[How to manage VMs, images, and slots via CLI in KATA SB [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

KATA Sandbox provides instruments to manage SB images, ISO files, and VM Slots number via CLI. For details, see below.

Slots

Sometimes, it is convenient to change a slot number via CLI. To do so, become a root user and run: 
/opt/kaspersky/sandbox/bin/sandbox-slots-setup <number of slots>

Change slots number via CLI

# /opt/kaspersky/sandbox/bin/sandbox-slots-setup 12

Images

ISOs can be managed using the sb-vm-iso tool.

# sb-vm-iso Usage:          --list-iso          --state [<iso-name>]          --install <iso-name>          --check-install <iso-name>          --remove <iso-name>          --add <iso-path>   # sb-vm-iso --list-iso {"iso": ["sandbox-images-centos7_x64-1.0.0.19888.x86_64.iso", "sandbox-images-win10_x64-1.1.0.18829-vl.x86_64.iso"]}

VMs

VM management is done using the sb-vms tool.

# sb-vms Usage:          --list-vms          --list-non-activated          --activate <vm_id> '[{"id": "<component-id>", "key": "<component-key>"}                                                                                                         ]'          --apply-all          --reset          --remove <vm_id>   # sb-vms --list-vms {"vms": [{"id": "CentOS7_x64-1.0.0.19888", "name": "CentOS7_x64-1.0.0.19888", "status": "installed", "description": ""}, {"id": "Win10_x64-1.1.0.18829", "name": "Win10_x64-1.1.0.18829", "status": "installed", "description": ""}]}

VMs removal using sb-vms tool

VMs removal

Counterintuitively, using IDs obtained by "sb-vms --list-vms" for "sb-vms --remove" doesn't work.

Obtain the IDs from kata_scanner etcd on Central node instead of using apt-settings-manager:

KATA 4.1

# apt-settings-manager get /configuration/kata_scanner | python -m json.tool | grep images -A5         "images": [             "CentOS7_x64",             "Win7_x64",             "Win10_x64",             "WinXP"          ],

To remove images one by one:

KATA 4.1 SB

# sb-vms --remove CentOS7_x64 # sb-vms --remove WinXP # sb-vms --remove Win7_x64 # sb-vms --remove Win10_x64

Same principle for 5.0: obtain the IDs from kata_scanner etcd on Central node using console-settings-updater :

KATA 5

# console-settings-updater get /kata/configuration/product/kata_scanner |  python3 -m json.tool | grep images -A6          "images": [             "Astra_x64",             "CentOS7_x64",             "Win7_x64",             "Win10_x64",             "WinXP"          ],

To remove images one by one:

KATA 5.0 SB

# sb-vms --remove Astra_x64 # sb-vms --remove CentOS7_x64 # sb-vms --remove WinXP # sb-vms --remove Win7_x64 # sb-vms --remove Win10_x64

[How to cancel PCN connection request KATA 5.x [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem Description

A PCN connection request got stuck in the "Waiting" status and doesn't result in failure. The reboot doesn't help. It can happen if, for example, a SCN IP was specified instead of PCN.

Solution

1. Run the following command as root:

   Cancel PCN connection request

   # console-settings-updater set /ipsec "{}"

2. Clear the browser cache. Reload the page. Alternatively, force the reload (Ctrl+F5 in FF).
3. The server status will revert to the Standalone solution.
4. Select the Distributed solution, specify the correct IP of PCN and retry to connect.

[How to change KATA SB Web Certificate [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Here's how to change web UI certificate for KATA SB. 

Create backup of original files with same rights as it was before (you can check them with ll /etc/nginx/ssl command)

cp -p /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.crt.orig   cp -p /etc/nginx/ssl/server.key  /etc/nginx/ssl/server.key.orig

• Replace original files

cat my_cert.crt > /etc/nginx/ssl/server.crt cat my_cert.key > /etc/nginx/ssl/server.key

• Restart nginx service

systemctl restart nginx.service

• Rights and owner of files should be the same

ll  /etc/nginx/ssl -rw-r----- 1 root klusers 1.5K Aug 11 2022 server.crt -rw------- 1 root root 1.7K Aug 11 2022 server.key

[YARA modules available on KATA CN [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

If you are writing your own rules for YARA engine on Central Node, you may need available modules in YARA and engine version.

