Antipova Anna
Kaspersky Employee
Posts: 352

Everything posted by Antipova Anna

  1. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

     Problem

     While running the Fix vulnerabilities task, the following error can occur:

         'Transaction became the database conflict victim: '1205, 'Lock wait timeout exceeded; try restarting transaction' , LastStatement='CALL vapm_arrange_task_updates(119, 0xC89EAD3312227039C9FAC933840D7936)'

     Solution

     The most likely cause is that you have one or more Fix vulnerabilities tasks with a very large number of vulnerabilities to be fixed inside a single task. For example, you scrolled through the list of KLAs and added each KLA to the existing task. Check all Fix vulnerabilities tasks, or delete them and create new ones. In the tasks, it is recommended to select vulnerabilities by category attributes (such as severity level) instead of a long explicit list of vulnerabilities.
  2. Problem

     KSC Web Console can be used for monitoring purposes. In that scenario it is particularly important not to get timeout disconnection errors. To avoid them, the timeout before Web Console disconnects can be increased.

     Step-by-step guide

     Edit the node.js web server config file located at
         C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\server\config.json
     Change the following values and restart the KSC Web Console services:
         "clientIdleTimeout": 2147483600,
         "clientLogoutTimeout": 2147483600,
         "serverLogoutTimeout": 2147483600,
     This value is the maximum possible timeout period, which is about 24 days.
  3. Problem

     Sometimes it is necessary to replace the KSN proxy address in products such as KSWS, KESS or KES after restoring KSC from a backup or after moving the Server to new hardware. Unfortunately, there is no policy setting for this.

     Solution

     The corresponding option can be found in the properties of the Installation packages node in KSC. See the effects of changing this value:

     Note that after changing these settings, you must also rebuild the Network Agent installation packages, even if the change is propagated to connected clients.
  4. 0 - Update completed successfully
     1 - All files are up-to-date (no available updates)

     Result codes depending on OS type:

         Windows   Linux (FreeBSD)   Meaning
         -1        255               Command line parsing exception
         -2        254               Update Utility error (exception or another malfunction, including incorrect command line arguments)
         -5        251               Update process failure (not all components are updated, file does not exist on the update source, invalid file signature, index file damaged, file is not a valid XML structure or does not exist) or network error
         -6        250               Bases are not consistent after update
         -3        253               Fail (error code for other update process failures)
  5. Problem

     Sometimes problems with receiving or transferring events on KSC (including export to SIEM) may occur. The first thing to check is the Kaspersky Event Log. The following warnings may appear:

         Warning Total number of events stored in database (4010532) has exceeded the actual limit of 4000000 event(s). Starting to delete excessive events from the database...
         Warning 600 event(s) have been deleted from the database because the limit of 4000000 event(s) was exceeded.
         Warning Server is busy: event has been rejected for device '<Device_name>', most common events in the database are: 'Scheduled' (from 'KES 11.0.0.0'), 'Error sending the request to KSN' (from 'Kaspersky Security 10 for Windows Server 10.0.0.486') and 'Password-protected archive detected' (from 'KES 11.0.0.0')

     The same applies to SIEM integration: because KSC is busy, it will not pass events to the SIEM immediately, and you will have to wait until the load decreases. Events come from the hosts to KSC, and sometimes KSC simply cannot process all of them. For example, during a KES update task every host sends the event Scheduled and then Running. The more hosts you have, the higher the chance that KSC will suffer a peak load that leads to other events being rejected.

     Solution

     1. Configure event storage in all KES policies according to https://support.kaspersky.com/KSC/14/en-US/92424_1.htm
     2. Open KEL and check which events are the most common in the database. Most probably those events are informational and not very helpful.
     3. Disable storing the events you are not interested in on the KSC server in all corresponding policies.
     4. Task-related events can be disabled in the corresponding task properties, on the Notifications tab. There are several event storage options; choose to store only task execution results. Do this for all tasks whose execution causes the "server busy" event.

     After a while, receiving and transferring of events should return to normal.
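As an added example (my own Python, not code from the post), the script below parses the Kaspersky Event Log warnings quoted above and tallies which events, and from which product, KSC names as "most common", so you can see which ones to stop storing first. The sample lines are constructed from the warning text above; the device names are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the warnings quoted above (device names are placeholders).
SAMPLE_LINES = [
    "Warning Total number of events stored in database (4010532) has exceeded the actual limit "
    "of 4000000 event(s). Starting to delete excessive events from the database...",
    "Warning 600 event(s) have been deleted from the database because the limit of 4000000 "
    "event(s) was exceeded.",
    "Warning Server is busy: event has been rejected for device 'WS-EXAMPLE-01', most common "
    "events in the database are: 'Scheduled' (from 'KES 11.0.0.0'), 'Error sending the request "
    "to KSN' (from 'Kaspersky Security 10 for Windows Server 10.0.0.486') and "
    "'Password-protected archive detected' (from 'KES 11.0.0.0')",
    "Warning Server is busy: event has been rejected for device 'WS-EXAMPLE-02', most common "
    "events in the database are: 'Scheduled' (from 'KES 11.0.0.0') and 'Running' (from 'KES 11.0.0.0')",
]

# Each "'<event>' (from '<product>')" pair named in a "Server is busy" warning.
EVENT_RE = re.compile(r"'([^']+)' \(from '([^']+)'\)")
# The stored count and the configured limit from the "exceeded the actual limit" warning.
LIMIT_RE = re.compile(r"stored in database \((\d+)\) has exceeded the actual limit of (\d+) event\(s\)")
BUSY_MARKER = "Server is busy: event has been rejected for device"


def parse_busy_warning(line):
    """Return the [(event, product), ...] pairs a 'Server is busy' warning names, else []."""
    if BUSY_MARKER not in line:
        return []
    return EVENT_RE.findall(line)


def parse_limit_warning(line):
    """Return (stored, limit) from an 'exceeded the actual limit' warning, else None."""
    m = LIMIT_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def summarize(lines):
    """Tally the events KSC names as most common across all busy warnings and record the
    largest overshoot of the event limit (stored minus limit, 0 if never exceeded)."""
    counts = Counter()
    overshoot = 0
    for line in lines:
        counts.update(parse_busy_warning(line))
        found = parse_limit_warning(line)
        if found:
            overshoot = max(overshoot, found[0] - found[1])
    return counts, overshoot


def candidates_to_disable(lines, top=3):
    """The (event, product) pairs most often blamed for the load: the first things to stop
    storing in the corresponding KES policy or task properties."""
    counts, _ = summarize(lines)
    return [pair for pair, _ in counts.most_common(top)]


if __name__ == "__main__":
    counts, overshoot = summarize(SAMPLE_LINES)
    print(f"event limit overshoot: {overshoot}")
    for (event, product), n in counts.most_common():
        print(f"{n}x  {event!r} from {product!r}")
```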
  6. NAgent upgrade fails because the old agent was installed from a different .msi package than the new NAgent's .msi package. The following log lines show the root cause:

         KLNAG_INS_MSI: CheckInstalledMsiName: installed name 'KasperskyNetworkAgent', installed ext '.msi'
         MSI_UTILS: CAGetProperty(OriginalDatabase) called...
         KLNAG_INS_MSI: CheckInstalledMsiName: installing name 'Kaspersky Network Agent', installing ext '.msi'
         KLNAG_INS_MSI: CheckInstalledMsiName: names are NOT equal

     Solution

     1. Copy the installation package of the new NA version from the shared folder and place it, for example, on the Desktop.
     2. Rename the .msi package of the new NA version to match the name of the installed .msi package.
     3. Create an "Installation package for specified exec file".
     4. Browse to the .msi package that you renamed to match the old NAgent .msi package name.
     5. In the properties of the installation package, insert the following command line:

         msiexec /i "KasperskyNetworkAgent.msi" /qn /l*vx c:\windows\temp\nag_inst4.log EULA=1 PRIVACYPOLICY=1 SERVERADDRESS=<server address> REINSTALL=ALL REINSTALLMODE=vomus

     6. Install the created package remotely on the affected machines.
  7. Problem

     You have a new CPU in your managed device and a Windows operating system released prior to Windows 10 / Windows Server 2016. You start "Find vulnerabilities and required updates" for managed devices. The task results and the Kaspersky Event Log on a workstation may show the following error:

         Windows Update Agent error 80240037 ("The functionality for the operation is not supported.") #1181 (-2145124297) COM error 0x80240037 (wcode: 0) ''

     Additionally, if you try to update the workstation directly from Microsoft Update servers, you may see an error message in the Windows Update window that resembles the following:

         Windows could not search for new updates
         An error occurred while checking for new updates for your computer.
         Error(s) found: Code 80240037 Windows Update encountered an unknown error.

     Cause

     This error occurs because new processor generations require the latest Windows version for support.

     Solution

     Microsoft recommends that you upgrade Windows Server 2012 R2-based and Windows Server 2008 R2-based computers to Windows Server 2016, and Windows 8.1-based and Windows 7-based computers to Windows 10, if those computers have a processor from any of the following generations:
     - Intel seventh (7th)-generation "Intel Core" processor or a later generation
     - AMD seventh (7th)-generation ("Bristol Ridge") processor or a later generation
     - Qualcomm "8996" processor or a later generation

     More information on this topic can be found in the following Microsoft article: https://support.microsoft.com/en-us/help/4012982/the-processor-is-not-supported-together-with-the-windows-version-that
  8. Problem

     You install the latest Windows Assessment and Deployment Kit (Windows ADK) on the server where KSC is installed, but the KSC console still shows the message "to deploy OS images, you must install the Windows Assessment and Deployment Kit (Windows ADK) on the device that has KSC installed".

     Solution

     KSC does not see all the required WADK components as installed. Because Microsoft regularly changes the components within their installation packages, we recommend installing all utilities listed in Microsoft's official article. Go to https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install and download all utilities under "The Windows ADK includes:", including WinPE and WSIM.
  9. To minimize network load, to stop receiving error messages related to the SNMP scan, or to comply with security standards, you can disable the SNMP scan completely.

     Step-by-step guide

     On the KSC server, execute:
         klscflag.exe -pv klserver -fset -n KLSRV_NETSVAN_MAY_USE_SNMP -v 0 -t d
     Restart the Network Agent service:
         net stop klnagent
         net start klnagent
     If you need to disable the SNMP scan performed by UA/DP (update agent / distribution point) instead, the command is slightly different:
         klscflag.exe -pv klnagent -fset -n KLSRV_NETSVAN_MAY_USE_SNMP -v 0 -t d
  10. Sometimes you want to use a Connection Gateway for roaming hosts, but you do not want to use the default connection port (13000). To achieve that, use the following solution.

      Step-by-step guide

      1. Open the NAgent policy, Network → Connection section.
      2. Open the connection profile properties.
      3. Set the necessary port after the CG address (see screenshot).
  11. Problem

      You may run into differences between the Application Registry and the Incompatible Applications Report when trying to find computers with incompatible applications. For example, you created a device selection based on an Applications registry criterion, specified the incompatible application name in the Application name field, and got a device selection of 12 computers. You then open the Incompatible Applications Report and get only 3 computers with that software. This is expected, and here is why.

      Solution

      The Application Registry and the Incompatible Applications Report use different subsystems to build their lists. The Incompatible Applications Report uses the Cleaner component, which has a number of predefined entries (similar to those KES uses to detect incompatible applications) that are strictly defined by the product code. The Cleaner database is constantly updated, but it is common for a required entry to be missing, so the Incompatible Applications Report will not show computers where the software differs from what is in the Cleaner database: a different language, a different version, basically anything may affect it. A device selection based on the application registry Application name criterion searches by name and version, which gives broader results and therefore returns more computers. The computers that are not in the Incompatible Applications Report have a software version that is not yet in the Cleaner database.

      There is another way to build a selection: the Incompatible security application name drop-down menu. A device selection based on this criterion gives the same result as the Incompatible Applications Report.
  12. If you are using the MMC console with different servers, you may want to keep the list of configured servers after upgrading to a new version. Fortunately, this is possible.

      Step-by-step guide

      Follow these steps, starting before the upgrade.
      1. Save the Kaspersky Security Center XX file from C:\Users\%username%\AppData\Roaming\Microsoft\MMC
      2. Upgrade.
      3. Start and close the MMC console.
      4. Remove the newly created Kaspersky Security Center XX file from C:\Users\%username%\AppData\Roaming\Microsoft\MMC
      5. Place the file you saved in the first step in the KSC installation folder (remember to rename it to the correct version).
  13. In some cases klakaut traces should be collected for diagnostics.

      Step-by-step guide

      1. Import the klakaut-on_x*.reg file.
      2. Restart the klakaut service:
             net stop klakaut
             net start klakaut
      3. Enable another trace if required.
      4. Reproduce the issue.
      5. Import the klakaut-off_x*.reg file.

      The trace file $klakaut-klakaut.log will be placed in C:\Windows\Temp. Make sure to use the correct .reg file for the OS architecture (x86 or x64).
  14. Problem

      Kaspersky Shared Access To Desktop is not working, or not working well: the image provided from the remote PC is corrupted.

      Solution

      Check whether the issue reproduces with standard Windows functionality:
      1. On the remote host, create an invitation for Windows Remote Assistance (a default Windows feature).
      2. Send the invitation file to the PC with the KSC console installed.
      3. Connect to the remote PC via Windows Remote Assistance using the invitation file.
      4. Click Request control.
      5. Check the behavior.

      If the behavior is the same, it is a Microsoft-related problem; contact Microsoft support. If the issues with Shared Access show up only with KSC, collect the following data and send it to Kaspersky Support:
      - Server traces from the server and NAgent traces from the remote host during the issue reproduction
      - Screen capture (video)
      - GSI report from the remote host and the KSC server (after the traces)

      Check the screen resolutions on the remote host and the server. If the resolution is 1366x768 on either of them, it is a known issue: https://support.microsoft.com/en-us/help/2665720/remote-assistance-does-not-display-a-desktop-that-has-a-resolution-of-1366-x-768-correctly-in-windows-7
  15. There is a known limitation in KSC. When hosts are managed from different domains and there are hosts with the same name in these domains, 'doubles' appear. To avoid this, use the FQDN (fully qualified domain name) as the display name instead of the NetBIOS name.

      Step-by-step guide

      1. Set the following server flag, SrvUseFqdnAsDisplayNames:
             [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags]
             "SrvUseFqdnAsDisplayNames"=dword:00000001
      2. Delete the duplicated hosts from the managed group and from unassigned devices.
      3. Run polling so that the hosts reappear on KSC.

      For hosts to reappear with an FQDN name, KSC must know their DNS domain. KSC learns this from an installed Network Agent or from an AD scan, so a Network Agent must be installed on these hosts or AD polling must be used.
  16. Description

      Sometimes the KSC backup task may fail with the following error:

          #1181 (-2147023878) System error 0x800703FA (Illegal operation attempted on a registry key that has been marked for deletion.)

      At first, rebooting the OS may help, but the error may return.

      Cause

      The user identity associated with the COM+ application was logged on when the COM+ application was first initialized. If that user logs off, their profile is unloaded and the COM+ application can no longer read the registry keys in that user's profile. The User Profile Service forcibly unloads a user's profile when the user logs off. In such a situation, forcing a user profile to be unloaded can cause the application to crash if registry handles are not closed. This User Profile Service behavior is the default.

      Resolution

      As a workaround, you may need to change the default behavior of the User Profile Service. The "Do not forcefully unload the user registry at user logoff" policy setting controls the default behavior. If this setting is enabled, the User Profile Service does not force an unload of the registry, but waits until other processes are no longer using the user's registry before unloading it.

      The policy can be found in the Group Policy Editor (gpedit.msc):
          Computer Configuration → Administrative Templates → System → User Profiles
          Do not forcefully unload the user registry at user logoff
      Change the setting from Not Configured to Enabled, which disables the new User Profile Service feature. DisableForceUnload is the value added to the registry. For more information see the MS article https://support.microsoft.com/en-us/help/2287297/a-com-application-may-stop-working-on-windows-server-2008-when-a-user
  17. To troubleshoot SNMP functionality in KSC, specific traces should be collected.

      Step-by-step guide

      To collect traces:
      1. Download the archive.
      2. Use trace-5-snmpagt.reg to start the trace.
      3. Reproduce the issue.
      4. Use trace-off-snmpagt.reg to stop the trace.
      5. Archive the files and send them to Kaspersky Support.
  18. Scenario

      The Backup task fails with the following error in the Kaspersky Event Log:

          Database is corrupted. At least one repository corrupted C:\ProgramData\Application Data\KasperskyLab\adminkit\1093\gsyn\klsdata.dat has been corrupted and will not be recovered. Hardware fixing and application reinstallation are required.

      Possible root causes

      The most common causes are an OS crash or an unexpected reboot (for example due to power loss) of a system with disk caching enabled. This corrupts the KSC repositories.

      Solution

      1. Uninstall KSC.
      2. Install KSC.
      3. Restore from the latest backup.
  19. This article explains the ROBOT attack, RSA key exchange, OpenSSL and KSC.

      Explanation

      If you are running a security analyzer and it reports that connections on ports 13000 (server-nagent traffic) and 17000 (activation proxy) are suspicious for the ROBOT attack, don't panic. Automatic analysis is not accurate. Run specific diagnostics to make sure that KSC traffic is actually not vulnerable. Examples:
      - https://testssl.sh/
      - https://github.com/robotattackorg/robot-detect

      Check https://mta.openssl.org/pipermail/openssl-dev/2017-December/009887.html, which the ROBOT attack site references. It states that "We're mostly focused on non-timing issues and OpenSSL is not among the vulnerable implementations", although OpenSSL uses RSA key exchange.

      More information

      What the ROBOT attack is: https://robotattack.org/
  20. The ability to modify the ciphers used by the product to communicate on port 13292, published on the Internet, is required.

      Step-by-step guide

      You cannot change the ciphers used on a particular port, but you can change the cipher suites used by the MDM server on all listening ports. To do so, create a global environment variable KLTR_ENV_SSL_CIPHER_SUITE and restart the Kaspersky Security Center server. The format of the value is described at https://www.openssl.org/docs/man1.0.2/man1/openssl-ciphers.html

      For example, the variable might look like the following:
          KLTR_ENV_SSL_CIPHER_SUITE=HIGH:!MD5:!DSS
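As an added example for the two posts above (my own Python, not Kaspersky's code): expand a candidate KLTR_ENV_SSL_CIPHER_SUITE value with the local OpenSSL build and list which of the resulting suites still use plain RSA key exchange, the suite type the ROBOT diagnostics above look at. It only previews the cipher string locally; it assumes the server side interprets the same OpenSSL syntax and says nothing about what KSC itself negotiates on a given port.

```python
import ssl


def expand_cipher_string(spec):
    """Expand an OpenSSL cipher string (the format KLTR_ENV_SSL_CIPHER_SUITE uses) into the
    suites the local OpenSSL build would actually offer. Raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def rsa_key_exchange_suites(spec):
    """Names of the suites in spec that use plain RSA key exchange (Kx=RSA). Whole-token match
    so RSA-PSK suites (Kx=RSAPSK) are not miscounted; TLS 1.3 suites report Kx=any and are excluded."""
    return [c["name"] for c in expand_cipher_string(spec)
            if "Kx=RSA" in c["description"].split()]


def audit(spec):
    """Small report for a candidate cipher string: how many suites it enables, the weakest key
    strength in bits, and which suites still rely on RSA key exchange."""
    suites = expand_cipher_string(spec)
    return {
        "spec": spec,
        "total": len(suites),
        "weakest_bits": min(c["strength_bits"] for c in suites),
        "rsa_key_exchange": rsa_key_exchange_suites(spec),
    }


if __name__ == "__main__":
    # The value from the post above, and the same value with RSA key exchange excluded (!kRSA).
    for spec in ("HIGH:!MD5:!DSS", "HIGH:!MD5:!DSS:!kRSA"):
        r = audit(spec)
        print(f"{r['spec']}: {r['total']} suites, weakest {r['weakest_bits']} bits, "
              f"RSA key exchange: {', '.join(r['rsa_key_exchange']) or 'none'}")
```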
  21. An RDP connection invoked via the KSC console uses the hostname to connect to a host: mstsc.exe is invoked with the /v hostname parameter. To make it use the IP address instead of the hostname, edit the command line used to invoke mstsc.exe:
      1. Open Custom tools → Configure custom tools.
      2. Select Remote Desktop and click Modify.
      3. Edit the Command line text box; it should contain <host_ip> instead of <A>:
             /v:<host_ip>:<P> /f
      4. Clear the "Create tunnel for TCP port specified below" checkbox.

      Administration Console will now launch mstsc.exe with the IP address as the argument.
  22. If there are many outdated entries in the Executable files list in a computer's properties or on a server, there is a way to bring it up to date.

      Step-by-step guide

      There is a hidden Actualization task that runs at the end of the Inventory task. To use this and quickly update the list of executables, do the following:
      1. Create an Inventory task.
      2. Set the inventory scope to an empty or very small folder.
      3. Run it.

      Since the scope of work is small, the inventory task finishes much faster and goes straight to the actualization task. After the task completes, all outdated (no longer existing) executables are removed from the list.
  23. This article provides additional details to the Online Help article.

      Modern web servers use gzip compression for transferred web pages. Such compressed web pages should not be sent to the KATA API, as these files create unnecessary load on the Sandbox.

      Request parameters:
      - Content-Type - optional parameter
      - objectType - must always be file (other types are not supported)
      - content - the object to send
      - scanId - ID of the object sent to KATA (must be unique)
      - sensorId - ID of the system sending the file. It can be a random UID, authorized in the KATA Web UI (External Systems tab)

      Examples:
          # curl -k --noproxy '*' --cert ./cert.pem --key ./server.key -F scanId=9000001 -F objectType=file -F content=@/tmp/test.pdf -X POST https://<KATA_IP>:443/kata/scanner/v1/sensors/11111-111-11111/scans
          # curl -k --noproxy '*' --cert ./cert.pem --key ./server.key -F scanId=9000002 -F objectType=file -F content=@/tmp/test.docx -X POST https://<KATA_IP>:443/kata/scanner/v1/sensors/11111-111-11111/scans

      How to generate the key and certificate:
          openssl genrsa -out server.key 2048
          openssl rsa -in server.key -out server.key
          openssl req -sha256 -new -key server.key -out server.csr -subj '/CN=localhost'
          openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
          cat server.crt server.key > cert.pem

      Or use the one-liner:
          openssl req -x509 -newkey rsa:2048 -keyout ./server.key -out ./cert.pem -days 365 -nodes -subj "/C=RU/ST=MSK/L=Moscow/O=Company Name/OU=Org/CN=www.example.com"

      To retrieve scan results:
          # curl -k --noproxy '*' --cert ./cert.pem --key ./server.key -X GET "https://<KATA_IP>:443/kata/scanner/v1/sensors/11111-111-11111/scans/state?&state=detect,not detected,error,timeout" -H "accept: application/json"
          {
            "scans": [
              { "scanId": "9000001", "state": "detect" },
              { "scanId": "9000002", "state": "detect" }
            ]
          }

      To view all scan results from KATA CN 3.7.2:
          # sudo -u postgres psql antiapt -c "select count (*) from all_alerts where meta_type='EXTERNAL' and object_type='FILE';"

      To view all scan results from KATA CN 4.0/4.1/5.0:
          # sudo -i
          # docker exec -it `docker ps | grep kedr_database_server | awk '{print $1}'` psql -U kluser antiapt -c "select count (*) from all_alerts where meta_type='EXTERNAL' and object_type='FILE';"

      How to use a PFX for curl authentication

      This has more to do with curl than with the product. If curl is built on an SSL library that supports PFX, the integration works correctly. macOS example (curl is built on Secure Transport):
          # curl -k --noproxy '*' --cert-type P12 --cert ./<certificate>.pfx:<password> -F scanId="<ID>" -F objectType=file -F content=@/tmp/test -X POST https://<KATA_IP>:443/kata/scanner/v1/sensors/11111-111-11111/scans

      How to retrieve detects from the detects API

      Typical curl request:
          curl -k --noproxy '*' --cert ./cert.pem --key ./server.key -X GET "https://127.0.0.1:443/kata/scanner/v1/sensors/11111-111-11111/detects"
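As an added example (my own Python, not Kaspersky's code) of the submission flow described above: it decompresses gzip-compressed objects before sending, builds the same multipart form the curl -F examples send, posts to /scans and reads /scans/state back into a dict. The host, sensor ID and certificate paths are parameters you supply (placeholders below); with no CA file it skips server verification exactly like the curl -k examples, and the sample page in the main block is constructed.

```python
import gzip
import http.client
import json
import ssl
import urllib.parse
import uuid

GZIP_MAGIC = b"\x1f\x8b"
SCAN_STATES = ("detect", "not detected", "error", "timeout")


def normalize_object(data):
    """Web servers often hand out gzip-compressed pages; the Sandbox should get the raw object,
    so transparently decompress anything that starts with the gzip magic bytes."""
    return gzip.decompress(data) if data[:2] == GZIP_MAGIC else data


def build_multipart(fields, file_field, filename, content, boundary):
    """Encode the same multipart/form-data body that the curl -F flags above produce."""
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", str(value).encode()]
    parts += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"'.encode(),
              b"Content-Type: application/octet-stream", b"", content]
    parts += [f"--{boundary}--".encode(), b""]
    return b"\r\n".join(parts)


def parse_scan_state(payload):
    """Turn the /scans/state JSON answer into {scanId: state}."""
    return {s["scanId"]: s["state"] for s in json.loads(payload)["scans"]}


def tls_context(cert, key, cafile=None):
    """Client-certificate context. With no cafile it behaves like curl -k in the examples
    above (server certificate not verified); pass the KATA CA file to verify the server."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(cert, key)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def submit_object(host, sensor_id, ctx, scan_id, filename, data):
    """POST one object to /scans; returns (HTTP status, response body)."""
    boundary = uuid.uuid4().hex
    body = build_multipart({"scanId": scan_id, "objectType": "file"},
                           "content", filename, normalize_object(data), boundary)
    conn = http.client.HTTPSConnection(host, 443, context=ctx)
    conn.request("POST", f"/kata/scanner/v1/sensors/{sensor_id}/scans", body,
                 {"Content-Type": f"multipart/form-data; boundary={boundary}"})
    resp = conn.getresponse()
    status, text = resp.status, resp.read().decode(errors="replace")
    conn.close()
    return status, text


def fetch_scan_states(host, sensor_id, ctx, states=SCAN_STATES):
    """GET /scans/state for the given states and return {scanId: state}."""
    query = urllib.parse.urlencode({"state": ",".join(states)})
    conn = http.client.HTTPSConnection(host, 443, context=ctx)
    conn.request("GET", f"/kata/scanner/v1/sensors/{sensor_id}/scans/state?{query}",
                 headers={"accept": "application/json"})
    resp = conn.getresponse()
    payload = resp.read().decode()
    conn.close()
    return parse_scan_state(payload)


if __name__ == "__main__":
    # Offline demonstration. A live call for a sensor registered in the KATA Web UI would be:
    #   ctx = tls_context("cert.pem", "server.key")
    #   submit_object("<KATA_IP>", "<sensor_id>", ctx, "9000001", "test.pdf", open("test.pdf", "rb").read())
    page = gzip.compress(b"<html>constructed sample page</html>")  # constructed sample object
    print(len(page), "compressed bytes ->", len(normalize_object(page)), "bytes sent")
```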
  24. This article is about Kaspersky Security Center for Windows (KSC for Windows).

      Sometimes it is necessary to execute batch files on managed hosts. When doing so, keep the following in mind.

      To execute a batch file on remote hosts:
      1. Create an installation package based on a file.
      2. Create a remote installation task for that installation package.
      3. Assign the task to the target hosts and start it.

      During task execution, NAgent runs the file using a 32-bit cmd.exe process (C:\Windows\SysWOW64\cmd.exe) under the LocalSystem account.

      Limitations
      - Some commands and programs don't support execution under the LocalSystem account.
      - Some commands are not recognized as internal or external commands by 32-bit cmd.exe and therefore cannot be started from the 32-bit cmd.exe process.

      To execute a batch file using a 64-bit cmd.exe process:
      1. Add a symlink to the 64-bit cmd.exe in the script.
      2. Run all commands through this symlink.

      Example:
          REM the following creates a symlink named cmdin64.exe to C:\Windows\System32\cmd.exe
          cmd.exe /c mklink cmdin64.exe "C:\Windows\System32\cmd.exe"
          REM the next line starts uwfmgr.exe, which is not recognized as an internal or external command by 32-bit cmd.exe
          cmdin64.exe /c uwfmgr.exe

      Or use the x64 versions of commands. For example, to import a .reg file you need to create the following .bat file:

      Example:
          @echo off
          reg import <reg file> /reg:64

      You can find x64 versions of the commands online.
  25. Unless explicitly requested by Kaspersky Support, there is no need to collect ETW logs.

      This article is about Kaspersky Endpoint Security for Windows (KES for Windows). ETW_drivers.zip can be found here.

      KES 11.5+

      Enable KES tracing and the driver trace will also be running. It is stored in C:\ProgramData\Kaspersky Lab\KES\Traces with a name like KES.%version%_MM.DD_HH.mm_PID.drivers.etl

      As with KES tracing, it is recommended to collect the driver trace from driver startup, unless that affects the issue reproduction or unless it is explicitly stated as mandatory for a specific issue. So, after enabling the KES trace it is enough to reboot the PC: this starts driver logging at system boot and KES logging from service start. It is also recommended to collect all driver logs at once, even though you will find below how to start them separately for a specific driver. Still, it is mandatory to identify the problematic driver before collecting diagnostics, unless that is impossible for some reason.

      Batch scripts to run driver logs altogether

      On demand
      1. Download the ETW_drivers.zip archive and extract it into the desired folder.
      2. Run an elevated CMD.
      3. CD to the folder where the script file drivers_on_demand.cmd resides and run it.
      The driver trace runs until you hit any key in the CMD window, then stops immediately. The driver logs are placed in the same folder where the script was executed.

      On demand for a long time (split log files)
      1. Download the ETW_drivers.zip archive and extract it into the desired folder.
      2. Run an elevated CMD.
      3. CD to the folder where the script file drivers_on_demand_long_time.cmd resides and run it.
      The driver trace runs until you press any key in the CMD window, and stops if you press it again. The driver logs are placed in the same folder where the script was executed.

      On boot
      1. Download the ETW_drivers.zip archive and extract it into the desired folder.
      2. Run an elevated CMD.
      3. CD to the folder where the script file enable_drivers_boot.cmd resides and run it. Do not run it more than once, and do not try to run disable_drivers_boot.cmd before the reboot.
      4. The driver trace starts after the reboot.
      5. To stop the capture, run disable_drivers_boot.cmd, also from an elevated CMD.

      Note: use this bat file only when the problem reproduces during Windows startup. Otherwise, use the on-demand bat files.