Everything posted by Kavuser10

  1. Don’t think it’s possible. Better use something free like PDQ Inventory.
  2. I think I figured out what has happened here. Turns out that KSC Agent v13 has an option to install any of the undefined updates automatically and it’s enabled by default. Nice! So when the patch was released it went straight out to all the machines and as there’s obviously still an issue even in the latest version of KSC that was uploaded lately, it just did the same thing that happened during the upgrade.
  3. I see now that there’s two patches released yesterday for KSC server and Agent. They are in unapproved state in KSC. Does this mean that those patches got pushed out by Kaspersky automatically anyway? That would explain this horrible mess.
  4. I’m stunned. What the hell is going on with KSC v13 and KES v11.6? After the disastrous upgrade we got everything back to normal and everything was working fine yesterday. Today I come in to work and need to troubleshoot an issue. For that I need to disable Application Control on one machine. I open the KSC Console and my jaw drops to the table. Literally every workstation has been wiped from KSC! Wth? Really? Then I open the Unassigned Devices and every device is created there double with some garbage random names. Every machine says created 14 hours ago. All of course outside of our security policies. And it seems that network agent is not installed on a bunch of computers anymore. Now, instead of working on stuff I need to work on, I’m rebuilding our KSC because to get everything back to normal I need to delete absolutely everything from KSC and do another network discovery and then move everything back to proper management groups. So pretty much back to when we upgraded but this time we even did not do anything ourselves. What is going on with KSC v13? Was there some kind of update pushed yesterday? What is happening here? Will anyone from Kaspersky bother to post here anymore? We are so close to moving to Sophos.
  5. Even though we do use fully on premise management we faced the same or similar issue when deploying the KSC Network Agent v13. Pretty much all our endpoints were deactivated and the only solution was to manually activate them again with an activation code. What’s worse, it rendered all our remote management access useless so we had to mobilize the whole IT team to drive everywhere on location to do this by hand. What a huge failure on Kaspersky’s part. I totally regret not partaking in the beta testing on the last version but their communication about beta testing is just so invisible and lousy so I completely missed it. And what’s even worse, is that their support took almost three full days to even respond to us. Something has really gone amiss with their support as it used to be very quick and pretty good before. I have also noticed that they have also mostly negated this community and rarely reply here anymore too, and instead spend their time posting memes on Facebook. Does not look good at all.
  6. Yes it is. There’s KSC v13 install packages available for all major Linux platforms available here: https://www.kaspersky.com/small-to-medium-business-security/downloads/endpoint?icid=gl_sup-site_trd_ona_oth__onl_b2b_klsupport_tri-dl____ksc___ One big difference is that you only have web console for management on Linux. On Windows you also can use the Microsoft Management Console type of interface which I much prefer over the Web console. But as MMC has been phased out by Microsoft web console is the future anyway. MMC is currently still more functional than web console but the latest versions have been catching on pretty well and now most of the products can be managed properly through web console too.
  7. Seems to be quite common. We see this also from time to time. When profile is uploaded to server the endpoint will get blocked by Anti-Cryptor. Haven’t found a good way to deal with it yet so that overall security is not lowered, so we have just put up with it. Anti-Cryptor false positives are annoying though. We currently have KES 11 on endpoints and Kaspersky For File Servers on servers.
  8. One of the issues I have found after digging in is that when Network Agent v13 is installed, it not only wipes any settings and policies on the machine it also wipes the machine from KSC. For example, if the machine is in a specific OU/Group and you install Network Agent v13 on it, the machine is not updated in the OU. Instead a completely new duplicate machine with random name is created in Unassigned Devices. This means that all the machines will fall out of the scope of policies assigned to them. So you need to delete the original machine and the duplicate created, then do a new network discovery (and if the KES was deactivated/disabled on the original machine you need to manually activate it) and then re-install the network agent over the previously installed v13 one. So if you would enable an automatic network agent installation on a Managed Devices OU/Group like we usually do, all the machines would be wiped out from it and any subgroups. Strangely enough this issue occurs with Windows 10 machines but not with Windows Server machines. This is really bad and I’m stunned that this has not been caught during beta testing. PS. It would also be nice if you guys would be as active in the forums as you are posting stuff on Facebook. This new community seems to be pretty dead.
  9. We tend to get them too quite often. After starting the Advanced Disinfection it goes away.
  10. Amazing! A new day and still nothing from Kaspersky support. I have another ticket open for several days and have not heard back regarding this either. Is there even anyone manning Kaspersky support anymore? They used to respond pretty much immediately. Meanwhile we have managed to mostly remedy the situation by ourselves. As all the clients were wiped from KSC we had to do everything from scratch. After activating the machines manually and getting them back to connect remotely had to clean out all the machines from KSC and re-deploy the agent second time, forcing it to install over the previous one.
