Everything posted by intrusus (92 posts)
-
Hey, I've just requested information about the contents of the automatic updates and whether it's traceable which files have been and are being downloaded (possibly in log files, etc.). The case is running under INC000010558557, case text below. I'll keep you posted. Case text: [spoiler]Your message 24.6.2019 16:29:13 Dear Sir or Madam, recently a larger update was downloaded, which surprised me and a few other users of the Kaspersky Community. I wanted to ask what kind of updates are downloaded via the automatic updates of KTS and KIS and whether any logs show which files were downloaded. For pure signature updates, the last update seems very large (several MB instead of KB). If you could provide me with this information, I would be very grateful.[/spoiler] Cheers Leon
-
Hi, I can't find anything about it in the release notes. You could check the update reports: Open Kaspersky Total Security. Click Update. Click the link with the date of the most recent update. The report window opens. You may find more information here. Kind regards Leon
-
Well, currently you can only obtain the beta. All 2020 versions are currently in RC status (release candidates). Regarding the official release date: the global release usually takes place in the summer months (July-August-September), but it entirely depends on Kaspersky; the release may come earlier in some regions. Kind regards Leon
-
Hey Kaiay, your problem could have to do with this one: https://securelist.com/elevation-of-privileges-in-namco-driver/83707/ In a nutshell: The manufacturer of your game has supplied drivers that appear to be a rootkit - but they are not. They actually belong to an anti-cheat mechanism. The manufacturer seems to have patched this, but maybe another piece of code of the same kind was delivered with the last update... In the Types of detected objects section, you can specify the types of objects to be detected by Kaspersky Free. In the Exclusions section, you can create a list of the objects that Kaspersky Free will ignore. What you can also do is contact Kaspersky and report a false positive or have the program further analyzed. You can do this either via VirusDesk (upload the game .exe) or contact the official support. You can also try to enable gaming mode: Open the main application window. Click the settings button in the lower part of the window. In the left part of the window, select the Performance section. Select the Use Gaming mode check box. Cheers Leon
-
Network Attack Detected
intrusus replied to SIIL-IT1's topic in Kaspersky Endpoint Security for Business
I'm glad I could help you. -
Network Attack Detected
intrusus replied to SIIL-IT1's topic in Kaspersky Endpoint Security for Business
Hey, Yes, this also occurred in our company and with customers of ours. The reason for this could be two things: Kaspersky has removed the standard Windows exceptions, which you can re-import manually in the policy: In the left part of the window, in the General Settings section, select Exclusions. In the Scan exclusions and trusted applications section, click the Settings button. Click the Add or Import button. You can find the exclusions we're using right here. It could also be the Address Resolution Protocol (ARP). That's the protection against MAC spoofing attacks. You can find the corresponding settings in the policy of KES: In the left part of the window, in the Essential Threat Protection section, select Network Threat Protection. In the MAC spoofing Protection operating mode section, we selected: Notify about all activity characteristic of MAC spoofing attacks. If that doesn't help, contact technical support or wait for an answer from the experts here in the community. We did not detect any faulty network attacks after we adjusted the policy. I also reported the problem as a bug (INC000010311196) some time ago, but I couldn't provide logs here (colleague cleaned up). The incident was then unfortunately closed. Best regards Leon -
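The post above points at MAC spoofing protection as a source of "Network Attack Detected" alerts. The following is an added example, not code from the post or from Kaspersky: a generic model of the heuristic such a component relies on (an IP address suddenly answering ARP from a different MAC address) and of why a legitimate network, here a constructed active/standby gateway pair, can trigger it until the detector is told which MAC changes are expected. All ARP observations and addresses are constructed.

```python
"""Generic model of ARP-based MAC spoofing detection (added example).

Not Kaspersky's implementation: it only illustrates the class of heuristic
behind "MAC spoofing" alerts and how tuning with known-good MACs removes the
false alarms caused by a gateway failover. All data below is constructed.
"""

# Constructed ARP replies seen on the wire: (seconds, sender IP, sender MAC).
OBSERVATIONS = [
    (0,  "10.0.0.1",  "00:11:22:33:44:01"),   # gateway, primary node
    (5,  "10.0.0.20", "00:11:22:33:44:20"),   # ordinary workstation
    (30, "10.0.0.1",  "00:11:22:33:44:02"),   # gateway failed over to standby node
    (60, "10.0.0.20", "00:11:22:33:44:20"),
    (90, "10.0.0.20", "de:ad:be:ef:00:01"),   # same IP, unexpected MAC
]

# Addresses that change MAC by design (e.g. an active/standby gateway pair),
# with every MAC that may legitimately answer for them. Constructed values.
TRUSTED_MACS = {
    "10.0.0.1": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}


def detect_mac_changes(observations, trusted=None):
    """Return one alert per IP-to-MAC change.

    'trusted' maps an IP to the set of MACs allowed to answer for it; a change
    that stays inside that set is expected behaviour and is not alerted.
    """
    trusted = trusted or {}
    last_mac = {}
    alerts = []
    for t, ip, mac in observations:
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            allowed = trusted.get(ip, set())
            if not (prev in allowed and mac in allowed):
                alerts.append({"time": t, "ip": ip, "old_mac": prev, "new_mac": mac})
        last_mac[ip] = mac
    return alerts


if __name__ == "__main__":
    print("untuned detector:")
    for a in detect_mac_changes(OBSERVATIONS):
        print(f"  t={a['time']:>3}s {a['ip']} {a['old_mac']} -> {a['new_mac']}")
    print("with trusted gateway MACs:")
    for a in detect_mac_changes(OBSERVATIONS, TRUSTED_MACS):
        print(f"  t={a['time']:>3}s {a['ip']} {a['old_mac']} -> {a['new_mac']}")
```

Run untuned, the detector reports both the gateway failover at 30 s and the workstation's MAC change at 90 s; with the trusted set for the gateway, only the workstation event remains, which is the alert a defender actually wants to look at.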
Hey KimiKimi, welcome to the family of Kaspersky!

What is a rootkit?
I don't know if you're directly interested in what a rootkit is, but I'm sure it's interesting for many others. Therefore a short overview in (hopefully) easy to understand language. First of all you have to distinguish the type of rootkit; there are six basic types: User-mode rootkits / application rootkits, Kernel-mode rootkits, Memory-based rootkits, Hypervisor rootkits, Bootkits and Hardware / firmware rootkits. Rootkits are, in my opinion, one of the most disgusting types of malware you can ever get. This is because of the way they work. User-mode rootkits run like normal user programs in user mode, the lowest permission level (ring 3) of the CPU. This prevents them from directly intervening in the memory area of other applications. Memory-based rootkits work in the main memory (RAM) of a computer and therefore do not survive a reboot. Kernel-mode rootkits run at the highest permission level. They can write to all areas of main memory (RAM), including the memory areas of other programs. So kernel rootkits are able to intercept calls to certain operating system functions and filter their results before they reach the calling programs. This leads, for example, to suspicious files and processes not being displayed in the Explorer or Task Manager. Bootloader rootkits / Bootkits target the foundation of the computer by attacking the master boot record. The MBR is an important part of the computer because it contains instructions on how to boot the operating system. Also, these rootkits are hard to get rid of. If the boot loader has been infiltrated into the MBR code, removing it could damage the computer. Unlike other types, memory-based rootkits do not remain permanently stored on the machine. By resetting the RAM when you restart your computer, the rootkit is also deleted. Instead of targeting the OS, firmware/hardware rootkits go after the software that runs certain hardware components. Hypervisor rootkits are rootkits that move an existing real operating system into a virtual environment. The virtual environment is therefore a software layer under the operating system, which makes it very difficult to detect the VMBR.

Why doesn't my antivirus tool work against rootkits?
Antivirus software is of course designed to find as much malicious software as possible. However, these beasts are often extremely well hidden; the system often continues to work as before and rarely shows any obvious behavior. Even though Kaspersky's products stand out from the competition in an extremely positive way, no antivirus software has a 100% detection rate, especially not for malware that is not known to the general public (such as 0-day exploits). Of course, cloud technology (Kaspersky Security Network) and machine learning often help to identify strange software as malware. But even the best software can be deceived.

Why didn't TDSSKiller find anything?
The problem with TDSSKiller is that it specializes in a limited number of rootkits and sometimes provides some unclear scan results. However, TDSSKiller is definitely a good tool.

What should I do now?
Be careful when you're trying to remove rootkits. There are plenty of tools available (like GMER or aswMBR), but these tools are either intended for professional users, provide meter-long log files or unintentionally delete needed system files and make the operating system unusable later. Therefore, please contact Kaspersky Support; they will be happy to assist you. The safest way is to have the operating system reinstalled if you have made a backup of your personal data. If not, remember that for the future. Don't visit weird websites, use a purchased antivirus solution like Kaspersky Internet Security and use an adblocker. I hope I was able to help you and wish you the best. Good luck!
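The post explains that a kernel-mode rootkit intercepts enumeration calls and filters their results, so Task Manager and Explorer simply never see the hidden process. The classic defensive answer is cross-view detection: take the same listing through the public API and through an independent low-level path, and treat anything present in one view but missing from the other as suspicious. The block below is an added example, not code from the post or from any Kaspersky or TDSSKiller component: it models the filtering hook on a constructed process table and runs a cross-view comparison against it, including the one edge case such a scan must handle, a short-lived process that starts or exits between the two snapshots. No real system APIs are touched; every process name and PID is constructed.

```python
"""Cross-view detection of hidden processes (added example).

Models the mechanism the post describes (a hooked enumeration call that drops
entries) and the detection technique used against it. All data is constructed;
nothing here queries a real kernel.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


# Constructed ground truth: what is really running, as an independent walk of
# the kernel's own process structures would report it.
RAW_VIEW = [
    Proc(4, "System"),
    Proc(612, "winlogon.exe"),
    Proc(1304, "explorer.exe"),
    Proc(2048, "svchost.exe"),
    Proc(3172, "hidden_miner.exe"),   # constructed rootkit payload
]

# Constructed short-lived process that exists only in the later snapshot.
TRANSIENT = Proc(4100, "setup_tmp.exe")

# Name prefixes the modelled rootkit filters out of every API result.
HIDDEN_PREFIXES = ("hidden_",)


def hooked_enumerate(raw):
    """Model of the hooked API: the real list minus what the rootkit hides.
    Task Manager and Explorer would only ever see this result."""
    return [p for p in raw if not p.name.startswith(HIDDEN_PREFIXES)]


def take_snapshot_pair(raw, transient=None):
    """One API view and one low-level view taken a moment apart. If a process
    appears in between, it shows up only in the later (raw) view."""
    api_view = hooked_enumerate(raw)
    raw_view = list(raw) + ([transient] if transient else [])
    return api_view, raw_view


def cross_view_diff(api_view, raw_view):
    """Processes present in the low-level view but absent from the API view."""
    api_pids = {p.pid for p in api_view}
    return [p for p in raw_view if p.pid not in api_pids]


def detect_hidden(pairs):
    """Keep only PIDs hidden in every snapshot pair, which removes processes
    that merely raced the two enumerations, and returns the persistent ones."""
    persistent = None
    by_pid = {}
    for api_view, raw_view in pairs:
        hidden = {p.pid for p in cross_view_diff(api_view, raw_view)}
        by_pid.update({p.pid: p for p in raw_view})
        persistent = hidden if persistent is None else persistent & hidden
    return sorted((by_pid[pid] for pid in persistent or ()), key=lambda p: p.pid)


def demo():
    """Two snapshot pairs: the transient process only appears in the first."""
    pairs = [take_snapshot_pair(RAW_VIEW, TRANSIENT), take_snapshot_pair(RAW_VIEW)]
    return detect_hidden(pairs)


if __name__ == "__main__":
    for p in demo():
        print(f"hidden process: pid={p.pid} name={p.name}")
```

A single comparison would report both the rootkit's process and the transient installer; repeating the pair and intersecting the results leaves only the entry that is consistently filtered from the API view, which is the behaviour worth escalating. Real anti-rootkit scanners apply the same idea to files, registry keys and kernel modules.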
-
I can finally confirm it too: Actually the agent has to be uninstalled manually (or via script) and then has to be reinstalled. Apparently the installer is buggy and doesn't always install the Network Agent in a clean way. After this workaround the KES could be managed locally and remotely again. I also stumbled across another bug: when checking ./klnagchk -sendhb I received the error message that the module SendHeartbeat is no longer available - bit strange. Thanks donkeykongjr for confirming the bug and the corresponding workaround, I have informed the technical support that other customers are also affected. Cheers Leon
-
Also, your files were probably encrypted by the so-called .STOP Ransomware. This also includes the extension .redmat. Michael Gillespie is currently working on a decryption tool, but whether this can decrypt your files again is questionable. You can identify your malware at his malware identification site. If necessary, you will also receive instructions here on how to decrypt your files again. In any case (if you have bought a product from Kaspersky) let the official support help you. Kaspersky has one of the best Global Research and Analysis teams in the world. Also remember to back up your personal files regularly in the future (how-to). Keep your systems up-to-date, don't visit insecure sites. Use ad blockers and always be aware that even the best antivirus program can't provide 100% protection. Even though Kaspersky is pretty close. Good luck!
-
donkeykongjr Maybe I closed this topic a little hastily, sorry. I haven't received any feedback from the user yet, I hope the problem is solved now. But if you also found this error, I suspect bad. I'll get back to you as soon as I have news! Cheers Leon Nikolay arinchev Please uncheck the "best solution" so that the topic remains open for the moment, as the complete troubleshooting has not yet been confirmed. Thx!
-
KSWS 10.1 - Permission warning
intrusus replied to intrusus's topic in Kaspersky Endpoint Security for Business
The problem with the missing permission is fixed now, I deleted the domain groups "KLAdmin" and "KLOperators" out of the corresponding local groups. I then logged in with my _adm account (member of the local "KLAdmin" group) via the administration console and was able to view and edit the policy. I think we created them some time ago to give our service team access to all KSCs... Sometimes you just forget when you play around with the systems. Question Nikolay arinchev: Does the local "KLAdmin" group have to be present in the local "Administrators" group? This is not the case with our old administration server (KSC 10), so I removed it. Something seems to have gotten messed up here a bit... In the attachment once again an overview of all local groups. Thank you & kind regards Leon -
I have received feedback from support. The product cannot be controlled via KSC while the agent is not running. Of course I am aware of this, but it's funny that the tasks can still not be started locally. Probably the KES lacks the policy. I have now told my user to uninstall the agent and delete the directory: /Library/Application Support/.../klnagent_conf/. The user then has to reinstall the agent locally. If I have any news, I will post it here.
-
System Tray Icon missing on some devices
intrusus replied to intrusus's topic in Kaspersky Endpoint Security for Business
Sorry for being late, I was on vacation. Kaspersky Lab Support provided me a Private Fix, it's Private Fix PF7020. You can download it here. After installation the client should be restarted. If the PF doesn't work (may vary from device to device) or you don't trust the link, you should contact support. Cheers, Leon -
Dear Community, dear KL-Team, following fact: the new KES 11 for macOS is not executed correctly in our environment. Update tasks can neither be started remotely nor via the GUI. An incident is already opened (INC000010353734 and INC000010487018); there is actually no real progress here, however. The corresponding trace files can be found here. Via Kaspersky Security Center I can see that the KES is running, but the agent is displayed as inactive. I believe that the error is due to an incorrect adoption of the policy. After running klnagchk -sendhb locally I get the following error message: The error shown in the screenshot continues after re-installing the network agent. We use the following programs: KES Mac 11.0.0.51 Network Agent Mac 11.0.0.23 Is there a workaround for this? If not, I hope for a solution from support and will publish it here for everyone. Best regards Leon
-
Kaspersky secure connection
intrusus replied to João Grilo's topic in Kaspersky VPN Secure Connection
Hello João, so far only about ~20 countries are offered. This has less to do with your purchased plan than with the technical background. Providing data centers and servers around the world while securing and maintaining them at the same time is costly and time-consuming. Therefore, it probably takes time to add new countries. The best way is to leave feedback here like you did and/or at the official support page to suggest Kaspersky Lab to add the country to the VPN infrastructure of Secure Connection. Kind regards Leon -
KSC multiple licenses
intrusus replied to S0lutionS's topic in Kaspersky Endpoint Security for Business
The way I interpret the icons next to the corresponding licenses, you've only set one to active automatic distribution. To automatically deploy a key to managed devices: Open Kaspersky Security Center 11. Go to Kaspersky Lab Licenses. Select the key that you want to deploy automatically. Open the key’s properties and select the Automatically distributed key checkbox. Click OK. Kaspersky Security Center will now automatically distribute the remaining free licenses of all keys of your database to new devices. During automatic distribution of a license key as the active or additional license key, the licensing limit on the number of devices is taken into account. (The licensing limit is set in the properties of the license key.) If the licensing limit is reached, distribution of this license key on devices ceases automatically. More information: https://help.kaspersky.com/KSC/11/en-US/3612.htm Cheers Leon -
KSWS 10.1 - Permission warning
intrusus replied to intrusus's topic in Kaspersky Endpoint Security for Business
Sure thing, I am using KSC 11.0.0.1131 and my KSWS plugin is Kaspersky Security 10.1 für Windows Server 10.1.0.622. Cheers Leon -
Hi Dennis, is it possible that you bought a Kaspersky Lab product on its official website but forgot to uncheck "Auto Renewal"? You may have purchased your AV product with a subscription, but you can cancel it at any time. Please look here if you want to cancel the subscription: https://www.kaspersky.com/auto-renewal-service I understand that this upsets you; I recently fell into a subscription trap myself and then wondered about a bill. Nevertheless, I hope that everything will turn out for the best with you. In case of trouble the Kaspersky Lab Support will help you! Kind regards, Leon
-
KSWS 10.1 - Permission warning
intrusus replied to intrusus's topic in Kaspersky Endpoint Security for Business
Good evening everyone, today, while browsing through the Kaspersky Security for Windows Server 10.1 policy, I was a little surprised to receive an error message or warning. When clicking on "Supplementary" -> "User access permissions for application management" I get the message that I am not authorized to display the current KSWS 10.1 permission settings. However, I am allowed to change them. In the Administration Server settings at "Security" I checked what the permissions look like: As you can see, the KLAdmins and KLOperator groups do exist and their roles are also correct. Under local users and groups on the Windows server where the Administration Server is installed, I can confirm that my user is in the local Administrators group and in the KLAdmin group. What could be the mistake here? Best regards Leon -
KES 11 vs. Kaspersky for Windows Server 10 [moved]
intrusus replied to Ukdjh3's topic in For Business
Hey, officially Kaspersky Lab recommends Kaspersky Security for Windows Server, since this product was built according to the security requirements of the server operating system. It is also particularly adaptable to different server roles, including business-critical scenarios. The protection components were specifically adapted for server environments and the maintenance effort was reduced (e.g., KSWS requires fewer restarts). Older server operating systems are supported by KSWS (down to Windows Server 2003), and use in virtual environments is certified. Edit: On terminal servers you should definitely use KSWS for compatibility reasons, otherwise you'll end up like here, for example. Kind regards, Leon