KIS / KES

Kaspersky Internet Security (KIS) / Kaspersky Endpoint Security (KES) / Kaspersky Security Center (KSC)

KIS / KES

Scan Exclusions

Potential scan exclusions:
  • C:\Windows\System32\LogFiles\
  • C:\Windows\System32\inetsrv\
  • C:\Windows\ClusterStorage\
  • C:\ProgramData\Microsoft\Windows\Hyper-V\

Stop Service

Check if KES Self-Defense is enabled:
PS > (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\settings" -Name "EnableSelfProtection").EnableSelfProtection
Check if KES external management of system services is allowed:
PS > (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\settings" -Name "AllowServiceStop").AllowServiceStop
If EnableSelfProtection is 0 and AllowServiceStop is 1, then it's possible to manipulate the KES application from the command line via klpsm.exe:
Cmd > cd "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows"
Cmd > klpsm.exe stop_avp_service
Cmd > klpsm.exe start_avp_service
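
A defender-side check for the condition described above, as an added example (not code from the original page): it reads the same two registry values and reports whether a host is in the state where klpsm.exe can stop the KES service. The function name and the status labels are hypothetical; the registry path and value names are the ones shown above.

```powershell
# Added example: audit the two KES settings discussed above.
# Test-KesTamperExposure and its Status labels are hypothetical names;
# the registry path and value names are taken from this page.
function Test-KesTamperExposure {
    [CmdletBinding()]
    param(
        [string]$SettingsPath = 'HKLM:\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\settings'
    )

    $selfProtection = $null
    $allowStop      = $null

    if (-not (Test-Path -Path $SettingsPath)) {
        # Key absent: KES not installed here, or a different product layout.
        $status = 'KeyNotFound'
    }
    else {
        $props          = Get-ItemProperty -Path $SettingsPath -ErrorAction Stop
        $selfProtection = $props.EnableSelfProtection
        $allowStop      = $props.AllowServiceStop

        if ($null -eq $selfProtection -or $null -eq $allowStop) {
            # One of the values is not present, so no conclusion is drawn.
            $status = 'ValueMissing'
        }
        elseif ($selfProtection -eq 0 -and $allowStop -eq 1) {
            # The combination the page describes: service can be stopped via klpsm.exe.
            $status = 'Exposed'
        }
        elseif ($selfProtection -eq 0 -or $allowStop -eq 1) {
            # Only one of the two safeguards is relaxed.
            $status = 'Weakened'
        }
        else {
            $status = 'Hardened'
        }
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Status               = $status
        EnableSelfProtection = $selfProtection
        AllowServiceStop     = $allowStop
    }
}

# Report the local host; pipe to Export-Csv to collect results from a fleet.
Test-KesTamperExposure
```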

Remove Product

KSC

Key | Value
Default MMC Port | 13291
Remote Installation Path | %WINDIR%\Temp\KAV Remote Installations

Enumeration

Cmd > netstat -ano | findstr 13000
Cmd > "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagchk.exe"
Cmd > reg query HKLM\SOFTWARE\WOW6432Node\KasperskyLab\Components /s /v Protection_AdmServer
Cmd > C:\PROGRA~2\KASPER~1\KASPER~1\klsql2.exe -i query.sql -u administrator -p "Passw0rd!" -o query.xml

KlScSvc in LSA
