Antipova Anna

Kaspersky Employee
Posts: 352

Posts posted by Antipova Anna

  1. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

    The best practice is to back up your current Administration Server and then install the new version of Kaspersky Security Center.

    To do so, follow these steps:

    1. Back up the data of Kaspersky Security Center using one of the methods described below:
      1. Backup and Restore Wizard
      2. Backup task
    2. Check if you can install Kaspersky Security Center on your current server. For system requirements, see Online Help.
    3. Then export the list of currently installed plug-ins in the .csv format.
    4. Download the latest version of Kaspersky Security Center.
    5. Install Kaspersky Security Center. For instructions, see Online Help.
    6. If needed, you can restore the Administration Server data. For details, see Online Help.

    Important notes

    • Make a note of the password configured during the backup process.
    • Install Kaspersky Security Center on a new server if your current database server is not supported. Then restore the database data.
    • Restoration works between database servers of the same type. If you use SQL Server as the DBMS, you can migrate data to a MySQL or MariaDB DBMS before the upgrade. For details, see Online Help.
    • It is possible to restore data from the SQL Express database to the SQL Standard database, but the restoration of data from the SQL Standard database to the SQL Express database is supported with limitations.

    For further details, please check this Online Help page.

  2.

    In NAgent 15, klmover was updated and now requires NAgent uninstallation password, if it is set in NAgent's policy. Right now the password can't be passed to klmover as an argument, but it can be supplied via echo:

    echo <password>|klmover -address <administration server ip>

    Because cmd doesn't parse quotes and spaces in echo properly, if klmover is started from cmd and the password contains characters requiring quotes, klmover should be run from powershell.

    PowerShell has a Start-Process command that allows running a process as a different user; in this case it can be used in a batch script like this:

    cd "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\"
    powershell -Command "Start-Process powershell '-Command echo <password>|.\klmover.exe -address <address>' -Verb RunAs"

    But if it is run as a scheduled task in a group policy, it would be better to set the task to run as a user with administrator privileges and set it to run with highest privileges.

    Previous NAgent klmover versions are not compatible with NAgent 15. 
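An alternative to the echo pipe for the same klmover call, as an added example that is not code from the original post: a small Python wrapper writes the password to klmover's stdin without any shell in between, so quotes, spaces, '|', '&' or '%' in the password need no escaping at all. It assumes the default Network Agent path and the -address switch quoted above, and that the script is started from an already elevated session (the RunAs step is not reproduced here); KLNAGENT_UNINSTALL_PASSWORD is an invented variable name.

```python
"""Pass the Network Agent uninstallation password to klmover on stdin.

Added example, not code from the original post. subprocess.run() with an
argv list and shell=False hands the password bytes straight to klmover's
stdin, so cmd.exe never parses them. Assumptions: the default install path
quoted in the post, the '-address' switch, and that this runs in an already
elevated session; KLNAGENT_UNINSTALL_PASSWORD is an invented variable name.
"""
import os
import subprocess
import sys
from pathlib import Path

AGENT_DIR = Path(r"C:\Program Files (x86)\Kaspersky Lab\NetworkAgent")  # path from the post


def klmover_cmd(server: str, agent_dir: Path = AGENT_DIR) -> list[str]:
    """argv for 'klmover -address <server>'; a list, not a string, is what avoids quoting."""
    return [str(agent_dir / "klmover.exe"), "-address", server]


def run_with_stdin_password(cmd: list[str], password: str, timeout: int = 300) -> subprocess.CompletedProcess:
    """Run cmd without a shell and feed password + newline on its stdin.

    Equivalent of 'echo <password>|klmover ...', except that no shell sees the
    password, so characters like " ' & | % < > are passed through unchanged.
    """
    return subprocess.run(
        cmd,
        input=password + "\n",
        text=True,
        capture_output=True,
        shell=False,  # never True here: that would bring cmd.exe parsing back
        timeout=timeout,
    )


def stdin_echo_cmd() -> list[str]:
    """Stand-in for klmover that echoes its stdin line; used for a dry run (prints the password!)."""
    return [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.readline())"]


def move_agent(server: str, password: str, dry_run: bool = False) -> int:
    """Run klmover (or the echo stand-in) with the password on stdin; return its exit code."""
    cmd = stdin_echo_cmd() if dry_run else klmover_cmd(server)
    proc = run_with_stdin_password(cmd, password)
    sys.stdout.write(proc.stdout)
    sys.stderr.write(proc.stderr)
    return proc.returncode


if __name__ == "__main__":
    # Usage from an elevated prompt, after setting KLNAGENT_UNINSTALL_PASSWORD:
    #   python move_agent.py <administration server address> [--dry-run]
    pw = os.environ.get("KLNAGENT_UNINSTALL_PASSWORD")
    if not pw or len(sys.argv) < 2:
        sys.exit("usage: KLNAGENT_UNINSTALL_PASSWORD=<password> move_agent.py <server> [--dry-run]")
    sys.exit(move_agent(sys.argv[1], pw, dry_run="--dry-run" in sys.argv))
```

The --dry-run switch replaces klmover with a stand-in that echoes the stdin line back, which is a quick way to confirm that a password full of shell metacharacters arrives intact before touching a real agent; use a throwaway value for that check, since it ends up on stdout.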

  3.

    Try the following:

    1. Check if the Administration Server is configured to use a proxy server on the Kaspersky Security Center server.

    2. Try to clear the updates repository. Download the updates once again and check behavior.

    If you still have issues, delete the Download updates repository task and create a fresh task.

  4.

    Problem

    While running Fix vulnerabilities task, the following error can occur:

    'Transaction became the database conflict victim: '1205, 'Lock wait timeout exceeded; try restarting transaction' , LastStatement='CALL vapm_arrange_task_updates(119, 0xC89EAD3312227039C9FAC933840D7936)'

    Solution

    Most probably, the reason for the problem is that you have a Fix vulnerabilities task, or tasks, with a big number of vulnerabilities that should be fixed inside one task. For example, you scroll the list of KLAs and add each KLA to be fixed in the existing task. You have to check all Fix vulnerabilities tasks, or delete them and create new tasks. In the tasks, it's suggested to use category attributes (like severity level etc.) instead of a big list of vulnerabilities.

  5.

    Problem

    KSC Web Console can be used for monitoring purposes. It is particularly important to have no timeout disconnection errors in this scenario.

    To avoid them, the timeout before Web Console disconnects can be increased. 

    Step-by-step guide

    All you have to do is the following:

    1. Edit node.js web server config file located at C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\server\config.json
    2. Change the following values and restart KSC WC services:
    "clientIdleTimeout": 2147483600,
    "clientLogoutTimeout": 2147483600,
    "serverLogoutTimeout": 2147483600,

    This value represents the maximum possible timeout period, which is about 24 days.
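The edit above done as a script, as an added example that is not part of the original post and not Kaspersky code: it reads the config.json path named in the post, sets the three keys the post lists, keeps a .bak copy of the untouched file and writes the result back. It also refuses values above 2147483647 ms, because that is the limit of Node's setTimeout (2^31-1 milliseconds, about 24.8 days), which is why the post's 2147483600 is described as about the maximum; a larger value would not give a longer timeout. The service restart is left to the operator because the post does not name the service.

```python
"""Patch the Web Console session timeouts in config.json.

Added example, not code from the original post. Assumptions: the config.json
path quoted in the post, the three key names the post lists, and that the
file is plain JSON (it is rewritten with 2-space indentation).
"""
import json
import shutil
import sys
from pathlib import Path

CONFIG_PATH = Path(r"C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\server\config.json")
TIMEOUT_KEYS = ("clientIdleTimeout", "clientLogoutTimeout", "serverLogoutTimeout")
NODE_TIMER_MAX_MS = 2_147_483_647   # Node.js setTimeout() limit: 2^31-1 ms
POST_VALUE_MS = 2_147_483_600       # value used in the post


def patch_timeouts(config: dict, ms: int, keys=TIMEOUT_KEYS) -> dict:
    """Return a copy of config with every timeout key set to ms (milliseconds).

    Raises ValueError for non-positive values or values above Node's timer
    limit, and KeyError if a key the post expects is missing, so a wrong file
    or a changed schema fails loudly instead of being silently 'patched'.
    """
    if not isinstance(ms, int) or ms <= 0 or ms > NODE_TIMER_MAX_MS:
        raise ValueError(f"timeout must be in 1..{NODE_TIMER_MAX_MS} ms, got {ms!r}")
    missing = [k for k in keys if k not in config]
    if missing:
        raise KeyError(f"config has no keys {missing}; is this the Web Console server config?")
    patched = dict(config)          # do not mutate the caller's dict
    for k in keys:
        patched[k] = ms
    return patched


def describe(ms: int) -> str:
    """Human-readable duration for a millisecond timeout, e.g. '24.9 days'."""
    return f"{ms / 86_400_000:.1f} days"


def patch_file(path: Path = CONFIG_PATH, ms: int = POST_VALUE_MS) -> dict:
    """Patch the file on disk, keeping a .bak copy of the original; returns the new config."""
    original = json.loads(path.read_text(encoding="utf-8"))
    patched = patch_timeouts(original, ms)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(json.dumps(patched, indent=2, ensure_ascii=False) + "\n", encoding="utf-8")
    return patched


if __name__ == "__main__":
    # Usage (elevated prompt): python patch_wc_timeouts.py [milliseconds]
    value = int(sys.argv[1]) if len(sys.argv) > 1 else POST_VALUE_MS
    patch_file(ms=value)
    print(f"set {', '.join(TIMEOUT_KEYS)} to {value} ms ({describe(value)}); now restart the Web Console service")
```

Note that a 24-day idle timeout means a monitoring session on an unattended screen effectively never logs out, so keep this on dedicated monitoring stations rather than on every console user's workstation.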

  6.

    Problem

    Sometimes it is necessary to replace the KSN proxy address in products like KSWS, KESS or KES after restoring KSC from a backup or when the Server is moved to new hardware.


    Unfortunately, there are no settings in the policy for this.

    Solution

    The corresponding option can be found in the properties of Installation packages node in KSC.


    See the effects of changing this value (animated screenshot in the original post).

    Note that after changing these settings, you must also rebuild the Network Agent installation packages, even if the change is propagated to connected clients.

  7.

    Result codes that do not depend on OS type:

    0 - Update completed successfully
    1 - All files are up-to-date (No available updates)

    Result codes depending on OS type:

    Windows | Linux (FreeBSD) | Meaning
    --------|-----------------|--------
    -1      | 255             | Command line parsing exception
    -2      | 254             | Update Utility error (exception or another malfunction, including incorrect command line arguments)
    -5      | 251             | Update process failure (not all components are updated; file does not exist on update source; invalid file signature; index file damaged; file is not a valid XML structure or does not exist) or network error
    -6      | 250             | Bases are not consistent after update
    -3      | 253             | Fail (error code for other update process failures)

  8.

    Problem

    Sometimes a problem with receiving/transferring events on KSC (including export to SIEM) may occur. The first thing that you have to check is the Kaspersky Event Log. The following warnings may occur:

    Warning

    Total number of events stored in database (4010532) has exceeded the actual limit of 4000000 event(s). Starting to delete excessive events from the database...

    Warning

    600 event(s) have been deleted from the database because the limit of 4000000 event(s) was exceeded.

    Warning

    Server is busy: event has been rejected for device '<Device_name>', most common events in the database are: 'Scheduled' (from 'KES 11.0.0.0'), 'Error sending the request to KSN' (from 'Kaspersky Security 10 for Windows Server 10.0.0.486') and 'Password-protected archive detected' (from 'KES 11.0.0.0')


    The same is true for SIEM integration. Because KSC is busy, it won't provide events to SIEM immediately; you'll have to wait until the load decreases. Events are coming from the hosts to KSC and sometimes KSC just cannot process all of them. For example, during a KES update task all the hosts send the Scheduled event and then Running. The more hosts you have, the higher the chance that KSC will suffer a peak load, which will lead to other events being rejected.

    Solution

    Configure events storing in all KES policies according to https://support.kaspersky.com/KSC/14/en-US/92424_1.htm

    Open KEL and check what the most common events in the database are. Most probably those events will be informational and not very helpful.

    1. Disable storing events you are not interested in on KSC server in all corresponding policies.
    2. Task-related events can be disabled in the corresponding task properties, on the Notifications tab. There are different store events options; choose to store only task execution results. Do this for all the tasks whose runs cause the "server busy" event.

    After a while events receiving/transferring should be normalized.

  9. NAgent upgrade failure because the old agent was installed from a different .msi package than the new NAgent's .msi package.

    The below logs describe the root cause.

    KLNAG_INS_MSI: CheckInstalledMsiName: installed name 'KasperskyNetworkAgent', installed ext '.msi' 
    MSI_UTILS: CAGetProperty(OriginalDatabase) called... 
    KLNAG_INS_MSI: CheckInstalledMsiName: installing name 'Kaspersky Network Agent', installing ext '.msi' 
    KLNAG_INS_MSI: CheckInstalledMsiName: names are NOT equal 

    Solution

    1. Copy the installation package of the new NA version from the shared folder and place it on the Desktop, for example.

    2. Change the name of the .msi package related to the new version of NA to match the name of the installed .msi package.


    3. Create "Installation package for specified exec file"


    4. Browse to the .msi package that you have edited to match the old NAgent .msi package name.

    5. In the properties of the installation package insert the below command:

    msiexec /i "KasperskyNetworkAgent.msi" /qn /l*vx c:\windows\temp\nag_inst4.log EULA=1 PRIVACYPOLICY=1 SERVERADDRESS=<server address> REINSTALL=ALL REINSTALLMODE=vomus


    6. Install the created package remotely on the impacted machines.

  10.  
    Problem:

    You have a new CPU in your managed device and a Windows operating system released prior to Windows 10\Windows Server 2016. You start "Find vulnerabilities and required updates" for managed devices. Task results and the Kaspersky Event log on a workstation may indicate the following error:

    Windows Update Agent error 80240037 ("The functionality for the operation is not supported.") #1181 (-2145124297) COM error 0x80240037 (wcode: 0) ''

    Additionally, if you try to update workstation directly from Microsoft Update servers, you may see an error message in the Windows Update window that resembles the following:

    Windows could not search for new updates
    An error occurred while checking for new updates for your computer.
    Error(s) found:
    Code 80240037 Windows Update encountered an unknown error.

    Cause: 

    This error occurs because new processor generations require the latest Windows version for support.

    Solution:

    Microsoft recommends that you upgrade Windows Server 2012 R2-based and Windows Server 2008 R2-based computers to Windows Server 2016, and Windows 8.1-based and Windows 7-based computers to Windows 10, if those computers have a processor that is from any of the following generations:

    • Intel seventh (7th)-generation "Intel Core" processor or a later generation
    • AMD seventh (7th)-generation (“Bristol Ridge") processor or a later generation
    • Qualcomm “8996" processor or a later generation

    More information on this topic can be found in the following Microsoft article:

  11.

    Problem

    You install the latest Windows Assessment and Deployment Kit (Windows ADK) on the server where KSC is installed, but the KSC console still shows the message "to deploy OS images, you must install the Windows Assessment and Deployment Kit (Windows ADK) on the device that has KSC installed".


    Solution

    KSC doesn't see all the needed WADK components as installed. Because Microsoft is always changing components within their installation packages, we recommend installing all utilities from Microsoft's official article.

    1.  Go to https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install
    2.  Download all utilities under "The Windows ADK includes:" including WinPE and WSIM.

  12.

    To minimize network load, stop receiving error messages related to SNMP scan or to comply with security standards, you can disable SNMP scan completely.

    Step-by-step guide

    On KSC server: 

    1. Execute: klscflag.exe -pv klserver -fset -n KLSRV_NETSVAN_MAY_USE_SNMP -v 0 -t d
    2. Restart network agent service
      net stop klnagent
      net start klnagent

    If you need to disable the SNMP scan made by UA/DP, then the command will be slightly different:

      klscflag.exe -pv klnagent -fset -n KLSRV_NETSVAN_MAY_USE_SNMP -v 0 -t d

  13.

    Sometimes you want to use Connection Gateway for roaming hosts, but you don't want to use the default connection port (13000). To achieve that you can use the following solution.

    Step-by-step guide

    1. Open NAgent policy.
    2. Network → Connection section.
    3. Open connection profile properties.
    4. Set necessary port after CG address (see screenshot).


  14.

     

    Problem

    You may run into differences between Application Registry and Incompatible Applications Report when trying to find computers with incompatible applications.

    For example, you created Device selection based on an Applications registry criteria, where you specified incompatible application name in Application name field and got a device selection of 12 computers. After that, you open Incompatible Applications Report and only get 3 computers with that software. It is expected, and here is why.

    Solution

    Application Registry and Incompatible Applications Report use different subsystems to build their lists upon. 

    Incompatible Applications Report uses the Cleaner component, which has a number of predefined entries (similar to what KES uses to detect incompatible applications), which are strictly defined by the product code. The Cleaner database is constantly updated, but it is common that we do not have the required entries in it. So the Incompatible Applications Report will not show computers where the software differs from what we have in our Cleaner. A different language, a different version, basically everything may affect it.

    Device selection that is based on application registry Application name criteria will perform search based on name and version, which may have broader results, thus returning more computers. Computers that are not on Incompatible Applications Report have software version which is not yet in our Cleaner.

    There is another way to build a selection. There is Incompatible security application name dropdown menu. Device selection based on this criteria will be the same as in the Incompatible Applications Report.


  15.

    If you are using the MMC console with different servers, you may want to keep a list of configured servers after upgrading to a new version. Fortunately, this is possible.

    Step-by-step guide

    Follow these steps before the upgrade.

    1. Save Kaspersky Security Center XX file from C:\Users\%username%\AppData\Roaming\Microsoft\MMC
    2. Upgrade.
    3. Start and close the MMC console.
    4. Remove the newly created Kaspersky Security Center XX file from C:\Users\%username%\AppData\Roaming\Microsoft\MMC
    5. Place the file you saved on the first step in the KSC installation folder (remember to rename it to the correct version).
  16.

     

    In some cases klakaut traces should be collected for diagnostics.

    Step-by-step guide

    To do so:

    1. Import klakaut-on_x*.reg file.
    2. Restart klakaut service.

      net stop klakaut
      net start klakaut
    3. Enable another trace if required.
    4. Reproduce the issue.
    5. Import klakaut-off_x*.reg file.
    6. Trace file $klakaut-klakaut.log will be placed in C:\Windows\Temp.

     Make sure to use the correct reg file, depending on OS architecture x86 or x64.

  17.

     

    Problem

    Kaspersky Shared Access To Desktop is not working or not working well. The provided image from remote PC is corrupted.

    Solution

    1. Check if the issue reproduces with standard Windows functionality:
      1. On remote host create an invitation for Windows Remote assistance (Windows default feature).
      2. Send the file with invitation to the PC with KSC console installed.
      3. Connect to the remote PC via Windows remote assistance using the file with invitation.
      4. Click on Request control. Check the behavior.
    2. If the behavior is the same, then it is a Microsoft-related problem; contact Microsoft support.
    3. In case issues with Shared Access show up only with KSC, collect the following data and send to Kaspersky Support:

    • Server traces from the server and NAgent traces from the remote host during the issue reproduction
    • Screen capture (video)
    • GSI report from the remote host and KSC server (after the traces)

    Check the screen resolutions on the remote host and server. If the resolution is 1366x768 on either of those, then it is a known issue https://support.microsoft.com/en-us/help/2665720/remote-assistance-does-not-display-a-desktop-that-has-a-resolution-of-1366-x-768-correctly-in-windows-7

  18.

    There is a known limitation in KSC. When hosts are managed from different domains and there are hosts with similar names in these domains, 'doubles' will appear.

    To avoid this, use FQDN (fully qualified domain name) as a display name instead of NETBIOS name.

    Step-by-step guide

    1. Set up the following server flag:
    SrvUseFqdnAsDisplayNames
    [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags]
    "SrvUseFqdnAsDisplayNames"=dword:00000001

    2. Delete duplicated hosts from the managed group and from unassigned devices.

    3. Run polling so that hosts reappear on KSC.

    In order for hosts to reappear with an FQDN name, the KSC must know their DNS domain. This information appears on the KSC from an installed network agent or AD scan. Therefore, a network agent must be installed on these hosts or AD polling must be used.
  19.

     

    Description

    Sometimes KSC backup task may fail with the following error:

    #1181 (-2147023878) System error 0x800703FA (Illegal operation attempted on a registry key that has been marked for deletion.)

    At first, rebooting the OS may help, but the error may return.

    Cause

    The user identity associated with the COM+ application was logged on when the COM+ application was first initialized. If that user logs off, their profile will be unloaded and the COM+ application will no longer be able to read the registry keys in that user's profile. The User Profile Service forcibly unloads a user's profile when the user logs off. In such a situation, forcing a user profile to be unloaded can cause the application to crash if registry handles are not closed. This User Profile Service functionality is the default behavior.

    Resolution

    As a workaround, you may need to change the default behavior of the User Profile Service. The "Do not forcefully unload the user registry at user logoff" policy setting controls the default behavior. If this setting is enabled, the User Profile Service will not force an unload of the registry, but will wait until other processes are not using the user's registry before unloading it. The policy can be found in the Group Policy Editor (gpedit.msc).


    Computer Configuration → Administrative Templates → System → User Profiles 
    Do not forcefully unload the user registry at user logoff

    Change the setting from Not Configured to Enabled which disables the new User Profile Service feature.

    DisableForceUnload is the value added to the registry.

    For more information see MS article https://support.microsoft.com/en-us/help/2287297/a-com-application-may-stop-working-on-windows-server-2008-when-a-user

  20.

     

    Scenario

    Backup task fails with the following error in Kaspersky Event Log:

    Database is corrupted. At least one repository corrupted C:\ProgramData\Application Data\KasperskyLab\adminkit\1093\gsyn\klsdata.dat has been corrupted and will not be recovered. Hardware fixing and application reinstallation are required.

    Possible root causes

    The most common reasons are an OS crash and an unexpected reboot (for example due to power loss) of a system with disk caching enabled. This leads to corruption of KSC repositories.

    Solution

    1. Uninstall KSC
    2. Install KSC
    3. Restore from the latest backup
  21.

    This article explains the ROBOT attack, RSA Key Exchange, OpenSSL and KSC.

    Explanation

    If you are running a security analyzer and it shows that connections on ports 13000 (server-nagent traffic) and 17000 (activation proxy) are suspicious for a ROBOT attack, don't panic.

    1. Automatic analysis is not accurate. Run specific diagnostics to make sure that KSC traffic is actually not vulnerable. Examples:
      1. https://testssl.sh/
      2. https://github.com/robotattackorg/robot-detect
    2. Check https://mta.openssl.org/pipermail/openssl-dev/2017-December/009887.html that ROBOT attack site is referencing.  It states that "We're mostly focused on non-timing issues and OpenSSL is not among the vulnerable implementations", although OpenSSL uses RSA Key Exchange.

    More information

    What is ROBOT attack – https://robotattack.org/

  22.

     

    The ability to modify the ciphers used by the product to communicate with port 13292 published on the Internet is required.

    Step-by-step guide

    You cannot change the ciphers used on a particular port, but you can change the cipher modes used by the MDM server on all listening ports. To do so, you will need to create a global variable KLTR_ENV_SSL_CIPHER_SUITE and restart the Kaspersky Security Center server.
    You can familiarize yourself with the format of the values at this link https://www.openssl.org/docs/man1.0.2/man1/openssl-ciphers.html

    For example, a variable might look like the following:

    KLTR_ENV_SSL_CIPHER_SUITE=HIGH:!MD5:!DSS
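A way to check a candidate cipher string offline before it goes into KLTR_ENV_SSL_CIPHER_SUITE, and at the same time to see whether it still leaves RSA key exchange enabled, which is the precondition the ROBOT check in post 21 is looking for. This is an added example, not part of either post and not Kaspersky code: it expands the string with the local OpenSSL through Python's ssl module, lists the surviving suites, flags the ones whose Kx is plain RSA (no forward secrecy), and can optionally connect to a port such as 13000 or 13292 to see what a server actually negotiates. The stricter string with !kRSA:!aNULL is this example's own suggestion, not the post's. It does not test for the ROBOT padding oracle itself; that is what robot-detect and testssl.sh are for.

```python
"""Expand and inspect an OpenSSL cipher string before deploying it.

Added example, not code from the original posts. The post's value
'HIGH:!MD5:!DSS' is taken as-is; the stricter variant is this example's
suggestion. Expansion uses the OpenSSL that Python's ssl module is linked
against, so run it on a box with the same OpenSSL generation as the server.
"""
import re
import socket
import ssl
from typing import Optional

POST_STRING = "HIGH:!MD5:!DSS"                  # value quoted in the post
STRICT_STRING = "HIGH:!MD5:!DSS:!kRSA:!aNULL"   # assumption: also drops RSA key exchange

KX_RE = re.compile(r"\bKx=([^\s(]+)")


def uses_rsa_kx(description: str) -> bool:
    """True when an OpenSSL cipher description line negotiates with plain RSA key exchange."""
    m = KX_RE.search(description)
    return bool(m) and m.group(1).upper() == "RSA"


def expand(cipher_string: str) -> list[dict]:
    """Expand a cipher string exactly as the local OpenSSL would (TLS 1.2 and below).

    Raises ssl.SSLError if the string selects no cipher at all, which is the
    failure you want to hit on a test box rather than on the KSC server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are always listed and are not governed by the cipher string.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def report(cipher_string: str) -> dict:
    """Summarise what a cipher string enables and which suites lack forward secrecy."""
    suites = expand(cipher_string)
    return {
        "total": len(suites),
        "names": [c["name"] for c in suites],
        "rsa_kx": [c["name"] for c in suites if uses_rsa_kx(c["description"])],
    }


def negotiated_cipher(host: str, port: int, cipher_string: str, timeout: float = 5.0) -> Optional[str]:
    """Connect offering only cipher_string; return the negotiated cipher name or None.

    Offering 'kRSA' alone tells you whether the server will still do RSA key
    exchange on that port (e.g. 13000 or 13292). Certificate verification is
    off because only the cipher negotiation matters here and the KSC
    certificate is normally self-signed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher_string)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    for label, s in (("post", POST_STRING), ("strict", STRICT_STRING)):
        r = report(s)
        print(f"{label:6} {s!r}: {r['total']} suites, {len(r['rsa_kx'])} with RSA key exchange")
        for name in r["rsa_kx"]:
            print("   no forward secrecy:", name)
    # Example probe (replace host/port): print(negotiated_cipher("ksc.example.local", 13292, "kRSA"))
```

Before dropping kRSA on a production server, check with negotiated_cipher() from a representative Network Agent and MDM client network that the stricter list still negotiates, since the variable applies to all listening ports, not only 13292.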

  23.

     

    An RDP connection invoked via the KSC console uses the hostname to connect to a host: mstsc.exe is invoked with the /v hostname parameter.

    Edit command line used to invoke mstsc.exe with ip address parameter instead of the hostname:

    1. Open Custom tools → Configure custom tools
    2. Select Remote Desktop, click Modify
    3. Edit Command line text box, it should contain <host_ip> instead of <A>:

      /v:<host_ip>:<P> /f
    4. Disable Create tunnel for TCP port specified below checkbox

    Administration Console will now launch mstsc.exe with ip address as argument.

  24.

     

    If there are many outdated entries in the Executable files list in a computer's properties or on a server, there is a way to bring it up to date.

    Step-by-step guide

    There is a hidden Actualization task that runs at the end of the Inventory task. To use this functionality and quickly update the list of executables, do the following:

    1. Create an Inventory task 
    2. Set Inventory scope to either empty or very small folder
    3. Run it

    Since the scope of work is small, the inventory task will be performed much faster and will go straight to the actualization task. After the task is completed, all outdated (not existing at the moment) executables will be removed from the list.
