
Antipova Anna
Posted
 
Problem

Images with KEA already installed may be distributed to multiple devices, or some hardware vendors (ACER) do not comply with standards and sell hardware with non-unique BIOS IDs, etc.

As a result, telemetry from different agents may end up merged into a single record.

Symptoms

  • Certain hostnames are present in KATA alerts, but a search returns 0 events. Moreover, such hostnames are not present in the agent list. If looked up by IP in the database/logs, the UUID is found to be non-unique or to belong to another host.
  • The same UUID is found in KEA logs from different machines.
  • There is UUID 03000200-0400-0500-0006-000700080009 in the logs.
  • There is UUID 6ab5b300-538d-1014-9fb5-b0684d007b53 in the logs.
  • There is UUID 0bea76da-28ca-4e13-9715-361a8bbf3bc8 in the logs.

Solution for KEA

Run the new script on the affected machine to reset the UUID.

Solution for KES with built-in Endpoint Agent

Download this script and unpack it. Check the KES version inside it and change it if needed. Turn off the KES self-defence feature and run the script. Then restart KES; the UUID should be changed (if restarting KES does not work, reboot the machine).
For 32-bit systems, use this 32-bit script.

Solution for KESL with built-in Endpoint Agent

uuidgen > /var/opt/kaspersky/epagent/install_id
uuidgen > /var/opt/kaspersky/kesl/common/pcid
systemctl restart kesl

Solution for LENA

Remove LENA from the host
rm /var/opt/kaspersky/kesl/common/install_id
Reinstall LENA
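
To find which hosts need one of the resets above, the Symptoms checks can be run over an exported agent inventory. The following is an added example, not part of the original post or any Kaspersky tooling; the CSV layout (hostname, ip, uuid) and the sample rows are constructed assumptions, and only the three listed UUIDs come from the post.

```python
import csv
import io
from collections import defaultdict

# UUIDs the post lists under Symptoms.
SYMPTOM_UUIDS = {
    "03000200-0400-0500-0006-000700080009",
    "6ab5b300-538d-1014-9fb5-b0684d007b53",
    "0bea76da-28ca-4e13-9715-361a8bbf3bc8",
}

# Constructed sample inventory (hypothetical export format: hostname,ip,uuid).
SAMPLE_INVENTORY = """hostname,ip,uuid
ws-001,10.0.0.11,5f0c2a4e-1b7d-4c55-9a3e-2f6d8b1c7e90
ws-002,10.0.0.12,03000200-0400-0500-0006-000700080009
ws-003,10.0.0.13,{5F0C2A4E-1B7D-4C55-9A3E-2F6D8B1C7E90}
ws-004,10.0.0.14,9d3b6f21-7a48-4e0c-b5d2-c1e4a7f80356
ws-004,10.0.0.14,9d3b6f21-7a48-4e0c-b5d2-c1e4a7f80356
"""


def normalize(uuid_text):
    """Strip braces/whitespace and lower-case so formatting does not hide a collision."""
    return uuid_text.strip().strip("{}").lower()


def audit(csv_text):
    """Return {uuid: {"hosts": [...], "reasons": [...]}} for every UUID that needs a reset."""
    hosts_by_uuid = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # A set per UUID: the same host reported twice is not a collision.
        hosts_by_uuid[normalize(row["uuid"])].add(row["hostname"].strip().lower())
    findings = {}
    for uuid, hosts in hosts_by_uuid.items():
        reasons = []
        if uuid in SYMPTOM_UUIDS:
            reasons.append("listed in the post's symptoms")
        if len(hosts) > 1:
            reasons.append("shared by %d hosts" % len(hosts))
        if reasons:
            findings[uuid] = {"hosts": sorted(hosts), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for uuid, info in sorted(audit(SAMPLE_INVENTORY).items()):
        print(uuid, ", ".join(info["hosts"]), "->", "; ".join(info["reasons"]))
```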
