Yebach

Everything posted by Yebach

  1. Hello, I am getting quite tired of this KES 11 s”#”) I have a website that uses a certificate issued by the government to access it. The component of Kaspersky that prevents me from accessing the page is Web Threat Protection. I added the page to exclusions with all prefixes etc. and it still does not work. I need a solution ASAP since the client is losing its nerves and wants to cancel the subscription. Oh, and fun fact: I had another page with the same problem that I added before to exclusions and it works. But if I delete it from exclusions… IT STILL WORKS. How is that possible?
  2. Unfortunately I do not have access to the machine atm, but consider the logs posted as text to be the correct ones.
  3. Yeah, I checked there. Nothing there. Nothing that would even signify that something happens in the folder. I added some logs. "\\lzs-srv\EPP\EPP2\Program\EPP2 - Shortcut - Dean.lnk" - this is the app that is started. Maybe something in this part.
  4. Where can I collect them? There is no sign of that in reports or anywhere. At least I haven’t found them.
  5. So after some try, catch I figured out that if I disable Web Threat Protection and add .msg as an exclusion in Mail Threat Protection it works. How can I set up my Web Threat Protection to still allow the *.msg files to be opened?
  6. Yes. If I pause Kaspersky all works OK. Once turned on again it also deletes all previous files created in subfolders %USER%\Temp\EPP2\….. The subfolders stay, though.
  7. Hello, I have Kaspersky Security Center 11 on my server and I have 15 machines that use Endpoint Security. Clients use an application that runs from the server (exe file). It is a legacy documentation system that stores some Outlook emails. The temp folder and file are created in the User\appdata\temp\EPP folder so a user can see an old email. If I have Kaspersky running it prevents the creation of a file in that subfolder, and it also deletes files previously created by this app. I am losing my mind over this. I added all exclusions and automatic deletion of any files anywhere but I am still unable to get this through. If Kaspersky is running and I have the app opened, once I want to look up some old email with this *.msg attachment the app returns an error that the file cannot be found (this is due to the fact Kaspersky has deleted it or prevented its creation). Any suggestions? Thank you. //Mod Note: moved to the correct section.