Antipova Anna

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. If you are writing your own rules for YARA engine on Central Node, you may need available modules in YARA and engine version. Engine version is 3.7-3.11 in KATA 3.7.x Engine version is 4.10 in KATA 4.1 and KATA 5.0 Here's the list of modules: tests pe elf math time pe_utils magic hash dotnet dex For more info on modules, please refer to YARA documentation.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. For KATA 3.7.2 You can force run Sandbox Healthcheck instead of waiting for 30 minutes' timeout. Step-by-step guide Log into Sandbox Server via ssh. To run checker, first you need to delete /var/tmp/sbtest file: rm /var/tmp/sbtest Then run checker and wait until it finishes: /bin/su -c 'exec /opt/kaspersky/sandbox/libexec/utilities/checker.py -l /var/log/kaspersky/sandbox/checker/checker.log' -s /bin/sh kluser Then on Central Node server run update_sandbox_status.py script: sudo -u kluser flock -w 1 /tmp/health_status_sandbox.lock python -B /opt/kaspersky/apt-base/libexec/health_status/update_sandbox_status.py For KATA 4+ / 5+ On Central Node under root execute: docker exec $(docker ps -q --filter name=kata_scanner) supervisorctl start update_sandbox_status And after command's execution wait for 10-15 minutes and gather from SB file /var/tmp/sbtest (for Kaspersky support just in case).

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. This article is fully applicable to KSB 2.0 server as well You may want to gather KATA Sandbox diagnostics via SSH, without accessing Web UI. Here's how to do it. Step-by-step guide Login to Sandbox via SSH and become root. Then, execute the command: Produce collect sb-logs --create '/tmp' '-7' chmod 777 /tmp/sandbox-debug-report* sandbox-debug-report%timestamp%.tar.gz archive will be created in /tmp directory. Its name will be printed in the output, .e.g /tmp/sandbox-debug-report.2022-12-13.2022-12-20.tar.gz Use this full path as input for local scp to download it: Retrieve using scp scp admin@SB_IP:/tmp/path/to/sandbox-debug-report

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. As stressed in the product documentation, Sandbox, which is deployed as a Virtual Machine, should have an exact sizing, violation of which may lead to various issues. The only parameter that can be varied is a CPU clock rate. Common mistake The most notable mistake regarding scaling up VM sandboxes is an attempt to make one huge Sandbox VM with two to four times the required RAM/CPU as dedicated resources. Correct approach is to create a respective number of additional VMs and distribute these resources between them. For example, if you want to double the performance of a KATA Sandbox VM instead of adding 15 more CPU cores and 32 more gigabytes of RAM to an existing Sandbox, you need to deploy a new Sandbox VM with the following resources: CPU: 15 cores, 2.1 GHz or higher RAM: 32 GB HDD volume: 300 GB Two network adapters with 1 Gbit/s data transfer rate Virtual machine settings: Only VMware ESXi hypervisor is fully supported. Nested virtualization is enabled Supported VMware ESXi versions 6.5, 6.7U3 or 7.0 hypervisor. Entire CPU clock rate reserved. For a minimum CPU clock this means 12*2100=25200 MHz reserved. For a clock rate higher than 2.21Hz, use the following formula to calculate the entire CPU clock rate: 12 * <clock rate in MHz>. Entire RAM reserved (32 GB). Expose hardware assisted virtualization to the guest OS check box selected. Latency Sensitivity option set to High. No Secure Boot. The maximum number of simultaneously running virtual machines set to 12. Please note, these cannot be checked from a debug report or from inside of the VM, as these settings are configured in a hypervisor. Checking VMX file Obtain a .vmx file of the respective sandbox VM. Demo video showing how to locate a .vmx file. Note, that in this video the goal is to modify the .vmx, and we only need to access it for reading, therefore, there is no need to unregister