Kaspersky Embedded Systems Security for Linux

Print Support Send link

Kaspersky Embedded Systems Security 3.3 for Linux
- Distribution kit
- Hardware and software requirements
Preparing to install the application
Installing the application
- Deploying the application using the command line
- Installing and configuring Kaspersky Security Center Network Agent
  - Installing Network Agent using the command line
  - Initial configuration of the Network Agent using the command line
- Installing Kaspersky Embedded Systems Security administration plug-ins
  - About Kaspersky Embedded Systems Security MMC administration plug-in
  - About Kaspersky Embedded Systems Security administration web plug-in
- Deploying the application using Kaspersky Security Center
- Running the application on Astra Linux in closed software environment mode
- Configuring permissive rules in the SELinux system
Uninstalling the application
- Uninstalling the application using the command line
- Uninstalling the application using the Administration Console
- Uninstalling the application using Kaspersky Security Center Web Console
Application licensing
- About the End User License Agreement
- About the license
- About the license certificate
- About the license key
- About the activation code
- About the key file
- About subscription
Data provision
- Data provided when using an activation code
- Data provided when downloading updates from Kaspersky update servers
- Data sent to Kaspersky Security Center
- Data provided when following links in the application interface
- Data provided when using Kaspersky Security Network
Managing the application using the command line
- Starting and stopping the application
- Displaying Help on the commands
- Enabling automatic addition of kess-control commands (bash completion)
- Enabling the display of events
- Viewing information about the application
- Description of the application commands
- Using filters to limit query results
- Exporting and importing application settings
- Setting the application memory usage limit
- User roles
- General application settings
- Managing application tasks using the command line
- Encrypted connections scan
File Threat Protection task (File_Threat_Protection, ID:1)
- Special considerations for scanning symbolic links and hard links
- File Threat Protection task settings
- Specifying an exclusion scope
- Optimizing network directory scanning
Malware Scan task (Scan_My_Computer, ID:2)
Custom Scan task (Scan_File, ID:3)
Critical Areas Scan task (Critical_Areas_Scan, ID:4)
Update task (Update, ID:6)
- About update sources
- Update task settings
Rollback task (Rollback, ID:7)
Licensing task (License, ID:9)
- Adding an active key
- Adding a reserve key
- Removing an active key
- Removing a reserve key
Storage management task (Backup, ID:10)
- Storage management task settings
- Viewing IDs of the objects in the Storage
- Restoring objects from the Storage
- Removing objects from the Storage
System Integrity Monitoring task (System_Integrity_Monitoring, ID:11)
- On-access File Integrity Monitoring (OAFIM)
- On-demand File Integrity Monitoring (ODFIM)
- On-access File Integrity Monitoring task settings
- On-demand File Integrity Monitoring settings
Firewall Management task (Firewall_Management, ID:12)
- About network packet rules
- About dynamic rules
- About the predefined network zone names
- Firewall Management task settings
- Adding a network packet rule
- Deleting a network packet rule
- Changing the execution priority of a network packet rule
- Adding a network address to a zone section
- Deleting a network address from a zone section
Anti-Cryptor task (Anti_Cryptor, ID:13)
- About blocking access to devices
- Anti-Cryptor task settings
- Viewing the list of blocked devices
- Allowing blocked devices
Web Threat Protection task (Web_Threat_Protection, ID:14)
Device Control task (Device_Control, ID:15)
- About access rules
- Device Control task settings
- Viewing the list of connected devices on the command line
Removable Drives Scan task (Removable_Drives_Scan, ID:16)
Network Threat Protection task (Network_Threat_Protection, ID:17)
Container Scan task (Container_Scan, ID:18)
- Container scan task settings
- Integration with Jenkins
Custom Container Scan task (Custom_Container_Scan, ID:19)
Behavior Detection task (Behavior_Detection, ID:20)
Application Control task (Application_Control, ID:21)
- About Application Control rules
- Application Control task settings
- Viewing the list of created categories
Inventory task (Inventory_Scan, ID:22)
- Inventory task settings
- Viewing a list of detected applications
Using Kaspersky Security Network
- Enabling and disabling use of Kaspersky Security Network using the command line
- Checking the connection to Kaspersky Security Network using the command line
Events and reports
- Viewing events
- Viewing reports
Managing the application using the Administration Console
- Starting and stopping the application on a client device
- Viewing the protection status of a device
- Viewing application settings
- Updating application databases and modules
- Managing policies in the Administration Console
  - Creating a policy
  - Editing policy settings
- Policy settings
- Managing tasks in the Administration Console
- Task settings
- Manually checking the connection with the Administration Server. Klnagchk utility
- Manually connecting to the Administration Server. Klmover utility
- Remote diagnostics of client devices. Kaspersky Security Center remote diagnostics utility
Remote application administration using Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console
- Logging in and out of the Web Console and Cloud Console
- Starting and stopping the application on a client device
- Viewing the protection status of a device
- Updating application databases and modules
- Managing policies in the Web Console
- Policy settings
- Managing tasks in the Web Console
- Task settings
- Configuring remote diagnostics of client devices
Managing application using graphical user interface
- Application interface
- Task management
- Configuring Kaspersky Security Network
- Viewing reports
- Viewing objects in the Storage
- Viewing licensing information
- Creating a trace file
Application components integrity check
Contact Technical Support
- Technical Support via Kaspersky CompanyAccount
- Contents and storage of trace files
- Contents and storage of dump files
Appendices
- Appendix 1. Resource consumption optimization
- Appendix 2. Application configuration files
- Appendix 3. Command line return codes
Sources of information about the application
Glossary
- Active key
- Active policy
- Administration group
- Administration Server
- Application activation
- Application databases
- Application settings
- Database of malicious web addresses
- Database of phishing web addresses
- Exclusion
- False positive
- File mask
- Group policy
- Group task
- Infected object
- Kaspersky update servers
- License
- License certificate
- Object disinfection
- Policy
- Proxy server
- Reserve key
- Startup objects
- Subscription
- Trusted device
- Trusted zone
Information about third-party code
Trademark notices

[Topic 251963]

Kaspersky Embedded Systems Security 3.3 for Linux

Kaspersky Embedded Systems Security 3.3 for Linux ("Kaspersky Embedded Systems Security", "Application") protects devices running Linux operating systems against various types of threats, including network and scam attacks.

The application is not intended for industrial processes that use automated control systems. To protect devices in these systems, we recommend using Kaspersky Industrial CyberSecurity for Linux Nodes.

The application is used to:

Scan file system objects located on local disks of your device, as well as mounted and shared resources, which are accessed via SMB and NFS protocols.
Scan objects in the file system both in real time using the File Threat Protection task and on demand using scan tasks.
Scan startup objects, boot sectors, process memory, and kernel memory.
Detect infected objects and neutralize threats detected in them.
Automatically select an action to neutralize the threat.
Save backup copies of files before disinfection or deletion and restore files from backups.
Manage tasks and configure their settings.
Add keys and activate the application using activation codes.
Update the application with service packs.
Update application databases from Kaspersky update servers, via the Administration Server, or from a user-specified source on schedule and on demand.
Use application databases to detect and disinfect infected files. During the scan process, the application analyzes each file for the presence of a threat: it compares the file code with the code of a specific threat and looks for possible matches.
Monitor the integrity of the system or specified files and report changes. System Integrity Monitoring can be performed in continuous monitoring mode and in on-demand scan mode.
Manage the operating system firewall and restore the set of firewall rules if they were changed.
Protect files in local directories with network access via SMB / NFS from remote malicious encryption.
Analyze traffic sent to users' devices via HTTP / HTTPS and FTP and check if web addresses are malicious or phishing.
Configure flexible restrictions on access to data storage devices (hard disks, removable disks, CD / DVD drives), data transfer equipment (modems), data conversion devices (printers) and interfaces for connecting devices (USB, FireWire).
Check removable drives when connected to your device.
Check incoming network traffic for activity typical of network attacks.
Check containers, images and namespaces.
Receive information about application actions on your device.
Configure encrypted connections scan settings.
Control the start of applications and restrict access to applications on user devices to help reduce the risk of client device infections.
Get information about all executable files of the applications installed on client devices using the Inventory Scan task, which can be useful, for example, for creating Application Control rules.
Use Kaspersky Security Network. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Embedded Systems Security to various threats, improves the performance of some protection components, and reduces the likelihood of false positives.
Allow users without root permissions to manage the application functions.
Notify the administrator about events that occurred while the application was running.
Check the integrity of application components using the integrity check tool.

