Kaspersky Anti Targeted Attack Platform

Limitations

Kaspersky Anti Targeted Attack Platform 7.0.3 has the following known limitations:

1. Sigma rules relying on data sources other than System Monitor (Sysmon) and Windows Event Log are not supported.
2. Correlation Sigma rules are not supported.
3. As part of integration with the NDR functional block, up to 1000 Endpoint Agent components can be connected to a single Central Node component. If you want to connect more components, please contact Technical Support.
4. In a file alert created based on the results of scanning a copy of web traffic, the User name field is empty if the user is authenticated on the proxy server with basic authentication.
5. Information about the Endpoint Agent component is not displayed in the Processed widget on the Dashboard.
6. After upgrading Central Node deployed as a cluster, the alerts table may not display new alerts generated by the IDS technology. You can check whether the limitation applies to you and take steps to fix it, if necessary. For details, see the Updating Kaspersky Anti Targeted Attack Platform from version 7.0.1 to version 7.0.3 section
7. Upgrading the Central Node component from version 6.1 fails if processing of mirrored SPAN traffic is disabled in the version of the component that is being upgraded. To fix this limitation, we strongly recommend following steps 1 of the Updating Central Node installed as a cluster and 4 of the Upgrading a Central Node installed on a server instructions.
8. In rare cases, upgrading from version 7.0.1 to version 7.0.3 of Central Node deployed as a cluster based on the Astra Linux operating system may fail with the error "Upgrade has failed on task UpdateSizing".

   Resolving the "Upgrade has failed on task UpdateSizing" error

   If you get the "Upgrade has failed on task UpdateSizing" while upgrading Central Node deployed as a cluster based on Astra Linux from version 7.0.1 to version 7.0.3, follow the steps below.

   All steps described below must be performed on servers in Technical Support Mode, after elevating user privileges using the sudo -i command.

   To resolve the "Upgrade has failed on task UpdateSizing" error:

   1. Log in to any of the storage servers in the Central Node cluster and check if the Ceph storage is working. To do so, execute the following command:

      ceph -s | grep health:

      The Ceph storage is healthy if the following value is returned:

      health: HEALTH_OK

      If the value is different from health: HEALTH_OK, please contact Technical Support.

   2. Find out which servers in the cluster have the 'manager' role in Docker swarm. To do this, run the following command on any of the cluster servers:

      docker node ls

      A list of cluster servers is displayed. Look at the MANAGER STATUS column in the list: if a server has Leader or Reachable in that column, it means it has the 'manager' role.

   3. Log in to the server with the 'manager' role in Docker swarm and restart the ZooKeeper service with the following command:

      docker service update kata_product_main_1_zookeeper --force

   4. Wait 10 minutes and check the status of the Kafka service:
      1. Run the following command:

         docker service ps kata_product_main_1_schema_registry

         Look at the value in the NODE column to determine which server has the Schema Registry.

      2. Log in to the server with the Schema Registry and run the following command:

         docker exec -it $(docker ps | grep schema_registry | awk '{ print $1 }') curl http://127.0.0.1:8081/subjects

         If you get a JSON with a list of subjects, it means the Kafka service is working. In this case, go to step 6.

   5. If the Kafka service is not working, restart it using the following command:

      docker service update kata_product_main_1_kafka --force

      After this, do step 4 again. If the Kafka service still does not work after this, please contact Technical Support.

   6. Proceed with the upgrade with the following commands:

      source /opt/upgrade_venv/bin/activate

      kata-upgrade params --data-dir /data/upgrade/ --user admin --password '<pass>' --ndr-language '<language>' --current-task-index 15

      In the above command, replace <language> with the language that was selected at the start of the upgrade process. Possible values: English, Russian.

9. After upgrading from version 6.1 to version 7.0.3 of Central Node deployed as a cluster based on the Astra Linux operating system, telemetry search in the Threat Hunting section may not work.

   Resolving an "Internal error" that occurs when searching for event data

   If searching for event data (telemetry) in the Threat Hunting section is not working after upgrading the Central Node deployed as a cluster based on Astra Linux from version 6.1 to version 7.0.3, follow the steps below.