Engine version is 3.7-3.11 in KATA 3.7.x

Engine version is 4.10 in KATA 4.1 and KATA 5.0

Here's the list of modules:

• tests
• pe
• elf
• math
• time
• pe_utils
• magic
• hash
• dotnet
• dex

For more info on modules, please refer to YARA documentation.

[How to force KATA Sandbox selfcheck [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

For KATA 3.7.2

You can force run Sandbox Healthcheck instead of waiting for 30 minutes' timeout. 

Step-by-step guide

1. Log into Sandbox Server via ssh.

2. To run checker, first you need to delete /var/tmp/sbtest file:

   rm /var/tmp/sbtest

3. Then run checker and wait until it finishes:

   /bin/su -c 'exec /opt/kaspersky/sandbox/libexec/utilities/checker.py -l /var/log/kaspersky/sandbox/checker/checker.log' -s /bin/sh kluser

4. Then on Central Node server run update_sandbox_status.py script:

   sudo -u kluser flock -w 1 /tmp/health_status_sandbox.lock python -B /opt/kaspersky/apt-base/libexec/health_status/update_sandbox_status.py

    

For KATA 4+ / 5+

On Central Node under root execute:

docker exec $(docker ps -q --filter name=kata_scanner) supervisorctl start update_sandbox_status

And after command's execution wait for 10-15 minutes and gather from SB file /var/tmp/sbtest (for Kaspersky support just in case).

[How to gather sandbox-debug-report from terminal [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This article is fully applicable to KSB 2.0 server as well

You may want to gather KATA Sandbox diagnostics via SSH, without accessing Web UI. Here's how to do it.

Step-by-step guide

Login to Sandbox via SSH and become root. Then, execute the command:

Produce collect

sb-logs --create '/tmp' '-7' chmod 777 /tmp/sandbox-debug-report*

sandbox-debug-report%timestamp%.tar.gz archive will be created in /tmp directory. Its name will be printed in the output, .e.g

/tmp/sandbox-debug-report.2022-12-13.2022-12-20.tar.gz

Use this full path as input for local scp to download it:

Retrieve using scp

scp admin@SB_IP:/tmp/path/to/sandbox-debug-report

[How to validate KATA Sandbox VM sizing and resources reservation [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

As stressed in the product documentation, Sandbox, which is deployed as a Virtual Machine, should have an exact sizing, violation of which may lead to various issues. The only parameter that can be varied is a CPU clock rate.

Common mistake

The most notable mistake regarding scaling up VM sandboxes is an attempt to make one huge Sandbox VM with two to four times the required RAM/CPU as dedicated resources.
Correct approach is to create a respective number of additional VMs and distribute these resources between them.

For example, if you want to double the performance of a KATA Sandbox VM instead of adding 15 more CPU cores and 32 more gigabytes of RAM to an existing Sandbox, you need to deploy a new Sandbox VM with the following resources:

• CPU: 15 cores, 2.1 GHz or higher
• RAM: 32 GB
• HDD volume: 300 GB
• Two network adapters with 1 Gbit/s data transfer rate

Virtual machine settings: 

1. Only VMware ESXi hypervisor is fully supported.
2. Nested virtualization is enabled
3. Supported VMware ESXi versions 6.5, 6.7U3 or 7.0 hypervisor. 
4. Entire CPU clock rate reserved. For a minimum CPU clock this means 12*2100=25200 MHz reserved. For a clock rate higher than 2.21Hz, use the following formula to calculate the entire CPU clock rate: 12 * <clock rate in MHz>.
5. Entire RAM reserved (32 GB).
6. Expose hardware assisted virtualization to the guest OS check box selected.
7. Latency Sensitivity option set to High.
8. No Secure Boot.
9. The maximum number of simultaneously running virtual machines set to 12.

Please note, these cannot be checked from a debug report or from inside of the VM, as these settings are configured in a hypervisor.

Checking VMX file

Obtain a .vmx file of the respective sandbox VM. Demo video showing how to locate a .vmx file. Note, that in this video the goal is to modify the .vmx, and we only need to access it for reading, therefore, there is no need to unregister a VM from inventory as done in video. All the following lines in .vmx file must match exactly with the following two exceptions: 

• For sched.cpu.min, the value can be higher than 25200, see formula above.
• Line uefi.secureBoot.enabled might be absent, which is OK.

