Upgrading Kaspersky CyberTrace files (Windows)

This section describes how to upgrade Kaspersky CyberTrace on Windows.

Upgrading files (Windows Installer—.msi file)

When upgrading Kaspersky CyberTrace files in Windows 7 using Windows Installer, you must run the .msi file from the command line with administrator privileges.

To upgrade Kaspersky CyberTrace automatically to a newer version:

  1. Make backup copies of the black and white lists:
    1. If the black list contains records, make a backup copy of the %service_dir%\feeds\Black_List.json file and the %service_dir%\feeds\Black_List.json.url.bin folder.
    2. If the white list contains records, make a backup copy of the %service_dir%\feeds\White_List.json file and the %service_dir%\feeds\White_List.json.url.bin folder.
  2. Make a backup copy of the %service_dir%\bin\kl_feed_util.conf file.
  3. Run the .msi file that starts upgrading automatically.
  4. At the beginning of upgrading, accept the request to stop Feed Service. If you refuse to stop it, the upgrade fails.

    Starting from Kaspersky CyberTrace version 3.1.0, the CyberTrace HTTP service always runs when Kaspersky CyberTrace is initialized.

  5. Change the settings during the upgrade process, if necessary.

    When Windows Installer finishes the upgrade process, Feed Service will be launched.

  6. Stop Feed Service by running the following command:

    %service_dir%\bin\kl_control.bat stop

  7. Move the settings of Kaspersky feeds from the backup copy of kl_feed_util.conf to the %service_dir%\bin\kl_feed_util.conf file:
    • For each Feed element of the kl_feed_util.conf backup copy that is not related to an OSINT or custom feed and whose Name nested element does not contain Mobile_Botnet_CnC_URL_Data_Feed.json, copy the contents of the Feed element to the kl_feed_util.conf file to substitute the existing data with the new data.
    • For the Feed element of the kl_feed_util.conf backup copy, whose Name nested element contains Mobile_Botnet_CnC_URL_Data_Feed.json, move the value of its enabled attribute to the enabled attribute of the corresponding Feed element of the kl_feed_service.conf.
  8. Restore the black and white lists from their backup copies.
  9. Start Feed Service by using Kaspersky CyberTrace Web or by running the following command:

    %service_dir%\bin\kl_control.bat start

  10. Clear the browser cache using the standard method for your browser and navigate to the Kaspersky CyberTrace Web page.

After you perform the steps above, all the settings, user accounts data, available feeds and certificates will be transferred to the new version. If you have a commercial license key, you can add it to Kaspersky CyberTrace by means of the Licensing tab.

If the kl_feed_service.conf file contains a normalizing rule for delimiting events (namely, the output attribute of the Replace element has the value "\n" or "&#10;"), edit the configuration file and restart Feed Service.

To edit a rule for delimiting events:

  1. In the kl_feed_service.conf file, create or edit the Configuration > InputSettings > EventDelimiter element with the following contents:

    <EventDelimiter>%START_EVENT_SYMBOLS%</EventDelimiter>

    Here %START_EVENT_SYMBOLS% is the value of the input attribute of the Replace element whose output attribute has the value "\n" or "&#10;".

  2. Remove the Replace element whose output attribute has the value "\n" or "&#10;".
  3. Restart Feed Service by using Kaspersky CyberTrace Web or by running the following command:

    %service_dir%\bin\kl_control.bat restart

Note that automatic upgrade with the .msi file is available only if you have Kaspersky CyberTrace version 3.0.0 or later on your computer. Also, automatic upgrade functionality is available only if you have accepted the EULA in the installation that is being upgraded.
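The conversion described above (and required again in step 7 of the .zip procedure below) moves the input of the event-delimiting Replace rule into Configuration > InputSettings > EventDelimiter and drops the rule. The following script, added here as an illustration and not part of the Kaspersky documentation or product, applies it to a constructed configuration fragment; it treats both the literal two-character string "\n" and the character reference &#10; (which an XML parser has already turned into a line feed) as the delimiter marker.

```python
import xml.etree.ElementTree as ET

# Constructed fragment of a kl_feed_service.conf backup (not a real product
# file): the first Replace rule delimits events by turning the constructed
# start-of-event marker "<EVENT>" into a newline; the second is unrelated.
SAMPLE_CONF = """<Configuration>
  <InputSettings>
    <ConnectionString>127.0.0.1:9999</ConnectionString>
  </InputSettings>
  <NormalizingRules>
    <Replace input="&lt;EVENT&gt;" output="&#10;"/>
    <Replace input="\\t" output=" "/>
  </NormalizingRules>
</Configuration>"""

# Both spellings the page names: the literal two characters "\n", and the
# character reference &#10;, which the XML parser has already turned into LF.
NEWLINE_OUTPUTS = {"\\n", "\n"}

def convert_delimiter_rule(conf_xml):
    """Move the event-delimiting Replace rule into InputSettings/EventDelimiter."""
    root = ET.fromstring(conf_xml)
    rules = root.find("NormalizingRules")
    if rules is None:
        return conf_xml
    hits = [r for r in rules.findall("Replace") if r.get("output") in NEWLINE_OUTPUTS]
    if not hits:
        return conf_xml  # nothing to convert
    if len(hits) > 1:
        raise ValueError("more than one event-delimiting Replace rule found")
    rule = hits[0]
    settings = root.find("InputSettings")
    if settings is None:
        settings = ET.SubElement(root, "InputSettings")
    delim = settings.find("EventDelimiter")
    if delim is None:
        delim = ET.SubElement(settings, "EventDelimiter")
    delim.text = rule.get("input")   # this is %START_EVENT_SYMBOLS%
    rules.remove(rule)               # the Replace rule itself goes away
    return ET.tostring(root, encoding="unicode")

def event_delimiter(conf_xml):
    node = ET.fromstring(conf_xml).find("InputSettings/EventDelimiter")
    return None if node is None else node.text

def replace_outputs(conf_xml):
    return [r.get("output") for r in ET.fromstring(conf_xml).iter("Replace")]
```

Running the conversion a second time is a no-op, so it is safe to re-run on a file that has already been edited by hand.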

Upgrading files (.zip file installation)

To upgrade Kaspersky CyberTrace:

  1. Stop Feed Service by running the following command:

    %service_dir%\bin\kl_control.bat stop

  2. Make a backup copy of the following files:
    • %service_dir%\bin\kl_feed_service.conf
    • %service_dir%\bin\kl_feed_util.conf
    • %service_dir%\httpsrv\etc\custom_feed_list.conf
    • %service_dir%\httpsrv\etc\ktfsaccess
    • %service_dir%\httpsrv\etc\ktfsstatistics.kvdb
    • %service_dir%\httpsrv\etc\ktfsstorage.kvdb

    Also, make backup copies of the PEM-formatted certificates specified in the SSLCertificatePath and SSLPrivateKeyPath elements of the kl_feed_service.conf file and the CertFile element of the kl_feed_util.conf file.

    If the black list contains records, make backup copies of the %service_dir%\feeds\Black_List.json file and the %service_dir%\feeds\Black_List.json.url.bin folder. If the white list contains records, make backup copies of the %service_dir%\feeds\White_List.json file and the %service_dir%\feeds\White_List.json.url.bin folder.

  3. Uninstall Kaspersky CyberTrace:
    1. Run the uninstall.bat script, which you can find in the Kaspersky CyberTrace distribution kit.
    2. Delete the %service_dir% folder.
  4. Unpack the ZIP archive to the %service_dir% folder and overwrite existing files.
  5. Set the connection settings as follows:
    1. Copy the proxy settings to the ProxySettings element of the kl_feed_util.conf file from its backup copy.
    2. Copy the IP address and port (or the Windows named pipe) to which the outgoing events will be sent to the OutputSettings > ConnectionString element of the kl_feed_service.conf file from its backup copy.
    3. Copy the IP address and port (or the Windows named pipe) to listen on for incoming events to the InputSettings > ConnectionString element of the kl_feed_service.conf file from its backup copy.
  6. For every Configuration > InputSettings > RegExps > Source element of the kl_feed_service.conf file backup, copy the element to the kl_feed_service.conf file (by this you substitute the existing data with the new data).
  7. Copy the contents of the Configuration > NormalizingRules element of the backup copy of the kl_feed_service.conf file to every Configuration > InputSettings > RegExps > Source > NormalizingRules element of the kl_feed_service.conf file whose id attribute of the Source element is not http_single_lookup or http_file_lookup.

    If, however, a normalizing rule is used for delimiting events (namely, the output attribute of the Replace element has the value "\n" or "&#10;"), do not copy it to the kl_feed_service.conf file, but create or edit the Configuration > InputSettings > EventDelimiter element instead with the following contents:
    <EventDelimiter>%START_EVENT_SYMBOLS%</EventDelimiter>
    Here %START_EVENT_SYMBOLS% is the value of the input attribute of that Replace element.

  8. Merge the contents of the Feeds element of the kl_feed_service.conf file backup with the kl_feed_service.conf file as follows:
    1. In the kl_feed_service.conf file backup, change the value of the name attribute of each Field element that pertains to a custom JSON feed as follows: in the kl_feed_util.conf file backup, in the Parsing element of the same JSON feed, find the element whose name equals that name attribute, and replace the name attribute with the text value of the found element.

      For example:

      The contents of the kl_feed_service.conf file backup before editing:

      <Feed filename="My_custom_feed.json" outdated_alert_period="0" enabled="true">
        <Field name="Custom_MD5" matching_type="Exact" input_regexp_to_match="RE_HASH" category=" My_custom_feed_MD5" />
        <Field name="Custom_URL" matching_type="Url" input_regexp_to_match="RE_URL" category=" My_custom_feed_URL" />
      </Feed>

      The contents of the kl_feed_util.conf file backup:

      <Parsing type="json">
        <Custom_URL type="url">URL</Custom_URL>
        <Custom_MD5 type="md5">MD5</Custom_MD5>
      </Parsing>

      The contents of the kl_feed_service.conf file backup after editing:

      <Feed filename="My_custom_feed.json" outdated_alert_period="0" enabled="true">
        <Field name="MD5" matching_type="Exact" input_regexp_to_match="RE_HASH" category=" My_custom_feed_MD5" />
        <Field name="URL" matching_type="Url" input_regexp_to_match="RE_URL" category=" My_custom_feed_URL" />
      </Feed>

      A custom JSON feed is not from Kaspersky, nor is it an OSINT feed, but instead is a feed for which the Path element of the kl_feed_util.conf has the .json extension.

    2. For every Feed element of the kl_feed_service.conf file backup that is not related to an OSINT feed and whose filename attribute is not equal to Mobile_Botnet_CnC_URL_Data_Feed.json, copy the Feed element's contents to the kl_feed_service.conf file to substitute the existing data with the new data.
    3. For the Feed element of the kl_feed_service.conf file backup whose filename attribute is Mobile_Botnet_CnC_URL_Data_Feed.json, copy the value of its enabled attribute to the enabled attribute of the Feed element of the kl_feed_service.conf file whose filename attribute is Mobile_Botnet_CnC_URL_Data_Feed.json.
  9. Merge the contents of the Feeds element of the kl_feed_util.conf file backup with kl_feed_util.conf as follows:
    1. Edit the kl_feed_util.conf file backup as follows:
      1. For each field listed in the RequiredFields element of every custom JSON feed, find an element, nested in the Parsing element of this JSON feed, whose name is the same as the field name, and rename the field in the RequiredFields element to the value of the found element.
      2. For the field specified in the UrlMatcherField element (if this element is used) of every custom JSON feed, find an element nested in the Parsing element of this JSON feed, whose name is the same as the field name. Rename the field in the UrlMatcherField element to the value of the found element.
      3. For each element nested in the Parsing element that pertains to a custom JSON feed, change its name to Field.

      For example:

      The contents of the kl_feed_util.conf file backup before editing:

      <Feed enabled="true">
        <Name>My_custom_feed</Name>
        <Path>./custom_example/example_feed.json</Path>
        <UrlMatcherField>Custom_URL</UrlMatcherField>
        <Parsing type="json">
          <Custom_MD5 type="MD5">MD5</Custom_MD5>
          <Custom_URL type="URL">URL</Custom_URL>
          <Some_Trash type="CONTEXT">trash</Some_Trash>
        </Parsing>
        <RequiredFields>Custom_MD5;Custom_URL;Some_Trash</RequiredFields>
      </Feed>

      The contents of the kl_feed_util.conf file backup after editing:

      <Feed enabled="true">
        <Name>My_custom_feed</Name>
        <Path>./custom_example/example_feed.json</Path>
        <UrlMatcherField>URL</UrlMatcherField>
        <Parsing type="json">
          <Field type="MD5">MD5</Field>
          <Field type="URL">URL</Field>
          <Field type="CONTEXT">trash</Field>
        </Parsing>
        <RequiredFields>MD5;URL;trash</RequiredFields>
      </Feed>

      A custom JSON feed is not from Kaspersky, nor is it an OSINT feed, but instead is a feed for which the Path element of the kl_feed_util.conf has the .json extension.

    2. For every Feed element of the kl_feed_util.conf file backup that is not related to an OSINT feed and whose Name nested element does not contain Mobile_Botnet_CnC_URL_Data_Feed.json, copy the Feed element's contents to the kl_feed_util.conf file to substitute the existing data with the new data.
    3. For the Feed element of the kl_feed_util.conf file backup, whose Name nested element contains Mobile_Botnet_CnC_URL_Data_Feed.json, specify the value of its enabled attribute in the enabled attribute of the Feed element of the kl_feed_service.conf file whose Name nested element contains Mobile_Botnet_CnC_URL_Data_Feed.json.
  10. Set the regular feed update settings as specified in Windows Task Scheduler as follows:
    1. Obtain from Windows Task Scheduler the update period for the %service_dir%\scripts\schtasks script by running the following command:

      schtasks /query /tn KasperskyFeedServiceUpdate /v /fo list

      The update period is the value of the Repeat Every parameter.

    2. Choose the nearest value for the update period among the following: 0, 30, 60, 120, 240, 480, 960, 1440 minutes.

      If you specify 0, the automatic update is switched off.

    3. Specify the chosen value in the update_frequency attribute of the Configuration > Feeds element of the kl_feed_service.conf file.

      If you specify a value other than the values listed above, an error will occur during the Feed Service start.

    4. Remove from Windows Task Scheduler the regular update of the %service_dir%\scripts\schtasks script by running the following command:

      schtasks /Delete /tn KasperskyFeedServiceUpdate

  11. Copy the Kaspersky CyberTrace GUI settings to the GUISettings element of the kl_feed_service.conf file from its backup copy (in this way, you can replace existing data with new data).

    If the value of the enabled attribute of the GUISettings > HTTPServer section in the kl_feed_util.conf backup copy is false, copy this section to the kl_feed_util.conf configuration file without the enabled attribute.

  12. Configure Kaspersky CyberTrace so that it will use the existing regular expressions and work with the new feeds.

    For this, specify feed matching rules for the new feeds (Mobile Botnet CnC URL Data Feed, IoT URL Data Feed, Vulnerability Data Feed) in the Feeds element of the kl_feed_service.conf configuration file as follows:

    1. For every new feed, remove all the Field elements from the kl_feed_service.conf file.
    2. In the kl_feeds_info.conf file, find the feed being considered, the list of its fields to detect, and the name, type, and category parameters of these fields.
    3. For every field to detect, determine the matching type and the type of extracted data on the basis of the field type, from the following table (there can be several choices):

      Field type | Type of extracted data | Matching type
      -----------|------------------------|--------------
      URL        | URL                    | URL
      DOMAIN     | URL                    | URL
      IP         | IP                     | EXACT
      MD5        | MD5                    | EXACT
      SHA1       | SHA1                   | EXACT
      SHA256     | SHA256                 | EXACT
      MD5        | HASH                   | EXACT
      SHA1       | HASH                   | EXACT
      SHA256     | HASH                   | EXACT
      DOMAIN     | DOMAIN                 | URL
      URL        | DOMAIN                 | URL

    4. In the RegExps section, find all regular expressions of the determined type of extracted data.
    5. For every regular expression found, add a Field element to the kl_feed_service.conf file with the following data:
      • The name attribute contains the value of the name parameter of the field to detect, according to the kl_feed_info.conf file.
      • The matching_type attribute contains the matching type from the above table.
      • The input_regexp_to_match attribute contains the regular expression name.
      • The category attribute contains the value of the category parameter of the field to detect, according to the kl_feed_info.conf file.
  13. Replace the following files and folders with their backup copies:
    • PEM-formatted certificates mentioned in step 2
    • %service_dir%\httpsrv\etc\custom_feed_list.conf
    • %service_dir%\httpsrv\etc\ktfsaccess
    • %service_dir%\httpsrv\etc\ktfsstatistics.kvdb
    • %service_dir%\httpsrv\etc\ktfsstorage.kvdb
    • %service_dir%\feeds\Black_List.json
    • %service_dir%\feeds\Black_List.json.url.bin
    • %service_dir%\feeds\White_List.json
    • %service_dir%\feeds\White_List.json.url.bin
  14. Copy the Feed Utility proxy settings to the Settings > ProxySettings element of the kl_feed_util.conf file from its backup copy.
  15. Add Feed Service and its watchdog service to Windows by running the %service_dir%\install.bat file as Administrator. The installation script will also run Kaspersky CyberTrace.
  16. Clear the browser cache using the standard method for your browser and navigate to the Kaspersky CyberTrace Web page.
  17. Select the Settings > Feeds tab in Kaspersky CyberTrace Web and turn on the use of the OSINT feeds that you need in the Filtering rules for feeds table.
  18. If you have a commercial license key, you can add it to Kaspersky CyberTrace by means of the Licensing tab.
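Steps 8.1 and 9.1 above apply the same renaming in two files: the Parsing element of a custom JSON feed in the kl_feed_util.conf backup maps each old field name (the element tag) to its new name (the element text), and that mapping is then applied to the Field name attributes in kl_feed_service.conf and to RequiredFields, UrlMatcherField and the Parsing children in kl_feed_util.conf. The script below, added here as an illustration and not part of the Kaspersky documentation or product, performs both steps on the page's own example; it skips feeds whose Path does not end in .json, since only custom JSON feeds are renamed.

```python
import xml.etree.ElementTree as ET
# Sample backups reproduced from the page's own step 8.1 / 9.1 example.
UTIL_BACKUP = """<Feed enabled="true">
  <Name>My_custom_feed</Name>
  <Path>./custom_example/example_feed.json</Path>
  <UrlMatcherField>Custom_URL</UrlMatcherField>
  <Parsing type="json">
    <Custom_MD5 type="MD5">MD5</Custom_MD5>
    <Custom_URL type="URL">URL</Custom_URL>
    <Some_Trash type="CONTEXT">trash</Some_Trash>
  </Parsing>
  <RequiredFields>Custom_MD5;Custom_URL;Some_Trash</RequiredFields>
</Feed>"""
SERVICE_BACKUP = """<Feed filename="My_custom_feed.json" enabled="true">
  <Field name="Custom_MD5" matching_type="Exact" input_regexp_to_match="RE_HASH" category="My_custom_feed_MD5"/>
  <Field name="Custom_URL" matching_type="Url" input_regexp_to_match="RE_URL" category="My_custom_feed_URL"/>
</Feed>"""

def field_mapping(util_feed):
    # Old field name (element tag) -> new name (element text); only custom JSON feeds.
    parsing = util_feed.find("Parsing")
    if parsing is None or not util_feed.findtext("Path", "").endswith(".json"):
        return {}
    return {c.tag: (c.text or "").strip() for c in parsing}

def rewrite_util_feed(util_feed, mapping):
    # Step 9.1: rename RequiredFields and UrlMatcherField, then Parsing children -> Field.
    req = util_feed.find("RequiredFields")
    if req is not None and req.text:
        names = [n.strip() for n in req.text.split(";") if n.strip()]
        if any(n not in mapping for n in names):  # field never declared in Parsing
            raise ValueError(f"RequiredFields not in Parsing: {names}")
        req.text = ";".join(mapping[n] for n in names)
    for um in util_feed.findall("UrlMatcherField"):
        um.text = mapping.get(um.text, um.text)
    for child in util_feed.find("Parsing"):
        child.tag = "Field"

def rewrite_service_feed(service_feed, mapping):
    # Step 8.1: each Field's name attribute takes the value from Parsing.
    for f in service_feed.findall("Field"):
        f.set("name", mapping.get(f.get("name"), f.get("name")))

def rename_custom_feed(util_xml, service_xml):
    util_feed, service_feed = ET.fromstring(util_xml), ET.fromstring(service_xml)
    mapping = field_mapping(util_feed)
    if mapping:
        rewrite_util_feed(util_feed, mapping)
        rewrite_service_feed(service_feed, mapping)
    return mapping, util_feed, service_feed
```

A RequiredFields entry that the Parsing element does not declare is reported as an error rather than silently left with its old name, which would otherwise surface only when Feed Service starts.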