Search the Community

@SARDI02 Please disable all update sources and then enable one by one ?

@SARDI02 Please select another update source ? Kaspersky update servers → https://support.kaspersky.com/common/start/6105

tnx. i will do it tonight. what about update problem, that started few days ago? i would like to be certain that it is up to date since it takes few hours i am on: win 10 Pro Kaspersy Standard, app ver. 21.21.7.384(a) Databases release date: 8.8.25. 12:08

@SARDI02 Welcome. General recommendations for solving database update issues in Kaspersky applications Please run a full scan ?

hI, Kaspresky Standard, i noticed last few days problem with update. when i start it manually it says: "Update databases. Last update: not run" through Home screen: it starts and after it finishes "we recommend that you update databases and application modules." in reports it says that it has finished!? Kaspersy is green but with 1 warning "Databases are out of date" Windows security says the same. before few minutes i opened an email thorough outlook and word attach. kaspersky 15 sec later found trojan (kasp. couldn't delete it. i did it manualy) should i be worried and what to do about update? Thanks in advance.

Wenn ihr das machen wollt, ladet das Programm bei Kaspersky https://www.kaspersky.de/downloads#update-product Die Lizenz wird beim "drüberinstallieren" übernommen. Bei MyKaspersky (Lizenz im Programm) bekommt ihr, Stand jetzt, noch die ältere Version. (Die sich früher oder später aber auch aktualisieren sollte)

Patch "A" voor Kaspersky MR22 (21.22.7.466) wordt momenteel uitgerold, de update wordt uitgevoerd nadat de computer opnieuw is opgestart.

This is the result of an incorrect antivirus update. Try simply rebooting your computer (not turning it off/on). If this does not help, you will need to remove version 21.20 using kavremover utility. P.S. There is a Russian thread on the forum 🙂

Здравствуйте! Приобрели для компании лицензии на Kaspersky Endpoint Security для бизнеса, в парке имеются машины для управления тех процессом они никогда не подключены к интернету. После установки на них антивируса в поле активировать по коду активации оно не активно. Как нам активировать антивирус? Тук же вопрос для обновления баз антивируса без интернета в утилите Kaspersky Update Utility 4 для Windows нет нашей версии Касперского 12.10.0.466, какую версию баз выбирать для скачивания и обновления? прошу помочь с решением данных проблем.

Hello. Please post in the forum language. Update directly through the web console in the plugin area and not through mmc. In this image, where the note is, it should probably say Update Plug-in.

TLDR: Kaspersky is blocking chromium developed app to access internet, didn't find any place to remove this blockage. Hi. I'm developer and i've working with Playwright. For those who don't know, Playwright uses headless browsers for automation testing in the front-end, it opens a pure chromium, a pure webkit and a firefox browser to run the tests. After a whole day using the Playwright, the next day stated my headaches, i've been receiving errors like: net::ERR_CONNECTION_RESET And others, tryied a lot of things, also figure out that visual studio was unable to access the internet with the same error ERR_CONNECTION_RESET... Also, Discord didn't update anymore and get stuck in the update screen. I have disabled all single button the kaspersky software have, that makes sense about firewall, also the windows firewall and still getting the same error. Runned a lot of commands on windows 11 terminal, like: Netsh winsock reset Netsh int ip reset ipconfig /renew ipconfig /flushdns And nothing... Today, on the second day, i realize that only chromium based apps are blocked, then i close the kaspersky app and all came back to life. Vscode is updating, discord app opens and Playwrite opens the chromium testing without errors. So, where is the config to remove chromium based apps on this network blocking?

Hi @Sonar, ich hätte (wie Du) hier nachgefragt, aber gleichzeitig ein Ticket beim Support erstellt. Kaspersky läuft nicht so, wie es soll. Wir im Forum dürfen keine Logs anfordern, der Support darf und kann damit ein Problem recht sicher einkreisen. Wie Du sicher bemerkt hast, sind die Mac-User hier recht dünn gesäät, auch ich verwende kein Apple. Ich konnte aber @Flood and Flood's wife als Unterstützung gewinnen, vielleicht kommen wir gemeinsam einer Lösung näher (oder der Support ist schneller). Zunächst muss man anmerken, dass die Installation auf macOS etwas schwieriger ist als auf Windows. Wenn Du während der Installation nicht die angeforderten Rechte einräumst, kann es später Probleme geben. Auch die Liste der Inkompatiblen Programme sieht natürlich etwas anders als unter Windows aus. Hier kannst Du prüfen, ob eines Deiner installierten Programme aufgeführt ist: Liste der inkompatiblen Anwendungen. Dann wäre es hilfreich, noch ein paar Fragen zu beantworten: wird Safari schon seit der Installation blockiert oder hat es früher funktioniert (evtl. bis zu einem Update) wird in den Berichten etwas angezeigt? Das Blockieren eines Programms (hier Safari) sollte darin vermerkt sein.

В KRD 2024 можно доставить недостающие пакеты. 1) Поищите в интернете инструкцию как настроить PPPoE на Debian (на нём основан KRD) 2) Включите persistent раздел https://support.kaspersky.com/help/krd/2024/ru-ru/292858.htm 3) Установите недостающие пакеты (на любом компьютере где в KRD работает сеть). Команды "apt update", "apt install <имя пакета>". Они сохранятся на persistent разделе и будет доступны при перезапуске KRD. 4) Настройте сетевое подключение на проблемном компьютере Если будет успешно - напишите список требуемых пакетов. Мы их добавим в следующей версии KRD по умолчанию.

Thanks for all the replies. When a newer version comes out, will it auto update or will I have to check manually ?