a VM from inventory as done in video. All the following lines in .vmx file must match exactly with the following two exceptions: For sched.cpu.min, the value can be higher than 25200, see formula above. Line uefi.secureBoot.enabled might be absent, which is OK. Correct .vmx settings numvcpus = "15" sched.cpu.units = "mhz" sched.cpu.min = "26400" memSize = "32768" sched.mem.min = "32768" vhv.enable = "TRUE" sched.cpu.latencySensitivity = "high" uefi.secureBoot.enabled = "FALSE" ethernet0.present = "TRUE" ethernet1.present = "TRUE" Checking number of slots In the Sandbox web interface window, select the Administration section. In the Guest virtual machines group of settings, in the Maximum simultaneous VMs field, number of simultaneously running virtual machines must equal 12.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. This article is applicable to both KATA and Kaspersky Sandbox 1. It's not applicable to KSB2. In certain cases (i.e. slow connection to Datacenter from Administrator workplace) it may be troublesome to upload VM images to fresh installed KATA Sandbox server. In such cases, you may prefer to transfer VM images to Sandbox via tools like WinSCP, and then install images via command line tools. Step-by-step guide Images should be transferred to Sandbox. Files should be located in /var/opt/kaspersky/apt/files/ folder. Then, execute the following commands: sb-vm-iso --list-iso sb-vm-iso --check-install path-to-vm-image.iso //use the paths from previous command output sb-vm-iso --install path-to-vm-image.iso sb-vms --apply-all Please install VM images one by one, and not all at once, to avoid issues with disk space/RAM If you use PuTTY to connect via SSH make sure in its settings → Connection → "Seconds between keepalives" is set to for example 10. Otherwise SSH session might drop due to timeout which will terminate active command.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Sometimes you may need to check KSN servers availability and operation on KATA CN. For KSN issues, there's a way to check specific hash for reputation: Become root sudo -i Check specific hash for reputation by running the following command: for KATA 4.+ and 5.0: docker exec -it "$(docker ps | grep ksn_proxy| awk '{print $1}')" /opt/kaspersky/apt-ksn_proxy/sbin/ksn_client --ip 127.0.0.1 --hash 9C642C5B111EE85A6BCCFFC7AF896A51 for KATA 5.1: docker exec -it "$(docker ps | grep ksn_proxy| awk '{print $1}')" /opt/kaspersky/apt-ksn-proxy/sbin/ksn_client --ip 127.0.0.1 --hash 9C642C5B111EE85A6BCCFFC7AF896A51 UnTrusted: means that KSN working properly.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. You may want to obtain list of EDR agents ever connected to KATA. Step-by-step guide KATA 3.7+ Connect to Central Node via ssh, choose Technical support mode, become root: $ sudo -i Execute command: sudo -u postgres psql antiapt -c "select * from agent_status;" KATA 4.0/4.1/5.0/5.1 psql -U kluser -h 127.0.0.1 antiapt -c "select * from agent_status;" All agents with only hostname, ip, last_packet_time columns can be exported this: psql -U kluser -h 127.0.0.1 antiapt -c "select hostname,ip,last_packet_time from agent_status;" > /tmp/agents Export all agents from SCNs connected to PCN execute psql -U kluser -h 127.0.0.1 primarydb -c "select hostname,ip,last_packet_time from agent_status;" > /tmp/agents Then open Excel and make import from Data -> From Text/CSV from /tmp/agents (download it to local computer first). The resulting output will be the list of agents.