Stephen B

I am using 11.4.0.233 on some of our servers with agent 12.0.0.7734 and I am getting these reports from a single device. The item being identified is a UPS that is monitored. We added the IP Address to the “Exclusions” but the reports still come through. We could change it to “Do not track MAC spoofing attacks” but I don’t think that is the safest thing to do. The preference would be for the Exclusion to work. Any ideas? Event "Network attack detected" occurred on device MILESTONEE1 in Windows domain ##### on Tuesday, 14 July 2020 11:30:56 AM (GMT+10:00) Event type: Network attack detected Application: Kaspersky Endpoint Security for Windows Application\Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\ User: NT AUTHORITY\SYSTEM (System user) Component: Network Threat Protection Result\Description: Allowed Object: ARP from unexpected source Object\Type: Network packet Object\Name: ARP from unexpected source Object\Additional: Suspicious: 14/07/2020 11:30:56 AM: 00-20-85-DF-19-CE -> 172.17.2.44

Thanks INC000010637336

The issue is as per described in the posts above. The instillation of the latest version of the network agent is failing and reporting that it is due to a lack of disk space. The item has been described in detail above. There is no shortage of disk space. The removal tool DOES NOT WORK WHEN THERE IS NOTHING INSTALLED. I am not having issues removing an old version. The issue is with installing a new version. If I go to an older version it will install and work fine. I can also uninstall the old version. The issue is only with the new version.

Hi Guys. As per above the item marked as "Best answer" is not an answer as the removal tool provided does not have an option to remove the network agent. How do I get help?

Please note that this is not the answer. I am not sure how to remove the incorrect selection that indicates that it is the answer.

Note that I did not like having an active server with no antivirus installed, so I went to an old installer with Network Agent 10.5.1781 and Kaspersky 10.1.1.746. This installed without error. Something in the disk space checking on the newer version?

Could you please have a look at kavremover and tell me which item I should be selecting? I can not see any items in the list that detail or are similar to Network Agent.

Hello! First of all you need to check if the Windows has some fragments of the previous KES installation. Please use KavremoverThe error that we seen in the logs is "Application: Kaspersky Endpoint Security for Windows -- The installed AES-56 encryption libraries do not correspond to the AES-256 encryption libraries in this package." Also check the type of encryption of installing package, Thank you! Thanks you for the information. I ran the Kavremover tool as requested on the main server (the one I have access to reboot during the day). I did not see any option in this tool to remove the Network Agent, which is the item failing on this server, It fails on the network agent and then does not proceed to the installation of the main application. I did select the Kasp Endpoint Security (in the Kavremover tool) and rebooted as requested by the software. This did not make any difference and the software still refuses to install at the Network Agent.

Any assistance on this one? We know the servers have more than enough disk space so I am not sure what else to do other than roll back to an older version.

Interestingly we started to work on another server and had the same error, but this time on the Kaspersky Endpoint for Windows (11.1.0) (11.1.0.15919) and not the network agent. What we have found so far is that all servers seeing this error have dynamicly expanding disks and run on a Hyper-V 2012 R2 host. We will be updating our hosts to 2019 in the next 3 months but I am not sure I can go three months without AV on these servers. GSI of this second server is attached.

Thanks for your assistance on this matter. That worked well

Since upgrading to 10.1.2.996 with network agent 11.0.0.1131 we are getting several servers reporting that "Protection is disabled" When I try to start the protect I can not seem to turn on the protection or work out why it is disabled. This server is a 2012 R2 as are the other servers where I am seeing the same issue. A GSI is attached. When I look at the Admin server it shows the following Internal task error occurred. Error code: 0x0007. Subsystem code: 0x6 (WP). For more details go to the Kaspersky Lab Technical Support site: https://click.kaspersky.com/?hl=en-US&link=error&pid=wsee&version=10.1.0.0&error=B6X7X13X20X The only reference I could find was that to the licence, so I deployed the licence file again which reported that it was successful, but this did not resolve the issue. It also reports that it has an active key

From what we know this event is just a warning from Microsoft for computers that are not on a UPS. Cache is not recommended in some circumstances. This is a VM on a host that has UPS protection, so there is no real risk. The server was a fresh build a few years ago (Server 2016) and has similar settings to other servers. One thing we did note is that this has a dynamically expanding disk, so the hard drive expands as required. Could the installer be reading this incorrectly and not allowing for it to be a dynamically expanding disk? Also, the temp file you have asked for is not on that server.

Sorry for the delay, we had issues in other areas. Please see attached GSI

So Google Drive is considered a Torrent. So under security controls > Web Control > add an allow rule for *.google.com/drive/*