Correct .vmx settings

numvcpus = "15" sched.cpu.units = "mhz" sched.cpu.min = "26400"   memSize = "32768" sched.mem.min = "32768"   vhv.enable = "TRUE" sched.cpu.latencySensitivity = "high" uefi.secureBoot.enabled = "FALSE" ethernet0.present = "TRUE" ethernet1.present = "TRUE"

Checking number of slots

• In the Sandbox web interface window, select the Administration section.
• In the Guest virtual machines group of settings, in the Maximum simultaneous VMs field, number of simultaneously running virtual machines must equal 12.

[How to install Sandbox VM images from command line [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This article is applicable to both KATA and Kaspersky Sandbox 1. It's not applicable to KSB2.

In certain cases (i.e. slow connection to Datacenter from Administrator workplace) it may be troublesome to upload VM images to fresh installed KATA Sandbox server. In such cases, you may prefer to transfer VM images to Sandbox via tools like WinSCP, and then install images via command line tools.

Step-by-step guide

 Images should be transferred to Sandbox. Files should be located in /var/opt/kaspersky/apt/files/ folder.

Then, execute the following commands:

sb-vm-iso --list-iso   sb-vm-iso --check-install path-to-vm-image.iso //use the paths from previous command output   sb-vm-iso --install path-to-vm-image.iso   sb-vms --apply-all

Please install VM images one by one, and not all at once, to avoid issues with disk space/RAM

If you use PuTTY to connect via SSH make sure in its settings → Connection → "Seconds between keepalives"  is set to for example 10.

Otherwise SSH session might drop due to timeout which will terminate active command.

[How to check KSN availability on KATA CN [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Sometimes you may need to check KSN servers availability and operation on KATA CN.

For KSN issues, there's a way to check specific hash for reputation:

1. Become root 

   sudo -i

2. Check specific hash for reputation by running the following command:

   for KATA 4.+ and 5.0:

   docker exec -it "$(docker ps | grep ksn_proxy| awk '{print $1}')" /opt/kaspersky/apt-ksn_proxy/sbin/ksn_client --ip 127.0.0.1 --hash 9C642C5B111EE85A6BCCFFC7AF896A51

   for KATA 5.1:

   docker exec -it "$(docker ps | grep ksn_proxy| awk '{print $1}')" /opt/kaspersky/apt-ksn-proxy/sbin/ksn_client --ip 127.0.0.1 --hash 9C642C5B111EE85A6BCCFFC7AF896A51

3. UnTrusted: means that KSN working properly. 

[How to manually select EDR agents list from KATA [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

You may want to obtain list of EDR agents ever connected to KATA.

Step-by-step guide

KATA 3.7+

1. Connect to Central Node via ssh, choose Technical support mode, become root:

   $ sudo -i

2. Execute command:

   sudo -u postgres psql antiapt -c "select * from agent_status;"

KATA 4.0/4.1/5.0/5.1

psql -U kluser -h 127.0.0.1 antiapt -c "select * from agent_status;"

All agents with only hostname, ip, last_packet_time columns can be exported this:

psql -U kluser -h 127.0.0.1 antiapt -c "select hostname,ip,last_packet_time from agent_status;" > /tmp/agents

Export all agents from SCNs connected to PCN execute

psql -U kluser -h 127.0.0.1 primarydb -c "select hostname,ip,last_packet_time from agent_status;" > /tmp/agents

Then open Excel and make import from Data -> From Text/CSV from /tmp/agents (download it to local computer first).

The resulting output will be the list of agents.

[How to reset KATA web Administrator password in KATA 5.0 [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem

No option to change Local Administrator/Cluster Administrator in pseudo-graphic menu available by default .

Solution

a) Upgrade to 5.1

b) Follow steps:

1. Download an archive with WHL packets.

2. Upload it to KATA CN to /tmp/change_password.zip

3. Extract (we have no unzip shipped by default):

   echo -e "import zipfile\nwith zipfile.ZipFile('/tmp/change_password.zip', 'r') as z:\n  z.extractall('/tmp/')" | python3

4. Become root:

   sudo su

5. Confirm this is a right node:

   docker ps | grep  kedr_database_server

6. Install installer patch:

   installer-1.0-py3-none-any.whl

   pip3 install --ignore-installed --no-deps /tmp/installer-1.0-py3-none-any.whl

7. Install docker_utils patch:

   docker_utils-1.0-py3-none-any.whl

   pip3 install --ignore-installed --no-deps /tmp/docker_utils-1.0-py3-none-any.whl

8. Restrict changing password to root: 

   which kata-web-admin-change-password | xargs chmod 754

9. Change password by running:

   kata-web-admin-change-password

10. Enter new password in the prompt, no confirmations or validation will be given

Selecting the correct node

Script must be executed on a node with kedr_database_server container, by default it is the processing one installed first, node2 in cluster.

