MilanBortel

Hi @dmkasp, it happened to me also. This intrusion has been detected on devices with both KSWS and KES installed. What is funny - it was detected on Windows 10 devices, that obviously doesn’t have any DNS role installed and thus cannot become victims for that attack.. It can only affect Windows Server host with DNS role installed, is that your case? From my communication with support I took it as false positive. I guess it detects some of our network monitoring tools sending the attacking packets.. Cheers, Milan

Hi @ameen abu siaf, I would definitely recommed to install Kaspersky Security for Windows Server, it is tested on servers and its components are created for server OS versions specifically. See more at https://support.kaspersky.com/ksws11 Cheers, Milan

Hi @ameen abu siaf, I believe that Kaspersky Endpoint Detection and Response is the general name for the product principle and Kaspersky Endpoint Detection and Response Optimum is the name of the specific product. When working with standard security products you use Kaspersky Security Center + Kaspersky Endpoint Security for Business, right? You can add additional product called Endpoint Agent, which acts as a sensor for detection (and is installed together with Network Agent and KES on devices). Then you use standard KSC Web Console with additional license for managing Endpoint Agent.. Using this enhanced Web Console you are doing the response part of the job. KEDR Optimum + KSC + KESB + Kaspersky SandboxAs you can see from attached picture you can then add one more product Kaspersky Sandbox, which acts as an independent test environment which is testing possible uknown threats and giving the reputation back to KSC for initiating futher steps. Is it making any sense to you? 🤔 Cheers, Milan

Hello guys, when I use the standard “Send message to user” task, from target user perspective it displays the message box as “inactive” window with “K” icon blinking in taskbar: Send message to user notification​​​​When user switch window, then he can see the message eventually: send message to userQuestion: can I set somehow so the windows is displayed on top of other windows? 🤓 Versions: KSC - 12.2.0.4376 + KES 11.5.0.590 Cheers, Milan

Hi @ak01 , confirmed - when KES is disabled, WAC works just fine.. Already submitted request for technical support (INC000012291803). Will let you all know of result.. :) Cheers, Milan

Attaching a printscreen for better understanding .. Not authorized to view this page

Hello guys, I’m having problem accessing Windows Admin Center via https://localhost:6516/ on a host with KES 11.5.0.590. When searching on Google we found out https://windowsserver.uservoice.com/forums/295071-management-tools/suggestions/40916809-you-are-not-authorized-to-view-this-page-if-you-r Has anyone seen this also? How did you solve this? :) Cheers, Milan

Hi @Bernak, the problem is, that you can’t install management plug-in KES11.4 on KSC11 .. this is not compatible.. So, that would be the reason to update to KSC12. Cheers, Milan

Hi @andrew75, you can built your own “test” ransomware using original AES encryption tool. download and extract AES tool from http://www.aescrypt.com/download/ into C:\AESCrypt\ create a test file .Desktop/invoice.txt create ransomware.bat file using this code: @echo off if exist C:\AESCrypt\aescrypt.exe goto :Step1 echo **** not exist C:\AESCrypt\aescrypt.exe **** pause exit :Step1 if exist .\invoice.txt goto :Step2 echo **** not exist .Desktop\invoice.txt **** pause exit :Step2 C:\AESCrypt\aescrypt.exe -e -p root .\invoice.txt if exist .\invoice.txt.aes goto :Step3 :Step3 del .\invoice.txt echo **** Congratulations!!! Your personal files are encrypted **** pause exit then run the bat file :)Kaspersky should recognize this encryption activity as a dangerous → block the process → restore the file. You can test on network path, on multiple files, .. see details on aescrypt.exe parameters here Cheers, Milan

Hello guys, I’d recommend to block all audio/video webs using built-in KL category and then specify exception to allow videos from your SharePoint gallery 🕵 Cheers, Milan

So tell me, what other product are you using? There are basically two Business Security products - Kaspersky Endpoint Security for Business (KES) and Kaspersky Security for Windows Server (KSWS) - for both of them, you set the Exclusions same way - via policy. In KSWS policy, you find the Exclusions here: Milan

Hello @palmer, you can set up Exclusions easily via policy: General Settings/Exclusions → Trusted Zone Settings Let us know of result :) Cheers, Milan

Hi Oleg, yeah, I’ve seen the roadmap ;) KSWS 11 should’ve been around since Q2/2020 .. Anyway, I’ll ask Ales Buba for the patch :) Cheers, Milan

Hi @Oleg Bykov, I never heard of Core 10 patch .. could you provide more details, pls? I do have 13 servers running KSWS 10.1.2.996 and I am a bit nervous about the fact, that the product has not been updated for a long long time :( Compared to KES, which is evolving much faster.. Thanks for feedback! Milan

Hello @jeo, from my point of view I can’t see anything wrong on your side :( Eventually, you’ll have to submit a ticket for official technical support. You can do this via Company Portal - Then you continue with: And finally specify the details: It happened to me before - that the Device Control was not able to deal with a certain type of device - and the support replied that it’s a known issue and will be fixed in next release.. So, of course there bugs in the products ;) Wish you luck and let me know of the result :) Cheers, Milan

Hm.. it’s getting a little complicated :) What do you mean by saying: “they won’t active through the console KSC” .. if you install Network Agent on the machine, it should appear as “managed device” - by default there is an automated relocation rule, which moves a machine with Network Agent installed in the “Managed devices” group. You can check the rules in here: Relocation rulesCan you share printscreen of the rules?

Yes, I’d try to install Network Agent first manually - after successful installation, the machine becomes “managable” and then the remote installation of KES might probably end up well 🤔 Let me know!

Hi @jeo, can you pls share the new fresh policy you have created for that test group? You can export policy via Policies→ right click the policy → Export I’ll try to look into the settings.. When you tested it - did the policy apply correctly to the test hosts? Milan

Hm.. that error is really weird 🙄 I’d try to install only Network Agent (no KES). If necessary, do it offline (export standalone installation package from KSC): Is it returning the same error? Milan

Hello @jeo, downgrade is not a solution.. And did you check the KES plug-in version? I’d try this: create temp group create new KES policy with BT blocking settings move few hosts in that group and check if the blocking works or notCheers, Milan

Hello @Mohamed-Ibrahim, is that machine already with some Kaspersky product installed? I’d try to use kavremover in such case, just to make sure it’s clean before the fresh installation.. See this page for kavremover details. Can you share printscreen of remote installation task error? Cheers, Milan

Hi @jeo, have you updated the KES administration plug-in? I’d recommend to do so.. You can check current plug-in versions via Administration Server → Properties → Administration Server → PropertiesOtherwise, I’m thinking about what KES version you have on your hosts? With Device control there are some known issues, see this article for more details. Cheers, Milan

Hello @Williamlee, are you able to connect via RDP to the server? From my point of view, there has to be something with the Firewall settings in the KES (Kaspersky Endpoint Security) policy. Anyway, for Windows servers in general, you should have installed different security product - Kaspersky Security for Windows Servers (KSWS) - info here. It is tested on servers and does not have so huge impact on the system.. Cheers, Milan

You can see my how-to video on Youtube Cheers, Milan

Hi @alexcad, yes, you’re right. Out-of-office policy is an optional.. But if you take it from the security point of view, I’d definitely want different settings IN/OUT of office - at least for Firewall. And with port-forwarding → it is working when a device wants to connect to KSC .. that’s fine. But if you try to push settings from KSC side, it won’t be able to connect to host.. And also, you can’t see the “real-time” statistics of application: