[Kaspersky KSC12 - Network Packet Rules help]

Hi everyone, just need a little assistance with configuring the network packet rules as trying to fine tune them to be a little more locked down and secure.

 

In Network Packet Rules, i’ve got Allows at the top and then Deny underneath them, so anything not explicitly allowed will be blocked off.

I’ve set a rule up to allow RDP for Trusted Networks with Inbound connections on Port 3389 being allowed for a particular machine, at the bottom of the list i’ve got a rule that blocks inbound port 3389 from any address.  This doesn’t work though, i can rdp from both Trusted Networks and non-Trusted Networks.

 

I’ve also setup an allow for incoming ICMP stream coming from Trusted Networks and then Blocks Incoming ICMP stream from any address at the bottom.  This works absolutely fine, so i can ping the machine from a trusted network and ping responses fail from non-trusted networks.

 

Once i get these working and tested, i’m going to remove the explicit blocks and just put a block everything at the bottom so all traffic not specifically allow from any network is blocked, i can’t do that though when i’m not understanding why the Allow/Block with the RDP is acting differently than the Allow/Block with the incoming ICMP stream when the settings all appear to be the same.

 

edit:  Just as a quick test, i put in a Block for everything from any address and it seemed to do that, ignoring all of the explicit allows so had to kill off Kaspersky on the machine to reconnect to it.

KSC 12.0.0.7734

KES 11.4.0.233

[KES 11.0.1.90 - Policy is not supported: Web Control]

The issue has been resolved by downgrading to KES11.0.1 which has resolved every one of our issues.

[KES 11.0.1.90 - Policy is not supported: Web Control]

We are facing same issue in almost 100 devices, Its not easy to uninstall KES 11 and netagent on all 100 devices or install again. Its not Proper solution. do you have any other solution. Thanks

Fraid not, it's the only thing we've found but we've stopped all of our rollout as we've found that the newest Kaspersky is blocking all of our VPN connections and anything that connects to a untrusted certificate, so things like our phone system and backup system.

As a temporary workaround you can fix this by disabling Encrypted Connections Scan in policy. You might even fix it by just disabling the Block SSL 2.0 option in Encrypted Connections Scan subsettings. The latter caused a lots of issues for us as well at first. But after disabling it most of the problems went away and I kept the Encrypted Connections Scan. VPN issue is more trickier. Try disabling the ARP Spoofing detection if it's on. Also you have to add your VPN network to Trusted Networks in Firewall.

Just turned off the block ssl 2.0 option so will see if that works with the web portals. The ARP/MAC spoofing detection was never enabled so it's not that i'm afraid.

[KSC11 and KES11 blocking VPN/certificate issues]

Is it possible to add an allowing rule at web-control for internal web portals?

Just a quick update, the VPN is now broken on the old server after updating to KSC11 and KES11.1. It was tested and proved to be working fine for a few days and then it started failing today. What needs adding as an allow rule in web control to resolve the vpn issue? The domain name of the vpn has already been added originally and that's not resolved the issue. My presumption is that the issue is KES11.1 rather than KSC11.

[KSC11 and KES11 blocking VPN/certificate issues]

Thank you for the reply, all of the internal portals were already added as the settings were copied over from the Kaspersky KSC10 server. We did do a test where we did a backup of the old KSC10 server and then did an upgrade of that from KSC10 to KSC11 and everything is now working fine.

[KSC11 and KES11 blocking VPN/certificate issues]

Hello, just wondering if anyone has any suggestions on this? The only thing we can do is a full downgrade back to KSC10.

[KES 11.0.1.90 - Policy is not supported: Web Control]

We are facing same issue in almost 100 devices, Its not easy to uninstall KES 11 and netagent on all 100 devices or install again. Its not Proper solution. do you have any other solution. Thanks

Fraid not, it's the only thing we've found but we've stopped all of our rollout as we've found that the newest Kaspersky is blocking all of our VPN connections and anything that connects to a untrusted certificate, so things like our phone system and backup system.

[KSC11 and KES11 blocking VPN/certificate issues]

It is version 11.1.0.15919 of KES and version 11.0.0.1131 of the network agent. KSC version is 11.0.0.1131. The previous version of KSC, version 10.5.1781, and KES 11.0.0.6499 with agent version 10.5.1781 didn't cause any issues at all. edit: I've attached the certificate error that comes up, when you click to proceed, a Kaspersky error pops up warning that i'm about to enter an unsafe web resource, it will then allow me to log into the website. If the website times me out, i need to close the browser and reopen it so i can get the certificate error before Kaspersky allows me to log in again. I'm not sure if the VPN is the same issue but the VPN also doesn't use a certificate.

[KSC11 and KES11 blocking VPN/certificate issues]

Thought we had fixed it but it's reared it's ugly head again. Just updated to a KSC11 and KES11 and we're having a lot of issues with Kaspersky blocking our Cisco Anyconnect VPN and also causing issues with some people accessing internal web portals for servers. The VPN and the portals all either have no certificate or an out of date certificate so the belief is that this is what is causing the issue. I've turned notifications on for everything and it still won't alert me at all to tell me what is being blocked or causing the issue but when i turn off the Web Control part of KES11, everything starts working again. Nothing is being blocked under Web Control in the reports side for the machines.

[New installed of KSC11 and KES11.1 blocking firewall]

All sorted. It was shockingly web control that was blocking it, the url of abnp.ironport.com was being blocked so just had to unblock it for it to work.

[New installed of KSC11 and KES11.1 blocking firewall]

Just upgraded from KSC10 to KSC11 with Agent and KES11 as well. The policy was replicated on the new KSC11 server and most things are alright but we're having an issue with machines running the new version KES11 managed by the new KSC11 server not being able to connect via VPN. The only events i can see in the logs is- Event name Network attack detected Severity: Critical Application: Kaspersky Endpoint Security for Windows (11.1.0) Version number: 11.1.0.15919 Task name: Network Threat Protection Device: LAPTOP1 Group: Test Time: 13/05/2019 10:03:19 Virtual Administration Server name: Description: Event type: Network attack detected Application\Name: Kaspersky Endpoint Security for Windows User: OPENFIELD\Administrator (Active user) Component: Network Threat Protection Result\Description: Blocked Object: from several different sources Object\Type: Network packet Object\Name: from several different sources Object\Additional: Suspicious: Database release date: 13/05/2019 04:41:00 I've added the IP range given by the vpn, which is 10.251.130.0/24, into the Firewall as a Local network, i've turned off the Network Threat Protection and i've even turned off the firewall and it still won't let me connect to the VPN. I've also added the vpnagent.exe and vpnui.exe of the Cisco Anyconnect client in as a Trusted Application and again, it stills failed to connect. As soon as i turn off KES11 on the laptop, the vpn connects straight away without issue.

[KES 11.0.1.90 - Policy is not supported: Web Control]

Just to update my previous message. The issue seemed to go away when i did a full uninstall of the old KES11 and Agent 10.5, after these had been uninstalled and the workstation restarted, everything worked fine with the new install.

[KES 11.0.1.90 - Policy is not supported: Web Control]

Just an update, i fully removed both KES11 and the network agent from a machine and then reinstalled it and it is now working fine. Will try to do a task for all of the other machines to remove Kaspersky and then do a reinstall of it.

[KES 11.0.1.90 - Policy is not supported: Web Control]

Please find the image below, policy linked below as well. The policy was created from the default template and not imported from the old KSC10 server. https://www.filehosting.org/file/details/799412/KSC11%20Client.klp

[KES 11.0.1.90 - Policy is not supported: Web Control]

Short Story Just installed KSC11 on a brand new Server 2016 server and deployed Network Agent 11.0.0.1131 and KES 11.0.1.90 on about 10 machines, 3 of them are fine but the rest are coming back with an error stating "Policy Is Not Supported: Web Control". Does anyone have any ideas? Long Story We've got a current Server 2012 machine running KSC10 managing 200+ devices all running atleast KES 11 and the Network agent version of 10.5, this is running absolutely fine. I've built up a brand new Server 2016 machine and installed KSC11 on it, all of the clients are going to be managed by this new server. The new policy seems to be fine and KES11.1 and Network Agent 11 was deployed out via a task to 10+ clients to make sure they go through ok and everything is working. 3 of the machines are coming up as being fine whilst the rest are reporting issues with "Policy Is Not Supported: Web Control". Has anyone seen this before and know a resolution?