In case it is executed on a wrong node, a hint will be given which is a right one.

[How to collect telemetry dump for load profile analysis [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Sometimes EDR agents generate more telemetry than anticipated. There's an option to tune telemetry collection via KEA bases, and in order to do it, telemetry profile, aka "topic-dump", is needed in ready-to-use format.

In order to collect telemetry, do the following:

1. Please do not run apt-sedr-reset before collecting topic dumps.

2. Execute the following command and wait till it finishes (it may take significant time to finish, depending on the telemetry flow):
   KATA 3.7:

   docker exec -it $(sudo docker ps | grep kafka1 | awk '{printf $1}') kafka-console-consumer.sh --bootstrap-server 127.0.0.1:9092 --from-beginning --property print.key=true --property key.separator="~" --max-messages 2000000 --timeout-ms 200000 --topic EndpointEnrichedEventsTopic | head -n -1 | gzip > /tmp/topic-dump.gz

   KATA 4.0/4.1/5.0/5.1:

   docker exec -it $(sudo docker ps | grep kafka\: | awk '{printf $1}') kafka-console-consumer.sh --bootstrap-server 127.0.0.1:9092 --from-beginning --property print.key=true --property key.separator="~" --max-messages 2000000 --timeout-ms 200000 --topic EndpointEnrichedEventsTopic | head -n -1 | gzip > /tmp/topic-dump.gz

3. Collect and provide to Kaspersky Support /tmp/topic-dump.gz

[How to export alerts from KATA to CSV [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Security officers may need raw alerts data from KATA for further processing in Excel/etc.

Here's how to export all alerts from KATA database to .csv file:

KATA 3.7.2

sudo -u postgres bash -c "psql -d antiapt -c \"COPY (SELECT * FROM all_alerts) TO '/tmp/kata_alerts.csv' (format csv, delimiter ';', header, encoding 'UTF8');\""

Instead of simply copying all alerts, administrator may export only last N alerts, or play around with SQL queries:

sudo -u postgres psql antiapt -c "copy (select * from all_alerts limit N) to '/tmp/test_oneliner1.csv' (format csv, header, encoding 'UTF8');"

For example, if a specific time interval is required, it can be done like this:

sudo -u postgres bash -c "psql -d antiapt -c \"COPY (SELECT * FROM all_alerts WHERE update_time BETWEEN '2021-04-19 21:36:11'::timestamp AND '2021-05-01 13:29:57'::timestamp) TO '/tmp/kata_alerts.csv' (format csv, delimiter ';', header, encoding 'UTF8');\""

NB! Sometimes, filenames may have \r\n EOL symbols, which may affect CSV import to Excel. You can change \r\n to \n via Notepad++ or any other text processor.

P.S. To export all connected/not connected endpoints you can execute:

sudo -u postgres bash -c "psql -d antiapt -c \"COPY (SELECT * FROM agent_status) TO '/tmp/agent_status.csv' (format csv, delimiter ';', header, encoding 'UTF8');\""

KATA 4.0/4.1/5.0/5.1

If the command above doesn't work or hangs, use the command below:

psql -U kluser -h 127.0.0.1 antiapt -c "select * from all_alerts;" > /tmp/all_alerts

Similar to previous, you can spice up the query to your taste, for example, to get time interval between now and then, execute:

psql -U kluser -h 127.0.0.1 antiapt -c "select * from all_alerts where update_time between '2021-04-19 21:36:11'::timestamp and now()::timestamp;" > /tmp/all_alerts

Then just open Excel and make import from Data -> From Text/CSV from /tmp/all_alerts (download it to local computer first).

[How to purge inactive devices [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

KATA doesn't have auto removal for inactive agents, and also it doesn't have support for VDI scenarios yet.

So if you have many VDI clients in use, they will quickly fill up the license.

Step-by-step guide

KATA 3.7.2

You can set up cron task to remove clients periodically, for example, this code will remove clients older than 3 days

sudo -u kluser psql antiapt -c "delete from agent_status where last_packet_time < (NOW() - INTERVAL '3 days');"

KATA 4.0/4.1/5.0

docker exec -it `docker ps | grep kedr_database_server | awk '{print $1}'` psql -U kluser antiapt -c "delete from agent_status where last_packet_time < (now() - interval '2 weeks');"

 It will delete 2 weeks old inactive agents.