You can manage Kaspersky Embedded Systems Security using the following methods:

Using control commands from the command line.
Using Kaspersky Security Center Administration Console.
Using Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console.
Using a graphical user interface.

The update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality may not be available in the application in the territory of the USA.

In this Help section

Setting	Description	Values
EULA_AGREED	Required setting. Acceptance of the terms of the End User License Agreement.	`yes`: accept the terms of the End User License Agreement to continue the application installation. `no`: do not accept the End User License Agreement. The application installation will be terminated.
PRIVACY_POLICY_AGREED	Required setting. Acceptance of the Privacy Policy.	`yes`: accept the Privacy Policy to continue the application installation. `no`: do not accept the Privacy Policy. The application installation will be terminated.
USE_KSN	Required setting. Acceptance of Kaspersky Security Network Statement.	`yes` – accept Kaspersky Security Network Statement. `no` – do not accept Kaspersky Security Network Statement.
LOCALE	Optional setting. The locale used for the application events sent to Kaspersky Security Center.	Locale in the format specified by RFC 3066. If the `Locale` setting is not specified, the operating system locale is used. If the application fails to determine the operating system localization language or the operating system localization is not supported, the default value will be used – `en_US.utf8`. The locale of the graphical interface and the application command line depends on the value of the `LANG` environment variable. If the locale that is not supported by Kaspersky Embedded Systems Security is specified as the value of the `LANG` environment variable, the graphical interface and the command line are displayed in English.
INSTALL_LICENSE	Activation code or key file.
UPDATER_SOURCE	Update source.	`SCServer` – use the Kaspersky Security Center Administration Server as the update source. `KLServers` – use Kaspersky servers as the update source. Update source address
PROXY_SERVER	Address of the proxy server used to connect to the Internet.	Proxy server address
UPDATE_EXECUTE	Start application database update task during setup.	`yes` – start update task. `no` – do not start update task.
KERNEL_SRCS_INSTALL	Automatic start of kernel module compilation.	`yes` – compile kernel module. `no` – do not compile kernel module.
ADMIN_USER	A user to whom you can grant the administrator role (admin).
CONFIGURE_SELINUX	Automatic configuration of SELinux for working with Kaspersky Embedded Systems Security.	yes – configure SELinux to work with Kaspersky Embedded Systems Security. no – do not configure SELinux to work with Kaspersky Embedded Systems Security.

Section	Description
Specify the locale.	Select this check box to specify the locale used during the application operation. Locale in the format specified by RFC 3066. If this setting is not specified, the default locale is used.
Activate the application	Select this check box to specify the activation code.
Update source	Specify the update source: Kaspersky update servers. Kaspersky Security Center Administration Server. Other source in the local or global network.
Run update task after installation.	Select this check box to run the Update task after the application is installed.
Specify proxy server settings	Select this check box to specify the address of the proxy server used to connect to the Internet.
Install kernel source	Select this check box to automatically start of kernel module compilation.
Use GUI	Select this check box to enable the use of the graphical user interface.

Comparison operator	Description
`>`	Greater than
`<`	Less than
`like`	Matches the specified value (when specifying the value, you can use masks %, see the example below)
`==`	Equal to
`!=`	Not equal to
`>=`	Greater than or equal to
`<=`	Less than or equal to

Role name	Role in application	OS user	Permissions
Administrator	admin	kessadmin	Manage all application and task settings. Manage application licensing. Assigning roles to users. Revoking user roles (the administrator has no right to revoke the admin role from himself). View and manage users' Storages.
User	user	kessuser	Manage only Scan_File tasks. Start and stop Update tasks. View reports for the tasks created by this user. View specific events that are common for all application users.
Auditor	audit	kessaudit	Viewing application settings View application status. View all tasks, their settings, and start schedules. View all events. View all objects in the Storage.
—	—	nokess	No role is assigned in the application, no permissions.

Setting	Description	Values
`SambaConfigPath`	Directory that stores the Samba configuration file. The Samba configuration file is required to ensure that the `AllShared` or `Shared:SMB` values can be used for the `Path` setting.	The standard directory of the SAMBA configuration file on the computer is specified by default. Default value: /etc/samba/smb.conf. The application must be restarted after this setting is changed.
`NfsExportPath`	The directory where the NFS configuration file is stored. The NFS configuration file is required to ensure that the `AllShared` or `Shared:NFS` values can be used for the `Path` setting.	The standard directory of the NFS configuration file on the computer is specified by default. Default value: /etc/exports. The application must be restarted after this setting is changed.
`TraceLevel`	Enables trace file generation and specifies the level of detail of the trace file.	`Detailed` – Generate a detailed trace file. `MediumDetailed` – Generate a trace file that contains informational messages and error messages. `NotDetailed` – Generate a trace file that contains error messages. `None` (default value) — Do not generate a trace file.
`TraceFolder`	The directory that stores the application's trace files. Trace files contain information about the operating system, and may also contain personal data.	Default value: /var/log/kaspersky/kess. If you specify a different directory, make sure that the account under which Kaspersky Embedded Systems Security is running has read/write permissions for this directory. Root privileges are required to access the default trace files directory. The application must be restarted after this setting is changed.
`TraceMaxFileCount`	Maximum number of application trace files.	1–10000 Default value: 10. The application must be restarted after this setting is changed.
`TraceMaxFileSize`	Specifies the maximum size of an application trace file (in megabytes).	1–1000 Default value: 500. The application must be restarted after this setting is changed.
`BlockFilesGreaterMaxFileNamePath`	Blocks access to files for which the full path length exceeds the defined settings value specified in bytes. If the length of the full path to the scanned file exceeds the value of this setting, scan tasks skip this file during scanning. This setting is not available for operating systems that use the fanotify technology.	4096–33554432 Default value: 16384. After changing the value of this setting, the File Threat Protection task needs to be restarted.
`DetectOtherObjects`	Enables detection of legitimate software that could be used by intruders to harm computers or user data.	`Yes`— Enable detection of legitimate software that could be used by intruders to harm computers or user data. `No` (default value) — Disable detection of legitimate software that could be used by intruders to harm computers or user data.
`NamespaceMonitoring`	Enable scanning of namespaces and containers.	`Yes` (default value) — Enable scanning of namespaces and containers. `No` — Disable scanning of namespaces and containers.
`InterceptorProtectionMode`	File interceptor mode when executing tasks that use the file operation interceptor (File Threat Protection, Anti-Cryptor, Device Control, Removable Drives Scan). This setting affects the execution of File Threat Protection, Device Control and Removable Drive Scan.	`Block` (default value) – block the files while they are being scanned by the task that uses the file interceptor. A request to any file has to wait for scan results. When detecting infected objects, the application performs the actions specified in the `FirstAction` and `SecondAction` settings of the File Threat Protection task. `Notify` — do not block the files while they are being scanned by the task that uses the file interceptor. Requests to any file is allowed, scanning is done asynchronously. When detecting infected objects, the application only records the event in the event log. The actions specified in the `FirstAction` and `SecondAction` settings of the File Threat Protection task are skipped. If the `Notify` value is selected, the protection level of your device is reduced.
`UseKSN`	Enabling Kaspersky Security Network usage:	`Basic` — enable the Kaspersky Security Network usage without sending statistics. `Extended` — Enable Kaspersky Security Network usage and send statistics. `No` (default value) — disable the Kaspersky Security Network usage.
`UseProxy`	Enables use of a proxy server by Kaspersky Embedded Systems Security components. A proxy server can be used to communicate with Kaspersky Security Network, to activate the application, and when updating application databases and modules.	`Yes` - enable the use of a proxy server. `No` (default) - Disable the use of a proxy server.
`ProxyServer`	Proxy server settings in the format [user[:password]@]host[:port]. When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.	—
`MaxEventsNumber`	The maximum number of events stored by the application. When the specified number of events is exceeded, the application deletes the oldest events.	Default value: 500000. If 0 is specified, events are not saved.
`LimitNumberOfScanFileTasks`	The maximum number of Scan_File tasks that a non-privileged user can simultaneously start on a device. This setting does not limit the number of tasks that a user with root privileges can start.	0–4294967295 Default value: 0. If 0 is specified, a non-privileged user cannot start Scan_File tasks. If you installed the graphical user interface package when installing the application, the `LimitNumberOfScanFileTasks` settings has the default value `5`.
`UseSyslog`	Enable logging of information about events to syslog Root privileges are required to access syslog.	`Yes` — Enable logging of information about events to syslog. `No` (default value) — Disable logging of information about events to syslog.
`EventsStoragePath`	The database directory where the application saves information about events. Root privileges are required to access the default event database.	Default value: /var/opt/kaspersky/kess/private/storage/events.db.
`ExcludedMountPoint.item_#`	The mount point to be excluded from the scan scope for tasks that use a file operation interceptor (File Threat Protection and Anti-Cryptor). You can specify several mount points to be excluded from scans. Mount points must be specified in the same way as they are displayed in the `mount` command output. The `ExcludedMountPoint.item_#` setting is left unspecified by default.	`AllRemoteMounted` — Exclude all remote directories mounted on the device using SMB and NFS protocols from file operation interception. `Mounted:NFS` — Exclude all remote directories mounted on the device using the NFS protocol from file operation interception. `Mounted:SMB` — Exclude all remote directories mounted on the device using the SMB protocol from file operation interception. `Mounted:<file system type>` — Exclude all mounted directories with the specified file system type from file operation interception. `/mnt` — Exclude objects in the /mnt mount point (including subdirectories) from file operation interception. This directory is used as the temporary mount point for removable drives. `<path that contains the` `/mnt/user` `or` `/mnt//user_share>` — Exclude objects in mount points whose names contain the specified mask from file operation interception. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir//file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.
`MemScanExcludedProgramPath.item_#`	Exclude process memory from scans. The application does not scan the memory of the indicated process.	`<full path to process>` – Do not scan the process in the indicated local directory. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.

