ElvinE5
Forum Masters, 967 posts
Everything posted by ElvinE5
-
Let me try to explain ... all of the following is my personal opinion and may not coincide with the opinion of the company :))))

To begin with, we should keep in mind that the concept of XDR is not a specific product .... it is an approach to organizing a company's information security, using a variety of tools and techniques, and training of personnel. Into the XDR concept the Lab puts a set of its products that are able to integrate with each other, helping to comprehensively protect the customer from the maximum number of threats, and giving him the best tools to detect and eliminate threats. However, it is also necessary to realize that all these tools and technologies will be useless without people capable of managing them (and this applies to any vendor).

As far as I understand ... you've been researching this information - https://support.kaspersky.com/xdr-expert/247185 In the future, this platform will have to combine the ability to manage all products deployed within your corporate network from a single center. As the core of the entire system, the company highlights the KUMA solution (it's a SIEM), which is able to collect events from any objects within your network, correlate them, and represent events that occurred in different parts of the network as a single event (an attack, for example); it will be an indistinguishable part of the full XDR. However, as we said earlier, XDR is a set of components ... for example a KATA+KEDR bundle - this could also be called XDR. You can analyze different types of raw traffic, mail, internet gateways, as well as events received from EPPs, while having its own sandbox to analyze new and unknown threats, response and investigation tools .... a large, complex and incredibly interesting complex.

As for the comparison ... I looked at the concept on the home page. You can compare this to the concept of a three-tiered approach to implementing the Lab's protection. https://www.kaspersky.com/enterprise-security#overview I think many companies will have solutions that allow them to manage all aspects of defense from a single console.

Regarding the choice of future solutions for you and your company, I would like to show the following slide for better understanding ... I apologize for the quality of the picture. Vertically it indicates the total cost of the system, horizontally the maturity of the IT infrastructure and the availability of specialists - on the left are basic IT specialists, in the middle is a dedicated Information Security department, on the right is SOC, CERT, etc. Since you now have two engineers, purchasing large, complex solutions will probably be problematic for you. We now have an optimal set that allows you to protect your company and conduct basic investigations and respond to incidents.

As a recommendation - to enhance protection, you can purchase the Sandbox component using your existing tools (this is not the same as what is used in KATA) - https://support.kaspersky.com/KSB/2.0/en-US/223822.htm This is a separate solution that will allow you to counter new and unknown threats, and it will not take much of an engineer's time since it works practically in automatic mode. For example, this solution is included in the package - Kaspersky Total Security for Business - Plus. You'll get ... Protection for EPP, EDR (Optimum) functionality, Sandbox 2.0 + Mail protection + Protection of Internet gateways + Extended technical support. You will also have to purchase a license for MDR separately. In any case, contact your local partner ... for detailed product information.
-
KES 11.9 Quarantine and active threats
ElvinE5 replied to muhammad.moin's topic in Kaspersky Endpoint Security for Business
Not quite sure what the question is ... if you mean that it will feed the quarantined file to some external sandbox - yes ... whether Kaspersky products can be integrated with other sandboxes - probably not. -
Also add to the KSC-1 repository the installation packages of all products that need to be updated (I was advised to do so by tech support). That's right, but only for those items that the solution supports ... For example, in 12.x versions, in the Device Control section the group "Printers" was divided into two groups - local and network - and if you customize this item, it will not work for 11.9. List of changes - https://support.kaspersky.com/KESWin/12.3/en-US/127969.htm It's gonna be hard to find them in the public domain right now. It would be better for you to request the versions you are interested in through your support channel https://companyaccount.kaspersky.com/account/login
-
Which command can take the KSC agent out of out-of-office mode?
ElvinE5 replied to mmma's topic in Kaspersky Security Center
What exactly was the switching rule in the connection profile (for the agent)? Did you change the agent's KSC connection server address? Well, a few options to fix the situation: 1. Disable the out-of-office policy on the KSC server, and disable the profile. 2. On the client - if the agent has switched to being managed by another KSC server, try changing its connection with the klmover utility: C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klmover.exe -address <IP of your KSC> 2.1 Or remove the agent and reinstall it, for example from a standalone package ... run a synchronization ... so that it pulls new policies for itself and for KES. Judging by this, you are trying to remove KES ... -
Yeah, yeah, thanks ... that makes more sense ... let me tell you how I see it now ... You have a KSC server (let's call it KSC-1) installed in an external loop (with internet access); it is in charge of receiving updates and servicing clients on your network. You copy the Update folder from KLShare and move it to the closed loop (without internet access) behind an air gap where it is not possible to connect to KSC-1. The KSC-2 and KSC-3 servers serving internal clients are located in the closed loop. That's what I'm thinking. So let's get started.