[How to add/export multiple prevention rules to KATA/EDR [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

You may need to add a batch of prevention rules to KATA. To speed up the process, we have created a script sample.

Adding more than 1000 prevention rules will require additional PF to improve Web UI performance. Please contact technical support to get this PF.

Adding more than 5000 prevention rules is highly NOT recommended as it may result in drastic performance degradation on both CN and Endpoint Agent.

Step-by-step guide

Script sample. To run it, you need any machine with 2 pre-requisites:

1. sh or bash should be installed on the machine
2. machine should have access to KATA Web UI

To use the script, please place a file with hashes (each hash should be on new line in this file) near the script, and please fill in the variables required for script operation:

#Fill in your KATA IP or FQDN address KATA_IP=""   #Default port is 8443 KATA_PORT="8443" #You need Senior Security Officer account to add preventions USER="SSO" PASS=""

To run the script, pass the file with hashes as argument to the script:

sh add_prev.sh /path/to/file/with/hashes.txt

Once the script is completed, it may take 5-10 minutes for the preventions to appear in Web UI.

Export user's prevention rules from KATA 4.0/4.1/5.0

1) Under root execute:

docker exec -it `docker ps | grep kedr_database_server | awk '{print $1}'` psql -U kluser antiapt -c "select * from agent_prevention_settings;" > /tmp/prevention_rules

2) Then import /tmp/prevention_rules to Excel as Data > From Text/CSV

[How to collect logs from Chrome DevTool for KSC Web Console [KSC for Windows]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This is a small guide about Chrome Developer tools for collecting logs.

 1. Open the Chrome menu and select More tools → Developer tools or press Ctrl+Shift+I.

2. Temporarily ignore the opened sidebar and open KSC Web Console.

3. Sign in using correct credentials. Wait until the page loads. If the loading of the page takes too long, wait a minute before moving on to the next step.

4. On the DevTool sidebar, go to the Network tab. Press the Export HAR... button and save the file.

5. Also, you may save the log on the Console tab. Just right-click on a clear space and select Save as...

[How to disable mandatory amount of VM images KATA SB 4.1/5.0 [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

You may not want to use all 3 or 4 (depends on settings at web set) VMs in KATA 4.1/5.0 SB. If one of the VM images is not installed, there will be SB self-diagnostics error at the KATA web-interface. Usually it's WinXP image that gets excluded.

This article is applicable only to KATA 4.1/5.0

Images names for 4.1:

CentOS7_x64, WinXP, Win7_x64, Win10_x64

Images names for 5.0:

Astra_x64, CentOS7_x64, WinXP, Win7_x64, Win10_x64

KATA 4.1 sets

KATA 5.0 sets

Prior to do steps below ensure that this option is enabled (under Security officer)

Step-by-step guide

1. Execute the following command under root (this is example, you can choose VM images as it suits you)

   For 4.1

   apt-settings-manager set --merge /configuration/kata_scanner '{"sandbox": {"images": ["CentOS7_x64", "Win10_x64"]}}'

   For 5.0

   console-settings-updater set --merge /kata/configuration/product/kata_scanner '{"sandbox": {"images": ["Astra_x64", "Win7_x64", "Win10_x64"]}}'

2. Check that the settings have been applied: SB self-diagnostics error at KATA web-interface should disappear.
3. Check that SB processing works fine.

Consequences

You will see error under Administrator:

and under Security officer (in KATA 5.0)

No need to worry, as the workaround described has consequences.

[Encrypted machine is unable to boot into Windows after FDE [KES for Windows]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Version: KES 11.*

Scenario:

You're unable to boot into encrypted machine after FDE applied due to some problems with preboot agent or operating system. 

The the safest and one of the most trivial options to restore the data from encrypted hdd or decrypt it 'in place' is going through KES related ‘challenge-response’ procedure using another (i.e. proxy) machine with KES and FDE installed.

1. KSC 11
2. HostA with KES 11.1 (corrupted hdd with FDE policy applied)
3. HostB with KES 11.1  (recovery host)

* KES version should be the same or higher than the one used on the affected PC and with the same AES module, it should be managed by the same KSC server but initially without FDE policy applied.

Solution:

1. Disconnect encrypted hdd from HostA.

2. Connect encrypted drive to HostB as a secondary.
3. HostB is installed with KES and FDE but no FDE policy applied (DO NOT apply encryption policy to HostB once secondary hdd connected to avoid multiple encryption which will cause data corruption).