Setting	Description	Values
`OnAccessContainerScanAction`	Action to be performed on a container when an infected object is detected. This setting is available when using the application under a license that supports this function. For scanning, the settings of the File Threat Protection task are used. The action performed on a container when an infected object is detected also depends on the File Threat Protection task settings (see the table below).	`StopContainerIfFailed` (default value) — Stop the container if an infected object cannot be disinfected or deleted. `StopContainer` — Stop the container when an infected object is detected. `Skip` — Do not perform any action on containers when an infected object is detected.
`UseDocker`	Use the Docker environment.	`Yes` (default value) — Use the Docker environment. `No` — Do not use the Docker environment.
`DockerSocket`	Docker socket path or URI (Universal Resource Identifier).	Default value: /var/run/docker.sock.
`UseCrio`	Use the CRI-O environment.	`Yes` (default value) — Use the CRI-O environment. `No` — Do not use the CRI-O environment.
`CrioConfigFilePath`	Path to the CRI-O configuration file.	Default value: /etc/crio/crio.conf.
`UsePodman`	Use the Podman utility.	`Yes` (default value) — Use the Podman utility. `No` — Do not use the Podman utility.
`PodmanBinaryPath`	Path to the Podman utility executable file.	Default value: /usr/bin/podman.
`PodmanRootFolder`	Path to the root directory of the container storage.	Default value: /var/lib/containers/storage.
`UseRunc`	Use the runc utility.	`Yes` (default value) — Use the runc utility. `No` — Do not use the utility.
`RuncBinaryPath`	Path to the runc utility executable file.	Default value: /usr/bin/runc.
`RuncRootFolder`	Path to the root directory of the container state storage.	Default value: /run/runc-ctrs.

Value of the FirstAction / SecondAction or the InterceptorProtectionMode setting	Action performed on the container when the StopContainerIfFailed action is selected
`Disinfect`	Stop the container if disinfection of an infected object fails.
`Remove`	Stop the container if an infected object removal fails.
`Block` or `Notify`	Do not perform any action on containers when an infected object is detected.

Task	Task name in the command line	Task ID	Task type
File Threat Protection	File_Threat_Protection	1	OAS
Malware Scan	Scan_My_Computer	2	ODS
Custom Scan	Scan_File	3	ODS
Critical Areas Scan	Critical_Areas_Scan	4	ODS
Update	Update	6	Update
Rollback	Rollback	7	Rollback
Licensing	License	9	License
Storage management	Backup	10	Backup
System Integrity Monitoring	System_Integrity_Monitoring	11	OAFIM
Firewall Management	Firewall_Management	12	Firewall
Anti-Cryptor	Anti_Cryptor	13	AntiCryptor
Web Threat Protection	Web_Threat_Protection	14	WTP
Device Control	Device_Control	15	DeviceControl
Removable Drives Scan	Removable_Drives_Scan	16	RDS
Network Threat Protection	Network_Threat_Protection	17	NTP
Container Scan	Container_Scan	18	ContainerScan
Custom Container Scan	Custom_Container_Scan	19	ContainerScan
Behavior Detection	Behavior_Detection	20	BehaviorDetection
Application Сontrol	Application_Control	21	AppControl
Inventory	Inventory_Scan	22	InventoryScan

Setting	Description	Values

`EncryptedConnectionsScan`	Enables or disables encrypted traffic scan. For the FTP protocol, encrypted connections scan is disabled by default.	`Yes` (default value) — Enable encrypted connection scans. `No` — Disable encrypted connection scans. The application does not decrypt the encrypted traffic.
`EncryptedConnectionsScanErrorAction`	Specifies the action to perform when an encrypted connection scan error occurs on a website.	`AddToAutoExclusions` (default value) — Add the domain where an error occurred to the list of domains with scan errors. The application will not monitor encrypted network traffic when this domain is visited. `Disconnect` — Block the network connection.
`CertificateVerificationPolicy`	Specifies the way Kaspersky Embedded Systems Security checks certificates. If a certificate is self-signed, the application does not perform the additional verification.	`FullCheck` (default value) — The application uses the Internet to check and download the missing chains that are required to verify a certificate. `LocalCheck` — The application does not use the Internet to verify a certificate.
`UntrustedCertificateAction`	Specifies the action to perform when an encrypted connection scan error occurs on a website.	`Allow` (default value) — Allow network connections established while visiting a domain with an untrusted certificate. `Block` — Block network connections established while visiting a domain with an untrusted certificate.
`ManageExclusions`	Enables or disables the use of the encrypted connection scan exclusions.	`Yes` — Do not scan websites specified in the `[Exclusions.item_#]` section. `No` (default value) — Scan all websites.
`MonitorNetworkPorts`	Specifies the way Kaspersky Embedded Systems Security monitors network ports.	`Selected` (default value) — Monitor only network ports specified in the `[NetworkPorts.item_#]` section (see below). `All` — Monitor all network ports. Specifying this value may significantly increase an operating system load.
The [Exclusions.item_#] section contains domains excluded from scans. The application does not scan encrypted connections established when visiting specified domains.
`DomainName`	Specifies the domain name. You can use masks to specify the domain.	The default value is not defined.
The [NetworkPorts.item_#] section contains the network ports monitored by the application.
`PortName`	Network port description.	The default value is not defined.
`Port`	Network port numbers to be monitored by the application.	`1` – `65535` The default value is not defined.