Collect script output is a must for most KATA-related issues and questions. Which information? Which file? How to find/interpret? Example КАТА version and role: CN/PCN/SCN/Sensor /config/apt-va File contains the version and role in human-readable form. Also, you can see if the node was upgraded from previous KATA versions in 'migrate' line Primary CN [product] name=kata-cn title=Kaspersky Anti Targeted Attack Platform version=3.5.0-1269 release=release master = yes sensor = yes timestamp = 1568700994 migrate = cn_role = pcn Standalone CN [product] name=kata-cn title=Kaspersky Anti Targeted Attack Platform version=3.6.1-713 release=release master = yes sensor = yes timestamp =1572445307.01 migrate = cn_role = cn Sensor node [product] name=kata-cn title=Kaspersky Anti Targeted Attack Platform version=3.6.1-713 release=release master = no sensor = yes timestamp =1583845362.98 migrate = cn_role = Virtual or hardware? /environment/dmesg.txt OR /var/log/messages OR /var/log/boot.log Search for "DMI" entries in the file. Physical server [ 0.000000] DMI: HPE ProLiant DL560 Gen10/ProLiant DL560 Gen10, BIOS U34 06/20/2018 Virtual server [ 0.000000] DMI: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 CPU /environment/cpuinfo.txt Scroll to the bottom of the file. Each "processor" listed is not a physical core, but virtual "thread", so, i.e. 8-physical core CPU with hyper-threading will have 16 CPUs in the file. Keep in mind that CPUs are counted from 0, so for 16-thread CPU last entry will have number 15. processor : 15 vendor_id : GenuineIntel cpu family : 6 model : 79 model name : Intel(R) Xeon(R) Platinum 8158 CPU @ 3.00GHz stepping : 0 microcode : 0x2000050 cpu MHz : 2992.968 cache size : 25344 KB physical id : 0 siblings : 16 core id : 15 cpu cores : 16 apicid : 15 initial apicid : 15 fpu : yes fpu_exception : yes cpuid level : 13 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ibrs ibpb stibp fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm rdseed adx smap xsaveopt arat spec_ctrl intel_stibp arch_capabilities bogomips : 5985.93 clflush size : 64 cache_alignment : 64 address sizes : 43 bits physical, 48 bits virtual power management: RAM /environment/memory.txt File shows free command output. Values are in megabytes, pay attention to 'total' and 'available' columns. NB! Ignore 'free' column: despite of it's name, it doesn't actually show free RAM, 'available' column does it. total used free shared buff/cache available Mem: 197308 63869 3634 6738 129804 125558 Swap: 0 0 0 HDD /environment/hdd.txt Pay attention to partitions /dev/sda* and /dev/sdb*. If /dev/sdb* partition is present, you are dealing with two-disk installation, otherwise, it's one-disk installation. NB! Always check HDD partitions size and available free space! KATA needs a LOT of disk space to work correctly. Most important partitions are: /dev/sda4 1.2T 894G 224G 80% /data ← Used for processing queues and quarantine, main partition for KATA /dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage ← Used for EDR data: (telemetry from Endpoint Sensors) Filesystem Size Used Avail Use% Mounted on /dev/sda3 367G 14G 335G 4% / devtmpfs 126G 0 126G 0% /dev tmpfs 126G 252K 126G 1% /dev/shm tmpfs 126G 4.1G 122G 4% /run tmpfs 126G 0 126G 0% /sys/fs/cgroup /dev/sda2 232M 32M 189M 15% /boot /dev/sda1 237M 5.5M 232M 3% /boot/efi /dev/sda4 1.5T 435G 955G 32% /data /dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage tmpfs 26G 0 26G 0% /run/user/998 tmpfs 26G 0 26G 0% /run/user/1002 tmpfs 26G 0 26G 0% /run/user/1001 DNS name /environment/hostname.txt File contains exactly the hostname of the machine. kata-cn IP address /environment/ipa.txt /environment/ifconfig.txt Both files contain info about network interfaces and assigned IP addresses. ifconfig command is considered obsolete by community, but it can be useful: it helps to recognize SPAN interfaces. SPAN interfaces usually don't have IP address assigned, but have a lot of traffic. Also, SPAN interfaces always are in promiscuous mode: <UP,BROADCAST,RUNNING,PROMISC,MULTICAST> ipa.txt 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:50:56:9f:0e:77 brd ff:ff:ff:ff:ff:ff inet 10.200.178.85/23 brd 10.200.179.255 scope global ens192 valid_lft forever preferred_lft forever inet6 fe80::250:56ff:fe9f:e77/64 scope link valid_lft forever preferred_lft forever 3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:50:56:9f:db:4d brd ff:ff:ff:ff:ff:ff inet6 fe80::250:56ff:fe9f:db4d/64 scope link valid_lft forever preferred_lft forever ifconfig.txt ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.200.178.85 netmask 255.255.254.0 broadcast 10.200.179.255 inet6 fe80::250:56ff:fe9f:e77 prefixlen 64 scopeid 0x20<link> ether 00:50:56:9f:0e:77 txqueuelen 1000 (Ethernet) RX packets 604911116 bytes 747444631331 (696.1 GiB) RX errors 0 dropped 26 overruns 0 frame 0 TX packets 368814032 bytes 353073760300 (328.8 GiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::250:56ff:fe9f:db4d prefixlen 64 scopeid 0x20<link> ether 00:50:56:9f:db:4d txqueuelen 1000 (Ethernet) RX packets 437 bytes 135823 (132.6 KiB) RX errors 0 dropped 1125 overruns 0 frame 0 TX packets 8 bytes 656 (656.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 19418334689 bytes 12053991732736 (10.9 TiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 19418334689 bytes 12053991732736 (10.9 TiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 SPAN interface eno2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet6 fe80::42f2:e9ff:fecc:4343 prefixlen 64 scopeid 0x20<link> ether 40:f2:e9:cc:43:43 txqueuelen 1000 (Ethernet) RX packets 122540697216 bytes 104768065608116 (95.2 TiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7 bytes 586 (586.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device memory 0xbd5a0000-bd5bffff Sandbox server information /config/apt-agents-id Bottom part of the file contains info about connected sandbox nodes: IP addresses, cert fingerprints and states: Sandbox may be connected, but disabled. [sandbox_node.sandbox1] host = 172.16.0.151 enable = yes fingerprint = C0:15:18:C8:11:46:11:BC:23:50:16:95:10:2D:FF:FA:4E:06:21:90:20:AA:CC:36:53:27:B8:BF:CF:5A:1A:9C Enabled integrations(SPAN, ICAP, etc) /config/preprocessor.conf Preprocessor is the component responsible for main KATA integrations: SPAN, SMTP, ICAP, POP3. You should look for corresponding section in preprocessor.conf: SPAN: [traffic] SMTP: [smtp_proxy] ICAP: [icap] POP3: [pop3] For each section, there's a line defining whether this integration is enabled: enable=yes/no Other integrations like KSMG/KLMS/API aren't easy to check by collect script output Only SPAN is enabled [app] use_syslog=no trace_level=ERR cache_socket=localhost:6379 collector_url=http://centralnode:8081/apt/collector license_remote=no #this section applicable for sections: pop3, smtp_proxy and for traffic section but only for smtp preprocessor [mail] extract_urls=yes #file extensions of attachments which format recognizer is not used for file_extensions=dll,exe,com,java,js,jse,wsf,wsh,vbs,vbe,msi,deb,rpm,apk,zip,7z,rar,iso,cab,jar,bz2,gz,tgz,ace,arj,dmg,xsr,rtf,pdf,msg,eml,vsd,vdx,xps,xsn,odt,ods,odp,sxw,doc,dot,docx,docb,dotx,docm,dotm,xls,xlt,xlm,xla,xll,xlw,xlsx,xltx,xlsm,xltm,xlam,xlsb,ppt,pot,pps,ppam,sldx,sldm,thmx,pptx,potx,pptm,potm,ppsx,ppsm,pub,html,htm,hta,swf,jpg,jpeg,gif,png,tiff,chm,mht,cpl,ocx,pif,scr,bat,cmd,ps1,lnk,reg,msu,msp,z [traffic] enable=yes network_interfaces=ens6f0,ens6f1,ens5f1,ens5f0,ens5f3,ens5f2,eno1,ens3f1,ens3f0 pcap_snaplen=1600 pcap_cores= pcap_filter= checksum_validation=no buffer_size_limit=4096 tcp_threads_number=16 enable_dns=yes enable_http=yes enable_ftp=yes enable_ssl=yes enable_smtp=yes ftp_data_expired_timeout_in_seconds=60 ftp_data_supposed_max_size_in_bytes=10485760 [ksn] enable=yes #possible values of type are KSN or KPSN type=KSN timeout=500 non_dl_formats=GeneralHtml,GeneralTxt,ExecutableJs,ImageGif,ImageJpeg,ImagePng,ArchiveCab ksn_adapter_interfaces= # Change cache entries only you know what are doing. # 0 - disables cache cache_entries=3600100 request_threads=4 [snmp] enable=yes master_agent_address=tcp:localhost:705 ping_interval_in_seconds=15 [icap] enable=no listen_interfaces=ens3f3:1344,ens3f2:1344,eno2:1344 allow204=yes max_connections=5000 respmod_url=av/respmod header_client_ip=X-Client-IP header_client_port=X-Client-Port extract_user=no header_username=X-Authenticated-User base64_decode_username=yes [filter] file_size_limit=100000000 dns_lookup_enable=yes dns_timeout=500 html_filter=/var/opt/kaspersky/apt/update/bases/htmlre.txt [snort] enable=yes alerts_socket=/var/log/kaspersky/snort/snort_alert [pop3] enable=no server= port= user= password= cipher_list=ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:!DSS:!KRB5:!PSK:!RC4:!SRP:!CAMELLIA:!IDEA:!SEED:!3DES:@STRENGTH:!kDH:!kECDH encrypted=yes check_interval_in_seconds=2 accept_any_certificates=no accept_untrusted_self_signed_certificate=yes process_msgs_per_session=3000 request_timeout_in_seconds=60 [smtp_proxy] enable=no max_threads=20 socket_in=inet:10025@127.0.0.1 #RFC 1123 suggests 10 min timeout_in_seconds=600 [stat_engine] enable=yes db=kafka:centralnode:9092?topic=network oltp_bulk_size=1000 subnets= taa_skip_header_proxy_auth=status-code: 407 oltp_raw_data_limit=0 [proxy] enable=no bypass_local_addresses=yes host= port= user= password= Connected Endpoint Sensors /config/aapt_info You can find the beginning of Endpoint Sensors list by searching for 'Agent Status'. To find the number of connected sensors, you need to calculate lines; but it's not easy to automate it as the lines don't have obvious unique grep-able attribute. However, using 'Microsoft Windows' will give you enough precision(it will give a few extra matches from last detections info). Sample entry for 1 agent ae5290b1-c490-404b-beec-ee553d5d64ee | DXB00079395.*.corp | 2019-09-24 08:41:51.579011 | 10.56.14.170 | 3.5.435.0 | 2019-09-23 03:21:26.883616 | 2019-09-24 03:15:28.642816 | t | Microsoft Windows 10 | | | 2346c7a2-a395-4dc4-bc5c-ea99fa488386 | 6 | 568b01b8-4497-decf-7f8c-671bbf8ad8cc KSN/KPSN connection /config/preprocessor.conf From collect script, you can only determine whether KATA is set up to receive verdicts from the cloud, and understand which sort of cloud it is - global KSN or private KPSN. Look for [ksn] section in preprocessor.conf, it's pretty self-explanatory. Keep in mind that you have a tool which allows you to check KSN availability https://forum.kaspersky.com/blogs/entry/86-how-to-check-ksn-availability-on-kata-cn-katakedre/ [ksn] enable=yes #possible values of type are KSN or KPSN type=KSN

