KSC 11 Download updates Failed to establish the HTTPS connection: TLS error (54). '/'

[bsylvain]

Hello everyone, KSC version 11.0.0.1131 (with autopatch A) KSWS version 10.1.2.996 KES version 11.1.0.15919 I have a problem to download updates since yesterday (morning? last update is from 03.07.2019 - 05:58 (Zurich time)). Failed to establish the HTTPS connection: TLS error (54). '/' When I check the URL I can see that the trusted root certificate seems to be untrusted. (you cannot trust this root certificate authority...) I tried also to directly update a KES from Kaspersky servers, same error : Is there something in your infrastucture causing that? Any knows problem? Thanks. Sylvain

[bsylvain]

Further tests brought me the following data : KSWS manual update through Kaspersky Servers (not ksc) are succeeding. KES 11 manual update through Kaspersky Servers (not ksc) are partially succeeding (although it reports the secure connection error and task failure, database date is correct) KES 10 update through Kaspersky Servers (not ksc) are succeeding. The problem could come from a particular module or url. Sylvain

[Oleg Bykov]

Hello, Maybe it's this problem? https://forum.kaspersky.com/index.php?/topic/409907-ksc-11-can-not-update-antivirus-db-with-traffic-security-on

[bsylvain]

Hello Oleg, Thanks for your answer. Traffic security module is not running on the KSC server. And if I check "https://s11.upd.kaspersky.com" on a lab without running with an antivirus or behind a NGFW, I have the root cert error, untrusted authority.

[bsylvain]

Still not working. We trusted the root cert for the domain, no luck. It looks like the KSC has his own trusted cert repository? We have a workaround but it would be great to fix that. Can you look if something happened on you side (about the kaspersky authority : "Kaspersky Lab Public Services Root Certification Authority") ? It's kind of strange as I have 3 KSC with the same problem (different infrastructure, different domain) and 1 KSC without problem (which is a off domain server providing Kaspersky service to remote computers). Thanks. Sylvain

[bsylvain]

Hello guys, After running a few days on our workaround (choosing our public KSC as master and update server), I switched back the download to Kaspersky Servers source and it seems to work now. Did you changed something or did the workaround made things go right? Sylvain

[Joel2015]

Hello, I assume this topic relates to the following description about https and certificate usage with KSC 11: https://support.kaspersky.com/15069 Following document is also helpful as it describe servers to use and how to switch to http instead https://support.kaspersky.com/15052 KSC https://support.kaspersky.com/15038 KES Regards Joel

[Deadlock4400]

hello bsylvain please see the link below - Network parameters in Kaspersky Security Center 11 for interacting with external services You can download updates via HTTP. Above link below side there is solutions for that, klscflag.exe tool and the command line: klscflag.exe -fset -pv klserver -s Updater -n DisableKLHttps -t d -v 1 Use Http instead of Https !! Another problem may occurred: check the dns, if its work correctly. have a good day. Deadlock4400

[bsylvain]

Joel2015 Deadlock4400 Thank you for the infos, we're gonna check that. We are trying to avoid the downgrading to http. Have a good day. Sylvain

[amireditor]

Hello
I have a problem getting KSC updates and I really don't know what to do

Please Help me

 

[bsylvain]

Hello
I have a problem getting KSC updates and I really don't know what to do

Please Help me

 

Hello,

In my case it was an issue with DPI-SSL of our firewall.

We made a dpi-ssl bypass for *.kaspersky-labs.com

Check https://support.kaspersky.com/15052?_ga=2.223948760.2141884001.1590148658-856246144.1590148658

Sylvain

[ak01]

I tried everything mentioned (clear update repository, delete an recreate global update task again, …), but nothing helped (update task ran for hours, almost every time “not all components were updated”.

I ended up in updating mit KSC to v12 and that solved the issue.

KES11.3 uses another (new) update mechanism, which (I guess) KSC also needs to support.

[helviojr]

(tip: Solution on third paragraph)
That’s kind of unbelievable, but I cannot update my Security Center 12 server because of the Kaspersky Security 10 for Windows Server. The antivirus solution just block all https connections to Kaspersky Labs update servers, probably because of certification problem. We use KSN, so maybe Kaspersky servers’ reputation is not that good? :D

Unfortunatelly, the web connection interception (transparent proxy), necessary to analyze safe traffic in web applications, cannot be filtered by use of URL addresses, because of the nature of SSL interception. So, there are only four options. The solution given above of using http is simple, but introduce an insecure connection, unecessarily. The second one is worse: turning off Traffic Security Task in Real-Time Server Protection in KSWS. The third one I tested is including Kaspersky Labs update servers’ IP addresses. You can choose some of them. The task will show error for the others but eventually will use one of the allowed servers. That’s not good also, as Kaspersky may choose to change those addresses or even bringing a new server nearer you and you will not use it.

SOLUTION:
So, I suppose the best way to achieve continuous protection having updates working is including the update process as exception to the task: on Kaspersky Security for Windows Server's policy applied to the Security Center server(s), Real-time server protection session, Traffic Security Settings button, Configure interception area button, Exclude processes: mark option Apply exclusions for processes and click on Executable files to include Up2Date.exe process. In my server, I added C:\Kaspersky Lab\Kaspersly Security Center\Up2Date.exe.