   All steps described below must be performed on servers in Technical Support Mode, after elevating user privileges using the sudo -i command.

   To resolve the event data search error:

   1. Find out which servers in the cluster have the 'manager' role in Docker swarm. To do this, run the following command on any of the cluster servers:

      docker node ls

      A list of cluster servers is displayed. Look at the MANAGER STATUS column in the list: if a server has Leader or Reachable in that column, it means it has the 'manager' role.

   2. Log in to the server with the 'manager' role in Docker swarm and run the following command:

      docker service ps kata_product_main_1_elasticsearch_data

      Look at the value in the NODE column to determine which servers in the cluster are running the elasticsearch_data process.

   3. On each server in the cluster that is running the elasticsearch_data process:
      1. Get the ID of the container in which the elasticsearch_data process is running with the following command:

         docker ps | grep elasticsearch_data | awk '{ print $1 }')

      2. Check the container log with the following command:

         docker logs<container ID> | grep "this node is unhealthy: health check failed due to broken node lock"

      3. If the "this node is unhealthy: health check failed due to broken node lock" string is found in the server logs, terminate the process by running the following command:

         docker kill <container ID>

   4. In the application web interface, go to the Threat Hunting section and perform a custom search in event data. If you get the "Internal error" error again, please contact Technical Support.

10. When installing the Central Node component of version 7.0.3 on the server, Kaspersky Anti Targeted Attack Platform may refuse email messages received via SMTP. The sender may get a "Connection refused" error. You can remove this limitation. For details, see the Configuring integration with a mail server via SMTP section.

Kaspersky Anti Targeted Attack Platform 7.0 has the following known limitations:

1. Sigma rules relying on data sources other than System Monitor (Sysmon) and Windows Event Log are not supported.
2. Correlation Sigma rules are not supported.
3. As part of integration with the NDR functional block, up to 1000 Endpoint Agent components can be connected to a single Central Node component. If you want to connect more components, please contact Technical Support.
4. An error may occur when downloading mirrored traffic if the user has not waited for an already started download process to end.
5. When searching network packets for the last hour, no more than 200 records are displayed, even if the system has more matching records. We recommend refining the search query to get a selection with fewer sessions.

   Limitations do not apply to traffic dump downloading.

6. For a cluster configuration, when integrated with a mail server, an error may occur when sending an email message: "451 4.3.0 Error: queue file write error". For information on how to remove the limitation, see the Configuring integration with a mail server via SMTP section.
7. Embedded Sensor may be missing after upgrading to version 7.0 a Central Node component that had been used in the distributed solution or multitenancy mode. For information on how to remove the limitation, see the Upgrading Central Node installed on a server section.
8. In a file alert created based on the results of scanning a copy of web traffic, the User name field is empty if the user is authenticated on the proxy server with basic authentication.
9. No connection is established between the Endpoint Agent components and the PCN if the Sensor component installed on a standalone server is being used as the proxy server.
10. The Ignore MAC addresses for NIC rules toggle switch has no effect on the application.
11. If the Endpoint Agent host is running Windows Server 2016 or earlier, Endpoint Agent does not send information about the Code injection event. The component sends information about this event only if the host is running Windows Server 2019 or later.

Limitations that apply when deploying the Central Node component as a cluster:

1. A Central Node cluster must include at least 4 servers: 2 storage servers and 2 processing servers. You can scale the cluster to increase the amount of traffic handled or the number of connected hosts in accordance with the Sizing Guide.
2. It is recommended to add servers with the same hardware configuration to the cluster. Otherwise, a proportional increase in performance is not guaranteed.
3. Adding an extra server to the cluster does not speed up the processing of objects that are already in the scan queue.
4. The web interface of the application can be temporarily unavailable if the server on which it is hosted fails.
5. If the processing server fails, you may lose ICAP, POP3, and SMTP traffic data as well as the copies of emails that are waiting to be processed and the detections associated with them.
6. If the processing server is configured to receive mirrored traffic from SPAN ports, then SPAN traffic is not processed if this server fails.
7. If one of the cluster servers fails or the connection between the server and the Endpoint Agent component is temporarily lost, data in the event database can temporarily become desynchronized.
8. If the configuration of the cluster servers is changed, processing of traffic and events from computers with the Endpoint Agent component may be temporarily slowed down.
9. When installing Kaspersky Anti Targeted Attack Platform as a cluster or when updating a cluster configuration, it may happen that the Embedded Sensor does not start.