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Problem No option to change Local Administrator/Cluster Administrator in pseudo-graphic menu available by default . Solution a) Upgrade to 5.1 b) Follow steps: Download an archive with WHL packets. Upload it to KATA CN to /tmp/change_password.zip Extract (we have no unzip shipped by default): echo -e "import zipfile\nwith zipfile.ZipFile('/tmp/change_password.zip', 'r') as z:\n z.extractall('/tmp/')" | python3 Become root: sudo su Confirm this is a right node: docker ps | grep kedr_database_server Install installer patch: installer-1.0-py3-none-any.whl pip3 install --ignore-installed --no-deps /tmp/installer-1.0-py3-none-any.whl Install docker_utils patch: docker_utils-1.0-py3-none-any.whl pip3 install --ignore-installed --no-deps /tmp/docker_utils-1.0-py3-none-any.whl Restrict changing password to root: which kata-web-admin-change-password | xargs chmod 754 Change password by running: kata-web-admin-change-password Enter new password in the prompt, no confirmations or validation will be given Selecting the correct node Script must be executed on a node with kedr_database_server container, by default it is the processing one installed first, node2 in cluster. In case it is executed on a wrong node, a hint will be given which is a right one.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Sometimes EDR agents generate more telemetry than anticipated. There's an option to tune telemetry collection via KEA bases, and in order to do it, telemetry profile, aka "topic-dump", is needed in ready-to-use format. In order to collect telemetry, do the following: Please do not run apt-sedr-reset before collecting topic dumps. Execute the following command and wait till it finishes (it may take significant time to finish, depending on the telemetry flow): KATA 3.7: docker exec -it $(sudo docker ps | grep kafka1 | awk '{printf $1}') kafka-console-consumer.sh --bootstrap-server 127.0.0.1:9092 --from-beginning --property print.key=true --property key.separator="~" --max-messages 2000000 --timeout-ms 200000 --topic EndpointEnrichedEventsTopic | head -n -1 | gzip > /tmp/topic-dump.gz KATA 4.0/4.1/5.0/5.1: docker exec -it $(sudo docker ps | grep kafka\: | awk '{printf $1}') kafka-console-consumer.sh --bootstrap-server 127.0.0.1:9092 --from-beginning --property print.key=true --property key.separator="~" --max-messages 2000000 --timeout-ms 200000 --topic EndpointEnrichedEventsTopic | head -n -1 | gzip > /tmp/topic-dump.gz Collect and provide to Kaspersky Support /tmp/topic-dump.gz

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Security officers may need raw alerts data from KATA for further processing in Excel/etc. Here's how to export all alerts from KATA database to .csv file: KATA 3.7.2 sudo -u postgres bash -c "psql -d antiapt -c \"COPY (SELECT * FROM all_alerts) TO '/tmp/kata_alerts.csv' (format csv, delimiter ';', header, encoding 'UTF8');\"" Instead of simply copying all alerts, administrator may export only last N alerts, or play around with SQL queries: sudo -u postgres psql antiapt -c "copy (select * from all_alerts limit N) to '/tmp/test_oneliner1.csv' (format csv, header, encoding 'UTF8');" For example, if a specific time interval is required, it can be done like this: sudo -u postgres bash -c "psql -d antiapt -c \"COPY (SELECT * FROM all_alerts WHERE update_time BETWEEN '2021-04-19 21:36:11'::timestamp AND '2021-05-01 13:29:57'::timestamp) TO '/tmp/kata_alerts.csv' (format csv, delimiter ';', header, encoding 'UTF8');\"" NB! Sometimes, filenames may have \r\n EOL symbols, which may affect CSV import to Excel. You can change \r\n to \n via Notepad++ or any other text processor. P.S. To export all connected/not connected endpoints you can execute: sudo -u postgres bash -c "psql -d antiapt -c \"COPY (SELECT * FROM agent_status) TO '/tmp/agent_status.csv' (format csv, delimiter ';', header, encoding 'UTF8');\"" KATA 4.0/4.1/5.0/5.1 If the command above doesn't work or hangs, use the command below: psql -U kluser -h 127.0.0.1 antiapt -c "select * from all_alerts;" > /tmp/all_alerts Similar to previous, you can spice up the query to your taste, for example, to get time interval between now and then, execute: psql -U kluser -h 127.0.0.1 antiapt -c "select * from all_alerts where update_time between '2021-04-19 21:36:11'::timestamp and now()::timestamp;" > /tmp/all_alerts Then just open Excel and make import from Data -> From Text/CSV from /tmp/all_alerts (download it to local computer first).

