Kaspersky Self Defence and logs
Major replied to Major's topic in Kaspersky Endpoint Security for Business
Hello, I’m facing a growing number of failed installations, which are launched by Configuration Manager and killed by Kaspersky. The Self Defense feature is also killing other processes which are not malicious. Our internal security department is looking into the issue, but I’m curious whether it’s possible for a non-Kaspersky admin to parse client logs using, let’s say, PowerShell? Are the logs from “Kaspersky → More tools → Reports” saved automatically (or is it a feature that could be turned on) on the client devices in some form of log files which could be read with PowerShell? P.S. Are there any known bugs with the Self Defense feature that block too many processes (especially non-malicious ones)?
-
Hi Alex, I understand. As for the test, we most probably would need to set up a separate environment (DC and a few clients) and a separate Kaspersky server that will support KES 11.4, as from what I heard it’s not compatible with our version of the Kaspersky server. So if we were to set up a separate environment for testing purposes only, would we need any extra licenses from Kaspersky to host that?
-
Hi Alex, actually we are still facing the issue and we are still troubleshooting the problem with Kaspersky support via our security department. It’s a bit of back and forth, but we are still on KES 11.1.1.126. Are you saying that this is a well-known problem and that if we upgrade to 11.3 or a newer version we will no longer observe the logon problem? If so, I will share this post with our security department and advise upgrading KES. Additionally, maybe you have some inside knowledge that the problem is not fixable on KES 11.1.1.126, which would be very valuable information for us. @evanhandel the module had something to do with encryption, but I cannot remember the name of it; as this approach didn’t work, I’m not sure if you actually need the name :)
-
Thanks a lot for the fast reply! Just to be sure I understand this correctly: if we have the “File Encryption component (FLE)”, it wouldn’t even need to be in use for the in-place upgrade to fail, is this correct? Is there any option to stay on KES 11.1.1.126, disable some of its components and make the upgrade (just for a test)? BTW, if there is a need to upgrade to, let’s say, 11.4 as you suggested, can we make the upgrade on a pilot group of client devices, or do we need to upgrade it on all devices, as I guess some server component that talks to KES 11.4 also needs to be updated, right?
-
Hello, I’m curious what the best practices are for Windows 10 in-place upgrades from Kaspersky’s perspective. I need to upgrade Windows 10 1809 to 1909 with KES 11.1.1.126 already installed on the clients. When I do the validation suggested by MS I get a success code of 0xC1900210 (no issues found), and later on when I run the upgrade (from ISO) the upgrade fails and the device (VM) tries to revert with a poor result, as most applications don’t work, including MS Office. Just to test, I installed an identical client (same applications, also a VM on the same hypervisor) without KES and tried to upgrade it - totally no issues, the upgrade went smoothly and fast. We are discussing with our internal security department the way to upgrade the OS, and there is an idea to disable Kaspersky just for the upgrade; I’m wondering if this is the best practice/recommended way by Kaspersky? I think that by now people have made a lot of in-place upgrades and have faced the same issue, so please share the approach you took to make a successful upgrade of Windows 10 while using KES.
-
It seems that there has been a breakthrough with this case: the 1552 Event ID is triggered by a module in Kaspersky. The module will be disabled (we were told that it has no impact on the security of the client), the 1552 event should not get triggered anymore, and we hope that the logon issue will be solved as well. BTW, the outcome of the Microsoft troubleshooting was that Kaspersky is causing the logon issue, so if the above-mentioned change doesn’t solve our issue, I guess the best next step would be to have a meeting with Microsoft support and someone from Kaspersky support to talk through the next troubleshooting steps.
-
Unfortunately the issue is still not solved for us, but we have contacted Microsoft to get more insight into the issue and to find out how to “See Tracelogging for error details” (screen below). I was advised to use Windows Performance Recorder to gather the logs and Windows Performance Analyzer to review the logs for the error details. I have the recorded .etl file, but honestly I don’t know how to find the related error details in it - does anyone have experience with this tool and could share their knowledge? BTW, I've searched for 9f821051-83c5-4816-bb38-5f5fa3b65ddb and it points to Cloud Cache Initializer_Windows.CloudStore.dll - source: https://uuid.pirate-server.com/9f821051-83c5-4816-9b38-5f5fa3b65ddb (not sure if it's a good source, but it was one of the very few that gave results)
-
Hi nt30, our security department is contacting Kaspersky support via another channel, so at the moment I’m not supposed to share the logs on a public forum. We still have the issue; I’m doing my own investigation looking through the event log, but sadly I didn’t find much new information. What I have found is that the 1552 Event ID started with Windows 1809, here is an interesting link. Regarding your case - did you spot anything specific when the user cannot log on? Can you share your observations? Maybe we can solve this one together :)
-
I spoke with our security department and they said that Kaspersky support is already taking a look into this issue, so I don’t want to give you, Nikolay, again the same task that you already have somewhere in your queue :) I know the guys will install some patch for Kaspersky on an affected device in the upcoming days to check if this will solve the issue. I’ll post back once the patch is installed, whether it fixed the issue or not. From what I know this has already been done, but it didn’t solve the issue; thank you very much for your support anyway!
-
Hi all, I’m experiencing an issue where periodically users cannot log in to their Windows 10 1809 devices because they get the “The User Profile Service failed the sign-in. User profile cannot be loaded” message. We are using Kaspersky Endpoint Security 11.1.1.126 on our client machines, and in the event logs there is a Kaspersky entry which seems to either cause the issue or point to an issue. It’s in the Application log, Event ID 1552, “User hive is loaded by another process (Registry Lock) Process name: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe” ← is this normal? I see it 10 to 20 times a day on a given machine which experiences the logon issue - after a reboot the logon issue goes away. No temporary profiles are being created, replacing ntuser.dat doesn’t help, and it happens for new and old profiles. So can anyone tell me if the above entry from Kaspersky is some routine task and, if not, where I can start looking for the reason Kaspersky is locking the registry?
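The posts above ask two related things: whether client-side evidence can be gathered with PowerShell without Kaspersky admin rights, and how often the Event ID 1552 "Registry Lock" entry naming avp.exe appears on a machine with the logon problem. The script below is an added example, not code from the poster or from Kaspersky or Microsoft: it reads the Windows Application log (which needs no Kaspersky console access), extracts the locking process from the 1552 message in the form quoted in the post, and counts entries per day and per process so the counts can be lined up with the days users could not log on. It assumes the message text has the "Process name: <path>" form shown above and that the account running it can read the Application log on the target machine.

```powershell
# Added example (not from the original forum posts): summarise Event ID 1552
# "User hive is loaded by another process (Registry Lock)" entries from the
# Application log, grouped by day and by the process named in the message.
# Assumption: the message contains "Process name: <path>" as quoted in the post.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # remote queries need event log read access over RPC
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Application'
    Id        = 1552
    StartTime = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws instead of returning nothing when no events match;
    # treat that case as an empty result and rethrow anything else.
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

$parsed = foreach ($e in $events) {
    # Pull the process path out of the free-text message; stop at the end of the line
    # so any trailing text in the event body is not swallowed into the path.
    $proc = if ($e.Message -match 'Process name:\s*(?<path>[^\r\n]+)') { $Matches['path'].Trim() } else { '<unparsed>' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Day     = $e.TimeCreated.Date
        Process = $proc
        User    = $e.UserId     # SID recorded with the event, when present
    }
}

# Daily count per locking process: a day with logon failures that also shows a
# high count for the same process is the correlation worth handing to support,
# together with the exact timestamps in $parsed.
$parsed |
    Group-Object Day, Process |
    ForEach-Object {
        [pscustomobject]@{
            Day     = $_.Group[0].Day.ToString('yyyy-MM-dd')
            Process = $_.Group[0].Process
            Count   = $_.Count
        }
    } |
    Sort-Object Day, Count -Descending |
    Format-Table -AutoSize
```

Run it on an affected client before the reboot that clears the symptom, and again afterwards, so the two count tables can be compared for the same machine.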