Kaspersky
Solved

Kaspersky Security 10.1.2 scan


I am currently using CommVault v11.19 together with Kaspersky Security 10.1.2 for Windows Server & Kaspersky Security Center 11 Network Agent. During our weekly Kaspersky scan we've used procmon to determine that the process is changing both the timestamps and attributes on scanned files. Unfortunately, this results in CommVault's File Activity Anomaly Alert triggering as it detects ransomware-like activities, plus the subsequent backup takes considerably longer as more changed files are obviously detected. Is there any way of preventing the Kaspersky scan from changing both the timestamps and attributes of the files?

Thanks in anticipation


Best answer by Oleg Bykov 20 May 2020, 17:35

To instruct KSWS to not mess with file times when doing the On-Demand scanning, add this value to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]
"DontRestoreFileTimes"=dword:00000001

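As an added example (not part of Oleg's answer or of Kaspersky's own tooling), the PowerShell below applies the registry value from the answer idempotently and then gives you a way to confirm it worked from the backup side: it snapshots content hashes plus the timestamps and attributes that CommVault keys on, before and after a scan, and lists files whose metadata moved while their content did not. That "metadata changed, content unchanged" pattern is what a scanner restoring file times looks like, and it is also what separates the scanner from real encryption, which changes content. The registry path and value name are exactly the ones from the answer; the folder C:\Data is a hypothetical sample path, and the script has to run elevated to write under HKLM.

```powershell
# Added example, not from the thread. Registry path and value name are the ones
# Oleg gave above (64-bit host, hence Wow6432Node); C:\Data is a hypothetical
# sample folder used for the before/after snapshot. Run from an elevated shell.
$RegPath   = 'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment'
$ValueName = 'DontRestoreFileTimes'

function Set-KswsDontRestoreFileTimes {
    # Create the Environment key if missing and set the DWORD to 1, only once.
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    $existing = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($existing -eq 1) {
        Write-Output "$ValueName is already 1 under $RegPath; nothing to do."
    } else {
        New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output "$ValueName set to 1 under $RegPath."
    }
}

function Get-FileStateSnapshot {
    # Record a content hash plus the metadata the backup agent keys on.
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteUtc  = $_.LastWriteTimeUtc
            LastAccessUtc = $_.LastAccessTimeUtc
            Attributes    = [string]$_.Attributes
            Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Compare-FileStateSnapshot {
    # Report every file whose timestamps or attributes changed between the two
    # snapshots, flagging whether the content changed too. Metadata-only changes
    # are a scanner (or similar tool) touching files; content changes are real.
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    $afterByPath = @{}
    foreach ($a in $After) { $afterByPath[$a.Path] = $a }
    foreach ($b in $Before) {
        $a = $afterByPath[$b.Path]
        if ($null -eq $a) { continue }   # deleted files are out of scope here
        $metaChanged = ($a.LastWriteUtc  -ne $b.LastWriteUtc) -or
                       ($a.LastAccessUtc -ne $b.LastAccessUtc) -or
                       ($a.Attributes    -ne $b.Attributes)
        if ($metaChanged) {
            [pscustomobject]@{
                Path           = $b.Path
                ContentChanged = ($a.Sha256 -ne $b.Sha256)
                WriteTime      = "$($b.LastWriteUtc) -> $($a.LastWriteUtc)"
                Attributes     = "$($b.Attributes) -> $($a.Attributes)"
            }
        }
    }
}

# Usage: apply the value, snapshot the sample folder, let the scheduled
# On-Demand scan run, snapshot again and diff. Before the fix, expect rows with
# ContentChanged = $False and a changed WriteTime (the scanner's touches);
# after the fix the diff for an otherwise idle folder should be empty.
Set-KswsDontRestoreFileTimes
$before = Get-FileStateSnapshot -Folder 'C:\Data'
# ... run or wait for the weekly scan here ...
$after  = Get-FileStateSnapshot -Folder 'C:\Data'
Compare-FileStateSnapshot -Before $before -After $after | Format-Table -AutoSize
```

Keeping the hash in the snapshot is what makes the comparison useful for triage: a row with ContentChanged = $False tells you the anomaly alert was fed by metadata writes alone, which is the scanner's behaviour from the thread, whereas rows with ContentChanged = $True on many files at once are the case the CommVault alert exists for.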

4 replies

I also posted on the CommVault Forum and almost immediately received the following kind reply: “I don’t think this is the right way for an antivirus to change the timestamps on a file. This will affect the backups as well, since backups depend on the modification time of a file and if that changes, there is a chance that we could skip files from backup or back up extra data. The anomaly report is also pointing to the same: that there is some anomaly happening on the machine. I don’t think CommVault can do anything here unless the antivirus fixes itself to not modify the timestamp.”


This key completely resolves my issue, with thanks, Oleg. I only wish I’d been aware of it three years ago when Kaspersky was originally installed and configured. It appears very strange that there is any particular ‘out-of-the-box’ requirement to amend time-stamps? Do the installation/configuration instructions make specific reference to this requirement (and ‘fix’) anywhere (obviously I’m disappointed that I missed it) - a weblink or ‘cut-and-paste’ would be very much appreciated.

I don't think we have it anywhere in the documentation - the timestamp restoration was done initially to avoid problems with backup systems (and as far as I’m aware it helps with some). What we failed to do was to document it properly and also to make it easier to configure. Both of these will hopefully be addressed with the next release (KSWS 11).
