MilanBortel
-
Posts
128 -
Joined
-
Last visited
Posts posted by MilanBortel
-
-
Hi @K1029,
are you using full disk encryption (BitLocker) on that server? If not, you can always boot the host from removable drive (e.g. WIN10 or Linux) and get access to original C:\ drive. And I’m thinking about changing registry entries, so Kaspersky won’t automatically run on computer start..This is the location of services in Windows registry:
Windows registry → KAVFS Here you can find the Start settings:
KAVFS → Start As you can see, the default value is 2 (to start Automatically), but you want to change it to Manual):
Start options Let us know if it helped 🤓
Cheers,
Milan -
Hi @Deadlock4400,
I don’t really have practical experiences with Kaspersky on Linux, so at the moment I don’t have any suggestions 😇Fingers crossed for you, my friend ✊
Cheers,
Milan -
Hi @itcurves,
yes, just as I thought - whenever you see a folder path containing “Cache” I wouldn’t worry and remove content from that folder (keep the folder itself!). If files are held by OS, you’ll be prompted..Cache folder Last two items are located in servicing\LCU:
servicing folder For more details on LCU folder please follow https://social.technet.microsoft.com/Forums/en-US/be35a9ee-a610-4fdc-bb6c-50b9f458d19a/huge-lcufolder-after-latest-cumulative-update-on-windows-10-1809?forum=win10itprosetup
Hope it helps 🤓
Cheers,
Milan -
Hi @Aaron Lopéz,
if I understand well, you want to learn more about installation results? I would first go to installation task result - you can always see which computers has the installation successful and if there are any other problems ..
Then you can connect to problematic host (with Network Agent installed) and go through event logs for details:Remote diagnostics Connecting to host:
KSC 12 Remote Diagnostics Utility Download event logs:
How to download event log Let us know, if it helped 🤔
Cheers,
Milan -
Hi @itcurves,
can you share a list (screenshot) of the files found? This typically happens for temp files, e.g. logs and usually you don’t have to worry.. but still - if you share the list, we can help better 🤠Cheers,
Milan -
Hi @FC Sistemi,
it is really weird. With the same Network Agent installation some hosts are connecting and some are not? Did the Network Installation task completed successfully on such hosts?Can you share printscreen of Network Agent klcsngtgui.exe from one such host?
Network Agent → klcsngtgui.exe I’m afraid you will need to reinstall Network Agent with fresh package once more 😱
Cheers,
Milan -
Hi @kemuda,
this is very tricky.. AV product needs to decide whether the process responsible for renaming is legitimate or malicious. I’ve tried it also with my own programmed “ransomware” and Kaspersky didn’t block it. My ransomware was using standard aescrypt binary for encrypting the files.. so I guess Kaspersky took it as a legitimate action 🤔From admin perspective, I’d harden the policies:
- change basic settings of Host Intrusion Prevention:
KES policy → Host Intrusion Prevention I’d disable to automatically trust apps with digital signature and move unknown apps to Untrusted category
-
then you can protect your resources with updated Host Intrusion Prevention settings (follow article https://support.kaspersky.com/10905#block3). It is described on KES version 10, but it is the same in 11 :) Only the Application Privilege Control has been renamed into Host Intrusion Prevention 🤓
Let us know of result!
Cheers,
Milan - change basic settings of Host Intrusion Prevention:
-
Hi @Deadlock4400,
if you look into KSC/Unassigned devices, can you see that Linux host? Can you ping the host from KSC server? You can also try to search the host via Managed devices/Search:Managed devices → Search You can search using IP, DNS..
Cheers,
Milan -
Hi @aseman.ab,
I’m afraid not. There’s no file operations logging on file shares, AFAIK..Cheers,
Milan
PS: you can select one of my answers as “best answer” 🤓 -
Hi @aseman.ab,
see Google SMTP settings at https://support.google.com/mail/answer/7126229?hl=enCheers,
Milan -
Hi @FC Sistemi,
from what I can see, there is problem with KSC certificate, although it is available.. I’d recommend to manually set the connection for Network Agent on affected host using klmover utility (see https://support.kaspersky.com/KSC/SP3/en-US/3911.htm).Current KSC certificate is available in C:\ProgramData\KasperskyLab\adminkit\1093\cert folder.
Let us know if it helped 😇
Bye,
Milan -
Hi @FC Sistemi,
I’d recommend standard steps:- Can you ping the host?
- Is the Network Agent service running on host?
Network Agent service Running - What are the connection settings in Network Agent installation package? Is it IP/DNS?
Network Agent installation package properties → Connection -
From one such host, run the klnagchk utility "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagchk.exe" to see what might be the problem when connecting to KSC:
klnagchk utility
You can share the printscreens here 🤠
Cheers,
Milan -
What do you mean by “where I create this report”?
I was describing the event selections. You find those in the main screen of KSC console.. There is button Create a selection, then you go to Selection properties.
-
Hi @faz,
I’d recommend to first put the network printer IP as trusted:KES Policy/General Settings/Network settings → Trusted addresses Can you check if it helped?
If not, there are other possible ways how to help, don’t worry 🤓
Cheers,
Milan -
Hi @aseman.ab,
first, you need to update Notification settings in your KES policy:General Settings/Interface → Notifications After that, you can see these events in KSC console main window:
Administration Server → Events You can prepare your own selection for such events:
New event selection/Properies → Events → File operation performed Cheers,
Milan -
Hi @marafado88,
please navigate to KES policy:General Settings/Interface → Password protection Cheers,
Milan -
Hi @aseman.ab,
you can use Device Control feature with basic Select license. And when defining rules for Removable drives, you can turn on logging:Device Control → Removable drives Cheers,
Milan -
Hi @marafado88,
of course exactly same commands won’t work ;) it was just an example. I always lookup the correct command line on Internet and it’s specific for each installation …Take care and let me know if it works :)
Milan -
Hi @marafado88,
and how did you create that installation package? In my experience, it might happen due to incomplete setup - most likely the command line might be missing (EULA, silent installation).. When you start the installation, it might get stuck in installation wizard, waiting for user interaction, you get it? 🤓So, for example:
PF6076 installation package And this is the commandline:
Installation Settings → command line Maybe you can share printscreen of that installation package properties/settings.
Cheers,
Milan -
-
Hi @m.cavazzini,
I think you can do it by cleaning all updates repositories:KSC12: Clear updates repository Let me know if it workes 😎
Cheers,
Milan -
Hi @Deadlock4400,
if you want to delete any device from KSC, first you need to delete it from any managed group (it moves automatically to Unassigned devices folder). From there, you need to delete the device once more. After that, it is eventually deleted from KSC 😇
Cheers,
Milan -
Hi @Deadlock4400,
in license properties, you can always view assigned devices, so probably you can check here, what’s going on … ?License properites → Devices Cheers,
Milan -
Hi @dmkasp,
from what I know, you can only set that “attacker” as an exception in Network Threat Protection component:Network Threat Protection But then the server would not be protected from any possible attack coming from that excluded device 😒
Cheers,
Milan
network agent
in Kaspersky Endpoint Security for Business
Posted
Hi @ealnajjar,
I must say that I don’t understand your issue completely..?
Current versions are:
Where are you getting the error? It’s always better to attach printscreen, so we know better what’s happening :)
Cheers,
Milan