KSWS10.1.2.996 and Distribution Point as KSN Proxy does not work



We have one KSC (11.0.0.1131 and Patch b) located at the headquarters and some branch offices, which use distribution points to lower the traffic on the WAN connection. All the computers (KES 11.1/11.2 and KSWS 10.1.2.996) at headquarters get updates from KSC and also use KSC as KSN proxy, that works fine.

The computers (same versions) at branch offices use their onsite distribution point for updates (that works fine as well) and KSN proxy.

The KES11.1 and 11.2 computers use the distribution point as KSN Proxy without any problems, but KSWS10.1.2.996 servers at branch office permanently log the following messages (using different file names -> the KSN functionality does not work):

Do you have an idea why this does not work? Is this a bug of 10.1.2.996 (I have no patches installed for this version since there are no Core Fixes released publicly)?

The statistics state that KSWS uses the distribution point on TCP port 13111 (win10_1809_ksp is the distribution point, SRVAPWDS01 is the KSC server):

 

 

A network trace (Wireshark) shows that KSWS opens a connection to the distribution point on TCP port 13111 and sends some traffic, so it should work?!

The agent policy looks like this:

 

 


18 replies

Userlevel 1
Badge

You can have a KSWS trace but I only find the following entries (concerning KSN):

07:14:34.933 1734 560 warning [wp] KsnService: make async request declined with error = 0x80250002, for file 'C:\Users\Administrator\AppData\Local\Temp\2\wireshark_Ethernet0_20200110081434_a02160.pcapng', file has been filtered

 

A network trace only shows communication to the distribution point (however, I would expect more data sent when I start a manual scan task like in that case):

Hello,

The thing is that KSWS 10.1.2 does not fully support the new KSN distribution point scheme that appeared in KSC 11. I mean, KSWS can work with it, but in some cases (like yours) it can also generate additional error messages that should not be there. Also, we believe that KSWS could be more efficient in choosing the most optimal distribution point.

We should have changed it via a patch, but the code changes are too broad and we believe it requires a more thorough testing than we can afford for a (non-public) patch.

The full support for the new scheme should be included in the KSWS 11 release that is due out a bit later this year. For now the workaround for this should be to turn off the “Error sending request to KSN” events.

Also, I strongly recommend you to obtain the Core 3 patch for KSWS 10.1.2 from the Company Account (Core 4 is also very close to release and is also highly recommended). Apart from bug fixes, it contains some optimizations that should lower the overall impact KSWS has on a server.

 

Userlevel 1
Badge

Hello Oleg,

thank you very much for that information. I turned off this type of error message (so that it does not get sent to KSC).

As far as I understood it, KSWS 10.1.2 generally uses the Distribution Point KSN proxy but in some cases, it throws that error message (but generally, it works).

I will wait for KSWS11, that is no problem and I will get the Core3/4 Patches.

Userlevel 1
Badge

When I install Core Patch 3, I get the following error message 2 times (is this normal?):

Internal task error occurred. Error code: 0x000B. Subsystem code: 0x6 (WP). For more details go to the Kaspersky Lab Technical Support site: https://click.kaspersky.com/?hl=en-US&link=error&pid=wsee&version=10.1.0.0&error=B6X11X14X4X

 

 

I installed Core Patch 3 on a few (not so important) servers, on one of them I got the following error messages (but only one time):

Application module integrity corrupted. Reason: invalid module signature. Object name: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Windows Server\drivers\x64\win10\klfltdev\klfltdev.sys

Application module integrity corrupted. Reason: invalid module signature. Object name: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Windows Server\drivers\x64\win10\klam\klam.sys

 

However, these are just error messages. I have not encountered any functional problems of these servers (so everything works as expected so far).

 

When do you plan to release Core Patch 4?

Userlevel 1
Badge

Could you please tell me when Core Patch 4 is available?

 

Every day, I get the message about Application module integrity corrupted (on the servers, where Core Patch 3 is installed).

However, I have not noticed any problems concerning applications so far (just these error messages) when Core Patch 3 is installed.

Hello,

What is the Windows version you’re using on servers with error messages? Also, can I please get KSWS traces with the Application Module Integrity task running?

The traces can be uploaded here:

https://box.kaspersky.com/u/d/b515840c23ca40e4a2c6/

The same about the “Internal task error occurred” - can you provide KSWS traces collected during this error reproduction?

Oh, and the Core 4 patch is already available via Support request.

Userlevel 1
Badge

Thank you for Core Patch 4.

However, the mentioned error messages appear as well. Especially, two integrity (corrupted) error messages are thrown every day on every server (where the Patch is installed).

However, I have not experienced any application problems (concerning other applications that are installed on the server). On the other hand, I experienced a performance improvement.

Despite the error messages, KSWS10 does not execute my database update group task periodically any more. I think that it does not do it when I configure every three hours (I have to do some tests). When I start it manually, the task does its job.  

 

 

 

Uhrzeit:                              20.01.2020 20:00:03

Application module integrity corrupted. Reason: invalid module signature. Object name: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Windows Server\drivers\x64\win10\klfltdev\klfltdev.sys

Application module integrity corrupted. Reason: invalid module signature. Object name: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Windows Server\drivers\x64\win10\klam\klam.sys

Userlevel 1
Badge

I did some testing. When I configure “every 3 hours”, KSWS 10.1.2.996 and Core Patch 3 or 4 does not periodically start the Update group task. When I switch to “every 1 hour”, it does it periodically. On all the KSWS 10.1.2.996 servers without the Core Patches, it works (with “every 3 hours”).

I think this is a bug in Core Patch 3 and 4!

I don’t think it is a bug… Seems more like a fix. :)

I mean, you have set the task start randomization interval to 180 minutes (3 hours) - so, the task does not have to start immediately after the designated time, but it will start at (that time + some random time, up to three hours more).

What does the Audit Log say (in the local Administration console)? Do you see any group tasks starting there?

Userlevel 1
Badge

The group task gets started but not every 3 hours (some starts were missed). It takes a while to see if it does it correctly when it is set to three hours (that is why it looked like KSWS never does it).

I now changed the randomize time span to 175 minutes (maybe it misses it when the random delay is bigger than the interval).

What have you changed within the Core patches concerning the group task handling?

The update TEST Task below is scheduled hourly (randomize 40min) and also runs hourly:

 

“Once every 3 hours” + “randomize over the interval of 3 hours” makes the period between task launches up to 6 hours long. Was that your intention? Maybe make the randomization interval even shorter, like 30 or 60 minutes?

What was changed in the patches is the way long randomization intervals were handled. Before the patches, the long randomization intervals didn’t lead to longer time spans between the tasks, and were often completely ignored.

Regarding your screenshot - I’ll consult my colleagues about the observed task frequency and what should be done about it.
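The arithmetic behind the reply above, as an added simulation that is not part of the original thread and is not Kaspersky's scheduler code. It assumes the simplified model described there (each nominal start plus an independent uniform random delay of up to the randomization window) and a fleet of 160 hosts; all function names are hypothetical.

```python
import random

def simulate_starts(interval_min, randomize_min, cycles, rng):
    """Start times in minutes for one host under the ASSUMED model:
    nominal slot k*interval plus a uniform delay in [0, randomize_min]."""
    return [k * interval_min + rng.uniform(0, randomize_min)
            for k in range(cycles)]

def gap_bounds(interval_min, randomize_min):
    """Analytic (min, max) gap between two consecutive starts of one host."""
    return (interval_min - randomize_min, interval_min + randomize_min)

def fleet_stats(hosts, interval_min, randomize_min, cycles=200, seed=1):
    """Longest observed gap between updates on any host, and the busiest
    single minute on the update source (distribution point or KSC)."""
    rng = random.Random(seed)          # fixed seed: repeatable run
    longest_gap = 0.0
    starts_per_minute = {}
    for _ in range(hosts):
        starts = simulate_starts(interval_min, randomize_min, cycles, rng)
        for earlier, later in zip(starts, starts[1:]):
            longest_gap = max(longest_gap, later - earlier)
        for s in starts:
            minute = int(s)
            starts_per_minute[minute] = starts_per_minute.get(minute, 0) + 1
    return {
        "longest_gap_min": longest_gap,
        "peak_starts_per_min": max(starts_per_minute.values()),
    }

if __name__ == "__main__":
    # "Every 3 hours" with the randomization windows tried in the thread.
    for window in (180, 175, 60, 30):
        lo, hi = gap_bounds(180, window)
        stats = fleet_stats(hosts=160, interval_min=180, randomize_min=window)
        print(f"randomize={window:3d} min  gap bounds={lo}-{hi} min  "
              f"longest seen={stats['longest_gap_min']:.0f} min  "
              f"peak starts/min={stats['peak_starts_per_min']}")
```

A wider window lowers the peak load on the update source but lengthens the worst-case age of the anti-virus databases on an individual server, which is the trade-off to weigh when choosing the window for a large fleet.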

Userlevel 1
Badge

Unfortunately, the last change (randomize time to 175 min) did not help. The group task (every 3 hours) was executed the last time yesterday. On the other hand, the “TEST” task (every 1 hour) gets executed every hour reliably.

This happens on every server, which has Core Patch 4 installed (currently 13).

 

 

And if you change the randomize time to 60 (or even 30), does the task get to start more often?

Userlevel 1
Badge

I switched it to 60min (randomize time) at 9:50, the next scheduled start was at 11:30 and so far, all the 13 servers started the task around 11/12 o’clock. I will check tomorrow, if it is reliable.

However, I have about 160 KSWS 10.1.x servers, I need a bigger randomize time.

Userlevel 1
Badge

I checked today the 13 servers and the update group task was executed reliably every three hours, so the high amount of randomize time (>60 min) seems to cause the issue.

Userlevel 1
Badge

Do you have an idea why a huge randomize time stops the group task from getting reliably started? Do you plan to fix this? If not, what is the maximum randomize time, which can be used?
