Kaspersky
Question

KES11 events improvement suggestion

  • 16 September 2019
  • 2 replies
  • 80 views

I have a suggestion concerning the report messages and their types in KES11. Especially, I would like to divide a message into two so that one of them can be configured to be sent by mail and the other not.
For example, the message “Protection components are disabled” gets sent when a computer gets turned off (User: NT-AUTORITÄT\SYSTEM (System user)) and when a user turns it off. I would like to have two different message types, so that I can configure to get an e-mail when a specific user turns off KES (and not when the computer gets turned off -> too many mails!). Maybe you could put these two reasons into different categories (turn off -> Warning as is, User forcibility exited -> critical)?

The other message is “Host Intrusion Prevention was triggered”. This message is triggered a lot with “Result: Allowed” (when I configure it to be sent to KSC or by mail, this will congest KSC and my mailbox) but sometimes, there is a message with “Result: Blocked”, which would be interesting within the events on KSC and in my mailbox. So maybe you divide the two causes into two different messages, which can be differently configured (maybe also two different categories, Warning and Info).
Generally, I would like to have messages within the KSC event log whenever KES blocks something (e.g. host intrusion example above).

Could you please consider/implement that when you work on the next KES version?

Examples:

User terminates KES:
code:
16.09.2019 06:50:19     Protection components are disabled      Protection         Kaspersky Endpoint Security for Windows DOMAIN\username       Some protection components are disabled
Application: Kaspersky Endpoint Security for Windows
User: DOMAIN\username (Active user)
Component: Protection
Result: Some protection components are disabled


turn off computer:
code:
16.09.2019 08:07:34     Protection components are disabled      Protection         Kaspersky Endpoint Security for Windows NT-AUTORITÄT\SYSTEM              Some protection components are disabled
Application: Kaspersky Endpoint Security for Windows
User: NT-AUTORITÄT\SYSTEM (System user)
Component: Protection
Result: Some protection components are disabled

Host intrusion allowed (not wanted, too many messages!):
code:
11.09.2019 08:40:50     Host Intrusion Prevention was triggered              Google Chrome              DOMAIN\username       Allowed: Access to webcam       Access to webcam                       Access to webcam         
Application: Google Chrome
User: DOMAIN\username (Active user)
Component: Host Intrusion Prevention
Result: Allowed: Access to webcam
Action: Access to webcam
Reason: Access to webcam


Host intrusion blocked (wanted):
code:
22.08.2019 11:41:54     Host Intrusion Prevention was triggered              60.8.0; 20190719-0953 [950894abee]   DOMAIN\username       Blocked: Access to webcam       Access to webcam                       Access to webcam         
Application: 60.8.0; 20190719-0953 [950894abee]
User: DOMAIN\username (Active user)
Component: Host Intrusion Prevention
Result: Blocked: Access to webcam
Action: Access to webcam
Reason: Access to webcam


Host intrusion allowed (not wanted, too many messages!):
code:
19.08.2019 16:06:02     Host Intrusion Prevention was triggered              Google Chrome              DOMAIN\username       Allowed: Access to webcam       Access to webcam                       Access to webcam         
Application: Google Chrome
User: DOMAIN\username (Active user)
Component: Host Intrusion Prevention
Result: Allowed: Access to webcam
Action: Access to webcam
Reason: Access to webcam

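The split the post asks for can be approximated on the receiving side by filtering on fields KES already writes into each event (User, Component, Result). The following is an added example, not code from the poster and not Kaspersky's own: a Python script that parses the detail blocks quoted above and routes "Protection components are disabled" events by the account type in the User field and "Host Intrusion Prevention was triggered" events by the "Allowed:"/"Blocked:" prefix of Result. Because it only looks at the prefix it also covers other HIPS results (for example "Blocked: Start"). The sample input is constructed from the events in the post; the sub-type names and severity labels are my own assumptions.

```python
"""Added example: split KES events into mailable sub-types using the fields
KES already exports. Not part of the forum post and not Kaspersky code."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the detail blocks from the post, as KSC shows them.
SAMPLE = """\
Application: Kaspersky Endpoint Security for Windows
User: DOMAIN\\username (Active user)
Component: Protection
Result: Some protection components are disabled

Application: Kaspersky Endpoint Security for Windows
User: NT-AUTORITÄT\\SYSTEM (System user)
Component: Protection
Result: Some protection components are disabled

Application: Google Chrome
User: DOMAIN\\username (Active user)
Component: Host Intrusion Prevention
Result: Allowed: Access to webcam
Action: Access to webcam
Reason: Access to webcam

Application: 60.8.0; 20190719-0953 [950894abee]
User: DOMAIN\\username (Active user)
Component: Host Intrusion Prevention
Result: Blocked: Access to webcam
Action: Access to webcam
Reason: Access to webcam
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split an export into one dict per blank-line-separated event block.
    Only the first ':' separates key from value, so 'Result: Allowed: Access
    to webcam' keeps its full value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def classify(event: Dict[str, str]) -> Tuple[str, str, bool]:
    """Return (sub_type, severity, mail). Sub-type names and severities are
    assumptions chosen to mirror the split proposed in the post."""
    component = event.get("Component", "")
    result = event.get("Result", "")
    user = event.get("User", "")
    if component == "Protection" and "disabled" in result:
        # KES tags the account type in parentheses: a '(System user)' disable
        # accompanies shutdown, an '(Active user)' disable is a person acting.
        if "(System user)" in user:
            return ("protection_disabled_by_system", "warning", False)
        return ("protection_disabled_by_user", "critical", True)
    if component == "Host Intrusion Prevention":
        if result.startswith("Blocked:"):
            return ("hips_blocked", "warning", True)
        if result.startswith("Allowed:"):
            return ("hips_allowed", "info", False)
    return ("other", "info", False)


def events_to_mail(text: str) -> List[Tuple[str, str, str]]:
    """Return (sub_type, severity, user) for every event worth mailing."""
    out = []
    for ev in parse_events(text):
        sub_type, severity, mail = classify(ev)
        if mail:
            out.append((sub_type, severity, ev.get("User", "")))
    return out


if __name__ == "__main__":
    for row in events_to_mail(SAMPLE):
        print(row)
```

Run against the four sample blocks, only the user-initiated disable and the blocked HIPS event are selected; the shutdown-time disable and the allowed webcam access are kept in the log but not mailed.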
2 replies

Seems to be implemented in KES11.2, which was launched lately.

Thank you very much!

When I unlock some parts of KES (or turn it off by password), I get the following message:

28.11.2019 13:50:43      User name and password input  Protection          Kaspersky Endpoint Security for Windows     COMPUTER\User - UserTypedIn               Successful input               View reports               

Unfortunately, the host intrusion message is the same (blocked and allowed in same message). When I mark paint.net as untrusted (for testing), I only get this (information) message:

28.11.2019 13:51:12      Host Intrusion Prevention was triggered               paint.net               COMPUTER\User             Blocked: Start    Start                     Start     