Setting	Description	Values

`UseExcludeMasks`	Enables monitoring scope exclusions for objects specified by the `ExcludeThreats.item_#` setting. This setting only applies if a value is specified for the `ExcludeMasks.item_#` setting.	`Yes` — Exclude objects specified by the `ExcludeMasks.item_#` setting from the monitoring scope. `No` (default value) — Do not exclude objects specified by the `ExcludeMasks.item_#` setting from the monitoring scope.
`ExcludeMasks.item_#`	Excludes objects from monitoring by names or masks. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format. Before specifying a value for this setting, make sure that the `UseExcludeMasks` setting is enabled. You can specify several masks. Each mask must be specified on a new line with a new index.	The default value is not defined.
The [ScanScope.item_#] section contains the monitoring scopes of the System Integrity Monitoring task. At least one monitoring scope must be specified for the task. You can specify several [ScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of monitoring scope; contains additional information about the monitoring scope.	The default value is not defined.
`UseScanArea`	Enables monitoring of the specified scope.	`Yes` (default value) — Monitor the specified scope. `No` — Do not monitor the specified scope.
`Path`	Path to the monitoring directory.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. Default value: /opt/kaspersky/kess/
`AreaMask.item_#`	Monitoring scope limitation. Within the monitoring scope, the application scans only the objects that are specified using the masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (all objects are monitored)
The [ExcludedFromScanScope.item_#] section contains the objects to be excluded from all [ScanScope.item_#] sections. The objects that match the rules of any [ExcludedFromScanScope.item_#] section will be excluded from monitoring. The format of the [ExcludedFromScanScope.item_#] section is similar to the format of the [ScanScope.item_#] section. You can specify several [ExcludedFromScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ExcludedFromScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of the monitoring exclusion scope, which contains additional information about the monitoring exclusion scope.	The default value is not defined.
`UseScanArea`	Excludes the specified scope from monitoring.	`Yes` (default value) — Exclude the specified scope from monitoring. `No` — Do not exclude the specified scope from monitoring.
`Path`	Path to the directory with objects excluded from monitoring.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. The default value is not defined.
`AreaMask.item_#`	Limitation of monitoring exclusion scope. In the monitoring exclusion scope, the application only excludes the objects that are specified using masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (exclude all objects from monitoring)

Setting	Description	Values

`RebuildBaseline`	Enables rebuilding a baseline after the ODFIM task has finished.	`Yes` — Rebuild a baseline after the ODFIM task has finished. `No` (default value) — Do not rebuild a baseline after the ODFIM task has finished.
`CheckFileHash`	Enables hash check (SHA-256).	`Yes` — Enable hash check. `No` (default value) — Disable hash check.
`TrackDirectoryChanges`	Enables directory monitoring.	`Yes` — Monitor directories. `No` (default value) — Do not monitor directories.
`TrackLastAccessTime`	Enables tracking last file access time. In the Linux operating systems it is the `noatime` setting.	`Yes` — Track last file access time. `No` (default value) — Do not track last file access time.
`UseExcludeMasks`	Enables monitoring scope exclusions for objects specified by the `ExcludeMasks_#` setting. This setting only applies if a value is specified for the `ExcludeMasks_#` setting.	`Yes` — Exclude objects specified by the `ExcludeMasks_#` setting from the monitoring scope. `No` (default value) — Do not exclude objects specified by the `ExcludeMasks_#` setting from the monitoring scope.
`ExcludeMasks_#`	Excludes objects from monitoring by names or masks. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format. Before specifying a value for this setting, make sure that the `UseExcludeMasks` setting is enabled. You can specify several masks. Each mask must be specified on a new line with a new index.	The default value is not defined.
The [ScanScope.item_#] section contains the monitoring scopes of the System Integrity Monitoring task. At least one monitoring scope must be specified for the task. You can specify several [ScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of monitoring scope; contains additional information about the monitoring scope.	The default value is not defined.
`UseScanArea`	Enables monitoring of the specified scope.	`Yes` (default value) — Monitor the specified scope. `No` — Do not monitor the specified scope.
`Path`	Path to the monitoring directory.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. Default value: /opt/kaspersky/kess/
`AreaMask.item_#`	Monitoring scope limitation. Within the monitoring scope, the application scans only the objects that are specified using the masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (all objects are monitored)
The [ExcludedFromScanScope.item_#] section contains the objects to be excluded from all [ScanScope.item_#] sections. The objects that match the rules of any [ExcludedFromScanScope.item_#] section will be excluded from monitoring. The format of the [ExcludedFromScanScope.item_#] section is similar to the format of the [ScanScope.item_#] section. You can specify several [ExcludedFromScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ExcludedFromScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of the monitoring exclusion scope, which contains additional information about the monitoring exclusion scope.	The default value is not defined.
`UseScanArea`	Excludes the specified scope from monitoring.	`Yes` (default value) — Exclude the specified scope from monitoring. `No` — Do not exclude the specified scope from monitoring.
`Path`	Path to the directory with objects excluded from monitoring.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. The default value is not defined.
`AreaMask.item_#`	Limitation of monitoring exclusion scope. In the monitoring exclusion scope, the application only excludes the objects that are specified using masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (exclude all objects from monitoring)

Setting	Description	Values

`DefaultIncomingAction`	The default action to perform on an inbound connection if no network rules apply to this connection type.	`Allow` (default value) — Allow inbound connections. `Block` — Block inbound connections.
`DefaultIncomingPacketAction`	The default action to perform on an incoming packet if no network packet rules apply to this connection type.	`Allow` (default value) — Allow incoming packets. `Block` — Block incoming packets.
`OpenNagentPorts`	Adds Network Agent dynamic rules to the network packet rules.	`Yes` (default value) – Add Network Agent dynamic rules to the network packet rules. `No` – Do not add Network Agent dynamic rules to the network packet rules.
The [PacketRules.item_#] section contains network packet rules for the Firewall Management task. You can specify several `[PacketRules.item_#]` sections in any order. The application processes the scopes by index in ascending order. Each `[PacketRules.item_#]` section contains the following settings:
`Name`	Network packet rule name.	Default value: `Packet rule #<n>`, where n is an index.
`FirewallAction`	Action to be performed on connections specified in this network packet rule.	`Allow` (default value) — Allow network connections. `Block` — Block network connections.
`Protocol`	Type of protocol for which network activity is to be monitored.	`Any` (default value) — The Firewall Management task monitors all network activity. `TCP` `UDP` `ICMP` `ICMPv6` `IGMP` `GRE`
`RemotePorts`	Port numbers of the remote devices whose connection is monitored. This setting can only be specified if the `Protocol` setting is set to `TCP` or `UDP`. An integer or interval can be specified for this setting.	`Any` (default value) — Monitor all remote ports. `0` – `65535`.
`LocalPorts`	Port numbers of the local devices whose connection is monitored. This setting can only be specified if the `Protocol` setting is set to `TCP` or `UDP`. An integer or interval can be specified for this setting.	`Any` (default value) — Monitor all local ports. `0` – `65535`.
`ICMPType`	ICMP packet type. This setting can only be specified if the `Protocol` setting is set to `ICMP` or `ICMPv6`.	`Any` (default value) — Monitor all ICMP packet types. Integer number according to the data transfer protocol specification.
`ICMPCode`	ICMP packet code. This setting can only be specified if the `Protocol` setting is set to `ICMP` or `ICMPv6`.	`Any` (default value) — Monitor all ICMP packet codes. Integer number according to the data transfer protocol specification.
`Direction`	Direction of the monitored network activity.	`IncomingOutgoing` or `InOut` (default value) — Monitor both inbound and outbound connections. `Incoming` or `In` — Monitor inbound connections. `Outgoing` or `Out` — Monitor outbound connections. `IncomingPacket` or `InPacket` — Monitor incoming packets. `OutgoingPacket` or `OutPacket` — Monitor outgoing packets. `IncomingOutgoingPacket` or `InOutPacket` — Monitor both incoming and outgoing packets.
`RemoteAddress`	The network addresses of the remote devices that can send and receive network packets.	`Any` (default value) — Monitor network packets sent and/or received by remote devices with any IP address. `Trusted` — Predefined network zone for trusted networks. `Local` — Predefined network zone for local networks. `Public` — Predefined network zone for public networks. `d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64.
`LocalAddress`	Network addresses of devices that have Kaspersky Embedded Systems Security installed and can send and/or receive network packets.	`Any` (default value) — Monitor network packets sent and/or received by local devices with any IP address. `d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64.
`LogAttempts`	Specify whether you want the actions of the network rule to be included in the report.	`Yes` — Include actions in the report. `No` (default value) — Do not include actions in the report.
The [NetworkZonesPublic] section contains network addresses associated with public networks. You can specify several IP addresses or subnets of IP addresses.
`Address.item_#`	Specifies IP addresses or subnets of IP addresses.	`d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64. Default value: "" (no network addresses in this zone)
The [NetworkZonesLocal] section contains network addresses associated with local networks. You can specify several IP addresses or subnets of IP addresses.
`Address.item_#`	Specifies IP addresses or subnets of IP addresses.	`d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64. Default value: "" (no network addresses in this zone)
The [NetworkZonesTrusted] section contains network addresses associated with trusted networks. You can specify several IP addresses or subnets of IP addresses.
`Address.item_#`	Specifies IP addresses or subnets of IP addresses.	`d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64. Default value: "" (no network addresses in this zone)