4. The following pop-up window will appear once attempt to access the encrypted hdd:

   

5. Save the file.

6. On KSC, find the HostB. Right-click its property -> click on "Grant access in offline mode" -> navigate to "Data Encryption" tab:

   

7. Browse and select the saved "challenge file".

8. You will be prompted to save the "response file".

9. At HostB KES console, you can see a notification at the bottom, click at notification and input the "response file" you saved from KSC.

10. You can access the encrypted hdd from HostB. Transfer all important data you want to restore to another backup drive or deploy Kaspersky FDE 'Decrypt all hard drives' policy to the proxy-computer (HostB) in order to decrypt the 'affected' drive connected as a secondary.

11. The previously encrypted hdd can be connected back to HostA as primary in case it was decrypted successfully and the disk is healthy. 

[KES public and private versions chart [KES for Windows]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Same info can be found here: http://support.kaspersky.ru/16010

Starting from version 11.5, some file versions, registry and file system paths may differ from the release version and refer to the product line version.

Release full build number	Product line number	GUID
12.3.0.493	21.15.8.493	{8409A30E-CDF7-4800-B389-FB0A8FB6CE2C}
12.2.0.462	21.14.5.462	{B524FBEF-035B-455E-AA3A-2ABA729C62F8}
12.1.0.506	21.13.5.506	{D8E156BC-0E64-47F7-8E4F-0DCD80F2A6D3}
12.0.0.465	21.9.6.465	{E70CCFE8-163C-4E2B-BC36-61B747DAD590}
11.11.0.452	21.8.5.452	{BF39B547-8E24-4E11-8179-183B2F7C83EB}
11.10.0.399	21.7.7.399	{305A9EC9-294E-4555-A7C5-E1C767E01C11}
11.9.0.351	21.6.7.351	{6BB76C8F-365E-4345-83ED-6D7AD612AF76}
11.8.0.384	21.5.11.384	{1F39E63E-3F9C-4E21-928B-136C6362E88B}
11.7.0.669	21.4.20.669	{F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}
11.6.0.394	21.3.10.394	{7EC66A9F-0A49-4DC0-A9E8-460333EA8013}
11.5.0.590	21.2.16.590	{7B437856-99E3-4F01-B31C-B5A26465C633}

[How to upgrade KATA 3.7.2 > 4.0 > 4.1 > 5.0 > 5.1 [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

In order to upgrade KATA from 3.7.2 to 4.0 > 4.1 > 5.0 > 5.1 please follow the manual below.

Step-by-step guide

Prior to PCN upgrade you have to disconnect all Sensors, SCNs and Sandboxes.

After upgrade Sandboxes and Sensors must be reinstalled, disconnected SCNs – upgrade to 4.0 and 4.1 and then reconnect them to PCN.

NB! Events database is not being transferred if you want to restore backup to new installation (e.g. new physical or virtual server). 

System requirements are the same for 3.7.2 and 4.0/4.1, so if 3.7.2 installation matches the requirements, you can upgrade keeping the same hardware/VM configuration.

For upgrade you don’t need .ktgz archives, only the ISO file.

Upgrade order described here. Information which is kept during upgrade. Contents of backup.

Pre-upgrade recommendations

This recommendation is optional for vanilla 3.7.2, and it's a must for 3.7.2 PF1

Before upgrading KATA 3.7.2 to KATA4, copy and run this script.

Run it as root:

python /var/opt/kaspersky/apt/files/kata4-preupgrade-checker.py

Expected result for vanilla 3.7.2:

In case any issues arise, please contact Kaspersky support, and provide script output as shown on screenshot above and this script log, the script shows log location upon completion: /data/kata4-preupgrade-checker.log

Upgrade order

• Create backup of CN and do the manual backup of /var/opt/kaspersky/apt-preprocessor/preprocessor.conf (from CN and sensors, especially if tuning was made at sensors).
• Mount installation ISO to KATA VM or boot from drive with ISO, if a server is physical.
• Select Install Kaspersky Anti Targeted Attack Platform.
• Select Disk marked as [upgrade] and press Enter.

• Select Upgrade and press Enter

• Select Upgrade again and press Enter

• Wait for the completion and check at WEB UI, that there are no errors / issues / etc.

  
  Storage migration is a lengthy procedure and may take many hours, depending on the installation. No visual indication of progress is provided, but it's not frozen.

