Kaspersky Embedded Systems Security 3.3 for Linux

Kaspersky

Online Help

Kaspersky Embedded Systems Security for Linux

Print Support Send link

General application settings

General application settings

This section contains information about commands for managing general application settings and container scan settings.

In this section

Description of the general application settings

Editing general application settings

Description of general container scan settings

Editing general container scan settings

Page top

Description of the general application settings

This section describes the values of the general settings of the Kaspersky Embedded Systems Security configuration file (see the table below).

General application settings

Setting	Description	Values
`SambaConfigPath`	Directory that stores the Samba configuration file. The Samba configuration file is required to ensure that the `AllShared` or `Shared:SMB` values can be used for the `Path` setting.	The standard directory of the SAMBA configuration file on the computer is specified by default. Default value: /etc/samba/smb.conf. The application must be restarted after this setting is changed.
`NfsExportPath`	The directory where the NFS configuration file is stored. The NFS configuration file is required to ensure that the `AllShared` or `Shared:NFS` values can be used for the `Path` setting.	The standard directory of the NFS configuration file on the computer is specified by default. Default value: /etc/exports. The application must be restarted after this setting is changed.
`TraceLevel`	Enables trace file generation and specifies the level of detail of the trace file.	`Detailed` – Generate a detailed trace file. `MediumDetailed` – Generate a trace file that contains informational messages and error messages. `NotDetailed` – Generate a trace file that contains error messages. `None` (default value) — Do not generate a trace file.
`TraceFolder`	The directory that stores the application's trace files. Trace files contain information about the operating system, and may also contain personal data.	Default value: /var/log/kaspersky/kess. If you specify a different directory, make sure that the account under which Kaspersky Embedded Systems Security is running has read/write permissions for this directory. Root privileges are required to access the default trace files directory. The application must be restarted after this setting is changed.
`TraceMaxFileCount`	Maximum number of application trace files.	1–10000 Default value: 10. The application must be restarted after this setting is changed.
`TraceMaxFileSize`	Specifies the maximum size of an application trace file (in megabytes).	1–1000 Default value: 500. The application must be restarted after this setting is changed.
`BlockFilesGreaterMaxFileNamePath`	Blocks access to files for which the full path length exceeds the defined settings value specified in bytes. If the length of the full path to the scanned file exceeds the value of this setting, scan tasks skip this file during scanning. This setting is not available for operating systems that use the fanotify technology.	4096–33554432 Default value: 16384. After changing the value of this setting, the File Threat Protection task needs to be restarted.
`DetectOtherObjects`	Enables detection of legitimate software that could be used by intruders to harm computers or user data.	`Yes`— Enable detection of legitimate software that could be used by intruders to harm computers or user data. `No` (default value) — Disable detection of legitimate software that could be used by intruders to harm computers or user data.
`NamespaceMonitoring`	Enable scanning of namespaces and containers.	`Yes` (default value) — Enable scanning of namespaces and containers. `No` — Disable scanning of namespaces and containers.
`InterceptorProtectionMode`	File interceptor mode when executing tasks that use the file operation interceptor (File Threat Protection, Anti-Cryptor, Device Control, Removable Drives Scan). This setting affects the execution of File Threat Protection, Device Control and Removable Drive Scan.	`Block` (default value) – block the files while they are being scanned by the task that uses the file interceptor. A request to any file has to wait for scan results. When detecting infected objects, the application performs the actions specified in the `FirstAction` and `SecondAction` settings of the File Threat Protection task. `Notify` — do not block the files while they are being scanned by the task that uses the file interceptor. Requests to any file is allowed, scanning is done asynchronously. When detecting infected objects, the application only records the event in the event log. The actions specified in the `FirstAction` and `SecondAction` settings of the File Threat Protection task are skipped. If the `Notify` value is selected, the protection level of your device is reduced.
`UseKSN`	Enabling Kaspersky Security Network usage:	`Basic` — enable the Kaspersky Security Network usage without sending statistics. `Extended` — Enable Kaspersky Security Network usage and send statistics. `No` (default value) — disable the Kaspersky Security Network usage.
`UseProxy`	Enables use of a proxy server by Kaspersky Embedded Systems Security components. A proxy server can be used to communicate with Kaspersky Security Network, to activate the application, and when updating application databases and modules.	`Yes` - enable the use of a proxy server. `No` (default) - Disable the use of a proxy server.
`ProxyServer`	Proxy server settings in the format [user[:password]@]host[:port]. When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.	—
`MaxEventsNumber`	The maximum number of events stored by the application. When the specified number of events is exceeded, the application deletes the oldest events.	Default value: 500000. If 0 is specified, events are not saved.
`LimitNumberOfScanFileTasks`	The maximum number of Scan_File tasks that a non-privileged user can simultaneously start on a device. This setting does not limit the number of tasks that a user with root privileges can start.	0–4294967295 Default value: 0. If 0 is specified, a non-privileged user cannot start Scan_File tasks. If you installed the graphical user interface package when installing the application, the `LimitNumberOfScanFileTasks` settings has the default value `5`.
`UseSyslog`	Enable logging of information about events to syslog Root privileges are required to access syslog.	`Yes` — Enable logging of information about events to syslog. `No` (default value) — Disable logging of information about events to syslog.
`EventsStoragePath`	The database directory where the application saves information about events. Root privileges are required to access the default event database.	Default value: /var/opt/kaspersky/kess/private/storage/events.db.
`ExcludedMountPoint.item_#`	The mount point to be excluded from the scan scope for tasks that use a file operation interceptor (File Threat Protection and Anti-Cryptor). You can specify several mount points to be excluded from scans. Mount points must be specified in the same way as they are displayed in the `mount` command output. The `ExcludedMountPoint.item_#` setting is left unspecified by default.	`AllRemoteMounted` — Exclude all remote directories mounted on the device using SMB and NFS protocols from file operation interception. `Mounted:NFS` — Exclude all remote directories mounted on the device using the NFS protocol from file operation interception. `Mounted:SMB` — Exclude all remote directories mounted on the device using the SMB protocol from file operation interception. `Mounted:<file system type>` — Exclude all mounted directories with the specified file system type from file operation interception. `/mnt` — Exclude objects in the /mnt mount point (including subdirectories) from file operation interception. This directory is used as the temporary mount point for removable drives. `<path that contains the` `/mnt/user` `or` `/mnt//user_share>` — Exclude objects in mount points whose names contain the specified mask from file operation interception. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir//file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.
`MemScanExcludedProgramPath.item_#`	Exclude process memory from scans. The application does not scan the memory of the indicated process.	`<full path to process>` – Do not scan the process in the indicated local directory. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.