Setting	Description	Values

`UseHostBlocker`	Enables untrusted hosts blocking. If untrusted hosts blocking is disabled, the application still scans the actions of the remote devices on network file resources for malicious encryption when the Anti-Cryptor task is running. If malicious activity is detected, the EncryptionDetected event is created, but the attacking device is not blocked.	`Yes` (default value): enable untrusted hosts blocking. `No`: disable untrusted hosts blocking.
`BlockTime`	The time an untrusted device is blocked (in minutes). If a compromised host is blocked, and you change a value for the `BlockTime` setting, the blocking time for this host will not change. The blocking time is not a dynamic value, and is calculated at the moment of blocking.	Integer from 1 to 4294967295. Default value: 30.
`UseExcludeMasks`	Enables protection scope exclusions for objects specified by the `ExcludeMasks.item_#` setting. This setting only applies if a value is specified for the `ExcludeMasks.item_#` setting.	`Yes` — Exclude objects specified by the `ExcludeMasks.item_#` setting from the protection scope. `No` (default value) — Do not exclude objects specified by the `ExcludeMasks.item_#` setting from the protection scope.
`ExcludeMasks.item_#`	Excludes objects from the protection scope by names or masks. You can use this setting to exclude an individual file from the specified protection scope by name or exclude several files at once using masks in the shell format. Before specifying a value for this setting, make sure that the `UseExcludeMasks` setting is enabled. If you want to specify several masks, specify each mask on a new line with a new index.	The default value is not defined.
The [ScanScope.item_#] section contains the scopes protected by the application. For the Anti-Cryptor task, you need to specify at least one protection scope; you can only specify shared directories. You can specify several [ScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of protection scope; contains additional information about the protection scope.	Default value: `All shared directories`.
`UseScanArea`	Enables protection of the specified scope. To run the task, enable protection of at least one scope.	`Yes` (default value) — Protect the specified scope. `No` — Do not protect the specified scope.
`AreaMask.item_#`	Protection scope limitation. In the protection scope, the application protects only the objects that are specified using the masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (protect all objects)
`Path`	Path to the directory with the objects to be protected.	`<path to local directory>` – Protect a local directory accessible via SMB/NFS. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. `AllShared` (default value) — Protect all resources accessible via SMB/NFS. `Shared:SMB` — Protect resources accessible via SMB. `Shared:NFS` — Protect resources accessible via NFS.
The [ExcludedFromScanScope.item_#] section contains the objects to be excluded from all [ScanScope.item_#] sections. The objects that match the rules of any [ExcludedFromScanScope.item_#] section are not scanned. The format of the [ExcludedFromScanScope.item_#] section is similar to the format of the [ScanScope.item_#] section. You can specify several [ExcludedFromScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ExcludedFromScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of the protection exclusion scope, which contains additional information about the exclusion scope.	Default value: `All objects`.
`UseScanArea`	Excludes the specified scope from protection.	`Yes` (default value) — Exclude the specified scope from protection. `No` — Do not exclude the specified scope from protection.
`AreaMask.item_#`	Limitation of the protection exclusion scope. In the exclusion scope, the application excludes only the objects that are specified using masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (exclude all objects).
`Path`	Path to the directory with objects excluded from protection.	`<path to local directory>` — Exclude objects in the specified directory from protection. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. `Mounted:NFS`– Exclude the remote directories mounted on a client device using the NFS protocol from protection. `Mounted:SMB`– Exclude the remote directories mounted on a client device using the Samba protocol from protection. `AllRemoteMounted`– Exclude all remote directories mounted on a client device using the Samba and NFS protocols from protection.

Setting	Description	Values
`ActionOnDetect`	Specifies the action to be performed upon detection of an infected object in web traffic.	`Notify` — Allow the detected object to be downloaded, display a notification about the blocked access attempt, and log information about the infected object. `Block` (default value) — Block access to the detected object, display a notification about the blocked access attempt, and log information about the infected object.
`CheckMalicious`	Specifies whether links will be checked against the database of malicious web addresses.	`Yes` (default value) — Check if the links are listed in the malicious links database. `No` — Do not check if the links are listed in the malicious links database.
`CheckPhishing`	Specifies whether links will be checked against the database of phishing web addresses.	`Yes` (default value) — Check if the links are listed in the phishing links database. `No` — Do not check if the links are listed in the phishing links database.
`UseHeuristicForPhishing`	Specifies whether heuristic analysis must be used to scan web pages for phishing links.	`Yes` (default value) — Use heuristic analysis to detect phishing links. If this value is specified, the level of heuristic analysis is `Light` (the least thorough scan with minimal load on the system). You cannot change the heuristic analysis level for the Web Threat Protection task. `No` — Do not use heuristic analysis to detect phishing links.
`CheckAdware`	Specifies whether links must be checked against the database of adware web addresses.	`Yes` — Check if the links are listed in the adware links database. `No` (default value) — Do not check if the links are listed in the adware links database.
`CheckOther`	Specifies whether links must be checked against the database of web addresses that contain legal software that may be used by criminals to damage your device or personal data.	`Yes` — Check if the links are listed in the database of web addresses that contain legal software that may be used by intruders to damage your device or personal data. `No` (default value) — Do not check if the links are listed in the database of web addresses that contain legal software that may be used by intruders to damage your device or personal data.
`UseTrustedAddresses`	Enables or disables the usage of a list of trusted web addresses. The application does not analyze information from trusted web addresses to check them for viruses or other dangerous objects. You can specify trusted web addresses using the `TrustedAddresses.item_#` setting.	`Yes` (default value) — Use a list of trusted web addresses. `No` — Do not use a list of trusted web addresses.
`TrustedAddresses.item_#`	Specifies trusted web addresses.	The default value is not defined. You can use masks to specify web addresses. When creating an address mask, use an asterisk () as a placeholder for one or more characters. If you enter the abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/*/page_0-9abcdef.html means www.virus.com//page_0-9abcdef.html). Masks are not supported to specify IP addresses.

Setting	Description	Values
`ActionOnDetect`	Actions performed upon detection of network activity that is typical of network attacks.	`Notify` – allow network activity, log information about detected network activity. `Block` (default value) – block network activity and log information about it.
`BlockAttackingHosts`	Blocking network activity from attacking devices.	`Yes` (default value) — Block network activity from an attacking device. `No` — Allow network activity from an attacking computer.
`BlockDurationMinutes`	Specifies how long attacking devices will be blocked (in minutes).	1 – 32768 Default value: 60.
`UseExcludeIPs`	The usage of a list of IP addresses whose network activity will not be blocked when a network attack is detected. The application will only log information about dangerous activity from these devices. You can add IP addresses to the exclusion list by using the `ExcludeIPs.item_#` setting. By default, the list is empty.	`Yes` — Use the list of excluded IP addresses. `No` (default value) — Do not use the list of excluded IP addresses.
`ExcludeIPs.item_#`	Specifies an IP address whose network activity will not be blocked by the application.	`d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64. The default value is not defined.

