Kaspersky Embedded Systems Security for Linux
3.3.0
English

Contents

[Topic 202235]

Application settings tab

On the Application settings tab, you can select a section containing the settings you want to configure.

Sections and subsections

Section

Subsections

Essential Threat Protection

File Threat Protection

Scan exclusions

Firewall Management

Web Threat Protection

Network Threat Protection

Advanced Threat Protection

Kaspersky Security Network

Anti-Cryptor

System Integrity Monitoring

Application Сontrol

Device Control

Behavior Detection

Local Tasks

Task management

Removable Drives Scan

General settings

Proxy server settings

Application settings

Container Scan settings

Network settings

Global exclusions

Storage settings

Page top

[Topic 246052]

File Threat Protection

File Threat Protection prevents infection of the file system on the user device. File Threat Protection starts automatically with the default settings upon Kaspersky Embedded Systems Security start. It resides in the device operating memory and scans all files that are opened, saved, and launched.

File Threat Protection settings

Setting

Description

File Threat Protection enabled / disabled

This toggle button enables or disables File Threat Protection on all managed devices.

The check toggle button is switched on by default.

File Threat Protection mode

In this drop-down list, you can select the File Threat Protection mode:

  • Smart check (default value) – scan a file when there is an attempt to open it and scan it again when there is an attempt to close it if the file has been modified. If a process accesses and modifies a file multiple times in a certain period, the application scans the file again only when the process closes it for the last time.
  • When opened – scan the file on an attempt to open it for reading, execution, or modification.
  • When opened and modified – scan a file on an attempt to open it, and scan it again on an attempt to close it if the file has been modified.

First action

In this drop-down list, you can select the first action to be performed by the application on an infected object that has been detected:

  • Disinfect the object. A copy of the infected object will be moved to the Storage.
  • Remove the object. A copy of the infected object will be moved to the Storage.
  • Perform recommended action on the object, based on data about the danger level of the threat detected in the file and about the possibility of disinfecting it (default value).
  • Block access to the object.

Second action

In this drop-down list, you can select the second action to be performed by the application on an infected object, in case the first action is unsuccessful:

  • Disinfect the object. A copy of the infected object will be moved to the Storage.
  • Remove the object. A copy of the infected object will be moved to the Storage.
  • Perform recommended action on the object, based on data about the danger level of the threat detected in the file and about the possibility of disinfecting it.
  • Block access to the object (default value).

Scan scopes

Clicking the Configure scan scopes link opens the Scan scopes window.

Scan archives

This check box enables or disables scan of archives.

If the check box is selected, the application scans the archives.

To scan an archive, the application has to unpack it first, which may slow down scanning. You can reduce the archive scan duration by enabling and configuring the Skip object if scan takes longer than (sec) and Skip objects larger than (MB) settings.

If the check box is cleared, the application does not scan the archives.

This check box is cleared by default.

Scan SFX archives

This check box enables or disables self-extracting archive scans. Self-extracting archives are archives that contain an executable extraction module.

If the check box is selected, the application scans self-extracting archives.

If the check box is cleared, the application does not scan self-extracting archives.

This check box is available if the Scan archives check box is unchecked.

This check box is cleared by default.

Scan mail databases

This check box enables or disables scans of mail databases of Microsoft Outlook, Outlook Express, The Bat!, and other mail applications.

If the check box is selected, the application scans mail database files.

If the check box is cleared, the application does not scan mail database files.

This check box is cleared by default.

Scan mail format files

This check box enables or disables scan of files of plain-text email messages.

If this check box is selected, the application scans plain-text messages.

If this check box is cleared, the application does not scan plain-text messages.

This check box is cleared by default.

Skip text files

Temporary exclusion of files in text format from scans.

If the checkbox is selected, Kaspersky Embedded Systems Security does not scan text files if they are reused by the same process for 10 minutes after the most recent scan. This setting makes it possible to optimize scans of application logs.

If this check box is unselected, Kaspersky Embedded Systems Security scans text files.

This check box is cleared by default.

Skip object if scan takes longer than (sec)

A field for specifying the maximum time to scan an object, in seconds. After the specified time, the application stops scanning the object.

Available values: 0–9999. If the value is set to 0, the scan time is unlimited.

The default value is 60.

Skip objects larger than (MB)

The field for specifying the maximum size of an archive to scan, in megabytes.

Available values: 0–999999. If the value is set to 0, the application scans objects of any size.