Symptoms OS hang, sometimes with open file errors in journals Customer application degrades with errors "unable to open file", "too many open files" Hangs and third-party (compatibility) issues often require advanced data collection and are sophisticated to investigate. However, a quick check is possible: On a system where KESL has worked for some time (not immediately after reboot/restart), validate the output of the following command, ran as root, for numerous records of /usr/bin or /usr/sbin folders lsof | grep -E 'kesl.+DIR.+\/usr\/s?bin' Root Cause Under heavy load, KESL may display linear increase in file descriptors usage (sysctl - fs.file-nr) up to system-wide limit (sysctl - fs.file-max) and eventually degradation. Workaround Schedule restart of KESL service every week/day, depending on intensity of descriptors growth. NB: KESL restart will also reset progress of certain tasks like "malware scan" and "database update". Schedule KESL restart outside of tasks timeframes. Solution This issue was fixed in KESL 12.1.0.1274, so an update to that or newer version should fix it.

The KESMac 12 and the KESMac 11.3 patch C allows adding particular processes into the trusted section named Trusted Applications. The both filesystem and network activity of which can be ignored by the product increasing performance. Please, however, note that this could be potentially risky. https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/194142.htm Problem This article will describe a few ways to configure KES for Mac to exclude some of the software from the scope of the product. Solution Trusted applications In order to have an ability to exсlude an application from scanning with KES, a function of Trusted Applications available in Kaspersky Endpoint Security for Mac can be used: The Trusted applications section as seen in the policy creation wizard. Naturally, it can be configured later by modifying the policy. Update the plugin to at least version 11.3.0.33 to get the new functionality. In some specific cases it might be required to put several binaries to Trusted Applications simultaneously in order to take effect. So, a final solution might include several path-based exclusions accompanied by a few BundleID-based ones. Trusted Applications are only available for configuration via KSC policy; i.e. it is currently impossible to add application to exclusions having no KSC installed. Additionally, an appropriate application control plug-in for KESMac must be downloaded and installed on the KSC prior to using Trusted Application functionality. It can be found on the corresponding download page. Common exclusions for developers It's suggested excluding the following paths: "/Library/Developer/CommandLineTools" and "/Library/Toolchains" for the standard developers' utilities, as well as the "/Applications/Xcode.app/*" for the XCode. At the same time, in case you use alternative tools, contact Kaspersky Support to get the exact paths for further exclusions. Excluding TCP 443 from port monitoring Additionally, in case of HTTPS-connectivity issues, unchecking port 443 in Monitored ports may also help:

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Product: KSC 11 and more recent versions Consider the following problematic scenario: You use a caching proxy server to download updates for the KSC Server, for example, Squid. KSC is configured to download updates via https (default config). $up2date-1103-eka.log analysis KL uses the HTTP public key pinning mechanism to verify update server authenticity; a certificate used for authentication is self-signed by KL. A certificate revocation list is also implemented. More information about the certification revocation process is available here: https://learn.microsoft.com/en-us/archive/blogs/ieinternals/understanding-certificate-revocation-checks https://technet.microsoft.com/en-us/library/ee619754(WS.10).aspx A recent update of CRL was performed at the end of July 2023. CRL is available on this link: http://crl.kaspersky.com/cdp/KasperskyLabPublicServicesRootCertificationAuthority.crl Old CLR was valid till 23.7.2023 and is expired now. When KSC requests the CRL file, the proxy server sends back to KSC the cached version of it and the CRL verification fails. The details can be found in the $up2date-1103-eka.log to identify the issue precisely. 04:01:48.817 0x326c INF httpcli cert_revoke 0x70e2908 Got error: 0xa0010019 (http_client::eCrlHasExpired) 04:01:48.817 0x326c INF httpcli Req 0x70e2908 <- HttpsErrorOccurs: Revocation Error [0xa0010019 (http_client::eCrlHasExpired) 04:01:48.892 0x1d0c INF updater core: ========= Downloading primary index result TLS error ========= Troubleshooting steps To solve the problem, an administrator of the proxy server should turn off caching of the http://crl.kaspersky.com/cdp/KasperskyLabPublicServicesRootCertificationAuthority.crl file. It is recommended to turn off caching for all files downloaded from public update servers using this mask: *.kaspersky.com *.kaspersky-labs.com An alternative workaround: Set a server flag for KSC using the following commands: klscflag.exe -fset -pv klserver -s Updater -n DisableKLHttps -t d -v 1 Also, set a server flag for Update Agents (Distribution Points) that get updates from the Internet, if any: klscflag.exe -fset -pv klnagent -s Updater -n DisableKLHttps -t d -v 1 Explicitly set an update task to use HTTP sources for URLs, for example, http://p00.upd.kaspersky.com. The full list of HTTP-enabled sources can be found in the <insecure_sites_list> parameter at http://dnl-05.geo.kaspersky.com/updates/upd/updcfg2.xml

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Problem Description, Symptoms & Impact It is not possible to use a proxy server for KATA 5.0 and/or KATA 5.1 CN on TCP ports 8080, 8090 or 8091. If you will configure in KATA 5.0/5.1 proxy server connection settings using one of those ports, then such configuration will result in KATA update task failure and KSN connection errors right after those settings will be applied. This happens due to the fact, that KATA uses ports 8080, 8090 and 8091 for it's internal services and there are preconfigured default iptable rules that prevent incoming and outgoing connection on those ports for external hosts outside of the KATA cluster, which in turn results in connection errors if those ports are also used by the product for outgoing connections to a proxy server. Diagnostics It can be easily confirmed if a KATA server will be facing those updater and KSN issues, by either checking the current proxy server configuration in the product's web interface: if either of the listed ports 8080, 8090 or 8091 is used, then the KATA server is probably facing the issue. Or alternatively you can run the iptables -nvL DOCKER-USER command and check if the number of the rejected packages in the corresponding rules for ports 8080, 8090 and 8091 steadily increases upon running update task in KATA: Workaround & Solution To avoid this issue use one of the following 2 options: Do not use proxy server for KATA connections, configure direct internet connection for KATA CN nodes. Use a proxy server on a different port, for example port 3128 is quite standard option in such cases.