Setting	Description	Values

`TaskMode`	Action performed by the application when malicious activity is detected in the operating system.	`Block` (default value) – terminate the process of the application performing malicious activity. `Notify` – do not terminate the process performing malicious activity; only log detection of malicious activity in the event log.
`UseTrustedPrograms`	Excluding processes from scans.	`Yes` – do not scan the activity of the indicated processes. `No` (default value) – scan all processes.
The [TrustedPrograms.item_#] section contains processes that are excluded from scans. Kaspersky Embedded Systems Security does not monitor the activity of the specified processes.
`ProgramPath`	Path to excluded process.	`<full path to process>` – Do not scan the process in the indicated local directory. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.
`ApplyToDescendants`	Exclude child processes of the excluded process specified by the `ProgramPath` setting from scans.	`Yes` – exclude the specified process and all its child processes from scans. `No` (default value) – exclude only the specified process from scans, do not exclude its child processes from scans.
`ProgramDesc`	Description of the excluded process.

Setting	Description	Values

`AppControlMode`	Application Control task operation mode.	`AllowList` – Kaspersky Embedded Systems Security prevents users from launching any applications that are not specified in the Application Control rules. `DenyList` (default value) – Kaspersky Embedded Systems Security allows users to launch any applications that are not specified in the Application Control rules.
`AppControlRulesAction`	The action that Kaspersky Embedded Systems Security performs upon detecting an attempt to start an application.	`ApplyRules` (default value) – Kaspersky Embedded Systems Security applies Application Control rules and performs the action specified in the rules. `TestRules` – Kaspersky Embedded Systems Security tests the rules and generates an event about the detection of the applications that meet the rule.
The [Categories.item_#] section contains the following settings:
`Name`	Name of the created application category to which the rule applies.
`UseIncludes`	Usage of inclusive conditions to trigger the rule.	`Yes` – apply the rule to the application if the application meets at least one inclusive condition. `No` (default value) – do not apply the rule to the application, even if the application meets the inclusive conditions.
`IncludeFileNames.item_#`	Name of the executable file that triggers the rule.	You can use masks to specify the file name. You can use the * character (any sequence of characters) or the ? character (any one character) as the file or directory name mask. You can put the * character to represent any set of characters (including an empty set) in a file or directory name that includes the / character. For example, `/dir//file/` or `/dir/file*/`. You can put a single ? character to represent any one character (including `/`) in the file or directory name.
`IncludeFolders.item_#`	Name of the directory with the application's executable file that triggers the rule.	You can use masks to specify the directory name. You can use the * character (any sequence of characters) or the ? character (any one character) as the file or directory name mask. You can put the * character to represent any set of characters (including an empty set) in a file or directory name that includes the / character. For example, `/dir//file/` or `/dir/file*/`. You can put a single ? character to represent any one character (including `/`) in the file or directory name.
`IncludeHashes.item_#`	Hash (SHA-256) of the executable file that triggers the rule.
`UseExcludes`	Usage of excluding conditions to trigger the rule.	`Yes` – do not apply the rule to the application if the application meets at least one exclusive condition or does not meet any of the inclusive conditions. `No` (default value) – apply the rule to the application, even if the application meets at least one exclusive condition.
`ExcludeFileNames.item_#`	Name of the executable file that triggers the rule.	You can use masks to specify the file name. You can use the * character (any sequence of characters) or the ? character (any one character) as the file or directory name mask. You can put the * character to represent any set of characters (including an empty set) in a file or directory name that includes the / character. For example, `/dir//file/` or `/dir/file*/`. You can put a single ? character to represent any one character (including `/`) in the file or directory name.
`ExcludeFolders.item_#`	Name of the directory with the application's executable file that triggers the rule.	You can use masks to specify the directory name. You can use the * character (any sequence of characters) or the ? character (any one character) as the file or directory name mask. You can put the * character to represent any set of characters (including an empty set) in a file or directory name that includes the / character. For example, `/dir//file/` or `/dir/file*/`. You can put a single ? character to represent any one character (including `/`) in the file or directory name.
`ExcludeHashes.item_#`	Hash (SHA-256) of the executable file that triggers the rule.
The [AllowListRules.item_#] section contains a list of Application Control rules for the `AllowList` operation mode. Each [AllowListRules.item_#] section contains the following settings:
`Description`	Description of the Application Control rule.
`AppControlRuleStatus`	Operation status of the Application Control rule:	`On` (default value) – the rule is enabled, Kaspersky Embedded Systems Security applies this rule when the Application Control task is running. `Off` – the rule is not used when the Application Control task is running. `Test` – Kaspersky Embedded Systems Security allows applications covered by the rule to be launched, but logs information about the launch of these applications in the report.
`Category`	Name of the created application category to which the rule applies. You can specify the "Golden Image" category.
The [AllowListRules.item_#.ACL.item_#] section contains a list of users who are allowed or denied to run applications.
`Access`	Access type assigned to a user or user group.	`Allow` (default value) — Allow running applications. `Block` – Deny running applications.
`Principal`	User or user group to which the Application Control rule applies.	`\Everyone` (default value): the rule applies to all users. `<user name>`: name of the user to whom the rule applies. `@<group name>`: name of the group of users to whom the rule applies.
The [DenyListRules.item_#] section contains a list of Application Control rules for the `DenyList` operation mode. Each [DenyListRules.item_#] section contains the following settings:
`Description`	Description of the Application Control rule.
`AppControlRuleStatus`	Operation status of the Application Control rule:	`On` (default value) – the rule is enabled, Kaspersky Embedded Systems Security applies this rule when the Application Control task is running. `Off` – the rule is not used when the Application Control task is running. `Test` – Kaspersky Embedded Systems Security allows applications covered by the rule to be launched, but logs information about the launch of these applications in the report.
`Category`	Name of the created application category to which the rule applies. You can specify the "Golden Image" list of applications as a category.
The [DenyListRules.item_#.ACL.item_#] section contains a list of users who are allowed or denied to run applications.
`Access`	Access type assigned to a user or user group.	`Allow` – allow applications to start. `Block` (default value) – do not allow applications to start.
`Principal`	User or user group to which the Application Control rule applies.	`\Everyone` (default value): the rule applies to all users. `<user name>`: name of the user to whom the rule applies. `@<group name>`: name of the group of users to whom the rule applies.

Setting	Description	Values

`ScanScripts`	Enables script scanning.	`Yes` (default value) — Scan scripts. `No` — Do not scan scripts.
`ScanBinaries`	Enables binary files scanning (elf, java, and pyc).	`Yes` (default value) — Scan binaries. `No` — Do not scan binaries.
`ScanAllExecutable`	Enables the scanning of files with an executable bit.	`Yes` (default value) — Scan files with an executable bit. `No` — Do not scan files with an executable bit.
`ScanPriority`	Task priority. Task priority is a setting that combines a number of internal Kaspersky Embedded Systems Security settings and process start settings. By using this setting, you can specify the way the application consumes system resources for running tasks.	`Idle` — Run the task with a low priority: no more than 10% of processor resource consumption. Specify this value to release the application resources for other tasks, including user processes. The current scan task takes longer to complete. `Normal` (default value) — Run the task with a normal priority: no more than 50% of all processors resources. `High` — Run the task with a high priority, without limiting the consumption of processor resources. Specify this value to perform the current scan task faster.
`CreateGoldenImage`	Enables creation of the "Golden Image" category of applications based on the list of applications detected on the device by the Inventory Scan task. If `CreateGoldenImage=Yes`, then you can use the "Golden Image" application category in the Application Control rules.	`Yes`: create the "Golden Image" category of applications. `No` (default value): do not create the "Golden Image" category of applications.
The [ScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of inventory scan scope; contains additional information about the inventory scan scope. The maximum length of the string specified using this setting is 4096 characters.	Default value: `All objects`.
`UseScanArea`	Enables scans of the specified inventory scope. To run the task, enable scans of at least one inventory scope.	`Yes` (default value) — Scan the specified inventory scope. `No` — Do not scan the specified inventory scope.
`AreaMask`	Inventory scope limitation. In the inventory scope, the application scans only the files that are specified using the masks in the shell format. If this setting is not specified, the application scans all the objects in the inventory scope. You can specify several values for this setting.	The default value is `*` (scan all objects).
`Path`	Path to the directory with objects to be scanned.	`<path to local directory>` — Scan objects in the specified directory. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. Default value: `/usr/bin`
The [ExcludedFromScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of the inventory exclusion scope; contains additional information about the inventory scan scope.	The default value is not defined.
`UseScanArea`	Excludes the specified scope from the inventory.	`Yes` (default value) — Exclude the specified scope. `No` — Do not exclude the specified scope.
`AreaMask`	Limiting the inventory exclusion scope using shell masks. If this setting is not specified, the application excludes all the objects in the inventory scope. You can specify several values for this setting.	Default value: `*` (exclude all objects)
`Path`	Path to the directory with objects to be excluded.	`<path to local directory>` — Exclude objects in the specified directory from scan. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.