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. KATA doesn't have auto removal for inactive agents, and also it doesn't have support for VDI scenarios yet. So if you have many VDI clients in use, they will quickly fill up the license. Step-by-step guide KATA 3.7.2 You can set up cron task to remove clients periodically, for example, this code will remove clients older than 3 days sudo -u kluser psql antiapt -c "delete from agent_status where last_packet_time < (NOW() - INTERVAL '3 days');" KATA 4.0/4.1/5.0 docker exec -it `docker ps | grep kedr_database_server | awk '{print $1}'` psql -U kluser antiapt -c "delete from agent_status where last_packet_time < (now() - interval '2 weeks');" It will delete 2 weeks old inactive agents.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. You may need to add a batch of prevention rules to KATA. To speed up the process, we have created a script sample. Adding more than 1000 prevention rules will require additional PF to improve Web UI performance. Please contact technical support to get this PF. Adding more than 5000 prevention rules is highly NOT recommended as it may result in drastic performance degradation on both CN and Endpoint Agent. Step-by-step guide Script sample. To run it, you need any machine with 2 pre-requisites: sh or bash should be installed on the machine machine should have access to KATA Web UI To use the script, please place a file with hashes (each hash should be on new line in this file) near the script, and please fill in the variables required for script operation: #Fill in your KATA IP or FQDN address KATA_IP="" #Default port is 8443 KATA_PORT="8443" #You need Senior Security Officer account to add preventions USER="SSO" PASS="" To run the script, pass the file with hashes as argument to the script: sh add_prev.sh /path/to/file/with/hashes.txt Once the script is completed, it may take 5-10 minutes for the preventions to appear in Web UI. Export user's prevention rules from KATA 4.0/4.1/5.0 1) Under root execute: docker exec -it `docker ps | grep kedr_database_server | awk '{print $1}'` psql -U kluser antiapt -c "select * from agent_prevention_settings;" > /tmp/prevention_rules 2) Then import /tmp/prevention_rules to Excel as Data > From Text/CSV

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. This is a small guide about Chrome Developer tools for collecting logs. 1. Open the Chrome menu and select More tools → Developer tools or press Ctrl+Shift+I. 2. Temporarily ignore the opened sidebar and open KSC Web Console. 3. Sign in using correct credentials. Wait until the page loads. If the loading of the page takes too long, wait a minute before moving on to the next step. 4. On the DevTool sidebar, go to the Network tab. Press the Export HAR... button and save the file. 5. Also, you may save the log on the Console tab. Just right-click on a clear space and select Save as...

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. You may not want to use all 3 or 4 (depends on settings at web set) VMs in KATA 4.1/5.0 SB. If one of the VM images is not installed, there will be SB self-diagnostics error at the KATA web-interface. Usually it's WinXP image that gets excluded. This article is applicable only to KATA 4.1/5.0 Images names for 4.1: CentOS7_x64, WinXP, Win7_x64, Win10_x64 Images names for 5.0: Astra_x64, CentOS7_x64, WinXP, Win7_x64, Win10_x64 KATA 4.1 sets KATA 5.0 sets Prior to do steps below ensure that this option is enabled (under Security officer) Step-by-step guide Execute the following command under root (this is example, you can choose VM images as it suits you) For 4.1 apt-settings-manager set --merge /configuration/kata_scanner '{"sandbox": {"images": ["CentOS7_x64", "Win10_x64"]}}' For 5.0 console-settings-updater set --merge /kata/configuration/product/kata_scanner '{"sandbox": {"images": ["Astra_x64", "Win7_x64", "Win10_x64"]}}' Check that the settings have been applied: SB self-diagnostics error at KATA web-interface should disappear. Check that SB processing works fine. Consequences You will see error under Administrator: and under Security officer (in KATA 5.0) No need to worry, as the workaround described has consequences.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Version: KES 11.