KES11 events improvement suggestion


I have a suggestion concerning the report messages and their types in KES11. Especially I would like to divide a message into two so that one of them can be configured to be sent by mail and the other not.

For example, the message “Protection components are disabled” gets sent when a computer gets turned off (User: NT-AUTORITÄT\SYSTEM (System user)) and when a user turns it off. I would like to have two different message types, so that I can configure to get an e-mail when a specific user turns off KES (and not when the computer gets turned off -> too many mails!). Maybe you could put these two reasons into different categories (turn off -> Warning as is, User forcibly exited -> critical)?

The other message is “Host Intrusion Prevention was triggered”. This message is triggered a lot with “Result: Allowed” (when I configure it to be sent to KSC or by mail, this will congest KSC and my mailbox) but sometimes, there is a message with “Result: Blocked”, which would be interesting within the events on KSC and in my mailbox. So maybe you could divide the two causes into two different messages, which can be differently configured (maybe also two different categories, Warning and Info).

Generally, I would like to have messages within the KSC event log whenever KES blocks something (e.g. host intrusion example above). Could you please consider/implement that when you work on the next KES version?

Examples:

User terminates KES:
16.09.2019 06:50:19 Protection components are disabled Protection Kaspersky Endpoint Security for Windows DOMAIN\username Some protection components are disabled
Application: Kaspersky Endpoint Security for Windows
User: DOMAIN\username (Active user)
Component: Protection
Result: Some protection components are disabled

Turn off computer:
16.09.2019 08:07:34 Protection components are disabled Protection Kaspersky Endpoint Security for Windows NT-AUTORITÄT\SYSTEM Some protection components are disabled
Application: Kaspersky Endpoint Security for Windows
User: NT-AUTORITÄT\SYSTEM (System user)
Component: Protection
Result: Some protection components are disabled

Host intrusion allowed (not wanted, too many messages!):
11.09.2019 08:40:50 Host Intrusion Prevention was triggered Google Chrome DOMAIN\username Allowed: Access to webcam Access to webcam Access to webcam
Application: Google Chrome
User: DOMAIN\username (Active user)
Component: Host Intrusion Prevention
Result: Allowed: Access to webcam
Action: Access to webcam
Reason: Access to webcam

Host intrusion blocked (wanted):
22.08.2019 11:41:54 Host Intrusion Prevention was triggered 60.8.0; 20190719-0953 [950894abee] DOMAIN\username Blocked: Access to webcam Access to webcam Access to webcam
Application: 60.8.0; 20190719-0953 [950894abee]
User: DOMAIN\username (Active user)
Component: Host Intrusion Prevention
Result: Blocked: Access to webcam
Action: Access to webcam
Reason: Access to webcam

Host intrusion allowed (not wanted, too many messages!):
19.08.2019 16:06:02 Host Intrusion Prevention was triggered Google Chrome DOMAIN\username Allowed: Access to webcam Access to webcam Access to webcam
Application: Google Chrome
User: DOMAIN\username (Active user)
Component: Host Intrusion Prevention
Result: Allowed: Access to webcam
Action: Access to webcam
Reason: Access to webcam

  • 2 months later...

When I unlock some parts of KES (or turn it off by password), I get the following message:

28.11.2019 13:50:43      User name and password input  Protection          Kaspersky Endpoint Security for Windows     COMPUTER\User - UserTypedIn               Successful input               View reports               

Unfortunately, the host intrusion message is the same (blocked and allowed in same message). When I mark paint.net as untrusted (for testing), I only get this (information) message:

28.11.2019 13:51:12      Host Intrusion Prevention was triggered               paint.net               COMPUTER\User             Blocked: Start    Start                     Start     

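The split requested in this thread can be approximated outside the product by filtering event text before mail is sent. The following is an added example, not part of the original posts and not Kaspersky code; it assumes events are available as text in the summary-plus-detail layout quoted above, and the names parse_event, should_mail and SAMPLES are hypothetical.

```python
import re

# Event names and detail-field labels as they appear in the events quoted above.
PROTECTION_OFF = "Protection components are disabled"
HIPS_TRIGGERED = "Host Intrusion Prevention was triggered"
FIELD = re.compile(r"^(Application|User|Component|Result|Action|Reason):\s*(.*)$")

def parse_event(text):
    """Parse a summary line followed by 'Label: value' detail lines into a dict."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    event = {"summary": lines[0], "name": None}
    for name in (PROTECTION_OFF, HIPS_TRIGGERED):
        if name in lines[0]:
            event["name"] = name
    for ln in lines[1:]:
        m = FIELD.match(ln)
        if m:
            event[m.group(1).lower()] = m.group(2)
    return event

def should_mail(event):
    """Suppress only the two noisy cases; anything unexpected still alerts."""
    if event["name"] == PROTECTION_OFF:
        # Computer shutdown is logged under the system account.
        return not event.get("user", "").endswith("(System user)")
    if event["name"] == HIPS_TRIGGERED:
        return not event.get("result", "").startswith("Allowed")
    return False  # other event types are out of scope for this filter

# Constructed sample records, modelled on the events quoted in the thread.
SAMPLES = {
    "user_exit": """16.09.2019 06:50:19 Protection components are disabled
        User: DOMAIN\\username (Active user)
        Component: Protection
        Result: Some protection components are disabled""",
    "shutdown": """16.09.2019 08:07:34 Protection components are disabled
        User: NT-AUTORITÄT\\SYSTEM (System user)
        Component: Protection
        Result: Some protection components are disabled""",
    "hips_allowed": """11.09.2019 08:40:50 Host Intrusion Prevention was triggered
        Application: Google Chrome
        Component: Host Intrusion Prevention
        Result: Allowed: Access to webcam""",
    "hips_blocked": """22.08.2019 11:41:54 Host Intrusion Prevention was triggered
        Component: Host Intrusion Prevention
        Result: Blocked: Access to webcam""",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, "->", "mail" if should_mail(parse_event(text)) else "suppress")
```

The filter drops only the known-noisy cases (system-account shutdown, "Allowed" results), so a record with a missing or unexpected User or Result field still produces a mail.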
