
KSWS frequent exploit and malware detections - troubleshooting [Kaspersky Security for Windows Server]



Problem

KSWS frequently detects a certain exploit or malware, and KSC reports show N/A as the action.

Solution

1. Download the latest patch for our product on the machine that reports the detections.

2. Download the latest Windows security updates on the machine to cover the potential vulnerabilities.

3. Make sure that the product has the latest updates from KLABs servers.

4. Check the events on the impacted server, as the KSC report sometimes shows only "detection events" with action N/A while KSWS has already taken the action.

     i. If you find a blocking event, the action is probably shown as N/A in the report because the blocking event appears in the next warning event at the same moment.

    ii. If you cannot find a blocking event:

            a. Enable KSWS traces: https://support.kaspersky.com/15618

            b. If the exploit or malware impacts system memory or the object path is an .exe, download and run ProcMon (Process Monitor): https://support.kaspersky.com/common/diagnostics/10935

            c. Restart the product’s agent.

            d. Simulate the issue and wait until the correlated event is generated.

            e. Stop the product’s traces and ProcMon.

            f. Collect an export of the server's events and a GSI report including event logs and AVZ: https://support.kaspersky.com/common/diagnostics/3632#block7

            g. Get the KSWS reports, if they exist (c:\ProgramData\Kaspersky Lab\Kaspersky Security for Windows Server\11.0\Reports).

            h. Submit an issue to Kaspersky Support.
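
The check in step 4 can be scripted over an exported event list. The following is an added example, not Kaspersky code: it pairs each N/A detection with a blocking event on the same host and object at the same moment, and lists the detections that still need the trace collection from step 4.ii. The CSV columns, event-type labels, host names and the one-second tolerance are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names and event-type labels are assumptions
# for illustration, not the real KSC/KSWS export schema.
SAMPLE_EXPORT = r"""time,host,event_type,object,action
2024-05-02 10:15:07,SRV-FILE01,detection,C:\Temp\a.exe,N/A
2024-05-02 10:15:07,SRV-FILE01,blocked,C:\Temp\a.exe,Blocked
2024-05-02 10:20:41,SRV-FILE01,detection,System Memory,N/A
2024-05-02 11:02:13,SRV-APP02,detection,C:\Temp\b.exe,N/A
2024-05-02 11:02:14,SRV-APP02,blocked,C:\Temp\b.exe,Blocked
"""

def load_events(text):
    """Parse the export and convert the time column to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows

def triage(events, tolerance=timedelta(seconds=1)):
    """Split N/A detections into (covered by a blocking event, unresolved)."""
    blocks = [e for e in events if e["event_type"] == "blocked"]
    covered, unresolved = [], []
    for det in events:
        if det["event_type"] != "detection" or det["action"] != "N/A":
            continue
        # A blocking event counts only if it is on the same host and object
        # and occurs at the detection time or within the tolerance after it.
        matched = any(
            b["host"] == det["host"]
            and b["object"].lower() == det["object"].lower()
            and timedelta(0) <= b["time"] - det["time"] <= tolerance
            for b in blocks)
        (covered if matched else unresolved).append(det)
    return covered, unresolved

def needs_procmon(det):
    """Step 4.ii.b: ProcMon is needed for system memory or .exe objects."""
    obj = det["object"].lower()
    return obj.endswith(".exe") or "memory" in obj

if __name__ == "__main__":
    covered, unresolved = triage(load_events(SAMPLE_EXPORT))
    print(f"{len(covered)} N/A detections already have a blocking event")
    for det in unresolved:
        print(det["time"], det["host"], det["object"],
              "collect traces" + (" + ProcMon" if needs_procmon(det) else ""))
```
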