* Scenario: You're unable to boot into encrypted machine after FDE applied due to some problems with preboot agent or operating system. The the safest and one of the most trivial options to restore the data from encrypted hdd or decrypt it 'in place' is going through KES related ‘challenge-response’ procedure using another (i.e. proxy) machine with KES and FDE installed. KSC 11 HostA with KES 11.1 (corrupted hdd with FDE policy applied) HostB with KES 11.1 (recovery host) * KES version should be the same or higher than the one used on the affected PC and with the same AES module, it should be managed by the same KSC server but initially without FDE policy applied. Solution: Disconnect encrypted hdd from HostA. Connect encrypted drive to HostB as a secondary. HostB is installed with KES and FDE but no FDE policy applied (DO NOT apply encryption policy to HostB once secondary hdd connected to avoid multiple encryption which will cause data corruption). The following pop-up window will appear once attempt to access the encrypted hdd: Save the file. On KSC, find the HostB. Right-click its property -> click on "Grant access in offline mode" -> navigate to "Data Encryption" tab: Browse and select the saved "challenge file". You will be prompted to save the "response file". At HostB KES console, you can see a notification at the bottom, click at notification and input the "response file" you saved from KSC. You can access the encrypted hdd from HostB. Transfer all important data you want to restore to another backup drive or deploy Kaspersky FDE 'Decrypt all hard drives' policy to the proxy-computer (HostB) in order to decrypt the 'affected' drive connected as a secondary. The previously encrypted hdd can be connected back to HostA as primary in case it was decrypted successfully and the disk is healthy.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Same info can be found here: http://support.kaspersky.ru/16010 Starting from version 11.5, some file versions, registry and file system paths may differ from the release version and refer to the product line version. Release full build number Product line number GUID 12.3.0.493 21.15.8.493 {8409A30E-CDF7-4800-B389-FB0A8FB6CE2C} 12.2.0.462 21.14.5.462 {B524FBEF-035B-455E-AA3A-2ABA729C62F8} 12.1.0.506 21.13.5.506 {D8E156BC-0E64-47F7-8E4F-0DCD80F2A6D3} 12.0.0.465 21.9.6.465 {E70CCFE8-163C-4E2B-BC36-61B747DAD590} 11.11.0.452 21.8.5.452 {BF39B547-8E24-4E11-8179-183B2F7C83EB} 11.10.0.399 21.7.7.399 {305A9EC9-294E-4555-A7C5-E1C767E01C11} 11.9.0.351 21.6.7.351 {6BB76C8F-365E-4345-83ED-6D7AD612AF76} 11.8.0.384 21.5.11.384 {1F39E63E-3F9C-4E21-928B-136C6362E88B} 11.7.0.669 21.4.20.669 {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16} 11.6.0.394 21.3.10.394 {7EC66A9F-0A49-4DC0-A9E8-460333EA8013} 11.5.0.590 21.2.16.590 {7B437856-99E3-4F01-B31C-B5A26465C633}

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. In order to upgrade KATA from 3.7.2 to 4.0 > 4.1 > 5.0 > 5.1 please follow the manual below. Step-by-step guide Prior to PCN upgrade you have to disconnect all Sensors, SCNs and Sandboxes. After upgrade Sandboxes and Sensors must be reinstalled, disconnected SCNs – upgrade to 4.0 and 4.1 and then reconnect them to PCN. NB! Events database is not being transferred if you want to restore backup to new installation (e.g. new physical or virtual server). System requirements are the same for 3.7.2 and 4.0/4.1, so if 3.7.2 installation matches the requirements, you can upgrade keeping the same hardware/VM configuration. For upgrade you don’t need .ktgz archives, only the ISO file. Upgrade order described here. Information which is kept during upgrade. Contents of backup. Pre-upgrade recommendations This recommendation is optional for vanilla 3.7.2, and it's a must for 3.7.2 PF1 Before upgrading KATA 3.7.2 to KATA4, copy and run this script. Run it as root: python /var/opt/kaspersky/apt/files/kata4-preupgrade-checker.py Expected result for vanilla 3.7.2: In case any issues arise, please contact Kaspersky support, and provide script output as shown on screenshot above and this script log, the script shows log location upon completion: /data/kata4-preupgrade-checker.log Upgrade order Create backup of CN and do the manual backup of /var/opt/kaspersky/apt-preprocessor/preprocessor.conf (from CN and sensors, especially if tuning was made at sensors). Mount installation ISO to KATA VM or boot from drive with ISO, if a server is physical. Select Install Kaspersky Anti Targeted Attack Platform. Select Disk marked as [upgrade] and press Enter. Select Upgrade and press Enter Select Upgrade again and press Enter Wait for the completion and check at WEB UI, that there are no errors / issues / etc. Storage migration is a lengthy procedure and may take many hours, depending on the installation. No visual indication of progress is provided, but it's not frozen. Perform a backup of 4.0 The upgrade procedure from 4.0 up to 4.1 is pretty much the same, you have to map ISO and boot from it, select disk marked as [upgrade], proceed, make a backup of 4.1 Upgrade procedure from 4.1 to 5.0 is described here. Before updating the product from version 4.1 to version 5.0, check which boot mode is used on the server (BIOS or UEFI). If UEFI is used, the update will fail. To avoid this, you need to update from a special KATA 5.0 image which can be provided by Kaspersky Support. Before upgrade DISABLE NTP on 4.1 Information which is kept during upgrade. 