Kaspersky Security 10.1 for Windows Server (version 10.1.0.622): critical fix KB14306
The critical fix KB14306 of November 14, 2018 (CORE13) includes all the changes from previous critical fixes, as well as fixes for the following components:
- File Threat Protection
- Traffic Security
- Anti-Cryptor
- Blocked Hosts
About the critical fix KB14306 of November 14, 2018 (CORE13)
Fixes and improvements
File Threat Protection
- The interception of file operations for network paths has been optimized.
- The mechanism for calculating file attributes upon detection by application anti-virus components has been optimized.
Traffic Security
Errors in processing requests to HTTPS websites, which led to false positives and to trusted connections being blocked, have been fixed.
Anti-Cryptor
An option to configure synchronous processing of file operations has been implemented, so that processor load can be balanced against delays in processing file operations. In synchronous mode, file operations are processed one after another: the load on the processor does not increase, but files are processed more slowly.
By default, the application processes file operations asynchronously. In asynchronous mode, the processing of file operations is distributed across several parallel threads. This increases processing speed, but also the load on the processor. This is the recommended mode.
To enable synchronous processing of file operations, create the AntiCryptorSyncMode value of type REG_DWORD with data 1 under the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]
We do not recommend enabling synchronous mode.
Anti-Cryptor
Errors that led to false positives when working with files in XLSX format have been fixed.
Blocked Hosts
An error in resolving a blocked host's logon LUID to its IP address has been fixed. Without the critical fix, the Blocked Hosts component did not always resolve the LUID to an IP address in time.
The critical fix increases the timeout for resolving a LUID to an IP address.
When the IP address is received, the application writes the host data to the blocked hosts storage. If an entry for that LUID is already in the storage, the application updates it.
Access to network resources is actually blocked immediately, when encryption is detected and the host data is written to the blocked hosts storage. The event about blocked access is recorded in the application log only after the blocked host's IP address has been received.
To resolve a LUID to an IP address, the application uses the corresponding system events in the Windows Event Log. If critical fix CORE13 did not help and the application still registers only the LUID for blocked hosts, make sure that event ID 4624 (An account was successfully logged on) is being recorded in the Security log on Microsoft Windows Vista and newer, or event ID 528 on Microsoft Windows XP.
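The check above can be done from an elevated PowerShell session. The following script is an added example and not part of the Kaspersky article: it reads the Logon audit subcategory with auditpol, pulls recent 4624 events from the Security log, and shows the fields the Blocked Hosts component needs to correlate (TargetLogonId is the LUID, IpAddress is the client address). The 24-hour lookback and the sample count are arbitrary choices.

```powershell
# Added example (not from the Kaspersky article): confirm that event ID 4624
# is actually being written, and show the LUID -> IP pairs it carries.
# Assumes Windows Vista/Server 2008 or later and an elevated session.

function Test-LogonAuditing {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)

    # 1. Is the "Logon" subcategory audited for success? The /r switch gives CSV.
    #    Subcategory names are localized; adjust on non-English systems.
    $row = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv |
           Where-Object { $_.Subcategory -eq 'Logon' }
    $successAudited = [bool]($row.'Inclusion Setting' -match 'Success')

    # 2. Were any 4624 events written recently?
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $since
    } -MaxEvents 50 -ErrorAction SilentlyContinue)

    # 3. Network logons (type 3) are the ones that carry a usable client IP.
    $network = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -eq '3') {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                User     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonId  = $d.TargetLogonId   # the LUID Blocked Hosts sees
                SourceIp = $d.IpAddress
            }
        }
    }

    [pscustomobject]@{
        LogonSuccessAudited = $successAudited
        Events4624Seen      = $events.Count
        NetworkLogonSamples = @($network | Select-Object -First 5)
    }
}

# If LogonSuccessAudited comes back False, enable it (takes effect immediately):
#   auditpol /set /subcategory:"Logon" /success:enable
Test-LogonAuditing | Format-List
```

If Events4624Seen is zero on a file server that is clearly in use, the Security log is either not auditing success logons or is being overwritten faster than the resolver can read it; both leave Blocked Hosts with nothing but the LUID.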
Installation
You must enter the password in order to install the critical fix on top of a version where password protection is in use. Specify the following command line key during installation: UNLOCK_PASSWORD=<password>
When installing the critical fix, the versions of the following application modules are updated:
Module name | Version after applying the critical fix |
---|---|
netappanticrypt.dll | 10.1.0.670 |
fssync.dll | 10.1.0.670 |
streamio.ppl | 10.1.0.670 |
klam.sys | 17.0.55.0 |
klam.inf | N/A |
klam.cat | N/A |
ak_conn.dll | 10.1.0.670 |
avpgs.ppl | 10.1.0.670 |
avscan.dll | 10.1.0.670 |
icapsrc.dll | 10.1.0.670 |
nappsrc.dll | 10.1.0.670 |
oassrc.dll | 10.1.0.670 |
odssrc.dll | 10.1.0.670 |
scandll.dll | 10.1.0.670 |
scrchsrc.dll | 10.1.0.670 |
tm2src.dll | 10.1.0.670 |
anticryptor.dll | 10.1.0.670 |
avs.ppl | 10.1.0.670 |
kavfs.exe | 10.1.0.670 |
kavfsmui.exe | 10.1.0.670 |
kavfswp.exe | 10.1.0.670 |
kavtray.exe | 10.1.0.670 |
kpcengine.dll | 10.1.0.670 |
mitmprxy.dll | 10.1.0.670 |
nfio.ppl | 10.1.0.670 |
scagent.dll | 10.1.0.670 |
kavfsslp.dll | 10.1.0.670 |
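To confirm the fix landed, compare the file versions on disk with the table above. The following script is an added example and not Kaspersky's own tooling: the install directory is an assumption (the page does not state it) and can be overridden with -InstallDir; klam.sys is a kernel driver, so System32\drivers is searched as well. The same script checks against the CORE11 table when -FixBuild is set to 10.1.0.661.

```powershell
# Added example (not from the Kaspersky article): verify module versions
# after applying the critical fix. InstallDir is an assumption.

function Get-PeFileVersion {
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Assemble from the numeric parts so any text appended to FileVersion is ignored
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-KsModuleVersions {
    param(
        # Assumed default location; not given on the page
        [string]$InstallDir = "${env:ProgramFiles(x86)}\Kaspersky Lab\Kaspersky Security for Windows Server",
        # CORE13 build from the table; use 10.1.0.661 for the CORE11 table
        [string]$FixBuild = '10.1.0.670'
    )
    # klam.inf and klam.cat carry no version resource and are skipped
    $expected = @{ 'klam.sys' = '17.0.55.0' }
    foreach ($m in 'netappanticrypt.dll','fssync.dll','streamio.ppl','ak_conn.dll','avpgs.ppl',
                   'avscan.dll','icapsrc.dll','nappsrc.dll','oassrc.dll','odssrc.dll','scandll.dll',
                   'scrchsrc.dll','tm2src.dll','anticryptor.dll','avs.ppl','kavfs.exe','kavfsmui.exe',
                   'kavfswp.exe','kavtray.exe','kpcengine.dll','mitmprxy.dll','nfio.ppl','scagent.dll',
                   'kavfsslp.dll') { $expected[$m] = $FixBuild }

    $searchRoots = @($InstallDir, (Join-Path $env:SystemRoot 'System32\drivers'))
    foreach ($name in ($expected.Keys | Sort-Object)) {
        $hits = foreach ($root in $searchRoots) {
            if (Test-Path -LiteralPath $root) {
                Get-ChildItem -LiteralPath $root -Recurse -File -Filter $name -ErrorAction SilentlyContinue
            }
        }
        $file = @($hits)[0]
        if (-not $file) {
            [pscustomobject]@{ Module = $name; Expected = $expected[$name]; Actual = '(not found)'; Ok = $false }
            continue
        }
        $actual = Get-PeFileVersion $file.FullName
        [pscustomobject]@{
            Module   = $name
            Expected = $expected[$name]
            Actual   = $actual.ToString()
            Ok       = ($actual -eq [version]$expected[$name])
        }
    }
}

# Any row with Ok = False means the fix did not land, or an older copy is being found first
Test-KsModuleVersions | Format-Table -AutoSize
```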
Limited liability
Due to technical reasons a private fix cannot be exposed to the full cycle of tests that ensure software quality. AO Kaspersky Lab explicitly disclaims any guarantees regarding both features and quality of a private fix. If not explicitly stated otherwise, private fixes are subject to the End-User License Agreement (EULA) under which the respective Kaspersky Lab product is licensed, in particular the following exclusion and limitation of liability notice. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL KASPERSKY LAB (THE RIGHTHOLDER) OR ITS PARTNERS BE LIABLE FOR ANY LOSSES AND/OR DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR INFORMATION, FOR BUSINESS INTERRUPTION, OR OTHER PROPERTY DAMAGE) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF THE RIGHTHOLDER AND/OR ANY PARTNER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BY DOWNLOADING AND INSTALLING THIS SOFTWARE THE USER CONFIRMS THAT HE/SHE HAS READ THESE NOTICES, THE RELEVANT EULA, AND IS AWARE OF THE POSSIBLE RISKS.
The archive contains the latest version of the fixes described in this article. The fix is cumulative and includes changes from the previous versions.
If the private fix did not help, contact technical support.
Previous critical fix version of September 13, 2018 (CORE11)
The critical fix KB14306 of September 13, 2018 (CORE11), includes all the changes from previous critical fixes, as well as fixes for the following components:
- File Threat Protection
- On-Demand Scan
- The Trusted Zone
- Use of KSN
- Traffic Security
- Anti-Cryptor
- Log Inspection
- The RPC Network Storage Protection task
- Anti-Cryptor for NetApp
- Exploit Prevention
- Integration with Kaspersky Managed Protection
- Core functionality
- Integration with Kaspersky Security Center
- Password protection
Fixes and improvements
File Threat Protection
The mechanisms for detecting and isolating active viruses have been improved:
- The application detects fileless infections (viruses that exist only in the computer memory, and not on the hard drive) when scanning the system memory scope during on-demand scan tasks.
- The processing of active viruses upon detection has been improved: the application now terminates infected processes correctly.
- It is now possible to configure a list of processes that are considered critical for the operating system. The application does not terminate these processes when an active infection is detected.
Before the critical fix, the application decided on its own whether a process was critical for the operating system. A process with "critical" status is one in which the application reports detected threats, but which it does not terminate automatically.
After applying the critical fix, you can use the registry to independently specify a list of processes that must be considered critical:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]
"SystemCriticalProcesses"=hex(7):63,00,73,00,72,00,73,00,73,00,2e,00,65,00,78,\
00,65,00,00,00,77,00,69,00,6e,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,65,00,\
78,00,65,00,00,00,6c,00,73,00,61,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,\
00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,\
00,00,00,00
By default, the list is stored in the registry as a MULTI_SZ value (the .reg fragment above encodes csrss.exe, winlogon.exe, lsass.exe and services.exe) and includes the following processes:
- csrss.exe
- winlogon.exe
- lsass.exe
- services.exe
- svchost.exe
If you do not want one of these processes to be considered critical, edit the MULTI_SZ value in the specified registry key and remove that process's executable name (the value holds executable names, not process IDs). The application will then terminate the process automatically when an active infection is detected.
To add another process to the list, edit the MULTI_SZ value and add its executable name.
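The list is easier to maintain from PowerShell than by hand-editing hex(7). The following script is an added example, not code from the Kaspersky article: it decodes the .reg fragment above so you can see exactly which names it carries, then reads, edits and writes back the MULTI_SZ value. The process names used in the usage section (sqlservr.exe, svchost.exe) are illustrative choices.

```powershell
# Added example (not from the Kaspersky article): decode the .reg fragment and
# manage the SystemCriticalProcesses list. The value holds executable names,
# not process IDs. Run elevated. The key lives under Wow6432Node and is
# addressed with that path from 64-bit PowerShell as well.

$KsEnvKey = 'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment'

# Turn a "hex(7):..." MULTI_SZ line from a .reg file into the strings it encodes
function ConvertFrom-RegHex7 {
    param([string]$RegLine)
    $hex   = ($RegLine -replace '(?s)^.*?hex\(7\):', '') -split '[,\s\\]+' | Where-Object { $_ }
    $bytes = [byte[]]($hex | ForEach-Object { [Convert]::ToByte($_, 16) })
    # REG_MULTI_SZ is UTF-16LE, NUL-separated, terminated by an extra NUL
    [Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0).Split([char]0)
}

function Get-KsCriticalProcesses {
    $p = Get-ItemProperty -Path $KsEnvKey -Name SystemCriticalProcesses -ErrorAction SilentlyContinue
    if ($null -eq $p) { return @() }
    @($p.SystemCriticalProcesses)          # MULTI_SZ comes back as string[]
}

function Set-KsCriticalProcesses {
    param([string[]]$Names)
    # Normalize: trim, lower-case, drop empties and duplicates
    $clean = @($Names | ForEach-Object { $_.Trim().ToLowerInvariant() } |
               Where-Object { $_ } | Select-Object -Unique)
    if (-not (Test-Path $KsEnvKey)) { New-Item -Path $KsEnvKey -Force | Out-Null }
    # -Type MultiString writes REG_MULTI_SZ (shown as hex(7) in a .reg export)
    Set-ItemProperty -Path $KsEnvKey -Name SystemCriticalProcesses -Value ([string[]]$clean) -Type MultiString
}

function Add-KsCriticalProcess {
    param([string]$Name)
    Set-KsCriticalProcesses (@(Get-KsCriticalProcesses) + $Name)
}

function Remove-KsCriticalProcess {
    param([string]$Name)
    # -ne is case-insensitive in PowerShell, so 'SVCHOST.EXE' matches too
    Set-KsCriticalProcesses (@(Get-KsCriticalProcesses | Where-Object { $_ -ne $Name }))
}

# What the fragment on this page actually contains (four names)
ConvertFrom-RegHex7 @'
"SystemCriticalProcesses"=hex(7):63,00,73,00,72,00,73,00,73,00,2e,00,65,00,78,\
00,65,00,00,00,77,00,69,00,6e,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,65,00,\
78,00,65,00,00,00,6c,00,73,00,61,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,\
00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,\
00,00,00,00
'@

# Usage (illustrative): keep a database engine from being terminated, and allow
# svchost.exe to be terminated. svchost.exe hosts many Windows services, so
# think before removing it.
Add-KsCriticalProcess 'sqlservr.exe'
Remove-KsCriticalProcess 'svchost.exe'
Get-KsCriticalProcesses
```

Every name you add to this list is a process the application will report on but never terminate, so keep it to what the server truly cannot run without; a bloated list is a place for a persistent infection to hide.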
On-Demand Scan
It is now possible to configure how the On-Demand Scan task handles the last access time (the AccessTime attribute) of the files it scans.
By default, the application restores a file's last access time after scanning it. You can disable this restoration via the registry if it causes false positives on backup systems.
To stop the access time of a file from being restored after an on-demand scan, specify the following value in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]
"DontRestoreFileTimes"=dword:00000001
The Trusted Zone
The algorithms for converting trusted zone path masks have been optimized. Suboptimal processing of path masks caused a significant performance drop on servers running Kaspersky Security 10.1 for Windows Server. Applying the critical fix reduces CPU consumption and speeds up the processing of file operations.
Use of KSN
- Interaction with the KSN Proxy has been improved.
- An issue resolving KSN Proxy IP addresses has been fixed. This issue led to an error starting the Use of KSN task after rebooting the computer.
- The waiting time for a response from the proxy server has been increased to 30 seconds.
- Errors starting and executing the Use of KSN task in local cloud mode as a result of missing KPSN configuration files have been fixed. If configuration files cannot be found on the drive when Local KSN has been enabled, the application now forcibly recreates configuration files on the drive based on KSN usage policy parameters.
Traffic Security
An error has been fixed that could cause the running application process to terminate when trace files were being written during network interception.
Anti-Cryptor
- The mechanisms for working with files of various formats have been improved:
  - The MDB format is now supported.
  - The likelihood of false positives when processing file operations on files in Microsoft Office formats has been reduced.
- File deletion processing has been optimized:
  - The heuristic analyzer algorithms have been refined to reduce the number of false positives: the Anti-Cryptor component now processes the deletion of many files at once more accurately.
  - It is now possible to configure detection of operations that permanently delete files. By default, the Anti-Cryptor component treats the overwriting of data with zeros as an encryption attempt. If you use legitimate software that permanently deletes files and do not want its actions to be detected, set the following value in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]
"AllowSecureDelete"=dword:00000001
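The three REG_DWORD switches this article documents under the Environment key (AntiCryptorSyncMode in the CORE13 Anti-Cryptor section, DontRestoreFileTimes in the On-Demand Scan section, and AllowSecureDelete above) are all managed the same way. The following script is an added example and not Kaspersky's own tooling; it sets, clears and reads back those values. The page does not say whether the Kaspersky Security service must be restarted for a change to take effect.

```powershell
# Added example (not from the Kaspersky article): manage the documented
# REG_DWORD switches under the Environment key. Run elevated.
#   AntiCryptorSyncMode  = 1  Anti-Cryptor processes file operations synchronously (not recommended)
#   DontRestoreFileTimes = 1  On-Demand Scan does not restore the AccessTime attribute
#   AllowSecureDelete    = 1  Anti-Cryptor no longer treats zero-overwrites as encryption

$KsEnvKey   = 'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment'
$KsSwitches = 'AntiCryptorSyncMode', 'DontRestoreFileTimes', 'AllowSecureDelete'

function Get-KsEnvironmentSwitches {
    $props = Get-ItemProperty -Path $KsEnvKey -ErrorAction SilentlyContinue
    foreach ($n in $KsSwitches) {
        $state = 'absent (default behaviour)'
        if ($props -and $props.PSObject.Properties[$n]) { $state = [int]$props.$n }
        [pscustomobject]@{ Name = $n; Value = $state }
    }
}

function Set-KsEnvironmentSwitch {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AntiCryptorSyncMode', 'DontRestoreFileTimes', 'AllowSecureDelete')]
        [string]$Name,
        [ValidateSet(0, 1)][int]$Value = 1
    )
    if (-not (Test-Path $KsEnvKey)) { New-Item -Path $KsEnvKey -Force | Out-Null }
    Set-ItemProperty -Path $KsEnvKey -Name $Name -Value $Value -Type DWord
}

function Clear-KsEnvironmentSwitch {
    param([Parameter(Mandatory)][string]$Name)
    # Deleting the value returns the component to its default behaviour
    Remove-ItemProperty -Path $KsEnvKey -Name $Name -ErrorAction SilentlyContinue
}

# Usage: permit a secure-delete tool on this server, make sure Anti-Cryptor stays asynchronous
Set-KsEnvironmentSwitch -Name AllowSecureDelete -Value 1
Clear-KsEnvironmentSwitch -Name AntiCryptorSyncMode
Get-KsEnvironmentSwitches
```

AllowSecureDelete=1 turns off the one heuristic that catches tools which zero files before deleting them, and wipers behave the same way. Set it only on the servers where the deletion tool actually runs, and clear it again when that job is finished.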
Log Inspection
The publishing format of events of the Log Inspection component in the Administration Server console has been fixed. Fields have been added for registering data about the name of the Log Inspection task rule that has been applied, the Event ID in Windows Event Log, and a copy of the entry from the Windows Event Log.
The RPC Network Storage Protection task
Errors have been fixed that caused the connection to the network data storage to be lost when processing files in Office formats.
Errors have been fixed that led to fields in task events not being filled completely: in events about detected malicious objects, information about the user and host address that accessed the detected object was not published.
Anti-Cryptor for NetApp
The way packets sent to the storage system are assembled has been optimized: objects received over the FPolicy protocol are now processed faster.
Exploit Prevention
Errors in applying process protection settings to Modern apps have been fixed.
Integration with Kaspersky Managed Protection
Errors in filling in the statistics fields required for protection against targeted attacks have been fixed.
Core functionality
- Issues in the application driver that led to critical operating system errors (BSoD) have been fixed.
- The Kaspersky Security service (kavfs.exe) no longer depends on the cryptsvc service. In some scenarios this dependency caused the Kaspersky Security service to stop completely when operating system updates were installed, and the service did not restart automatically until the next reboot.
- Errors that caused the Bases\Temp folder to grow after every database update have been fixed.
- An error that caused the task log file (tasks.rpt) to grow when a large number of tasks had been started has been fixed. A large tasks.rpt file delayed the start of the Kaspersky Security service (KAVFS).
After applying the critical fix, tasks.rpt no longer grows when many tasks are started, so the Kaspersky Security service starts faster in cases where a large tasks.rpt file had slowed it down.
Applying the critical fix does not shrink a tasks.rpt file that already exists on the drive. We recommend deleting the tasks.rpt file manually or running the KAVSHELL VACUUM command.
Kaspersky Security Center Integration
Issues have been fixed with:
- The displaying of a computer’s status in the Administration Server console.
- Establishing a connection with the activation servers.
- The generation of events that led to SQL errors on the Kaspersky Security Center side.
Password protection
You can start and stop the Kaspersky Security service via the computer’s settings in the Administration Server console, even if a password protection policy has been applied to the computer. You do not need to enter the password or disable password protection.
Installation
You must enter the password in order to install the critical fix on top of a version where password protection is in use. Specify the following command line key during installation: UNLOCK_PASSWORD=<password>
When installing the critical fix, the versions of the following application modules change:
Module name | Version after applying the critical fix |
---|---|
netappanticrypt.dll | 10.1.0.661 |
fssync.dll | 10.1.0.661 |
streamio.ppl | 10.1.0.661 |
klam.sys | 17.0.55.0 |
klam.inf | N/A |
klam.cat | N/A |
ak_conn.dll | 10.1.0.661 |
avpgs.ppl | 10.1.0.661 |
avscan.dll | 10.1.0.661 |
icapsrc.dll | 10.1.0.661 |
nappsrc.dll | 10.1.0.661 |
oassrc.dll | 10.1.0.661 |
odssrc.dll | 10.1.0.661 |
scandll.dll | 10.1.0.661 |
scrchsrc.dll | 10.1.0.661 |
tm2src.dll | 10.1.0.661 |
anticryptor.dll | 10.1.0.661 |
avs.ppl | 10.1.0.661 |
kavfs.exe | 10.1.0.661 |
kavfsmui.exe | 10.1.0.661 |
kavfswp.exe | 10.1.0.661 |
kavtray.exe | 10.1.0.661 |
kpcengine.dll | 10.1.0.661 |
mitmprxy.dll | 10.1.0.661 |
nfio.ppl | 10.1.0.661 |
Previous critical fix version of May 11, 2018
The critical fix KB14306 (CORE11) of May 11, 2018, includes error fixes for the following components:
- Traffic Security
- Anti-Cryptor
- Windows Subsystem for Linux (WSL) process interception
- Integration with the Administration Server
- Diagnostic interface
- Application Startup Control
- Core functionality
- Use of KSN
Core functionality
Errors in integration with Windows Security Center have been fixed. When the application attempted to send information about the server's protection status to Windows Security Center, the kavfs.exe process (Kaspersky Security service) crashed.
After applying the critical fix, the application works correctly.
Use of KSN
Issues with resolving the KSN Proxy host name to an IP address have been fixed. When the application started after a server restart, the name was resolved incorrectly, which caused an internal task error and stopped the Use of KSN task with an error.
After applying the critical fix, the application attempts to resolve the name to an IP address and does not stop the Use of KSN task if the attempt fails.
Traffic Security
Errors in the algorithms for assigning categories to web pages have been fixed. After applying the critical fix, the application assigns categories more accurately.
Application Startup Control
- The algorithms for blocking fileless malware launched via PowerShell and Regsvr32 have been improved.
- Issues with processing files in folders for which NTFS junction points were created have been fixed. When generating Application Startup Control allowing rules with the automatic rule generation task, the application processed files incorrectly if their folder was linked to another logical folder through a junction: it skipped these files when generating allowing rules, even when the scopes were specified in the task's settings.
After applying the fix, the application processes folders with NTFS junction points correctly, and rules generated for such folders correctly handle the startup of the files they contain.
- Issues with determining file types when Application Startup Control rules are triggered have been fixed.
Anti-Cryptor
- An issue in the graphics file processing algorithms has been fixed. It caused the application to hang when analyzing some JPEG files.
- An issue with Untrusted Hosts Blocking has been fixed. In version 10.0, the component that blocks compromised hosts on the network was implemented as a task. An error in the upgrade mechanism to version 10.1 caused this feature to migrate as a partially working, unmanaged Untrusted Hosts Blocking task.
After applying the critical fix, the task components carried over from version 10.0 become inactive, and the Blocked Hosts storage of version 10.1 is fully available and works correctly.
If you have not yet upgraded to version 10.1, you can instead install the Kaspersky Security 10.1 for Windows Server build with the integrated fix. When version 10.1 with the integrated fix is installed on top of version 10.0, the parts of the Untrusted Hosts Blocking task are not migrated.
Traffic Security. Interception of WSL processes
After applying the critical fix, the Traffic Security component records in the task log the name of the user who started the intercepted WSL process.
Kaspersky Security Center Integration
Errors in generating events about the application of Kaspersky Security Center policies have been fixed. After applying the critical fix, the application registers an event only when a policy is applied for the first time, not at every scheduled synchronization with the Administration Server.
Diagnostic Interface
- Visual defects in the Diagnostic Interface have been fixed.
- Errors in starting the Diagnostic Interface, reproduced on Windows Server 2012 R2 and later, have been fixed. After applying the critical fix, the Diagnostic Interface dialog opens as the active (foreground) window when started.
Kaspersky Security Center Integration. Anti-Cryptor
The centralized list of blocked hosts in the Administration Server Console registered only the LUID of a blocked host, even when the application had determined its name and address.
After the critical fix is applied, the Administration Server receives correct information about the blocked host.
Kaspersky Security Center Integration. Traffic Security
Events about detections by the Traffic Security component showed the compromised URL of an HTTPS page incorrectly when published on the Administration Server: only the protocol part of the URL was displayed.
After applying the critical fix, the report field containing the compromised URL is displayed in full.