Page top

Editing general application settings

Root privileges are required to change application settings.

To edit the general application settings:

Save the general application settings to the configuration file using the --get-app-settings command:
kess-control [-T] --get-app-settings --file <configuration file path>
Open the created configuration file, edit the necessary settings, and save the changes.
Import the settings from the configuration file into the application using the --set-app-settings command:
kess-control [-T] --set-app-settings --file <configuration file path>

To enable use of Kaspersky Security Network, run the kess-control --set-settings command with the --accept-ksn flag as follows: kess-control --set-app-settings UseKSN=Basic|Extended --accept-ksn.

Kaspersky Embedded Systems Security applies the new values of the settings after restart.

You can use the created configuration file to import the settings into the application installed on another device.

The kess-control --get-app-settings command

The kess-control --get-app-settings command displays the general application settings. You can also use this command to export the general application settings to a configuration file.

Command syntax

kess-control [-T] --get-app-settings [--file <configuration file path>] [--json]

Arguments and keys

--file <configuration file path> – path to the configuration file where the application settings will be saved. If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the configuration file will not be created. If you do not specify the --file option, the general application settings will be displayed on the console.

--json – format of the configuration file where the application settings will be saved. If a file format is not specified, the settings will be exported to an INI file.

Example:

Export the general application settings to a file named kess_config.ini. Save the created file in the current directory:

kess-control --get-app-settings --file kess_config.ini

The kess-control --set-app-settings command

The kess-control --set-app-settings command sets the general application settings using the command options or imports the general application settings from the specified configuration file.

Command syntax

kess-control [-T] --set-app-settings <setting name>=<setting value> <setting name>=<setting value>

kess-control [-T] --set-app-settings --file <configuration file path> [--json]

Arguments and keys

--file <configuration file path> – full path to the configuration file to import the settings into the application.

--json – format of the configuration file to import the settings into the application. If a file format is not specified, the application attempts to import settings from an INI file. If the import fails, an error is displayed.

