This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Swiftyyyy
Advisor
‎2022-03-25 03:14 AM

Kaspersky-Free Pilot Deployment Thread

Hi everyone,

I'm sure we're not alone in performing pilot installations of the Kaspersky-Free Endpoint Security client.
As the knowledge base is still relatively empty in regards to issues and operational differences, I think it may be a good idea to start a community thread where we share our collective experiences before proceeding with full scale movements of our managed environments.

Some limitations are well documented by the SK, but a few things came in as a surprise so here's my list of notable experiences since beginning testing. I'd encourage you to share any findings as well.

All testing has been done with the "Kaspersky Free E86.25.5061 E2 client".

  1. Client upgrades from E86.01 (Recommended release) as well as E86.25 went fine, however the upgrade required a reboot of the Endpoint
  2. Anti-Malware Blade reports as "Off" for a minute or two after every system reboot. This alarmed some pilot group testers. After that the blade turns to "On" as normal
  3. The EPS tray icon is no longer animated during scheduled/manually initiated scans, no progress indication at all is given, this is also somewhat alarming to users as they're not notified of the scan while their notebook fans ramp up / performance decreases
  4. In association with no given progress indicators, no feedback is given to the user when pressing "Scan system now", no feedback given when performing "Right Click scan with Check Point" on individual files or directories either
  5. Scan start & stop entries are still produced in SmartConsole logs, nothing changed there
  6. Push operations relating to the AM blade still appear to work, however no progress indication is given during the scan (before it would state 123136 files scanned etc.), prior behaviour of producing a finishing message stating "n Infected files found" is also no longer present
  7. In Windows Security Settings the Anti-Malware is now presented as "Checkpoint ThreatEmulation and Antivirus" instead of "Check Point Anti-Malware". We have not tested this yet, but it may present a potential "compliance" issue with 3rd party software such as VPN clients which reference that string when permitting/denying connections
  8. Exclusions appear to still work as before, URL based exclusions specifically do appear to still work
  9. Downloads blocked by Threat Emulation are Quarantined successfully, however the client overview Anti-Malware blade displays Infection Status as UNTREATED and NOT quarantined in this case the status of AM blade is INFECTED, downloads intentionally permitted to pass Threat Emulation are correctly Quarantined and Treated by Anti-Malware & reported correctly. 
  10. When restoring files from Quarantine without an exclusion defined, the file isn't immediately re-inspected & Quarantined as it would be otherwise
  11. Anti-Malware blade does not seem to produce detection event log entries, though Forensic Reports are generated as usual

 

We have also experienced a case where upgrading to the E2 version of the client forced a system hang upon reboot (system was stuck on "System Preparing".

Upon a hard reset the system successfully rebooted with the AM blade reporting as functioning, however no system scan would actually execute. Starting a scan manually from Client Overview would create "Scan Start" log events in SmartConsole with every press of the button, but no scanning occured. When performing a scan via. Push operation, the operation would report an "Internal Error". We intend to consult with TAC on this particular issue, but it's something to be mindful of. So far we've only had one such occurrence.

11 Replies
PhoneBoy
Admin
Admin
‎2022-03-25 05:55 AM

A lot of these differences will be lessened over time.
Not sure we can eliminate the need for a reboot when switching to the E2 version of the client.

0 Kudos
Swiftyyyy
Advisor
‎2022-03-25 06:03 AM
In response to PhoneBoy

The reboot is perfectly understandable and can be worked around.
Really just the points in bold bother me since security posture is somewhat affected.

As long as the admins operate with awareness of these points they're really not issues in themselves, just *different*.

J_B
Collaborator
‎2022-03-25 09:21 AM
In response to PhoneBoy

It'll be a shame if you can't eliminate the need for a reboot.  It was a major step forward in the later clients when the need for a reboot was eliminated when upgrading a client.  It always caused so much issues with our users, especially when they couldn't control the reboot.

0 Kudos
Swiftyyyy
Advisor
‎2022-03-25 11:18 AM
In response to J_B

I'm assuming the reboot is only necessary for the initial move; just as it would be for certain software blade reconfigurations. 

