KIS / KES

Kaspersky Endpoint Security (KES) / Kaspersky Security Center (KSC) / Kaspersky Internet Security (KIS)

KES / KIS

Scan Exclusions

Potential scan exclusions:

  • C:\Windows\System32\LogFiles\

  • C:\Windows\System32\inetsrv\

  • C:\Windows\ClusterStorage\

  • C:\ProgramData\Microsoft\Windows\Hyper-V\

Stop Service

Check if KES Self-Defense is enabled:

PS > (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\settings" -Name "EnableSelfProtection").EnableSelfProtection

Check if KES external management of system services is allowed:

PS > (Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\settings" -Name "AllowServiceStop").AllowServiceStop

If EnableSelfProtection is 0 and AllowServiceStop is 1, then it's possible to manipulate the KES application from the command line via klpsm.exe:

Cmd > cd "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows"
Cmd > klpsm.exe stop_avp_service
Cmd > klpsm.exe start_avp_service
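
Added example (not part of the original page and not Kaspersky's own tooling): a PowerShell audit that reads the two values above and flags the combination that leaves the service stoppable. The registry path and value names are the ones quoted on this page; the function names and the constructed sample inputs are hypothetical.

```powershell
# Registry path as quoted on this page.
$KesSettingsPath = 'HKLM:\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\settings'

function Get-KesSetting {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-KesTamperExposure {
    param($EnableSelfProtection, $AllowServiceStop)
    $findings = @()
    if ($null -eq $EnableSelfProtection -or $null -eq $AllowServiceStop) {
        $findings += 'Setting not readable: KES absent, different layout, or access denied'
    }
    if ($EnableSelfProtection -eq 0) { $findings += 'Self-Defense is disabled' }
    if ($AllowServiceStop -eq 1) { $findings += 'External management of system services is allowed' }
    [pscustomobject]@{
        EnableSelfProtection = $EnableSelfProtection
        AllowServiceStop     = $AllowServiceStop
        # The condition stated on this page: both weak settings at once.
        ServiceStoppable     = ($EnableSelfProtection -eq 0 -and $AllowServiceStop -eq 1)
        Findings             = $findings
    }
}

# Live host check.
$live = Test-KesTamperExposure `
    (Get-KesSetting $KesSettingsPath 'EnableSelfProtection') `
    (Get-KesSetting $KesSettingsPath 'AllowServiceStop')
$live | Format-List

# Constructed samples (not real hosts) showing each outcome offline.
$samples = @(
    @{ Name = 'hardened';   Self = 1;     Stop = 0 },
    @{ Name = 'exposed';    Self = 0;     Stop = 1 },
    @{ Name = 'partial';    Self = 0;     Stop = 0 },
    @{ Name = 'unreadable'; Self = $null; Stop = $null }
)
foreach ($s in $samples) {
    $r = Test-KesTamperExposure $s.Self $s.Stop
    '{0,-10} stoppable={1} findings={2}' -f $s.Name, $r.ServiceStoppable, ($r.Findings -join '; ')
}
```

A host reporting ServiceStoppable as True should have Self-Defense re-enabled and external service management disallowed through policy.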

Remove Product

KSC

| Key | Value |
| --- | --- |
| Default MMC Port | 13291 |
| Remote Installation Path | %WINDIR%\Temp\KAV Remote Installations |

Enumeration

Cmd > netstat -ano | findstr 13000
Cmd > "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klnagchk.exe"
Cmd > reg query HKLM\SOFTWARE\WOW6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState /s /v Protection_AdmServer
PS > Get-ItemProperty HKLM:\SOFTWARE\WOW6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState -Name Protection_AdmServer
Cmd > C:\PROGRA~2\KASPER~1\KASPER~1\klsql2.exe -i query.sql -u administrator -p "Passw0rd!" -o query.xml

KlScSvc in LSA