1. As a recommendation, I would not recommend copying the Update folder from KLShare directly. At the moment of copying, some files may be busy, for example when the update download task is running, and may be copied incompletely or with an error. On KSC-1, in the task of downloading updates to the repository, create an additional setting - Copy updates to external folder. Also try using the database loading option marked in blue ... sometimes this helps to solve the problem. After the task is completed ... you will have a copy of the databases that you can safely take back.

2. There is an assumption that your KSC-1 does not know what it needs to download for KSC-2 and KSC-3. Example: KSC-1 supports the following solutions - KES 11.8, 11.9 and KSWS 11.0.0. KSC-2 supports the following solutions - KES 11.9 and KSWS 11.0.1. KSC-3 supports the following solutions - KES 11.9, 12.x and Linux. In this case KSC-1 will not download any databases for KSWS 11.0.1, KES 12.x, and Linux products, as it has no idea that they are in the systems of KSC-2 and 3; respectively, these products will not receive the necessary updates. In order for KSC-2 and 3 to get everything they need, you need to have on KSC-1 all the necessary plugins for ALL PRODUCTS of all versions in your network and installation packages for these products, i.e. check, update (if necessary) or install all necessary plugins and create packages for all products on KSC-1. In our application you should have at least the plugins for KES 12.x, KSWS 11.0.1 and Linux; new versions will override the needs of old ones (12.x will override 11.9 and KSWS 11.0.1 will override 11.0.0). In general, double-check all product versions on all your servers, and update KSC-1 to your current versions or add missing versions. I hope this helps.
-
KES 11.9 Quarantine and active threats
ElvinE5 replied to muhammad.moin's topic in Kaspersky Endpoint Security for Business
For example, I saved one .exe file to my device (for further work); it will be saved like this ... the name of the device from which I received the file is added to the extension, which makes it impossible to run it just by clicking on it. But if I remove this description, the file can be run ... as usual. How you will work with this file depends only on your tools, desires and needs ... including sandboxing, which will give you a report on how this file behaves and what it is trying to do on your device ... which will give you a broader view of the malware. -
First of all ... could you show where and how (and which) changes you are making ... and what tech support recommended to you. There is an assumption ... enable Web Control and check that everything is blocked. In the KES 12.x policy settings, disable this item in the settings and check whether everything works ... then immediately add your link to the exclusions ... only please ... make sure it is exactly that link and that it is specified in the right format ... and turn the encrypted connections scan setting back on. PS ... sorry, the page did not load, I did not see that you had already been advised the same thing. Show what tech support sent you and how and where you add the exclusions ... the link is probably not the right one for working with Bitrix documents.
-
@Seimur try this - https://support.kaspersky.ru/kes11/troubleshooting/install/15378#block2 More often a full removal and "cleaning up the tails" of previous versions helps ... https://support.kaspersky.ru/common/uninstall/1464 https://support.kaspersky.ru/ksc13/tools/13088 Also, since you have Win 7, some Windows security updates or an update of the root certificates may be required. https://support.kaspersky.ru/common/compatibility/15728
-
Yes, but sometimes you need to "poke around" in the GUI on the client itself, and walking there on foot ... no thanks ... so the question of management specifically through a third-party remote connection client is still relevant ... and yes, yes, yes 🙂, anticipating your question ... the management license (Advanced and higher) will save "the father of Russian democracy" (c) in this matter.
-
Yeah, that's about right. And since each client has a different synchronization period - the same 15 minutes, but, for example, you applied the policy at 11:55, one starts its countdown from 12:00 (and every 15 minutes), the other from 12:10 ... they will receive the update not at the same time, but with a small difference in time ... I hope I didn't confuse you 🙂 In general, yes, on average 15 minutes to update the client's information.
-
I need more data ... - what product are we talking about: KES, KSWS, etc. ... and what versions. - How do you initially obtain the databases: from the Internet? With the KUU utility? From Kaspersky servers (which you then place in a network or local folder)? - Subordinate servers? KSC? Or do you lead KSWS solutions - that is, is the problem only on a part of the end devices when updating from one source? And, if possible, screenshots of the problems.
-
Calculating the number of required licenses.
ElvinE5 replied to Rum's topic in Kaspersky Security for Internet Gateway
This kind of question is better asked directly to your future supplier ... they should help you with this. In general, the count is by the total number, e.g. 300 ... if in practice there are more, 310-350 ... essentially nothing will change ... this is a legal restriction ... which you, as the user, must "correct", e.g. at the next renewal ... in any case, consult your supplier. -
Most likely you are trying to edit a child policy that is affected by the settings of the parent policy ... you can try to break the inheritance ... or (more likely) you are trying to edit the main policy, bound e.g. to the Managed devices group, but from the properties of a child group, e.g. Office as in my case ... which also will not let you change the settings. Just go to the group your policy is bound to.
-
The synchronization time between the client and the server is 15 minutes. In your solution, the server cannot speed up this process in any way and just waits for clients to contact it during the next synchronization period to give them new instructions. Well, and of course you must realize that the client does not always have the opportunity to connect to the server in its next period ... because of, for example, a bad internet connection.
