Installation on Windows systems

This section describes the process of installing Kaspersky CyberTrace on Windows systems.

Installation methods

On Windows systems, you can install Kaspersky CyberTrace by one of two methods: by running the Windows Installer (.msi) package, or by unpacking the .zip archive manually and configuring the components yourself. Both methods are described below.

Windows Installer

To install Kaspersky CyberTrace by using Windows Installer:

  1. Make sure that the computer you plan to use for running Feed Service meets the hardware and software requirements.
  2. Make sure that the computer can send events to the computer on which a SIEM solution is installed and can receive events from the SIEM computer.
  3. Run the .msi file of the Windows Installer package.
  4. Accept the End User License Agreement (EULA).

    If you continue installation, Kaspersky CyberTrace is installed to C:\Program Files\Kaspersky Lab\Kaspersky CyberTrace. This folder is called %service_dir% in this document.

  5. Specify the following settings:
    • The IP address, port of a proxy server to connect to, and the login and password (if necessary).

      Leave the text fields for these parameters empty if no proxy server is used.

    • The path to the PEM-formatted certificate to be used for updating feeds.

      The path to the certificate must contain only characters that can be represented in the current system locale (code page). If the path contains Unicode characters outside that locale, Windows Installer displays the error message "Invalid PEM file".

      The list of the feeds you can use will be loaded automatically. The specified certificate will replace the certificate %service_dir%\dmz\feeds.pem.

      If the certificate is not specified, only demo feeds will be available.

    • The feeds to be used by Feed Service and that will be regularly updated.

      You can use the feeds that you purchase or the demo feeds. You must use at least one feed.

    • The IP address and port to connect to a SIEM solution (the destination for outgoing events).

      The IP address must be an IPv4 address in dotted-decimal notation: four decimal octets separated by dots, each with a value from 0 to 255.

    • The IP address and port that Feed Service will listen on for incoming events.

      The IP address must be an IPv4 address in the same dotted-decimal notation. Specify an address assigned to an interface of this computer that the SIEM computer can reach.

Windows Installer registers the Kaspersky CyberTrace services in the Windows services list. If the Installer is launched under a Windows account that does not have the rights to modify the Windows services list, the credentials of an administrator account will be requested.

After you finish the installation process, Feed Service and its watchdog service will start.

Also, the KasperskyFeedServiceUpdate task, which updates feeds at regular intervals, will be added to Windows Task Scheduler.

After Kaspersky CyberTrace is installed you can check whether everything is in working order. See subsection "Checking that the components of Kaspersky CyberTrace work properly" below.

Windows installation by .zip file

To install Kaspersky CyberTrace by unpacking the .zip archive manually:

  1. Make sure that the computer you plan to use for running Feed Service meets the hardware and software requirements.
  2. Make sure that the computer can send events to the computer on which a SIEM solution is installed and can receive events from the SIEM computer.
  3. Unpack the contents of the installation archive to any folder on the computer that you want to use for running the service. Hereinafter, this folder will be referred to as %service_dir%.

    The recommended folder is C:\Program Files\Kaspersky Lab\Kaspersky CyberTrace.

  4. Read the End User License Agreements (EULAs) for Kaspersky CyberTrace and Kaspersky Threat Data Feeds. The EULAs are located at %service_dir%\doc\license.rtf.

    If you agree to the terms of the EULAs, proceed to the next step.

  5. Accept the EULAs:
    1. In the %service_dir%\bin\kl_feed_service.conf file (hereinafter referred to as the Feed Service configuration file) find the following line:

      <EULA>rejected</EULA>

    2. If you accept the EULAs, change the line to the following:

      <EULA>accepted</EULA>

    3. In the %service_dir%\bin\kl_feed_util.conf file (hereinafter referred to as Feed Utility configuration file) find the following line:

      <EULA>rejected</EULA>

    4. If you accept the EULAs, change the line to the following:

      <EULA>accepted</EULA>

  6. Do one of the following:
    • If you want to install CyberTrace Web, generate an SSL/TLS certificate for CyberTrace Web. You can use either a self-signed certificate or a certificate signed by a trusted CA:
      • To generate a self-signed certificate, run the following command from the command line:

        %service_dir%\tools\openssl.exe req -x509 -nodes -days 345 -subj /C=RU/CN=127.0.0.1 -newkey rsa:2048 -extensions EXT -keyout %service_dir%\httpsrv\kl_feed_service_private.pem -out %service_dir%\httpsrv\kl_feed_service_cert.pem -config %service_dir%\tools\openssl.cnf

        Note that CN=127.0.0.1 matches only the loopback address; if CyberTrace Web will be opened from other computers, set CN to the host name or IP address that users will browse to. Browsers do not trust a self-signed certificate until it is explicitly imported, so use this option for test and local deployments only.

      • To generate a trusted certificate, follow the instruction in section "Generating certificates for CyberTrace Web".
    • If you do not want to install CyberTrace Web, perform the following steps in succession:
      • In the %service_dir%\bin\kl_feed_service.conf file, find the following line:

        <HTTPServer enabled="true">

      • Change the line to:

        <HTTPServer enabled="false">

  7. Select the feeds that must be downloaded and processed by Feed Utility:
    1. In the %service_dir%\bin\kl_feed_util.conf file, find the feeds that you want to download and process.
    2. For each of the feeds, find the following attribute:

      enabled="false"

    3. For each of the feeds, change the value of the attribute to true:

      enabled="true"

  8. Specify the feeds that must not be processed by Feed Service:
    1. In the %service_dir%\bin\kl_feed_service.conf file, find the feeds that you will not use.
    2. For each of the feeds, find the following attribute:

      enabled="true"

    3. For each of the feeds, change the value of the attribute to false:

      enabled="false"

    The lists of the enabled feeds in the Feed Utility configuration file and the Feed Service configuration file must be the same.

  9. Specify the IP address and port (or the Windows named pipe) to which Feed Service will send outgoing events in the OutputSettings > ConnectionString element of the Feed Service configuration file.
  10. Specify the IP address and port (or the Windows named pipe) that Feed Service will listen on for incoming events in the InputSettings > ConnectionString element of the Feed Service configuration file.
  11. If you want to use Log Scanner, specify the IP address and port (or the Windows named pipe) that the utility will use to interact with Feed Service in the Connection element of the Log Scanner configuration file.

    The Log Scanner configuration file is located at %service_dir%\log_scanner\log_scanner.conf.

  12. If you have a commercial certificate for downloading feeds, replace the %service_dir%\dmz\feeds.pem demo certificate with your commercial certificate.
  13. If you want Feed Utility to access Kaspersky Lab servers through a proxy server, specify the proxy setting by running the utility with the --set-proxy option:

    kl_feed_util --set-proxy 'user:pass@proxy.example.com:3128' -c ..\bin\kl_feed_util.conf

  14. If you want to use custom regular expressions to parse the events sent by various sources, add the <Source> elements with custom regular expressions to the Feed Service configuration file. For information on how to create regular expressions, see section "About regular expressions".
  15. Register Feed Service and its watchdog service as Windows services and create a scheduled task that updates feeds at regular intervals by running the %service_dir%\install.bat file as Administrator.
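The following PowerShell script is an added example, not part of the Kaspersky CyberTrace package or of this manual. It performs the configuration edits of steps 5 to 10 with the XML parser instead of a text editor and, before saving, enforces the requirement from step 8 that the enabled feed lists in the Feed Utility and Feed Service configuration files must be identical. The page only quotes fragments of the two configuration files, so the layout of the feed entries is an assumption: each feed is modelled as a <Feed> element with an enabled attribute and a <Name> child, and the sample configuration files below are constructed here and written to a temporary folder so that the script can be run without touching a real %service_dir%. The ConnectionString values are also illustrative; pass -ServiceDir with the real installation folder and adjust the feed names and addresses before using it for an installation.

```powershell
# Added example (not Kaspersky's code): apply the .zip-installation edits with
# the XML parser and verify that both configs enable the same feeds.
# ASSUMPTION: feed entries look like <Feed enabled="..."><Name>...</Name></Feed>.
param([string]$ServiceDir = (Join-Path $env:TEMP 'cybertrace-demo'))

$binDir = Join-Path $ServiceDir 'bin'
New-Item -ItemType Directory -Force -Path $binDir | Out-Null

# Constructed sample configs (only the fragments quoted in the instructions).
@'
<Configuration>
  <EULA>rejected</EULA>
  <Feeds>
    <Feed enabled="false"><Name>Botnet_CnC_URL_Data_Feed</Name></Feed>
    <Feed enabled="false"><Name>Malicious_Hash_Data_Feed</Name></Feed>
    <Feed enabled="true"><Name>Demo_Botnet_CnC_URL_Data_Feed</Name></Feed>
  </Feeds>
</Configuration>
'@ | Set-Content -Path (Join-Path $binDir 'kl_feed_util.conf') -Encoding UTF8

@'
<Configuration>
  <EULA>rejected</EULA>
  <HTTPServer enabled="true"/>
  <InputSettings><ConnectionString>127.0.0.1:9999</ConnectionString></InputSettings>
  <OutputSettings><ConnectionString>127.0.0.1:9998</ConnectionString></OutputSettings>
  <Feeds>
    <Feed enabled="true"><Name>Botnet_CnC_URL_Data_Feed</Name></Feed>
    <Feed enabled="true"><Name>Malicious_Hash_Data_Feed</Name></Feed>
    <Feed enabled="true"><Name>Demo_Botnet_CnC_URL_Data_Feed</Name></Feed>
  </Feeds>
</Configuration>
'@ | Set-Content -Path (Join-Path $binDir 'kl_feed_service.conf') -Encoding UTF8

function Get-Config([string]$Path) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true    # keep the vendor's formatting on save
    $xml.Load($Path)
    return $xml
}

# Step 5: the EULA element must read "accepted" in both files.
function Set-EulaAccepted([System.Xml.XmlDocument]$Xml) {
    $Xml.SelectSingleNode('//EULA').InnerText = 'accepted'
}

# Steps 7 and 8: enable exactly the wanted feeds and disable every other one.
function Set-EnabledFeeds([System.Xml.XmlDocument]$Xml, [string[]]$Wanted) {
    foreach ($feed in $Xml.SelectNodes('//Feeds/Feed')) {
        $name = $feed.SelectSingleNode('Name').InnerText
        $on = $Wanted -contains $name
        $feed.SetAttribute('enabled', $on.ToString().ToLower())
    }
}

function Get-EnabledFeeds([System.Xml.XmlDocument]$Xml) {
    @($Xml.SelectNodes('//Feeds/Feed[@enabled="true"]') |
        ForEach-Object { $_.SelectSingleNode('Name').InnerText } | Sort-Object)
}

$utilPath = Join-Path $binDir 'kl_feed_util.conf'
$svcPath  = Join-Path $binDir 'kl_feed_service.conf'
$util = Get-Config $utilPath
$svc  = Get-Config $svcPath

Set-EulaAccepted $util
Set-EulaAccepted $svc

# The purchased (or demo) feeds; the same list is applied to both files.
$feeds = @('Botnet_CnC_URL_Data_Feed', 'Malicious_Hash_Data_Feed')
Set-EnabledFeeds $util $feeds
Set-EnabledFeeds $svc  $feeds

# Step 6, second branch: switch CyberTrace Web off if it is not wanted.
$svc.SelectSingleNode('//HTTPServer').SetAttribute('enabled', 'false')

# Steps 9 and 10: outgoing (SIEM) and listening addresses, illustrative values.
$svc.SelectSingleNode('//OutputSettings/ConnectionString').InnerText = '10.0.0.5:514'
$svc.SelectSingleNode('//InputSettings/ConnectionString').InnerText  = '127.0.0.1:9999'

# Checks before saving: at least one feed, and identical lists in both files.
$a = Get-EnabledFeeds $util
$b = Get-EnabledFeeds $svc
if ($a.Count -lt 1) { throw 'At least one feed must be enabled' }
if (Compare-Object $a $b) { throw "Enabled feed lists differ: util=[$a] service=[$b]" }

$util.Save($utilPath)
$svc.Save($svcPath)
"Enabled feeds in both files: $($a -join ', ')"
```

Run the script once against the temporary folder to see the resulting files, then run it with -ServiceDir pointing at the real %service_dir% (after backing up the two configuration files); step 15, install.bat, is still run separately afterwards.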

Checking that the components of Kaspersky CyberTrace work properly

To check whether the components of Kaspersky CyberTrace work properly:

  1. Run the kl_control.bat script with the status option.

    Run this script as Administrator. The result displayed in the console must be similar to that depicted in the figure below.

    Figure: kl_control.bat output

  2. Run the following command to check whether the feed update task has been added to Windows Task Scheduler:

    schtasks /query /tn KasperskyFeedServiceUpdate

    The result that appears in the console must be similar to that depicted in the figure below.

    Figure: schtasks output

If the result of these commands is not similar to the information displayed in the figures, contact your technical account manager (TAM) for assistance.
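The following PowerShell script is an added example, not part of the Kaspersky CyberTrace package or of this manual. It complements the two manual checks above by querying the services, the scheduled task and the listening socket from one place, so that the result can be scripted (for example after an unattended installation). The page does not list the names of the installed services, so the script matches them by display name, which is an assumption; the task name KasperskyFeedServiceUpdate is taken from the schtasks command above, and the port to check is the one configured in InputSettings > ConnectionString (pass 0 if Feed Service listens on a Windows named pipe instead). Run it as Administrator on the computer where Kaspersky CyberTrace is installed.

```powershell
# Added example (not Kaspersky's tooling): post-installation health check.
# ASSUMPTION: the installed services carry "CyberTrace" or "Feed Service" in
# their display names; $ListenPort is the InputSettings port (0 = named pipe).
param(
    [int]$ListenPort = 9999,
    [string]$TaskName = 'KasperskyFeedServiceUpdate'
)

function Get-CyberTraceServices {
    Get-Service | Where-Object { $_.DisplayName -match 'CyberTrace|Feed Service' }
}

# True if the feed update task exists and is not disabled; prints last run info.
function Test-UpdateTask([string]$Name) {
    $task = Get-ScheduledTask -TaskName $Name -ErrorAction SilentlyContinue
    if (-not $task) { return $false }
    $info = $task | Get-ScheduledTaskInfo
    Write-Host ("Task {0}: state={1} lastRun={2} lastResult=0x{3:X}" -f `
        $Name, $task.State, $info.LastRunTime, $info.LastTaskResult)
    return ($task.State -ne 'Disabled')
}

# True if some process is bound to the Feed Service input port.
function Test-Listener([int]$Port) {
    if ($Port -le 0) { return $true }   # named pipe configured: nothing to check here
    $conns = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Write-Host ("Listening on {0}:{1} (PID {2}, {3})" -f $c.LocalAddress, $c.LocalPort, $c.OwningProcess, $proc)
    }
    return [bool]$conns
}

$ok = $true

$services = @(Get-CyberTraceServices)
if ($services.Count -eq 0) { Write-Warning 'No CyberTrace services found'; $ok = $false }
foreach ($s in $services) {
    Write-Host ("Service {0}: {1}" -f $s.DisplayName, $s.Status)
    if ($s.Status -ne 'Running') { $ok = $false }
}

if (-not (Test-UpdateTask $TaskName)) { Write-Warning "Task $TaskName is missing or disabled"; $ok = $false }
if (-not (Test-Listener $ListenPort)) { Write-Warning "Nothing is listening on TCP port $ListenPort"; $ok = $false }

if ($ok) { Write-Host 'All checks passed' } else { exit 1 }
```

A non-zero exit code from the script is the cue to run kl_control.bat status and the schtasks query above and to compare their output with the figures.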