Description VMWare guest using Kaspersky products hanging or crashing due to driver conflicts between drivers used by VMWare NSX (vnetWFP.sys, previously vnetflt.sys) and Network Threat Protection component. This problem is known to happen with following versions of KES and VMware Tools: KES 11.6 with VMWare Tools 10.0.9 KES 11.6 and 11.7 with VMWare Tools 11.3.5 KES 12 with VMWare Tools 10.1.7 Troubleshooting steps Update VMWare Tools Sometimes there may be a bug in the driver built into VMWare Tools, and ESXi updates its images only through manually installed patches, and it compares installed version only to the version in it's storage, so even if ESXi says that the VM has current version of VMWare Tools, it may actually be outdated. Because of that, a new VM may run with outdated drivers. ESXi and VMWare Tools compatibility matrix: https://interopmatrix.vmware.com/Interoperability?col=1,&row=39,&isHidePatch=true&isHideGenSupported=false&isHideTechSupported=false&isHideCompatible=false&isHideNTCompatible=false&isHideIncompatible=false&isHideNotSupported=true&isCollection=false Latest supported VMWare Tools version for ESXi 6.5 and 6.7: https://packages.vmware.com/tools/releases/12.1.5/windows/ VMWare Tools for ESXi 7.0 and newer: https://packages.vmware.com/tools/releases/latest/windows/ If that did not help, uninstall NSX Network Introspection drivers of VMWare Tools: https://kb.vmware.com/s/article/2149764 This is the driver that is causing the conflict on VMWare's side, therefore removing it will resolve the conflict and should resolve the issue. Next solution is temporary and should not be used in production for extended periods of time. Disable Network Threat Protection in KES settings or in the policy, if it's controlled by KSC. Network Threat Protection is using klwfp.sys driver, and that driver is causing the conflict with vnetWFP.sys. With that component turned off, the driver loads on startup, but doesn't do anything, avoiding conflict with vnetWFP in most cases. Open KES Window -> Settings -> Network Threat Protection -> switch Network Threat Protection off Open KES policy properties -> Essential Threat Protection -> Network Threat Protection -> Uncheck Network Threat Protection checkbox If nothing helps, submit the case to the Kaspersky support with traces, GSI report including Windows event logs and a full memory dump. Related Information How to collect KES traces: https://support.kaspersky.com/kes11/diagnostics/14364 How to collect a full memory dump: https://support.kaspersky.com/common/diagnostics/10659 Link to GSI: https://media.kaspersky.com/utilities/ConsumerUtilities/GSI-6.2.2.43.exe

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Product: KSC 11+ Applies also to the update utility version 4.1 and more recent. Consider the following problematic scenarios: You have installed KSWS on the KSC server and enabled Traffic Security component and Traffic Security uses MITM mechanism to analyze traffic. You use a 3rd party software or hardware appliance for traffic filtering and this appliance disrupts connections to HTTPS-enabled public update servers. It can be a hardware appliance like BlueCoat or F5, FortiGate SSL Deep Inspection, or a software proxy like Squid that uses ICAP to redirect traffic to another security application for scanning. KL uses HTTP public key pinning mechanism to verify update server authenticity; certificate used for authentication is self-signed by KL. Using any MITM-based solutions for SSL traffic inspection will lead to failures in establishing connection between KSC and a HTTPS-enabled KL update source. It happens because any MITM traffic inspection will forward a wrong certificate to KSC after inspection and KSC11 will break the connection. The following string can be found in up2date trace: self signed certificate in certificate chain The following trace files are required for accurate diagnostic: $up2date-1103.*, $up2date-1103-eka.* Please bear in mind that Kaspersky Support needs KSC traces mentioned above to be collected BEFORE you apply any of the workarounds listed in this post. Troubleshooting steps If you have KSWS blocking traffic, add Up2Date.exe process or the update source certificate to trusted in Traffic Security settings. If you use a 3rd party appliance to filter traffic, you can explicitly allow traffic signed by KL certificate. Otherwise you can use HTTP to download updates. There are two ways to make KSC use HTTP: Set a server flag on KSC using following commands: klscflag.exe -fset -pv klserver -s Updater -n DisableKLHttps -t d -v 1 and on Update Agents (Distribution Points) getting updates from the internet, if any: klscflag.exe -fset -pv klnagent -s Updater -n DisableKLHttps -t d -v 1 Explicitly set update task to use HTTP sources URLs, for example http://p00.upd.kaspersky.com. Full list of HTTP-enable sources can be found in <insecure_sites_list> parameter in http://dnl-05.geo.kaspersky.com/updates/upd/updcfg2.xml Download updates using update utility 4.0. More recent version of update utility uses https.

