
Kaspersky Security 10.1.2 scan



CivicWalker
Posted

I am currently using CommVault v11.19 together with Kaspersky Security 10.1.2 for Windows Server & Kaspersky Security Center 11 Network Agent. During our weekly Kaspersky scan we've used procmon to determine that the process is changing both the timestamps and attributes on scanned files. Unfortunately, this results in CommVault's File Activity Anomaly Alert triggering, as it detects ransomware-like activities, plus the subsequent backup takes considerably longer as more changed files are obviously detected. Is there any way of preventing the Kaspersky scan from changing both the timestamps and attributes of the files?

Thanks in anticipation

CivicWalker
Posted

I also posted on the CommVault Forum and almost immediately received the following kind reply “I don’t think this is the right way for an antivirus to change the timestamps on a file. This will affect the backups as well since backups depend on modifications time of a file and if that changes, there is a chance that we could skip files from backup or backup extra data. The anomaly report is also pointing to the same that there is some anomaly happening on the machine. I don’t think CommVault can do anything here unless the antivirus fixes itself to not modify the timestamp.”

  • 2 weeks later...
  • Solution
Oleg Bykov
Posted

To instruct KSWS to not mess with file times when doing the On-Demand scanning, add this value to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]
"DontRestoreFileTimes"=dword:00000001

 

Posted

This key completely resolves my issue with thanks Oleg. I only wish I’d been aware of it three years ago when Kaspersky was originally installed and configured. It appears to be very strange that there is any particular ‘out-of-the-box’ requirement to amend time-stamps? Do the installation/configuration instructions make specific reference to this requirement (and ‘fix’) anywhere (obviously I’m disappointed that I missed it) - a weblink or ‘cut-and-paste’ would be very much appreciated.  

Oleg Bykov
Posted

I don't think we have it somewhere in the documentation - the timestamp restoration was done initially to avoid problems with Backup systems (and as far as I’m aware it helps with some). What we failed to do was to document it properly and also to make it easier to configure. Both of which will hopefully be addressed with the next release (KSWS 11).

 

  • 4 months later...
Posted

Hello,

 

I haven’t tried this registry fix yet on KS 10.1 but thank you for the info.

 

I’ve installed version KS 11.0 on a server recently and I still can’t find the option to preserve the last accessed time stamp, so will the registry work the same for 11??

 

Apparently, the option is on the workstation version but not the server versions, which seems a bit daft in my opinion.

 

Regards,

James

Posted

Hello James,

You are right - there’s still no option to not restore filetime in the KSWS 11.0 UI. Sorry about that! Daft probably sounds appropriate in this case.

This is what we’ll do - we’ll prepare a Knowledge Base article about how to avoid these problems via the “registry hack”, and meanwhile we’ll strive to add this option to the UI in the next release (11.1 or whatever).

Thank you for using KSWS!

Posted

Hi Oleg,

 

Thank you for your reply, yeah seems like a daft thing but it’s causing me issues when trying to archive files with our Redstor cloud backup.

 

An article would be great thank you :-), where will this article be available when it’s done?

 

Can I use the same registry file for Version 11?

 

Regards,

James

 

Posted

I’ll post a link to the article here as soon as it’s ready.

As for version 11, the registry key is a bit different:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\11.0\Environment]
"DontRestoreFileTimes"=dword:00000001
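
One way to apply the value given in this thread and then confirm its effect on a test folder, as an added PowerShell example that is not part of the original posts or Kaspersky's own tooling. The function names and the `D:\Data` path are hypothetical; the two registry paths are the ones quoted in the thread.

```powershell
# Registry locations quoted in this thread (KSWS 10.1 and 11.0).
$EnvKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment',
    'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\11.0\Environment'
)

function Set-DontRestoreFileTimes {
    # Write the DWORD only under keys that already exist, so no key is
    # created for a version that is not installed. Run elevated.
    foreach ($key in $EnvKeys | Where-Object { Test-Path $_ }) {
        New-ItemProperty -Path $key -Name 'DontRestoreFileTimes' `
            -PropertyType DWord -Value 1 -Force | Out-Null
        [pscustomobject]@{ Key = $key
            Value = (Get-ItemProperty -Path $key).DontRestoreFileTimes }
    }
}

function Get-FileTimeSnapshot {
    # Record timestamps and attributes without opening the files.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName,
            @{ n = 'Created';    e = { $_.CreationTimeUtc.Ticks } },
            @{ n = 'Modified';   e = { $_.LastWriteTimeUtc.Ticks } },
            @{ n = 'Accessed';   e = { $_.LastAccessTimeUtc.Ticks } },
            @{ n = 'Attributes'; e = { [int]$_.Attributes } }
}

function Compare-FileTimeSnapshot {
    # Report every file whose timestamps or attributes differ between snapshots.
    param($Before, $After)
    $index = @{}
    foreach ($b in $Before) { $index[$b.FullName] = $b }
    foreach ($a in $After) {
        $b = $index[$a.FullName]
        if (-not $b) { continue }   # file did not exist in the first snapshot
        $changed = foreach ($f in 'Created', 'Modified', 'Accessed', 'Attributes') {
            if ($a.$f -ne $b.$f) { $f }
        }
        if ($changed) { [pscustomobject]@{ File = $a.FullName; Changed = $changed -join ',' } }
    }
}

Set-DontRestoreFileTimes
$before = Get-FileTimeSnapshot -Root 'D:\Data'      # hypothetical test folder
Read-Host 'Run the on-demand scan, then press Enter' | Out-Null
$after = Get-FileTimeSnapshot -Root 'D:\Data'
Compare-FileTimeSnapshot $before $after | Format-Table -AutoSize
```

An empty result means the scan left timestamps and attributes untouched; `Accessed` differences appear only when NTFS last-access updates are enabled on the volume.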

 

Posted

Hi Oleg,

 

Thank you for your reply again.

 

That’s what I thought the registry would be, it’s exactly the location apparent from version number 11.0.


Thank you very much.

 

Regards,

James

Posted

Hi Again Oleg,

 

I’ve tested the registry fix on a version 10.1 server and it hasn’t worked for me 😞, it has still been accessed the same day by Kaspersky’s on-demand scan I assume.

 

No one has accessed it for a while, so I’m stumped!

 

Regards,

James

Posted

James, do you have patches installed for your KSWS 10.1.2? If yes, which ones?

Posted

I’ve only got 10.1.1.746 installed on the server I’m trying it on but I haven't installed any patches.

 

Which patches do I need to install please?

 

Regards,

James

Posted

Thanks Alex, I’ll do this now.

Can I upgrade or do I have to completely remove and install the newer version?

 

Regards,

James

Posted

Usually KS4WS can be updated without any problems and without reboot.

Regards
Alex

Posted

Thank you.

 

Sorry, one more question: with the link you sent, is that an updated version of 10.1.2 with the latest patches included?

 

Regards,

James

Posted

Ah right I see, I’ll speak to them tomorrow.

 

Is it CF10 and CF11 I need or just CF11?

 

Regards,

James

Posted

CFs are cumulative - you only need CF11.

Regards
Alex

Posted

Thanks Oleg, I will try this on the server I installed KS 11 on and see if it helps.

 

Regards,

James
