Ycsecurity/malware-defense/kaspersy-install-in-yc

Deploying Kaspersky Antivirus in Yandex.Cloud (Compute Instance, COI)

The purpose of the demo is to deploy the Kaspersky solution and remotely install agents in Yandex.Cloud to provide antivirus protection for:

• Windows and Linux VMs.
• Containers in COI(Container Optimised Image).

Detailed workshop analysis in the video:

Table of contents:

• Diagram
• Description
• Preparation and prerequisites
• Infrastructure deployment
• Setting up KSC
• Installing antivirus software on VMs
  • Remote installation on Linux VMs, including COI installation
  • Remote installation on Windows VMs
  • Antivirus health check on VMs
  • Antivirus health check in COI containers

Diagram:

Description:

The following tasks will be run during the workshop:

• Installing the infrastructure using Terraform (Infrastructure as a Code).
• Installation, basic configuring, and running tests Kaspersky Security for Virtual and Cloud Environments (PAYG).

Preparation and prerequisites

• Install and configure YC CLI.
• Install Terraform.
• Install additional software: RDP Client.

System requirements for target VMs

The workshop uses Kaspersky Endpoint Security 11.2.0 for Linux. See the system requirements for the OS.

Infrastructure deployment:

• Download the archive with files kaspersy-install-in-yc.zip.
• Go to the folder with the downloaded files.
• Fill out the required parameters in the variables.tf file: 'token,cloud_id,folder_id` (see comments in the file).
• Execute commands: terraform init terraform apply
• After executing the commands, confirm the action and enter: Enter a value: yes

The infrastructure is ready:

Setting up KSC:

• Wait for 3 minutes.

• Connect to the KSC server via RDP to an external address. The IP address will be displayed in the command line output. Login: Administrator. To get a password, enter the command:

  terraform output ksc-pass
  

  Wait for KSC installation to complete (at this time, follow steps 3-5).

• Terraform will save the SSH key at the following path: C:\private.pem. Remove unneeded rights from the file, leaving only the administrators group: right-click on the file → Security → Advanced → Disable Inheritance.

• Add a passphrase to the SSH key using CMD:

ssh-keygen -p -f C:\private.pem 
(specify the passphrase)

• Download KES 11.2 to the KSC machine: the archive updates.zip.

• Create an installation package for KES 11.2:

• Advanced → Remote Installation → Installation Packages → Create ins. packet.

• Select the option: Create from Kasp. applications.

• Specify the .kud file from C:\Users\Administrator\Desktop\kesl-11.2.0.4528

• Install the management plugin by running the updates/klcfginst.msi file.

• Create device groups (Managed Devices → New Group):

• Linux.

• Windows.

• Create rules for moving devices to groups (Unassigned Devices → Configure rules):

• Linux "192.168.30.0/24";

• Windows "192.168.20.0/24".

• Create network polling rules for the same subnets: Advanced → Device Discovery → IP ranges (be sure to right-click on IP ranges → Enable poll)

Installing antivirus software on VMs

Kaspersky antivirus software consists of two parts: the management agent and the antivirus software Kaspersky Endpoint Security for Linux (KESL), Kaspersky Security for Windows Server (KSWS). There are several ways to install the antivirus on VMs:

• Remotely, using SSH or Windows credentials.
• Using a local installation script (for more information, see the documentation).

Remote installation on Linux VMs, including COI installation

• Create a task for automatic installation of the antivirus agent + KESL:
• Create a task from the Managed Device → Linux folder (you can schedule it).
• Specify SSH credentials for the certificate (user: 'yc-user`), select the KES 11.2 package and agent 12.

• Wait until installation completes.

• Create the tasks:

• Downloading updates to the KSC repository.

• KESL database update on machines.

• Full check.

• Go to the VM list and check that the antivirus is installed.

Remote installation on Windows VMs

• Log in via RDP using the administrator account (you generated the password previously via Terraform) on the Win0 or Win1 VM, then run commands in the PowerShell to uninstall Windows Defender:

sc query WinDefend
Uninstall-WindowsFeature -Name Windows-Defender
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

• Create a task for the auto-installation of the antivirus agent + KSWS:
• Create a task from the Managed Device → Windows folder (you can schedule it).
• Specify the Windows credentials: administrator (you generated the password previously via Terraform), then select package 11.1 and agent 12.

• Wait for the agent and antivirus to be installed on the VMs.

• Go to the VM list and check that the antivirus is installed.

Antivirus health check on VMs (Linux and Windows):

• Log in via SSH to any Linux machine and run the command:

sudo wget https://secure.eicar.org/eicar.com.txt

The download has been blocked. In the events of this machine, check that the threat has been detected.

• Log in via RDP to any Windows machine, download an instance of the eicar virus — https://secure.eicar.org/eicar.com.txt
• Go to the properties of any Windows machine, make sure that the antivirus has deleted the eicar.com.txt file.

Antivirus health check in COI containers:

Learn more about scanning containers: https://support.kaspersky.com/KES4Linux/11.1.0/ru-RU/191702.htm

Container-lin has already been downloaded to the VM, and the vulnerable docker image (https://hub.docker.com/r/jerbi/eicar) is running

• Create a container scanning task on the container-lin VM:
• Log in to Tasks.

• Create new task → KESL 11.2 → container scanning.

• Make sure that the detection of a malicious container image is visible in the events.