Description and cautions The article shares working example of using KSC API calls for one of the available scenarios - retrieving events, HW and/or SW inventory data. For the Windows version of cURL, you need to specify that the arguments need to be escaped with "\", otherwise there will be an error. For example: 'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"' Details Prerequisites internal user: api-user Examples: KSC address - 127.0.0.1 (the address can also be external) API Port - 13299 (default) User: api-user (intrental KSC user), base64: YXBpLXVzZXI= Password: password, base64: cGFzc3dvcmQ= Credentials: User Password api-user password Base64: YXBpLXVzZXI= cGFzc3dvcmQ= Authentication, type: Authenticated session, other types: KSC Open API description All requests are in cUrl format, as an alternative it is also possible to use Python library (KlAkOAPI Python package) Login Start connection to KSC (Session::StartSession ) Session::StartSession curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \ --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"' Username and password should be encoded to base64 format as part of a secure HTTPS session. For example, https://www.base64encode.org/ can be used for encoding. Response { "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" } Use below token in request header Find Host Find host by filter string (HostGroup::FindHosts) Filter string contains a condition over host attributes, see also Search filter syntax. We use "KLHST_WKS_DN" - Host display name HostGroup::FindHosts curl --location --request POST "https://127.0.0.1:13299/api/v1.0/HostGroup.FindHosts" --header "X-KSC-Session: nqepy9ZpZZ/2tiWXhil5cBg==" --header "Content-Type: application/json" --data-raw "{ \"vecFieldsToReturn\":[\"KLHST_WKS_HOSTNAME\",\"KLHST_WKS_DN\",\"KLHST_WKS_IP_LONG\",\"KLHST_WKS_PRODUCT_TAG_NAME\",\"KLHST_WKS_RTP_AV_VERSION\",\"KLHST_WKS_NAG_VERSION\",\"KLHST_WKS_LAST_UPDATE\",\"KLHST_WKS_LAST_UPDATE\",\"KLHST_WKS_VIRUS_COUNT\"], \"lMaxLifeTime\":1200, \"wstrFilter\":\"(KLHST_WKS_DN=\\"WIN10-OPTIMUM-1\\")\" #"KLHST_WKS_DN" - Host display name }" Response ID Response {"strAccessor":"ppYeO5rmkvKcMUm8vQzOK2","PxgRetVal":1} Copy Accessor for next request (ChunkAccessor::GetItemsChunk ) ChunkAccessor::GetItemsChunk curl -L -X POST "https://127.0.0.1:13299/api/v1.0/ChunkAccessor.GetItemsChunk" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"strAccessor\":\"fb07haDqXIKZbQzyDsMwx1\", \"nStart\": 0, \"nCount\": 100 }" Response info about host: Response {"pChunk":{"KLCSP_ITERATOR_ARRAY":[{"type":"params","value":{"KLHST_WKS_DN":"WIN10-OPTIMUM-1","KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","KLHST_WKS_IP_LONG":{"type":"long","value":172250504},"KLHST_WKS_LAST_UPDATE":{"type":"datetime","value":"2022-02-17T13:00:01Z"},"KLHST_WKS_NAG_VERSION":"13.2.0.1511","KLHST_WKS_RTP_AV_VERSION":"11.7.0.669","KLHST_WKS_VIRUS_COUNT":{"type":"long","value":9}}}]},"PxgRetVal":1} Copy value "KLHST_WKS_HOSTNAME" for user in the next request Hardware Inventory SrvView Find srvview data by filter string (SrvView::ResetIterator) "wstrViewName" - see List of supported srvviews. "vecFieldsToReturn" - see https://support.kaspersky.com/help/KSC/13.1/KSCAPI/a00307.html "wstrFilter":"(KLHST_WKS_HOSTNAME=\"c0816918-fbc5-4fbc-8fed-6f245756120e\")" SrvView::ResetIterator curl -L -X POST "https://127.0.0.1:13299/api/v1.0/SrvView.ResetIterator" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"wstrViewName\":\"HWInvPCSrvViewName\", \"vecFieldsToReturn\":[\"KLHST_WKS_HOSTNAME\",\"dev_id\",\"RamType\",\"dev_type\"], \"vecFieldsToOrder\":[{\"type\":\"params\",\"value\":{\"Name\":\"dev_id\",\"Asc\":\"true\"}}], \"lifetimeSec\":100, \"pParams\":{\"TOP_N\":\"yes\",\"USE_DISTINCT\":\"true\"}, \"wstrFilter\":\"(KLHST_WKS_HOSTNAME=\\"c0816918-fbc5-4fbc-8fed-6f245756120e\\")\" # KLHST_WKS_HOSTNAME from the previous request }" Response ID Response {"wstrIteratorId":"466579A79FA755D69B94EC60A5B04744"} GetRecordRange from Response data (SrvView.GetRecordRange ) SrvView.GetRecordRange curl -L -X POST "https://127.0.0.1:13299/api/v1.0/SrvView.GetRecordRange" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"wstrIteratorId\":\"50054D2A2D7A93DCEBFA3BE6F7E21D5E\", \"nStart\": 0, \"nEnd\": 100 }" Response info about hardware with specific filter: Response {"pRecords":{"KLCSP_ITERATOR_ARRAY":[{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"ABE3CC21B521C704DA4FC63BD5698F71","dev_type":1}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\1&1F0C3C2F&0&UID256","dev_type":7}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\4&31BE19FA&0&UID0","dev_type":7}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E05564F28A7EBE312D1326FD0D1A8479","dev_type":1}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E69E8830E7D33F96BF1E21996A7D73CA","dev_type":0}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&18D45AA6&0&78","dev_type":4}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_8086&DEV_10D3&SUBSYS_07D015AD&REV_00\\005056FFFF87CC6600","dev_type":6}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"Physical Memory 0","dev_type":2}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\\5&A629540&0&000000","dev_type":8}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\\5&1982005&0&000000","dev_type":3}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0002","dev_type":4}}]}} Software Inventory Acquire software applications which are installed on specified host. (InventoryApi::GetHostInvProducts) "szwHostId" - WKS_HOSTNAME form previosly request InventoryApi::GetHostInvProducts curl -L -X POST "https://127.0.0.1:13299/api/v1.0/InventoryApi.GetHostInvProducts" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"szwHostId\":\"c0816918-fbc5-4fbc-8fed-6f245756120e\", # KLHST_WKS_HOSTNAME from previuosly reqest \"pParams\":{\"KLEVP_EA_PARAM_1\":\"\"} }" Response info about software: Response {"PxgRetVal":{"GNRL_EA_PARAM_1":[{"type":"params","value":{"ARPRegKey":"{F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","CleanerProductName":"","Comments":"","DisplayName":"Kaspersky Endpoint Security for Windows","DisplayVersion":"11.7.0.669","HelpLink":"https://click.kaspersky.com/?hl=en&link=support&pid=kes&version=21.4.20.669","HelpTelephone":"","InstallDate":"20211002","InstallDir":"C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\\","InstanceID":{"type":"binary","value":"AA=="},"LangId":1033,"PackageCode":"","ProductID":"4E8A2680B3C78565814848DB5ED35C83","Publisher":"AO Kaspersky Lab","QuietUninstallString":"msiexec.exe /X {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16} /quiet /norestart","UninstallString":"msiexec.exe /x {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","VapmBuild":{"type":"long","value":0},"bIsMsi":true}},{"type":"params","value":{"ARPRegKey":"{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}","CleanerProductName":"","Comments":"","DisplayName":"Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.20.27508","DisplayVersion":"14.20.27508.1","HelpLink":"","HelpTelephone":"","InstallDate":"20210512","InstallDir":"","InstanceID":{"type":"binary","value":"AA=="},"LangId":0,"PackageCode":"","ProductID":"2E30B54FFAFE11F6DEDB0A31EA8CD6D1","Publisher":"Microsoft Corporation","QuietUninstallString":"\"C:\\ProgramData\\Package Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall /quiet","UninstallString":"\"C:\\ProgramData\\Package Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall","VapmBuild":{"type":"long","value":0},"bIsMsi":false}}, ....... Tasks Operations #strTask - open task in nmc-web-console - 1326 (for example: https://localhost:8080/#/management/tasks/148) Get Task Acquire attributes of specified