1) You can obtain file upgrade_preparation-1.0-py3-none-any.whl in kata-cn-5.0.0-5201-inst.x86_64_en-ru.iso, just mount it in Windows, go to support folder, copy this file and put it to /tmp via WinSCP to your KATA 4.1. 2) Proceed with steps described in Online help After mounting ISO and running from it you will be prompted to say y + ENTER to upgrade Then press ENTER, read EULA and select "I accept" Then you have two options: leave cluster and bridge/overlay subnets by default (just by pressing ENTER in windows below) or you can change them as you want (especially if these subnets crossover with your infrastructure subnets) Upgrade procedure can take a while, after that you'll be prompted to choose management interface, enter it's details again Enter password for admin Configure DNS servers and press ENTER Enable SPAN capturing by typing y or skip this step as n and press ENTER (you can do it later after upgrade). Don't forget to read this article, kindly pay attention to section "Special considerations for upgrading Kaspersky Anti Targeted Attack Platform from version 4.1 to version 5.0" After upgrade you have to perform initial configuration of KATA via web interface using admin (with Local administrator checkbox) credentials being set up during upgrade, please refer to https://support.kaspersky.com/KATA/5.0/en-US/242580.htm and https://support.kaspersky.com/KATA/5.0/en-US/240726.htm Once the configuration is completed, it's possible to log in to Web UI as regular local admin: use Administrator/Administrator login and password, "Local administrator" checkbox must be enabled, too. Change the password for Administrator user and proceed with adding license, creating users etc. Upgrade procedure from 5.0 to 5.1 is described here. Step-by-step guide of upgrade is here. Information kept during upgrade is here. According to KB you have to upload upgrade.tar.gz to /data/upgrade But first, you have to create this directory and set permissions to it to be able to upload upgrade package via WinSCP (in this example we use chmod 777 as an ultimate set of rights, you can use another set) mkdir /data/upgrade chmod 777 /data/upgrade After that upload upgrade.tar.gz to /data/upgrade via WinSCP and unarchive it cd /data/upgrade tar xvf upgrade.tar.gz Give executive permissions to script install_kata_upgrade.sh and install pre-upgrade package Execute as root chmod +x /data/upgrade/install_kata_upgrade.sh sh install_kata_upgrade.sh You'll see this And finally run upgrade (use admin user credentials which you use for ssh) kata-upgrade --data-dir /data/upgrade --user admin --password 'passw@rd' In a while you should receive message about successful upgrade .

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. In this scenario we will create an internal user "test-user" on KSC who has permission on admin group "Virtualized" only, while couldn't view nor manage admin groups "servers" and "workstations". Step-by-step guide 1. Take a backup from KSC admin server in order to make sure that incorrect changes will not impact your KSC. 2. Login to KSC admin server using admin account and go to KSC admin server → Monitoring → Administration server → Configure functionality displayed in user interface → check the box Display security settings section. 3. Close KSC admin console and re-open it again in order to apply the feature. 4. Go to KSC admin server → server properties → security → + internal user. 5. Don't assign Roles to the created user and only assign Rights. 6. The assigned Rights should be allow-all except Management of administration groups as per below. 7. Go to Managed devices → properties → security → uncheck inherit settings → assign the right to the user as per below. 8. For admin groups that the user will not manage (e.g. servers in this scenario). 9. For admin group that the user will manage (e.g. virtualized in this scenario). 10. Disconnect from KSC admin server and login to KSC console using the created user and you will find that he has access to only virtualized admin group as per below.