• Perform a backup of 4.0
• The upgrade procedure from 4.0 up to 4.1 is pretty much the same, you have to map ISO and boot from it, select disk marked as [upgrade], proceed, make a backup of 4.1

Upgrade procedure from 4.1 to 5.0 is described here.

Before updating the product from version 4.1 to version 5.0, check which boot mode is used on the server (BIOS or UEFI). If UEFI is used, the update will fail. To avoid this, you need to update from a special KATA 5.0 image which can be provided by Kaspersky Support.

Before upgrade DISABLE NTP on 4.1

Information which is kept during upgrade.

     1) You can obtain file upgrade_preparation-1.0-py3-none-any.whl in kata-cn-5.0.0-5201-inst.x86_64_en-ru.iso, just mount it in Windows, go to support folder, copy this file and put it to /tmp  via WinSCP to your KATA 4.1.

    2) Proceed with steps described in Online help

• After mounting ISO and running from it you will be prompted to say y + ENTER to upgrade

• Then press ENTER, read EULA and select "I accept"

• Then you have two options: leave cluster and bridge/overlay subnets by default (just by pressing ENTER in windows below) or you can change them as you want (especially if these subnets crossover with your infrastructure subnets)

• Upgrade procedure can take a while, after that you'll be prompted to choose management interface, enter it's details again

• Enter password for admin

• Configure DNS servers and press ENTER

• Enable SPAN capturing by typing y or skip this step as n and press ENTER (you can do it later after upgrade).

• Don't forget to read this article, kindly pay attention to section "Special considerations for upgrading Kaspersky Anti Targeted Attack Platform from version 4.1 to version 5.0"
• After upgrade you have to perform initial configuration of KATA via web interface using admin (with Local administrator checkbox) credentials being set up during upgrade, please refer to https://support.kaspersky.com/KATA/5.0/en-US/242580.htm and https://support.kaspersky.com/KATA/5.0/en-US/240726.htm

Once the configuration is completed, it's possible to log in to Web UI as regular local admin: use Administrator/Administrator login and password, "Local administrator" checkbox must be enabled, too. Change the password for Administrator user and proceed with adding license, creating users etc.

Upgrade procedure from 5.0 to 5.1 is described here.

Step-by-step guide of upgrade is here.

Information kept during upgrade is here.

• According to KB you have to upload upgrade.tar.gz to /data/upgrade

• But first, you have to create this directory and set permissions to it to be able to upload upgrade package via WinSCP (in this example we use chmod 777 as an ultimate set of rights, you can use another set) 

  mkdir /data/upgrade chmod 777 /data/upgrade

• After that upload upgrade.tar.gz to /data/upgrade via WinSCP and unarchive it

  cd /data/upgrade tar xvf upgrade.tar.gz

• Give executive permissions to script install_kata_upgrade.sh and install pre-upgrade package

• Execute as root

  chmod +x /data/upgrade/install_kata_upgrade.sh sh install_kata_upgrade.sh

  You'll see this 

• And finally run upgrade (use admin user credentials which you use for ssh)

  kata-upgrade --data-dir /data/upgrade --user admin --password 'passw@rd'

• In a while you should receive message about successful upgrade  .

[How to create a user that has full rights to only one admin group and cannot see other managed groups [KSC for Windows]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

In this scenario we will create an internal user "test-user" on KSC who has permission on admin group "Virtualized" only, while couldn't view nor manage admin groups "servers" and "workstations".

Step-by-step guide

1. Take a backup from KSC admin server in order to make sure that incorrect changes will not impact your KSC.
2. Login to KSC admin server using admin account and go to KSC admin server →  Monitoring → Administration server →  Configure functionality displayed in user interface →  check the box Display security settings section.
3. Close KSC admin console and re-open it again in order to apply the feature.
4. Go to KSC admin server →  server properties →  security →  + internal user.
5. Don't assign Roles to the created user and only assign Rights.
6. The assigned Rights should be allow-all except Management of administration groups as per below.

7. Go to Managed devices →  properties →  security →  uncheck inherit settings →  assign the right to the user as per below.

8. For admin groups that the user will not manage (e.g. servers in this scenario).

9. For admin group that the user will manage (e.g. virtualized in this scenario).

10. Disconnect from KSC admin server and login to KSC console using the created user and you will find that he has access to only virtualized admin group as per below.

 

[How to collect KES11 traffic dump [KES for Windows]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This instruction is relevant only in case of troubleshooting incorrect loading or rendering of a web page.