task. (Tasks::GetTask) Response Response {"PxgRetVal":{"DisplayName":"KEA - Isolation ON","PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-10T13:57:34Z"},"TASKID_PRODUCT_NAME":"1093","TASKID_VERSION":"1.0.0.0","TASK_NAME":"Remote Installation","TASK_UNIQUE_ID":"1326"}} Run task Run remote installation task. Start specified task. Tasks::RunTask curl -L -X POST "https://127.0.0.1:13299/api/v1.0/Tasks.RunTask" -H "X-KSC-Session: nGPT3zYhYOveOJ9qnbRAjpQ==" -H "Content-Type: application/json" --data-raw "{ \"strTask\":\"1326\" # From NWC-web-cosnole ksc }" Update Task Get Data Task Acquire task settings. Tasks::GetTaskData GetData Task curl -L -X POST "https://localhost:13299/api/v1.0/Tasks.RunTask" -H "X-KSC-Session: nGPT3zYhYOveOJ9qnbRAjpQ==" -H "Content-Type: application/json" --data-raw "{ \"strTask\":\"1326\" }" Response all parameters and some of them we must use in next request. Modify task settings. Tasks::UpdateTask Update Task POST /api/v1.0/Tasks.UpdateTask HTTP/1.1 Host: localhost:13299 X-KSC-Session: n8quj71CtoWbYijcBHY6FvA== Content-Type: application/json Content-Length: 3477 { "strTask":"1338", "pData":{ "TASKID_COMPONENT_NAME":"87", "TASKID_PRODUCT_NAME":"1093", "TASKID_VERSION":"1.0.0.0", "TASK_NAME":"Remote Installation", "TASKSCH_TYPE":0, "TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"KLNAG_TASK_REMOTE_INSTALL_ACCOUNT":"","KLNAG_TASK_REMOTE_INSTALL_ACCOUNT_PSWD":{"type":"binary","value":""},"KLSRV_COUPLED_NAGT_TSID":"9066e3c9-c709-434f-9196-88dcf4c70c23","KLTSK_RI_CHECK_OS":true,"KLTSK_RI_GROUP_TO_MOVE_HOST":-1,"KLTSK_RI_MAX_DOWNLOADS":5,"KLTSK_RI_MGD_BY_OTHER_SERVER":0,"KLTSK_RI_PACKAGES_GUIDS":["e71217d1-4a96-462c-a56a-6112bdc5369b:65"],"KLTSK_RI_PACKAGES_IDS":[65],"KLTSK_RI_ROOT":{"type":"binary","value":""},"KLTSK_RI_SKIP_PRESENT_PRODS":true,"KLTSK_RI_TMP_FOLDER":"","KLTSK_RI_USE_NAGENT":true,"KLTSK_RI_USE_SHARE":true,"KLTSK_RI_USE_SHARE_SRV":true,"KLTSK_RI_USE_SHARE_UA":false,"MaxTryCount":3,"UseGPO":false,"klprts-TaskAccountUser":"","klprts-TaskAccounts":[],"klprts-TaskMaxRunningTime":7200000,"klprts-TaskStorageId":"dd64d20d-c529-4d47-a854-38c1c2c77a77"}}, "PRTS_TASK_GROUPID":-1, ".HstQueryId":0, "TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"KEA - Isolation ON for specific host","HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}],"KLEVP_NOTIFICATION_DESCR_ID":"9b84b28a-e47b-4120-8147-bb67fef681ea","KLPRSS_EVPNotifications":{"type":"params","value":{"ERR":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"INF":[{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":2}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLEVP_GroupTaskSyncState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":4}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":1}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"WRN":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}]}},"KLSRV_PRTS_TASK_ENABLED_FLAG":true,"KLTSK_ALLOW_AUTO_RANDOMIZATION":true,"PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-15T11:40:43Z"},"PRTS_TASK_GROUPID":-1,"PRTS_TASK_TARGET_COMPUTERS_TYPE":0,"klprts-DontApplyToSlaveServers":true,"klprts-TaskMaxRunningTime":7200000,"klprts-TaskScheduleSubtype":256,"klprts-TaskScheduleSubtypeEx":0}} } } Change values for HostList and enter specific host. For example: "HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}] { "strTask":"1338", "pData":{ "TASKID_COMPONENT_NAME":"87", "TASKID_PRODUCT_NAME":"1093", "TASKID_VERSION":"1.0.0.0", "TASK_NAME":"Remote Installation", "TASKSCH_TYPE":0, "TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"KLNAG_TASK_REMOTE_INSTALL_ACCOUNT":"","KLNAG_TASK_REMOTE_INSTALL_ACCOUNT_PSWD":{"type":"binary","value":""},"KLSRV_COUPLED_NAGT_TSID":"9066e3c9-c709-434f-9196-88dcf4c70c23","KLTSK_RI_CHECK_OS":true,"KLTSK_RI_GROUP_TO_MOVE_HOST":-1,"KLTSK_RI_MAX_DOWNLOADS":5,"KLTSK_RI_MGD_BY_OTHER_SERVER":0,"KLTSK_RI_PACKAGES_GUIDS":["e71217d1-4a96-462c-a56a-6112bdc5369b:65"],"KLTSK_RI_PACKAGES_IDS":[65],"KLTSK_RI_ROOT":{"type":"binary","value":""},"KLTSK_RI_SKIP_PRESENT_PRODS":true,"KLTSK_RI_TMP_FOLDER":"","KLTSK_RI_USE_NAGENT":true,"KLTSK_RI_USE_SHARE":true,"KLTSK_RI_USE_SHARE_SRV":true,"KLTSK_RI_USE_SHARE_UA":false,"MaxTryCount":3,"UseGPO":false,"klprts-TaskAccountUser":"","klprts-TaskAccounts":[],"klprts-TaskMaxRunningTime":7200000,"klprts-TaskStorageId":"dd64d20d-c529-4d47-a854-38c1c2c77a77"}}, "PRTS_TASK_GROUPID":-1, ".HstQueryId":0, "TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"KEA - Isolation ON for specific host","HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}],"KLEVP_NOTIFICATION_DESCR_ID":"9b84b28a-e47b-4120-8147-bb67fef681ea","KLPRSS_EVPNotifications":{"type":"params","value":{"ERR":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"INF":[{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":2}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLEVP_GroupTaskSyncState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":4}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":1}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"WRN":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}]}},"KLSRV_PRTS_TASK_ENABLED_FLAG":true,"KLTSK_ALLOW_AUTO_RANDOMIZATION":true,"PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-15T11:40:43Z"},"PRTS_TASK_GROUPID":-1,"PRTS_TASK_TARGET_COMPUTERS_TYPE":0,"klprts-DontApplyToSlaveServers":true,"klprts-TaskMaxRunningTime":7200000,"klprts-TaskScheduleSubtype":256,"klprts-TaskScheduleSubtypeEx":0}} } } Run Task Host Events Create event processing iterator with filter (EventProcessingFactory::CreateEventProcessing2 ) pFilter (params) object containing values for attributes to filter events. Only events with matching attribute values will be returned. If empty all events will be returned. See List of event filter attributes for attribute names. "GNRL_EA_SEVERITY" paramInt Event severity. May have the following values: 0 - Constant to be used as invalid event severity value 1 - Severity "Information" 2 - Severity "Warning" 3 - Severity "Error" 4 - Severity "Critical" vecFieldsToReturn (array) array of attribute names to return. See List of event attributes for attribute names #host id - FindHost EventProcessingFactory::CreateEventProcessing2) POST /api/v1.0/EventProcessingFactory.CreateEventProcessing2 HTTP/1.1 Host: localhost:13299 X-KSC-Session: nvLZ4Hwi5VAL7XIiMwPaxPw== Content-Type: application/json Content-Length: 440 { "pFilter": { "KLEVP_EVENT_HOST":"a537ddc0-b84b-488a-993c-9f76e62036e9", #host id "GNRL_EA_SEVERITY":4 #Critical Event }, "vecFieldsToReturn": [ "GNRL_EA_SEVERITY", "event_db_id", "rise_time", "hostname", "event_type", "event_type_display_name", "GNRL_EA_DESCRIPTION", "group_id", "group_name" ], "vecFieldsToOrder": [], "lifetimeSec": 1000 } Response ID Response {"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF"} Get result from Response data ( ReportManager::GetStatisticsData) : EventProcessing::GetRecordRange curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' --header 'Content-Type: application/json' --data-raw '{ "strIteratorId":"A07B69A5347CF435DB66C0FA826371FF", "nStart": 0, "nEnd": 100 }' Response critical events: Response {"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY":[{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119829},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:10:44Z"}}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119818},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:05:34Z"}}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119807},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime",........ Close Session to KSC (Session::EndSession) : Session::EndSession curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' #PxgRetVal from Session.StartSession

