Problem
KAV endpoints assigned to a profile with an "Automatic" update schedule keep getting flagged as "configuration out of compliance with the profile". After the profile is reassigned, they go out of compliance again after a few hours.
Cause
The Kaspersky Update component has a feature that avoids starting updates immediately after the system is started (start delay time). When the Update task runs, it makes a minor change to the start delay time, so it is no longer the same value that was set when the profile was applied. Although this does not affect functionality, it causes KAV to detect a configuration change and flag the profile as out of compliance.
This problem only affects profiles with "Automatic" Update schedule.
Resolution
VSA R9.3
The new enhanced Antivirus module is not affected by this problem. The Antivirus Overview page in the online help describes how to migrate agents to the new module from "Classic" Antivirus.
VSA R9.2
Kaspersky have provided a patch update to resolve the problem, which can be deployed using an agent procedure (requires reboot). Alternatively, it can be worked around by modifying the Update Options in the AV profile (details below).
Deploying Kaspersky patch PF1648
1) download the attached archive file PF1648.zip and extract the contents
2) in VSA, go to Agent Procedures > Manage Procedures > Schedule / Create and select a folder where you want to create the agent procedure
3) click on the Managed Files button and upload the pf1648.msp file from within the archive to the "Shared files" folder
4) click on the Import Folder / Procedure button and select the XML file from the archive
5) the agent procedure works like this:
- whether or not Kaspersky or KAV is currently installed, it deploys the patch update to the "KAV" folder in the agent "working directory" (usually c:\kworking\KAV)
- it checks whether Kaspersky 10 SP1 (v10.2.4.674) is currently installed. If so, it executes the patch, uploads the install log to the "Get File" area of VSA (Agent Procedures > File Transfer > Get File, click on agent ID), then reboots the machine with a 5 minute delay after displaying a notification to the end user
- Kaspersky requires the reboot to complete the update. If you do NOT wish the machine to be rebooted automatically, edit the agent procedure and remove or change lines 16 and 25. However, please note that the machine may not be fully protected until the reboot is completed.
- if Kaspersky is NOT already installed, or an older version is installed, the presence of the patch file in the working directory means it will automatically get deployed when installing Kaspersky 10 SP1 (v10.2.4.674), which can be done by pushing a new AV installation from the KAV console. Running this procedure first avoids the need for two reboots (one to complete the installation, another to install the patch).
6) to check that the patch is successfully installed, check the log file (PF1648.txt) in the "Get File" area of VSA (Agent Procedures > File Transfer > Get File, click on agent ID). It will also show in the Application version string in the Kaspersky UI. However, this does not get reported in the KAV console, as the version string is not updated.
Changing Update Options in AV profile
This will work around the issue without needing to deploy the Kaspersky patch.
Change profiles with an "Automatic" Update schedule to "By Schedule", every 2 hours. This will not affect update frequency because the "Automatic" configuration also runs at 2 hour intervals.
Important - after selecting "hourly" from the schedule selector, please ensure that the information in the "Run every" box has also changed to "hours" before saving the changes. In some environments there may be a delay in screen refresh after using the drop-down selectors, and this may result in the wrong configuration being saved.
Applies to
Kaseya Anti-virus (KAV)
Kaspersky Endpoint Security v10.x
Ref: #124077 / PROTECT-705