Finding Kaspersky AV on your Windows endpoints
Late last week, the U.S. Federal Communications Commission announced it had added Russian-based Kaspersky Lab to its Covered List, maintained by the FCC to identify “entities that pose an unacceptable risk to U.S. national security.” This follows a 2017 action by the U.S. Department of Homeland Security which bars installing/running Kaspersky software on U.S. government systems via Binding Operational Directive 17-01 (cited expressly by the FCC in its Public Notice). The consequences of the FCC’s announcement differ a bit from that of BODs, with entities listed in the FCC’s Covered List being prohibited from receiving support through the agency’s Universal Service Fund.
How do I find my Windows endpoints that have Kaspersky with runZero? #
runZero’s modern network scanning engine is powered by research, which allows the platform to identify endpoints with endpoint running anti-virus (AV), like Kaspersky, over the network, without authentication.
To get started, you can scan your network with runZero to collect your asset inventory. Then, from the Asset Inventory, use the following pre-built query to locate Windows assets within your network that have Kaspersky installed:
edr.name:"Kaspersky"

Note that some products from other manufacturers bundle Kaspersky components within them. The above query will surface any Windows assets which have such a product installed.
As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
Get runZero for free
Don’t have runZero and need help finding potentially vulnerable Kaspersky assets?
Get started

Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.
Similar Content
September 29, 2023
How to find WS_FTP Server instances?
How to find WS_FTP Server instances? # On September 27th, Progress Sofware announced eight vulnerabilities in the WS_FTP Server software. These issues can lead to a full compromise of exposed WS_FTP systems and their data through the FTP, SSH, and web management services, …
Read MoreSeptember 26, 2023
How to find TeamCity instances
How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …
Read MoreSeptember 12, 2023
How to find OpenSSL 1.1 instances
How to find OpenSSL 1.1 instances # On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive …
Read More