cc_jon

Security Center 10 Best Practices [In progress]

We've just somewhat completed a deployment of SC 10 along with ES 10 on the desktop. I just need a sanity check on a few things as I find that Security Center 10 needs A LOT of babysitting to ensure that it's actually doing what it's supposed to be doing.

 

Questions:

 

1) Is there a list of best practices or list of 'good to know's related to ensuring that Tasks / Policies and automation are in place correctly? I find the app incredibly unwieldy compared to competitor apps that I have used in other organizations, and so having a list I can run down will ensure that things are set up and configured correctly.

2) Is there a BPA (Best Practices Analyzer) tool that can be run against my configuration to determine any changes that should be made?

 

Concerns:

 

1) I find that when I execute certain tasks they appear to run but then fail to run such as:

 

On many systems the console reports that "Kaspersky Anti-Virus is not installed", but when remotely installing the application it reports "Running 50% - Kaspersky Security Center Network Agent (10.0.3361): The product is already installed on the computer. Nothing to do." This results in multiple systems that are in a state of 'oblivion', neither managed nor unmanaged but refusing to be managed.

 

2) Event Logs seem a veritable mess reporting multiple running events that seemingly never expire/end/complete/finish, see this image:

 

[image attachment: TTH4eNF.jpg]

 

Does this look right to you?

 

3) On many systems the console reports "Windows update search not performed for a long time" even though I've run the Windows Update task multiple times and configured the Security Center 10 server to act as a WSUS server. How do I ensure that Windows Updates are actually working as expected?

Edited by cc_jon
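A host-side check for Concerns 1 and 3, added here as an example and not taken from the thread or from Kaspersky's own tooling: it reads the standard Windows uninstall registry keys to see whether Network Agent and the endpoint product are actually present on the machine (so the console's "not installed" / "already installed" messages can be compared with what the host itself reports), and it queries the Windows Update Agent COM API plus the standard WSUS client policy key to see when the last successful update search happened. The DisplayName patterns "*Network Agent*" and "*Endpoint Security*" and the 14-day staleness threshold are assumptions; adjust them to your build.

```powershell
# Added example (not from the thread or from Kaspersky). Run locally on a
# managed workstation with an elevated PowerShell (2.0 or later).

function Get-KasperskyInstallState {
    # Standard Windows uninstall registry locations (64-bit and 32-bit views)
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $products = foreach ($hive in $hives) {
        if (Test-Path $hive) {
            Get-ChildItem $hive | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                if ($p.DisplayName -like 'Kaspersky*') {
                    New-Object PSObject -Property @{
                        Name    = $p.DisplayName
                        Version = $p.DisplayVersion
                    }
                }
            }
        }
    }
    # Assumed DisplayName patterns; check against your own installed names
    $agent = $products | Where-Object { $_.Name -like '*Network Agent*' }
    $kes   = $products | Where-Object { $_.Name -like '*Endpoint Security*' }
    $agentVersion = 'missing'
    if ($agent) { $agentVersion = ($agent | ForEach-Object { $_.Version }) -join ',' }
    $kesVersion = 'missing'
    if ($kes) { $kesVersion = ($kes | ForEach-Object { $_.Version }) -join ',' }
    New-Object PSObject -Property @{
        NetworkAgent     = $agentVersion
        EndpointSecurity = $kesVersion
        # The "oblivion" state from the thread: agent present, AV absent.
        # Such a host needs the AV install task, not another agent install.
        AgentOnly        = [bool]($agent -and -not $kes)
    }
}

function Get-WindowsUpdateState {
    # Windows Update Agent COM API: IAutomaticUpdates.Results exposes the
    # last successful search and installation timestamps on this host.
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $results = $au.Results
    # Standard WSUS client-side policy location; WUServer is set when the
    # host has been pointed at a WSUS server (KSC acting as WSUS or not).
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wsus = $null
    if (Test-Path $wuPolicy) { $wsus = (Get-ItemProperty $wuPolicy).WUServer }
    $lastSearch = $results.LastSearchSuccessDate
    New-Object PSObject -Property @{
        LastSearchSuccess  = $lastSearch
        LastInstallSuccess = $results.LastInstallationSuccessDate
        WSUSServer         = $wsus
        # Assumed threshold: flag hosts whose last search is older than 14 days
        SearchStale        = ($lastSearch -lt (Get-Date).AddDays(-14))
    }
}

Get-KasperskyInstallState | Format-List
Get-WindowsUpdateState    | Format-List
```

If a host shows AgentOnly = True, the console's "already installed" message refers to Network Agent and the endpoint product still has to be deployed; a SearchStale = True host with an empty WSUSServer has never been pointed at the update source, whatever the console task history says.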


Hi,

 

For the 1st and 2nd questions - unfortunately, no. There are no best practice lists or analyzers. Incidentally, default settings provide max defence with max performance.

 

As for your CONCERNS part - that should not work that way.

 

To figure out what is going on we will need some additional info, such as:

1. GSI log

2. Number of PCs that install AV simultaneously (is there any task randomization configured)?

3. Installation logs from one of the affected hosts

4. Admin server traces (collected during the installation process)

5. Console traces

6. Event logs (Kaspersky, system and application) from the admin server.


Jon,

 

I'm in the same boat as you. I've deployed KSC10 at several clients and I feel it's been such a time-sink with just doing menial things like restarting Network Agents and running manual scans here and there to clear the red status in the console. I believe that a new Maintenance Release is scheduled for December, so I'm hoping a lot of the bugs and quirks are fixed with that. But I was just wondering if you yourself have come up with some 'good to know's over the course of the past few months.

 

One thing that I've found myself doing at clients is disabling Network Access Protection and System Watcher, as it was causing issues on many machines and that's what some KAV forum posts suggested doing. It's just shocking to me that in order to make this run effectively, you actually have to hamper the protection. That's like buying a new sports-car and the salesguy telling you that it will only do 50+mph if you have the radio turned to NPR. Wh-what?

Edited by jensonc


Hello!

Did you create incidents in your CompanyAccount for the problems you are facing? Could you please post here one of the incidents' numbers?

Thank you in advance!


Since every client has different needs and each IT org has different goals, this list could vary greatly. I'll write down some things I've done that help us...

 

1.) IF you don't want to monitor application vulnerability, disable that part of KES10. I found that Kaspersky's scan for this is VERY resource intensive.

2.) Separate managed computers group into desktops/laptops/etc. Then make sure you configure policies specifically for those types of devices...

3.) Give end users control over group tasks. That way if they need to make sure their computer is very responsive at a certain time, they can stop/restart virus-scan later.

4.) Don't use Wake-On-LAN. I've seen a number of people report problems with this...

5.) Make sure virus scan is not configured to scan mapped network drives. Use a daily task to scan your root system folder.

6.) Configure heuristics to medium/high on web AV and light on file AV (this assumes web browsing is your biggest threat surface)

7.) If you aren't using it already, USE WEB CONTROL! It rocks, especially for blocking ads/pornography/job search sites/etc.

8.) BE SURE DNS IS WORKING PROPERLY!!!!

9.) Occasionally empty out the container of unmanaged computers.

10.) Configure Network Agent to use IP address rather than FQDN.

11.) Occasionally empty out all the error logs in KSC.

12.) For my company, I opted to use a separate WSUS server not tied in to Kaspersky.

 

On your issue: "Kaspersky Anti-Virus is not installed" but when remotely installing the application it reports "Running 50% - Kaspersky Security Center Network Agent (10.0.3361): The product is already installed on the computer. Nothing to do." - I think this is saying Network Agent is already installed. I use two separate tasks for NA and KES10. Just run the installation for NA first, then KES10 after.

 

As mentioned before, these can all vary greatly depending on the organization...

Edited by Mikejt


That's some solid info Mike. This knowledge should be a sticky post. Thanks for the input, I'm sure it will help a lot of new people moving forward!


Some more tips :

 

- Read the Administrator Manual, it contains extremely valuable information especially if you are new to the product. I've seen too many persons install first then ask questions later.

 

- In-place upgrade never works correctly. Want to update your agent or client, or migrate from another third-party product? Always uninstall first, then do a fresh install after that.

 

- Install Network Agent and Antivirus separately (one task for each).

 

- Do not start to install Antivirus clients unless all agents are up and running. Staying in control is the key.

 

- Choose the right product for the right computer. Too many people still ignore FSEE editions.

 

- If you are in charge, make sure your infrastructure is healthy. If your AD/DNS is a mess, do not expect your deployment to go smoothly.

 

- Separate computers by type (servers and workstations) and roles (AD, Hypervisor, DB etc...). It will allow you to create custom policies and exclusion rules for each group without worrying about inheritance and stuff.

 

- Performance is a HUGE concern, be sure you thoroughly test it before deploying clients and policies.

 

- Do not trust default exclusions provided by Kaspersky - most of them do not match. Dig through Technet and your vendor documentation for knowledge about what to exclude. It's a huge amount of work, but you will have to do it only once, and it can be reused no matter what antivirus solution you choose.

 

- TEST, TEST and TEST again before deploying into production! Updates, Maintenance Pack, new policies, everything - in worst cases, you can brick an entire IT infrastructure if you are too trustful.

 

- If possible, use Microsoft built-in solutions when applicable - WSUS, Applocker, encryption, etc... Do not put all your eggs into the same basket.

 

I would strongly advise against using IP instead of DNS for Network Agent, however; it's gonna be hell when you migrate your server or antivirus solution.
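Both Mike's tip 8 ("BE SURE DNS IS WORKING PROPERLY") and the AD/DNS point above come down to the same check: the name the Administration Server knows a host by must resolve forward to the address the host actually has, and the reverse record for that address must point back to the same name, otherwise agent and server disagree about who they are talking to. The script below is an added example, not part of the thread and not Kaspersky's tooling; it uses the .NET resolver so it runs on the older PowerShell versions found on KSC 10-era servers. The inventory list is constructed; replace it with an export of hostnames and IPs as your console sees them.

```powershell
# Added example (not from the thread). Run on the Administration Server, which
# is where the names used to reach Network Agents must resolve correctly.

function Test-AgentDns {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,   # name as known to the console
        [Parameter(Mandatory=$true)][string]$ExpectedIp  # address as known to the console
    )
    $result = New-Object PSObject -Property @{
        HostName   = $HostName
        ExpectedIp = $ExpectedIp
        ForwardOk  = $false
        ReverseOk  = $false
        Detail     = ''
    }
    try {
        # Forward lookup: every address the name resolves to must include
        # the one the console has on record, or the console is stale.
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName) |
            ForEach-Object { $_.IPAddressToString }
        $result.ForwardOk = ($addrs -contains $ExpectedIp)
        if (-not $result.ForwardOk) { $result.Detail = "forward -> $($addrs -join ',')" }
    } catch {
        $result.Detail = "forward lookup failed: $($_.Exception.Message)"
        return $result
    }
    try {
        # Reverse lookup: the PTR for the address must name the same host.
        # A stale PTR (old name, reused DHCP lease) is the classic cause of
        # a host that shows as two different computers in the console.
        $ptr = [System.Net.Dns]::GetHostEntry($ExpectedIp).HostName
        $result.ReverseOk = ($ptr -ieq $HostName) -or ($ptr -ilike "$HostName.*")
        if (-not $result.ReverseOk) { $result.Detail += " reverse -> $ptr" }
    } catch {
        $result.Detail += " reverse lookup failed: $($_.Exception.Message)"
    }
    $result
}

# Constructed sample inventory (hypothetical names and addresses);
# replace with the hostname/IP export from your own console.
$inventory = @(
    @{ HostName = 'ws-001.corp.example'; ExpectedIp = '10.0.1.21' },
    @{ HostName = 'ws-002.corp.example'; ExpectedIp = '10.0.1.22' }
)

# Report only the hosts whose forward or reverse resolution is wrong.
$inventory | ForEach-Object { $h = $_; Test-AgentDns @h } |
    Where-Object { -not ($_.ForwardOk -and $_.ReverseOk) } |
    Format-Table HostName, ExpectedIp, ForwardOk, ReverseOk, Detail -AutoSize
```

A host that fails the forward check is one the server cannot reach by name, so the IP-versus-FQDN debate in this thread is really about whether this check passes; fixing the records and keeping FQDN is the option that survives a server migration.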


Hi All,

 

I just wanted to know if there is a new version of this that is BETTER to know about, or whether to get sick with this messy Kaspersky AV.

I'm going nuts with this AV. I have tasks everywhere, some of them are duplicated tasks and some others don't even work.

There are tasks created in the top Group that are supposed to be inherited but they don't even show up in the group below, and so on; I have many complaints with this all messed up AV.

But anyway, as far as it last I would have to deal with it, so: is there any updated list of what works and what to disable?

It would be highly appreciated!!

 

Best regards,

 

EDIT: right now I have 3 exact same instances of AVP.EXE (with different PIDs) running at the same time, plus the AVPSUS. I don't need the AVPSUS as I have the WSUS (I guess that's what the AVPSUS is for, right?).

Edited by d3tonador


Hello,

 

Please state the exact KSC server, agent and KES versions.

Here are the best practices - http://media.kaspersky.com/documents/kasp1...practicesen.pdf

Thank you.