  11. Today migrated our KSC to v13 and started to migrate our clients to agent version v13. What a bad idea. It has completely wiped out our Kaspersky installation. When the agent started installation on machine it erased all the licenses from endpoints leaving any endpoint protection products in an inactive state. What’s worse - it did not f*cking disable them completely which means that Windows Defender was not activated. This in turn left the machines not only unprotected but also inaccessible from network because Windows Firewall did not kick in. All machines not only wiped out from KSC and no way to remedy but also inaccessible to our other remote management tools. Holy Jesus Christ on a chicken basket! Had to mobilize our whole IT team and send them by foot from machine to machine in every office and location to activate the endpoints manually with the activation code so that we would not be completely unprotected. None of the clients still connect to KSC. I shudder when I think what happened during those couple of hours our network was completely unprotected. Hours have passed and still haven’t heard back from Kaspersky support. So if you’re thinking about starting migration KSC and Agent v13 be warned.
  12. Hi, Had this problem myself. It only works if you enter the domain with asterisk both at the beginning and end. Eg *domain.com* or *subdomain.domain.com* Kaspersky documentation has it wrong and their support admitted it. Not sure why they haven’t updated.
  13. Hello, For some reason the update to KES 11.5 has not shown up in KSC 12.2 as new updates usually do. We have rolled out the new version manually for majority of the clients but would like to push it out through the automatic update mechanism too so that clients that are not online all the time would get it when they connect. Anyone had a similar issue?
  14. Hello, It would be nice if Kaspersky would make a statement on how their products detect and help to mitigate the recent Solarwinds hack. Several security vendors like Sophos are already on it.
  15. You have to enable syslog in the policy that you have pushed on clients. Open the policy in editor and under Events open the specific events that you want to send and make sure syslog is enabled. See here: https://help.kaspersky.com/KSC/SP3/en-US/151325.htm
  16. Yes. KSC will then send messages over syslog and AlienVault knows then how to process them properly. Without enabling the plugin for KSC logs will show up just as generic text logs.
  17. Why not just deploy a new license that replaces the old one? I don’t think you can remove the license from KSC. But you can do it on the endpoint in KES interface.
  18. I would like to see better reporting implemented in KSC. For example reports about HIPS activity (apps placed in Low Restricted and Restricted groups, blocked activities etc). Currently you need to manually go through the logs in KSC for that. It would be neat to have something similar to App Control Blocked runs report that shows the blocked executables. There should also be a report on File Integrity Monitoring and System Inspection that would cover all the created and modified files, who modified them and at what time. The same goes with System Inspection where it would be good to have option to check what rules or events are reported on. Am I correct that the Software Registry report shows all the detected executables? Is it possible to get info only on new executables detected during a certain time period? And also, alerts also need to have more data in them. Especially for Kaspersky for File Server. For example, currently we use alerts for some custom Windows Event ID’s but the alert just contains data about it being triggered and not much else. That is kind of useless as every time I have to log into KSC to actually see what rule was triggered. It should contain the actual rule name set in Security for File server, event ID and the event contents. For example if a scheduled task is created, I would like to see which one, because Windows Update creates a bunch of false alerts which I would not investigate. But if I see a process created or new user added or whatever event ID’s I have defined, then I would probably want to investigate immediately.
  19. AlienVault USM and OSSIM have a Kaspersky log parsing plugin built in. After configuring KSC you need to add it as log source in AlienVault and enable Kaspersky plugin. See here: https://cybersecurity.att.com/documentation/usm-appliance/supported-plugins/configuring-kaspersky.htm?tocpath=Documentation%7CAlienVault%C2%AE%20USM%20Appliance%E2%84%A2%7CDeployment%20Guide%7CPlugin%20Management%7CConfigure%20Log%20Forwarding%20on%20Commonly%20Used%20Data%20Sources%7C_____47
  20. Have you looked at HIPS > Protected Resources to check if the temporary location has write access to the program? As this is legacy app it might have been put into Untrusted or High Restricted group in KES. I can’t remember if the temp locations are protected by default or did I make those entries myself, but we have write access to those folders disabled for stuff that is not trusted. Also could you upgrade one machine to KES v11.2? I see from logs that you are on 11.1.1
  21. Do you see from Kaspersky logs (Reports) which component deleted the file and what the reason was?
  22. I’m pretty sure you do not have to create a separate package. Patch B should also be automatically available under software updates. You just need to approve it for automatic installation.
  23. I can confirm. I have seen those events for quite a long time. Self Defense is blocking all kinds of processes, even KES itself and processes that are in Trusted Apps and Excluded scan. I'm not sure that this is having any effect on the systems though. So far have not seen any stability or other issues. I once opened a ticket regarding this and thought that this is sorted.
  24. If the regular ping works, can you check the connection from KSC? Also, maybe try a remote install from KSC to one of the clients in the VPN. For example, do a reinstall of network agent on one of the machines. Also, double check if all the needed ports are open in firewalls. You need to open several ports for the connection. You can also use Klnagchk utility on one of the clients in VPN to check connectivity. https://support.kaspersky.com/9292