Issue: LANDESK Antivirus Network Attack Blocker incorrectly blocking traffic

Version 4

    Verified Product Versions

    LANDESK Management Suite 9.5
    LANDESK Management Suite 9.6
    LANDESK Management Suite 2016.x

    Issue


    In Network Attack Blocker reports, you can see "Network Attack Detected" messages.

    [Screenshot: 001.png]

    Problem

    1. The customer enabled Network Attack Blocker (NAB) in Antivirus on a machine and added the desired IP range to the LDAV exclusion list. However, the NAB report still showed that NAB had blocked an attack from an IP address in the excluded range on port XXX on the server.
    2. The customer enabled Network Attack Blocker in Antivirus on a machine. Once NAB was enabled, the customer could no longer log in to their internal site via VPN, even though the IP address of the internal site had already been added to the LDAV exclusion list. With NAB disabled, they were able to log in to the internal site again.

    Cause

    Both issues were escalated to Kaspersky and were resolved as described below:

    For problem 1

    First check whether NAB is really blocking the traffic, then follow the matching scenario.

    Scenario 1: If the traffic is NOT blocked despite the report stating the traffic is blocked

      This is 'by design' according to Kaspersky. The explanation of this issue from Kaspersky support was: "Even with exclusion rules during a lot of connections Network Attack Blocker may spam KES reports with messages about a 'Synflood' attack while not actually blocking any of the requests if correct exclusions are set. This is a known issue. Regarding logging of XXX port being blocked. If it isn't actually blocked and is excluded via settings, KES still logs that this port is blocked in reports. This is by design – the message shows there were connections on XXX port, not that it is actually blocked. If the exclusion of XXX port does not work – this is considered an issue."

    Scenario 2: If the traffic IS indeed blocked

      Apply the KES patch listed in the Solution section first and see whether that resolves the issue. If not, collect the information requested below and LANDesk Support can escalate to Kaspersky for further troubleshooting.
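    As an added example (not part of the original article), a PowerShell check to decide between the two scenarios: it repeatedly attempts TCP connections from the client to the port(s) the NAB report names and reports whether the connections actually go through. Server address, ports and attempt count are placeholders; run it once with NAB enabled and once with NAB disabled and compare the two results.

```powershell
# Added example (not from the LANDESK/Kaspersky article): decide between Scenario 1
# (logged but not blocked) and Scenario 2 (really blocked) by testing whether a port
# the NAB report says is blocked is actually reachable from this client.
# Run from the client that produced the report, with NAB enabled and again with NAB disabled.

param(
    [string]$Server = "192.0.2.10",   # placeholder: host in the excluded IP range
    [int[]]$Ports   = @(445, 3389),   # placeholder: port(s) named in the NAB report
    [int]$Attempts  = 20              # repeated connects mimic the "lots of connections" case
)

$results = foreach ($port in $Ports) {
    $ok = 0; $fail = 0
    for ($i = 0; $i -lt $Attempts; $i++) {
        # -InformationLevel Quiet returns $true only when the TCP handshake completed
        $reachable = Test-NetConnection -ComputerName $Server -Port $port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($reachable) { $ok++ } else { $fail++ }
    }

    # Interpret the counts in the article's terms; an all-failed result can also mean
    # the host or service is simply down, so confirm with NAB disabled before escalating.
    $verdict = if ($fail -eq 0) {
        "Reachable: report entries are Scenario 1 (logged, not blocked)"
    } elseif ($ok -eq 0) {
        "Unreachable: Scenario 2 candidate (really blocked, or host/port down)"
    } else {
        "Intermittent: compare with NAB disabled before concluding"
    }

    [pscustomobject]@{
        Server    = $Server
        Port      = $port
        Succeeded = $ok
        Failed    = $fail
        Verdict   = $verdict
    }
}

$results | Format-Table -AutoSize
```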

    For problem 2

    This is a known issue with Kaspersky and is resolved by the patch listed below.

    Solution / Workaround


    For Problem 1


    Scenario 1: If the traffic is NOT blocked despite the report stating the traffic is blocked

    Since this behaviour is "by design", there is no fix for this issue: the report entries only record that connections occurred on the port, not that they were blocked.

    Scenario 2: If NAB actually blocks the traffic

    Use patch: ftp://newbeta.kaspersky-labs.com/download/INC000/005/198/349/patch_pf613.zip

    Installation instructions:

    To install the KES patch, perform the following steps (see http://support.kaspersky.com/10949 for details):

    1. Extract the archive to a folder, e.g. C:\pf613.

    2. Run cmd.exe as administrator.

    3. Navigate to the folder where the patch is located: "cd c:\pf613".

    4. Install the patch with the following command: "patch_pf613.exe /when now" (without quotes).

    5. The patch installs silently, so wait about 5 minutes for it to complete.

    6. Reboot the machine – wait about 5 minutes and then restart it manually.

    7. After the reboot, check that the patch is successfully installed: on the KES "About" screen there should be (pf613) in the version string (e.g. KES 10.2.1.23 (pf613)). The About screen is available by right-clicking the tray icon. If you see the "pf613" patch number after the version number, the patch was installed.

    8. If the patch was not installed, collect KESPatch.log and KESPatchMSI.log from the %TEMP% folder (usually C:\Windows\Users\User\AppData\Local\Temp) or from C:\ProgramData\Kaspersky Lab\ and send them to LANDesk Support, who will forward them to Kaspersky for analysis.

    The private fix (pf) should stop the traffic from being blocked. If it does not, collect GSI 6 logs from the affected machine (http://support.kaspersky.com/general/dumps/3632). Also collect product traces while reproducing the issue with only NAB enabled and all other components disabled: enable product traces, reproduce the issue, disable traces, and send them to LANDesk Support (http://support.kaspersky.com/general/dumps/3632#block1).

    For Problem 2

    Install pf466 on the clients running VPN software, reboot them, and check whether the issue persists.

    NOTE


    This is a private patch that addresses a specific issue; it is not intended for deployment to machines that do not show this issue.

    Use patch: ftp://newbeta.kaspersky-labs.com/download/INC000/005/353/092/patch_pf466.zip

    Installation instructions:

    To install the KES patch, perform the following steps (see http://support.kaspersky.com/10949 for details):

    1. Extract the archive to a folder, e.g. C:\pf466.

    2. Run cmd.exe as administrator.

    3. Navigate to the folder where the patch is located: "cd c:\pf466".

    4. Install the patch with the following command: "patch_pf466.exe /when now" (without quotes).

    5. The patch installs silently, so wait about 5 minutes for it to complete.

    6. Reboot the machine – this step is mandatory and must not be skipped. Wait until the machine has rebooted; do not reset it.

    7. After the reboot, check that the patch is successfully installed: on the KES "About" screen there should be (pf466) in the version string (e.g. KES 10.2.1.23 (pf466)).

    If the patch does not work, collect the same information as above and contact LANDesk Support, who will contact Kaspersky for analysis.
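    An added PowerShell script (not from the article or from Kaspersky) that carries out the installation steps above for either pf613 or pf466 and bundles KESPatch.log and KESPatchMSI.log from the locations named in the instructions, so they are ready to send to LANDesk Support if the version string does not show the pf after the reboot. The download and output paths are placeholders, and the installer name patch_<pf>.exe is taken from the steps.

```powershell
# Added example (not the article's or Kaspersky's own script): scripted version of the
# KES private-patch steps for pf613 (Problem 1, Scenario 2) or pf466 (Problem 2), plus
# collection of the KESPatch*.log files for LANDesk Support. Run from elevated PowerShell.

param(
    [Parameter(Mandatory)][ValidateSet("pf613", "pf466")][string]$Patch,
    [string]$ZipPath = "C:\Temp\patch_$Patch.zip",    # placeholder: saved download
    [string]$LogOut  = "C:\Temp\KESPatch-$Patch-logs"  # placeholder: bundle for support
)

# Step 1: extract the archive to a folder such as C:\pf613 or C:\pf466.
$work = "C:\$Patch"
Expand-Archive -Path $ZipPath -DestinationPath $work -Force

# Steps 3-4: run the installer from its folder with the /when now switch the article gives.
$installer = Join-Path $work "patch_$Patch.exe"
if (-not (Test-Path $installer)) { throw "Installer not found: $installer" }
$proc = Start-Process -FilePath $installer -ArgumentList "/when now" `
            -WorkingDirectory $work -PassThru -Wait

# Step 5: the patch installs silently; the article says to allow about 5 minutes.
Start-Sleep -Seconds 300

# Step 8: gather KESPatch.log / KESPatchMSI.log from %TEMP% (of the elevated user) and
# from C:\ProgramData\Kaspersky Lab\, the two locations the article names.
$logs = foreach ($dir in @($env:TEMP, "C:\ProgramData\Kaspersky Lab")) {
    Get-ChildItem -Path $dir -Filter "KESPatch*.log" -Recurse -ErrorAction SilentlyContinue
}

if ($logs) {
    New-Item -ItemType Directory -Path $LogOut -Force | Out-Null
    $logs | Copy-Item -Destination $LogOut -Force
    Compress-Archive -Path "$LogOut\*" -DestinationPath "$LogOut.zip" -Force
    Write-Host "Installer exit code $($proc.ExitCode); logs bundled in $LogOut.zip"
} else {
    Write-Host "Installer exit code $($proc.ExitCode); no KESPatch logs found yet"
}

# Step 6: the reboot is mandatory. After it, confirm ($Patch) appears in the KES About
# version string; if it does not, send the bundled logs to LANDesk Support.
Restart-Computer -Confirm
```

    Run it as ".\Install-KesPatch.ps1 -Patch pf466" (or pf613) on the affected client; the log bundle is created before the reboot so it is available whether or not the version check later succeeds.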