todd.scallions

Members
  • Content count

    63
About todd.scallions

  • Rank
    Candidate

Profile Information

  • Gender
    Male
  • Location
    Memphis, TN

Recent Profile Visitors

143 profile views
  1. Errors on Security Center

    Issue is resolved. Deleted all event logs which provided enough space to run the Database Maintenance task.
  2. Errors on Security Center

    The GSI report has been uploaded.
  3. Errors on Security Center

    Thanks. Trace files have been uploaded.
  4. Errors on Security Center

    I have collected the requested trace files but the compressed folder size is 81MB. Can you send me your FTP info?
  5. Errors on Security Center

    Just sent you a PM with the log files attached.
  6. Errors on Security Center

    I am having the same database issue. Running KSC v10.4.343 SF1
  7. Light Agent 4.0 "Action Blocked by Self-Defense"

    Here's an example: Every Saturday at 3AM, WSUS deploys updates to my persistent VM's. Here is what I see in the Kaspersky event log from 12/09/2017:

    3:06 AM
      Event type: Action blocked by Self-Defense
      Application\Name: Windows® installer
      Application\Path: c:\windows\system32\
      Application\Process ID: 6332
      Component: Manage protection
      Result\Description: Blocked
      Action: Open
      Object: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Virtualization 4.0 Light Agent\avp.exe
      Object\Type: Process
      Object\Name: avp.exe

    3:29 AM
      Event type: Action blocked by Self-Defense
      Application\Name: Citrix PortICA Session Agent
      Application\Path: c:\program files\citrix\icaservice\
      Application\Process ID: 1116
      Component: Manage protection
      Result\Description: Blocked
      Action: Modify
      Object: \REGISTRY\USER\S-1-5-21-1552643264-1385519994-1233284464-10331\SOFTWARE\KASPERSKYLAB\PROTECTED\KSVLA3\AVZSETTINGS\WIZARDSFAVOURITES
      Object\Type: Registry key
      Object\Path: \REGISTRY\USER\S-1-5-21-1552643264-1385519994-1233284464-10331\SOFTWARE\KASPERSKYLAB\PROTECTED\KSVLA3\AVZSETTINGS\
      Object\Name: WIZARDSFAVOURITES

    3:29 AM
      VM Restarts after applying Windows Updates

    3:39 AM
      Event type: Action blocked by Self-Defense
      Application\Name: WMI Provider Host
      Application\Path: c:\windows\system32\wbem\
      Application\Process ID: 2496
      Component: Manage protection
      Result\Description: Blocked
      Action: Open
      Object: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Virtualization 4.0 Light Agent\avp.exe
      Object\Type: Process
      Object\Name: avp.exe

    Here's another random one I see ALL the time on ALL of my VM's:

      Event type: Action blocked by Self-Defense
      Application\Name: Citrix PortICA Session Agent
      Application\Path: c:\program files\citrix\icaservice\
      Application\Process ID: 2456
      Component: Manage protection
      Result\Description: Blocked
      Action: Modify
      Object: \REGISTRY\USER\S-1-5-21-1552643264-1385519994-1233284464-8118\SOFTWARE\KASPERSKYLAB\PROTECTED\KSVLA3\AVZSETTINGS\WIZARDSFAVOURITES
      Object\Type: Registry key
      Object\Path: \REGISTRY\USER\S-1-5-21-1552643264-1385519994-1233284464-8118\SOFTWARE\KASPERSKYLAB\PROTECTED\KSVLA3\AVZSETTINGS\
      Object\Name: WIZARDSFAVOURITES

      Event type: Action blocked by Self-Defense
      Application\Name: Host Process for Windows Services
      Application\Path: c:\windows\system32\
      Application\Process ID: 832
      Component: Manage protection
      Result\Description: Blocked
      Action: Modify
      Object: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KL1\0000\CONTROL
      Object\Type: Registry key
      Object\Path: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_KL1\0000\
      Object\Name: CONTROL

    I have added all the suggested exclusions for Citrix XenDesktop & Microsoft. I can exclude these as well, but I have no clue as to what they are or what the process is doing that is setting off Kaspersky Self-Defense.
  8. Need assistance trying to figure out what Self-Defense is blocking on all 215 of my VM's running Light Agent 4.0.
  9. Kaspersky Outlook Plugin Disabled

    Evgeny_E: "Overall, Microsoft Outlook plugins control is beyond KSC management functionality and should be addressed using Microsoft instrumentation."

