
Igor Akhmetov

Kaspersky Employee
Posts: 16
Reputation: 9 Neutral


  1. Hello! Thank you for raising this. There are several points regarding the raised questions: The mentioned "Offline Detection Rate" is related to the On Demand Scan only, and does not include sample execution in Offline mode. That means that behavior-based technologies are not taken into consideration in this synthetic scenario. This scenario is not typical for real-life use. Clearly, in case the samples had been executed in Offline mode, the results would have been different. Unfortunately, the test lab does not run such a scenario. The most important result of the test is the "ONLINE Protection Rate", which is based on sample execution with an internet connection. It reflects the typical scenario of protecting a user's system and data by security solutions, and it proves Kaspersky's results to be among the highest of the participants.
  2. Dear @Abdulaziz Asulaiman, Thank you for the message. Please kindly use the advice from my colleague above, and let us know if that helps. May I ask which version of Kaspersky Security Center you had on the crashed server, and which version of Kaspersky Network Agent you have now? You can check the version of the currently installed Network Agent by running "c:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klcsngtgui.exe" with Administrator rights. Thank you in advance!
  3. Problem
     Sometimes KES installation may fail with the error 0x8000ffff. The installation log will contain something similar to the example below.

     Installation log example:
       InstallDriversDeferred: Failed to add a catalog file. Error 0x8000ffff.
       MSI (c) (84:48) [11:05:47:307]: Transforming table Binary.
       MSI (c) (84:48) [11:05:47:307]: Transforming table Binary.
       MSI (c) (84:48) [11:05:47:307]: Note: 1: 2262 2: Binary 3: -2147287038
       MSI (c) (84:48) [11:05:47:307]: Transforming table Binary.
       MSI (c) (84:48) [11:05:47:307]: Transforming table Binary.
       MSI (c) (84:48) [11:05:47:307]: Note: 1: 2262 2: Binary 3: -2147287038
       Error 27300.Error installing driver kl1.sys_X86. Error: -2147418113.
       MSI (s) (14!30) [11:07:22:451]: Product: Kaspersky Endpoint Security 10 for Windows -- Error 27300.Error installing driver kl1.sys_X86. Error: -2147418113.
       InstallDriversDeferred: InstallDriversDeferred: finished. Return value 1603.
       CustomAction InstallDriversDeferred returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
       Action ended 11:07:22: InstallExecute. Return value 3.

     Error 0x8000ffff indicates a problem with the CryptoAPI 2.0 driver catalog (*.cat) file storage.
     Open the Application event log on the affected PC. There should be events like:
       Source - CAPI2: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -583.
     Get the file C:\Windows\System32\catroot2\dberr.txt and open it; it may contain strings like this:
       ... encountered JET error -583 ...
     Check the Windows setupapi.dev.log for the error 0x8000ffff. This issue usually reproduces with other driver installations, too.

     Solution
     This error is related to the Windows OS. We suggest contacting Microsoft support.
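The post above names three places to look (the CAPI2 event, catroot2\dberr.txt and setupapi.dev.log). The following PowerShell function is an added example, not code from the post or from Kaspersky, that collects all three indicators in one run so you can confirm the catalog-database root cause before deciding whom to open a case with. It assumes the standard Windows paths and that CAPI2 events come from the provider 'Microsoft-Windows-CAPI2' (displayed as source "CAPI2"); the -MsiLog parameter and the log path used in the usage line are placeholders for your own verbose installer log.

```powershell
# Added example: confirm the 0x8000ffff / catalog database symptoms described above.
function Test-CatalogDatabaseHealth {
    [CmdletBinding()]
    param(
        [string]$DbErrPath   = "$env:SystemRoot\System32\catroot2\dberr.txt",
        [string]$SetupApiLog = "$env:SystemRoot\INF\setupapi.dev.log",
        [string]$MsiLog,                     # optional: verbose msiexec log of the failed KES install
        [int]$LookbackDays   = 7
    )

    $r = [ordered]@{}

    # 1. Application log: CAPI2 reporting that the Catalog Database could not be initialised.
    #    Assumption: provider name 'Microsoft-Windows-CAPI2' (shown as source "CAPI2" in Event Viewer).
    $capi2 = Get-WinEvent -FilterHashtable @{
                 LogName      = 'Application'
                 ProviderName = 'Microsoft-Windows-CAPI2'
                 StartTime    = (Get-Date).AddDays(-$LookbackDays)
             } -ErrorAction SilentlyContinue |
             Where-Object { $_.Message -match 'failed to initialize the Catalog Database' }
    $r.Capi2CatalogErrors = @($capi2).Count
    $esent = $null
    foreach ($ev in @($capi2)) {
        if ($ev.Message -match 'ESENT error was:\s*(-?\d+)') { $esent = [int]$Matches[1]; break }
    }
    $r.LastEsentError = $esent                         # -583 in the article's example

    # 2. catroot2\dberr.txt: any "JET error <n>" line (the article shows -583).
    $jetLines = 0
    if (Test-Path $DbErrPath) {
        $jetLines = @(Select-String -Path $DbErrPath -Pattern 'JET error (-?\d+)').Count
    }
    $r.DbErrJetLines = $jetLines

    # 3. setupapi.dev.log: the same HRESULT showing up for other driver installations.
    $setupHits = 0
    if (Test-Path $SetupApiLog) {
        $setupHits = @(Select-String -Path $SetupApiLog -Pattern '0x8000ffff' -SimpleMatch).Count
    }
    $r.SetupApiHits = $setupHits

    # 4. Optional: the KES installer log, looking for the line that starts the failure chain.
    if ($MsiLog -and (Test-Path $MsiLog)) {
        $r.MsiCatalogFailure = [bool](Select-String -Path $MsiLog -Pattern 'Failed to add a catalog file' -Quiet)
    }

    # Verdict: an OS-side catalog store problem if CAPI2 or dberr.txt show it. That is the case the
    # article says belongs with Microsoft support rather than with the KES installer.
    $r.CatalogStoreSuspect = ($r.Capi2CatalogErrors -gt 0) -or ($r.DbErrJetLines -gt 0)
    [pscustomobject]$r
}

# Run on the affected PC from an elevated PowerShell; the log path below is a placeholder.
Test-CatalogDatabaseHealth -MsiLog "$env:TEMP\kes_install.log" | Format-List
```

The event log query needs administrator rights, as does reading the INF folder; run it in the same elevated session you would use for the installer.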
  4. The materials provided on the Advice and Solutions (Forum Knowledgebase) part of the Forum result from the work of the Kaspersky Customer Support team and Forum community members. They are shared here for ease of use of Kaspersky products, deploying and configuring them. Please remember that using commands or recommendations from the articles without a clear understanding of their purpose may result in errors or system inoperability. Please note that some materials presented are not official, so technical support may decline to support a specific unsupported configuration in some instances. Please also ensure to use the official documentation, found in this link.
  7. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
     This article is about Kaspersky Security Center for Windows (KSC for Windows).

     Problem
     You set up integration with a SIEM but no events show up on the SIEM side. In some cases there is no incoming traffic to the SIEM from the KSC server at all.

     Solution
     In the vast majority of cases the root cause can be located in the KSC server trace.
     Trace example #1:
       25.01.2017 09:56:56.855 00001320.0000015C L1 KLSPLG: There is no key for SystemManagement.
     Trace example #2:
       24.10.2017 13:27:06.071 00001C78.00001464 L1 KLERR: #1, Error was caught in KLSPLG::EventsSupplierToSiem::Build, .\splg\events_supplier_to_siem.cpp@224. Error params: (1571/0x0 ("Functionality in limited mode. Area: System Management."), "KLSRV", .\license_policy\license_policy_utils.cpp@151) Error loc: 'This operation requires a license for the feature Systems Management.'.
     If you can find such a line, make sure that a Systems Management license is installed on KSC. If the issue reproduces with the SM license installed, do the following:
       1. Enable Administration Server tracing.
       2. Click the 'Export archive' button.
       3. Wait 15 minutes.
       4. Provide Customer Support (https://companyaccount.kaspersky.com/) with the traces, the GSI file (https://support.kaspersky.com/common/diagnostics/3632 - do not forget to switch on event log collection), and a detailed problem description.
  8. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
     This article is about Kaspersky Security Center for Windows (KSC for Windows).

     Step-by-step guide
     Make sure that a Systems Management license is installed, otherwise KSC events won't be exported to the SIEM. For more information please refer to "SIEM integration: the most frequent error".
       1. Specify the Splunk server address and port.
       2. Log in to the Splunk management console.
       3. Press Settings → Configure data inputs.
       4. In the opened Add Data window: select TCP; specify the port you are planning to use and a Source (the KSC server address or DNS name).
       5. Configure Source type: choose Select and pick syslog from the drop-down menu.
       6. Configure Host: set IP for Method.
       7. Check the settings on the result screen.
       8. Open the Splunk home page and press Search & Reporting.
       9. Make sure that KSC events were indexed by Splunk correctly, as expected.
     Now you are able to see raw KSC events.
  9. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
     This article is about Kaspersky Security Center for Windows (KSC for Windows).

     Problem: KSC certificate renewal or replacement is made incorrectly because the option to instantly replace the server certificate is used. There is an article in the Online Help dedicated to the klsetsrvcert utility (https://support.kaspersky.com/KSC/13.2/en-US/227838.htm). Sometimes people follow the instructions according to the example indicated in the article, "klsetsrvcert -t C -i <inputfile> -p <password> -o NoCA", without thinking about the consequences. This leads to the administration agents (nagents) not receiving the new certificate, and the users have to use the klmover utility.

     Cause: After the certificate is renewed with the "-t C" option, Network Agents do not receive the new certificate and have no connection to the server.

     Solution: Run the certificate renewal using the "-t CR" option (CR: replace the common reserve certificate for ports 13000 and 13291) and the "-f" option with a date in the "DD-MM-YYYY hh:mm" format 3-4 weeks ahead of the current one. The time we set aside for changing the certificate to the backup one will allow the new certificate to be distributed to all Kaspersky Network Agents (nagents):
       -t <type>  Type of certificate to be replaced. Possible values of the <type> parameter:
                  C   - Replace the common certificate for ports 13000 and 13291.
                  CR  - Replace the common reserve certificate for ports 13000 and 13291.
                  M   - Replace the certificate for mobile devices on port 13292.
                  MR  - Replace the mobile reserve certificate for port 13292.
                  MCA - Mobile client CA for auto-generated user certificates.
       -f <time>  Schedule for changing the certificate, using the format "DD-MM-YYYY hh:mm" (for ports 13000 and 13291). Use this parameter if you want to replace the common or reserve certificate before it expires. Specify the time when managed devices must synchronize with Administration Server on the new certificate.

     For example, consider the command "klsetsrvcert.exe -f "DD-MM-YYYY hh:mm" -t CR -g nb.loc". Since this command was used in October, a backup certificate would be created and distributed to all nagents within a month. Thus, the certificate should have been applied on November 1, 2022.

     Let's check whether the backup certificate has been applied on the host. To do this, using the klscflag utility, enter the command:
       klscflag.exe -ssvget -pv 1103/1.0.0.0 -s KLNAG_SECTION_CERTDATA -n KLNAG_SSL_SERVER_CERT_RESERVE -ss '|ss_type = \"SS_LOCAL_MACHINE\";'
     The certificate has been delivered. If the backup certificate is not yet delivered to the destination host, we will see the following result of this command:

     Known problem: issuing a certificate with a length of 2048 bits on KSC 14.
     Files: module_i6225901.zip
     Web Console 14 issue: This problem occurs after updating KSC to version 14. It is related to the fact that Web Console version 14 requires a certificate with an RSA key length of 2048 bits, but when the Administration Server is updated the old 1024-bit certificate remains in use. To fix this error, you need to issue a backup certificate with a length of 2048 bits and wait until it is applied as the main one. On KSC 14 there is a problem with issuing a 1024-bit backup certificate, due to an error in the klsetsrvcert utility. To solve it, you need to replace the utility's exe file in the KSC setup directory (module_i6225901.zip) and execute the command with the -o option "RsaKeyLen:2048". For example:
       klsetsrvcert.exe -t CR -g localhost -o "RsaKeyLen:2048"

     Error "Failed to establish connection with the remote device": This error occurs because we are trying to execute 2 consecutive commands on the same line. The first command is "-t CR -g nb.loc" and the second is "-f '20-12-2023 00:00'". Since the Administration Server restarts after executing the first command, the second command waits for some timeout before executing. But since in some user configurations restarting the service can take a long time, the second part is performed when the server has not started yet, which leads to the above error. To fix this behavior, run the commands separately, according to this scenario:
       1. Run .\klsetsrvcert.exe -t CR -g nb.loc
       2. Wait until the Administration Server service starts completely (you can check by connecting the console).
       3. Run .\klsetsrvcert.exe -f '20-12-2023 00:00'
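The two-step procedure above (issue the reserve certificate, wait for the Administration Server to restart, then schedule the switch-over) lends itself to a script that does the waiting explicitly rather than by hand. The PowerShell below is an added example, not Kaspersky's code or part of the article. It assumes the default KSC installation path, that the Administration Server service is named 'kladminserver', and that the console port 13291 accepting TCP connections is a sufficient readiness check; the -g value 'nb.loc' is the article's example name. Confirm all of these against your own server before use.

```powershell
# Added example: reserve-certificate rollover as two separate klsetsrvcert runs with a wait in between,
# so the second run cannot hit "Failed to establish connection with the remote device".
param(
    [string]$KscPath     = "${env:ProgramFiles(x86)}\Kaspersky Lab\Kaspersky Security Center",
    [string]$ServerName  = 'nb.loc',        # value for -g; the article's example name
    [int]$LeadTimeDays   = 28,              # 3-4 weeks, as the article recommends
    [string]$ServiceName = 'kladminserver', # assumption: Administration Server service name
    [switch]$ForceRsa2048                   # KSC 14 case from the article (needs the patched utility)
)
$ErrorActionPreference = 'Stop'
$klsetsrvcert = Join-Path $KscPath 'klsetsrvcert.exe'
if (-not (Test-Path $klsetsrvcert)) { throw "klsetsrvcert.exe not found at $klsetsrvcert" }

function Wait-AdminServer {
    param([string]$Service, [int]$Port = 13291, [int]$TimeoutSec = 1800)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 15
        $running   = (Get-Service -Name $Service).Status -eq 'Running'
        $listening = (Test-NetConnection -ComputerName 'localhost' -Port $Port `
                          -WarningAction SilentlyContinue).TcpTestSucceeded
        if ($running -and $listening) { return }
        Write-Host "Waiting for $Service (running=$running, port ${Port}=$listening)..."
    } while ((Get-Date) -lt $deadline)
    throw "Administration Server did not come back within $TimeoutSec seconds"
}

# Step 1: issue the new reserve certificate. The Administration Server restarts after this.
$step1 = @('-t', 'CR', '-g', $ServerName)
if ($ForceRsa2048) { $step1 += @('-o', 'RsaKeyLen:2048') }
& $klsetsrvcert @step1
if ($LASTEXITCODE -ne 0) { throw "klsetsrvcert -t CR failed with exit code $LASTEXITCODE" }

# Step 2: only once the server is back, schedule the switch-over far enough ahead that every
# Network Agent synchronises at least once and receives the reserve certificate.
Wait-AdminServer -Service $ServiceName
$switchAt = (Get-Date).AddDays($LeadTimeDays).ToString('dd-MM-yyyy HH:mm')   # "DD-MM-YYYY hh:mm"
& $klsetsrvcert -f $switchAt
if ($LASTEXITCODE -ne 0) { throw "klsetsrvcert -f failed with exit code $LASTEXITCODE" }
Write-Host "Reserve certificate issued; it becomes the main certificate at $switchAt"
```

Run it from an elevated PowerShell on the Administration Server host. The readiness check is deliberately conservative (service state and the console port); if your environment takes longer than 30 minutes to restart, raise TimeoutSec rather than shortening the lead time.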
  10. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
      This article is about Kaspersky Endpoint Security for Windows (KES for Windows).
      Sometimes it is required to unregister KES from the Explorer context menu. Follow these steps:
        1. Disable KES self-defense.
        2. Open a CMD shell as administrator.
        3. Run the commands (the paths contain spaces, so they must be quoted):
           regsvr32 /u "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\shellex.dll"
           regsvr32 /u "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\shellex.dll"
        4. Proceed with troubleshooting.
      To re-enable it, run in an admin CMD:
        regsvr32 "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\shellex.dll"
        regsvr32 "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\shellex.dll"
  11. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
      This article is about Kaspersky Endpoint Security for Windows (KES for Windows).
      If you want to uninstall KES with msiexec (msiexec.exe /x {PRODUCT_CODE}), the product code is probably what you are looking for. Here they are:

      KES product codes
      Product name     Product code
      FS6              {1B419CE6-A1AA-4207-8581-A414BE9C7B85}
      WKS6             {8F023021-A7EB-45D3-9269-D65264C81729}
      KES8             {D72DD679-A3EC-4FCF-AFAF-12E2552450B6}
      KES10CF1 x64     {04CF7FBD-E56C-446D-8FC9-DD444BDBEE8E}
      KES10CF1 x86     {9813DD3F-A28E-4B98-ACDE-12A3AB1C42E4}
      KES10SP1         {7A4192A1-84C4-4E90-A31B-B4847CA8E23A}
      KES10SP2         {7911E943-32CC-45D0-A29C-56E6EF762275}
      KES11            {E7012AFE-DB97-4B8B-9513-E98C0C3AACE3}
      KES11.1          {60BB97EB-61BD-4FF3-8506-F155850CC6B5}
      KES11.1.1        {D1AB12B0-B9B5-43A0-98E1-584D790524FE}
      KES 11.2         {9A017278-F7F4-4DF9-A482-0B97B70DD7ED}
      KES 11.3         {192DE1DE-0D74-4077-BC2E-A5547927A052}
      KES 11.4         {AF1904E7-A94C-4F4C-B3B7-EC54D7429DA2}
      KES 11.5         {7B437856-99E3-4F01-B31C-B5A26465C633}
      KES 11.6         {7EC66A9F-0A49-4DC0-A9E8-460333EA8013}
      KES 11.7         {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}
      KES 11.8         {1F39E63E-3F9C-4E21-928B-136C6362E88B}
      KES 11.9         {6BB76C8F-365E-4345-83ED-6D7AD612AF76}
      KES 11.10        {305A9EC9-294E-4555-A7C5-E1C767E01C11}
      KES 11.11        {BF39B547-8E24-4E11-8179-183B2F7C83EB}
      KES 12.0         {E70CCFE8-163C-4E2B-BC36-61B747DAD590}
      KES 12.1         {D8E156BC-0E64-47F7-8E4F-0DCD80F2A6D3}
      KES 12.2         {B524FBEF-035B-455E-AA3A-2ABA729C62F8}
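A static table like the one above goes stale as new KES builds ship. The PowerShell below is an added example, not code from the post or from Kaspersky: it reads the installed KES product code from the MSI Uninstall registry keys, then runs the msiexec /x uninstall with a verbose log and reports the exit code. It assumes KES registers itself with a DisplayName starting "Kaspersky Endpoint Security", and that KLLOGIN/KLPASSWD are the msiexec properties Kaspersky documents for password-protected uninstall; check the documentation for your version before relying on the latter.

```powershell
# Added example: discover the installed KES product code instead of looking it up in a table,
# then uninstall with msiexec /x and a verbose log.
function Get-KesProductCode {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object {
            # Assumption: KES registers with this DisplayName prefix. The key name must be a GUID,
            # which distinguishes the MSI product entry from a setup.exe "bundle" entry.
            $_.DisplayName -like 'Kaspersky Endpoint Security*' -and
            $_.PSChildName -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
        } |
        Select-Object DisplayName, DisplayVersion, @{ Name = 'ProductCode'; Expression = { $_.PSChildName } }
}

function Uninstall-Kes {
    param(
        [Parameter(Mandatory)][string]$ProductCode,
        [string]$LogPath = (Join-Path $env:TEMP 'kes_uninstall.log'),
        [pscredential]$UninstallCredential   # only when uninstall is password-protected in the KES policy
    )
    if ($ProductCode -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { throw "Not an MSI product code: $ProductCode" }

    $msiArgs = @('/x', $ProductCode, '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    if ($UninstallCredential) {
        # Assumption: KLLOGIN / KLPASSWD are the documented properties for a password-protected uninstall.
        $msiArgs += "KLLOGIN=$($UninstallCredential.UserName)"
        $msiArgs += "KLPASSWD=$($UninstallCredential.GetNetworkCredential().Password)"
    }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # msiexec exit codes worth knowing: 0 success, 3010 success but reboot required,
    # 1605 product not installed, 1603 fatal error (read the verbose log).
    [pscustomobject]@{
        ProductCode    = $ProductCode
        ExitCode       = $proc.ExitCode
        RebootRequired = ($proc.ExitCode -eq 3010)
        Log            = $LogPath
    }
}

# Usage from an elevated shell: list what is installed, then uninstall each matching product.
Get-KesProductCode | Format-Table -AutoSize
# Get-KesProductCode | ForEach-Object { Uninstall-Kes -ProductCode $_.ProductCode }
```

Keep the verbose log: when the exit code is 1603, the log is the only place the real reason (a locked file, self-defense still active, a missing password) shows up.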
  12. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
      This instruction applies only to KES 11.9 and earlier versions. It will not work with the most recent versions of the KES installer (cleanerapi_v2): the list of ini files in cleaner_v2.cab is encrypted, and there is no cleanapi.ini file to change. If you have a specific need to add a new ini file to the KES installation package, kindly contact Kaspersky Support.

      In case you want to skip automatic uninstallation of a specific software product, but do not want to disable the incompatible software check completely, you may edit cleaner.cab.

      Step-by-step guide
        1. Download the full KES distribution.
        2. Start it and make sure all files were unpacked.
        3. Navigate to the directory you unpacked the installer to.
        4. Find cleaner.cab.
        5. Unpack it to a separate directory.
        6. Find the *.ini you want to skip and delete it.
        7. Pack all the remaining files back into cleaner.cab.
        8. Find cleanapi.ini.
        9. Find and remove all lines related to the products you removed in step 6.
        10. You may now use this custom file instead of the standard one: place it next to setup.exe or *.kud\*.kpd before creating the package for KSC.

      Packing files back into a *.cab file may be difficult if you do not have specific software. Below you can find two scripts: one for the command prompt, one for PowerShell.

      Command prompt
      Run the command prompt script from the directory with the *.ini files.

@echo off
rem Write the file list outside the working directory; otherwise dir lists files.txt itself and it ends up in the cab
dir /s /b /a-d >"%TEMP%\files.txt"
makecab /d "CabinetName1=cleaner.cab" /d "MaxDiskSize=0" /f "%TEMP%\files.txt"
del /q /f "%TEMP%\files.txt" setup.inf setup.rpt

      PowerShell
      PowerShell script syntax is: compress-directory "PATH_TO_INI"

function compress-directory([string]$dir) {
    # Diamond Directive File (DDF) header for makecab: a single cabinet with no size limits
    $ddf = ".OPTION EXPLICIT
.Set CabinetNameTemplate=cleaner.cab
.Set DiskDirectory1=.
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
"
    $dirfullname = (get-item $dir).fullname
    $ddfpath = ($env:TEMP+"\temp.ddf")
    # One DDF line per file: "<full source path>" "<name inside the cab, relative to $dir>"
    $ddf += (ls -recurse $dir | ? {!$_.psiscontainer} | select -expand fullname | %{'"'+$_+'" "'+$_.SubString($dirfullname.length+1)+'"'}) -join "`r`n"
    $ddf
    $ddf | Out-File -encoding UTF8 $ddfpath
    makecab /F $ddfpath
    rm $ddfpath
    rm setup.inf
    rm setup.rpt
}
  13. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
      This article is about Kaspersky Endpoint Security for Windows (KES for Windows).
      You may come across an occasion when, instead of an internal web page, you get a warning message in the browser if you have the Scan encrypted connections option enabled. You should not blindly add certificates to the Trusted Root Certification Authorities store just to remove a legitimate warning. Doing so may impact the protection level of your working environment.

      Step-by-step guide
      Prerequisites:
        - Scan encrypted connections is enabled in the KES policy.
        - A self-generated certificate is used in the web server configuration.
        - An internal web page is opened in a browser.
      Solutions:
        1. Add your self-signed certificate to the system certificate store, in the Trusted Root Certification Authorities section. This will make not only KES but all web browsers trust this website, except Firefox, which uses its internal certificate store to determine trust relationships. To make Firefox use the Trusted Root Certification Authorities store, do the following: open Mozilla Firefox; go to the page about:config; find the setting security.enterprise_roots.enabled; change its value to True.
        2. Add the FQDN of the web site to the Trusted domains section of the Encrypted Connections Scan settings in the KES policy.
        3. If the client is working without a proxy server, you may configure Trusted Applications in the KES policy. Add the web browser to the Trusted Applications list, enable the option Do not scan network traffic, then add the IP address of the web server for which you don't want to have an alert.

      Explanation
      This message is generated by KES as a response to a mismatch between the FQDN and certificate attributes obtained during a scan of the encrypted connection.
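The explanation above says the warning is about an FQDN/certificate mismatch, so the check worth doing before solution 1 is whether the certificate actually names the host you browse to; a certificate that does not will keep warning no matter which store it sits in. The PowerShell below is an added example, not code from the post or from Kaspersky. It fetches the server certificate, checks its Subject Alternative Name against the FQDN, and only then imports it into the machine Trusted Root store and enables the Firefox ImportEnterpriseRoots policy (the machine-wide equivalent of the about:config setting in solution 1). The FQDN 'intranet.example.local', port 443 and the Firefox policy registry path are assumptions for the example.

```powershell
# Added example: verify the certificate names the FQDN before trusting it machine-wide.
function Get-RemoteCertificate {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # The validation callback returns $true on purpose: we only want to *read* the certificate here.
        # Trust is decided by the checks below, not by this handshake.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($Fqdn)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Get-CertificateDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() renders e.g. "DNS Name=intranet.example.local, DNS Name=intranet"
        return ($san.Format($false) -split ',\s*') |
               Where-Object { $_ -match '^DNS Name=' } |
               ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    # No SAN extension: fall back to the subject CN.
    return @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
}

function Test-CertificateCoversFqdn {
    param([Parameter(Mandatory)]$Cert, [Parameter(Mandatory)][string]$Fqdn)
    foreach ($name in Get-CertificateDnsNames -Cert $Cert) {
        if ($name -ieq $Fqdn) { return $true }
        # A wildcard covers exactly one label: *.example.local matches web.example.local, not a.b.example.local.
        if ($name.StartsWith('*.') -and
            $Fqdn -imatch ('^[^.]+\.' + [regex]::Escape($name.Substring(2)) + '$')) { return $true }
    }
    return $false
}

$Fqdn = 'intranet.example.local'   # assumption: your internal site
$cert = Get-RemoteCertificate -Fqdn $Fqdn
if (-not (Test-CertificateCoversFqdn -Cert $cert -Fqdn $Fqdn)) {
    throw "Certificate '$($cert.Subject)' does not name $Fqdn; reissue it with a matching SAN instead of trusting it."
}
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate is not self-signed; import its issuing CA rather than this leaf certificate."
}

# Solution 1 from the article: import into LocalMachine\Root (elevated shell required).
$cerPath = Join-Path $env:TEMP "$Fqdn.cer"
[IO.File]::WriteAllBytes($cerPath, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Firefox: ImportEnterpriseRoots is the policy form of security.enterprise_roots.enabled and applies to all users.
$policyKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'   # assumption: Firefox policy location on Windows
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'ImportEnterpriseRoots' -Value 1 -Type DWord
```

If the name check fails, the right fix is on the web server (a certificate whose SAN matches the FQDN), not in the trust store; adding a mismatched certificate to Trusted Root removes neither the KES warning nor the browser one.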
  14. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
      Issue
      In KATA 4.1, when Central Node was used as a Sensor, it was possible to access Traffic Capture and disable a protocol, e.g. SMTP.
        CN-Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500.htm
        Standalone Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500_1.htm
      In KATA 5.0, this possibility is missing from the docs and from CN, and is only available on a Standalone Sensor.

      Solution
      The workaround is to use the CLI and access the underlying configuration directly.
      Settings section:
        # console-settings-updater get /kata/configuration/product/preprocessor_span | python3 -m json.tool | grep \"traffic\" -A 23
        "traffic": {
            "buffer_size_limit": 4096,
            "checksum_validation": false,
            "enable": true,
            "enable_dns": true,
            "enable_ftp": true,
            "enable_http": true,
            "enable_smtp": false,
            "enable_ssl": true,
            "ftp_data_expired_timeout": "PT60S",
            "ftp_data_supposed_max_size_bytes": 10485760,
            "iface_groups": [
                {
                    "ifaces": [
                        "ens192"
                    ],
                    "core_id": null
                }
            ],
            "pcap_filter": "",
            "pcap_snaplen": 1600,
            "pcap_timeout": 10,
            "tcp_threads_number": 16
        },
      Example: disable SMTP, enable the rest
        # console-settings-updater set --merge /kata/configuration/product/preprocessor_span '{"traffic": {"enable_dns": true, "enable_ftp": true, "enable_http": true, "enable_smtp": false}}'
      Example: change the whole section
        # console-settings-updater get /kata/configuration/product/preprocessor_span | python3 -m json.tool > /tmp/preprocessor_span.json
        # vim /tmp/preprocessor_span.json
        # console-settings-updater set /kata/configuration/product/preprocessor_span @/tmp/preprocessor_span.json
  15. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
      Description and cautions
      This article explains how to save a virtual machine memory dump in different hypervisor environments. You may find this information useful if you need to save a memory dump of an unresponsive or non-booting virtual machine.
      Instructions for each hypervisor environment: VMware ESXi/vSphere, Microsoft Hyper-V, Proxmox VE, KVM, Citrix Hypervisor.

      VMware vSphere
      You can do this either via the vCenter client or the ESXi host client.
      1. Create a snapshot of the VM.
         1.1. Right-click the VM in the list of all virtual machines → Snapshots → Take snapshot.
         1.2. Check the "Snapshot the virtual machine's memory" checkbox.
      2. Download the snapshot files.
         2.1. For ESXi:
              2.1.1. Right-click Storage → Browse datastores.
              2.1.2. Select the VM's datastore.
              2.1.3. Open the VM's folder.
              2.1.4. Right-click the newest .vmsn file → Download.
              2.1.5. Right-click the newest .vmem file → Download.
         2.2. For vCenter:
              2.2.1. Open the Datastores tab of the VM view and click the datastore listed.
              2.2.2. Open the Files tab of the datastore view and find the folder of the virtual machine.
              2.2.3. Select the newest .vmem and .vmsn files and click Download.
      3. Download the vmss2core utility. vmss2core is included with VMware Workstation and is available in C:\Program Files (x86)\VMware\VMware Workstation\ on 64-bit versions of Windows. vmss2core: https://flings.vmware.com/vmss2core
      4. Extract the memory dump from the downloaded snapshot. For a snapshot of a VM running:
         - Windows 8/Server 2012 and newer:
           <path to vmss2core's folder>\vmss2core -W8 <.vmsn file path> <.vmem file path>
         - Older versions of Windows:
           <path to vmss2core's folder>\vmss2core -W <.vmsn file path> <.vmem file path>
         - Linux:
           <path to vmss2core's folder>\vmss2core -N <.vmsn file path> <.vmem file path>
         It should save the dump file to the working directory.

      Microsoft Hyper-V
      This method is only applicable to Windows VMs. To get a memory dump of a Hyper-V virtual machine, you need the kernel debugger included in the Windows SDK.
      1. Download the Windows SDK installer and LiveKD to the Hyper-V host.
         Windows SDK installer: https://go.microsoft.com/fwlink/?linkid=2237387
         LiveKD: https://download.sysinternals.com/files/LiveKD.zip
      2. Run the Windows SDK installer in PowerShell:
         .\winsdksetup.exe /features OptionId.WindowsDesktopDebuggers /q /norestart
         To check whether the installation has completed, watch Task Manager while the Windows SDK is installing. Once the SDK installation is complete, the winsdksetup.exe process should disappear.
      3. Unpack LiveKD.zip by running the following in PowerShell:
         Expand-Archive LiveKD.zip
      4. Set the _NT_SYMBOL_PATH environment variable:
         setx _NT_SYMBOL_PATH "srv*c:\symbols*http://msdl.microsoft.com/download/symbols"
         Log off and on again to make the variable available to LiveKD.
      5. Run the following to save a memory dump to a specified path on the Hyper-V server's storage:
         .\LiveKD\livekd64.exe -hv <VM Name> -k <Path to Windows SDK install>\Debuggers\x64 -p -o <Path to save memory dump>
         The default Windows SDK path is C:\Program Files (x86)\Windows Kits\10.
      6. One way to copy the dump is to mount a network drive in PowerShell and copy the file to it.
         $cred = Get-Credential <Domain\username>
         Get-Credential asks for the password of the specified user and stores the credential used by New-PSDrive in a variable.
         New-PSDrive -Name <Drive Letter> -Persist -PSProvider FileSystem -Root "<network path>" -Credential $cred
         New-PSDrive mounts an SMB/CIFS share at the specified network path as a network drive.

      Proxmox VE
      1. Open the Monitor tab of the VM. To create a dump in ELF format, execute the following:
         dump-guest-memory -d <path to save the file>
         -d detaches the process from the shell, which is necessary because Proxmox has a time limit on monitor operations.
      2. To create a dump in Windows crashdump format, the VM has to be started with a vmcoreinfo device and have the latest virtio-win drivers installed. The VM can be started with the vmcoreinfo device by running the following in the node's shell:
         echo $(sudo qm showcmd <VMID>) -device vmcoreinfo | sudo bash -s --
         If the VM has a TPM configured:
         export VMID=<VMID> && swtpm socket --tpmstate backend-uri=file://<path to tpm state file>,mode=0600 --ctrl type=unixio,path=/var/run/qemu-server/$VMID.swtpm,mode=0600 --pid file=/var/run/qemu-server/$VMID.swtpm.pid --terminate --daemon --log file=/run/qemu-server/$VMID-swtpm.log,level=1,prefix=[id=$(date +%s)] --tpm2 && echo $(sudo qm showcmd $VMID) -device vmcoreinfo | sudo bash -s --
         By default Proxmox creates a thin-provisioned LVM storage called local-lvm, whose path is /dev/pve.
         After that a dump can be created by running the following in the Monitor tab:
         dump-guest-memory -d -w <path to save the file>
         2.1. Wait until the dump file size reaches the amount of RAM allocated to the VM. If it is stuck at 0 bytes, it means that the VM couldn't load the vmcoreinfo driver and the only way is to create an ELF dump. To check it, run the following in the Proxmox node's shell, which can be accessed via the Shell tab in the node's view:
              watch -n 1 ls -al --block-size=M <dump file path>
              This command will run ls every second showing the file's size; it may take some time to show anything, because of the way Proxmox is saving the dump.
      3. Copy the dump from the node; one way is to use scp:
         scp <user>@<KVM host ip>:<dump file path> <local path>

      KVM
      This part is applicable to generic KVM servers with libvirt, Alt Server-V, OpenStack, OpenNebula and any other virtualization environments based on them.
      1. To save a memory dump in ELF format to the KVM host, run as root:
         sudo virsh dump --memory-only <name of the vm> <path to dump>
         All virsh commands can be run without sudo if the user is in the libvirt group.
      2. To save a dump in Windows crashdump format, the VM has to have the latest virtio-win drivers installed and the vmcoreinfo feature has to be enabled in the VM's configuration file:
         export VMID=<vm name>
         export xml_path="/etc/libvirt/qemu/$VMID.xml"
         # Only touch the VM if the feature is missing; the grep result, not the service restart, is the condition
         if ! sudo grep -q vmcoreinfo "$xml_path"; then
             sudo virsh shutdown "$VMID"
             # virsh shutdown only asks the guest to power off; wait until it actually has before editing the XML
             while sudo virsh domstate "$VMID" | grep -q running; do sleep 2; done
             sudo systemctl stop libvirtd
             sudo sed -i "s/<features>/&\n    <vmcoreinfo state=\"on\"\/>/" "$xml_path"
             sudo systemctl start libvirtd
             sudo virsh start "$VMID"
         fi
         After the VM boots up (or crashes), run the following to create the dump:
         sudo virsh qemu-monitor-command --hmp <name of the vm> 'dump-guest-memory -w <path to save the file>'
         Check the dump file size; if it is 0 bytes, it means that the VM couldn't load the vmcoreinfo driver and the only way is to create an ELF dump:
         ls -al <dump file path>
      3. Copy the dump from the node; one way is to use scp:
         scp <user>@<KVM host ip>:<dump file path> <local path>

      Citrix Hypervisor
      The only way to capture a memory dump of a virtual machine running on Citrix Hypervisor is to use the memory dump mechanisms built into the guest OS, but a crash of the guest can be triggered from the hypervisor by running:
         xen-hvmcrash <id>
      How to collect a full memory dump on Windows: https://support.kaspersky.com/common/diagnostics/10659