The default value is 0.

Log clean objects

This check box enables or disables logging of the ObjectProcessed event.

If this check box is selected, the application logs the ObjectProcessed event for all scanned objects.

If the check box is cleared, the application does not log the event.

This check box is cleared by default.

Log unprocessed objects

This check box enables or disables logging of the ObjectNotProcessed event if a file cannot be processed during scan.

If this check box is selected, the application logs the ObjectNotProcessed event.

If the check box is cleared, the application does not log the event.

This check box is cleared by default.

Log packed objects

This check box enables or disables logging of the PackedObjectDetected event for all packed objects that are detected.

If this check box is selected, the application logs the PackedObjectDetected event.

If the check box is cleared, the application does not log the event.

This check box is cleared by default.

Use iChecker technology

This check box enables or disables scan of only new and modified since the last scan files.

If the check box is selected, the application scans only new files or the files modified since the last scan.

If the check box is cleared, the application scans the files regardless of the creation or modification date.

The check box is selected by default.

Use heuristic analysis

This check box enables or disables heuristic analysis during an object scan.

The check box is selected by default.

Heuristic analysis level

If the Use heuristic analysis check box is selected, you can select the heuristic analysis level in the drop-down list:

  • Light is the least detailed scan with minimal system load.
  • Medium is a medium scan with balanced system load.
  • Deep is the most detailed scan with maximum system load.
  • Recommended (default value) is the optimal level recommended by Kaspersky experts. It ensures an optimal combination of quality of protection and impact on the performance of protected servers.

Page top

[Topic 236891]

Scan scopes window

The table contains the scan scopes. The application will scan files and directories located in the paths specified in the table. By default, the table contains one scan scope that includes all directories of the local file system.

Scan scope settings

Setting

Description

Scope name

Scan scope name.

Path

Path to the directory that the application scans.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Move up button moves the selected item up in the table.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.

Page top
[Topic 202257_4]

Add scan scope window

In this window, you can add and configure scan scopes.

Scan scope settings

Setting

Description

Scan scope name

Field for entering the scan scope name. This name will be displayed in the table in the Scan scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application processes this scan scope.

If this check box is cleared, the application does not process this scan scope. You can later include this scope in the component settings by selecting the check box.

The check box is selected by default.

File system, access protocol and path

You can select the type of file system in the drop-down list:

  • Local (default value) – local directories. If this item is selected, you need to indicate the path to the local directory.
  • Mounted – Mounted remote or local directories. If this item is selected, you need to indicate the protocol or name of the file system.
  • Shared — The protected server's file system resources accessible via the Samba or NFS protocol.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.
  • All shared — All of the protected server's file system resources accessible via the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Shared or Mounted type is selected in the drop-down list of file systems.

Path

This is the entry field for specifying the path to the directory that you want to include in the scan scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default – the application scans all directories of the local file system.

This field is available if the Local type is selected in the drop-down list of file systems.

If the Local type is selected in the drop-down list of file systems, and the path is not specified, the application scans all directories of the local file system.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the scan scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks for the objects that the application scans.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 248956]

Scan exclusions

Scan exclusion is a set of conditions. When these conditions are met, Kaspersky Embedded Systems Security does not scan the objects for viruses and other malware. You can also exclude objects by masks and threat names, and configure exclusions for processes.

Settings of scan exclusions

Setting

Description

Exclusion scopes

Clicking the Configure exclusions link opens the Exclusion scopes window. In this window, you can define the list of scan exclusions.

Exclusions by mask

Clicking the Configure exclusions by mask link opens the Exclusions by mask window. In this window, you can configure the exclusion of objects from scans by name mask.

Exclusions by threat name

Clicking the Configure exclusions by threat name link opens the Exclusions by threat name window. In this window, you can configure the exclusion of objects from scans based on threat name.

Exclusions by process

Clicking the Configure exclusions by process link opens the Exclusions by process window. In this window, you can exclude the activity of processes.

Page top

[Topic 249321]

Exclusion scopes window

This table contains scan exclusion scopes. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from scan.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 197613]

Add exclusion scope window

In this window, you can add and configure exclusion scopes.

Exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables the exclusion of the scope when the application is running.

If the check box is selected, the application excludes this scope from scan or protection during its operation.

If this check box is cleared, the application includes this scan or protection scope during its operation. You can later exclude this scope from scan or protection by selecting the check box.

The check box is selected by default.