I believe I have an E2 variant of the E86.01 client buried somewhere as well, I'll install that and try an update E86.01 E2 to E86.25 E2 with the same blade config on Monday & post my findings in here.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-25 11:42 AM
In response to J_B

As we change from one running AV to another AV product a reboot is perfectly understandable as the most clean procedure.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Swiftyyyy
Advisor
‎2022-03-27 11:42 PM
In response to J_B

Hi,

I just tested moving from E86.01 E2 to E86.25 E2.
The client in this case didn't require a reboot, soo the reboot is only required as you move to the E2 client, but future upgrades appear to be just as they were with the Kaspersky engine.

G_W_Albrecht
MVP Silver
MVP Silver
‎2022-03-27 11:48 PM
In response to Swiftyyyy

As it should be - as i wrote, a reboot during change of AV engine seems completely understandable...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Swiftyyyy
Advisor
‎2022-03-28 12:05 AM

Additionally, it appears that the Anti-Malware blade DOES indeed still produce detection event logs along with Forensic blade reports, it just seems a tad inconsistent.

During my tests today with the E86.01 E2 client I ran through the same set of EICAR files as last week and I did infact get an AM blade event with every instance. The AM engine in both these clients appears to be on the same version (3.84).

So this may require some additional testing to validate.

Likewise I experienced some slightly different behaviour on point 9.), the detections today were reported correctly & the client did not get stuck on an INFECTED status.

tomerli
Employee
Employee
‎2022-03-28 12:55 PM
In response to Swiftyyyy

Hi,

Thank you for your feedback. We are looking at each and every item mentioned above. Below are responses for some of the items. We are continuing to check and will update as soon as we have more info.

Item #1 – When changing from one AV to another a reboot is required. This is a onetime reboot. As mentioned above by others, it should not be an issue.

Item #3 - Thank you for your comment. This will be handled in a future version.

Item #4 - We didn't success to reproduce this issue. When the user scan, he gets a window with progress bar similar to E1. If it is still happens to you, please let us know.

Item #5 - We didn't success to reproduce this issue. If you are still facing this issue, please send us more information.

Item #6 - We succeed to reproduce this issue. We are checking it. Thank you.

Item #8 – All good.

Item #9- We succeed to reproduce this issue. We are checking it. Thank you.

Item #11 - This is because we now have TE blade that is inspecting the files, and the log are being sent under the TE blade. The files are inspected and logs are sent… they are just TE logs instead of AM logs…

Thanks

Swiftyyyy
Advisor
‎2022-03-29 12:49 AM
In response to tomerli

@tomerli wrote:

Hi,

Thank you for your feedback. We are looking at each and every item mentioned above. Below are responses for some of the items. We are continuing to check and will update as soon as we have more info.

Item #1 – When changing from one AV to another a reboot is required. This is a onetime reboot. As mentioned above by others, it should not be an issue.

Item #3 - Thank you for your comment. This will be handled in a future version.

Item #4 - We didn't success to reproduce this issue. When the user scan, he gets a window with progress bar similar to E1. If it is still happens to you, please let us know.

Item #5 - We didn't success to reproduce this issue. If you are still facing this issue, please send us more information.

Item #6 - We succeed to reproduce this issue. We are checking it. Thank you.

Item #8 – All good.

Item #9- We succeed to reproduce this issue. We are checking it. Thank you.

Item #11 - This is because we now have TE blade that is inspecting the files, and the log are being sent under the TE blade. The files are inspected and logs are sent… they are just TE logs instead of AM logs…

Thanks

I do still experience this (#4), the files do get scanned however the log generated is incomplete and I get no bar like with E1. I have only tested this specific feature in my virtual machine. I'll ask our pilot users to attempt to reproduce and if we still see this issue I'll let you know.

0 Kudos
Nate_Nettrouer
Explorer
‎2022-04-06 07:50 AM
In response to Swiftyyyy

Just started rolling out our conversion.  The only issue we have had is we had our SolarWinds server require a second reboot after changing it over to E2.  After the initial reboot from switching from 86.10 to 86.25 E2, there were a few things in SolarWinds that did not function properly.  After 2nd reboot, it cleared it up.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events