ak01
Members, Posts: 257
Everything posted by ak01
-
pf6008 also helps for us and fixes the problems mentioned.
-
Problem with KES 11.2 and server connection
ak01 replied to atreesrl's topic in Kaspersky Endpoint Security for Business
Same issues here. If you have a fix, I can test it (would test it). INC000011059789 -
Unfortunately, we have similar problems. What is the number of the private fix? I would like to request it.
-
KES11 events improvement suggestion
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
When I unlock some parts of KES (or turn it off by password), I get the following message:
28.11.2019 13:50:43 User name and password input Protection Kaspersky Endpoint Security for Windows COMPUTER\User - UserTypedIn Successful input View reports
Unfortunately, the host intrusion message is the same (blocked and allowed in same message). When I mark paint.net as untrusted (for testing), I only get this (information) message:
28.11.2019 13:51:12 Host Intrusion Prevention was triggered paint.net COMPUTER\User Blocked: Start Start Start -
KES11 events improvement suggestion
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
Seems to be implemented in KES11.2, which was launched lately. Thank you very much! -
KSC11 Web Console Windows Desktop Sharing possible?
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
OK, thank you. My fear is that when you remove the MMC console, the web console cannot cover all the daily administrative work since it does not have all the features yet. -
MDM Android Wifi 802.1x EAP-TLS
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
What do you think? Would it be possible to implement such a feature in the next KSC/KES4Mobile versions? -
KSC11 Web Console Windows Desktop Sharing possible?
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
Do you plan to implement that in the web console? What are the plans for the MMC console? -
KSC11 Web Console Windows Desktop Sharing possible?
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
Ok, sorry, bad explanation. Does web console (11.0.96, KSC version is 11.0.0.1131 Patch B) have a desktop sharing feature like mmc console? If yes, where can I find it? -
MDM Android Wifi 802.1x EAP-TLS
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
I had a look at the MDM features of KSC and noticed that iPhones can be configured to use 802.1x wifi and get a certificate from a company PKI. Android devices can only be configured with WPA2-PSK (preshared key). I guess this is because Android does not have an interface for that. However, you also support Samsung Knox and we currently have another MDM which supports configuring Samsung Android devices with WPA2-Enterprise (802.1x EAP-TLS) with Samsung Knox Standard (it is called like that within the GUI), so I guess that Samsung has an interface (API) included in Samsung Knox to do that. Could you please add that feature to Android (KES4Mobile)? -
KSC11 Web Console Windows Desktop Sharing possible?
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
Any news on that topic? I heard that Web Console should replace MMC console but from what I experienced until now, the web console does not have all the features compared to MMC console. The desktop sharing feature is just one example. Is the desktop sharing feature in MMC console a 100% Kaspersky feature or do you use any windows functionality (like bitlocker, image deployment, …)? -
KSC11 Web Console Windows Desktop Sharing possible?
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
I have not found a context menu or an option for Windows Desktop Sharing. Is this still possible? -
Slave servers vs. distribution points
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
You recommend to automatically assign distribution points, but I would rather do this manually (especially with sites with a few thousand clients, network segmentation, …). In that case, I can prevent for example that on the site, where the main KSC is installed, a distribution point is selected. Is it necessary to use multicasting with distribution points? What about sites which have several ip subnets/VLANs (segmentation) and no multicast routing enabled? Can a distribution point also work with unicasting? -
Slave servers vs. distribution points
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
So a distribution point can handle this amount of computers (about 5000) without a problem? However, I would use an existing windows server as distribution point (not a desktop pc). The aim is to have everything within one KSC including all events and all management (and not to maintain and update several KSC servers). On the other side, the WAN connections should not transmit all the data of all the computers (updates, installation packages, …). -
Slave servers vs. distribution points
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
We have some sites with max. a few thousand computers and have slave servers installed on each site. The problem is that all these slave servers have to be managed and updated and some parts are not inherited to the slave servers (e.g. installation packages -> have to be manually created on each slave server). We would like to solve that with distribution points for these sites in order to only manage one KSC server. Is this recommended for such sites (a few thousand computers, not more than 5000)? What are the disadvantages of distribution points compared to slave servers? -
KES11 events improvement suggestion
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
I have a suggestion concerning the report messages and their types in KES11. Especially I would like to divide a message into two so that one of them can be configured to be sent by mail and the other not.

For example, the message “Protection components are disabled” gets sent when a computer gets turned off (User: NT-AUTORITÄT\SYSTEM (System user)) and when a user turns it off. I would like to have two different message types, so that I can configure to get an e-mail when a specific user turns off KES (and not when the computer gets turned off -> too many mails!). Maybe you could put these two reasons into different categories (turn off -> Warning as is, user forcibly exited -> critical)?

The other message is “Host Intrusion Prevention was triggered”. This message is triggered a lot with “Result: Allowed” (when I configure it to be sent to KSC or by mail, this will congest KSC and my mailbox) but sometimes, there is a message with “Result: Blocked”, which would be interesting within the events on KSC and in my mailbox. So maybe you divide the two causes into two different messages, which can be differently configured (maybe also two different categories, Warning and Info).

Generally, I would like to have messages within the KSC event log whenever KES blocks something (e.g. host intrusion example above). Could you please consider/implement that when you work on the next KES version?

Examples:

User terminates KES:
16.09.2019 06:50:19 Protection components are disabled Protection Kaspersky Endpoint Security for Windows DOMAIN\username Some protection components are disabled
Application: Kaspersky Endpoint Security for Windows
User: DOMAIN\username (Active user)
Component: Protection
Result: Some protection components are disabled

Turn off computer:
16.09.2019 08:07:34 Protection components are disabled Protection Kaspersky Endpoint Security for Windows NT-AUTORITÄT\SYSTEM Some protection components are disabled
Application: Kaspersky Endpoint Security for Windows
User: NT-AUTORITÄT\SYSTEM (System user)
Component: Protection
Result: Some protection components are disabled

Host intrusion allowed (not wanted, too many messages!):
11.09.2019 08:40:50 Host Intrusion Prevention was triggered Google Chrome DOMAIN\username Allowed: Access to webcam Access to webcam Access to webcam
Application: Google Chrome
User: DOMAIN\username (Active user)
Component: Host Intrusion Prevention
Result: Allowed: Access to webcam
Action: Access to webcam
Reason: Access to webcam

Host intrusion blocked (wanted):
22.08.2019 11:41:54 Host Intrusion Prevention was triggered 60.8.0; 20190719-0953 [950894abee] DOMAIN\username Blocked: Access to webcam Access to webcam Access to webcam
Application: 60.8.0; 20190719-0953 [950894abee]
User: DOMAIN\username (Active user)
Component: Host Intrusion Prevention
Result: Blocked: Access to webcam
Action: Access to webcam
Reason: Access to webcam

Host intrusion allowed (not wanted, too many messages!):
19.08.2019 16:06:02 Host Intrusion Prevention was triggered Google Chrome DOMAIN\username Allowed: Access to webcam Access to webcam Access to webcam
Application: Google Chrome
User: DOMAIN\username (Active user)
Component: Host Intrusion Prevention
Result: Allowed: Access to webcam
Action: Access to webcam
Reason: Access to webcam -
Have a look at https://support.kaspersky.com/14856
-
I noticed that KES11 tries to connect sometimes to ds.kaspersky.com even when KSC is used as KSN proxy and the updates get downloaded from KSC (I checked the reports, it always uses Kaspersky Security Center as update source). Why is KES connecting to that specific URL? We have some PCs where users are logged in which do not have internet allowed (get a proxy authentication) and of course that triggers KES to bring up a proxy authentication message (for this URL). I have KSC 10.5.1781 and KES11.1.0.15919
-
KES11.1 ARP/MAC Spoof Feature
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
Any news on that? The change between different VLANs or LAN/Wifi still triggers that detection. LAN and Wifi are different VLANs with a different gateway (and MAC), so it seems that you monitor the MAC of the gateway. -
Any news on that? No change so far (the list of exceptions is still empty)?
-
KES11.1 ARP/MAC Spoof Feature
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
The other issue is when I switch between Wifi and LAN or between different VLANs (on LAN interface), especially when the gateway uses VRRP. Therefore, the gateway IP and MAC change and I think that this KES feature tracks that as well (I have to investigate that further). On every switch, I get one “network attack” message (with the gateway IP mentioned). -
KES11.1 ARP/MAC Spoof Feature
ak01 replied to ak01's topic in Kaspersky Endpoint Security for Business
I found the root cause: When you look into the reports on the local KES interface, there is additional information (MAC and IP of threat) -> why not on KSC? In my case, it is a QNAP NAS (with Linux on it) which is configured for bonding (mode: balance-alb).

“When a link is reconnected or a new slave joins the bond the receive traffic is redistributed among all active slaves in the bond by initiating ARP Replies with the selected mac address to each of the clients. The updelay parameter (detailed below) must be set to a value equal or greater than the switch's forwarding delay so that the ARP Replies sent to the peers will not be blocked by the switch.” https://wiki.linuxfoundation.org/networking/bonding

I also checked the ARP packets and sometimes, the NAS responds with the 2nd MAC (as described above). This triggers the network attack warning mentioned (because the ARP cache learned the 1st MAC -> it seems that this feature monitors ARP cache changes). The two MAC addresses are in my case upward (24-5E-BE-0A-83-EC and 24-5E-BE-0A-83-ED) so maybe this could be a workaround. Could you please consider also such use cases (teaming/bonding of NICs for servers which may use two MAC addresses for the same IP) so that this new ARP protection feature covers that as well? -
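The false positive described in the post above, as an added example (not part of the original post and not Kaspersky's implementation): a minimal ARP binding monitor that alerts on IP-to-MAC changes, with an explicit allowlist for bonded NICs. It follows the poster's guess that the feature watches ARP cache changes; the class and function names, the IP addresses and the gateway MACs are hypothetical, and the reply sequence is constructed.

```python
def norm(mac):
    """Normalize 24-5E-BE-0A-83-EC or 24:5e:be:0a:83:ec to one form."""
    return mac.replace("-", ":").lower()

class ArpMonitor:
    def __init__(self, bonded=None):
        # bonded: {ip: MACs that may legitimately answer for that IP}
        self.bonded = {ip: {norm(m) for m in macs}
                       for ip, macs in (bonded or {}).items()}
        self.cache = {}  # ip -> last accepted MAC

    def observe(self, ip, mac):
        """Classify one ARP reply: new, same, bond-member or ALERT."""
        mac = norm(mac)
        known = self.cache.get(ip)
        if known is None:
            self.cache[ip] = mac
            return "new"
        if mac == known:
            return "same"
        group = self.bonded.get(ip, set())
        if known in group and mac in group:
            # Both MACs belong to the same declared bond: accept the switch.
            self.cache[ip] = mac
            return "bond-member"
        # Keep the previously learned MAC so repeated replies keep alerting.
        return "ALERT"

# Constructed sample: documentation-range IPs; NAS MACs are those in the post.
NAS_IP, GW_IP = "192.0.2.10", "192.0.2.1"
NAS_BOND = {NAS_IP: {"24-5E-BE-0A-83-EC", "24-5E-BE-0A-83-ED"}}
REPLIES = [
    (NAS_IP, "24-5E-BE-0A-83-EC"),  # first MAC learned
    (NAS_IP, "24-5E-BE-0A-83-ED"),  # balance-alb answers with the 2nd MAC
    (NAS_IP, "24-5E-BE-0A-83-EC"),
    (GW_IP, "02-00-00-00-00-01"),   # constructed gateway MAC
    (GW_IP, "02-00-00-00-00-99"),   # constructed unexpected MAC for gateway
]

def run(bonded):
    mon = ArpMonitor(bonded)
    return [mon.observe(ip, mac) for ip, mac in REPLIES]

if __name__ == "__main__":
    print("no allowlist:  ", run({}))
    print("bond allowlist:", run(NAS_BOND))
```

The allowlist is keyed per IP and lists exact MACs rather than accepting any adjacent address, so an unexpected MAC for the gateway still alerts.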
The updates are done every hour, but so far no entries in "Anomaly Detection". I am using KSC10.5 PatchA and not KSC11. It worked with KES11.1Beta and KSC10.5 in the past.