Examples:

Import general settings into the application from the configuration file /home/test/kess_config.ini:

kess-control --set-app-settings --file /home/test/kess_config.ini

Set the detail level for the trace file to low:

kess-control --set-app-settings TraceLevel=NotDetailed

Add a mount point to be excluded from scan scope by tasks that use a file operation interceptor (File Threat Protection and Anti-Cryptor):

kess-control --set-app-settings ExcludedMountPoint.item_0000="/data"

Page top

Description of general container scan settings

This section describes the values of the general container and namespace scan settings (see the table below). Integration with Docker container management system, CRI-O framework, and Podman and runc utilities is supported.

Namespace and container scans can be enabled using the NamespaceMonitoring setting described in the general application settings.

General container and namespace scan settings

Setting	Description	Values
`OnAccessContainerScanAction`	Action to be performed on a container when an infected object is detected. This setting is available when using the application under a license that supports this function. For scanning, the settings of the File Threat Protection task are used. The action performed on a container when an infected object is detected also depends on the File Threat Protection task settings (see the table below).	`StopContainerIfFailed` (default value) — Stop the container if an infected object cannot be disinfected or deleted. `StopContainer` — Stop the container when an infected object is detected. `Skip` — Do not perform any action on containers when an infected object is detected.
`UseDocker`	Use the Docker environment.	`Yes` (default value) — Use the Docker environment. `No` — Do not use the Docker environment.
`DockerSocket`	Docker socket path or URI (Universal Resource Identifier).	Default value: /var/run/docker.sock.
`UseCrio`	Use the CRI-O environment.	`Yes` (default value) — Use the CRI-O environment. `No` — Do not use the CRI-O environment.
`CrioConfigFilePath`	Path to the CRI-O configuration file.	Default value: /etc/crio/crio.conf.
`UsePodman`	Use the Podman utility.	`Yes` (default value) — Use the Podman utility. `No` — Do not use the Podman utility.
`PodmanBinaryPath`	Path to the Podman utility executable file.	Default value: /usr/bin/podman.
`PodmanRootFolder`	Path to the root directory of the container storage.	Default value: /var/lib/containers/storage.
`UseRunc`	Use the runc utility.	`Yes` (default value) — Use the runc utility. `No` — Do not use the utility.
`RuncBinaryPath`	Path to the runc utility executable file.	Default value: /usr/bin/runc.
`RuncRootFolder`	Path to the root directory of the container state storage.	Default value: /run/runc-ctrs.

Actions performed on a container when an infected object is detected may vary depending on the specified values of the FirstAction and SecondAction settings of the File Threat Protection task and on the value of the InterceptorProtectionMode setting, one of the general application settings (see the table below).

Dependence of actions performed on containers on the specified actions performed on infected objects

Value of the FirstAction / SecondAction or the InterceptorProtectionMode setting	Action performed on the container when the StopContainerIfFailed action is selected
`Disinfect`	Stop the container if disinfection of an infected object fails.
`Remove`	Stop the container if an infected object removal fails.
`Block` or `Notify`	Do not perform any action on containers when an infected object is detected.

Page top

Editing general container scan settings

Root privileges are required to change application settings.

To edit the general container scan settings:

Save the general container scan settings to the configuration file using the --get-container-settings command:
kess-control [-C] --get-container-settings --file <configuration file name>
Open the created configuration file, edit the necessary container scan settings and save the changes.
Import the container scan settings from the configuration file into the application using the command --set-container-settings:
kess-control [-C] --set-container-settings --file <configuration file name>

Kaspersky Embedded Systems Security will apply the new values of the settings after you restart it.

The kess-control --get-container-settings command

The kess-control --get-container-settings command displays the general container scan settings. You can also use this command to export the general container scan setting to the configuration file.

Command syntax

kess-control [-C] --get-container-settings [--file <configuration file name>]

Arguments and keys

--file <configuration file name> – name of the configuration file where the container scan settings are saved.

If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the configuration file will not be created.

The kess-control --set-container-settings command

The kess-control --set-container-settings command sets the general container scan settings using the command keys, or imports the general container scan settings from the specified configuration file.

Command syntax

kess-control [-C] --set-container-settings --file <configuration file name>

kess-control [-C] --set-container-settings <setting name>=<setting value> <setting name>=<setting value>

Arguments and keys

--file <configuration file name> – name of the configuration file, including the full path to the file; the container scan settings from this file will be imported into the application.

Page top

Contents

General application settings

Description of the general application settings

Editing general application settings

Description of general container scan settings

Editing general container scan settings