-
Perhaps we should ask your politicians ... I assume that you are instructed to block connection of USB removable devices (flash drives, disks, etc.); for this purpose you will find it more convenient to disable access to removable media ... In your case, as I understand it, you disable access at the USB bus level, and that's probably why some of your USB devices don't work ... try testing this option:
1. In the bus section, allow USB bus access.
2. In the device section, disable access to Removable media (check also how you have configured the permission for cameras and scanners).
Check if your problem recurs. I think this would be a more correct approach to solving the problem of locking USB removable devices ... there you can also personalize who can be allowed to access removable devices and at what time ... and whether to log actions on removable media.
-
Invalid or expired certificate.
ElvinE5 replied to Дмитрий Дохлов's topic in Kaspersky Security Center
On the problem device ... from a command prompt run as administrator ... execute the command C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klmover.exe -address <IP address of your KSC server> -
Yeah, I asked support about that too ... and I was told "that before, it was automatically included in the permissions, but in new versions it has to be added separately" ...well, that's how it is :)))) all is correct, the system will give access to the user you specify, but will constantly bother you with messages that the system itself has restricted access. This means that even if you receive a notification that the system access is restricted, the user can still work with the device.
-
KES 11.9 Quarantine and active threats
ElvinE5 replied to muhammad.moin's topic in Kaspersky Endpoint Security for Business
@Diego Moraes Wrong ... backup files (deleted by KES File Threat Protection, for example) as well as quarantine are stored on the same device where they were detected and deleted. Only information about quarantined objects (on the device) is transferred to KSC, and when you try to retrieve it (save it to disk) through the console, KSC requests it from the host where it is stored. So sometimes it may not be available because it has been deleted on the host ... and the information in KSC is not updated. -
I think questions like this are better taken straight to CA, since problems of this kind are always individual. Did you take into account the system requirements for restoring? At a minimum: 1. The (new) server must have the same name and IP - for "seamless" switchover of devices. 2. When deploying the new KSC, the selected DB and the name of the database itself must match the old ones, otherwise restoring will not be possible. I would suggest not spending time solving problems with restoring from backup: 0. Set up a clean server, add the necessary management plugins. 1. Import the settings (policies and tasks) from the old server. 2. Migrate the devices from the old server using the corresponding task (change of Administration Server). 3. Update the connected clients to current versions.
-
Kaspersky Security for Windows Server
ElvinE5 replied to nooraladin214's topic in Kaspersky Endpoint Security for Business
I think it's best told by this link to product features - https://support.kaspersky.com/ksws11/licensing/15634 The product was originally developed and tested more thoroughly in server operations. As you can see, it has a number of special tools to protect systems such as storage, or handling traffic from external systems, but this requires a separate, more specialized license. If you don't have a need for this functionality and your license doesn't cover it ... you can safely switch to using KES. However, do familiarize yourself with the differences when installing this solution on different platforms (Server or Workstation). https://support.kaspersky.com/KESWin/12.3/en-US/181834.htm In addition, although the product's life cycle has been extended until 2025, some refinements for it will no longer be produced. - https://support.kaspersky.com/corporate/lifecycle#b2b.block1.ksws11 The company is moving towards product unification in favor of KES.
-
That's right, when adding a device to trusted devices, the bus settings and device permissions (e.g. removable devices) are irrelevant. The bus setting only matters if you select "work via bus ..." in the device settings, like this ... but if you choose that removable devices should be blocked (or conversely allowed) ... any value of the USB bus settings will be ignored. As for your question ... there are a few assumptions. As far as I can see you have authorized this device for specific users, hence the two questions:
1. On the device where you plug in the trusted USB, are you logged in under one of the users you specified?
2. When assigning a specific user, you kind of cut off access to the system itself; check who this device is blocked for, I assume as in your first post ... you can check by granting permissions to "Everyone" on this device; the message should disappear and access should be granted.
Add the SYSTEM user to the permissions for this device, along with the users you are allowing this device to, and the lockout message will stop bothering you.
-
Now I see ... it can be done remotely, via client policy like the rest of the components. And judging by the fact that you have the ability to enable or disable this component via the client application on the device ... either you forgot to close the "lock" or the device is not covered by the policy you are trying to change. This is how it should be in the policy for KES when the component is enabled ... on the client device in such a case the component works and you cannot control the component. When disabling, you simply uncheck the "checkbox" without opening the "lock"; the component will be disabled BUT you will still not be able to manage it locally. Do you have a policy for KES? Check its settings ... and that the device is subject to that policy ... PS: I was thinking that maybe you are trying to manage components through device tasks? Is that right? Then this item is not there.
-
KES 11.10 disabled all USB devices
ElvinE5 replied to igormalahov's topic in Kaspersky Endpoint Security for Business
@Yurayuyuy try this solution ... https://support.kaspersky.ru/krd18/tools/14221