MilanBortel

Everything posted by MilanBortel

  1. Hi @ealnajjar, I must say that I don’t understand your issue completely..? Current versions are: KSC/Network Agent: 12.2.0.4376 (12.2); KES: 11.5.0.590. Where are you getting the error? It’s always better to attach a printscreen, so we know better what’s happening :) Cheers, Milan
  2. Hi @K1029, are you using full disk encryption (BitLocker) on that server? If not, you can always boot the host from a removable drive (e.g. WIN10 or Linux) and get access to the original C:\ drive. And I’m thinking about changing registry entries, so Kaspersky won’t automatically run on computer start.. This is the location of services in Windows registry: Windows registry → KAVFS. Here you can find the Start settings: KAVFS → Start. As you can see, the default value is 2 (to start Automatically), but you want to change it to Manual: Start options. Let us know if it helped 🤓 Cheers, Milan
  3. Hi @Deadlock4400, I don’t really have practical experience with Kaspersky on Linux, so at the moment I don’t have any suggestions 😇 Fingers crossed for you, my friend ✊ Cheers, Milan
  4. Hi @itcurves, yes, just as I thought - whenever you see a folder path containing “Cache” I wouldn’t worry and remove content from that folder (keep the folder itself!). If files are held by OS, you’ll be prompted.. Cache folder. Last two items are located in servicing\LCU: servicing folder. For more details on LCU folder please follow https://social.technet.microsoft.com/Forums/en-US/be35a9ee-a610-4fdc-bb6c-50b9f458d19a/huge-lcufolder-after-latest-cumulative-update-on-windows-10-1809?forum=win10itprosetup Hope it helps 🤓 Cheers, Milan
  5. Hi @Aaron Lopéz, if I understand well, you want to learn more about installation results? I would first go to installation task result - you can always see which computers had a successful installation and if there are any other problems.. Then you can connect to problematic host (with Network Agent installed) and go through event logs for details: Remote diagnostics. Connecting to host: KSC 12 Remote Diagnostics Utility. Download event logs: How to download event log. Let us know if it helped 🤔 Cheers, Milan
  6. Hi @itcurves, can you share a list (screenshot) of the files found? This typically happens for temp files, e.g. logs and usually you don’t have to worry.. but still - if you share the list, we can help better 🤠 Cheers, Milan
  7. Hi @FC Sistemi, it is really weird. With the same Network Agent installation some hosts are connecting and some are not? Did the Network Installation task complete successfully on such hosts? Can you share a printscreen of Network Agent klcsngtgui.exe from one such host? Network Agent → klcsngtgui.exe. I’m afraid you will need to reinstall Network Agent with a fresh package once more 😱 Cheers, Milan
  8. Hi @kemuda, this is very tricky.. AV product needs to decide whether the process responsible for renaming is legitimate or malicious. I’ve tried it also with my own programmed “ransomware” and Kaspersky didn’t block it. My ransomware was using standard aescrypt binary for encrypting the files.. so I guess Kaspersky took it as a legitimate action 🤔 From admin perspective, I’d harden the policies: change basic settings of Host Intrusion Prevention: KES policy → Host Intrusion Prevention. I’d disable automatically trusting apps with a digital signature and move unknown apps to the Untrusted category; then you can protect your resources with updated Host Intrusion Prevention settings (follow article https://support.kaspersky.com/10905#block3). It is described on KES version 10, but it is the same in 11 :) Only the Application Privilege Control has been renamed to Host Intrusion Prevention 🤓 Let us know the result! Cheers, Milan
  9. Hi @Deadlock4400, if you look into KSC/Unassigned devices, can you see that Linux host? Can you ping the host from KSC server? You can also try to search the host via Managed devices/Search: Managed devices → Search. You can search using IP, DNS.. Cheers, Milan
  10. Hi @aseman.ab, I’m afraid not. There’s no file operations logging on file shares, AFAIK.. Cheers, Milan PS: you can select one of my answers as “best answer” 🤓
  11. Hi @aseman.ab, see Google SMTP settings at https://support.google.com/mail/answer/7126229?hl=en Cheers, Milan
  12. Hi @FC Sistemi, from what I can see, there is a problem with the KSC certificate, although it is available.. I’d recommend manually setting the connection for Network Agent on the affected host using the klmover utility (see https://support.kaspersky.com/KSC/SP3/en-US/3911.htm). Current KSC certificate is available in C:\ProgramData\KasperskyLab\adminkit\1093\cert folder. Let us know if it helped 😇 Bye, Milan
  13. Hi @FC Sistemi, I’d recommend standard steps: Can you ping the host? Is the Network Agent service running on host? Network Agent service: Running. What are the connection settings in Network Agent installation package? Is it IP/DNS? Network Agent installation package properties → Connection. From one such host, run the klnagchk utility "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagchk.exe" to see what might be the problem when connecting to KSC: klnagchk utility. You can share the printscreens here 🤠 Cheers, Milan
  14. What do you mean by “where I create this report”? I was describing the event selections. You find those in the main screen of KSC console.. There is a button Create a selection, then you go to Selection properties.
  15. Hi @faz, I’d recommend first putting the network printer IP as trusted: KES Policy/General Settings/Network settings → Trusted addresses. Can you check if it helped? If not, there are other possible ways to help, don’t worry 🤓 Cheers, Milan
  16. Hi @aseman.ab, first, you need to update Notification settings in your KES policy: General Settings/Interface → Notifications. After that, you can see these events in KSC console main window: Administration Server → Events. You can prepare your own selection for such events: New event selection/Properties → Events → File operation performed. Cheers, Milan
  17. Hi @marafado88, please navigate to KES policy: General Settings/Interface → Password protection. Cheers, Milan
  18. Hi @aseman.ab, you can use Device Control feature with basic Select license. And when defining rules for Removable drives, you can turn on logging: Device Control → Removable drives. Cheers, Milan
  19. Hi @marafado88, of course exactly the same commands won’t work ;) it was just an example. I always look up the correct command line on the Internet and it’s specific for each installation … Take care and let me know if it works :) Milan
  20. Hi @marafado88, and how did you create that installation package? In my experience, it might happen due to incomplete setup - most likely the command line might be missing (EULA, silent installation).. When you start the installation, it might get stuck in installation wizard, waiting for user interaction, you get it? 🤓 So, for example: PF6076 installation package. And this is the command line: Installation Settings → command line. Maybe you can share a printscreen of that installation package properties/settings. Cheers, Milan
  21. Yep, that was my next idea @Cesare - simply go straight to SQL ;) Milan
  22. Hi @m.cavazzini, I think you can do it by cleaning all updates repositories: KSC12: Clear updates repository. Let me know if it works 😎 Cheers, Milan
  23. Hi @Deadlock4400, if you want to delete any device from KSC, first you need to delete it from any managed group (it moves automatically to Unassigned devices folder). From there, you need to delete the device once more. After that, it is eventually deleted from KSC 😇 Cheers, Milan
  24. Hi @Deadlock4400, in license properties, you can always view assigned devices, so probably you can check here what’s going on … ? License properties → Devices. Cheers, Milan
  25. Hi @dmkasp, from what I know, you can only set that “attacker” as an exception in Network Threat Protection component: Network Threat Protection. But then the server would not be protected from any possible attack coming from that excluded device 😒 Cheers, Milan