todd.scallions

  1. todd.scallions

    Step Me Through Database Relocation

    Any issues moving the database from 2008 SQL Express to 2012 SQL Server?
  2. Since I can't seem to figure out why my Security Center database continuously bloats to 10GB, I've decided to move the database off SQL '08 Express and onto one of our licensed SQL servers. (Apparently running the database maintenance task three times a week for 400 devices is still not enough to avoid hitting the 10GB wall.) So I've read the guide https://support.kaspersky.com/13920#block3 under Connect the Administration Server to the new Database server which I assume pertains to what I am trying to accomplish. What I don't understand is why I need to completely uninstall Kaspersky Security Center from my server and then turn around and reinstall it? I'm not relocating the Administration Server, I'm relocating the database to another server. Is there not a way to reconfigure Administration Server and tell it where to look for the database? Maybe it's just the wording of the support article that is throwing me off but the steps seem really confusing.
  3. todd.scallions

    Errors on Security Center

    Issue is resolved. Deleted all event logs which provided enough space to run the Database Maintenance task.
  4. todd.scallions

    Errors on Security Center

    The GSI report has been uploaded.
  5. todd.scallions

    Errors on Security Center

    Thanks. Trace files have been uploaded.
  6. todd.scallions

    Errors on Security Center

    I have collected the requested trace files but the compressed folder size is 81MB. Can you send me your FTP info?
  7. todd.scallions

    Errors on Security Center

    Just sent you a PM with the log files attached.
  8. todd.scallions

    Errors on Security Center

    I am having the same database issue. Running KSC v10.4.343 SF1
  9. todd.scallions

    Light Agent 4.0 "Action Blocked by Self-Defense"

    Here's an example: Every Saturday at 3AM, WSUS deploys updates to my persistent VM's. Here is what I see in the Kaspersky event log from 12/09/2017:

    3:06 AM
    Event type: Action blocked by Self-Defense
    Application\Name: Windows® installer
    Application\Path: c:\windows\system32\
    Application\Process ID: 6332
    Component: Manage protection
    Result\Description: Blocked
    Action: Open
    Object: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Virtualization 4.0 Light Agent\avp.exe
    Object\Type: Process
    Object\Name: avp.exe

    3:29 AM
    Event type: Action blocked by Self-Defense
    Application\Name: Citrix PortICA Session Agent
    Application\Path: c:\program files\citrix\icaservice\
    Application\Process ID: 1116
    Component: Manage protection
    Result\Description: Blocked
    Action: Modify
    Object: \REGISTRY\USER\S-1-5-21-1552643264-1385519994-1233284464-10331\SOFTWARE\KASPERSKYLAB\PROTECTED\KSVLA3\AVZSETTINGS\WIZARDSFAVOURITES
    Object\Type: Registry key
    Object\Path: \REGISTRY\USER\S-1-5-21-1552643264-1385519994-1233284464-10331\SOFTWARE\KASPERSKYLAB\PROTECTED\KSVLA3\AVZSETTINGS\
    Object\Name: WIZARDSFAVOURITES

    3:29 AM
    VM Restarts after applying Windows Updates

    3:39 AM
    Event type: Action blocked by Self-Defense
    Application\Name: WMI Provider Host
    Application\Path: c:\windows\system32\wbem\
    Application\Process ID: 2496
    Component: Manage protection
    Result\Description: Blocked
    Action: Open
    Object: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Virtualization 4.0 Light Agent\avp.exe
    Object\Type: Process
    Object\Name: avp.exe

    Here's another random one I see ALL the time on ALL of my VM's:

    Event type: Action blocked by Self-Defense
    Application\Name: Citrix PortICA Session Agent
    Application\Path: c:\program files\citrix\icaservice\
    Application\Process ID: 2456
    Component: Manage protection
    Result\Description: Blocked
    Action: Modify
    Object: \REGISTRY\USER\S-1-5-21-1552643264-1385519994-1233284464-8118\SOFTWARE\KASPERSKYLAB\PROTECTED\KSVLA3\AVZSETTINGS\WIZARDSFAVOURITES
    Object\Type: Registry key
    Object\Path: \REGISTRY\USER\S-1-5-21-1552643264-1385519994-1233284464-8118\SOFTWARE\KASPERSKYLAB\PROTECTED\KSVLA3\AVZSETTINGS\
    Object\Name: WIZARDSFAVOURITES