Section	Subsections
Essential Threat Protection	File Threat Protection Exclusion scopes Exclusions by process Firewall Management Web Threat Protection Network Threat Protection
Advanced Threat Protection	Kaspersky Security Network Application Сontrol Anti-Cryptor System Integrity Monitoring Device Control Behavior Detection
Local Tasks	Task management Removable Drives Scan
General settings	Proxy server settings Application settings Container Scan settings Network settings Global exclusions Excluding process memory Storage settings

Setting	Description
Enable File Threat Protection	This check box enables or disables File Threat Protection on all managed devices. The check box is selected by default.
File Threat Protection mode	In this drop-down list, you can select the File Threat Protection mode: Smart check (default value) – scan a file when there is an attempt to open it and scan it again when there is an attempt to close it if the file has been modified. If a process accesses and modifies a file multiple times in a certain period, the application scans the file again only when the process closes it for the last time. When opened – scan the file on an attempt to open it for reading, execution, or modification. When opened and modified – scan a file on an attempt to open it, and scan it again on an attempt to close it if the file has been modified.
Scan	This group of settings contains buttons that open windows where you can configure the scan scopes and scan settings.
Actions for infected objects	This group of settings contains the Configure button. Clicking this button opens the Actions for infected objects window, where you can configure the actions that Kaspersky Embedded Systems Security performs on detected infected objects.

Contents

Kaspersky Embedded Systems Security 3.3 for Linux

Distribution kit

Hardware and software requirements

Preparing to install the application

Installing the application

Deploying the application using the command line

Installing the application using the command line

Post-installation configuration of the application in interactive mode

Selecting the locale

Viewing the End User License Agreement and the Privacy Policy

Accepting the End User License Agreement

Accepting the Privacy Policy

Using Kaspersky Security Network

Assigning the Administrator role to a user

Determining the file operation interceptor type

Enabling automatic configuration of SELinux

Configuring the update source

Configuring proxy server settings

Downloading application databases

Enabling automatic application database update

Application activation

Post-installation configuration of the application in automatic mode

Settings in the configuration file for post-installation configuration

Installing and configuring Kaspersky Security Center Network Agent

Installing Network Agent using the command line

Post-installation configuration of the Network Agent using the command line

Installing Kaspersky Embedded Systems Security administration plug-ins

About Kaspersky Embedded Systems Security MMC administration plug-in

About Kaspersky Embedded Systems Security administration web plug-in

Deploying the application using Kaspersky Security Center

Installing Kaspersky Embedded Systems Security using the Administration Console

Creating an installation package

Autoinstall.ini configuration file settings

Installing Kaspersky Embedded Systems Security using the Web Console

Creating an installation package

Installation using the Protection Deployment Wizard

Creating a remote installation task

Getting started using Kaspersky Security Center

Activating the application using Kaspersky Security Center

Running the application on Astra Linux in closed software environment mode

Configuring permissions in the SELinux system

Uninstalling the application

Uninstalling the application using the command line

Uninstalling the application using the Administration Console

Uninstalling the application using Kaspersky Security Center Web Console

Application licensing

About the End User License Agreement

About the license

About the license certificate

About the license key

About the activation code

About the key file

About subscription

Data provision

Data provided when using an activation code

Data provided when downloading updates from Kaspersky update servers

Data sent to Kaspersky Security Center

Data provided when following links in the application interface

Data provided when using Kaspersky Security Network

Managing the application using the command line

Starting and stopping the application

Displaying Help on the commands

Enabling automatic addition of kess-control commands (bash completion)

Enabling the display of events

Viewing information about the application

Description of the application commands

Using filters to limit query results

Exporting and importing application settings

Setting the application memory usage limit

User roles

Viewing a list of users and roles

Assigning a role to a user

Revoking a user role

General application settings

Description of the general application settings

Editing general application settings

Description of general container scan settings

Editing general container scan settings

Managing application tasks using the command line

Setting	Description
Scope name	Scan scope name.
Path	Path to the directory that the application scans.
Status	The status indicates whether the application scans this scope.

Setting	Description
Scan scope name	Field for entering the scan scope name. This name will be displayed in the table in the Scan scopes window. The entry field must not be blank.
Use this scope	This check box enables or disables scans of this scope by the application. If this check box is selected, the application processes this scan scope. If this check box is cleared, the application does not process this scan scope. You can later include this scope in the component settings by selecting the check box. The check box is selected by default.
File system, access protocol and path	The settings block lets you set the scan scope. You can select the file system type in the drop-down list of file systems: Local (default value) – local directories. If this item is selected, you need to indicate the path to the local directory. Mounted – Mounted remote or local directories. If this item is selected, you need to indicate the protocol or name of the file system. Shared — The protected server's file system resources accessible via the Samba or NFS protocol. All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols. All shared — All of the protected server's file system resources accessible via the Samba and NFS protocols.
	If Shared or Mounted is selected in the drop-down list of file systems, you can select the remote access protocol in the drop-down list on the right: NFS: remote directories mounted on a device using the NFS protocol. Samba: remote directories mounted on a device using the Samba protocol. Custom – resources of the device's file system specified in the field below.
	If Local is selected in the drop-down list of file systems, then in the input field you can enter a path to a directory that you want to add to the scan scope. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. The / path is specified by default – the application scans all directories of the local file system. If the Local type is selected in the drop-down list of file systems, and the path is not specified, the application scans all directories of the local file system.
Filesystem name	The field for entering the name of the file system where the directories that you want to add to the scan scope are located. The field is available if the Mounted type is selected in the drop-down list of file systems and the Custom item is selected in the drop-down list on the right.
Masks	The list contains name masks for the objects that the application scans. By default the list contains the * mask (all objects). You can add, edit, or delete masks. Clicking the Delete button removes the selected item from the table. This button is available if at least one item is selected in the table. The selected element's settings are changed in a separate window. Clicking the Add button opens a window where you can specify the new item settings.

