Kaspersky, the Moscow-based cyber security company that competes with the likes of Norton, Trellix, and CrowdStrike, is having a bad week. The US government has banned the sale of Kaspersky products and services, globally, to all US persons wherever they are located. This ban goes into effect on or around July 24, 2024.
The definition of US persons is incredibly broad, quoting the US Bureau of Industry and Security:
The Final Determination imposes a prohibition globally on Kaspersky providing specified products and services to any U.S. person, defined as a U.S. business or citizen, wherever located; any permanent resident alien, wherever located; or any entity organized under the laws of the United States or any jurisdiction within the United States, including such entity's foreign branches.
This comprehensive ban has been a long time coming. US government agencies and contractors have been forbidden from using Kaspersky products since 2018. In 2022, the FCC enacted a rule to ban Kaspersky from telecommunications networks and their contractors.
The final determination document will be published as an official form on Jun 24, 2024, in the meantime you can read the unpublished PDF version.
In addition to branded products, Kaspersky software is often white-labeled and integrated into third-party products. Customers of these products are not required to discontinue use, but Kaspersky is prohibited from providing product updates and anti-virus signature updates after September 28th, 2024. This deadline requires third-party vendors to either replace the Kaspersky components or fall behind on updates, effectively rendering them obsolete as anti-virus solutions.
Although this prohibition is against Kaspersky selling products and services to US persons, and there are no direct penalties for US persons continuing to use Kaspersky products and services, there are civil and criminal consequences for US persons that assist Kaspersky in prohibited transactions. This likely bans any future payments to Kaspersky or resale of Kaspersky products by partners.
Given the potential civil and criminal penalties involved with assisting Kaspersky in prohibited transactions, your first stop is your accounting team. Auditing credit card statements for references to Kaspersky helps, but is not enough; their partner ecosystem is massive, and it’s easy to miss a line item for Kaspersky on an invoice.
Moving on to the IT side, the easy option is your existing software inventory. If you use a product such as Flexera, or have connected integrations with software sources into your runZero inventory, finding branded Kaspersky products is straightforward.
Searching the runZero Software Inventory for “kaspersky” will find the obvious installations:
https://console.runzero.com/inventory/software-groups?search=kaspersky
Keep in mind that searching by software package name will NOT find white-labeled and integrated Kaspersky components in third-party software.
A major challenge for software inventory is incomplete visibility. Unmanaged assets, vendor-provided virtual appliances, and BYOD systems provide little to no insight into their installed software. As a result, runZero has invested deeply into remote, unauthenticated fingerprinting of software components, including those made by Kaspersky. A 2022 blog post touched on how to find Windows systems with the Kaspersky anti-virus components, but did not elaborate on the how. A 2021 blog post linked to our general methodology, but did not go into detail for EDR detection, or Kaspersky specifically.
In light of the now global ban on Kaspersky products for US persons, it makes sense to share additional information on remote detection with the community. If you are an existing runZero user (including our free Community Edition), the following Asset Inventory query will identify most Windows installations of Kaspersky anti-virus software, even when packaged in third-party software:
https://console.runzero.com/inventory?search=edr.name%3AKaspersky
This is simple enough, but how does it work?
runZero’s scanner will enumerate the Windows DCERPC Endpoint Mapper that runs on TCP port 135. This enumeration returns a list of registered DCOM components, and Kaspersky software registers unique IDs, even when a Kaspersky component has been bundled into third-party software. This method is not comprehensive; network firewalls that block port 135/tcp and different installation methods (kavscan.exe integrations) can result in missing results, but it works surprisingly well at scale. runZero’s public cloud has identified thousands of US-based systems with Kaspersky installations through this method.
The specific UUID patterns for Kaspersky include “d866a1d0-e615-4457-9699-3a53efb275e3” and any UUID ending with "4b50-525250524f50", "4b50-52524f424a53", and "4b50-525250494453".
These UUIDs can be obtained by running the legacy “rpcdump.exe” utility from older Windows resource kits, or more easily through the incredible Impacket library and its rpcdump.py utility. Metasploit’s module works great too.
