Everything posted by Antipova Anna
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

If you open KSC -> Advanced -> Application management -> Software Updates, there is a column Not assigned for installation (new version). Some computers may have this status or the Not assigned for installation status.

What does it mean?

Installation status Not assigned for installation means that the update is applicable to this host (as a minor upgrade), but no patch management task for this host has a rule that installs this update (the update doesn't match any rule in any patch management task for this host). The column Not assigned for installation shows the number of computers that have the installation status Not assigned for installation.

Installation status Not assigned for installation (new version) means that the update is applicable to this host (as a major upgrade, that is, a new version), but no patch management task for this host has a rule that installs this update (the update doesn't match any rule in any patch management task for this host). The column Not assigned for installation (new version) shows the number of computers that have the installation status Not assigned for installation (new version).

Some computers have the installation status Not assigned for installation. Should anything be done?

Yes. Such updates should be analyzed, and if they should be installed, the administrator should decide why the update should be installed and why it is not yet assigned for installation by any patch management task. If there is no patch management task at all, it must be created, etc.

- if this update should be installed because it fixes a vulnerability, then existing patch management tasks should probably have a rule to install all patches that fix vulnerabilities with a certain vulnerability rating (such a rule, installing all updates that fix Critical vulnerabilities, is created in the default patch management task);
- if an existing patch management task has a rule to install all manually approved updates (such a rule is also created by default in the default patch management task), then this update should be approved by the administrator (the update approval state should be changed to Approved);
- if this update is an MS update of type Critical Update or Security Update, then it should also be installed by default, and such a rule should be created for a task (such a rule is also created by default in the default patch management task by QSW);
- if you want to install, e.g., all patches for Java, or all updates published by "Adobe", appropriate rules can also be created, etc.;
- by default, major updates (which increase the major version) are not installed automatically; if you want to install major upgrades as well, the appropriate option should be set in the task properties; if major upgrades should be allowed for certain rules only (e.g., for Java updates or critical vulnerability fixes only), an additional patch management task should be created with appropriate rules, and the option to install major upgrades should be set for this task;
- the most inefficient way is to add certain updates to a rule with a direct list of updates to be installed; in certain test or emergency cases, for a small number of updates, this way can also be used, but in general it's better to use category-based rules (like those mentioned above), and for updates that do not match any common rule to use the approval mechanism (when the default rule to install all "approved" updates is present).

How to update all of the software in Software Updates for the clients?

In this rare case, a patch management task should exist in the root administration group, and it should have a rule that allows installing any applicable updates (except those with the "denied" approval state).
-
Problem

There is no mechanism to replace the client root certificate used for iOS MDM via a reserve certificate. That's why replacing the client root certificate used for iOS MDM will cause the iOS MDM server to lose synchronization with all devices. Details of the active certificate can be viewed in the properties of the iOS MDM server, on the "Certificates" tab.

Step-by-step guide

The iOS MDM Server Client Root certificate replacement procedure includes the following steps:

1) Back up the iOS MDM Server configuration via the kliosbackup utility:

    kliosbackup -backup(-restore) -path BACKUP_PATH [-pwd PASSWORD]

2) Back up the Kaspersky Security Center configuration via the klbackup utility or the 'Backup of Administration Server data' task.
3) Create a new certificate in the PKCS#12 format using the PKI infrastructure.
4) Submit the certificate to the klsetsrvcert tool in the same way as described in the online help articles for the corresponding Kaspersky Security Center version (for example, for KSC 14.2: https://support.kaspersky.com/KSC/14.2/en-US/227838.htm):

    klsetsrvcert -t MCA {-i <inputfile> [-p <password>] | -g <dnsname>} [-l <logfile>]

These actions will update the iOS MDM Server Client Root certificate. You can check C:\ProgramData\KasperskyLab\adminkit\1093\cert\klsrvmdm.cer to make sure that the new certificate has been installed.

Recommendations:

- Validity: up to 5 years
- Key length: 4096 bits (2048 bits is also possible, but for a five-year certificate it is still better to use 4096)
- Set the EKU (Extended Key Usage) of this certificate to Client Authentication

Automatic replacement of the client root certificate used for iOS MDM and issued through Administration Server tools has been implemented in KSC 12.2 and higher.
-
Problem Description

Error "Error 1181/0x91 ('System error 0x91 (The directory is not empty.)') occured while deleting directory 'C:\ProgramData\KasperskyLab\adminkit\1103'" when installing Network Agent. The error can be found on a screenshot.

How To Fix

Make sure that the folder 'C:\ProgramData\KasperskyLab\adminkit\1103' actually exists. If you can navigate to this folder in Explorer (with "Hidden items" enabled), try to delete or rename this folder and repeat the installation.

If you can't find this directory, try to navigate to the 'C:\ProgramData\KasperskyLab\adminkit' folder in the terminal (cmd) under the NT AUTHORITY\SYSTEM account. Then check its contents with the "dir" command. If the folder appears in the list, try deleting or renaming it. Here you will probably need one of the following CMD commands.

To remove the folder:

    rmdir /S /Q "C:\ProgramData\KasperskyLab\adminkit\1103"

To rename the folder:

    ren "C:\ProgramData\KasperskyLab\adminkit\1103" "1103_old"

Do not forget to perform all actions from an account that has local administrator rights on this computer, with elevated privileges (as Administrator) if UAC is used.
-
KSC13 introduced a feature that limits the frequent publication of events. If the event storage overflows on the Server, the most common event in the storage is calculated, and such events are blocked when published on hosts.

Problem:

- Machines have the status "Virus scan wasn't performed for a long time", but the "Virus scan" task was started recently.
- Events that occur on local hosts (KES) are not displayed on the administration server (KSC).

Cause:

KSC 13 has new functionality that limits the storage of frequent events. When the set event storage limit on the Administration Server is reached, the most frequently occurring event (in the database) is calculated and added to the block list. After that, the events that occur and are displayed on the KES hosts will be blocked when received by the server and will not appear in the storage.

This gives rise to a problem with updating host statuses on the server: since the event was not written to the database, server-side processing does not occur, and the host in the Managed group does not receive the status update.

Solution:

Since this problem is directly related to the storage and publication of events, it is first of all necessary to find out what causes the event store to overflow:

- Find out which events appeared in the block list of the Administration Server ("Managing frequent events blocking" article).

After finding out the cause of the overflow, the following can be done to fix the problem:

- Increase the number of events stored in the server database ("Setting the maximum number of events in the event repository").
- Set up event logging by deleting irrelevant events, thereby reducing the flow of events stored on the server.
- Clear the block list for events on the administration server ("Removing blocking of frequent events").
-
Dynamic hosts require more KSC resources than regular hosts. When a new host is connected to KSC (and a dynamic host is considered new), an icon and a new entry in the database are created, full synchronization with the agent is performed, and the host is moved to a group. When the host is deleted, all information about it is deleted as well. These operations consume a lot of KSC resources, while static hosts require them to be performed only once.

Recommended sizing (no more than 20 000 VDI hosts) may not be fully and correctly loaded. In industrial use, the following network lists are created for each icon:

- hardware
- installed software
- detected vulnerabilities
- events and lists of executable files of the Application control component.

The size of these lists directly affects KSC performance, as well as SQL server performance when performing internal procedures, and the load may grow non-linearly.

If the use of the solution with your policy settings, environment and virtual desktop properties shows moderate consumption of resources during standard operations, then the number of managed VDI hosts can be increased up to the limit of resources available in the current configuration. Consumption of 80% of memory and 75-80% of available cores is considered moderate.
-
Description and cautions

To replace the expiring certificate for mobile devices, you need to create a reserve certificate manually!

There is a problem with updating the certificate for mobile devices in KSC: the mechanism for issuing a reserve certificate, which should replace the main one after its expiration. While there is an automatic procedure for creating and replacing an expiring main KSC server certificate (klserver.cer), the reserve certificate for mobile devices (klsrvmob.cer2) must be issued manually.

Details

This is a simple procedure:

1) Open the Administration Server properties.
2) Select "Administration Server connection settings → Certificates".
3) Check the date when the current certificate expires.
4) Press the "Reissue..." button and select the "After this period expires" option.
5) Enter the number of days after which the new certificate will be applied. We recommend choosing at least 30 days so that all devices have time to contact the server and get the new certificate.
6) An additional field should appear in which the new certificate and the date of its application are indicated.
7) Additionally, you can check that the certificate was created in the directory "C:\ProgramData\KasperskyLab\adminkit\1093\cert".

You can also create a reserve certificate via the command line, using the klsetsrvcert utility with the "-t MR" option to generate a reserve certificate and "-f DD-MM-YYYY hh:mm" to specify the date of application of the new certificate.
-
Consider the following scenario:

- You have a large local area network 10.36.0.0/16.
- There is a managed device with the following IP config: IPv4 address 10.36.35.10 and subnet mask 255.255.255.0.
- You create a new subnet condition for the klnagent connection profile: 10.36.0.0/16.

Actual result: The connection profile is not applied to the managed device.

The reason for this behavior is the equality logic used by klnagent. It verifies whether the condition matches by comparing the current values of the IP address and subnet mask of a managed device:

- IP address 10.36.35.10 is within the 10.36.0.0/16 network.
- However, subnet mask 255.255.255.0 is not equal to 255.255.0.0 specified in the condition.

Solution: In order for the rule to work correctly, each 10.36.0.0/24 subnet (including 10.36.35.0/24) of the larger 10.36.0.0/16 network should be added as a condition.
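The matching rule described above, modelled as an added example (not Kaspersky code and not part of the original post): it reproduces the "address inside the network AND mask equal" check, then derives the conditions a fleet actually needs. The function names and the HOSTS list are constructed for illustration.

```python
import ipaddress


def condition_matches(host_ip, host_mask, condition):
    """Equality logic as the post describes it: the host address must lie in
    the condition's network AND the host's mask must equal the condition's."""
    cond = ipaddress.ip_network(condition, strict=True)
    iface = ipaddress.ip_interface("%s/%s" % (host_ip, host_mask))
    return iface.ip in cond and iface.network.netmask == cond.netmask


def conditions_for(supernet, host_prefix):
    """Every subnet of `supernet` at the prefix length the hosts really use."""
    net = ipaddress.ip_network(supernet, strict=True)
    if host_prefix < net.prefixlen:
        raise ValueError("host prefix /%d is shorter than %s" % (host_prefix, net))
    return [str(s) for s in net.subnets(new_prefix=host_prefix)]


def required_conditions(hosts, supernet):
    """Smallest condition list for a fleet: one entry per distinct interface
    network that falls inside `supernet` (hosts outside it are ignored)."""
    outer = ipaddress.ip_network(supernet, strict=True)
    nets = set()
    for ip, mask in hosts:
        net = ipaddress.ip_interface("%s/%s" % (ip, mask)).network
        if net.subnet_of(outer):
            nets.add(net)
    return [str(n) for n in sorted(nets)]


def unmatched_hosts(hosts, conditions):
    """Hosts that no condition would select under the equality logic."""
    return [(ip, mask) for ip, mask in hosts
            if not any(condition_matches(ip, mask, c) for c in conditions)]


# Constructed sample fleet (address, subnet mask); not data from the post.
HOSTS = [
    ("10.36.35.10", "255.255.255.0"),   # the device from the scenario
    ("10.36.200.7", "255.255.255.0"),
    ("10.36.1.20", "255.255.0.0"),      # interface really configured as /16
    ("10.37.0.5", "255.255.255.0"),     # outside 10.36.0.0/16
]

if __name__ == "__main__":
    print("single /16 condition misses:", unmatched_hosts(HOSTS, ["10.36.0.0/16"]))
    all_24 = conditions_for("10.36.0.0/16", 24)
    print("number of /24 conditions:", len(all_24))
    print("all /24 conditions still miss:", unmatched_hosts(HOSTS, all_24))
    print("conditions this fleet needs:", required_conditions(HOSTS, "10.36.0.0/16"))
```

Deriving the list from the masks the devices report avoids both gaps (a host configured with a different mask) and 256 blanket entries.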
-
Problem Description, Symptoms & Impact

KSC 14 is installed and everything is working fine except the backup task:

    Database is corrupted. One or more repositories are corrupted.

Workaround & Solution

The error may occur because of an operating system malfunction or an unexpected reboot of the system with disk caching enabled (for example, due to a power loss). This leads to the corruption of the Kaspersky Security Center repositories.

https://support.kaspersky.com/ksc13/troubleshooting/other/15975#block7

In the event log it can be found that some repositories are corrupted and can't be restored. It's suggested to restore KSC from an archive which was created before the issue appeared. If it doesn't help, reinstalling KSC may be needed.

What can be checked additionally?

You may also check the System event log for a large number of warnings, such as events 50 or 140. These events may be a sign of a file system problem.

If NTFS events such as Event ID 55, 50, 140, and 98 are logged, Microsoft suggests running the "chkdsk" utility. Because NTFS couldn't write data to the transaction log, this could affect the ability of NTFS to stop or roll back the operations in which the transaction data couldn't be written: https://learn.microsoft.com/en-us/troubleshoot/windows-server/backup-and-storage/troubleshoot-data-corruption-and-disk-errors#troubleshooting-event-id-55-and-98.
-
Klnagchk.exe is usually used to check whether the connection between the server and NAgent is OK. The expected result is the following:

    Attempting to connect to Administration Server...OK
    Attempting to connect to Network Agent...OK
    Network Agent is running.

In case of a problem with the klnagent service, Kaspersky Network Agent should be re-installed and a trace collected. If there is a problem with the connection to the Administration Server, this should be investigated as a network issue.

If klnagent fails to connect to the KSC Server over the SSL port 13000 (default), the following command can be used to switch to the non-SSL port (run as admin):

    klmover -address administrationserveraddressorIP -pn 14000 -nossl

It is worth checking beforehand that ports 13000 and 14000 are available from the affected managed device with telnet or the akconnect tool.

In case of the "Transport level error while connecting to KSCServername: SSL connection error, possibly a non-SSL port was used" error, it is recommended to use the openssl tool to check whether a TLS connection can be established:

    openssl s_client -connect KSCServername:13000 -tls1 > tls1check.txt

Example of openssl output when there is a problem with TLSv1 traffic:

    CONNECTED(000001F4)
    write:errno=10054
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 137 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1694581538
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no

    openssl s_client -connect KSCServername:13000 -tls1_2 >tls1_2check.txt

Example of openssl output when there is a problem with TLSv1.2 traffic:

    CONNECTED(000001F4)
    write:errno=0
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 227 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1694581395
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no

This means that TLS traffic is blocked by some software/hardware in the network. It is not possible to connect managed hosts to the KSC Server over SSL until the problem is fixed by your network infrastructure team.

There is a common misconception about the Network Agent statistical data section and how to read it, though.

klnagchk.log excerpt:

    1  ...
    2  Network Agent statistical data:
    3  Total number of synchronization requests: 184
    4  The number of successful synchronization requests: 184
    5  Total number of synchronizations: 1
    6  The number of successful synchronizations: 1
    7  ...

Lines 3 and 4 show how many heartbeats were sent since the nagent service started. Lines 5 and 6 show how many non-group synchronizations took place. When analyzing the connection between KSC and NAgent, usually only the numbers on lines 3 and 4 matter. In other words, no synchronization of the policy is performed if the policy is not changed. The policy is synchronized when the KSC administrator makes some changes to the policy settings.

Note that the Total number of synchronizations counter is increased when the administrator opens the properties of a managed host→all tasks and forces the synchronization.

Linux NAgent output:

    Starting klnagchk utility
    Checking command-line arguments...OK
    Initializing basic libraries...OK
    Current host is 'kesl11.ksc'
    Network agent version is '11.0.0.29'
    Reading settings...OK
    Checking settings...OK
    Administration Agent settings:
      Server address: '10.67.152.24'
      Use SSL: 1
      Compress traffic: 1
      Server SSL ports: '13000'
      Server ports: '14000'
      Use proxy: 0
      Certificate: present
      Open UDP port: 1
      UDP ports: '15000'
      Ping period, minutes: 15
      Conn timeout, s: 30
      RW timeout, s: 180
      HostId: bb8e4bdf-0483-490c-a9fd-3654a319e259
    Connecting to server...OK
    Connecting to the Administration Agent...OK
    Administration Agent is running
    Acquire Administration Agent statistics...OK
    Administration Agent statistics:
      Ping count: 1
      Succ. pings: 1
      Sync count: 1
      Succ. syncs: 1
      Last ping:04/16/2021 11:03:28 AM GMT (04/16/2021 02:03:28 PM)
    Deinitializing basic libraries...OK

macOS NAgent output:

    Starting klnagchk utility
    Checking command-line arguments...OK
    Initializing basic libraries...OK
    Current host is 'kesmac-bigsur-11.0.shared'
    Network agent version is '12.0.0.77'
    Reading settings...OK
    Checking settings...OK
    Administration Agent settings:
      Server address: '10.211.55.34'
      Use SSL: 1
      Compress traffic: 1
      Server SSL ports: '13000'
      Server ports: '14000'
      Use proxy: 0
      Certificate: present
      Open UDP port: 1
      UDP ports: '15000'
      Ping period, minutes: 15
      Conn timeout, s: 30
      RW timeout, s: 180
      HostId: 6c795a48-5217-4af7-9656-3e7d6d93ca3a
    Connecting to server...OK
    Connecting to the Administration Agent...OK
    Administration Agent is running
    Acquire Administration Agent statistics...OK
    Administration Agent statistics:
      Ping count: 0
      Succ. pings: 0
      Sync count: 0
      Succ. syncs: 0
      Last ping:04/06/21 08:41:24 GMT (04/06/21 11:41:24)
    Deinitializing basic libraries...OK
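Reading the saved tls1check.txt / tls1_2check.txt files from the openssl check in this post can be automated. The following is an added example, not part of the original post or of any Kaspersky tool: it classifies s_client output by the fields that actually indicate a blocked handshake. The two failing samples are abridged from the outputs shown above; the successful sample and the host name ksc.example.test are constructed.

```python
import re

_HANDSHAKE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
_CIPHER = re.compile(r"^New, (\S+), Cipher is (\S+)", re.M)
_ERRNO = re.compile(r"^(?:write|read):errno=(\d+)", re.M)
_PROTOCOL = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_RESET = (10054, 104)  # WSAECONNRESET on Windows, ECONNRESET on Linux


def parse_s_client(text):
    """Extract the fields that matter from saved `openssl s_client` output."""
    hs = _HANDSHAKE.search(text)
    cipher = _CIPHER.search(text)
    errno = _ERRNO.search(text)
    proto = _PROTOCOL.search(text)
    return {
        "tcp_connected": "CONNECTED(" in text,
        "bytes_read": int(hs.group(1)) if hs else None,
        "bytes_written": int(hs.group(2)) if hs else None,
        "peer_certificate": "Server certificate" in text
        and "no peer certificate available" not in text,
        "cipher": cipher.group(2) if cipher and cipher.group(2) != "(NONE)" else None,
        "protocol": proto.group(1) if proto else None,
        "errno": int(errno.group(1)) if errno else None,
    }


def verdict(text):
    """Classify the attempt. 'Verification: OK' and 'Verify return code: 0 (ok)'
    are ignored on purpose: both failing outputs on this page contain them."""
    f = parse_s_client(text)
    if not f["tcp_connected"]:
        return "tcp-unreachable"      # check the port first (telnet/akconnect)
    if f["cipher"] and f["peer_certificate"]:
        return "tls-ok"
    if f["bytes_read"] == 0:
        # ClientHello was sent, nothing came back: reset by a device on the
        # path, or the connection was closed without an error code.
        return "tls-blocked-reset" if f["errno"] in _RESET else "tls-blocked-closed"
    return "inconclusive"


# Abridged from the two failing outputs shown in this post.
_FAILED = """CONNECTED(000001F4)
write:errno={errno}
---
no peer certificate available
---
SSL handshake has read 0 bytes and written {written} bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : {proto}
    Cipher    : 0000
    Verify return code: 0 (ok)
"""
PAGE_TLS1 = _FAILED.format(errno=10054, written=137, proto="TLSv1")
PAGE_TLS12 = _FAILED.format(errno=0, written=227, proto="TLSv1.2")

# Constructed sample of a handshake that completes.
CONSTRUCTED_OK = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ksc.example.test
---
Server certificate
subject=CN = ksc.example.test
---
SSL handshake has read 1421 bytes and written 403 bytes
Verification error: self-signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

if __name__ == "__main__":
    for name, sample in (("tls1", PAGE_TLS1), ("tls1_2", PAGE_TLS12),
                         ("ok", CONSTRUCTED_OK)):
        print(name, verdict(sample), parse_s_client(sample))
```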
-
These errors appear when the remote installation task of NAgent or KES with NAgent was created with the Assign package installation in Active Directory group policies option selected.

At the first startup, such tasks run under the account specified in the New Task Wizard. If that user has access rights for creating domain policies and groups, the task will be completed successfully, and a "GPO" and a "Security Group" with the target computers will be created on the domain controller.

When deleting this task, the user credentials entered in the task settings are used. If they have been changed, or if the task is being deleted by another user who does not have sufficient rights in the domain, or if the user who created the task has lost its rights, the following errors will occur:

Error in EventLog

    Failed to delete group policy object 'LDAP://CN={1DEE8F3C-F36F-4FF7-8E18-01C83D482A44},CN=Policies,CN=System,DC=bn,DC=loc': 'System error 0x52E (The user name or password is incorrect.)'

Error in EventLog

    Failed to delete group policy object 'LDAP://CN={1DEE8F3C-F36F-4FF7-8E18-01C83D482A44},CN=Policies,CN=System,DC=bn,DC=loc': 'Access is denied.'

To fix it, you need to change the user in the task settings to one with sufficient rights to delete the "GPO" and "Security Group" on the domain controller.
-
When troubleshooting typical KSC issues, you will likely need to check the availability of TCP port 13000 on the KSC Server. Both the telnet and akconnect tools can be used to achieve this.

The syntax is very simple:

    akconnect host port

Examples:

    akconnect.exe 192.168.1.19 13000 >akconnectoutput.txt
    telnet 192.168.1.19 13000 >telnetoutput.txt

Where 192.168.1.19 is the IP address or DNS name of the KSC Server and 13000 is the port number. Results will be logged to .txt files that should be sent to Kaspersky support for verification.

Please be advised that telnet is not installed by default in recent versions of Windows. You can add it using appwiz.cpl→Add feature.

You can download the akconnect utility here.
-
Make sure the network agent of KSCCC has already been implemented:

- Download the Network Agent installer of KSCCC from the web console.
- Click the installer, confirm that it has already been installed, and click OK.

Finding the HDS site which is used by this NA:

- Run the klnagchk utility within C:\Program Files (x86)\Kaspersky Lab\NetworkAgent to check the network connection.
- By running the klnagchk utility you find that the server address received from HDS is e009.ksc.kaspersky.com

Regarding the HDS (Hosted Discovery Service), please refer to the online guide here: https://support.kaspersky.com/KSC/CloudConsole/en-US/200848.htm

If Request timed out appears while using ping, that means that the KSCCC server is not accepting incoming ICMP traffic.

The PSPing utility from MS KB (https://docs.microsoft.com/zh-cn/sysinternals/downloads/pstools) also has the same output.

We recommend using the PowerShell command Test-NetConnection:

    Test-NetConnection e009.ksc.kaspersky.com -port 23100

Then, if the connection is successfully established, you will see the following response:
-
You're using KSC as a WSUS server and moving the Windows Update folder to another drive so it won't occupy space on the C drive. However, when you're downloading Windows updates to KSC, the "C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer" folder grows up to 15.5 GB.

Solution

Here is the procedure:

1) Make a backup copy of KSC.
2) Stop the KSC service.
3) Copy the folder "C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer" to its new location, for example "E:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer".
4) Rename the old FTServer folder, for example to "C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer_old".
5) Create a symbolic link for the FTServer folder that points to the new FTServer folder location using this command (run in an elevated command prompt, replace the link target with the path to your new FTServer folder location):

    mklink /D "C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer" "E:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer"

6) Start the KSC service.
-
In cases when some data is not displayed properly in the MMC administration console, for example, data in the right pane is not displayed properly:

One of the most common reasons for such behavior may be blocked/prohibited execution of JS in Internet Explorer on the host with the console. This can be easily identified by the following test:

Step-by-step guide

1) Start the currently installed Internet Explorer on the host with the malfunctioning MMC.
2) Try opening the following URL: https://www.whatismybrowser.com/detect/is-javascript-enabled
3) The following should be shown in the browser:

If this is the case, then the test is successful and JS is enabled and working properly. Otherwise, JS is not running correctly, and it is necessary to enable it in the security policies/browser settings for this issue to be resolved.
-
If two different update agents are assigned to a PC in different ways:

- To an administration group.
- Based on a network location.

Which one will have a higher priority for the PC?

- Among the update agents assigned to administration groups, the one assigned to the administration group that is closest to the target host in the group hierarchy has the higher priority.
- If the update agents are assigned to the same group, they have equal priority.
- The priority of update agents assigned based on the network location is equal to the priority of the nearest update agent in the group hierarchy.
- If two update agents have the same priority, the one whose route passes through fewer routers is selected.
- If two update agents have the same priority and the network distance to them is the same, the agent is selected randomly.
-
Problem

When you assign KSC as WSUS, all hosts are unable to download anything from Microsoft Store. It is a Microsoft design limitation.

Description

When KSC acts as WSUS, the group policy (GPO) "DoNotConnectToWindowsUpdateInternetLocations" is applied to the hosts. It is needed to prohibit hosts from downloading updates from the Internet (it is relevant for Windows 10/Server 2016). This limitation blocks the ability to download applications from Microsoft Store.

Microsoft explanation

More details about this behavior can be found at the following link: https://cloudblogs.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/

Solution

If you need this ability back and don't mind hosts downloading updates from the Internet, you can apply the following solution:

1) Stop the KSC server service.
2) Open the registry editor at "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags".
3) Create the server flag KLWUS_WUA_DISABLE_CONN_TO_INET = 0.
4) Start the KSC server service.

A restart of the KSC Server might be required in some cases.
-
Scenario

After the deployment of KSC in the environment, the Backup task fails with the following error when using the KSC Backup task or the klbackup utility (screenshot is below). All the permissions were correctly assigned on the shared folder, and the ports were opened, but the backup was still failing. There were no blocking events in the Firewall traffic logs.

    Error -1963 ('Database connection is broken " 'Connection failure{08S01};' LastStataement='select type from sys.system_object where name = 'dsm_os_host_info';'"

Root cause

The issue was identified to be the IPS module of the Firewall (Fortinet/Paloalto) in the environment. When the backup task was initiated, the IPS module was blocking the SQL backup query with "SMB Injection/Attack" signatures.

Solution

Disable the IPS policy on the Firewall for the KSC and MS SQL servers, and the backup task will be completed successfully.
-
Problem:
KSC certificate renewal or replacement goes wrong because the option to instantly replace the server certificate is used.

There is an article in Online Help dedicated to the klsetsrvcert utility (https://support.kaspersky.com/KSC/13.2/en-US/227838.htm). If you follow the example given in that article, "klsetsrvcert -t C -i <inputfile> -p <password> -o NoCA", administration agents (nagents) may not receive the new certificate, and you then have to use the klmover utility.

Cause:
After the certificate is renewed with the "-t C" option, network agents do not receive the new certificate and have no connection to the server.

Solution:
Run the certificate renewal using the "-t CR" option (CR — Replace the common reserve certificate for ports 13000 and 13291) and the "-f" option in the <dd.mm.yyyy> format, where we indicate a date 3–4 weeks ahead of the current one. The time we set aside before switching to the backup certificate allows the new certificate to be distributed to all nagents.

-t <type>
Type of certificate to be replaced. Possible values of the <type> parameter:
C—Replace the common certificate for ports 13000 and 13291.
CR—Replace the common reserve certificate for ports 13000 and 13291.
M—Replace the certificate for mobile devices on port 13292.
MR—Replace the mobile reserve certificate for port 13292.
MCA—Mobile client CA for auto-generated user certificates.

-f <time>
Schedule for changing the certificate, using the format "DD-MM-YYYY hh:mm" (for ports 13000 and 13291). Use this parameter if you want to replace the common or reserve certificate before it expires. Specify the time when managed devices must synchronize with Administration Server on a new certificate.

For example, consider the command:
klsetsrvcert.exe -f "DD-MM-YYYY hh:mm" -t CR -g nb.loc
Since this command was used in October, a backup certificate would be created and distributed to all nagents within a month. Thus, the certificate should have been applied on November 1, 2022.

Let's check whether the backup certificate has been applied to the host. To do this, using the klscflag utility, enter the command:
klscflag.exe -ssvget -pv 1103/1.0.0.0 -s KLNAG_SECTION_CERTDATA -n KLNAG_SSL_SERVER_CERT_RESERVE -ss '|ss_type = \"SS_LOCAL_MACHINE\";'
The certificate has been delivered.
If the backup certificate is not yet delivered to the destination host, we will see the following result of this command:

Known problems:

The problem with issuing a certificate with a length of 2048 bits on KSC 14. NWC 14 issue
This problem occurs after updating KSC to version 14. Web Console version 14 requires a certificate with an RSA key length of 2048 bits, but when the administration server is updated, the old certificate with a length of 1024 bits remains in use. To fix this error, you need to issue a backup certificate with a length of 2048 bits and wait until it is applied as the main one.
For KSC14, there is a problem of issuing a 1024-bit backup certificate. This is due to an error in the klsetsrvcert utility. To solve it, you need to replace the utility's exe file in the KSC setup directory and execute the command with the -o option "RsaKeyLen:2048". For example:
klsetsrvcert.exe -t CR -g localhost -o "RsaKeyLen:2048"

Error - Failed to establish connection with the remote device:
This error occurs because we are trying to execute 2 consecutive commands on the same line. The first command is "-t CR -g nb.loc" and the second is "-f '20-12-2023 00:00'". Since the administration server restarts after executing the first command, the second command waits for some timeout before executing. But since in some user configurations restarting the service can take a long time, the second part is performed when the server has not started yet, which leads to the above error. To fix this behavior, you need to run the commands separately, according to this scenario:
1. Run .\klsetsrvcert.exe -t CR -g nb.loc
2. Wait until the administration server service starts completely (you can check by connecting the console).
3. Run .\klsetsrvcert.exe -f '20-12-2023 00:00'
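The separate-commands scenario above as a PowerShell script, added here as an example and not Kaspersky's own code. The install path, the service name kladminserver and the meaning of a non-zero exit code are assumptions; nb.loc, port 13000 and the 3–4 week lead time come from the text.

```powershell
# Added example, not Kaspersky code. Assumptions: default install path, service
# name 'kladminserver', and that a non-zero klsetsrvcert exit code means failure.
$KscDir  = 'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center'
$Exe     = Join-Path $KscDir 'klsetsrvcert.exe'
$DnsName = 'nb.loc'          # server name used in the page's example
$Service = 'kladminserver'   # assumed Administration Server service name
$Port    = 13000             # agent port named on the page
$Timeout = [TimeSpan]::FromMinutes(30)
# Switch-over 4 weeks ahead, in the "DD-MM-YYYY hh:mm" format the -f option expects
$SwitchAt = (Get-Date).Date.AddDays(28).ToString('dd-MM-yyyy HH:mm',
                [cultureinfo]::InvariantCulture)

function Wait-AdminServer {
    param([string]$Name, [int]$TcpPort, [TimeSpan]$Limit, [int]$Needed = 3)
    $probe = @{ ComputerName = 'localhost'; Port = $TcpPort
                InformationLevel = 'Quiet'; WarningAction = 'SilentlyContinue' }
    $deadline = (Get-Date) + $Limit
    $streak = 0
    while ((Get-Date) -lt $deadline) {
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        $up  = $svc -and $svc.Status -eq 'Running' -and (Test-NetConnection @probe)
        # Require several consecutive good probes so a service that is still
        # on its way down for the restart is not mistaken for a started one.
        $streak = if ($up) { $streak + 1 } else { 0 }
        if ($streak -ge $Needed) { return $true }
        Start-Sleep -Seconds 10
    }
    return $false
}

# Step 1: issue the reserve certificate; the Administration Server restarts afterwards.
& $Exe -t CR -g $DnsName
if ($LASTEXITCODE -ne 0) { throw "klsetsrvcert -t CR failed with exit code $LASTEXITCODE" }

# Step 2: wait for the restart to finish instead of relying on a fixed timeout.
Start-Sleep -Seconds 30
if (-not (Wait-AdminServer -Name $Service -TcpPort $Port -Limit $Timeout)) {
    throw "Administration Server did not come back within $($Timeout.TotalMinutes) minutes"
}

# Step 3: only now schedule the switch to the reserve certificate.
& $Exe -f $SwitchAt
if ($LASTEXITCODE -ne 0) { throw "klsetsrvcert -f failed with exit code $LASTEXITCODE" }
Write-Output "Reserve certificate scheduled to become active at $SwitchAt"
```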
-
Problem Description, Symptoms & Impact
Installation of the Network Agent isn't possible on a device because of the error: System error 0x1F (A device attached to the system is not functioning.)

Diagnostics
The following line can be found in the MSI log and the Application event log:
(1192/0x0 ("System container 'LOC-PUB-6EEB50F8D2EB46029DB4CCB77E0DA651' is corrupt")

Workaround & Solution
The issue comes from a corrupt cryptostorage in the OS. It's not a KL related issue, although there is a possible solution to fix it.
1. On the problem host, launch cmd.exe with administrative privileges.
2. Run klcryptstgclean.exe:
   klcryptstgclean -tl 4 -tf $klcryptstgclean_trace.txt -l klcryptstgclean.log
3. Try to install NAgent.
4. If it doesn't help, perform the actions from the Cryptostorage-1.docx file.
5. If installation fails again, send the following files to Kaspersky Support: "$klcryptstgclean_trace.txt", "klcryptstgclean.log", and a new GSI with klnagent installation logs.

It is not a KSC or klnagent related issue; it is an OS related issue. If the workaround doesn't help, try the sfc /scannow command, OS restore, OS reinstallation, or contact MS support.
-
Problem
On Windows 10 v1903 and Windows Server v1903, after applying the GPO "Enable svchost.exe mitigation options" (in System\Service Control Manager Settings\Security Settings), high CPU consumption may be observed in the following processes: avp.exe, klnagent.exe, kavfs.exe, kavfswp.exe. A check for resource-consuming tasks shows no ODS tasks running in KES or KSWS and no patch management related tasks running either.

This happens because the MS security configuration baseline recommendations suggested enabling this option, and the policy was applied to the host.

This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code.
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-servicecontrolmanager

Solution
Microsoft has removed it from the security baseline. MS have updated their Windows 10 v1903 and Windows Server v1903 security configuration baseline recommendations to address some issues:

The first and most important change is that we are removing the Computer Configuration setting, “Enable svchost.exe mitigation options” (in System\Service Control Manager Settings\Security Settings) from the Windows 10 and Windows Server baselines at this time because of reports that in its current implementation it causes more compatibility issues than we had anticipated.
https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Security-baseline-Sept2019Update-for-Windows-10-v1903-and/ba-p/890940
-
This guide describes how to configure KSC events export to Splunk.

Step-by-step guide
Make sure that a System Management license is installed, otherwise KSC events won't be exported to SIEM.
1. Specify the Splunk Server address and port;
2. Log in to the Splunk Management console;
3. Press Settings → Configure data inputs;
4. In the opened Add Data window:
   - select TCP;
   - specify the Port you are planning to use, and a Source (KSC server address or DNS name).
5. Configure Source type: choose Select and pick syslog from the drop-down menu.
6. Configure Host: set IP for Method.
7. Check the settings on the result screen;
8. Open the Splunk home page and press Search & Reporting;
9. Make sure that KSC events were indexed by Splunk correctly, as expected;
Right now you are able to see raw KSC events.
-
Which task is responsible for downloading third-party application updates?
Update metadata is downloaded by the Download Updates to the repository task. The updates themselves are downloaded by the Install updates and fix Vulnerability task.

What is the source folder containing the third-party application updates on the administration server?
3rd party updates are downloaded into the folder C:\ProgramData\KasperskyLab\adminkit\1093\.working\wusfiles, then copied to C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer to be transferred to the hosts.

If I run Install updates and fix Vulnerability for Google Chrome, for example, will all versions of Chrome be upgraded to the latest release? Does that mean that after the task has run for a while I will have one version of Google Chrome on all PCs?
It depends on the settings specified in the install task. For example, if you choose to install all applicable updates, Google Chrome will be updated on all hosts to the latest version.

If I have a Connection Gateway, will the devices outside the network that are connected to the KSC through the Connection Gateway update through KSC or through the Connection Gateway?
Updates are first transferred to the Connection Gateway, then distributed from the Connection Gateway to the hosts. So if a host needs an update that is already on the Connection Gateway, KSC will not distribute the files again; the CG will distribute them to the hosts.

Is it possible for the PCs outside the network and connected through the Connection Gateway to use the internet as an update source for third-party applications?
Indeed.
1. On the host with the KSC server, create the following registry key:
   [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags]
   "KLSRV_SYSPATCH_DOWNLOAD_PATCHES_LOCALLY"=dword:00000001
2. Recreate the Install updates and fix vulnerabilities task.
-
The best practice is to back up your current Administration Server and then install the new version of Kaspersky Security Center. To do so, follow these steps:
1. Back up the data of Kaspersky Security Center using one of the methods described below:
   - Backup and Restore Wizard
   - Backup task
2. Check if you can install Kaspersky Security Center on your current server. For system requirements, see Online Help. Then export the list of currently installed plug-ins in the .csv format.
3. Download the latest version of Kaspersky Security Center.
4. Install Kaspersky Security Center. For instructions, see Online Help.
5. If needed, you can restore the Administration Server data. For details, see Online Help.

Important notes
- Make a note of the password configured during the backup process.
- Install Kaspersky Security Center on a new server if your current database server is not supported. Then restore the database data. Restoration works between database servers of the same type.
- If you use an SQL Server as a DBMS, you can migrate data to MySQL or MariaDB DBMS before the upgrade. For details, see Online Help.
- It is possible to restore data from the SQL Express database to the SQL Standard database, but the restoration of data from the SQL Standard database to the SQL Express database is supported with limitations. For further details, please check this Online Help page.
-
In NAgent 15, klmover was updated and now requires the NAgent uninstallation password, if one is set in the NAgent policy. Right now the password can't be passed to klmover as an argument, but it can be supplied via echo:
echo <password>|klmover -address <administration server ip>

Because cmd doesn't parse quotes and spaces in echo properly, if klmover is started from cmd and the password contains characters requiring quotes, klmover should be run from PowerShell. PowerShell has a Start-Process command that allows running a process as a different user; in this case it can be used in a batch script like this:
cd "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\"
powershell -Command "Start-Process powershell '-Command echo <password>|.\klmover.exe -address <address>' -Verb RunAs"

But if it is run as a scheduled task in a group policy, it would be better to set the task to run as a user with administrator privileges and to run with highest privileges.

Previous NAgent klmover versions are not compatible with NAgent 15.
-
Try the following:
1. Check if the Administration Server is configured to use a proxy server on the Kaspersky Security Center server.
2. Try to clear the updates repository. Download the updates once again and check the behavior.
If you still have issues, delete the Download updates to the repository task and create a fresh task.