   In this case, we recommend doing the following:

   • If the Sensor is not connected, remove it using the web interface, then in Technical Support Mode, run the kata-sensor-tool fix-cluster-sensor command.
   • If Sensor is not running, in Technical Support Mode, run the kata-sensor-tool fix-cluster-sensor command.

   After some time, the Sensor should appear in the web interface.

10. Delays are possible when receiving email over SMTP. To solve this problem, we recommend the following steps:
    1. Connect to the Central Node or Sensor in Technical Support Mode.
    2. Enable the DEBUG logging level for the SMTP integration with the following command:

       console-settings-updater set --merge /kata/configuration/product/preprocessor_smtp '{"logging":{"level":{"root":"DEBUG"}}}'

    3. Wait approximately 30 seconds for the settings to synchronize.
    4. Go back to the ERROR logging level for the SMTP integration with the following command:

       console-settings-updater set --merge /kata/configuration/product/preprocessor_smtp '{"logging":{"level":{"root":"ERROR"}}}'

Limitations that apply when using the application in distributed solution and multitenancy mode:

1. On a PCN server, the Assets → Devices tab displays only hosts that are connected to that PCN server.
2. User account passwords can be changed only on the PCN server.

Limitations that apply to the Sensor component:

1. Only Sensor components installed on standalone servers can be used to capture network traffic at the maximum speed of 10 Gbps.
2. Capturing FTP traffic at the maximum speed of 10 Gbps can result in a high level of loss.
3. If you add or remove network interfaces that send SPAN traffic to Kaspersky Anti Targeted Attack Platform, raw network traffic dumps may be downloaded from a network interface that is different from the one you selected.

Limitations that apply to the Sandbox component:

1. The following versions of operating systems are supported for custom images:
   • Windows 7
   • Windows 8.1 64-bit
   • Windows 10 64-bit (up to version 1909)
2. Only English and Russian localizations are fully supported for custom operating system images.
3. License keys for activating the operating systems and software are not provided.
4. If some of the operating systems selected in the set of operating systems on the Central Node server are not installed on the Sandbox server, Kaspersky Anti Targeted Attack Platform does not send objects to the Sandbox component for scanning. If multiple servers with the Sandbox component are connected to the server with the Central Node component, the application sends objects to those servers whose installed operating systems match the set selected on the Central Node.

Limitations that apply when integrating with Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows:

1. Tasks for getting RAM dumps and disk images can only be assigned to computers with Kaspersky Endpoint Agent 3.14 or later for Windows and Kaspersky Endpoint Security 12.1 or later for Windows.
2. Tasks for getting process memory dumps, NTFS metafiles, and registry keys can only be assigned to computers with Kaspersky Endpoint Agent 3.14 or later for Windows or Kaspersky Endpoint Security 12.1 or later for Windows.
3. The task of scanning hosts using YARA rules can only be assigned to computers with Kaspersky Endpoint Agent 3.14 or later for Windows and Kaspersky Endpoint Security 12.1 or later for Windows. If you simultaneously assign a task to computers with Kaspersky Endpoint Agent version 3.14 or later, and to computers with earlier versions of that application, the task runs only on computers with Kaspersky Endpoint Agent 3.14 or later.
4. If autorun points are selected as the scan scope, the task runs only on computers with Kaspersky Endpoint Agent 3.14 or later and Kaspersky Endpoint Security 12.1 or later for Windows.
5. The Code injection, Named pipe, WMI, LDAP, DNS, Process access events are available only when integrating with Kaspersky Endpoint Security for Windows 12.7 or a later version.

