The critical fix KB14306 of September 13, 2018 (CORE11), includes all the changes from previous critical fixes, as well as fixes for the following components:
- File Threat Protection
- On-Demand Scan
- The Trusted Zone
- Use of KSN
- Traffic Security
- Anti-Cryptor
- Log Inspection
- The RPC Network Storage Protection task.
- Anti-Cryptor for NetApp
- Exploit Prevention
- Integration with Kaspersky Managed Protection
- Core functionality
- Integration with Kaspersky Security Center
Fixes and improvements
File Threat Protection
The mechanisms for detecting and isolating active viruses have been improved:
- The application detects fileless infections (viruses that exist only in the computer memory, and not on the hard drive) when scanning the system memory scope during on-demand scan tasks.
- The mechanisms for processing active viruses upon detection have been improved: the application now kills infected processes correctly.
- It is now possible to configure a list of processes to be considered critical for the operating system. The application will not kill these processes when an active infection is detected.
Before the critical fix was applied, the application independently determined whether or not a process was critical for the operating system. When a process is given "critical" status, the application notifies you about threats detected in that process, but does not kill it automatically.
After applying the critical fix, you can use the registry to independently specify a list of processes that must be considered critical:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]
"SystemCriticalProcesses"=hex(7):63,00,73,00,72,00,73,00,73,00,2e,00,65,00,78,\
00,65,00,00,00,77,00,69,00,6e,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,65,00,\
78,00,65,00,00,00,6c,00,73,00,61,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,\
00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,\
00,00,00,00
By default, the list of processes is written in the registry in the MULTI_SZ format, which includes the following processes:
- csrss.exe
- winlogon.exe
- lsass.exe
- services.exe
- svchost.exe
If you don’t want one of these processes to be considered critical, change the MULTI_SZ value in the specified registry branch and remove the process ID. The application will then automatically kill the process when an active infection is detected.
If you want to add a different process to the list, change the MULTI_SZ value and add its process ID.
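The following Python is an added example, not Kaspersky's code: it decodes the `hex(7)` export shown above into process names, re-encodes an edited list in the same form, and reports drift from the documented default so that unexpected entries (processes the application will no longer kill automatically) stand out in a review. The function names and the `DOCUMENTED_DEFAULT` constant are assumptions made for this example.

```python
import re

# Value exactly as printed on this page (regedit export; hex(7) = REG_MULTI_SZ).
PAGE_VALUE = r'''"SystemCriticalProcesses"=hex(7):63,00,73,00,72,00,73,00,73,00,2e,00,65,00,78,\
00,65,00,00,00,77,00,69,00,6e,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,65,00,\
78,00,65,00,00,00,6c,00,73,00,61,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,\
00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,\
00,00,00,00'''

# Default list as documented in the text of this page.
DOCUMENTED_DEFAULT = ["csrss.exe", "winlogon.exe", "lsass.exe",
                      "services.exe", "svchost.exe"]


def decode_multi_sz(reg_entry):
    """Decode a regedit '"name"=hex(7):...' entry into a list of strings."""
    payload = reg_entry.split("hex(7):", 1)[1]
    # Remove continuation backslashes and whitespace, then read the byte list.
    tokens = re.sub(r"[\\\s]", "", payload).split(",")
    raw = bytes(int(t, 16) for t in tokens if t)
    # REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, plus a final NUL.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def encode_multi_sz(name, items):
    """Build the regedit hex(7) entry for a list of strings."""
    if any(not i or "\x00" in i for i in items):
        raise ValueError("entries must be non-empty and contain no NUL")
    raw = ("\x00".join(items) + "\x00\x00").encode("utf-16-le")
    return '"%s"=hex(7):%s' % (name, ",".join("%02x" % b for b in raw))


def drift(current, baseline):
    """Return (added, removed) image names, compared case-insensitively."""
    cur = {c.lower() for c in current}
    base = {b.lower() for b in baseline}
    return sorted(cur - base), sorted(base - cur)


if __name__ == "__main__":
    names = decode_multi_sz(PAGE_VALUE)
    print("decoded:", names)
    # Names in 'added' are exempt from automatic kill; review each one.
    print("added/removed vs documented default:", drift(names, DOCUMENTED_DEFAULT))
    # Constructed edit: put the full documented list back into export form.
    print(encode_multi_sz("SystemCriticalProcesses", DOCUMENTED_DEFAULT))
```

The value as printed above decodes to csrss.exe, winlogon.exe, lsass.exe and services.exe, so `drift` reports svchost.exe as removed relative to the documented list. Run the same check against an export taken from the server itself before editing the value.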
On-Demand Scan
A feature has been implemented for configuring parameters for using the AccessTime attribute for files scanned by the On-Demand Scan task.
By default, the application restores the last access time of a file (the AccessTime attribute) after it has been scanned. You can disable the restoration of the AccessTime attribute via the registry if it causes false positives on backup systems.
To stop the access time of a file from being restored after an on-demand scan, specify the following value in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]
"DontRestoreFileTimes"=dword:00000001
The Trusted Zone
The algorithms for converting masks of trusted zone paths have been optimized. Suboptimal processing of path masks led to a significant performance reduction on servers where the application version Kaspersky Security 10.1 for Windows Server was in use. Applying the critical fix will reduce CPU consumption and increase the processing speed of file operations.
Use of KSN
- Interaction with the KSN Proxy has been improved.
- An issue resolving KSN Proxy IP addresses has been fixed. This issue led to an error starting the Use of KSN task after rebooting the computer.
- The waiting time for a response from the proxy server has been increased to 30 seconds.
- Errors starting and executing the Use of KSN task in local cloud mode as a result of missing KPSN configuration files have been fixed. If configuration files cannot be found on the drive when Local KSN has been enabled, the application now forcibly recreates configuration files on the drive based on KSN usage policy parameters.
Traffic Security
An error has been fixed that could cause a critical termination of the running application process when writing trace files at the time of network interception.
Anti-Cryptor
- The mechanisms have been improved for working with files of various formats:
  - The MDB format is now supported.
  - The likelihood of false positives when processing file operations with files in Microsoft Office formats has been reduced.
- File removal processing has been optimized:
  - The heuristic analyzer algorithms have been refined to reduce the number of false positives: the Anti-Cryptor component can more accurately process the removal of multiple files at once.
  - A feature has been implemented that allows you to configure the detection of operations intended to permanently delete files. By default, the Anti-Cryptor component recognizes the overwriting of data with zeros as an encryption attempt. If you use legitimate software that permanently deletes files and don't want its actions to be detected, specify the following parameter in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\WSEE\10.1\Environment]
"AllowSecureDelete"=dword:00000001
Log Inspection
The publishing format of events of the Log Inspection component in the Administration Server console has been fixed. Fields have been added for registering data about the name of the Log Inspection task rule that has been applied, the Event ID in Windows Event Log, and a copy of the entry from the Windows Event Log.
The RPC Network Storage Protection task.
Errors have been fixed that caused the connection to the network data storage to be lost when processing files in Office formats.
Errors have been fixed that led to fields in task events not being filled completely: in events about detected malicious objects, information about the user and host address that accessed the detected object was not published.
Anti-Cryptor for NetApp
The means of forming packages to be sent to the data storage system has been optimized: the processing speed of objects received over the FPolicy protocol has been increased.
Exploit Prevention
Errors applying process protection parameters to Modern App applications have been fixed.
Integration with Kaspersky Managed Protection
Errors filling forms in statistics necessary for protection against targeted attacks have been fixed.
Core functionality
- Issues have been fixed in the application driver that led to critical operating system errors (BSoD).
- The Kaspersky Security (kavfs.exe) service is no longer dependent on the cryptsvc service. This dependency led to the Kaspersky Security service stopping completely when installing operating system updates in some scenarios. The service did not automatically restart before the next operating system reboot.
- Errors have been fixed that caused the size of the Bases\Temp folder to increase after every database update.
- An error has been fixed that caused the size of the task log file (tasks.rpt) to increase: the size of the file increased when a large number of tasks had been started. The large size of the tasks.rpt file caused a delay when starting the Kaspersky Security service (KAVFS).
After applying the critical fix, the size of the tasks.rpt file will not increase when a large number of tasks have been started. The fix will enable the Kaspersky Security service to start more quickly if the start time had increased as a result of a large tasks.rpt file.
Applying the critical fix does not reduce the size of a tasks.rpt file that was already created on the drive. We recommend removing the tasks.rpt file manually or using the command KAVSHELL VACUUM.
Kaspersky Security Center Integration
Issues have been fixed with:
- The displaying of a computer’s status in the Administration Server console.
- Establishing a connection with the activation servers.
- The generation of events that led to SQL errors on the Kaspersky Security Center side.
Password protection
You can start and stop the Kaspersky Security service via the computer’s settings in the Administration Server console, even if a password protection policy has been applied to the computer. You do not need to enter the password or disable password protection.
Installation
You must enter the password in order to install the critical fix on top of a version where password protection is in use. Specify the following command line key during installation: UNLOCK_PASSWORD=<password>
When installing the critical fix, the versions of the following application modules change:
Module name | Version after applying the critical fix |
---|---|
netappanticrypt.dll | 10.1.0.661 |
fssync.dll | 10.1.0.661 |
streamio.ppl | 10.1.0.661 |
klam.sys | 17.0.55.0 |
klam.inf | N/A |
klam.cat | N/A |
ak_conn.dll | 10.1.0.661 |
avpgs.ppl | 10.1.0.661 |
avscan.dll | 10.1.0.661 |
icapsrc.dll | 10.1.0.661 |
nappsrc.dll | 10.1.0.661 |
oassrc.dll | 10.1.0.661 |
odssrc.dll | 10.1.0.661 |
scandll.dll | 10.1.0.661 |
scrchsrc.dll | 10.1.0.661 |
tm2src.dll | 10.1.0.661 |
anticryptor.dll | 10.1.0.661 |
avs.ppl | 10.1.0.661 |
kavfs.exe | 10.1.0.661 |
kavfsmui.exe | 10.1.0.661 |
kavfswp.exe | 10.1.0.661 |
kavtray.exe | 10.1.0.661 |
kpcengine.dll | 10.1.0.661 |
mitmprxy.dll | 10.1.0.661 |
nfio.ppl | 10.1.0.661 |