Thiago Saad

Anti-cryptor task not starting


Anticryptor is not working on Ubuntu 17.10 64-bit Desktop.

The task is stopped and manually starting it seems to have no effect.

How to reproduce:

1) Install the O.S.
2) Update the O.S.
3) Install build-essentials
4) dpkg -i kesl
5) Run the kesl-setup post-installation script
6) Fanotify is available and is used by KESL in my scenario
7) Run chmod a+X /var/opt/kaspersky /var/opt/kaspersky/kesl
8) Install klnagent64.deb
9) Run the post-install of klnagent
10) Install Samba
11) Create a share and confirm that it is reachable from another computer
12) Try to enable anti-cryptor through the local GUI, the CLI (kesl-control --start-task 13) or KSC

Traces 300 are collected during the attempt to start the task.

Please find traces, event.db and collect.tar.gz.


collect.tar.gz

New folder.zip


Hi Dmitry,

No, NFS Server is not installed nor configured.
Can you please tell me what the requirements for Anti-cryptor are?

I just followed the installation requisites in the release notes.

Software requirements:

  1. Supported operating systems:
      32-bit operating systems:
        * CentOS-6.9;
        * Debian GNU/Linux 8.9;
      64-bit operating systems:
        * Red Hat® Enterprise Linux® 7.4
        * CentOS-6.9
        * Ubuntu Server 16.04 LTS
        * Ubuntu Server 17.10 LTS
        * Debian GNU/Linux 8.9
        * Debian GNU/Linux 9.2
        * openSUSE® 42.3

  2. Perl interpreter: version 5.10 or higher (www.perl.org)
  3. Installed Which utility
  4. Installed packages for compiling applications (gcc, binutils, glibc, glibc-devel, make, ld),
     source code for the operating system kernel – for compiling modules of Kaspersky Endpoint Security 10 for Linux Beta
     in operating systems that do not support fanotify.
  5. Kaspersky Endpoint Security 10 for Linux Beta is compatible with Kaspersky Security Center 10 SP1 and Kaspersky Security Center 10 SP2.
     To ensure proper functioning of the Kaspersky Endpoint Security 10 for Linux Beta administration plug-in, Microsoft Visual C++ 2015 Redistributable Update 3 RC (https://www.microsoft.com/en-us/download/details.aspx?id=52685) must be installed.

Thanks in advance,


Hi Nikolay,

Anti-cryptor task is running after installing NFS-server and dependencies: keyutils{a} libnfsidmap2{a} libtirpc1{a} nfs-common{a} nfs-kernel-server rpcbind{a}.

But it seems that it is not protecting SMB shares.

Please find attached traces 300 during a successful attempt at encrypting a file using AEScrypt.

Also a new collect.

Thanks,

collect.tar.gz

kesl.661.2018-01-09T201638.log


Hi,

Quote:

But it seems that it is not protecting SMB shares.

Could you please describe the scenario you used to figure that out?

Thank you!


Hello!

Please do the following to check the anti-cryptor functionality:

1) Start the task with the command
kesl-control --start-task 13

or in the GUI.

2) After you start the task the network rules appear; you can check them with the command

iptables -nvL

Chain INPUT (policy ACCEPT 7 packets, 534 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139 NFQUEUE num 0
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445 NFQUEUE num 0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 104 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:139 NFQUEUE num 1
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:445 NFQUEUE num 1

There will be 4 times more rules if NFS is enabled.

3) It is necessary to create a network directory on the protected server. If you use SMB you need to add the following part to the config /etc/samba/smb.conf; the example here is the /tmp folder.

[tmp]
        comment = Guests
        path = /tmp
        public = yes
        writable = yes
        printable = no
        write list = +guest

Add the following to the [global] section
map to guest = bad user
if login without a password is needed.

And restart the service.

4) Create a file on the protected server
echo test > /tmp/achb_test.doc

Important! To reduce the number of detection events, the heuristic does not work for all file types, so we will use .doc files for the test.

5) On another system, for example Windows, download the aescrypt utility https://www.aescrypt.com/download/ and install it.

6) Mount the protected directory in Windows with the following commands, where <protected_server> is the IP address or network name of the machine where the product is installed.

net use \\<protected_server>\tmp
mklink /d  C:\tmp \\<protected_server>\tmp

7) Encrypt files
"c:\Program Files\AESCrypt\aescrypt.exe" -p 123 -e c:\tmp\achb_test*

8) The server will be blocked in several seconds.

Events can be found under Reports -> Anti-Cryptor.

9) You can look at the blocked machine with the command in the CLI on the protected server
kesl-control --get-blocked-hosts

You can unblock the host with the command
kesl-control --allow-hosts <ip_address>

Important! While the encrypted system is blocked, no network connections between it and the protected server are possible, so to unblock it you need a non-network connection, like the screen of the VM if one is used for the test, or physical access to the protected server or another host.

Thanks!

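Step 2 above is the one check that tells an administrator whether the Anti-Cryptor task actually took hold: the SMB ports 139 and 445 must be redirected to NFQUEUE in both INPUT (dpt) and OUTPUT (spt). The script below is an added example, not Kaspersky's or KESL's code; it parses the output of iptables -nvL and lists which of those four rules are absent. The healthy sample is the output quoted in the post; the second sample is constructed to look like a task that installed only the INPUT half.

```python
"""Check that the NFQUEUE rules KESL Anti-Cryptor adds for SMB are
present in `iptables -nvL` output.  Added example, not KESL's own code."""
import re

# Rules the thread shows after `kesl-control --start-task 13` (SMB only;
# the extra NFS rules are not checked because their ports are not listed).
EXPECTED_SMB_RULES = [
    ("INPUT", "dpt", 139),
    ("INPUT", "dpt", 445),
    ("OUTPUT", "spt", 139),
    ("OUTPUT", "spt", 445),
]

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
PORT_RE = re.compile(r"\b(dpt|spt):(\d+)\b")


def parse_iptables(text):
    """Return {chain: [rule dicts]} from `iptables -nvL` output.
    Each rule dict carries the target, protocol and any dpt/spt ports
    found in the match column."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("pkts"):
            continue  # column header or text before the first chain
        cols = line.split()
        if len(cols) < 9:
            continue  # not a rule row
        rule = {"target": cols[2], "prot": cols[3], "ports": {}}
        for kind, port in PORT_RE.findall(line):
            rule["ports"][kind] = int(port)
        chains[current].append(rule)
    return chains


def missing_anticryptor_rules(text):
    """List the (chain, direction, port) entries of EXPECTED_SMB_RULES
    that have no NFQUEUE rule in the given iptables output."""
    chains = parse_iptables(text)
    missing = []
    for chain, kind, port in EXPECTED_SMB_RULES:
        hits = [r for r in chains.get(chain, [])
                if r["target"] == "NFQUEUE" and r["prot"] == "tcp"
                and r["ports"].get(kind) == port]
        if not hits:
            missing.append((chain, kind, port))
    return missing


# Sample 1: the output quoted in the post (task running correctly).
HEALTHY = """
Chain INPUT (policy ACCEPT 7 packets, 534 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139 NFQUEUE num 0
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445 NFQUEUE num 0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 104 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:139 NFQUEUE num 1
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:445 NFQUEUE num 1
"""

# Sample 2: constructed output where only the INPUT rules exist.
HALF_INSTALLED = """
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139 NFQUEUE num 0
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445 NFQUEUE num 0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
"""

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("half", HALF_INSTALLED)):
        gaps = missing_anticryptor_rules(sample)
        print(name, "OK" if not gaps else "missing: %s" % gaps)
```

On a live server the same function can be fed the real output with `subprocess.check_output(["iptables", "-nvL"], text=True)`; an empty result means the SMB redirection is in place, and a non-empty one is the first thing to report before collecting traces.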

Hi Ivan,

Done the steps you recommended with no success:

1) AC is started, as you can see in collect.tar.gz
2) Iptables rules are different from yours, but if I'm not wrong this is about HB, not AC. Please correct me if I'm wrong and the AC relies on the firewall.
3) Done
4) Did not create a file with the same name, but with the same extension. As you can see attached.

Please find attached traces at DBG level during the successful encryption attempt (inside the collect), smb.conf, a new collect and also a screenshot of the encrypted files.

Achb.7z

files encrypted.png


Hello!

Please check if the /tmp folder can be accessed: right click - the option "share this folder" must be off.

After that please restart the anti cryptor task: kesl-control --stop-task 13 -W ; kesl-control --start-task 13

Thanks!

14 hours ago, Ivan.Ponomarev said:

Hello!

Please check if the /tmp folder can be accessed: right click - the option "share this folder" must be off.

After that please restart the anti cryptor task: kesl-control --stop-task 13 -W ; kesl-control --start-task 13

Thanks!

Hi!

If I understood you correctly, it is already like that, as you can see in the image.
I did not change anything.

Can you please explain it in another way if I misunderstood?

getfacl.txt

ls.txt


Hello,

please restart Anticryptor ( kesl-control --stop-task 13 -W ; kesl-control --start-task 13 ) and collect KES traces.

Thank you.

 


Hi,

We received  an answer from RnD team.

Samba or NFS server should be installed to make Anti-cryptor work. To make it work on the beta version, both of them.

Thank you!

On 23/01/2018 at 2:42 AM, Dmitry Eremeev said:

Hello,

please restart Anticryptor ( kesl-control --stop-task 13 -W ; kesl-control --start-task 13 ) and collect KES traces.

Thank you.

 

Hi,

Rebooted machine, restarted AC, tried once again and same result: File encrypted.

Please find attached traces during tentative of encryption.

kesl.576.2018-01-29T212440.7z


Update:

Seems like Heuristic Analysis was disabled for the Anti-cryptor task. But even after turning it on, the behavior is the same: files can be encrypted using AEScrypt and AC does not act as it is supposed to.

Manually changed the Anti-cryptor to use Heuristic Analysis and you can see the results:

By the way: the policy created by the KSC wizard leaves Heuristic Analysis of Anti-cryptor disabled by default.


Hi,

According to the traces, KES cannot find the shared resource which is specified in /etc/samba/smb.conf:

2018.01.29 21:24:48.214 3314     WRN     achb     Cannot find shareName for 1482668590, filename: ''

2018.01.29 21:24:42.039 3314     WRN     achb     Cannot find shareName for 1482668590, filename: 'Teste.doc'

There are 2 options:

1. This network share is opened via usershares.

2. You are trying to connect to, for example, //ip/netdir as //ip/Netdir. The Samba protocol is not case sensitive, but KES beta is.

Please make sure that the network share is specified in the same letter case as it is accessed.

Thank you!

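The two causes named in the last reply (a usershare that never appears in smb.conf, and a share requested under a different letter case than the one in the config) are both visible from the config file alone. The script below is an added example, not Kaspersky's, KESL's or Samba's code: it parses smb.conf with a minimal reader, then classifies a client-requested share name the way the case-sensitive beta would see it. The sample configs are constructed; the [tmp] section is the one from the earlier post, and "usershare max shares" is the real Samba parameter that enables usershares (its default of 0 disables them).

```python
"""Classify a requested SMB share name against smb.conf exactly as a
case-sensitive consumer would.  Added example, not KESL's or Samba's code."""

RESERVED_SECTIONS = {"global", "homes", "printers"}


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section_name: {key: value}}.
    Keys are lower-cased with collapsed whitespace (Samba treats them that
    way); section names keep their case, which is the point of the check."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or malformed line
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def usershares_enabled(sections):
    """Samba honours usershares only when 'usershare max shares' > 0."""
    raw = sections.get("global", {}).get("usershare max shares", "0")
    try:
        return int(raw) > 0
    except ValueError:
        return False


def check_share(conf_text, requested):
    """Return one of:
      'ok'                    exact (case-sensitive) match in smb.conf
      'case-mismatch:<name>'  the share exists, but only under other case
      'usershare'             not in smb.conf, but usershares are enabled
      'missing'               no such share anywhere"""
    sections = parse_smb_conf(conf_text)
    shares = {n: s for n, s in sections.items() if n not in RESERVED_SECTIONS}
    if requested in shares:
        return "ok"
    for name in shares:
        if name.lower() == requested.lower():
            return "case-mismatch:%s" % name
    if usershares_enabled(sections):
        return "usershare"
    return "missing"


# Constructed config: the [tmp] share from the thread, usershares disabled.
SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = bad user   ; needed for password-less login

[tmp]
        comment = Guests
        path = /tmp
        public = yes
        writable = yes
        printable = no
        write list = +guest
"""

# Constructed config: same, but usershares switched on in [global].
SMB_CONF_USERSHARES = SMB_CONF.replace(
    "   workgroup = WORKGROUP", "   workgroup = WORKGROUP\n   usershare max shares = 100")

if __name__ == "__main__":
    for name in ("tmp", "Tmp", "docs"):
        print("%-5s -> %s" % (name, check_share(SMB_CONF, name)))
    print("docs with usershares enabled ->", check_share(SMB_CONF_USERSHARES, "docs"))
```

A "case-mismatch" result reproduces the second cause exactly (the client path //ip/Tmp versus the config section [tmp]); a "usershare" result points at the first, since such shares live under the usershare path rather than in smb.conf and so never match a section name.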