Setting	Description
Scan archives	This check box enables or disables scan of archives. If this check box is selected, Kaspersky Embedded Systems Security scans archives. To scan an archive, the application has to unpack it first, which may slow down scanning. You can reduce the archive scan duration by enabling and configuring the Skip object if scan takes longer than (sec) and Skip objects larger than (MB) settings in the General scan settings section. If this check box is cleared, Kaspersky Embedded Systems Security does not scan archives. This check box is cleared by default.
Scan SFX archives	This check box enables or disables self-extracting archive scans. Self-extracting archives are archives that contain an executable extraction module. If this check box is selected, Kaspersky Embedded Systems Security scans self-extracting archives. If this check box is cleared, Kaspersky Embedded Systems Security does not scan self-extracting archives. This check box is available if the Scan archives check box is unchecked. This check box is cleared by default.
Scan mail databases	This check box enables or disables scans of mail databases of Microsoft Outlook, Outlook Express, The Bat!, and other mail applications. If this check box is selected, Kaspersky Embedded Systems Security scans mail database files. If this check box is cleared, Kaspersky Embedded Systems Security does not scan mail database files. This check box is cleared by default.
Scan mail format files	This check box enables or disables scan of files of plain-text email messages. If this check box is selected, Kaspersky Embedded Systems Security scans plain-text messages. If this check box is cleared, Kaspersky Embedded Systems Security does not scan plain-text messages. This check box is cleared by default.
Skip text files	Temporary exclusion of files in text format from scans. If the checkbox is selected, Kaspersky Embedded Systems Security does not scan text files if they are reused by the same process for 10 minutes after the most recent scan. This setting makes it possible to optimize scans of application logs. If this check box is unselected, Kaspersky Embedded Systems Security scans text files. This check box is cleared by default.
Skip object if scan takes longer than (sec)	A field for specifying the maximum time to scan an object, in seconds. After the specified time is reached, Kaspersky Embedded Systems Security stops scanning the object. Available values: 0–9999. If the value is set to 0, the scan time is unlimited. Default value: 60.
Skip objects larger than (MB)	The field for specifying the maximum size of an archive to scan, in megabytes. Available values: 0–999999. If the value is set to 0, Kaspersky Embedded Systems Security scans objects of any size. Default value: 0.
Log clean objects	This check box enables or disables the logging of ObjectProcessed type events. If this check box is selected, Kaspersky Embedded Systems Security logs ObjectProcessed type events for all scanned objects. If this check box is cleared, Kaspersky Embedded Systems Security does not log ObjectProcessed type events. This check box is cleared by default.
Log unprocessed objects	This check box enables or disables the logging ObjectNotProcessed type events if a file cannot be processed during a scan. If this check box is selected, Kaspersky Embedded Systems Security logs ObjectNotProcessed type events. If this check box is cleared, Kaspersky Embedded Systems Security does not log ObjectNotProcessed type events. This check box is cleared by default.
Log packed objects	This check box enables or disables the logging of PackedObjectDetected type events for all packed objects that are detected. If this check box is selected, Kaspersky Embedded Systems Security logs PackedObjectDetected type events. If this check box is cleared, Kaspersky Embedded Systems Security does not log PackedObjectDetected type events. This check box is cleared by default.
Use iChecker technology	This check box enables or disables scan of only new and modified since the last scan files. If the check box is selected, Kaspersky Embedded Systems Security scans only new or modified since the last scan files. If the check box is cleared, Kaspersky Embedded Systems Security scans files regardless to the date of creation or modification. The check box is selected by default.
Use heuristic analysis	This check box enables or disables heuristic analysis during file scans. The check box is selected by default.
Heuristic analysis level	If the Use heuristic analysis check box is selected, you can select the heuristic analysis level in the drop-down list: Light is the least detailed scan with minimal system load. Medium is a medium scan with balanced system load. Deep is the most detailed scan with maximum system load. Recommended (default value) is the optimal level recommended by Kaspersky experts. It ensures an optimal combination of protection quality and impact on the performance of the protected devices.

Group of settings	Description
Exclusions	This group of settings contains the Configure button. Clicking this button opens the Exclusion scopes window. In this window, you can define the list of scopes to be excluded from scans.
Exclusions by mask	This group of settings contains the Configure button, which opens the Exclusions by mask window. In this window, you can configure the exclusion of objects from scans by name mask.
Exclusions by threat name	This group of settings contains the Configure button, which opens the Exclusions by threat name window. In this window, you can configure the exclusion of objects from scans based on threat name.

Setting	Description
Exclusion scope name	Exclusion scope name.
Path	Path to the directory excluded from scan.
Status	The status indicates whether the application uses this exclusion.

Setting	Description
Enable Firewall Management	This check box enables or disables Firewall Management. The check box is selected by default.
Network packet rules	This group of settings contains the Configure button. Clicking this button opens the Network packet rules window. In this window, you can configure network packet rules that are applied by the Firewall Management component when it detects the network connection attempt.
Available networks	This group of settings contains the Configure button. Clicking this button opens the List of available networks window. In this window, you can configure the list of networks that the Firewall Management component will monitor.
Incoming connections	In this drop-down list, you can select the action to be performed for incoming network connections: Allow network connections (default value). Block network connections.
Incoming packets	In this drop-down list you can select the action to be performed for incoming packets: Allow incoming packets (default value). Block incoming packets.
Always add allowing rules for Network Agent ports	This check box enables or disables automatic adding allowing rules for Network Agent ports. The check box is selected by default.

Setting	Description
Name	Network packet rule name.
Action	Action to be performed by Firewall Management when it detects the network activity.
Local address	Network addresses of devices that have Kaspersky Embedded Systems Security installed and can send and/or receive network packets.
Remote address	Network addresses of remote devices that can send and/or receive network packets.
Logging	This column shows if the application logs actions of the network packet rule. If the value is Yes, the application logs the actions of the network packet rule. If the value is No, the application does not log the actions of the network packet rule.

Setting	Description
Protocol	You can select the type of data transfer protocol for which you want to monitor network activity: Any (default value) GRE ICMP ICMPv6 IGMP TCP UDP
Direction	You can specify the direction of network activity being monitored: Incoming packets. If this option is selected, the Firewall Management component monitors incoming packets. Incoming. If this option is selected, the Firewall Management component monitors incoming network activity. Incoming/Outgoing. If this option is selected, the Firewall Management component monitors both incoming and outgoing network activity. Incoming/Outgoing packets. If this option is selected, the Firewall Management component monitors both incoming and outgoing packets. Outgoing packets. If this option is selected, the Firewall Management component monitors outgoing packets. Outgoing. If this option is selected, the Firewall Management component monitors outgoing network activity.
ICMP type	You can specify the ICMP type. The Firewall Management component monitors messages of the specified type sent by the host or gateway. If the Specified option is selected, the field for entering the ICMP type will be displayed. This window is displayed if the ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list.
ICMP code	You can specify the ICMP code. The Firewall Management component monitors messages of the type specified in the ICMP type field, with the code specified in the ICMP code field, and sent by the host or gateway. If the Specified option is selected, the field for entering the ICMP code will be displayed. This window is displayed if the ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list.
Remote ports	You can specify the port numbers of the remote devices between which the connection is to be monitored. If the Specified option is selected, the field for entering the port numbers will be displayed. This window is displayed only if TCP or UDP data transfer protocol is selected in the Protocol drop-down list.
Local ports	You can specify the port numbers of the local devices between which the connection is to be monitored. If the Specified option is selected, the field for entering the port numbers will be displayed. This window is displayed only if TCP or UDP data transfer protocol is selected in the Protocol drop-down list.
Remote addresses	You can specify the network addresses of the remote devices that can send and receive network packets: Any address (default value). If this item is selected, the network rule controls network packets sent and/or received by remote devices with any IP address. Specified address. If this item is selected, the network rule controls the sending and receiving of network packets by remote devices with the IP addresses that are specified in the field below. By network type. If this item is selected, the network rule controls network packets sent and received by remote devices with the IP addresses associated with the selected network type: Public networks, Local networks, or Trusted networks.
Local addresses	You can specify the network addresses of the devices with Kaspersky Embedded Systems Security installed that can send and receive network packets: Any address (default value). If this option is selected, the network rule controls network packets sent and/or received by the devices with Kaspersky Embedded Systems Security installed regardless of their IP address. Specified address. If this option is selected, the network rule controls the network addresses of devices with Kaspersky Embedded Systems Security installed that can send and receive network packets. These network addresses are specified in the field below.
Action	You can select an action to be performed by the Firewall Management component when it detects network activity: Block network activity. Allow network activity (default value).
Logging	You can specify whether the actions of the network rule will be logged in the report.
Rule name	The field for entering the name of the network packet rule.

Setting	Description
IP address	Network IP address.
Network type	Network type (Public network, Local network, or Trusted network).

Setting	Description
Enable Web Threat Protection	This check box enables or disables Web Threat Protection. This check box is cleared by default.
Trusted web addresses	This group of settings contains the Configure button, which opens the Trusted web addresses window, where you can specify the list of trusted web addresses. Kaspersky Embedded Systems Security will not scan the contents of websites whose web addresses are included in this list.
Action on threat detection	Action that the application performs on a web resource where a dangerous object is detected: Block access to all dangerous objects detected in web traffic, display a notification about the blocked access attempts, and log information about the dangerous objects (default value). Inform the user when a dangerous object is detected in web traffic. Web Threat Protection allows this object to be downloaded to the device. At that, the application logs the information about the dangerous object and adds it to the list of active threats.
Scan settings	This group of settings contains the Configure button, which opens the Scan settings window, where you can configure the settings for scanning incoming traffic.