    I disagree with this statement simply because it is obvious that the KES v10.3.06294 policy is able to prevent users from modifying the Kaspersky Outlook Add-In but the Light Agent 4.0 policy is not. Based on the screenshots above, had the three options been available in Settings under Connectivity, then my password protected policy would have greyed out the Kaspersky Outlook Add-In options. It can't restrict options on the PC that it doesn't know about! That would explain why it's greyed out for anyone with KES installed and not for all Light Agent users. Might be something Kaspersky should take a look at in Light Agent 5.0.

    ThomasLating: "And also only users with Outlook 2016 were involved by the problem. 2013 no problem at all."

    Unfortunately, all 215 VM's have Office 2013 installed with no plans to upgrade. I will definitely be testing the Send To function to see if I get the same result as you.
  10. Kaspersky Outlook Plugin Disabled

    After typing my previous post it got me a little curious of the differences between Light Agent 4.0 and KES 10.3.0.6294. Logged in on two other Win7 VM's running Light Agent 4.0 & Office 2013 (one had admin rights and the other did not) and both were able to go in and modify the Kaspersky Outlook Add-In. Checked another Windows 10 laptop running KES 10.3.0.6294 & Office 2013 (user has admin rights) and the Add-In options are greyed out. So it seems there is an issue with Light Agent 4.0. I compared the Light Agent 4.0 policy to the KES 10.3.0.6294 policy and there is only one difference between the two:
  11. Kaspersky Outlook Plugin Disabled

    From my understanding, the Kaspersky Outlook Add-In scans inbound mail prior to delivery to the user's mailbox. Therefore the infected object would never be seen by the user. With this Add-In disabled, the infected object would be delivered to the mailbox. At what point would File AV detect this object? The same can also be said for outbound mail. The Add-In would prevent the infected object from being sent to other internal and external users. Those external users might not have the same protection on their side. That doesn't paint a pretty picture if our users are able to email an infected object externally because of a disabled add-in that would have prevented it had it not been disabled. I get that you are saying File AV will scan it, but I like the idea of having multiple layers of protection. When it's cold outside, I don't just slap on a long sleeve shirt... I wear a jacket too. You asked me earlier if the user had admin rights. Well, I found another user today that had the add-in disabled. After I re-enabled the Add-In, I took a look at the Add-In options and the user had the ability to disable all three and she does NOT have local admin rights. In contrast, I do have local admin rights and I am unable to make any changes to the Add-In as seen in the screenshot below. One caveat is that the user is on a Win7 VM running Light Agent 4.0 with Office 2013 32bit and I am on a Windows 10 laptop running KES v10.3.06294 with Office 2016 64bit.
  12. Kaspersky Outlook Plugin Disabled

    Any reason this doesn't set off an alert condition in Security Center?
  13. Kaspersky Outlook Plugin Disabled

    On the two that I have come across, one user was granted admin rights and the other was not. Since neither of these were detected by Security Center, I have requested that help desk agents start actively checking this if they happen to be remoted into a user's PC. They are to report their findings to me so I can investigate further. Can you verify as to whether or not this add-in has any bearing on mail scanning? If Endpoint is still scanning all inbound & outbound mail prior to delivery, then this is a non-issue.
  14. Kaspersky Outlook Plugin Disabled

    I doubt I'll ever be able to capture a screenshot from a user's workstation because of the criteria Outlook uses to measure add-in performance when opening and closing Outlook. Here is a generic screen shot I found online. So if Kaspersky triggers Outlook's performance metrics, it will prompt the user to disable the add-in like you see in the screenshot. I don't know if this disables email scanning or cripples it, etc. It's just something that I noticed on a few workstations. It never set off any alerts in Security Center that the add-in was disabled. I re-enabled the add-in and Outlook is working fine. For all I know, maybe the user tried to launch Outlook right after they logged onto the PC and Kaspersky just took too long to load that one particular time and they were presented with the option to disable it. Even if this has no bearing on mailbox protection, I don't like the idea that any user is able to easily disable any part of Endpoint... especially without me being notified that a change was made.
  15. Just curious, is using Group Policy the only way to prevent Outlook from suggesting the users disable the Kaspersky Outlook plugin? I have found a few clients that had the Kaspersky plugin disabled in Outlook. Re-enabling it was no problem, but why is this even an option for the users? Is there a setting in Kaspersky Security Console that I am missing? I'd rather avoid having to create a group policy just to prevent this. Kaspersky Security Center v10.4.343. Clients are running a mix of Kaspersky Endpoint Protection v10.2.6.3733, v10.3.0.6294, & Light Agent v4.0.46.281