
Copyright


Dear User,

Thank you for choosing Kaspersky Lab as your security software provider. We hope that this document helps you to use our product.

Attention! This document is the property of AO Kaspersky Lab (herein also referred to as Kaspersky Lab): all rights to this document are reserved by the copyright laws of the Russian Federation and by international treaties. Illegal reproduction and distribution of this document or parts hereof incur civil, administrative, or criminal liability under applicable law.

Any type of reproduction or distribution of any materials, including translations, is allowed only with the written permission of Kaspersky Lab.

This document, and graphic images related to it, may be used for informational, non-commercial, and personal purposes only.

Kaspersky Lab reserves the right to amend this document without additional notification.

Kaspersky Lab assumes no liability for the content, quality, relevance, or accuracy of any materials used in this document to which rights are held by third parties, or for any potential harms associated with use of the document.

Document revision date: 01.03.2018

© 2018 AO Kaspersky Lab. All Rights Reserved.

https://www.kaspersky.com
https://support.kaspersky.com


About this document

The User's Guide for Kaspersky Endpoint Security 10 Service Pack 1 for Linux (hereinafter referred to as "Kaspersky Endpoint Security") is intended for professionals who install and administer Kaspersky Endpoint Security, as well as for those who provide technical support to organizations that use Kaspersky Endpoint Security.

You can use the information in this Guide to:

This Guide will also help you learn about sources of information on the application and ways to receive technical support.

In this section

In this Guide

Document conventions


In this Guide

This Guide contains the following sections:

Sources of information about the application

This section lists the sources of information about the application.

Kaspersky Endpoint Security

This section provides a description of the application's capabilities and brief information about its components. You will learn about the contents of the distribution kit, and which services are available to registered users of the application.

Installing the application

This section contains information on installing Kaspersky Endpoint Security on your computer and completing initial configuration.

Removing the application

This section contains information on removing the application from your computer.

Application licensing

This section covers the main aspects of application licensing.

Starting and stopping the application

This section provides information about how to start, restart, and close the application from the command line.

General settings of Kaspersky Endpoint Security

This section provides information about general application settings.

Managing Kaspersky Endpoint Security tasks using command line

This section contains information about the types of Kaspersky Endpoint Security tasks and instructions on how to manage those tasks using the command line.

Real-time protection task (File_Monitoring ID:1)

This section contains information on the real-time protection task, as well as instructions on configuring the settings of this task.

On-demand scan task (Scan_My_Computer ID:2)

This section contains information on the on-demand scan task, as well as instructions on configuring the settings of this task.

Custom scan task (Scan_File ID:3)

This section contains information on the custom scan task, as well as instructions on configuring the settings of this task.

Boot sector scan task (Boot_Scan ID:4)

This section contains information on the boot sectors scan task, as well as instructions on configuring the settings of this task.

Process memory scan task (Memory_Scan ID:5)

This section contains information on the process memory scan task, as well as instructions on configuring the settings of this task.

Update task (Update ID:6)

This section contains information about updating anti-virus databases and application modules (hereinafter collectively referred to as "updates"), and instructions on how to configure update settings.

Update rollback task (Rollback ID:7)

This section contains information on the update rollback task, as well as instructions on how to manage this task.

Update retranslation task (Retranslate ID:8)

This section contains information about anti-virus databases and application updates retranslation, and instructions on how to configure the settings of this task.

License task (License ID:9)

This section contains information on the license task, as well as instructions on how to manage this task.

Storage management task (Backup ID:10)

This section provides instructions on configuring Storage settings, and information about which actions can be performed on objects in Storage.

File Integrity Monitoring task (Integrity_Monitoring ID:11)

This section contains information on the File Integrity Monitoring task, as well as instructions on how to manage this task.

Firewall Manager task (Firewall ID:12)

This section contains information on the Firewall Manager task, as well as instructions on how to manage this task.

Anti-Cryptor task (AntiCryptor ID:13)

This section contains information on the Anti-Cryptor task, as well as instructions on how to manage this task.

Participating in Kaspersky Security Network

This section contains information about participation in Kaspersky Security Network, and instructions on how to enable or disable use of Kaspersky Security Network.

Using Kaspersky Endpoint Security graphical user interface

This section contains information about the application graphical user interface and instructions on how to enable or disable it.

Contacting the Technical Support Service

This section describes the ways to get technical support and the terms on which it is available.

Appendices

This section contains information on the default settings of configuration files and command line return codes. It also contains instructions on how to configure Kaspersky Anti-Virus for Linux Mail Server.

AO Kaspersky Lab

This section provides information about Kaspersky Lab.

Information about third-party code

This section provides information about third-party code.

Trademark notices

This section covers trademarks mentioned in the document.

Glossary

This section contains a list of terms mentioned in the document and their respective definitions.

Index

This section allows you to quickly find required information within the document.


Document conventions

This document uses the following conventions (see table below).

Document conventions

Sample text: Note that...
Description: Warnings are highlighted in red and boxed. Warnings show information about actions that may have unwanted consequences.

Sample text: We recommend that you use...
Description: Notes are boxed. Notes provide additional and reference information.

Sample text: Example:
Description: Examples are given on a light-blue background under the heading "Example".

Sample text: Update means... / The Databases are out of date event occurs.
Description: The following elements are italicized in the text:

  • New terms
  • Names of application statuses and events

Sample text: Press ENTER. / Press ALT+F4.
Description: Names of keyboard keys appear in bold and are capitalized. Key names joined by a + (plus) sign represent key combinations. Such keys must be pressed simultaneously.

Sample text: Click the Enable button.
Description: Names of application interface elements, such as entry fields, menu items, and buttons, are set off in bold.

Sample text: To configure a task schedule:
Description: Introductory phrases of instructions are italicized and are accompanied by the arrow sign.

Sample text: In the command line, type help. / The following message then appears: / Specify the date in dd:mm:yy format.
Description: The following types of text content are set off with a special font:

  • Text in the command line
  • Text of messages that the application displays on screen
  • Data to be entered using the keyboard

Sample text: <User name>
Description: Variables are enclosed in angle brackets. Instead of the variable, insert the corresponding value, not including the angle brackets.


Sources of information about the application

Kaspersky Endpoint Security page on the Kaspersky Lab website

On the Kaspersky Endpoint Security page on the Kaspersky Lab website, you can view general information about the application, its functions, and features.

Kaspersky Endpoint Security page in the Knowledge Base

The Knowledge Base is a section on the Kaspersky Lab Technical Support website.

On the Kaspersky Endpoint Security page in the Knowledge Base, you can read articles that provide useful information, recommendations, and answers to frequently asked questions on how to buy, install, and use the application.

Articles in the Knowledge Base may provide answers to questions that relate both to Kaspersky Endpoint Security as well as to other Kaspersky Lab applications. Articles in the Knowledge Base may also contain Technical Support news.

Discuss Kaspersky Lab applications on the Forum

If your question does not require an immediate answer, you can discuss it with Kaspersky Lab experts and other users on our forum.

On the forum you can view existing topics, leave your comments, and create new discussion topics.

An Internet connection is required to access website resources.

If you can't find a solution to your problem, contact Technical Support.

In this section

Sources of information for independent research

Discussing Kaspersky Lab applications on the Forum


Sources of information for independent research

You can use the following sources of information about Kaspersky Endpoint Security to research on your own:

If you cannot find the solution to an issue on your own, we recommend that you contact Technical Support.

An Internet connection is required for access to website resources.

Kaspersky Endpoint Security page on the Kaspersky Lab website

On the Kaspersky Endpoint Security page you can view general information about the application and its functions and features.

The Kaspersky Endpoint Security page contains a link to the online store, where you can buy or renew your license for the application.

Kaspersky Endpoint Security page in the Knowledge Base

The Knowledge Base is a section on the Kaspersky Lab Technical Support website.

On the Kaspersky Endpoint Security page in the Knowledge Base you can read articles that provide useful information, recommendations, and answers to frequently asked questions on how to purchase, install, and use the application.

Articles in the Knowledge Base may provide answers to questions that relate both to Kaspersky Endpoint Security as well as to other Kaspersky Lab applications. Articles in the Knowledge Base may also contain news from Technical Support.

Help materials included with the application

The application includes full help and context help.

Full help provides information on how to configure and use Kaspersky Endpoint Security.

Context help provides information about Kaspersky Endpoint Security windows, describes Kaspersky Endpoint Security settings and contains links to task descriptions where those settings are used.

Help can be included in the distribution kit or located on the Kaspersky Lab website. If online help is available, a browser window is opened when online help is accessed. An Internet connection is required for viewing online help.

Documentation

The application user guide provides information about how to install, activate, and configure the application, as well as about use of the application. The document also describes the application interface and ways of performing the most typical user tasks.


Discussing Kaspersky Lab applications on the Forum

If your question does not require an immediate answer, you can discuss it with Kaspersky Lab experts and other users on our forum.

On the forum you can view existing topics, leave your comments, and create new discussion topics.


Kaspersky Endpoint Security 10 Service Pack 1 for Linux

This section describes the functions, components, and distribution kit of Kaspersky Endpoint Security, and provides a list of hardware and software requirements of Kaspersky Endpoint Security.

In this section

About Kaspersky Endpoint Security

What's new

Distribution kit

Hardware and software requirements


About Kaspersky Endpoint Security

Kaspersky Endpoint Security protects computers running Linux® operating systems against malware. Threats can infiltrate the system via network data transfer channels or from removable drives.

The application lets you:


What's new

Kaspersky Endpoint Security 10 Service Pack 1 for Linux offers the following features and improvements:


Distribution kit

The distribution kit includes the Kaspersky Endpoint Security installation package containing the following files:


Hardware and software requirements

To ensure proper operation of Kaspersky Endpoint Security, your computer must meet the following requirements:

Minimum general requirements:

Software requirements:


Installing the application

This section contains instructions on how to install the installer package (hereinafter referred to as the "package") for Kaspersky Endpoint Security and Network Agent.

In this section

About installing Kaspersky Endpoint Security

Installing the Kaspersky Endpoint Security package

Initial configuration of Kaspersky Endpoint Security settings

Automatic initial configuration of Kaspersky Endpoint Security

Installing Kaspersky Endpoint Security via Kaspersky Security Center

Installing Network Agent

Upgrading an old application version

Configuring permissions in the SELinux system

Configuring permissions in the AppArmor system


About installing Kaspersky Endpoint Security

Kaspersky Endpoint Security is distributed in packages in the DEB and RPM formats.

To work with Kaspersky Endpoint Security, you must perform the following:

  1. Install the Kaspersky Endpoint Security package.
  2. Run the settings update script.
  3. Install the Network Agent package and the Kaspersky Endpoint Security administration plug-in if you are planning to manage Kaspersky Endpoint Security using Kaspersky Security Center.

Root privileges are required to access the application files and directories during installation and when downloading and applying application updates.


Installing the Kaspersky Endpoint Security package

Kaspersky Endpoint Security is distributed in packages in the DEB and RPM formats.

To install Kaspersky Endpoint Security from an RPM package to a 32-bit operating system, execute the following command:

# rpm -i kesl-10.1.0-<build number>.i386.rpm

To install Kaspersky Endpoint Security from an RPM package to a 64-bit operating system, execute the following command:

# rpm -i kesl-10.1.0-<build number>.x86_64.rpm

To install Kaspersky Endpoint Security from a DEB package to a 32-bit operating system, execute the following command:

# dpkg -i kesl-10.1.0-<build number>_i386.deb

To install Kaspersky Endpoint Security from a DEB package to a 64-bit operating system, execute the following command:

# dpkg -i kesl_10.1.0-<build number>_amd64.deb


Initial configuration of Kaspersky Endpoint Security settings

After installing Kaspersky Endpoint Security, you must run the script for post-installation configuration of Kaspersky Endpoint Security. The post-installation configuration script for Kaspersky Endpoint Security is included in the Kaspersky Endpoint Security package.

If you have not completed the procedure for initial configuration of Kaspersky Endpoint Security, the computer's anti-virus protection will not work.

To start the Kaspersky Endpoint Security post-installation configuration script, execute the following command:

# /opt/kaspersky/kesl/bin/kesl-setup.pl

The post-installation configuration script requests Kaspersky Endpoint Security parameter values step-by-step.

The post-installation configuration script must be run with root privileges after installation of the Kaspersky Endpoint Security package is complete.

You can upgrade Kaspersky Endpoint Security 10 for Linux to Kaspersky Endpoint Security 10 Service Pack 1 for Linux.

Kaspersky Anti-Virus 8.0 for Linux File Server cannot be upgraded to Kaspersky Endpoint Security 10 Service Pack 1 for Linux. You must uninstall the previous version of the application before installing Kaspersky Endpoint Security 10 Service Pack 1 for Linux.


Step 1. Selecting the locale

At this step, you must assign the locale that will be used during operation of Kaspersky Endpoint Security.

You can assign the locale in the format defined in RFC 3066.

To receive a full list of locale values, execute the following command:

# locale -a

By default, the application suggests using the locale that is set for root.


Step 2. Accepting the End User License Agreement

At this step, you must either agree to or decline the terms of the End User License Agreement.

You can view the text by using the less utility. To navigate through the text, use the arrow keys or the B (to move back one screen) and F (to move forward one screen) keys. To obtain help, use the H key. To finish your review, use the Q key.

After exiting viewing mode, enter one of the following values:

If you do not agree to the terms of the End User License Agreement, the application terminates the Kaspersky Endpoint Security configuration process.


Step 3. Accepting the Privacy Policy

At this step, you must either agree to or decline the terms of the Privacy Policy.

You can view the text by using the less utility. To navigate through the text, use the arrow keys or the B (to move back one screen) and F (to move forward one screen) keys. To obtain help, use the H key. To finish your review, use the Q key.

After exiting viewing mode, enter one of the following values:

If you do not agree to the Privacy Policy, the application terminates the Kaspersky Endpoint Security configuration process.


Step 4. Participating in Kaspersky Security Network

At this step, you must either accept or decline the terms of the Kaspersky Security Network Statement. The file containing the text of the Kaspersky Security Network Statement is located in the directory /opt/kaspersky/kesl/doc/ksn_license.<language ID>.

Enter one of the following values:

Refusal to participate in Kaspersky Security Network does not interrupt the Kaspersky Endpoint Security installation process. You can enable, disable, or change the Kaspersky Security Network mode at any time.


Step 5. Determining the type of file operation interceptor

At this step, the type of file operation interceptor for the utilized operating system is determined. For operating systems that do not support fanotify technology, kernel module compilation is started. The kernel module is required for operation of the real-time protection task.

To compile the kernel module, the System.map-<kernel version> file must be present in the /boot/ directory.

If the script finds the operating system's Module kernel source code in the default directory, the application will use the path to this directory. Otherwise, you will have to specify the path to the Module kernel source code.

If the necessary packages are not detected during the kernel module compilation process, Kaspersky Endpoint Security attempts to download them on its own. If it fails to download the packages, an error message is displayed.

You can compile the kernel module later after initial configuration of Kaspersky Endpoint Security is complete.


Step 6. Downloading Kaspersky Endpoint Security anti-virus databases

At this step, you can download Kaspersky Endpoint Security anti-virus databases to your computer. Anti-virus databases contain descriptions of threat signatures and methods of countering them. Kaspersky Endpoint Security uses these records when searching for threats and neutralizing them. Kaspersky Lab virus analysts regularly add new records about new threats.

To download Kaspersky Endpoint Security anti-virus databases to your computer, you must enter yes as your answer.

Enter no if you do not want to immediately download anti-virus databases.

The default answer is yes.

The application will provide anti-virus protection for the computer only after downloading the Kaspersky Endpoint Security anti-virus databases.

You can start the Update task without using the initial configuration script.


Step 7. Configuring proxy server settings

At this step, you must specify the proxy server settings if you are using a proxy server to access the Internet. An Internet connection is required for downloading Kaspersky Endpoint Security anti-virus databases from the update servers.

To configure proxy server settings, perform one of the following actions:

By default, the application suggests the answer no.

You can configure the proxy server settings without using the initial configuration script.


Step 8. Enabling automatic update of anti-virus databases

At this step, you can enable automatic updates of anti-virus databases.

Enter yes to enable automatic update of anti-virus databases. By default, Kaspersky Endpoint Security checks for available anti-virus database updates every 60 minutes. If updates are available, Kaspersky Endpoint Security downloads the updated anti-virus databases.

Enter no if you do not want Kaspersky Endpoint Security to automatically update the anti-virus databases.

You can enable automatic updates of anti-virus databases without using the initial configuration script by managing the update task schedule.


Step 9. Activating the application

At this step, you must activate the application with an activation code or a key file.

To activate the application with an activation code, you must enter the activation code.

To activate the application using a key file, you must specify the full path to the key file.

If no activation code or key file is specified, the application will be activated using a trial key for one month.

You can install a key file without using the initial configuration script.


Step 10. Configuring graphical user interface

At this step, you can enable the use of the graphical user interface (GUI).

Enter one of the following values:

You can enable or disable the use of the graphical user interface at any time.


Automatic initial configuration of Kaspersky Endpoint Security

You can perform automatic initial configuration of Kaspersky Endpoint Security. The application sets the values of settings as specified in the initial setup configuration file.

To start automatic initial configuration of Kaspersky Endpoint Security, execute the following command:

kesl-setup.pl --autoinstall=<full path to the initial configuration file>


Settings of the Kaspersky Endpoint Security initial setup configuration file

The Kaspersky Endpoint Security initial setup configuration file contains the settings presented in the table below.

Settings of the Kaspersky Endpoint Security initial setup configuration file

EULA_AGREED (required setting)

Description: Acceptance of the terms of the End User License Agreement

Available values:

  • yes—You must accept the terms of the End User License Agreement to continue the application installation procedure
  • no—Do not accept the End User License Agreement. The application installation will be interrupted

PRIVACY_POLICY_AGREED (required setting)

Description: Acceptance of the Privacy Policy

Available values:

  • yes—You must accept the Privacy Policy to continue the application installation procedure
  • no—Do not accept the Privacy Policy. The application installation will be interrupted

USE_KSN

Description: Acceptance of the Kaspersky Security Network Statement

Available values:

  • yes—Accept the Kaspersky Security Network Statement
  • no—Do not accept the Kaspersky Security Network Statement

SERVICE_LOCALE (optional setting)

Description: Locale used during operation of Kaspersky Endpoint Security

Available values: The locale in the format specified by RFC 3066. If the SERVICE_LOCALE setting is not specified, the system locale is set by default.

INSTALL_LICENSE

Description: Activation code or key file

UPDATER_SOURCE

Description: Updates source

Available values:

  • SCServer—Use the Kaspersky Security Center Administration Server as the update source
  • KLServers—Use the Kaspersky Lab servers as the update source
  • update source address

PROXY_SERVER

Description: Address of the proxy server used to connect to the Internet

Available values:

  • proxy server address
  • no—Do not use a proxy server

UPDATE_EXECUTE

Description: Start database update task during setup

Available values:

  • yes—Start update task
  • no—Do not start update task

KERNEL_SRCS_INSTALL

Description: Automatic start of kernel module compilation

Available values:

  • yes—Compile kernel module
  • no—Do not compile kernel module

USE_GUI

Description: Enable the use of the graphical user interface

Available values:

  • yes—Enable the use of the graphical user interface
  • no—Disable the use of the graphical user interface

IMPORT_SETTINGS

Description: Use application settings from a configuration file

Available values:

  • yes—Use application settings from a configuration file
  • no—Do not use application settings from a configuration file

If you want to change the settings in the initial setup configuration file for Kaspersky Endpoint Security, enter the values of settings in the format parameter_name=parameter_value (the application does not process spaces between a parameter name and its value).
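The settings table and the parameter_name=parameter_value rule can be checked before an unattended run. The script below is an added example, not part of the Kaspersky documentation or tooling; the function names check_kesl_autoinstall and kesl_autoinstall_sample are hypothetical, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not Kaspersky code): lint an initial setup configuration file
# against the settings table before passing it to kesl-setup.pl --autoinstall.
# Prints one line per problem; returns 0 when the file is clean, 1 otherwise.
check_kesl_autoinstall() {
    awk '
    function problem(msg) { print msg; bad = 1 }
    BEGIN {
        bad = 0
        # Settings whose documented values are yes/no only.
        n = split("EULA_AGREED PRIVACY_POLICY_AGREED USE_KSN UPDATE_EXECUTE KERNEL_SRCS_INSTALL USE_GUI IMPORT_SETTINGS", a, " ")
        for (i = 1; i <= n; i++) yesno[a[i]] = 1
        # Settings that take a free-form value (locale, code or path, address).
        n = split("SERVICE_LOCALE INSTALL_LICENSE UPDATER_SOURCE PROXY_SERVER", a, " ")
        for (i = 1; i <= n; i++) freeform[a[i]] = 1
    }
    /^[ \t]*$/ { next }    # blank lines carry no setting
    {
        eq = index($0, "=")
        if (eq == 0) { problem("line " NR ": not in parameter_name=parameter_value form"); next }
        name = substr($0, 1, eq - 1)
        value = substr($0, eq + 1)
        # The application does not process spaces between a name and its value.
        if (name ~ /[ \t]/ || value ~ /^[ \t]/) { problem("line " NR ": whitespace next to the = sign"); next }
        if (!(name in yesno) && !(name in freeform)) { problem("line " NR ": unknown setting " name); next }
        if (name in seen) problem("line " NR ": " name " is set more than once")
        seen[name] = value
        if ((name in yesno) && value != "yes" && value != "no")
            problem("line " NR ": " name " must be yes or no")
    }
    END {
        # Both consent settings are required; a value of no interrupts installation.
        n = split("EULA_AGREED PRIVACY_POLICY_AGREED", req, " ")
        for (i = 1; i <= n; i++) {
            if (!(req[i] in seen)) problem(req[i] " is required but missing")
            else if (seen[req[i]] == "no") problem(req[i] "=no interrupts the installation")
        }
        exit bad
    }' "$1"
}

# Constructed sample file: consent given, Kaspersky Lab servers as update source.
kesl_autoinstall_sample() {
    cat <<'EOF'
EULA_AGREED=yes
PRIVACY_POLICY_AGREED=yes
USE_KSN=no
UPDATER_SOURCE=KLServers
PROXY_SERVER=no
UPDATE_EXECUTE=yes
KERNEL_SRCS_INSTALL=yes
USE_GUI=no
EOF
}

sample=$(mktemp)
kesl_autoinstall_sample > "$sample"
if check_kesl_autoinstall "$sample"; then
    echo "ok: pass the file to kesl-setup.pl --autoinstall=<full path to the initial configuration file>"
fi
rm -f "$sample"
```
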


Installing Kaspersky Endpoint Security via Kaspersky Security Center

You can install Kaspersky Endpoint Security to a computer via Kaspersky Security Center.

More details about this type of application installation can be found in the Kaspersky Security Center documentation.


Installing Network Agent

Installation of Network Agent is required if you are planning on managing Kaspersky Endpoint Security via Kaspersky Security Center.

The Network Agent installation process must be started with root privileges.

To install Network Agent from an RPM package to a 32-bit operating system, execute the following command:

# rpm -i klnagent-<build number>.i386.rpm

To install Network Agent from an RPM package to a 64-bit operating system, execute the following command:

# rpm -i klnagent64-<build number>.x86_64.rpm

To install Network Agent from a DEB package to a 32-bit operating system, execute the following command:

# dpkg -i klnagent_<build number>_i386.deb

To install Network Agent from a DEB package to a 64-bit operating system, execute the following command:

# dpkg -i klnagent64_<build number>_amd64.deb

After installing the package, start the Kaspersky Endpoint Security post-installation configuration script by executing the following command:


Initial configuration of Network Agent settings

If you plan to manage Kaspersky Endpoint Security via Kaspersky Security Center, you must configure the Network Agent settings.

To configure the Network Agent settings:

  1. Execute the command:
    • for a 32-bit operating system:

      # /opt/kaspersky/klnagent/lib/bin/setup/postinstall.pl

    • for a 64-bit operating system:

      # /opt/kaspersky/klnagent64/lib/bin/setup/postinstall.pl

  2. Specify the DNS name or IP address of the Administration Server.
  3. Specify the port number of the Administration Server.

    Port 14000 is used by default.

  4. If you want to use an SSL connection, specify the SSL port number of the Administration Server.

    Port 13000 is used by default.

  5. Do one of the following:
    • Enter yes if you want to use an SSL connection.
    • Enter no if you do not want to use an SSL connection.

    By default, SSL connection is enabled.

  6. If necessary, specify the connection gateway mode:
    • 0—Do not use connection gateway.
    • 1—Use this Network Agent as connection gateway.
    • 2—Connect to Administration Server through connection gateway.

For more detailed information about configuring Network Agent, please refer to the Kaspersky Security Center documentation.


Upgrading an old application version

You can upgrade Kaspersky Endpoint Security 10 for Linux to Kaspersky Endpoint Security 10 Service Pack 1 for Linux.

You can upgrade the old version of the application as follows:

When upgrading a previous version of the application to Kaspersky Endpoint Security 10 Service Pack 1 for Linux, you do not have to remove the previous version of the application. We recommend quitting all active applications before upgrading a previous application version.


Upgrading the application from the command line

You can upgrade Kaspersky Endpoint Security 10 for Linux to Kaspersky Endpoint Security 10 Service Pack 1 for Linux locally by performing the procedure below.

A restart of the operating system or application may be required after the upgrade procedure is complete.

To upgrade the application:

  1. Run the required Kaspersky Endpoint Security 10 Service Pack 1 for Linux package installation.

    Kaspersky Endpoint Security 10 for Linux is stopped, and the application settings and event log are exported.

  2. Run the post-installation configuration script.

    The post-installation configuration script requests Kaspersky Endpoint Security parameter values step-by-step.

    Accepting the End User License Agreement (EULA) and the Privacy Policy is mandatory.

    The application settings and event log are transferred to the upgraded application version; new settings are set to the default values. When the application settings are transferred, the application stops.

  3. If necessary, restart the operating system or the application.

If an error occurred during the application upgrade procedure, the application cannot be automatically restored to the previous version. An error message is displayed.

If the transfer of application settings fails for any reason, the application is set to the default values.


Upgrading the application using Kaspersky Security Center

You can remotely upgrade Kaspersky Endpoint Security 10 for Linux to Kaspersky Endpoint Security 10 Service Pack 1 for Linux using Kaspersky Security Center by performing the following procedure.

To upgrade the application managed by the Kaspersky Security Center policy:

  1. Upgrade Network Agent.

    If Network Agent is not upgraded, the application cannot be managed through Kaspersky Security Center.

    The application functions correctly during a Network Agent upgrade.

  2. Remotely install Kaspersky Endpoint Security 10 Service Pack 1 for Linux.

More details about this type of application upgrade can be found in the Kaspersky Security Center documentation.


Configuring permissions in the SELinux system

To create an SELinux module with rules required for operation of Kaspersky Endpoint Security:

  1. Switch SELinux to permissive mode:
    • If SELinux has been activated, execute the following command:

      # setenforce Permissive

    • If SELinux was disabled, in the configuration file /etc/selinux/config specify the SELINUX=permissive parameter value and restart the operating system.
  2. Run the following tasks:
    • real-time protection task:

      kesl-control --start-t 1

    • boot sector scan task:

      kesl-control --start-t 4 -W

    • process memory scan task:

      kesl-control --start-t 5 -W

  3. Create a rules module on the basis of blocking records:

    grep kesl /var/log/audit/audit.log | audit2allow -M kesl

    Ensure that the generated list contains only rules related to Kaspersky Endpoint Security.

  4. Load the new rules module:

    # semodule -i kesl.pp

  5. Switch SELinux to enforcing mode:

    # setenforce Enforcing

If new audit messages related to Kaspersky Endpoint Security appear, the rules module file needs to be updated.

For additional information, please refer to the documentation on the relevant operating system.
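The check in step 3, as an added example that is not part of the original guide: `grep kesl` also matches denials caused by other processes that merely touch a path containing "kesl", so these functions split the AVC records by their `comm=` field before anything reaches audit2allow. The process name `kesl` is an assumption, and the audit records and SELinux types in the sample are constructed.

```shell
#!/bin/sh
# Added example: triage the AVC denials that `grep kesl` would pass to
# audit2allow. Assumption: the application's process name (comm=) is "kesl".

# Constructed sample audit records (not real log output).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1520000001.101:501): avc:  denied  { read } for  pid=2101 comm="kesl" name="passwd" dev="sda1" ino=1311 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1520000002.202:502): avc:  denied  { getattr } for  pid=2101 comm="kesl" path="/boot/grub2/grub.cfg" dev="sda1" ino=77 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=1
type=AVC msg=audit(1520000003.303:503): avc:  denied  { read } for  pid=3300 comm="logrotate" path="/var/log/kaspersky/kesl" dev="sda1" ino=9001 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1520000004.404:504): avc:  denied  { read } for  pid=2101 comm="kesl" name="passwd" dev="sda1" ino=1311 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1520000004.404:504): arch=c000003e syscall=2 success=yes exit=3 comm="kesl" exe="/opt/kaspersky/kesl/libexec/kesl"
type=AVC msg=audit(1520000005.505:505): avc:  denied  { open } for  pid=4100 comm="sshd" path="/etc/ssh/sshd_config" dev="sda1" ino=42 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
EOF
}

# Summarise every denial that `grep kesl` would match, one unique line each:
#   owner comm source_type target_type:class { perms }
# owner is "own" when the denied process is kesl, "foreign" otherwise.
kesl_avc_triage() {
    awk -v want="${2:-kesl}" '
    /^type=AVC / && /denied/ && /kesl/ {
        comm = src = tgt = cls = perms = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # collect the permission list between the braces
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms == "" ? "" : " ") $j
            }
            else if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            else if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        owner = (comm == want) ? "own" : "foreign"
        print owner, comm, src, tgt ":" cls, "{ " perms " }"
    }' "$1" | LC_ALL=C sort -u
}

# Print only the raw AVC records caused by the kesl process itself;
# this is the stream to hand to `audit2allow -M kesl`.
kesl_only_records() {
    awk -v want="comm=\"${2:-kesl}\"" '
    /^type=AVC / && /denied/ {
        for (i = 1; i <= NF; i++) if ($i == want) { print; break }
    }' "$1"
}
```

On a live host, piping `kesl_only_records /var/log/audit/audit.log` into `audit2allow -M kesl` takes the place of the plain grep; any line that `kesl_avc_triage` marks as foreign belongs to another process and should be reviewed separately rather than allowed in the kesl module.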

Configuring permissions in the AppArmor system

To update the AppArmor profiles required to run Kaspersky Endpoint Security:

  1. Make sure that the AppArmor module is loaded by using one of the following methods:
    • systemctl status apparmor
    • /etc/init.d/apparmor status
  2. Create a Kaspersky Endpoint Security profile:
    1. In the first console, execute the following commands:

      cd /etc/apparmor.d

      aa-genprof /opt/kaspersky/kesl/libexec/kesl

    2. In the second console, run the following tasks:
      • real-time protection task:

        kesl-control --start-t 1

      • process memory scan task:

        kesl-control --start-t 4 -W

      • boot sector scan task:

        kesl-control --start-t 5 -W

      • update task:

        kesl-control --start-t 6 -W

    3. In the first console, press S. After event scanning completes, press F.
  3. Switch the created Kaspersky Endpoint Security profile to message display mode:

    aa-complain opt.kaspersky.kesl.libexec.kesl

  4. After the application has run for several days, update the profile by running the following command:

    aa-logprof

    Specify the Allow or Glob permissions for all files that Kaspersky Endpoint Security used during this period.

  5. Switch the Kaspersky Endpoint Security profile to blocking mode:

    aa-enforce opt.kaspersky.kesl.libexec.kesl

If new audit messages related to Kaspersky Endpoint Security appear, the rules module file needs to be updated.

For additional information, please refer to the documentation on the relevant operating system.

Removing the application

This section contains instructions on how to remove Kaspersky Endpoint Security locally or via Kaspersky Security Center.

In this section

Local removal of Kaspersky Endpoint Security

Removing Kaspersky Endpoint Security via Kaspersky Security Center

Local removal of Kaspersky Endpoint Security

While the application is being removed, all tasks of Kaspersky Endpoint Security will be stopped.

To uninstall Kaspersky Endpoint Security that was installed from an RPM package, execute the following command:

# rpm -e kesl

To uninstall Kaspersky Endpoint Security that was installed from a DEB package, execute the following command:

# dpkg -r kesl

To remove Network Agent that was installed from an RPM package, execute the following command:

# rpm -e klnagent

To remove Network Agent that was installed from a DEB package, execute the following command:

# dpkg -r klnagent

The application automatically performs the removal procedure. When completed, the application displays a message containing the results of removal.

After Kaspersky Endpoint Security removal, the license database remains, which can be used when installing the application again.

Removing Kaspersky Endpoint Security via Kaspersky Security Center

You can remove Kaspersky Endpoint Security via Kaspersky Security Center. To do so, you must create and start a removal task for Kaspersky Endpoint Security.

For more details about creating and starting a Kaspersky Endpoint Security removal task, please refer to the Kaspersky Security Center documentation.

Application licensing

This section covers the main aspects of application licensing.

In this section

About the End User License Agreement

About the license

About the license certificate

About the activation code

About the key

About the key file

About subscription

About data provision

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the application.

Read through the terms of the License Agreement carefully before you start using the application.

You can view the terms of the License Agreement in the following ways:

By confirming that you agree with the End User License Agreement when installing the application, you signify your acceptance of the terms of the End User License Agreement. If you do not accept the terms of the End User License Agreement, you must abort application installation and must not use the application.

About the license

A license is a time-limited right to use the application, granted under the End User License Agreement.

A current license entitles you to the following kinds of services:

The scope of services and application usage term depend on the type of license under which the application is activated.

The following license types are provided:

We recommend renewing the license before its expiration to ensure maximum protection of your computer against security threats.

About the license certificate

License Certificate—Document provided with the key file or activation code.

The License Certificate contains the following license information:

About the activation code

Activation code—Unique sequence of twenty Latin letters and numerals. You have to enter an activation code in order to add a key that activates Kaspersky Endpoint Security. You receive the activation code at the email address that you provided when you bought Kaspersky Endpoint Security or ordered the trial version of Kaspersky Endpoint Security.

To activate the application using the activation code, Internet access is required to connect to Kaspersky Lab's activation servers.

If the activation code has been lost after activation of the application, you can restore the activation code. You may need the activation code to register a Kaspersky CompanyAccount, for example. To restore an activation code, you must contact Kaspersky Lab Technical Support.

About the key

Key—Sequence of bits with which you can activate and subsequently use the application in accordance with the terms of the End User License Agreement. A key is generated by Kaspersky Lab.

You can add a key to the application in one of the following ways: apply a key file or enter an activation code. After you add a key to the application, the key is displayed in the application interface as a unique alphanumeric sequence.

Kaspersky Lab can black-list a key over violations of the End User License Agreement. If the key has been black-listed, you have to add a different key to continue using the application.

There are two types of keys: active and additional.

Active key—Key that is currently used by the application. A trial or commercial license key can be added as the active key. The application cannot have more than one active key.

Additional key—Key that certifies the right to use the application but is not currently being used. An additional key automatically becomes active when the license associated with the current active key expires. An additional key can be added only if the active key is available.

A key for a trial license can be added only as the active key. A key for a trial license cannot be added as an additional key.

About the key file

A key file is a file with the .key extension that you receive from Kaspersky Lab. Key files are designed to activate the application by adding a key.

You receive a key file at the email address that you provided when you bought Kaspersky Endpoint Security or ordered the trial version of Kaspersky Endpoint Security.

You do not need to connect to Kaspersky Lab activation servers in order to activate the application with a key file.

You can recover a key file if it is accidentally deleted. You may need a key file to register with Kaspersky CompanyAccount.

To recover a key file, do one of the following:

About subscription

Subscription for Kaspersky Endpoint Security is a purchase order for the application with specific parameters (subscription expiry date, number of devices protected). You can order a subscription for Kaspersky Endpoint Security from your service provider (such as your ISP). A subscription can be renewed manually or automatically, or you may cancel your subscription. You can manage your subscription on the website of the service provider.

Subscription can be limited (for one year, for example) or unlimited (without an expiry date). To keep Kaspersky Endpoint Security working after expiry of the limited subscription term, you have to renew your subscription. Unlimited subscription is renewed automatically if the vendor's services have been prepaid on time.

In the case of limited subscription, upon its expiry you may be offered a grace period for renewing subscription, during which time the application will retain its functionality. The service provider decides whether or not to grant a grace period and, if so, determines the duration of the grace period.

To use Kaspersky Endpoint Security under subscription, you have to apply the activation code received from the service provider. After the activation code is applied, the active key is installed. The active key defines the license for using the application under subscription. An additional key can be installed only using an activation code and cannot be installed using a key file or under subscription.

The application functionality available by subscription can correspond to the application functionality for the following types of commercial license: Standard, Kaspersky Business Space Security, Kaspersky Enterprise Space Security. Licenses of these types are designed for protecting file servers, workstations, and mobile devices, and support the use of control components on workstations and mobile devices.

The possible subscription management options may vary with each service provider. The service provider may not offer a grace period for renewing subscription, during which time the application will retain its functionality.

Activation codes purchased under subscription may not be used to activate previous versions of Kaspersky Endpoint Security.

About data provision

In accepting the End User License Agreement, you agree to automatically transfer information on your use of the product, as well as the type, version and localization of the program installed, the unique identifier of the program installer and type of installation, and data on active and additional keys (including license type, validity period, date of program activation and date the license expires, the number of the license, the current state of the license, the activation server interaction protocol version).

By accepting the terms of the Kaspersky Security Network Statement, you also agree to automatically transmit the following information:

Should the program be activated with an activation code, in order to receive statistical information on the distribution and use of the License Holder's products, you agree to automatically provide the version of the program being utilized (including information on installed program updates, the program installation identifier, and information on licenses), the version of the operating system, and program component identifiers active at the time the information is provided.

Kaspersky Lab protects any information thus received in accordance with law and applicable Kaspersky Lab rules.

Kaspersky Lab uses any received information in anonymized form and as general statistics only. Aggregate statistics are automatically generated from the source information received, and do not contain any personal or other confidential data. The original information received is destroyed as new information is accumulated (once a year). Aggregate statistics are stored indefinitely.

Read the End User License Agreement and visit the Kaspersky Lab website to learn more about how we collect, process, store, and destroy information about application usage after you accept the End User License Agreement and concur with the KSN Statement. The license.<language ID> and ksn_license.<language ID> files contain the End User License Agreement and Kaspersky Security Network Statement and are part of the program distribution package.

Starting and stopping the application

By default, Kaspersky Endpoint Security starts automatically when the operating system is booted (at the default level of execution for each operating system). Kaspersky Endpoint Security starts all service tasks as well as custom tasks whose schedule setting is set to PS.

If you stop Kaspersky Endpoint Security, all running tasks will be interrupted. After Kaspersky Endpoint Security is restarted, the interrupted custom tasks will not be automatically resumed. Only those custom tasks whose schedule setting is set to PS will be restarted.

To start Kaspersky Endpoint Security, execute the following command:

/etc/init.d/kesl-supervisor start

To stop Kaspersky Endpoint Security, execute the following command:

/etc/init.d/kesl-supervisor stop

To restart Kaspersky Endpoint Security, execute the following command:

/etc/init.d/kesl-supervisor restart

To display the status of Kaspersky Endpoint Security, execute the following command:

/etc/init.d/kesl-supervisor status

To start Kaspersky Endpoint Security in the systemd system, execute the following command:

systemctl start kesl-supervisor

To stop Kaspersky Endpoint Security in the systemd system, execute the following command:

systemctl stop kesl-supervisor

To restart Kaspersky Endpoint Security in the systemd system, execute the following command:

systemctl restart kesl-supervisor

To display the status of Kaspersky Endpoint Security in the systemd system, execute the following command:

systemctl status kesl-supervisor

Application state monitoring

The application state is monitored by the watchdog service. The watchdog service starts automatically when the application starts.

If the application crashes, a dump file is generated and the application is restarted automatically. The /var/opt/kaspersky/kesl directory, excluding dump files, is backed up.

General settings of Kaspersky Endpoint Security

This section describes general settings of Kaspersky Endpoint Security.

After modifying the general settings of Kaspersky Endpoint Security, restart the application.

General settings of the configuration file have the following values:

SambaConfigPath

Directory that stores the Samba configuration file. The Samba configuration file is needed to ensure that the AllShared or Shared:SMB values are applied for the Path option.

The standard directory of the Samba configuration file on the computer is specified by default.

Default value: /etc/samba/smb.conf

NfsExportPath

Directory storing the NFS configuration file. The NFS configuration file is needed to ensure that the AllShared or Shared:NFS values are applied for the Path option.

The standard directory of the NFS configuration file on the computer is specified by default.

Default value: /etc/exports

TraceFolder

Directory in which Kaspersky Endpoint Security stores trace log files.

If you specify a different directory, make sure that the account under which Kaspersky Endpoint Security is running has read/write permissions for this directory.

Default value: /var/log/kaspersky/kesl

TraceLevel

Trace log level of detail.

Available values:

Detailed—Most detailed trace log.

NotDetailed—The trace log contains error notifications.

None—Does not create a trace log.

Default value: None.

BlockFilesGreaterMaxFileNamePath

Blocks access to files for which the full path length exceeds the defined parameter value specified in bytes.

If the complete path to the file being scanned exceeds the value of this setting, on-demand scan tasks skip this file during scanning.

Available values: 4096 – 33554432.

Default value: 16384.

DetectOtherObjects

Enables / disables the detection of legitimate software that could be used by hackers to harm computers or data of users.

Available values:

Yes—Enable the detection of legitimate software that could be used by hackers to harm computers or data of users.

No—Disable the detection of legitimate software that could be used by hackers to harm computers or data of users.

Default value: No.

UseKSN

Enables / disables participation in Kaspersky Security Network.

Available values:

No—Disable participation in Kaspersky Security Network.

Basic—Enable participation in Kaspersky Security Network without sending statistics.

Extended—Enable participation in Kaspersky Security Network with sending statistics.

Default value: No.

UseProxy

Enables / disables use of a proxy for Kaspersky Security Network, activation of the application, and updates.

Available values:

Yes—Enable use of a proxy.

No—Disable use of a proxy.

Default value: No.

ProxyServer

Proxy server settings in the format [user[:password]@]host[:port].

MaxEventsNumber

Maximum number of events that will be stored by Kaspersky Endpoint Security. When the specified number of events is exceeded, Kaspersky Endpoint Security deletes the oldest events.

Default value: 500000.

LimitNumberOfScanFileTasks

Maximum number of Scan_File tasks that a non-privileged user can simultaneously start on a computer. This parameter does not limit the number of tasks that a user with root privileges can start. If the value 0 is defined, a non-privileged user cannot start Scan_File tasks.

Available values: 0 – 4294967295.

Default value: 0.

If the USE_GUI setting was set to yes during the application installation, the default value for the LimitNumberOfScanFileTasks is 5.

UseSysLog

Enables / disables the logging of information about events to syslog. In certain cases, the application cannot generate and save an event. In such cases, the information is saved to syslog.

Yes—Enable the logging of information about events to syslog.

No—Disable the logging of information about events to syslog.

Default value: No.

UIReportsForRootOnly

Enables / disables restriction of report viewing in the graphical user interface to the root user.

Yes—Allow only the root user to view reports in the GUI.

No—Allow unprivileged users to view reports in the GUI. Unprivileged users will also be able to create and start up to 5 custom scan tasks.

Default value: No.

EventsStoragePath

Database file in which Kaspersky Endpoint Security saves information about events.

Default value: /var/opt/kaspersky/kesl/events.db

In this section

Commands for managing Kaspersky Endpoint Security settings and tasks

Displaying Kaspersky Endpoint Security command Help

Enabling the display of events

Viewing information about the application

Kaspersky Endpoint Security commands

Exporting and importing application settings

Commands for managing Kaspersky Endpoint Security settings and tasks

This section provides information about the commands used to manage Kaspersky Endpoint Security settings and tasks.

Receiving the general settings of Kaspersky Endpoint Security

The command --get-app-settings displays the general settings of Kaspersky Endpoint Security. Using this command, you can also receive the general settings of Kaspersky Endpoint Security that were assigned using the command keys.

You can use this command to edit the general settings of Kaspersky Endpoint Security installed on the computer:

  1. Save the general settings of Kaspersky Endpoint Security in the configuration file using the option --get-app-settings.
  2. Open the created configuration file, edit the necessary settings and save the changes.
  3. Import the settings from the configuration file to Kaspersky Endpoint Security using the option --set-app-settings. Kaspersky Endpoint Security will apply the new values of the settings after you stop and restart Kaspersky Endpoint Security.

You can use the created configuration file to import the settings to Kaspersky Endpoint Security installed on another computer.

Command syntax

kesl-control [-T] --get-app-settings [--file <configuration file name>]

kesl-control [-T] --get-app-settings

Arguments and keys

--file <name of configuration file>

Name of the configuration file in which Kaspersky Endpoint Security settings will be saved. If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the configuration file will not be created.

Example:

Export the general settings of Kaspersky Endpoint Security to a file named kesl_config.ini. Save the created file in the current directory:

kesl-control --get-app-settings --file kesl_config.ini

Editing the general settings of Kaspersky Endpoint Security

The command --set-app-settings sets the general settings of Kaspersky Endpoint Security using the command keys or imports the general settings of Kaspersky Endpoint Security from the specified configuration file.

You can use this command to edit the general settings of Kaspersky Endpoint Security:

  1. Save the general settings of Kaspersky Endpoint Security in the configuration file using the option --get-app-settings.
  2. Open the created configuration file, edit the necessary settings and save the changes.
  3. Import the settings from the configuration file to Kaspersky Endpoint Security using the option --set-app-settings. Kaspersky Endpoint Security will apply the new values of the settings after you stop and restart Kaspersky Endpoint Security using the options --stop-app and --start-app or using the option --restart-app.

Command syntax

kesl-control [-T] --set-app-settings --file <configuration file name>

kesl-control [-T] --set-app-settings <parameter name>=<parameter value> <parameter name>=<parameter value>

Arguments and keys

--file <name of configuration file>

Name of the configuration file whose settings will be imported into Kaspersky Endpoint Security; includes the full path to the file.

Example:

Import the general settings from the configuration file named /home/test/kav_config.ini to Kaspersky Endpoint Security:

kesl-control --set-app-settings --file /home/test/kav_config.ini

Set a low level of detail for the trace log:

kesl-control --set-app-settings TraceLevel=NotDetailed
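A pre-import check for the edit-and-import procedure above, as an added example that is not part of the original guide: it validates an edited settings file against the value lists and ranges documented under "General settings" and parses ProxyServer in the documented [user[:password]@]host[:port] format. The one Name=Value pair per line layout of the exported file is an assumption, the port range check is an added sanity check, and the sample content is constructed.

```shell
#!/bin/sh
# Added example (not from the Kaspersky guide): validate an edited
# general-settings file before importing it with --set-app-settings.
# Assumption: the file holds one Name=Value pair per line.

# Constructed sample content; values chosen to trigger the checks.
sample_settings() {
cat <<'EOF'
TraceLevel=Detailed
BlockFilesGreaterMaxFileNamePath=1024
UseKSN=Extended
UseProxy=Yes
ProxyServer=svc_update:examplepass@proxy.example.test:3128
LimitNumberOfScanFileTasks=5
UseSysLog=Maybe
UIReportsForRootOnly=No
EOF
}

# Prints ERROR/NOTE lines; returns 1 if any ERROR was found, 0 otherwise.
check_kesl_settings() {
    awk '
    function bad(msg)  { print "ERROR " key ": " msg; errs++ }
    function note(msg) { print "NOTE " key ": " msg }
    # value must be one of the "|"-separated names documented for the setting
    function enum(list,   n, a, i) {
        n = split(list, a, "|")
        for (i = 1; i <= n; i++) if (val == a[i]) return
        bad("expected " list ", got " val)
    }
    # bounds are passed as strings so they print exactly as documented
    function range(lo, hi) {
        if (val !~ /^[0-9]+$/ || val + 0 < lo + 0 || val + 0 > hi + 0)
            bad("expected " lo "-" hi ", got " val)
    }
    # [user[:password]@]host[:port]; the password itself is never printed
    function proxy(   at, i, creds, hp, host, port) {
        if (val == "") return
        at = 0
        for (i = length(val); i > 0; i--)
            if (substr(val, i, 1) == "@") { at = i; break }
        creds = at ? substr(val, 1, at - 1) : ""
        hp = substr(val, at + 1)
        host = hp; port = ""
        i = index(hp, ":")
        if (i) { host = substr(hp, 1, i - 1); port = substr(hp, i + 1) }
        if (index(creds, ":"))
            note("value embeds a proxy password; keep this file readable by root only")
        if (host == "") bad("host part is missing")
        if (port != "" && (port !~ /^[0-9]+$/ || port + 0 < 1 || port + 0 > 65535))
            bad("port must be 1-65535")
    }
    /^[ \t]*[#;]/ || index($0, "=") == 0 { next }   # comments, blanks, headers
    {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        seen[key] = val
        if      (key == "TraceLevel") enum("Detailed|NotDetailed|None")
        else if (key == "UseKSN")     enum("No|Basic|Extended")
        else if (key == "UseProxy" || key == "UseSysLog" ||
                 key == "DetectOtherObjects" || key == "UIReportsForRootOnly")
            enum("Yes|No")
        else if (key == "BlockFilesGreaterMaxFileNamePath") range("4096", "33554432")
        else if (key == "LimitNumberOfScanFileTasks")       range("0", "4294967295")
        else if (key == "ProxyServer") proxy()
    }
    END {
        if (seen["UseProxy"] == "Yes" && seen["ProxyServer"] == "") {
            key = "UseProxy"; note("proxy is enabled but ProxyServer is empty")
        }
        exit (errs > 0)
    }' "$1"
}
```

Settings the function does not recognise are passed through unchecked, so a zero exit status only covers the settings listed in the code.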

Displaying Kaspersky Endpoint Security command Help

The command kesl-control with the key --help <set of Kaspersky Endpoint Security commands> returns Help on Kaspersky Endpoint Security commands.

Command syntax

kesl-control --help [<set of commands of Kaspersky Endpoint Security>]

<set of commands of Kaspersky Endpoint Security>

Available values:

[-T]—Commands for managing the tasks and general settings of Kaspersky Endpoint Security.

[-L]—Key management commands.

[-B]—Storage management commands.

[-E]—Commands for managing Kaspersky Endpoint Security events.

[-F]—Commands for managing the Firewall task.

[-H]—Commands for managing the Anti-Cryptor task.

[-S]—Statistical commands.

-W—Event monitoring.

Enabling the display of events

The command -W enables the display of Kaspersky Endpoint Security events. You can use this command either separately to display all Kaspersky Endpoint Security events or together with the --start-task command to display only events associated with the running task. You can use --query with the -W flag to display only specific events.

The command returns the name of the event and additional information about the event.

Command syntax

kesl-control -W

Example:

Enable the display of Kaspersky Endpoint Security events:

kesl-control -W

Viewing information about the application

The command --app-info displays information about Kaspersky Endpoint Security.

Command syntax

kesl-control [-S] --app-info

Result of command execution

Name

Application name.

Version

Current application version.

Key status

Status of the key.

Subscription status

Status of the subscription. This field is displayed if the application is run under subscription.

License expiration date

License expiration date.

Storage state

State of the Storage. Displays information about time or size limitations.

Storage space usage

Size of Storage.

Last run date of the Scan_My_Computer task

Time at which the last Scan_My_Computer task was run.

Last release date of databases

Time when the databases were last released.

Anti-virus databases loaded

Displays whether or not anti-virus databases have been downloaded.

Anti-virus databases records

Number of records in anti-virus databases.

KSN state

State of participation in Kaspersky Security Network.

File monitoring

State of file monitoring component.

Integrity monitoring

State of File Integrity Monitoring component.

Firewall

State of the Firewall manager component.

Anti-Cryptor

State of the Anti-Cryptor component.

Application update state

Displays whether application updates are available.

Kaspersky Endpoint Security commands

You can modify the values of Kaspersky Endpoint Security settings.

The following are the rules for using Kaspersky Endpoint Security commands:

Displaying Kaspersky Endpoint Security command Help

--help

Displays Help for Kaspersky Endpoint Security commands.

Display Kaspersky Endpoint Security events

-W

Enables the display of Kaspersky Endpoint Security events.

Commands for managing Kaspersky Endpoint Security settings and tasks

-T

Prefix indicating that the command belongs to the group of commands used for managing Kaspersky Endpoint Security settings / managing tasks (optional).

[-S] --app-info

Displays general information about Kaspersky Endpoint Security.

[-T] --get-app-settings --file <file name and directory>

Returns the general settings of Kaspersky Endpoint Security.

[-T] --set-app-settings --file <file name and directory>

Sets the general settings of Kaspersky Endpoint Security.

[-T] --get-task-list

Returns the list of existing Kaspersky Endpoint Security tasks.

[-T] --get-task-state <task ID>|<task name>

Displays the status of the specified task.

[-T] --create-task <task name> --type <task type> --file <file name and directory>

Creates a task of the specified type; imports the settings from the specified configuration file into the task.

[-T] --delete-task <task ID>|<task name>

Deletes the task.

[-T] --start-task <task ID>|<task name> [-W] [--progress] [--file <file name and directory>]

Starts the task.

[-T] --stop-task <task ID>|<task name>

Stops the task.

[-T] --suspend-task <task ID>|<task name>

Suspends the task.

[-T] --resume-task <task ID>|<task name>

Resumes the task.

[-T] --get-settings <task ID>|<task name> --file <file_name_and_directory>

Returns task settings.

[-T] --set-settings <task ID>|<task name> [<parameters>] [--file <file name and directory>] [--add-path <path>] [--del-path <path>] [--add-exclusion <exclusion>] [--del-exclusion <exclusion>]

Sets task settings.

[-T] --scan-file <path> [--action <action>]

Creates and starts a temporary Scan_File task.

[-T] --import-settings <--file file>

Imports the application settings from the configuration file.

[-T] --update-application

Updates the application.

[-S] --omsinfo --file <path>

Creates a file in JSON format for integration with Microsoft Operations Management Suite.

Key management commands

-L

Prefix indicating that the command belongs to the group of commands used to manage keys.

[-L] --install-active-key <activation code>|<key file>

Adds the active key.

[-L] --install-additional-key <activation code>|<key file>

Adds the additional key.

[-L] --revoke-active-key

Removes the active key.

[-L] --revoke-additional-key

Removes the additional key.

[-L] --query

Displays information about the key.

Commands for Firewall Manager task

[-F] --add-rule [--name <string>] [--action <action>] [--protocol <protocol>] [--direction <direction>] [--remote <remote>] [--local <local>] [--at <index>]

Adds a new rule.

[-F] --del-rule [--name <string>] [--index <index>]

Deletes a rule.

[-F] --move-rule [--name <string>] [--index <index>] [--at <index>]

Changes the rule priority.

[-F] --add-zone [--zone <zone>] [--address <address>]

Adds an IP address to the zone.

[-F] --del-zone [--zone <zone>] [--address <address>] [--index <index>]

Deletes an IP address from the zone.

-F --query

Displays information.

Commands for Anti-Cryptor task

[-H] --get-blocked-hosts

Displays a list of blocked hosts.

[-H] --allow-hosts

Unblocks untrusted hosts.

Commands for managing Storage

-B

Prefix indicating that the command belongs to the group of commands used to manage Storage.

[-B] --mass-remove --query

Clears the Storage, fully or selectively.

[-B] --query --limit --offset

Displays information about objects in Storage:

--limit

Maximum number of objects for which information is displayed.

--offset

Number of records by which to offset from the start of the sample.

[-B] --restore <object ID> --file <file name and directory>

Restores an object from Storage.

Commands used to manage the event log

-E

Prefix indicating that the command belongs to the group of commands used to manage the event log.

[-E] --query --limit --offset --file <file name and directory> --db <db file>

--limit

Maximum number of events for which information is displayed.

--query

Returns information about the filtered events from the event log or the specified log rotation file.

--offset

Number of records by which to offset from the start of the sample.

--db

Database file name.

Task schedule management commands

[-T] --set-schedule <task ID>|<task name> --file <file name and directory>

Sets the task schedule settings / imports them from the configuration file into the task.

[-T] --get-schedule <task ID>|<task name> --file <file name and directory>

Returns the task schedule settings.

RuleType=Once|Monthly|Weekly|Daily|Hourly|Minutely|Manual|PS|BR

Task launch schedule.

PS—Start the task after starting Kaspersky Endpoint Security.

BR—Start the task after anti-virus databases are updated.

StartTime=[year/month/month_day] [hh]:[mm]:[ss]; [<month_day>|<week_day>]; [<period>]

Task start time.

RandomInterval=<min.>

Task run interval, if several tasks are running at the same time (in minutes).

ExecuteTimeLimit=<min.>

Limit the duration of task execution (in minutes).

RunMissedStartRules

Enables / disables the start of a skipped task after Kaspersky Endpoint Security is started.

Exporting and importing application settings

Kaspersky Endpoint Security allows you to export and import all application settings for troubleshooting, verifying settings, or for easier application configuring on other computers.

When exporting settings, all application and task settings are saved to a configuration file. This configuration file is used for importing settings to configure the application.

Kaspersky Endpoint Security must be started when you import or export settings. After importing settings, the application must be restarted.

If the application is managed via Kaspersky Security Center, settings importing is not available.

When importing or exporting settings from the older application version, new settings are set to default values. When matching configuration files of new and older application versions, the return code will be 1.

Importing settings to an older application version is unavailable.

When importing application settings, the UseKSN setting is set to No. To start or resume participating in Kaspersky Security Network, you need to specify UseKSN=Basic or UseKSN=Extended.

After application settings are imported, internal task IDs may change. We recommend using task names to manage tasks.

To export application settings to a configuration file, execute the following command:

kesl-control --export-settings [--file <full path to configuration file>]

To configure the application using settings from a configuration file (import settings), execute the following command:

kesl-control --import-settings --file <full path to configuration file>

Managing Kaspersky Endpoint Security tasks using command line

This section contains information about the types of Kaspersky Endpoint Security tasks and instructions on how to manage those tasks.

In this section

About Kaspersky Endpoint Security tasks

Viewing a list of Kaspersky Endpoint Security tasks

Creating a task

Editing task settings using configuration file

Editing task settings using command line

Starting and stopping a task

Managing scan scopes from command line

Managing exclusion scopes from command line

Viewing a task state

Pausing and resuming a task

Scheduling a task

Receiving task schedule settings

Editing task schedule settings

Deleting a task


About Kaspersky Endpoint Security tasks

You can manage the operation of Kaspersky Endpoint Security using tasks locally on computers (using the command line or configuration files), as well as centrally via Kaspersky Security Center.

There are two types of tasks for working with Kaspersky Endpoint Security:

You can manage the following tasks:

ID—Number that Kaspersky Endpoint Security assigns to the task when it is created.

You can perform the following actions with tasks:


Viewing a list of Kaspersky Endpoint Security tasks

To view a list of Kaspersky Endpoint Security tasks, execute the following command:

kesl-control [-T] --get-task-list

A list of Kaspersky Endpoint Security tasks is displayed.

The following information is displayed for each task:

If a user is prohibited from viewing and editing task settings, information about Scan_File, Backup, License, File_Monitoring, Integrity_Monitor, and Anti_Cryptor tasks is displayed. Information about other tasks is not available.

If your license does not cover the Anti-Cryptor and File Integrity Monitoring functionality, information on the corresponding tasks will not be displayed.

For more information, see the "About Kaspersky Endpoint Security tasks" section.


Creating a task

You can create tasks with default settings or with settings specified in a configuration file.

Tasks of OAS, Firewall, OAFIM, License, Backup, and AntiCryptor types cannot be created.

To create a task with default settings, execute the following command:

kesl-control [-T] --create-task <task name> --type <task type>

Here:

A task of the specified type is created with default settings.

To create a task with settings specified in a configuration file, execute the following command:

kesl-control [-T] --create-task <task name> --type <task type> --file <full path to the configuration file>

Here:

A task of the specified type is created with settings specified in a configuration file.


Editing task settings using configuration file

To edit task settings by changing the configuration file:

  1. Save the task settings to the configuration file:

    kesl-control --get-settings <task name>|<task ID> --file <full path to file>

  2. Open the created configuration file for editing.
  3. Edit the required settings in the configuration file.
  4. Save the changes in the configuration file.
  5. Import the settings from the configuration file into the task:

    kesl-control --set-settings <task name>|<task ID> --file <full path to file>

As a result, the task is running with updated settings.


Editing task settings using command line

To edit task settings using the command line:

  1. Specify the required setting value:

    kesl-control --set-settings <task name or ID> setting=value [setting=value]

    Kaspersky Endpoint Security changes the specified setting.

  2. Make sure the setting value is changed in a task configuration file:

    kesl-control --get-settings <task name or ID>

If you add a new scan scope or exclusion scope without specifying all settings, a scope with default settings is added to the configuration file.

Example:

To specify a new scan scope, execute the following command:

kesl-control --set-settings 100 ScanScope.item_0001.UseScanArea=Yes ScanScope.item_0001.Path=/home

A new section describing a scan scope is added to the configuration file for the task with ID=100:

[ScanScope.item_0001]

AreaDesc=

UseScanArea=Yes

Path=/home

AreaMask.item_0000=*


Starting and stopping a task

You cannot start or stop Backup and License tasks.

To start the task, execute the following command:

kesl-control --start-task <task ID>|<task name>

To stop the task, execute the following command:

kesl-control --stop-task <task ID>|<task name>


Managing scan scopes from command line

You can add or delete a scan scope with a specified Path for OAS, ODS, OAFIM, ODFIM, and Anti-Cryptor tasks from the command line.

To add a new scan scope, execute the following command:

kesl-control --set-settings <task ID or name> --add-path <path>

A new [ScanScope.item_#] section is added to a task configuration file. Kaspersky Endpoint Security scans objects located in the directory specified by the Path parameter.

If a [ScanScope.item_#] section for the specified Path already exists, a duplicate section is not added to the configuration file. If the UseScanArea setting was set to No, after executing this command, the value becomes Yes, and objects located in this directory are scanned.

To delete a scan scope, execute the following command:

kesl-control --set-settings <task ID or name> --del-path <path>

A [ScanScope.item_#] section that contains the specified path is deleted from a task configuration file. Kaspersky Endpoint Security does not scan objects located in the directory specified by the Path parameter.


Managing exclusion scopes from command line

You can add or delete an exclusion scope with a specified Path for OAS, ODS, OAFIM, ODFIM, and Anti-Cryptor tasks from the command line.

To add a new exclusion scope, execute the following command:

kesl-control --set-settings <task ID or name> --add-exclusion <path>

A new [ExcludedFromScanScope.item_#] section is added to a task configuration file. Kaspersky Endpoint Security excludes objects located in the directory specified by the Path parameter.

If an [ExcludedFromScanScope.item_#] section for the specified Path already exists, a duplicate section is not added to the configuration file. If the UseScanArea setting was set to No, after executing this command, the value becomes Yes, and objects located in this directory are excluded from scan.

To delete an exclusion scope, execute the following command:

kesl-control --set-settings <task ID or name> --del-exclusion <path>

A [ExcludedFromScanScope.item_#] section that contains the specified path is deleted from a task configuration file. Kaspersky Endpoint Security does not exclude objects located in the directory specified by the Path parameter.


Viewing a task state

You can view a task state.

To view a task state, execute the following command:

kesl-control --get-task-state <task ID>|<task name>

Here:

Kaspersky Endpoint Security tasks can be in one of the following states:


Pausing and resuming a task

You can pause and resume the following types of tasks: ODS, BootScan, MemoryScan, Rollback, Retranslate and Update.

To suspend a task, execute the following command:

kesl-control --suspend-task <task ID>|<task name>

The task is paused after the command has been executed.

To resume a task, execute the following command:

kesl-control --resume-task <task ID>|<task name>

The task is resumed after the command has been executed.


Scheduling a task

To configure a task schedule:

  1. Save task schedule settings to a configuration file by executing the following command:

    kesl-control --get-schedule <task ID>|<task name> --file <full path to file>

  2. Open the configuration file for editing.
  3. Specify the schedule settings.
  4. Save the changes in the configuration file.
  5. Import the schedule settings into the task by executing the following command:

    kesl-control --set-schedule <task ID>|<task name> --file <full path to file>


Receiving task schedule settings

The command --get-schedule returns the task schedule settings. Using this command, you can also receive the task schedule settings that were assigned using the command keys.

You can use this command to edit the task schedule:

  1. Save the schedule settings in the configuration file using the command --get-schedule.
  2. Open the created configuration file, edit the necessary settings and save the changes.
  3. Import the settings from the configuration file to Kaspersky Endpoint Security using the command --set-schedule. Kaspersky Endpoint Security will immediately apply the new values for the schedule settings.

Command syntax

kesl-control [-T] --get-schedule <task ID>|<task name> [--file <configuration file name>]

kesl-control [-T] --get-schedule <task ID>|<task name> <parameter name>

Arguments and keys

<task ID>

Identification number of the task in Kaspersky Endpoint Security.

<task name>

Task name.

--file <name of configuration file>

Name of the configuration file in which the schedule settings will be saved. If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the configuration file will not be created.

Example:

Save Kaspersky Endpoint Security settings to a file named update_schedule.ini. Save the created file in the current directory:

kesl-control --get-schedule 6 --file update_schedule.ini

Return the Update task schedule:

kesl-control --get-schedule 6


Editing task schedule settings

The command --set-schedule sets the task schedule settings using the command keys or imports the task schedule settings from the specified configuration file.

You can use this command to edit the settings of Kaspersky Endpoint Security:

  1. Save the schedule settings in the configuration file by executing the command --get-schedule.
  2. Open the created configuration file, edit the necessary settings and save the changes.
  3. Import the settings from the configuration file to Kaspersky Endpoint Security by executing the command -T --set-schedule. Kaspersky Endpoint Security will immediately apply the new values for the schedule settings.

Command syntax

kesl-control --set-schedule <task ID>|<task name> --file <configuration file name>

kesl-control --set-schedule <task ID>|<task name> <parameter name>=<parameter value> <parameter name>=<parameter value>

Arguments and keys

<task ID>

Identification number of the task in Kaspersky Endpoint Security.

<task name>

Task name.

--file <name of configuration file>

Name of the configuration file whose schedule settings will be imported into the task; includes the full path to the file.

Example:

Import the schedule settings from the configuration file named /home/test/on_demand_schedule.ini into the task with ID=2:

kesl-control --set-schedule 2 --file /home/test/on_demand_schedule.ini


Deleting a task

You can delete tasks that you have created (custom tasks).

To delete a task, execute the following command:

kesl-control --delete-task <task ID>|<task name>


Real-time protection task (File_Monitoring ID:1)

This section contains information about the real-time protection task.

In this section

About real-time protection

About infected files

Special considerations for scanning symbolic links and hard links

Real-time protection task settings

Specifying global exclusion scope


About real-time protection

Real-time protection prevents infection of the file system of the computer. A real-time protection task is created with the default settings when Kaspersky Endpoint Security is installed to the computer. By default, the real-time protection task starts automatically when Kaspersky Endpoint Security starts. The task resides in the computer's RAM and scans all opened, saved, and active files. You can stop and start the task.

You cannot create custom real-time protection tasks. You can modify the settings of the predefined real-time protection task.

Real-time protection settings are contained in the configuration file used by the real-time protection task.


About infected files

Kaspersky Endpoint Security uses anti-virus databases when scanning files. These databases contain files with fragments of malicious code and the algorithms used for disinfecting objects that contain such threats. Anti-virus databases enable detection of known threats in the files being scanned.

If a file contains code that fully matches the code of a known threat, Kaspersky Endpoint Security assigns the status of Infected to the file.


Special considerations for scanning symbolic links and hard links

Kaspersky Endpoint Security lets you scan symbolic links and hard links to files.

Scanning symbolic links

Kaspersky Endpoint Security scans symbolic links only if the file referenced by the symbolic link is within the protection scope of the real-time protection task or within the scan scope of the on-demand scan task.

If the file referenced by the symbolic link is not within the protection scope or scan scope of the task, the application does not scan this file. However, if the file contains malicious code, the security of the computer is at risk.
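To find symbolic links whose targets a task would skip, you can compare resolved link targets with the configured scope paths. The following Python script is an added example, not part of the Kaspersky documentation; it handles only local directory values of the Path setting, ignores AreaMask, and its function names are hypothetical.

```python
"""List symbolic links inside a scan scope whose targets lie outside every
configured scope path, i.e. targets that the task would not scan."""
import os


def inside(path, scope):
    """True if the resolved path equals the scope directory or lies below it."""
    scope = os.path.realpath(scope)
    return os.path.commonpath([path, scope]) == scope


def unscanned_link_targets(scopes):
    """Walk each scope (local directories, as given in the Path setting) and
    return sorted (link, target) pairs whose target is outside all scopes."""
    found = set()
    for scope in scopes:
        # followlinks=False: linked directories are reported, not descended into.
        for root, dirs, files in os.walk(scope, followlinks=False):
            for name in dirs + files:
                link = os.path.join(root, name)
                if not os.path.islink(link):
                    continue
                target = os.path.realpath(link)
                if not any(inside(target, s) for s in scopes):
                    found.add((link, target))
    return sorted(found)


if __name__ == "__main__":
    import tempfile

    # Constructed layout: one scope directory holding a link that points outside it.
    with tempfile.TemporaryDirectory() as tmp:
        scope, other = os.path.join(tmp, "home"), os.path.join(tmp, "opt")
        os.makedirs(scope)
        os.makedirs(other)
        open(os.path.join(other, "tool.bin"), "w").close()
        os.symlink(os.path.join(other, "tool.bin"), os.path.join(scope, "tool"))
        for link, target in unscanned_link_targets([scope]):
            print(f"{link} -> {target} (target outside scan scope)")
```

Adding the reported target directories as scan scopes, or scheduling an on-demand scan that covers them, closes the gap described above.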

Scanning hard links

When Kaspersky Endpoint Security processes a file that has more than one hard link, the application selects an action based on the assigned action to take on objects:

When you restore a file with a hard link from Storage, Kaspersky Endpoint Security creates a copy of the source file with the name of the hard link that was moved to Storage. Connections with the remaining hard links to the source file will not be restored.


Real-time protection task settings

This section provides information about the settings you can specify for the real-time protection task.

All available values and default values for each setting are described.

ScanArchived

Enables / disables scanning of archives (including SFX self-extracting archives). Kaspersky Endpoint Security detects threats in archives but does not disinfect them. The following archive types are supported: .zip; .7z*; .7-z; .rar; .iso; .cab; .jar; .bz; .bz2; .tbz; .tbz2; .gz; .tgz; .arj.

Available values:

Yes—Scan archives.

No—Do not scan archives.

Default value: No.

ScanSfxArchived

Enables / disables scanning of self-extracting archives only (archives that contain an executable extraction module).

Available values:

Yes—Scan self-extracting archives.

No—Do not scan self-extracting archives.

Default value: No.

ScanMailBases

Enables / disables scanning of email databases of Microsoft Outlook®, Outlook Express, The Bat! and other mail clients.

Available values:

Yes—Scan files of email databases.

No—Do not scan files of email databases.

Default value: No.

ScanPlainMail

Enables / disables scanning of plain text email messages.

Available values:

Yes—Scan plain text email messages.

No—Do not scan plain text email messages.

Default value: No.

SizeLimit

Specifies the maximum size of an object to be scanned (in megabytes). If an object to be scanned is larger than the specified value, Kaspersky Endpoint Security skips the object.

This setting is used together with the UseSizeLimit setting.

Available values:

0 – 999,999.

0—Kaspersky Endpoint Security scans objects of any size.

Default value: 0.

TimeLimit

Specifies maximum duration for the object scan (in seconds). Kaspersky Endpoint Security stops scanning an object if it takes longer than the number of seconds specified by this parameter.

This setting is used together with the UseTimeLimit setting.

Available values:

0 – 9999.

0—The object scan duration is unlimited.

Default value: 60.

FirstAction

Selection of the first action to be performed by Kaspersky Endpoint Security on infected objects.

In real-time protection tasks, before performing the action specified by you on an object, Kaspersky Endpoint Security blocks access to the object by applications that attempt to access it.

Available values:

Cure (disinfect)—Kaspersky Endpoint Security attempts to disinfect an object by saving a copy of it in Storage. If disinfection fails (for example, if the type of object or the type of threat in the object cannot be disinfected) Kaspersky Endpoint Security leaves the object unchanged. If the first action is set to Cure, it is recommended to specify the second action using the SecondAction setting.

Remove—Kaspersky Endpoint Security removes the infected object after first creating a backup copy of it.

Recommended (perform recommended action)—Kaspersky Endpoint Security automatically selects and performs an action on the object based on information about the threat detected in the object. For example, Kaspersky Endpoint Security immediately removes Trojans since they do not incorporate themselves into other files and therefore they do not need to be disinfected.

Block—Kaspersky Endpoint Security blocks access to the infected object. Information about the infected object is logged.

Default value: Recommended.

SecondAction

Selection of the second action to be performed by Kaspersky Endpoint Security on infected objects. Kaspersky Endpoint Security performs the second action if the first action fails.

The values of the SecondAction setting are the same as the values of the FirstAction setting.

If Block or Remove is selected as the first action, a second action does not need to be specified. It is recommended to specify two actions in other cases. If you have not specified a second action, Kaspersky Endpoint Security applies Block as the second action.

Default value: Block.

UseExcludeMasks

Enables / disables the scan exclusion of objects specified using the ExcludeMasks setting.

Available values:

Yes—Exclude objects specified by the ExcludeMasks setting.

No—Do not exclude objects specified by the ExcludeMasks setting.

Default value: No.

ExcludeMasks

Excludes objects from scanning by name or mask. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in command shell format.

The default value is not defined.

Example:

UseExcludeMasks=Yes

ExcludeMasks.item_0000=eicar1.*

ExcludeMasks.item_0001=eicar2.*

UseExcludeThreats

Enables or disables the scan exclusion of objects with threats specified using the ExcludeThreats setting.

Available values:

Yes—Exclude from scanning the objects containing threats specified using the ExcludeThreats setting.

No—Do not exclude from scanning the objects containing threats specified using the ExcludeThreats setting.

Default value: No.

ExcludeThreats

Excludes objects from scanning by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is enabled.

In order to exclude a single object from scanning, specify the full name of the threat detected in this object – the Kaspersky Endpoint Security string with the verdict that the object is infected.

E.g., you may be using a utility to collect information about your network. To keep Kaspersky Endpoint Security from blocking it, add the full name of the threat contained in it to the list of threats excluded from scanning.

You can find the full name of the threat detected in the object in the Kaspersky Endpoint Security log. You can also find the full name of the threat on the website of the Virus Encyclopedia. To find the name of a threat, enter the application name in the Search field.

The setting value is case-sensitive.

The default value is not defined.

Example:

UseExcludeThreats=Yes

ExcludeThreats.item_0000=EICAR-Test-*

ExcludeThreats.item_0001=?rojan.Linux

ReportCleanObjects

Enables / disables logging of information about scanned objects that Kaspersky Endpoint Security has deemed non-infected.

You can enable this setting, for example, to make sure that a particular object has been scanned by Kaspersky Endpoint Security.

Available values:

Yes—Log information about non-infected objects.

No—Do not log information about non-infected objects.

Default value: No.

ReportPackedObjects

Enables / disables logging of information about scanned objects that are part of compound objects.

You can enable this setting, for example, to make sure that an object within an archive has been scanned by Kaspersky Endpoint Security.

Available values:

Yes—Log information about scanning objects within archives.

No—Do not log information about scanning objects within archives.

Default value: No.

ReportUnprocessedObjects

Enables / disables the logging of information about unscanned objects.

Available values:

Yes—Log information about unscanned objects.

No—Do not log information about unscanned objects.

Default value: No.

UseAnalyzer

Enables / disables Heuristic Analyzer.

Heuristic analysis enables the application to detect new threats even before they become known to virus analysts.

Available values:

Yes—Enable Heuristic Analyzer.

No—Disable Heuristic Analyzer.

Default value: Yes.

HeuristicLevel

Heuristic analysis level.

You can specify the heuristic analysis level. The heuristic analysis level sets the balance between the thoroughness of searches for threats, the load on the operating system's resources, and the scan duration. The higher the heuristic analysis level, the more resources and time are required for scanning.

Available values:

Light—The least thorough scan with minimal load on the system.

Medium—Medium heuristic analysis level with a balanced load on the operating system.

Deep—The most thorough scan with maximal load on the operating system.

Recommended—Recommended value.

Default value: Recommended.

UseIChecker

Enables / disables the use of iChecker technology.

Available values:

Yes—Enable use of iChecker technology.

No—Disable use of iChecker technology.

Default value: Yes.

ScanByAccessType

You can use this setting to specify the real-time protection mode. The ScanByAccessType setting is applied only in real-time protection tasks.

Available values:

SmartCheck—Scan a file when there is an attempt to open it, and scan it again when there is an attempt to close it if the file has been modified. If a process accesses an object multiple times in the course of its operation and modifies it, the application scans the object again only when the process closes it for the last time.

OpenAndModify—Scan a file when there is an attempt to open it, and scan it again when there is an attempt to close it if the file has been modified.

Open—Scan the file when an attempt is made to open it for reading or for execution or modification.

Default value: SmartCheck.

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan scope, which contains additional information about the scan scope. The maximum length of the string specified using this setting is 4096 characters.

Default value: All objects.

Example:

AreaDesc="Scan mail databases"

UseScanArea

This setting enables / disables scanning of the specified scope. To run the task, you must include at least one area to scan.

Available values:

Yes—Scan the specified scope.

No—Do not scan the specified scope.

Default value: Yes.

AreaMask

You can use this setting to restrict the scan scope.

In the scan scope, Kaspersky Endpoint Security scans only the files that are indicated using command shell masks.

If this setting is not specified, Kaspersky Endpoint Security scans all objects in the scan scope. You can specify several values for this setting.

Default value: * (scan all objects).

Example:

AreaMask=*doc

Path

You can use this setting to specify the path to objects to scan.

The value of the Path setting consists of two elements: <file system type>:<access protocol>. It may also contain the path to the directory in the local file system.

Available values:

<path to local directory>—Scan objects in the specified directory.

Shared:NFS—Scan the computer's file system resources that are accessible via the NFS protocol.

Shared:SMB—Scan the computer's file system resources that are accessible via the SMB protocol.

AllRemoteMounted—Scan all remote directories mounted on the computer using the SMB and NFS protocols.

AllShared—Scan all of the computer's file system resources shared via the SMB and NFS protocols.

The [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan exclusion scope. Contains additional information about the exclusion scope.

The default value is not defined.

Example:

AreaDesc="Exclude separate SAMBA"

UseScanArea

This setting enables / disables exclusion of the specified scope.

Available values:

Yes—Excludes the specified scope.

No—Does not exclude the specified scope.

Default value: Yes.

Path

You can use this setting to specify the path to objects excluded from scanning.

The value of the Path setting consists of two elements: <file system type>:<access protocol>. It may also contain the path to the directory in the local file system.

Available values:

<path to local directory>—Exclude objects in the specified directory from scanning.

Shared:NFS—Exclude the computer's file system resources that are accessible via the NFS protocol.

Shared:SMB—Exclude the computer's file system resources that are accessible via the Samba protocol.

AllRemoteMounted—Exclude all remote directories mounted on the computer using the SMB and NFS protocols.

AllShared—Exclude all of the computer file system resources shared via the SMB and NFS protocols.


Specifying global exclusion scope

You can specify a global exclusion scope for the real-time protection task. Files in the global exclusion scope are excluded from the real-time protection scopes.

To create a global exclusion scope:

  1. Save the real-time protection task settings to a file using the following command:

    kesl-control --get-settings <task name or task ID> --file <full path to the configuration file>

  2. Add [ExcludedFromScanScope.item_#] sections to the created file. Each [ExcludedFromScanScope.item_#] section includes the following settings:
    • AreaMask – specifies file name masks for files to be excluded from the protection scope.
    • AreaDesc – specifies the unique name of the exclusion scope.
    • Path – specifies the path to the files to be excluded from the protection scope.
  3. Import settings from the configuration file to the real-time protection task using the following command:

    kesl-control --set-settings <task name or task ID> --file <full path to the configuration file>
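Before importing an edited file, it helps to review what the configuration will leave unscanned. The following Python script is an added example, not part of the Kaspersky documentation: it parses a file in the key=value and [Section.item_#] layout shown in this guide and reports active exclusions. The sample configuration, the severity labels and the assumption that general settings precede the scope sections are constructed for illustration.

```python
"""Audit an exported task configuration for settings that reduce scan coverage.
Added example: the severity policy below is this example's assumption."""
import re

# Constructed sample in the layout of the guide's examples: key=value lines,
# [Section.item_NNNN] headers, list values written as Name.item_NNNN=value.
# Assumption: general task settings precede the scope sections.
SAMPLE = """\
UseAnalyzer=Yes
FirstAction=Recommended
UseExcludeMasks=Yes
ExcludeMasks.item_0000=*.log
UseExcludeThreats=Yes
ExcludeThreats.item_0000=EICAR-Test-*
ExcludeThreats.item_0001=?rojan.Linux
[ScanScope.item_0000]
AreaDesc="All objects"
UseScanArea=Yes
Path=/
AreaMask.item_0000=*
[ExcludedFromScanScope.item_0000]
UseScanArea=Yes
Path=/var/cache/build
[ExcludedFromScanScope.item_0001]
UseScanArea=No
Path=/home
[ExcludedFromScanScope.item_0002]
UseScanArea=Yes
Path=AllShared
"""

ITEM = re.compile(r"^(?P<name>.+)\.item_\d+$")
BROAD_PATHS = {"/", "AllShared", "AllRemoteMounted", "Shared:NFS", "Shared:SMB"}


def parse(text):
    """Return {section: {key: value or list}}; keys before any header go in ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # blank or unrecognised line
        key, value = key.strip(), value.strip().strip('"')
        match = ITEM.match(key)
        if match:  # Name.item_0000=... accumulates into a list under Name
            sections[current].setdefault(match["name"], []).append(value)
        else:
            sections[current][key] = value
    return sections


def audit(text):
    """Return a list of (severity, message) findings for one configuration."""
    sections = parse(text)
    scope_prefixes = ("ScanScope.", "ExcludedFromScanScope.")
    general = {}
    for name, body in sections.items():
        if not name.startswith(scope_prefixes):
            general.update(body)

    def enabled(key, default="No"):
        return general.get(key, default).lower() == "yes"

    findings = []
    if enabled("UseExcludeThreats"):
        for mask in general.get("ExcludeThreats", []):
            severity = "high" if any(c in mask for c in "*?") else "medium"
            findings.append((severity, f"threat name excluded from scanning: {mask}"))
    if enabled("UseExcludeMasks"):
        for mask in general.get("ExcludeMasks", []):
            findings.append(("medium", f"file mask excluded from scanning: {mask}"))
    if not enabled("UseAnalyzer", default="Yes"):
        findings.append(("medium", "Heuristic Analyzer is disabled"))
    if general.get("FirstAction") == "Skip":
        findings.append(("high", "FirstAction=Skip: infected objects are only logged"))
    if enabled("UseSizeLimit") and int(general.get("SizeLimit", "0")) > 0:
        findings.append(("low", f"objects over {general['SizeLimit']} MB are skipped"))

    scopes_on = 0
    for name, body in sections.items():
        active = body.get("UseScanArea", "Yes").lower() == "yes"  # default is Yes
        if name.startswith("ScanScope."):
            scopes_on += active
        elif name.startswith("ExcludedFromScanScope.") and active:
            path = body.get("Path", "")
            severity = "high" if path in BROAD_PATHS else "medium"
            findings.append((severity, f"exclusion scope active: {path}"))
    if scopes_on == 0:
        findings.append(("high", "no enabled [ScanScope.item_#] section"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"{severity:6} {message}")
```

To audit a real task, pass the contents of the file written by kesl-control --get-settings to audit() instead of SAMPLE.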


On-demand scan task (Scan_My_Computer ID:2)

This section contains information about the on-demand scan task.

In this section

About on-demand scan

On-demand scan task settings


About on-demand scan

An on-demand scan is a one-time full or custom scan of files on a computer performed by Kaspersky Endpoint Security. Kaspersky Endpoint Security can perform multiple on-demand scan tasks at the same time.

By default, Kaspersky Endpoint Security creates one predefined on-demand scan task – full scan. The application scans all objects located on local drives of the computer, as well as all mounted and shared objects that are accessed via the Samba and NFS protocols with the recommended security settings.

Users can create custom on-demand scan tasks.

By default, Kaspersky Endpoint Security also creates a predefined custom scan task.

If the application was restarted by the watchdog or manually by a user during an on-demand scan run, the task is interrupted. The application logs the OnDemandTaskInterrupted event.


On-demand scan task settings

This section provides information about the settings you can specify for the on-demand scan task.

All available values and default values for each setting are described.

ScanArchived

Enables / disables scanning of archives (including SFX self-extracting archives). Kaspersky Endpoint Security detects threats in archives but does not disinfect them. The following archive types are supported: .zip; .7z*; .7-z; .rar; .iso; .cab; .jar; .bz; .bz2; .tbz; .tbz2; .gz; .tgz; .arj.

Available values:

Yes—Scan archives.

No—Do not scan archives.

Default value: Yes.

ScanSfxArchived

Enables / disables scanning of self-extracting archives only (archives that contain an executable extraction module).

Available values:

Yes—Scan self-extracting archives.

No—Do not scan self-extracting archives.

Default value: Yes.

ScanMailBases

Enables / disables scanning of email databases of Microsoft Outlook®, Outlook Express, The Bat! and other mail clients.

Available values:

Yes—Scan files of email databases.

No—Do not scan files of email databases.

Default value: No.

ScanPlainMail

Enables / disables scanning of plain text email messages.

Available values:

Yes—Scan plain text email messages.

No—Do not scan plain text email messages.

Default value: No.

UseSizeLimit

Enables / disables use of the SizeLimit setting (maximum size of an object to be scanned).

Available values:

Yes—Apply the SizeLimit parameter.

No—Do not apply the SizeLimit parameter.

Default value: No.

SizeLimit

Specifies the maximum size of an object to be scanned (in megabytes). If an object to be scanned is larger than the specified value, Kaspersky Endpoint Security skips the object.

This setting is used together with the UseSizeLimit setting.

Available values:

0 – 999,999.

0—Kaspersky Endpoint Security scans objects of any size.

Default value: 0.

UseTimeLimit

Enables / disables use of the TimeLimit setting (maximum duration of an object scan).

Available values:

Yes—Apply the TimeLimit parameter.

No—Do not apply the TimeLimit parameter.

Default value: No.

TimeLimit

Specifies maximum duration for the object scan (in seconds). Kaspersky Endpoint Security stops scanning an object if it takes longer than the number of seconds specified by this parameter.

This setting is used together with the UseTimeLimit setting.

Available values:

0 – 9999.

0—The object scan duration is unlimited.

Default value: 0.

FirstAction

Selection of the first action to be performed by Kaspersky Endpoint Security on infected objects.

Available values:

Cure (disinfect)—Kaspersky Endpoint Security attempts to disinfect an object by saving a copy of it in Storage. If disinfection fails (for example, if the type of object or the type of threat in the object cannot be disinfected) Kaspersky Endpoint Security leaves the object unchanged. If the first action is set to Cure, it is recommended to specify the second action using the SecondAction setting.

Remove—Kaspersky Endpoint Security removes the infected object after first creating a backup copy of it.

Recommended (perform recommended action)—Kaspersky Endpoint Security automatically selects and performs an action on the object based on information about the threat detected in the object. For example, Kaspersky Endpoint Security immediately removes Trojans since they do not incorporate themselves into other files and therefore they do not need to be disinfected.

Skip—Kaspersky Endpoint Security does not attempt to disinfect or delete an infected object. Information about the infected object is logged.

Default value: Recommended.

SecondAction

Selection of the second action to be performed by Kaspersky Endpoint Security on infected objects. Kaspersky Endpoint Security performs the second action if the first action fails.

The values of the SecondAction setting are the same as the values of the FirstAction setting.

If Skip or Remove is selected as the first action, a second action does not need to be specified. It is recommended to specify two actions in other cases. If you have not specified a second action, Kaspersky Endpoint Security applies Skip as the second action.

Default value: Skip.

UseExcludeMasks

Enables / disables the scan exclusion of objects specified using the ExcludeMasks setting.

Available values:

Yes—Exclude objects specified by the ExcludeMasks setting.

No—Do not exclude objects specified by the ExcludeMasks setting.

Default value: No.

ExcludeMasks

Excludes objects from scanning by name or mask. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in command shell format.

The default value is not defined.

Example:

UseExcludeMasks=Yes

ExcludeMasks.item_0000=eicar1.*

ExcludeMasks.item_0001=eicar2.*

UseExcludeThreats

Enables or disables the scan exclusion of objects with threats specified using the ExcludeThreats setting.

Available values:

Yes—Exclude from scanning the objects containing threats specified using the ExcludeThreats setting.

No—Do not exclude from scanning the objects containing threats specified using the ExcludeThreats setting.

Default value: No.

ExcludeThreats

Excludes objects from scanning by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is enabled.

In order to exclude a single object from scanning, specify the full name of the threat detected in this object – the Kaspersky Endpoint Security string with the verdict that the object is infected.

E.g., you may be using a utility to collect information about your network. To keep Kaspersky Endpoint Security from blocking it, add the full name of the threat contained in it to the list of threats excluded from scanning.

You can find the full name of the threat detected in the object in the Kaspersky Endpoint Security log. You can also find the full name of the threat on the Virus Encyclopedia website. To find the name of a threat, enter the application name in the Search field.

The setting value is case-sensitive.

The default value is not defined.

Example:

UseExcludeThreats=Yes

ExcludeThreats.item_0000=EICAR-Test-*

ExcludeThreats.item_0001=?rojan.Linux

ReportCleanObjects

Enables / disables logging of information about scanned objects that Kaspersky Endpoint Security has deemed non-infected.

You can enable this setting, for example, to make sure that a particular object has been scanned by Kaspersky Endpoint Security.

Available values:

Yes—Log information about non-infected objects.

No—Do not log information about non-infected objects.

Default value: No.

ReportPackedObjects

Enables / disables logging of information about scanned objects that are part of compound objects.

You can enable this setting, for example, to make sure that an object within an archive has been scanned by Kaspersky Endpoint Security.

Available values:

Yes—Log information about scanning objects within archives.

No—Do not log information about scanning objects within archives.

Default value: No.

ReportUnprocessedObjects

Enables / disables the logging of information about unscanned objects.

Available values:

Yes—Log information about unscanned objects.

No—Do not log information about unscanned objects.

Default value: No.

UseAnalyzer

Enables / disables Heuristic Analyzer.

Heuristic analysis enables the application to detect new threats even before they become known to virus analysts.

Available values:

Yes—Enable Heuristic Analyzer.

No—Disable Heuristic Analyzer.

Default value: Yes.

HeuristicLevel

Heuristic analysis level.

You can specify the heuristic analysis level. The heuristic analysis level sets the balance between the thoroughness of searches for threats, the load on the operating system's resources, and the scan duration. The higher the heuristic analysis level, the more resources and time are required for scanning.

Available values:

Light—The least thorough scan with minimal load on the system.

Medium—Medium heuristic analysis level with a balanced load on the operating system.

Deep—The most thorough scan with maximal load on the operating system.

Recommended—Recommended value.

Default value: Recommended.

UseIChecker

Enables / disables the use of iChecker technology.

Available values:

Yes—Enable use of iChecker technology.

No—Disable use of iChecker technology.

Default value: Yes.

ScanByAccessType

You can use this setting to specify the real-time protection mode. The ScanByAccessType setting is applied only in real-time protection tasks.

Available values:

SmartCheck—Scan a file when there is an attempt to open it, and scan it again when there is an attempt to close it if the file has been modified. If a process accesses an object multiple times in the course of its operation and modifies it, the application scans the object again only when the process closes it for the last time.

OpenAndModify—Scan a file when there is an attempt to open it, and scan it again when there is an attempt to close it if the file has been modified.

Open—Scan the file when an attempt is made to open it for reading or for execution or modification.

Default value: SmartCheck.

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan scope, which contains additional information about the scan scope. The maximum length of the string specified using this setting is 4096 characters.

The default value: All objects.

Example:

AreaDesc="Scan mail databases"

UseScanArea

This setting enables / disables scanning of the specified scope. To run the task, you must include at least one area to scan.

Available values:

Yes—Scan the specified scope.

No—Do not scan the specified scope.

The default value: Yes.

AreaMask

You can use this setting to restrict the scan scope.

In the scan scope, Kaspersky Endpoint Security scans only the files that are indicated using command shell masks.

If this setting is not specified, Kaspersky Endpoint Security scans all objects in the scan scope. You can specify several values for this setting.

The default value: * (scan all objects).

Example:

AreaMask=*doc

Path

You can use this setting to specify the path to objects to scan.

The value of the Path setting consists of two elements: <file system type>:<access protocol>. It may also contain the path to the directory in the local file system.

Available values:

<path to local directory>—Scan objects in the specified directory.

Shared:NFS—Scan the computer's file system resources that are accessible via the NFS protocol.

Shared:SMB—Scan the computer's file system resources that are accessible via the SMB protocol.

AllRemoteMounted—Scan all remote directories mounted on the computer using the SMB and NFS protocols.

AllShared—Scan all of the computer's file system resources shared via the SMB and NFS protocols.

The [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan exclusion scope. Contains additional information about the exclusion scope.

The default value is not defined.

Example:

AreaDesc="Exclude separate SAMBA"

UseScanArea

This setting enables / disables the exclusion of the specified scope from scanning.

Available values:

Yes—Excludes the specified scope.

No—Does not exclude the specified scope.

Default value: Yes.

Path

You can use this setting to specify the path to objects excluded from scanning.

The value of the Path setting consists of two elements: <file system type>:<access protocol>. It may also contain the path to the directory in the local file system.

Available values:

<path to local directory>—Exclude objects in the specified directory from scanning.

Shared:NFS—Exclude the computer's file system resources that are accessible via the NFS protocol.

Shared:SMB—Exclude the computer's file system resources that are accessible via the Samba protocol.

AllRemoteMounted—Exclude all remote directories mounted on the computer using the SMB and NFS protocols.

AllShared—Exclude all of the computer's file system resources shared via the SMB and NFS protocols.

Custom scan task (Scan_File ID:3)

This section contains information about the custom scan task.

About custom scan task

A custom scan task uses the settings that are applied by the --scan-file command.

You can scan a file or a directory using the following command:

--scan-file <file path>

The application creates a temporary on-demand scan (ODS) task with settings from the Scan_File task. After scan completion, the temporary task is deleted automatically.

You can change scan parameters for the temporary Scan_File task from the command line.

Custom scan task settings

This section provides information about the settings you can specify for the custom scan task.

All available values and default values for each setting are described.

ScanArchived

Enables / disables scanning of archives (including SFX self-extracting archives). Kaspersky Endpoint Security detects threats in archives but does not disinfect them. The following archive types are supported: .zip; .7z*; .7-z; .rar; .iso; .cab; .jar; .bz; .bz2; .tbz; .tbz2; .gz; .tgz; .arj.

Available values:

Yes—Scan archives.

No—Do not scan archives.

Default value: Yes.

ScanSfxArchived

Enables / disables scanning of self-extracting archives only (archives that contain an executable extraction module).

Available values:

Yes—Scan self-extracting archives.

No—Do not scan self-extracting archives.

Default value: Yes.

ScanMailBases

Enables / disables scanning of email databases of Microsoft Outlook®, Outlook Express, The Bat! and other mail clients.

Available values:

Yes—Scan files of email databases.

No—Do not scan files of email databases.

Default value: No.

ScanPlainMail

Enables / disables scanning of plain text email messages.

Available values:

Yes—Scan plain text email messages.

No—Do not scan plain text email messages.

Default value: No.

UseSizeLimit

Enables / disables use of the SizeLimit setting (maximum size of an object to be scanned).

Available values:

Yes—Apply the SizeLimit parameter.

No—Do not apply the SizeLimit parameter.

Default value: No.

SizeLimit

Specifies the maximum size of an object to be scanned (in megabytes). If an object to be scanned is larger than the specified value, Kaspersky Endpoint Security skips the object.

This setting is used together with the UseSizeLimit setting.

Available values:

0 – 999,999.

0—Kaspersky Endpoint Security scans objects of any size.

Default value: 0.

UseTimeLimit

Enables / disables use of the TimeLimit setting (maximum duration of an object scan).

Available values:

Yes—Apply the TimeLimit parameter.

No—Do not apply the TimeLimit parameter.

Default value: No.

TimeLimit

Specifies maximum duration for the object scan (in seconds). Kaspersky Endpoint Security stops scanning an object if it takes longer than the number of seconds specified by this parameter.

This setting is used together with the UseTimeLimit setting.

Available values:

0 – 9999.

0—The object scan duration is unlimited.

Default value: 0.

FirstAction

Selection of the first action to be performed by Kaspersky Endpoint Security on infected objects.

Available values:

Cure (disinfect)—Kaspersky Endpoint Security attempts to disinfect an object by saving a copy of it in Storage. If disinfection fails (for example, if the type of object or the type of threat in the object cannot be disinfected) Kaspersky Endpoint Security leaves the object unchanged. If the first action is set to Cure, it is recommended to specify the second action using the SecondAction setting.

Remove—Kaspersky Endpoint Security removes the infected object after first creating a backup copy of it.

Recommended (perform recommended action)—Kaspersky Endpoint Security automatically selects and performs an action on the object based on information about the threat detected in the object. For example, Kaspersky Endpoint Security immediately removes Trojans since they do not incorporate themselves into other files and therefore they do not need to be disinfected.

Skip—Kaspersky Endpoint Security does not attempt to disinfect or delete an infected object. Information about the infected object is logged.

Default value: Recommended.

SecondAction

Selection of the second action to be performed by Kaspersky Endpoint Security on infected objects. Kaspersky Endpoint Security performs the second action if the first action fails.

The values of the SecondAction setting are the same as the values of the FirstAction setting.

If Skip or Remove is selected as the first action, a second action does not need to be specified. It is recommended to specify two actions in other cases. If you have not specified a second action, Kaspersky Endpoint Security applies Skip as the second action.

Default value: Skip.

UseExcludeMasks

Enables / disables the scan exclusion of objects specified using the ExcludeMasks setting.

Available values:

Yes—Exclude objects specified by the ExcludeMasks setting.

No—Do not exclude objects specified by the ExcludeMasks setting.

Default value: No.

ExcludeMasks

Excludes objects from scanning by name or mask. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in command shell format.

The default value is not defined.

Example:

UseExcludeMasks=Yes

ExcludeMasks.item_0000=eicar1.*

ExcludeMasks.item_0001=eicar2.*

UseExcludeThreats

Enables or disables the scan exclusion of objects with threats specified using the ExcludeThreats setting.

Available values:

Yes—Exclude from scanning the objects containing threats specified using the ExcludeThreats setting.

No—Do not exclude from scanning the objects containing threats specified using the ExcludeThreats setting.

Default value: No.

ExcludeThreats

Excludes objects from scanning by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is enabled.

In order to exclude a single object from scanning, specify the full name of the threat detected in this object – the Kaspersky Endpoint Security string with the verdict that the object is infected.

E.g., you may be using a utility to collect information about your network. To keep Kaspersky Endpoint Security from blocking it, add the full name of the threat contained in it to the list of threats excluded from scanning.

You can find the full name of the threat detected in the object in the Kaspersky Endpoint Security log. You can also find the full name of the threat on the Virus Encyclopedia website. To find the name of a threat, enter the application name in the Search field.

The setting value is case-sensitive.

The default value is not defined.

Example:

UseExcludeThreats=Yes

ExcludeThreats.item_0000=EICAR-Test-*

ExcludeThreats.item_0001=?rojan.Linux

ReportCleanObjects

Enables / disables logging of information about scanned objects that Kaspersky Endpoint Security has deemed non-infected.

You can enable this setting, for example, to make sure that a particular object has been scanned by Kaspersky Endpoint Security.

Available values:

Yes—Log information about non-infected objects.

No—Do not log information about non-infected objects.

Default value: No.

ReportPackedObjects

Enables / disables logging of information about scanned objects that are part of compound objects.

You can enable this setting, for example, to make sure that an object within an archive has been scanned by Kaspersky Endpoint Security.

Available values:

Yes—Log information about scanning objects within archives.

No—Do not log information about scanning objects within archives.

Default value: No.

ReportUnprocessedObjects

Enables / disables the logging of information about unscanned objects.

Available values:

Yes—Log information about unscanned objects.

No—Do not log information about unscanned objects.

Default value: No.

UseAnalyzer

Enables / disables Heuristic Analyzer. Heuristic analysis enables the application to detect new threats even before they become known to virus analysts.

Available values:

Yes—Enable Heuristic Analyzer.

No—Disable Heuristic Analyzer.

Default value: Yes.

HeuristicLevel

Heuristic analysis level.

You can specify the heuristic analysis level. The heuristic analysis level sets the balance between the thoroughness of searches for threats, the load on the operating system's resources, and the scan duration. The higher the heuristic analysis level, the more resources and time are required for scanning.

Available values:

Light—The least thorough scan with minimal load on the system.

Medium—Medium heuristic analysis level with a balanced load on the operating system.

Deep—The most thorough scan with maximal load on the operating system.

Recommended—Recommended value.

Default value: Recommended.

UseIChecker

Enables / disables the use of iChecker technology.

Available values:

Yes—Enable use of iChecker technology.

No—Disable use of iChecker technology.

Default value: Yes.

ScanByAccessType

You can use this setting to specify the real-time protection mode. The ScanByAccessType setting is applied only in real-time protection tasks.

Available values:

SmartCheck—Scan a file when there is an attempt to open it, and scan it again when there is an attempt to close it if the file has been modified. If a process accesses an object multiple times in the course of its operation and modifies it, the application scans the object again only when the process closes it for the last time.

OpenAndModify—Scan a file when there is an attempt to open it, and scan it again when there is an attempt to close it if the file has been modified.

Open—Scan the file when an attempt is made to open it for reading or for execution or modification.

Default value: SmartCheck.

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan scope, which contains additional information about the scan scope. The maximum length of the string specified using this setting is 4096 characters.

Default value: All objects.

Example:

AreaDesc="Scan mail databases"

UseScanArea

This setting enables / disables scanning of the specified scope. To run the task, you must include at least one area to scan.

Available values:

Yes—Scan the specified scope.

No—Do not scan the specified scope.

Default value: Yes.

AreaMask

You can use this setting to restrict the scan scope.

In the scan scope, Kaspersky Endpoint Security scans only the files that are indicated using command shell masks.

If this setting is not specified, Kaspersky Endpoint Security scans all objects in the scan scope. You can specify several values for this setting.

Default value: * (scan all objects).

Example:

AreaMask=*doc

Path

You can use this setting to specify the path to objects to scan.

The value of the Path setting consists of two elements: <file system type>:<access protocol>. It may also contain the path to the directory in the local file system.

Available values:

<path to local directory>—Scan objects in the specified directory.

Shared:NFS—Scan the computer's file system resources that are accessible via the NFS protocol.

Shared:SMB—Scan the computer's file system resources that are accessible via the SMB protocol.

AllRemoteMounted—Scan all remote directories mounted on the computer using the SMB and NFS protocols.

AllShared—Scan all of the computer's file system resources shared via the SMB and NFS protocols.

The [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan exclusion scope. Contains additional information about the exclusion scope.

The default value is not defined.

Example:

AreaDesc="Exclude separate SAMBA"

UseScanArea

This setting enables / disables the exclusion of the specified scope from scanning.

Available values:

Yes—Excludes the specified scope.

No—Does not exclude the specified scope.

Default value: Yes.

Path

You can use this setting to specify the path to objects excluded from scanning.

The value of the Path setting consists of two elements: <file system type>:<access protocol>. It may also contain the path to the directory in the local file system.

Available values:

<path to local directory>—Exclude objects in the specified directory from scanning.

Shared:NFS—Exclude the computer's file system resources that are accessible via the NFS protocol.

Shared:SMB—Exclude the computer's file system resources that are accessible via the Samba protocol.

AllRemoteMounted—Exclude all remote directories mounted on the computer using the SMB and NFS protocols.

AllShared—Exclude all of the computer's file system resources shared via the SMB and NFS protocols.
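
Added example (not part of the Kaspersky documentation): a Python audit of a scan task configuration that reports the settings described above that narrow scan coverage, using the documented names, values and defaults. It assumes the key=value and [Section.item_NNNN] layout suggested by the guide's examples, with task-level settings placed before the first bracketed section; the sample configuration is constructed.

```python
import re

# Defaults for the checked settings, as documented in the guide.
DEFAULTS = {
    "ScanArchived": "Yes", "UseSizeLimit": "No", "SizeLimit": "0",
    "UseTimeLimit": "No", "TimeLimit": "0", "FirstAction": "Recommended",
    "SecondAction": "Skip", "UseExcludeMasks": "No", "UseExcludeThreats": "No",
    "ReportUnprocessedObjects": "No", "UseAnalyzer": "Yes",
}
LIST_ITEM = re.compile(r"^(\w+)\.item_\d+$")  # e.g. ExcludeMasks.item_0000

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONFIG = """\
FirstAction=Cure
UseSizeLimit=Yes
SizeLimit=50
UseExcludeThreats=Yes
ExcludeThreats.item_0000=EICAR-Test-*
ExcludeThreats.item_0001=?rojan.Linux
ExcludeMasks.item_0000=*.iso
UseAnalyzer=No
[ScanScope.item_0000]
AreaDesc="All objects"
UseScanArea=Yes
Path=/
[ExcludedFromScanScope.item_0000]
AreaDesc="Exclude separate SAMBA"
UseScanArea=Yes
Path=Shared:SMB
"""

def parse_task_config(text):
    """Return (settings, lists, sections): task-level scalar settings, list
    settings such as ExcludeMasks.item_0000, and the bracketed sections."""
    settings, lists, sections = {}, {}, []
    target = settings
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            target = {"_section": line[1:-1]}
            sections.append(target)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # blank line or anything that is not key=value
        key, value = key.strip(), value.strip().strip('"')
        match = LIST_ITEM.match(key)
        if match and target is settings:
            lists.setdefault(match.group(1), []).append(value)
        else:
            target[key] = value
    return settings, lists, sections

def audit(text):
    """Return a list of (setting, message) findings for one task configuration."""
    settings, lists, sections = parse_task_config(text)
    get = lambda key: settings.get(key, DEFAULTS[key])
    findings = []
    # Exclusions apply only when the matching Use* switch is Yes.
    for name in ("ExcludeMasks", "ExcludeThreats"):
        items, enabled = lists.get(name, []), get("Use" + name) == "Yes"
        if items and not enabled:
            findings.append((name, f"{len(items)} item(s) defined but Use{name}=No, so not applied"))
        for item in (items if enabled else []):
            if name == "ExcludeMasks":
                findings.append((name, f"objects matching '{item}' are not scanned"))
            elif re.search(r"[*?]", item):
                findings.append((name, f"mask '{item}' can match more than one threat name"))
    # Action chain: an unspecified SecondAction means Skip.
    if get("FirstAction") == "Skip":
        findings.append(("FirstAction", "infected objects are only logged"))
    elif get("FirstAction") == "Cure" and get("SecondAction") == "Skip":
        findings.append(("SecondAction", "if disinfection fails, the object is left unchanged"))
    # Size and time limits leave objects unscanned; check that this is logged.
    for flag, limit, unit in (("UseSizeLimit", "SizeLimit", "MB"), ("UseTimeLimit", "TimeLimit", "s")):
        if get(flag) == "Yes" and int(get(limit)) > 0 and get("ReportUnprocessedObjects") == "No":
            findings.append((limit, f"limit of {get(limit)} {unit} is active and "
                                    "ReportUnprocessedObjects=No, so unscanned objects are not logged"))
    if get("UseAnalyzer") == "No":
        findings.append(("UseAnalyzer", "Heuristic Analyzer is disabled"))
    if get("ScanArchived") == "No":
        findings.append(("ScanArchived", "archives are not scanned"))
    # Scopes: UseScanArea defaults to Yes in both section types.
    active = [s for s in sections if s.get("UseScanArea", "Yes") == "Yes"]
    if not any(s["_section"].startswith("ScanScope.") for s in active):
        findings.append(("ScanScope", "no enabled scan area; the task needs at least one"))
    for s in active:
        if s["_section"].startswith("ExcludedFromScanScope."):
            findings.append(("ExcludedFromScanScope", f"'{s.get('Path')}' is excluded from scanning"))
    return findings

if __name__ == "__main__":
    for setting, message in audit(SAMPLE_CONFIG):
        print(f"{setting}: {message}")
```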

Boot sector scan task (Boot_Scan ID:4)

This section contains information about the boot sector scan task.

About boot sector scan task

The boot sector scan task lets you scan boot sectors without specifying a scan scope.

Boot sector scan task settings

This section provides information about the settings you can specify for the boot sector scan task.

All available values and default values for each setting are described.

UseExcludeMasks

Enables / disables the scan exclusion of objects specified using the ExcludeMasks setting.

Available values:

Yes—Exclude objects specified by the ExcludeMasks setting.

No—Do not exclude objects specified by the ExcludeMasks setting.

Default value: No.

ExcludeMasks

Excludes objects from scanning by name or mask. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in command shell format.

The default value is not defined.

UseExcludeThreats

Enables or disables the scan exclusion of objects with threats specified using the ExcludeThreats setting.

Available values:

Yes—Exclude from scanning the objects containing threats specified using the ExcludeThreats setting.

No—Do not exclude from scanning the objects containing threats specified using the ExcludeThreats setting.

Default value: No.

ExcludeThreats

Excludes objects from scanning by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is enabled.

In order to exclude a single object from scanning, specify the full name of the threat detected in this object – the Kaspersky Endpoint Security string with the verdict that the object is infected.

E.g., you may be using a utility to collect information about your network. To keep Kaspersky Endpoint Security from blocking it, add the full name of the threat contained in it to the list of threats excluded from scanning.

You can find the full name of the threat detected in the object in the Kaspersky Endpoint Security log. You can also find the full name of the threat on the Virus Encyclopedia website. To find the name of a threat, enter the application name in the Search field.

The setting value is case-sensitive.

The default value is not defined.

ReportCleanObjects

Enables / disables logging of information about scanned objects that Kaspersky Endpoint Security has deemed non-infected.

You can enable this setting, for example, to make sure that a particular object has been scanned by Kaspersky Endpoint Security.

Available values:

Yes—Log information about non-infected objects.

No—Do not log information about non-infected objects.

Default value: No.

ReportUnprocessedObjects

Enables / disables logging of information about files that have not been processed for some reason.

Available values:

Yes—Log the information about unprocessed objects. Setting this parameter value to Yes for a long period is not recommended, since logging a large amount of information may reduce the application performance.

No—Do not log the information about unprocessed objects.

Default value: No.

UseAnalyzer

Enables / disables Heuristic Analyzer. Heuristic analysis enables the application to detect new threats even before they become known to virus analysts.

Available values:

Yes—Enable Heuristic Analyzer.

No—Disable Heuristic Analyzer.

Default value: Yes.

HeuristicLevel

Heuristic analysis level.

You can specify the heuristic analysis level. The heuristic analysis level sets the balance between the thoroughness of searches for threats, the load on the operating system's resources, and the scan duration. The higher the heuristic analysis level, the more resources and time are required for scanning.

Available values:

Light—The least thorough scan with minimal load on the system.

Medium—Medium heuristic analysis level; balanced load on the system.

Deep—The most thorough scan with maximal load on the operating system.

Recommended—Recommended value.

Default value: Recommended.

Action

Selection of the action to be performed by Kaspersky Endpoint Security on infected objects.

Available values:

Cure (disinfect)—Kaspersky Endpoint Security attempts to disinfect an object by saving a copy of it in Storage. If disinfection fails (for example, if the type of object or the type of threat in the object cannot be disinfected) Kaspersky Endpoint Security leaves the object unchanged.

Skip—Kaspersky Endpoint Security does not attempt to disinfect or delete an infected object. Information about the infected object is logged.

Default value: Cure.

Process memory scan task (Memory_Scan ID:5)

This section contains information about the process memory scan task.

About process memory scan task

The process memory scan task lets you scan the process memory without specifying a scan scope.

Process memory scan task settings

This section provides information about the settings you can specify for the process memory scan task.

All available values and default values for each setting are described.

UseExcludeThreats

Enables or disables the scan exclusion of objects with threats specified using the ExcludeThreats setting.

Available values:

Yes—Exclude from scanning the objects containing threats specified using the ExcludeThreats setting.

No—Do not exclude from scanning the objects containing threats specified using the ExcludeThreats setting.

Default value: No.

ExcludeThreats

Excludes objects from scanning by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is enabled.

In order to exclude a single object from scanning, specify the full name of the threat detected in this object—the Kaspersky Endpoint Security string with the verdict that the object is infected.

E.g., you may be using a utility to collect information about your network. To keep Kaspersky Endpoint Security from blocking it, add the full name of the threat contained in it to the list of threats excluded from scanning.

You can find the full name of the threat detected in the object in the Kaspersky Endpoint Security log. You can also find the full name of the threat on the Virus Encyclopedia website. To find the name of a threat, enter the application name in the Search field.

The setting value is case-sensitive.

The default value is not defined.

ReportCleanObjects

Enables / disables logging of information about scanned objects that Kaspersky Endpoint Security has deemed non-infected.

You can enable this setting, for example, to make sure that a particular object has been scanned by Kaspersky Endpoint Security.

Available values:

Yes—Log information about non-infected objects.

No—Do not log information about non-infected objects.

Default value: No.

ReportUnprocessedObjects

Enables / disables logging of information about files that have not been processed for some reason.

Available values:

Yes—Log the information about unprocessed objects. Setting this parameter value to Yes for a long period is not recommended, since logging a large amount of information may reduce the application performance.

No—Do not log the information about unprocessed objects.

Default value: No.

Action

Selection of the action to be performed by Kaspersky Endpoint Security on infected objects.

Available values:

Cure (disinfect)—Kaspersky Endpoint Security attempts to disinfect an object by saving a copy of it in Storage. If disinfection fails (for example, if the type of object or the type of threat in the object cannot be disinfected) Kaspersky Endpoint Security leaves the object unchanged.

Skip—Kaspersky Endpoint Security does not attempt to disinfect or delete an infected object. Information about the infected object is logged.

Default value: Cure.

Update task (Update ID:6)

This section contains information about the Update task.

About database and application module updates

Updating the databases and application modules of Kaspersky Endpoint Security ensures up-to-date protection on your computer. New viruses and other types of malware appear worldwide on a daily basis. Kaspersky Endpoint Security databases contain information about threats and ways of neutralizing them. To detect threats quickly, you are urged to regularly update the databases and application modules.

Regular updates require a license in effect. If there is no current license, you will be able to perform an update only once.

The main update source for Kaspersky Endpoint Security is Kaspersky Lab update servers.

Your computer must be connected to the Internet to successfully download the update package from Kaspersky Lab update servers. By default, the Internet connection settings are determined automatically. If you use a proxy server, you need to adjust the connection settings.

While performing an update, the following objects are downloaded and installed on your computer:

While updating, the application and databases on your computer are compared against the up-to-date version at the update source. If your current databases and application modules differ from their respective up-to-date versions, the missing portion of the updates is installed on your computer.

If the databases are obsolete, the update package may be large, which may cause additional Internet traffic (up to several dozen MB).

About update sources

An update source is a resource that contains updates for databases and application modules of Kaspersky Endpoint Security. Update sources include FTP or HTTP servers (such as Kaspersky Security Center and Kaspersky Lab update servers) and local or network directories mounted by the user.

In the predefined update task, the default update source is the Kaspersky Lab update servers. The update servers contain updates for databases and application modules for many Kaspersky Lab applications. Updates are downloaded via the HTTP protocol.

If, for some reason, you are not able to use the Kaspersky Lab update servers as the update source, you can receive updates from a custom update source such as a local or network directory (SMB / NFS) mounted by the user, or an FTP or HTTP server specified by you. You can specify a custom update source in the configuration file of the update task.

Update task settings

This section provides information about the settings you can specify for the Update task.

All available values and default values for each setting are described.

SourceType

This setting lets you select the source from which Kaspersky Endpoint Security will receive updates.

Available values:

KLServers—Kaspersky Endpoint Security receives updates from one of the Kaspersky Lab update servers. Updates are downloaded via the HTTP protocol.

SCServer—Kaspersky Endpoint Security downloads updates to the protected computer from Kaspersky Security Center Administration Server installed on the local network. You can select this update source if you use the Kaspersky Security Center application for centralized administration of anti-virus protection of computers in your organization.

Custom—Kaspersky Endpoint Security downloads updates from the custom source specified in the [CommonSettings:CustomSources] section. You can specify directories on HTTP servers or directories on any device mounted on the protected computer, including directories on remote computers mounted via the Samba or NFS protocols.

Default value: KLServers.

UseKLServersWhenUnavailable

You can use this setting to configure Kaspersky Endpoint Security to access the Kaspersky Lab update servers if all custom update sources are unavailable.

Available values:

Yes—Kaspersky Endpoint Security connects to Kaspersky Lab update servers if all custom update sources are unavailable.

No—Kaspersky Endpoint Security does not connect to Kaspersky Lab update servers if all custom update sources are unavailable.

Default value: Yes.

IgnoreProxySettingsForKLServers

This setting lets you configure the use of a proxy server for connecting to Kaspersky Lab update servers.

Available values:

Yes—Kaspersky Endpoint Security does not use a proxy server to connect to the Kaspersky Lab update servers.

No—Kaspersky Endpoint Security uses a proxy server to connect to the Kaspersky Lab update servers.

Default value: No.

IgnoreProxySettingsForCustomSources

This setting lets you configure the use of a proxy server for connecting to custom sources of updates. You need to enable this setting if you require access to a proxy server in order to connect to any of the custom HTTP update servers.

Available values:

Yes—Kaspersky Endpoint Security does not use a proxy server to connect to the custom update sources.

No—Kaspersky Endpoint Security uses a proxy server to connect to the custom update sources.

Default value: No.

ApplicationUpdateMode

Specifies the mode for downloading and installing application updates.

Available values:

Disable—Do not download and install the application updates

DownloadOnly—Download the application updates, but do not install them

DownloadAndInstall—Automatically download and install the application updates

Default value: DownloadOnly

ConnectionTimeout

You can use this setting to specify the time to wait (in seconds) for a response from an update source such as an HTTP server while attempting to connect to it. If an update source does not respond within the specified time interval, Kaspersky Endpoint Security contacts the next update source on the list.

You can use only integers within the range from 0 to 120.

Default value: 10.

The [CustomSources.item_#] section contains the following settings:

URL

This setting lets you specify the address of the custom source of updates in the local area network or on the Internet.

The default value is not defined.

Example:

URL=http://example.com/bases/ – address of the HTTP server with the directory containing the updates.

URL=/home/bases/ – directory on the protected computer containing the application databases.

Enabled

This setting lets you enable or disable use of the update source specified in the URL setting. Use of at least one update source must be enabled before the task can run.

Available values:

Yes—Kaspersky Endpoint Security uses the update source.

No—Kaspersky Endpoint Security does not use the update source.

The default value is not defined.

Example:

Enabled=Yes

Installing application update manually

You can manually install the application update from the command line. Kaspersky Endpoint Security must be installed on your computer to install the application update.

To install a Kaspersky Endpoint Security update from an RPM package, execute the following command:

# rpm -U <rpm package name>.rpm

To install a Kaspersky Endpoint Security update from a DEB package, execute the following command:

# dpkg -i <deb package name>.deb

The application update process is started.

A restart of the application or operating system may be required. The corresponding message is displayed. After the application or operating system restart, the updated version of Kaspersky Endpoint Security is started.

After the application update, accepting the End User License Agreement and / or Kaspersky Security Network Statement may be required.

To accept the End User License Agreement,

  1. Read the text of the End User License Agreement.
  2. If you agree with the text of the End User License Agreement, specify the environment variable:
    • # KESL_EULA_AGREED=Yes rpm -U <rpm package name>.rpm for an RPM package.
    • # KESL_EULA_AGREED=Yes dpkg -i <deb package name>.deb for a DEB package.

To accept the Kaspersky Security Network Statement,

  1. Read the text of the Kaspersky Security Network Statement.
  2. If you agree with the text of the Kaspersky Security Network Statement, specify the environment variable:
    • # KESL_USE_KSN=Yes rpm -U <rpm package name>.rpm for an RPM package.
    • # KESL_USE_KSN=Yes dpkg -i <deb package name>.deb for a DEB package.

Update rollback task (Rollback ID:7)

This section contains information about the update rollback task.

The update rollback task is run to roll back the last successful databases update.

This task does not have any settings.

For more information on managing the update rollback task, see section "Managing Kaspersky Endpoint Security tasks using command line".

Update retranslation task (Retranslate ID:8)

This section contains information about the update retranslation task.

In this section

About Update retranslation task

Update retranslation task settings

About Update retranslation task

The update retranslation task allows you to download databases and application updates to the selected directory. The updates will not be installed.

Retranslated update databases can be used only by the application with the same build number.

Update retranslation task settings

This section provides information about the settings you can specify for the update retranslation task.

All available values and default values for each setting are described.

SourceType

This setting lets you select the source from which Kaspersky Endpoint Security will receive updates.

Available values:

KLServers—Kaspersky Endpoint Security receives updates from one of the Kaspersky Lab update servers. Updates are downloaded via the HTTP protocol.

SCServer—Kaspersky Endpoint Security downloads updates to the protected computer from Kaspersky Security Center Administration Server installed on the local network. You can select this update source if you use the Kaspersky Security Center application for centralized administration of anti-virus protection of computers in your organization.

Custom—Kaspersky Endpoint Security downloads updates from the custom source specified in the [CommonSettings:CustomSources] section. You can specify directories on HTTP servers or directories on any device mounted on the protected computer, including directories on remote computers mounted via the Samba or NFS protocols.

Default value: KLServers.

UseKLServersWhenUnavailable

You can use this setting to configure Kaspersky Endpoint Security to access the Kaspersky Lab update servers if all custom update sources are unavailable.

Available values:

Yes—Kaspersky Endpoint Security connects to Kaspersky Lab update servers if all custom update sources are unavailable.

No—Kaspersky Endpoint Security does not connect to Kaspersky Lab update servers if all custom update sources are unavailable.

Default value: Yes.

IgnoreProxySettingsForKLServers

This setting lets you configure the use of a proxy server for connecting to Kaspersky Lab update servers.

Available values:

Yes—Kaspersky Endpoint Security does not use a proxy server to connect to the Kaspersky Lab update servers.

No—Kaspersky Endpoint Security uses a proxy server to connect to the Kaspersky Lab update servers.

Default value: No.

IgnoreProxySettingsForCustomSources

This setting lets you configure the use of a proxy server for connecting to custom sources of updates. You need to enable this setting if you require access to a proxy server in order to connect to any of the custom HTTP update servers.

Available values:

Yes—Kaspersky Endpoint Security does not use a proxy server to connect to the custom update sources.

No—Kaspersky Endpoint Security uses a proxy server to connect to the custom update sources.

Default value: No.

ConnectionTimeout

You can use this setting to specify the time to wait (in seconds) for a response from an update source such as an HTTP server while attempting to connect to it. If an update source does not respond within the specified time interval, Kaspersky Endpoint Security contacts the next update source on the list.

You can use only integers within the range from 0 to 120.

Default value: 10.

RetranslationFolder

You can use this setting to specify the directory to which updates will be copied. If the specified directory does not exist, Kaspersky Endpoint Security creates it while running the update retranslation task.

The [CustomSources.item_#] section contains the following settings:

URL

This setting lets you specify the address of the custom source of updates in the local area network or on the Internet.

The default value is not defined.

Example:

URL=http://example.com/bases/ – address of the HTTP server with the directory containing the updates.

URL=/home/bases/ – directory on the protected computer containing the application databases.

Enabled

This setting lets you enable or disable use of the update source specified in the URL setting. Use of at least one update source must be enabled before the task can run.

Available values:

Yes—Kaspersky Endpoint Security uses the update source.

No—Kaspersky Endpoint Security does not use the update source.

The default value is not defined.

AutoPatchDownload

Enables or disables automatic downloading of application updates.

Available values:

Yes—Automatically download application updates

No—Do not download application updates automatically

Default value: Yes

License task (License ID:9)

This section contains information about the License task.

In this section

About License task

Adding an active key

Adding an additional key

Removing the active key

Removing the additional key

Entering an additional activation code

About License task

The License task allows you to manage Kaspersky Endpoint Security keys and activation codes.

Adding an active key

The command --install-active-key adds an active key. For details about keys, please refer to the section "About the key".

Command syntax

kesl-control [-L] --install-active-key <path to key file>|<activation code>

Arguments and keys

<path to the key file>

The path to the key file; if the key file is located in the current directory, it is sufficient to specify only the file name.

Example:

Add the key from file /home/test/00000001.key as the active key:

kesl-control --install-active-key /home/test/00000001.key

Adding an additional key

The command --install-additional-key adds an additional key. For details about keys, please refer to the section "About the key".

If an active key is not installed, the additional key will be installed as the primary key.

Command syntax

kesl-control [-L] --install-additional-key <path to key file>

Arguments and keys

<path to the key file>

The path to the key file; if the key file is located in the current directory, it is sufficient to specify only the file name.

Example:

Install an additional key from the file /home/test/00000002.key:

kesl-control --install-additional-key /home/test/00000002.key

Removing the active key

The command --revoke-active-key removes the active key.

Command syntax

kesl-control [-L] --revoke-active-key

Removing the additional key

The command --revoke-additional-key removes the additional key.

Command syntax

kesl-control [-L] --revoke-additional-key

Entering an additional activation code

The command --install-additional-key enters the additional activation code. For more details on activation codes, see section "About the activation code".

Command syntax

kesl-control [-L] --install-additional-key <activation code>

Storage management task (Backup ID:10)

This section contains information about the Storage management task.

In this section

About Storage

Storage management task settings

Viewing IDs of objects in Storage

About restoring objects from the Storage

Restoring objects from the Storage

Removing objects from Storage

About Storage

Storage is a list of backup copies of files that have been deleted or modified during the disinfection process. A backup copy is a copy of a file that is created at the first attempt to disinfect or delete the file. Backup copies of files are stored in a special format and do not pose a threat.

Sometimes it is not possible to maintain the integrity of files during disinfection. If you partially or completely lose access to important information in a disinfected file after disinfection, you can attempt to restore the disinfected copy of the file to its original directory.

Storage management task settings

This section provides information about the settings you can specify for the Storage management task.

All available values and default values for each setting are described.

DaysToLive

Time period for storing objects in Storage (in days).

To remove the time limit for storing objects in Storage, specify the value 0.

Default value: 90.

BackupSizeLimit

Maximum size of Storage.

When the maximum Storage size is reached, Kaspersky Endpoint Security deletes the oldest objects.

Available values:

0 – 999,999 (in megabytes).

To remove the Storage size limit, specify the value 0.

Default value: 0.

BackupFolder

Path to the Storage directory. You can specify a custom Storage directory that is different from the default directory.

You can use directories on any computer devices to serve as Storage. It is not recommended to assign directories that are located on remote computers, such as those mounted via the Samba and NFS protocols.

Kaspersky Endpoint Security starts to place objects into the specified directory after you import the settings from the file into the Storage task and restart Kaspersky Endpoint Security.

If the specified directory does not exist or is unavailable, Kaspersky Endpoint Security uses the default Storage directory.

Default value: /var/opt/kaspersky/kesl/objects-backup/

Viewing IDs of objects in Storage

When an object is placed in Storage, Kaspersky Endpoint Security assigns a numeric ID to it. The ID is used to perform actions on the object, such as restoring or removing the object from Storage.

To view the IDs of objects in Storage,

execute the command: kesl-control -B --query

The object ID is displayed in the ObjectId string.

About restoring objects from the Storage

Kaspersky Endpoint Security stores files in Storage in encrypted form to keep the protected server safe from their potential harmful effects.

You can restore objects from Storage. You may need to restore objects from Storage in the following cases:

Restoring infected objects may lead to computer infection.

You can save the object under a new name when restoring it from Storage.

Restoring objects from the Storage

To restore an object from Storage, do one of the following:

Removing objects from Storage

To remove an object from Storage, execute the following command:

kesl-control -B --mass-remove --query "ObjectId == '<object ID>'"

To remove several objects from Storage, execute the following command:

kesl-control -B --mass-remove --query "<field> <comparison operator> '<value>' [and <field> <comparison operator> '<value>']*"

To remove all objects from Storage, execute one of the following commands:

kesl-control -B --mass-remove

or

kesl-control -B --mass-remove --query

File Integrity Monitoring task (Integrity_Monitoring ID:11)

This section contains information about the File Integrity Monitoring task.

In this section

About File Integrity Monitoring

On-access File Integrity Monitoring (OAFIM)

On-demand File Integrity Monitoring (ODFIM)

On-access File Integrity Monitoring task settings

On-demand File Integrity Monitoring settings

About File Integrity Monitoring

The File Integrity Monitoring task is designed to track actions performed with the files and directories in the monitoring scopes specified in the task settings. You can use the task to find file changes that may indicate a security breach on the protected server. You can also configure file changes to be tracked during periods when monitoring is interrupted.

To use File Integrity Monitoring functionality, you must purchase an extended license that covers this functionality. File Integrity Monitoring is disabled by default.

File integrity monitoring can be performed in real-time mode by running the On-access File Integrity Monitoring (OAFIM) task. Also, On-demand File Integrity Monitoring (ODFIM) tasks can be created and run.

Both OAFIM and ODFIM tasks send notifications about changes to an object access control list. For the OAFIM task, details about what exactly was changed are not reported. For the ODFIM task, information about attribute changes and file / directory moves is reported.

On-access File Integrity Monitoring (OAFIM)

While the OAFIM task is running, each object change is determined through real-time interception of file operations. When an object changes, Kaspersky Endpoint Security sends an event to the Kaspersky Security Center administration server. A file checksum is not calculated during the task run. The OAFIM task does not monitor changes in files (attributes and content) with hard links that are not located in a monitoring scope.

Kaspersky Endpoint Security monitors file operations on specific files or in scopes specified in the parameters of the task.

Monitoring scopes

Monitoring scopes for File Integrity Monitoring tasks must always be specified. The administrator can change scanning and monitoring scopes in real-time mode. If no monitoring scope is specified, task settings cannot be saved in the configuration file. When a monitoring scope or exclusion scope is added, the application does not check whether the specified directory exists.

You can specify several monitoring scopes.

Monitoring exclusion scopes

You can create exclusions for the monitoring scope. Exclusions are specified for individual scopes, and work only for the indicated monitoring scope. You can specify several exclusion scopes.

Exclusions have a higher priority than the monitoring scope and are not monitored by a task, even if a specific directory or file is in the monitoring scope. If the settings for one of the rules specify a monitoring scope that is at a lower level than a directory specified in exclusions, the monitoring scope is not considered when the task is run.

To specify exclusions, you can use the same command line shell masks that are used to specify monitoring scopes.

Monitored parameters

Changes to the following parameters are monitored during the File Integrity Monitoring task run:

The technical limitations of the Linux operating system prevent the File Integrity Monitoring component from detecting which administrator or process has made a change to a file.

On-demand File Integrity Monitoring (ODFIM)

While the ODFIM task is running, each object change is determined by comparing the current state of the monitored objects with the original state, which was previously established as a baseline.

You can create several ODFIM tasks.

Baseline

The baseline is established during the first run of the ODFIM task on the computer. For each ODFIM task, a separate baseline is created. The task is performed only if the baseline corresponds to the monitoring scope. If the baseline does not match the monitoring scope, Kaspersky Endpoint Security generates an event about file integrity violation.

You can rebuild a baseline for a task using the corresponding parameter. The baseline is rebuilt after an ODFIM task has finished.

Also, a baseline is rebuilt when the parameters of a task change, for example, if a new monitoring scope is added. The baseline will be rebuilt during the next task run.

The ODFIM task creates storage for baselines on a computer that has the File Integrity Monitoring component installed.

You can delete a baseline only if you delete the corresponding ODFIM task.
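The baseline comparison described above, as an added illustration in Python (not Kaspersky code). Function names are hypothetical; the options mirror the RebuildBaseline, CheckFileHash, TrackDirectoryChanges and TrackLastAccessTime settings of the on-demand task, and the set of attributes recorded is an assumption because this guide does not list it.

```python
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, check_file_hash=False, track_directory_changes=False,
             track_last_access_time=False):
    """Record the current state of every object under root."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(n, False) for n in filenames]
        if track_directory_changes:
            entries += [(n, True) for n in dirnames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            # Assumed attribute set: permissions, owner, group, size, mtime.
            rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
            if not is_dir:
                rec["size"] = st.st_size
                rec["mtime"] = st.st_mtime_ns
            if track_last_access_time:
                rec["atime"] = st.st_atime_ns
            if check_file_hash and stat.S_ISREG(st.st_mode):
                rec["sha256"] = _sha256(full)
            state[os.path.relpath(full, root)] = rec
    return state


def compare(baseline, current):
    """Return sorted (path, kind, changed_fields) tuples."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            events.append((path, "added", []))
        elif new is None:
            events.append((path, "removed", []))
        else:
            fields = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            if fields:
                events.append((path, "changed", fields))
    return events


def run_odfim(store, task_id, root, rebuild_baseline=False, **options):
    """One task run; store is a dict standing in for the baseline storage."""
    current = snapshot(root, **options)
    key = (os.path.abspath(root), tuple(sorted(options.items())))
    saved = store.get(task_id)
    if saved is None or saved["key"] != key:
        # First run, or the task parameters changed: the baseline is (re)built.
        # Reporting nothing for that run is an assumption of this sketch.
        store[task_id] = {"key": key, "state": current}
        return []
    events = compare(saved["state"], current)
    if rebuild_baseline:  # rebuilt only after the comparison has finished
        store[task_id] = {"key": key, "state": current}
    return events


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scope:
        conf = os.path.join(scope, "app.conf")  # constructed sample file
        with open(conf, "w") as f:
            f.write("port=8080\n")
        store = {}
        run_odfim(store, "task-1", scope, check_file_hash=True)  # builds baseline
        os.chmod(conf, 0o600)
        with open(conf, "w") as f:
            f.write("port=9090\n")
        for event in run_odfim(store, "task-1", scope, check_file_hash=True):
            print(event)
```

With the hash enabled, a run can tell a content change (sha256 differs) from a change that touched only attributes such as the modification time.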

On-access File Integrity Monitoring task settings

This section describes the settings you can specify for the on-access File Integrity Monitoring task.

All available values and default values for each setting are described below.

UseExcludeMasks

Enables or disables exclusion, from the monitoring scope, of objects that are specified by the ExcludeMasks setting.

The UseExcludeMasks setting works only if the ExcludeMasks setting is specified.

Available values:

Yes—Exclude objects specified by the ExcludeMasks setting from the monitoring scope

No—Do not exclude objects specified by the ExcludeMasks setting from the monitoring scope

Default value: No

ExcludeMasks

Specifies a list of masks that define objects to be excluded from the monitoring scope.

Before specifying this setting, make sure that the UseExcludeMasks setting value is set to Yes.

Masks are specified in command shell format.

If you want to specify several masks, each mask must be specified on a new line with the new index specified (ExcludeMasks.item_0000, ExcludeMasks.item_0001).

Default value: not defined

Section [ScanScope.item_#]

The [ScanScope.item_#] sections specify scopes to be monitored by the File Integrity Monitoring task. At least one monitoring scope must be specified for the task.

You can define several [ScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by item index, in ascending order.

Each [ScanScope.item_#] section contains the following settings:

AreaDesc

Specifies the name of the monitoring scope.

UseScanArea

Enables or disables monitoring of the specified scope.

Available values:

Yes—Monitor a specified scope

No—Do not monitor a specified scope

Default value: Yes

Path

Specifies the full path to the object or directories to be monitored.

Default value: /opt/kaspersky/kesl/

AreaMask.item_#

Specifies a command line shell mask that defines the objects to be monitored.

You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by indexes, in ascending order.

Default value: * (all objects will be processed)

Section [ExcludedFromScanScope.item_#]

The [ExcludedFromScanScope.item_#] sections specify the objects to be excluded from all [ScanScope.item_#] sections.

All objects that match the rules of any [ExcludedFromScanScope.item_#] section will be excluded from monitoring. An [ExcludedFromScanScope.item_#] section format is similar to the format of a [ScanScope.item_#] section.

You can define several [ExcludedFromScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by item index, in ascending order.

Each [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Specifies the name of the scope to be excluded from monitoring.

UseScanArea

Specifies whether the specified scope will be excluded from monitoring.

Available values:

Yes—Exclude a specified scope from the monitoring

No—Do not exclude the specified scope from the monitoring

Default value: Yes

Path

Specifies the path to the objects or directories to be excluded from monitoring.

AreaMask.item_#

Specifies a command line shell mask that defines the objects to be excluded from monitoring.

You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by indexes, in ascending order.

Default value: * (all objects will be monitored)

On-demand File Integrity Monitoring settings

This section describes the settings that you can specify for the on-demand File Integrity Monitoring task.

All available values and default values for each setting are described.

RebuildBaseline

Enables or disables rebuilding a baseline after an ODFIM task has finished.

Available values:

Yes—Rebuild a baseline after an ODFIM task has finished

No—Do not rebuild a baseline after an ODFIM task has finished

Default value: No

CheckFileHash

Enables or disables a hash (SHA-256) check.

Available values:

Yes—Enable a hash check

No—Disable a hash check

Default value: No

TrackDirectoryChanges

Enables or disables monitoring of directories.

Available values:

Yes—Monitor directories

No—Do not monitor directories

Default value: No

TrackLastAccessTime

Enables or disables checking of the last time the file was accessed. (In Linux operating systems this is the noatime parameter.)

Available values:

Yes—Check the last time the file was accessed

No—Do not check the last time the file was accessed

Default value: No

UseExcludeMasks

Enables or disables exclusion from the monitoring scope of objects specified by the ExcludeMasks setting.

This setting works only with the ExcludeMasks setting specified.

Available values:

Yes—Exclude objects specified by the ExcludeMasks setting from the monitoring scope

No—Do not exclude objects specified by the ExcludeMasks setting from the monitoring scope

Default value: No

ExcludeMasks

Specifies a list of masks that define objects to be excluded from the monitoring scope.

Before specifying this setting, make sure that the UseExcludeMasks setting value is set to Yes.

Masks are specified in command shell format.

If you want to specify several masks, each mask must be specified on a new line with the new index specified (ExcludeMasks.item_0000, ExcludeMasks.item_0001).

Default value: not defined

Section [ScanScope.item_#]

The [ScanScope.item_#] sections specify scopes to be monitored by the File Integrity Monitoring task. At least one monitoring scope must be specified for the task.

You can define several [ScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by item index, in ascending order.

Each [ScanScope.item_#] section contains the following settings:

AreaDesc

Specifies the name of the monitoring scope.

UseScanArea

Enables or disables monitoring of the specified scope.

Available values:

Yes—Monitor a specified scope

No—Do not monitor a specified scope

Default value: Yes

Path

Specifies the full path to the object or directories to be monitored.

Default value: /opt/kaspersky/kesl/

AreaMask.item_#

Specifies a command line shell mask that defines the objects to be monitored.

You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by indexes, in ascending order.

Default value: * (all objects will be processed)

Section [ExcludedFromScanScope.item_#]

The [ExcludedFromScanScope.item_#] sections specify the objects to be excluded from all [ScanScope.item_#] sections.

All objects that match the rules of any [ExcludedFromScanScope.item_#] section will be excluded from monitoring. An [ExcludedFromScanScope.item_#] section format is similar to the format of a [ScanScope.item_#] section.

You can define several [ExcludedFromScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by item index, in ascending order.

Each [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Specifies the name of the scope to be excluded from monitoring.

UseScanArea

Specifies whether the specified scope will be excluded from monitoring.

Available values:

Yes—Exclude a specified scope from monitoring

No—Do not exclude the specified scope from monitoring

Default value: Yes

Path

Specifies the path to the objects or directories to be excluded from monitoring.

AreaMask.item_#

Specifies a command line shell mask that defines the objects to be excluded from monitoring.

You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by indexes, in ascending order.

Default value: * (all objects will be monitored)
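An added example, not part of the product: a Python check that reads the [ScanScope.item_#], [ExcludedFromScanScope.item_#], UseExcludeMasks and ExcludeMasks settings described for the on-access and on-demand tasks and reports monitoring gaps created by exclusions. The INI layout of the sample, the recursive treatment of Path, the matching of masks against file names, and all function names are assumptions.

```python
import configparser
import fnmatch
import posixpath

# Constructed sample: an INI-style task file using the setting names above.
SAMPLE = """\
UseExcludeMasks=No
ExcludeMasks.item_0000=*.log

[ScanScope.item_0000]
AreaDesc=System configuration
UseScanArea=Yes
Path=/etc
AreaMask.item_0000=*

[ScanScope.item_0001]
AreaDesc=Application configuration
UseScanArea=Yes
Path=/srv/app/conf
AreaMask.item_0000=*.conf

[ExcludedFromScanScope.item_0000]
AreaDesc=Application tree
UseScanArea=Yes
Path=/srv/app
AreaMask.item_0000=*
"""


def _indexed(section, prefix):
    """Values of <prefix>.item_# keys, in ascending index order."""
    return [v for k, v in sorted(section.items()) if k.startswith(prefix + ".item_")]


def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of setting names
    cp.read_string("[__task__]\n" + text)  # top-level settings have no header

    def scopes(prefix):
        found = []
        for name in sorted(s for s in cp.sections() if s.startswith(prefix + ".item_")):
            sec = cp[name]
            found.append({
                "name": sec.get("AreaDesc", name),
                "enabled": sec.get("UseScanArea", "Yes") == "Yes",
                "path": posixpath.normpath(sec["Path"]),
                "masks": _indexed(sec, "AreaMask") or ["*"],
            })
        return found

    task = cp["__task__"]
    return {
        "scan": scopes("ScanScope"),
        "excluded": scopes("ExcludedFromScanScope"),
        "use_masks": task.get("UseExcludeMasks", "No") == "Yes",
        "exclude_masks": _indexed(task, "ExcludeMasks"),
    }


def _under(path, root):
    return path == root or path.startswith(root.rstrip("/") + "/")


def _matches(scope, path):
    name = posixpath.basename(path)
    return (scope["enabled"] and _under(path, scope["path"])
            and any(fnmatch.fnmatchcase(name, m) for m in scope["masks"]))


def is_monitored(cfg, path):
    path = posixpath.normpath(path)
    if not any(_matches(s, path) for s in cfg["scan"]):
        return False
    if any(_matches(e, path) for e in cfg["excluded"]):
        return False  # exclusions have priority over monitoring scopes
    if cfg["use_masks"]:
        name = posixpath.basename(path)
        if any(fnmatch.fnmatchcase(path, m) or fnmatch.fnmatchcase(name, m)
               for m in cfg["exclude_masks"]):
            return False
    return True


def audit(cfg):
    findings = []
    if cfg["exclude_masks"] and not cfg["use_masks"]:
        findings.append("ExcludeMasks is set but UseExcludeMasks=No, so the masks have no effect")
    for s in (s for s in cfg["scan"] if s["enabled"]):
        for e in (e for e in cfg["excluded"] if e["enabled"]):
            if "*" in e["masks"] and _under(s["path"], e["path"]):
                findings.append(f"{s['path']} ({s['name']}) lies inside excluded "
                                f"{e['path']} ({e['name']}) and is never monitored")
    return findings


if __name__ == "__main__":
    for line in audit(load(SAMPLE)):
        print("WARN:", line)
```

Running such a check before importing task settings catches a scope that an exclusion silently overrides, which the application itself does not report.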

Firewall Manager task (Firewall ID:12)

This section contains information about the Firewall Manager task.

In this section

About Firewall Manager

About network packet rules

About dynamic rules

About the predefined network zone names

Firewall Manager task settings

Adding network packet rule

Deleting network packet rule

Changing execution priority of network packet rule

Adding network address to zone section

Deleting network address from zone section

About Firewall Manager

During use on local area networks (LANs) and the Internet, a computer is exposed to viruses, other malware, and a variety of attacks that exploit vulnerabilities in operating systems and software.

The operating system firewall protects personal data that is stored on the user's computer. The firewall blocks most potential threats to the operating system when the computer is connected to the Internet or a LAN. Firewall Manager detects all network connections of the user's computer and provides a list of IP addresses, as well as an indication of the status of the default network connection.

The Firewall Manager component filters all network activity according to network packet rules. Configuring network packet rules lets you specify the desired level of computer protection, from blocking Internet access for all applications to allowing unlimited access.

While the Firewall Manager task is running, Kaspersky Endpoint Security manages the parameters and rules of the operating system firewall. The application blocks any configuration of the operating system firewall parameters when, for example, a program or tool adds or deletes a rule. Kaspersky Endpoint Security checks the operating system firewall every 60 seconds and, if necessary, restores a set of the firewall rules. The checking period cannot be changed.

Checking of the operating system firewall continues when the Firewall Manager task is stopped. This allows the application to restore dynamic rules.

When the Firewall Manager task is stopped (when the component is deleted, or the application is stopped or uninstalled), Kaspersky Endpoint Security does not change the operating system firewall rules, and does not control changes to its settings.

All outbound connections are allowed by default (default action setting), unless the corresponding blocking rules for the Firewall Manager task are specified. The default action is performed with the lowest priority: if no other network packet rule has been triggered or if no network packet rules have been specified, the connection is allowed.

Before the Firewall Manager task is enabled, we recommend that you disable other OS firewall management tools.

About network packet rules

Network packet rules are allowing or blocking actions that Firewall Manager performs when it detects a network connection attempt.

Network packet rules impose restrictions on network packets regardless of the program. Such rules restrict inbound and outbound network traffic through specific ports of the selected data protocol.

Firewall Manager specifies certain network packet rules by default. You can create your own network packet rules, and specify an execution priority for each network packet rule.

About dynamic rules

Kaspersky Endpoint Security components can add to the firewall, and delete from it, the dynamic rules that they require to function correctly. For example, Network Agent adds dynamic rules that allow connections to Kaspersky Security Center initiated both by the application and by Kaspersky Security Center.

The Firewall Manager task does not control dynamic rules and does not block access to network resources for the application components. Dynamic rules do not depend on the Firewall Manager task state (started / stopped) or on changes to its settings. Dynamic rules have a higher execution priority than network packet rules. Kaspersky Endpoint Security restores the set of dynamic rules if any of them are deleted, for example, by using the iptables utility.

You can view the set of dynamic rules (by using the kesl-control -F --query command), but you cannot change the settings for dynamic rules.

About the predefined network zone names

The Firewall controls all network connections on the user's computer. You can add a network address to one of the following predefined zones:

Firewall Manager task settings

This section provides information about the settings that you can specify for the Firewall Manager task.

All available values and default values for each setting are described.

DefaultIncomingAction

The default action to perform on an inbound connection if no network rules can be applied to this kind of connection.

Available values:

Allow—Allow inbound connection

Block—Block inbound connection

Default value: Allow

DefaultIncomingPacketAction

The default action to perform on an incoming packet if no network packet rules can be applied to this kind of connection.

Available values:

Allow—Allow incoming packet

Block—Block incoming packet

Default value: Allow

Section [PacketRules.item_xxxx]

The [PacketRules.item_#] sections specify network packet rules for the Firewall Manager task.

You can define several [PacketRules.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process the sections by item index, in ascending order.

Each [PacketRules.item_#] section contains the following settings:

Name

A network packet rule name.

Default value: Network rule #<n>; where, n is an index.

FirewallAction

Action to be performed on connections specified in this network packet rule.

Available values:

Allow—Allow network connection

Block—Block network connection

Default value: Allow

Protocol

Type of protocol for which network activity is to be monitored.

Available values:

Any—The Firewall Manager monitors all network activity

TCP

UDP

ICMP

ICMPv6

IGMP

GRE

Default value: Any

RemotePorts

Port numbers of the remote computers between which the connection is to be monitored.

This setting can be specified only if the Protocol setting value was set to TCP or UDP.

An integer or an interval can be specified for this setting.

Available values:

Any—All remote ports are monitored

0-65535

Default value: Any

LocalPorts

Port numbers of the local computers between which the connection is to be monitored.

This setting can be specified only if the Protocol setting value was set to TCP or UDP.

An integer or an interval can be specified for this setting.

Available values:

Any—All local ports are monitored

0-65535

Default value: Any

ICMPType

ICMP packet type.

This setting can be specified only if the Protocol setting value was set to ICMP or ICMPv6.

Available values:

Any—All ICMP packet types are monitored

Integer according to a data transfer protocol specification

Default value: Any

ICMPCode

ICMP packet code.

This setting can be specified only if the Protocol setting value was set to ICMP or ICMPv6.

Available values:

Any—All ICMP packet codes are monitored

Integer according to a data transfer protocol specification

Default value: Any

Direction

Direction of the monitored network activity.

Available values:

IncomingOutgoing—Monitor both inbound and outbound connections

Incoming—Monitor inbound connections

Outgoing—Monitor outbound connections

IncomingPacket—Monitor incoming packets

OutgoingPacket—Monitor outgoing packets

IncomingOutgoingPacket—Monitor both incoming and outgoing packets

Default value: IncomingOutgoing

RemoteAddress

The network addresses of remote computers that can send and / or receive network packets.

Available values:

Any—Monitor network packets sent and/or received by remote computers with any IP address

Trusted—All Trusted networks

Local—All Local networks

Public—All Public networks

d.d.d.d—IPv4 address; where, d is a decimal number 0-255

d.d.d.d/p—Subnet of IPv4 addresses; where, p is a number 0-32

x:x:x:x:x:x:x:x—IPv6 address; where, x is a hexadecimal number 0-ffffff

x:x:x:x::0/p—Subnet of IPv6 addresses; where, p is a number 0-64

Default value: Any

LocalAddress

Network addresses of computers that have Kaspersky Endpoint Security installed and can send and / or receive network packets.

Available values:

Any—Monitor network packets sent and/or received by remote computers with any IP address

d.d.d.d—IPv4 address; where, d is a decimal number 0-255

d.d.d.d/p—Subnet of IPv4 addresses; where, p is a number 0-32

x:x:x:x:x:x:x:x—IPv6 address; where, x is a hexadecimal number 0-ffffff

x:x:x:x::0/p—Subnet of IPv6 addresses; where, p is a number 0-64

Default value: Any

LogAttempts

Specify whether you want the actions of the network rule to be included in the report.

Available values:

Yes—Report actions

No—Do not report actions

Default value: No

Section [NetworkZonesPublic]

The [NetworkZonesPublic] section specifies network addresses associated with Public networks.

You can specify several IP addresses or subnets of IP addresses.

Address.item_xxxx

Available values:

d.d.d.d—IPv4 address; where, d is a decimal number 0-255

d.d.d.d/p—Subnet of IPv4 addresses; where, p is a number 0-32

x:x:x:x:x:x:x:x—IPv6 address; where, x is a hexadecimal number 0-ffffff

x:x:x:x::0/p—Subnet of IPv6 addresses; where, p is a number 0-64

Default value: “” (no network addresses in this zone)

Section [NetworkZonesLocal]

The [NetworkZonesLocal] section specifies network addresses associated with Local networks.

You can specify several IP addresses or subnets of IP addresses.

Address.item_xxxx

Available values:

d.d.d.d—IPv4 address; where, d is a decimal number 0-255

d.d.d.d/p—Subnet of IPv4 addresses; where, p is a number 0-32

x:x:x:x:x:x:x:x—IPv6 address; where, x is a hexadecimal number 0-ffffff

x:x:x:x::0/p—Subnet of IPv6 addresses; where, p is a number 0-64

Default value: “” (no network addresses in this zone)

Section [NetworkZonesTrusted]

The [NetworkZonesTrusted] section specifies network addresses associated with Trusted networks.

You can specify several IP addresses or subnets of IP addresses.

Address.item_xxxx

Available values:

d.d.d.d—IPv4 address; where, d is a decimal number 0-255

d.d.d.d/p—Subnet of IPv4 addresses; where, p is a number 0-32

x:x:x:x:x:x:x:x—IPv6 address; where, x is a hexadecimal number 0-ffffff

x:x:x:x::0/p—Subnet of IPv6 addresses; where, p is a number 0-64

Default value: “” (no network addresses in this zone)
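The settings above combine into an ordered rule list with a default action as the fallback. The following Python sketch is an added example, not part of Kaspersky Endpoint Security or its documentation: it dry-runs a constructed task configuration, orders the rules by item index, flags port and ICMP settings used with the wrong Protocol, and reports which rule decides a connection. It assumes an INI-style file with Key=Value lines, that the first matching rule wins, and a placeholder [General] header for the top-level settings; all function names are hypothetical.

```python
import configparser
import ipaddress

# Constructed sample task configuration (setting names from the reference above).
SAMPLE_CONFIG = """\
DefaultIncomingAction=Block
DefaultIncomingPacketAction=Allow

[PacketRules.item_0001]
Name=Block all other SSH
FirewallAction=Block
Protocol=TCP
LocalPorts=22
Direction=Incoming
LogAttempts=Yes

[PacketRules.item_0000]
Name=Allow SSH from Trusted zone
Protocol=TCP
LocalPorts=22
Direction=Incoming
RemoteAddress=Trusted

[PacketRules.item_0002]
Name=Misconfigured ICMP rule
FirewallAction=Block
Protocol=ICMP
LocalPorts=1-1024

[NetworkZonesTrusted]
Address.item_0000=10.20.0.0/24
"""

# Documented default values for settings omitted from a rule section.
DEFAULTS = {"FirewallAction": "Allow", "Protocol": "Any", "RemotePorts": "Any",
            "LocalPorts": "Any", "ICMPType": "Any", "ICMPCode": "Any",
            "Direction": "IncomingOutgoing", "RemoteAddress": "Any"}
COVERS = {"IncomingOutgoing": {"Incoming", "Outgoing"},
          "IncomingOutgoingPacket": {"IncomingPacket", "OutgoingPacket"}}
PROTO_ONLY = (("RemotePorts", ("TCP", "UDP")), ("LocalPorts", ("TCP", "UDP")),
              ("ICMPType", ("ICMP", "ICMPv6")), ("ICMPCode", ("ICMP", "ICMPv6")))

def load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string("[General]\n" + text)  # placeholder header for top-level settings
    return cp

def rules(cp):
    """Rules sorted by item index, with documented defaults filled in."""
    secs = [s for s in cp.sections() if s.startswith("PacketRules.item_")]
    secs.sort(key=lambda s: int(s.rsplit("_", 1)[1]))
    return [{**DEFAULTS, "Name": s, **cp[s]} for s in secs]

def zone_nets(cp, zone):
    sec = "NetworkZones" + zone
    vals = cp[sec].values() if cp.has_section(sec) else []
    return [ipaddress.ip_network(v, strict=False) for v in vals if v]

def lint(cp):
    """Settings that the reference allows only for certain Protocol values."""
    out = []
    for r in rules(cp):
        for key, protos in PROTO_ONLY:
            if r[key] != "Any" and r["Protocol"] not in protos:
                out.append(f"{r['Name']}: {key} requires Protocol in {protos}")
    return out

def _port_ok(spec, port):
    if spec == "Any" or port is None:
        return True
    lo, _, hi = spec.partition("-")  # an integer or an interval such as 1-1024
    return int(lo) <= port <= int(hi or lo)

def _addr_ok(cp, spec, addr):
    if spec == "Any":
        return True
    nets = (zone_nets(cp, spec) if spec in ("Public", "Local", "Trusted")
            else [ipaddress.ip_network(spec, strict=False)])
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)

def decide(cp, direction, protocol, remote, local_port=None, remote_port=None):
    """Return (action, deciding rule). ASSUMPTION: the first matching rule wins."""
    for r in rules(cp):
        if (direction in COVERS.get(r["Direction"], {r["Direction"]})
                and r["Protocol"] in ("Any", protocol)
                and _port_ok(r["LocalPorts"], local_port)
                and _port_ok(r["RemotePorts"], remote_port)
                and _addr_ok(cp, r["RemoteAddress"], remote)):
            return r["FirewallAction"], r["Name"]
    key = {"Incoming": "DefaultIncomingAction",
           "IncomingPacket": "DefaultIncomingPacketAction"}.get(direction)
    # Outbound traffic is allowed unless a rule blocks it.
    return (cp["General"].get(key, "Allow") if key else "Allow"), "default action"
```

With the documented default of DefaultIncomingAction=Allow, any inbound connection that no rule matches is accepted, so a review of a rule set should always include the fallback case.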

Adding network packet rule

You can manually add a network packet rule.

You can add only one network packet rule at a time.

To add a network packet rule, execute the following command:

kesl-control -F --add-rule --name <rule name> --action <action> --protocol <protocol> --direction <direction> --remote <remote address> --local <local address> --at <index in a list of network packet rules>

A section containing new network packet rule settings is added to the Firewall Manager task configuration file. If you did not specify a certain parameter in the command, the default value is set.

The --at option lets you specify the index of the rule being created in the list of network packet rules. If the --at option is not specified, or its value is larger than the number of rules in the list, the new rule is added to the end of the list.

Deleting network packet rule

You can manually delete a network packet rule.

You can delete only one network packet rule at a time.

To delete a network packet rule, execute one of the following commands:

A section with network packet rules settings is deleted from the configuration file of the Firewall Manager task.

If the list of network packet rules does not contain a rule with a specified name or index, an error occurs.

Changing execution priority of network packet rule

You can manually change an execution priority for a network packet rule.

To change an execution priority for a network packet rule, execute the following command:

kesl-control -F --move-rule [--name <name>|--index <index>] --at <index>

The network packet rule priority is changed to the specified index.

Adding network address to zone section

You can manually add network addresses associated with a certain type of network to the configuration file of the Firewall Manager task.

To add a network address to the zone, execute the following command:

kesl-control -F --add-zone <Public|Local|Trusted> --address <address>

A network address is added to the specified zone section in the task configuration file.

Deleting network address from zone section

You can manually delete network addresses associated with a certain type of network from the configuration file of the Firewall Manager task.

To delete a network address from the zone in a configuration task, execute the following command:

kesl-control -F --del-zone <zone> [--address <address>| --index <address index in the zone>]

The specified network address is deleted from the specified zone section in the configuration file.

If a zone contains several items with the same network address, the --del-zone command will not be executed.

If the specified network address or index does not exist, an error occurs.

Anti-Cryptor task (AntiCryptor ID:13)

This section contains information about the Anti-Cryptor task.

About Anti-Cryptor task

The Anti-Cryptor task protects files in local directories that are accessible over the network via the SMB / NFS protocols from malicious remote encryption.

While the Anti-Cryptor task is running, Kaspersky Endpoint Security scans remote computers' calls to access files located in the shared network directories of the protected device. If the application considers a remote computer's actions on network file resources to be malicious encrypting, then this computer is added to a list of untrusted hosts and loses access to the shared network directories.

Kaspersky Endpoint Security does not consider activity to be malicious encrypting if the detected encryption activity takes place in directories excluded from the scope of the Anti-Cryptor task.

By default, Kaspersky Endpoint Security blocks untrusted hosts' access to network file resources for 30 minutes.

The Anti-Cryptor task runs correctly with SMB1, SMB2, SMB3, NFS3, TCP / UDP, and IP / IPv6 protocols. NFS2 and NFS4 protocols are not supported. We recommend configuring your server so that the NFS2 and NFS4 protocols cannot be used to mount resources.

The Anti-Cryptor task does not block access to network file resources until the host's activity is identified as malicious. So at least one file will be encrypted before the application detects a malicious activity.

About untrusted hosts blocking

When malicious encryption activity is detected, Kaspersky Endpoint Security creates and enables an operating system firewall rule that blocks network traffic from the compromised host. The compromised host is added to the list of untrusted hosts. Kaspersky Endpoint Security blocks access to shared network directories for all remote hosts in the list of untrusted hosts. Information about blocked hosts is sent from the protected server to Kaspersky Security Center.

Firewall rules created by the Anti-Cryptor cannot be deleted by using the iptables utility: Kaspersky Endpoint Security restores the set of rules once per minute. Use the --allow-hosts option to unblock a host.

By default, Kaspersky Endpoint Security removes untrusted computers from the list 30 minutes after they were added to it. Computers' access to network file resources is restored automatically after they are deleted from the list of untrusted hosts. You can modify the list of blocked hosts and specify the time after which blocked computers are automatically unblocked.

Anti-Cryptor task settings

This section provides information about the settings you can specify for the Anti-Cryptor task.

All available values and default values for each setting are described.

UseHostBlocker

Enables or disables blocking of untrusted hosts.

If blocking of untrusted hosts is disabled, Kaspersky Endpoint Security still scans remote computers' actions on network file resources for malicious encrypting when the Anti-Cryptor task is running. If malicious activity is detected, the EncryptionDetected event is created, but the attacking host is not blocked.

Available values:

Yes—Enable blocking of untrusted hosts

No—Disable blocking of untrusted hosts

Default value: Yes

BlockTime

Specifies the time to block an untrusted host (in minutes).

If a compromised host is blocked, and you change a value for the BlockTime setting, the blocking time for this host will not change. The blocking time is not a dynamic value, and is calculated at the moment of blocking.

Available values:

Integer from 1 to 4294967295

Default value: 30

UseExcludeMasks

Enables or disables the exclusion from protection scope of objects specified by the ExcludeMasks setting.

This setting works only with the ExcludeMasks setting specified.

Available values:

Yes—Exclude objects specified by the ExcludeMasks setting from the protection scope

No—Do not exclude objects specified by the ExcludeMasks setting from the protection scope

Default value: No

ExcludeMasks

Specifies a list of masks that define objects to be excluded from the protection scope.

Before specifying this parameter, make sure the UseExcludeMasks setting’s value is set to Yes.

Masks are specified in command shell format.

If you want to specify several masks, each mask must be specified on a new line with a new index (ExcludeMasks.item_0000, ExcludeMasks.item_0001).

Default value: not defined

Section [ScanScope.item_#]

[ScanScope.item_#] sections specify scopes to be protected by Kaspersky Endpoint Security. At least one protection scope must be specified for the Anti-Cryptor task.

For the Anti-Cryptor task only shared directories can be specified.

You can define several [ScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by an item index in ascending order.

Each [ScanScope.item_#] section contains the following settings:

AreaDesc

Specifies the name of the protection scope.

Default value: AllSharedFolders

UseScanArea

Enables or disables protection of the specified scope.

Available values:

Yes—Protect a specified scope

No—Do not protect a specified scope

Default value: Yes

Path

Specifies the path to the objects to be protected.

Available values:

absolute path available via SMB / NFS (for example, Path=/tmp)

AllShared—Protect all resources shared via SMB / NFS

Shared:SMB <path>—Protect resources shared via SMB

Shared:NFS <path>—Protect resources shared via NFS

Default value: AllShared

AreaMask.item_#

Specifies a command line shell mask that defines the objects to be protected.

You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by indexes in ascending order.

Default value: * (all objects will be processed)

Section [ExcludedFromScanScope.item_#]

[ExcludedFromScanScope.item_#] sections specify the objects to be excluded from all [ScanScope.item_#] sections.

All objects that match the rules of any [ExcludedFromScanScope.item_#] section will not be scanned. The format of an [ExcludedFromScanScope.item_#] section is similar to the format of a [ScanScope.item_#] section.

You can define several [ExcludedFromScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by an item index in ascending order.

Each [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Specifies the name of the scope to be excluded from scanning.

Default value: All objects

UseScanArea

Specifies whether the specified scope will be excluded from the protection.

Available values:

Yes—Exclude a specified scope from the protection

No—Do not exclude the specified scope from the protection

Default value: Yes

Path

Specifies the path to the objects to be excluded from the protection.

You can specify only an absolute path to a local directory (for example, /root /tmp/123) that will not be protected by the Anti-Cryptor.

Default value: not defined

AreaMask.item_#

Specifies a command line shell mask that defines the objects to be excluded from the protection.

You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by indexes in ascending order.

Default value: * (all objects will be processed)
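Several of the settings above interact in ways that are easy to miss when a configuration is reviewed: masks that are defined but not enabled, detection without blocking, exclusions that open blind spots, and NFS versions that the task cannot monitor. The following Python sketch is an added example, not part of Kaspersky Endpoint Security or its documentation: it audits a constructed Anti-Cryptor task configuration together with the contents of /proc/fs/nfsd/versions from a Linux NFS server. It assumes an INI-style file with Key=Value lines and a placeholder [General] header for top-level settings; all function names are hypothetical.

```python
import configparser

# Constructed sample Anti-Cryptor task configuration (setting names from the reference above).
SAMPLE_CONFIG = """\
UseHostBlocker=No
BlockTime=30
UseExcludeMasks=No
ExcludeMasks.item_0000=*.bak

[ScanScope.item_0000]
AreaDesc=Project share
UseScanArea=Yes
Path=/srv/share
AreaMask.item_0000=*

[ExcludedFromScanScope.item_0000]
AreaDesc=Scratch space
UseScanArea=Yes
Path=/srv/share/tmp
AreaMask.item_0000=*
"""
# Constructed sample of /proc/fs/nfsd/versions on the protected file server.
SAMPLE_NFSD_VERSIONS = "-2 +3 +4 +4.1 +4.2\n"

def load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string("[General]\n" + text)  # placeholder header for top-level settings
    return cp

def scopes(cp, kind):
    """Enabled (path, masks) pairs from [<kind>.item_#] sections, by item index."""
    out = []
    for name in sorted(s for s in cp.sections() if s.startswith(kind + ".item_")):
        sec = cp[name]
        if sec.get("UseScanArea", "Yes") == "Yes":
            masks = [v for k, v in sorted(sec.items()) if k.startswith("AreaMask.item_")]
            out.append((sec.get("Path", ""), masks or ["*"]))
    return out

def _within(child, parent):
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def unsupported_nfs(versions_text):
    """NFS versions enabled on the server that the task does not support (2 and 4.x)."""
    enabled = [t[1:] for t in versions_text.split() if t.startswith("+")]
    return [v for v in enabled if v.split(".")[0] in ("2", "4")]

def audit(config_text, nfsd_versions=""):
    cp = load(config_text)
    g, findings = cp["General"], []
    if g.get("UseHostBlocker", "Yes") != "Yes":
        findings.append("UseHostBlocker=No: EncryptionDetected is raised but the host is not blocked")
    block = g.get("BlockTime", "30")
    if not (block.isdigit() and 1 <= int(block) <= 4294967295):
        findings.append(f"BlockTime={block} is outside 1-4294967295")
    masks = [k for k in g if k.startswith("ExcludeMasks.item_")]
    use_masks = g.get("UseExcludeMasks", "No") == "Yes"
    if masks and not use_masks:
        findings.append("ExcludeMasks defined but UseExcludeMasks=No: the masks have no effect")
    if use_masks and not masks:
        findings.append("UseExcludeMasks=Yes but no ExcludeMasks items are defined")
    protected = scopes(cp, "ScanScope")
    if not protected:
        findings.append("no enabled [ScanScope.item_#] section: at least one scope is required")
    for ex_path, ex_masks in scopes(cp, "ExcludedFromScanScope"):
        if not ex_path:
            continue  # Path is not defined by default, so there is nothing to compare
        covered = [p for p, _ in protected if "*" in ex_masks and _within(p, ex_path)]
        if covered:
            findings.append(f"exclusion {ex_path} covers entire protected scope(s) {covered}")
        else:
            findings.append(f"blind spot: encryption under {ex_path} {ex_masks} is not treated as malicious")
    bad = unsupported_nfs(nfsd_versions)
    if bad:
        findings.append(f"NFS versions {bad} are enabled but not supported by the task")
    return findings
```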

Viewing list of blocked hosts

You can view a list of untrusted hosts blocked by the Anti-Cryptor task.

To view a list of blocked hosts, execute the following command:

kesl-control -H --get-blocked-hosts

Hosts blocked by the Anti-Cryptor task will be displayed.

Allowing blocked hosts

You can manually unblock hosts that were blocked by the Anti-Cryptor task, and restore the network access for them.

To unblock hosts, execute the following command:

kesl-control [-H] --allow-hosts <host>

where <host> can be a list of valid IPv4 / IPv6 addresses (including addresses in short form) and/or a subnet. You can also specify hosts as a list.

Specified hosts are unblocked.

Examples:

IPv4 addresses:

dec - 192.168.0.1

dec - 192.168.0.0/24

IPv6 addresses:

hex - FEDC:BA98:7654:3210:FEDC:BA98:7654:3210

hex - FEDC:BA98:7654:3210:FEDC:BA98:7654:3210%1

hex - 2001:db8::ae21:ad12

hex - ::ffff:255.255.255.254

hex - ::

Participating in Kaspersky Security Network

This section contains information about participation in Kaspersky Security Network and instructions on how to enable or disable use of Kaspersky Security Network.

About participation in Kaspersky Security Network

To protect your computer more effectively, Kaspersky Endpoint Security uses data that is gathered from users around the globe. Kaspersky Security Network is designed to collect such data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to Kaspersky Lab's online knowledge base with information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Endpoint Security to new threats, improves the performance of some protection components, and reduces the likelihood of false positives.

Depending on the location of the infrastructure, there is a Global KSN service (the infrastructure is hosted by Kaspersky Lab servers) and a Private KSN service (the infrastructure is hosted by third-party servers, for example on the network of the Internet service provider).

After changing the license, submit the details of the new key to the service provider in order to be able to use Private KSN. Otherwise, data exchange with Private KSN will be impossible due to an authentication error.

Thanks to users who participate in KSN, Kaspersky Lab is able to promptly gather information about types and sources of threats, develop solutions for neutralizing them, and minimize the number of false alarms displayed by application components.

There are two ways to participate in KSN:

No personal data is collected, processed, or stored. More detailed information about submission of statistical information generated during participation in KSN, storage and destruction of such information is available in the Kaspersky Security Network Statement and on the Kaspersky Lab website at (http://www.kaspersky.com/privacy). The file with the text of the Kaspersky Security Network Statement is included in the application distribution kit.

User computers managed by Kaspersky Security Center Administration Server can interact with KSN via the KSN Proxy service.

The KSN Proxy service provides the following capabilities:

More details about the KSN Proxy service can be found in the Kaspersky Security Center documentation.

KSN Proxy settings can be configured in the properties of the Kaspersky Security Center policy.

Participation in Kaspersky Security Network is voluntary. During installation, the application prompts the user to participate in KSN. Users can begin or discontinue participation in KSN at any time.

Enabling and disabling use of Kaspersky Security Network

To enable use of Kaspersky Security Network, execute one of the following commands:

To disable use of Kaspersky Security Network, execute the following command:

kesl-control --set-app-settings UseKSN=No

To enable or disable use of Kaspersky Security Network with a configuration file, execute the following command:

kesl-control --set-app-settings --file <configuration file name>

If Kaspersky Endpoint Security installed on a computer runs under a policy that was assigned in Kaspersky Security Center, the value of the UseKSN parameter can only be changed by using Kaspersky Security Center.

If Kaspersky Endpoint Security installed on a computer stops running a policy, the UseKSN=No parameter value is set.

The file containing the text of the Kaspersky Security Network Statement is located in the directory /opt/kaspersky/kesl/doc/ksn_license.<language ID>.

Checking the connection to Kaspersky Security Network

To check the connection to Kaspersky Security Network, run the following command:

kesl-control --app-info

The KSN state string displays the status of the connection to Kaspersky Security Network:

A connection to Kaspersky Security Network may be absent for the following reasons:

Enhanced protection with Kaspersky Security Network

Kaspersky Lab offers an extra layer of protection to users through the Kaspersky Security Network. This protection method is designed to combat advanced persistent threats and zero-day attacks. Integrated cloud technologies and the expertise of Kaspersky Lab virus analysts make Kaspersky Endpoint Security the unsurpassed choice for protection against the most sophisticated network threats.

Details on enhanced protection in Kaspersky Endpoint Security are available on the Kaspersky Lab website.

Using Kaspersky Endpoint Security graphical user interface

This section describes working with Kaspersky Endpoint Security by using the graphical user interface (GUI).

Enabling and disabling graphical user interface locally

You can enable or disable the Kaspersky Endpoint Security graphical user interface (GUI) locally from the command line.

Root privileges are required to enable or disable the GUI.

To enable or disable the GUI:

  1. Run the application configuration script:

    /opt/kaspersky/kesl/bin/kesl-setup.pl –G

  2. In the command line, do one of the following:
    • If you want to enable graphical user interface, press the Y key.

      If you enable the GUI, users without root privileges will be able to run on-demand scan tasks.

      If a user is logged in, a GUI will be launched for this user if all necessary libraries are available. The application icon appears in the notification area of the taskbar and shortcuts are created.

    • If you want to disable the GUI, press the N key.

      The application blocks users from starting the GUI. The application icon and shortcuts are removed.

Application interface

This section describes the primary elements of the application graphical user interface (GUI).

Application icon in the notification area

After the Kaspersky Endpoint Security graphical user interface is enabled, the application icon appears in the notification area on the right side of the taskbar.

The icon acts as a shortcut to the context menu and main window of the application.

The context menu of the application icon contains the following items:

You can open the context menu of the application icon by right-clicking the application icon in the notification area.

Main application window

The main window of Kaspersky Endpoint Security contains interface elements that provide access to the application functions.

The main application window is divided into several parts:

To open the main window of Kaspersky Endpoint Security, perform one of the following actions:

Managing tasks and components

By default, the Kaspersky Endpoint Security graphical user interface (GUI) allows you to start and stop the following tasks:

The Kaspersky Endpoint Security GUI also allows you to enable and disable the following components:

Also, you can manage your participation in Kaspersky Security Network.

Starting and stopping scan tasks

You can start and stop Full scan, On-demand scan, Boot sector scan, and Memory scan tasks by using the Kaspersky Endpoint Security GUI.

To start or stop a scan task:

  1. Open the main application window.
  2. In the main application window, click the Scan button to open the Scan window.
  3. Do one of the following:
    • If you want to start a task, click the Start button under the scan task that you want to start.

      The progress of the running task is displayed.

    • If you want to stop a task, click the Stop button under the scan task that you want to stop.

      The scan task stops, and information about scanned objects and detected threats is displayed.

  4. If necessary, you can click the Show report button to view the task report.

    The Reports window is available for non-root users only when the general application setting UIReportsForRootOnly is set to No. Otherwise, the Reports window is available only for a root user.

Starting and stopping update tasks

You can start and stop Update, Update rollback, and Update distribution tasks by using the Kaspersky Endpoint Security graphical user interface.

To start or stop an Update task or Update distribution task:

  1. Open the main application window.
  2. In the main application window, click the Update button to open the Update window.
  3. Do one of the following:
    • If you want to start a task, click the Start button under the task that you want to start.

      The progress of the running task is displayed.

      If the Update task finishes successfully, the Rollback update link becomes available, and you can roll back the last update.

    • If you want to stop a task, click the Stop button under the task that you want to stop.

      The task stops.

  4. If necessary, you can click the Show report button to view the task report.

    The Reports window is available for non-root users only when the general application setting UIReportsForRootOnly is set to No. Otherwise, the Reports window is available only for a root user.

To run an update rollback task:

  1. Open the main application window.
  2. In the main application window, click the Update button to open the Update window.
  3. In the Update section, click the Rollback update link to roll back the last successful database update.

Enabling and disabling application components

You can enable and disable the Real-time protection, Firewall Manager, Anti-Cryptor, and File Integrity Monitoring components using the Kaspersky Endpoint Security graphical user interface at any time.

If a component is enabled, the Disable button is available. By default, only Real-time protection is enabled.

If a component is disabled, the Enable button is available.

To enable or disable a component:

  1. Open the main application window.
  2. In the lower part of the main application window, click the Settings button.

    The Settings window opens.

  3. In the Settings window, perform the following actions for the required component:
    • If you want to enable a component, click the Enable button.
    • If you want to disable a component, click the Disable button.

Managing participation in Kaspersky Security Network

You can manage your participation in Kaspersky Security Network at any time.

To enable Kaspersky Security Network:

  1. Open the main application window.
  2. In the lower part of the main application window, click the Settings button.

    The Settings window opens.

  3. In the Settings window, select one of the following options:
    • Kaspersky Security Network with statistics—To enable Kaspersky Security Network, obtain information from the knowledge base, and send anonymous statistics and information about the types and sources of new threats.
    • Kaspersky Security Network without statistics—To obtain information from the knowledge base, but not to send anonymous statistics and information about the types and sources of new threats.
  4. Click the Enable button.
  5. In the Participation in Kaspersky Security Network window, carefully read the Kaspersky Security Network Statement, and select one of the following options:
    • I confirm I have fully read, understood, and accept the terms and conditions of this KSN Statement—To enable Kaspersky Security Network.
    • I do not accept the terms and conditions of this KSN Statement—To disable using Kaspersky Security Network.
  6. Click OK.

    The OK button is unavailable if the Not selected option is selected.

To disable Kaspersky Security Network:

  1. Open the main application window.
  2. In the lower part of the main application window, click the Settings button.

    The Settings window opens.

  3. In the Settings window, click the Disable button.
  4. In the window that opens, do one of the following:
    • Click Yes to confirm disabling Kaspersky Security Network.
    • Click Cancel to continue participating in Kaspersky Security Network.

Reporting

This section describes how you can view reports in the Kaspersky Endpoint Security graphical user interface.

Principles of managing reports

The Reports window is available for non-root users only when the general application setting UIReportsForRootOnly is set to No. Otherwise, the Reports window is available only for a root user.

Information about the performance of Kaspersky Endpoint Security tasks is recorded in reports.

Report data is presented in a table that contains a list of events. Each line in the table contains information about a separate event. Event attributes are located in the table columns. Events logged during the performance of various tasks have different sets of attributes.

The following reports, listed in a menu on the left, are available:

Reports use the following event importance levels:

For convenient processing of reports, you can modify the presentation of data on the screen in the following ways:

Viewing reports

The Reports window is available for non-root users only when the general application setting UIReportsForRootOnly is set to No. Otherwise, the Reports window is available only for a root user.

To view reports:

  1. Open the main application window.
  2. In the lower part of the main application window, click the Reports button.

    The Reports window opens.

  3. To view a specific report, in the left part of the Reports window, in the list of tasks, select the required task.

    A report is displayed in the right part of the window and contains a list of events in the operation of the selected Kaspersky Endpoint Security task.

    By default, events are sorted, in ascending order, by the values in the Date column. You can choose a different order by clicking the required column header.

  4. To view a detailed summary of each event in a report, select the relevant event in the report.

    The event summary is displayed in the lower part of the window.


Viewing objects in Storage

To view objects that Kaspersky Endpoint Security moved to the Storage:

  1. Open the main application window.
  2. Click the Storage button.

    In the window that opens, information about objects in Storage is displayed.

You can view the following information about objects in Storage:

You can restore objects from Storage to their original directories. You can also delete objects from Storage. Deleted objects cannot be restored in the future. Information about these actions is recorded in the event log.


Creating a trace file

To create a trace file:

  1. Open the main application window.
  2. Click the Support button.
  3. In the Support window, click the Tracing link.
  4. In the Level drop-down list, select the trace level.

    You are advised to clarify the required trace level with a Technical Support specialist. By default, the trace level is set to Diagnostic (300).

  5. To start the tracing process, click the Enable button.
  6. To stop the tracing process, click the Disable button.

Created trace files are stored in the /var/log/kaspersky/kesl/ directory.


Contact Technical Support

This section describes how to get technical support and the terms on which it is available.

In this section

How to get technical support

Get technical support by phone

Technical Support via Kaspersky CompanyAccount

Using a trace file and AVZ script


How to get technical support

If you do not find a solution to your problem in the application documentation or in one of the sources of information about the application, we recommend that you contact Kaspersky Lab Technical Support. Technical Support specialists will answer any of your questions about installing and using the application.

Before contacting Technical Support, please read the support rules.

You can contact Technical Support in one of the following ways:

Technical support is available only to users who have purchased a license for use of the application. No technical support is provided to users of trial versions.


Get technical support by phone

You can call Technical Support specialists from most regions worldwide. You can find information about how to obtain technical support in your region and contact information for Technical Support on the Kaspersky Lab Technical Support website.

Before contacting Technical Support, please read the support rules.


Technical Support via Kaspersky CompanyAccount

Kaspersky CompanyAccount is a portal for companies that use Kaspersky Lab applications. The Kaspersky CompanyAccount portal is designed to facilitate interaction between users and Kaspersky Lab specialists through online requests. You can use Kaspersky CompanyAccount to track the status of your online requests and store a history of them as well.

You can register all of your organization's employees under a single account on Kaspersky CompanyAccount. A single account lets you centrally manage electronic requests from registered employees to Kaspersky Lab and also manage the privileges of these employees via Kaspersky CompanyAccount.

The Kaspersky CompanyAccount portal is available in the following languages:

To learn more about Kaspersky CompanyAccount, visit the Technical Support website.


Using a trace file and AVZ script

After you report a problem to Kaspersky Lab Technical Support specialists, they may ask you to generate a report with information about the operation of Kaspersky Endpoint Security and send it to Kaspersky Lab Technical Support. Technical Support specialists may also ask you to create a trace file. The trace file makes it possible to perform a step-by-step examination of the execution of application commands and determine when errors occur.

After Technical Support specialists analyze the data that you have sent, they can create an AVZ script and send it to you. By running AVZ scripts, it is possible to analyze active processes for threats, scan the computer for threats, disinfect or delete infected files, and create system scan reports.


Appendices

This section provides information that complements the primary text of the document.

In this section

Default task configuration files

Configuring collaboration: Kaspersky Anti-Virus for Linux Mail Server

Command line return codes


Default task configuration files

This section contains the default configuration files for Kaspersky Endpoint Security tasks.

You can change configuration files at any time. Also, you can change setting values from the command line.


Rules for editing configuration files of Kaspersky Endpoint Security

When editing a configuration file, adhere to the following rules:

A single quotation mark in the beginning or end of a string is considered an error.


Real-time protection task configuration file

ScanArchived=No
ScanSfxArchived=No
ScanMailBases=No
ScanPlainMail=No
TimeLimit=60
SizeLimit=0
FirstAction=Recommended
SecondAction=Block
UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportPackedObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
UseIChecker=Yes
ScanByAccessType=SmartCheck

[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*


On-demand scan task configuration file

ScanArchived=Yes
ScanSfxArchived=Yes
ScanMailBases=No
ScanPlainMail=No
TimeLimit=0
SizeLimit=0
FirstAction=Recommended
SecondAction=Skip
UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportPackedObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
UseIChecker=Yes

[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*


Custom scan task configuration file

ScanArchived=Yes
ScanSfxArchived=Yes
ScanMailBases=No
ScanPlainMail=No
TimeLimit=0
SizeLimit=0
FirstAction=Recommended
SecondAction=Skip
UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportPackedObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
UseIChecker=Yes

[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*


Boot sectors scan task configuration file

UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
Action=Cure


Memory scan task configuration file

UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportUnprocessedObjects=No
Action=Cure


Update task configuration file

SourceType="KLServers"
UseKLServersWhenUnavailable=Yes
IgnoreProxySettingsForKLServers=No
IgnoreProxySettingsForCustomSources=No
ApplicationUpdateMode=DownloadOnly
ConnectionTimeout=10


Update retranslation task configuration file

SourceType=KLServers
UseKLServersWhenUnavailable=Yes
ConnectionTimeout=10
ApplicationUpdateMode=DownloadOnly


Managing Storage task configuration file

DaysToLive=90
BackupSizeLimit=0
BackupFolder=/var/opt/kaspersky/kesl/common/objects-backup/


Firewall Manager task configuration file

DefaultIncomingAction=Allow
DefaultIncomingPacketAction=Allow

[NetworkZonesTrusted]
[NetworkZonesLocal]
[NetworkZonesPublic]


File integrity monitoring task configuration file

UseExcludeMasks=No

[ScanScope.item_0000]
AreaDesc=Kaspersky internal objects
UseScanArea=Yes
Path=/opt/kaspersky/kesl/
AreaMask.item_0000=*


Anti-Cryptor task configuration file

UseHostBlocker=yes
BlockTime=30
UseExcludeMasks=no

[ScanScope.item_0000]
AreaDesc=AllSharedFolders
UseScanArea=yes
Path=AllShared
AreaMask.item_0000=*


Configuring collaboration: Kaspersky Anti-Virus for Linux Mail Server

To configure the joint operation of Kaspersky Endpoint Security 10 and Kaspersky Anti-Virus for Linux Mail Server:

  1. Save the real-time protection task settings in the configuration file using the following command:

    kesl-control --get-settings 1 --file <full path to file>

  2. Open the created configuration file for editing.
  3. Add the following section to the created file:

    [ExcludedFromScanScope.item_#]
    Path=</var/opt/kaspersky/klms>

  4. Repeat the section specified above for all mail agents integrated with Kaspersky Anti-Virus for Linux Mail Server.
  5. To exclude the temporary directory of filters and services of Kaspersky Anti-Virus for Linux Mail Server from scanning, add the following section to the created file:

    [ExcludedFromScanScope.item_#]
    Path=/tmp/klmstmp

  6. Save the changes in the configuration file.
  7. Import settings from the configuration file to the real-time protection task by using the following command:

    kesl-control --set-settings 1 --file <full path to file>
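Steps 3 to 5 of the procedure above as a script helper, added here as an example and not taken from the Kaspersky documentation: it appends ExcludedFromScanScope sections to a settings file exported with kesl-control --get-settings, picking the next free item index and skipping paths that are already excluded. It assumes the four-digit item numbering shown in the default configuration files (item_0000) also applies to ExcludedFromScanScope; the function names and the /root/rtp.ini path are hypothetical.

```shell
#!/bin/sh
# Added example, not Kaspersky code. Function names are hypothetical.
# Assumption: ExcludedFromScanScope sections use the same four-digit
# item_NNNN numbering as the ScanScope.item_0000 sections in the defaults.

# Print the next free item index (zero-padded) for exclusion sections in file $1.
next_excl_index() {
    awk '
        /^\[ExcludedFromScanScope\.item_[0-9]+\]/ {
            n = $0
            sub(/^\[ExcludedFromScanScope\.item_/, "", n)
            sub(/\].*$/, "", n)
            if (n + 0 >= nxt) nxt = n + 1
        }
        END { printf "%04d\n", nxt }
    ' "$1"
}

# Return 0 if file $1 already has an exclusion section whose Path equals $2.
has_exclusion() {
    awk -v want="$2" '
        /^\[/ { in_excl = ($0 ~ /^\[ExcludedFromScanScope\.item_[0-9]+\]/) }
        in_excl && index($0, "Path=") == 1 {
            if (substr($0, 6) == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Append an exclusion for directory $2 to settings file $1.
# Every exclusion removes a path from real-time scanning, so this helper
# (an added safeguard, not a product rule) refuses "/", wildcards and
# relative paths, and does nothing if the path is already excluded.
add_exclusion() {
    cfg=$1
    excl_path=$2
    case $excl_path in
        /|*'*'*|*'?'*)
            echo "refusing overly broad exclusion: $excl_path" >&2
            return 2 ;;
        /*) ;;
        *)
            echo "refusing non-absolute path: $excl_path" >&2
            return 2 ;;
    esac
    if has_exclusion "$cfg" "$excl_path"; then
        return 0
    fi
    idx=$(next_excl_index "$cfg") || return 1
    printf '\n[ExcludedFromScanScope.item_%s]\nPath=%s\n' "$idx" "$excl_path" >> "$cfg"
}

# Workflow from the procedure (/root/rtp.ini is a hypothetical file name):
#   kesl-control --get-settings 1 --file /root/rtp.ini
#   add_exclusion /root/rtp.ini /var/opt/kaspersky/klms   # page prints this path in angle brackets
#   add_exclusion /root/rtp.ini /tmp/klmstmp
#   kesl-control --set-settings 1 --file /root/rtp.ini
```

Review the resulting file before importing it: each added section is a directory that real-time protection will no longer scan.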


Command line return codes

This section contains a description of return codes from the command line.

0 – command / task completed successfully.

1 – general error in command arguments.

2 – error in passed application settings.

64 – Kaspersky Endpoint Security is not running.

66 – anti-virus databases have not been downloaded (used only for the command --app-info).

67 – activation 2.0 ended with an error due to network problems.

68 – the command cannot be executed because the application is running under a policy.

128 – unknown error.

65 – all other errors.


AO Kaspersky Lab

Kaspersky Lab is a world-renowned vendor of systems protecting computers against digital threats, including viruses and other malware, unsolicited email (spam), and network and hacking attacks.

In 2008, Kaspersky Lab was rated among the world’s top four leading vendors of information security software solutions for end users (IDC Worldwide Endpoint Security Revenue by Vendor). Kaspersky Lab is the preferred vendor of computer protection systems for home users in Russia (IDC Endpoint Tracker 2014).

Kaspersky Lab was founded in Russia in 1997. It has since grown into an international group of companies with 38 offices in 33 countries. The company employs more than 3,000 skilled professionals.

Products. Kaspersky Lab products provide protection for all systems, from home computers to large corporate networks.

The personal product range includes security applications for desktop, laptop, and tablet computers, smartphones and other mobile devices.

The company offers protection and control solutions and technologies for workstations and mobile devices, virtual machines, file and web servers, mail gateways, and firewalls. The company's portfolio also features specialized products providing protection against DDoS attacks, protection for industrial control systems, and prevention of financial fraud. Used in conjunction with centralized management tools, these solutions ensure effective automated protection for companies and organizations of any size against computer threats. Kaspersky Lab products are certified by major test laboratories, compatible with software from diverse vendors, and optimized to run on many hardware platforms.

Kaspersky Lab virus analysts work around the clock. Every day they uncover hundreds of thousands of new computer threats, create tools to detect and disinfect them, and include their signatures in databases used by Kaspersky Lab applications.

Technologies. Many technologies that are now part and parcel of modern anti-virus tools were originally developed by Kaspersky Lab. It is no coincidence that many other developers use the Kaspersky Anti-Virus engine in their products, including: Alcatel-Lucent, Alt-N, Asus, BAE Systems, Blue Coat, Check Point, Cisco Meraki, Clearswift, D-Link, Facebook, General Dynamics, H3C, Juniper Networks, Lenovo, Microsoft, NETGEAR, Openwave Messaging, Parallels, Qualcomm, Samsung, Stormshield, Toshiba, Trustwave, Vertu, and ZyXEL. Many of the company’s innovative technologies are patented.

Achievements. Over the years, Kaspersky Lab has won hundreds of awards for its services in combating computer threats. Following tests and research conducted by the reputed Austrian test laboratory AV-Comparatives in 2014, Kaspersky Lab ranked among the top two vendors by the number of Advanced+ certificates earned and was ultimately awarded the Top Rated certificate. But Kaspersky Lab's main achievement is the loyalty of its users worldwide. The company’s products and technologies protect more than 400 million users, and its corporate clients number more than 270,000.

 

Kaspersky Lab website:

https://www.kaspersky.com

Virus encyclopedia:

https://securelist.com

Virus Lab:

https://virusdesk.kaspersky.com (for analyzing suspicious files and websites)

Kaspersky Lab’s web forum:

https://forum.kaspersky.com

 


Information about third-party code

Information about third-party code is contained in the file legal_notices.txt located in the application installation directory.


Trademark notices

Registered trademarks and service marks are the property of their respective owners.

Core is a trademark of Intel Corporation in the U.S. and/or other countries.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Microsoft, Outlook, Outlook Express, and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.

Novell is a registered trademark of Novell Inc. in the United States and other countries.

Oracle is a registered trademark of Oracle and/or its affiliates.

Red Hat, Red Hat Enterprise Linux, and CentOS are registered trademarks of Red Hat Inc. in the United States and other countries.

Debian is a registered trademark of Software in the Public Interest, Inc.

SUSE is a registered trademark of SUSE LLC in the United States and other countries.


Glossary

Activation code

A code that you receive when purchasing a license for Kaspersky Endpoint Security. This code is required for activation of the application.

The activation code is a unique sequence of twenty letters and numbers in the format xxxxx-xxxxx-xxxxx-xxxxx.

Active key

A key that is currently used by the application.

Additional key

A key that certifies the right to use the application but is not currently being used.

Administration group

A set of computers that share common functions and a set of Kaspersky Lab applications installed on them. Computers are grouped so that they can be managed conveniently as a single unit. A group may include other groups. It is possible to create group policies and group tasks for each installed application in the group.

Administration Server

A component of Kaspersky Security Center that centrally stores information about all Kaspersky Lab applications that are installed within the corporate network. It can also be used to manage these applications.

Anti-virus databases

Databases that contain information about computer security threats known to Kaspersky Lab as of when the anti-virus databases are released. Entries in anti-virus databases allow malicious code to be detected in scanned objects. Anti-virus databases are created by Kaspersky Lab specialists and updated hourly.

Application administration plug-in

A specialized component that provides the interface for application management through Administration Console. Each application has its own plug-in. It is included in all Kaspersky Lab applications that can be managed by using Kaspersky Endpoint Security.

Backup

A special storage for backup copies of files, which are created before disinfection or deletion is attempted.

Disinfection

A method of processing infected objects that results in full or partial recovery of data. Not all infected objects can be disinfected.

Exclusion

An Exclusion is an object excluded from the scan by a Kaspersky Lab application. You can exclude from the scan files of certain formats, file masks, a certain area (for example, a folder or a program), application processes, or objects by threat type, according to the Virus Encyclopedia classification. Each task can be assigned a set of exclusions.

False positive

A situation in which a Kaspersky Lab application considers a non-infected object to be infected because the object's code is similar to that of a virus.

File mask

Representation of a file name using wildcards. The standard wildcards used in file masks are * and ?, where * represents any number of any characters and ? stands for any single character.

Group task

A task defined for an administration group and executed on all the client computers included in that administration group.

Infectable object

An object which, due to its structure or format, can be used by intruders as a "container" to store and spread malicious code. As a rule, these are executable files, with such file extensions as .com, .exe, and .dll. The risk of penetration of malicious code into such files is quite high.

Infected object

An object in which a portion of code completely matches part of the code of known malware. Kaspersky Lab does not recommend accessing such objects.

Kaspersky Lab update servers

A list of Kaspersky Lab's HTTP and FTP servers from which the application downloads database updates to mobile devices.

License

A time-limited right to use the app, granted under the End User License Agreement.

License certificate

A document provided to you by Kaspersky Lab together with a key file or an activation code. This document contains information about the license provided.

Policy

A policy determines the settings of an application and manages the access to configuration of an application installed on computers within an administration group. An individual policy must be created for each application. You can create an unlimited number of various policies for applications installed on computers in each administration group, but only one policy can be applied to each application at a time within an administration group.

Program settings

Application settings that are common to all types of tasks and govern the overall operation of the application, such as application performance settings, report settings, and backup settings.

Proxy-server

A computer network service which allows users to make indirect requests to other network services. First, a user connects to a proxy server and requests a resource (e.g., a file) located on another server. Then the proxy server either connects to the specified server and obtains the resource from it or returns the resource from its own cache (if the proxy has its own cache). In some cases, a user's request or a server's response can be modified by the proxy server for certain purposes.

Real-time protection

The application's operating mode under which objects are scanned for the presence of malicious code in real time.

The application intercepts all attempts to open any object (read, write, or execute) and scans the object for threats. Uninfected objects are passed on to the user; objects containing threats or probably infected objects are processed according to the task settings (disinfected, deleted or quarantined).

Subscription

Enables use of the application within the selected parameters (expiration date and number of devices). You can pause or resume your subscription, renew it automatically, or cancel it.

Task

Functions performed by the Kaspersky Lab application are implemented as tasks, such as: Real-time file protection, Full computer scan, and Database update.

Task for specific computers

A task assigned for a set of client computers from arbitrary administration groups and performed on those hosts.

Task settings

Application settings that are specific for each task type.

Update

A function performed by a Kaspersky Lab application that enables it to keep computer protection up-to-date. During the update, an application downloads updates for its databases and modules from Kaspersky Lab update servers and automatically installs and applies them.