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. This instruction is relevant only in case of troubleshooting incorrect loading or rendering of a web page. In order to troubleshoot issues KES network traffic related issues traffic dump is required. It is easier to analyze and does not require third-party software installation. If reproduction of the issue requires the web browser to open web pages(such as web control non-working as expected, web page not loading, and so on), the tests should be performed in Incognito mode(also known as private browsing). Chrome browser: Ctrl+Shift+N or you can start browser from terminal: & "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -incognito . Starting application from terminal will make launch key visible in traces and make diagnostic easier. Firefox browser: Ctrl+Shift+P or you can start browser from terminal: & "C:\Program Files\Mozilla Firefox\firefox.exe" -private-window . Starting application from terminal will make launch key visible in traces and make diagnostic easier. Microsoft Edge: Ctrl+Shift+P Opera browser: Ctrl+Shift+N KES11 Instructions Disable KES11 Self-defense Navigate to the following registry key: x86: HKLM\SOFTWARE\KasperskyLab\protected\KES\environment\ x64: HKLM\SOFTWARE\Wow6432Node\KasperskyLab\protected\KES\environment\ Create a string type value named DumpNetworkTraffic : DumpNetworkTraffic = (REG_SZ)"1" Restart the product or reboot the host Traffic dump files will be saved to %ProgramData%\Kaspersky Lab\KES\Data\traffic Once the issue is reproduced compress the whole traffic directory Do not forget to disable traffic dump collection. To do so delete DumpNetworkTraffic value.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Application registry in KSC contains information about applications that was deleted. Reinstalling Network Agent on a workstation should solve a problem. This behavior can be caused by per-user applications. You can alter how long network agent will retain information about applications on a managed workstation: On a managed workstation : Add a registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\NagentFlags] "KLINV_INV_PERUSER_APPS_CACHE_NONACTIVE_SIDS_LIFETIME_SEC"=dword:3600 This will make network agent to retain information about per-user applications up to an hour. Restart network agent service. After completing these changes information in Application registry will be deleted in a roughly 2 to 3 hours.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Problem When user is added to a lot of AD groups, he may be unable to login to web interface of KATA via SSO. Step-by-step guide Modify /etc/opt/kaspersky/apt-swarm/swarm_config.json like this (set buffer_size to 65535 under uwsgi section - it's on bottom of the file) 2. Execute via SSH apt-settings-manager get /configuration/web_backend | python -m json.tool > /tmp/web_backend 3. vim /tmp/web_backend 4. Find uwsgi and change value as per below, save file "uwsgi": { "buffer_size": 65535, "cache2": [ 5. Put settings back apt-settings-manager set /configuration/web_backend @/tmp/web_backend 6. Execute docker ps | grep nginx Output will be similar like this: 39c125e0546e kaspersky/kata/web/nginx_gateway:0e5fabb Write down somewhere this value 39c125e0546e (yours will be different). 7. Execute docker exec -it 39c125e0546e bash echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf nginx -s reload exit 8. Do the same (6-7) for container web_backend 9. However, if containers web_backend and nginx_gateway will be restarted, changes in 6-7 will be lost, thus you can quickly put back settings like this: docker exec -it `docker ps | grep web_backend | awk '{print $1}'` bash -c 'echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf && nginx -s reload' docker exec -it `docker ps | grep nginx_gateway | awk '{print $1}'` bash -c 'echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf && nginx -s reload'

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Description and cautions This is short article about how to burn KATA ISO on USB drive. For KATA 4.0/4.1 you need 8Gb USD drive, for 5.0/5.1 - 16Gb at least. 3d party solutions are involved, therefore success is not guaranteed. Ventoy is more preferable working method. Details Download latest Rufus release or Ventoy, how to use Ventoy described here. [Rufus part] Open it and select respective KATA ISO. KATA 4.0/4.1 Rufus config should be like on screenshot below (Partition scheme GPT, Target system UEFI) For KATA 5.0/5.1 (Partition scheme MBR, Target system BIOS or UEFI) After clicking Start choose Write in DD image mode.