Kaspersky Embedded System Security PoC Guide

The Kaspersky Embedded Systems Security (KESS) Proof of Concept Guide provides detailed instructions for deploying and configuring KESS to protect embedded systems like ATMs and POS devices. It outlines system requirements, installation procedures, and management options, including local and remote deployment via Kaspersky Security Center. The guide also covers various security capabilities such as anti-malware protection, application launch control, and device control, aimed at helping presales engineers and technical reviewers evaluate the KESS product effectively.


KASPERSKY EMBEDDED

SYSTEMS SECURITY

PROOF OF CONCEPT GUIDE


Moscow, 23 August 2017
TABLE OF CONTENTS
Introduction ............................................................................................................................................. 3
Who should use this guide? .............................................................................................................. 3
What is KESS? .................................................................................................................................. 3
What are the components of KESS? ................................................................................................. 3
Prepare environment .............................................................................................................................. 5
Review KESS requirements .............................................................................................................. 5
Configure network ............................................................................................................................. 6
Download required files ..................................................................................................................... 6
Setup and deploy .................................................................................................................................... 6
KESS local deployment ..................................................................................................................... 7
KESS management console installation ......................................................................................... 12
KESS deployment via KSC ............................................................................................................. 16
License activation ............................................................................................................................ 22
Capability scenarios.............................................................................................................................. 24
Anti-malware protection ................................................................................................................... 24
Application launch control ................................................................................................................ 25
Device control .................................................................................................................................. 33
Exploits prevention .......................................................................................................................... 39
File integrity Monitoring ................................................................................................................... 42
Log inspection.................................................................................................................................. 45
Conclusion ............................................................................................................................................ 48
Appendix A: Advanced capability scenarios ......................................................................................... 49
Software distribution control ............................................................................................................ 49
Self-defense..................................................................................................................................... 62
Appendix B: Further reading ................................................................................................................. 66
Appendix C: Troubleshooting and FAQ ................................................................................................ 67
Appendix D: Known limitations ............................................................................................................. 68
Appendix E: POC success criteria ........................................................................................................ 69

Kaspersky Embedded Systems Security 2.0: PROOF OF CONCEPT GUIDE 2


INTRODUCTION
WHO SHOULD USE THIS GUIDE?
This guide is built to help you quickly deploy and configure Kaspersky Embedded Systems Security
(hereinafter KESS) for evaluation. It guides you through detailed scenarios in a proof of concept
environment to help you better understand how KESS works. The instructions provide an evaluation
method for the most common use cases of KESS.

The target audience includes Kaspersky Lab's presales engineers and third parties willing to evaluate the KESS product.

It is assumed that the reader will:

1. Have prior knowledge of the Kaspersky Security Center product.

2. Possess experience in a system administration or technical reviewer role.

WHAT IS KESS?
KESS is a security solution designed to protect a variety of embedded systems, including ATMs and POS
devices, against viruses and other logical attacks.

WHAT ARE THE COMPONENTS OF KESS?

Figure 1. Kaspersky Embedded Systems Security architecture

KESS protects devices against malware and other logical attacks using the following independent
components:

• Anti-malware Protection consists of Real-Time File Protection and On-Demand Scan. This
  component detects viruses using AV bases. With the Real-Time File Protection task the
  application scans files and alternate file-system streams (NTFS streams) when an
  application accesses them. With On-Demand Scan anti-virus scan tasks the application scans
  files, autorun objects, memory and other specified areas.

• Kaspersky Security Network services integration. Use of data from Kaspersky Security
  Network ensures a faster response time by KESS when encountering zero-day threats.
  With the user's consent, the application can use checksums (MD5) of the analyzed files when
  using KSN. Requests to the Kaspersky Security Network take place when Real-time anti-virus
  scan, On-demand anti-virus scan or Applications verification tasks are executed.

• Exploit Prevention provides the ability to protect applications running on the embedded
  systems from exploits. KESS controls the integrity of protected processes and takes actions
  to reduce the potential risks and side effects of vulnerability exploitation.

• Application Launch Control allows the execution of files matched against a defined whitelist.
  Programs that are not in this list are blocked. KESS allows or denies the launch of executable
  files, scripts and MSI packages, and the loading of drivers and DLL modules, according to the
  specified Application Launch Control rules, KSN conclusions, or the Default Deny principle.
  You can create Application Launch Control rules both manually and automatically for a single
  computer (based on the events of a local Application Launch Control task) and for a
  group of computers (via the Kaspersky Security Center denied launches report).

• Device Control restricts unauthorized connection of devices and use of those already
  connected. KESS allows or restricts usage of storage devices connected to a protected
  computer via USB. External device control is based on allow rules and the Default Deny
  principle. Rules for Device Control are generated automatically based on system data about
  registered storage devices, or by the Rule Generator for Device Control task.

• File Integrity Monitor (FIM) tracks actions performed on the specified files and folders.
  KESS checks the integrity of the monitored objects based on information about file operations
  that have been detected in the monitoring scope.

• Log Inspection monitors the integrity of the protected environment based on the results of an
  inspection of the Windows Event Log. KESS alerts the administrator when patterns of abnormal
  activity that might be evidence of an abuse attempt are detected on a protected system.

• Firewall Management takes over control of the Windows Firewall. KESS provides a reliable
  and ergonomic solution for network connection protection by intercepting management of the
  OS firewall settings.

• Kaspersky Security Center is an optional management component for KESS used to
  distribute security policies and signature updates and to provide reports across all of the
  managed KESS instances.

PREPARE ENVIRONMENT
It is assumed that the customer will manage the KESS application with Kaspersky Security Center and
already has one implemented.

REVIEW KESS REQUIREMENTS

Hardware requirements

KESS can protect devices with limited RAM (at least 256 MB) and hard disk space (at least 100 MB).

• Minimum processor requirements:
  o For 32-bit Microsoft Windows operating systems: Intel® Pentium® III.
  o For 64-bit Microsoft Windows operating systems: Intel Pentium IV.
• RAM:
  o 256 MB if Applications Launch Control is installed on a computer running a Microsoft®
    Windows operating system.
  o 512 MB if all application components are installed on a computer running a Microsoft
    Windows operating system.
• Hard disk space:
  o 50 MB required for the Applications Launch Control component.
  o 500 MB required for all product components.

Software requirements

You can install KESS on hardware running one of the following Microsoft Windows operating systems:

• Windows XP Embedded SP3 x86
• Windows XP Pro SP2 / SP3 x86 / x64
• Windows Embedded POSReady 2009 x86
• Windows Embedded Standard 7 SP1 x86 / x64
• Windows Embedded Enterprise 7 SP1 x86 / x64
• Windows Embedded POSReady 7 x86 / x64
• Windows 7 Pro / Enterprise SP1 x86 / x64
• Windows Embedded 8.1 Industry Pro / Enterprise x86 / x64
• Windows Embedded 8.1 Pro x86 / x64
• Windows Embedded 8.0 Standard x86 / x64
• Windows 8 Pro / Enterprise x86 / x64
• Windows 8.1 Pro / Enterprise x86 / x64
• Windows 10 Pro / Enterprise x86 / x64
• Windows 10 RS 1 Pro / Enterprise x86 / x64
• Windows 10 RS 2 Pro / Enterprise x86 / x64
• Windows 10 IoT Ent x86 / x64

Microsoft Windows Installer 3.1 must be installed in order for Kaspersky Embedded Systems Security to
install and work properly on a computer running Windows XP.

The Filter Manager component and Administration Support Tools are required in order for Kaspersky
Embedded Systems Security to install and work properly on a computer running an embedded operating
system.


CONFIGURE NETWORK
If KESS remote administration methods are desired, the corresponding network ports outlined below
must be opened.

Source                    | Destination     | Port  | Protocol | Purpose
--------------------------|-----------------|-------|----------|--------------------------------------------------------------
Kaspersky Security Center | Embedded system | 15000 | UDP      | Request for synchronization from KSC (optional)
Update Agent              | Embedded system | 15001 | UDP      | Connection with Update Agent in case of multicast¹ (optional)
KESS remote console       | Embedded system | 135   | TCP      | Management via remote console (optional)

DOWNLOAD REQUIRED FILES

Please visit http://support.kaspersky.com/kess2#downloads and download the following software
required for KESS evaluation:

1. KESS distribution: https://products.s.kaspersky-labs.com/english/workstations/kess/kess2.0.0.385_en.exe
2. KSC application management plugin: https://products.s.kaspersky-labs.com/english/workstations/kess/klcfginst.exe

SETUP AND DEPLOY

Depending on the desired management mode, the KESS deployment process consists of the following
general steps.

In case of management via the local/remote application management console the steps are:

1. KESS installation on the embedded device that should be protected.
2. KESS management console installation (local or remote).

If management via KSC is preferred, then the steps are:

1. Deploying KSC Network Agent onto the target embedded system.
2. Creating a remote installation package for KESS.
3. Deploying KESS remotely.

¹ To decrease the volume of transferred data or the number of connections to Update Agents, Update Agents have the multicast
function. This allows an Update Agent to distribute updates and installation packages to each client of the group during a single
session. If multicast is enabled, the Administration Server transfers new and changed files to Update Agents after updates are
downloaded to the repository. Update Agents start multicasting these files without waiting for clients' requests.


KESS LOCAL DEPLOYMENT
This section describes the step-by-step installation process using the installation wizard.

1. Run the KESS installation file on the computer where you want it to be installed.

2. The KESS installation files unpacking wizard starts.

3. Specify a folder where the installation files will be unpacked.

4. After extracting the files, an installation manager starts automatically. In order to start the
   installation of KESS, click the Protect computer with Anti-Virus Bases link in the installation menu.

5. Proceed with the installation wizard steps.

6. Accept the EULA.

7. Select the installation type. We recommend selecting the Custom installation type in order to have
   more control over the installation options. The Recommended configuration does not include all the
   available software components.

8. Since the Firewall Management component is not installed by default, manually select this
   component to be installed in the system.

9. Accept the KSN agreement.

10. Specify an installation path.

11. Configure additional settings:
    - Enable real-time protection after installation.
    - Add Microsoft recommended files to exclusions.
    - Add Kaspersky Lab recommended files to exclusions.

12. You can also specify a configuration file created for KESS. If no configuration file is specified,
    default values are used for all KESS settings.

13. Specify a .key file for activating the application with a license key. You can skip this step by
    clicking Next and add a license key after installation.

14. At this step click Next to start the installation process.

15. Wait until the installation finishes and close the wizard.

Now you have the KESS application installed on a protected system.


KESS MANAGEMENT CONSOLE INSTALLATION
In order to manage KESS application settings you need to install an application management console.
The console can be installed on the local system where the KESS application is already installed, or on a
remote computer. Follow the steps below to proceed with the installation.

1. Run setup.exe from the folder where the KESS installation files were unpacked.

2. Select the Install Kaspersky Embedded Systems Security Console link from the installation
   manager's menu.

3. Proceed with the installation wizard steps.

4. Accept the EULA.

5. Select the installation type.

6. Specify the software components to be installed in the system.

7. Specify the installation path.

8. Check the option if the console will be used to manage the application remotely.

9. Click the Install button in order to start the installation process.

10. Wait until the installation finishes and close the wizard.

Now you have the management console installed and ready to configure KESS application settings.


KESS DEPLOYMENT VIA KSC
Kaspersky Security Center (KSC) provides the tools to perform remote installation of applications. To
perform an installation of KESS it is necessary to have Network Agent installed on the protected system.
For more information on how to install applications using KSC check the KSC administrator's guide:
https://docs.s.kaspersky-labs.com/english/kasp10.0_sc_admguideen.pdf.

The steps below describe how to create a KESS remote installation package and install it on a protected
system.

1. Expand the Remote Installation section and switch to the Installation packages container. Click
   Create a new installation package to start the package creation wizard.

2. Select the Create installation package for a Kaspersky Lab application option.

3. Define the package's name.

4. Click Browse to specify the location of the ess.kud file.

5. Please note that there are two ess.kud files, intended to:
   • create a package with all components (located in the product folder);
   • create a package without the components that use AV bases (located in the product_no_avbases
     folder).

6. Accept the EULA.

7. Wait until the installation files are uploaded to the Administration Server and close the wizard.

8. Select the created installation package and click the Install application link.

9. Select the remote installation mode.

10. Select devices for installation.

11. Define additional task settings.

12. Select an appropriate license key. You can skip this step and add a key later.

13. Select an action to perform if the application requires an OS restart after installation.

14. If KSC Network Agent is not installed on a target device, specify the account which will be used
    for installation.

15. Finish the task creation and close the wizard.

16. The task starts automatically after you finish the wizard.

17. Wait until the task finishes. After the task is completed, the KESS application will be installed on
    the protected system.


LICENSE ACTIVATION
For KESS to be up and running it is necessary to activate the application with a product activation code
or key file. The section below shows how to perform activation.

1. Open KESS Console and switch to the Licensing section. Click the Add key or Add activation code
   link.

2. Add an appropriate activation code or key file.

3. You can also use a KSC Activate application task in order to deploy the license key remotely.

If a protected system doesn't have the Network Agent installed, and therefore is not managed by means
of KSC, the Real-Time File Protection and KSN Usage tasks don't start after adding a license key. In
this case you have to start the tasks manually via KESS Console, or via KSC by applying a policy.

After completing the activation you have KESS ready to protect your embedded system.


CAPABILITY SCENARIOS
The following scenarios are designed to help you experience the key features of KESS. They highlight
the most important functionality of KESS and take you through a demo of its features. You can go
through them in order or start with the one that interests you most; they can be demonstrated in any
order.

The steps included in the «Setup and deploy» section are mandatory to proceed.

The scenarios are:

1. Anti-malware protection
2. Application Launch Control
3. Device Control
4. Process memory protection
5. File Integrity Monitoring
6. Log Inspection

There are also two scenarios outlined separately in Appendix A:

1. Software distribution control
2. Application service and settings protection

These scenarios are considered advanced and can be demonstrated depending on the customer's needs.

Each of the scenarios allows you to evaluate and identify how KESS can assist in alleviating security
problems, or provides you with the basis for a plan to take advantage of KESS.

ANTI-MALWARE PROTECTION
This basic scenario will help you understand whether the antivirus is up and running. We will use the
EICAR test virus file for this purpose. Please refer to this article for more information about EICAR:
http://support.kaspersky.com/viruses/general/459.

To be able to download or create such a test file it is necessary to disable protection first.

Evaluation steps:

• Ensure that protection is enabled
• Create EICAR with Notepad
• Get the error/warning message
• Review local logs and KSC events

Expected results:

The EICAR test virus file is successfully detected.

Step-by-step instructions:

1. Ensure that the Real-time protection task is enabled.

2. On the protected system create a new text document, paste the following string into it and save
   the file:

   X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

3. You will get the following terminal message right after the file saving attempt.

   KESS also registers a corresponding event in the task log and sends the event to the KSC.

APPLICATION LAUNCH CONTROL

This scenario demonstrates how Application Launch Control (ALC) blocks the launch of untrusted
programs. You will create a simple script acting as an untrusted program that should be blocked by ALC.
Then you will apply a rule generator task to a reference computer so that the script is automatically
treated as trusted according to the created rule.

Evaluation steps:

• Create and run a script that starts the calculator application.
• Configure the policy and enable ALC.
• Run the script again and get an error/warning saying that the application startup is denied.
• Apply the rule generator task.
• Ensure that the script is treated as trusted.

Expected results:

Untrusted application launch is blocked by ALC. After the allow rule is applied, the application is
whitelisted and allowed to launch.

Step-by-step instructions:

Create script

1. On the protected system create a script.bat file with the following content:

@echo off
@echo Starting calculator...
pause
calc

Save the file in the C:\ATM_soft folder.

2. Run the script. After you press any key, the calculator starts.


Configure policy and enable ALC

1. On the KSC open the KESS policy properties, switch to the Local activity control section and click
   the Settings button in the Application Launch Control area.

2. The Application Launch Control settings window opens.

   On the General tab change Task mode to Operating. You can also leave the ALC operation mode at
   its default (Statistics Only). In this case ALC will not block an application startup but only create a
   warning event in the task log.

   In the Rules area change Rules combination to Add policy rules to the local rules. This saves you
   from having to manually import the rules later.

3. Switch to the Task Management tab.

4. Select the Enable radio button in order to start the ALC.

5. Apply the policy.

Check how ALC works

1. Run the script on the protected system. You will get an error as shown in the picture, saying that
   you don't have permissions to start the application.

2. Review the events in KSC.

3. You can also leave the ALC operation mode at its default (Statistics Only). In this case you will get
   warning messages in the task log.

Apply rule generator task

1. On the KSC create a new task for the group containing computers with KESS installed. Select the
   Rule Generator for Application Launch Control task type.

2. At this step click the Add button in order to specify a folder where the applications that you want
   to add to the whitelist are located.

3. Specify the folder where the script.bat file is located. Mark the Scripts checkbox to consider
   scripts while crawling the folder.

4. Proceed to the next step. Mark the Add allowing rules to the list of Application Launch Control
   rules option in order to add the newly created rules to the KESS ALC rules list right after the rule
   generator task completes. Specify the XML file name and location to export the rule generator task
   results. Leave the other settings at their defaults for testing purposes.

5. Define the task schedule settings if necessary.

6. Specify the account under which the task will run.

7. Define the task name on the next step.

8. Finish the wizard and start the task.

Check the result

Run the script.bat file on the protected system and notice that no ALC events are registered in KSC.
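The allow-list logic this scenario exercises (crawl a folder, record a fingerprint for each program, then decide every launch under Default Deny in either Operating or Statistics Only mode) can be modelled in a few lines. The block below is an added illustration written for this guide, not KESS code and not its rule format: it assumes SHA-256 file hashes as the rule type, an assumed set of extensions for the Scripts checkbox, and a temporary folder standing in for C:\ATM_soft. It also covers a case the scenario does not: editing script.bat after the rule was generated changes its hash, so the edited file is denied again until the rule generator task is re-run.

```python
"""Toy model of Application Launch Control (ALC) allow rules.

A folder is crawled the way the Rule Generator task does, each program is
fingerprinted with SHA-256, and later launches are checked against that list
under the Default Deny principle. This is a constructed illustration, not the
product's rule format or decision engine.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".msi", ".sys"}
# Assumed set of extensions covered by the "Scripts" checkbox of the rule generator.
SCRIPT_SUFFIXES = {".bat", ".cmd", ".ps1", ".vbs", ".js"}


def file_sha256(path: Path) -> str:
    """Fingerprint a file; the toy rule means 'exactly this content may run'."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_rules(folder: Path, include_scripts: bool) -> Dict[str, str]:
    """Crawl a folder like the rule generator task; return {file name: sha256}."""
    wanted = EXECUTABLE_SUFFIXES | (SCRIPT_SUFFIXES if include_scripts else set())
    rules: Dict[str, str] = {}
    for p in sorted(folder.rglob("*")):
        if p.is_file() and p.suffix.lower() in wanted:
            rules[p.name] = file_sha256(p)
    return rules


def check_launch(rules: Dict[str, str], path: Path, mode: str) -> str:
    """Default Deny: allowed only if the file's hash matches an allow rule.

    'Operating' blocks the launch; 'Statistics Only' lets it run and only
    records a warning, exactly the two task modes described in the scenario.
    """
    if rules.get(path.name) == file_sha256(path):
        return "allowed"
    return "denied" if mode == "Operating" else "warning-only"


def demo() -> dict:
    """Constructed walk-through: no rules, rules generated, then file tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        soft = Path(tmp) / "ATM_soft"          # stands in for C:\ATM_soft
        soft.mkdir()
        script = soft / "script.bat"
        script.write_text("@echo off\n@echo Starting calculator...\npause\ncalc\n")
        (soft / "notes.txt").write_text("not executable, never gets a rule\n")

        before = check_launch({}, script, "Operating")           # ALC on, no rules yet
        stats_only = check_launch({}, script, "Statistics Only")
        rules = generate_rules(soft, include_scripts=True)        # Scripts checkbox marked
        no_scripts = generate_rules(soft, include_scripts=False)  # checkbox left clear
        after = check_launch(rules, script, "Operating")
        script.write_text("@echo off\ncalc\n")                    # changed after rule generation
        tampered = check_launch(rules, script, "Operating")
        return {
            "before": before,
            "statistics_only": stats_only,
            "rule_names": sorted(rules),
            "rule_names_without_scripts": sorted(no_scripts),
            "after": after,
            "tampered": tampered,
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the file prints the six outcomes. The "tampered" result is the practical reason to re-run the rule generator task after every authorised software update on the reference machine, and the "rule_names_without_scripts" result shows why the Scripts checkbox matters for a .bat file.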


DEVICE CONTROL
This scenario shows the capability of the Device Control component. While preparing this document a
system with an already connected DVD drive was used. This demo shows how to deny the use of devices
except those already connected to the system.

Evaluation steps:

• Create allow rules via the rule generator task
• Configure the policy
• Add a new device (another DVD drive) and review events

Expected results:

The newly connected DVD-ROM device is blocked.

Step-by-step instructions:

Create allow rules via rule generator task

1. On the KSC create a new task for the group containing computers with KESS installed. Select the
   Rule Generator for Device Control task type.

2. Change Mode to Consider currently connected mass storages only. Specify the path to the XML
   file to which the rules will be exported.

3. Leave the task schedule setting unchanged.

4. If necessary, change the account under which the task will be performed.

5. Define the task name. Finish the wizard and start the task.

Import policy rules and enable device control

1. Open the KESS policy properties in KSC. Switch to Local activity control and click the Settings
   button in the Device Control area. Ensure that the lock is closed in order to force the policy to be
   applied.

2. On the General tab change Task mode to Operating. Click the Rules list button to add rules.

3. Click the Add button, then select Import rules from XML file and the Replace existing rules
   option from the context menus.

4. Select the device control whitelist XML file created by the rule generator task. It is located on the
   protected system where the rule generator task was performed.

5. Note that the rules have been added.

6. Switch to the Task management tab and mark Enable in the Task start area.

Check the result

1. Add any other device to the protected system. In this demo we use an additional CD-ROM drive as
   an untrusted device. Check the protected system's Device Manager. Note that the device was
   physically connected but denied by Device Control.

2. Review the event registered in KSC.

EXPLOITS PREVENTION
This scenario shows the exploit prevention capability. The scenario is very simple to demonstrate, since
we will use the wicar.org web resource to show how KESS prevents exploitation of the Internet Explorer
Remote Code Execution Vulnerability CVE-2014-6332. The vulnerability exists in Internet Explorer 3.0
through version 11, on Windows 95 up to Windows 10.

Evaluation steps:

• Configure the policy to enable the exploit prevention component.
• Open the wicar.org web resource with Internet Explorer on the protected system.
• Select a test payload.
• Review the event in KSC.

Expected results:

Vulnerability exploitation is prevented.

Step-by-step instructions:

1. Open the KESS policy properties in KSC. Switch to the Real-time protection section and click the
   Settings button in the Exploit Prevention area.

2. The Process memory protection settings tab opens. Select the Protect the memory of processes
   from exploitation of vulnerabilities in the mode checkbox. Select the Terminate on exploit radio
   button.

3. Switch to the Protected processes tab. Ensure that the iexplore.exe process is in the list of
   protected processes. Save and apply the policy.

4. On the protected system open Internet Explorer and navigate to this link:
   http://www.wicar.org/test-malware.html. Select the MS14-064 test payload. After you click the
   button, a blank page opens.

5. Review the events registered in KSC and find the event about the detected exploit.


FILE INTEGRITY MONITORING
This demo shows the capability of file integrity monitor (FIM) component. During this demo you will
configure the monitoring scope of the component, make some changes in the scope and review the
alerts generated by FIM.

Evaluation steps:

 Create test folder to be added to monitoring area


 Configure policy to enable FIM
 Delete file from monitoring area
 Review events

Expected results:

Modification of objects within monitoring area is detected.

Step-by-step instructions:

1. On the protected system create the test folder C:\Files.

2. Create some files to be monitored by FIM, e.g. test.txt.

3. Open the KESS policy properties and switch to the System inspection section. Click the Settings button in the File Integrity Monitor area.

4. On the General tab add a monitoring scope by clicking the Add button in the Monitoring scope area.

5. Add the C:\Files folder to the monitoring scope. The path to the folder containing the files must be entered with a * mark after the backslash: C:\Files\*.

6. Start the task by selecting the Enable radio button on the Task management tab. Save and apply the policy.

7. Edit the test.txt file in the monitoring scope to trigger FIM.

8. Review the event registered in KSC and confirm that the modification of the file was detected.
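As an added illustration of what the FIM component detects (example code written for this guide, not Kaspersky's implementation), the following takes a SHA256 snapshot of a directory and then replays the scenario above in a temporary folder: edit test.txt, delete a second file, add a third, and report the resulting events. File names other than test.txt are constructed for the demo.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> SHA256 for every file under root (the C:\\Files\\* scope)."""
    state = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root)] = digest
    return state


def diff_snapshots(baseline, current):
    """Return FIM-style events (event, path) for created, modified and deleted files."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append(("created", path))
        elif path not in current:
            events.append(("deleted", path))
        elif baseline[path] != current[path]:
            events.append(("modified", path))
    return events


def run_fim_demo():
    """Replay the guide's scenario in a temp dir and return the detected events."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "test.txt"), "w") as fh:
        fh.write("initial\n")
    with open(os.path.join(root, "keep.txt"), "w") as fh:   # constructed extra file
        fh.write("unchanged\n")
    baseline = snapshot(root)                              # monitoring starts here
    with open(os.path.join(root, "test.txt"), "a") as fh:  # step 7: edit test.txt
        fh.write("edited\n")
    os.remove(os.path.join(root, "keep.txt"))              # evaluation step: delete a file
    with open(os.path.join(root, "new.bin"), "wb") as fh:  # an unexpected new object
        fh.write(b"\x00")
    return diff_snapshots(baseline, snapshot(root))
```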


LOG INSPECTION
This scenario shows how the log inspection component must be configured to detect brute-force attacks. Since the component parses Windows event logs, the audit policy must be changed so that logon events are audited.

Evaluation steps:

 Modify the OS audit policy.
 Change KESS settings via the KESS console and set Log Inspection triggers.
 Emulate a brute-force attack.
 Review the task log.

Expected results:

Brute-force attack emulation is detected.

Step-by-step instructions:

1. On the protected system run secpol.msc.

2. Modify the local audit policy. Open the Audit logon events policy properties. Enable auditing of successful and failed logon attempts by checking the Success and Failure checkboxes.

3. Open the Log inspection task settings in the KESS local or remote console.

4. Switch to the Triggers tab and configure the trigger for the Brute force attack detection heuristic. Set Number of logon failures to 3 per 300 seconds.

5. Try to log in to the protected system 3 times with invalid credentials.

6. Review the task log. The following event should occur: There are patterns of possible brute-force attack in the system.
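To make the heuristic concrete, here is an added example (not part of the guide or of the KESS product) that applies the same rule, 3 logon failures within 300 seconds, to constructed log lines modelled on Windows logon audit events (4624 success, 4625 failure). The line format and the choice to group failures by source address are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "date time event_id user src" layout,
# modelled on Windows Audit logon events. Not real product or OS output.
SAMPLE_LOG = """\
2017-08-23 10:00:01 4624 user=operator src=10.0.0.5
2017-08-23 10:00:10 4625 user=admin src=10.0.0.7
2017-08-23 10:00:12 4625 user=admin src=10.0.0.7
2017-08-23 10:00:15 4625 user=admin src=10.0.0.7
2017-08-23 10:30:00 4625 user=guest src=10.0.0.9
2017-08-23 10:40:00 4625 user=guest src=10.0.0.9
2017-08-23 10:50:00 4625 user=guest src=10.0.0.9
"""

FAILED_LOGON = "4625"  # Windows event id for "An account failed to log on"


def parse_event(line):
    """Split one constructed log line into (timestamp, event_id, user, source)."""
    date, time, event_id, user, src = line.split()
    return (datetime.fromisoformat(f"{date} {time}"), event_id,
            user.split("=", 1)[1], src.split("=", 1)[1])


def detect_brute_force(log_text, threshold=3, window_seconds=300):
    """Return (source, first_failure, last_failure) for every source that
    accumulates `threshold` failed logons within a sliding window."""
    window = timedelta(seconds=window_seconds)
    failures = {}  # source -> failure timestamps still inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, _user, src = parse_event(line)
        if event_id != FAILED_LOGON:
            continue  # successful logons do not count towards the trigger
        recent = [t for t in failures.get(src, []) if ts - t <= window]
        recent.append(ts)
        failures[src] = recent
        if len(recent) >= threshold:
            alerts.append((src, recent[0], ts))
            failures[src] = []  # one alert per burst, then start counting again
    return alerts
```

With the guide's values the admin failures from 10.0.0.7 trigger an alert, while the three guest failures from 10.0.0.9 are spaced 10 minutes apart and stay below the 300-second window.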


CONCLUSION
This simplified guide is intended for a quick evaluation of the product features using a narrow scope of work. It does not replace the product documentation and detailed deployment guides.

KESS provides reliable protection for embedded systems and has a flexible modular architecture. Its File Anti-Malware Protection, Exploit Prevention, Application Launch Control, Device Control, File Integrity Monitor, Log Inspection and Firewall Management components aim to provide the best protection from logical attacks on ATM/POS and other embedded devices.

In Appendix A you can find the advanced scenarios which can be demonstrated to show additional KESS advantages:

 Software distribution control
 Application service and settings protection

Through the evaluation you have learned how to deploy KESS and demonstrate its core features and business value.


APPENDIX A: ADVANCED CAPABILITY SCENARIOS
SOFTWARE DISTRIBUTION CONTROL
Software distribution control (SDC) is a feature of application launch control designed to secure software installation and update processes. An application installed from a trusted distribution package, or started by a trusted application, is implicitly whitelisted.

In the scenario below, software installation on a protected system is denied according to the organization's security policy. You have to perform a remote installation of a packaged application via the KSC management plugin and whitelist the application deployed through this channel.

First you will configure ALC to work according to the default deny principle, so that the launch of all untrusted applications, including 7-Zip, is blocked. Then you will configure SDC so that 7-Zip can be installed remotely via KSC and added to the implicit whitelist.

Evaluation steps:

 Enable allow events logging
 Create allow rules with the rule generator task
 Configure ALC via KSC policy
 Download the 7-zip installation package to the protected system (http://www.7-zip.org/a/7z1604.msi)
 Try to start the installation, get an error/warning
 Configure SDC (add klnagent.exe to the trusted distribution packages list)
 Perform remote installation of 7-zip via KSC
o Create installation package
o Deploy package
 Run the installed application on the protected system
 Review results

Expected results:

7-zip is installed on a protected system and can be launched.

Step-by-step instructions:

Enable allow events logging

This step is necessary to get a more detailed log.

1. On the protected system open the KESS Console and switch to the Logs and notification section. Click the Properties link in the right pane.

2. Select the Application Launch Control component and change the Importance level to Informational events in order to enable allow events to be logged.

Create allow rules with rule generator task

This step describes how ALC rules are created with the rule generator task performed on a reference system.

1. In KSC create a new task for the group containing computers with KESS installed. Select the Rule Generator for Application Launch Control task type.

2. On this step leave the settings at their defaults. Thus allow rules will be created based on the reference system.

3. Select Use SHA256 hash as criteria. This will create stricter rules. Specify a path to the XML file to which the rules will be exported.

4. Leave the schedule settings unchanged.

5. If necessary, change the account under which the task will be performed.

6. Define a task name.

7. Finish the wizard and start the task.


Configure policy

This step shows how to enable ALC using the rules generated in the previous step.

1. In KSC open the KESS policy properties, switch to the Local activity control section and click the Settings button in the Application Launch Control area. Ensure that the lock is closed in order to enforce the policy.

2. On the General tab change Task mode to Operating. In the Rules area change Rules combination to Replace local rules with policy rules. Click the Rules list button to open the rules list.

3. Click the Add button and select Import rules from XML file and the Replace existing rules option from the context menus.

4. Select the whitelist XML file created by the rule generator task. It is located on the protected system where the rule generator task was performed.

5. Note that the rules have been added.

6. Switch to the Software Distribution Control tab. Mark the two checkboxes as shown on the picture. The first one enables SDC in general and the second one enables Windows Installer to implicitly whitelist the applications deployed from MSI packages.

We don't need to specify software distribution applications and packages in this demo, since we will use the KSC Network Agent (klnagent.exe) to deliver software to the protected system. klnagent.exe and msiexec.exe were both whitelisted by the rule generator task.

7. Switch to the Task management tab and mark Enable in the Task start area.

Start installation of untrusted application

1. Download the 7z1604.msi package from http://www.7-zip.org/download.html to the protected system.

2. Try to start the installation of 7-Zip. You will get an error message in the terminal window. It means that the installation was blocked by ALC.


Perform remote installation via KSC

This step describes the remote installation of an application via KSC.

1. In KSC start the installation package creation wizard.

2. Select an application from the Kaspersky Lab database to create an installation package.

3. Define the package name.

4. Select the 7-zip 16.04 package from the list.

5. Complete the wizard.

6. Deploy the 7-Zip package onto the protected system by means of the KSC remote installation task.


Review the results

At the end of this step you will notice that there are no explicit rules for the installed application in the whitelist. The application is implicitly whitelisted by SDC.

1. Run the installed application.

2. Open the rules list in the KESS policy properties in KSC. Check the ALC rules for 7-Zip File Manager (7zFM.exe).

3. Note that there are no allow rules for 7-Zip.

4. Open the ALC task logs in the KESS Console and note the allow event for 7-Zip. It says that the application startup was allowed by the trusted distribution packages list.
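The decision logic behind this result can be modelled as follows. This is an added, simplified model written for this guide, not the product's algorithm; it assumes SHA256 allow rules like those the rule generator exports, a trusted distributor set of klnagent.exe and msiexec.exe, and placeholder hash values.

```python
# Simplified model (added example, not the KESS algorithm) of an ALC decision in
# default-deny mode with Software Distribution Control (SDC) enabled.
# Hash values are constructed placeholders, not real file hashes.

# Explicit allow rules as the rule generator would emit them on the reference
# system using the SHA256 criterion: file name -> expected hash.
ALLOW_RULES = {
    "klnagent.exe": "sha256:PLACEHOLDER-KLNAGENT",
    "msiexec.exe": "sha256:PLACEHOLDER-MSIEXEC",
}

# Processes treated as trusted software distributors (KSC Network Agent and
# Windows Installer, both explicitly allowed above).
TRUSTED_DISTRIBUTORS = {"klnagent.exe", "msiexec.exe"}


def decide(name, sha256, installed_by, sdc_enabled=True):
    """Return (verdict, reason) for launching file `name` with hash `sha256`.

    `installed_by` is the chain of processes that wrote the file, outermost
    distributor first, e.g. ["klnagent.exe", "msiexec.exe"]; an empty chain
    means the origin is unknown (for example, copied in by a user).
    """
    # 1. Explicit rule: only the exact hash passes, so a patched or renamed
    #    binary carrying an allowed name is still denied.
    if ALLOW_RULES.get(name) == sha256:
        return ("allow", "explicit SHA256 rule")
    # 2. Implicit trust: every process in the delivery chain is a trusted
    #    distributor, which is what SDC grants to MSI packages pushed by KSC.
    if sdc_enabled and installed_by and all(p in TRUSTED_DISTRIBUTORS for p in installed_by):
        return ("allow", "trusted distribution packages list")
    # 3. Default deny for everything else.
    return ("deny", "no matching allow rule")


def sdc_demo():
    """Walk through the guide's scenario and return the verdict for each case."""
    chain = ["klnagent.exe", "msiexec.exe"]
    return {
        "manual_install": decide("7z1604.msi", "sha256:PLACEHOLDER-7Z", []),
        "ksc_installed_7zfm": decide("7zFM.exe", "sha256:PLACEHOLDER-7ZFM", chain),
        "sdc_disabled": decide("7zFM.exe", "sha256:PLACEHOLDER-7ZFM", chain, sdc_enabled=False),
        "genuine_agent": decide("klnagent.exe", "sha256:PLACEHOLDER-KLNAGENT", []),
        "tampered_agent": decide("klnagent.exe", "sha256:PLACEHOLDER-OTHER", []),
    }
```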

SELF-DEFENSE
Protection from unauthorized shutdown of KESS service

This scenario shows how access to the application service can be configured in order to protect the application from being shut down by unauthorized personnel.

Evaluation steps:

 Stop/start the service via the command line on behalf of a domain administrator
 Configure the policy to deny access to the service for a specified user/group
 Check that service management is blocked for the specified user/group

Expected results:

The KESS service cannot be shut down by an unauthorized person.

Step-by-step instructions:

1. On the protected system open an elevated command prompt and stop the Kaspersky Embedded Systems Security Service using the net stop “KAVFS” command.

2. Start the service using the net start “KAVFS” command.

3. Open the KESS policy properties and switch to the Advanced section. Click the Settings button in the User access for Security service area.

4. Let's say the user John must not have privileges to manage the KESS service. Set Deny permissions for John. Save and apply the KESS policy.

5. Log in to the protected system as John and try to stop the KESS service using the net stop “KAVFS” command. The command must be executed from an elevated command prompt.

You will get the Access is denied message. This means that you have successfully denied the user the ability to manage the KESS service.


Protection from unauthorized changes of KESS settings

With the KESS console access protection scenario you can demonstrate how to set a password for console access in order to protect application management from unauthorized personnel.

Evaluation steps:

1. Set a password in the KSC policy
2. Try to access the application via the local console

Expected results:

Unauthorized access to KESS settings via the management console is impossible.

Step-by-step instructions:

1. In KSC open the KESS policy properties, switch to the Application settings section and click the Settings button in the Security area.

2. Mark the Apply password protection checkbox and set a password. Save and apply the policy.

3. After the policy has been applied, try to connect to the KESS application using the local or remote KESS console. You will get a password request window as shown on the screenshot.

4. If you enter an invalid password you will get the following error:

Failed to retrieve application settings. Reason: Incorrect password.


APPENDIX B: FURTHER READING
Page on the Kaspersky Lab website:

https://www.kaspersky.com/enterprise-security/embedded-systems

Page on the Technical Support website (Knowledge Base):

http://support.kaspersky.com/kess2

Administrator guide:

https://docs.s.kaspersky-labs.com/english/ess_admin_guide_en.pdf

User guide:

https://docs.s.kaspersky-labs.com/english/ess_user_guide_en.pdf

Kaspersky Lab forum:

http://forum.kaspersky.com



APPENDIX C: TROUBLESHOOTING AND FAQ
If you face unexpected behavior of the product during the PoC, the general recommendation is to contact Technical Support.

Before submitting an incident we recommend collecting trace files while reproducing the problem. Follow this link to learn how to collect trace files in KESS:
http://support.kaspersky.com/13766



APPENDIX D: KNOWN LIMITATIONS
Navigate through this link to review the list of known issues and limitations of KESS:

http://support.kaspersky.com/13726#block3



APPENDIX E: POC SUCCESS CRITERIA
#   | Task                                     | Success criteria                                                                 | Notes
1.  | Prepare environment                      |                                                                                  |
1.1 | Review KSV requirements                  | PoC environment meets all the imposed requirements.                              |
1.2 | Configure network (optional)             | All required network ports are opened in the right direction.                    |
1.3 | Download required files                  | All required files are downloaded.                                               |
2.  | Setup and deploy                         |                                                                                  |
2.1 | KESS local deployment                    | KESS is successfully deployed onto the embedded system.                          |
2.2 | KESS management console installation     | KESS management console is successfully deployed.                                |
2.3 | KESS deployment via KSC (optional)       | KESS is successfully deployed via KSC onto the embedded system.                  |
2.4 | License activation                       | KESS is activated with a valid activation key.                                   |
3   | Capability scenarios                     |                                                                                  |
3.1 | Anti-malware protection                  | EICAR test virus file is successfully detected.                                  |
3.2 | Application launch control               | Untrusted application launch is blocked by ALC. After allow rules are applied, the application is whitelisted and allowed to launch. |
3.3 | Device control                           | Newly connected DVD-ROM device is blocked.                                       |
3.4 | Exploits prevention                      | Vulnerability exploitation is prevented.                                         |
3.6 | File integrity monitoring                | Modification of objects within the monitoring area is detected.                  |
3.7 | Log inspection                           | Brute-force attack emulation is detected.                                        |
4   | Advanced Capability scenarios (optional) |                                                                                  |
4.1 | Software distribution control            | 7-zip is installed on the protected system and can be launched.                  |
4.2 | Self-defense                             | KESS service cannot be shut down by an unauthorized person. Unauthorized access to KESS settings via the management console is impossible. |
