Installation on Windows systems

This section describes the process of installing Kaspersky CyberTrace on Windows systems.

Installation methods

On Windows systems, you can install Kaspersky CyberTrace by one of two methods: by running the Windows Installer (.msi) package or by unpacking the .zip archive manually. Both methods are described below.

Windows Installer

To install Kaspersky CyberTrace by using Windows Installer:

  1. Make sure that the computer you plan to use for running Feed Service meets the hardware and software requirements.
  2. Make sure that the computer can send events to the computer on which a SIEM solution is installed and can receive events from the SIEM computer.
  3. Run the .msi file of the Windows Installer package.

    To install Kaspersky CyberTrace by using Windows Installer, you must run Windows Installer from the Administrator account.

    In Windows 7, to upgrade the Kaspersky CyberTrace files with Windows Installer, you must run the .msi file from a command prompt opened under the Administrator account.

  4. Accept the End User License Agreement (EULA).

    If you continue the installation, Kaspersky CyberTrace will be installed to C:\Program Files\Kaspersky Lab\Kaspersky CyberTrace. This folder is called %service_dir% in this document.

  5. Specify the proxy connection settings:
    1. Enter the IP address and port of the proxy server.
    2. Enter the user name and password for authenticating on the proxy server.

    Windows Installer tests the specified settings by connecting to https://wlinfo.kaspersky.com. If Windows Installer reports a certificate error, see General troubleshooting for information about importing the CA certificate.

  6. Specify the connection settings for events:
    1. Enter the IP address and port that Kaspersky CyberTrace listens on for incoming events.
    2. Enter the IP address and port to which Kaspersky CyberTrace sends detection events and service events.
    3. To test the specified connection settings, click Test connection.

When the installation completes, Kaspersky CyberTrace Web is launched, and the installer displays a check box and a link to Kaspersky CyberTrace Web.

To configure Kaspersky CyberTrace after it is installed:

  1. (Recommended) Configure Kaspersky CyberTrace further through its web interface by performing the actions described in section "Configuring Kaspersky CyberTrace using the web interface" below.
  2. Verify that everything is in working order. See section "Checking that the components of Kaspersky CyberTrace work properly" below.
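Steps 2 and 5 of the procedure above (SIEM connectivity and the proxy test against https://wlinfo.kaspersky.com) can be checked before the installer is launched. The following PowerShell script is an added example, not part of Kaspersky CyberTrace or its installer. The SIEM address, the ports and the proxy URL in it are assumptions; replace them with the values you intend to enter in the installer. It uses Test-NetConnection and Get-NetTCPConnection, so it assumes Windows 8 / Windows Server 2012 or later.

```powershell
# Pre-flight check for the Windows Installer procedure above. This is an added
# example, not part of Kaspersky CyberTrace or its installer. All values below
# are assumptions: replace them with your SIEM address, the ports you will enter
# in the installer, and your proxy. Run it in an elevated PowerShell session.
$SiemHost   = '10.0.0.20'                        # assumption: SIEM event receiver
$SiemPort   = 9999                               # assumption: port the SIEM listens on
$ListenPort = 9999                               # assumption: port CyberTrace will listen on
$ProxyUri   = 'http://proxy.example.com:3128'    # assumption; set to $null if no proxy is used
$TestUrl    = 'https://wlinfo.kaspersky.com'     # the URL the installer itself tests

$results = [ordered]@{}

# Windows Installer must be run from an Administrator account; check it up front.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
$results['Running as Administrator'] =
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Outbound: can this host open a TCP connection to the SIEM receiver?
$siem = Test-NetConnection -ComputerName $SiemHost -Port $SiemPort -WarningAction SilentlyContinue
$results['SIEM port reachable'] = $siem.TcpTestSucceeded

# Inbound: is the port CyberTrace will listen on still free? Another process already
# bound to it makes the installer's Test connection fail with a confusing error.
$bound = Get-NetTCPConnection -LocalPort $ListenPort -State Listen -ErrorAction SilentlyContinue
$results['Listen port free'] = -not $bound

# Proxy: repeat the installer's own test, a request to wlinfo.kaspersky.com through
# the proxy. Any HTTP status proves the path works; a failure whose message mentions
# the certificate means the proxy (or a TLS-inspecting device) presents a CA this host
# does not trust. See General troubleshooting for importing that CA certificate.
$params = @{ Uri = $TestUrl; UseBasicParsing = $true; TimeoutSec = 15 }
if ($ProxyUri) {
    $params.Proxy = $ProxyUri
    $cred = Get-Credential -Message 'Proxy user name and password (Cancel if none)'
    if ($cred) { $params.ProxyCredential = $cred }
}
try {
    $resp = Invoke-WebRequest @params
    $results['Proxy / Kaspersky reachable'] = "yes (HTTP $($resp.StatusCode))"
} catch {
    if ($_.Exception.Response) {
        $results['Proxy / Kaspersky reachable'] = "yes (HTTP $([int]$_.Exception.Response.StatusCode))"
    } else {
        $results['Proxy / Kaspersky reachable'] = "NO: $($_.Exception.Message)"
    }
}

$results.GetEnumerator() | Format-Table -AutoSize
```

A "NO" result for the last row with a message about the certificate chain is the same condition the installer reports as a certificate error; fix it by importing the CA certificate before running the .msi rather than by disabling certificate validation.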

Windows installation by .zip file

To install Kaspersky CyberTrace by unpacking the .zip archive manually:

  1. Make sure that the computer you plan to use for running Feed Service meets the hardware and software requirements.
  2. Make sure that the computer can send events to the computer on which a SIEM solution is installed and can receive events from the SIEM computer.
  3. Unpack the contents of the installation archive to C:\Program Files\Kaspersky Lab\Kaspersky CyberTrace. Hereinafter, this folder is referred to as %service_dir%.

  4. Read the End User License Agreements (EULAs) for Kaspersky CyberTrace and Kaspersky Threat Data Feeds. The EULAs are located at %service_dir%\doc\license.rtf.

    If you agree to the terms of the EULAs, proceed to the next step.

  5. Accept the EULAs:
    1. In the %service_dir%\bin\kl_feed_service.conf file (hereinafter referred to as the Feed Service configuration file) find the following line:

      <EULA>rejected</EULA>

    2. If you accept the EULAs, change the line to the following:

      <EULA>accepted</EULA>

    3. In the %service_dir%\bin\kl_feed_util.conf file (hereinafter referred to as Feed Utility configuration file) find the following line:

      <EULA>rejected</EULA>

    4. If you accepted the EULAs, change the line to the following:

      <EULA>accepted</EULA>

  6. Install CyberTrace Web by generating an SSL certificate for it. You can use either a self-signed certificate or a certificate signed by a trusted CA:
    • To generate a self-signed certificate, run the following command from the command line:

      %service_dir%\tools\openssl.exe req -x509 -nodes -days 345 -subj /C=RU/CN=127.0.0.1 -newkey rsa:2048 -extensions EXT -keyout %service_dir%\httpsrv\kl_feed_service_private.pem -out %service_dir%\httpsrv\kl_feed_service_cert.pem -config %service_dir%\tools\openssl.cnf

      A self-signed certificate causes a browser warning, and the CN=127.0.0.1 subject above matches only connections to the local host, so it is suitable for administering CyberTrace Web from the computer it runs on. Because the command uses -nodes, the private key is written unencrypted; restrict access to %service_dir%\httpsrv\kl_feed_service_private.pem to administrators and the service account.
    • To generate a trusted certificate, follow the instructions in section "Generating certificates for CyberTrace Web".
  7. Add Feed Service and its watchdog service to Windows by running the %service_dir%\install.bat file as Administrator. The installation script will also run Kaspersky CyberTrace.
  8. (Recommended) Configure Kaspersky CyberTrace further through its Web UI. Perform actions described in section "Configuring Kaspersky CyberTrace using the web interface" below.
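Steps 5 to 7 of the .zip procedure above can be run unattended. The following PowerShell script is an added example, not part of Kaspersky CyberTrace. It assumes the archive is already unpacked to the %service_dir% path below, that you have read and agree to the EULAs in %service_dir%\doc\license.rtf, that the configuration files are plain UTF-8, and that the services run as LocalSystem (the ACL it sets on the private key grants only SYSTEM and Administrators; add the service account if yours is different).

```powershell
# Unattended run of steps 5 to 7 of the .zip procedure above. This is an added
# example, not part of Kaspersky CyberTrace. It assumes the archive is already
# unpacked to $ServiceDir, that you have read and agree to the EULAs in
# %service_dir%\doc\license.rtf, and that the services run as LocalSystem (the ACL
# step below grants only SYSTEM and Administrators). Run from an elevated PowerShell.
$ServiceDir = 'C:\Program Files\Kaspersky Lab\Kaspersky CyberTrace'   # %service_dir%
$CertCn     = '127.0.0.1'   # CN from the manual command; browsers accept it only for that address

# Step 5: flip <EULA>rejected</EULA> to accepted in both configuration files.
# Fail loudly if the marker is absent so a wrong path cannot leave a file untouched.
foreach ($rel in 'bin\kl_feed_service.conf', 'bin\kl_feed_util.conf') {
    $path = Join-Path $ServiceDir $rel
    $text = Get-Content -Path $path -Raw
    if ($text -notmatch '<EULA>(rejected|accepted)</EULA>') {
        throw "No <EULA> element in $path; is $ServiceDir the unpacked archive?"
    }
    $text = $text -replace '<EULA>rejected</EULA>', '<EULA>accepted</EULA>'
    # Write UTF-8 without BOM (assumption about the files' encoding) rather than
    # Set-Content, whose default encoding differs between PowerShell versions.
    [IO.File]::WriteAllText($path, $text, (New-Object Text.UTF8Encoding $false))
    "EULA accepted in $rel"
}

# Step 6: self-signed certificate for CyberTrace Web, the same openssl invocation as
# in the manual procedure. -nodes writes the private key unencrypted, so the NTFS ACL
# is tightened afterwards (SIDs are used so the names work on localized Windows).
$openssl = Join-Path $ServiceDir 'tools\openssl.exe'
$key     = Join-Path $ServiceDir 'httpsrv\kl_feed_service_private.pem'
$cert    = Join-Path $ServiceDir 'httpsrv\kl_feed_service_cert.pem'
& $openssl req -x509 -nodes -days 345 -subj "/C=RU/CN=$CertCn" -newkey rsa:2048 `
    -extensions EXT -keyout $key -out $cert -config (Join-Path $ServiceDir 'tools\openssl.cnf')
if ($LASTEXITCODE -ne 0) { throw "openssl.exe exited with code $LASTEXITCODE" }
icacls $key /inheritance:r /grant:r '*S-1-5-18:(R)' '*S-1-5-32-544:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls exited with code $LASTEXITCODE" }

# Step 7: register Feed Service and its watchdog (install.bat also starts them),
# then show their state with the status option of kl_control.bat.
Push-Location $ServiceDir
try {
    & cmd.exe /c install.bat
    if ($LASTEXITCODE -ne 0) { throw "install.bat exited with code $LASTEXITCODE" }
    & cmd.exe /c bin\kl_control.bat status
} finally {
    Pop-Location
}
```

Every external step checks $LASTEXITCODE so that a failed certificate generation does not leave the script proceeding to install.bat with an empty httpsrv folder; the status output at the end is the same check as in "Checking that the components of Kaspersky CyberTrace work properly".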

Perform the following procedure only if you cannot configure Kaspersky CyberTrace using Kaspersky CyberTrace Web.

To configure Kaspersky CyberTrace by editing its configuration files:

  1. Select the feeds that must be downloaded and processed by Feed Utility:
    1. In the %service_dir%\bin\kl_feed_util.conf file, find the feeds that you want to download and process.
    2. For each of the feeds, find the following attribute:

      enabled="false"

    3. For each of the feeds, change the value of the attribute to true:

      enabled="true"

  2. Specify the feeds that must not be processed by Feed Service:
    1. In the %service_dir%\bin\kl_feed_service.conf file, find the feeds that you will not use.
    2. For each of the feeds, find the following attribute:

      enabled="true"

    3. For each of the feeds, change the value of the attribute to false:

      enabled="false"

    The lists of the enabled feeds in the Feed Utility configuration file and the Feed Service configuration file must be the same.

  3. Specify the IP address and port (or the Windows named pipe) to which Feed Service will send outgoing events in the OutputSettings > ConnectionString element of the Feed Service configuration file.
  4. Specify the IP address and port (or the Windows named pipe) that Feed Service will listen on for incoming events in the InputSettings > ConnectionString element of the Feed Service configuration file.
  5. If you want to use Log Scanner, specify the IP address and port (or the Windows named pipe) that the utility will use to interact with Feed Service in the Connection element of the Log Scanner configuration file.

    The Log Scanner configuration file is located at %service_dir%\log_scanner\log_scanner.conf.

  6. If you have a commercial certificate for downloading feeds, replace the %service_dir%\dmz\feeds.pem demo certificate with your commercial certificate.
  7. If you want Feed Utility to access Kaspersky servers through a proxy server, specify the proxy settings by running the utility with the --set-proxy option:

    kl_feed_util --set-proxy 'user:pass@proxy.example.com:3128' -c ..\bin\kl_feed_util.conf

    The proxy password passed on the command line is visible in the console command history and, while the utility runs, to anyone who can inspect process command lines on the computer.

  8. If you have a commercial license key, you can add it to Kaspersky CyberTrace by copying it to the %service_dir%\httpsrv\lic directory.
  9. If you want to use normalizing rules to process the events sent by various sources or if you want to use custom regular expressions to parse the events, add the <Source> elements with normalizing rules and custom regular expressions to the Feed Service configuration file.
  10. Restart Feed Service by running the %service_dir%\bin\kl_control.bat file as Administrator.
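Steps 1 and 2 above require the enabled feed lists in kl_feed_util.conf and kl_feed_service.conf to be identical, and nothing in the procedure checks that before the restart. The following PowerShell script is an added example, not part of Kaspersky CyberTrace, that compares the two files. It assumes that in both files each feed is an XML element carrying an enabled="true" or enabled="false" attribute and identified by a name attribute; if your files identify feeds differently, change the key expression in Get-FeedState.

```powershell
# Added consistency check for the manual configuration procedure above; not part of
# Kaspersky CyberTrace. Assumption: in both files each feed is an XML element with an
# enabled="true|false" attribute and a name attribute. Elements that have enabled but
# no name are keyed by their element name. Run before restarting Feed Service.
$ServiceDir = 'C:\Program Files\Kaspersky Lab\Kaspersky CyberTrace'   # %service_dir%

function Get-FeedState {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $state = @{}
    foreach ($node in $doc.SelectNodes('//*[@enabled]')) {
        $key = if ($node.HasAttribute('name')) { $node.GetAttribute('name') } else { $node.LocalName }
        # A feed counts as enabled only if the attribute is literally "true".
        $state[$key] = ($node.GetAttribute('enabled') -eq 'true')
    }
    return $state
}

$util    = Get-FeedState (Join-Path $ServiceDir 'bin\kl_feed_util.conf')
$service = Get-FeedState (Join-Path $ServiceDir 'bin\kl_feed_service.conf')

$enabledUtil    = @($util.Keys    | Where-Object { $util[$_] })    | Sort-Object
$enabledService = @($service.Keys | Where-Object { $service[$_] }) | Sort-Object

# Set difference in both directions; Compare-Object is avoided because it rejects
# an empty reference array, which is exactly the state a fresh install is in.
$onlyUtil    = @($enabledUtil    | Where-Object { $_ -notin $enabledService })
$onlyService = @($enabledService | Where-Object { $_ -notin $enabledUtil })

if ($onlyUtil.Count -eq 0 -and $onlyService.Count -eq 0) {
    if ($enabledUtil.Count -eq 0) { Write-Warning 'No feeds are enabled in either file.' }
    else { "Enabled feed lists match ($($enabledUtil.Count) feeds): $($enabledUtil -join ', ')" }
} else {
    foreach ($f in $onlyUtil)    { Write-Warning "$f is enabled only in kl_feed_util.conf (Feed Service will ignore it)" }
    foreach ($f in $onlyService) { Write-Warning "$f is enabled only in kl_feed_service.conf (Feed Utility will not download it)" }
    exit 1
}
```

Run the script again after any change made through the web interface as well, since step 8 of the web-interface procedure edits the same feed lists.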

Checking that the components of Kaspersky CyberTrace work properly

To check whether the components of Kaspersky CyberTrace work properly:

  1. Run the kl_control.bat script with the status option.

    Run this script as Administrator. The result displayed in the console must be similar to the figure below.

    (Figure: kl_control.bat output)

If the result is not similar to the figure, contact your technical account manager (TAM) for assistance.

Configuring Kaspersky CyberTrace using the web interface

To configure Kaspersky CyberTrace using the web interface:

  1. Open Kaspersky CyberTrace Web in your browser at https://127.0.0.1.
  2. Specify IP addresses and ports (or Windows named pipes) that Feed Service will use for incoming and outgoing events by means of the Settings > Service tab.
  3. If you want to use Log Scanner, specify the IP address and port (or the Windows named pipe) that the utility will use to interact with Feed Service in the Connection element of the Log Scanner configuration file.

    The Log Scanner configuration file is located at %service_dir%\log_scanner\log_scanner.conf.

  4. If you want to use normalizing rules to process the events sent by various sources or if you want to use custom regular expressions, configure them on the Matching tab.
  5. If you want Feed Utility to access Kaspersky servers through a proxy server, specify proxy settings on the Settings > Service tab.
  6. If you have a commercial license key, you can add it to Kaspersky CyberTrace using the Licensing tab.
  7. If you have a commercial certificate for downloading feeds, you can import it using the Feeds update period section.
  8. In the Filtering rules for feeds section of CyberTrace Web, select the feeds that must be downloaded and processed by Feed Utility.