Issue "Databases and modules update task" is configured for hosts with LENA 3.12 installed. Task is executed via KSC. Diagnostics "Activate KEA" task is configured for the hosts with LENA or has been configured and deleted in the past. An update is executed locally, using lenactl works. KLNagent successfully synchronizes with the server. Other installed applications (e.g. KESL) display no synchronization issues. Workaround To fix the issue: Remove the "Activate KEA" task or any other configured KEA tasks except for "Databases and modules update task" for hosts with LENA installed. If necessary, move hosts with LENA to a separate group or configure other desired KEA tasks using a selection for Windows hosts only. Ensure there are no tasks except for "Databases and modules update task" remaining for hosts with LENA installed in KSC. Option A. Reinstall LENA on hosts to get rid of cached activation tasks. Option B. Remove the problematic cached tasks locally: Stop LENA: # systemctl stop epagent Remove the cached tasks: # rm -rf /var/opt/kaspersky/epagent/tasks/* Start LENA # systemctl start epagent Force synchronization with the host, e.g. by calling klnagchk. # /opt/kaspersky/klnagent64/bin/klnagchk Ensure one task is recieved. # ll /var/opt/kaspersky/epagent/tasks/ Execute "Databases and modules update task" on KSC. Ensure it finishes successfully. Double check locally that the bases are updated. RCA LENA connector that receives the product tasks from KLNagent is only configured to accept valid tasks ant halt synchronization if an invalid task is received. Only "Databases and modules update task" is considered to be valid for certified LENA version. "Activate KEA" task is received or cached first. Connector halts synchronization once it is processed. An update task is never received by the product.