Limitations that apply when integrating with Kaspersky Endpoint Security for Linux:

1. The following functionality is not available for computers running Kaspersky Endpoint Security for Linux 11.4:
   • Network isolation of a host.
   • Creating a prevention rule.

     No notifications are created about the unsuccessful application of a prevention rule on computers with Kaspersky Endpoint Security 11.4 for Linux applications.

   • Finding indicators of compromise on computers using IOC files.

     No notifications are created about the unsuccessful search of indicators of compromise on computers with Kaspersky Endpoint Security 11.4 for Linux applications.

2. The following functionality is not available for computers running Kaspersky Endpoint Security for Linux 12:
   • Creating a prevention rule.

     No notifications are created about the unsuccessful application of a prevention rule on computers with Kaspersky Endpoint Security 12 for Linux applications.

3. The list of events that Kaspersky Endpoint Security 11.4 or 12 for Linux logs in the event database is limited to the following types:
   • File modified
   • Process started
   • Process completed
   • System event log
   • Detection
   • Detection processing result
4. The list of tasks that you can create on computers running Kaspersky Endpoint Security 11.4 for Linux is limited to the following types:
   • Get file

     When you create the task, the application does not attempt to verify the path to the executable file or the file that you want to retrieve.

   • Run application
5. The list of tasks that you can create on computers running Kaspersky Endpoint Security 12 for Linux is limited to the following types:
   • Get file

     When you create the task, the application does not attempt to verify the path to the executable file or the file that you want to retrieve.

   • Run application
   • Delete file
   • Kill process
6. The list of tasks that you can create on computers running Kaspersky Endpoint Security 12.2 for Linux is limited to the following types:
   • Get file

     When you create the task, the application does not attempt to verify the path to the executable file or the file that you want to retrieve.

   • Run application
   • Delete file
   • Kill process
   • Quarantine file
7. In information about events registered in the event database by Kaspersky Endpoint Security 11.4 or 12 for Linux, the Time created field displays file modification time.
8. The Connection to remote host, Port listened, Module loaded, DNS, Process access events are available when integrated with Kaspersky Endpoint Security 12.2 or later for Linux.

Limitations that apply when integrating with Kaspersky Endpoint Security 12 for Mac:

1. The following functionality is not available for computers running Kaspersky Endpoint Security 12 for Mac:
   • Network isolation of a host.
   • Creating a prevention rule.

     No notifications are created about the unsuccessful application of a prevention rule on computers with Kaspersky Endpoint Security 12 for Mac applications.

   • Finding indicators of compromise on computers using IOC files.

     No notifications are created about the unsuccessful search of indicators of compromise on computers with Kaspersky Endpoint Security 12 for Mac applications.

2. The list of events that Kaspersky Endpoint Security 12 for Mac logs in the event database is limited to the following types:
   • File modified
   • Process started
   • Process completed
   • Detection
   • Detection processing result
3. The list of tasks that you can create on computers running Kaspersky Endpoint Security 12 for Mac is limited to the following types:
   • Get file

     When you create the task, the application does not attempt to verify the path to the executable file or the file that you want to retrieve.

   • Run application
4. In information about events registered in the event database by Kaspersky Endpoint Security 12 for Mac, the Time created field displays file modification time.

Limitations of Kaspersky Endpoint Agent 3.16 for Windows:

You can view the list of limitations of Kaspersky Endpoint Agent 3.16 for Windows in the Kaspersky Endpoint Agent for Windows Online Help.

Limitations of Kaspersky Endpoint Security 12.5 for Windows:

You can view the list of limitations of Kaspersky Endpoint Security 12.5 for Windows in the Kaspersky Endpoint Security for Windows Online Help.

Limitations of Kaspersky Endpoint Security 12 for Linux:

You can view the list of limitations of Kaspersky Endpoint Security 12 for Linux in the Kaspersky Endpoint Security for Linux Release Notes.

Limitations of Kaspersky Endpoint Security 12 for Mac:

You can view the list of limitations of Kaspersky Endpoint Security 12 for Mac in the Kaspersky Endpoint Security for Mac Online Help.