Posts posted by MilanBortel
Hi @ameen abu siaf,
I would definitely recommend to install Kaspersky Security for Windows Server, it is tested on servers and its components are created for server OS versions specifically. See more at https://support.kaspersky.com/ksws11
Cheers,
Milan -
Hi @ameen abu siaf,
I believe that Kaspersky Endpoint Detection and Response is the general name for the product principle and Kaspersky Endpoint Detection and Response Optimum is the name of the specific product. When working with standard security products you use Kaspersky Security Center + Kaspersky Endpoint Security for Business, right?
You can add additional product called Endpoint Agent, which acts as a sensor for detection (and is installed together with Network Agent and KES on devices). Then you use standard KSC Web Console with additional license for managing Endpoint Agent.. Using this enhanced Web Console you are doing the response part of the job.

KEDR Optimum + KSC + KESB + Kaspersky Sandbox
As you can see from attached picture you can then add one more product Kaspersky Sandbox, which acts as an independent test environment which is testing possible unknown threats and giving the reputation back to KSC for initiating further steps.
Is it making any sense to you? 🤔
Cheers,
Milan -
Hello guys,
when I use the standard “Send message to user” task, from target user perspective it displays the message box as “inactive” window with “K” icon blinking in taskbar:
Send message to user notification
When user switches window, then he can see the message eventually:

send message to user
Question: can I set somehow so the window is displayed on top of other windows? 🤓
Versions: KSC - 12.2.0.4376 + KES 11.5.0.590
Cheers,
Milan -
This does not really look like a Kaspersky issue/error message.
However, if you turn off KES temporarily, does the admin center work?
If yes, I would check scan encrypted traffic (put an exception for that server) or WebAV component.
Hi @ak01 ,
confirmed - when KES is disabled, WAC works just fine.. Already submitted request for technical support (INC000012291803). Will let you all know of result.. :)
Cheers,
Milan -
Attaching a printscreen for better understanding ..

Not authorized to view this page -
Hello guys,
I’m having problem accessing Windows Admin Center via https://localhost:6516/ on a host with KES 11.5.0.590. When searching on Google we found out https://windowsserver.uservoice.com/forums/295071-management-tools/suggestions/40916809-you-are-not-authorized-to-view-this-page-if-you-r
Has anyone seen this also? How did you solve this? :)
Cheers,
Milan -
Hi @Bernak,
the problem is, that you can’t install management plug-in KES11.4 on KSC11 .. this is not compatible.. So, that would be the reason to update to KSC12.
Cheers,
Milan -
Hi @andrew75,
you can build your own “test” ransomware using original AES encryption tool.
- download and extract AES tool from http://www.aescrypt.com/download/ into C:\AESCrypt\
- create a test file .Desktop/invoice.txt
- create ransomware.bat file using this code:
@echo off
if exist C:\AESCrypt\aescrypt.exe goto :Step1
echo **** not exist C:\AESCrypt\aescrypt.exe ****
pause
exit
:Step1
if exist .\invoice.txt goto :Step2
echo **** not exist .Desktop\invoice.txt ****
pause
exit
:Step2
C:\AESCrypt\aescrypt.exe -e -p root .\invoice.txt
if exist .\invoice.txt.aes goto :Step3
:Step3
del .\invoice.txt
echo **** Congratulations!!! Your personal files are encrypted ****
pause
exit
- then run the bat file :)
Kaspersky should recognize this encryption activity as dangerous → block the process → restore the file. You can test on network path, on multiple files, .. see details on aescrypt.exe parameters here
Cheers,
Milan -
Hello guys,
I’d recommend to block all audio/video webs using built-in KL category and then specify exception to allow videos from your SharePoint gallery 🕵
Cheers,
Milan -
I think this is a different product
So tell me, what other product are you using? There are basically two Business Security products - Kaspersky Endpoint Security for Business (KES) and Kaspersky Security for Windows Server (KSWS) - for both of them, you set the Exclusions same way - via policy. In KSWS policy, you find the Exclusions here:

Milan
-
I am using Kaspersky Security Center but I do not find the way to exclude an exe file to be excluded because it has been detected as a false positive, any idea of how to do it? I think there is a way to catalogue detected applications and exes as secure files.
Hello @palmer,
you can set up Exclusions easily via policy: General Settings/Exclusions → Trusted Zone Settings
Let us know of result :)
Cheers,
Milan -
Hi Milan,
No need to be nervous, if everything is working so far (except the Update task), then there’s nothing to worry about. The KSWS patches are not automatic, this is true, but if there’s something really critical, we’ll release it as an autopatch, of course.
Still, I'd recommend getting the Core 10 patch and installing it. By the way, we’re preparing the new release - KSWS 11. So we also have some evolution going on. :)
Hi Oleg,
yeah, I’ve seen the roadmap ;) KSWS 11 should’ve been around since Q2/2020 ..
Anyway, I’ll ask Ales Buba for the patch :)
Cheers,
Milan -
Hello,
Do you have any patches installed for KSWS 10.1.2? If not, I strongly recommend you to request and install the Core 10 patch from the Support.
Hi @Oleg Bykov,
I never heard of Core 10 patch .. could you provide more details, pls? I do have 13 servers running KSWS 10.1.2.996 and I am a bit nervous about the fact, that the product has not been updated for a long long time :( Compared to KES, which is evolving much faster..
Thanks for feedback!
Milan
-
Hello @jeo,
from my point of view I can’t see anything wrong on your side :( Eventually, you’ll have to submit a ticket for official technical support. You can do this via Company Portal -

Then you continue with:

And finally specify the details:

It happened to me before - that the Device Control was not able to deal with a certain type of device - and the support replied that it’s a known issue and will be fixed in next release.. So, of course there are bugs in the products ;)
Wish you luck and let me know of the result :)
Cheers,
Milan -
Hm.. it’s getting a little complicated :)
What do you mean by saying: “they won’t active through the console KSC” .. if you install Network Agent on the machine, it should appear as “managed device” - by default there is an automated relocation rule, which moves a machine with Network Agent installed in the “Managed devices” group. You can check the rules in here:

Relocation rules
Can you share printscreen of the rules?
-
You mean I should try to Install the Network Agent manual on the Machine, and then try to deploy the Endpoint 11 from the Console ??
or I have to install both manually ??
Yes, I’d try to install Network Agent first manually - after successful installation, the machine becomes “manageable” and then the remote installation of KES might probably end up well 🤔
Let me know!
-
Hi @jeo,
can you pls share the new fresh policy you have created for that test group? You can export policy via Policies → right click the policy → Export
I’ll try to look into the settings..
When you tested it - did the policy apply correctly to the test hosts?
Milan
-
Hm.. that error is really weird 🙄
I’d try to install only Network Agent (no KES). If necessary, do it offline (export standalone installation package from KSC):

Is it returning the same error?
Milan
-
Hello @jeo,
downgrade is not a solution.. And did you check the KES plug-in version?
I’d try this:
- create temp group
- create new KES policy with BT blocking settings
- move few hosts in that group and check if the blocking works or not
Cheers,
Milan -
Hello @Mohamed-Ibrahim,
is that machine already with some Kaspersky product installed? I’d try to use kavremover in such case, just to make sure it’s clean before the fresh installation.. See this page for kavremover details.
Can you share printscreen of remote installation task error?
Cheers,
Milan -
Hi @jeo,
have you updated the KES administration plug-in? I’d recommend to do so.. You can check current plug-in versions via Administration Server → Properties →
Administration Server → Properties
Otherwise, I’m thinking about what KES version you have on your hosts? With Device control there are some known issues, see this article for more details.
Cheers,
Milan -
Hello @Williamlee,
are you able to connect via RDP to the server? From my point of view, there has to be something with the Firewall settings in the KES (Kaspersky Endpoint Security) policy.
Anyway, for Windows servers in general, you should have installed different security product - Kaspersky Security for Windows Servers (KSWS) - info here. It is tested on servers and does not have such a huge impact on the system..
Cheers,
Milan -
1) Can I upgrade from version 10 straight to version 12? Or do you need to go to 11 first?
R: yes → see details here
2) Do I need to remove the old plugins to update?
R: no, but you’ll probably want to update the plugins to be able to manage newer versions of security products
3) Is it necessary to run database maintenance before?
R: no
4) Any best practices for upgrading?
R: backup all KSC data, then run the upgrade :)
You can see my how-to video on Youtube
Cheers,
Milan -
Hi @alexcad,
yes, you’re right. Out-of-office policy is optional.. But if you take it from the security point of view, I’d definitely want different settings IN/OUT of office - at least for Firewall.
And with port-forwarding → it is working when a device wants to connect to KSC .. that’s fine. But if you try to push settings from KSC side, it won’t be able to connect to host.. And also, you can’t see the “real-time” statistics of application:

Intrusion.Win.CVE-2020-1350.b [MOVED]
in Kaspersky Endpoint Security for Business
Posted
Hi @dmkasp,
it happened to me also. This intrusion has been detected on devices with both KSWS and KES installed. What is funny - it was detected on Windows 10 devices, that obviously don’t have any DNS role installed and thus cannot become victims for that attack.. It can only affect Windows Server host with DNS role installed, is that your case?
From my communication with support I took it as false positive. I guess it detects some of our network monitoring tools sending the attacking packets..
Cheers,
Milan