In order to troubleshoot issues KES network traffic related issues traffic dump is required. It is easier to analyze and does not require third-party software installation. 

If reproduction of the issue requires the web browser to open web pages(such as web control non-working as expected, web page not loading, and so on), the tests should be performed in Incognito mode(also known as private browsing).

Chrome browser: Ctrl+Shift+N or you can start browser from terminal: & "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -incognito . Starting application from terminal will make launch key visible in traces and make diagnostic easier.

Firefox browser: Ctrl+Shift+P or you can start browser from terminal: & "C:\Program Files\Mozilla Firefox\firefox.exe" -private-window . Starting application from terminal will make launch key visible in traces and make diagnostic easier.

Microsoft Edge: Ctrl+Shift+P

Opera browser: Ctrl+Shift+N

KES11 Instructions

1. Disable KES11 Self-defense

2. Navigate to the following registry key:

   x86: HKLM\SOFTWARE\KasperskyLab\protected\KES\environment\ x64: HKLM\SOFTWARE\Wow6432Node\KasperskyLab\protected\KES\environment\

3. Create a string type value named DumpNetworkTraffic :

   DumpNetworkTraffic = (REG_SZ)"1"

4. Restart the product or reboot the host
5. Traffic dump files will be saved to %ProgramData%\Kaspersky Lab\KES\Data\traffic
6. Once the issue is reproduced compress the whole traffic directory
    

Do not forget to disable traffic dump collection. To do so delete DumpNetworkTraffic value.

[KSC Application registry doesn't clear information about deleted applications [KSC for Windows]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Application registry in KSC contains information about applications that was deleted. Reinstalling Network Agent on a workstation should solve a problem.

This behavior can be caused by per-user applications. You can alter how long network agent will retain information about applications on a managed workstation:

On a managed workstation :

1. Add a registry key:

   [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\NagentFlags]
   "KLINV_INV_PERUSER_APPS_CACHE_NONACTIVE_SIDS_LIFETIME_SEC"=dword:3600 

   This will make network agent to retain information about per-user applications up to an hour.
2. Restart network agent service.

After completing these changes information in Application registry will be deleted in a roughly 2 to 3 hours.

[KATA 4+ SSO problems for users with too many AD groups [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem

When user is added to a lot of AD groups, he may be unable to login to web interface of KATA via SSO.

Step-by-step guide

1. Modify /etc/opt/kaspersky/apt-swarm/swarm_config.json like this (set buffer_size to 65535 under uwsgi section - it's on bottom of the file)

     2.  Execute via SSH 

apt-settings-manager get /configuration/web_backend | python -m json.tool > /tmp/web_backend

    3.  vim /tmp/web_backend

    4. Find uwsgi and change value as per below, save file

"uwsgi": {

        "buffer_size": 65535,

        "cache2": [

    5. Put settings back

apt-settings-manager set /configuration/web_backend @/tmp/web_backend

   6. Execute

docker ps | grep nginx

Output will be similar like this: 39c125e0546e   kaspersky/kata/web/nginx_gateway:0e5fabb

Write down somewhere this value 39c125e0546e (yours will be different).

  7. Execute

docker exec -it 39c125e0546e bash echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf nginx -s reload exit

 8. Do the same (6-7) for container web_backend

 9. However, if containers web_backend and nginx_gateway will be restarted, changes in 6-7 will be lost, thus you can quickly put back settings like this:

docker exec -it `docker ps | grep web_backend | awk '{print $1}'` bash -c 'echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf && nginx -s reload'   docker exec -it `docker ps | grep nginx_gateway | awk '{print $1}'` bash -c 'echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf && nginx -s reload'

[How to burn KATA ISO on USB drive [KATA/KEDRE]]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Description and cautions

This is short article about how to burn KATA ISO on USB drive.

For KATA 4.0/4.1 you need 8Gb USD drive, for 5.0/5.1 - 16Gb at least.

3d party solutions are involved, therefore success is not guaranteed. Ventoy is more preferable working method.

 

Details

1. Download latest Rufus release or Ventoy, how to use Ventoy described here.
2. [Rufus part] Open it and select respective KATA ISO.
3. KATA 4.0/4.1 Rufus config should be like on screenshot below (Partition scheme GPT, Target system UEFI)

     

For KATA 5.0/5.1 (Partition scheme MBR, Target system BIOS or UEFI)

           

After clicking Start choose Write in DD image mode.