Kaspersky Security Center 10

Management Pack for Kaspersky Security Center 10

In Kaspersky Security Center, you can monitor the condition of the Administration Server and managed products with Microsoft System Center Operations Manager (SCOM). The information from Kaspersky Security Center servers are collected with the SNMP service. Management is performed through the xml file imported to SCOM.
Read More...

How to adjust SCOM monitoring settings in Kaspersky Security Center 10

The article concerns the following versions of Kaspersky Security Center 10:

Service Pack 3 (version 10.5.1781.0)
Service Pack 2 Maintenance Release 1 (version 10.4.343)

How it works

Every six hours, SCOM runs the Reg.Discovery_x86 and Reg.Discovery_x64 tasks. The tasks select the computers with the ServerID parameter in the HKEY_LOCAL_MACHINE \SOFTWARE\ KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags and HKEY_LOCAL_MACHINE \SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags registry branches among the managed computers in SCOM.

Kaspersky Security Center is supposed to be installed on the selected computers. The group of computers forms a set of objects of the KL.KSC class. For each object of the KL.KSC class, the task which reads values the statistics parameters of Kaspersky Security Center through SNMP runs every 30 minutes.

List of managed parameters

Value	Numeric data type	OID	Description
noAntivirusSoftware	INTEGER { on(1), off(0) }	.1.3.6.1.4.1.23668.1093.1.1.2.1	This reason shows that in administration's groups too many hosts without Antivirus software.
hostsLicenceExpired	Counter32	.1.3.6.1.4.1.23668.1093.1.1.10	The number of hosts with the expired licence.
updatesStatus	INTEGER { OK(0), Info(1), Warning(2), Critical(3) }	.1.3.6.1.4.1.23668.1093.1.2.1	Up to date base's status.
serverNotUpdated	INTEGER { on(1), off(0) }	.1.3.6.1.4.1.23668.1093.1.2.2.1	This reason shows that server was not updated for a long time.
hostsNotUpdated	Counter32	.1.3.6.1.4.1.23668.1093.1.2.4	The number of hosts not up to date.
hostsAntivirusNotRunning	Counter32	.1.3.6.1.4.1.23668.1093.1.3.3	The number of hosts without running antivirus.
hostsRealtimeNotRunning	Counter32	.1.3.6.1.4.1.23668.1093.1.3.4	The number of hosts without running real time protection.
hostsRealtimeLevelChanged	Counter32	.1.3.6.1.4.1.23668.1093.1.3.5	The number of hosts with not acceptable level of real time protection.
hostsNotScannedLately	Counter32	.1.3.6.1.4.1.23668.1093.1.4.3	The number of hosts that has not been scanned lately.
hostsNotConnectedLongTime	Counter32	.1.3.6.1.4.1.23668.1093.1.5.5	The number of hosts that has not connected to the server for a long time.
criticalEventsCount	Counter32	.1.3.6.1.4.1.23668.1093.1.6.3	The number of critical events on the server.
hostsTooManyThreats	Counter32	.1.3.6.1.4.1.23668.1093.1.3.2.5	The number of hosts with too many threats.
logicalNetworkStatus	INTEGER { OK(0), Info(1), Warning(2), Critical(3) }	.1.3.6.1.4.1.23668.1093.1.5.1	Status of the logical network of the Administration Server.
eventsStatus	INTEGER { OK(0), Info(1), Warning(2), Critical(3) }	.1.3.6.1.4.1.23668.1093.1.6.1	Status of the event's subsystem.

Each of the data types is controlled by a separate monitor. Monitors can be divided into 3 types:

Monitors for the INTEGER data type with statuses Health and Critical (on = 1, off= 0 );
Monitors for the INTEGER data type with statuses Health, Warning and Critical (OK=0, Info=1, Warning=2, Critical=3) ;
Monitors for Counter32 data type with Health, Warning, and Critical statuses.

All monitors of this type have their thresholds:

OK is less or equals 3
Warning is more than 3 and less than 10
Critical is more than 10

Each monitor generates a warning when the value is Warning or Critical. All warnings are removed automatically when the issue is fixed.

SNMP settings

Computer with the Administration Server:

Go to Services
Select SNMP (SNMP Service)
Open the SNMP Service properties
Go to the Traps tab
In the Community name and Trap Destination fields, specify the name or IP address of the computer on which SCOM is installed.
By default, Community name “public” is used in Management Pack
Go to the Security tab
Select the check box Send authentication trap.
Add the Community name on the Traps tab and specify the READ ONLY permissions in the Accepted community names field.
Select the check box Accept SNMP packets from any hosts.
If the check box Accept SNMP packets from these hosts is selected, you must specify the name or the IP address of the computer on which System Center Operations Manager is installed.

Computer with System Center Operations Manager.

Go to Services
Select SNMP (SNMP Service)
Open the SNMP Service properties
Go to the Security tab
Set the name "public" in the Community name field and set NOTIFY for permissions.
Select the check box Accept SNMP packets from any hosts.
If the check box Accept SNMP packets from these hosts/ you must specify the name or the IP address of the computer on which Kaspersky Security Center is installed.

Make sure the settings work correctly using Net-SNMP or ManageEngine MibBrowser

Configuring System Center Operations Manager

By default, “public” is used for Community name in Management Pack.
Set the Community name value before importing:

Download the file KL.KSC.xml
In the section <Discovery ID="KL.KSC.Server.Discovery" Target="KL.KSC.Reg" Enabled="true" ConfirmDelivery="false" Remotable="true" Priority="Normal"> edit line 98 Community='public'.

Change the search tasks schedule:

Download the file KL.KSC.xml
Set a custom time value
- For computers with Kaspersky Security Center installed, the period of running is set to 6 hours (21600 seconds) by default.
  Edit the line <Frequency>21600</Frequency> in the section <Discovery ID="KL.KSC.Reg.Discovery" Target="Windows!Microsoft.Windows.Computer" Enabled="true" ConfirmDelivery="false" Remotable="true" Priority="Normal">.
- By default, the task of collecting KSC statistics through SNMP is run every 30 minutes (1800 seconds).
  Edit the line <IntervalSeconds>1800</IntervalSeconds> in the section <Discovery ID="KL.KSC.Server.Discovery" Target="KL.KSC.Reg" Enabled="true" ConfirmDelivery="false" Remotable="true" Priority="Normal">.

You can change Community name and the schedule after the import to SCOM. To do it, edit the properties of the objects Reg.Discovery and Server.Discovery in the Authoring section of the SCOM console.

Importing Management Pack KL.KSC.xml to SCOM

Open the SCOM management panel
Click Create → Group for class KL.KSC.
In the group, create State View and Alert View
Select the parameters for monitoring on the Display tab.
Set custom thresholds for monitors, if necessary.

Management Pack KB

Management Packs

Management Pack	Version
KL.KSC	1.0.0.10

Elements

TypeDefinitions

EntityTypes

ClassType (2)

Monitoring

Discovery (3)
Monitors

UnitMonitor (13)