Kaspersky Embedded Systems Security for Linux
[Topic 201932]

Starting and stopping the application

By default, Kaspersky Embedded Systems Security starts automatically when the operating system is booted (at the default level of execution for each operating system). The application starts all service tasks as well as user tasks with starting mode set to PS in the schedule settings.

If you stop the application, all running tasks will be interrupted. After restarting the application, paused user tasks are not resumed automatically. Only user tasks with starting mode set to PS in the schedule settings are restarted.

To run the application, the root account must be the owner of the following directories and only the owner must have write access to them: /var, /var/opt, /var/opt/kaspersky, /var/log/kaspersky, /opt, /opt/kaspersky, /usr/bin, /usr/lib, /usr/lib64.
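The precondition above can be checked before the service is started. The following is an added example, not part of the vendor documentation: the function names are hypothetical, and it assumes a Linux `stat` that supports `-L` and `-c` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example (not vendor code): verify that every documented directory is
# owned by root and writable by its owner only.

# Directory list copied from the paragraph above.
KESS_DIRS="/var /var/opt /var/opt/kaspersky /var/log/kaspersky /opt /opt/kaspersky /usr/bin /usr/lib /usr/lib64"

# check_dir DIR [UID]
#   returns 0 - DIR is owned by UID (default 0, root) and only the owner can write
#   returns 1 - wrong owner, or the group/other write bit is set
#   returns 2 - DIR does not exist or cannot be inspected
check_dir() {
    cd_dir=$1
    cd_want_uid=${2:-0}
    [ -d "$cd_dir" ] || { echo "MISSING $cd_dir"; return 2; }
    # -L: judge the target directory when the path is a symlink.
    cd_uid=$(stat -L -c '%u' "$cd_dir") || return 2
    cd_mode=$(stat -L -c '%a' "$cd_dir") || return 2
    cd_rc=0
    if [ "$cd_uid" != "$cd_want_uid" ]; then
        echo "OWNER   $cd_dir uid=$cd_uid (expected $cd_want_uid)"
        cd_rc=1
    fi
    # Octal mode: second-to-last digit = group, last digit = others.
    # Digits 2, 3, 6 and 7 carry the write bit.
    case $cd_mode in
        *[2367]?|*[2367])
            echo "WRITE   $cd_dir mode=$cd_mode (group or others can write)"
            cd_rc=1 ;;
    esac
    [ "$cd_rc" -eq 0 ] && echo "OK      $cd_dir mode=$cd_mode"
    return "$cd_rc"
}

# audit_kess_dirs: check every documented directory.
# Returns the number of directories that failed (0 = precondition met).
audit_kess_dirs() {
    ak_failed=0
    for ak_dir in $KESS_DIRS; do
        check_dir "$ak_dir" || ak_failed=$((ak_failed + 1))
    done
    return "$ak_failed"
}

audit_kess_dirs || echo "$? of the documented directories need attention"
```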

Starting, restarting, and stopping Kaspersky Embedded Systems Security

To start the application in systemd, execute the following command:

systemctl start kess

To stop the application in systemd, execute the following command:

systemctl stop kess

To restart the application in systemd, execute the following command:

systemctl restart kess

To start the application in the system without systemd, execute the following command:

/etc/init.d/kess start

To stop the application in the system without systemd, execute the following command:

/etc/init.d/kess stop

To restart the application in the system without systemd, execute the following command:

/etc/init.d/kess restart

Monitoring the status of Kaspersky Embedded Systems Security

The Kaspersky Embedded Systems Security status is monitored by the watchdog service. The watchdog service is automatically launched when the application starts.

In the event of an application crash, a dump file is generated and the application is restarted automatically.

To display the application status in systemd, execute the following command:

systemctl status kess

To display the application status in the system without systemd, execute the following command:

/etc/init.d/kess status


[Topic 197929]

Displaying Help on the commands

The kess-control --help <set of application commands> command displays help for the application commands.

Command syntax

kess-control --help [<set of application commands>]

<set of application commands>

Available values:

-T – Commands for managing tasks and general application settings.

-C – Commands for managing general container scan settings.

-N – Commands for managing encrypted connections scan settings.

-L – Commands for managing the Licensing task.

-E – Commands for managing application events.

-B – Commands for managing the Storage Management task.

-F – Commands for managing the Firewall Management task.

-H – Commands for managing the Anti-Cryptor task.

-D – Commands for managing the Device Control task.

-A – Commands for managing the Application Control task.

-U – Commands for managing users and user roles.

-S – Statistical commands.

-W – Display events.

[Topic 245711]

Enabling automatic addition of kess-control commands (bash completion)

The bash shell can complete kess-control commands automatically (bash completion).

To enable automatic addition of kess-control commands in the current bash shell session, run the following command:

source /opt/kaspersky/kess/shared/bash_completion.sh

To enable automatic addition for all new bash shell sessions, run the following command:

echo "source /opt/kaspersky/kess/shared/bash_completion.sh" >> ~/.bashrc

[Topic 238601]

Enabling the display of events

The kess-control -W command enables display of the current application events. The command returns the name of the event and additional information about the event.

You can use this command either separately to display all current application events or together with the kess-control --start-task command to display only events related to the running task.

You can also use the kess-control -W command with the --query flag to specify filter conditions to display specific events.

Command syntax

kess-control -W

Examples:

Enable the display of current application events:

kess-control -W

Enable display of the current events of the task with ID=1:

kess-control --start-task 1 -W

Enable display of the current events of the TaskStateChanged type:

kess-control -W --query "EventType == 'TaskStateChanged'"


[Topic 197937]

Viewing information about the application

The kess-control --app-info command displays information about the application.

Command syntax

kess-control [-S] --app-info [--json]

Result of command execution:

  • Name. Application names.
  • Version. Current application version.
  • Policy. Indicates whether the Kaspersky Security Center policy is applied.
  • License information. License information or license key status.
  • Subscription status. Subscription status. This field is displayed if the application is started under a subscription.
  • License expiration date. Date and time when the license expires, in UTC.
  • Storage status. Storage status.
  • Storage space usage. Storage size.
  • Last run date of the Scan_My_Computer task. Time of the last Malware Scan task.
  • Date when the application databases were last released. Date and time the application databases were last released.
  • Application databases. Displays whether the application databases have been downloaded.
  • Kaspersky Security Network settings. Information about Kaspersky Security Network use.
  • File Threat Protection. Status of the File Threat Protection task.
  • Container monitoring. Displays information about container scan settings.
  • System Integrity Monitoring. Status of the System Integrity Monitoring task.
  • Firewall Management. Status of the Firewall Management task.
  • Anti-Cryptor. Status of the Anti-Cryptor task.
  • Web Threat Protection. Status of the Web Threat Protection task.
  • Device Control. Status of the Device Control task.
  • Removable Drives Scan. Status of the Removable Drives Scan task.
  • Network Threat Protection. Status of the Network Threat Protection task.
  • Behavior Detection. Status of the Behavior Detection task.
  • Application Control. Status of the Application Control task.
  • Application update status. Displays application update actions and the actions to be performed by the user.
  • Unstable application operation. Information about application failure and dump file creation is displayed. This field is displayed if a failure occurred the last time the application was launched.


[Topic 246692]

Description of the application commands

Displaying Help on application commands

--help – displays Help on application commands.

Displaying application events

-W – enables the display of application events.

Statistics commands

-S is a prefix indicating that the command belongs to the statistics command group.

[-S] --app-info – displays information about the application.

[-S] --omsinfo --file <file name and path> – creates a JSON file for integration with Microsoft Operations Management Suite.

Commands for managing application tasks and settings

-T is a prefix indicating that the command belongs to the group of commands for managing application settings and tasks.

[-T] --get-app-settings --file <file name and path> – displays the general application settings.

[-T] --set-app-settings --file <file name and path> – sets the general application settings.

[-T] --export-settings --file <full path to the configuration file> – exports the application settings to the configuration file.

[-T] --import-settings --file <full path to the configuration file> – imports the application settings from the configuration file.

[-T] --update-application – updates the application.

[-T] --get-task-list – displays a list of existing application tasks.

[-T] --get-task-state <task ID>|<task name> – displays the status of the specified task.

[-T] --create-task <task name> --type <task type> --file <file name and path> – creates a task of the specified type and imports the settings from the specified configuration file into the task.

[-T] --delete-task <task ID>|<task name> – deletes the task.

[-T] --start-task <task ID>|<task name> [-W] [--progress] – starts the task.

[-T] --stop-task <task ID>|<task name> – stops the task.

[-T] --suspend-task <task ID>|<task name> – pauses the task. The Update task cannot be paused.

[-T] --resume-task <task ID>|<task name> – resumes the task. The Update task cannot be resumed.

[-T] --scan-file <path> [--action <action>] – creates and starts a temporary Custom scan task (task name: Scan_File, task ID – 3).

[-T] --scan-container <container|image[:tag]> – creates a temporary Custom Container Scan task (task name: Custom_Container_Scan, task ID – 19). After the scan is complete, the temporary task is automatically deleted.

[-T] --get-settings <task ID>|<task name> --file <file name and directory> – displays the task settings.

[-T] --set-settings <task ID>|<task name> [<parameters>] [--file <file name and directory>] [--add-path <path>] [--del-path <path>] [--add-exclusion <exclusion>] [--del-exclusion <exclusion>] – sets the task settings.

[-T] --set-settings [<task ID>|<task name>] --set-to-default – restores the task settings to their default values.

[-T] --set-schedule <task ID>|<task name> --file <file name and path> – sets the task schedule settings or imports them into the task from the configuration file.

[-T] --get-schedule <task ID>|<task name> --file <file name and path> – displays the task schedule settings or saves them to the configuration file.

Commands for managing container scan settings

-C is a prefix indicating that the command belongs to the group of commands for managing container scan settings.

[-C] --get-container-settings --file <file name and path> – displays the general container scan settings.

[-C] --set-container-settings --file <file name and path> – sets the general container scan settings.

Commands for managing encrypted connections scan settings

-N is a prefix indicating that the command belongs to the group of commands for managing encrypted connections scan settings.

-N --query user – displays a list of encrypted connections scan exclusions added by the user.

-N --query auto – displays a list of encrypted connections scan exclusions added by the application.

-N --query kl – displays a list of encrypted connections scan exclusions received from Kaspersky databases.

-N --clear-web-auto-excluded – clears the list of domains that the application automatically excluded from encrypted connections scan.

[-N] {--get-net-settings} [--file <file name and path>] – saves encrypted connection scan settings to an INI file.

[-N] {--set-net-settings} [--file <file name and path>] – sets encrypted connection scan settings.

[-N] --add-certificate --file <path to certificate file> – adds a certificate to the trusted certificate list.

[-N] --remove-certificate <certificate subject> – removes a certificate from the trusted certificate list.

[-N] --list-certificates – displays the trusted certificate list.

Commands for managing users and roles

-U is a prefix indicating that the command belongs to the group of commands for managing users and roles.

[-U] --get-user-list – displays a list of users and roles.

[-U] --grant-role <role> <user> – grants a role to a specified user.

[-U] --revoke-role <role> <user> – revokes a role from a specified user.

Licensing commands

-L is a prefix indicating that the command belongs to the group of commands used to manage license keys.

[-L] --add-active-key <activation code>|<key file> – adds an active key.

[-L] --add-reserve-key <activation code>|<key file> – adds a reserve key.

[-L] --remove-active-key – removes the active key.

[-L] --remove-reserve-key – removes the reserve key.

-L --query – displays information about the license key.

Commands for managing the Firewall Management task

-F is a prefix indicating that the command belongs to the group of commands for managing the Firewall Management task.

[-F] --add-rule [--name <string>] [--action <action>] [--protocol <protocol>] [--direction <directory>] [--remote <remote>] [--local <local>] [--at <index>] – adds a new rule.

[-F] --del-rule [--name <string>] [--index <index>] – deletes a rule.

[-F] --move-rule [--name <string>] [--index <index>] [--at <index>] – changes the rule priority.

[-F] --add-zone [--zone <zone>] [--address <address>] – adds an IP address to the zone.

[-F] --del-zone [--zone <zone>] [--address <address>] [--index <index>] – deletes an IP address from the zone.

-F --query – displays information about the task.

Commands for managing the Anti-Cryptor task

-H is a prefix indicating that the command belongs to the group of commands for managing the Anti-Cryptor task.

[-H] --get-blocked-hosts – displays a list of blocked computers.

[-H] --allow-hosts – unblocks untrusted devices.

Commands for managing Device Control tasks

-D is a prefix indicating that the command belongs to the Device Control group of commands.

[-D] --get-device-list – displays a list of devices connected to the computer.

Commands for managing the Application Control task

-A is a prefix indicating that the command belongs to the Application Control group of commands.

[-A] --get-app-list – displays the list of applications detected on the computer while executing the Inventory Scan task.

[-A] --get-categories – displays a list of created Application Control categories.

Commands for managing the Storage

-B is a prefix indicating that the command belongs to the group of commands used to manage the Storage.

[-B] --mass-remove --query – clears the Storage completely or selectively.

-B --query <filter> – displays information about the objects in the Storage that match the filter conditions.

[-B] --restore <object ID> --file <file name and path> – restores an object from Storage.

Commands used to manage the event log

-E is a prefix indicating that the command belongs to the group of commands used to manage the event log.

-E --query <filter> --db <database file> -n <number> --file <file name and path> [--json] – outputs information about events that match filter conditions from the event log database to the specified file.

Where:

<number> – number of the latest events of the selection (number of records from the end of the selection) to be displayed.

<filter> – filter conditions to limit the query results.

<file name and path> – name and path of the file where you want to save the events.

<database file> – name and path to the event log database file.

[Topic 245716]

Using filters to limit query results

You can use a filter to limit the query results for the following commands:

You can use multiple logical expressions to specify a filter by combining them using the AND operator. Logical expressions must be enclosed in quotation marks.

Syntax

"<field> <comparison operator> '<value>'"

"<field> <comparison operator> '<value>' and <field> <comparison operator> '<value>'"

Comparison operators

Comparison operator – Description

> – Greater than

< – Less than

like – Matches the specified value (when specifying the value, you can use masks %, see the example below)

== – Equal to

!= – Not equal to

>= – Greater than or equal to

<= – Less than or equal to

Examples:

Get information about files in the Storage that have the High severity level:

kess-control -B --query "DangerLevel == 'High'"

Get information about events that contain the text "etc" in the FileName field:

kess-control -E --query "FileName like '%etc%'"

Get events of the ThreatDetected type:

kess-control -E --query "EventType == 'ThreatDetected'"

Output ThreatDetected events generated by ODS tasks:

kess-control -E --query "EventType == 'ThreatDetected' and TaskType == 'ODS'"

Get events generated after the date specified in the UNIX time stamp system (the number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970):

kess-control -E --query "Date > '1583425000'"

Get events generated after the date specified in YYYY-MM-DD hh:mm:ss format:

kess-control -E --query "Date > '2022-12-22 18:52:45'"


[Topic 201938]

Exporting and importing application settings

Kaspersky Embedded Systems Security allows you to export and import all application settings for troubleshooting, verifying settings, or simplifying the application's configuration on other user devices.

When you export settings, all application and task settings are saved to a configuration file. This configuration file is used to import the application's configuration settings.

The application must be launched when settings are imported or exported. After the settings are imported, the application must be restarted.

When importing or exporting settings from an older application version, new settings are set to default values. Importing settings to an older application version is not supported.

Export settings

The kess-control --export-settings command is for exporting settings.

Command syntax

kess-control --export-settings --file <configuration file path> [--json]

Arguments and keys

--file <configuration file path> – full path to the configuration file where the application settings will be saved.

--json – format of the configuration file where the application settings will be saved. If a file format is not specified, the settings will be exported to an INI file.

Import settings

The kess-control --import-settings command is for importing settings.

If the application is managed via Kaspersky Security Center, importing settings is not supported.

Command syntax

kess-control --import-settings --file <configuration file path> [--json]

Arguments and keys

--file <configuration file path> – full path to the configuration file from which the application settings will be imported.

--json – format of the configuration file from which the application settings will be imported. If a file format is not specified, the application attempts to import settings from an INI file. If the import fails, an error is displayed.

When you import application settings, the UseKSN setting is set to No. To start or resume the Kaspersky Security Network usage, specify UseKSN=Basic or UseKSN=Extended.

After application settings are imported, internal task IDs may change. It is recommended to use task names to manage them.


[Topic 234826]

Setting the application memory usage limit

You can specify the memory usage limit for Kaspersky Embedded Systems Security during scan tasks (ODS and OAS), in megabytes.

This setting limits only the amount of memory used when scanning files. That means that the total amount of memory required by the application can be more than the value of this setting.

The minimum value is 2 MB. Default value is 8192 MB. If the specified value is less than 2 MB, then the application uses the minimum value (2 MB). If the specified value is greater than the amount of RAM, then the application will use only 25% of the RAM. This value cannot be changed.

To specify a limit on memory use when scanning files:

  1. Stop Kaspersky Embedded Systems Security.
  2. Open the /var/opt/kaspersky/kess/common/kess.ini file for editing.
  3. Add the following setting to the [General] section:

    ScanMemoryLimit=<amount of memory in megabytes>

  4. Start Kaspersky Embedded Systems Security.

The new memory usage limit for scanning files will be in effect after the application starts.
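The four steps above as one script, in an added example that is not part of the vendor documentation. The function names are hypothetical; the script assumes a systemd host, root privileges, and that kess.ini uses plain `Key=Value` lines under `[Section]` headers.

```shell
#!/bin/sh
# Added example (not vendor code): set ScanMemoryLimit with the documented
# stop / edit / start procedure.
KESS_INI=/var/opt/kaspersky/kess/common/kess.ini   # path from step 2

# effective_scan_limit REQUESTED_MB RAM_MB
# Prints the limit the application will actually use, per the rules above:
# values below 2 MB become 2 MB, values above installed RAM become 25% of RAM.
effective_scan_limit() {
    if [ "$1" -lt 2 ]; then echo 2
    elif [ "$1" -gt "$2" ]; then echo $(( $2 * 25 / 100 ))
    else echo "$1"
    fi
}

# set_ini_key FILE SECTION KEY VALUE
# Writes KEY=VALUE directly under [SECTION] and drops any earlier KEY line in
# that section. Appends the section if the file does not contain it.
set_ini_key() {
    si_file=$1
    si_tmp=$(mktemp) || return 1
    if awk -v sec="[$2]" -v key="$3" -v val="$4" '
        { line = $0; sub(/[ \t\r]+$/, "", line) }
        line ~ /^\[/ {
            in_sec = (line == sec)
            print
            if (in_sec && !done) { print key "=" val; done = 1 }
            next
        }
        in_sec && index(line, key "=") == 1 { next }   # old value
        { print }
        END { if (!done) { print sec; print key "=" val } }
    ' "$si_file" > "$si_tmp"; then
        cat "$si_tmp" > "$si_file"   # overwrite in place: keeps owner and mode
        si_rc=$?
    else
        si_rc=1
    fi
    rm -f "$si_tmp"
    return "$si_rc"
}

# apply_scan_memory_limit MB: steps 1 to 4. Run as root.
apply_scan_memory_limit() {
    case $1 in
        ''|*[!0-9]*) echo "limit must be a whole number of MB" >&2; return 1 ;;
    esac
    am_ram=$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo)
    echo "requested $1 MB, effective $(effective_scan_limit "$1" "$am_ram") MB"
    systemctl stop kess || return 1
    am_rc=0
    set_ini_key "$KESS_INI" General ScanMemoryLimit "$1" || am_rc=$?
    # Start the service even if the edit failed, so protection is not left off.
    systemctl start kess || am_rc=1
    return "$am_rc"
}

# Usage: sh set-scan-limit.sh <megabytes>
if [ -n "${1:-}" ]; then apply_scan_memory_limit "$1"; fi
```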

[Topic 197939]

User roles

Access to Kaspersky Embedded Systems Security functions is provided to users in accordance with their roles. A role is a set of rights and privileges for managing the application.

The four groups of system users are created in the operating system: kessadmin, kessuser, kessaudit, and nokess. When you assign an application role to a system user, the user is added to the corresponding group of roles (see the Roles table below). When you revoke a role from a user, this user is removed from the corresponding group of roles.

If no application role is assigned to a system user, that user belongs to a separate group of users without rights.

Thus, the roles correspond to the four groups of operating system users:

  • kessadmin – the Administrator role
  • kessuser – the User role
  • kessaudit – the Auditor role
  • nokess is assigned to a user if no other roles are assigned. In this case, the user belongs to a separate group of users without privileges

The table below describes the application roles and their permissions.

User roles

Role name: Administrator
Role in application: admin
OS user: kessadmin
Permissions:

  • Manage all application and task settings.
  • Manage application licensing.
  • Assigning roles to users.
  • Revoking user roles (the administrator has no right to revoke the admin role from himself).
  • View and manage users' Storages.

Role name: User
Role in application: user
OS user: kessuser
Permissions:

  • Manage only Scan_File tasks.
  • Start and stop Update tasks.
  • View reports for the tasks created by this user.
  • View specific events that are common for all application users.

Role name: Auditor
Role in application: audit
OS user: kessaudit
Permissions:

  • Viewing application settings.
  • View application status.
  • View all tasks, their settings, and start schedules.
  • View all events.
  • View all objects in the Storage.

nokess – No role is assigned in the application, no permissions.

In this section

Viewing a list of users and roles

Assigning a role to a user

Revoking a user role

[Topic 197942]

Viewing a list of users and roles

To view a list of users and their roles, execute the following command:

kess-control [-U] --get-user-list

[Topic 197944]

Assigning a role to a user

To assign a role to a specific user, execute the following command:

kess-control [-U] --grant-role <role> <user>

Example:

To assign the audit role to the user test15:

kess-control --grant-role audit test15


[Topic 197945]

Revoking a user role

To revoke a role from a specific user, execute the following command:

kess-control [-U] --revoke-role <role> <user>

Example:

To revoke the audit role from the user test15:

kess-control --revoke-role audit test15


[Topic 197946]

General application settings

This section contains information about commands for managing general application settings and container scan settings.

In this section

Description of the general application settings

Editing general application settings

Description of general container scan settings

Editing general container scan settings

[Topic 201954]

Description of the general application settings

This section describes the values of the general settings of the Kaspersky Embedded Systems Security configuration file (see the table below).

General application settings

Setting

Description

Values

SambaConfigPath

Directory that stores the Samba configuration file. The Samba configuration file is required to ensure that the AllShared or Shared:SMB values can be used for the Path setting.

The standard directory of the SAMBA configuration file on the computer is specified by default.

Default value: /etc/samba/smb.conf.

The application must be restarted after this setting is changed.

NfsExportPath

The directory where the NFS configuration file is stored. The NFS configuration file is required to ensure that the AllShared or Shared:NFS values can be used for the Path setting.

The standard directory of the NFS configuration file on the computer is specified by default.

Default value: /etc/exports.

The application must be restarted after this setting is changed.

TraceLevel

Enables trace file generation and specifies the level of detail of the trace file.

Detailed – Generate a detailed trace file.

MediumDetailed – Generate a trace file that contains informational messages and error messages.

NotDetailed – Generate a trace file that contains error messages.

None (default value) — Do not generate a trace file.

TraceFolder

The directory that stores the application's trace files. Trace files contain information about the operating system, and may also contain personal data.

Default value: /var/log/kaspersky/kess.

If you specify a different directory, make sure that the account under which Kaspersky Embedded Systems Security is running has read/write permissions for this directory. Root privileges are required to access the default trace files directory.

The application must be restarted after this setting is changed.

TraceMaxFileCount

Maximum number of application trace files.

1–10000

Default value: 10.

The application must be restarted after this setting is changed.

TraceMaxFileSize

Specifies the maximum size of an application trace file (in megabytes).

1–1000

Default value: 500.

The application must be restarted after this setting is changed.

BlockFilesGreaterMaxFileNamePath

Blocks access to files for which the full path length exceeds the defined settings value specified in bytes. If the length of the full path to the scanned file exceeds the value of this setting, scan tasks skip this file during scanning.

This setting is not available for operating systems that use the fanotify technology.

4096–33554432

Default value: 16384.

After changing the value of this setting, the File Threat Protection task needs to be restarted.

DetectOtherObjects

Enables detection of legitimate software that could be used by intruders to harm computers or user data.

Yes — Enable detection of legitimate software that could be used by intruders to harm computers or user data.

No (default value) — Disable detection of legitimate software that could be used by intruders to harm computers or user data.

NamespaceMonitoring

Enable scanning of namespaces and containers.

Yes (default value) — Enable scanning of namespaces and containers.

No — Disable scanning of namespaces and containers.

InterceptorProtectionMode

File interceptor mode when executing tasks that use the file operation interceptor (File Threat Protection, Anti-Cryptor, Device Control, Removable Drives Scan).

This setting affects the execution of File Threat Protection, Device Control and Removable Drive Scan.

Block (default value) – block the files while they are being scanned by the task that uses the file interceptor. A request to any file has to wait for scan results. When detecting infected objects, the application performs the actions specified in the FirstAction and SecondAction settings of the File Threat Protection task.

Notify — do not block the files while they are being scanned by the task that uses the file interceptor. Requests to any file are allowed, and scanning is done asynchronously. When detecting infected objects, the application only records the event in the event log. The actions specified in the FirstAction and SecondAction settings of the File Threat Protection task are skipped.

If the Notify value is selected, the protection level of your device is reduced.

UseKSN

Enabling Kaspersky Security Network usage:

Basic — enable the Kaspersky Security Network usage without sending statistics.

Extended — Enable Kaspersky Security Network usage and send statistics.

No (default value) — disable the Kaspersky Security Network usage.

UseProxy

Enables use of a proxy server by Kaspersky Embedded Systems Security components. A proxy server can be used to communicate with Kaspersky Security Network, to activate the application, and when updating application databases and modules.

Yes - enable the use of a proxy server.

No (default) - Disable the use of a proxy server.

ProxyServer

Proxy server settings in the format [user[:password]@]host[:port].

When connecting via an HTTP proxy, we recommend using a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.

MaxEventsNumber

The maximum number of events stored by the application. When the specified number of events is exceeded, the application deletes the oldest events.

Default value: 500000.

If 0 is specified, events are not saved.

LimitNumberOfScanFileTasks

The maximum number of Scan_File tasks that a non-privileged user can simultaneously start on a device. This setting does not limit the number of tasks that a user with root privileges can start.

0–4294967295

Default value: 0.

If 0 is specified, a non-privileged user cannot start Scan_File tasks.

If you installed the graphical user interface package when installing the application, the LimitNumberOfScanFileTasks setting has the default value 5.

UseSyslog

Enable logging of information about events to syslog.

Root privileges are required to access syslog.

Yes — Enable logging of information about events to syslog.

No (default value) — Disable logging of information about events to syslog.

EventsStoragePath

The database directory where the application saves information about events.

Root privileges are required to access the default event database.

Default value: /var/opt/kaspersky/kess/private/storage/events.db.

ExcludedMountPoint.item_#

The mount point to be excluded from the scan scope for tasks that use a file operation interceptor (File Threat Protection and Anti-Cryptor). You can specify several mount points to be excluded from scans.

Mount points must be specified in the same way as they are displayed in the mount command output.

The ExcludedMountPoint.item_# setting is left unspecified by default.

AllRemoteMounted — Exclude all remote directories mounted on the device using SMB and NFS protocols from file operation interception.

Mounted:NFS — Exclude all remote directories mounted on the device using the NFS protocol from file operation interception.

Mounted:SMB — Exclude all remote directories mounted on the device using the SMB protocol from file operation interception.

Mounted:<file system type> — Exclude all mounted directories with the specified file system type from file operation interception.

/mnt — Exclude objects in the /mnt mount point (including subdirectories) from file operation interception. This directory is used as the temporary mount point for removable drives.

<path that contains the /mnt/user* or /mnt/**/user_share> — Exclude objects in mount points whose names contain the specified mask from file operation interception.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

MemScanExcludedProgramPath.item_#

Exclude process memory from scans.

The application does not scan the memory of the indicated process.

<full path to process> – Do not scan the process in the indicated local directory. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.


[Topic 247312]

Editing general application settings

Root privileges are required to change application settings.

To edit the general application settings:

  1. Save the general application settings to the configuration file using the --get-app-settings command:

    kess-control [-T] --get-app-settings --file <configuration file path>

  2. Open the created configuration file, edit the necessary settings, and save the changes.
  3. Import the settings from the configuration file into the application using the --set-app-settings command:

    kess-control [-T] --set-app-settings --file <configuration file path>

    To enable use of Kaspersky Security Network, run the kess-control --set-app-settings command with the --accept-ksn flag as follows:

    kess-control --set-app-settings UseKSN=Basic|Extended --accept-ksn

Kaspersky Embedded Systems Security applies the new values of the settings after restart.

You can use the created configuration file to import the settings into the application installed on another device.

The kess-control --get-app-settings command

The kess-control --get-app-settings command displays the general application settings. You can also use this command to export the general application settings to a configuration file.

Command syntax

kess-control [-T] --get-app-settings [--file <configuration file path>] [--json]

Arguments and keys

--file <configuration file path> – path to the configuration file where the application settings will be saved. If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the configuration file will not be created. If you do not specify the --file option, the general application settings will be displayed on the console.

--json – format of the configuration file where the application settings will be saved. If a file format is not specified, the settings will be exported to an INI file.

Example:

Export the general application settings to a file named kess_config.ini. Save the created file in the current directory:

kess-control --get-app-settings --file kess_config.ini

The kess-control --set-app-settings command

The kess-control --set-app-settings command sets the general application settings using the command options or imports the general application settings from the specified configuration file.

Command syntax

kess-control [-T] --set-app-settings <setting name>=<setting value> <setting name>=<setting value>

kess-control [-T] --set-app-settings --file <configuration file path> [--json]

Arguments and keys

--file <configuration file path> – full path to the configuration file to import the settings into the application.

--json – format of the configuration file to import the settings into the application. If a file format is not specified, the application attempts to import settings from an INI file. If the import fails, an error is displayed.

Examples:

Import general settings into the application from the configuration file /home/test/kess_config.ini:

kess-control --set-app-settings --file /home/test/kess_config.ini

Set the detail level for the trace file to low:

kess-control --set-app-settings TraceLevel=NotDetailed

Add a mount point to be excluded from scan scope by tasks that use a file operation interceptor (File Threat Protection and Anti-Cryptor):

kess-control --set-app-settings ExcludedMountPoint.item_0000="/data"


[Topic 234832]

Description of general container scan settings

This section describes the values of the general container and namespace scan settings (see the table below). Integration with the Docker container management system, the CRI-O framework, and the Podman and runc utilities is supported.

Namespace and container scans can be enabled using the NamespaceMonitoring setting described in the general application settings.

General container and namespace scan settings

| Setting | Description | Values |
| --- | --- | --- |
| OnAccessContainerScanAction | Action to be performed on a container when an infected object is detected. This setting is available when using the application under a license that supports this function. For scanning, the settings of the File Threat Protection task are used. The action performed on a container when an infected object is detected also depends on the File Threat Protection task settings (see the table below). | StopContainerIfFailed (default value) — Stop the container if an infected object cannot be disinfected or deleted. StopContainer — Stop the container when an infected object is detected. Skip — Do not perform any action on containers when an infected object is detected. |
| UseDocker | Use the Docker environment. | Yes (default value) — Use the Docker environment. No — Do not use the Docker environment. |
| DockerSocket | Docker socket path or URI (Universal Resource Identifier). | Default value: /var/run/docker.sock. |
| UseCrio | Use the CRI-O environment. | Yes (default value) — Use the CRI-O environment. No — Do not use the CRI-O environment. |
| CrioConfigFilePath | Path to the CRI-O configuration file. | Default value: /etc/crio/crio.conf. |
| UsePodman | Use the Podman utility. | Yes (default value) — Use the Podman utility. No — Do not use the Podman utility. |
| PodmanBinaryPath | Path to the Podman utility executable file. | Default value: /usr/bin/podman. |
| PodmanRootFolder | Path to the root directory of the container storage. | Default value: /var/lib/containers/storage. |
| UseRunc | Use the runc utility. | Yes (default value) — Use the runc utility. No — Do not use the utility. |
| RuncBinaryPath | Path to the runc utility executable file. | Default value: /usr/bin/runc. |
| RuncRootFolder | Path to the root directory of the container state storage. | Default value: /run/runc-ctrs. |

Actions performed on a container when an infected object is detected may vary depending on the specified values of the FirstAction and SecondAction settings of the File Threat Protection task and on the value of the InterceptorProtectionMode setting, one of the general application settings (see the table below).

Dependence of actions performed on containers on the specified actions performed on infected objects

| Value of the FirstAction / SecondAction or the InterceptorProtectionMode setting | Action performed on the container when the StopContainerIfFailed action is selected |
| --- | --- |
| Disinfect | Stop the container if disinfection of an infected object fails. |
| Remove | Stop the container if an infected object removal fails. |
| Block or Notify | Do not perform any action on containers when an infected object is detected. |


[Topic 234889]

Editing general container scan settings

Root privileges are required to change application settings.

To edit the general container scan settings:

  1. Save the general container scan settings to the configuration file using the --get-container-settings command:

    kess-control [-C] --get-container-settings --file <configuration file name>

  2. Open the created configuration file, edit the necessary container scan settings and save the changes.
  3. Import the container scan settings from the configuration file into the application using the command --set-container-settings:

    kess-control [-C] --set-container-settings --file <configuration file name>

Kaspersky Embedded Systems Security will apply the new values of the settings after you restart it.

The kess-control --get-container-settings command

The kess-control --get-container-settings command displays the general container scan settings. You can also use this command to export the general container scan settings to a configuration file.

Command syntax

kess-control [-C] --get-container-settings [--file <configuration file name>]

Arguments and keys

--file <configuration file name> – name of the configuration file where the container scan settings are saved.

If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the configuration file will not be created.

The kess-control --set-container-settings command

The kess-control --set-container-settings command sets the general container scan settings using the command keys, or imports the general container scan settings from the specified configuration file.

Command syntax

kess-control [-C] --set-container-settings --file <configuration file name>

kess-control [-C] --set-container-settings <setting name>=<setting value> <setting name>=<setting value>

Arguments and keys

--file <configuration file name> – name of the configuration file, including the full path to the file; the container scan settings from this file will be imported into the application.


[Topic 207299]

Managing application tasks using the command line

You can manage the application operation using tasks locally on the device (using the command line or configuration files), as well as using Administration Console or Kaspersky Security Center Web Console.

There are two types of tasks for working with the application:

  • Predefined task — a task created during installation of the application. Predefined tasks cannot be created or deleted, but you can modify the settings of these tasks.
  • A user task that you can create or delete on your own. You can create the following types of user tasks: ODS, Update, Rollback, ODFIM, ContainerScan, and InventoryScan.

A task ID is an identifier that the application assigns to a task when it is created. IDs for user tasks start from 100. All tasks (including deleted tasks) have unique IDs. The application does not reuse the identifiers of deleted tasks. The identifier of a new task is the next number after the identifier of the most recently created task.

Task names are not case-sensitive.

The application's predefined tasks are listed in the table.

Application tasks

| Task | Task name in the command line | Task ID | Task type |
| --- | --- | --- | --- |
| File Threat Protection | File_Threat_Protection | 1 | OAS |
| Malware Scan | Scan_My_Computer | 2 | ODS |
| Custom Scan | Scan_File | 3 | ODS |
| Critical Areas Scan | Critical_Areas_Scan | 4 | ODS |
| Update | Update | 6 | Update |
| Rollback | Rollback | 7 | Rollback |
| Licensing | License | 9 | License |
| Storage management | Backup | 10 | Backup |
| System Integrity Monitoring | System_Integrity_Monitoring | 11 | OAFIM |
| Firewall Management | Firewall_Management | 12 | Firewall |
| Anti-Cryptor | Anti_Cryptor | 13 | AntiCryptor |
| Web Threat Protection | Web_Threat_Protection | 14 | WTP |
| Device Control | Device_Control | 15 | DeviceControl |
| Removable Drives Scan | Removable_Drives_Scan | 16 | RDS |
| Network Threat Protection | Network_Threat_Protection | 17 | NTP |
| Container Scan | Container_Scan | 18 | ContainerScan |
| Custom Container Scan | Custom_Container_Scan | 19 | ContainerScan |
| Behavior Detection | Behavior_Detection | 20 | BehaviorDetection |
| Application Control | Application_Control | 21 | AppControl |
| Inventory | Inventory_Scan | 22 | InventoryScan |

You can perform the following actions with tasks:

In this section

View the list of tasks

Creating a new task

Editing task settings using a configuration file

Editing task settings using the command line

Resetting task settings to their default values

Starting and stopping a task

Viewing a task state

Scheduling a task

Managing scan scopes from the command line

Managing exclusion scopes from the command line

Deleting a task

[Topic 245737]

View the list of tasks

To view the list of application tasks, execute the following command:

kess-control [-T] --get-task-list [--json]

where:

--json – output the list of application tasks in JSON format. If the format is not specified, the list is output in INI format.

The list of Kaspersky Embedded Systems Security tasks will be displayed.

The following information will be displayed for each task:

If Kaspersky Security Center policy prohibits users from viewing and editing tasks locally, information will only be displayed about the Scan_File, Backup, License, File_Threat_Protection, System_Integrity_Monitoring, and Anti_Cryptor tasks. Information about other tasks is not available.


[Topic 236014]

Creating a new task

You can create tasks with default settings or with settings specified in a configuration file.

You can create only the following types of user tasks: ODS, Update, Rollback, ODFIM, ContainerScan, and InventoryScan.

To create a task with default settings, execute the following command:

kess-control [-T] --create-task <task name> --type <task type>

where:

  • <task name> is the name you assign to the new task;
  • <task type> is the type of task.

A task of the specified type is created with default settings.

To create a task with the settings specified in the configuration file, execute the following command:

kess-control [-T] --create-task <task name> --type <task type> --file <file path> [--json]

where:

A task of the specified type is created with settings specified in a configuration file.


[Topic 197949]

Editing task settings using a configuration file

To edit task settings by changing a configuration file:

  1. Save task settings to the configuration file:

    kess-control --get-settings <task ID>|<task name> --file <full path to the file> [--json]

  2. Open the created configuration file for editing.
  3. Edit the required settings in the configuration file.
  4. Save the changes in the configuration file.
  5. Import the settings from the configuration file into the task:

    kess-control --set-settings <task ID>|<task name> --file <full path to the file> [--json]

Task settings will be updated.

If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Embedded Systems Security in the Application Control task settings, run the --set-settings command with the --accept flag.

[Topic 197950]

Editing task settings using the command line

To edit task settings using the command line:

  1. Specify the required setting value:

    kess-control --set-settings <task ID>|<task name> <setting=value> [<setting=value>]

    The application changes the specified setting.

    If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Embedded Systems Security in the Application Control task settings, run the --set-settings command with the --accept flag.

  2. Make sure the setting value is changed in the task configuration file:

    kess-control --get-settings <task ID>|<task name>

If you add a new scan scope or exclusion scope without specifying all of its settings, a scope with default settings is added to the configuration file.

Example:

To specify a new scan scope, execute the following command:

kess-control --set-settings 100 ScanScope.item_0001.UseScanArea=Yes ScanScope.item_0001.Path=/home

A new section describing the scan scope is added to the task configuration file with ID=100:

[ScanScope.item_0001]
AreaDesc=
UseScanArea=Yes
Path=/home
AreaMask.item_0000=*


[Topic 246838]

Resetting task settings to their default values

Kaspersky Embedded Systems Security allows you to reset task settings to their default values from the command line.

Restoring default settings is not available for the License and Rollback tasks.

To reset task settings to their default values from the command line:

  1. Execute the following command:

    kess-control --set-settings <task ID>|<task name> --set-to-default

    The application changes the setting values to their defaults.

  2. Make sure the settings' values are changed in the task configuration file:

    kess-control --get-settings <task ID>|<task name> --file <configuration file name>

    The task configuration file contains default values for all settings.


[Topic 197952]

Starting and stopping a task

By default, the following tasks are automatically started when the application starts: File Threat Protection, Device Control, and Behavior Detection. The remaining tasks are stopped (their status is Stopped).

You can start a task at any time.

The Backup and License tasks cannot be started or stopped.

To start a task, execute the following command:

kess-control --start-task <task ID>|<task name>

To stop a task, execute the following command:

kess-control --stop-task <task ID>|<task name>

[Topic 197953]

Viewing a task state

To view a task state, execute the following command:

kess-control --get-task-state <task ID>|<task name>

where:

  • <task ID> is the task ID that the application assigned to the task when it was created.

The application tasks can have one of the following states:

  • Started — Task is running.
  • Starting — Task is being launched.
  • Stopped — Task has been stopped.
  • Stopping — Task is stopping.

The ODS, ODFIM, and InventoryScan tasks can also have one of the following states:

  • Pausing — Task is pausing.
  • Suspended — Task is suspended.
  • Resuming — Task is resuming.

The Backup and License tasks cannot be started, suspended, or stopped. They can have only the Started state.

[Topic 246851]

Scheduling a task

You can view and configure the schedule settings for the following task types: ODS, Update, Rollback, ODFIM, ContainerScan and InventoryScan.

Editing task schedule settings

To configure task schedule settings:

  1. Save task schedule settings to a configuration file by executing the following command:

    kess-control --get-schedule <task ID>|<task name> --file <configuration file name> [--json]

  2. Open the configuration file for editing.
  3. Specify the schedule settings.
  4. Save the changes in the configuration file.
  5. Import the schedule settings from the configuration file to the task using the following command:

    kess-control --set-schedule <task ID>|<task name> --file <configuration file name> [--json]

The application will apply the new values of the schedule settings immediately.

Task schedule settings

The application provides the following settings for configuring the task launch schedule:

RuleType=Once|Monthly|Weekly|Daily|Hourly|Minutely|Manual|PS|BR

where:

Manual – start the task manually.

PS – start the task after starting the application.

BR – start the task after the application databases have been updated.

StartTime=[<year>/<month>/<day of the month>] [hh]:[mm]:[ss]; [<day of the month>|<day of the week>]; [<start periodicity>] – task start time. The StartTime setting is required if RuleType=Once|Monthly|Weekly|Daily|Hourly|Minutely.

RandomInterval=<minutes> – a time interval from 0 to the specified value (in minutes), which will be added to the task start time to avoid starting tasks at the same time.

RunMissedStartRules – enables launch of the missed task after the application starts.

Examples:

To schedule the task to start every ten hours, specify the following settings:

RuleType=Hourly
RunMissedStartRules=No
StartTime=2021/May/30 23:05:00;10
RandomInterval=0

To schedule the task to start every ten minutes, specify the following settings:

RuleType=Minutely
RunMissedStartRules=No
StartTime=23:10:00;10
RandomInterval=0

To schedule the task to start on the 15th of every month, specify the following settings:

RuleType=Monthly
RunMissedStartRules=No
StartTime=23:25:00;15
RandomInterval=0

To schedule the task to start on every Tuesday, specify the following settings:

RuleType=Weekly
StartTime=18:01:30;Tue
RandomInterval=99
RunMissedStartRules=No

To schedule the task to start every 11 days, specify the following settings:

RuleType=Daily
RunMissedStartRules=No
StartTime=23:15:00;11
RandomInterval=0
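A schedule file can be checked against the rules above before it is imported with --set-schedule. The following is an added example, not part of the application or its documentation: the meaning of the value after the semicolon for each RuleType is inferred from the examples on this page, only that single-value form is accepted, weekday names are assumed to be three-letter abbreviations like Tue, and RunMissedStartRules is assumed to take Yes or No.

```python
import re

RULE_TYPES = {"Once", "Monthly", "Weekly", "Daily", "Hourly", "Minutely", "Manual", "PS", "BR"}
NEEDS_START_TIME = {"Once", "Monthly", "Weekly", "Daily", "Hourly", "Minutely"}
# Assumption: weekdays are abbreviated like the "Tue" in the page's example.
WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}
# Optional "<year>/<month>/<day>" followed by hh:mm:ss. The page shows only "May"
# as a month, so any word or number is accepted as the month token.
WHEN_RE = re.compile(r"(?:\d{4}/(?:[A-Za-z]+|\d{1,2})/\d{1,2}\s+)?(\d{1,2}):(\d{2}):(\d{2})")


def parse_settings(text):
    """Read key=value lines; anything without '=' is ignored."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def check_schedule(text):
    """Return a list of problems found in a schedule file (empty list = none found)."""
    s = parse_settings(text)
    rule = s.get("RuleType")
    if rule not in RULE_TYPES:
        return [f"RuleType={rule!r} is not a documented value"]
    problems = []
    # Missing optional keys are not reported, only malformed values.
    if not s.get("RandomInterval", "0").isdigit():
        problems.append("RandomInterval must be a whole number of minutes")
    if s.get("RunMissedStartRules", "No") not in ("Yes", "No"):
        problems.append("RunMissedStartRules must be Yes or No")
    if rule not in NEEDS_START_TIME:
        return problems          # Manual, PS and BR do not need StartTime
    start = s.get("StartTime", "")
    if not start:
        return problems + [f"StartTime is required when RuleType={rule}"]
    when, _, qualifier = start.partition(";")
    when, qualifier = when.strip(), qualifier.strip()
    m = WHEN_RE.fullmatch(when)
    if not m or int(m[1]) > 23 or int(m[2]) > 59 or int(m[3]) > 59:
        problems.append(f"StartTime {when!r} is not in the form [date] hh:mm:ss")
    if rule == "Weekly" and qualifier not in WEEKDAYS:
        problems.append(f"Weekly needs a day of the week after ';', got {qualifier!r}")
    elif rule == "Monthly" and not (qualifier.isdigit() and 1 <= int(qualifier) <= 31):
        problems.append(f"Monthly needs a day of the month after ';', got {qualifier!r}")
    elif rule in ("Daily", "Hourly", "Minutely") and not (qualifier.isdigit() and int(qualifier) >= 1):
        problems.append(f"{rule} needs a start periodicity after ';', got {qualifier!r}")
    return problems


# The five schedule examples given on this page.
PAGE_EXAMPLES = [
    "RuleType=Hourly\nRunMissedStartRules=No\nStartTime=2021/May/30 23:05:00;10\nRandomInterval=0",
    "RuleType=Minutely\nRunMissedStartRules=No\nStartTime=23:10:00;10\nRandomInterval=0",
    "RuleType=Monthly\nRunMissedStartRules=No\nStartTime=23:25:00;15\nRandomInterval=0",
    "RuleType=Weekly\nStartTime=18:01:30;Tue\nRandomInterval=99\nRunMissedStartRules=No",
    "RuleType=Daily\nRunMissedStartRules=No\nStartTime=23:15:00;11\nRandomInterval=0",
]

# Constructed files that break the rules above.
BROKEN_EXAMPLES = [
    "RuleType=Weekly\nStartTime=18:01:30;15\nRandomInterval=0",   # day of month, not weekday
    "RuleType=Daily\nRandomInterval=0",                            # StartTime missing
    "RuleType=Hourly\nStartTime=25:00:00;10\nRandomInterval=ten",  # bad hour and interval
]

if __name__ == "__main__":
    for text in PAGE_EXAMPLES + BROKEN_EXAMPLES:
        print(text.splitlines()[0], "->", check_schedule(text) or "no problems found")
```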

The kess-control --get-schedule command

The kess-control --get-schedule command displays the task schedule settings or saves them to the specified configuration file.

Command syntax

kess-control [-T] --get-schedule <task ID>|<task name> [--file <configuration file name>] [--json]

Arguments and keys

<task ID> is the task identification number in the application.

<task name> is the name of the task.

--file <configuration file name> is the name of the configuration file where the schedule settings will be saved. If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the configuration file will not be created.

Examples:

Save the update task settings to a file named update_schedule.ini and save the created file in the current directory:

kess-control --get-schedule 6 --file update_schedule.ini

Display the Update task schedule:

kess-control --get-schedule 6

The kess-control --set-schedule command

The kess-control --set-schedule command sets the task schedule settings using the command keys or imports the task schedule settings from the specified configuration file.

Command syntax

kess-control --set-schedule <task ID>|<task name> --file <configuration file name> [--json]

kess-control --set-schedule <task ID>|<task name> <setting name>=<setting value> <setting name>=<setting value>

Arguments and keys

<task ID> is the task identification number in the application.

<task name> is the name of the task.

--file <configuration file name> is the name of the configuration file; the schedule settings from this file will be imported into the task; includes the full path to the file.

Example:

Import the schedule settings from the configuration file named /home/test/on_demand_schedule.ini into the task with ID=2:

kess-control --set-schedule 2 --file /home/test/on_demand_schedule.ini


[Topic 236381]

Managing scan scopes from the command line

You can add or delete a scan scope with a specified Path for OAS, ODS, OAFIM, ODFIM, and AntiCryptor tasks from the command line.

To add a new scan scope, execute the following command:

kess-control --set-settings <task ID>|<task name> --add-path <path>

A new [ScanScope.item_#] section will be added to the configuration file. The application scans the objects in the directory specified by the Path setting.

If a [ScanScope.item_#] section already exists for the specified Path setting, a duplicate section will not be added to the configuration file. If the UseScanArea setting is set to No, its value will change to Yes after this command is executed, and the objects located in this directory will be scanned.

To delete a scan scope, execute the following command:

kess-control --set-settings <task ID>|<task name> --del-path <path>

The [ScanScope.item_#] section that contains the specified path will be deleted from the task configuration file. The application will not scan the objects in the directory specified by the Path setting.

[Topic 197954]

Managing exclusion scopes from the command line

You can add or delete an exclusion scope with a specified Path for OAS, ODS, OAFIM, ODFIM, and AntiCryptor tasks from the command line.

To add a new exclusion scope, execute the following command:

kess-control --set-settings <task ID>|<task name> --add-exclusion <path>

To optimize the operation of scan tasks on systems that use the btrfs file system with active snapshots enabled, it is recommended to add the path containing snapshots mounted by the system in read-only mode to the exclusions. For example, on systems based on SUSE/OpenSUSE, you can add the following exclusion path: /.snapshots/*/snapshot/.

A new [ExcludedFromScanScope.item_#] section will be added to the configuration file. The application will exclude objects in the directory specified by the Path setting from scans.

If an [ExcludedFromScanScope.item_#] section already exists for the specified Path setting, a duplicate section will not be added to the configuration file. If the UseScanArea setting is set to No, its value will change to Yes after this command is executed, and the objects located in this directory will be excluded from scans.

To delete an exclusion scope, execute the following command:

kess-control --set-settings <task ID>|<task name> --del-exclusion <path>

The [ExcludedFromScanScope.item_#] section that contains the specified path is deleted from the task configuration file. The application will not exclude objects in the directory specified by the Path setting from scans.

[Topic 197955]

Deleting a task

You can only delete tasks that you have created. You cannot delete predefined tasks.

To delete a task, execute the following command:

kess-control --delete-task <task ID>|<task name>

[Topic 197960]

Encrypted connections scan

You can configure settings for scanning the encrypted connections used in the Web Threat Protection task.

You can also configure the list of trusted certificates, which is used when scanning encrypted connections.

In this section

Encrypted connections scan settings

Managing encrypted connections scan settings

Managing trusted certificates

[Topic 236580]

Encrypted connections scan settings

All available values and default values for each setting are described in the table below.

When the encrypted connection scan settings are changed, the application records a NetworkSettingsChanged event in the log file.

Encrypted connections scan settings

| Setting | Description | Values |
| --- | --- | --- |
| EncryptedConnectionsScan | Enables or disables encrypted traffic scan. For the FTP protocol, encrypted connections scan is disabled by default. | Yes (default value) — Enable encrypted connection scans. No — Disable encrypted connection scans. The application does not decrypt the encrypted traffic. |
| EncryptedConnectionsScanErrorAction | Specifies the action to perform when an encrypted connection scan error occurs on a website. | AddToAutoExclusions (default value) — Add the domain where an error occurred to the list of domains with scan errors. The application will not monitor encrypted network traffic when this domain is visited. Disconnect — Block the network connection. |
| CertificateVerificationPolicy | Specifies the way Kaspersky Embedded Systems Security checks certificates. If a certificate is self-signed, the application does not perform the additional verification. | FullCheck (default value) — The application uses the Internet to check and download the missing chains that are required to verify a certificate. LocalCheck — The application does not use the Internet to verify a certificate. |
| UntrustedCertificateAction | Specifies the action to perform when an encrypted connection scan error occurs on a website. | Allow (default value) — Allow network connections established while visiting a domain with an untrusted certificate. Block — Block network connections established while visiting a domain with an untrusted certificate. |
| ManageExclusions | Enables or disables the use of the encrypted connection scan exclusions. | Yes — Do not scan websites specified in the [Exclusions.item_#] section. No (default value) — Scan all websites. |
| MonitorNetworkPorts | Specifies the way Kaspersky Embedded Systems Security monitors network ports. | Selected (default value) — Monitor only network ports specified in the [NetworkPorts.item_#] section (see below). All — Monitor all network ports. Specifying this value may significantly increase an operating system load. |

The [Exclusions.item_#] section contains domains excluded from scans. The application does not scan encrypted connections established when visiting specified domains.

| Setting | Description | Values |
| --- | --- | --- |
| DomainName | Specifies the domain name. You can use masks to specify the domain. | The default value is not defined. |

The [NetworkPorts.item_#] section contains the network ports monitored by the application.

| Setting | Description | Values |
| --- | --- | --- |
| PortName | Network port description. | The default value is not defined. |
| Port | Network port numbers to be monitored by the application. | 1–65535. The default value is not defined. |


[Topic 198037]

Managing encrypted connections scan settings

You can manage encrypted connections scan settings from the command line.

To view the list of encrypted connection scan exclusions added by a user, execute the following command:

kess-control -N --query user

To view the list of encrypted connection scan exclusions added automatically by the application, execute the following command:

kess-control -N --query auto

To view the list of encrypted connection scan exclusions received from the application databases, execute the following command:

kess-control -N --query kl

To clear a list of domains that the application automatically excluded from scan, execute the following command:

kess-control -N --clear-web-auto-excluded

To view encrypted connection scan settings, execute the following command:

kess-control [-N] --get-net-settings [--file <file path and name>]

The output format is INI.

To set encrypted connection scan settings, execute the following command:

kess-control [-N] --set-net-settings [--file <file path and name>]
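A file exported with --get-net-settings can be reviewed for values that narrow what the encrypted connections scan inspects. The following is an added example, not part of the application or its documentation: the file layout (top-level settings followed by [Exclusions.item_#] and [NetworkPorts.item_#] sections, one port number per Port value) is an assumption, the sample file is constructed, and the notes paraphrase the settings table on this page.

```python
import configparser

# Default values from the settings table on this page.
DEFAULTS = {
    "EncryptedConnectionsScan": "Yes",
    "EncryptedConnectionsScanErrorAction": "AddToAutoExclusions",
    "CertificateVerificationPolicy": "FullCheck",
    "UntrustedCertificateAction": "Allow",
    "ManageExclusions": "No",
    "MonitorNetworkPorts": "Selected",
}

# Values that narrow what is inspected; the notes follow the table's descriptions.
REVIEW = {
    ("EncryptedConnectionsScan", "No"):
        "encrypted traffic is not decrypted",
    ("EncryptedConnectionsScanErrorAction", "AddToAutoExclusions"):
        "a domain with a scan error is auto-excluded and no longer monitored",
    ("CertificateVerificationPolicy", "LocalCheck"):
        "missing certificate chains are not downloaded for verification",
    ("UntrustedCertificateAction", "Allow"):
        "connections to domains with an untrusted certificate are allowed",
}


def load_net_settings(text):
    """Parse the exported INI text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting names case-sensitive
    # Assumption: top-level settings come before the first [section],
    # so they are placed under a synthetic [general] header.
    parser.read_string("[general]\n" + text)
    return parser


def audit_net_settings(text):
    """Return a list of (setting, value, note) tuples worth reviewing."""
    cfg = load_net_settings(text)
    general = {**DEFAULTS, **dict(cfg["general"])}  # unset keys fall back to defaults
    findings = []
    for (key, value), note in REVIEW.items():
        if general[key] == value:
            findings.append((key, value, note))
    for name in cfg.sections():
        section = cfg[name]
        if name.startswith("Exclusions.item_") and general["ManageExclusions"] == "Yes":
            findings.append(("DomainName", section.get("DomainName", ""),
                             "encrypted connections to this domain are not scanned"))
        if name.startswith("NetworkPorts.item_") and general["MonitorNetworkPorts"] == "Selected":
            port = section.get("Port", "")
            if not (port.isdigit() and 1 <= int(port) <= 65535):
                findings.append(("Port", port, "not a port number in the range 1-65535"))
    return findings


# Constructed sample of an exported settings file.
SAMPLE = """\
EncryptedConnectionsScan=Yes
EncryptedConnectionsScanErrorAction=AddToAutoExclusions
CertificateVerificationPolicy=LocalCheck
UntrustedCertificateAction=Allow
ManageExclusions=Yes
MonitorNetworkPorts=Selected

[Exclusions.item_0000]
DomainName=*.example.com

[NetworkPorts.item_0000]
PortName=HTTPS
Port=443

[NetworkPorts.item_0001]
PortName=Typo
Port=70000
"""

if __name__ == "__main__":
    for key, value, note in audit_net_settings(SAMPLE):
        print(f"{key}={value}: {note}")
```

Because two of the flagged values are the defaults, an unmodified installation also produces findings; pair the result with kess-control -N --query auto to see which domains have already been auto-excluded.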

[Topic 198038]

Managing trusted certificates

You can set the list of certificates that will be trusted by the application. The list of trusted certificates is used when scanning encrypted connections.

You can manage the trusted certificate list from the command line.

To add a certificate to the trusted certificate list, run the following command:

kess-control [-N] --add-certificate <path to certificate>

where:

<path to certificate> is the path to the certificate file that you want to add (PEM or DER format).

To remove a certificate from the trusted certificate list, run the following command:

kess-control [-N] --remove-certificate <certificate subject>

To view the list of trusted certificates, execute the following command:

kess-control [-N] --list-certificates

The following information is displayed for each certificate:

  • certificate subject
  • serial number
  • certificate issuer
  • certificate start date
  • certificate expiration date
  • SHA-256 certificate thumbprint
[Topic 236555]