Posts posted by Antipova Anna
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Description and cautions
The article shares working examples of using KSC API calls for one of the available scenarios - publishing KSC virtual server Administration Agent package.
For the Windows version of cURL, the double quotes inside arguments need to be escaped with "\", otherwise there will be an error. For example: 'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'
Details
Prerequisites
- Make sure you have Kaspersky Administration Agent available in installation packages
- Make sure you have an internal api-user with permissions for Kaspersky Security Center (main and virtual Kaspersky Security Center)
Example
- KSC address - 127.0.0.1 (the address can also be external and used over the network)
- API Port - 13299 (default port of KSC API)
- User: api-user (internal user with Kaspersky Security Center rights for KSC and vKSC), base64: YXBpLXVzZXI=
- Password: password, base64: cGFzc3dvcmQ=
- Authentication type: Authenticated session (other types: see KSC Open API description)
- Name vKSC: vksc2, base64: dmtzYzI=
- Requests are described in cUrl format, it is also possible to use the python library (KlAkOAPI Python package)
Session start for connecting to the KSC (Session::StartSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
  --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

User name and password are transmitted base64-encoded within a secure HTTPS session.

Response:
{"PxgRetVal":"nsPbUpP1oAVZlM1lODEbg8A=="}

Sending request to the KSC server for a list of packages (PackagesApi::GetPackages2). Retrieving the list of packages; take KLPKG_NPI_PKGID of the Network Agent package to transmit it to vKSC:

# X-KSC-Session: PxgRetVal from Session.StartSession
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.GetPackages2' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='

Response:
{"PxgRetVal": [{...},{"type":"params","value": {"KLPKG_NPI_AV_BASES_UPDATE_TIME": {"type":"datetime","value":""},"KLPKG_NPI_AV_BASES_UPD_SUPPORTED":false,"KLPKG_NPI_CREATION_TIME": {"type":"datetime","value":"2021-04-30T12:39:00Z"},"KLPKG_NPI_EXTRA_DATA": {"type":"params","value": {"KLPGG_VAPM_DISTRIB_GLBID": {"type":"long","value": 0},"KLPKG_EULA_UID": {"type":"binary","value":"fPTQzfMWVvVPG7bFasjoJw=="},"KLPKG_FORMAT": 2,"KLPKG_IS_MSI":true,"KLPKG_LANG_TAG":"en","KLPKG_PARENT_ID": 0,"KLPKG_PKG_MAN": 0,"KLPKG_PLATFORM": 2,"KLPKG_PRD_TYPE": 1,"KLPKG_TYPE": 1,"bPkgPrereqAllowed":true,"nPatchGlbId": {"type":"long","value": 0},"nPatchLcid": 0}},"KLPKG_NPI_MODIF_TIME": {"type":"datetime","value":"2021-04-30T12:39:00Z"},"KLPKG_NPI_NAME":"Kaspersky Security Center 13 Network Agent (13.0.0.11247)","KLPKG_NPI_PACKAGE_PATH":"\\\\KSC\\KLSHARE\\Packages\\NetAgent_13.0.0.11247","KLPKG_NPI_PKGID": 3,"KLPKG_NPI_PRODUCT_DISPL_NAME":"Kaspersky Security Center 13 Network Agent","KLPKG_NPI_PRODUCT_DISPL_VERSION":"13.0.0.11247","KLPKG_NPI_PRODUCT_NAME":"1103","KLPKG_NPI_PRODUCT_VERSION":"1.0.0.0","KLPKG_NPI_SIZE": {"type":"long","value": 70113813},"KLPKG_NPI_SS_DESCR":"NetAgent_13.0.0.11247\\exec\\ss_install.xml|3"}},{...}]}

Sending request for the vKSC list (VServers::GetVServers), obtaining KLVSRV_DN and KLVSRV_ID:

# X-KSC-Session: PxgRetVal from Session.StartSession
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/VServers.GetVServers' \
  --header 'Content-Type: application/json' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --data-raw '{"lParentGroup": -1}'

Response:
{"PxgRetVal": [{...},{"type":"params","value": {"KLVSRV_CREATED": {"type":"datetime","value":"2021-11-23T11:48:53Z"},"KLVSRV_DN":"vksc2","KLVSRV_ENABLED":true,"KLVSRV_GROUPS": 29,"KLVSRV_GRP": 0,"KLVSRV_HST_UID":"VSRV64c559dc-17e1-459d-b9d5-4c26ec35d426","KLVSRV_ID": 3,"KLVSRV_LIC_ENABLED":true,"KLVSRV_NEW_HOSTS_PROHIBITED":false,"KLVSRV_SUPER": 28,"KLVSRV_TOO_MUCH_HOSTS":false,"KLVSRV_UID":"VSRV64c559dc-17e1-459d-b9d5-4c26ec35d426","KLVSRV_UNASSIGNED": 32}},{...}]}

Asynchronous request to transfer the Administration Agent installation package to vKSC and create a standalone package (PackagesApi::RetranslateToVServerAsync), obtaining the asynchronous task ID:

# X-KSC-Session: PxgRetVal from Session.StartSession
# nPackageId: KLPKG_NPI_PKGID from PackagesApi.GetPackages2
# nVServerId: KLVSRV_ID from VServers.GetVServers
# KLPKG_USE_LANGUAGE_TAG: KLPKG_LANG_TAG from PackagesApi.GetPackages2
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.RetranslateToVServerAsync' \
  --header 'Content-Type: application/json' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --data-raw '{"nPackageId": 3, "nVServerId": 3, "pOptions": {"KLPKG_CREATE_STANDALONE_PRODS": false, "KLPKG_CREATE_STANDALONE_NAGT": true, "KLPKG_USE_LANGUAGE_TAG": "en", "KLPKG_TYPE": 1, "KLPKG_LAZY_RETRANSLATION": false}}'

Response:
{"PxgRetVal":"C51B622B891CB03B7229A3CD9407B6AD"}

Checking status of the task (AsyncActionStateChecker::CheckActionState). Completion ("bFinalized": true) and successful execution ("bSuccededFinalized": true):

# X-KSC-Session: PxgRetVal from Session.StartSession
# wstrActionGuid: PxgRetVal from PackagesApi.RetranslateToVServerAsync
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/AsyncActionStateChecker.CheckActionState' \
  --header 'Content-Type: application/json' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --data-raw '{"wstrActionGuid": "C51B622B891CB03B7229A3CD9407B6AD"}'

Response:
{"bFinalized":true,"bSuccededFinalized":true,"lStateCode": 1,"pStateData": {"KLPKG_EP_EXECID": 11,"KLPKG_EP_FILESIZE": 0},"lNextCheckDelay": 0}

Ending session to KSC (Session::EndSession):

# X-KSC-Session: PxgRetVal from Session.StartSession
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='

Starting session to connect to the virtual KSC (Session::StartSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
  --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"' \
  --header 'X-KSC-VServer: dmtzYzI='

The user can belong to the vKSC or to the main KSC (user account rights for Kaspersky Security Center should additionally be configured in vKSC). The user name and password are transferred base64-encoded as part of a secure HTTPS session.
X-KSC-VServer - vKSC name (KLVSRV_DN from VServers.GetVServers), base64-encoded.

Response:
{"PxgRetVal":"nz1/AOfHq6cdf986vTvNV7Q=="}

Obtaining a list of standalone installation packages from the vServer (PackagesApi::GetExecutablePackages), receiving KLPKG_WebURL:

# X-KSC-Session: PxgRetVal from the vKSC Session.StartSession
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.GetExecutablePackages' \
  --header 'X-KSC-Session: nz1/AOfHq6cdf986vTvNV7Q==' \
  --header 'Content-Type: application/json'

Response:
{"PxgRetVal": {"KLPKG_evpExecs": [{...},{"type":"params","value": {"KLPKG_CreationDate": {"type":"datetime","value":"2021-11-24T12:07:23Z"},"KLPKG_EP_SHA256":"","KLPKG_IsPublished":true,"KLPKG_IsVirtual":true,"KLPKG_LicenseSerialNum":"","KLPKG_ModificationDate": {"type":"datetime","value":"2021-11-24T12:07:23Z"},"KLPKG_NAME":"","KLPKG_NagentDisplayVersion":"13.0.0.11247","KLPKG_NagentPkgId": 28,"KLPKG_NagentPkgName":"Kaspersky Security Center 13 Network Agent (13.0.0.11247)","KLPKG_ProdDisplayName":"","KLPKG_TargetGroup":"Managed devices","KLPKG_TargetGroupId": 29,"KLPKG_evpAddPkgId": 28,"KLPKG_evpExecPkgId": 10,"KLPKG_evpPkgId": 28,"KLPKG_evpPkgPath":"","KLPKG_evpPkgSize": 0}},{...}]}}

The standalone Network Agent installation package is available at KLPKG_WebURL for KLPKG_NagentPkgName.

Session end for vKSC (Session::EndSession):

# X-KSC-Session: PxgRetVal from the vKSC Session.StartSession
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
  --header 'X-KSC-Session: nz1/AOfHq6cdf986vTvNV7Q=='
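The same flow in Python, as an added example that is not part of the post and is not the KlAkOAPI package the post mentions: it builds the KSCBasic and X-KSC-VServer header values exactly as the curl commands do, wraps the JSON-over-HTTPS calls, and shows the polling loop for AsyncActionStateChecker.CheckActionState that the curl sequence only performs once by hand. Host, port and endpoint paths are those of the post; the `KscSession` class, `wait_for_action` and `retranslate_agent` helpers are this example's own names, and the standard library (urllib, json, ssl) is the only dependency.

```python
"""Added example (not code from the forum post or from Kaspersky): a minimal client for
the KSC Open API calls used above, with the async-action polling loop.

Assumptions, not taken from the page: standard library only; the page mentions the
KlAkOAPI Python package, but this code does not use or imitate it. Host, port and
endpoint paths follow the post's curl examples.
"""
import base64
import json
import ssl
import time
import urllib.request


def b64(text):
    """Base64 of a UTF-8 string, as the post shows for user, password and vKSC name."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def ksc_basic_header(user, password, internal=True):
    """Value for the Authorization header used by Session.StartSession."""
    return 'KSCBasic user="%s", pass="%s", internal="%s"' % (
        b64(user), b64(password), "1" if internal else "0")


def vserver_header(vserver_name):
    """Value for the X-KSC-VServer header: the vKSC name (KLVSRV_DN), base64-encoded."""
    return b64(vserver_name)


class KscSession:
    """JSON-over-HTTPS calls in the shape of the post's curl commands.

    verify_tls=False should only be needed while the Administration Server still
    runs on its self-signed certificate; keep verification on otherwise.
    """

    def __init__(self, base_url, user, password, vserver=None, verify_tls=True):
        self.base_url = base_url.rstrip("/")
        self.auth = ksc_basic_header(user, password)
        self.vserver = vserver
        self.ctx = ssl.create_default_context()
        if not verify_tls:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        self.token = None

    def _post(self, method, body=None, extra_headers=None):
        headers = {"Content-Type": "application/json"}
        headers.update(extra_headers or {})
        data = json.dumps(body if body is not None else {}).encode("utf-8")
        req = urllib.request.Request("%s/api/v1.0/%s" % (self.base_url, method),
                                     data=data, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def start(self):
        """Session.StartSession; the returned PxgRetVal is the X-KSC-Session token."""
        headers = {"Authorization": self.auth}
        if self.vserver:
            headers["X-KSC-VServer"] = vserver_header(self.vserver)
        self.token = self._post("Session.StartSession", extra_headers=headers)["PxgRetVal"]
        return self.token

    def call(self, method, body=None):
        return self._post(method, body, {"X-KSC-Session": self.token})

    def end(self):
        self.call("Session.EndSession")
        self.token = None


def wait_for_action(call, action_guid, max_polls=60, sleep=time.sleep):
    """Poll AsyncActionStateChecker.CheckActionState until bFinalized is true.

    call(method, body) has the signature of KscSession.call, so a fake can drive the
    loop in tests. Returns the final state; raises RuntimeError when the server
    reports bSuccededFinalized false and TimeoutError after max_polls rounds.
    The server's lNextCheckDelay (milliseconds) is honoured between polls.
    """
    for _ in range(max_polls):
        state = call("AsyncActionStateChecker.CheckActionState",
                     {"wstrActionGuid": action_guid})
        if state.get("bFinalized"):
            if not state.get("bSuccededFinalized"):
                raise RuntimeError("action %s failed: %r" % (action_guid, state.get("pStateData")))
            return state
        sleep(max(int(state.get("lNextCheckDelay", 1000)), 100) / 1000.0)
    raise TimeoutError("action %s did not finish after %d polls" % (action_guid, max_polls))


def retranslate_agent(session, package_id, vserver_id, lang_tag="en"):
    """PackagesApi.RetranslateToVServerAsync with the pOptions from the post, then wait."""
    body = {"nPackageId": package_id, "nVServerId": vserver_id,
            "pOptions": {"KLPKG_CREATE_STANDALONE_PRODS": False,
                         "KLPKG_CREATE_STANDALONE_NAGT": True,
                         "KLPKG_USE_LANGUAGE_TAG": lang_tag,
                         "KLPKG_TYPE": 1,
                         "KLPKG_LAZY_RETRANSLATION": False}}
    guid = session.call("PackagesApi.RetranslateToVServerAsync", body)["PxgRetVal"]
    return wait_for_action(session.call, guid)
```

Usage against the post's example server would be `s = KscSession("https://127.0.0.1:13299", "api-user", "password"); s.start(); retranslate_agent(s, package_id=3, vserver_id=3); s.end()`, with `package_id` taken from KLPKG_NPI_PKGID and `vserver_id` from KLVSRV_ID as in the post. Injecting `call` and `sleep` into `wait_for_action` keeps the polling logic testable without a server and avoids the unbounded loop a naive "poll until done" would create if an action never finalizes.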
-
Description and cautions
The article shares a working example of using KSC API calls for one of the available scenarios - retrieving events, HW and/or SW inventory data.
For the Windows version of cURL, the double quotes inside arguments need to be escaped with "\", otherwise there will be an error. For example: 'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'
Details
Prerequisites
- Internal user: api-user
Examples:
- KSC address - 127.0.0.1 (the address can also be external)
- API Port - 13299 (default)
- User: api-user (internal KSC user), base64: YXBpLXVzZXI=
- Password: password, base64: cGFzc3dvcmQ=
- Credentials:
  User: api-user, base64: YXBpLXVzZXI=
  Password: password, base64: cGFzc3dvcmQ=
- Authentication type: Authenticated session (other types: see KSC Open API description)
- All requests are in cUrl format; as an alternative it is also possible to use the Python library (KlAkOAPI Python package)
Login
Start connection to KSC (Session::StartSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
  --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

The user name and password should be base64-encoded and are sent as part of a secure HTTPS session. For example, https://www.base64encode.org/ can be used for encoding.

Response:
{"PxgRetVal":"nsPbUpP1oAVZlM1lODEbg8A=="}

Use this token (PxgRetVal) in the X-KSC-Session request header.
Find Host
Find host by filter string (HostGroup::FindHosts)
The filter string contains a condition over host attributes, see also Search filter syntax.
We use "KLHST_WKS_DN" - Host display name.

# X-KSC-Session: PxgRetVal from Session.StartSession
# wstrFilter: "KLHST_WKS_DN" - Host display name
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/HostGroup.FindHosts' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"vecFieldsToReturn": ["KLHST_WKS_HOSTNAME", "KLHST_WKS_DN", "KLHST_WKS_IP_LONG", "KLHST_WKS_PRODUCT_TAG_NAME", "KLHST_WKS_RTP_AV_VERSION", "KLHST_WKS_NAG_VERSION", "KLHST_WKS_LAST_UPDATE", "KLHST_WKS_VIRUS_COUNT"], "lMaxLifeTime": 1200, "wstrFilter": "(KLHST_WKS_DN=\"WIN10-OPTIMUM-1\")"}'

Response ID:
{"strAccessor":"ppYeO5rmkvKcMUm8vQzOK2","PxgRetVal":1}

Copy the accessor for the next request (ChunkAccessor::GetItemsChunk):

# X-KSC-Session: PxgRetVal from Session.StartSession
# strAccessor: from the HostGroup.FindHosts response
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/ChunkAccessor.GetItemsChunk' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"strAccessor": "ppYeO5rmkvKcMUm8vQzOK2", "nStart": 0, "nCount": 100}'

Response, info about the host:
{"pChunk":{"KLCSP_ITERATOR_ARRAY":[{"type":"params","value":{"KLHST_WKS_DN":"WIN10-OPTIMUM-1","KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","KLHST_WKS_IP_LONG":{"type":"long","value":172250504},"KLHST_WKS_LAST_UPDATE":{"type":"datetime","value":"2022-02-17T13:00:01Z"},"KLHST_WKS_NAG_VERSION":"13.2.0.1511","KLHST_WKS_RTP_AV_VERSION":"11.7.0.669","KLHST_WKS_VIRUS_COUNT":{"type":"long","value":9}}}]},"PxgRetVal":1}

Copy the value of "KLHST_WKS_HOSTNAME" for use in the next request.
Hardware Inventory
SrvView
Find srvview data by filter string (SrvView::ResetIterator)
- "wstrViewName" - see List of supported srvviews.
- "vecFieldsToReturn" - see https://support.kaspersky.com/help/KSC/13.1/KSCAPI/a00307.html
- "wstrFilter": "(KLHST_WKS_HOSTNAME=\"c0816918-fbc5-4fbc-8fed-6f245756120e\")" - KLHST_WKS_HOSTNAME from the previous request

# X-KSC-Session: PxgRetVal from Session.StartSession
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/SrvView.ResetIterator' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"wstrViewName": "HWInvPCSrvViewName", "vecFieldsToReturn": ["KLHST_WKS_HOSTNAME", "dev_id", "RamType", "dev_type"], "vecFieldsToOrder": [{"type": "params", "value": {"Name": "dev_id", "Asc": "true"}}], "lifetimeSec": 100, "pParams": {"TOP_N": "yes", "USE_DISTINCT": "true"}, "wstrFilter": "(KLHST_WKS_HOSTNAME=\"c0816918-fbc5-4fbc-8fed-6f245756120e\")"}'

Response ID:
{"wstrIteratorId":"466579A79FA755D69B94EC60A5B04744"}

Get the records of the iterator (SrvView::GetRecordRange):

# X-KSC-Session: PxgRetVal from Session.StartSession
# wstrIteratorId: from the SrvView.ResetIterator response
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/SrvView.GetRecordRange' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"wstrIteratorId": "466579A79FA755D69B94EC60A5B04744", "nStart": 0, "nEnd": 100}'

Response, info about hardware matching the filter:
{"pRecords":{"KLCSP_ITERATOR_ARRAY":[{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"ABE3CC21B521C704DA4FC63BD5698F71","dev_type":1}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\1&1F0C3C2F&0&UID256","dev_type":7}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\4&31BE19FA&0&UID0","dev_type":7}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E05564F28A7EBE312D1326FD0D1A8479","dev_type":1}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E69E8830E7D33F96BF1E21996A7D73CA","dev_type":0}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&18D45AA6&0&78","dev_type":4}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_8086&DEV_10D3&SUBSYS_07D015AD&REV_00\\005056FFFF87CC6600","dev_type":6}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"Physical Memory 0","dev_type":2}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\\5&A629540&0&000000","dev_type":8}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\\5&1982005&0&000000","dev_type":3}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0002","dev_type":4}}]}}
Software Inventory
Acquire the software applications installed on the specified host (InventoryApi::GetHostInvProducts)
"szwHostId" - KLHST_WKS_HOSTNAME from the previous request

# X-KSC-Session: PxgRetVal from Session.StartSession
# szwHostId: KLHST_WKS_HOSTNAME from the previous request
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/InventoryApi.GetHostInvProducts' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"szwHostId": "c0816918-fbc5-4fbc-8fed-6f245756120e", "pParams": {"KLEVP_EA_PARAM_1": ""}}'

Response, info about software:
{"PxgRetVal":{"GNRL_EA_PARAM_1":[{"type":"params","value":{"ARPRegKey":"{F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","CleanerProductName":"","Comments":"","DisplayName":"Kaspersky Endpoint Security for Windows","DisplayVersion":"11.7.0.669","HelpLink":"https://click.kaspersky.com/?hl=en&link=support&pid=kes&version=21.4.20.669","HelpTelephone":"","InstallDate":"20211002","InstallDir":"C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\\","InstanceID":{"type":"binary","value":"AA=="},"LangId":1033,"PackageCode":"","ProductID":"4E8A2680B3C78565814848DB5ED35C83","Publisher":"AO Kaspersky Lab","QuietUninstallString":"msiexec.exe /X {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16} /quiet /norestart","UninstallString":"msiexec.exe /x {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","VapmBuild":{"type":"long","value":0},"bIsMsi":true}},{"type":"params","value":{"ARPRegKey":"{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}","CleanerProductName":"","Comments":"","DisplayName":"Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.20.27508","DisplayVersion":"14.20.27508.1","HelpLink":"","HelpTelephone":"","InstallDate":"20210512","InstallDir":"","InstanceID":{"type":"binary","value":"AA=="},"LangId":0,"PackageCode":"","ProductID":"2E30B54FFAFE11F6DEDB0A31EA8CD6D1","Publisher":"Microsoft Corporation","QuietUninstallString":"\"C:\\ProgramData\\Package Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall /quiet","UninstallString":"\"C:\\ProgramData\\Package Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall","VapmBuild":{"type":"long","value":0},"bIsMsi":false}}, ...
Tasks Operations
strTask - open the task in the Web Console - 1326 (for example: https://localhost:8080/#/management/tasks/148)
Get Task
Acquire attributes of the specified task (Tasks::GetTask).
Response:
{"PxgRetVal":{"DisplayName":"KEA - Isolation ON","PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-10T13:57:34Z"},"TASKID_PRODUCT_NAME":"1093","TASKID_VERSION":"1.0.0.0","TASK_NAME":"Remote Installation","TASK_UNIQUE_ID":"1326"}}
Run Task
Run the remote installation task (Tasks::RunTask):

# X-KSC-Session: PxgRetVal from Session.StartSession
# strTask: task ID from the KSC Web Console
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Tasks.RunTask' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"strTask": "1326"}'
Update Task
Get Data Task
Acquire task settings (Tasks::GetTaskData):

# X-KSC-Session: PxgRetVal from Session.StartSession
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Tasks.GetTaskData' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"strTask": "1326"}'

Response: all parameters; some of them must be used in the next request.
Modify task settings (Tasks::UpdateTask):

# X-KSC-Session: PxgRetVal from Session.StartSession
# pData: the parameters returned by Tasks.GetTaskData, with the changed values
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Tasks.UpdateTask' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"strTask":"1338","pData":{"TASKID_COMPONENT_NAME":"87","TASKID_PRODUCT_NAME":"1093","TASKID_VERSION":"1.0.0.0","TASK_NAME":"Remote Installation","TASKSCH_TYPE":0,"TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"KLNAG_TASK_REMOTE_INSTALL_ACCOUNT":"","KLNAG_TASK_REMOTE_INSTALL_ACCOUNT_PSWD":{"type":"binary","value":""},"KLSRV_COUPLED_NAGT_TSID":"9066e3c9-c709-434f-9196-88dcf4c70c23","KLTSK_RI_CHECK_OS":true,"KLTSK_RI_GROUP_TO_MOVE_HOST":-1,"KLTSK_RI_MAX_DOWNLOADS":5,"KLTSK_RI_MGD_BY_OTHER_SERVER":0,"KLTSK_RI_PACKAGES_GUIDS":["e71217d1-4a96-462c-a56a-6112bdc5369b:65"],"KLTSK_RI_PACKAGES_IDS":[65],"KLTSK_RI_ROOT":{"type":"binary","value":""},"KLTSK_RI_SKIP_PRESENT_PRODS":true,"KLTSK_RI_TMP_FOLDER":"","KLTSK_RI_USE_NAGENT":true,"KLTSK_RI_USE_SHARE":true,"KLTSK_RI_USE_SHARE_SRV":true,"KLTSK_RI_USE_SHARE_UA":false,"MaxTryCount":3,"UseGPO":false,"klprts-TaskAccountUser":"","klprts-TaskAccounts":[],"klprts-TaskMaxRunningTime":7200000,"klprts-TaskStorageId":"dd64d20d-c529-4d47-a854-38c1c2c77a77"}},"PRTS_TASK_GROUPID":-1,".HstQueryId":0,"TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"KEA - Isolation ON for specific host","HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}],"KLEVP_NOTIFICATION_DESCR_ID":"9b84b28a-e47b-4120-8147-bb67fef681ea","KLPRSS_EVPNotifications":{"type":"params","value":{"ERR":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"INF":[{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":2}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLEVP_GroupTaskSyncState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":4}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":1}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"WRN":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}]}},"KLSRV_PRTS_TASK_ENABLED_FLAG":true,"KLTSK_ALLOW_AUTO_RANDOMIZATION":true,"PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-15T11:40:43Z"},"PRTS_TASK_GROUPID":-1,"PRTS_TASK_TARGET_COMPUTERS_TYPE":0,"klprts-DontApplyToSlaveServers":true,"klprts-TaskMaxRunningTime":7200000,"klprts-TaskScheduleSubtype":256,"klprts-TaskScheduleSubtypeEx":0}}}}'

Change the values in HostList and enter the specific host(s). For example: "HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}]
- Run Task (Tasks::RunTask, see above)
Host Events
Create event processing iterator with filter (EventProcessingFactory::CreateEventProcessing2)
- pFilter (params) - object containing values for attributes to filter events. Only events with matching attribute values will be returned. If empty, all events will be returned. See List of event filter attributes for attribute names.
- "GNRL_EA_SEVERITY" (paramInt) - event severity. May have the following values:
  - 0 - Constant to be used as invalid event severity value
  - 1 - Severity "Information"
  - 2 - Severity "Warning"
  - 3 - Severity "Error"
  - 4 - Severity "Critical"
- vecFieldsToReturn (array) - array of attribute names to return. See List of event attributes for attribute names.
- KLEVP_EVENT_HOST - host id (KLHST_WKS_HOSTNAME from HostGroup.FindHosts)

# X-KSC-Session: PxgRetVal from Session.StartSession
# KLEVP_EVENT_HOST: host id; GNRL_EA_SEVERITY 4: critical events
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/EventProcessingFactory.CreateEventProcessing2' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"pFilter": {"KLEVP_EVENT_HOST": "a537ddc0-b84b-488a-993c-9f76e62036e9", "GNRL_EA_SEVERITY": 4}, "vecFieldsToReturn": ["GNRL_EA_SEVERITY", "event_db_id", "rise_time", "hostname", "event_type", "event_type_display_name", "GNRL_EA_DESCRIPTION", "group_id", "group_name"], "vecFieldsToOrder": [], "lifetimeSec": 1000}'

Response ID:
{"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF"}

Get the result from the iterator (EventProcessing::GetRecordRange):

# X-KSC-Session: PxgRetVal from Session.StartSession
# strIteratorId: from the EventProcessingFactory.CreateEventProcessing2 response
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/EventProcessing.GetRecordRange' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"strIteratorId": "A07B69A5347CF435DB66C0FA826371FF", "nStart": 0, "nEnd": 100}'

Response, critical events:
{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY":[{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119829},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:10:44Z"}}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119818},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:05:34Z"}}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119807},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime", ...

Close session to KSC (Session::EndSession):

# X-KSC-Session: PxgRetVal from Session.StartSession
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='
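Every response above wraps typed values ({"type":"long","value":...}, "datetime", "binary", nested "params") and every list endpoint (ChunkAccessor.GetItemsChunk, SrvView.GetRecordRange, EventProcessing.GetRecordRange) is paged with nStart/nCount or nStart/nEnd. The following is an added example, not code from the post or from Kaspersky, that decodes those wrappers into plain Python values and pages through an iterator until it is exhausted. `SAMPLE_CHUNK` is constructed from the GetItemsChunk response shown above; `unwrap`, `iterate_records` and `hosts_from_chunk` are this example's own names, and treating nEnd as an exclusive upper bound is an assumption.

```python
"""Added example (not from the forum post): decoding the KSC Open API's typed JSON and
paging through iterator-style results.

Assumptions not taken from the page: standard library only; nEnd is treated as an
exclusive upper bound; a page shorter than page_size means the iterator is exhausted.
"""
import base64
from datetime import datetime, timezone

# Constructed sample, shaped like the post's ChunkAccessor.GetItemsChunk response.
SAMPLE_CHUNK = {
    "pChunk": {"KLCSP_ITERATOR_ARRAY": [
        {"type": "params", "value": {
            "KLHST_WKS_DN": "WIN10-OPTIMUM-1",
            "KLHST_WKS_HOSTNAME": "c0816918-fbc5-4fbc-8fed-6f245756120e",
            "KLHST_WKS_IP_LONG": {"type": "long", "value": 172250504},
            "KLHST_WKS_LAST_UPDATE": {"type": "datetime", "value": "2022-02-17T13:00:01Z"},
            "KLHST_WKS_NAG_VERSION": "13.2.0.1511",
            "KLHST_WKS_RTP_AV_VERSION": "11.7.0.669",
            "KLHST_WKS_VIRUS_COUNT": {"type": "long", "value": 9}}}]},
    "PxgRetVal": 1,
}


def unwrap(value):
    """Convert KSC's {"type": ..., "value": ...} wrappers into plain Python.

    long -> int, datetime -> aware UTC datetime (empty string -> None), binary -> bytes,
    params -> dict. Unwrapped scalars pass through; lists and dicts recurse. A wrapper
    type this example does not know is returned as its raw value rather than guessed at.
    """
    if isinstance(value, list):
        return [unwrap(v) for v in value]
    if not isinstance(value, dict):
        return value
    if set(value) == {"type", "value"}:
        kind, raw = value["type"], value["value"]
        if kind == "long":
            return int(raw)
        if kind == "datetime":
            if raw == "":
                return None
            return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if kind == "binary":
            return base64.b64decode(raw)
        if kind == "params":
            return unwrap(raw)
        return raw
    return {k: unwrap(v) for k, v in value.items()}


def iterate_records(fetch, id_key, iterator_id, array_key, page_size=100, uses_count=False):
    """Yield unwrapped records from an iterator endpoint, one page at a time.

    fetch(body) performs one call and returns the parsed JSON. id_key is
    "wstrIteratorId" (SrvView), "strIteratorId" (EventProcessing) or "strAccessor"
    (ChunkAccessor, which takes nCount instead of nEnd: set uses_count=True).
    array_key is KLCSP_ITERATOR_ARRAY or KLEVP_EVENT_RANGE_ARRAY; the container it
    sits in (pRecords, pChunk, pParamsEvents) differs per API, so it is located by key.
    """
    start = 0
    while True:
        body = {id_key: iterator_id, "nStart": start}
        if uses_count:
            body["nCount"] = page_size
        else:
            body["nEnd"] = start + page_size
        resp = fetch(body)
        container = next((v for v in resp.values() if isinstance(v, dict) and array_key in v), None)
        items = container[array_key] if container else []
        for item in items:
            yield unwrap(item)
        if len(items) < page_size:
            return
        start += page_size


def hosts_from_chunk(chunk):
    """Flatten a ChunkAccessor.GetItemsChunk response into plain host dicts."""
    return unwrap(chunk["pChunk"]["KLCSP_ITERATOR_ARRAY"])
```

With a live session, `iterate_records(lambda b: s.call("EventProcessing.GetRecordRange", b), "strIteratorId", iterator_id, "KLEVP_EVENT_RANGE_ARRAY")` walks all events of the filter instead of only the first 100 the curl command returns; the same generator serves SrvView and, with `uses_count=True` and `"strAccessor"`, ChunkAccessor. Keeping `fetch` injectable is what lets the paging logic be checked without a server.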
-
How to check if KES is installed, its state (running or not) and bases version via registry:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState
Obtaining information from the registry is for familiarization purposes only. The method supported by developers is the KESCLI commands:
- Managing the application from the command line > KESCLI commands > GetRealTimeProtectionState. File Threat Protection status: https://support.kaspersky.com/help/KESWin/12.2/en-US/213719.htm
- Managing the application from the command line > KESCLI commands > GetDefinitionState. Determining the update completion time: https://support.kaspersky.com/help/KESWin/12.2/en-US/213724.htm
The information in the registry key above is created by Network Agent (NA). It is deleted before OS shutdown and created again after OS boot.
There is a delay (120 s) before the NA service starts, so if you need to get the state of KES immediately after OS boot, use KESCLI.
-
Maximum validity of the custom certificate (administration server/web console):
- The maximum validity for the Administration Server certificate is 5 years
- The maximum validity for the Web Console certificate cannot exceed 397 days
Two different certificates must be used:
- After the specified time has expired, a new certificate must be generated manually (at best 90 days in advance) and stored as a replacement certificate. Clients that do not identify themselves with the administration server within 90 days must be reconnected manually https://support.kaspersky.com/KSC/13.2/en-US/227839.htm
- The certificate must be replaced using klsetsrvcert: https://support.kaspersky.com/KSC/13.2/en-US/227838.htm
In general, it is important that the custom certificate meets the following requirements:
- https://support.kaspersky.com/KSC/13.2/en-US/155201.htm
- https://support.kaspersky.com/KSC/13.2/en-US/191451.htm
- Custom certificate should also have a certificate signing permission, it is vital in case of using Distribution Points.
Certificates issued by a public CA do not have this permission, so they cannot be used.
How to create a pkcs12 file with an ordered certificate chain:
The certificate chain is very important for connecting devices to find out if the ssl certificate is created by a trusted authority.
After that is done do the following:
1. Create an empty file (C:\temp\cert-chain.txt) on your PC and paste the following inside it:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate from C:\temp\your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate from C:\temp\TheIntermediateCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate part from C:\temp\TheTrustedRoot.crt)
-----END CERTIFICATE-----
2. Now replace the content inside the brackets with your certificates (which you can export via XCA; PEM txt format). The order above is VERY important, so do not mix it.
3. Export the private key (unencrypted in text format) with XCA from your certificate and store it inside C:\temp\server.pemkey
4. Now merge everything together as pkcs12 (filename extension for PKCS #12 files is .p12 or .pfx). To do that open a CMD (run as admin) and perform:
openssl pkcs12 -export -inkey C:\temp\server.pemkey -in C:\temp\cert-chain.txt -password pass:ABCD -out C:\temp\certificate(chain_and_key).pfx
5. Your PFX file is now ready to be used.
KSC - Information about the self-signed certificate:
- The self-signed certificate when installing the KSC has a maximum validity of 1 year (limit of 397 days).
- The Administration Server certificate is created automatically during the installation of the Administration Server component and is saved in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert folder.
- A new certificate will be generated by the Administration Server as a reserve certificate 90 days before the expiry date of the current certificate. The new certificate automatically replaces the current certificate one day before the expiration date.
- All Network Agents on client devices will be automatically reconfigured to authenticate Administration Server with the new certificate. Clients that do not identify themselves with the Administration Server within 90 days must be reconnected manually.
Proxy for the web console
This option is applicable only when the Web Console is installed on a separate device and accesses the Administration Server from there.
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Problem
Application category based on the "Metadata" conditions created, but does not work.
Solution
This is expected behavior if the file does not have a digital signature that can be trusted by the local KES on the host in question, or the file is not known to KSN. Use the sigcheck tool to see whether the file has a valid digital signature – https://technet.microsoft.com/ru-ru/sysinternals/bb897441.aspx
Use other criteria to determine the category (for example, the file hash).
Add the necessary file to KSN by submitting a request to KL.
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
There are multiple fields in the database that are not easy to interpret, for example nIP, nStatus and many others. Most of them come from the public view v_akpub_host, which is one of the main sources of information about managed computers on KSC. The objective of this article is to help you understand the encoding used; if you want to learn more about public views and specific fields, refer to klakdb.chm located in the KSC installation folder.
nIP
When you will query for an IP address the result may surprise you. Instead of IP address you will receive a number, let's say 2130706433, which actually translates to 127.0.0.1. Here is an explanation how this translation is achieved.
Number 2130706433 equals 1111111000000000000000000000001 in binary.
Let's split it into groups of 4 to make it easier to read: 0111 1111.0000 0000.0000 0000.0000 0001 (a leading zero is added for visibility). An IP address is 4 bytes long, which is 32 bits. As you see, there are exactly 32 binary digits divided into 4 groups called octets. It already starts to look like an IP address. We just need to convert each group from binary back to decimal, keeping the grouping: 127.0.0.1
The same can be done with an SQL query; here is an example which returns the computer name and its IP address in human-readable format:
SELECT wstrDisplayName "Display Name",
       CAST(((nIp / 16777216) & 255) AS varchar(4)) + '.' +
       CAST(((nIp / 65536) & 255) AS varchar(4)) + '.' +
       CAST(((nIp / 256) & 255) AS varchar(4)) + '.' +
       CAST(((nIp) & 255) AS varchar(4)) "IP Address"
FROM v_akpub_host;
Another good example is the following query, which returns the host's visibility, whether Network Agent is installed, whether Network Agent is alive, and the real-time protection state:
SELECT h.wstrDnsName, h.wstrDisplayName,
       /* h.nStatus 'Host Status', */
       /* Host status, bit set: bit 0 set if host is visible, bit 2 set if Network Agent is installed,
          bit 3 set if Network Agent is "alive", bit 4 set if real-time protection is installed */
       CAST(((h.nStatus) & 1) AS varchar(1)) AS 'Host Visible',
       CAST(((h.nStatus / 4) & 1) AS varchar(1)) AS 'Agent Installed',
       CAST(((h.nStatus / 8) & 1) AS varchar(1)) AS 'Agent Alive',
       CAST(((h.nStatus / 16) & 1) AS varchar(1)) AS 'Protection Installed'
FROM v_akpub_host h
ORDER BY wstrDisplayName;
nStatus
nStatus is another useful parameter stored as a decimal integer. The key to understanding it is the same, yet in this case each individual bit (unlike the previous case, where each group of 8 bits represented one number of the IP address) represents its own aspect of the state. We should treat it as a (binary) bit set, where (information below is from klakdb.chm):
- bit 0 is set if host is visible
- bit 1 is reserved
- bit 2 is set if Network Agent is installed
- bit 3 is set if Network Agent is "alive"
- bit 4 is set if real-time protection is installed
For example, nStatus equals 29. 29 is 11101 in binary. Remember that bits are numbered from the right, so bit 0 is the rightmost digit. In this case the status is as follows:
- bit 0 equals 1 – that means a bit is set, which in our case means that the host is visible.
- bit 1 equals 0, but as it is reserved, we just omit it.
- bit 2 equals 1, so Network Agent is installed on the host.
- bit 3 equals 1, which means that Network Agent is “alive” – can communicate with SC etc.
- bit 4 equals 1, so protection (KES, KSWS, etc.) is installed on the host.
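The same nIp and nStatus decoding in Python, as an added example (not from the article), for when the raw integers are read out of v_akpub_host with a database driver rather than converted in SQL. The 127.0.0.1 and 29 values are the article's; the 192.168.0.1 row and the signed-integer masking are my own additions, labelled as such in the code.

```python
"""Decode the nIp and nStatus integers of v_akpub_host the way the two SQL
queries above do. Added example, not from the article; the sample values are
the ones the article walks through plus a constructed 192.168.0.1 case."""

# nStatus bit meanings as listed in klakdb.chm (bit 1 is reserved and skipped).
NSTATUS_BITS = {
    0: "host visible",
    2: "Network Agent installed",
    3: "Network Agent alive",
    4: "real-time protection installed",
}


def nip_to_ipv4(nip):
    """Packed nIp -> dotted quad: the top byte is the first octet, exactly the
    (nIp / 16777216) & 255 term of the SQL above.

    Masking with 0xFFFFFFFF is a defensive assumption (not from the article):
    if the column is a signed 32-bit int, addresses whose first octet is >= 128
    come back negative, and the mask restores the unsigned bit pattern."""
    n = nip & 0xFFFFFFFF
    return ".".join(str((n >> shift) & 255) for shift in (24, 16, 8, 0))


def ipv4_to_nip(text):
    """Inverse of nip_to_ipv4, useful for building a WHERE nIp = ... filter."""
    octets = [int(part) for part in text.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {text!r}")
    n = 0
    for octet in octets:
        n = (n << 8) | octet
    return n


def decode_nstatus(nstatus):
    """nStatus bit set -> {meaning: bool}; (nstatus >> bit) & 1 mirrors the
    (nStatus / 2**bit) & 1 expressions of the second SQL query."""
    return {meaning: bool((nstatus >> bit) & 1) for bit, meaning in NSTATUS_BITS.items()}


def describe_host(row):
    """One line per host from a (wstrDisplayName, nIp, nStatus) tuple, e.g. as
    fetched from v_akpub_host with any DB driver."""
    name, nip, nstatus = row
    flags = decode_nstatus(nstatus)
    state = ", ".join(k for k, v in flags.items() if v) or "no status bits set"
    return f"{name} {nip_to_ipv4(nip)}: {state}"


if __name__ == "__main__":
    # constructed rows in the shape of v_akpub_host (the second one is a
    # signed-int rendering of 192.168.0.1, see nip_to_ipv4)
    for row in [("WIN10-KES-11-OLD", 2130706433, 29), ("FILESRV", -1062731775, 5)]:
        print(describe_host(row))
```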
Additional reading
To learn more about this data format refer to this article https://en.wikipedia.org/wiki/Endianness
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Scenario:
When logging in to KSC Web Console, the following error is shown:
Administration Server uses an untrusted self-signed certificate. Please modify the application configuration by specifying a valid certificate for Administration Server.
Alternative wording (for older KSC versions):
Administration Server has untrusted self signed certificate. Please, reconfigure the application with correct certificate for Administration Server.
Reason:
The KSC certificate is set when the Web Console is installed. If the certificate changes or becomes invalid after the installation, KSC Web Console shows this error, e.g. when you installed the Web Console together with KSC and then restored a KSC backup.
Solution and Source:
Change certificate in KSC.
Specifying certificates for trusted Administration Servers - guide on specifying a new certificate
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Problem Description, Symptoms & Impact
In KES 12.0, the way the Device Control component works has been changed. See the changelog: https://support.kaspersky.com/help/KESWin/12.0/en-US/127969.htm
Due to these changes, you may notice that printing becomes slow after you have upgraded KES to version 12.0 or higher. The delay may be around 30-60 s or even 10-15 minutes; when you disable KES, printing becomes instant. In some exceptional cases the delay is so large that it is impossible to print anything and the system hangs. The issue affects both local printers and network printers.
Diagnostics
First of all, test if the issue persists with Device Control component disabled. If it does, move any device to a separate group for testing, create a new default KES policy there and check if the issue persists on default policy or not. If everything is fine under default policy, this is a clear sign that something is wrong with your configuration.
Additionally, try latest PF for KES and check if the issue persists on it. There are some optimizations there that fix some Device Control issues and it can improve the performance, but if the issue is in the policy configuration, it won't help much.
Workaround & Solution
Troubleshooting steps:
- Select a host for troubleshooting and move it to a test group
- Install the latest PF on it, reboot, and check the situation
- Check if the issue is caused by Device Control component and if the issue persists if this component is disabled
- Check if the issue persists under main policy and under default policy
- Check policy configuration and check how many devices have been added to Trusted Devices list. If there are several hundred entries or more, try to find a way to reduce their amount.
Please see this public article for more details: https://support.kaspersky.com/KESWin/12.1/en-US/38595.htm
It states "it is not recommended to add more than 1000 trusted devices, as this can cause system instability."
To reduce the list of trusted devices, you can use the wildcard * to cover printers of the same type.
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
This info applies to KSC12-14.2.
Web Console port can be changed from default port 8080 to 443 or any other port not occupied by the operating system or a third-party application.
1. Open file "C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\server\config.json" with any text editor and type the port you would like to use instead of 8080:
2. Restart all Kaspersky Security Center Web Console services via services.msc to apply changes.
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Description and cautions
A KSN connection error may appear in the KATA web interface.
Details
1. It can be fixed unless you have permanent KSN errors; check this in ksn_proxy.log at DEBUG level. The keyword is ErrCount. If you do not see ErrCount: 0 in the log, you do not have access to our KSN servers, which are:
2. To fix this web error, do as follows
For KATA 4.0/4.1
Under root at CN execute:
apt-settings-manager set --merge /configuration/preprocessor '{"ksn": {"non_dl_formats": ["GeneralHtml", "GeneralTxt", "ExecutableJs", "ImageGif", "ImageJpeg", "ImagePng", "ArchiveCab"], "request_threads": 4, "timeout": "PT1.5S"}}'
* PT1.5S means 1.5 seconds; do not increase it further.
Then increase "errors_increase_threshold" to 100 (check the ksn_proxy debug log to see how many KSN connection errors you actually have and adjust this parameter accordingly):
apt-settings-manager set --merge /configuration/monitoring_prometheus '{"ksn_proxy": {"errors_increase_threshold": 100, "errors_window_period": "10m", "scraping_alert_for_interval": "1m", "scraping_evaluation_interval": "30s"}}'
If this helps, make the change persistent: vim /etc/opt/kaspersky/apt-swarm/swarm_config.json
"ksn": {
"non_dl_formats": [
"GeneralHtml",
"GeneralTxt",
"ExecutableJs",
"ImageGif",
"ImageJpeg",
"ImagePng",
"ArchiveCab"
],
"request_threads": 4,
"timeout": "PT0.5S" <<<<< set 1.5S
Find
"ksn_proxy": {
"errors_increase_threshold": 2, <<<<< set 100
"errors_window_period": "10m",
"scraping_alert_for_interval": "1m",
"scraping_evaluation_interval": "30s"
For KATA 5.+/6.+
Use one line:
- console-settings-updater set --merge /kata/configuration/product/monitoring_prometheus '{"alert_settings": {"ksn_proxy": {"errors_increase_threshold": 100}}}'
if value 100 doesn't help you may increase it to 150-200.
Or use long way:
- Under root at CN execute:
console-settings-updater get /kata/configuration/product/monitoring_prometheus | python3 -m json.tool > /tmp/monitoring_prometheus
- Make changes in /tmp/monitoring_prometheus (via vim or nano) by finding the following block:
"ksn_proxy": {
"errors_increase_threshold": 100, <<<<<< put here value 100 instead of default 2
- Save the file (ESC :wq!)
- Put the changes back into the container:
console-settings-updater set /kata/configuration/product/monitoring_prometheus @/tmp/monitoring_prometheus
If value 100 doesn't help you may increase it to 150-200.
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Description and cautions
This article gives some example use cases of KSC API calls to ease getting started with the API. In this KB we look at the host isolation scenario with KES/KEA.
For the Windows version of cURL, you need to specify that the arguments need to be escaped with "\", otherwise there will be an error. For example: 'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'
Details
Prerequisites
- internal user: api-user
Example
- KSC address - 127.0.0.1 (the address can also be external)
- API Port - 13299 (default)
- User: api-user (internal KSC user), base64: YXBpLXVzZXI=
- Password: password, base64: cGFzc3dvcmQ=
-
Credentials:
User: api-user (Base64: YXBpLXVzZXI=)
Password: password (Base64: cGFzc3dvcmQ=)
- Authentication type: Authenticated session; other types: KSC Open API description
- Requests are given in cURL and HTTP formats; as an alternative, the Python library (KlAkOAPI Python package) can also be used
Login
Start connection to KSC (Session::StartSession)
Session::StartSession
--header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'
The username and password are sent base64-encoded within a secure HTTPS session. For example, https://www.base64encode.org/ can be used for encoding.
Response
{"PxgRetVal":"nsPbUpP1oAVZlM1lODEbg8A=="}
Use this token in the X-KSC-Session request header.
Find Host
Find host by filter string (HostGroup::FindHosts)
The filter string contains a condition over host attributes; see also Search filter syntax.
We use "KLHST_WKS_DN" - Host display name
HostGroup::FindHosts
POST /api/v1.0/HostGroup.FindHosts HTTP/1.1
Host: localhost:13299
X-KSC-Session: nH4iKWCdxuBJWO5U4ATKSew==
Content-Type: application/json
Content-Length: 170

{"vecFieldsToReturn": ["KLHST_WKS_HOSTNAME","KLHST_WKS_DN"],"lMaxLifeTime": 1200,"wstrFilter":"(KLHST_WKS_DN=\"WIN10-*\")"}
Response ID
Response
{"strAccessor":"ppYeO5rmkvKcMUm8vQzOK2","PxgRetVal":18}
Copy the accessor for the next request (ChunkAccessor::GetItemsChunk)
ChunkAccessor::GetItemsChunk
curl -L -X POST "https://127.0.0.1:13299/api/v1.0/ChunkAccessor.GetItemsChunk" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{\"strAccessor\":\"fb07haDqXIKZbQzyDsMwx1\",\"nStart\": 0,\"nCount\": 100}"
Response info about the host:
Response
{"pChunk": {"KLCSP_ITERATOR_ARRAY": [{"type":"params","value": {"KLHST_WKS_DN":"WIN10-OPTIMUM-1","KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e"}},{"type":"params","value": {"KLHST_WKS_DN":"WIN10-KES-11-OLD","KLHST_WKS_HOSTNAME":"ab365e11-a1c7-492b-a981-e84402b33a8f"}}]},........"PxgRetVal": 18}
Copy the value "KLHST_WKS_HOSTNAME" for the next request
KEA Isolation
HostGroup.GetHostInfo
Acquire specified host attributes. (HostGroup::GetHostInfo)
strHostName (wstring) - host name, a unique server-generated string (see the KLHST_WKS_HOSTNAME attribute). It is NOT the same as the computer network name (DNS, FQDN or NetBIOS name).
pFields2Return (array) - array of names of host attributes to return. See List of host attributes for attribute names.
HostGroup.GetHostInfo
POST /api/v1.0/HostGroup.GetHostInfo HTTP/1.1
Host: localhost:13299
X-KSC-Session: nH4iKWCdxuBJWO5U4ATKSew==
Content-Type: application/json
Content-Length: 185

{"strHostName":"ab365e11-a1c7-492b-a981-e84402b33a8f","pFields2Return": ["KLHST_WKS_HOSTNAME","KLHST_WKS_DN","KLHST_APP_INFO"]}
HostGroup.SS_GetNames
Get section names from host settings storage. (HostGroup::SS_GetNames)
Parameter values should be taken from the previous response.
HostGroup::SS_GetNames
POST /api/v1.0/HostGroup.SS_GetNames HTTP/1.1
Host: localhost:13299
X-KSC-Session: nqH6Qma75t/wBcQm8vlyqvQ==
Content-Type: application/json
Content-Length: 148

{"strHostName":"ab365e11-a1c7-492b-a981-e84402b33a8f","strType":"SS_SETTINGS","strProduct":"SOYUZ","strVersion":"4.0.0.0"}
Response:
{"PxgRetVal": [".KLNAG_SECTION_REBOOT_REQUEST","85","AccountLogonSettings","ApplicationSettings","AutoStartEntriesNotifySettings","ConnectionSettings","CreateProcessSettings","FileChangeNotificationSettsEdr","KLEVP_NF_SECTION","KsnServiceSettings","LoadImageSettingsEdr","MaintenanceSettings","MdrServiceSettings","MessageBrokerSettings","NetworkConnectionSettingsEdr","NetworkIsolationProfilesSetts","NetworkIsolationSettings","PasswordSettings","PreventionSettings","ProductPermissionSettings","QuarantineSettings","SandboxSettings","SelfDefenceSettings","UserModeApiMonitorSrvSettings","WMIActivitySettings","WindowsEventLogSettingsEdr","WindowsRegistrySettings"]}
Copy the "NetworkIsolationSettings" section name for the next requests.
Using the NWC web console of KSC, create a local network exception for VPN:
1) Open host properties → Applications → KEA
2) Open tab APP Settings → Network Isolation → Isolation on detection
3) Add rule for RDP → click "OK" → click "Save"
HostGroup.SS_Read
Read data from host settings storage. (HostGroup::SS_Read)
Parameter values should be taken from the two previous responses.
HostGroup::SS_Read
POST /api/v1.0/HostGroup.SS_Read HTTP/1.1
Host: localhost:13299
X-KSC-Session: nqc+0P0UI+Wzuu+FREB74yQ==
Content-Type: application/json
Content-Length: 194

{"strHostName":"ab365e11-a1c7-492b-a981-e84402b33a8f","strType":"SS_SETTINGS","strProduct":"SOYUZ","strVersion":"4.0.0.0","strSection":"NetworkIsolationSettings"}
Response info about Network Isolation with the RDP rule exception:
Response
{"PxgRetVal": {"BaseSettings": {"type":"params","value": {"Revision": {"type":"long","value": 0},"__VersionInfo": [1,0]}},"Enable":false,"Exclusions": [{"type":"params","value": {"Description":"Custom (user-defined)","Name":"Custom (user-defined)","Rules": [{"type":"params","value": {"AppProtocolName":"RDP","Applications": [],"Direction": 3,"Enable":true,"LocalAddress":"","LocalPort": {"type":"params","value": {"MaxPort": 3389,"MinPort": 3389,"__VersionInfo": [1,0]}},"Protocol": 0,"RemoteAddress":"","RemotePort": {"type":"params","value": {"MaxPort": 0,"MinPort": 0,"__VersionInfo": [1,0]}},"UseApplications":false,"UseLocalAddress":false,"UseLocalPort":true,"UseProtocol":false,"UseRemoteAddress":false,"UseRemotePort":false,"__VersionInfo": [1,1]}}],"__VersionInfo": [1,0]}}],"IsolationTimeout": 1800,"NotifyUser":true,"UseIsolationTimeout":true,"__VersionInfo": [1,2]}}
Copy the whole response for the next request.
HostGroup.SS_Write
Write data to the host settings stor to isolate the workstation with the RDP rule. (HostGroup::SS_Write)
1) Use the parameter values from the previous steps
2) for nOption use 7
- 7 - "Clear": replaces the existing section contents with pData, i.e. the existing section contents will be deleted and the variables from pData will be written to the section.
3) for pSettings paste the previous response and change
"Enable": true
HostGroup::SS_Write
POST /api/v1.0/HostGroup.SS_Write HTTP/1.1
Host: localhost:13299
X-KSC-Session: nbpsiiOAAxiDWfMSVkgciWQ==
Content-Type: application/json
Content-Length: 1066

{"strHostName":"bdcae680-eeaa-4279-a822-92a0d3e01dfb","strType":"SS_SETTINGS","strProduct":"SOYUZ","strVersion":"4.0.0.0","strSection":"NetworkIsolationSettings","nOption":7,
"pSettings":{"BaseSettings": {"type":"params","value": {"Revision": {"type":"long","value": 0},"__VersionInfo": [1,0]}},
"Enable":true,    #Isolation ON
"Exclusions": [{"type":"params","value": {"Description":"Custom (user-defined)","Name":"Custom (user-defined)","Rules": [{"type":"params","value": {
"AppProtocolName":"RDP",    #custom rule for RDP
"Applications": [],"Direction": 3,"Enable":true,"LocalAddress":"","LocalPort": {"type":"params","value": {"MaxPort": 3389,"MinPort": 3389,"__VersionInfo": [1,0]}},"Protocol": 0,"RemoteAddress":"","RemotePort": {"type":"params","value": {"MaxPort": 0,"MinPort": 0,"__VersionInfo": [1,0]}},"UseApplications":false,"UseLocalAddress":false,"UseLocalPort":true,"UseProtocol":false,"UseRemoteAddress":false,"UseRemotePort":false,"__VersionInfo": [1,1]}}],"__VersionInfo": [1,0]}}],
"IsolationTimeout": 1800,"NotifyUser":true,"UseIsolationTimeout":true,"__VersionInfo": [1,2]}}
Response
{ }
Host isolated successfully.
To turn isolation off, paste the previous response into pSettings and change
"Enable": false
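The KEA flow above (StartSession, FindHosts/GetItemsChunk, SS_Read, SS_Write with nOption 7) as an added Python example; it is neither the article's own requests nor the KlAkOAPI package. It assumes only the conventions the article shows (POST to /api/v1.0/Class.Method, the KSCBasic and X-KSC-Session headers, the JSON bodies) and runs offline against canned replies copied from the article through a hypothetical `transport` callable; `https_transport` is the one to pass for a real Administration Server.

```python
"""KSC Open API from Python, following the KEA isolation flow of this article:
Session.StartSession -> HostGroup.FindHosts + ChunkAccessor.GetItemsChunk ->
HostGroup.SS_Read / SS_Write on the NetworkIsolationSettings section.
Added example, not the article's requests and not the KlAkOAPI package. The
`transport` callable is an assumption that lets the flow run offline against
the canned replies at the bottom; https_transport() is the real one."""
import base64
import json
import urllib.request


def https_transport(url, headers, body, context=None):
    """POST body to url and return the reply bytes. Pass an ssl.SSLContext that
    trusts the Administration Server certificate rather than disabling checks."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=context) as resp:
        return resp.read()


class KscClient:
    def __init__(self, host="127.0.0.1", port=13299, transport=https_transport):
        self.base = f"https://{host}:{port}/api/v1.0/"
        self.transport = transport
        self.session = None

    def _post(self, method, params, headers):
        headers = {"Content-Type": "application/json", **headers}
        raw = self.transport(self.base + method, headers, json.dumps(params).encode())
        reply = json.loads(raw)
        if "PxgError" in reply:  # failure convention (assumed, not shown in the article)
            raise RuntimeError(f"{method}: {reply['PxgError']}")
        return reply

    def login(self, user, password):
        """Session.StartSession. base64 is only the header encoding the API wants;
        the HTTPS session is what protects the credentials in transit."""
        b64 = lambda s: base64.b64encode(s.encode()).decode()
        auth = f'KSCBasic user="{b64(user)}", pass="{b64(password)}", internal="1"'
        reply = self._post("Session.StartSession", {}, {"Authorization": auth})
        self.session = reply["PxgRetVal"]
        return self.session

    def call(self, method, params):
        """Any later method, authenticated with the X-KSC-Session token."""
        return self._post(method, params, {"X-KSC-Session": self.session})

    def find_hosts(self, dn_pattern):
        """HostGroup.FindHosts on KLHST_WKS_DN (wildcards allowed, e.g. WIN10-*)
        plus the chunk fetch; returns {display name: KLHST_WKS_HOSTNAME}."""
        if '"' in dn_pattern:  # a quote would escape the filter expression
            raise ValueError("display name pattern must not contain '\"'")
        found = self.call("HostGroup.FindHosts", {
            "vecFieldsToReturn": ["KLHST_WKS_HOSTNAME", "KLHST_WKS_DN"],
            "lMaxLifeTime": 1200, "wstrFilter": f'(KLHST_WKS_DN="{dn_pattern}")'})
        chunk = self.call("ChunkAccessor.GetItemsChunk", {
            "strAccessor": found["strAccessor"], "nStart": 0, "nCount": 100})
        return {i["value"]["KLHST_WKS_DN"]: i["value"]["KLHST_WKS_HOSTNAME"]
                for i in chunk["pChunk"]["KLCSP_ITERATOR_ARRAY"]}

    def set_kea_isolation(self, host_id, enable):
        """SS_Read the NetworkIsolationSettings section, flip Enable, SS_Write the
        whole section back with nOption 7 ("Clear"); returns what was written."""
        section = {"strHostName": host_id, "strType": "SS_SETTINGS",
                   "strProduct": "SOYUZ", "strVersion": "4.0.0.0",
                   "strSection": "NetworkIsolationSettings"}
        settings = self.call("HostGroup.SS_Read", section)["PxgRetVal"]
        settings["Enable"] = bool(enable)
        self.call("HostGroup.SS_Write", {**section, "nOption": 7, "pSettings": settings})
        return settings


# Canned replies copied from the article (SS_Read abridged) and a transport test
# double that records every request: constructed for offline use, not a server.
CANNED = {
    "Session.StartSession": {"PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A=="},
    "HostGroup.FindHosts": {"strAccessor": "ppYeO5rmkvKcMUm8vQzOK2", "PxgRetVal": 18},
    "ChunkAccessor.GetItemsChunk": {"PxgRetVal": 18, "pChunk": {"KLCSP_ITERATOR_ARRAY": [
        {"type": "params", "value": {"KLHST_WKS_DN": "WIN10-OPTIMUM-1",
                                     "KLHST_WKS_HOSTNAME": "c0816918-fbc5-4fbc-8fed-6f245756120e"}},
        {"type": "params", "value": {"KLHST_WKS_DN": "WIN10-KES-11-OLD",
                                     "KLHST_WKS_HOSTNAME": "ab365e11-a1c7-492b-a981-e84402b33a8f"}}]}},
    "HostGroup.SS_Read": {"PxgRetVal": {
        "Enable": False, "Exclusions": [], "IsolationTimeout": 1800,
        "NotifyUser": True, "UseIsolationTimeout": True, "__VersionInfo": [1, 2]}},
    "HostGroup.SS_Write": {},
}
SENT = []  # (method, headers, decoded body) of every request fake_transport saw


def fake_transport(url, headers, body):
    method = url.rsplit("/", 1)[1]
    SENT.append((method, headers, json.loads(body)))
    return json.dumps(CANNED[method]).encode()


if __name__ == "__main__":
    ksc = KscClient(transport=fake_transport)  # drop the argument for a real KSC
    ksc.login("api-user", "password")
    print(ksc.set_kea_isolation(ksc.find_hosts("WIN10-*")["WIN10-KES-11-OLD"], True))
```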
KES Isolation (11.7 and later)
FindHost
Find the host with the previous method and copy the value "KLHST_WKS_HOSTNAME"
For example:
"KLHST_WKS_DN":"KEDRO-1","KLHST_WKS_HOSTNAME":"a20da5de-49e5-469a-92ea-41b5adb74ea4"
SrvView
Find srvview data by filter string (SrvView::ResetIterator)
"wstrViewName" - check List of supported srvviews.
"vecFieldsToReturn" - check https://support.kaspersky.com/help/KSC/13.1/KSCAPI/a00307.html
SrvView::ResetIterator
POST /api/v1.0/SrvView.ResetIterator HTTP/1.1
Host: localhost:13299
X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
Content-Type: application/json
Content-Length: 614

{"wstrViewName":"HostTasksSrvView","vecFieldsToReturn": ["nState","strTask","TASK_NAME","txtDisplayName","TASKID_PRODUCT_NAME","TASKID_PRODUCT_VERSION","bCannotBeDeleted","bSystem"],"vecFieldsToOrder": [{"type":"params","value": {"Name":"TASK_NAME","Asc":"true"}}],"lifetimeSec": 100,"pParams": {"strHostId":"a20da5de-49e5-469a-92ea-41b5adb74ea4"},"wstrFilter":""}
Response ID
Response
{"wstrIteratorId":"67D74142AE0FA1A3D05CD696B957902B"}
GetRecordRange from the response data (SrvView.GetRecordRange)
SrvView.GetRecordRange
curl -L -X POST "https://127.0.0.1:13299/api/v1.0/SrvView.GetRecordRange" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{\"wstrIteratorId\":\"67D74142AE0FA1A3D05CD696B957902B\",\"nStart\": 0,\"nEnd\": 100}"
Copy the value "strTask" for the tasks "xdr_networkisolation_start" and "xdr_networkisolation_stop".
For example:
Isolation ON => "TASK_NAME":"xdr_networkisolation_start" .... "strTask":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056"
Isolation OFF => "TASK_NAME":"xdr_networkisolation_stop" .... "strTask":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"
Isolation ON
GetHostTasks
Return server specific identity to acquire and manage host tasks. (HostGroup::GetHostTasks)
HostGroup.GetHostTasks
POST /api/v1.0/HostGroup.GetHostTasks HTTP/1.1
Host: localhost:13299
X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
Content-Type: application/json
Content-Length: 58

{"strHostName":"a20da5de-49e5-469a-92ea-41b5adb74ea4"}
Response:
{"PxgRetVal":"8122017D5C4081753E8FDE94244DC1AF"}
HostTasks
GetTaskData
Acquire task settings. (HostTasks::GetTaskData)
strSrvObjId - server object ID obtained from HostGroup.GetHostTasks
strTask - storage identifier of the task (such as returned by HostTasks.AddTask)
HostTasks::GetTaskData
POST /api/v1.0/HostTasks.GetTaskData HTTP/1.1
Host: localhost:13299
X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
Content-Type: application/json
Content-Length: 112

{"strTask":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056","strSrvObjId":"8122017D5C4081753E8FDE94244DC1AF"}
Response:
Response{"PxgRetVal":{"EVENT_TYPE":"PRTS_EVENT_NONE","FILTER_EVENTS_COMPONENT_NAME":"","FILTER_EVENTS_INSTANCE_ID":"","FILTER_EVENTS_PRODUCT_NAME":"","FILTER_EVENTS_VERSION":"","TASKID_COMPONENT_NAME":"Connector","TASKID_INSTANCE_ID":"","TASKID_PRODUCT_NAME":"KES","TASKID_VERSION":"11.0.0.0","TASKSCH_FIRST_EXECUTION_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},"TASKSCH_FIRST_EXECUTION_TIME_SEC":0,"TASKSCH_LIFETIME":{"type":"datetime","value":""},"TASKSCH_MS_PERIOD":0,"TASKSCH_RUN_MISSED_FLAG":false,"TASKSCH_TYPE":0,"TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"CompatibilityInfo":{"type":"params","value":{"MinimalPluginVersion":"11.7.0.0"}},"PRTS_TASK_EXT_SHEDULE_FLAGS":0,"exclusionRules":[{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}},"name":"DNS","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}},"name":"DNS","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":true,"paths":["%systemroot%\\system32\\dns.exe"]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"
end":65535,"start":49152}}]}},"name":"Large numbered TCP ports, randomly assigned by the RPC service","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":true,"paths":["%systemroot%\\system32\\svchost.exe"]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":135,"start":135}}]}},"name":"RPC Endpoint Mapper","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":0,"localPorts":{"type":"params","value":{"enabled":false,"portRange":[]}},"name":"DNS client","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":0,"localPorts":{"type":"params","value":{"enabled":false,"portRange":[]}},"name":"DNS 
client","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":2,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":68,"start":68}}]}},"name":"DHCP server","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":67,"start":67}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":2,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":67,"start":67}}]}},"name":"DHCP 
client","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":68,"start":68}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":2535,"start":2535}}]}},"name":"MADCAP","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":647,"start":647}}]}},"name":"DHCP failover","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}}],"isolationDuration":3600000,"klprts-TaskStorageId":"_LOCAL_2d076fbe-7e60-4a99-9177-173076a5a2b1","ksc_settings_compatibility::TaskUniqueId":"89621cce@xdr_networkisolation_start@NetworkIsolationStart","responseId":{"type":"long","value":7998665773575485050}}},"TASK_CLASS_ID":0,"TASK_DEL_AFTER_RUN_FLAG":false,"TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"Network 
isolation","klprts-TaskCannotBeDeleted":true,"klprts-TaskScheduleSubtype":256}},"TASK_LAST_EXEC_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},"TASK_LAST_EXEC_TIME_SEC":0,"TASK_MAX_EXEC_TIME":0,"TASK_NAME":"xdr_networkisolation_start","TASK_PREP_START":0,"TASK_PRIORITY":1,"TASK_START_DELTA":0,"TASK_UNIQUE_ID":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056"}}
Copy some of the values from the response and change the parameters in the next request with the Network isolation exclusions.
RDP protocol (for example):
exclusionRules
{"type":"params","value": {
  "applications": {"type":"params","value": {"enabled":true,"paths": []}},
  "dataSource": 2,    #inbound and outbound
  "localPorts": {"type":"params","value": {"enabled":true,"portRange": [{"type":"params","value": {
    "end": 3389,    #port
    "start": 3389   #port
  }}]}},
  "name":"RDP ANY",    #name
  "protocol": {"type":"params","value": {"enabled":true,
    "id": 0    #TCP and UDP
  }},
  "remoteAddress": {"type":"params","value": {"enabled":false,"ip": {"type":"params","value": {"octets": {"type":"binary","value":""},"zoneIPv6":""}}}},
  "remotePorts": {"type":"params","value": {"enabled":false,"portRange": []}}
}}
UpdateTask
Modify task settings. (HostTasks::UpdateTask)
HostTasks::UpdateTask
POST /api/v1.0/HostTasks.UpdateTask HTTP/1.1
Host: localhost:13299
X-KSC-Session: n18Zfc+1hPeedqD07uM96/A==
Content-Type: application/json
Content-Length: 32796

{"strTask":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056","strSrvObjId":"46A9BEBC82C3FB1121050247A0697ECC","pData": {"TASKID_COMPONENT_NAME":"Connector","TASKID_PRODUCT_NAME":"KES","TASKID_VERSION":"11.0.0.0","TASKSCH_TYPE": 5,"TASK_ADDITIONAL_PARAMS": {"type":"params","value": {"CompatibilityInfo": {"type":"params","value": {"MinimalPluginVersion":"11.8.0.0"}},"PRTS_TASK_EXT_SHEDULE_FLAGS": 0,"exclusionRules": [{"type":"params","value": {"applications": {"type":"params","value": {"enabled":true,"paths": []}},"dataSource": 2,"localPorts": {"type":"params","value": {"enabled":true,"portRange": [{"type":"params","value": {"end": 3389,"start": 3389}}]}},"name":"RDP ANY","protocol": {"type":"params","value": {"enabled":true,"id": 0}},"remoteAddress": {"type":"params","value": {"enabled":false,"ip": {"type":"params","value": {"octets": {"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts": {"type":"params","value": {"enabled":false,"portRange": []}}}}],"isolationDuration":28800000,"klprts-TaskStorageId":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056","ksc_settings_compatibility::TaskUniqueId":"89621cce@xdr_networkisolation_start@NetworkIsolationStart","responseId":{"type":"long","value":4294967295}}},"TASK_CLASS_ID":0,"TASK_DEL_AFTER_RUN_FLAG":false,"TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"Network isolation","klprts-TaskCannotBeDeleted":true,"klprts-TaskScheduleSubtype":512}},"TASK_NAME":"xdr_networkisolation_start","TASK_PREP_START":0,"TASK_PRIORITY":1,"TASK_START_DELTA":0,"TASK_UNIQUE_ID":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056"}}
Response
{ }
Host isolated successfully with the RDP session allowed.
Isolation OFF
For example:
Isolation OFF => "TASK_NAME":"xdr_networkisolation_stop" .... "strTask":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"
GetHostTasks
Return server specific identity to acquire and manage host tasks. (HostGroup::GetHostTasks)
HostGroup.GetHostTasks
POST /api/v1.0/HostGroup.GetHostTasks HTTP/1.1
Host: localhost:13299
X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
Content-Type: application/json
Content-Length: 58

{"strHostName":"a20da5de-49e5-469a-92ea-41b5adb74ea4"}
Response:
{"PxgRetVal":"8122017D5C4081753E8FDE94244DC1AF"}
HostTasks
GetTaskData
Acquire task settings. (HostTasks::GetTaskData)
strSrvObjId - server object ID obtained from HostGroup.GetHostTasks
strTask - storage identifier of the task (such as returned by HostTasks.AddTask)
HostTasks::GetTaskData
POST /api/v1.0/HostTasks.GetTaskData HTTP/1.1
Host: localhost:13299
X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
Content-Type: application/json
Content-Length: 112

{"strTask":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d","strSrvObjId":"8122017D5C4081753E8FDE94244DC1AF"}
Response:
Response{"PxgRetVal":{"EVENT_TYPE":"PRTS_EVENT_NONE","FILTER_EVENTS_COMPONENT_NAME":"","FILTER_EVENTS_INSTANCE_ID":"","FILTER_EVENTS_PRODUCT_NAME":"","FILTER_EVENTS_VERSION":"","TASKID_COMPONENT_NAME":"Connector","TASKID_INSTANCE_ID":"","TASKID_PRODUCT_NAME":"KES","TASKID_VERSION":"11.0.0.0","TASKSCH_FIRST_EXECUTION_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},"TASKSCH_FIRST_EXECUTION_TIME_SEC":0,"TASKSCH_LIFETIME":{"type":"datetime","value":""},"TASKSCH_MS_PERIOD":0,"TASKSCH_RUN_MISSED_FLAG":false,"TASKSCH_TYPE":0,"TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"CompatibilityInfo":{"type":"params","value":{"MinimalPluginVersion":"11.8.0.0"}},"PRTS_TASK_EXT_SHEDULE_FLAGS":0,"klprts-TaskStorageId":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d","ksc_settings_compatibility::TaskUniqueId":"59e0cc70@xdr_networkisolation_stop@NetworkIsolationStop","responseId":{"type":"long","value":4294967295}}},"TASK_CLASS_ID":0,"TASK_DEL_AFTER_RUN_FLAG":false,"TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"Termination of network isolation","klprts-TaskCannotBeDeleted":true,"klprts-TaskScheduleSubtype":256}},"TASK_LAST_EXEC_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},"TASK_LAST_EXEC_TIME_SEC":0,"TASK_MAX_EXEC_TIME":0,"TASK_NAME":"xdr_networkisolation_stop","TASK_PREP_START":0,"TASK_PRIORITY":1,"TASK_START_DELTA":0,"TASK_UNIQUE_ID":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"}}Copy some value from response and change parameters on the next request with Network isolation exclusions.
UpdateTask
Modify task settings. (HostTasks::UpdateTask)
Compared with the GetTaskData response, two values are changed: TASKSCH_TYPE is set to 5 and klprts-TaskScheduleSubtype to 512.

POST /api/v1.0/HostTasks.UpdateTask HTTP/1.1
Host: localhost:13299
X-KSC-Session: n18Zfc+1hPeedqD07uM96/A==
Content-Type: application/json
Content-Length: 32796

{
  "strTask": "_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d",
  "strSrvObjId": "A06A16B837CC0E73BD3BCCDAA98A3129",
  "pData": {
    "TASKID_COMPONENT_NAME": "Connector",
    "TASKID_PRODUCT_NAME": "KES",
    "TASKID_VERSION": "11.0.0.0",
    "TASKSCH_MS_PERIOD": 0,
    "TASKSCH_TYPE": 5,
    "TASK_ADDITIONAL_PARAMS": {"type": "params", "value": {
      "CompatibilityInfo": {"type": "params", "value": {"MinimalPluginVersion": "11.8.0.0"}},
      "PRTS_TASK_EXT_SHEDULE_FLAGS": 0,
      "klprts-TaskStorageId": "_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d",
      "ksc_settings_compatibility::TaskUniqueId": "59e0cc70@xdr_networkisolation_stop@NetworkIsolationStop",
      "responseId": {"type": "long", "value": 4294967295}
    }},
    "TASK_CLASS_ID": 0,
    "TASK_DEL_AFTER_RUN_FLAG": false,
    "TASK_INFO_PARAMS": {"type": "params", "value": {
      "DisplayName": "Termination of network isolation",
      "klprts-TaskCannotBeDeleted": true,
      "klprts-TaskScheduleSubtype": 512
    }},
    "TASK_NAME": "xdr_networkisolation_stop",
    "TASK_PREP_START": 0,
    "TASK_PRIORITY": 1,
    "TASK_START_DELTA": 0,
    "TASK_UNIQUE_ID": "_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"
  }
}

Response:
{ }

Host unblocked successfully.
End Session to KSC (Session::EndSession)
Session::EndSession

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='   # PxgRetVal from Session.StartSession
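The whole sequence above (Session.StartSession, HostGroup.GetHostTasks, HostTasks.GetTaskData, HostTasks.UpdateTask, Session.EndSession) as an added Python example using only the standard library; it is not code from this article or from the KlAkOAPI package. The KscSession class, the injectable transport, FakeKsc and the FAKE-SESSION-ID value are assumptions constructed for this example; the method names, header names and field names are the ones in the requests above.

```python
import base64
import json
import urllib.request


def ksc_basic_header(user, password):
    """Authorization value for Session.StartSession: user and password base64-encoded."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return f'KSCBasic user="{b64(user)}", pass="{b64(password)}", internal="1"'


def https_transport(url, headers, body):
    """POST a JSON body over HTTPS (certificate verified by urllib) and parse the reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode() or "{}")


class KscSession:
    """Authenticated session: StartSession on enter, EndSession on exit."""

    def __init__(self, host, user, password, transport=https_transport, port=13299):
        self.base = f"https://{host}:{port}/api/v1.0/"   # 13299: default KSC API port
        self.transport = transport
        self.session_id = None
        self._auth = ksc_basic_header(user, password)

    def call(self, method, body=None):
        headers = {"Content-Type": "application/json"}
        if self.session_id is None:   # first call authenticates with KSCBasic
            headers["Authorization"] = self._auth
        else:                         # later calls carry PxgRetVal of StartSession
            headers["X-KSC-Session"] = self.session_id
        return self.transport(self.base + method, headers, body or {})

    def __enter__(self):
        self.session_id = self.call("Session.StartSession")["PxgRetVal"]
        return self

    def __exit__(self, *exc):
        self.call("Session.EndSession")
        self.session_id = None


# Fields the article sends in pData of HostTasks.UpdateTask.
UPDATE_FIELDS = (
    "TASKID_COMPONENT_NAME", "TASKID_PRODUCT_NAME", "TASKID_VERSION",
    "TASKSCH_MS_PERIOD", "TASKSCH_TYPE", "TASK_ADDITIONAL_PARAMS",
    "TASK_CLASS_ID", "TASK_DEL_AFTER_RUN_FLAG", "TASK_INFO_PARAMS",
    "TASK_NAME", "TASK_PREP_START", "TASK_PRIORITY", "TASK_START_DELTA",
    "TASK_UNIQUE_ID",
)


def run_now_payload(task_data):
    """Build pData from GetTaskData output, applying the two values the article
    changes to launch the task: TASKSCH_TYPE=5, klprts-TaskScheduleSubtype=512."""
    p = {k: json.loads(json.dumps(task_data[k]))   # deep copy, input left untouched
         for k in UPDATE_FIELDS if k in task_data}
    p["TASKSCH_TYPE"] = 5
    info = p.setdefault("TASK_INFO_PARAMS", {"type": "params", "value": {}})
    info["value"]["klprts-TaskScheduleSubtype"] = 512
    return p


def trigger_host_task(session, host_name, task_id):
    """GetHostTasks -> GetTaskData -> UpdateTask, the sequence shown above."""
    srv_obj = session.call("HostGroup.GetHostTasks",
                           {"strHostName": host_name})["PxgRetVal"]
    data = session.call("HostTasks.GetTaskData",
                        {"strTask": task_id, "strSrvObjId": srv_obj})["PxgRetVal"]
    payload = run_now_payload(data)
    session.call("HostTasks.UpdateTask",
                 {"strTask": task_id, "strSrvObjId": srv_obj, "pData": payload})
    return payload


class FakeKsc:
    """Constructed offline stand-in for a KSC server that records every request;
    replies are trimmed copies of the responses shown in the article."""

    def __init__(self):
        self.calls = []
        self.replies = {
            "Session.StartSession": {"PxgRetVal": "FAKE-SESSION-ID"},
            "HostGroup.GetHostTasks": {"PxgRetVal": "8122017D5C4081753E8FDE94244DC1AF"},
            "HostTasks.GetTaskData": {"PxgRetVal": {
                "TASKID_COMPONENT_NAME": "Connector", "TASKSCH_TYPE": 0,
                "TASK_NAME": "xdr_networkisolation_stop",
                "TASK_INFO_PARAMS": {"type": "params", "value": {
                    "DisplayName": "Termination of network isolation",
                    "klprts-TaskScheduleSubtype": 256}},
                "TASK_LAST_EXEC_TIME_SEC": 0}},   # read-only field, not sent back
        }

    def __call__(self, url, headers, body):
        method = url.rsplit("/", 1)[1]
        self.calls.append((method, dict(headers), body))
        return self.replies.get(method, {})


def demo():
    """Run the flow against FakeKsc; returns (recorded calls, pData that was sent)."""
    fake = FakeKsc()
    with KscSession("127.0.0.1", "api-user", "password", transport=fake) as s:
        payload = trigger_host_task(s, "a20da5de-49e5-469a-92ea-41b5adb74ea4",
                                    "_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d")
    return fake.calls, payload
```

Against a real server, replace FakeKsc with the default https_transport and the KSC host name; the session id then comes from the server as in the StartSession response above.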
Description
If you need to know the name of the standard KSC service account (KL-AK...) that has been created during installation, it is stored in the registry key.
This information can be viewed in the registry, using the following paths:
for 64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0
for 32-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0
The value is called AutoCreatedServiceAccount.
It can also be quickly obtained with the following commands:
For 64-bit systems:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0" /v AutoCreatedServiceAccount
For 32-bit systems:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0" /v AutoCreatedServiceAccount
For any type of issue with tasks managed by KSC, we require an export of the task execution history in a .txt file. Task execution history is a sequence of events generated by the client computer during task execution.
Step-by-step guide
To export task execution history, follow these steps:
1. Open the task results window.
2. In the upper part of the task results window, select the problem computer.
3. Right-click some event in the lower part of the task results window, where the task execution history for the selected host is displayed.
4. In the context menu, choose the Export… option. The Events Export Wizard will start.
5. Click the "Browse" button, then select the file destination and file name. Save the events to a .txt file. Make sure the option "Export selected events only" is NOT enabled.
6. Click the "Next" button.
7. Select the option "Export as tab-delimited Unicode text". Click the "Next" button and complete the wizard.
Description and cautions
This article describes a specific scenario: an HA cluster of KSC with 4 CGWs spanning two geographically isolated DCs (Data Centers).
High level procedure:
- KLAdmins group: ksc, rightless / gmsa-ksc-server, gmsa-ksc-nwc; $KSC-NODE-1, $KSC-NODE-2, $SQL-SRV / sql / gmsa-sql-server
- SMB shares: data, state, sc_backup, kl-share
- SMB permissions and NTFS ACL: Full Control for KLAdmins
- Create the MS SQL database KLFOC and grant access to the Administration Server account
- Reboot servers
- Map network drives: data, state
- Install KLFOC
Details
Here below is the detailed step-by-step procedure:
General terms
- HA - High availability
- DC - Data Center
- CGW - Connection Gateway
- gMSA - Group Managed Service Accounts
- WSFC - Windows Server Failover Cluster
Prerequisites
Hardware and software requirements
To deploy a Kaspersky failover cluster, you must have the following hardware and software:
- 2x Windows Server with identical hardware and software. These servers will act as the active and passive nodes.
- OS: Windows Server 2019, activated and configured on the 2x servers, with the latest Windows updates and drivers installed.
- Windows Firewall: disabled on the 2x KSC server nodes.
- DNS A and PTR records for the nodes; 2x IP addresses for the KSC nodes.
- Internet connectivity for the 2x KSC server nodes:
  1. For downloading signatures and application updates on the KSC cluster.
  2. For downloading third-party updates for vulnerability and patch management (if applicable).
- Microsoft OLE DB Driver for SQL Server (MSOLEDBSQL). It introduces multi-subnet failover capabilities and keeps up with the latest TLS 1.2 standards. To connect with TLS 1.2:
  1. Make sure that the remote SQL Server (or SQL Express) used by the Administration Server is really a 64-bit application (sqlservr.exe is a 64-bit process).
  2. At the computer with Administration Server installed, do the following:
     - Install the MSOLEDBSQL provider and reboot the computer if required.
     - Set KLDBADO_UseMSOLEDBSQL=1, either by defining the global environment variable KLDBADO_UseMSOLEDBSQL=1, or by setting the Administration Server flag KLDBADO_UseMSOLEDBSQL=1 using klscflag.exe:
       klscflag.exe -fset -pv klserver -n KLDBADO_UseMSOLEDBSQL -v 1 -t d
     - Reboot the computer if required.
  3. Make sure that Administration Console successfully connects to Administration Server and that the Kaspersky Event Log on the Administration Server computer does not contain errors like 'Generic db error: "11526 '{42000} The metadata could not be determined'.
- File server that supports the CIFS/SMB protocol, version 2.0 or higher; a server that is participating in a WSFC. Make sure you have provided high network bandwidth between the file server and the active and passive nodes.
- DBMS: MS SQL cluster on WSFC with Always On availability groups (SQL Server Failover Cluster Installation).
  - Listener DNS Name: specifies the DNS host name of the availability group listener. The DNS name is a string that must be unique in the domain and in NetBIOS.
  - Microsoft OLE DB Driver for SQL Server: see above.
  - Pre-created database on the MS SQL cluster (the DB name should be one word without special characters). Grant the "DB Owner" permission to the account under which the services of Kaspersky Security Center will run.
Switch conditions
The failover cluster switches protection management of the client devices from the active node to the passive node (with CGWs in the LAN or DMZ network) if any of the following events occurs on the active node:
- The active node, LAN-CGW or DMZ-CGW is broken due to a software or hardware failure.
- The active node was temporarily stopped for maintenance activities.
- At least one of the Kaspersky Security Center services (or processes) failed or was deliberately terminated by a user. The Kaspersky Security Center services are the following: kladminserver, klnagent, klactprx, and klwebsrv.
- The network connection between the active node and the storage on the file server was interrupted or terminated.
Deployment of a Kaspersky failover cluster
Creating an account for Kaspersky Security Center services
Create a new domain group, name it 'KLAdmins', and then grant local administrator permissions to the group on both nodes and on the file server. Then create two new domain user accounts, name them 'ksc' and 'rightless', and add the accounts to the KLAdmins domain group.
Add the user account under which Kaspersky Security Center will be installed to the KLAdmins domain group.
Domain accounts
- Account for running the installer: local admin
- gMSA service account:
  1. The gMSA service account will be used to run the Kaspersky Security Center 13 Administration Server services. How to create a gMSA account: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
  2. The gMSA service account must have the Dbo role permission on the pre-created Kaspersky database running on the MS SQL cluster. The Dbo schema must be used by default. For more details on the required permissions to be assigned, see https://support.kaspersky.com/KSC/12/en-US/156275.htm
  3. Assign domain admin permission for the KSC installation process only.
KLAdmins - Global security group:
- Administration Server account - Domain\gMSA
- Account for other services from the Administration Server pool - rightless
- Computer accounts $ksc-node1 and $ksc-node2
- SQL account - Domain\gMSA or computer account $SQL-server
File server preparation
Prepare the file server to work as a component of the Kaspersky failover cluster. Make sure that the file server meets the hardware and software requirements, create two shared folders for Kaspersky Security Center data, and configure permissions to access the shared folders.
1. Make sure that the file server meets the hardware and software requirements.
2. Make sure that the file server and both nodes (active and passive) are included in the same domain, or that the file server is the domain controller.
3. On the file server, create the shared folders data, state, klshare and SC_Backup. One of them is used to keep information about the failover cluster state. The other one is used to store the data and settings of Kaspersky Security Center.
4. Grant full access permissions (both share permissions and NTFS permissions) to the created shared folders for the following user accounts and groups:
   - Computer accounts $ksc-node1 and $ksc-node2
   - SQL account - Domain\gMSA or computer account $SQL-server
Preparation of active and passive nodes
Prepare two computers with identical hardware and software to work as the active and passive nodes.
To prepare nodes for a Kaspersky failover cluster:
1. Make sure that you have two computers that meet the hardware and software requirements. These computers will act as the active and passive nodes of the failover cluster.
2. Make sure that the file server and both nodes are included in the same domain.
3. Do one of the following:
   - Skip this step and configure the CGWs after the KLFOC installation.
   - On each of the nodes, create a virtual network adapter:
     - The virtual network adapters must be disabled. You can create the virtual network adapters in the disabled state or disable them after creation.
     - The virtual network adapters on both nodes must have the same IP address.
   - Use a third-party load balancer. For example, you can use an nginx server. In this case, do the following:
     - Provide a dedicated Linux-based computer with nginx installed.
     - Configure load balancing. Set the active node as the main server and the passive node as the backup server.
     - On the nginx server, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13291, TCP 13299, and TCP 17000.
4. Restart both nodes and the file server.
5. Map the two shared folders that you created during the file server preparation step to each of the nodes. You must map the shared folders as network drives. When mapping the folders, you can select any vacant drive letters. To access the shared folders, use the credentials of the user account that you created before.
The nodes are prepared.
Database Management System (DBMS) installation
Select any of the supported DBMS, and then install the DBMS on a dedicated computer. As a best practice, use an HA configuration of the DBMS/SQL.
- MS SQL cluster on WSFC with Always On availability groups (SQL Server Failover Cluster Installation).
- Listener DNS Name: specifies the DNS host name of the availability group listener. The DNS name is a string that must be unique in the domain and in NetBIOS.
- Microsoft OLE DB Driver for SQL Server: introduces multi-subnet failover capabilities and keeps up with the latest TLS 1.2 standards.
- DB - KLFOC: create the database with the specified name and grant the "DB Owner" permission to the account under which the services of Kaspersky Security Center will run.
- Pre-created database on the MS SQL cluster (the DB name should be one word without special characters).
Kaspersky Security Center installation
Install Kaspersky Security Center in the failover cluster mode on both nodes. You must first install Kaspersky Security Center on the active node, and then install it on the passive one.
- How-to instructions: Installing Kaspersky Security Center on the Kaspersky failover cluster nodes
Specifying the Administration Server certificate
If necessary, you can assign a special certificate for Administration Server by using the command-line utility klsetsrvcert.
To replace the certificate, you must create a new one (for example, by means of the organization's PKI) in PKCS#12 format and pass it to the klsetsrvcert utility:
klsetsrvcert.exe --stp klfoc -t C -i "C:\KLFOC\new-cert.pfx" -p "<password>" -l "new-cert-change.log" -o "NoCA"
When the certificate is replaced, all Network Agents that were previously connected to Administration Server through SSL lose their connection and return "Administration Server authentication error". To specify the new certificate and restore the connection, you can use the klmover utility.
Settings for LAN/DMZ Gateways
- Assigning workstations (LAN-GW) to act as a distribution point:
  - Enable the "Connection Gateway" feature.
- Adding connection gateways in the DMZ as a distribution point:
  - Install the external gateways with the setting that this is a connection gateway in the DMZ.
  - On the KSC, add a distribution point as a connection gateway in the DMZ.
  - KSC initiates a connection to the gateway, and the gateway will appear as a distribution point.
  - Open the properties and set the checkbox in the Connection gateway section.
  - Create a group for the GWs and add the workstations with installed DPs and GWs.
Configuration for Network Agent Policy
- Create 2 groups for workstations, DC-1 and DC-2, and a group for the GWs.
- For both groups create policies:
  - Network Agent DC-1
  - Network Agent DC-2
- Add Connection profiles and Network Locations for the users of DC-1 and DC-2.
Testing the failover cluster
Check that you configured the failover cluster correctly and that it works properly.
For example, you can stop one of the Kaspersky Security Center services on the active node: kladminserver, klnagent, ksnproxy, klactprx, or klwebsrv. After the service is stopped, the protection management must be automatically switched to the passive node.
Troubleshooting
DB Error
Check the permissions for the gMSA account.
KLBACKUP
Run the klbackup utility with --stp klfoc:
klbackup --stp klfoc
Description and cautions
This article describes the KSC rel. 13.2 to rel. 14.x software upgrade procedure.
Prerequisites
KSC 13.2 on MS Windows
Procedure (S/N, Action):
1. Download the KSC 14 version.
2. Take a backup of the KSC Administration Server.
3. Take a backup of the KSC database.
4. Export the policies (NA, KES) and encryption keys.
5. Run cmd as administrator. On the active node, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center and run:
   klfoc -stopcluster --stp klfoc
5.1. Check that all Kaspersky Security services were stopped on both nodes.
6. Install KSC 14 on the primary node: run the ksc_14_<build number>_full_<language>.exe file.
6.1. If the name of the load balancer matches the name of the first node, the upgrade process may "freeze" and will finish after several network connection timeouts:
   EventsProcessorProxy: #1281 Failed to establish connection with the remote device (location: 'http://kscnode01.demo.lab:13000'): connection has failed.
6.2. Perform the same steps on the passive node: run the ksc_14_<build number>_full_<language>.exe file.
7. Run cmd as administrator. On the active node, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center and run:
   klfoc -startcluster --stp klfoc
8.
9. Restart the passive node or start the klfoc service.
10. Make sure and verify that the machines and policies are available in the console.
This article applies to KSC versions 13 to 14.2.
Sometimes you need to keep KSC tracing on for a long period of time to catch an error, and there is little disk space left on the system disk.
Step-by-step guide
There is a way to change the default location of the $klserver-1093.log file, using the klscflag.exe utility:
klscflag.exe -tset -pv "klserver" -l 4 -d O:\Temp
- O:\Temp can be changed to any existing folder in the file system. Remember to create this folder before running the command.
- In order to revert the trace file location to the default value, delete the TraceDir value from HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\Components\34\1093\1.0.0.0\Debug.
The same applies to the klnagent trace: custom settings should be written to the following registry branch:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Debug]
Additional option:
TraceMaxSizeMB is an optional value that enables trace file rotation for all services of Kaspersky Security Center. Its value determines the total size of the trace files in MB. The absence of the value or a zero value means that rotation is disabled. The maximum value is 102400 (0x19000), which means 100 GB.
Example of a reg file:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\Debug]
"TraceDir"="O:\\Temp"
"TraceLevel"=dword:00000004
"TraceMaxSizeMB"=dword:00002000
In this example, trace file rotation is enabled with a total trace file size of 8192 MB (8 GB). Logs will be saved to O:\Temp.
Note: in KSC 14, the klscflag.exe utility can be found in the KSC installation folder; there is no need to copy the tool.
Description and cautions
You may experience a low time-to-live value set in the ICMP network packets sent by klnagents.
The following can be seen in a Wireshark traffic dump:
Explanation:
There are two modes of distribution point search:
0 - search for the nearest DP using a tool similar to traceroute. It generates a number of ICMP packets to find out the nearest route to the DP. This is the default mode.
1 - selection of a random DP without sending such an amount of ICMP packets. This mode is configured on the Administration Server computer via the klscflag utility and is enabled for all managed hosts.
The following command should be run as administrator on the KSC Server computer to switch to mode 1:
klscflag.exe -fset -pv klserver -n SrvChooseUaMode -v 1 -t d
A restart of the kladminserver service is required to apply the change.
The distribution point will then be randomly selected among all available DPs.
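An added example (not from the article) of recognising mode 0 distribution point search in a text export of captured traffic, so that it can be told apart from other low-TTL ICMP activity: a run of ICMP probes from one klnagent host to one destination whose TTL starts at 1 and climbs one hop at a time. The line format and the addresses in SAMPLE are constructed for this example and are not a Wireshark export format.

```python
import re
from collections import defaultdict

# Constructed sample in a simple "time src -> dst proto ttl=N" form.
# 10.0.0.5 probes its DP the way klnagent does in mode 0 (TTL 1, 1, 2, 3, 4);
# 10.0.0.9 sends ordinary pings with a normal TTL.
SAMPLE = """\
0.001 10.0.0.5 -> 10.0.0.20 ICMP ttl=1
0.002 10.0.0.5 -> 10.0.0.20 ICMP ttl=1
0.010 10.0.0.5 -> 10.0.0.20 ICMP ttl=2
0.020 10.0.0.5 -> 10.0.0.20 ICMP ttl=3
0.030 10.0.0.5 -> 10.0.0.20 ICMP ttl=4
0.040 10.0.0.9 -> 10.0.0.20 ICMP ttl=128
0.050 10.0.0.9 -> 10.0.0.20 ICMP ttl=128
0.060 10.0.0.5 -> 10.0.0.20 TCP ttl=128
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+ttl=(?P<ttl>\d+)$")


def traceroute_like_flows(text, min_hops=3):
    """Return {(src, dst): hop_count} for ICMP flows whose TTL starts at 1 and
    rises in steps of 1: the signature of the nearest-DP search (SrvChooseUaMode=0).
    Repeated probes with the same TTL are allowed, as traceroute tools send them."""
    ttls = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["proto"] == "ICMP":
            ttls[(m["src"], m["dst"])].append(int(m["ttl"]))
    found = {}
    for flow, seq in ttls.items():
        hops = sorted(set(seq))
        stepwise = all(b - a == 1 for a, b in zip(hops, hops[1:]))
        if seq[0] == 1 and stepwise and len(hops) >= min_hops:
            found[flow] = len(hops)
    return found
```

Hosts that show up here are klnagents still in mode 0; after switching the server flag and restarting kladminserver as described above, these probe sequences should stop.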
You can set up and run the PLC Project Integrity Check task in the KICS4Nodes console, but it is not clear how to add PLC projects to the task settings in the KSC Console.
Before setting up the PLC Project Integrity Check task, the PLC Project Investigation task should be successfully executed.
Step-by-step guide
1. Go to the KICS4Nodes policy -> Properties -> Logs and Notifications -> Interaction with Administration Server | Settings.
2. Enable the "Versions of PLC projects" option (disabled by default). Lock the padlock. Save and apply the policy. (Data of the investigated PLC projects will be transferred to the KSC as Network lists.)
3. Go to the Properties of the target host which will have the PLC project checker role.
4. Go to the Tasks section -> select the "PLC Project Integrity Check" task -> Properties -> Settings section.
5. Click the ADD button. You will see the list of PLC projects which were collected by the PLC Project Investigation task.
6. Check the projects that you want to check and add them to the list. Enable the checkbox of the PLC configurations. Apply the task properties.
7. Run the task.
The PLC Project Integrity Check task does not start automatically after the application reboots. You should set the schedule in the task properties. We recommend running the task by schedule at application launch.
General information on ConnectWise Manage integration can be found in online help.
Enabling and disabling tracing
You may have to save traces of Kaspersky Security Integration with Tigerpaw, for example, if you contact Technical Support and they ask you to provide the traces for diagnostics and troubleshooting. It is recommended to disable tracing when the issue is resolved, as tracing requires additional resources and additional memory to store trace files. It is also recommended to remove the trace files from your computer, when the issue, which required tracing, is resolved, because the trace files may contain personal and confidential data.
By default, tracing is disabled.
There are two ways of enabling and disabling tracing for Kaspersky Security Integration with Tigerpaw components:
- Using the Microsoft Windows Registry.
- In the .config files of Kaspersky Security Integration with Tigerpaw components.
Enabling and disabling tracing using the Registry
You can enable and disable tracing using the Microsoft Windows Registry.
Before editing the Windows Registry, it is recommended that you back up the Registry.
To enable or disable tracing:
1. Click the Start button.
2. In the Start menu, either in the Run box or the Search box, type regedit and press Enter. The Registry Editor window opens. If you have restricted access to the Windows computer you are logged into, you might not be able to access the Registry.
3. In the Registry Editor window, navigate to the Kaspersky Security Integration Service for MSP or Kaspersky Security Integration Tool for MSP registry key. They are available by one of the following paths:
   - Kaspersky Security Integration Service for MSP:
     - HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Service for MSP
     - HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Service for MSP
   - Kaspersky Security Integration Tool for MSP (if the Kaspersky Security Integration Tool for MSP registry key is not displayed, either run the Kaspersky Security Integration Tool for MSP as administrator, by right-clicking the application icon and selecting Run as administrator in the context menu, or create the registry key manually):
     - HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Tool for MSP
     - HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Tool for MSP
4. Edit the value of the EnableTraces parameter as follows:
   - 1 to enable tracing.
   - 0 to disable tracing.
5. Click OK in the Edit window to save your changes.
6. Close the Registry Editor window.
The trace files are saved to the .log files in the application installation folder:
- For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
- For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application.
Enabling and disabling tracing using the .config files
You can enable and disable tracing in the .config files of Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, which are stored in the installation folders of the corresponding products.
To enable or disable tracing:
1. Navigate to the .config file of the Kaspersky Security Integration with Tigerpaw component for which you want to enable or disable tracing. The .config file is stored in the installation folder. By default, the paths are:
   - For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
   - For Kaspersky Security Integration Service for MSP the file is IntegrationServer.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
2. Open the .config file with any text editor and change the value of the minlevel attribute of the logger element as follows:
   - To enable tracing, set the value of the minlevel attribute to Debug:
     <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug" />
   - To disable tracing, set the value of the minlevel attribute to Off:
     <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Off" />
3. Save and close the modified .config file.
The trace files are saved to the .log files in the application installation folder:
- For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
- For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application.
General information on Solarwinds N-Central integration can be found in online help.
Trace logs are not created by this plugin. The integration with Solarwinds is based on PowerShell scripts launched on Solarwinds side. The only diagnostic information that is required in case of problems is the output of these scripts that can be found in SolarWinds UI.
General information on ConnectWise Manage integration can be found in online help.
Kaspersky Security Integration Service for MSP log
To collect the diagnostic log for Kaspersky Security Integration Service for MSP, take the following steps:
- Navigate to C:\Program Files\Kaspersky Lab\Kaspersky Security Integration Service for MSP
- Open the file IntegrationServer.exe.config
- Set the minlevel attribute to "Debug":
  <rules><logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug"/></rules>
To enable traces via the registry key, take the following steps:
- In the Registry Editor window, navigate to the Kaspersky Security Integration Service for MSP key: HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Service for MSP or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Service for MSP
- Set the value of the EnableTraces parameter to 0 to turn off tracing, or to 1 to enable tracing.
The diagnostic log will be written to a file named IntegrationServer.log. If you restart the Integration Service for MSP service, the new log records will be appended to the same file.
Kaspersky Security Integration Tool for MSP
To collect the diagnostic log for Kaspersky Security Integration Tool for MSP, take the following steps:
- Navigate to C:\Program Files\Kaspersky Lab\Kaspersky Security Integration Tool for MSP
- Open the file IntegrationUI.exe.config
- Set the minlevel attribute to "Debug":
  <rules><logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug"/></rules>
To enable traces via the registry key, take the following steps:
- In the Registry Editor window, navigate to the Kaspersky Security Integration Tool for MSP key: HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Tool for MSP or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Tool for MSP
- Set the value of the EnableTraces parameter to 0 to turn off tracing, or to 1 to enable tracing.
The diagnostic log will be written to a file named IntegrationUI.log. If you close and reopen the Integration Tool for MSP window, the new log records will be appended to the same file.
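An added Python example (not the product's own tooling) that switches the minlevel attribute of the MSPIntegration.* logger rule described here and in the Tigerpaw tracing article above, and confirms that the edited .config is still well-formed XML. SAMPLE_CONFIG is a constructed, minimal stand-in for IntegrationServer.exe.config, and set_trace_level_in_file is a helper assumed for this example.

```python
import re
import xml.etree.ElementTree as ET

TRACE_LEVELS = ("Debug", "Off")   # the two minlevel values the articles use

# Matches the MSPIntegration.* logger rule and captures its minlevel value.
LOGGER_RE = re.compile(
    r'(<logger\b[^>]*\bname="MSPIntegration\.\*"[^>]*\bminlevel=")([^"]*)(")')

# Constructed minimal stand-in for IntegrationServer.exe.config: only the
# <rules> block matters here; the real file contains much more.
SAMPLE_CONFIG = """<configuration>
  <nlog>
    <targets>
      <target name="fileTarget" type="File" fileName="IntegrationServer.log" />
    </targets>
    <rules>
      <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Off" />
    </rules>
  </nlog>
</configuration>
"""


def trace_level(config_xml):
    """Current minlevel of the MSPIntegration.* rule, or None if there is no such rule."""
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "logger" and el.get("name") == "MSPIntegration.*":
            return el.get("minlevel")
    return None


def set_trace_level(config_xml, level):
    """Return the config text with minlevel set on the MSPIntegration.* rule.

    The edit is textual so the rest of the file (comments, layout, declaration)
    is preserved; the result is re-parsed to confirm it is still well-formed XML.
    """
    if level not in TRACE_LEVELS:
        raise ValueError(f"unsupported minlevel {level!r}; expected one of {TRACE_LEVELS}")
    new_xml, hits = LOGGER_RE.subn(lambda m: m.group(1) + level + m.group(3), config_xml)
    if hits == 0:
        raise ValueError('no <logger name="MSPIntegration.*"> rule found')
    ET.fromstring(new_xml)   # raises ParseError if the file is not well-formed
    return new_xml


def set_trace_level_in_file(path, level, backup_suffix=".bak"):
    """Rewrite the .config on disk, leaving a backup copy beside it."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    updated = set_trace_level(original, level)   # validate before touching the file
    with open(path + backup_suffix, "w", encoding="utf-8") as f:
        f.write(original)
    with open(path, "w", encoding="utf-8") as f:
        f.write(updated)
    return updated
```

Switching back to Off once the diagnostics are collected (and deleting the .log files) matters because, as the articles note, the traces may contain personal and confidential data.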
Integration components installation logs
Installation logs are always written to four files in c:\windows\temp:
- $klssinstlib.log
- $akinstlib.txt
- $msp_msi*.log
- $msp_setup*.log
General information on ConnectWise Automate integration can be found in online help.
LabTech service logs
You can access service logs on a LabTech server by launching LabTech Control Center and then navigating to Dashboard → Management → Service Logs. Then select Go To Computer and select the LabTech server.
To view diagnostic info for managed client hosts, you should first refresh the information by clicking Commands → LabTech → Send LabTech Error Log. On both LabTech servers and client hosts, diagnostic information is stored in the file C:\Windows\LTSvc\LTErrors.txt. The file is truncated whenever you click Send LabTech Error Log.
Plugin for LabTech integration logs
Plugin diagnostic information is stored in C:\Windows\Temp\KasperskyPluginLogs\KasperskyPlugin.txt. This log is automatically rotated: after reaching 1 MB the file is moved to an archive and a new log is written to the same file. There is a limit of 10 archives. Upon reaching the limit, the oldest archive is overwritten every time a new archive is created.
General information on ConnectWise Manage integration can be found in online help.
Enabling and disabling tracing
You may have to save traces of Kaspersky Security Integration with Autotask, for example, if you contact Technical Support and they ask you to provide the traces for diagnostics and troubleshooting. It is recommended to disable tracing when the issue is resolved, because tracing requires additional resources and additional memory to store trace files. It is also recommended to remove the trace files from your computer when the issue that required tracing is resolved, because the trace files may contain personal and confidential data.
By default, tracing is disabled.
There are two ways of enabling and disabling tracing for Kaspersky Security Integration with Autotask components:
- Using the Microsoft Windows Registry.
- In the .config files of Kaspersky Security Integration with Autotask components.
Enabling and disabling tracing using the Registry
You can enable and disable tracing using the Microsoft Windows Registry.
To enable or disable tracing:
Before editing the Windows Registry, it is recommended that you back up the Registry.
- Click the Start button.
- In the Start menu, either in the Run box or the Search box, type regedit and press Enter. The Registry Editor window opens.
If you have restricted access to the Windows computer you are logged into, you might not be able to access the Registry.
- In the Registry Editor window, navigate to the Kaspersky Security Integration Service for MSP or Kaspersky Security Integration Tool for MSP registry key. They are available at one of the following paths:
Kaspersky Security Integration Service for MSP
- HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Service for MSP
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Service for MSP
Kaspersky Security Integration Tool for MSP
- HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Tool for MSP
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Tool for MSP
If the Kaspersky Security Integration Tool for MSP registry key is not displayed, either run Kaspersky Security Integration Tool for MSP as administrator (by right-clicking the application icon and selecting Run as administrator in the context menu), or create the registry key manually.
- Edit the value of the EnableTraces parameter as follows:
1 enables tracing.
0 disables tracing.
- Click OK in the Edit window to save your changes.
- Close the Registry Editor window.
The trace files are saved to .log files in the application installation folder:
- For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
- For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application.
Enabling and disabling tracing using the .config files
You can enable and disable tracing in the .config files of Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, which are stored in the installation folders of the corresponding products.
To enable or disable tracing:
- Navigate to the .config file of the Kaspersky Security Integration with Autotask component for which you want to enable or disable tracing. The .config file is stored in the installation folder. By default, the paths are:
For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
For Kaspersky Security Integration Service for MSP the file is IntegrationServer.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
- Open the .config file with any text editor and change the value of the minlevel attribute of the logger element as follows:
To enable tracing, set the value of the minlevel attribute to Debug:
<logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug" />
To disable tracing, set the value of the minlevel attribute to Off:
<logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Off" />
- Save and close the modified .config file.
The trace files are saved to .log files in the application installation folder:
- For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder.
- For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder.
When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application.
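Both mechanisms above, applied to both components from one script, as an added example in Python (not code from the article or from Kaspersky). It assumes that EnableTraces is a REG_DWORD value, that the script runs elevated on the integration host, and that the default installation folders named in the article are in use; the SAMPLE_CONFIG fragment is constructed for the demonstration and is not a real Kaspersky file.

```python
# Added example (not code from the article or from Kaspersky): switch tracing on or off for both
# Kaspersky Security Integration with Autotask components from a script, using the two mechanisms
# described above (the EnableTraces registry value and the minlevel attribute of the <logger>
# element in the .exe.config files), and delete the trace files when tracing is switched off.
# Assumptions: EnableTraces is a REG_DWORD, the script runs elevated on the integration host, and
# the default installation folders from the article are in use.
import re
import sys
from pathlib import Path

INSTALL_ROOT = Path(r"C:\Program Files (x86)\Kaspersky Lab")
COMPONENTS = {  # component folder name -> (.config file, trace file), as listed in the article
    "Kaspersky Security Integration Tool for MSP": ("IntegrationUI.exe.config", "IntegrationUI.log"),
    "Kaspersky Security Integration Service for MSP": ("IntegrationServer.exe.config", "IntegrationServer.log"),
}
LOGGER_TAG = re.compile(r"<logger\b[^>]*>")

SAMPLE_CONFIG = """<configuration>
  <nlog>
    <rules>
      <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Off" />
    </rules>
  </nlog>
</configuration>
"""  # constructed fragment in the shape the article shows, not a real Kaspersky file


def set_config_trace_level(config_text, enable):
    """Rewrite minlevel on the MSPIntegration.* logger: Debug enables tracing, Off disables it.
    Edits the text directly so everything else in the .config file stays byte-for-byte the same."""
    level = "Debug" if enable else "Off"
    hits = 0

    def fix(match):
        nonlocal hits
        tag = match.group(0)
        if 'name="MSPIntegration.*"' not in tag:
            return tag  # some other logger: leave it alone
        hits += 1
        return re.sub(r'minlevel="[^"]*"', f'minlevel="{level}"', tag)

    new_text = LOGGER_TAG.sub(fix, config_text)
    if hits == 0:
        raise ValueError('no <logger name="MSPIntegration.*" ...> element found')
    return new_text


def set_registry_tracing(enable):
    """Set EnableTraces to 1 or 0 under each component key, trying both the native and the
    Wow6432Node path; returns the keys that were written. Windows only (needs winreg)."""
    import winreg
    written = []
    for component in COMPONENTS:
        for sub in (r"SOFTWARE\KasperskyLab", r"SOFTWARE\Wow6432Node\KasperskyLab"):
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{sub}\\{component}", 0, winreg.KEY_SET_VALUE) as key:
                    winreg.SetValueEx(key, "EnableTraces", 0, winreg.REG_DWORD, 1 if enable else 0)
                    written.append(f"HKLM\\{sub}\\{component}")
            except FileNotFoundError:
                continue  # the Tool key may not exist until the tool has been run as administrator
    return written


def apply_tracing(enable, root=INSTALL_ROOT):
    """Apply both mechanisms. When disabling, also delete the .log files: the article notes they
    may contain personal and confidential data, so do not leave them behind."""
    result = {"config": [], "removed": [], "registry": []}
    for component, (config_name, log_name) in COMPONENTS.items():
        config = root / component / config_name
        if config.exists():
            text = config.read_text(encoding="utf-8")
            config.with_name(config.name + ".bak").write_text(text, encoding="utf-8")  # keep a backup
            config.write_text(set_config_trace_level(text, enable), encoding="utf-8")
            result["config"].append(str(config))
        log = root / component / log_name
        if not enable and log.exists():
            try:
                log.unlink()
                result["removed"].append(str(log))
            except PermissionError:
                pass  # still held open by the running service: stop the service, then delete it
    if sys.platform == "win32":
        result["registry"] = set_registry_tracing(enable)
    return result
```

Run apply_tracing(True) to enable and apply_tracing(False) to disable; the config edit is text-based on purpose, because re-serialising the .exe.config through an XML library would rewrite namespace prefixes and whitespace in a file the service depends on.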
There are a few scenarios for backing up telemetry so that it is not lost if an operation on a KATA node (such as an upgrade) fails.
1. This is the scenario we suggest using.
1) Disconnect the PCN and SCNs;
2) Run the pre-upgrade script;
3) Mount storage for the telemetry backup (an HDD, network storage, etc.);
4) Copy the elasticsearch volume to the mounted storage as a tar.gz archive;
5) Run the upgrade normally.
Of course, you should also back up KATA using the built-in methods. You will then have two backups: one for KATA settings and one for events (telemetry). If problems occur, you can apply both backups to restore the entire KATA node.
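Step 4 of this scenario, as an added example in Python (not part of the original post): it archives the volume to the mounted storage as tar.gz, writes a SHA-256 sidecar next to it, and refuses to restore an archive that does not verify. The volume path and the mount point are assumptions to be replaced with the real ones on the KATA node; the sample volume in self_check is constructed for the demonstration.

```python
# Added example, not from the original post: archive a directory (the elasticsearch volume of the
# KATA node) to mounted backup storage as tar.gz, write a SHA-256 sidecar, and verify the archive
# before the upgrade proceeds. The volume path and the mount point are assumptions; substitute the
# real ones, and stop the services writing to the volume first so the copy is consistent.
import hashlib
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def volume_size(volume):
    return sum(p.stat().st_size for p in Path(volume).rglob("*") if p.is_file())


def backup_volume(volume, dest):
    """Create <dest>/<volume name>-<UTC stamp>.tar.gz plus a .sha256 sidecar; returns the archive path."""
    volume, dest = Path(volume), Path(dest)
    need, free = volume_size(volume), shutil.disk_usage(dest).free
    if free < need:  # gzip will usually shrink the data, but plan for the uncompressed size
        raise OSError(f"{dest}: {free} bytes free, volume is {need} bytes")
    archive = dest / f"{volume.name}-{time.strftime('%Y%m%dT%H%M%SZ', time.gmtime())}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(volume, arcname=volume.name)  # members are stored relative to the volume's parent
    Path(f"{archive}.sha256").write_text(f"{sha256_of(archive)}  {archive.name}\n")  # sha256sum -c format
    return archive


def verify_backup(archive):
    """True when the sidecar checksum matches and every member can be read back from the archive."""
    archive = Path(archive)
    sidecar = Path(f"{archive}.sha256")
    if not sidecar.exists() or sidecar.read_text().split()[0] != sha256_of(archive):
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar:
                if member.isfile():
                    with tar.extractfile(member) as f:
                        while f.read(1 << 20):
                            pass
        return True
    except (tarfile.TarError, OSError):
        return False


def restore_volume(archive, parent):
    """Unpack the volume under <parent>, refusing unverified archives and members that escape <parent>."""
    archive, parent = Path(archive), Path(parent).resolve()
    if not verify_backup(archive):
        raise ValueError(f"{archive} failed verification")
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if m.islnk() or m.issym() or not (parent / m.name).resolve().is_relative_to(parent):
                raise ValueError(f"refusing unsafe member {m.name}")
        tar.extractall(parent, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
    return parent


def self_check():
    """Round trip on a constructed sample volume in a temporary directory (not real KATA data)."""
    root = Path(tempfile.mkdtemp())
    try:
        vol = root / "elasticsearch" / "nodes" / "0"
        vol.mkdir(parents=True)
        (vol / "data.bin").write_bytes(b"index data")
        (root / "backup").mkdir()
        (root / "restore").mkdir()
        arc = backup_volume(root / "elasticsearch", root / "backup")
        verified = verify_backup(arc)
        restore_volume(arc, root / "restore")
        restored = (root / "restore" / "elasticsearch" / "nodes" / "0" / "data.bin").read_bytes()
        with open(arc, "ab") as f:
            f.write(b"x")  # corrupt the archive: verification must now fail
        return {"verified": verified, "restored": restored, "verified_after_corruption": verify_backup(arc)}
    finally:
        shutil.rmtree(root)
```

Run verify_backup on the archive again just before starting the upgrade, and keep the .sha256 sidecar with the archive: it is in sha256sum -c format, so the check can also be done from the shell on the storage host.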
2. This scenario requires many days.
You can configure the export of telemetry to an external SIEM system. You then need to wait as many days as you need to store the telemetry. After these days (e.g. 90 days), you can run an update and be sure that the telemetry will not be lost, because it is stored in the external SIEM system.
3. Last scenario: create a snapshot of your KATA VM before the upgrade.
1) Disconnect the PCN and SCNs;
2) Shut down your KATA node;
3) Take a snapshot of the KATA node virtual machine;
4) Turn the VM back on;
5) Run the upgrade steps normally.
Keep in mind that this snapshot is only usable for a few days: after a couple of weeks it becomes obsolete and can no longer be used to rebuild the KATA node; simply put, the node will crash if you run the snapshot a few weeks later.
KSC API use cases examples - tasks results and statistics data for Dashboards and Reports [KSC for Windows]
in Advice and solutions for Kaspersky Security Center
Description and cautions
The article shares working examples of using KSC API calls for one of the available scenarios - retrieving tasks results and statistics data for Dashboards and Reports.
For the Windows version of cURL, you need to specify that the arguments need to be escaped with "\", otherwise there will be an error. For example: 'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'
Details
Prerequisites
Examples
Credentials:
Login
Start a connection to KSC (Session::StartSession):
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
--header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'
The user name and password are sent base64-encoded inside the HTTPS session. Base64 is an encoding, not encryption, so encode the credentials with a local tool (for example the base64 utility, or [Convert]::ToBase64String in PowerShell) rather than pasting real credentials into an online encoder such as https://www.base64encode.org/.
Response:
{"PxgRetVal":"nsPbUpP1oAVZlM1lODEbg8A=="}
PxgRetVal is the session token; pass it in the X-KSC-Session header of every following request.
Policies changes alert \ Critical task status
Audit events available
Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessingFactory.CreateEventProcessing2' \
--header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' \
--header 'Content-Type: application/json' \
--data-raw '{"pFilter": {"EVP_INCL_GNRL_EVENTS":true,"EVP_INCL_TASK_STATES":false,"EVP_MAX_EVENTS_COUNT": 3000,"KLEVP_EVENT_GNRL_TYPES_ARRAY": ["KLAUD_EV_SERVERCONNECT","KLAUD_EV_OBJECTMODIFY","KLAUD_EV_TASK_STATE_CHANGED","KLAUD_EV_ADMGROUP_CHANGED","KLAUD_EV_SERVERDISCONNECT","KLAUD_EV_OBJECTPROPMODIFIED","KLAUD_EV_OBJECTACLMODIFIED"],"Name":"Audit events","PredefinedID":"PREDEFINED_QUERY_ID_AUDIT_EVENTS"},"vecFieldsToReturn": ["event_db_id","rise_time","hostname","hostdn","event_type","event_type_display_name","GNRL_EA_DESCRIPTION","group_id","group_name","product_name","product_version","product_displ_version","GNRL_EA_SEVERITY","GNRL_EA_PARAM_1","GNRL_EA_PARAM_8","task_display_name","registration_time","KLVSRV_DN","KLEVP_EVENT_GROUP_TASK_ID","GNRL_EA_PARAM_3"],"vecFieldsToOrder": [],"lifetimeSec": 1000}'
Response (iterator ID):
{"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF"}
Read the records from the iterator (EventProcessing::GetRecordRange):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
--header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' \
--header 'Content-Type: application/json' \
--data-raw '{"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF","nStart": 0,"nEnd": 100}'
Response (event records):
{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY".....
Detection of threats:
Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessingFactory.CreateEventProcessing2' \
--header 'X-KSC-Session: n/euPaWcHBCk5Oz76XFLsSg==' \
--header 'Content-Type: application/json' \
--data-raw '{"pFilter": {"KLEVP_EVENT_TYPE":"GNRL_EV_VIRUS_FOUND"},"vecFieldsToReturn": ["event_db_id","rise_time","hostname","hostdn","event_type","event_type_display_name","GNRL_EA_DESCRIPTION","group_id","group_name","product_name","product_version","product_displ_version","GNRL_EA_SEVERITY","GNRL_EA_PARAM_1","GNRL_EA_PARAM_8","task_display_name","registration_time","KLVSRV_DN","KLEVP_EVENT_GROUP_TASK_ID"],"vecFieldsToOrder": [],"lifetimeSec": 1000}'
Response (iterator ID):
{"strIteratorId":"48E14F430EF0058BB039929318693123"}
Read the records from the iterator (EventProcessing::GetRecordRange):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
--header 'X-KSC-Session: n/euPaWcHBCk5Oz76XFLsSg==' \
--header 'Content-Type: application/json' \
--data-raw '{"strIteratorId":"48E14F430EF0058BB039929318693123","nStart": 0,"nEnd": 20}'
Response (event records):
{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY".....
Critical task status
Status of a critical task:
For example, Backup of Administration Server data.
strTask is the task ID shown in the Web Console (nmw-web-console) URL when the task is opened, for example https://localhost:8080/#/management/tasks/148.
Acquire the task execution history events (Tasks::GetTaskHistory):
curl --location --request POST 'https://localhost:13299/api/v1.0/Tasks.GetTaskHistory' \
--header 'X-KSC-Session: n/Uvfki+u+pAmb8jjMzVBzg==' \
--header 'Content-Type: application/json' \
--data-raw '{"pSortFields": [{"type":"params","value":{"Name":"rise_time","Asc":false}}],"pFields2Return": ["hostdn","group_name","task_new_state","KLVSRV_DN","rise_time","GNRL_EA_DESCRIPTION"],"strHostName":"KSC","pFilter": {"type":"params","value": {}},"strTask":"103"}'
strHostName is the Administration Server host name; strTask is the task ID taken from the Web Console.
Response (iterator ID):
{"strIteratorId":"2C356F1FA5B5875980950999AD036094"}
Read the records from the iterator (EventProcessing::GetRecordRange):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
--header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
--header 'Content-Type: application/json' \
--data-raw '{"strIteratorId":"2C356F1FA5B5875980950999AD036094","nStart": 0,"nEnd": 20}'
Response (task history records; task_new_state is the state code the task changed to):
{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY":[{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:47:57Z"},"task_new_state":1}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Invalid destination folder. ","group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:03Z"},"task_new_state":3}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:03Z"},"task_new_state":1}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:02Z"},"task_new_state":32}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:45:58Z"},"task_new_state":32}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:45:58Z"},"task_new_state":1}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-16T23:04:00Z"},"task_new_state":4}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-14T23:04:00Z"},"task_new_state":4}}]}}
Information at Reports
Enumerate all existing reports (ReportManager::EnumReports):
curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.EnumReports' \
--header 'X-KSC-Session: nejYJnFLwJgs14KpxeH9UMA=='
Response (all reports; RPT_ID, 27 here, is the lReportId for ReportManager::ExecuteReportAsync):
{"PxgRetVal": [{"type":"params","value": {"RPT_CREATED": {"type":"datetime","value":"2021-04-30T12:39:00Z"},"RPT_DN":"Report on file operations on removable drives","RPT_EXTRA_DATA": {"type":"params","value": {"KLRPT_DONT_USE_SPACES_FOR_SLASHES":false,"KLRPT_EXPAND_PERIOD":true,"KLRPT_GLOBAL_SCOPE":false,"KLRPT_OWNER_SRV_INSTANCE":"e71217d1-4a96-462c-a56a-6112bdc5369b","KLRPT_PROTECTION_INCLUDE_OK":false,"KLRPT_PROTECTION_INCLUDE_VM":true,"KLRPT_PROTECTION_INCLUDE_WARNING":true,"KLRPT_REPORT_ID": 27,"KLRPT_SLAVE_EXEC_TIMEOUT": 300,"KLRPT_SLAVE_REC_DEPTH": 1,"KLRPT_TEMPORAL":false}},"RPT_GROUP_ID": 0,"RPT_ID": 27,"RPT_MODIFIED": {"type":"datetime","value":"2021-04-30T12:39:00Z"},"RPT_TYPE": 0}}, .....
USB Data transfer alert \ Report on file operations on removable drives available
Execute the report (ReportManager::ExecuteReportAsync):
curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.ExecuteReportAsync' \
--header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
--header 'Content-Type: application/json' \
--data-raw '{"lReportId": 27,"pOptions": {"KLRPT_OUTPUT_FORMAT": {"type":"params","value": {"KLRPT_TARGET_TYPE": 2}}}}'
Response (request ID):
{"strRequestId":"e54ff81b-bfe7-46bb-8f60-de1865bce47c"}
Check the status of the async action (AsyncActionStateChecker::CheckActionState):
curl --location --request POST 'https://localhost:13299/api/v1.0/AsyncActionStateChecker.CheckActionState' \
--header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
--header 'Content-Type: application/json' \
--data-raw '{"wstrActionGuid":"e54ff81b-bfe7-46bb-8f60-de1865bce47c"}'
Response (KLRPT_OUTPUT_FILE):
{"bFinalized":true,"bSuccededFinalized":true,"lStateCode":1,"pStateData":{"KLRPT_OUTPUT_FILE":"/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json","KLRPT_OUTPUT_FORMAT":{"type":"params","value":{"KLRPT_TARGET_TYPE":2}}},"lNextCheckDelay":0}
If bFinalized is false, repeat the check after lNextCheckDelay; when it is true, the report file path is returned in KLRPT_OUTPUT_FILE.
Get the data:
curl --location --request GET 'https://localhost:13299/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json' \
--header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg=='
Response with the report data:
{"data":{"summary":{"heading":"Report on file operations on removable drives","subhead":"Report on file operations on removable drives","description":"This report provides information about file operations performed on removable drives. This report is generated for all groups.", ......
These commands can be used for all reports.
Information at Dashboard
KLRPT_DSH_TYPE values used below (from the "List of statistics dashboards types and attributes" in the KSC Open API reference):
- 8 - Distribution of anti-virus protection states over time.
- 14 - Most heavily infected devices.
- 18, 19 - Most frequent threats.
- 20 - Current state of anti-virus protection (number of hosts with the status Critical, Warning, and OK).
- 22 - used below for the AV Definition Status request.
- 42 - Prohibited applications.
- 56 - used below for the threat detection request.
AV Definition Status
Send the request to obtain the required data (ReportManager::RequestStatisticsData):
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/ReportManager.RequestStatisticsData' \
--header 'X-KSC-Session: npczf1aapMkBcNOV9rhVgHA==' \
--header 'Content-Type: application/json' \
--data-raw '{"pRequestParams": {"KLPPT_DASHBOARD": {"type":"params","value": {"AV-DB-2": {"type":"params","value": {"KLRPT_DSH_TYPE": 22,"bIncludeVS":false,"id": 0}}}}}}'
AV-DB-2 is a caller-chosen unique name for the requested dashboard and is echoed back in the result; KLRPT_DSH_TYPE 22 is the dashboard type from the list above.
Response (request ID):
{"strRequestId":"BA357813B44D88306228D8614B081C11"}
Get the result of the request (ReportManager::GetStatisticsData):
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/ReportManager.GetStatisticsData' \
--header 'X-KSC-Session: npczf1aapMkBcNOV9rhVgHA==' \
--header 'Content-Type: application/json' \
--data-raw '{"strRequestId": "BA357813B44D88306228D8614B081C11"}'
strRequestId is the value returned by ReportManager.RequestStatisticsData.
Response (statistics dashboard):
{"pResultData":{"KLPPT_DASHBOARD":{"type":"params","value":{"AV-DB-2":{"type":"params","value":{"KLRPT_DSH_TYPE":22,"bIncludeVS":false,"id":0,"nCount3Days":0,"nCount7Days":4,"nCountActual":1,"nCountDay":0,"nCountOld":1}}}}}}
Threat detection details (Critical, High, Medium)
Send the request to obtain the required data (ReportManager::RequestStatisticsData):
curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.RequestStatisticsData' \
--header 'X-KSC-Session: nz3Z1sQYVGWmpOcuBbRfjGQ==' \
--header 'Content-Type: application/json' \
--data-raw '{"pRequestParams": {"KLPPT_DASHBOARD": {"type":"params","value":{"threatsDetection-1": {"type":"params","value": {"KLPPT_StatPeriodInSec": 2592000,"KLRPT_DSH_TYPE": 56,"bIncludeVS":false,"id": 0}},"prohibitedApps-1": {"type":"params","value": {"KLPPT_StatPeriodInSec": 2592000,"KLRPT_DSH_TYPE": 42,"bIncludeVS":false,"id": 0}},"infectedDevices-1": {"type":"params","value": {"KLPPT_StatPeriodInSec": 2592000,"KLRPT_DSH_TYPE": 14,"bIncludeVS":false,"id": 0}},"frequentThreats0": {"type":"params","value": {"KLPPT_StatPeriodInSec": 2592000,"KLRPT_DSH_TYPE": 18,"bIncludeVS":false,"id": 0}},"frequentThreats1": {"type":"params","value": {"KLPPT_StatPeriodInSec": 2592000,"KLRPT_DSH_TYPE": 19,"bIncludeVS":false,"id": 0}}}}}}'
The dashboard names (threatsDetection-1 and so on) are caller-chosen; several dashboards can be requested in one call. KLPPT_StatPeriodInSec 2592000 is a 30-day window.
Response (request ID):
{"strRequestId":"D988500C858EBAE332816C34E5588F7F"}
Get the result of the request (ReportManager::GetStatisticsData):
curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.GetStatisticsData' \
--header 'X-KSC-Session: nz3Z1sQYVGWmpOcuBbRfjGQ==' \
--header 'Content-Type: application/json' \
--data-raw '{"strRequestId": "D988500C858EBAE332816C34E5588F7F"}'
Response (statistics dashboards):
{"pResultData":{"KLPPT_DASHBOARD":{"type":"params","value":{"frequentThreats01":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":28,"wstrName":"EICAR-Test-File"}},{"type":"params","value":{"nCount":28,"wstrName":"UDS:HackTool.Win32.CreDump.cr"}},{"type":"params","value":{"nCount":24,"wstrName":"UDS:Trojan.Win32.Generic"}},{"type":"params","value":{"nCount":19,"wstrName":"HEUR:Trojan-PSW.Win64.Mimikatz.gen"}},{"type":"params","value":{"nCount":15,"wstrName":"Trojan-PSW.Win32.Mimikatz.gen"}},{"type":"params","value":{"nCount":5,"wstrName":"HEUR:Trojan-PSW.Win64.Convagent.gen"}},{"type":"params","value":{"nCount":2,"wstrName":"UDS:Trojan.Win32.Agent.xadwev"}},{"type":"params","value":{"nCount":1,"wstrName":"Trojan.Multi.GenAutorunProc.a"}},{"type":"params","value":{"nCount":1,"wstrName":"http://bug.qainfo.ru/test/wmuf_w/"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":18,"bIncludeVS":false,"id":0}},"frequentThreats12":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":27,"wstrName":"UDS:HackTool.Win32.CreDump.cr"}},{"type":"params","value":{"nCount":22,"wstrName":"UDS:Trojan.Win32.Generic"}},{"type":"params","value":{"nCount":9,"wstrName":"EICAR-Test-File"}},{"type":"params","value":{"nCount":4,"wstrName":"HEUR:Trojan-PSW.Win64.Mimikatz.gen"}},{"type":"params","value":{"nCount":3,"wstrName":"Trojan-PSW.Win32.Mimikatz.gen"}},{"type":"params","value":{"nCount":1,"wstrName":"HEUR:Trojan-PSW.Win64.Convagent.gen"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":19,"bIncludeVS":false,"id":0}},"infectedDevices-2":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":114,"wstrInternalName":"1ccdd245-2850-424a-9f63-a35b115cbced","wstrName":"WIN10-KES-EDR"}},{"type":"params","value":{"nCount":7,"wstrInternalName":"3e043993-8332-4e1c-958e-a750cd3d0c7c","wstrName":"KHRAMEEV-WIN10"}},{"type":"params","value":{"nCount":2,"wstrInternalName":"c160e768-ba47-47e7-a905-d7c3d39b74d4","wstrName":"khrameev-ub19"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":14,"bIncludeVS":false,"id":0}},"prohibitedApps-2":{"type":"params","value":{"DSHT_DATA":[],"KLPPT_StatPeriodInSec":2592000,"KLRPT_DSH_TYPE":42,"bIncludeVS":false,"id":0}},"threatsDetection-2":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":67,"nType":1,"wstrName":"File Threat Protection"}},{"type":"params","value":{"nCount":45,"nType":10,"wstrName":"Scan task"}},{"type":"params","value":{"nCount":9,"nType":3,"wstrName":"Web Threat Protection"}},{"type":"params","value":{"nCount":2,"nType":6,"wstrName":"Host Intrusion Prevention"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:28Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:28Z"},"KLRPT_DSH_TYPE":56,"bIncludeVS":false,"id":0}}}}}
End the session to KSC (Session::EndSession):
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
--header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='
X-KSC-Session is the PxgRetVal returned by Session.StartSession.
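The call patterns of this article (session start and end, the EventProcessing iterator used for audit events, threat detection and task history, and the asynchronous report flow) wrapped in a small Python client, as an added example that is not code from the article or from Kaspersky. The address, port, user and password are the article's; the certificate pinning, the error handling and the fake_transport responses (constructed to match the shapes shown above, not captured from a server) are this example's assumptions.

```python
# Added example (not code from the article or from Kaspersky): a small KSC Open API client for the
# call patterns shown above: StartSession/EndSession, paging an EventProcessing iterator, polling an
# async report. HTTP goes through a pluggable transport; fake_transport returns constructed responses.
import base64, json, ssl, time, urllib.request

def ksc_basic_auth(user, password):
    b64 = lambda s: base64.b64encode(s.encode()).decode()  # encoding, not protection: HTTPS only
    return f'KSCBasic user="{b64(user)}", pass="{b64(password)}", internal="1"'

def unwrap(v):
    # KSC wraps values as {"type": "params"|"datetime"|"long"|..., "value": x}; strip them recursively
    if isinstance(v, dict):
        return unwrap(v["value"]) if set(v) == {"type", "value"} else {k: unwrap(x) for k, x in v.items()}
    return [unwrap(x) for x in v] if isinstance(v, list) else v

def https_transport(cafile):
    # Pin the Administration Server certificate (self-signed by default: export it and pass it as cafile)
    # instead of disabling verification, and connect by the host name that certificate was issued to.
    ctx = ssl.create_default_context(cafile=cafile)
    def send(method, url, headers, body):  # raises urllib.error.HTTPError on 4xx/5xx
        with urllib.request.urlopen(urllib.request.Request(url, data=body, method=method, headers=headers), context=ctx, timeout=30) as r:
            return r.status, r.read()
    return send

class KscClient:
    def __init__(self, base_url, transport):
        self.base_url, self.transport, self.session = base_url.rstrip("/"), transport, None
    def call(self, method, params=None, headers=None):
        hdr = {"Content-Type": "application/json", **(headers or {})}
        if self.session:
            hdr["X-KSC-Session"] = self.session
        status, raw = self.transport("POST", f"{self.base_url}/api/v1.0/{method}", hdr, json.dumps(params or {}).encode())
        data = json.loads(raw or b"{}")
        if status != 200 or "PxgError" in data:  # API-level failures arrive as a PxgError object
            raise RuntimeError(f"{method}: HTTP {status} {data.get('PxgError')}")
        return data
    def start_session(self, user, password):
        self.session = self.call("Session.StartSession", headers={"Authorization": ksc_basic_auth(user, password)})["PxgRetVal"]
    def end_session(self):
        self.call("Session.EndSession")
        self.session = None
    def iter_records(self, iterator_id, page=100):
        start = 0  # advance by the rows actually returned, so this is right whether nEnd is inclusive or not
        try:
            while True:
                data = self.call("EventProcessing.GetRecordRange", {"strIteratorId": iterator_id, "nStart": start, "nEnd": start + page - 1})
                rows = unwrap(data).get("pParamsEvents", {}).get("KLEVP_EVENT_RANGE_ARRAY", [])
                if not rows:
                    return
                yield from rows
                start += len(rows)
        finally:  # release server-side iterator state even if the consumer stops early
            self.call("EventProcessing.ReleaseIterator", {"strIteratorId": iterator_id})
    def wait_action(self, guid, sleep=time.sleep, max_polls=120):
        for _ in range(max_polls):
            st = self.call("AsyncActionStateChecker.CheckActionState", {"wstrActionGuid": guid})
            if st.get("bFinalized"):
                if not st.get("bSuccededFinalized"):
                    raise RuntimeError(f"action {guid} failed: {st.get('pStateData')}")
                return unwrap(st.get("pStateData", {}))
            sleep(max(st.get("lNextCheckDelay", 1000), 100) / 1000)  # lNextCheckDelay is in milliseconds
        raise TimeoutError(guid)

def fetch_events(client, pfilter, fields, page=100):
    it = client.call("EventProcessingFactory.CreateEventProcessing2", {"pFilter": pfilter, "vecFieldsToReturn": fields, "vecFieldsToOrder": [], "lifetimeSec": 1000})
    return list(client.iter_records(it["strIteratorId"], page))

def run_report(client, report_id, sleep=time.sleep):
    req = client.call("ReportManager.ExecuteReportAsync", {"lReportId": report_id, "pOptions": {"KLRPT_OUTPUT_FORMAT": {"type": "params", "value": {"KLRPT_TARGET_TYPE": 2}}}})
    path = client.wait_action(req["strRequestId"], sleep=sleep)["KLRPT_OUTPUT_FILE"]  # e.g. /KLRT/<guid>.json
    status, raw = client.transport("GET", f"{client.base_url}{path}", {"X-KSC-Session": client.session}, None)
    if status != 200:
        raise RuntimeError(f"GET {path}: HTTP {status}")
    return json.loads(raw)

SESSION = "nsPbUpP1oAVZlM1lODEbg8A=="  # constructed stand-in data below is shaped like the article's responses, not captured from KSC
ROWS = [{"type": "params", "value": {"hostdn": "KSC", "task_new_state": s, "rise_time": {"type": "datetime", "value": f"2022-01-18T11:4{i}:00Z"}}} for i, s in enumerate((1, 3, 4))]
CANNED = {"EventProcessingFactory.CreateEventProcessing2": {"strIteratorId": "A07B69A5347CF435DB66C0FA826371FF"}, "ReportManager.ExecuteReportAsync": {"strRequestId": "e54ff81b-bfe7-46bb-8f60-de1865bce47c"},
          "AsyncActionStateChecker.CheckActionState": {"bFinalized": True, "bSuccededFinalized": True, "lNextCheckDelay": 0, "pStateData": {"KLRPT_OUTPUT_FILE": "/KLRT/demo.json"}},
          "demo.json": {"data": {"summary": {"heading": "Report on file operations on removable drives"}}}}

def fake_transport(method, url, headers, body):
    name, req = url.rsplit("/", 1)[-1], json.loads(body or b"{}")
    if name == "Session.StartSession":
        return 200, json.dumps({"PxgRetVal": SESSION}).encode()
    if headers.get("X-KSC-Session") != SESSION:  # every other call must carry the session token
        return 200, json.dumps({"PxgError": {"code": 1, "message": "no session"}}).encode()
    if name == "EventProcessing.GetRecordRange":  # treats nEnd as inclusive
        return 200, json.dumps({"pParamsEvents": {"KLEVP_EVENT_RANGE_ARRAY": ROWS[req["nStart"]:req["nEnd"] + 1]}}).encode()
    return 200, json.dumps(CANNED.get(name, {})).encode()

def demo():
    c = KscClient("https://127.0.0.1:13299", fake_transport)
    c.start_session("api-user", "password")
    try:
        events = fetch_events(c, {"KLEVP_EVENT_TYPE": "GNRL_EV_VIRUS_FOUND"}, ["hostdn", "rise_time", "task_new_state"], page=2)
        heading = run_report(c, 27, sleep=lambda s: None)["data"]["summary"]["heading"]
    finally:
        c.end_session()  # sessions are server-side state; always release them
    return {"events": events, "heading": heading}
```

Against a real server, build the client with https_transport(cafile) where cafile is the exported Administration Server certificate, and address the server by the name that certificate was issued to; the iterator is released in a finally block and the session is ended in a finally block for the same reason, so that an exception halfway through a dashboard refresh does not leave server-side state behind.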