ak01

I added a firewall rule on top but it does not work: I exported the trusted appl exclusion rule and found some XML which describes the IP (is it possible to change something within the XML file to cover more than one IP?): <key name="0000"> <key name="V6"> <tQWORD name="Hi">0</tQWORD> <tQWORD name="Lo">0</tQWORD> <tDWORD name="Zone">0</tDWORD> <tSTRING name="ZoneStr"></tSTRING> </key> <tBYTE name="Version">4</tBYTE> <tDWORD name="V4">2130706433</tDWORD> </key>

Thank you for the suggestion. Does a firewall rule also apply in such a case (INC000012833838): 09:43:07.935 0x13dc ERR http ProxySession(245): traffic_processing::protocollers::http::pipeline::Http1Processor::ProcessData ResultCodeException - 0x8000004b (Unspecified error): Incorrect HTTP header. At C:\a\c\d_00000000\s\component\traffic_processing\source\protocollers\http\http_parser\http1\header_parser\header_parser.cpp(61) 09:43:07.935 0x13dc ERR trafmon ProxySession(245): traffic_processing::traffic_monitor::Session::OnDataReceived ResultCodeException - Failed to process data in high layer protocol: 0x8000004b (Unspecified error). At (0) 09:43:07.935 0x13dc INF trafmon ProxySession(245): TERMINATE connection

Currently, someone can only add single IPs as a remote IP (trusted Application → do not check network traffic to a specific remote IP): Could you please consider to be able to add IP ranges or IP subnets? This is the only way to exclude (old internal) websites, which do not use HTTP protocol as it is described within RFC standards. We have many old printers providing a configuration website which do not send a response header (no even 200 OK) on certain requests (KES blocks that).

Normally, this happens when a third party app has a lot of activity (the cpu utilization of java is also high) and KES monitors that. Normally, I would add that app (when it is legitimate and not malware) to the trusted applications (in KES for windows -> I do not know KES for Linux).

Have you added the NTUSER.dat exclusions stated in one of the first posts (above)? As fas as I know, KES self defense protects (it’s own) registry keys in HKCU.

Have you done that: https://support.kaspersky.com/ksc/12/en-US/92235.htm

Is there any task running (e.g. scheduled scan task)? You can have a look at this information when you start/install the KSWS console. Are there any other processes with higher CPU load (from my experience, these should be added to exclusions, as long as their legitimate software which was installed, so that the activity of these processes will not be scanned).

you can do a simple search (this does not recognize portable versions):

Which version/product are you using? You should use KSWS for servers (not KES or a home product). https://support.kaspersky.com/ksws11

but KSC does (can do ) this automatically?!

ADDKEY in https://support.kaspersky.com/11336

aber wie alexcd kenn ich so ein Verhalten auch nicht (haben auch viele Outlook 2010/13 und jetzt 2016 im Einsatz).

ok, dann ist das ein file locking?! Du könntest Outlook selbst als vertrauensw. Appl. definieren (und die Dateien, auf die es zugreift, nicht scannen)...

wir hatten einmal einen MS Techniker vor Ort, der dies meinte bzw.: https://www.msoutlook.info/question/virus-scanner-exclusion-recommendations KES hat ja auch eine MailAV Komponente (ein Outlook Plugin), ob dies dann dadurch auch ausgeschaltet wird, kann ich nicht sagen. Weiters gibt es ein Plugin für Exchange bzw. das Mail Gateway (AV Scan beim Eintritt in das Org- Netzwerk), dass Viren bereits zentral herausfiltert.

Hallo ich weiß nur, dass MS empfielt, OST/PST auszunehmen. Werden die Dateien in Quarantäne geschoben? Gibt es in den Reports Meldungen, warum diese Dateien angefasst werden (ist es an Malware Fund bzw. welche Komponente greift)?

I would just install the agent package from the new KSC on alle the computers (you can also start an agent install task on the new KSC but you need an AD user which has admin rights on the computers). You can only move computers from one KSC to the other if the original is still alive and the computers are connected to it

I think that’s why the HIPS windows does not show applications. You should activate (sorry, I just have it in german):

when you look at the properties of a computer object, do you see “executable files”? Could you please post the whole message above?

you could start procmon (sysinternals)to see which process is doing that change

You should look for the same application name as the Report messages states (this is sometimes not the exe). Maybe the application reporting is disabled as well….

Could you please add the application also under “Application rights” (mark as trusted, last screenshot above). How does the HIPS message/report in KES (local gui) look like?

Have you added it to the 2nd tab(trusted applications)? You can also do a manual recategorization in host intrustion module. From my experience, it could also be that the process which does the work/gets blocked is different from what gets started.

bei CF kann man das PW mittels UNLOCK_PASSWORD= angeben, dann muss man die Richtlinie nicht ändern (aber ich kenne keine Möglichkeit, dies beim Upgrade zu tun → ich mache immer eine vollständige Deinstallation, ohne Reboot weil nicht notwendig, und dann Neuinstallation von KSWS).

Have you tried to add all the checkpoint processes (maybe there are more of them in the background)? Are you speaking about KIS, for home? I only have experience with KES (Kaspersky Endpoint Security) for business and Checkpoint VPN.

We have KES11 and Checkpoint VPN client. So far it works. The only thing I know is that when CP VPN Client is installed first, KES cannot be installed (so KEs has to be installed first and after that the CP Client -> but that is an experience from former times). However I think that CP VPN Client can also block things and restrict things.