> Migrating Application Categories from SP1 to SP2 fails [2205111] [2178362]
Michel-B
post 15.05.2017 15:31
Post #1


Advanced Member I

Group: Members
Posts: 138
Joined: 29.06.2015
From: Netherlands




I've upgraded my KSC to 10.4.343 and now have issues with Application Startup Control. I understand this part has some significant changes to it and I had to recreate the policy, which is fine. The Application Categories I created did migrate to the new version so I used those when I built my new policy.

Now it turns out the whole component simply isn't working anymore because of some categories I've added. I'm using a White List setup but everything was whitelisted. Even executables and scripts that actually HIT the default deny rule were allowed.

How is this possible? And how do I use the categories I've created in the earlier versions? I suspect it has something to do with the fact I'm using an MD5 file hash as a condition, is this correct? If that's the case, I have a serious problem. I have hundreds of files added to my whitelist for this one company based on the MD5 file hash.
Kirill Tsapovsky
post 15.05.2017 16:00
Post #2


Technical Support Specialist

Group: KL Russia
Posts: 12271
Joined: 3.12.2013
From: Moscow




QUOTE(Michel-B @ 15.05.2017 14:31) *
I've upgraded my KSC to 10.4.343 and now have issues with Application Startup Control. I understand this part has some significant changes to it and I had to recreate the policy, which is fine. The Application Categories I created did migrate to the new version so I used those when I built my new policy.

Now it turns out the whole component simply isn't working anymore because of some categories I've added. I'm using a White List setup but everything was whitelisted. Even executables and scripts that actually HIT the default deny rule were allowed.

How is this possible? And how do I use the categories I've created in the earlier versions? I suspect it has something to do with the fact I'm using an MD5 file hash as a condition, is this correct? If that's the case, I have a serious problem. I have hundreds of files added to my whitelist for this one company based on the MD5 file hash.


Hello.

Due to the changes in file hash calculation between versions, certain categories might need to be recreated in order to work properly. Such categories will not show up when creating rules for KES SP2.

The white list issue might not be related however, in case you are using it in "Notify" mode, and not "Block" mode.

Thank you.


--------------------
In English: GSI report | AVZ report | KSC10 Traces | KES10 Traces | KSC9 Traces | KES8 Traces | klnagchk log
In Russian: GSI report | AVZ log | KSC10 Traces | KES10 Traces | KSC9 Traces | KES8 Traces | klnagchk utility report

Please evaluate support help by using the "Rating" option in the topic title!
Michel-B
post 15.05.2017 16:32
Post #3


Advanced Member I

Group: Members
Posts: 138
Joined: 29.06.2015
From: Netherlands




QUOTE(Kirill Tsapovsky @ 15.05.2017 14:00) *
Due to the changes in file hash calculation between versions, certain categories might need to be recreated in order to work properly. Such categories will not show up when creating rules for KES SP2.


This is a huge problem... I have literally hundreds of executables and scripts based on MD5 file hashes in there...

QUOTE
The white list issue might not be related however, in case you are using it in "Notify" mode, and not "Block" mode.


Sadly, no. I do have it set to Block.





I believe this is a bug in KSC that's been around for a while now. Please refer to this topic where a similar issue occurred: https://forum.kaspersky.com/index.php?showtopic=326757

I see now that, when I add a faulting category to a rule, the rule's name is displayed as 'Category is not defined' in KES and then breaks the entire module.
I also get the notification when the policy is applied:

Event type: Task settings error. Settings not applied

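As an added example (not code from this thread or from Kaspersky), a small model of the two problems discussed above: an MD5-based category that has to be rebuilt after the hash calculation changed, and a rule that points at a category which no longer resolves, which should fail closed instead of allowing everything. SHA-256 as the newer hash, the Category fields, the folder-prefix matching and the sample files are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

SAMPLE_FILES = {  # constructed sample files (path -> bytes), stand-ins for executables
    r"C:\Program Files\KMWE\kmwe_tool.exe": b"MZ\x90\x00KMWE sample executable",
    r"C:\Users\test\Downloads\unknown.exe": b"MZ\x90\x00not on any allow list",
}

@dataclass
class Category:
    name: str
    md5: set = field(default_factory=set)      # SP1-style condition used in the thread
    sha256: set = field(default_factory=set)   # assumed SP2-style hash condition
    folders: set = field(default_factory=set)  # "Application Folders" condition

def md5_category(name, files):
    """Build an SP1-style category: one MD5 condition per file."""
    return Category(name, md5={hashlib.md5(d).hexdigest() for d in files.values()})

def matches(cat, path, data):
    """True when the file satisfies any condition of the category."""
    if any(path.lower().startswith(f.lower()) for f in cat.folders):
        return True
    if cat.md5 and hashlib.md5(data).hexdigest() in cat.md5:
        return True
    return bool(cat.sha256) and hashlib.sha256(data).hexdigest() in cat.sha256

def migrate_md5_category(old, files):
    """Re-hash files still on disk; return new category and unresolved MD5 values."""
    by_md5 = {hashlib.md5(d).hexdigest(): d for d in files.values()}
    new = Category(old.name + " (migrated)", folders=set(old.folders))
    missing = set()
    for h in old.md5:
        if h in by_md5:
            new.sha256.add(hashlib.sha256(by_md5[h]).hexdigest())
        else:
            missing.add(h)  # no file left to re-hash: re-add by hand
    return new, missing

def evaluate(rules, categories, path, data, fail_closed=True):
    """Whitelist mode: allow only if an allow rule's category matches, else block.
    fail_closed=False reproduces the thread's failure mode for an undefined category."""
    for cat_name in rules:
        cat = categories.get(cat_name)
        if cat is None and not fail_closed:
            return "allow"  # broken rule disables the whole module
        if cat is not None and matches(cat, path, data):
            return "allow"
    return "block"
```

The unresolved MD5 set returned by the migration is the list of files that must be re-added manually, which is the inventory step the thread ends up needing.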
Kirill Tsapovsky
post 15.05.2017 16:58
Post #4


Technical Support Specialist

Group: KL Russia
Posts: 12271
Joined: 3.12.2013
From: Moscow




QUOTE(Michel-B @ 15.05.2017 15:32) *
This is a huge problem... I have literally hundreds of executables and scripts based on MD5 file hashes in there...



Sadly, no. I do have it set to Block.





I believe this is a bug in KSC that's been around for a while now. Please refer to this topic where a similar issue occurred: https://forum.kaspersky.com/index.php?showtopic=326757

I see now that, when I add a faulting category to a rule, the rule's name is displayed as 'Category is not defined' in KES and then breaks the entire module.
I also get the notification when the policy is applied:

Event type: Task settings error. Settings not applied


Please provide a screenshot of the entire properties section if possible.
Does this issue only occur when legacy categories are used in rules?

Thank you.


Michel-B
post 15.05.2017 17:45
Post #5


Advanced Member I

Group: Members
Posts: 138
Joined: 29.06.2015
From: Netherlands




Sadly, I can't really show the previous state anymore. In the meantime, I deleted the categories that showed up as 'Category is not defined' in KES and tried re-adding them.

In the screenshot below for example, you can see the category called KMWE Software SP1, but when I try to add this to the policy, it won't show up. I've created a new blank category named KMWE Software (without the SP1 in the name) and that does show up, but there's no way for me to copy all the items from the old category to the new one.





Now, I'm going to make it even stranger. In my SP2 policy I have removed all of my categories except for Trusted Updaters, Golden Image and a category I've created myself called Safe Folders. I've just created this category from scratch, it didn't exist before. Right now, I did change the action to Notify because I don't want to interfere with people.



In the Safe Folders category I've added the folders for Program Files.



Still, I'm getting all these events:





This happens on a lot of clients (not sure if it's on all), and I can see the policy has been applied to these clients.



Kirill Tsapovsky
post 15.05.2017 19:11
Post #6


Technical Support Specialist

Group: KL Russia
Posts: 12271
Joined: 3.12.2013
From: Moscow




In the scenario you describe in the previous post, the issue is different from the initial one. Please describe in more detail whether the applications that should be blocked are actually allowed, or vice versa, and under which condition this happens.

Thank you.


Michel-B
post 15.05.2017 21:46
Post #7


Advanced Member I

Group: Members
Posts: 138
Joined: 29.06.2015
From: Netherlands




QUOTE(Kirill Tsapovsky @ 15.05.2017 17:11) *
In the scenario you describe in the previous post, the issue is different from the initial one. Please describe in more detail whether the applications that should be blocked are actually allowed, or vice versa, and under which condition this happens.

Thank you.


Ok, let's focus on the last issue, since the first part is clearly bugged. I'll get back to that later.

A category with C:\Program Files\ and C:\Program Files (x86)\ added as Application Folders. I've also added a specific folder with an executable I use for testing just to be sure.
Example:







Like I said, I've changed it to notify for testing purposes, but it's still reported as blocked in notify mode.
Dmitry Eremeev
post 16.05.2017 02:05
Post #8


Technical Support Specialist

Group: KL Russia
Posts: 11392
Joined: 30.07.2014
From: Moscow




QUOTE(Michel-B @ 15.05.2017 20:46) *
Ok, let's focus on the last issue, since the first part is clearly bugged. I'll get back to that later.

A category with C:\Program Files\ and C:\Program Files (x86)\ added as Application Folders. I've also added a specific folder with an executable I use for testing just to be sure.
Example:







Like I said, I've changed it to notify for testing purposes, but it's still reported as blocked in notify mode.


Hello,

Please attach the klnagchk report from the host where the event occurred.
Thank you.


Michel-B
post 16.05.2017 09:54
Post #9


Advanced Member I

Group: Members
Posts: 138
Joined: 29.06.2015
From: Netherlands




I've sent a private message containing the logfile.
Kirill Tsapovsky
post 16.05.2017 11:56
Post #10


Technical Support Specialist

Group: KL Russia
Posts: 12271
Joined: 3.12.2013
From: Moscow




QUOTE(Michel-B @ 15.05.2017 20:46) *
Ok, let's focus on the last issue, since the first part is clearly bugged. I'll get back to that later.

A category with C:\Program Files\ and C:\Program Files (x86)\ added as Application Folders. I've also added a specific folder with an executable I use for testing just to be sure.
Example:







Like I said, I've changed it to notify for testing purposes, but it's still reported as blocked in notify mode.


Please provide the following data for investigation:

1. Export of the active policy
2. Export of local settings from KES host where the issue occurs
3. KES traces during the test application run

Thank you.


Michel-B
post 16.05.2017 12:08
Post #11


Advanced Member I

Group: Members
Posts: 138
Joined: 29.06.2015
From: Netherlands




Please check the private message.

Michel-B
post 18.05.2017 10:09
Post #12


Advanced Member I

Group: Members
Posts: 138
Joined: 29.06.2015
From: Netherlands




Any updates on this?
Dmitry Eremeev
post 18.05.2017 12:25
Post #13


Technical Support Specialist

Group: KL Russia
Posts: 11392
Joined: 30.07.2014
From: Moscow




QUOTE(Michel-B @ 18.05.2017 09:09) *
Any updates on this?


Hello,

Sorry for the late response.
Please send all collected information to the user
Thank you.


Michel-B
post 18.05.2017 14:49
Post #14


Advanced Member I

Group: Members
Posts: 138
Joined: 29.06.2015
From: Netherlands




QUOTE(Dmitry Eremeev @ 18.05.2017 10:25) *
Hello,

Sorry for the late response.
Please send all collected information to the user
Thank you.


I did. Please check the message I sent on 16-5 at 10:11.
Dmitry Eremeev
post 18.05.2017 16:34
Post #15


Technical Support Specialist

Group: KL Russia
Posts: 11392
Joined: 30.07.2014
From: Moscow




QUOTE(Michel-B @ 18.05.2017 13:49) *
I did. Please check the message I sent on 16-5 at 10:11.


Issue 2205111 was submitted.
Please wait for information from the developers.
Thank you.


Dmitry Eremeev
post 18.05.2017 18:07
Post #16


Technical Support Specialist

Group: KL Russia
Posts: 11392
Joined: 30.07.2014
From: Moscow




QUOTE(Michel-B @ 18.05.2017 13:49) *
I did. Please check the message I sent on 16-5 at 10:11.


Information from developers:

Category "Safe Folders" does not appear in KES traces.
Please collect KES traces since KES launch:
1. enable KES traces - http://support.kaspersky.com/9343
2. reboot the computer
3. reproduce the problem (get a notification about prohibited application)
4. disable KES traces.
Thank you.


Michel-B
post 19.05.2017 16:44
Post #17


Advanced Member I

Group: Members
Posts: 138
Joined: 29.06.2015
From: Netherlands




Done. You have a new message with a link to the traces.
Konstantin Anton...
post 19.05.2017 20:29
Post #18


Technical Support Engineer

Group: KL Russia
Posts: 4021
Joined: 2.12.2015




QUOTE(Michel-B @ 19.05.2017 15:44) *
Done. You have a new message with a link to the traces.

Hi,

Please send this link to this user - https://forum.kaspersky.com/index.php?showuser=488871

Thank you!


Michel-B
post 22.05.2017 09:55
Post #19


Advanced Member I

Group: Members
Posts: 138
Joined: 29.06.2015
From: Netherlands




I did that already; please check the message on 19.05.2017 14:43.
Ivan Ponomarev
post 22.05.2017 15:31
Post #20


Technical Support Engineer

Group: KL Russia
Posts: 1679
Joined: 8.07.2016
From: Moscow




QUOTE(Michel-B @ 22.05.2017 08:55) *
I did that already; please check the message on 19.05.2017 14:43.


We sent the new traces to the developers. We will inform you later, when we get an answer.

Thanks!

