Antipova Anna
Kaspersky Employee
Posts: 352
Everything posted by Antipova Anna

  1. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

     Description

     After a successful installation, kesl-supervisor.service may refuse to start with the following error:

         kesl-supervisor.service: Control process exited, code=exited status=203

     The journalctl -xe command provides more information related to this error:

         kesl-supervisor.service: Failed to execute command: Permission denied
         kesl-supervisor.service: Failed at step EXEC spawning /var/opt/kaspersky/kesl/install-current/etc/init.d/kesl-supervisor:
         kesl-supervisor.service: Control process exited, code=exited status=203
         kesl-supervisor.service: Failed with result 'exit-code'.
         Failed to start kesl.

     Root cause

     SELinux is enabled on the system and prohibits execution of the service.

     Solution

     You can check the SELinux status by running:

         $ sestatus

     If SELinux is enabled, use the dedicated online help article to disable, configure and re-enable it.
  2. Problem

     kesl-control --app-info outputs the following error:

         File Threat Protection: Unavailable due to file interceptor driver error

     One of the most common root causes is that fanotify is disabled (or KESL could not access it) and kernel module compilation also failed.

     A special utility can be used to check this directly on the affected machine with KESL installed:

         sudo /opt/kaspersky/kesl/bin/fanotify-checker && echo fanotify: supported || echo fanotify: unsupported

     In case an operating system does not support the fanotify technology, it is required to install some additional packages and build a kernel module for KESL. A part of the required packages may be found in the Hardware and software requirements section of the product documentation, for example for KESL 11.3. In addition to this, the new packages kernel-headers-XXX and kernel-devel-XXX must be installed, where XXX is the operating system kernel version.

     Use the following scenario to install those packages and build a kernel module for KESL.

     For RHEL-based OS:

         yum install kernel-headers-`uname -r` kernel-devel-`uname -r`

     For Debian-based OS:

         apt install linux-headers-`uname -r`

     Reboot the system.

     Run the post-install script:

         /opt/kaspersky/kesl/bin/kesl-setup.pl --build | tee /tmp/buildLog

     And restart the service:

         systemctl restart kesl-supervisor.service

     In case of any further issues, please contact Kaspersky Support.
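An added example, not code from the post or from Kaspersky, that automates the choice between the two package commands above: it reads /etc/os-release so that a derivative which only names its family in ID_LIKE (Rocky, AlmaLinux, Ubuntu) still gets the right headers for the running kernel, and prints the rest of the post's procedure as a dry run. The distribution ID lists are an assumption; the fanotify-checker path and the build/restart commands are the ones the post gives.

```shell
#!/bin/sh
# Added example (not from the post): pick the header packages for KESL's kernel
# module build from /etc/os-release and the running kernel release.

# Print "rhel", "debian" or "unknown" for an os-release file ($1), checking ID
# first and then each entry of ID_LIKE. The ID lists are an assumption.
os_family() {
    local id
    for id in $(sed -n 's/^ID=//p; s/^ID_LIKE=//p' "$1" | tr -d '"'); do
        case "$id" in
            rhel|centos|fedora|rocky|almalinux|ol) echo rhel; return 0 ;;
            debian|ubuntu)                         echo debian; return 0 ;;
        esac
    done
    echo unknown
}

# Print the install command for the headers matching kernel release $2 on a host
# whose os-release file is $1; fail (status 1) instead of guessing for other families.
headers_install_cmd() {
    case "$(os_family "$1")" in
        rhel)   echo "yum install kernel-headers-$2 kernel-devel-$2" ;;
        debian) echo "apt install linux-headers-$2" ;;
        *)      echo "unknown distribution family; install the kernel headers for $2 manually" >&2; return 1 ;;
    esac
}

# Dry run of the post's procedure on the current host: report whether fanotify is
# usable and, if not, print the commands to run. Nothing is installed here.
kesl_fanotify_triage() {
    local checker=/opt/kaspersky/kesl/bin/fanotify-checker
    if [ -x "$checker" ] && "$checker" >/dev/null 2>&1; then
        echo "fanotify: supported; no kernel module build should be needed"
        return 0
    fi
    echo "fanotify: unsupported or checker missing; build the kernel module:"
    headers_install_cmd /etc/os-release "$(uname -r)" || return 1
    echo "reboot"
    echo "/opt/kaspersky/kesl/bin/kesl-setup.pl --build | tee /tmp/buildLog"
    echo "systemctl restart kesl-supervisor.service"
}
```

Run `kesl_fanotify_triage` on the affected host; it only prints the commands, so the reboot and the build stay a deliberate step.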
  3. Problem

     There are several problems with similar causes:

     1) The KESL postinstall script produces an error:

         Warning: Failed to set up KSN

     2) KESL is installed and running. However, the kesl-control command outputs something like this:

         kesl-control --app-info
         Connection refused. Invalid user permissions for /var. Only root user should have write access to this path.

         kesl-control --app-info
         Could not connect to Kaspersky Endpoint Security 11.2.2 for Linux

     3) KESL is installed and running, kesl-control indicates no problems. However, kesl-gui shows the "Application is currently unavailable" error.

     4) KESL is installed and running, nagent indicates no connectivity problems. However, KSC shows that KESL is stopped and can't be started.

     Root cause

     The KESL service implements defensive internal logic which denies connections from non-"trusted" processes. One of the causes is that the process executable file or some library it loads can be overwritten by a non-root user:

     1) The owner is not "root".
     2) FS write permission is granted to "Group" or "Other".

     Such errors often serve as an indication of some erratic configuration. For example:

     • You may have changed the ACL for /opt or another folder (which is supposed to not be widely accessible) to 777.
     • In Astra Linux, the owner of the /var directory is sometimes changed to the fly-dm service user due to an error in the fly-dm package. Astra developers confirmed this bug and released a fix. If the issue reproduces with new fly-dm versions, address Astra support.
     • The LD_PRELOAD variable may be used to load arbitrary libraries for any given process, including KESL. This is usually the case when you see non-root permission errors for some third-party libraries.

     Solution

     To restore proper permissions, use the chown and/or chmod commands:

         chown root:root /path/to/folder
         chmod g-w,o-w /path/to/folder

     Please exercise caution when changing permissions for / and folders straight under /. It depends on the environment which files/folders are checked, thus a complete list cannot be provided. In new KESL versions, the kesl-control output suggests which path has incorrect permissions.

     You can check which folders have incorrect permissions using this command:

         # ls -ld / /var /var/opt /opt /opt/kaspersky /bin /usr /usr/lib /usr/lib64 | egrep -v '^d.{4}-.{2}-.*root root'

     To get a full list of files loaded by KESL or klnagent, you can read /proc/<pid>/maps. Use the commands in the example below to filter out all application-specific files that are located in the folders listed above and to see what other files are used:

         # cat /proc/$(pidof -s klnagent)/maps | awk '{print $6}' | grep ^/ | grep -v 'kaspersky' | sort | uniq
         # cat /proc/$(pidof -s kesl)/maps | awk '{print $6}' | grep ^/ | grep -v 'kaspersky' | sort | uniq
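An added example, not code from the post or from Kaspersky: it applies the rule stated above (every directory on the way to a KESL executable or library must be owned by root and must not be writable by group or other) to each component of a path, and extracts the non-Kaspersky files a running process has mapped so the same check can be run on them. GNU stat and awk are assumed. TRUSTED_OWNER exists only so the check can be exercised on a scratch tree that is not root-owned; on a real host it stays root. The product's own list of checked files is not published, as the post says, so this walks whatever paths you hand it.

```shell
#!/bin/sh
# Added example (not from the post): check the trusted-path rule on every
# component of a path, and list the foreign files mapped into a process.

# Owner every component must have. Override only for a scratch tree that is not
# owned by root (the self-test does); on a real host leave it at root.
TRUSTED_OWNER=${TRUSTED_OWNER:-root}

# Check one path. Prints "<path> <owner> <octal mode> <reason>" and returns 1 if
# it is not owned by $TRUSTED_OWNER or has the group or other write bit set.
check_one() {
    local owner mode g o reason=""
    owner=$(stat -c %U "$1") || return 1
    mode=$(stat -c %a "$1")
    g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))   # group and other permission digits
    [ "$owner" = "$TRUSTED_OWNER" ] || reason="owner"
    [ $(( g & 2 )) -eq 0 ] || reason="${reason:+$reason,}group-writable"
    [ $(( o & 2 )) -eq 0 ] || reason="${reason:+$reason,}other-writable"
    [ -z "$reason" ] && return 0
    printf '%s %s %s %s\n' "$1" "$owner" "$mode" "$reason"
    return 1
}

# Walk /, then each directory prefix of $1, then $1 itself, reporting every
# component that fails check_one. Returns 1 if any component failed.
check_trusted_path() {
    local target="$1" prefix="" comp bad=0
    check_one / || bad=1
    # split on '/'; paths with spaces are not expected under /opt, /var or /usr
    for comp in $(printf '%s' "$target" | tr '/' ' '); do
        prefix="$prefix/$comp"
        check_one "$prefix" || bad=1
    done
    return $bad
}

# Distinct files mapped by a process, read from a maps file the way the post
# reads /proc/<pid>/maps, minus the product's own files.
mapped_foreign_files() {
    awk '$6 ~ /^\// { print $6 }' "$1" | grep -v kaspersky | sort -u
}

# Check every foreign file mapped into a process. $1 is /proc/<pid>/maps.
check_process_maps() {
    local f bad=0
    for f in $(mapped_foreign_files "$1"); do
        check_trusted_path "$f" || bad=1
    done
    return $bad
}
```

On a live host, `check_process_maps /proc/$(pidof -s kesl)/maps` exits non-zero and lists each offending component with the reason, which is exactly the input for the chown/chmod commands above; a library reported under a path you do not recognise is the LD_PRELOAD case the post mentions.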
  4. Problem

     While WTP/NTP is enabled, the nft utility produces errors (on stderr) like:

         # nft list ruleset
         XT target TPROXY not found
         XT target TPROXY not found
         XT target TPROXY not found
         XT target TPROXY not found

     These errors are caused by a bug in the nft utility and the xt_TPROXY dynamic library. This effect does not indicate functionality issues. This bug may be reported to the netfilter.org developers.

     Explanation

     Whenever the nft utility lists traffic rules, it dynamically loads extension libraries (for example, from /usr/lib/x86_64-linux-gnu/xtables in Debian OS), including TPROXY and CONNMARK. When nft encounters the first ipv4 rule, it sets the global "family=ipv4" state via the xtables_set_nfproto function, then loads libxt_TPROXY.so, which has both ipv4 and ipv6 targets, but the ipv6 ones are ignored due to the flag. After that, nft processes the ipv6 rules, but there are no ipv6 targets for them. As a result, the nft utility produces the errors "XT target TPROXY not found".
  5. Sometimes one may need to enable transmitted traffic capturing in KATA (for example, for local testing of Suricata detections). Here's how to do it.

     Instructions for KATA 3.7.*

     In the file /etc/modprobe.d/pf_ring.conf set enable_tx_capture=1. The file should look like this:

         options pf_ring enable_tx_capture=1 min_num_slots=16384

     Stop the apt-preprocessor and suricata services:

         systemctl stop apt-preprocessor.service
         systemctl stop suricata.service

     Reload the pf_ring module:

         rmmod pf_ring
         modprobe pf_ring

     Start apt-preprocessor and suricata back:

         systemctl start apt-preprocessor.service
         systemctl start suricata.service

     Instructions for KATA 4.0/4.1

     In the file /etc/modprobe.d/pf_ring.conf set enable_tx_capture=1. The file should look like this:

         options pf_ring enable_tx_capture=1 min_num_slots=16384

     Stop the docker service:

         systemctl stop docker

     Reload the pf_ring module:

         rmmod pf_ring
         modprobe pf_ring

     Start docker back:

         systemctl start docker

     Instructions for KATA 5.0

     In the file /etc/pf_ring/pf_ring.conf set enable_tx_capture=1. The file should look like this:

         options pf_ring enable_tx_capture=1 min_num_slots=16384

     Stop the docker service:

         systemctl stop docker

     Reload the pf_ring module:

         rmmod pf_ring
         modprobe pf_ring

     Start docker back:

         systemctl start docker

     With these changes, KATA will capture and process both incoming and outgoing traffic.
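An added example, not code from the post or from Kaspersky: it edits the "options pf_ring ..." line in place so that enable_tx_capture=1 is set while every other option on the line (min_num_slots=16384 in the post) is preserved, and then runs the reload sequence the post gives for KATA 4.x/5.0. The config path is an argument because it differs by version (/etc/modprobe.d/pf_ring.conf versus /etc/pf_ring/pf_ring.conf). Reading the live value back from /sys/module is an assumption about pf_ring exposing the parameter there.

```shell
#!/bin/sh
# Added example (not from the post): idempotent edit of the pf_ring options
# line, followed by the module reload the post describes for KATA 4.x/5.0.

# Ensure enable_tx_capture=$2 (default 1) on the pf_ring options line of $1.
# Replaces an existing value, appends the option if the line lacks it, creates
# the line if the file has none. Prints the resulting line.
set_pf_ring_tx_capture() {
    local conf="$1" value="${2:-1}" tmp
    tmp=$(mktemp)
    awk -v val="$value" '
        $1 == "options" && $2 == "pf_ring" {
            found = 0
            for (i = 3; i <= NF; i++)
                if ($i ~ /^enable_tx_capture=/) { $i = "enable_tx_capture=" val; found = 1 }
            if (!found) $0 = $0 " enable_tx_capture=" val
            seen = 1
        }
        { print }
        END { if (!seen) print "options pf_ring enable_tx_capture=" val }
    ' "$conf" > "$tmp"
    # copy over the original rather than mv, so owner and mode of the file are kept
    cat "$tmp" > "$conf" && rm -f "$tmp"
    grep '^options pf_ring' "$conf"
}

# KATA 4.x/5.0 sequence from the post: stop docker (it keeps pf_ring busy),
# reload the module, then start docker again even if the reload failed so the
# node does not stay down, and report the outcome.
enable_tx_capture_and_reload() {
    local rc=0
    set_pf_ring_tx_capture "$1" 1 >/dev/null
    systemctl stop docker
    if rmmod pf_ring && modprobe pf_ring; then
        rc=0
    else
        echo "pf_ring reload failed (module still in use?); check lsmod and dmesg" >&2
        rc=1
    fi
    systemctl start docker
    # live value of the parameter, assuming the module exposes it under /sys/module
    [ -r /sys/module/pf_ring/parameters/enable_tx_capture ] \
        && echo "enable_tx_capture=$(cat /sys/module/pf_ring/parameters/enable_tx_capture)"
    return $rc
}
```

For KATA 5.0 that is `enable_tx_capture_and_reload /etc/pf_ring/pf_ring.conf`; for 3.7 use the same editing function and stop/start apt-preprocessor and suricata instead of docker.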
  6. This is a workaround and should be used if you can't check it the standard way.

     1. Collect GSI.
     2. Open this file (see screenshot), press Ctrl+F and search for the word, for example, Firewall. Immediately you'll get a line with the installed components.
  7. In the Compact Diagnostic Interface, it can be checked in the "About the application" window.

     In the Kaspersky Security Console, it can be checked in Action -> Information about the application and available module updates...
  8. Problem

     You might notice that large files named like PR*.tmp appear in C:\Windows\Temp.

     Cause

     This is known and expected behavior. When the product scans an object, it creates a temporary copy, names it like PR*.tmp and places it in the temp folder. Once the scan is complete, this temporary file gets deleted. Large PR*.tmp files mean that some large objects are scanned by OAS (On-Access Scan) or ODS (On-Demand Scan).

     Solution

     In some cases there might not be enough space on the drive to create a large temporary file. Below are the possible solutions:

     • Exclude large objects from OAS and ODS;
     • In the OAS and ODS settings, enable the option 'Do not scan compound objects larger than' and specify the required size in MB;
     • Change the folder where KSWS temporary files are created to a drive with higher capacity. In KSWS 11 this can be achieved by editing Application settings → Scalability, interface and scan settings → Scan settings → 'Folder for temporary files created during scanning'. In KSWS 10 use the registry entry below:

         [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]
         "ProcessingTempPath"="d:\\Temp\\"
  9. Sometimes you may need to add a particular site/domain to the exclusions list of Traffic Security. Unfortunately, at the moment the KSWS console allows us to make exclusions ONLY for Ports, IP addresses and Processes. But we have the ability to make site and domain exclusions for Traffic Security via a registry workaround.

     To implement the workaround, we need to create and fill the following REG_MULTI_SZ key:

         [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\WSEE\11.0\Environment\ICAP\IgnoreDomains]

     To make changes in this hive, you can add the necessary permissions to your account OR you can run regedit in the SYSTEM context (psexec -s -i regedit.exe).

     Important

     Besides the required domain names, we recommend adding the following default list of names to avoid breaking Windows Updates and KSWS activation functionality:

         *.data.microsoft.com
         *.update.microsoft.com
         *.kaspersky.com
         *.rds.amazonaws.com
         *.s3.amazonaws.com
         *.blob.core.windows.net
         *.database.windows.net
  10. Some issues with KSWS/KESS/KICS4Nodes may require a process dump to analyze. It is fairly easy to collect.

      Crash dumps

      KSWS/KESS/KICS4Nodes does not create crash dumps by default. It should be enabled before reproducing the issue.

      Using the KSC console:
      1. Open the KSC console and navigate to the affected server.
      2. Open its properties.
      3. Switch to the Applications tab.
      4. Open the KSWS properties.
      5. In the new window, navigate to the Malfunction diagnosis tab.
      6. Mark the "Create dump file" checkbox.
      7. Specify the dump file folder.

      Using the KSWS command line:
      1. Start an elevated command prompt.
      2. Execute the KAVSHELL DUMP command. More info about the syntax is here: https://support.kaspersky.com/KSWS/11/en-US/146721.htm.

      Example where automatic dumps will be saved to C:\Dumps:

          KAVSHELL DUMP /ON /F:"C:\Dumps"

      Manual dumps

      Manual dump files are usually required when the process does not crash, but hangs or consumes a large amount of CPU time. There are two ways to collect manual dumps. Keep in mind that there are multiple executables, and we need dumps from all of them. There is always one kavfs.exe and at least one kavfswp.exe (the number depends on load and settings).

      Using Windows Task Manager:
      1. Start Task Manager.
      2. Switch to the Details tab.
      3. Right-click the image name.
      4. Select "Create dump file".
      5. Repeat for every running KSWS/KESS/KICS4Nodes process.

      Using the KSWS command line:
      1. Start an elevated command prompt.
      2. Execute the KAVSHELL DUMP command. More info about the syntax is here: https://support.kaspersky.com/KSWS/11/en-US/146721.htm.

      Example where the process with ID 1234 is dumped to C:\Dumps:

          KAVSHELL DUMP /SNAPSHOT /F:C:\Dumps /P:1234
  11. KSWS/KESS use * as a wildcard character. There are multiple ways to use it.

      Examples

      Masks without paths:
      • *.exe - all files with extension *.exe
      • test - all files with name test

      Masks with absolute paths:
      • C:\dir\*.* - all files in folder C:\dir\ and its subfolders
      • C:\dir\*.exe - all files with mask *.exe in folder C:\dir\ and its subfolders
      • C:\dir\test - all files named test in folder C:\dir\ and its subfolders
      • C:\dir\ - all files in folder C:\dir\ and its subfolders

      Masks with relative paths:
      • dir\*.* - all files in all folders named dir and their subfolders
      • dir\*.exe - all files with mask *.exe in all folders named dir and their subfolders
      • dir\test - all files named test in all folders named dir and their subfolders
      • dir\test*.* - all files whose name begins with test and has an extension, in all folders named dir and their subfolders (for example, C:\temp\dir\sub\test2.exe will be excluded)
      • dir\ - all files in all folders named dir and their subfolders

      dir\ and dir\* have the same result. Combinations such as dir\*\ are not used; the product will ignore them.

      Masks acceptable while adding trusted processes:
      • c:\dir1\dir2\fil?.exe
      • c:\dir1\dir?\fil?.exe
      • c:\dir1\dir2\*.exe
      • c:\dir1\*\some_file.exe
  12. Product version/Environment

      KSWS 10.1/11.X, Windows Server. Requirements for the server on which Kaspersky Security for Windows Server is deployed.

      Description of error

      Run the installation of the application or the console with the setup file. The error "Please go to the Control Panel to install and configure system components" pops up and the installation doesn't run.

      Solution

      Unpack the installation file and run the .msi file inside instead of the setup:

          *\ksws_11.0.1.897_en\client\ks4wstools*.msi for the console
          *\ksws_11.0.1.897_en\server\ks4ws*.msi for the application
  13. Consider the following scenario:

      Open an update or scan KSWS task. Go to Schedule -> Advanced -> Task stop settings.

      Solution

      The task's stop settings are greyed out and cannot be changed. This is by-design behaviour: task stop settings can be changed only for real-time tasks, Real-Time File Protection and Script Monitoring. These tasks can be configured in the KSWS policy to pause execution at a certain time so as not to interfere with third-party apps or to speed up heavy operations. Task stop settings cannot be changed for Updater and On-Demand Scan tasks. These tasks should be executed without pausing them.
  14. Problem

      If you have found out that a KSWS installation is somehow corrupted, and you're not able to remove it using conventional means (using msiexec and/or appwiz.cpl), please do not use the kavremover and/or msizap tools. Do not attempt removing the product manually, as our goal is to determine the root cause of the product moving to this inconsistent state.

      Solution

      Please provide Kaspersky Support with the pertinent GSI log of the affected host and the KSWS msi installer logs containing all the previous installations/modifications of the product that have led it to its current state. Locate and copy all msi files from the Windows temp folder and the user temp folders:

          %systemroot%\Temp
          :\Users\<username>\AppData\Local\Temp

      Or simply collect all files from those folders from the affected machine.

      Also, clarify the exact timestamp when the issue started to occur, or an approximate date and time when you noticed the problem on the affected host for the first time, and when the last time was that the product was working just fine on the said host as well.

      Based on this data it will potentially be possible to provide an automated msiexec string to repair and/or remove the product automatically, and more importantly it will give us a better chance of determining the root cause.
  15. Environment/Preconditions

      KSC 12, KSWS 11.0.1.897

      You may find a massive increase in disk usage from the report folder under the Kaspersky folder. The size of the report folder increases from around 2 GB to 12 GB; the files in the report folder have random names (like 340a13d9-2a50-4c4e-94d6-82a79d80da4b) and rapidly grow and consume disk space. The file can be deleted to resolve the disk-space-full issue, which itself can cause many issues (can't log in to the server, KSWS stops, etc.).

      To delete the file:
      1. Stop KSWS.
      2. Add permission/owner for the login account.
      3. Right-click and delete the file.

      This issue is caused by the Task log setting under the Log and Notification tab in the KSWS policy. To avoid the detailed-events issue:
      • Ensure that there are no Informational events in the Importance level option in each component.
      • Ensure that "Remove task logs older than (days)" is selected.

      In case you do the above steps and the random file still keeps growing rapidly (100 MB per hour), it may be caused by event flooding. You can check for event flooding using "DB Browser for SQLite". For example, the log above is generated by the Application Launch Control component. You may solve this issue by disabling the Application Launch Control log.
  16. Problem

      KSWS 10 and KSWS 11 may have two issues because of the Application Control component:
      • Can't uninstall KSWS, with the error "There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run".
      • Can't run GSI, with this error: "Unable to unpack the critical file. GsiSharp.bin".

      Solution

      Disable Application Control and retry the uninstallation. Collect GSI, if necessary.
  17. Problem

      In some cases, it is possible to run a database upgrade task on the KSWS/KICS/KESS host, but despite the upgrade task successfully completing, the databases are still out of date.

      Solution

      Most probably the product operates in UpdateBlackListOnly mode. This happens when the product is activated with an activation code and is unable to reach our activation servers. Thus KSWS fails to receive/refresh the activation ticket and downloads updates only for the Blacklist.

      Possible ways to solve the problem:
      1. Activate with a key file;
      2. In case KSWS needs to be activated with the code, make sure that either the KSWS server is able to reach our public activation servers directly, or set up KSC to act as an activation proxy and make sure that the KSWS server is able to reach KSC on TCP 17000.
  18. Description

      As part of proactive security, you may wish to add a SHA256 hash to block the execution of an application or of malicious applications without having the original source files. This article explains how to perform this action.

      How to

      1. Create a text file containing the SHA256 hashes you want to block.
      2. Use the AppRulesGenerator.exe app to generate an XML file.
      3. Import the generated .xml file into the KSWS policy.

      AppRulesGenerator.exe can be downloaded here.
  19. In KSWS/KESS/KICS there is an option in the update task to "Lower the load on the disk I/O". It is important to understand that when this option is enabled, the task does not use HDD resources at all. The updater will not only place the current updates in RAM; update temp and cache files will also be placed there.

      Incorrect expectation: the task uses a dedicated amount of RAM; in case the dedicated RAM is not enough for all update files, including temp and cache, the task continues through the HDD.

      Actual product behavior: the task uses a dedicated amount of RAM; in case the dedicated RAM is not enough for all update files, including temp and cache, the task fails with the error: Failed to update. Reason: insufficient drive space.
  20. Problem

      In previous versions of KATA it was possible to mount an NFS share to copy backups to. In KATA 5.x only CIFS share mounts are available out of the box.

      Error

          root@1.srv.node1.node.dyn.kata:/home/admin# mount -t nfs 10.225.62.41:/mnt/NFS/KXDR /mnt/nfs
          mount: /mnt/nfs: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.

      Solution

      Install the packages manually via dpkg in the following order to add NFS support:

          dpkg -i /home/admin/libtirpc-common_1.2.5-1_all.deb
          dpkg -i /home/admin/libtirpc3_1.2.5-1_amd64.deb
          dpkg -i /home/admin/keyutils_1.6-6ubuntu1_amd64.deb
          dpkg -i /home/admin/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb
          dpkg -i /home/admin/rpcbind_1.2.5-8_amd64.deb
          dpkg -i /home/admin/nfs-common_1.3.4-2.5ubuntu3.5_amd64.deb
  21. It is the same as setting up the flag in the registry:

          [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags]
          "SrvUseFqdnAsDisplayNames"=dword:00000001

      Both ways are acceptable. Thank you!
  22. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Collect script output is a must for most KATA-related issues and questions. Which information? Which file? How to find/interpret? Example КАТА version and role: CN/PCN/SCN/Sensor /config/apt-va File contains the version and role in human-readable form. Also, you can see if the node was upgraded from previous KATA versions in 'migrate' line Primary CN [product] name=kata-cn title=Kaspersky Anti Targeted Attack Platform version=3.5.0-1269 release=release master = yes sensor = yes timestamp = 1568700994 migrate = cn_role = pcn Standalone CN [product] name=kata-cn title=Kaspersky Anti Targeted Attack Platform version=3.6.1-713 release=release master = yes sensor = yes timestamp =1572445307.01 migrate = cn_role = cn Sensor node [product] name=kata-cn title=Kaspersky Anti Targeted Attack Platform version=3.6.1-713 release=release master = no sensor = yes timestamp =1583845362.98 migrate = cn_role = Virtual or hardware? /environment/dmesg.txt OR /var/log/messages OR /var/log/boot.log Search for "DMI" entries in the file. Physical server [ 0.000000] DMI: HPE ProLiant DL560 Gen10/ProLiant DL560 Gen10, BIOS U34 06/20/2018 Virtual server [ 0.000000] DMI: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 CPU /environment/cpuinfo.txt Scroll to the bottom of the file. Each "processor" listed is not a physical core, but virtual "thread", so, i.e. 8-physical core CPU with hyper-threading will have 16 CPUs in the file. Keep in mind that CPUs are counted from 0, so for 16-thread CPU last entry will have number 15. 
processor : 15 vendor_id : GenuineIntel cpu family : 6 model : 79 model name : Intel(R) Xeon(R) Platinum 8158 CPU @ 3.00GHz stepping : 0 microcode : 0x2000050 cpu MHz : 2992.968 cache size : 25344 KB physical id : 0 siblings : 16 core id : 15 cpu cores : 16 apicid : 15 initial apicid : 15 fpu : yes fpu_exception : yes cpuid level : 13 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ibrs ibpb stibp fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm rdseed adx smap xsaveopt arat spec_ctrl intel_stibp arch_capabilities bogomips : 5985.93 clflush size : 64 cache_alignment : 64 address sizes : 43 bits physical, 48 bits virtual power management: RAM /environment/memory.txt File shows free command output. Values are in megabytes, pay attention to 'total' and 'available' columns. NB! Ignore 'free' column: despite of it's name, it doesn't actually show free RAM, 'available' column does it. total used free shared buff/cache available Mem: 197308 63869 3634 6738 129804 125558 Swap: 0 0 0 HDD /environment/hdd.txt Pay attention to partitions /dev/sda* and /dev/sdb*. If /dev/sdb* partition is present, you are dealing with two-disk installation, otherwise, it's one-disk installation. NB! Always check HDD partitions size and available free space! KATA needs a LOT of disk space to work correctly. 
Most important partitions are: /dev/sda4 1.2T 894G 224G 80% /data ← Used for processing queues and quarantine, main partition for KATA /dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage ← Used for EDR data: (telemetry from Endpoint Sensors) Filesystem Size Used Avail Use% Mounted on /dev/sda3 367G 14G 335G 4% / devtmpfs 126G 0 126G 0% /dev tmpfs 126G 252K 126G 1% /dev/shm tmpfs 126G 4.1G 122G 4% /run tmpfs 126G 0 126G 0% /sys/fs/cgroup /dev/sda2 232M 32M 189M 15% /boot /dev/sda1 237M 5.5M 232M 3% /boot/efi /dev/sda4 1.5T 435G 955G 32% /data /dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage tmpfs 26G 0 26G 0% /run/user/998 tmpfs 26G 0 26G 0% /run/user/1002 tmpfs 26G 0 26G 0% /run/user/1001 DNS name /environment/hostname.txt File contains exactly the hostname of the machine. kata-cn IP address /environment/ipa.txt /environment/ifconfig.txt Both files contain info about network interfaces and assigned IP addresses. ifconfig command is considered obsolete by community, but it can be useful: it helps to recognize SPAN interfaces. SPAN interfaces usually don't have IP address assigned, but have a lot of traffic. 
Also, SPAN interfaces always are in promiscuous mode: <UP,BROADCAST,RUNNING,PROMISC,MULTICAST> ipa.txt 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:50:56:9f:0e:77 brd ff:ff:ff:ff:ff:ff inet 10.200.178.85/23 brd 10.200.179.255 scope global ens192 valid_lft forever preferred_lft forever inet6 fe80::250:56ff:fe9f:e77/64 scope link valid_lft forever preferred_lft forever 3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:50:56:9f:db:4d brd ff:ff:ff:ff:ff:ff inet6 fe80::250:56ff:fe9f:db4d/64 scope link valid_lft forever preferred_lft forever ifconfig.txt ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.200.178.85 netmask 255.255.254.0 broadcast 10.200.179.255 inet6 fe80::250:56ff:fe9f:e77 prefixlen 64 scopeid 0x20<link> ether 00:50:56:9f:0e:77 txqueuelen 1000 (Ethernet) RX packets 604911116 bytes 747444631331 (696.1 GiB) RX errors 0 dropped 26 overruns 0 frame 0 TX packets 368814032 bytes 353073760300 (328.8 GiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::250:56ff:fe9f:db4d prefixlen 64 scopeid 0x20<link> ether 00:50:56:9f:db:4d txqueuelen 1000 (Ethernet) RX packets 437 bytes 135823 (132.6 KiB) RX errors 0 dropped 1125 overruns 0 frame 0 TX packets 8 bytes 656 (656.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 19418334689 bytes 12053991732736 (10.9 TiB) RX errors 0 dropped 0 overruns 0 
frame 0 TX packets 19418334689 bytes 12053991732736 (10.9 TiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 SPAN interface eno2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet6 fe80::42f2:e9ff:fecc:4343 prefixlen 64 scopeid 0x20<link> ether 40:f2:e9:cc:43:43 txqueuelen 1000 (Ethernet) RX packets 122540697216 bytes 104768065608116 (95.2 TiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7 bytes 586 (586.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device memory 0xbd5a0000-bd5bffff Sandbox server information /config/apt-agents-id Bottom part of the file contains info about connected sandbox nodes: IP addresses, cert fingerprints and states: Sandbox may be connected, but disabled. [sandbox_node.sandbox1] host = 172.16.0.151 enable = yes fingerprint = C0:15:18:C8:11:46:11:BC:23:50:16:95:10:2D:FF:FA:4E:06:21:90:20:AA:CC:36:53:27:B8:BF:CF:5A:1A:9C Enabled integrations(SPAN, ICAP, etc) /config/preprocessor.conf Preprocessor is the component responsible for main KATA integrations: SPAN, SMTP, ICAP, POP3. 
You should look for the corresponding section in preprocessor.conf:

SPAN: [traffic]
SMTP: [smtp_proxy]
ICAP: [icap]
POP3: [pop3]

For each section there is a line defining whether this integration is enabled: enable=yes/no

Other integrations like KSMG/KLMS/API aren't easy to check by the collect script output.

Example where only SPAN is enabled:

[app]
use_syslog=no
trace_level=ERR
cache_socket=localhost:6379
collector_url=http://centralnode:8081/apt/collector
license_remote=no

#this section applicable for sections: pop3, smtp_proxy and for traffic section but only for smtp preprocessor
[mail]
extract_urls=yes
#file extensions of attachments which format recognizer is not used for
file_extensions=dll,exe,com,java,js,jse,wsf,wsh,vbs,vbe,msi,deb,rpm,apk,zip,7z,rar,iso,cab,jar,bz2,gz,tgz,ace,arj,dmg,xsr,rtf,pdf,msg,eml,vsd,vdx,xps,xsn,odt,ods,odp,sxw,doc,dot,docx,docb,dotx,docm,dotm,xls,xlt,xlm,xla,xll,xlw,xlsx,xltx,xlsm,xltm,xlam,xlsb,ppt,pot,pps,ppam,sldx,sldm,thmx,pptx,potx,pptm,potm,ppsx,ppsm,pub,html,htm,hta,swf,jpg,jpeg,gif,png,tiff,chm,mht,cpl,ocx,pif,scr,bat,cmd,ps1,lnk,reg,msu,msp,z

[traffic]
enable=yes
network_interfaces=ens6f0,ens6f1,ens5f1,ens5f0,ens5f3,ens5f2,eno1,ens3f1,ens3f0
pcap_snaplen=1600
pcap_cores=
pcap_filter=
checksum_validation=no
buffer_size_limit=4096
tcp_threads_number=16
enable_dns=yes
enable_http=yes
enable_ftp=yes
enable_ssl=yes
enable_smtp=yes
ftp_data_expired_timeout_in_seconds=60
ftp_data_supposed_max_size_in_bytes=10485760

[ksn]
enable=yes
#possible values of type are KSN or KPSN
type=KSN
timeout=500
non_dl_formats=GeneralHtml,GeneralTxt,ExecutableJs,ImageGif,ImageJpeg,ImagePng,ArchiveCab
ksn_adapter_interfaces=
# Change cache entries only if you know what you are doing.
# 0 - disables cache
cache_entries=3600100
request_threads=4

[snmp]
enable=yes
master_agent_address=tcp:localhost:705
ping_interval_in_seconds=15

[icap]
enable=no
listen_interfaces=ens3f3:1344,ens3f2:1344,eno2:1344
allow204=yes
max_connections=5000
respmod_url=av/respmod
header_client_ip=X-Client-IP
header_client_port=X-Client-Port
extract_user=no
header_username=X-Authenticated-User
base64_decode_username=yes

[filter]
file_size_limit=100000000
dns_lookup_enable=yes
dns_timeout=500
html_filter=/var/opt/kaspersky/apt/update/bases/htmlre.txt

[snort]
enable=yes
alerts_socket=/var/log/kaspersky/snort/snort_alert

[pop3]
enable=no
server=
port=
user=
password=
cipher_list=ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:!DSS:!KRB5:!PSK:!RC4:!SRP:!CAMELLIA:!IDEA:!SEED:!3DES:@STRENGTH:!kDH:!kECDH
encrypted=yes
check_interval_in_seconds=2
accept_any_certificates=no
accept_untrusted_self_signed_certificate=yes
process_msgs_per_session=3000
request_timeout_in_seconds=60

[smtp_proxy]
enable=no
max_threads=20
socket_in=inet:10025@127.0.0.1
#RFC 1123 suggests 10 min
timeout_in_seconds=600

[stat_engine]
enable=yes
db=kafka:centralnode:9092?topic=network
oltp_bulk_size=1000
subnets=
taa_skip_header_proxy_auth=status-code: 407
oltp_raw_data_limit=0

[proxy]
enable=no
bypass_local_addresses=yes
host=
port=
user=
password=

Connected Endpoint Sensors

/config/aapt_info

You can find the beginning of the Endpoint Sensors list by searching for 'Agent Status'. To find the number of connected sensors, you need to count the lines; this is not easy to automate, as the lines don't have an obvious unique grep-able attribute. However, searching for 'Microsoft Windows' will give you enough precision (it will give a few extra matches from the last detections info).

Sample entry for 1 agent:

ae5290b1-c490-404b-beec-ee553d5d64ee | DXB00079395.*.corp | 2019-09-24 08:41:51.579011 | 10.56.14.170 | 3.5.435.0 | 2019-09-23 03:21:26.883616 | 2019-09-24 03:15:28.642816 | t | Microsoft Windows 10 | | | 2346c7a2-a395-4dc4-bc5c-ea99fa488386 | 6 | 568b01b8-4497-decf-7f8c-671bbf8ad8cc

KSN/KPSN connection

/config/preprocessor.conf

From the collect script, you can only determine whether KATA is set up to receive verdicts from the cloud, and which sort of cloud it is: global KSN or private KPSN. Look for the [ksn] section in preprocessor.conf; it's pretty self-explanatory. Keep in mind that you have a tool which allows you to

[ksn]
enable=yes
#possible values of type are KSN or KPSN
type=KSN
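The checks described above (which preprocessor.conf integrations are enabled, KSN versus KPSN, and how many Endpoint Sensors aapt_info lists) can be automated. The script below is an added example and is not part of the original post or of the KATA collect script; the two sample texts in it are constructed in the shape of the files shown above. It goes slightly beyond the post by counting sensor rows on their UUID first column, which avoids the extra matches that a plain 'Microsoft Windows' grep picks up from the last-detections block.

```python
"""Summarise KATA collect-script output: enabled integrations in preprocessor.conf,
the KSN/KPSN mode, and the number of Endpoint Sensors listed in aapt_info.
Added example, not part of the original post; sample inputs are constructed."""
import configparser
import re
from collections import Counter

# Integration name -> preprocessor.conf section, as listed in the post.
INTEGRATION_SECTIONS = {"SPAN": "traffic", "SMTP": "smtp_proxy", "ICAP": "icap", "POP3": "pop3"}

# A sensor row starts with the agent UUID followed by '|'-separated columns; the OS is column 9.
AGENT_ROW = re.compile(r"^\s*[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\s*\|", re.IGNORECASE)
OS_COLUMN = 8

# Constructed sample in the shape of preprocessor.conf above (only SPAN enabled, KSN cloud).
SAMPLE_PREPROCESSOR_CONF = """\
[traffic]
enable=yes
network_interfaces=ens6f0,ens6f1
[ksn]
enable=yes
#possible values of type are KSN or KPSN
type=KSN
[icap]
enable=no
[pop3]
enable=no
[smtp_proxy]
enable=no
"""

# Constructed sample in the shape of aapt_info: two sensor rows plus a detection line
# that also mentions 'Microsoft Windows' but is not a sensor.
SAMPLE_AAPT_INFO = """\
Agent Status
11111111-2222-3333-4444-555555555551 | HOST-A.example.corp | 2019-09-24 08:41:51.579011 | 10.0.0.11 | 3.5.435.0 | 2019-09-23 03:21:26.883616 | 2019-09-24 03:15:28.642816 | t | Microsoft Windows 10 | | | 2346c7a2-a395-4dc4-bc5c-ea99fa488386 | 6 | 568b01b8-4497-decf-7f8c-671bbf8ad8cc
11111111-2222-3333-4444-555555555552 | HOST-B.example.corp | 2019-09-24 08:40:00.000000 | 10.0.0.12 | 3.5.435.0 | 2019-09-23 03:00:00.000000 | 2019-09-24 03:00:00.000000 | t | Microsoft Windows 7 | | | 2346c7a2-a395-4dc4-bc5c-ea99fa488386 | 6 | 568b01b8-4497-decf-7f8c-671bbf8ad8cc
Last detections
Microsoft Windows 10 | HOST-A.example.corp | eicar.com
"""


def load_conf(text):
    """preprocessor.conf uses '#' comments and '=' separators; interpolation is off so a
    '%' in a value cannot break parsing, and strict=False tolerates repeated keys."""
    parser = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                       interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def _enabled(conf, section):
    return conf.has_section(section) and conf.get(section, "enable", fallback="no").strip().lower() == "yes"


def enabled_integrations(conf_text):
    """Map SPAN/SMTP/ICAP/POP3 to True or False; a missing section counts as disabled."""
    conf = load_conf(conf_text)
    return {name: _enabled(conf, section) for name, section in INTEGRATION_SECTIONS.items()}


def ksn_mode(conf_text):
    """Return 'KSN' or 'KPSN' when cloud verdicts are enabled, otherwise None."""
    conf = load_conf(conf_text)
    return conf.get("ksn", "type", fallback="KSN").strip() if _enabled(conf, "ksn") else None


def count_agents(aapt_text):
    """Return (precise, approximate): rows whose first column is a UUID, versus the
    'Microsoft Windows' grep from the post, which also matches detection lines."""
    lines = aapt_text.splitlines()
    precise = sum(1 for line in lines if AGENT_ROW.match(line))
    approximate = sum(1 for line in lines if "Microsoft Windows" in line)
    return precise, approximate


def agents_by_os(aapt_text):
    """Histogram of the OS column over sensor rows only."""
    counts = Counter()
    for line in aapt_text.splitlines():
        if AGENT_ROW.match(line):
            columns = [c.strip() for c in line.split("|")]
            if len(columns) > OS_COLUMN:
                counts[columns[OS_COLUMN]] += 1
    return dict(counts)
```

On a real collect archive, read preprocessor.conf and aapt_info from disk and pass their contents to these functions; the difference between the two values from count_agents shows how many non-sensor lines the grep approach would have counted.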
23. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Description and cautions

The article shares working examples of using KSC API calls for one of the available scenarios: retrieving task results and statistics data for Dashboards and Reports.

For the Windows version of cURL, the double quotes inside arguments need to be escaped with "\", otherwise there will be an error. For example:

'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'

Details

Prerequisites

Internal user: api-user

Examples

KSC address: 127.0.0.1 (the address can also be external)
API port: 13299 (default)
User: api-user (internal KSC user), base64: YXBpLXVzZXI=
Password: password, base64: cGFzc3dvcmQ=

Credentials:

              User            Password
  Value:      api-user        password
  Base64:     YXBpLXVzZXI=    cGFzc3dvcmQ=

Authentication type: Authenticated session (other types: see the KSC Open API description).

All requests are in cURL format; as an alternative it is also possible to use the Python library (KlAkOAPI Python package).

Login

Start a connection to KSC (Session::StartSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
  --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

Username and password should be encoded in base64 format and are sent as part of a secure HTTPS session. For example, https://www.base64encode.org/ can be used for encoding.

Response:

{ "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" }

Policies changes alert \ Critical task status

Audit events available

Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2):

curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessingFactory.CreateEventProcessing2' \
  --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "pFilter": {
      "EVP_INCL_GNRL_EVENTS": true,
      "EVP_INCL_TASK_STATES": false,
      "EVP_MAX_EVENTS_COUNT": 3000,
      "KLEVP_EVENT_GNRL_TYPES_ARRAY": [
        "KLAUD_EV_SERVERCONNECT", "KLAUD_EV_OBJECTMODIFY", "KLAUD_EV_TASK_STATE_CHANGED",
        "KLAUD_EV_ADMGROUP_CHANGED", "KLAUD_EV_SERVERDISCONNECT", "KLAUD_EV_OBJECTPROPMODIFIED",
        "KLAUD_EV_OBJECTACLMODIFIED"
      ],
      "Name": "Audit events",
      "PredefinedID": "PREDEFINED_QUERY_ID_AUDIT_EVENTS"
    },
    "vecFieldsToReturn": [
      "event_db_id", "rise_time", "hostname", "hostdn", "event_type", "event_type_display_name",
      "GNRL_EA_DESCRIPTION", "group_id", "group_name", "product_name", "product_version",
      "product_displ_version", "GNRL_EA_SEVERITY", "GNRL_EA_PARAM_1", "GNRL_EA_PARAM_8",
      "task_display_name", "registration_time", "KLVSRV_DN", "KLEVP_EVENT_GROUP_TASK_ID", "GNRL_EA_PARAM_3"
    ],
    "vecFieldsToOrder": [],
    "lifetimeSec": 1000
  }'

Response (iterator ID):

{"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF"}

Get the records from the iterator (EventProcessing::GetRecordRange):

curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
  --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "strIteratorId":"A07B69A5347CF435DB66C0FA826371FF", "nStart": 0, "nEnd": 100 }'

Response (event data):

{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY" .....

Detection of threats

Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2):

curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessingFactory.CreateEventProcessing2' \
  --header 'X-KSC-Session: n/euPaWcHBCk5Oz76XFLsSg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "pFilter": { "KLEVP_EVENT_TYPE": "GNRL_EV_VIRUS_FOUND" },
    "vecFieldsToReturn": [
      "event_db_id", "rise_time", "hostname", "hostdn", "event_type", "event_type_display_name",
      "GNRL_EA_DESCRIPTION", "group_id", "group_name", "product_name", "product_version",
      "product_displ_version", "GNRL_EA_SEVERITY", "GNRL_EA_PARAM_1", "GNRL_EA_PARAM_8",
      "task_display_name", "registration_time", "KLVSRV_DN", "KLEVP_EVENT_GROUP_TASK_ID"
    ],
    "vecFieldsToOrder": [],
    "lifetimeSec": 1000
  }'

Response (iterator ID):

{"strIteratorId":"48E14F430EF0058BB039929318693123"}

Get the records from the iterator (EventProcessing::GetRecordRange):

curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
  --header 'X-KSC-Session: n/euPaWcHBCk5Oz76XFLsSg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "strIteratorId": "48E14F430EF0058BB039929318693123", "nStart": 0, "nEnd": 20 }'

Response (event data):

{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY" .....

Critical task status

Status of critical tasks: Backup of Administration Server data, Administration Server maintenance, Download updates to the Administration Server repository. For example: Backup of Administration Server data.

strTask: the task ID as shown when the task is opened in the web console, here 148 (for example: https://localhost:8080/#/management/tasks/148).

Acquire the task execution history events (Tasks::GetTaskHistory):

curl --location --request POST 'https://localhost:13299/api/v1.0/Tasks.GetTaskHistory' \
  --header 'X-KSC-Session: n/Uvfki+u+pAmb8jjMzVBzg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "pSortFields": [{"type":"params","value":{"Name":"rise_time","Asc":false}}],
    "pFields2Return": [ "hostdn", "group_name", "task_new_state", "KLVSRV_DN", "rise_time", "GNRL_EA_DESCRIPTION" ],
    "strHostName": "KSC",
    "pFilter": { "type": "params", "value": {} },
    "strTask": "103"
  }'

strHostName is the hostname of the Administration Server; strTask is the task ID from the web console.

Response (iterator ID):

{"strIteratorId":"2C356F1FA5B5875980950999AD036094"}

Get the records from the iterator (EventProcessing::GetRecordRange):

curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
  --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "strIteratorId": "2C356F1FA5B5875980950999AD036094", "nStart": 0, "nEnd": 20 }'

strIteratorId is taken from the previous response.

Response (task history):

{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY":[
{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:47:57Z"},"task_new_state":1}},
{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Invalid destination folder.","group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:03Z"},"task_new_state":3}},
{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:03Z"},"task_new_state":1}},
{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:02Z"},"task_new_state":32}},
{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:45:58Z"},"task_new_state":32}},
{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:45:58Z"},"task_new_state":1}},
{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-16T23:04:00Z"},"task_new_state":4}},
{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-14T23:04:00Z"},"task_new_state":4}}
]}}

Information at Reports

Enumerate all existing reports (ReportManager::EnumReports):

curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.EnumReports' \
  --header 'X-KSC-Session: nejYJnFLwJgs14KpxeH9UMA=='

Response (all reports):

{
  "PxgRetVal": [
    {
      "type": "params",
      "value": {
        "RPT_CREATED": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
        "RPT_DN": "Report on file operations on removable drives",
        "RPT_EXTRA_DATA": {
          "type": "params",
          "value": {
            "KLRPT_DONT_USE_SPACES_FOR_SLASHES": false,
            "KLRPT_EXPAND_PERIOD": true,
            "KLRPT_GLOBAL_SCOPE": false,
            "KLRPT_OWNER_SRV_INSTANCE": "e71217d1-4a96-462c-a56a-6112bdc5369b",
            "KLRPT_PROTECTION_INCLUDE_OK": false,
            "KLRPT_PROTECTION_INCLUDE_VM": true,
            "KLRPT_PROTECTION_INCLUDE_WARNING": true,
            "KLRPT_REPORT_ID": 27,
            "KLRPT_SLAVE_EXEC_TIMEOUT": 300,
            "KLRPT_SLAVE_REC_DEPTH": 1,
            "KLRPT_TEMPORAL": false
          }
        },
        "RPT_GROUP_ID": 0,
        "RPT_ID": 27,
        "RPT_MODIFIED": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
        "RPT_TYPE": 0
      }
    },
    ...

RPT_ID (also present as KLRPT_REPORT_ID) is the lReportId for the next command, ReportManager::ExecuteReportAsync.

USB Data transfer alert \ Report on file operations on removable drives available

Execute the report (ReportManager::ExecuteReportAsync):

curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.ExecuteReportAsync' \
  --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "lReportId": 27,
    "pOptions": {
      "KLRPT_OUTPUT_FORMAT": { "type": "params", "value": { "KLRPT_TARGET_TYPE": 2 } }
    }
  }'

Response (request ID):

{"strRequestId":"e54ff81b-bfe7-46bb-8f60-de1865bce47c"}

Check the status of the async action (AsyncActionStateChecker::CheckActionState):

curl --location --request POST 'https://localhost:13299/api/v1.0/AsyncActionStateChecker.CheckActionState' \
  --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"wstrActionGuid":"e54ff81b-bfe7-46bb-8f60-de1865bce47c"}'

Response (KLRPT_OUTPUT_FILE):

{"bFinalized":true,"bSuccededFinalized":true,"lStateCode":1,"pStateData":{"KLRPT_OUTPUT_FILE":"/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json","KLRPT_OUTPUT_FORMAT":{"type":"params","value":{"KLRPT_TARGET_TYPE":2}}},"lNextCheckDelay":0}

Get the data (GET):

curl --location --request GET 'https://localhost:13299/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json' \
  --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg=='

Response with the report data:

{"data":{"summary":{"heading":"Report on file operations on removable drives","subhead":"Report on file operations on removable drives","description":"This report provides information about file operations performed on removable drives. This report is generated for all groups.", ......

The same commands can be used for all reports: Server health status, Threat detection details from reports, Software vulnerability details from the Report on vulnerabilities, etc.

Information at Dashboard

KLRPT_DSH_TYPE: list of statistics dashboard types and attributes.

  KLRPT_DSH_TYPE      Meaning
  22                  Distribution of anti-virus bases versions on hosts (5 counters: actual, 1 day old, 3 days old, 7 days old, and more than 7 days old).
  56, 42, 14, 18, 19  Threat detection details (Critical, High, Medium): detection of threats - 56; prohibited applications - 42; most heavily infected devices - 14; most frequent threats - 18, 19.
  40                  Distribution of hosts with different vulnerability status (critical, high, warning, none).
  26                  License usage.
  8, 20               8 - Distribution of anti-virus protection states in time. 20 - Current state of anti-virus protection (number of hosts with the status Critical, Warning, and OK).

AV Definition Status

Send a request to obtain the required data (ReportManager::RequestStatisticsData):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/ReportManager.RequestStatisticsData' \
  --header 'X-KSC-Session: npczf1aapMkBcNOV9rhVgHA==' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "pRequestParams": {
      "KLPPT_DASHBOARD": {
        "type": "params",
        "value": {
          "AV-DB-2": {
            "type": "params",
            "value": { "KLRPT_DSH_TYPE": 22, "bIncludeVS": false, "id": 0 }
          }
        }
      }
    }
  }'

AV-DB-2 is the requested unique name (GUID) of the dashboard; 22 is the KLRPT_DSH_TYPE value from the table above.

Response (request ID):

{"strRequestId": "BA357813B44D88306228D8614B081C11"}

Get the result of the request (ReportManager::GetStatisticsData):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/ReportManager.GetStatisticsData' \
  --header 'X-KSC-Session: npczf1aapMkBcNOV9rhVgHA==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"strRequestId": "E71313D620483B40309EA81415C34005"}'

strRequestId is taken from the ReportManager.RequestStatisticsData response.

Response (statistics dashboard):

{"pResultData":{"KLPPT_DASHBOARD":{"type":"params","value":{"AV-DB-2":{"type":"params","value":{"KLRPT_DSH_TYPE":22,"bIncludeVS":false,"id":0,"nCount3Days":0,"nCount7Days":4,"nCountActual":1,"nCountDay":0,"nCountOld":1}}}}}}

Threat detection details (Critical, High, Medium)

Send a request to obtain the required data (ReportManager::RequestStatisticsData):

curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.RequestStatisticsData' \
  --header 'X-KSC-Session: nz3Z1sQYVGWmpOcuBbRfjGQ==' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "pRequestParams": {
      "KLPPT_DASHBOARD": {
        "type": "params",
        "value": {
          "threatsDetection-1": { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 56, "bIncludeVS": false, "id": 0 } },
          "prohibitedApps-1":   { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 42, "bIncludeVS": false, "id": 0 } },
          "infectedDevices-1":  { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 14, "bIncludeVS": false, "id": 0 } },
          "frequentThreats0":   { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 18, "bIncludeVS": false, "id": 0 } },
          "frequentThreats1":   { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 19, "bIncludeVS": false, "id": 0 } }
        }
      }
    }
  }'

The keys threatsDetection-1, prohibitedApps-1, infectedDevices-1, frequentThreats0 and frequentThreats1 are the requested unique names (GUIDs) of the dashboards.

Response (request ID):

{"strRequestId": "D988500C858EBAE332816C34E5588F7F"}

Get the result of the request (ReportManager::GetStatisticsData):

curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.GetStatisticsData' \
  --header 'X-KSC-Session: nz3Z1sQYVGWmpOcuBbRfjGQ==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"strRequestId": "D988500C858EBAE332816C34E5588F7F"}'

Response (statistics dashboard):

{"pResultData":{"KLPPT_DASHBOARD":{"type":"params","value":{
"frequentThreats01":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":28,"wstrName":"EICAR-Test-File"}},{"type":"params","value":{"nCount":28,"wstrName":"UDS:HackTool.Win32.CreDump.cr"}},{"type":"params","value":{"nCount":24,"wstrName":"UDS:Trojan.Win32.Generic"}},{"type":"params","value":{"nCount":19,"wstrName":"HEUR:Trojan-PSW.Win64.Mimikatz.gen"}},{"type":"params","value":{"nCount":15,"wstrName":"Trojan-PSW.Win32.Mimikatz.gen"}},{"type":"params","value":{"nCount":5,"wstrName":"HEUR:Trojan-PSW.Win64.Convagent.gen"}},{"type":"params","value":{"nCount":2,"wstrName":"UDS:Trojan.Win32.Agent.xadwev"}},{"type":"params","value":{"nCount":1,"wstrName":"Trojan.Multi.GenAutorunProc.a"}},{"type":"params","value":{"nCount":1,"wstrName":"http://bug.qainfo.ru/test/wmuf_w/"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":18,"bIncludeVS":false,"id":0}},
"frequentThreats12":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":27,"wstrName":"UDS:HackTool.Win32.CreDump.cr"}},{"type":"params","value":{"nCount":22,"wstrName":"UDS:Trojan.Win32.Generic"}},{"type":"params","value":{"nCount":9,"wstrName":"EICAR-Test-File"}},{"type":"params","value":{"nCount":4,"wstrName":"HEUR:Trojan-PSW.Win64.Mimikatz.gen"}},{"type":"params","value":{"nCount":3,"wstrName":"Trojan-PSW.Win32.Mimikatz.gen"}},{"type":"params","value":{"nCount":1,"wstrName":"HEUR:Trojan-PSW.Win64.Convagent.gen"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":19,"bIncludeVS":false,"id":0}},
"infectedDevices-2":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":114,"wstrInternalName":"1ccdd245-2850-424a-9f63-a35b115cbced","wstrName":"WIN10-KES-EDR"}},{"type":"params","value":{"nCount":7,"wstrInternalName":"3e043993-8332-4e1c-958e-a750cd3d0c7c","wstrName":"KHRAMEEV-WIN10"}},{"type":"params","value":{"nCount":2,"wstrInternalName":"c160e768-ba47-47e7-a905-d7c3d39b74d4","wstrName":"khrameev-ub19"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":14,"bIncludeVS":false,"id":0}},
"prohibitedApps-2":{"type":"params","value":{"DSHT_DATA":[],"KLPPT_StatPeriodInSec":2592000,"KLRPT_DSH_TYPE":42,"bIncludeVS":false,"id":0}},
"threatsDetection-2":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":67,"nType":1,"wstrName":"File Threat Protection"}},{"type":"params","value":{"nCount":45,"nType":10,"wstrName":"Scan task"}},{"type":"params","value":{"nCount":9,"nType":3,"wstrName":"Web Threat Protection"}},{"type":"params","value":{"nCount":2,"nType":6,"wstrName":"Host Intrusion Prevention"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:28Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:28Z"},"KLRPT_DSH_TYPE":56,"bIncludeVS":false,"id":0}}
}}}}

End the session to KSC (Session::EndSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='

X-KSC-Session is the PxgRetVal value from Session.StartSession.
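The call sequence of this article (Session.StartSession, an event-processing iterator drained with GetRecordRange, and an asynchronous report polled through AsyncActionStateChecker) maps onto a small client. The code below is an added example written on the Python standard library; it is neither the article's code nor the KlAkOAPI package, and the URLs, tokens and event records fed to it in demo() are constructed in the shape of the responses shown above. The same session class and polling loop apply to other asynchronous KSC calls, including the virtual-server package retranslation covered in the next post (the optional vserver argument adds the X-KSC-VServer header used there).

```python
"""Minimal KSC Open API client for the sequences above (session, event-iterator paging,
asynchronous report execution). Added example on the standard library only; it is
neither the article's code nor the KlAkOAPI package."""
import base64, json, ssl, time, urllib.request
from collections import Counter

API_PREFIX = "/api/v1.0/"

def https_transport(base_url, ca_file=None):
    """send(method, path, headers, body) for a real server. Certificate verification stays
    on (give the KSC certificate via ca_file): the X-KSC-Session value is a bearer credential."""
    ctx = ssl.create_default_context(cafile=ca_file)
    def send(method, path, headers, body):
        req = urllib.request.Request(base_url + path, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return send

class KscSession:
    """Session.StartSession on construction; every later call carries X-KSC-Session."""
    def __init__(self, send, user, password, vserver=None):
        b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
        self._send = send
        headers = {"Authorization": f'KSCBasic user="{b64(user)}", pass="{b64(password)}", internal="1"'}
        if vserver:  # virtual-server login: X-KSC-VServer carries the base64 KLVSRV_DN
            headers["X-KSC-VServer"] = b64(vserver)
        self.token = send("POST", API_PREFIX + "Session.StartSession", headers, None)["PxgRetVal"]

    def call(self, method, params=None):
        headers, body = {"X-KSC-Session": self.token}, None
        if params is not None:
            headers["Content-Type"], body = "application/json", json.dumps(params).encode("utf-8")
        return self._send("POST", API_PREFIX + method, headers, body)

    def get_file(self, path):  # GET a result file such as KLRPT_OUTPUT_FILE (/KLRT/<id>.json)
        return self._send("GET", path, {"X-KSC-Session": self.token}, None)

    def close(self):
        self.call("Session.EndSession")

def iter_events(session, event_filter, fields, page_size=100, lifetime_sec=1000):
    """CreateEventProcessing2, then GetRecordRange pages until a short page arrives."""
    iterator_id = session.call("EventProcessingFactory.CreateEventProcessing2", {
        "pFilter": event_filter, "vecFieldsToReturn": fields,
        "vecFieldsToOrder": [], "lifetimeSec": lifetime_sec})["strIteratorId"]
    start = 0
    while True:
        page = session.call("EventProcessing.GetRecordRange",
                            {"strIteratorId": iterator_id, "nStart": start, "nEnd": start + page_size})
        records = page.get("pParamsEvents", {}).get("KLEVP_EVENT_RANGE_ARRAY", [])
        yield from (rec["value"] for rec in records)
        if len(records) < page_size:
            return
        start += page_size

def wait_async(session, action_guid, max_polls=120):
    """Poll CheckActionState until bFinalized; raise unless bSuccededFinalized is set."""
    for _ in range(max_polls):
        state = session.call("AsyncActionStateChecker.CheckActionState", {"wstrActionGuid": action_guid})
        if state.get("bFinalized"):
            if not state.get("bSuccededFinalized"):
                raise RuntimeError(f"async action {action_guid} failed: {state}")
            return state.get("pStateData", {})
        delay_ms = state.get("lNextCheckDelay", 0)  # assumed to be milliseconds
        time.sleep(delay_ms / 1000 if delay_ms else 1)
    raise TimeoutError(f"async action {action_guid} did not finish")

def run_report(session, report_id):
    """ExecuteReportAsync with JSON output (KLRPT_TARGET_TYPE 2), poll, then fetch the file."""
    request = session.call("ReportManager.ExecuteReportAsync", {"lReportId": report_id, "pOptions": {
        "KLRPT_OUTPUT_FORMAT": {"type": "params", "value": {"KLRPT_TARGET_TYPE": 2}}}})
    return session.get_file(wait_async(session, request["strRequestId"])["KLRPT_OUTPUT_FILE"])

def canned_transport(responses):
    """Offline stand-in for https_transport: constructed replies per path, served in order."""
    log = []
    def send(method, path, headers, body):
        log.append((method, path, headers, body))
        queue = responses[path]
        return queue.pop(0) if len(queue) > 1 else queue[0]
    send.log = log
    return send

def demo():
    """Detections per host plus one report run, against constructed responses shaped like the article's."""
    api, out = API_PREFIX, "/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json"
    responses = {
        api + "Session.StartSession": [{"PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A=="}],
        api + "EventProcessingFactory.CreateEventProcessing2": [{"strIteratorId": "48E14F430EF0058BB039929318693123"}],
        api + "EventProcessing.GetRecordRange": [{"pParamsEvents": {"KLEVP_EVENT_RANGE_ARRAY": [
            {"type": "params", "value": {"hostdn": "WIN10-KES-EDR", "GNRL_EA_DESCRIPTION": "EICAR-Test-File"}},
            {"type": "params", "value": {"hostdn": "WIN10-KES-EDR", "GNRL_EA_DESCRIPTION": "UDS:Trojan.Win32.Generic"}},
            {"type": "params", "value": {"hostdn": "KHRAMEEV-WIN10", "GNRL_EA_DESCRIPTION": "EICAR-Test-File"}}]}}],
        api + "ReportManager.ExecuteReportAsync": [{"strRequestId": "e54ff81b-bfe7-46bb-8f60-de1865bce47c"}],
        api + "AsyncActionStateChecker.CheckActionState": [{"bFinalized": False, "lNextCheckDelay": 10},
            {"bFinalized": True, "bSuccededFinalized": True, "lStateCode": 1, "lNextCheckDelay": 0,
             "pStateData": {"KLRPT_OUTPUT_FILE": out}}],
        out: [{"data": {"summary": {"heading": "Report on file operations on removable drives"}}}],
        api + "Session.EndSession": [{}],
    }
    send = canned_transport(responses)
    session = KscSession(send, "api-user", "password")
    events = list(iter_events(session, {"KLEVP_EVENT_TYPE": "GNRL_EV_VIRUS_FOUND"}, ["hostdn", "GNRL_EA_DESCRIPTION"]))
    report = run_report(session, 27)
    session.close()
    return {"token": session.token, "auth": send.log[0][2]["Authorization"],
            "per_host": dict(Counter(e["hostdn"] for e in events)), "report": report,
            "calls": [path for _, path, _, _ in send.log]}
```

Against a real server, replace canned_transport with https_transport("https://127.0.0.1:13299", ca_file="<exported KSC certificate>") and keep the session short-lived: the token returned by Session.StartSession authorises every call until Session.EndSession, so it should be treated like the password it was derived from and never written to logs.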
24. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Description and cautions

The article shares working examples of using KSC API calls for one of the available scenarios: publishing the Administration Agent package on a KSC virtual server.

For the Windows version of cURL, the double quotes inside arguments need to be escaped with "\", otherwise there will be an error. For example:

'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'

Details

Prerequisites

Make sure you have the Kaspersky Administration Agent available in installation packages.
Make sure you have an internal api-user with permissions for Kaspersky Security Center (main and virtual Kaspersky Security Center).

Example

KSC address: 127.0.0.1 (the address can also be external and used over the network)
API port: 13299 (default port of the KSC API)
User: api-user (internal user with Kaspersky Security Center rights for KSC and vKSC), base64: YXBpLXVzZXI=
Password: password, base64: cGFzc3dvcmQ=
Authentication type: Authenticated session (other types: see the KSC Open API description)
vKSC name: vksc2, base64: dmtzYzI=

Requests are described in cURL format; it is also possible to use the Python library (KlAkOAPI Python package).

Session start for connecting to the KSC (Session::StartSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
  --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

User and password are transmitted base64-encoded within a secure HTTPS session.

Response:

{ "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" }

Sending a request to the KSC server for the list of packages (PackagesApi::GetPackages2):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.GetPackages2' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='

X-KSC-Session is the PxgRetVal value from Session.StartSession.

Retrieving the list of packages; the KLPKG_NPI_PKGID of the Network Agent package is needed to transmit the package to the vKSC.

Response:

{
  "PxgRetVal": [
    {...},
    {
      "type": "params",
      "value": {
        "KLPKG_NPI_AV_BASES_UPDATE_TIME": { "type": "datetime", "value": "" },
        "KLPKG_NPI_AV_BASES_UPD_SUPPORTED": false,
        "KLPKG_NPI_CREATION_TIME": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
        "KLPKG_NPI_EXTRA_DATA": {
          "type": "params",
          "value": {
            "KLPGG_VAPM_DISTRIB_GLBID": { "type": "long", "value": 0 },
            "KLPKG_EULA_UID": { "type": "binary", "value": "fPTQzfMWVvVPG7bFasjoJw==" },
            "KLPKG_FORMAT": 2,
            "KLPKG_IS_MSI": true,
            "KLPKG_LANG_TAG": "en",
            "KLPKG_PARENT_ID": 0,
            "KLPKG_PKG_MAN": 0,
            "KLPKG_PLATFORM": 2,
            "KLPKG_PRD_TYPE": 1,
            "KLPKG_TYPE": 1,
            "bPkgPrereqAllowed": true,
            "nPatchGlbId": { "type": "long", "value": 0 },
            "nPatchLcid": 0
          }
        },
        "KLPKG_NPI_MODIF_TIME": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
        "KLPKG_NPI_NAME": "Kaspersky Security Center 13 Network Agent (13.0.0.11247)",
        "KLPKG_NPI_PACKAGE_PATH": "\\\\KSC\\KLSHARE\\Packages\\NetAgent_13.0.0.11247",
        "KLPKG_NPI_PKGID": 3,
        "KLPKG_NPI_PRODUCT_DISPL_NAME": "Kaspersky Security Center 13 Network Agent",
        "KLPKG_NPI_PRODUCT_DISPL_VERSION": "13.0.0.11247",
        "KLPKG_NPI_PRODUCT_NAME": "1103",
        "KLPKG_NPI_PRODUCT_VERSION": "1.0.0.0",
        "KLPKG_NPI_SIZE": { "type": "long", "value": 70113813 },
        "KLPKG_NPI_SS_DESCR": "NetAgent_13.0.0.11247\\exec\\ss_install.xml|3"
      }
    },
    {...}
  ]
}

Sending a request for the vKSC list (VServers::GetVServers):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/VServers.GetVServers' \
  --header 'Content-Type: application/json' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --data-raw '{ "lParentGroup": -1 }'

X-KSC-Session is the PxgRetVal value from Session.StartSession. The response gives KLVSRV_DN and KLVSRV_ID.

Response:

{
  "PxgRetVal": [
    {...},
    {
      "type": "params",
      "value": {
        "KLVSRV_CREATED": { "type": "datetime", "value": "2021-11-23T11:48:53Z" },
        "KLVSRV_DN": "vksc2",
        "KLVSRV_ENABLED": true,
        "KLVSRV_GROUPS": 29,
        "KLVSRV_GRP": 0,
        "KLVSRV_HST_UID": "VSRV64c559dc-17e1-459d-b9d5-4c26ec35d426",
        "KLVSRV_ID": 3,
        "KLVSRV_LIC_ENABLED": true,
        "KLVSRV_NEW_HOSTS_PROHIBITED": false,
        "KLVSRV_SUPER": 28,
        "KLVSRV_TOO_MUCH_HOSTS": false,
        "KLVSRV_UID": "VSRV64c559dc-17e1-459d-b9d5-4c26ec35d426",
        "KLVSRV_UNASSIGNED": 32
      }
    },
    {...}
  ]
}

Asynchronous request to transfer the Administration Agent installation package to the vKSC and create a standalone package (PackagesApi::RetranslateToVServerAsync):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.RetranslateToVServerAsync' \
  --header 'Content-Type: application/json' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --data-raw '{
    "nPackageId": 3,
    "nVServerId": 3,
    "pOptions": {
      "KLPKG_CREATE_STANDALONE_PRODS": false,
      "KLPKG_CREATE_STANDALONE_NAGT": true,
      "KLPKG_USE_LANGUAGE_TAG": "en",
      "KLPKG_TYPE": 1,
      "KLPKG_LAZY_RETRANSLATION": false
    }
  }'

X-KSC-Session is the PxgRetVal value from Session.StartSession; nPackageId is KLPKG_NPI_PKGID from PackagesApi.GetPackages2; nVServerId is KLVSRV_ID from VServers.GetVServers; KLPKG_USE_LANGUAGE_TAG is KLPKG_LANG_TAG from PackagesApi.GetPackages2.

The response gives the asynchronous task ID:

{ "PxgRetVal": "C51B622B891CB03B7229A3CD9407B6AD" }

Checking the status of the task (AsyncActionStateChecker::CheckActionState):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/AsyncActionStateChecker.CheckActionState' \
  --header 'Content-Type: application/json' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --data-raw '{ "wstrActionGuid": "C51B622B891CB03B7229A3CD9407B6AD" }'

X-KSC-Session is the PxgRetVal value from Session.StartSession; wstrActionGuid is the PxgRetVal value from PackagesApi.RetranslateToVServerAsync.

The response shows completion ("bFinalized": true) and successful execution ("bSuccededFinalized": true):

{
  "bFinalized": true,
  "bSuccededFinalized": true,
  "lStateCode": 1,
  "pStateData": { "KLPKG_EP_EXECID": 11, "KLPKG_EP_FILESIZE": 0 },
  "lNextCheckDelay": 0
}

Ending the session to KSC (Session::EndSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='

X-KSC-Session is the PxgRetVal value from Session.StartSession.

Starting a session to connect to the virtual KSC (Session::StartSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
  --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"' \
  --header 'X-KSC-VServer: dmtzYzI='

The user can belong to the vKSC or to the main KSC (user account rights for Kaspersky Security Center should additionally be configured in the vKSC). The user name and password are transferred base64-encoded as part of a secure HTTPS session. X-KSC-VServer is the vKSC name (KLVSRV_DN from VServers.GetVServers) in base64.

Response:

{ "PxgRetVal": "nz1/AOfHq6cdf986vTvNV7Q==" }

Obtaining the list of standalone installation packages from the virtual server (PackagesApi::GetExecutablePackages):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.GetExecutablePackages' \
  --header 'X-KSC-Session: nz1/AOfHq6cdf986vTvNV7Q==' \
  --header 'Content-Type: application/json'

X-KSC-Session is the PxgRetVal value from the vKSC Session.StartSession. The response gives KLPKG_WebURL.

Response:

{
  "PxgRetVal": {
    "KLPKG_evpExecs": [
      {...},
      {
        "type": "params",
        "value": {
          "KLPKG_CreationDate": { "type": "datetime", "value": "2021-11-24T12:07:23Z" },
          "KLPKG_EP_SHA256": "",
          "KLPKG_IsPublished": true,
          "KLPKG_IsVirtual": true,
          "KLPKG_LicenseSerialNum": "",
          "KLPKG_ModificationDate": { "type": "datetime", "value": "2021-11-24T12:07:23Z" },
          "KLPKG_NAME": "",
          "KLPKG_NagentDisplayVersion": "13.0.0.11247",
          "KLPKG_NagentPkgId": 28,
          "KLPKG_NagentPkgName": "Kaspersky Security Center 13 Network Agent (13.0.0.11247)",
          "KLPKG_ProdDisplayName": "",
          "KLPKG_TargetGroup": "Managed devices",
          "KLPKG_TargetGroupId": 29,
          "KLPKG_WebURL": "http://ksc.test.lab:8060/dlpkg?id=12712942",
          "KLPKG_evpAddPkgId": 28,
          "KLPKG_evpExecPkgId": 10,
          "KLPKG_evpPkgId": 28,
          "KLPKG_evpPkgPath": "",
          "KLPKG_evpPkgSize": 0
        }
      },
      {...}
    ]
  }
}

The standalone Network Agent installation package is available at KLPKG_WebURL for KLPKG_NagentPkgName.

Session end for the vKSC (Session::EndSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
  --header 'X-KSC-Session: nz1/AOfHq6cdf986vTvNV7Q=='

X-KSC-Session is the PxgRetVal value from the vKSC Session.StartSession.
  25. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Description and cautions The article shares working example of using KSC API calls for one of the available scenarios - retrieving events, HW and/or SW inventory data. For the Windows version of cURL, you need to specify that the arguments need to be escaped with "\", otherwise there will be an error. For example: 'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"' Details Prerequisites internal user: api-user Examples: KSC address - 127.0.0.1 (the address can also be external) API Port - 13299 (default) User: api-user (intrental KSC user), base64: YXBpLXVzZXI= Password: password, base64: cGFzc3dvcmQ= Credentials: User Password api-user password Base64: YXBpLXVzZXI= cGFzc3dvcmQ= Authentication, type: Authenticated session, other types: KSC Open API description All requests are in cUrl format, as an alternative it is also possible to use Python library (KlAkOAPI Python package) Login Start connection to KSC (Session::StartSession ) Session::StartSession curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \ --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"' Username and password should be encoded to base64 format as part of a secure HTTPS session. For example, https://www.base64encode.org/ can be used for encoding. Response { "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" } Use below token in request header Find Host Find host by filter string (HostGroup::FindHosts) Filter string contains a condition over host attributes, see also Search filter syntax. 
We use "KLHST_WKS_DN" - Host display name HostGroup::FindHosts curl --location --request POST "https://127.0.0.1:13299/api/v1.0/HostGroup.FindHosts" --header "X-KSC-Session: nqepy9ZpZZ/2tiWXhil5cBg==" --header "Content-Type: application/json" --data-raw "{ \"vecFieldsToReturn\":[\"KLHST_WKS_HOSTNAME\",\"KLHST_WKS_DN\",\"KLHST_WKS_IP_LONG\",\"KLHST_WKS_PRODUCT_TAG_NAME\",\"KLHST_WKS_RTP_AV_VERSION\",\"KLHST_WKS_NAG_VERSION\",\"KLHST_WKS_LAST_UPDATE\",\"KLHST_WKS_LAST_UPDATE\",\"KLHST_WKS_VIRUS_COUNT\"], \"lMaxLifeTime\":1200, \"wstrFilter\":\"(KLHST_WKS_DN=\\"WIN10-OPTIMUM-1\\")\" #"KLHST_WKS_DN" - Host display name }" Response ID Response {"strAccessor":"ppYeO5rmkvKcMUm8vQzOK2","PxgRetVal":1} Copy Accessor for next request (ChunkAccessor::GetItemsChunk ) ChunkAccessor::GetItemsChunk curl -L -X POST "https://127.0.0.1:13299/api/v1.0/ChunkAccessor.GetItemsChunk" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"strAccessor\":\"fb07haDqXIKZbQzyDsMwx1\", \"nStart\": 0, \"nCount\": 100 }" Response info about host: Response {"pChunk":{"KLCSP_ITERATOR_ARRAY":[{"type":"params","value":{"KLHST_WKS_DN":"WIN10-OPTIMUM-1","KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","KLHST_WKS_IP_LONG":{"type":"long","value":172250504},"KLHST_WKS_LAST_UPDATE":{"type":"datetime","value":"2022-02-17T13:00:01Z"},"KLHST_WKS_NAG_VERSION":"13.2.0.1511","KLHST_WKS_RTP_AV_VERSION":"11.7.0.669","KLHST_WKS_VIRUS_COUNT":{"type":"long","value":9}}}]},"PxgRetVal":1} Copy value "KLHST_WKS_HOSTNAME" for user in the next request Hardware Inventory SrvView Find srvview data by filter string (SrvView::ResetIterator) "wstrViewName" - see List of supported srvviews. 
"vecFieldsToReturn" - see https://support.kaspersky.com/help/KSC/13.1/KSCAPI/a00307.html "wstrFilter":"(KLHST_WKS_HOSTNAME=\"c0816918-fbc5-4fbc-8fed-6f245756120e\")" SrvView::ResetIterator curl -L -X POST "https://127.0.0.1:13299/api/v1.0/SrvView.ResetIterator" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"wstrViewName\":\"HWInvPCSrvViewName\", \"vecFieldsToReturn\":[\"KLHST_WKS_HOSTNAME\",\"dev_id\",\"RamType\",\"dev_type\"], \"vecFieldsToOrder\":[{\"type\":\"params\",\"value\":{\"Name\":\"dev_id\",\"Asc\":\"true\"}}], \"lifetimeSec\":100, \"pParams\":{\"TOP_N\":\"yes\",\"USE_DISTINCT\":\"true\"}, \"wstrFilter\":\"(KLHST_WKS_HOSTNAME=\\"c0816918-fbc5-4fbc-8fed-6f245756120e\\")\" # KLHST_WKS_HOSTNAME from the previous request }" Response ID Response {"wstrIteratorId":"466579A79FA755D69B94EC60A5B04744"} GetRecordRange from Response data (SrvView.GetRecordRange ) SrvView.GetRecordRange curl -L -X POST "https://127.0.0.1:13299/api/v1.0/SrvView.GetRecordRange" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"wstrIteratorId\":\"50054D2A2D7A93DCEBFA3BE6F7E21D5E\", \"nStart\": 0, \"nEnd\": 100 }" Response info about hardware with specific filter: Response 
{"pRecords":{"KLCSP_ITERATOR_ARRAY":[{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"ABE3CC21B521C704DA4FC63BD5698F71","dev_type":1}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\1&1F0C3C2F&0&UID256","dev_type":7}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\4&31BE19FA&0&UID0","dev_type":7}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E05564F28A7EBE312D1326FD0D1A8479","dev_type":1}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E69E8830E7D33F96BF1E21996A7D73CA","dev_type":0}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&18D45AA6&0&78","dev_type":4}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_8086&DEV_10D3&SUBSYS_07D015AD&REV_00\\005056FFFF87CC6600","dev_type":6}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"Physical Memory 0","dev_type":2}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\\5&A629540&0&000000","dev_type":8}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\\5&1982005&0&000000","dev_type":3}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0002","dev_type":4}}]}} Software Inventory Acquire software applications which are installed on specified host. 
(InventoryApi::GetHostInvProducts)

"szwHostId" - KLHST_WKS_HOSTNAME from the previous request

InventoryApi::GetHostInvProducts

curl -L -X POST "https://127.0.0.1:13299/api/v1.0/InventoryApi.GetHostInvProducts" \
  -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" \
  -H "Content-Type: application/json" \
  --data-raw '{
    "szwHostId":"c0816918-fbc5-4fbc-8fed-6f245756120e",
    "pParams":{"KLEVP_EA_PARAM_1":""}
  }'

Response (installed software):

{"PxgRetVal":{"GNRL_EA_PARAM_1":[{"type":"params","value":{"ARPRegKey":"{F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","CleanerProductName":"","Comments":"","DisplayName":"Kaspersky Endpoint Security for Windows","DisplayVersion":"11.7.0.669","HelpLink":"https://click.kaspersky.com/?hl=en&link=support&pid=kes&version=21.4.20.669","HelpTelephone":"","InstallDate":"20211002","InstallDir":"C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\\","InstanceID":{"type":"binary","value":"AA=="},"LangId":1033,"PackageCode":"","ProductID":"4E8A2680B3C78565814848DB5ED35C83","Publisher":"AO Kaspersky Lab","QuietUninstallString":"msiexec.exe /X {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16} /quiet /norestart","UninstallString":"msiexec.exe /x {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","VapmBuild":{"type":"long","value":0},"bIsMsi":true}},{"type":"params","value":{"ARPRegKey":"{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}","CleanerProductName":"","Comments":"","DisplayName":"Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.20.27508","DisplayVersion":"14.20.27508.1","HelpLink":"","HelpTelephone":"","InstallDate":"20210512","InstallDir":"","InstanceID":{"type":"binary","value":"AA=="},"LangId":0,"PackageCode":"","ProductID":"2E30B54FFAFE11F6DEDB0A31EA8CD6D1","Publisher":"Microsoft Corporation","QuietUninstallString":"\"C:\\ProgramData\\Package Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall /quiet","UninstallString":"\"C:\\ProgramData\\Package Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall","VapmBuild":{"type":"long","value":0},"bIsMsi":false}}, .......

Tasks Operations

strTask - the task ID, visible when the task is opened in the Web Console, e.g. 1326 (for example: https://localhost:8080/#/management/tasks/148)

Get Task

Acquire the attributes of the specified task (Tasks::GetTask).

Response:

{"PxgRetVal":{"DisplayName":"KEA - Isolation ON","PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-10T13:57:34Z"},"TASKID_PRODUCT_NAME":"1093","TASKID_VERSION":"1.0.0.0","TASK_NAME":"Remote Installation","TASK_UNIQUE_ID":"1326"}}

Run task

Run the remote installation task, i.e. start the specified task (Tasks::RunTask).

curl -L -X POST "https://127.0.0.1:13299/api/v1.0/Tasks.RunTask" \
  -H "X-KSC-Session: nGPT3zYhYOveOJ9qnbRAjpQ==" \
  -H "Content-Type: application/json" \
  --data-raw '{
    "strTask":"1326"
  }'

strTask - the task ID from the KSC Web Console.

Update Task

Get Data Task

Acquire the task settings (Tasks::GetTaskData).

curl -L -X POST "https://localhost:13299/api/v1.0/Tasks.GetTaskData" \
  -H "X-KSC-Session: nGPT3zYhYOveOJ9qnbRAjpQ==" \
  -H "Content-Type: application/json" \
  --data-raw '{
    "strTask":"1326"
  }'

The response contains all task parameters; some of them must be sent back in the next request.

Modify task settings.
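The step between Tasks.GetTaskData and Tasks.UpdateTask is to take the pData object that GetTaskData returned, change only the HostList inside TASK_INFO_PARAMS, and send everything else back untouched. The following Python is an added example, not code from this post or from Kaspersky; it assumes only the pData layout shown on this page (TASK_INFO_PARAMS is a {"type":"params"} container whose value holds HostList, a list of {"type":"params"} entries with HostDispName, HostName and Preliminary), and the sample task data is a constructed, trimmed copy of the UpdateTask body below.

```python
"""Replace HostList in task data returned by Tasks.GetTaskData.

Added example (not the post's or Kaspersky's code). Layout follows the
UpdateTask request on this page; SAMPLE_PDATA is constructed.
"""
import copy
import re
from typing import Any, Dict, Iterable, List, Tuple

# Assumption: host ids (HostName) are GUIDs, as every example on this page shows.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def host_entry(display_name: str, host_id: str) -> Dict[str, Any]:
    """One HostList element in the form the page shows."""
    if not _GUID_RE.match(host_id):
        raise ValueError(f"not a KSC host id: {host_id!r}")
    return {"type": "params",
            "value": {"HostDispName": display_name, "HostName": host_id, "Preliminary": False}}


def with_hosts(pdata: Dict[str, Any], hosts: Iterable[Tuple[str, str]]) -> Dict[str, Any]:
    """Return a copy of pData in which only HostList is replaced.

    Everything else GetTaskData returned (package ids, schedule, accounts,
    event notification settings) is passed back unchanged, exactly as the
    UpdateTask request on this page does. The input dict is not modified.
    """
    new_hosts = [host_entry(name, hid) for name, hid in hosts]
    if not new_hosts:
        raise ValueError("refusing to save a remote installation task with an empty HostList")
    updated = copy.deepcopy(pdata)
    updated["TASK_INFO_PARAMS"]["value"]["HostList"] = new_hosts
    return updated


def update_task_body(task_id: str, pdata: Dict[str, Any]) -> Dict[str, Any]:
    """Request body for Tasks.UpdateTask."""
    return {"strTask": task_id, "pData": pdata}


def hosts_in(pdata: Dict[str, Any]) -> List[str]:
    """Host ids currently targeted by the task; worth reviewing before Tasks.RunTask."""
    return [h["value"]["HostName"] for h in pdata["TASK_INFO_PARAMS"]["value"]["HostList"]]


# Constructed sample: a trimmed version of the GetTaskData result for task 1338.
SAMPLE_PDATA = {
    "TASKID_COMPONENT_NAME": "87",
    "TASKID_PRODUCT_NAME": "1093",
    "TASKID_VERSION": "1.0.0.0",
    "TASK_NAME": "Remote Installation",
    "TASKSCH_TYPE": 0,
    "TASK_ADDITIONAL_PARAMS": {"type": "params", "value": {
        "KLTSK_RI_PACKAGES_IDS": [65], "KLTSK_RI_USE_NAGENT": True, "MaxTryCount": 3}},
    "PRTS_TASK_GROUPID": -1,
    "TASK_INFO_PARAMS": {"type": "params", "value": {
        "DisplayName": "KEA - Isolation ON for specific host",
        "HostList": [{"type": "params", "value": {
            "HostDispName": "WIN10-KES-11OLD",
            "HostName": "6294f978-292d-4b5f-aa57-bb429147687b", "Preliminary": False}}],
        "KLSRV_PRTS_TASK_ENABLED_FLAG": True}},
}

if __name__ == "__main__":
    body = update_task_body("1338", with_hosts(
        SAMPLE_PDATA, [("ATM-01", "ba973373-8120-47a0-9989-686cba2430af")]))
    print(hosts_in(body["pData"]))
```

Refusing an empty HostList is a deliberate choice: a remote installation task saved with no targets is easy to overlook and later re-target, so the helper fails loudly instead.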
Tasks::UpdateTask

Update Task

POST /api/v1.0/Tasks.UpdateTask HTTP/1.1
Host: localhost:13299
X-KSC-Session: n8quj71CtoWbYijcBHY6FvA==
Content-Type: application/json
Content-Length: 3477

{
  "strTask":"1338",
  "pData":{
    "TASKID_COMPONENT_NAME":"87",
    "TASKID_PRODUCT_NAME":"1093",
    "TASKID_VERSION":"1.0.0.0",
    "TASK_NAME":"Remote Installation",
    "TASKSCH_TYPE":0,
    "TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"KLNAG_TASK_REMOTE_INSTALL_ACCOUNT":"","KLNAG_TASK_REMOTE_INSTALL_ACCOUNT_PSWD":{"type":"binary","value":""},"KLSRV_COUPLED_NAGT_TSID":"9066e3c9-c709-434f-9196-88dcf4c70c23","KLTSK_RI_CHECK_OS":true,"KLTSK_RI_GROUP_TO_MOVE_HOST":-1,"KLTSK_RI_MAX_DOWNLOADS":5,"KLTSK_RI_MGD_BY_OTHER_SERVER":0,"KLTSK_RI_PACKAGES_GUIDS":["e71217d1-4a96-462c-a56a-6112bdc5369b:65"],"KLTSK_RI_PACKAGES_IDS":[65],"KLTSK_RI_ROOT":{"type":"binary","value":""},"KLTSK_RI_SKIP_PRESENT_PRODS":true,"KLTSK_RI_TMP_FOLDER":"","KLTSK_RI_USE_NAGENT":true,"KLTSK_RI_USE_SHARE":true,"KLTSK_RI_USE_SHARE_SRV":true,"KLTSK_RI_USE_SHARE_UA":false,"MaxTryCount":3,"UseGPO":false,"klprts-TaskAccountUser":"","klprts-TaskAccounts":[],"klprts-TaskMaxRunningTime":7200000,"klprts-TaskStorageId":"dd64d20d-c529-4d47-a854-38c1c2c77a77"}},
    "PRTS_TASK_GROUPID":-1,
    ".HstQueryId":0,
    "TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"KEA - Isolation ON for specific host","HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}],"KLEVP_NOTIFICATION_DESCR_ID":"9b84b28a-e47b-4120-8147-bb67fef681ea","KLPRSS_EVPNotifications":{"type":"params","value":{"ERR":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"INF":[{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":2}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLEVP_GroupTaskSyncState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":4}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":1}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"WRN":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}]}},"KLSRV_PRTS_TASK_ENABLED_FLAG":true,"KLTSK_ALLOW_AUTO_RANDOMIZATION":true,"PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-15T11:40:43Z"},"PRTS_TASK_GROUPID":-1,"PRTS_TASK_TARGET_COMPUTERS_TYPE":0,"klprts-DontApplyToSlaveServers":true,"klprts-TaskMaxRunningTime":7200000,"klprts-TaskScheduleSubtype":256,"klprts-TaskScheduleSubtypeEx":0}}
  }
}

Change the values in HostList to the specific host(s). For example:

"HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}]

{
  "strTask":"1338",
  "pData":{
    "TASKID_COMPONENT_NAME":"87",
    "TASKID_PRODUCT_NAME":"1093",
    "TASKID_VERSION":"1.0.0.0",
    "TASK_NAME":"Remote Installation",
    "TASKSCH_TYPE":0,
    "TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"KLNAG_TASK_REMOTE_INSTALL_ACCOUNT":"","KLNAG_TASK_REMOTE_INSTALL_ACCOUNT_PSWD":{"type":"binary","value":""},"KLSRV_COUPLED_NAGT_TSID":"9066e3c9-c709-434f-9196-88dcf4c70c23","KLTSK_RI_CHECK_OS":true,"KLTSK_RI_GROUP_TO_MOVE_HOST":-1,"KLTSK_RI_MAX_DOWNLOADS":5,"KLTSK_RI_MGD_BY_OTHER_SERVER":0,"KLTSK_RI_PACKAGES_GUIDS":["e71217d1-4a96-462c-a56a-6112bdc5369b:65"],"KLTSK_RI_PACKAGES_IDS":[65],"KLTSK_RI_ROOT":{"type":"binary","value":""},"KLTSK_RI_SKIP_PRESENT_PRODS":true,"KLTSK_RI_TMP_FOLDER":"","KLTSK_RI_USE_NAGENT":true,"KLTSK_RI_USE_SHARE":true,"KLTSK_RI_USE_SHARE_SRV":true,"KLTSK_RI_USE_SHARE_UA":false,"MaxTryCount":3,"UseGPO":false,"klprts-TaskAccountUser":"","klprts-TaskAccounts":[],"klprts-TaskMaxRunningTime":7200000,"klprts-TaskStorageId":"dd64d20d-c529-4d47-a854-38c1c2c77a77"}},
    "PRTS_TASK_GROUPID":-1,
    ".HstQueryId":0,
    "TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"KEA - Isolation ON for specific host","HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}],"KLEVP_NOTIFICATION_DESCR_ID":"9b84b28a-e47b-4120-8147-bb67fef681ea","KLPRSS_EVPNotifications":{"type":"params","value":{"ERR":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"INF":[{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":2}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLEVP_GroupTaskSyncState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":4}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":1}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"WRN":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}]}},"KLSRV_PRTS_TASK_ENABLED_FLAG":true,"KLTSK_ALLOW_AUTO_RANDOMIZATION":true,"PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-15T11:40:43Z"},"PRTS_TASK_GROUPID":-1,"PRTS_TASK_TARGET_COMPUTERS_TYPE":0,"klprts-DontApplyToSlaveServers":true,"klprts-TaskMaxRunningTime":7200000,"klprts-TaskScheduleSubtype":256,"klprts-TaskScheduleSubtypeEx":0}}
  }
}

Run Task

Start the updated task with Tasks::RunTask as shown above.

Host Events

Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2).

pFilter (params) - object containing values for the attributes to filter events by. Only events with matching attribute values will be returned. If empty, all events will be returned. See "List of event filter attributes" for attribute names.

"GNRL_EA_SEVERITY" (paramInt) - event severity. May have the following values:
0 - Constant to be used as an invalid event severity value
1 - Severity "Information"
2 - Severity "Warning"
3 - Severity "Error"
4 - Severity "Critical"

vecFieldsToReturn (array) - array of attribute names to return. See "List of event attributes" for attribute names.

KLEVP_EVENT_HOST - host id (from FindHost)

EventProcessingFactory::CreateEventProcessing2

POST /api/v1.0/EventProcessingFactory.CreateEventProcessing2 HTTP/1.1
Host: localhost:13299
X-KSC-Session: nvLZ4Hwi5VAL7XIiMwPaxPw==
Content-Type: application/json
Content-Length: 440

{
  "pFilter": {
    "KLEVP_EVENT_HOST":"a537ddc0-b84b-488a-993c-9f76e62036e9",
    "GNRL_EA_SEVERITY":4
  },
  "vecFieldsToReturn": [
    "GNRL_EA_SEVERITY",
    "event_db_id",
    "rise_time",
    "hostname",
    "event_type",
    "event_type_display_name",
    "GNRL_EA_DESCRIPTION",
    "group_id",
    "group_name"
  ],
  "vecFieldsToOrder": [],
  "lifetimeSec": 1000
}

KLEVP_EVENT_HOST - the host id; GNRL_EA_SEVERITY 4 - critical events only.

Response (iterator ID):

{"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF"}

Get the results from the iterator (EventProcessing::GetRecordRange):

curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
  --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "strIteratorId":"A07B69A5347CF435DB66C0FA826371FF",
    "nStart": 0,
    "nEnd": 100
  }'

Response (critical events):

{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY":[{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119829},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:10:44Z"}}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119818},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:05:34Z"}}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119807},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime",........

Close the session to KSC (Session::EndSession):

Session::EndSession

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='

X-KSC-Session - the PxgRetVal value returned by Session.StartSession.
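The whole sequence on this page, from Session.StartSession through the event iterator to Session.EndSession, is easy to get wrong in a script: a session token that is never released with EndSession stays valid until it expires, and an iterator that is never drained or released keeps server-side state alive. The following Python is an added example, not code from this post or from Kaspersky. It uses only the method names and the X-KSC-Session header shown on this page (plus EventProcessing.ReleaseIterator, a real OpenAPI method that the page itself does not show), and it takes the HTTP transport as a parameter so the flow can be exercised offline against a constructed fake server. The base URL, the Authorization header placeholder, the page size and the fake server's data are assumptions.

```python
"""KSC OpenAPI session lifecycle with paged event retrieval.

Added example (not the post's or Kaspersky's code). Method names and the
X-KSC-Session header are the ones on this page; fake_server is constructed.
Assumed: EventProcessing.ReleaseIterator (real method, not shown on the page).
"""
import json
import urllib.request
from typing import Any, Callable, Dict, Iterator, List

Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def http_transport(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: POST JSON and decode the JSON reply; TLS verification stays on."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class KscSession:
    """Session.StartSession on enter, Session.EndSession on exit, also when a call fails."""

    def __init__(self, base_url: str, auth_header: str, transport: Transport = http_transport):
        self.base_url = base_url.rstrip("/")
        self.auth_header = auth_header   # placeholder value, see the KSC OpenAPI docs
        self.transport = transport
        self.token = None

    def _call(self, method: str, body: Dict[str, Any], headers: Dict[str, str]) -> Dict[str, Any]:
        return self.transport(f"{self.base_url}/api/v1.0/{method}", headers, body)

    def __enter__(self) -> "KscSession":
        # The token comes back in PxgRetVal and is then sent as X-KSC-Session on every call.
        reply = self._call("Session.StartSession", {}, {"Authorization": self.auth_header})
        self.token = reply["PxgRetVal"]
        return self

    def __exit__(self, *exc) -> None:
        try:
            self._call("Session.EndSession", {}, {"X-KSC-Session": self.token})
        finally:
            self.token = None

    def api(self, method: str, body: Dict[str, Any]) -> Dict[str, Any]:
        return self._call(method, body, {"X-KSC-Session": self.token})

    def events(self, host_id: str, severity: int, page_size: int = 100) -> Iterator[Dict[str, Any]]:
        """Yield the events of one host with the given GNRL_EA_SEVERITY, page by page."""
        reply = self.api("EventProcessingFactory.CreateEventProcessing2", {
            "pFilter": {"KLEVP_EVENT_HOST": host_id, "GNRL_EA_SEVERITY": severity},
            "vecFieldsToReturn": ["GNRL_EA_SEVERITY", "event_db_id", "rise_time", "hostname",
                                  "event_type", "event_type_display_name", "GNRL_EA_DESCRIPTION"],
            "vecFieldsToOrder": [], "lifetimeSec": 1000})
        iterator_id = reply["strIteratorId"]
        try:
            start = 0
            while True:
                page = self.api("EventProcessing.GetRecordRange",
                                {"strIteratorId": iterator_id, "nStart": start, "nEnd": start + page_size})
                rows = page["pParamsEvents"]["KLEVP_EVENT_RANGE_ARRAY"]
                for row in rows:
                    yield row["value"]
                if len(rows) < page_size:   # short page: the iterator is drained
                    return
                start += page_size
        finally:
            self.api("EventProcessing.ReleaseIterator", {"strIteratorId": iterator_id})


def collect_critical_event_ids(transport: Transport, host_id: str) -> List[int]:
    """Full flow: open a session, fetch every severity-4 event of a host, close the session."""
    with KscSession("https://127.0.0.1:13299", "<Authorization value for StartSession>", transport) as ksc:
        return [e["event_db_id"]["value"] for e in ksc.events(host_id, 4)]


def fake_server(calls: List[str]) -> Transport:
    """Constructed stand-in for KSC: 150 critical events; rejects calls without the session token."""
    def transport(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        method = url.rsplit("/", 1)[1]
        calls.append(method)
        if method == "Session.StartSession":
            return {"PxgRetVal": "fake-session-token"}
        if headers.get("X-KSC-Session") != "fake-session-token":
            raise PermissionError(f"{method}: missing or wrong X-KSC-Session")
        if method == "EventProcessingFactory.CreateEventProcessing2":
            return {"strIteratorId": "A07B69A5347CF435DB66C0FA826371FF"}
        if method == "EventProcessing.GetRecordRange":
            return {"pParamsEvents": {"KLEVP_EVENT_RANGE_ARRAY": [
                {"type": "params", "value": {"event_db_id": {"type": "long", "value": i},
                                             "GNRL_EA_SEVERITY": 4,
                                             "event_type_display_name": "KSN servers unavailable"}}
                for i in range(body["nStart"], min(body["nEnd"], 150))]}}
        return {}   # EndSession and ReleaseIterator: nothing of interest in the reply
    return transport


if __name__ == "__main__":
    trace: List[str] = []
    print(len(collect_critical_event_ids(fake_server(trace), "a537ddc0-b84b-488a-993c-9f76e62036e9")), trace)
```

Because the generator releases the iterator in a finally block and the context manager ends the session in __exit__, a transport error in the middle of paging still results in ReleaseIterator followed by EndSession, which is the behaviour the fake server is used to check.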