OBK

Some questions about Endpoint-Sensor

Hi,

Endpoint-Sensor is a new function in KES 11, isn't it? But how is it possible to configure it?

About configuration I found the following link: https://help.kaspersky.com/KESWin/11/en-US/132664.htm

There I read: If you selected the KATA Endpoint Sensor check box during the previous step, in the Server address field, specify the Kaspersky Anti Targeted Attack Platform server address consisting of the following parts:

  1. Protocol Name
  2. IP address or fully qualified domain name (FQDN) of the server
  3. Path to the Windows Event Collector on the server

One question: Which is the IP address or the fully qualified domain name of the server?

It's the KSC?

https://help.kaspersky.com/KESWin/11/en-US/134237.htm says:

Inbound connections to computers with the KATA Endpoint Sensor component should be allowed from the Kaspersky Anti Targeted Attack Platform server directly, without a proxy server.

Which port? TCP/UDP?

Kind regards,

OBK

1 hour ago, OBK said:

Hi,

Endpoint-Sensor is a new function in KES 11, isn't it? But how is it possible to configure it?

About configuration I found the following link: https://help.kaspersky.com/KESWin/11/en-US/132664.htm

There I read: If you selected the KATA Endpoint Sensor check box during the previous step, in the Server address field, specify the Kaspersky Anti Targeted Attack Platform server address consisting of the following parts:

  1. Protocol Name
  2. IP address or fully qualified domain name (FQDN) of the server
  3. Path to the Windows Event Collector on the server

One question: Which is the IP address or the fully qualified domain name of the server?

It's the KSC?

https://help.kaspersky.com/KESWin/11/en-US/134237.htm says:

Inbound connections to computers with the KATA Endpoint Sensor component should be allowed from the Kaspersky Anti Targeted Attack Platform server directly, without a proxy server.

Which port? TCP/UDP?

Kind regards,

OBK

Hi,

Basically, KATA products have three components named Central Node, Sandbox and Sensor. Sensors collect data from network, mail, devices, etc. In this case, the KATA Endpoint Sensor component collects data from your devices (with the KATA Endpoint Sensor component in the policy).

So, let me answer your questions.

1. TCP/8443

2. IP address of Central Node (e.g. 192.168.1.100)

3. /apt/agent

The combination of these 3 components: https://192.168.1.100:8443/apt/agent

When this value is entered in the policy, the process will be OK. Sensors collect data and send it to the Central Node.

Of course you must have the KATA product to be able to do all of this.

Thank you.

 

2 minutes ago, FDemir said:

Of course you must have the KATA product to be able to do all of this.

We don't have the KATA product. For this reason, it's strange that I get an error message when I don't install the component "Endpoint Sensor".

12 minutes ago, OBK said:

We don't have the KATA product. For this reason, it's strange that I get an error message when I don't install the component "Endpoint Sensor".

You can install KATA Endpoint Sensor component without having KATA. There is no restriction.

At which stage do you get this error? In the installation package properties section?

A screenshot can be useful.

Thanks.

1 hour ago, FDemir said:

You can install KATA Endpoint Sensor component without having KATA. There is no restriction.

At which stage do you get this error? In the installation package properties section?

A screenshot can be useful.

I think that a normal user with an Advanced license doesn't need the Endpoint Sensor component. But when he installs KES11 without Endpoint Sensor, he gets the message:

Event "The license allows the use of components that have not been installed" occurred on device XXXXX in Windows domain XXXXX on XXXXXX

Event type:     The license allows the use of components that have not been installed

Non-installed components:    

Endpoint Sensor

User:     NT-AUTORITÄT\SYSTEM (System user)

This seems a little bit strange to me, but never mind. I will install the Endpoint Sensor to have peace. :)

You can close the ticket.

Kind regards,

OBK

Hello!

Can you please clarify - you install KES without sensor component?

And you get the corresponding error in the event log?

I don't think that is correct behavior. Can you please provide us with event logs where we can see this error, and with installation logs?

Thank you!

 

3 hours ago, Vitaly Kravtsov said:

Can you please clarify - you install KES without sensor component?

Yes.

3 hours ago, Vitaly Kravtsov said:

And you get the corresponding error in the event log?

Event name  The license allows the use of components that have not been installed
Severity:  Warning
Application:  Kaspersky Endpoint Security for Windows (11.0.0)
Version number:  11.
Task name:  Protection
Device:  XXXX
Group:  group1
Time:  19.12.2017 11:44:18
Virtual Administration Server name:  
Description:  Event type:     The license allows the use of components that have not been installed
Non-installed components:    
Endpoint Sensor
User:     NT-AUTORITÄT\SYSTEM (System user)
 
I only receive the event, when in the policy endpoint security is disabled and locked. When the configuration isn't locked in the policy, I don't get the event. Default: Disabled and locked.
 

events-after-installation.txt

Installation-logs.zip

On 19.12.2017 at 1:57 PM, OBK said:

I only receive the event, when in the policy endpoint security is disabled and locked

Please clarify which parts of the Endpoint Security policy make a difference when locked. Do you mean the Endpoint Sensor section, or some other settings? Note that generation of the specified event is optional (configurable in "Notifications"), and local and policy settings may differ.

Thank you.

4 minutes ago, Kirill Tsapovsky said:

Please clarify which parts of the Endpoint Security policy make a difference when locked. Do you mean the Endpoint Sensor section, or some other settings? Note that generation of the specified event is optional (configurable in "Notifications"), and local and policy settings may differ.

I compared KES 10 SP2 with KES 11 beta. Same installed components, same policy configuration. With KES 10 SP2, I don't get the event, and with KES 11 beta I get it. If you want to take a look at the policies, you can do so. I attached them.

policys.zip

Hi,

Thank you for that info!

Could you please clarify whether this event appears once (after the policy is applied) or permanently?

Please provide us with KES traces collected while this event occurs and with GSI log.

Please collect GSI log after traces.

Thank you!

On 09.01.2018 at 23:05, Nikolay Arinchev said:

Could you please clarify whether this event appears once (after the policy is applied) or permanently?

This event appears only once.

On 09.01.2018 at 23:05, Nikolay Arinchev said:

Please provide us with KES traces collected while this event occurs and with GSI log.

In the current case I installed KES 11 beta on a computer where the agent is already installed. The event appears just after the installation. At this moment it isn't possible to enable traces.

For GSI and install logs, please refer to https://www.magentacloud.de/lnk/2tBZEhkD. There you'll find the KSC events of the device too. You'll see the event "The license entitles to use components that have not been installed" several times. That's why we installed and uninstalled KES several times.

I think the problem is the following. If you only read the following text, it's okay:

Non-installed components:    
BadUSB Attack Prevention
Endpoint Sensors
File Level Encryption
Full Disk Encryption
Bitlocker Management
User:     OBK.DOM\nimda (Active user)

All five components are not installed.

But in combination with "The license entitles to use components that have not been installed", it's irritating, because the Advanced License doesn't include Endpoint Sensors.

Kind regards,

OBK

3 hours ago, Nikolay Arinchev said:

Yes, Advanced license does not support that component, but it could be installed to be used with another type of license.

Okay, if you think that this behaviour is okay, you may close the topic.
