Showing results for 'Quick Launch Keyboard'.

  1. I was locked out of several accounts because I couldn’t receive SMS on my old number, which no longer works. Needed a quick way to get verification codes without relying on my carrier. Used another mobile service — picked a UK number directly in the browser, no registration. The code arrived in under two minutes. Since it’s a real SIM-based number, not VoIP, it worked with services that usually block virtual lines. Didn’t have to install an app or reactivate a physical SIM.
  2. @noone You are welcome. Open Firefox. Press the F12 function key on the top row of your keyboard; the 'Developer Tools' pane opens at the bottom inside Firefox. Install the Kaspersky Firefox extension. Check whether any "Error" shows up in the 'Developer Tools'.
  3. In certain cases, the ‘Install updates and fix vulnerabilities’ task may fail with an error. The example below covers the ‘Error verifying file signature’ error, but the same keywords and overall approach apply when investigating other errors met while running the ‘Install updates and fix vulnerabilities’ task.

    Steps to investigate such problems:

    1. View the list of updates selected for installation on the client. In the Network Agent trace file, search for ‘Update to install:’ (without quotes). Some of the found updates are skipped by filters, so pay attention to the skipped updates and to the overall number of updates that should be installed.
    2. Some updates may already be downloaded to the target system, so identify which update files are already downloaded and which still have to be downloaded. In the Network Agent trace file, search for ‘is already downloaded’ and ‘needs to be downloaded’ (without quotes).
    3. Match the ID of the update which needs to be downloaded (79ae03df-d6eb-4de2-b59f-37e963d7a69e in the sample traces) against the results from step 1; in the sample, KB907417 needs to be downloaded.
    4. Open the Microsoft Update Catalog and search for KB907417. In the search results click ‘Download’ and note the name of the archive containing the update: otkloadr_c87e2fe94dd873224afa65e2af2473ca3e307a37.cab
    5. Search for c87e2fe94dd873224afa65e2af2473ca3e307a37.cab in WindowsUpdate.log on the client machine and note the lines found.
    6. Search for otkloadr_c87e2fe94dd873224afa65e2af2473ca3e307a37.cab in the Administration Server trace file to find the URL the Administration Server used to download the update from Microsoft servers.
    7. Now that the name of the problem update is known, you may offer the customer to temporarily exclude KB907417 from the update installation task so that the other updates get installed. Then proceed with the investigation.
    8. On the Administration Server, use a web browser to download the problem update from the link identified at step 6 and make sure its signature is valid (Digital Signatures tab in the file properties). If the Digital Signatures tab is not present or the signature is invalid, try re-downloading with the AV solution disabled. If this does not help, make sure no proxy/firewall affects the download. Verify that Microsoft certificates are up to date on the KSC server.
    9. In the MMC console, Software updates node, right-click KB907417 and choose ‘Delete update files’. Launch the update installation task again.
    10. On the client machine, use a web browser to download the problem update from the link identified at step 5. Verify its signature and proceed as in step 8. Additionally, compare the downloaded file with C:\WINDOWS\SoftwareDistribution\Download\48ec39650764ea7a46ebe67ecf3b6f47\OTKLOADR.CAB and verify the digital signature of OTKLOADR.CAB.
    11. You may use signtool.exe to verify the signature of .cab files on both server and client:

        signtool.exe verify /pa otkloadr_c87e2fe94dd873224afa65e2af2473ca3e307a37.cab

       signtool.exe ships with the Windows SDK and is located at C:\<Path to Windows SDK>\<version>\bin\<build number>\x64\signtool.exe
    12. If the digital signature turns out to be correct, use the standard recommendations for resetting the Windows Update Agent (WUA):

        net stop wuauserv
        net stop cryptSvc
        net stop bits
        net stop msiserver
        Rename folders
        Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
        net start wuauserv
        net start cryptSvc
        net start bits
        net start msiserver

    13. After resetting WUA, launch the ‘Find updates and critical vulnerabilities’ task. It may fail several times because the WUA cache was cleared; after an error, simply re-launch the task. Once the ‘Find updates’ task completes successfully, launch the task to install updates and fix vulnerabilities (the problem update should be included in the task scope this time) and observe the results.
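The matching in steps 1 to 3 above is done by hand with text search. The script below, an added example that is not part of the Kaspersky article, automates it: collect the ‘Update to install:’ entries, collect the update IDs marked ‘needs to be downloaded’, and report the KB numbers that still have to be fetched, which are the candidates for the failing signature check. The trace lines in it are constructed: the article does not reproduce the real Network Agent trace layout, only the search keywords and the sample pair 79ae03df-d6eb-4de2-b59f-37e963d7a69e / KB907417 come from it, so the two regular expressions are assumptions to be adjusted to the real trace format.

```python
"""Cross-reference Network Agent trace entries to find the update that blocks the task.

Added example, not part of the Kaspersky article. The trace lines below are
CONSTRUCTED; the regular expressions encode an ASSUMED layout and must be adapted
to the real Network Agent trace format before use.
"""
import re

SAMPLE_TRACE = """\
Update to install: {6f2c1e4b-9b1d-4c9c-a5b0-5a1d7a2c9e01} KB4474419 (skipped by filter)
Update to install: {79ae03df-d6eb-4de2-b59f-37e963d7a69e} KB907417
Update to install: {d3e9f0b2-5c44-4f1a-b6f1-2f0c9d8e7a11} KB5005565
Update d3e9f0b2-5c44-4f1a-b6f1-2f0c9d8e7a11 is already downloaded
Update 79ae03df-d6eb-4de2-b59f-37e963d7a69e needs to be downloaded
"""

GUID = r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})"
# Assumed layouts: 'Update to install: {guid} KBnnnnnn ...' and '<guid> needs to be downloaded'
TO_INSTALL_RE = re.compile(r"Update to install:\s*\{?" + GUID + r"\}?\s+(KB\d+)(.*)$", re.I)
NEEDS_DL_RE = re.compile(GUID + r"\s+needs to be downloaded", re.I)
ALREADY_RE = re.compile(GUID + r"\s+is already downloaded", re.I)


def updates_to_install(trace: str) -> dict:
    """Map update GUID -> {'kb': 'KB...', 'skipped': bool}, in trace order (article step 1)."""
    found = {}
    for line in trace.splitlines():
        m = TO_INSTALL_RE.search(line)
        if m:
            guid, kb, rest = m.group(1).lower(), m.group(2).upper(), m.group(3)
            found[guid] = {"kb": kb, "skipped": "skipped" in rest.lower()}
    return found


def download_state(trace: str) -> dict:
    """Map GUID -> 'needed' or 'downloaded' from the download-state lines (article step 2)."""
    state = {}
    for line in trace.splitlines():
        m = NEEDS_DL_RE.search(line)
        if m:
            state[m.group(1).lower()] = "needed"
            continue
        m = ALREADY_RE.search(line)
        if m:
            state[m.group(1).lower()] = "downloaded"
    return state


def pending_downloads(trace: str) -> list:
    """KB numbers of non-skipped updates that still need downloading (article step 3)."""
    updates, state = updates_to_install(trace), download_state(trace)
    return [u["kb"] for g, u in updates.items() if not u["skipped"] and state.get(g) == "needed"]


if __name__ == "__main__":
    import sys
    # Pass a real trace file as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_TRACE
    states = download_state(text)
    for guid, info in updates_to_install(text).items():
        print(f"{guid}  {info['kb']:<10} {'skipped' if info['skipped'] else 'planned'}  {states.get(guid, 'unknown')}")
    print("Still to download:", ", ".join(pending_downloads(text)) or "none")
```

Run it against the Network Agent trace file; the KB numbers it prints as "Still to download" are the ones to look up in the Microsoft Update Catalog and to exclude temporarily if the signature check fails.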
  4. Flood and Flood's wife

    App Updater can't update anydesk software.

    Hello @Pandonus, Welcome back! What happened - what errors show when Kaspersky Premium fails to update anydesk? Please look in Kaspersky Reports for any anydesk events & post back? Note - please post images in English - to convert the Kaspersky GUI to English - by pressing SHIFT + F12 on the keyboard; to revert press SHIFT + F5 on the keyboard. Are you able to update anydesk manually? *Note* when posting images to a public forum, for *your* privacy & security - please hide all personal information - for example - email address. Please post back? Thank you🙏 Flood🐳+🐋
  5. Driftingraft

    Kaspersky closing the Free version

    Excellent, will try this method instead. Just one more question: should I first uninstall my existing Kaspersky before launching the installer? Or just launch it as is with the application in my system and just wait for it to be overwritten? Edit: Additionally, which version are you on? I'm not sure if this installer I have will bring me up to the latest version (the one the Estonian, Latvian etc. have) or if I will be permanently locked in this 21.21.7.384 version.
  6. Symptoms

    OS hang, sometimes with open-file errors in the journals. Customer applications degrade with the errors "unable to open file" and "too many open files".

    Hangs and third-party (compatibility) issues often require advanced data collection and are laborious to investigate. However, a quick check is possible: on a system where KESL has been running for some time (not immediately after a reboot/restart), run the following command as root and look for numerous records pointing at the /usr/bin or /usr/sbin folders:

        lsof | grep -E 'kesl.+DIR.+\/usr\/s?bin'

    Root Cause

    Under heavy load, KESL may show a linear increase in file descriptor usage (sysctl fs.file-nr) up to the system-wide limit (sysctl fs.file-max), followed by degradation.

    Workaround

    Schedule a restart of the KESL service every week/day, depending on the rate of descriptor growth. NB: a KESL restart also resets the progress of certain tasks such as "malware scan" and "database update". Schedule the KESL restart outside of those tasks' time frames.

    Solution

    The issue was fixed in KESL 12.1.0.1274; updating to that or a newer version fixes it.
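The quick check above is a one-off grep. As an added example that is not part of the Kaspersky article, the script below reproduces the same lsof filter in Python and combines it with the fs.file-nr / fs.file-max comparison from the Root Cause section, so the check can be run from cron to decide whether the scheduled KESL restart is actually needed. The lsof output and sysctl values embedded in it are constructed sample data, and the two thresholds are assumed values to be tuned per host.

```python
"""Quick check for the KESL file-descriptor growth described in the article.

Added example, not part of the Kaspersky article. The lsof output and sysctl values
below are CONSTRUCTED; the thresholds in assess() are ASSUMED.
"""
import re
import shutil
import subprocess
from pathlib import Path

# Same pattern the article greps for: a kesl process holding a DIR handle on /usr/bin or /usr/sbin.
KESL_DIR_RE = re.compile(r"kesl.+DIR.+/usr/s?bin")

# Constructed lsof output (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME).
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
kesl     1842 root  cwd    DIR    8,1     4096      2 /
kesl     1842 root   12r   DIR    8,1    36864 131073 /usr/bin
kesl     1842 root   13r   DIR    8,1    12288 131074 /usr/sbin
kesl     1842 root   14r   DIR    8,1    36864 131073 /usr/bin
sshd      901 root  cwd    DIR    8,1     4096      2 /
kesl     1842 root   15r   REG    8,1    10240 655361 /var/log/kaspersky/kesl/kesl.log
"""
SAMPLE_FILE_NR = "3040\t0\t1048576"   # constructed /proc/sys/fs/file-nr: allocated, unused, max
SAMPLE_FILE_MAX = "1048576"           # constructed /proc/sys/fs/file-max


def kesl_dir_handles(lsof_output: str) -> int:
    """Count lsof lines where kesl holds a directory handle under /usr/bin or /usr/sbin."""
    return sum(1 for line in lsof_output.splitlines() if KESL_DIR_RE.search(line))


def fd_usage(file_nr: str, file_max: str) -> tuple:
    """Parse fs.file-nr and fs.file-max; return (allocated, limit, percent_used)."""
    allocated = int(file_nr.split()[0])
    limit = int(file_max.strip())
    return allocated, limit, 100.0 * allocated / limit


def assess(lsof_output: str, file_nr: str, file_max: str,
           handle_threshold: int = 100, percent_threshold: float = 80.0) -> dict:
    """Combine both indicators into one verdict; the thresholds are assumptions."""
    handles = kesl_dir_handles(lsof_output)
    allocated, limit, pct = fd_usage(file_nr, file_max)
    return {
        "kesl_dir_handles": handles,
        "fd_allocated": allocated,
        "fd_limit": limit,
        "fd_percent": round(pct, 2),
        "restart_recommended": handles >= handle_threshold or pct >= percent_threshold,
    }


def live_assess() -> dict:
    """Run the check on the local Linux host (run as root for a complete lsof listing)."""
    if shutil.which("lsof") is None:
        raise RuntimeError("lsof is not installed")
    lsof_output = subprocess.run(["lsof", "-n"], capture_output=True, text=True, check=False).stdout
    file_nr = Path("/proc/sys/fs/file-nr").read_text()
    file_max = Path("/proc/sys/fs/file-max").read_text()
    return assess(lsof_output, file_nr, file_max)


if __name__ == "__main__":
    # Prints the verdict for the constructed sample; call live_assess() on a real host.
    print(assess(SAMPLE_LSOF, SAMPLE_FILE_NR, SAMPLE_FILE_MAX))
```

Because the article describes a linear growth, the useful signal is the trend: store the dictionary returned by live_assess() at each run and compare kesl_dir_handles and fd_percent between runs, rather than reacting to a single sample.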
  7. Problem Description, Symptoms & Impact

    The installation of the Network Agent is not possible on a device because of the error: System error 0x1F (A device attached to the system is not functioning.)

    Diagnostics

    The following line can be found in the MSI log and in the Application event log:

        (1192/0x0 ("System container 'LOC-PUB-6EEB50F8D2EB46029DB4CCB77E0DA651' is corrupt")

    Workaround & Solution

    The issue comes from a corrupt cryptostorage in the OS. It is not a Kaspersky-related issue, although a possible fix exists:

    1. On the problem host, launch cmd.exe with administrative privileges.
    2. Run klcryptstgclean.exe:

        klcryptstgclean -tl 4 -tf $klcryptstgclean_trace.txt -l klcryptstgclean.log

    3. Try to install the Network Agent.
    4. If it does not help, perform the actions from the Cryptostorage-1.docx file.
    5. If the installation fails again, send the following files to Kaspersky Support: "$klcryptstgclean_trace.txt", "klcryptstgclean.log", and a new GSI with the klnagent installation logs.

    This is not a KSC or klnagent issue; it is an OS issue. If the workaround does not help, try the sfc /scannow command, OS restore, OS reinstallation, or contact Microsoft support.
  8. Problem:

    1. Create a Group On Demand Scan task for Windows Kaspersky Light Agent 5.2 / Linux Kaspersky Light Agent 5.2.
    2. Launch the Group On Demand Scan task.

    The Group On Demand Scan task of Windows Kaspersky Light Agent 5.2 / Linux Kaspersky Light Agent 5.2 might detect an infected object but might not delete it.

    Solution:

    1. Delete the created Group On Demand Scan task of Windows Kaspersky Light Agent 5.2 / Linux Kaspersky Light Agent 5.2.
    2. Delete all created Windows Kaspersky Light Agent 5.2 / Linux Kaspersky Light Agent 5.2 policies.
    3. Add the registry key on the Kaspersky Administration Server:
       - 5_2_ksc_win_x86_fix.reg if the Kaspersky Administration Server is installed on an x86 operating system
       - 5_2_ksc_win_x64_fix.reg if the Kaspersky Administration Server is installed on an x64 operating system
    4. Create the Windows Kaspersky Light Agent 5.2 / Linux Kaspersky Light Agent 5.2 policies anew.
    5. Create the Group On Demand Scan task of Windows Kaspersky Light Agent 5.2 / Linux Kaspersky Light Agent 5.2.
    6. Launch the Group On Demand Scan task.
  9. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

    The article gives working configuration instructions for domain authentication using the NTLM and Kerberos protocols.

    NOTE: Domain authentication in OpenAPI over the Kerberos protocol has the following restrictions:
    - The Administration Server address must be specified exactly as the address for which the Service Principal Name (SPN) is registered for the domain account name.
    - In the domain, you need to set the Service Principal Name (SPN) to publish the OpenAPI service on port 13299 for the machine with the Administration Server, the service of which is running under the name of the domain user <domain-user>.
    - The Kaspersky Security Center 13 Web Console user must be authenticated in Active Directory using the Kerberos protocol.
    - Kerberos authentication should be allowed in the web browser. For details, refer to the documentation of the web browser used.

    Details

    SPN - Service Principal Name

    Log in to the Domain Controller as a Domain administrator. Open PowerShell as admin and run the following commands:

        setspn.exe -A HTTP/hostname-node-1.domain.local -u domain\user-ksc-service
        setspn.exe -A HTTP/hostname-node-2.domain.local -u domain\user-ksc-service

    Example:

        setspn.exe -A HTTP/kscw-node-1.sales.lab -u sales\ksc
        setspn.exe -A HTTP/kscw-node-2.sales.lab -u sales\ksc
        setspn.exe -L -u sales\ksc    # command to check the SPN records
        # Response
        Registered ServicePrincipalNames for CN=KSC Service,CN=Users,DC=sales,DC=lab:
            HTTP/kscw-node-1.sales.lab
            HTTP/kscw-node-2.sales.lab

    Enable Kerberos/NTLM authentication in web browsers

    Microsoft Edge / Internet Explorer
    1. Win + R => inetcpl.cpl
    2. Activate the Security tab.
    3. Select Local intranet and click Sites. In the opened dialog box click Advanced.
    4. Add the host name of the KSC Web Console (e.g. host.company.com). Click Close and then click OK.
    5. Click Custom level. Navigate to Scripting and enable Active scripting.
    6. Navigate to User Authentication \ Logon. Select Automatic logon only in Intranet zone and click OK.
    7. Activate the Advanced tab. In the Settings list, navigate to the Security section. Select Enable Integrated Windows Authentication and click OK.

    Mozilla Firefox - https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication
    1. Launch Mozilla Firefox.
    2. In the URL bar, enter about:config and press Enter.
    3. In the filter text box, enter network.negotiate.
    4. Double-click the network.negotiate-auth.trusted-uris option and enter the host name of the KSC Web Console (e.g. host.company.com).
    5. Repeat the previous step for the network.negotiate-auth.delegation-uris option.

    Google Chrome
    - Add the Software\Policies\Google\Chrome\AuthServerWhitelist registry key with the value *.<domain-name>.local
    - Add the Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist registry key with the value *.<domain-name>.local
  10. Prerequisites
    - vSphere supported by the Kaspersky Agentless solution
    - NSX version 3.2+
    - Deployed Kaspersky Agentless 6.1 Antivirus and/or Network Attack Blocker Appliance

    Problem

    A new registration and deployment of the Kaspersky Agentless 6.1 Antivirus and/or Network Attack Blocker Appliance completes successfully, but an attempt to create a Service Profile for Kaspersky Agentless 6.1 Antivirus and/or Network Attack Blocker fails. AntiVirus and Network Attack service registration might fail with the error "Service Definition id <ID> <Kaspersky Component> not found in MP".

    Root cause

    NSX-T does not delete the service references of the Kaspersky Agentless 6.1 Antivirus and/or Network Attack Blocker Appliance.

    Solution

    1. Access the NSX-T appliance through a terminal (e.g. PuTTY) and launch the command:

        curl -kG https://admin:<PASSWORD>@<nsx-t address>/policy/api/v1/infra/service-references

       Note the path value for Kaspersky File Antimalware Protection and for Kaspersky Network Protection.
    2. Delete each service reference by its path value with the command:

        curl -kX DELETE https://admin:<PASSWORD>@<nsx-t address>/policy/api/v1/<value of path>

    3. Then delete the previously created service profile for Kaspersky Agentless 6.1 Antivirus and/or Network Attack Blocker and create it anew.
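The two curl calls above put the NSX-T admin password into the URL, where it lands in the shell history and in process listings, and -k disables certificate validation. As an added example that is not part of the Kaspersky article, the script below performs the same GET and DELETE calls with the credentials in an Authorization header, TLS verified against an explicit CA bundle, and the Kaspersky service references selected automatically by display name. The JSON sample in it is constructed; the assumption that the response carries a "results" list whose items have "path" and "display_name" fields follows the NSX-T Policy API response shape and is labelled as such. The host name and CA bundle path at the bottom are placeholders.

```python
"""Remove stale Kaspersky service references from NSX-T without leaking the admin password.

Added example, not part of the Kaspersky article. SAMPLE_RESPONSE is CONSTRUCTED; the
"results" / "path" / "display_name" field names are an ASSUMPTION about the NSX-T
Policy API response shape.
"""
import base64
import json
import os
import ssl
import urllib.request

API_PREFIX = "/policy/api/v1"   # same prefix as the article's curl commands

SAMPLE_RESPONSE = json.dumps({  # constructed; only the fields this script reads are included
    "results": [
        {"id": "sr-1", "display_name": "Kaspersky File Antimalware Protection",
         "path": "/infra/service-references/sr-1"},
        {"id": "sr-2", "display_name": "Kaspersky Network Protection",
         "path": "/infra/service-references/sr-2"},
        {"id": "sr-3", "display_name": "Some Other Vendor Service",
         "path": "/infra/service-references/sr-3"},
    ]
})


def kaspersky_service_paths(body: str, needle: str = "Kaspersky") -> list:
    """Return the 'path' of every service reference whose display_name contains needle."""
    data = json.loads(body)
    return [r["path"] for r in data.get("results", []) if needle in r.get("display_name", "")]


def build_request(base_url: str, path: str, user: str, password: str, method: str) -> urllib.request.Request:
    """Build an authenticated request; the credentials go into a header, never into the URL."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + API_PREFIX + path, method=method)
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    return req


def delete_stale_references(base_url: str, user: str, password: str, cafile: str) -> list:
    """GET the service references, DELETE the Kaspersky ones, return the deleted paths."""
    ctx = ssl.create_default_context(cafile=cafile)   # verify the NSX-T certificate instead of curl -k
    list_req = build_request(base_url, "/infra/service-references", user, password, "GET")
    with urllib.request.urlopen(list_req, context=ctx) as resp:
        body = resp.read().decode()
    deleted = []
    for path in kaspersky_service_paths(body):
        del_req = build_request(base_url, path, user, password, "DELETE")
        with urllib.request.urlopen(del_req, context=ctx) as resp:
            if resp.status in (200, 204):
                deleted.append(path)
    return deleted


if __name__ == "__main__":
    # Placeholders: the manager address and CA bundle are examples, the password comes from the environment.
    print(delete_stale_references("https://nsx-manager.example.local", "admin",
                                  os.environ["NSX_PASSWORD"], "/etc/ssl/certs/nsx-ca.pem"))
```

After the script reports the deleted paths, continue with step 3 of the article: delete the previously created service profile and create it anew.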
  11. This is an example of a step-by-step instruction to configure Single Sign-On (SSO) for KATA 4.1/5+/6+ in the HOME.LAB domain.

    Prerequisites
    - The deployed Central Node server name should be an FQDN (in this case the FQDN of the Central Node is kata-cn.home.lab). It can be checked via Settings/Network Settings of the Central Node.
    - A and PTR records should be set for the Central Node in DNS.
    - A domain user account should be created to set up Kerberos authentication by means of a keytab file (in this case the domain user account is kata-sign-on).
    - The AES256-SHA1 encryption algorithm should be enabled for the created domain user account.

    Step-by-step guide to create the keytab file

    On the Domain Controller:
    1. Launch CMD as Administrator.
    2. Execute the following command to create the keytab file:

        C:\Windows\system32\ktpass.exe -princ HTTP/kata-cn.home.lab@HOME.LAB -mapuser kata-sign-on@HOME.LAB -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out C:\TEMP\kata-sgn-on.keytab

       The utility requests the kata-sign-on user password when executing the command. The SPN of the selected server is added to the created keytab file. The generated salt is displayed on the screen: Hashing password with salt "<hash value>". For multiple Central Node servers you need to save the "<hash value>" of the password hashing in order to add an SPN for each subsequent Central Node server with the ktpass.exe utility.

    On the Central Node web interface:
    1. Go to Settings/Users/Active Directory Integration.
    2. Add the created keytab file. The Keytab file status section shows "File which contains SPN for this server", and the "The file contains" section shows HTTP/*****@*****.tld.
    3. Under the Users tab click Add and select Domain user account. Set the domain user as <username>@<domain>.

    On the client machine:
    - The host should be joined to the same domain.
    - The domain user should be logged in with the account added into the Central Node.
    1. Open Control Panel/Internet Options.
    2. Click Security and select Local intranet.
    3. Click Sites and then Advanced.
    4. Add the FQDN of the Central Node: kata-cn.home.lab
    5. Close the windows.
    6. Launch the web browser and open the web interface of the Central Node, https://kata-cn.home.lab:8443. It should open without asking for a login/password.
  12. To achieve this goal for the Kaspersky Agentless 6.1 solution you should:
    1. Shut down the Kaspersky Agentless Appliance.
    2. Disable the option "Configure/vApp Options/edit/OVF Details/OVF environment transport/ISO image" for the Kaspersky Agentless Appliance.
    3. Launch the Kaspersky Agentless Appliance.
  13. Problem

    Sometimes the Anti-Cryptor task in KESL cannot start after the OS boots. This may happen because Anti-Cryptor needs all the protected network resources to be up before the KESL service is started; in other words, the Samba or NFS services should be started before the KESL service.

    Solution

    Make sure that the services start in the correct order.

    For systemd systems:
    1. Create the file /etc/systemd/system/kesl.service.d/override.conf (the drop-in directory has to exist first):

        # mkdir -p /etc/systemd/system/kesl.service.d
        # touch /etc/systemd/system/kesl.service.d/override.conf

    2. Add the following to /etc/systemd/system/kesl.service.d/override.conf:

        [Unit]
        After=nfs-server.service smb.service
        [Service]
        TimeoutSec=300

    3. Reload the unit files:

        # systemctl daemon-reload

    For SysV init systems:
    Rename the Samba and NFS init files so that those services start earlier, e.g.:

        # mv /etc/rc3.d/<smb_init_file> /etc/rc3.d/S49smb
        # mv /etc/rc3.d/<nfs_init_file> /etc/rc3.d/S49<nfs_init_file>

    Where <smb_init_file> and <nfs_init_file> stand for the current init files present in the system. The NFS init file may have a different name depending on your environment: nfs, nfs3 or nfs-server.
  14. The SNMP daemon on the SVM has the following default settings:
    - protocol version: v2c
    - rocommunity name: public
    - listening address and port: 0.0.0.0:161
    - access type: read only
    - transport: UDP
    - logging: syslog

    The following statistics can be received from the SVM (number, description, name, identifier):
    - 4.1 CPU statistics: UCD-SNMP-MIB::systemStats
    - 4.2 Memory statistics: UCD-SNMP-MIB::memory
    - 4.3 Load average statistics: UCD-SNMP-MIB::laTable
    - 4.4 Disk statistics: HOST-RESOURCES-MIB::hrStorageTable
    - 4.5 Network statistics: IF-MIB::ifTable
    - 4.7 Number of desktop VMs connected: KSVLA-MIB::ksvlaProtectedDesktopCount, 1.3.6.1.4.1.23668.1491.1539.1.1
    - 4.8 Number of server VMs connected: KSVLA-MIB::ksvlaProtectedServerCount, 1.3.6.1.4.1.23668.1491.1539.1.0
    - 4.9 ODS running status: KSVLA-MIB::ksvlaODSStatus, 1.3.6.1.4.1.23668.1491.1539.0.0
      - in progress (if all ODS tasks are running)
      - waiting (if at least one ODS task is waiting for processing)
      - none (if no ODS tasks are running/waiting at all)
    - 4.10 ODS queue length (number of VMs awaiting ODS processing): KSVLA-MIB::ksvlaODSQueueLenght, 1.3.6.1.4.1.23668.1491.1539.0.1
    - 4.11 Number of simultaneously running ODS tasks: KSVLA-MIB::ksvlaODSTaskCount, 1.3.6.1.4.1.23668.1491.1539.0.2
    - 4.12 Current percent of the allowed physical memory consumption: KSVLA-MIB::ksvlaMemoryConsumption, 1.3.6.1.4.1.23668.1491.1539.3.0
      - if the watchdog is on, the WDSERVER_MAX_MEM constant from ScanServerLaunch.sh is the maximum
      - if the watchdog is off, 100% is the maximum
    - 4.13 Current percent of the allowed swap consumption: KSVLA-MIB::ksvlaSwapConsumption, 1.3.6.1.4.1.23668.1491.1539.3.1
      - if the watchdog is on, the WDSERVER_MAX_SWAP constant from ScanServerLaunch.sh is the maximum
      - if the watchdog is off, 100% is the maximum
    - 4.14 Main processes state (running/stopped):
      - scan server daemon: KSVLA-MIB::ksvlaScanServerStatus, 1.3.6.1.4.1.23668.1491.1539.2.0
      - klnagent daemon: KSVLA-MIB::ksvlaKlnagentStatus, 1.3.6.1.4.1.23668.1491.1539.2.1
      - nginx daemon: KSVLA-MIB::ksvlaNginxStatus, 1.3.6.1.4.1.23668.1491.1539.2.2
      - watchdog: KSVLA-MIB::ksvlaWatchdogStatus, 1.3.6.1.4.1.23668.1491.1539.2.3

    Change the SNMP community name
    1. Edit the file /etc/snmp/snmpd.conf
    2. Replace the community string public in the rocommunity line with one of your own.
    3. Save the changes.
    4. Restart the SNMP daemon: systemctl restart snmpd

    Move to SNMPv3
    1. Stop the SNMP daemon: systemctl stop snmpd
    2. Launch the command:

        net-snmp-config --create-snmpv3-user -ro -A "authpass" -X "privpass" -x AES -a SHA "user"

       "authpass" is the password used to generate the HMAC when connecting to snmpd, "privpass" is the password used to encrypt the SNMP traffic, and "user" is the user name for snmpd. "authpass" and "privpass" should be generated by you. This command modifies two files: /etc/snmp/snmpd.conf and /var/lib/net-snmp/snmpd.conf
    3. Restart the SVM.
  15. Problem

    Environment: Citrix Virtual Apps and Desktops (Citrix XenApp and XenDesktop) with the Citrix UPL (User Personalization Layer) option enabled, Citrix App Layer, and a non-English operating system localization. After installation of KSV LA 5.2, you can face the error "The specified path does not exist", which appears when launching any executable file.

    Possible root cause

    Both Citrix technologies use separate vhd files: one for creating VMs by using Citrix App Layer and one for the roaming profiles used by Citrix UPL. As a result, while the vhd files are being merged, the Citrix driver returns an incorrect path to the executable files.

    Workaround
    1. Install Kaspersky Light Agent 5.2 and ensure it does not connect to the SVM.
    2. Disable Self-Defense and exit LA.
    3. Add the registry file from this archive.
    4. Launch the installation of the latest cumulative patch from the archive (all further released cumulative PFs will contain the fix as well).
    5. As soon as LA reports that a restart is needed, restart the VMs.
    6. Connect LA to the SVM. The problem should be solved.
  16. Environment/Preconditions: KSC 12, KSWS 11.0.1.897

    You may find a massive increase in disk usage from the report folder under the Kaspersky folder. The size of the report folder grows from around 2 GB to 12 GB; the files in the report folder have random names (like 340a13d9-2a50-4c4e-94d6-82a79d80da4b), grow rapidly and consume disk space. A full disk can itself cause many issues (inability to log in to the server, KSWS stopping, etc.). The file can be deleted to resolve the disk space issue:
    1. Stop KSWS.
    2. Add permission/ownership for the login account.
    3. Right-click and delete the file.

    This issue is caused by the Task log setting under the Log and Notification tab in the KSWS policy. To avoid the detailed events issue:
    - Ensure that there are no Informational events selected in the Importance level option of each component.
    - Ensure that Remove task logs older than (days) is selected.

    If after the above steps the random file still keeps growing rapidly (100 MB per hour), it may be caused by event flooding. You can check for event flooding using the product's local console: install and launch the KSWS tools and, under the Logs and Notifications node, observe the Task logs, System audit log and Security log in the local UI. Check which event is generated in excessive amounts.
  17. When an administrator attempts to establish a connection between a KS4O365 workspace and their Exchange Online organization by doing the following in the administration console: Office 365 connection → Exchange Online connection → Grant Access, the consent validation algorithm passes but in the end the "Error processing the request" error appears.

    This error is usually triggered by the browser settings on the client host that is performing the consent validation. Upon executing the consent validation algorithm we get the access token from Microsoft. Then we redirect the browser to our web site's URL and attach the access token as a cookie. Upon redirecting, the cookie with the access token is lost or blocked; usually this is caused by one of the following reasons:
    - The browser filters cookies on its own, for instance due to some extensions, browser settings, or a beta version of the browser with paranoid default security settings.
    - Some third-party program, for example a file anti-virus, is blocking access to the file with the browser's cookies on the local hard drive.

    Thus, the following action plan is suggested.

    Step-by-step guide

    Clear all history, cache and cookies in the web browser, restart it and check whether the issue reproduces. If it does not help, make sure that the same error occurs if you try the same operation in another web browser supported by the product (https://support.kaspersky.com/KS4MO365/1.2/en-US/141858.htm) or in the browser's incognito mode. Also temporarily disable anti-malware solutions or any third-party products that might be blocking/locking/inspecting the browser's cookie files.

    If the issue persists, do the following:
    1. Open the Google Chrome web browser.
    2. Press the F12 key.
    3. Enable the Preserve log option in the Network tab.
    4. Reproduce the whole scenario from the beginning (log into the business hub account) up to the issue itself.
    5. Take a screenshot of the error with a timestamp.
    6. Export the Network debugging results to a HAR file.
    7. Provide the HAR file and the screenshot to Kaspersky Support. We will also be interested in the URL shown when the error pops up in the browser.

    Note that a HAR file records request and response headers, including cookies and therefore the access token itself, so hand it over only through the support channel and treat it as sensitive.
  18. Problem Using EDR, you may encounter an issue where you're unable to view incident card regarding a detection in KSC Web Console. It looks like this: Here we will discuss known causes of such behavior (several products are involved, so causes may be different). Possible causes and solutions MDR In MDR, incidents are to be viewed using the dedicated MDR Console, and KSC version 13 and newer with configured MDR plug-in. KSC 12.* Web Console will not receive the data; this is expected behavior. KES+KEA If you first install KES without EA component, and then a standalone KEA package, KES EDRO integration will be disabled and killchain will not work. Here is a quick way to determine if KEA was installed as a component of KES. Open regedit, then navigate to: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features] "AntiAPTFeature" = "1" If the value is 0, proceed to the workaround to enable the component as described below. To fix this, we ran Change application components task on the host, enabling Endpoint Agent in KES. If KES/KEA integration is configured correctly, we can find the following in KES traces: 12:08:37.426 0x2a18 INF edr_etw Start processing detect = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, recordId = 6, taskId = 1128, result = 0 12:08:37.426 0x2a18 INF edr_etw Start processing actions = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, action = 4, recordId = 6, taskId = 1128, edrAction = 3489660999, result = 0 12:08:37.442 0x2a18 INF edr_etw Killchain is enabled! 12:08:37.442 0x2a18 INF edr_etw SystemWatcher is running! 
12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::IsSystemWatcherDetect begin 12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::IsSystemWatcherDetect end 12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::InvestigateProcessIds begin 12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::InvestigateProcessIds end 12:08:37.442 0x2a18 INF edr_etw Finish processing detect = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com threat status = 1, recordId = 6, taskId = 1128,result = 0 12:08:37.458 0x1f18 INF edr_etw Finish processing AV detect result = 0 Searching for ThreatID in KEA traces: 12:08:37.426 0x2a18 INF amfcd ThreatsProcessingEventsLogic::OnTreatActionImpl: ctx:0x23d68510 [TI 0x1b8dd490: id = 0x6, : tdid = {7F620459-6C51-9E46-9A5D-689A9B0D0098}, name = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, add info: <none>, 0x0] 0x4 0x0 KES+KEA (upgrade from KESB to EDR Optimum) EDR Optimum requires KSC 12.1 or newer to work. This includes the Network Agent, which is a part of KSC, and is generally installed on the host alongside KES. Using an outdated version of Network Agent (10.5, 11, etc.) will lead to the mentioned error when opening incident cards. If Network Agents were not upgraded along KSC, it's better upgrading them for EDR Optimum. KES 11.7+ Check that EDR Optimum feature is enabled in registry (GSI > Registry > HKLM_Software_Wow6432Node_KasperskyLab.reg.txt ). [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features] EdrOptimumFeature = 1 If value is 0, run Change application components task on the host, enabling EDR Optimum in KES. 
Also in traces (*.SRV.log) you can search for the string bundles::InstalledFeaturesProvider::InstalledFeaturesProvider and check that EDROptimumFeature is listed. In the example below this component is missing:

KES.21.9.6.465_05.18_14.00_3952.SRV.log
11:00:36.897 0x26a0 INF bundles::InstalledFeaturesProvider::InstalledFeaturesProvider{
3 (AVScannerAndCoreFeature)
28 (AdaptiveAnomaliesControlFeature)
0 (AdminKitConnectorFeature)
24 (AdvancedThreatProtectionFeature)
27 (AmsiFeature)
7 (ApplicationControlFeature)
17 (BehaviorDetectionFeature)
30 (CloudControlFeature)
4 (CriticalScanTask)
6 (DeviceControlFeature)
23 (EssentialThreatProtectionFeature)
11 (ExploitPreventionFeature)
8 (FileThreatProtectionFeature)
19 (FirewallFeature)
5 (FullScanTask)
2 (HostIntrusionPreventionFeature)
16 (MailThreatProtectionFeature)
14 (NetworkThreatProtectionFeature)
12 (RemediationEngineFeature)
25 (SecurityControlsFeature)
18 (UpdaterTask)
21 (WebControlFeature)
20 (WebThreatProtectionFeature)
22 (WholeProductFeature)
}

KSWS+KEA

The same rule applies: the KEA component needs to be installed in KSWS. KSWS does not have a "Change application components" task in KSC, so this has to be taken into account during KSWS deployment.

Here is a quick way to determine whether KEA was installed as a component of KSWS. Open regedit, then navigate to:

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\WSEE\11.0\Install]
"Features"="AntiCryptorNAS=0;AntiCryptor=0;AntiExploit=0;AppCtrl=0;AVProtection=0;DevCtrl=0;Fim=0;Firewall=0;ICAPProt=0;IDS=0;Ksn=0;LogInspector=0;Oas=0;Ods=0;RamDisk=0;RPCProt=0;ScriptChecker=0;Soyuz=0;WebGW=0"

(Soyuz needs to be set to 1.) If Soyuz is set to 0, apply the workaround to enable it. KSWS allows its components to be changed locally or via the CLI. Here is an example of how to set Soyuz=1 when KEA was not installed as a component of KSWS:

1. Locate ks4ws_x64.msi or ks4ws.msi (depending on OS architecture).
2. Create a custom installation package based on ks4ws_x64.msi or ks4ws.msi from step 1 with the parameters as per the screenshot (add UNLOCK_PASSWORD= if KSWS is password-protected in the policy).
3. Deploy the package to the problematic servers with KSWS and KEA, then check in the registry that Soyuz=1.
4. Check the host's properties on the KSC side: EDRO should be in the Running state in KEA.

If the KSWS/KEA integration is configured correctly, we can find the following in KSWS traces:

19:57:04.577 7a8 1310 info [edr] Published ThreadDetected:
VerdictName : HEUR:Win32.Generic.Suspicious.Access
RecordId : 0
DatabaseTime : 18446744073709551615
ThreatId : {ffb58079-6d8d-4a62-8ab0-021ff4ed61c5}
IsSilent : false
Technology : 3489661023
ProcessingMode : 3489660948
ObjectType : 3489660934
ObjectName : C:\Windows\System32\wbem\WmiPrvSE.exe
Md5 : e1bce838cd2695999ab34215bf94b501
Sha256 : 1d7b11c9deddad4f77e5b7f01dddda04f3747e512e0aa23d39e4226854d26ca2
UniquepProcessId: 0xf7c807730e051a0d
NativePid : 3360
CommandLine :
AmsiScanType :
AmsiScanBlob :
FileCreationTime: 1601-01-06T23:09:56.075520800Z

Searching for the ThreatId in KEA traces:

19:57:05.583 704 9b0 debug [bl] ThreatsHandler: detect v2 verdictName: HEUR:Win32.Generic.Suspicious.Access detectTechnology: 0xd000005f processingMode: 0xd0000014 objectType: 0xd0000006 objectName: C:\Windows\System32\wbem\WmiPrvSE.exe nativePid: 3360 uniquePid: 17854528913448180237 nativePidTelemetry: 3360 uniquePidTelemetry: 17854528913448180237 downloaderUniqueFileId: <none> downloadUrl: <none> isSilentDetect: false threatId: ffb58079-6d8d-4a62-8ab0-021ff4ed61c5
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59675, processed=59675, dropped=0, queueBytes=191
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59676, processed=59676, dropped=0, queueBytes=132
19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59677, processed=59677, dropped=0, queueBytes=371
19:57:05.583 704 9b0 debug [bl] Threats Handler: event processed, id = 2
19:57:05.584 704 1fc debug [killchain] Message discarded: name = ThreatDetect

The verdict is "Message discarded", which means the detection will not trigger killchain generation.

If no such entries can be found in the traces, this might mean that the EPP integration is not configured correctly (the EDR component is disabled in KSWS).

Check killchain presence on the host

If all prerequisites are met, it is worth checking whether killchain files are actually created on the host. To check that, run cmd.exe as Administrator and list the contents of the c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects folder. Archives named <threat_id>.zip should be present in the folder:

C:\WINDOWS\system32>dir "c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects"
Volume in drive C has no label.
Volume Serial Number is 8010-ADC0

Directory of c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects

08/16/2021 12:20 PM <DIR> .
08/16/2021 12:20 PM <DIR> ..
08/16/2021 09:34 AM 636 0349c190-4ac3-4da4-9b64-07835298660f.zip //this is an archive with killchain info
08/16/2021 12:18 PM 696 1d306aa7-f37f-4ab2-969e-d337d398a995.zip
08/16/2021 09:34 AM 637 23a5dc93-5776-43c8-b949-79c102aa1184.zip
08/16/2021 12:19 PM 691 27bc9ea3-200b-49d2-b8b0-df7954cd428a.zip
08/16/2021 12:19 PM 683 40673c70-9e8e-420f-b5ce-65b406862b94.zip
08/16/2021 12:19 PM 688 590b6e30-4509-4b25-bdb0-062f89b7e062.zip
08/16/2021 12:20 PM 693 67993612-dc82-45a2-9e5b-74756adc46eb.zip
08/16/2021 12:20 PM 685 6a892bd1-f452-42d0-80b0-cb953cd7fc26.zip
08/16/2021 12:19 PM 686 a63fbafa-fcef-46f7-935f-42be4392a172.zip
08/16/2021 12:19 PM 699 d9d4f5eb-42b2-4460-8f8a-eb63bbef8791.zip
08/16/2021 12:19 PM 686 f6042624-9840-4a6e-9b30-9270cce22236.zip
11 File(s) 7,480 bytes
2 Dir(s) 240,763,092,992 bytes free
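The checks above (EDROptimumFeature listed in the SRV log, the ThreatId appearing in both the KSWS [edr] record and the KEA [bl] record, the [killchain] "Message discarded" verdict, and a <threat_id>.zip under the detects folder) can be automated over exported trace files. The script below is an added example written for this article, not Kaspersky code; the trace fragments and file names in it are constructed samples modelled on the lines quoted above, and the function names are my own.

```python
import re

# Constructed sample fragments modelled on the trace lines quoted in the article (not real hosts).
SRV_LOG = ("11:00:36.897 0x26a0 INF bundles::InstalledFeaturesProvider::InstalledFeaturesProvider"
           "{ 3 (AVScannerAndCoreFeature) 24 (AdvancedThreatProtectionFeature) 22 (WholeProductFeature) }")
KSWS_LOG = """19:57:04.577 7a8 1310 info [edr] Published ThreadDetected:
VerdictName : HEUR:Win32.Generic.Suspicious.Access
ThreatId : {ffb58079-6d8d-4a62-8ab0-021ff4ed61c5}
IsSilent : false"""
KEA_LOG = """19:57:05.583 704 9b0 debug [bl] ThreatsHandler: detect v2 threatId: ffb58079-6d8d-4a62-8ab0-021ff4ed61c5
19:57:05.584 704 1fc debug [killchain] Message discarded: name = ThreatDetect"""
UUID = r"([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"

def installed_features(srv_log):
    """Feature names inside the InstalledFeaturesProvider{ ... } block of a *.SRV.log."""
    m = re.search(r"InstalledFeaturesProvider\{(.*?)\}", srv_log, re.S)
    return set(re.findall(r"\((\w+)\)", m.group(1))) if m else set()

def ksws_threat_ids(ksws_log):
    """ThreatId values from KSWS [edr] records; braces stripped and lower-cased for matching."""
    return {t.lower() for t in re.findall(r"ThreatId\s*:\s*\{?" + UUID, ksws_log)}

def kea_threat_ids(kea_log):
    """threatId values from KEA [bl] ThreatsHandler records (logged without braces)."""
    return {t.lower() for t in re.findall(r"threatId:\s*" + UUID, kea_log)}

def killchain_discarded(kea_log):
    return "[killchain] Message discarded" in kea_log

def missing_killchain_archives(threat_ids, detect_files):
    """Threat IDs with no <threat_id>.zip among the names listed in ...\\killchain\\detects."""
    present = {name.lower() for name in detect_files}
    return {t for t in threat_ids if f"{t}.zip" not in present}

def triage(ksws_log, kea_log, detect_files, srv_log=None):
    """Reasons, in the article's order, why a detection would not yield a killchain archive.
    srv_log only applies to KES hosts; on KSWS hosts check the Soyuz registry value instead."""
    findings = []
    if srv_log is not None and "EDROptimumFeature" not in installed_features(srv_log):
        findings.append("EDROptimumFeature missing in KES (use 'Change application components')")
    ksws_ids, kea_ids = ksws_threat_ids(ksws_log), kea_threat_ids(kea_log)
    for tid in sorted(ksws_ids - kea_ids):
        findings.append(f"{tid} detected by KSWS but never reached KEA: check EPP integration")
    if killchain_discarded(kea_log):
        findings.append("KEA discarded ThreatDetect: this detection will not generate a killchain")
    for tid in sorted(missing_killchain_archives(kea_ids, detect_files)):
        findings.append(f"{tid}.zip not found in the killchain detects folder")
    return findings

if __name__ == "__main__":
    for line in triage(KSWS_LOG, KEA_LOG, ["0349c190-4ac3-4da4-9b64-07835298660f.zip"], SRV_LOG):
        print(line)
```

On a real host, feed the script the text of the exported trace files and the output of the dir command shown above in place of the constructed samples.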
19. Hi Kaspersky Community, I’m new to Kaspersky Internet Security and want to set up Safe Browsing to protect my online activity (~5-10 websites daily). I’m struggling with the setup.

Setup: Kaspersky Internet Security 21.3, Windows 10, Chrome browser.

Steps Tried:
Enabled Safe Browsing in KIS settings; some websites are blocked unexpectedly.
Added a trusted site to exclusions; still getting “untrusted certificate” errors.
Ran a quick scan; no threats found.

Questions:
What’s the best way to configure Safe Browsing for secure internet use?
How do I fix “untrusted certificate” errors for specific websites?
Any tips for optimizing Safe Browsing on Chrome?

Thanks for your guidance!
20. While removing Kaspersky Security for Windows Server Console, the removal log may contain the message:

Error 1336. There was an error creating a temporary file that is needed to complete this installation. Folder: C:\Program Files (x86)\Common Files\Kaspersky Lab\Kaspersky Security for Windows Server\. System error code: 5

If you launch the removal process via appwiz.cpl, a popup will be displayed stating: “There was an error creating a temporary file that is needed to completed this installation”

This may happen because KES is installed on the system. So far the workaround is the following: disable Self-Defense in KES and perform the removal once more.
21. An RDP connection invoked via the KSC console uses the hostname to connect to a host: mstsc.exe is invoked with the /v hostname parameter. To make it use the IP address instead, edit the command line used to invoke mstsc.exe:

1. Open Custom tools → Configure custom tools.
2. Select Remote Desktop and click Modify.
3. Edit the Command line text box; it should contain <host_ip> instead of <A>: /v:<host_ip>:<P> /f
4. Clear the "Create tunnel for TCP port specified below" checkbox.

Administration Console will now launch mstsc.exe with the IP address as its argument.
22. This article describes what is considered a Full Scan, which affects the KSC status "Virus Scan has not been performed for a long time".

Scan task area settings

There are two ways to set the areas of a Scan task so that it counts as a Full Scan. Tasks started with any other settings (including Quick Scan and Critical Areas Scan with default settings) are not considered a Full Scan.

Primary:
Kernel Memory
Running processes and Startup Objects
Disk boot sectors
Local disk (logical disk where the OS is installed)

Alternative:
Kernel Memory
Running processes and Startup Objects
Disk boot sectors
%systemroot%\
%systemroot%\System\
%systemroot%\System32\
%systemroot%\System32\drivers\
%systemroot%\SysWOW64\
%systemroot%\SysWOW64\drivers\

The path is case-sensitive in order to support upcoming Windows features. Selecting "including subfolders" is not obligatory.

Successful execution of a background scan clears the managed host's "not scanned for a long time" status in the KSC console.
23. Problem

Some devices do not have keyboards but are still detected by BadUSB Attack Prevention.

Step-by-step guide

To allow them to work properly, use the BadUSB on-screen keyboard; using other on-screen keyboards or physical ones is not recommended. To open the BadUSB on-screen keyboard, click the highlighted text (example for Russian localization). Note that the "Prohibit use of On-Screen Keyboard for authorization of USB devices" option should be turned off.
24. A security administrator can create KSWS Application Control rules based on a Digital Certificate. What does the product actually check, and how is that related to the file itself?

First, the product checks whether the file matches the certificate. Second, it checks whether the certificate is valid. If either verification fails, launch of the file is denied, and vice versa.

If a signed file whose execution was allowed by certificate has been modified, will execution of the file still be allowed?

Altering a file signed by the certificate means the signature no longer confirms the integrity of that file. As a result, the "Allowing" rule is no longer applied to the file.

How does control of revoked certificates operate, if such control exists?

Certificate revocation in the operating system is implemented through OS updates. Once a certificate is revoked, it can no longer pass validation checks, so execution of the file is blocked.

When both the certificate subject and its thumbprint verifications are selected, the product checks that the file is signed by an exact "version" of the certificate. In other words, it is not enough to make a self-signed certificate with the Subject field equal to "Redmond, Microsoft": such a certificate does not match the real thumbprint of Microsoft's certificate.
25. This instruction is relevant only for troubleshooting incorrect loading or rendering of a web page. To troubleshoot KES network traffic related issues, a traffic dump is required: it is easier to analyze and does not require installing third-party software.

If reproducing the issue requires the web browser to open web pages (such as Web Control not working as expected, a web page not loading, and so on), the tests should be performed in Incognito mode (also known as private browsing). Starting the browser from a terminal makes the launch key visible in traces and makes diagnostics easier.

Chrome browser: Ctrl+Shift+N, or start the browser from a terminal: & "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -incognito
Firefox browser: Ctrl+Shift+P, or start the browser from a terminal: & "C:\Program Files\Mozilla Firefox\firefox.exe" -private-window
Microsoft Edge: Ctrl+Shift+P
Opera browser: Ctrl+Shift+N

KES11/12 Instructions

1. Disable KES11/12 Self-Defense.
2. Navigate to the following registry key:
x86: HKLM\SOFTWARE\KasperskyLab\protected\KES<Build version>\environment\
x64: HKLM\SOFTWARE\Wow6432Node\KasperskyLab\protected\KES<Build version>\environment\
3. Create a string (REG_SZ) value named DumpNetworkTraffic: DumpNetworkTraffic = (REG_SZ)"1"
4. Restart the product or reboot the host.
5. Traffic dump files will be saved to %ProgramData%\Kaspersky Lab\KES<Build version>\Data\traffic
6. Once the issue is reproduced, compress the whole traffic directory.
7. Do not forget to disable traffic dump collection: delete the DumpNetworkTraffic value, then restart the product or reboot the host.