dhomer

Programmatically get the product version and DAT file date [In progress]


Hello,

 

Does anyone have a script to reliably get the version number and DAT file version from a Kaspersky endpoint security installation?

 

I see there are registry keys however these seem to be version specific?

 

Is there an API or a better way to get this?

 

 

 

Thanks,

 

 

Dave


Hi,

 

Can you please clarify what is your task?

What do you want to receive?

 

BR


Is it possible to retrieve the version number of the antivirus definition signatures from a command line or an API somehow?


Hi,

 

Do you mean a number of virus signatures (A screenshot would be nice)?

 

BR

Hello,

 

Thanks for the reply.

 

We are looking to programmatically and remotely (PowerShell, WMI, through the registry etc) get the following information

 

* Product name (for example "Kaspersky Endpoint Protection 10 SP1")

* Product version for example 10.2.40.1

* DAT file date or version (to check that the pattern is up to date)

* Whether the on-access scanner is enabled

 

And we want to do this for future versions without changing the code - for example the registry key being used seems to be hardcoded to the version number

 

 

If you want a screenshot, here's what Microsoft do with Windows Defender with a single PowerShell command (or corresponding WMI classes)

windowsdefender.png

 

 

 

Thanks,

 

 

Dave


Get it.

Can you please clarify why you don't want to use KSC reports for that purpose?

 

BR


Because this is for integration with an inventory product and we want to collect the data directly from AntiVirus endpoints directly.

 

Please can you tell me if this is possible?


You can export reports from KSC and then import them into the inventory program.

Unfortunately, a direct way from the endpoint is not supported.

KSC also supports integration with QRadar.

What product do you use?

 

BR


That's a shame we are looking to add support for your product to our inventory tool Server documentation tool

 

We have customers needing the information for PCI/DSS compliance as part of the reports. We will tell them that your product doesn't support management and cannot be supported.

 

 

Thanks,

 

 

Dave

 

 


>>We have customers needing the information for PCI/DSS compliance as part of the reports. We will tell them that your product doesn't support management and cannot be supported.

 

They can already have reports extracted from within Security Center (provided by Kaspersky) as mentioned before.

Just because it does not support WMIC external queries and does not integrate with your product, does not mean there are no options for reporting.

Edited by Whizard


Yes but as stated the answer doesn't meet the requirements.

 

We only deal with enterprise systems that report status and provide APIs for scripting and remote access, I guess your product is more suited to small business.

 

Thank you for your response we will state your product is unsupportable on our capabilities section. We'll keep an eye out to see if you provide a simple way to read dat / version information directly from machines in future.

 

 

 

Thanks,

 

 

Dave

 

 

 

 

 

 

 

 

 

 

 

 

Hello.

 

There is a technology called Administration Kit Automation, designed for scripting purposes. You can find its description here.

A detailed manual can be found in the klakaut.chm file in the KSC installation folder.

 

Thank you.

Hello,

 

Thanks for the reply.

 

Again this is to script talking to your server product not the endpoint so doesn't meet this requirement.

 

"A scenario must be run on the Administration server." does not meet the requirement to run this remotely.

 

It states that this is a COM control designed for VBScript and ActiveX so I'm assuming this is a dated control.

 

 

Dave


Hi Dave,

 

I don't know why the KL support guys are making it so hard for you. ;)

 

Please check HKLM\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1.0.0.0\Statistics\AVState, here you'll find e.g. Protection_BasesDate.

 

cheers,

sec4me


Hi thanks for the reply, do you know how stable this is to use?

 

Yes I don't know why, given the state of IT security you'd think that AV providers would make it as easy as possible for IT administrators and integrators to quickly check which AV product was installed, running and up to date.

 

 

 

Thanks,

 

 

Dave

 


Actually that key doesn't exist on Endpoint Security 10 Service Pack 1 Maintenance Release 2?

 


sry my bad

HKLM\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState

it's stable

 


I can't see that key either - here's a screenshot

 

registrykey.png


That's correct, the node is not managed by KSC -> that's why it is not there.

Are the systems unmanaged?


We want to be able to accurately determine the information regardless of the configuration.

 

 

 


value is stored in hklm\Software\wow6432node\kasperskylab\protected\kes10sp1\watchdog\BasesInfo - e.g. date, reg_qword, 1d1d6d97f278a00

the display in support window shows, database release date: 05.07.2016 18:23

i assume it is utc + 2 (Moscow local time)

furthermore i assume it's saved in ticks

but converting it shows Tuesday, 5. July 0416 16:23:00

maybe kl support guys could shed some light on it

Edited by sec4me
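
Added example (not part of the original posts): the REG_QWORD quoted above decodes as a Windows FILETIME (100 ns intervals since 1601-01-01 UTC), which for `1d1d6d97f278a00` gives 5 July 2016 16:23:00 UTC; read as .NET ticks counted from year 0001, the same number lands exactly 1600 years earlier. The PowerShell below reads the value from a remote machine and decodes it; the function names, the value name `date` (as read from the post) and the 3-day freshness threshold are assumptions.

```powershell
# Added example, not code from the thread or from Kaspersky.
# The key path is the one quoted in the post; it is version-specific (kes10sp1).

function ConvertFrom-FileTimeQword {
    param([Parameter(Mandatory)][long]$Qword)
    # FILETIME counts 100 ns intervals since 1601-01-01 00:00:00 UTC.
    [DateTime]::FromFileTimeUtc($Qword)
}

function Get-BasesDateUtc {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$SubKey = 'SOFTWARE\Wow6432Node\KasperskyLab\protected\KES10SP1\watchdog\BasesInfo',
        [string]$ValueName = 'date'   # assumed value name
    )
    # Requires the Remote Registry service and read access on the target.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hklm.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }          # key absent on this install
        try {
            $raw = $key.GetValue($ValueName)
            if ($raw -isnot [long]) { return $null }  # missing or not a REG_QWORD
            ConvertFrom-FileTimeQword -Qword $raw
        } finally { $key.Close() }
    } finally { $hklm.Close() }
}

function Test-BasesCurrent {
    param([Parameter(Mandatory)][DateTime]$BasesUtc, [int]$MaxAgeDays = 3)
    # True when the signature date is within the allowed age.
    ([DateTime]::UtcNow - $BasesUtc).TotalDays -le $MaxAgeDays
}

# Constructed check with the hex value quoted in the post.
$sample = [Convert]::ToInt64('1d1d6d97f278a00', 16)
ConvertFrom-FileTimeQword -Qword $sample      # FILETIME interpretation
New-Object DateTime -ArgumentList $sample     # .NET ticks interpretation, for comparison

# Usage against a host (hypothetical name), returning $null when the key is absent:
# $d = Get-BasesDateUtc -ComputerName 'PC-EXAMPLE'
# if ($d) { Test-BasesCurrent -BasesUtc $d }
```

A `$null` result means the key or value was not found, which the thread shows can happen depending on product version and on whether the node is managed by KSC.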


Ah interesting thanks !

 

 

Dave