    Event type: Action blocked by Self-Defense
    Application\Name: Host Process for Windows Services
    Application\Path: c:\windows\system32\
    Application\Process ID: 832
    Component: Manage protection
    Result\Description: Blocked
    Action: Modify
    Object: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KL1\0000\CONTROL
    Object\Type: Registry key
    Object\Path: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KL1\0000\
    Object\Name: CONTROL

    I have added all the suggested exclusions for Citrix XenDesktop & Microsoft. I can exclude these as well, but I have no clue as to what they are or what the process is doing that is setting off Kaspersky Self-Defense.
  10. Need assistance trying to figure out what Self-Defense is blocking on all 215 of my VM's running Light Agent 4.0.
  11. todd.scallions

    Kaspersky Outlook Plugin Disabled

    Evgeny_E "Overall, Microsoft Outlook plugins control is beyond KSC management functionality and should be addressed using Microsoft instrumentation."

    I disagree with this statement simply because it is obvious that the KES v10.3.06294 policy is able to prevent users from modifying the Kaspersky Outlook Add-In but the Light Agent 4.0 policy is not. Based on the screenshots above, had the three options been available in Settings under Connectivity, then my password protected policy would have greyed out the Kaspersky Outlook Add-In options. It can't restrict options on the PC that it doesn't know about! That would explain why it's greyed out for anyone with KES installed and not for all Light Agent users. Might be something Kaspersky should take a look at in Light Agent 5.0.

    ThomasLating "And also only users with Outlook 2016 were involved by the problem. 2013 no problem at all."

    Unfortunately, all 215 VM's have Office 2013 installed with no plans to upgrade. I will definitely be testing the Send To function to see if I get the same result as you.
  12. todd.scallions

    Kaspersky Outlook Plugin Disabled

    After typing my previous post it got me a little curious of the differences between Light Agent 4.0 and KES 10.3.0.6294. Logged in on two other Win7 VM's running Light Agent 4.0 & Office 2013 (one had admin rights and the other did not) and both were able to go in and modify the Kaspersky Outlook Add-In. Checked another Windows 10 laptop running KES 10.3.0.6294 & Office 2013 (user has admin rights) and the Add-In options are greyed out. So it seems there is an issue with Light Agent 4.0. I compared the Light Agent 4.0 policy to the KES 10.3.0.6294 policy and there is only one difference between the two:
  13. todd.scallions

    Kaspersky Outlook Plugin Disabled

    From my understanding, the Kaspersky Outlook Add-In scans inbound mail prior to delivery to the user's mailbox. Therefore the infected object would never be seen by the user. With this Add-In disabled, the infected object would be delivered to the mailbox. At what point would File AV detect this object? The same can also be said for outbound mail. The Add-In would prevent the infected object from being sent to other internal and external users. Those external users might not have the same protection on their side. That doesn't paint a pretty picture if our users are able to email an infected object externally because of a disabled add-in that would have prevented it had it not been disabled. I get that you are saying File AV will scan it, but I like the idea of having multiple layers of protection. When it's cold outside, I don't just slap on a long sleeve shirt... I wear a jacket too.

    You asked me earlier if the user had admin rights. Well, I found another user today that had the add-in disabled. After I re-enabled the Add-In, I took a look at the Add-In options and the user had the ability to disable all three and she does NOT have local admin rights. In contrast, I do have local admin rights and I am unable to make any changes to the Add-In as seen in the screenshot below. One caveat is that the user is on a Win7 VM running Light Agent 4.0 with Office 2013 32bit and I am on a Windows 10 laptop running KES v10.3.06294 with Office 2016 64bit.
  14. todd.scallions

    Kaspersky Outlook Plugin Disabled

    Any reason this doesn't set off an alert condition in Security Center?
  15. todd.scallions

    Kaspersky Outlook Plugin Disabled

    On the two that I have come across, one user was granted admin rights and the other was not. Since neither of these were detected by Security Center, I have requested that help desk agents start actively checking this if they happen to be remoted into a user's PC. They are to report their findings to me so I can investigate further. Can you verify as to whether or not this add-in has any bearing on mail scanning? If Endpoint is still scanning all inbound & outbound mail prior to delivery, then this is a non-issue.