Kaspersky is best known for its anti-virus product, but also offers a massive suite of products and services, encompassing everything from enterprise EDR to anti-drone hardware.
runZero is continuing to investigate additional detection methods, both for the common anti-virus components and the wider Kaspersky product suite.
Finally, although US persons are no longer able to purchase Kaspersky, they can watch this amazing music video:
The list of banned products and services includes (but is not limited to):
1. Kaspersky Standard Plan
2. Kaspersky Plus Plan
3. Kaspersky Premium Plan
4. Kaspersky Anti-Virus
5. Kaspersky Internet Security
6. Kaspersky Total Security
7. Kaspersky Password Manager
8. Kaspersky Safe Kids
9. Kaspersky VPN Secure Connection
10. Kaspersky Rescue Disk
11. Kaspersky Internet Security for Android
12. Kaspersky VPN & Antivirus for IOS
13. Essential Security
14. Cloud-Based Security-Kaspersky Endpoint Security Cloud
15. Advanced Cloud Security- Kaspersky Endpoint Security Cloud Plus
16. Kaspersky Small Office Security
17. Kaspersky Small Office Security for File Server
18. Kaspersky Small Office Security for Personal Computer
19. Cloud-Based Security- Kaspersky Endpoint Security Cloud
20. Advanced Cloud Security- Kaspersky Endpoint Security Cloud Plus
21. Ultimate Cloud Security- Kaspersky Endpoint Security Cloud Pro
22. Kaspersky Endpoint Security Cloud
23. Kaspersky Total Security for Business
24. Kaspersky Endpoint Security for Business Advanced
25. Kaspersky Endpoint Security for Business SELECT
26. Kaspersky Hybrid Cloud Security
27. Kaspersky Optimum Security
28. Kaspersky EDR Optimum
29. Kaspersky MDR Optimum
30. Kaspersky Security for Internet Gateway
31. Kaspersky Security for Mail Server
32. Kaspersky Security for Microsoft Office 365
33. Kaspersky Vulnerability and Patch Management
34. Kaspersky Network Attached Storage Security
35. Security Foundations (For every organization)
36. Optimum Security (For small IT security teams)
37. Expert Security (For fully formed IT security and SOC teams)
38. Kaspersky Endpoint Security for Business
39. Kaspersky Endpoint Detection and Response Expert
40. Kaspersky Endpoint Detection and Response Optimum
41. Kaspersky CyberTrace
42. Kaspersky Managed Detection and Response
43. Kaspersky Anti Targeted Attack Platform
44. Kaspersky Industrial CyberSecurity
45. Kaspersky Embedded Systems Security
46. Kaspersky SD-WAN
47. Kaspersky Private Security Network
48. Kaspersky Threat Attribution Engine
49. Kaspersky DDoS Protection
50. Kaspersky Research Sandbox
51. Kaspersky Mobile Device Security
52. Kaspersky Security for Storage
53. Kaspersky Extended Detection and Response (XDR)
54. Kaspersky Container Security
55. Kaspersky Managed Protection
56. Kaspersky Targeted Attack Discovery
57. Kaspersky Penetration Testing
58. Kaspersky Application Security Assessment
59. Kaspersky Anti-Virus SDK
60. Kaspersky Scan Engine
61. Kaspersky SafeStream ll
62. Kaspersky Anti-Spam SDK
63. Kaspersky Online File Reputation
64. Kaspersky Mobile Security SDK
65. Kaspersky Web Filter
66. Kaspersky Who Calls SDK
67. Kaspersky Anti-Virus for UEFI
68. Kaspersky Lab Managed Service Providers partner program (MSP)
69. National Cybersecurity
70. Industrial Cybersecurity
71. Finance Services Cybersecurity
72. Healthcare Cybersecurity
73. Transportation Cybersecurity
74. Retail Cybersecurity
75. Telecom Cybersecurity
76. Kaspersky Endpoint Security for Business
77. Kaspersky Automotive Secure Gateway
78. Kaspersky Automotive Adaptive Platform
79. Kaspersky Machine Learning for Anomaly Detection
80. Kaspersky IoT Infrastructure Security
81. Kaspersky IoT Secure Gateway 100