Configuring KEA update task is of crucial importance. Updated KATA telemetry filters, exclusions and performance optimizations are delivered via bases. However, KEA has no transparent means to check bases version locally. The solution to this demand is to check bases version locally via CLI. KEA for Windows bases date From Elevated Command Prompt, execute: type "C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Bases\Current\aptem.stt" The example output is as follows, ;202209190911 Format is ;YYYYMMDDHHMM KEA for Linux (LENA) bases date Fresh installation For a fresh LENA installation that has never been updated, the bases "aptem.stt" file might be missing. From root or using sudo: sudo cat /var/opt/kaspersky/epagent/update/bases/aptem.stt Output format is the same, ;YYYYMMDDHHMM. Using built-in tools, we can easily make it in a proper way: sudo cat /var/opt/kaspersky/epagent/update/bases/aptem.stt | sed -E 's/\;([0-9]{8})([0-9]{2})([0-9]{2})/\1 \2:\3/g' | xargs -0 date -d Bonus: LENA's Last update date Lena's Last update date is stored in epoch format in /opt/kaspersky/epagent/update/last_update. Using built-in tools, we can make it human-readable: sudo cat /var/opt/kaspersky/epagent/update/last_update | xargs -0 -I% date -d \@% It is also worth mentioning that "Last update date" is relevant but it is still entirely different value than bases date. In case the bases in repository are outdated, Last Update date may be 5 minutes ago, yet bases will remain old.

Problem KSC and KS4Android are implemented but KSC is offline and could not access Internet. KUU can be used for updating KS for Android and distribute the update databases. But after running KUU (Kaspersky Update Utility), you cannot find actual KES for Android versions. Solution AV bases for new KESM versions will appear in KUU UI after running KUU with empty application list. The KUU settings should look like the following (in order to update the list of supported applications, you need first to press 'Start' with a blank application list as follows):