Kaspersky
Question

Endpoint Agent

  • 15 December 2020
  • 18 replies
  • 994 views

Hello 

I have a question about Endpoint Agent. I read the manual but was confused.

If I want to use EDRO in my network, must I install Endpoint Agent and then also check the Endpoint Agent component in the installation package? Must both be done, or is installing Endpoint Agent enough?

Thanks

 



Hi, if you want to use EDRO, first your license has to be an EDRO license, then you need 3 client packages:

  1. Kaspersky Network agent < for server communication
  2. Kaspersky EDR agent < EDR component
  3. Kaspersky Endpoint Security < for protection

If you install KES and it detects your EDRO license, it will install the EDR agent automatically; otherwise you have to install it with another installation task and specify the EDR agent package.

Hello

Thanks for your Reply

Yes, I have an EDRO license. I guess enabling Endpoint Agent in the endpoint components is for deploying (installing Endpoint and Endpoint Agent together?), and I can deploy Endpoint Agent separately to enable EDRO on my clients (by using a remote installation task).


Just run a remote installation task with the “Kaspersky Network agent 12” and “Kaspersky Endpoint Security 11.5” packages, then check the applications installed on the PC: select PC properties > Applications.

If there are only two applications installed, run a separate remote installation task specifying the EDR agent 3.9.2.1243 package. You have to see it like this at the end.

 

Hello 

Thanks for your answer

Hello
Dear support
I installed Endpoint Agent 3.9 on my clients and want to generate a virus report to see open incidents (EDRO report), but an error appears: "Error
Preparing data to display. Please, wait."
1- Assign license (EDRO) to Web console
2- Create policy (Endpoint Agent)
3- Assign license to Endpoint Agent

Screenshot Attached 


Same error here. Tried different browsers, tried to browse from another computer, rebooted the KSC, but the problem still persists.

 

I have the same error.

How to resolve this issue?

@hamed_masoomi I have the same error. Has anyone solved it?

@Syahril @ronnelsunga 


If you first install KES without EA component, and then a standalone KEA package, KES EDRO integration will be disabled and killchain will not work.

In order to fix this, please create and run the “Change application components” task on the host, enabling Endpoint Agent in KES. This fixed the current issue, and the incident was generated.

The same rule applies: KEA component needs to be installed in KSWS. KSWS does not have a "Change application components" task in KSC, so this has to be taken into account during KSWS deployment.

 


@Victor C. Thanks, Victor, for your reply, but this is not a first installation and the kill chain was working like a charm during the last period. I’m trying your solution, but I’m sure that the Endpoint Agent add-on is enabled.

Hello @Victor C. 

The same thing is happening here. In my case;

  1. KES 11.5 was installed without Endpoint Agent
  2. Created and applied a task which installs KES 11.6 with Endpoint Agent
  3. After the task is over, Endpoint Agent is installed, KES is 11.6 and it seems the task went well

But the error “preparing data to display” occurs.

Did I do anything wrong?

And I want to know how to check if KEA is integrated with KES properly.

 

Thanks in advance.

Yasutoshi Takayama


Hi @Yasutoshi Takayama,

After installation of Endpoint Agent, please follow these steps:

  1. Activate EA with the EDRO license through an “Activation of application” task and confirm there are no activation errors.
  2. Ensure you have an EA policy created, with the “Synchronize with Administration server settings” options enabled and enforced.
  3. Configure Kill Chain by configuring the Threat Report.
    Connect to the web console of the KSC. On the Home page, select the ‘Reports’ tab. Click on ‘Report on threats’. In ‘Report properties’, open the ‘Fields’ tab and customize the report for a user-friendly experience.
    The main thing:
    Check the box for ‘Open Incident’ and use the ‘Move up’ button to bring this to the top.
    Click ‘Save’.
  4. If the issue persists, please create and run the “Change application components” task on the host, enabling Endpoint Agent (Endpoint Sensor) in KES.

Hope this helps.

Hello, @Victor C. 

 

Thank you for the advice.

The case has been solved. It was because of the lack of license application. I created a task which applied the KEA license to the machine and ran it, and it started working.

But I’m wondering why KEA license wasn’t applied automatically though its property “auto distribution” was on. Do I need to use license deployment task on each machine?

 

By the way, I still have another problem on another device.

  1. KES 11.6 was installed without KEA.
  2. Created one task “component change” but the application to the device failed with error, but error details weren’t displayed. 
  3. So I created a task which installs KEA only to the device and it went well
  4. Applied KEA license to the device.

After all, the device has KES 11.6 installed, KEA installed and NA installed. But the incident card displays “Error wait ...”

Actually Component change task fails and fails on this machine, so if this change works well everything gets OK I think.

Do you have any suggestion for that?

Sorry for too many questions. Thanks in advance.

 

Yasutoshi Takayama

 

Sorry for too many posts.

I really want to know how to check if KEA is installed properly.

“Properly” means that incident card should be created when the pc gets infected with virus.

I need to distribute KEA to around 900 PCs. I can’t test each PC if incident card is created or not.

 

Thanks in advance.

 

Yasutoshi Takayama

 


Hi @Yasutoshi Takayama ,

It is advised to create and run an “Activation of application” task for Kaspersky Endpoint Agent in order to activate KEA. Setting the key to be automatically deployed is not supported for KEA as of now. The “Change application components” task would fail if password protection is enabled in the KES policy.

To disable password protection, open the KES 11 policy in the General settings / Interface/ Password protection/ Settings section and uncheck password protection checkbox.

Password protection can be enabled for most of the user actions that affect Kaspersky Endpoint Security: editing its settings, exiting, and uninstalling.


@Yasutoshi Takayama,

You can verify if KEA is installed in KSC Console under Device Properties>Applications.

The following changes are made locally when KEA is installed:

https://support.kaspersky.com/KEDR_Optimum/1.0/en-US/199164.htm

The following Kaspersky Endpoint Agent services are registered and started under the system account (SYSTEM):

  • SOYUZ.exe is the main Kaspersky Endpoint Agent service that manages its tasks and operation processes.
  • VOSTOK.dll (executed in proton.exe) is a service that provides interaction between Kaspersky Endpoint Agent and the Central Node component.
  • ANGARA.dll (executed in proton.exe) is a service that provides interaction between Kaspersky Endpoint Agent and EPP in scenarios of Kaspersky Sandbox integration.

Sorry for long silence.

Here is the summary of my understanding.

 

To create Incident Card properly

  • Kaspersky Endpoint Agent should be installed with KES
  • Component Change with KEA on will also do
  • KEA should be activated with a valid license
  • KEA license auto distribution doesn’t work as of now, you need to create and run activation task

If KEA is integrated with KES properly, you can find that this registry entry is created.

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features\AntiAPTFeature = 1

 

Hope this will help someone who has the same problem.

Thank you for your support.

 

Best Regards

Yasutoshi Takayama
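
A per-host check built from the indicators given in this thread, as an added example that is not part of any post and is not Kaspersky tooling. The registry path and the SOYUZ process name come from the posts above; reading AntiAPTFeature as a value under the `features` key, the function name and the verdict strings are assumptions.

```powershell
# Added example (not from the thread). Reports whether this host shows the
# KES/KEA integration marker and the running agent process named in the posts.
function Test-KeaIntegration {
    [CmdletBinding()]
    param(
        # Registry path as posted in the thread (64-bit Windows, WOW6432Node view).
        [string]$FeaturesKey = 'HKLM:\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features',
        # Assumption: AntiAPTFeature is a value under that key, with data 1.
        [string]$ValueName   = 'AntiAPTFeature',
        # SOYUZ.exe is the main Kaspersky Endpoint Agent service per the thread.
        [string]$ProcessName = 'SOYUZ'
    )

    # Missing key or missing value both leave $flag as $null.
    $flag = $null
    $item = Get-ItemProperty -Path $FeaturesKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $flag = $item.$ValueName }

    $integrated   = ($flag -eq 1)
    $agentRunning = [bool](Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)

    # Map the two signals to the situations described in the thread.
    if ($integrated -and $agentRunning) {
        $verdict = 'OK: integration flag set and agent running'
    } elseif ($agentRunning) {
        $verdict = 'Agent running but KES integration flag missing: run "Change application components"'
    } elseif ($integrated) {
        $verdict = 'Integration flag set but SOYUZ not running'
    } else {
        $verdict = 'KEA not detected'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        AntiAPTFeature = $flag
        AgentRunning   = $agentRunning
        Verdict        = $verdict
    }
}

# Local run. For many hosts, assuming PowerShell remoting is enabled and
# hosts.txt (hypothetical file) lists one computer name per line:
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-KeaIntegration}
Test-KeaIntegration
```

The check does not cover license state; per the thread, KEA still has to be activated with an “Activation of application” task before incident cards are generated.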