
Tonsko

macrumors 6502
Original poster
Aug 19, 2010
Hey all,

So here's the juice: I've got 4 Macs, 3 x MBA and 1 x MBP; all but the MBP are remote and in the field. 1 x MBA is on Yosemite, and the other Airs and MBP are on El Cap.

1 x MBA on Yosemite and 1 x MBA on El Cap, after installing the network agent and the Endpoint 10 software and setting the licence, get corrupted virus databases. The other 2, 1 remote and 1 local, do not have this problem.

Things I have tried:

* Installing agent and software locally (in that order), activating locally, connecting to the server, update - virus db corrupt.
* Installing agent locally, deploying Endpoint from server, activating via pushing the key, databases corrupt.
* Installing agent and software locally, deploying key from server, databases corrupt.
Each time removing everything totally - the other 2 macs have worked perfectly.
Now, one of the macs won't activate either via the licence or via pushing the key from the server.

Have tcpdump running live on the Macs, firewall logging turned on server end, and where possible, home router firewall opened to specific IP address. Traffic shows at appropriate times in the tcpdump & firewall logs.

Local installs are being done via me connecting over LogMeIn.

I'm at a loss really; Kaspersky's suppliers have basically suggested all the above things. Anyone have any ideas?
 
When you initially removed the software did you sift through your system library for remnants? A lot of times I've had software that leaves save state data, app cache and other support data lingering, thus the "reinstalled" app would inherit the problems of the previous install. Not saying it's what's happening. Have you checked app bundle sizes? Can you locate the "good" signature database on one of the computers that is working?
 
Hey man, thanks for the reply.

Have edited the main post correcting the OSX versions on the machines, as well as who is offering tech support.

I did wonder whether there was anything like you have suggested, and did have a poke around, but there wasn't anything obvious - didn't want to go round removing stuff willy-nilly as that way lies madness! :)

Our Kaspersky supplier mostly said just use the 'uninstall app' script that comes with the DMG - agree that sometimes these don't often remove things completely. I did run a search via Finder and include system files (like how you do if you want to completely uninstall some software) but there was nothing obvious called 'Kaspersky', 'KAV' or similar, and as I say, I do not know exactly what these files may be called.

To be fair to the uninstall programs, they do remove the plist files from LaunchAgents and LaunchDaemons (in system /Library, doesn't use the user ~/Library) folders.

As for the update files, that did occur to me, but I've no idea how they arrange their files and dbs, can kind of have a finger in the air stab at it, but don't really have the time to mess around at that level. The software does at least seem to put all relevant/required files in a Kaspersky folder in /Library/Application Support (which are removed once you've run the uninstall script). I feel that Kaspersky should be able to offer me detailed info on the file structure so I don't have to experiment. Only dealing with the reseller at the moment, have got one of my colleagues to try and escalate to Kaspersky themselves, as they were in the office yesterday.

In conclusion, I hope it's me and that I've done something soft, and not the software as it's seeming a right pretty problem atm! :)
 
Have resolved this:

Basically did everything through security centre, including manually selecting a compatible licence key (rather than allowing the server to select the key file from a stack of them) and using the SC as an update source, as well as having to add individual Kaspersky server IP addresses to the FW in order to successfully update the repository. For some reason, it was trying to call IPs other than the 20 in the list provided on Kaspersky support forums.

Once that was all done, the problems were resolved - not sure why, as the updates via SC should in theory be the same ones as the Kaspersky Lab servers (as that's where the updates come from!). The other two Macs continue to work as advertised without needing to resort to all of that. I have edited the configuration to follow the method above as a matter of completeness.
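
An added example, not part of the thread and not Kaspersky's own tooling: one way to compare the destinations a client actually tried to reach against the addresses opened on the firewall, using `tcpdump -nn` text output, and to see which of them never answered. The allowlist entries, the local IP and the capture lines are constructed placeholders from documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed allowlist standing in for the update-server addresses opened
# on the firewall (documentation ranges, not real vendor addresses).
ALLOWLIST = ["203.0.113.10", "203.0.113.11", "198.51.100.0/28"]

# Constructed sample of `tcpdump -nn` text output captured on the client.
SAMPLE = """\
10:15:01.000101 IP 192.168.1.20.51001 > 203.0.113.10.443: Flags [S], seq 1, length 0
10:15:01.040220 IP 203.0.113.10.443 > 192.168.1.20.51001: Flags [S.], seq 9, ack 2, length 0
10:15:02.000300 IP 192.168.1.20.51002 > 192.0.2.77.80: Flags [S], seq 5, length 0
10:15:03.000300 IP 192.168.1.20.51002 > 192.0.2.77.80: Flags [S], seq 5, length 0
10:15:04.000400 IP 192.168.1.20.51003 > 198.51.100.5.443: Flags [S], seq 7, length 0
10:15:04.050400 IP 198.51.100.5.443 > 192.168.1.20.51003: Flags [S.], seq 3, ack 8, length 0
"""

# src_ip.src_port > dst_ip.dst_port: Flags [..]
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)

def audit(capture, local_ip, allowlist):
    """Summarise outbound connection attempts per remote IP."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    syns = {}         # remote IP -> number of outbound SYNs (retries included)
    answered = set()  # remote IPs that sent anything back to the client
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, _sport, dst, _dport, flags = m.groups()
        if src == local_ip and flags == "S":
            syns[dst] = syns.get(dst, 0) + 1
        elif dst == local_ip:
            answered.add(src)
    report = []
    for ip, count in sorted(syns.items()):
        allowed = any(ipaddress.ip_address(ip) in n for n in nets)
        report.append({"ip": ip, "syns": count,
                       "allowed": allowed, "answered": ip in answered})
    return report

def unlisted(report):
    """Destinations the client tried that are missing from the allowlist."""
    return [r["ip"] for r in report if not r["allowed"]]

if __name__ == "__main__":
    for row in audit(SAMPLE, "192.168.1.20", ALLOWLIST):
        print(row)
```

A destination that is not on the allowlist and shows repeated SYNs with no reply is the pattern to look for when an update source is being dropped at the firewall.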
 