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Sometimes, KATA Sandbox may suddenly stop functioning normally and throw a self-diagnostic error. This may be caused by snapshots corruption: as one of the troubleshooting steps, you may remove the latest VM snapshots, this is harmless procedure. Step-by-step guide Login to Sandbox via SSH and execute the following command: ls -l /vm/qemu/vms/ total 36 drwxrwx---+ 3 sandbox-core klusers 4096 Apr 19 16:42 Win10_x64-1555680939 //This is the folder with original VM image drwxrwxr--+ 6 sandbox-core klusers 4096 Apr 22 00:17 Win10_x64-1555680939_2019.04.22.1555880403 //This is a folder with VM snapshot drwxrwxr--+ 6 sandbox-core klusers 4096 Apr 23 00:18 Win10_x64-1555680939_2019.04.23.1555966815 //This is a folder with VM snapshot drwxrwx---+ 3 sandbox-core klusers 4096 Apr 19 16:34 Win7_x64-1555680478 //This is the folder with original VM image drwxrwxr--+ 6 sandbox-core klusers 4096 Apr 22 00:09 Win7_x64-1555680478_2019.04.22.1555880403 //This is a folder with VM snapshot drwxrwxr--+ 6 sandbox-core klusers 4096 Apr 23 00:11 Win7_x64-1555680478_2019.04.23.1555966815 //This is a folder with VM snapshot drwxrwx---+ 3 sandbox-core klusers 4096 Apr 19 16:27 WinXP-1555680293 //This is the folder with original VM image drwxrwxr--+ 5 sandbox-core klusers 4096 Apr 22 00:07 WinXP-1555680293_2019.04.22.1555880403 //This is a folder with VM snapshot drwxrwxr--+ 5 sandbox-core klusers 4096 Apr 23 00:08 WinXP-1555680293_2019.04.23.1555966815 //This is a folder with VM snapshot Remove the latest snapshots by date and restart the following services - KATA 3.7.2 : service sandbox-komilfo restart service sandbox-create-snapshot restart For KATA 4.0/4.1/5.0 - restart Sandbox

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. The article is giving a working configuration instructions for domain authentication by using NTLM and Kerberos protocols. NOTE: Domain authentication in OpenAPI over Kerberos protocol has the following restrictions: Administration Server address must be specified exactly as the address for which the Service Principal Name (SPN) is registered for domain account name. In the domain, you need to set the Service Principal Name (SPN) to publish the OpenAPI service on port 13299 for the machine with the Administration Server, the service of which is running under the name of the domain user <domain-user>. Kaspersky Security Center 13 Web Console user must be authenticated in Active Directory by using Kerberos protocol. Kerberos authentication should be allowed in web-browser. For details, refer to documentation of used web-browser. Details SPN - Service Principal Name Log in Domain Controller as Domain administrator. Open powershell as admin and run the following commands: Powershell setspn.exe -A HTTP/hostname-node-1.domain.local -u domain\user-ksc-service setspn.exe -A HTTP/hostname-node-2.domain.local -u domain\user-ksc-service Example setspn.exe -A HTTP/kscw-node-1.sales.lab -u sales\ksc setspn.exe -A HTTP/kscw-node-2.sales.lab -u sales\ksc setspn.exe -L -u sales\ksc #command for check spn records #Response Registered ServicePrincipalNames for CN=KSC Service,CN=Users,DC=sales,DC=lab: HTTP/kscw-node-1.sales.lab HTTP/kscw-node-2.sales.lab Enable Kerberos/NTLM authentication in web browsers Microsoft Edge \ Internet Explorer win + r => inetcpl.cpl Activate the Security tab. Select Local intranet and click Sites. In the opened dialog box click Advanced. Add the host name of Adaxes Web interface (e.g. host.company.com). Click Close and then click OK. Click Custom level. Navigate to Scripting and enable Active scripting. Navigate to User Authentication \ Logon. Select Automatic logon only in Intranet zone and click OK. Activate the Advanced tab. In the Settings list, navigate to the Security section. Select Enable Integrated Windows Authentication and click OK. Mozilla Firefox - https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication Launch Mozilla Firefox In the URL window, enter about:config and press Enter. In the filter text box, enter network.negotiate. Double-click the network.negotiate-auth.trusted-uris option and enter the host name of Adaxes Web interface (e.g. host.company.com). Repeat previous step for the network.negotiate-auth.delegation-uris option. Google Chrome Add the Software\Policies\Google\Chrome\AuthServerWhitelist key equal to *.<domain-name>.local to the registry Add the Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist key equal to *.<domain-name>.local to the registry

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Problem Some devices do not have keyboards, but still are detected with BadUSB. Step-by-step guide In order to allow them work properly use BadUSB on-screen keyboard, using other onscreen keyboards or physical ones is not recommended. To open BadUSB on-screen keyboard click on the highlighted text (example for Russian localization). Note that Prohibit use of On-Screen Keyboard for authorization of USB devices option should be turned off.