How to find Kaspersky products with runZero


Kaspersky, the Moscow-based cyber security company that competes with the likes of Norton, Trellix, and CrowdStrike, is having a bad week. The US government has banned the sale of Kaspersky products and services, globally, to all US persons wherever they are located. This ban goes into effect at 12:00 AM EDT on July 20, 2024.

The definition of US persons is incredibly broad, quoting the US Bureau of Industry and Security:

The Final Determination imposes a prohibition globally on Kaspersky providing specified products and services to any U.S. person, defined as a U.S. business or citizen, wherever located; any permanent resident alien, wherever located; or any entity organized under the laws of the United States or any jurisdiction within the United States, including such entity's foreign branches.

This comprehensive ban has been a long time coming. US government agencies and contractors have been forbidden from using Kaspersky products since 2018. In 2022, the FCC enacted a rule to ban Kaspersky from telecommunications networks and their contractors.

The final determination document was published in the Federal Register on Jun 24, 2024.

In addition to branded products, Kaspersky software is often white-labeled and integrated into third-party products. Customers of these products are not required to discontinue use, but Kaspersky is prohibited from providing product updates and anti-virus signature updates after September 28th, 2024. This deadline requires third-party vendors to either replace the Kaspersky components or fall behind on updates, effectively rendering them obsolete as anti-virus solutions.

Although this prohibition is against Kaspersky selling products and services to US persons, and there are no direct penalties for US persons continuing to use Kaspersky products and services, there are civil and criminal consequences for US persons that assist Kaspersky in prohibited transactions. This likely bans any future payments to Kaspersky or resale of Kaspersky products by partners.

Given the potential civil and criminal penalties involved with assisting Kaspersky in prohibited transactions, your first stop is your accounting team. Auditing credit card statements for references to Kaspersky helps, but is not enough; their partner ecosystem is massive, and it’s easy to miss a line item for Kaspersky on an invoice.

Moving on to the IT side, the easy option is your existing software inventory. If you use a product such as Flexera, or have connected integrations with software sources into your runZero inventory, finding branded Kaspersky products is straightforward.

Searching the runZero Software Inventory for “kaspersky” will find the obvious installations:

https://console.runzero.com/inventory/software-groups?search=kaspersky

Keep in mind that searching by software package name will NOT find white-labeled and integrated Kaspersky components in third-party software.

A major challenge for software inventory is incomplete visibility. Unmanaged assets, vendor-provided virtual appliances, and BYOD systems provide little to no insight into their installed software. As a result, runZero has invested deeply in remote, unauthenticated fingerprinting of software components, including those made by Kaspersky. A 2022 blog post touched on how to find Windows systems with Kaspersky anti-virus components, but did not explain how the detection works. A 2021 blog post linked to our general methodology, but did not go into detail on EDR detection, or on Kaspersky specifically.

In light of the now global ban on Kaspersky products for US persons, it makes sense to share additional information on remote detection with the community. If you are an existing runZero user (including our free Community Edition), the following Asset Inventory query will identify most Windows installations of Kaspersky anti-virus software, even when packaged in third-party software:

https://console.runzero.com/inventory?search=edr.name%3AKaspersky

This is simple enough, but how does it work?

runZero’s scanner enumerates the Windows DCERPC Endpoint Mapper that runs on TCP port 135. This enumeration returns a list of registered DCOM components, and Kaspersky software registers unique IDs, even when a Kaspersky component has been bundled into third-party software. This method is not comprehensive: network firewalls that block port 135/tcp, and alternative installation methods (such as kavscan.exe integrations), can cause installations to be missed, but it works surprisingly well at scale. runZero’s public cloud has identified thousands of US-based systems with Kaspersky installations through this method.

The specific UUID patterns for Kaspersky include “d866a1d0-e615-4457-9699-3a53efb275e3” and any UUID ending with "4b50-525250524f50", "4b50-52524f424a53", and "4b50-525250494453".

These UUIDs can be obtained by running the legacy “rpcdump.exe” utility from older Windows resource kits, or more easily through the incredible Impacket library and its rpcdump.py utility. Metasploit’s module works great too.
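The following script is an added example, not code from the original post or from runZero: it applies the UUID patterns listed above to text in the style of an endpoint-mapper dump, so an inventory team can triage saved rpcdump output offline. The sample dump below is constructed for the example (only the Kaspersky UUID and suffixes come from the post; the other UUIDs, hosts and ports are made up), and the output layout only loosely resembles rpcdump.py. The small helper that decodes a suffix to ASCII is an observation about the byte values, not something the post states.

```python
import re

# Identifiers quoted in the post: one exact UUID plus three UUID suffixes
# ("<group4>-<group5>" of the 8-4-4-4-12 layout).
KASPERSKY_EXACT = {"d866a1d0-e615-4457-9699-3a53efb275e3"}
KASPERSKY_SUFFIXES = (
    "4b50-525250524f50",
    "4b50-52524f424a53",
    "4b50-525250494453",
)

# Matches a textual UUID anywhere in a line, case-insensitively.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I
)


def is_kaspersky_uuid(uuid: str) -> bool:
    """True if the UUID is the exact Kaspersky ID or ends with a known suffix."""
    u = uuid.strip().lower()
    return u in KASPERSKY_EXACT or u.endswith(KASPERSKY_SUFFIXES)


def extract_uuids(text: str) -> list:
    """Pull every UUID-shaped token out of free-form dump text (lowercased)."""
    return [m.group(0).lower() for m in UUID_RE.finditer(text)]


def find_kaspersky_endpoints(dump_text: str) -> list:
    """Return the sorted, de-duplicated Kaspersky UUIDs present in a dump."""
    return sorted({u for u in extract_uuids(dump_text) if is_kaspersky_uuid(u)})


def decode_uuid_suffix(suffix: str) -> str:
    """Decode a '<group4>-<group5>' suffix as ASCII bytes.

    Observation (not from the post): the three suffixes above decode to
    printable ASCII, which is why they are stable across bundled builds.
    """
    return bytes.fromhex(suffix.replace("-", "")).decode("ascii")


# Constructed sample resembling an endpoint-mapper dump. The first UUID is the
# well-known Endpoint Mapper interface; the last one is a made-up UUID that
# carries one of the Kaspersky suffixes, to exercise the suffix match.
SAMPLE_DUMP = """
Protocol: [MS-RPCE]: Endpoint Mapper
UUID    : E1AF8308-5D1F-11C9-91A4-08002B14A0FA v3.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[135]

Protocol: N/A
UUID    : D866A1D0-E615-4457-9699-3A53EFB275E3 v1.0
Bindings:
          ncacn_ip_tcp:10.0.0.5[49670]

Protocol: N/A
UUID    : 00000001-0000-0000-4B50-525250524F50 v1.0
Bindings:
          ncalrpc:[OLE1A2B3C]
"""

if __name__ == "__main__":
    for uuid in find_kaspersky_endpoints(SAMPLE_DUMP):
        print("Kaspersky DCOM registration:", uuid)
    for s in KASPERSKY_SUFFIXES:
        print(s, "->", decode_uuid_suffix(s))
```

The match is deliberately case-insensitive and tolerant of surrounding text, because rpcdump.exe, rpcdump.py and the Metasploit module print UUIDs in different cases and layouts; feeding any of their saved output through `find_kaspersky_endpoints` gives the same answer.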

Kaspersky is best known for its anti-virus product, but also offers a massive suite of products and services, encompassing everything from enterprise EDR to anti-drone hardware.

runZero is continuing to investigate additional detection methods, both for the common anti-virus components and the wider Kaspersky product suite.

Finally, although US persons are no longer able to purchase Kaspersky, they can watch this amazing music video:


The list of banned products and services includes (but is not limited to):

1. Kaspersky Standard Plan

2. Kaspersky Plus Plan

3. Kaspersky Premium Plan

4. Kaspersky Anti-Virus

5. Kaspersky Internet Security

6. Kaspersky Total Security

7. Kaspersky Password Manager

8. Kaspersky Safe Kids

9. Kaspersky VPN Secure Connection

10. Kaspersky Rescue Disk

11. Kaspersky Internet Security for Android

12. Kaspersky VPN & Antivirus for IOS

13. Essential Security

14. Cloud-Based Security-Kaspersky Endpoint Security Cloud

15. Advanced Cloud Security- Kaspersky Endpoint Security Cloud Plus

16. Kaspersky Small Office Security

17. Kaspersky Small Office Security for File Server

18. Kaspersky Small Office Security for Personal Computer

19. Cloud-Based Security- Kaspersky Endpoint Security Cloud

20. Advanced Cloud Security- Kaspersky Endpoint Security Cloud Plus

21. Ultimate Cloud Security- Kaspersky Endpoint Security Cloud Pro

22. Kaspersky Endpoint Security Cloud

23. Kaspersky Total Security for Business

24. Kaspersky Endpoint Security for Business Advanced

25. Kaspersky Endpoint Security for Business SELECT

26. Kaspersky Hybrid Cloud Security

27. Kaspersky Optimum Security

28. Kaspersky EDR Optimum

29. Kaspersky MDR Optimum

30. Kaspersky Security for Internet Gateway

31. Kaspersky Security for Mail Server

32. Kaspersky Security for Microsoft Office 365

33. Kaspersky Vulnerability and Patch Management

34. Kaspersky Network Attached Storage Security

35. Security Foundations (For every organization)

36. Optimum Security (For small IT security teams)

37. Expert Security (For fully formed IT security and SOC teams)

38. Kaspersky Endpoint Security for Business

39. Kaspersky Endpoint Detection and Response Expert

40. Kaspersky Endpoint Detection and Response Optimum

41. Kaspersky CyberTrace

42. Kaspersky Managed Detection and Response

43. Kaspersky Anti Targeted Attack Platform

44. Kaspersky Industrial CyberSecurity

45. Kaspersky Embedded Systems Security

46. Kaspersky SD-WAN

47. Kaspersky Private Security Network

48. Kaspersky Threat Attribution Engine

49. Kaspersky DDoS Protection

50. Kaspersky Research Sandbox

51. Kaspersky Mobile Device Security

52. Kaspersky Security for Storage

53. Kaspersky Extended Detection and Response (XDR)

54. Kaspersky Container Security

55. Kaspersky Managed Protection

56. Kaspersky Targeted Attack Discovery

57. Kaspersky Penetration Testing

58. Kaspersky Application Security Assessment

59. Kaspersky Anti-Virus SDK

60. Kaspersky Scan Engine

61. Kaspersky SafeStream II

62. Kaspersky Anti-Spam SDK

63. Kaspersky Online File Reputation

64. Kaspersky Mobile Security SDK

65. Kaspersky Web Filter

66. Kaspersky Who Calls SDK

67. Kaspersky Anti-Virus for UEFI

68. Kaspersky Lab Managed Service Providers partner program (MSP)

69. National Cybersecurity

70. Industrial Cybersecurity

71. Finance Services Cybersecurity

72. Healthcare Cybersecurity

73. Transportation Cybersecurity

74. Retail Cybersecurity

75. Telecom Cybersecurity

76. Kaspersky Endpoint Security for Business

77. Kaspersky Automotive Secure Gateway

78. Kaspersky Automotive Adaptive Platform

79. Kaspersky Machine Learning for Anomaly Detection

80. Kaspersky IoT Infrastructure Security

81. Kaspersky IoT Secure Gateway 100

Written by HD Moore

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.


Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.


© Copyright 2024 runZero, Inc. All Rights Reserved