First of all, Kaspersky Network Agent is what allows connection between the Administration Server (either on-prem or Tenant-Based) and the Kaspersky controlled devices. It is a required component of the Kaspersky Security Center and must be installed on each endpoint to manage Kaspersky Endpoint Agent.
Seems confusing? I agree.
A customer of ours used both products I absolutely despise: Kaspersky Anti-Virus and Checkpoint Firewalls. I have NEVER had a nice experience with either of these.
Thankfully, with American laws and Kaspersky being pretty much banned from the whole world, this customer decided to change to my (for now) favourite EDR: Crowdstrike!
Alright, let's uninstall Kaspersky from these Servers and set up Level 1 in Crowdstrike.. Wait, whoever installed Kaspersky didn't save the key.
So yeah, while the Endpoint Agent could be removed with KAVRemover, Network Agent couldn't. Although it only provided a bridge between the services and wouldn't interfere with Crowdstrike, it was still taking up a considerable amount of space, so it was imperative to uninstall.
First of all, I tried to just.. reset the password. However, Kaspersky has an absolutely TERRIBLE practice of hard-locking your Tenant as soon as your subscription ends, which locked us out of releasing the machines.
After trying to uninstall this stupid software by all means possible, I decided it would be smarter to understand HOW it protected itself, and try and attack it from there.
Turns out, it was pretty simple, and the only thing gluing it to the Operating System was.. a Registry Key. Although I did not know WHAT Registry Key it was, I knew there was software that removed this kind of leftover. So I had the brilliant idea of running Revo's Uninstaller on Production Servers!
In all seriousness: Managing a Server is a VERY serious matter and you shouldn't be installing software just for the sake of it. There was no other option and I HAD to try this.
Revo initially prompted me to follow Kaspersky's default uninstaller, but that wouldn't work. I had it run a System Scan for leftover traces instead and voilà! All the registry keys were there. Guess what? As soon as they were deleted you could just.. Delete the files.
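As an added example (not from the original post, and not Kaspersky's or Revo's code), here is the read-only PowerShell inventory I would run before installing any third-party cleanup tool on a production server: it lists what a product still has registered in the standard Uninstall hives, in the service list and under the Services registry key, so you can see what is holding an agent in place without deleting anything. The 'Kaspersky' match pattern is an assumption taken from the post; the registry paths are the standard Windows locations.

```powershell
# Added example, not from the original post. Read-only: it reports, never deletes.
# Assumption: the product's DisplayName / service name contains $Pattern.
param(
    [string]$Pattern = 'Kaspersky'
)

# Standard uninstall registry hives (64-bit and 32-bit views).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

Write-Host "== Uninstall entries matching '$Pattern' =="
foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        if ($props.DisplayName -like "*$Pattern*") {
            [pscustomobject]@{
                Key             = $_.PSChildName
                DisplayName     = $props.DisplayName
                UninstallString = $props.UninstallString
            }
        }
    } | Format-Table -AutoSize
}

Write-Host "== Services matching '$Pattern' =="
# The CIM view exposes PathName, which shows which binaries are still on disk.
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like "*$Pattern*" -or $_.DisplayName -like "*$Pattern*" } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

Write-Host "== Service registry keys matching '$Pattern' =="
# Service keys survive a failed uninstall and are what keeps a service registered.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Where-Object { $_.PSChildName -like "*$Pattern*" } |
    Select-Object PSChildName |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session before and after the removal; an empty report in all three sections is the cleanup check worth keeping in the migration runbook.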
You could, for years on end, just delete Kaspersky's Network Agent and block communication with the Administration Server without many restraints.
I'm sorry, but coming from one of the oldest, most well-known and respected brands of traditional Anti-Virus software, I was expecting more. MUCH more. Glad these guys are getting fucking nuked.
To be finished!