Antipova Anna
Kaspersky Employee
Posts: 352

Everything posted by Antipova Anna

  1. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

     How to check whether KES is installed, its state (running or not) and the bases version via the registry:
     HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState

     Obtaining information from the registry is for familiarization purposes only. The KESCLI commands method is the one supported by the developers:
     - Managing the application from the command line > KESCLI commands > GetRealTimeProtectionState. File Threat Protection status: https://support.kaspersky.com/help/KESWin/12.2/en-US/213719.htm
     - Managing the application from the command line > KESCLI commands > GetDefinitionState. Determining the update completion time: https://support.kaspersky.com/help/KESWin/12.2/en-US/213724.htm

     The information in the registry key above is created by Network Agent (NA). It is deleted before OS shutdown and created again after OS boot. There is a delay (120 s) before the NA service starts, so if you need the state of KES immediately after OS boot, use KESCLI.
  2. Maximum validity of the custom certificate (Administration Server / Web Console):
     - A maximum of 5 years can be set as the validity of the Administration Server certificate.
     - The validity of the Web Console certificate cannot exceed 397 days.
     - Two different certificates must be used.
     After the specified time has expired, a new certificate must be generated manually (at best 90 days in advance) and stored as a replacement certificate. Clients that do not identify themselves with the Administration Server within 90 days must be reconnected manually: https://support.kaspersky.com/KSC/13.2/en-US/227839.htm
     The certificate must be replaced using klsetsrvcert: https://support.kaspersky.com/KSC/13.2/en-US/227838.htm
     In general, it is important that the custom certificate meets the following requirements:
     https://support.kaspersky.com/KSC/13.2/en-US/155201.htm
     https://support.kaspersky.com/KSC/13.2/en-US/191451.htm
     The custom certificate should also have the certificate signing permission; this is vital when using Distribution Points. Certificates issued by a public CA do not have this permission, so they cannot be used: https://support.kaspersky.com/KSC/13.2/en-US/155201.htm

     How to create a PKCS#12 file with an ordered certificate chain:
     The certificate chain is very important for connecting devices to find out whether the SSL certificate was created by a trusted authority. After that is done, do the following:
     1. Create an empty file (C:\temp\cert-chain.txt) on your PC and paste the following inside it:
        -----BEGIN CERTIFICATE-----
        (Your primary SSL certificate from C:\temp\your_domain_name.crt)
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        (Your intermediate certificate from C:\temp\TheIntermediateCA.crt)
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        (Your root certificate from C:\temp\TheTrustedRoot.crt)
        -----END CERTIFICATE-----
     2. Now replace the content inside the brackets with your certificates (which you can export via XCA; PEM text format). The order above is VERY important, so do not mix it up.
     3. Export the private key (unencrypted, in text format) with XCA from your certificate and store it in C:\temp\server.pemkey.
     4. Now merge everything together as PKCS#12 (the filename extension for PKCS #12 files is .p12 or .pfx). To do that, open a CMD (run as admin) and run:
        openssl pkcs12 -export -inkey C:\temp\server.pemkey -in C:\temp\cert-chain.txt -password pass:ABCD -out C:\temp\certificate(chain_and_key).pfx
     5. Your PFX file is now ready to be used.

     KSC - information about the self-signed certificate:
     The self-signed certificate created when installing KSC has a maximum validity of 1 year (limit of 397 days). The Administration Server certificate is created automatically during the installation of the Administration Server component and is saved in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert folder. A new certificate will be generated by the Administration Server as a reserve certificate 90 days before the expiry date of the current certificate. The new certificate automatically replaces the current certificate one day before the expiration date. All Network Agents on client devices will be automatically reconfigured to authenticate the Administration Server with the new certificate. Clients that do not identify themselves with the Administration Server within 90 days must be reconnected manually.

     Proxy for the Web Console: this option can be implemented only when installing the Web Console on another device and accessing the Administration Server.
  3. Problem
     An Application category based on the "Metadata" conditions was created, but it does not work.
     Solution
     This is expected behavior in case the file does not have a digital signature that can be trusted by the local KES on the host in question, or is not known in KSN.
     - Use the sigcheck tool to see whether the file has a valid digital signature: https://technet.microsoft.com/ru-ru/sysinternals/bb897441.aspx
     - Use other criteria to determine the category (for example, the file hash).
     - Add the necessary file to KSN by writing a request to KL.
  4. There are multiple fields in the database that are not easy to interpret, for example nIP, nStatus and many others. Most of them are from the public view v_akpub_host, which is one of the main sources of information about managed computers on KSC. The objective of this article is to help understand the encoding used; if you want to learn more about public views and specific fields, refer to klakdb.chm located in the KSC installation folder.

     nIP
     When you query for an IP address, the result may surprise you. Instead of an IP address you will receive a number, let's say 2130706433, which actually translates to 127.0.0.1. Here is an explanation of how this translation is achieved. The number 2130706433 equals 1111111000000000000000000000001 in binary. Let's split it into groups of 4 to make it easier to read: 0111 1111.0000 0000.0000 0000.0000 0001 (a leading zero is added for visibility). An IP address is 4 bytes long, which is 32 bits. As you see, there are exactly 32 digits divided into 4 groups called octets. It already starts to look like an IP address. We just need to convert the binary back to decimal while keeping it grouped: 127.0.0.1
     The same can be done with an SQL query. Here is an example which returns the computer name and its IP address in human-readable format:
     SELECT wstrDisplayName "Display Name",
            CAST(((nIp / 16777216) & 255) AS varchar(4)) + '.' +
            CAST(((nIp / 65536) & 255) AS varchar(4)) + '.' +
            CAST(((nIp / 256) & 255) AS varchar(4)) + '.' +
            CAST(((nIp) & 255) AS varchar(4)) "IP Address"
     FROM v_akpub_host;
     Another good example is the following code, which returns the host's visibility, whether Network Agent is installed, whether Network Agent is alive and the real-time protection state:
     SELECT h.wstrDnsName,
            h.wstrDisplayName,
            /* h.nStatus 'Host Status', */
            /* Host status, bit set:
               bit 0 set if host is visible,
               bit 2 set if Network Agent is installed,
               bit 3 set if Network Agent is "alive",
               bit 4 set if real-time protection is installed */
            CAST(((h.nStatus) & 1) AS varchar(1)) AS 'Host Visible',
            CAST(((h.nStatus / 4) & 1) AS varchar(1)) AS 'Agent Installed',
            CAST(((h.nStatus / 8) & 1) AS varchar(1)) AS 'Agent Alive',
            CAST(((h.nStatus / 16) & 1) AS varchar(1)) AS 'Protection Installed'
     FROM v_akpub_host h
     ORDER BY wstrDisplayName

     nStatus
     nStatus is another useful parameter stored as a decimal integer. The key to understanding it is the same, yet in this case each bit represents its own aspect of a state (unlike the previous case, where each group of 8 bits represented a number in the IP address). We should treat it as a (binary) bit set, where (the information below is from klakdb.chm):
     bit 0 is set if host is visible
     bit 1 is reserved
     bit 2 is set if Network Agent is installed
     bit 3 is set if Network Agent is "alive"
     bit 4 is set if real-time protection is installed
     For example, nStatus equals 29. 29 is 11101 in binary. Remember that binary is read from left to right. In this case the status is as follows:
     bit 0 equals 1 - that means the bit is set, which in our case means that the host is visible.
     bit 1 equals 0, but as it is reserved, we just omit it.
     bit 2 equals 1, so Network Agent is installed on the host.
     bit 3 equals 1, which means that Network Agent is "alive" - it can communicate with SC etc.
     bit 4 equals 1, so protection (KES, KSWS, etc.) is installed on the host.
     Additional reading
     To learn more about this data format refer to this article: https://en.wikipedia.org/wiki/Endianness
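The nIp and nStatus decoding described above, done in Python instead of SQL. This is an added example, not Kaspersky code or anything from the post; the function names are mine, the sample rows are constructed, and one assumption is not stated in the post: a signed 32-bit nIp column returns negative numbers for addresses whose first octet is 128 or higher, so values are masked to 32 bits before being split into octets.

```python
"""Decode the integer-encoded nIp and nStatus fields of the v_akpub_host view,
doing in Python what the two SQL queries above do server-side."""

# Bit meanings as listed in the post (quoted there from klakdb.chm); bit 1 is reserved.
# Bit 0 is the least-significant bit, i.e. the rightmost digit of the binary form.
NSTATUS_BITS = {
    0: "host_visible",
    2: "agent_installed",
    3: "agent_alive",
    4: "protection_installed",
}


def nip_to_ip(nip: int) -> str:
    """2130706433 -> '127.0.0.1': each octet is one group of 8 bits, high byte first."""
    # Assumption: a signed INT column may hand back a negative two's-complement value;
    # masking to 32 bits restores the unsigned address before splitting it.
    value = nip & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_to_nip(ip: str, signed: bool = False) -> int:
    """Inverse mapping, useful for building a WHERE nIp = ... condition.
    signed=True reproduces the negative value a signed 32-bit column would store."""
    octets = [int(part) for part in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    value = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    return value - (1 << 32) if signed and value >= (1 << 31) else value


def decode_nstatus(nstatus: int) -> dict:
    """Treat nStatus as a bit set: (nStatus >> bit) & 1 is the same test as
    (nStatus / 2^bit) & 1 in the SQL above."""
    return {name: bool((nstatus >> bit) & 1) for bit, name in NSTATUS_BITS.items()}


def decode_host_rows(rows):
    """rows: (wstrDisplayName, nIp, nStatus) tuples as SELECT ... FROM v_akpub_host returns them."""
    return [{"display_name": name, "ip": nip_to_ip(nip), **decode_nstatus(status)}
            for name, nip, status in rows]


# Constructed sample rows: 127.0.0.1 with nStatus 29 (the post's example), and a
# signed-negative nIp for 192.168.1.1 with only bits 0 and 2 set (agent not alive).
SAMPLE_ROWS = [
    ("WIN10-OPTIMUM-1", 2130706433, 29),
    ("SRV-DB-01", -1062731519, 5),
]

if __name__ == "__main__":
    for row in decode_host_rows(SAMPLE_ROWS):
        print(row)
```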
  5. Scenario: when logging in to KSC Web Console, it shows the following error:
     "Administration Server uses an untrusted self-signed certificate. Please modify the application configuration by specifying a valid certificate for Administration Server."
     Alternative wording (for older KSC versions): "Administration Server has untrusted self signed certificate. Please, reconfigure the application with correct certificate for Administration Server."
     Reason: the KSC certificate is set when Web Console is installed. If there are any changes/errors with the certificate after the installation, KSC Web Console will show this error, e.g. you installed Web Console together with KSC, then restored a KSC backup.
     Solution and source: change the certificate in KSC. Specifying certificates for trusted Administration Servers - guide on specifying a new certificate.
  6. Problem Description, Symptoms & Impact
     In KES 12.0, the way the Device Control component works has been changed. See the changelog: https://support.kaspersky.com/help/KESWin/12.0/en-US/127969.htm
     Due to these changes, you may notice that printing becomes slow after you have upgraded KES to version 12.0 or higher. The delay may be around 30-60 s or even 10-15 minutes. When you disable KES, printing becomes instant. In some exceptional cases, the delay may be so big that it is impossible to print anything and the system hangs. The issue affects both local printers and network printers.
     Diagnostics
     First of all, test whether the issue persists with the Device Control component disabled. If it does, move a device to a separate group for testing, create a new default KES policy there and check whether the issue persists under the default policy. If everything is fine under the default policy, this is a clear sign that something is wrong with your configuration. Additionally, try the latest PF for KES and check whether the issue persists on it. There are some optimizations there that fix some Device Control issues and can improve performance, but if the issue is in the policy configuration, it won't help much.
     Workaround & Solution
     Troubleshooting steps:
     1. Select a host for troubleshooting and move it to a test group.
     2. Install the latest PF on it, reboot and check the situation.
     3. Check whether the issue is caused by the Device Control component, i.e. whether it persists when this component is disabled.
     4. Check whether the issue persists under the main policy and under the default policy.
     5. Check the policy configuration and how many devices have been added to the Trusted Devices list. If there are several hundred entries or more, try to find a way to reduce their number.
     Please see this public article for more details: https://support.kaspersky.com/KESWin/12.1/en-US/38595.htm. It states: "it is not recommended to add more than 1000 trusted devices, as this can cause system instability." To reduce the list of trusted devices, you can use the wildcard * for the same type of printer.
  7. This info applies to KSC 12-14.2.
     The Web Console port can be changed from the default port 8080 to 443 or any other port not occupied by the operating system or a third-party application.
     1. Open the file "C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\server\config.json" with any text editor and type the port you would like to use instead of 8080.
     2. Restart all Kaspersky Security Center Web Console services via services.msc to apply the changes.
  8. Description and cautions
     A KSN connection error may appear on the KATA web interface.
     Details
     1. It can be fixed as long as you don't have permanent KSN errors; check this in ksn_proxy.log at DEBUG level. The key word is ErrCount. If you don't see ErrCount: 0 in the log, then you don't have access to our KSN servers, which are:
        *.ksn.kaspersky-labs.com
        ksn-*.kaspersky-labs.com
        ds.kaspersky.com
     2. In order to fix this web error, do as below.

     For KATA 4.0/4.1
     Under root on the CN execute:
     apt-settings-manager set --merge /configuration/preprocessor '{"ksn": {"non_dl_formats": ["GeneralHtml", "GeneralTxt", "ExecutableJs", "ImageGif", "ImageJpeg", "ImagePng", "ArchiveCab"], "request_threads": 4, "timeout": "PT1.5S"}}'
     * PT1.5S means 1.5 seconds; don't increase it further.
     Then increase "errors_increase_threshold" to 100 (actually you have to check the ksn_proxy debug log in order to understand how many KSN connection errors you have and adjust this parameter accordingly):
     apt-settings-manager set --merge /configuration/monitoring_prometheus '{"ksn_proxy": {"errors_increase_threshold": 100, "errors_window_period": "10m", "scraping_alert_for_interval": "1m", "scraping_evaluation_interval": "30s"}}'
     If this helps, then make the change persistent:
     vim /etc/opt/kaspersky/apt-swarm/swarm_config.json
     "ksn": {
       "non_dl_formats": [
         "GeneralHtml", "GeneralTxt", "ExecutableJs", "ImageGif", "ImageJpeg", "ImagePng", "ArchiveCab"
       ],
       "request_threads": 4,
       "timeout": "PT0.5S"    <<<<< set 1.5S
     Find:
     "ksn_proxy": {
       "errors_increase_threshold": 2,    <<<<< set 100
       "errors_window_period": "10m",
       "scraping_alert_for_interval": "1m",
       "scraping_evaluation_interval": "30s"

     For KATA 5.+/6.+
     Use one line:
     console-settings-updater set --merge /kata/configuration/product/monitoring_prometheus '{"alert_settings": {"ksn_proxy": {"errors_increase_threshold": 100}}}'
     If the value 100 doesn't help, you may increase it to 150-200.
     Or use the long way. Under root on the CN execute:
     console-settings-updater get /kata/configuration/product/monitoring_prometheus | python3 -m json.tool > /tmp/monitoring_prometheus
     Make changes in /tmp/monitoring_prometheus (via vim or nano) by finding the following block:
     "ksn_proxy": {
       "errors_increase_threshold": 100,    <<<<<< put the value 100 here instead of the default 2
     Save the file (ESC :wq!) and put the changes back into the container:
     console-settings-updater set /kata/configuration/product/monitoring_prometheus @/tmp/monitoring_prometheus
     If the value 100 doesn't help, you may increase it to 150-200.
  9. Description and cautions
     This article gives some example use cases of KSC API calls to ease one's start in using the API. In this KB we look at the host isolation scenario with KES/KEA.
     For the Windows version of cURL, you need to specify that the arguments are escaped with "\", otherwise there will be an error. For example:
     'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'

     Details
     Prerequisites
     - Internal user: api-user
     - Example KSC address: 127.0.0.1 (the address can also be external)
     - API port: 13299 (default)
     - User: api-user (internal KSC user), base64: YXBpLXVzZXI=
     - Password: password, base64: cGFzc3dvcmQ=
     - Authentication type: Authenticated session (other types: see the KSC Open API description)
     Requests are given in cURL and HTTP formats; as an alternative it is also possible to use the Python library (KlAkOAPI Python package).

     Login
     Start a connection to KSC (Session::StartSession):
     curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
          --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'
     The username and password should be encoded in base64 format as part of a secure HTTPS session. For example, https://www.base64encode.org/ can be used for encoding.
     Response:
     { "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" }
     Use this token in the request header.

     Find Host
     Find host by filter string (HostGroup::FindHosts). The filter string contains a condition over host attributes, see also Search filter syntax.
     We use "KLHST_WKS_DN" - Host display name.
     HostGroup::FindHosts
     POST /api/v1.0/HostGroup.FindHosts HTTP/1.1
     Host: localhost:13299
     X-KSC-Session: nH4iKWCdxuBJWO5U4ATKSew==
     Content-Type: application/json
     Content-Length: 170

     { "vecFieldsToReturn": [ "KLHST_WKS_HOSTNAME", "KLHST_WKS_DN" ], "lMaxLifeTime": 1200, "wstrFilter": "(KLHST_WKS_DN=\"WIN10-*\")" }
     Response ID:
     {"strAccessor":"ppYeO5rmkvKcMUm8vQzOK2","PxgRetVal":18}
     Copy the accessor for the next request (ChunkAccessor::GetItemsChunk):
     curl -L -X POST "https://127.0.0.1:13299/api/v1.0/ChunkAccessor.GetItemsChunk" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"strAccessor\":\"fb07haDqXIKZbQzyDsMwx1\", \"nStart\": 0, \"nCount\": 100 }"
     Response with info about the hosts:
     { "pChunk": { "KLCSP_ITERATOR_ARRAY": [ { "type": "params", "value": { "KLHST_WKS_DN": "WIN10-OPTIMUM-1", "KLHST_WKS_HOSTNAME": "c0816918-fbc5-4fbc-8fed-6f245756120e" } }, { "type": "params", "value": { "KLHST_WKS_DN": "WIN10-KES-11-OLD", "KLHST_WKS_HOSTNAME": "ab365e11-a1c7-492b-a981-e84402b33a8f" } } ] }, ........ "PxgRetVal": 18 }
     Copy the value of "KLHST_WKS_HOSTNAME" for the next request.

     KEA Isolation
     HostGroup.GetHostInfo
     Acquire specified host attributes (HostGroup::GetHostInfo).
     - strHostName (wstring): host name, a unique server-generated string (see the KLHST_WKS_HOSTNAME attribute). It is NOT the same as the computer network name (DNS-, FQDN-, NetBIOS-name).
     - pFields2Return (array): array of names of host attributes to return. See List of host attributes for attribute names.
     HostGroup.GetHostInfo
     POST /api/v1.0/HostGroup.GetHostInfo HTTP/1.1
     Host: localhost:13299
     X-KSC-Session: nH4iKWCdxuBJWO5U4ATKSew==
     Content-Type: application/json
     Content-Length: 185

     { "strHostName":"ab365e11-a1c7-492b-a981-e84402b33a8f", "pFields2Return": [ "KLHST_WKS_HOSTNAME", "KLHST_WKS_DN", "KLHST_APP_INFO" ] }

     HostGroup.SS_GetNames
     Get section names from host settings storage
     (HostGroup::SS_GetNames). Parameter values should be taken from the previous response.
     HostGroup::SS_GetNames
     POST /api/v1.0/HostGroup.SS_GetNames HTTP/1.1
     Host: localhost:13299
     X-KSC-Session: nqH6Qma75t/wBcQm8vlyqvQ==
     Content-Type: application/json
     Content-Length: 148

     { "strHostName":"ab365e11-a1c7-492b-a981-e84402b33a8f", "strType":"SS_SETTINGS", "strProduct":"SOYUZ", "strVersion":"4.0.0.0" }
     Response:
     { "PxgRetVal": [
         ".KLNAG_SECTION_REBOOT_REQUEST", "85", "AccountLogonSettings", "ApplicationSettings",
         "AutoStartEntriesNotifySettings", "ConnectionSettings", "CreateProcessSettings",
         "FileChangeNotificationSettsEdr", "KLEVP_NF_SECTION", "KsnServiceSettings",
         "LoadImageSettingsEdr", "MaintenanceSettings", "MdrServiceSettings", "MessageBrokerSettings",
         "NetworkConnectionSettingsEdr", "NetworkIsolationProfilesSetts",
         "NetworkIsolationSettings",    #copy this section name
         "PasswordSettings", "PreventionSettings", "ProductPermissionSettings", "QuarantineSettings",
         "SandboxSettings", "SelfDefenceSettings", "UserModeApiMonitorSrvSettings", "WMIActivitySettings",
         "WindowsEventLogSettingsEdr", "WindowsRegistrySettings" ] }
     With the KSC Web Console (NWC), create a local network exception for VPN:
     1) Open host properties → Applications → KEA
     2) Open the tab App Settings → Network Isolation → Isolation on detection
     3) Add a rule for RDP → click "OK" → click "Save"

     HostGroup.SS_Read
     Read data from host settings storage
     (HostGroup::SS_Read). Parameter values should be taken from the two previous responses.
     HostGroup::SS_Read
     POST /api/v1.0/HostGroup.SS_Read HTTP/1.1
     Host: localhost:13299
     X-KSC-Session: nqc+0P0UI+Wzuu+FREB74yQ==
     Content-Type: application/json
     Content-Length: 194

     { "strHostName":"ab365e11-a1c7-492b-a981-e84402b33a8f", "strType":"SS_SETTINGS", "strProduct":"SOYUZ", "strVersion":"4.0.0.0", "strSection":"NetworkIsolationSettings" }
     Response with info about Network Isolation with the RDP rule exception:
     {
       "PxgRetVal": {
         "BaseSettings": { "type": "params", "value": { "Revision": { "type": "long", "value": 0 }, "__VersionInfo": [ 1, 0 ] } },
         "Enable": false,
         "Exclusions": [
           {
             "type": "params",
             "value": {
               "Description": "Custom (user-defined)",
               "Name": "Custom (user-defined)",
               "Rules": [
                 {
                   "type": "params",
                   "value": {
                     "AppProtocolName": "RDP",
                     "Applications": [],
                     "Direction": 3,
                     "Enable": true,
                     "LocalAddress": "",
                     "LocalPort": { "type": "params", "value": { "MaxPort": 3389, "MinPort": 3389, "__VersionInfo": [ 1, 0 ] } },
                     "Protocol": 0,
                     "RemoteAddress": "",
                     "RemotePort": { "type": "params", "value": { "MaxPort": 0, "MinPort": 0, "__VersionInfo": [ 1, 0 ] } },
                     "UseApplications": false,
                     "UseLocalAddress": false,
                     "UseLocalPort": true,
                     "UseProtocol": false,
                     "UseRemoteAddress": false,
                     "UseRemotePort": false,
                     "__VersionInfo": [ 1, 1 ]
                   }
                 }
               ],
               "__VersionInfo": [ 1, 0 ]
             }
           }
         ],
         "IsolationTimeout": 1800,
         "NotifyUser": true,
         "UseIsolationTimeout": true,
         "__VersionInfo": [ 1, 2 ]
       }
     }
     Copy the whole response for the next request.

     HostGroup.SS_Write
     Write data to host settings storage to isolate the workstation with the RDP rule (HostGroup::SS_Write).
     1) Use the previous parameter values.
     2) For nOption use 7. 7 - "Clear": replaces the existing section contents with pData, i.e. the existing section contents will be deleted and the variables from pData will be written to the section.
     3) For pSettings paste the previous response and change "Enable": true.
     HostGroup::SS_Write
     POST /api/v1.0/HostGroup.SS_Write HTTP/1.1
     Host: localhost:13299
     X-KSC-Session: nbpsiiOAAxiDWfMSVkgciWQ==
     Content-Type: application/json
     Content-Length: 1066

     {
       "strHostName":"bdcae680-eeaa-4279-a822-92a0d3e01dfb",
       "strType":"SS_SETTINGS",
       "strProduct":"SOYUZ",
       "strVersion":"4.0.0.0",
       "strSection":"NetworkIsolationSettings",
       "nOption":7,
       "pSettings":{
         "BaseSettings": { "type": "params", "value": { "Revision": { "type": "long", "value": 0 }, "__VersionInfo": [ 1, 0 ] } },
         "Enable": true,    #Isolation ON
         "Exclusions": [
           {
             "type": "params",
             "value": {
               "Description": "Custom (user-defined)",
               "Name": "Custom (user-defined)",
               "Rules": [
                 {
                   "type": "params",
                   "value": {
                     "AppProtocolName": "RDP",    #custom rule for RDP
                     "Applications": [],
                     "Direction": 3,
                     "Enable": true,
                     "LocalAddress": "",
                     "LocalPort": { "type": "params", "value": { "MaxPort": 3389, "MinPort": 3389, "__VersionInfo": [ 1, 0 ] } },
                     "Protocol": 0,
                     "RemoteAddress": "",
                     "RemotePort": { "type": "params", "value": { "MaxPort": 0, "MinPort": 0, "__VersionInfo": [ 1, 0 ] } },
                     "UseApplications": false,
                     "UseLocalAddress": false,
                     "UseLocalPort": true,
                     "UseProtocol": false,
                     "UseRemoteAddress": false,
                     "UseRemotePort": false,
                     "__VersionInfo": [ 1, 1 ]
                   }
                 }
               ],
               "__VersionInfo": [ 1, 0 ]
             }
           }
         ],
         "IsolationTimeout": 1800,
         "NotifyUser": true,
         "UseIsolationTimeout": true,
         "__VersionInfo": [ 1, 2 ]
       }
     }
     Response:
     { }
     Host isolated successfully. To switch isolation off, paste the previous response into pSettings again and change "Enable": false.

     KES Isolation (11.7 and higher)
     FindHost
     Find the host with the previous method and copy the value of "KLHST_WKS_HOSTNAME". For example:
     "KLHST_WKS_DN":"KEDRO-1","KLHST_WKS_HOSTNAME":"a20da5de-49e5-469a-92ea-41b5adb74ea4"
     SrvView
     Find srvview data by filter string (SrvView::ResetIterator).
     "wstrViewName" - check List of supported srvviews.
     "vecFieldsToReturn" - check https://support.kaspersky.com/help/KSC/13.1/KSCAPI/a00307.html
     SrvView::ResetIterator
     POST /api/v1.0/SrvView.ResetIterator HTTP/1.1
     Host: localhost:13299
     X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
     Content-Type: application/json
     Content-Length: 614

     {
       "wstrViewName": "HostTasksSrvView",
       "vecFieldsToReturn": [ "nState", "strTask", "TASK_NAME", "txtDisplayName", "TASKID_PRODUCT_NAME", "TASKID_PRODUCT_VERSION", "bCannotBeDeleted", "bSystem" ],
       "vecFieldsToOrder": [ { "type": "params", "value": { "Name": "TASK_NAME", "Asc": "true" } } ],
       "lifetimeSec": 100,
       "pParams": { "strHostId": "a20da5de-49e5-469a-92ea-41b5adb74ea4" },
       "wstrFilter": ""
     }
     Response ID:
     {"wstrIteratorId":"67D74142AE0FA1A3D05CD696B957902B"}
     GetRecordRange from the response data (SrvView.GetRecordRange):
     curl -L -X POST "https://127.0.0.1:13299/api/v1.0/SrvView.GetRecordRange" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"wstrIteratorId\":\"67D74142AE0FA1A3D05CD696B957902B\", \"nStart\": 0, \"nEnd\": 100 }"
     Copy the value of "strTask" for the tasks "xdr_networkisolation_start" and "xdr_networkisolation_stop". For example:
     Isolation ON => "TASK_NAME":"xdr_networkisolation_start" .... "strTask":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056"
     Isolation OFF => "TASK_NAME":"xdr_networkisolation_stop" .... "strTask":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"

     Isolation ON
     GetHostTasks
     Return the server-specific identity to acquire and manage host tasks (HostGroup::GetHostTasks).
     HostGroup.GetHostTasks
     POST /api/v1.0/HostGroup.GetHostTasks HTTP/1.1
     Host: localhost:13299
     X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
     Content-Type: application/json
     Content-Length: 58

     { "strHostName":"a20da5de-49e5-469a-92ea-41b5adb74ea4" }
     Response:
     {"PxgRetVal":"8122017D5C4081753E8FDE94244DC1AF"}

     HostTasks GetTaskData
     Acquire task settings
(HostTasks::GetTaskData) strSrvObjId - server object ID that got from HostGroup.GetHostTasks strTask - storage identifier of the task (such as returned by HostTasks.AddTask) HostTasks::GetTaskData POST /api/v1.0/HostTasks.GetTaskData HTTP/1.1 Host: localhost:13299 X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg== Content-Type: application/json Content-Length: 112 { "strTask":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056", "strSrvObjId":"8122017D5C4081753E8FDE94244DC1AF" } Response: Response {"PxgRetVal":{"EVENT_TYPE":"PRTS_EVENT_NONE","FILTER_EVENTS_COMPONENT_NAME":"","FILTER_EVENTS_INSTANCE_ID":"","FILTER_EVENTS_PRODUCT_NAME":"","FILTER_EVENTS_VERSION":"","TASKID_COMPONENT_NAME":"Connector","TASKID_INSTANCE_ID":"","TASKID_PRODUCT_NAME":"KES","TASKID_VERSION":"11.0.0.0","TASKSCH_FIRST_EXECUTION_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},"TASKSCH_FIRST_EXECUTION_TIME_SEC":0,"TASKSCH_LIFETIME":{"type":"datetime","value":""},"TASKSCH_MS_PERIOD":0,"TASKSCH_RUN_MISSED_FLAG":false,"TASKSCH_TYPE":0,"TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"CompatibilityInfo":{"type":"params","value":{"MinimalPluginVersion":"11.7.0.0"}},"PRTS_TASK_EXT_SHEDULE_FLAGS":0,"exclusionRules":[{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}},"name":"DNS","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}},"name":"DNS","protocol":{"type":"params","value":{"ena
bled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":true,"paths":["%systemroot%\\system32\\dns.exe"]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":65535,"start":49152}}]}},"name":"Large numbered TCP ports, randomly assigned by the RPC service","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":true,"paths":["%systemroot%\\system32\\svchost.exe"]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":135,"start":135}}]}},"name":"RPC Endpoint Mapper","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":0,"localPorts":{"type":"params","value":{"enabled":false,"portRange":[]}},"name":"DNS 
client","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":0,"localPorts":{"type":"params","value":{"enabled":false,"portRange":[]}},"name":"DNS client","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":2,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":68,"start":68}}]}},"name":"DHCP server","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":67,"start":67}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":2,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":67,"start":67}}]}},"name":"DHCP 
client","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":68,"start":68}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":2535,"start":2535}}]}},"name":"MADCAP","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":647,"start":647}}]}},"name":"DHCP failover","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}}],"isolationDuration":3600000,"klprts-TaskStorageId":"_LOCAL_2d076fbe-7e60-4a99-9177-173076a5a2b1","ksc_settings_compatibility::TaskUniqueId":"89621cce@xdr_networkisolation_start@NetworkIsolationStart","responseId":{"type":"long","value":7998665773575485050}}},"TASK_CLASS_ID":0,"TASK_DEL_AFTER_RUN_FLAG":false,"TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"Network 
isolation","klprts-TaskCannotBeDeleted":true,"klprts-TaskScheduleSubtype":256}},"TASK_LAST_EXEC_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},"TASK_LAST_EXEC_TIME_SEC":0,"TASK_MAX_EXEC_TIME":0,"TASK_NAME":"xdr_networkisolation_start","TASK_PREP_START":0,"TASK_PRIORITY":1,"TASK_START_DELTA":0,"TASK_UNIQUE_ID":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056"}}

Copy some of the values from the response and change the parameters in the next request. Network isolation exclusion for the RDP protocol (for example):

exclusionRules
{
  "type": "params",
  "value": {
    "applications": { "type": "params", "value": { "enabled": true, "paths": [] } },
    "dataSource": 2,                                                          # inbound and outbound
    "localPorts": {
      "type": "params",
      "value": {
        "enabled": true,
        "portRange": [
          { "type": "params", "value": { "end": 3389, "start": 3389 } }       # port
        ]
      }
    },
    "name": "RDP ANY",                                                        # name
    "protocol": { "type": "params", "value": { "enabled": true, "id": 0 } },  # 0 = TCP and UDP
    "remoteAddress": {
      "type": "params",
      "value": {
        "enabled": false,
        "ip": { "type": "params", "value": { "octets": { "type": "binary", "value": "" }, "zoneIPv6": "" } }
      }
    },
    "remotePorts": { "type": "params", "value": { "enabled": false, "portRange": [] } }
  }
}

UpdateTask
Modify task settings. (HostTasks::UpdateTask)

HostTasks::UpdateTask
POST /api/v1.0/HostTasks.UpdateTask HTTP/1.1
Host: localhost:13299
X-KSC-Session: n18Zfc+1hPeedqD07uM96/A==
Content-Type: application/json
Content-Length: 32796

{
  "strTask": "_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056",
  "strSrvObjId": "46A9BEBC82C3FB1121050247A0697ECC",
  "pData": {
    "TASKID_COMPONENT_NAME": "Connector",
    "TASKID_PRODUCT_NAME": "KES",
    "TASKID_VERSION": "11.0.0.0",
    "TASKSCH_TYPE": 5,
    "TASK_ADDITIONAL_PARAMS": {
      "type": "params",
      "value": {
        "CompatibilityInfo": { "type": "params", "value": { "MinimalPluginVersion": "11.8.0.0" } },
        "PRTS_TASK_EXT_SHEDULE_FLAGS": 0,
        "exclusionRules": [
          {
            "type": "params",
            "value": {
              "applications": { "type": "params", "value": { "enabled": true, "paths": [] } },
              "dataSource": 2,
              "localPorts": {
                "type": "params",
                "value": {
                  "enabled": true,
                  "portRange": [ { "type": "params", "value": { "end": 3389, "start": 3389 } } ]
                }
              },
              "name": "RDP ANY",
              "protocol": { "type": "params", "value": { "enabled": true, "id": 0 } },
              "remoteAddress": {
                "type": "params",
                "value": {
                  "enabled": false,
                  "ip": { "type": "params", "value": { "octets": { "type": "binary", "value": "" }, "zoneIPv6": "" } }
                }
              },
              "remotePorts": { "type": "params", "value": { "enabled": false, "portRange": [] } }
            }
          }
        ],
        "isolationDuration": 28800000,
        "klprts-TaskStorageId": "_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056",
        "ksc_settings_compatibility::TaskUniqueId": "89621cce@xdr_networkisolation_start@NetworkIsolationStart",
        "responseId": { "type": "long", "value": 4294967295 }
      }
    },
    "TASK_CLASS_ID": 0,
    "TASK_DEL_AFTER_RUN_FLAG": false,
    "TASK_INFO_PARAMS": {
      "type": "params",
      "value": {
        "DisplayName": "Network isolation",
        "klprts-TaskCannotBeDeleted": true,
        "klprts-TaskScheduleSubtype": 512
      }
    },
    "TASK_NAME": "xdr_networkisolation_start",
    "TASK_PREP_START": 0,
    "TASK_PRIORITY": 1,
    "TASK_START_DELTA": 0,
    "TASK_UNIQUE_ID": "_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056"
  }
}

Response:
{ }

Host isolated successfully with an allowed RDP session.

Isolation OFF
For example, isolation OFF => "TASK_NAME":"xdr_networkisolation_stop" .... "strTask":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"

GetHostTasks
Return server-specific identity to acquire and manage host tasks. (HostGroup::GetHostTasks)

HostGroup.GetHostTasks
POST /api/v1.0/HostGroup.GetHostTasks HTTP/1.1
Host: localhost:13299
X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
Content-Type: application/json
Content-Length: 58

{ "strHostName":"a20da5de-49e5-469a-92ea-41b5adb74ea4" }

Response:
{"PxgRetVal":"8122017D5C4081753E8FDE94244DC1AF"}

HostTasks
GetTaskData
Acquire task settings. (HostTasks::GetTaskData)
strSrvObjId - server object ID obtained from HostGroup.GetHostTasks
strTask - storage identifier of the task (such as returned by HostTasks.AddTask)

HostTasks::GetTaskData
POST /api/v1.0/HostTasks.GetTaskData HTTP/1.1
Host: localhost:13299
X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
Content-Type: application/json
Content-Length: 112

{ "strTask":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d", "strSrvObjId":"8122017D5C4081753E8FDE94244DC1AF" }

Response:
{"PxgRetVal":{
  "EVENT_TYPE":"PRTS_EVENT_NONE",
  "FILTER_EVENTS_COMPONENT_NAME":"",
  "FILTER_EVENTS_INSTANCE_ID":"",
  "FILTER_EVENTS_PRODUCT_NAME":"",
  "FILTER_EVENTS_VERSION":"",
  "TASKID_COMPONENT_NAME":"Connector",
  "TASKID_INSTANCE_ID":"",
  "TASKID_PRODUCT_NAME":"KES",
  "TASKID_VERSION":"11.0.0.0",
  "TASKSCH_FIRST_EXECUTION_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},
  "TASKSCH_FIRST_EXECUTION_TIME_SEC":0,
  "TASKSCH_LIFETIME":{"type":"datetime","value":""},
  "TASKSCH_MS_PERIOD":0,
  "TASKSCH_RUN_MISSED_FLAG":false,
  "TASKSCH_TYPE":0,
  "TASK_ADDITIONAL_PARAMS":{"type":"params","value":{
    "CompatibilityInfo":{"type":"params","value":{"MinimalPluginVersion":"11.8.0.0"}},
    "PRTS_TASK_EXT_SHEDULE_FLAGS":0,
    "klprts-TaskStorageId":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d",
    "ksc_settings_compatibility::TaskUniqueId":"59e0cc70@xdr_networkisolation_stop@NetworkIsolationStop",
    "responseId":{"type":"long","value":4294967295}}},
  "TASK_CLASS_ID":0,
  "TASK_DEL_AFTER_RUN_FLAG":false,
  "TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"Termination of network isolation","klprts-TaskCannotBeDeleted":true,"klprts-TaskScheduleSubtype":256}},
  "TASK_LAST_EXEC_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},
  "TASK_LAST_EXEC_TIME_SEC":0,
  "TASK_MAX_EXEC_TIME":0,
  "TASK_NAME":"xdr_networkisolation_stop",
  "TASK_PREP_START":0,
  "TASK_PRIORITY":1,
  "TASK_START_DELTA":0,
  "TASK_UNIQUE_ID":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"}}

Copy some of the values from the response and change the parameters in the next request with the network isolation exclusions.

UpdateTask
Modify task settings. (HostTasks::UpdateTask)

POST /api/v1.0/HostTasks.UpdateTask HTTP/1.1
Host: localhost:13299
X-KSC-Session: n18Zfc+1hPeedqD07uM96/A==
Content-Type: application/json
Content-Length: 32796

{
  "strTask": "_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d",
  "strSrvObjId": "A06A16B837CC0E73BD3BCCDAA98A3129",
  "pData": {
    "TASKID_COMPONENT_NAME": "Connector",
    "TASKID_PRODUCT_NAME": "KES",
    "TASKID_VERSION": "11.0.0.0",
    "TASKSCH_MS_PERIOD": 0,
    "TASKSCH_TYPE": 5,                                   # change
    "TASK_ADDITIONAL_PARAMS": {
      "type": "params",
      "value": {
        "CompatibilityInfo": { "type": "params", "value": { "MinimalPluginVersion": "11.8.0.0" } },
        "PRTS_TASK_EXT_SHEDULE_FLAGS": 0,
        "klprts-TaskStorageId": "_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d",
        "ksc_settings_compatibility::TaskUniqueId": "59e0cc70@xdr_networkisolation_stop@NetworkIsolationStop",
        "responseId": { "type": "long", "value": 4294967295 }
      }
    },
    "TASK_CLASS_ID": 0,
    "TASK_DEL_AFTER_RUN_FLAG": false,
    "TASK_INFO_PARAMS": {
      "type": "params",
      "value": {
        "DisplayName": "Termination of network isolation",
        "klprts-TaskCannotBeDeleted": true,
        "klprts-TaskScheduleSubtype": 512                # change
      }
    },
    "TASK_NAME": "xdr_networkisolation_stop",
    "TASK_PREP_START": 0,
    "TASK_PRIORITY": 1,
    "TASK_START_DELTA": 0,
    "TASK_UNIQUE_ID": "_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"
  }
}

Response:
{ }

Host unblocked successfully.

End Session to KSC (Session::EndSession)

Session::EndSession
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='   # PxgRetVal from Session.StartSession
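As an added example that is not part of the post, the Python script below assembles the UpdateTask body the way the two requests above do by hand (copy the GetTaskData reply, set TASKSCH_TYPE to 5 and klprts-TaskScheduleSubtype to 512, and for the start task add exclusionRules and isolationDuration) and posts it with the X-KSC-Session header. The base URL, session id, server object id and task ids in it are placeholders; the KSC Open API method names and field names are the ones shown in the post.

```python
"""Added example, not code from the forum post: derive a HostTasks.UpdateTask body
from a HostTasks.GetTaskData reply for the KES network-isolation tasks, the way the
post does by hand, and POST it with the X-KSC-Session header."""
import copy
import json
import ssl
import urllib.request

# Protocol ids as used in the post's exclusion rules: 0 = TCP and UDP, 6 = TCP, 17 = UDP.
PROTO_ANY, PROTO_TCP, PROTO_UDP = 0, 6, 17
# dataSource 2 is annotated "inbound and outbound" on the post's RDP rule.
DIRECTION_BOTH = 2


def _params(value):
    """Wrap a value in the {"type": "params", "value": ...} envelope the API uses."""
    return {"type": "params", "value": value}


def exclusion_rule(name, port, protocol_id=PROTO_ANY, data_source=DIRECTION_BOTH):
    """One exclusionRules entry that keeps local `port` reachable on the isolated host,
    shaped like the post's "RDP ANY" rule (remote address and ports left disabled)."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return _params({
        "applications": _params({"enabled": True, "paths": []}),
        "dataSource": data_source,
        "localPorts": _params({"enabled": True,
                               "portRange": [_params({"end": port, "start": port})]}),
        "name": name,
        "protocol": _params({"enabled": True, "id": protocol_id}),
        "remoteAddress": _params({"enabled": False,
                                  "ip": _params({"octets": {"type": "binary", "value": ""},
                                                 "zoneIPv6": ""})}),
        "remotePorts": _params({"enabled": False, "portRange": []}),
    })


# Keys the post copies unchanged from the GetTaskData reply into pData.
_COPIED_KEYS = ("TASKID_COMPONENT_NAME", "TASKID_PRODUCT_NAME", "TASKID_VERSION",
                "TASK_CLASS_ID", "TASK_DEL_AFTER_RUN_FLAG", "TASK_NAME",
                "TASK_PREP_START", "TASK_PRIORITY", "TASK_START_DELTA", "TASK_UNIQUE_ID")


def update_task_body(task_data, srv_obj_id, rules=None, isolation_ms=None):
    """Build the UpdateTask request from a GetTaskData reply (with or without its PxgRetVal
    wrapper) without modifying it; sets TASKSCH_TYPE 5 and klprts-TaskScheduleSubtype 512."""
    src = task_data.get("PxgRetVal", task_data)
    pdata = {k: copy.deepcopy(src[k]) for k in _COPIED_KEYS if k in src}
    pdata["TASKSCH_TYPE"] = 5
    extra = copy.deepcopy(src["TASK_ADDITIONAL_PARAMS"])
    if rules is not None:                 # start task only: the allow-list
        extra["value"]["exclusionRules"] = list(rules)
    if isolation_ms is not None:          # start task only: isolationDuration in ms
        extra["value"]["isolationDuration"] = int(isolation_ms)
    pdata["TASK_ADDITIONAL_PARAMS"] = extra
    info = copy.deepcopy(src["TASK_INFO_PARAMS"])
    info["value"]["klprts-TaskScheduleSubtype"] = 512
    pdata["TASK_INFO_PARAMS"] = info
    return {"strTask": src["TASK_UNIQUE_ID"], "strSrvObjId": srv_obj_id, "pData": pdata}


def call_api(base_url, session_id, method, body, cafile=None):
    """POST one Open API method (e.g. "HostTasks.UpdateTask"); TLS verified against cafile."""
    req = urllib.request.Request(
        f"{base_url}/api/v1.0/{method}", data=json.dumps(body).encode("utf-8"),
        headers={"X-KSC-Session": session_id, "Content-Type": "application/json"},
        method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


# Constructed sample with the shape of the post's GetTaskData reply for the start task
# (trimmed; the ids are placeholders, not values from a real server).
SAMPLE_TASK_DATA = {"PxgRetVal": {
    "TASKID_COMPONENT_NAME": "Connector", "TASKID_PRODUCT_NAME": "KES",
    "TASKID_VERSION": "11.0.0.0", "TASKSCH_TYPE": 0,
    "TASK_ADDITIONAL_PARAMS": _params({
        "exclusionRules": [exclusion_rule("DNS client", 53, PROTO_UDP)],
        "isolationDuration": 3600000,
        "klprts-TaskStorageId": "_LOCAL_<task-id-placeholder>",
        "responseId": {"type": "long", "value": 4294967295}}),
    "TASK_CLASS_ID": 0, "TASK_DEL_AFTER_RUN_FLAG": False,
    "TASK_INFO_PARAMS": _params({"DisplayName": "Network isolation",
                                 "klprts-TaskCannotBeDeleted": True,
                                 "klprts-TaskScheduleSubtype": 256}),
    "TASK_NAME": "xdr_networkisolation_start", "TASK_PREP_START": 0,
    "TASK_PRIORITY": 1, "TASK_START_DELTA": 0,
    "TASK_UNIQUE_ID": "_LOCAL_<task-id-placeholder>"}}


if __name__ == "__main__":
    # 8 hours of isolation with RDP kept reachable, as in the post's request.
    body = update_task_body(SAMPLE_TASK_DATA, "<srv-obj-id-placeholder>",
                            rules=[exclusion_rule("RDP ANY", 3389)],
                            isolation_ms=8 * 60 * 60 * 1000)
    print(json.dumps(body, indent=2))
    # call_api("https://127.0.0.1:13299", "<session-id>", "HostTasks.UpdateTask", body)
```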
  10. Advice and Solutions (Forum Knowledgebase)

Description
If you need to know the name of the standard KSC service account (KL-AK...) that was created during installation, it is stored in a registry key. This information can be viewed in the registry using the following paths:

For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0
For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0

The value is called AutoCreatedServiceAccount. It can also be quickly obtained with the following commands:

For 64-bit systems:
reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0" /v AutoCreatedServiceAccount

For 32-bit systems:
reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0" /v AutoCreatedServiceAccount
  11. Advice and Solutions (Forum Knowledgebase)

For any type of issue with tasks managed by KSC, we require an export of the task execution history in a .txt file. The task execution history is a sequence of events generated by the client computer during task execution.

Step-by-step guide
To export the task execution history, follow these steps:
1. Open the task results window.
2. In the upper part of the task results window, select the problem computer.
3. Right-click some event in the lower part of the task results window, where the task execution history for the selected host is displayed.
4. In the context menu, choose the Export… option. The Events Export Wizard will start.
5. Click the "Browse" button, select the file destination and file name. Save the events to a .txt file.
6. Make sure the option "Export selected events only" is NOT enabled.
7. Click the "Next" button.
8. Select the option "Export as tab-delimited Unicode text".
9. Click the "Next" button and complete the wizard.
  12. Advice and Solutions (Forum Knowledgebase)

Description and cautions
This article describes a specific scenario: an HA cluster of KSC with 4 CGWs between two geographically isolated DCs (Data Centers).

High-level procedure:
- KLAdmins group: ksc, rightless / gmsa-ksc-server, gmsa-ksc-nwc; $KSC-NODE-1, $KSC-NODE-2, $SQL-SRV / sql / gmsa-sql-server
- SMB shares: data, state, sc_backup, kl-share | SMB permissions and NTFS ACL: Full Control for KLAdmins
- Create the MS SQL database KLFOC | grant access for the admin server account
- Reboot servers
- Map network drives: data, state
- Install KLFOC

Details
Below is the detailed step-by-step procedure.

General terms
HA - High availability
DC - Data Center
CGW - Connection Gateway
gMSA - Group Managed Service Accounts
WSFC - Windows Server Failover Cluster

Prerequisites
Hardware and software requirements
To deploy a Kaspersky failover cluster, you must have the following hardware:
- 2x Windows Server with identical hardware and software. These servers will act as the active and passive nodes.
- OS: Windows Server 2019, activated and configured on the 2x servers, with the latest Windows updates and drivers installed.
- Windows Firewall: disabled on the 2x KSC server nodes.
- DNS: A and PTR records for the nodes; 2x IP addresses for the KSC nodes.
- Internet connectivity for the 2x KSC server nodes:
  1. For downloading signatures and application updates on the KSC cluster.
  2. For downloading third-party updates for Vulnerability and Patch Management (if applicable).
- Microsoft OLE DB Driver for SQL Server | Link: introduces multi-subnet failover capabilities in its first upcoming release and keeps up with the latest TLS 1.2 standards.
- Connection with TLS 1.2:
  1. Make sure that the remote SQL Server (or SQL Express) used by the Administration Server is really a 64-bit application (sqlservr.exe is a 64-bit process).
  2. On the computer with Administration Server installed, do the following:
     - Install the MSOLEDBSQL provider and reboot the computer if required.
     - Set KLDBADO_UseMSOLEDBSQL=1, either
       i. by defining the global environment variable KLDBADO_UseMSOLEDBSQL=1, or
       ii. by setting the Administration Server flag KLDBADO_UseMSOLEDBSQL=1 using klscflag.exe:
           klscflag.exe -fset -pv klserver -n KLDBADO_UseMSOLEDBSQL -v 1 -t d
     - Reboot the computer if required.
  3. Make sure that Administration Console successfully connects to Administration Server and that the Kaspersky Event Log on the Administration Server computer does not contain errors like 'Generic db error: "11526 '{42000} The metadata could not be determined'.
- File server that supports the CIFS/SMB protocol, version 2.0 or higher. A server that is participating in a WSFC. Make sure you have provided high network bandwidth between the file server and the active and passive nodes.
- DBMS | MS SQL cluster on WSFC with Always On availability groups:
  - MS SQL cluster: SQL Server Failover Cluster Installation.
  - Listener DNS name: specifies the DNS host name of the availability group listener. The DNS name is a string that must be unique in the domain and in NetBIOS.
  - Microsoft OLE DB Driver for SQL Server | Link: introduces multi-subnet failover capabilities in its first upcoming release and keeps up with the latest TLS 1.2 standards.
  - Pre-created database on the MS SQL cluster (the DB name should be one word without special characters).
  - Grant the "DB Owner" permission to the account under which the Kaspersky Security Center services will run.

Switch conditions
The failover cluster switches protection management of the client devices from the active node to the passive node with CGs in the LAN or DMZ network if any of the following events occurs on the active node:
- The active node \ LAN-CGW \ DMZ-CGW is broken due to a software or hardware failure.
- The active node was temporarily stopped for maintenance activities.
- At least one of the Kaspersky Security Center services (or processes) failed or was deliberately terminated by a user. The Kaspersky Security Center services are the following: kladminserver, klnagent, klactprx, and klwebsrv.
- The network connection between the active node and the storage on the file server was interrupted or terminated.

Deployment of a Kaspersky failover cluster

Creating an account for Kaspersky Security Center services
Create a new domain group, name it 'KLAdmins', and then grant local administrator permissions to the group on both nodes and on the file server. Then create two new domain user accounts, name them 'ksc' and 'rightless', and add the accounts to the KLAdmins domain group. Add the user account under which Kaspersky Security Center will be installed to the KLAdmins domain group.

Domain accounts
- Account for running the installer: local admin.
- Accounts for the Administration Server services and for work with the DBMS: gMSA service account.
  1. The gMSA service account will be used to run the Kaspersky Security Center 13 Administration Server services. How to create a gMSA account: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
  2. The gMSA service account must have the dbo role permission on the pre-created Kaspersky database running on the MS SQL cluster. The dbo schema must be used by default. For more details on the required permissions to be assigned: https://support.kaspersky.com/KSC/12/en-US/156275.htm
  3. Assign domain admin permission for the KSC installation process only.
- KLAdmins - global security group:
  - Administration Server account: Domain\gMSA
  - Account for other services from the Administration Server pool: rightless
  - Computer accounts $ksc-node1 and $ksc-node2
  - SQL account: Domain\gMSA or computer account $SQL-server

File server preparation
Prepare the file server to work as a component of the Kaspersky failover cluster. Make sure that the file server meets the hardware and software requirements, create the shared folders for Kaspersky Security Center data, and configure permissions to access the shared folders.

Step | Description
1 | Make sure that the file server meets the hardware and software requirements.
2 | Make sure that the file server and both nodes (active and passive) are included in the same domain, or the file server is the domain controller.
3 | On the file server, create the shared folders data, state, klshare and SC_Backup. One of them is used to keep information about the failover cluster state. The other one is used to store the data and settings of Kaspersky Security Center.
4 | Grant full access permissions (both share permissions and NTFS permissions) to the created shared folders for the following user accounts and groups: computer accounts $ksc-node1 and $ksc-node2; SQL account - Domain\gMSA or computer account $SQL-server.

Preparation of active and passive nodes
Prepare two computers with identical hardware and software to work as the active and passive nodes.
To prepare nodes for a Kaspersky failover cluster:
1. Make sure that you have two computers that meet the hardware and software requirements. These computers will act as the active and passive nodes of the failover cluster.
2. Make sure that the file server and both nodes are included in the same domain.
3. Do one of the following:
   - Skip this step and configure the CGWs after installing KLFOC.
   - On each of the nodes, create a virtual network adapter. The virtual network adapters must be disabled. You can create the virtual network adapters in the disabled state or disable them after creation. The virtual network adapters on both nodes must have the same IP address.
   - Use a third-party load balancer. For example, you can use an nginx server. In this case, do the following:
     - Provide a dedicated Linux-based computer with nginx installed.
     - Configure load balancing. Set the active node as the main server and the passive node as the backup server.
     - On the nginx server, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13291, TCP 13299, and TCP 17000.
4. Restart both nodes and the file server.
5. Map the two shared folders that you created during the file server preparation step to each of the nodes. You must map the shared folders as network drives. When mapping the folders, you can select any vacant drive letters. To access the shared folders, use the credentials of the user account that you created before.
The nodes are prepared.

Database Management System (DBMS) installation
Select any of the supported DBMS, and then install the DBMS on a dedicated computer. As a best practice, use an HA configuration of the DBMS\SQL: an MS SQL cluster on WSFC with Always On availability groups.
- MS SQL cluster: SQL Server Failover Cluster Installation.
- Listener DNS name: specifies the DNS host name of the availability group listener. The DNS name is a string that must be unique in the domain and in NetBIOS.
- Microsoft OLE DB Driver for SQL Server | Link: introduces multi-subnet failover capabilities in its first upcoming release and keeps up with the latest TLS 1.2 standards.
- DB - KLFOC: create the database with the specified name and grant the "DB Owner" permission to the account under which the Kaspersky Security Center services will run. Pre-created database on the MS SQL cluster (the DB name should be one word without special characters).

Kaspersky Security Center installation
Install Kaspersky Security Center in the failover cluster mode on both nodes. You must first install Kaspersky Security Center on the active node, and then install it on the passive one.
How-to instructions: Installing Kaspersky Security Center on the Kaspersky failover cluster nodes

Specifying the Administration Server certificate
If necessary, you can assign a special certificate for Administration Server by using the command-line utility klsetsrvcert. To replace the certificate you must create a new one (for example, by means of the organization's PKI) in PKCS#12 format and pass it to the klsetsrvcert utility:
klsetsrvcert.exe --stp klfoc -t C -i "C:\KLFOC\new-cert.pfx" -p "<password>" -l "new-cert-change.log" -o "NoCA"
When the certificate is replaced, all Network Agents that were previously connected to Administration Server through SSL lose their connection and return "Administration Server authentication error". To specify the new certificate and restore the connection, you can use the klmover utility.

Settings: LAN\DMZ gateways
Assigning workstations (LAN-GW) to act as a distribution point:
- Enable the "Connection Gateway" feature.
Adding connection gateways in the DMZ as a distribution point:
- Install the external gateways with the setting that this is a connection gateway in the DMZ.
- On the KSC, add a distribution point as a connection gateway in the DMZ. KSC initiates a connection to the gateway and the gateway will appear as a distribution point.
- Open the properties and set the checkbox in the Connection gateway section.
- Create a group for the GWs and add the workstations with installed DPs and GWs.

Configuration for Network Agent policy
- Create 2 groups for workstations, DC-1 and DC-2, and a group for the GWs.
- For both groups create policies: Network Agent DC-1 and Network Agent DC-2.
- Add connection profiles and network locations for the users of DC-1 and DC-2.

Testing the failover cluster
Check that you configured the failover cluster correctly and that it works properly. For example, you can stop one of the Kaspersky Security Center services on the active node: kladminserver, klnagent, ksnproxy, klactprx, or klwebsrv. After the service is stopped, protection management must be automatically switched to the passive node.

Troubleshooting
DB error: check the permissions for the gMSA account.

KLBACKUP
Run the klbackup utility with --stp klfoc:
klbackup --stp klfoc
Data backup and recovery in non-interactive mode
  13. Advice and Solutions (Forum Knowledgebase)

Description and cautions
This article describes the KSC rel. 13.2 to rel. 14.x software upgrade procedure.

Prerequisites
KSC 13.2 on MS Windows

S/N | Action | Online help
1 | Download KSC version 14. |
2 | Take a backup of the KSC Administration Server. |
3 | Take a backup of the KSC database. |
4 | Export policies (NA, KES) and encryption keys. |
5 | Run cmd as administrator -> on the active node, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center -> klfoc -stopcluster --stp klfoc | https://support.kaspersky.com/KSC/14/en-US/222447.htm
5.1 | Check that all Kaspersky Security services were stopped on both nodes. |
6 | Install KSC 14 on the primary node: run the ksc_14_<build number>_full_<language>.exe file. | https://support.kaspersky.com/KSC/14/en-US/235429.htm
6.1 | If the name of the load balancer matches the name of the first node, the upgrade process may "freeze" and will finish after several network connection timeouts: EventsProcessorProxy: #1281 Failed to establish connection with the remote device (location: 'http://kscnode01.demo.lab:13000'): connection has failed. |
6.2 | Perform the same steps on the passive node: run the ksc_14_<build number>_full_<language>.exe file. | https://support.kaspersky.com/KSC/14/en-US/235429.htm
7 | Run cmd as administrator -> on the active node, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center -> klfoc -startcluster --stp klfoc | https://support.kaspersky.com/KSC/14/en-US/222447.htm
8 | Connect to the Administration Server. |
9 | Restart the passive node or start the klfoc service. |
10 | Make sure and verify that the machines and policies are available in the console. |
  14. Advice and Solutions (Forum Knowledgebase)

The article applies to KSC versions 13 to 14.2.
Sometimes you need to keep KSC tracing on for a long period of time to catch an error, and there is little disk space left on the system disk.

Step-by-step guide
There is a way to change the default location of the $klserver-1093.log file: use the klscflag.exe utility:
klscflag.exe -tset -pv "klserver" -l 4 -d O:\Temp
O:\temp can be changed to any existing folder name in the file system. Remember to create this folder before running the command.

In order to revert the trace file location to the default value, delete the value TraceDir from HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\Components\34\1093\1.0.0.0\Debug.

The same applies to the klnagent trace: custom settings should be written to the following registry branch:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Debug]

Additional option: TraceMaxSizeMB is an optional value that enables trace file rotation for all services of Kaspersky Security Center. The value of this variable determines the total size of trace files in MB. The absence of the variable or its zero value means that rotation is disabled. The maximum variable value is 102400 (0x19000), which means 100 GB.

Example of a .reg file:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\Debug]
"TraceDir"="O:\\Temp"
"TraceLevel"=dword:00000004
"TraceMaxSizeMB"=dword:00002000

In this example, trace file rotation is enabled with a total trace file size of 8192 MB (8 GB). Logs will be saved to O:\temp.

Note: in KSC 14, the klscflag.exe utility can be found in the KSC installation folder; there is no need to copy the tool.
  15. Advice and Solutions (Forum Knowledgebase)

Description and cautions
You may experience a low time-to-live value set in the ICMP network packets sent by klnagents. The following can be seen in a Wireshark traffic dump:

Explanation
There are two modes of distribution point search:
0 - search for the nearest DP using a tool similar to traceroute. It generates a number of ICMP packets to find out the nearest route to the DP. This is the default mode.
1 - selection of a random DP without sending such an amount of ICMP packets.

This mode is configured on the Administration Server computer via the klscflag utility and is enabled for all managed hosts. The following command should be run as administrator on the KSC Server computer to switch to mode 1:
klscflag.exe -fset -pv klserver -n SrvChooseUaMode -v 1 -t d
A restart of the kladminserver service is required to apply the changes. The distribution point will be randomly selected among all available DPs.
  16. Advice and Solutions (Forum Knowledgebase)

You can set up and run the PLC Project Integrity Check task in the KICS4Nodes console, but it is not clear how to add PLC projects to the task settings in the KSC Console. Before setting up the PLC Project Integrity Check task, the PLC Project Investigation task should have been executed successfully.

Step-by-step guide
1. Go to the KICS4Nodes policy -> Properties -> Logs and Notifications -> Interaction with Administration Server | Settings.
2. Enable the "Versions of PLC projects" option (disabled by default). Lock the padlock. Save and apply the policy. (Data of the investigated PLC projects will be transferred to the KSC as network lists.)
3. Go to the properties of the target host which will have the PLC project checker role.
4. Go to the Tasks section -> select the "PLC Project Integrity Check" task -> Properties -> Settings section.
5. Click the ADD button. You will see the list of PLC projects that were collected by the PLC Project Investigation task.
6. Check the projects that you want to check and add them to the list.
7. Enable the checkbox of the PLC configurations.
8. Apply the task properties. Run the task.

The PLC Project Integrity Check task does not start automatically after the application reboot. You should set the schedule in the task properties. We recommend running the task by schedule at the application launch.
  17. Advice and Solutions (Forum Knowledgebase)

General information on ConnectWise Manage integration can be found in the online help.

Enabling and disabling tracing
You may have to save traces of Kaspersky Security Integration with Tigerpaw, for example, if you contact Technical Support and they ask you to provide the traces for diagnostics and troubleshooting. It is recommended to disable tracing when the issue is resolved, as tracing requires additional resources and additional memory to store trace files. It is also recommended to remove the trace files from your computer when the issue that required tracing is resolved, because the trace files may contain personal and confidential data.

By default, tracing is disabled. There are two ways of enabling and disabling tracing for Kaspersky Security Integration with Tigerpaw components:
- Using the Microsoft Windows Registry.
- In the .config files of Kaspersky Security Integration with Tigerpaw components.

Enabling and disabling tracing using the Registry
You can enable and disable tracing using the Microsoft Windows Registry. Before editing the Windows Registry, it is recommended that you back up the Registry.

To enable or disable tracing:
1. Click the Start button.
2. In the Start menu, either in the Run box or the Search box, type regedit and press Enter. The Registry Editor window opens. If you have restricted access to the Windows computer you are logged into, you might not be able to access the Registry.
3. In the Registry Editor window, navigate to the Kaspersky Security Integration Service for MSP or Kaspersky Security Integration Tool for MSP registry key. They are available by one of the following paths:
   Kaspersky Security Integration Service for MSP:
   HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Service for MSP
   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Service for MSP
   Kaspersky Security Integration Tool for MSP:
   HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Tool for MSP
   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Tool for MSP
   If the Kaspersky Security Integration Tool for MSP registry key is not displayed, either run the Kaspersky Security Integration Tool for MSP as administrator (by right-clicking the application icon and selecting Run as administrator in the context menu), or create the registry key manually.
4. Edit the value of the EnableTraces parameter as follows:
   1 to enable tracing.
   0 to disable tracing.
5. Click OK in the Edit window to save your changes.
6. Close the Registry Editor window.

The trace files are saved to .log files in the application installation folder:
- For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
- For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application.

Enabling and disabling tracing using the .config files
You can enable and disable tracing in the .config files of Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, which are stored in the installation folders of the corresponding products.

To enable or disable tracing:
1. Navigate to the .config file of the Kaspersky Security Integration with Tigerpaw component for which you want to enable or disable tracing. The .config file is stored in the installation folder. By default, the paths are:
   - For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
   - For Kaspersky Security Integration Service for MSP the file is IntegrationServer.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
2. Open the .config file with any text editor and change the value of the minlevel attribute of the logger element as follows:
   To enable tracing, set the value of the minlevel attribute to Debug:
   <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug" />
   To disable tracing, set the value of the minlevel attribute to Off:
   <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Off" />
3. Save and close the modified .config file.

The trace files are saved to .log files in the application installation folder:
- For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
- For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application.
  18. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. General information on Solarwinds N-Central integration can be found in online help. Trace logs are not created by this plugin. The integration with Solarwinds is based on PowerShell scripts launched on Solarwinds side. The only diagnostic information that is required in case of problems is the output of these scripts that can be found in SolarWinds UI.
  19. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

General information on ConnectWise Manage integration can be found in online help.

Kaspersky Security Integration Service for MSP log
To collect a diagnostic log for Kaspersky Security Integration Service for MSP, take the following steps:
1. Navigate to C:\Program Files\Kaspersky Lab\Kaspersky Security Integration Service for MSP;
2. Open the file IntegrationServer.exe.config;
3. Set the minlevel attribute to "Debug":
<rules>
  <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug" />
</rules>

To enable traces via a registry key, take the following steps:
1. In the Registry Editor window, navigate to the Kaspersky Security Integration Service for MSP key:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Service for MSP
or
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Service for MSP
2. Set the value of the EnableTraces parameter to 0 to turn off tracing, or to 1 to enable tracing.

The diagnostic log will be written to a file named IntegrationServer.log. If you restart the Integration Service for MSP service, new log records will be appended to the same file.

Kaspersky Security Integration Tool for MSP log
To collect a diagnostic log for Kaspersky Security Integration Tool for MSP, take the following steps:
1. Navigate to C:\Program Files\Kaspersky Lab\Kaspersky Security Integration Tool for MSP;
2. Open the file IntegrationUI.exe.config;
3. Set the minlevel attribute to "Debug":
<rules>
  <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug" />
</rules>

To enable traces via a registry key, take the following steps:
1. In the Registry Editor window, navigate to the Kaspersky Security Integration Tool for MSP key:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Tool for MSP
or
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Tool for MSP
2. Set the value of the EnableTraces parameter to 0 to turn off tracing, or to 1 to enable tracing.

The diagnostic log will be written to a file named IntegrationUI.log. If you close and reopen the Integration Tool for MSP window, new log records will be appended to the same file.

Integration components installation logs
Installation logs are always written to four files in c:\windows\temp:
$klssinstlib.log
$akinstlib.txt
$msp_msi*.log
$msp_setup*.log
  20. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

General information on ConnectWise Automate integration can be found in online help.

LabTech service logs
You can access service logs on a LabTech server by launching LabTech Control Center and then navigating to Dashboard → Management → Service Logs. Then select Go To Computer and select the LabTech server.
To view diagnostic info for managed client hosts, first refresh the information by clicking Commands → LabTech → Send LabTech Error Log.
On both LabTech servers and client hosts, diagnostic information is stored in the file C:\Windows\LTSvc\LTErrors.txt. The file is truncated whenever you click Send LabTech Error Log.

Plugin for LabTech integration logs
Plugin diagnostic information is stored in C:\Windows\Temp\KasperskyPluginLogs\KasperskyPlugin.txt. This log is rotated automatically: after reaching 1 MB the file is moved to an archive and a new log is written to the same file name. There is a limit of 10 archives; upon reaching the limit, the oldest archive is overwritten every time a new archive is created.
  21. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

General information on ConnectWise Manage integration can be found in online help.

Enabling and disabling tracing

You may have to save traces of Kaspersky Security Integration with Autotask, for example if you contact Technical Support and they ask you to provide the traces for diagnostics and troubleshooting.
It is recommended to disable tracing when the issue is resolved, as tracing requires additional resources and additional memory to store trace files. It is also recommended to remove the trace files from your computer when the issue which required tracing is resolved, because the trace files may contain personal and confidential data.
By default, tracing is disabled.

There are two ways of enabling and disabling tracing for Kaspersky Security Integration with Autotask components:
- Using the Microsoft Windows Registry.
- In the .config files of Kaspersky Security Integration with Autotask components.

Enabling and disabling tracing using the Registry

You can enable and disable tracing using the Microsoft Windows Registry.

To enable or disable tracing:
1. Before editing the Windows Registry, it is recommended that you back up the Registry.
2. Click the Start button. In the Start menu, either in the Run box or the Search box, type regedit and press Enter. The Registry Editor window opens. If you have restricted access to the Windows computer you are logged into, you might not be able to access the Registry.
3. In the Registry Editor window, navigate to the Kaspersky Security Integration Service for MSP or Kaspersky Security Integration Tool for MSP registry key. They are available by one of the following paths:

Kaspersky Security Integration Service for MSP:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Service for MSP
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Service for MSP

Kaspersky Security Integration Tool for MSP:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Tool for MSP
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Tool for MSP
If the Kaspersky Security Integration Tool for MSP registry key is not displayed, either run the Kaspersky Security Integration Tool for MSP as administrator (by right-clicking the application icon and selecting Run as administrator in the context menu), or create the registry key manually.

4. Edit the value of the EnableTraces parameter as follows:
1: to enable tracing.
0: to disable tracing.
5. Click OK in the Edit window to save your changes.
6. Close the Registry Editor window.

The trace files are saved to the .log files in the application installation folder:
- For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
- For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application.

Enabling and disabling tracing using the .config files

You can enable and disable tracing in the .config files of Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, which are stored in the installation folders of the corresponding products.

To enable or disable tracing:
1. Navigate to the .config file of the Kaspersky Security Integration with Autotask component for which you want to enable or disable tracing. The .config file is stored in the installation folder. By default, the paths are:
   - For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
   - For Kaspersky Security Integration Service for MSP the file is IntegrationServer.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
2. Open the .config file with any text editor and change the value of the minlevel attribute of the logger element as follows:
   - To enable tracing, set the value of the minlevel attribute to Debug:
     <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug" />
   - To disable tracing, set the value of the minlevel attribute to Off:
     <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Off" />
3. Save and close the modified .config file.

The trace files are saved to the .log files in the application installation folder:
- For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
- For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application.
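The minlevel edit described in the Tigerpaw, ConnectWise Manage and Autotask posts above is the same one-attribute change in IntegrationServer.exe.config or IntegrationUI.exe.config. The script below is an added example, not Kaspersky's code and not taken from any of the posts: it makes that change while leaving every other byte of the file intact (comments, other config sections, CRLF line endings and a BOM all survive), refuses unknown levels, skips rules that are commented out, and re-parses the result so a malformed file is never written back. It assumes the `<logger>` rule syntax shown in the posts is NLog's (the posts do not name the logging library); the embedded config is a constructed stand-in for a real .exe.config.

```python
"""Switch the MSPIntegration trace rule in IntegrationServer.exe.config or
IntegrationUI.exe.config between Debug and Off without touching the rest of
the file. Added example, not Kaspersky code; the config below is constructed."""
import re
import xml.etree.ElementTree as ET

# Rule levels accepted by the NLog <logger> syntax the posts show (assumption:
# the section is an NLog config). "Off" switches the rule off entirely.
NLOG_LEVELS = ("Trace", "Debug", "Info", "Warn", "Error", "Fatal", "Off")

# Constructed stand-in for a real .exe.config (CRLF endings, as on Windows).
SAMPLE_CONFIG = (
    '<?xml version="1.0" encoding="utf-8"?>\r\n'
    "<configuration>\r\n"
    '  <nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd">\r\n'
    "    <targets>\r\n"
    '      <target name="fileTarget" type="File" fileName="IntegrationServer.log" />\r\n'
    "    </targets>\r\n"
    "    <rules>\r\n"
    '      <!-- <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Trace" /> -->\r\n'
    '      <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Off" />\r\n'
    '      <logger name="*" writeTo="fileTarget" minlevel="Error" />\r\n'
    "    </rules>\r\n"
    "  </nlog>\r\n"
    "</configuration>\r\n"
)

_LOGGER_TAG = re.compile(r"<logger\b[^>]*>")
_COMMENT_SPLIT = re.compile(r"(<!--.*?-->)", re.S)


def _attr(start_tag, name):
    """Value of a double-quoted attribute inside one start tag, or None."""
    m = re.search(r'\b%s\s*=\s*"([^"]*)"' % re.escape(name), start_tag)
    return m.group(1) if m else None


def _logger_rules(config_xml, logger_name):
    """Parse the XML (namespace-agnostic) and return the matching <logger> elements.
    Raises ParseError if the text is not well-formed XML."""
    root = ET.fromstring(config_xml.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    return [el for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "logger" and el.get("name") == logger_name]


def trace_level(config_xml, logger_name="MSPIntegration.*"):
    """Current minlevel of the named rule, or None if there is no such rule."""
    rules = _logger_rules(config_xml, logger_name)
    return rules[0].get("minlevel") if rules else None


def set_trace_level(config_xml, level, logger_name="MSPIntegration.*"):
    """Return config_xml with the named rule's minlevel changed to `level`.

    The edit is textual and limited to the matching start tag, so the rest of
    the file is byte-for-byte unchanged; rules inside XML comments are skipped.
    The text is parsed before and after the edit, and the new level is read
    back, so a broken or ineffective edit raises instead of being returned."""
    if level not in NLOG_LEVELS:
        raise ValueError("unknown NLog level %r, expected one of %s" % (level, NLOG_LEVELS))
    if not _logger_rules(config_xml, logger_name):
        raise LookupError("no <logger name=%r> rule in this config" % logger_name)

    def rewrite(m):
        tag = m.group(0)
        if _attr(tag, "name") != logger_name or _attr(tag, "minlevel") is None:
            return tag
        return re.sub(r'\bminlevel\s*=\s*"[^"]*"', 'minlevel="%s"' % level, tag, count=1)

    parts = _COMMENT_SPLIT.split(config_xml)
    for i, part in enumerate(parts):
        if not part.startswith("<!--"):
            parts[i] = _LOGGER_TAG.sub(rewrite, part)
    updated = "".join(parts)
    if trace_level(updated, logger_name) != level:
        raise RuntimeError('edit did not take effect; is the rule written with minlevel="..."?')
    return updated


def set_trace_level_in_file(path, level):
    """Rewrite an .exe.config in place; newline='' keeps CRLF endings as they are."""
    with open(path, "r", encoding="utf-8", newline="") as f:
        updated = set_trace_level(f.read(), level)
    with open(path, "w", encoding="utf-8", newline="") as f:
        f.write(updated)
```

Run `set_trace_level_in_file(r"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP\IntegrationServer.exe.config", "Debug")` from an elevated prompt (the installation folder is not writable by a standard user), restart the service as the posts describe, and set the level back to `Off` and delete the .log files once the case is closed, since the posts note that traces may contain personal and confidential data.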
  22. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

There are a few scenarios for backing up telemetry to prevent its loss in case of unsuccessful manipulations over a KATA node.

1. We suggest using this scenario.
1) Disconnect PCN and SCNs;
2) Run the pre-upgrade script;
3) Mount storage for the telemetry backup (HDD, network storage, etc.);
4) Copy the elasticsearch volume to the mounted storage as a tar.gz archive;
5) Run the upgrade normally.
Of course, you should back up KATA using the built-in methods. Then you will have several backups: one for KATA settings and one for events (telemetry). In case of problems, you can apply both of these backups to restore the entire KATA node.

2. This scenario requires a lot of days. You can configure the export of telemetry to an external SIEM system. You then need to wait as many days as you need to store the telemetry. After these days (e.g. 90 days), you can run the update and be sure that the telemetry will not be lost, because it is stored in the external SIEM system.

3. Last scenario: create a snapshot of your KATA VM before the upgrade manipulations.
1) Disconnect PCN and SCNs;
2) Shut down your KATA node;
3) Take a snapshot of the KATA node virtual machine;
4) Turn the VM back on;
5) Run the upgrade steps normally.
Keep in mind that this snapshot will only be usable for a few days: after a couple of weeks it will be obsolete and you won't be able to use it to rebuild the KATA node; simply put, it will crash if you run the snapshot in a few weeks.
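Step 4 of the first scenario (copying the elasticsearch volume to mounted storage as a tar.gz) is the step worth proving before the upgrade is started, because a backup that cannot be restored is discovered only when it is needed. The script below is an added example, not part of the post and not KATA tooling: it archives a directory, records a SHA-256 manifest of every file while doing so, then extracts the archive into a scratch directory and compares it against the manifest. The directory layout built in `demo()` is constructed and stands in for the real volume path, which the post does not give.

```python
"""Archive a directory (the elasticsearch volume in the post) to .tar.gz and
verify the archive restores to the same bytes. Added example, not KATA code."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_volume(src_dir, archive_path):
    """Write src_dir into archive_path (gzip tar) and return a manifest
    {relative_path: sha256} recorded while each regular file is added."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    return manifest


def verify_archive(archive_path, manifest):
    """Extract into a scratch directory and compare against the manifest.
    Returns a list of problems; an empty list means the backup restores cleanly."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            try:
                # "data" filter rejects absolute paths and links escaping the
                # target (Python 3.12+ and patched 3.8+); older versions lack it.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        for rel, digest in manifest.items():
            out = Path(scratch) / rel
            if not out.is_file():
                problems.append("missing: " + rel)
            elif sha256_of(out) != digest:
                problems.append("checksum mismatch: " + rel)
        extracted = {p.relative_to(scratch).as_posix()
                     for p in Path(scratch).rglob("*") if p.is_file()}
        for extra in sorted(extracted - manifest.keys()):
            problems.append("unexpected: " + extra)
    return problems


def demo():
    """Build a constructed three-file 'volume', back it up and verify it.
    Returns (number of files archived, list of problems)."""
    with tempfile.TemporaryDirectory() as work:
        volume = Path(work) / "elasticsearch"          # constructed sample volume
        (volume / "nodes" / "0").mkdir(parents=True)
        (volume / "nodes" / "0" / "node.lock").write_bytes(b"")
        (volume / "nodes" / "0" / "_state.bin").write_bytes(os.urandom(4096))
        (volume / "README.txt").write_text("constructed sample data\n")
        archive = Path(work) / "backup" / "elasticsearch.tar.gz"
        archive.parent.mkdir()
        manifest = archive_volume(volume, archive)
        return len(manifest), verify_archive(archive, manifest)
```

On the node, call `archive_volume("/path/to/elasticsearch/volume", "/mnt/backup/elasticsearch.tar.gz")` (both paths are placeholders) after step 3 and keep the returned manifest next to the archive; `verify_archive` then gives a yes/no answer before step 5 is started. The check proves the archive matches what was on disk during the copy; if the volume is still being written to while it is copied, the copy itself can be inconsistent even though the manifest agrees with it.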
  23. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

We suggest a free and lightweight client that is part of PuTTY: pscp.

Step-by-step guide
1. You can download pscp.exe for Windows from the official site.
2. Navigate to the folder with pscp.exe and start cmd or PowerShell there.
3. To copy files to KATA, run the following command:
.\pscp.exe -scp <path to local file> admin@<kata_ip>:<remote location>
Sample command that will put patch.ktgz into the /var/op/kaspersky/apt/files/ folder:
.\pscp.exe -scp D:\patch.ktgz admin@10.70.244.89:
4. To copy files from KATA, run the following command:
.\pscp.exe -scp admin@<kata_ip>:<filename> <path to local folder>
Sample command for downloading a collect archive from KATA:
.\pscp.exe -scp admin@10.70.244.89:collect-20200429-133436.tar.gz D:\
  24. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem Description, Symptoms & Impact
It is not possible to use a proxy server for KATA 5.0 and/or KATA 5.1 CN on TCP ports 8080, 8090 or 8091. If you configure proxy server connection settings in KATA 5.0/5.1 using one of those ports, the configuration will result in KATA update task failures and KSN connection errors right after the settings are applied.
This happens because KATA uses ports 8080, 8090 and 8091 for its internal services, and there are preconfigured default iptables rules that prevent incoming and outgoing connections on those ports for external hosts outside of the KATA cluster. This in turn results in connection errors if those ports are also used by the product for outgoing connections to a proxy server.

Diagnostics
It can easily be confirmed whether a KATA server is facing these updater and KSN issues by checking the current proxy server configuration in the product's web interface: if any of the listed ports 8080, 8090 or 8091 is used, the KATA server is probably facing the issue.
Alternatively, run the command iptables -nvL DOCKER-USER and check whether the number of rejected packets in the corresponding rules for ports 8080, 8090 and 8091 steadily increases while the update task runs in KATA:

Workaround & Solution
To avoid this issue, use one of the following two options:
- Do not use a proxy server for KATA connections; configure a direct internet connection for KATA CN nodes.
- Use a proxy server on a different port; for example, port 3128 is quite a standard option in such cases.
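To make the diagnostics step repeatable, here is an added Python example (not KATA tooling and not from the post) that performs both checks: it compares a configured proxy port against the three reserved ports, and it parses two `iptables -nvL DOCKER-USER` listings taken before and after the update task to see whether the reject counters on 8080, 8090 and 8091 are climbing. The two listings embedded in the block are constructed samples; the real rule layout on a KATA node may differ, and the parser relies only on the standard column order of `iptables -nvL` output and on the `dpt:<port>` match text.

```python
"""Check a KATA CN proxy port against the ports KATA reserves, and compare two
`iptables -nvL DOCKER-USER` snapshots for climbing reject counters.
Added example, not KATA code; both listings below are constructed."""

# Ports KATA 5.0/5.1 uses for internal services (from the post above).
RESERVED_PROXY_PORTS = frozenset({8080, 8090, 8091})

# Constructed snapshots of `iptables -nvL DOCKER-USER`, before and after an
# update task run. The rules are illustrative, not the node's real rule set.
SNAPSHOT_BEFORE = """\
Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8090 reject-with icmp-port-unreachable
    3   180 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8091 reject-with icmp-port-unreachable
 9001  540K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
SNAPSHOT_AFTER = """\
Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   57  3420 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8090 reject-with icmp-port-unreachable
    3   180 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8091 reject-with icmp-port-unreachable
 9150  549K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_counter(text):
    """iptables -nvL abbreviates large counters (12K, 1.2M); -x prints exact values."""
    if text[-1] in _SUFFIX:
        return int(round(float(text[:-1]) * _SUFFIX[text[-1]]))
    return int(text)


def proxy_port_is_usable(port):
    """False for the three ports the post says cannot be used for the proxy."""
    return int(port) not in RESERVED_PROXY_PORTS


def reject_counters(iptables_output):
    """Map destination port -> packets matched by REJECT/DROP rules in the listing.
    Relies on the fixed -nvL columns: pkts bytes target prot opt in out src dst ..."""
    counters = {}
    for line in iptables_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0][0].isdigit():
            continue                      # chain header / column header line
        if fields[2] not in ("REJECT", "DROP"):
            continue
        for f in fields[9:]:              # match extensions follow the 9 fixed columns
            if f.startswith("dpt:"):
                port = int(f[4:])
                counters[port] = counters.get(port, 0) + parse_counter(fields[0])
    return counters


def climbing_rejects(before, after, ports=RESERVED_PROXY_PORTS):
    """Ports in `ports` whose reject counter grew between the two snapshots."""
    return sorted(p for p in ports if after.get(p, 0) > before.get(p, 0))


def diagnose(proxy_port, before_listing, after_listing):
    """Combine the web-interface check and the counter check into one verdict."""
    climbing = climbing_rejects(reject_counters(before_listing),
                                reject_counters(after_listing))
    reserved = not proxy_port_is_usable(proxy_port)
    return {
        "proxy_port_reserved": reserved,
        "climbing_reject_ports": climbing,
        "likely_affected": reserved or bool(climbing),
    }
```

On the node, save the output of `iptables -nvL DOCKER-USER` to a file, run the update task, save the output again and pass both files' contents to `diagnose()` together with the proxy port from the web interface; `iptables -nvxL DOCKER-USER` gives exact counters instead of the abbreviated K/M values if the difference matters.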
  25. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

What is the role of Kaspersky in the BitLocker encryption process?
Basically, KES BitLocker management is a COM object that is registered in the system and changes the BitLocker component settings in accordance with the settings specified in the KES policy. Afterwards it stores the recovery data received from the BitLocker component on the KSC side. It also provides error reporting and verifies that the settings specified in the policy are left intact, returning errors if this is not the case.
You can manage BitLocker using a number of tools and approaches; KES is just one of them, and they all share the same principles. You can enable BitLocker manually, using GPO, using native Microsoft solutions, using various similar 3rd-party solutions, and using KES BitLocker management. Each of these has its own pros and cons.

Is there a guide for recovery by means of AD in case of Kaspersky BitLocker encryption?
KES only enables encryption (changes settings for the component), stores the recovery data received from it and reports the status; that's it. Naturally, BitLocker recovery data can be stored besides KSC in AD and other BitLocker management tools. Storing keys in AD is possible, for example like this: https://blogs.technet.microsoft.com/askcore/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7/ but this has nothing to do with the functionality of Kaspersky products.

What happens if Kaspersky Security Center is down/not reachable and I want the recovery key for Kaspersky BitLocker encryption?
In this case the recovery keys from this KSC will not be available either. A valid KSC backup containing the recovery keys should be used for recovery in this case.

Is there an opportunity to export all recovery keys at once for all encrypted devices?
It is not possible to export recovery keys in volume from KSC, to a txt file for example. This data is stored in a protected (encrypted) format in the KAV db and can be extracted only using the KES management plugin in the KSC console, individually for each host.

Is there an approximate algorithm for the initial implementation of BitLocker encryption using KES management?
1. Make sure that the encrypted hosts will be serviced by a healthy KSC infrastructure (backups are performed regularly, no errors in the Kaspersky Event log that need to be addressed, a healthy database with plenty of room for growth, no cloned hosts, etc.).
2. Create a scope of devices for KES BitLocker implementation testing that consists of devices representing the most widespread hardware & software configurations used in your enterprise. Devices should have default firmware settings configured on them. Attach to the test devices as many peripheral devices as possible (again, the most widespread configurations that are likely to be attached to encrypted devices during regular usage): USB headsets, dongles, external flash drives, tokens, card readers, etc.
3. Deploy KES BitLocker management and encrypt devices using the actual KES version on a limited scope of test devices in production. Use the desired BitLocker configuration that is expected to be used in production.
4. Monitor the user experience on the test devices in the actual production environment during the pilot testing period. Make sure that they were encrypted successfully and there are no errors, recovery data is available for all test hosts, and the data can be successfully recovered from those devices using the recovery procedures (especially for devices with multiple hard drives: that both hard drives can be unlocked assuming access to the data is lost completely and the BitLocker password is forgotten). Also make sure that the procedure itself is well documented and clearly understood by the local IT staff that will execute it in production.
5. Prohibit end users from adjusting firmware settings on the hosts with encryption, prior to deploying encryption to production on the whole set of devices, by setting a BIOS password, for example.
6. Deploy to production.