Installation on Windows systems

This section describes the process of installing Kaspersky CyberTrace on Windows systems.

After installation, make sure that only users with administrator rights have access to the folder where Kaspersky CyberTrace is installed.

We also recommend that you install and run anti-virus software before installing Kaspersky CyberTrace.

Installation methods

On Windows systems, you can install Kaspersky CyberTrace by running an executable installer. During the installation process, the installer generates certificates for Kaspersky CyberTrace Web and configures the Elasticsearch indicator database.

To install Kaspersky CyberTrace by using an executable installer:

  1. Make sure that the computer you plan to use for running Feed Service meets the hardware and software requirements.
  2. Make sure that the computer can send events to the computer on which a SIEM solution is installed and can receive events from the SIEM computer.
  3. Run the .exe file of the executable installer.

    You must run the executable installer from the Administrator account.

    As an option, you can specify the /accepteula parameter when you run the .exe file. In this case, the installer performs the installation without requiring any input. You can use this option only if you have read and accepted the End User License Agreement (EULA). A document with the End User License Agreement (EULA) is provided in the Distribution kit. We recommend installing Kaspersky CyberTrace without using this option.

  4. Accept the End User License Agreement (EULA).

    If you continue the installation, Kaspersky CyberTrace is installed to C:\Program Files\Kaspersky Lab\Kaspersky CyberTrace. This folder is called %service_dir% in this document.

  5. The installer launches Kaspersky CyberTrace Web and displays a check box and a link to Kaspersky CyberTrace Web:
    • By default, you are directed to the Kaspersky CyberTrace Web page after installation. Clear this check box if you do not want to open the web user interface.
    • Click the Kaspersky CyberTrace documentation link to find the credentials that are used to log in to Kaspersky CyberTrace Web.

To configure Kaspersky CyberTrace after it is installed:

  1. Perform the post-installation configuration by using the Initial Setup Wizard.
  2. Verify that everything is in working order. See subsection "Checking that the components of Kaspersky CyberTrace are running" below.

Perform the following procedure only if you cannot configure Kaspersky CyberTrace using Kaspersky CyberTrace Web.

To configure Kaspersky CyberTrace by editing its configuration files:

  1. Select the feeds that must be downloaded and processed by Feed Utility:
    1. In the %service_dir%\bin\kl_feed_util.conf file, find the feeds that you want to download and process.
    2. For each of the feeds, find the following attribute:

      enabled="false"

    3. For each of the feeds, change the value of the attribute to true:

      enabled="true"

  2. Specify the feeds that must not be processed by Feed Service:
    1. In the %service_dir%\bin\kl_feed_service.conf file, find the feeds that you will not use.
    2. For each of the feeds, find the following attribute:

      enabled="true"

    3. For each of the feeds, change the value of the attribute to false:

      enabled="false"

    The lists of the enabled feeds in the Feed Utility configuration file and the Feed Service configuration file must be the same.

  3. Specify the IP address and port (or the Windows named pipe) to which Feed Service will send outgoing events in the OutputSettings > ConnectionString element of the Feed Service configuration file.
  4. Specify the IP address and port (or the Windows named pipe) that Feed Service will listen on for incoming events in the InputSettings > ConnectionString element of the Feed Service configuration file.
  5. If you want to use Log Scanner, specify the IP address and port (or the Windows named pipe) that the utility will use to interact with Feed Service in the Connection element of the Log Scanner configuration file.

    The Log Scanner configuration file is located at %service_dir%\log_scanner\log_scanner.conf.

  6. If you have a commercial certificate for downloading feeds, replace the %service_dir%\dmz\feeds.pem demo certificate with your commercial certificate.
  7. If you want Feed Utility to access Kaspersky servers through a proxy server, specify the proxy setting by running the utility with the --set-proxy option:

    kl_feed_util --set-proxy 'user:pass@proxy.example.com:3128' -c ..\bin\kl_feed_util.conf

  8. If you have a commercial license key, you can add it to Kaspersky CyberTrace by copying it to the %service_dir%\httpsrv\lic directory.
  9. If you want to use normalizing rules to process the events sent by various sources or if you want to use custom regular expressions to parse the events, add the <Source> elements with normalizing rules and custom regular expressions to the Feed Service configuration file.
  10. Restart Feed Service by running the %service_dir%\bin\kl_control.bat file as Administrator.
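
The requirement that the enabled feed lists in kl_feed_util.conf and kl_feed_service.conf match is easy to violate when both files are edited by hand, and a feed that is downloaded but not processed (or the reverse) silently leaves a gap in matching. As an added example, not part of Kaspersky CyberTrace and with an assumed element layout used only for the constructed sample configurations, the following Python script reports feeds that are enabled in one file but not the other:

```python
# Added example (not Kaspersky CyberTrace code): check that the feeds enabled in
# kl_feed_util.conf and kl_feed_service.conf are the same set. The element layout
# of the samples below is an assumption; the check itself only relies on elements
# that carry both a "name" and an "enabled" attribute, wherever they appear.
import xml.etree.ElementTree as ET

def enabled_feeds(xml_text: str) -> set[str]:
    """Return the names of feeds whose enabled attribute is true (case-insensitive)."""
    root = ET.fromstring(xml_text)
    feeds = set()
    for elem in root.iter():
        name = elem.get("name")
        enabled = elem.get("enabled")
        if name is None or enabled is None:
            continue
        if enabled.strip().lower() == "true":
            feeds.add(name)
    return feeds

def compare_feed_configs(util_xml: str, service_xml: str) -> dict[str, set[str]]:
    """Report feeds enabled in one file but not the other; two empty sets mean consistent."""
    util = enabled_feeds(util_xml)
    service = enabled_feeds(service_xml)
    return {"only_in_feed_util": util - service, "only_in_feed_service": service - util}

# Constructed sample configurations (not real CyberTrace files): Feed Utility downloads
# two feeds, but Feed Service still has one of them disabled.
FEED_UTIL_SAMPLE = """<Configuration>
  <Feeds>
    <Feed name="Malicious_URL_Data_Feed" enabled="true"/>
    <Feed name="Botnet_CnC_URL_Data_Feed" enabled="true"/>
    <Feed name="Phishing_URL_Data_Feed" enabled="false"/>
  </Feeds>
</Configuration>"""

FEED_SERVICE_SAMPLE = """<Service>
  <Feeds>
    <Feed name="Malicious_URL_Data_Feed" enabled="true"/>
    <Feed name="Botnet_CnC_URL_Data_Feed" enabled="false"/>
    <Feed name="Phishing_URL_Data_Feed" enabled="false"/>
  </Feeds>
</Service>"""

if __name__ == "__main__":
    diff = compare_feed_configs(FEED_UTIL_SAMPLE, FEED_SERVICE_SAMPLE)
    for key, feeds in diff.items():
        print(f"{key}: {sorted(feeds) or 'none'}")
```

To run it against real files, pass the contents of %service_dir%\bin\kl_feed_util.conf and %service_dir%\bin\kl_feed_service.conf to compare_feed_configs; any non-empty set is a mismatch to fix before restarting Feed Service.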

Checking that the components of Kaspersky CyberTrace are running

To check whether the components of Kaspersky CyberTrace are running:

Run the kl_control.bat script with the status option as Administrator. The result displayed in the console must be similar to that depicted in the figure below.

kl_control.bat output

If the output is not similar to the information shown in the figure, contact your technical account manager (TAM) for assistance.
