CraftyD

Siemens SCADA/Web Production and Kaspersky Endpoint [In progress] [1566894]


Has anybody had to run these two applications together? The Web interface to the production web server (SCADA) is very slow with Kaspersky running. After trial-and-error testing, disabling the WEB AV module fixes the problem.

Even if I put the server IP in the exclusions list and re-enable the module it's slow again. Something in the web av module is not liking what the SCADA is doing.

 

Siemens was no help whatsoever: "Sorry, Kaspersky is not supported". Basically saying screw you. Our software retailer connected after I logged a call at Kaspersky and they said everything is set up correctly and cannot say why it's not working. I have tried opening ports in the FW and it's not working. If it was ports the application wouldn't work at all. I have also excluded the application .exe to no avail.

 

I cannot disable the Web AV module for obvious reasons. The clients also need to access the SCADA system so I have a problem.

Anyone have any ideas I can try please?

 

 

KSC : 10.2.434

KEP : 10.2.4.674 (mr2)


Hello.

 

For analysis, please enable KES traces after turning off all of its components except WebAV and reproduce the scenario (accessing the SCADA web interface); then turn off WebAV as well and access the site again, indicating that the issue is resolved. Then please provide the collected traces. Also, please specify what web browser you'll be using for reproduction, and which OS is installed on the client.

 

Thank you.


Hi

 

Here are the log files. The whole environment runs on Win 7 x64 Enterprise SP1 (Build 7601)

KES.10.2.4.674r_01.20_13.02_2364.WD.log_WEB_AV_Enabled.7z

KES.10.2.4.674r_01.20_13.17_2364.WD.log_WB_AV_DISABLED.7z


Please also specify which browser was used during the reproduction, and what port is used for connection. Is it plain HTTP or SSL?

 

Thank you


Hi

 

All clients use IE11 (11.0.9600) Standard HTTP.


Issue 1566894 submitted, data provided to developer. After we receive a reply from them, the topic will be updated.

 

Thank you.


Thanks for your help! :)


Unfortunately, according to the developer, KES traces on their own turned out inconclusive in figuring out the cause of this issue. If possible, please provide a more complex reproduction:

 

-KES trace (new)

-ProcMon log

-Wireshark log for the active network adapter

-xperf trace (if possible)

 

Also, a GSI log from the host is helpful.

 

Thank you!


Ok will get working on it.

Please let us know about the result, or if you have any questions regarding it.

 

Thank you.

 

 

These logs are quite big, don't know if I can get past the 300k limit. Can I dropbox it?


Of course, you can use any file sharing service of your choice, and provide us with a link.

 

Thank you.

Hi

 

Here is the link KES logs

 

For proper analysis, the developer requests a GSI log (as mentioned earlier). Please collect it and provide us with the link.

 

Also, the rest of the info is collected separately (one log at a time). It is possible to go through them as they are, but for the best result they need to be collected all at the same time, during a single reproduction.

If possible, please retrace the process.

 

Thank you.


Good Day

 

The logs are one right after each other with the problem replicated (while web av is on) and the same with web av off (problem not happening). I have to manually disable the web av through policy via server.

 

Please let me know if you would need me to run everything again.

I have attached a GSI log HERE

 

I appreciate your efforts.


Hello,

it's better to collect all diagnostic information simultaneously.

Thank you.


Hi, just waiting for a gap to do the logs. Still on it.

Ok.

 

Hopefully these logs will be right. LOGS

 

Thanks Again

 

The developer suggests the following:

 

For analysis purposes, please remove any Malwarebytes software on the test computer (Malwarebytes Anti-Exploit, Malwarebytes' Managed Client etc) which may interfere with the traffic, and check the reproduction of the issue.

If the issue still reproduces, please collect simultaneous xperf + KES + Wireshark + Procmon logs when the software has already been removed.

 

Also, please consider that Wireshark logs only contain entries of inbound traffic. This may be caused by interfering software/TCP Chimney Offload. Thus it is strongly recommended to unload any VPN software (like Cisco VPN) or Offload while collecting logs.

 

Thank you.
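
Added example, not part of any post in this thread and not Kaspersky's own tooling: one way to take the xperf, Procmon and Wireshark captures in a single reproduction window, with TCP Chimney Offload disabled first as the developer recommends. The tool paths, output folder, interface index and duration are assumptions, and KES tracing is assumed to be switched on by hand because the thread does not say how it is enabled.

```powershell
# Added example: run from an elevated PowerShell prompt on the test client.
# All paths, the interface index and the duration are assumptions; adjust them.
$OutDir  = "C:\Diag\webav-repro"                      # hypothetical output folder
$Procmon = "C:\Tools\Procmon.exe"                     # assumed Sysinternals location
$Dumpcap = "C:\Program Files\Wireshark\dumpcap.exe"   # assumed Wireshark install path
$Iface   = "1"                                        # index taken from: dumpcap -D
$Seconds = 120                                        # length of the reproduction window

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Record the current offload settings, then disable TCP Chimney Offload so the
# capture is not missing one direction of the traffic.
netsh int tcp show global | Out-File "$OutDir\tcp-global-before.txt"
netsh int tcp set global chimney=disabled | Out-Null

# KES tracing is not controlled by this script (manual step, see lead-in).
Read-Host "Enable KES tracing, then press Enter to start the other collectors"

# 1. Kernel trace; xperf (Windows Performance Toolkit) must be on PATH.
xperf -on DiagEasy

# 2. Process Monitor, writing to a backing file with no UI prompts.
Start-Process $Procmon -ArgumentList "/AcceptEula", "/Quiet", "/Minimized",
    "/BackingFile", "$OutDir\procmon.pml"

# 3. Packet capture on the active adapter; dumpcap stops itself after $Seconds.
$cap = Start-Process $Dumpcap -PassThru -ArgumentList "-i", $Iface,
    "-a", "duration:$Seconds", "-w", "$OutDir\capture.pcapng"

Write-Host "Collectors running. Reproduce the slow SCADA page load in the browser now."
$cap.WaitForExit()

# Stop the remaining collectors once the capture window has closed.
Start-Process $Procmon -ArgumentList "/Terminate" -Wait
xperf -d "$OutDir\xperf.etl"

Write-Host "Stop KES tracing. Logs are in $OutDir."
Write-Host "Previous offload settings were saved to tcp-global-before.txt for restoring."
```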


Ok, I am going to set up a test pc with our base build on. No extra software.

I have done this before and still experience the issue so it will be ideal for the logs. Please allow a day or two for me to get this done.

 

Thanks.


Hi,

 

Keep us informed about further results.

 

Thank You!