File system, access protocol and path

In this drop-down list, you can select the type of file system where the directories that you want to add to scan exclusions are located:

  • Local, for local directories.
  • Mounted, for remote directories mounted on the device.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Mounted type is selected in the drop-down list of file systems.

Path

Entry field for the path to the directory that you want to add to the exclusion scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default. The application excludes all directories of the local file system from scan.

This field is available if the Local type is selected in the drop-down list of file systems.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the exclusion scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks of the objects that the application excludes from scan. Masks are only applied to objects in the directory specified in the Path field.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

 

Page top

[Topic 248957]

Exclusions by mask window

You can configure the exclusion of objects from scans based on name mask. The application will not scan files whose names contain the specified mask. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

Page top
[Topic 202356]

Exclusions by threat name window

You can configure the exclusion of objects from scans based on threat name. The application will not block the specified threats. By default, the list of threat names is empty.

You can add, edit, and delete threat names.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected threat from the exclusion list.

This button is available if at least one threat name is selected in the list.

Clicking the threat name in the table opens the Threat name window. In this window, you can edit the name of the threat to be excluded from a scan.

Clicking the Add button opens the Threat name window. In this window, you can define the name of the threat to be excluded from a scan.

Page top
[Topic 246682]

Exclusions by process window

The table contains the exclusion scopes for exclusion by process The exclusion scope for exclusion by process lets you exclude from scans the activity of the indicated process and files modified by the indicated process. By default, the table includes two exclusion scopes that contain paths to the Network Agents. You can remove these exclusions, if necessary.

Exclusion scope settings for exclusion by process

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Full path to excluded process.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Page top
[Topic 249195]

Trusted process window

In this window, you can add and configure exclusion scopes for exclusion by process.

Exclusion scope settings

Setting

Description

Process-based exclusion scope name

Field for entering the Process-based exclusion scope name. This name will be displayed in a table in the Exclusions by process window.

The entry field must not be blank.

Use / Do not use this exclusion

This toggle button enables or disables this scan scope exclusion.

The check toggle button is switched on by default.

Apply to child processes

Exclude child processes of the excluded process indicated by the Path to excluded process setting.

This check box is cleared by default.

Path to excluded process

Full path to the process you want to exclude from scans.

File system, access protocol and path

This group of settings lets you set scan exclusions for files modified by the process.

In the drop-down list of file systems, you can select the type of file system of the directories to be excluded from scans:

  • Local, for local directories.
  • Mounted – mounted directories.
  • Shared displays server file system resources accessible via the Samba or NFS protocol.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.
  • All shared displays all server file system resources accessible via the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

     

The Access protocol drop-down list is available if Mounted or Shared is selected in the drop-down list of file systems.

Path

In the input field, you can enter the path to the directory that you want to add to the exclusion scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

This field is available if the Local type is selected in the drop-down list of file systems.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the exclusion scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks of the objects that the application excludes from scan. Masks are applied to objects only inside the directory indicated in the File system, access protocol and path block.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

 

Page top

[Topic 248959]

Firewall Management

The operating system firewall protects personal data that is stored on the user's device. The firewall blocks most threats to the operating system when the device is connected to the Internet or a LAN. Firewall Management detects all network connections by the user's device and provides a list of IP addresses, as well as an indication of the default network connection's status.

The Firewall Management component filters all network activity according to the network packet rules. Configuring network packet rules lets you specify the desired level of the device protection, from blocking Internet access for all applications to allowing unlimited access.

It is recommended to disable other operating system firewall management tools before enabling the Firewall Management component.

Firewall Management settings

Setting

Description

Firewall Management enabled / disabled

This toggle button enables or disables Firewall Management.

The toggle button is switched off by default.

Network packet rules

Clicking the Configure network packet rules link opens the Network packet rules window. In this window, you can configure the list of network packet rules that are applied by the Firewall Management component when it detects the network connection attempt.

Available networks

Clicking the Configure available networks link opens the Available networks window. In this window, you can configure the list of networks that the Firewall Management component will monitor.

Incoming connections

In this drop-down list, you can select the action to be performed for incoming network connections:

  • Allow network connections (default value).
  • Block network connections.

Incoming packets

In this drop-down list you can select the action to be performed for incoming packets:

  • Allow incoming packets (default value).
  • Block incoming packets.

Always add allowing rules for Network Agent ports

This check box enables or disables automatic adding allowing rules for Network Agent ports.

The check box is selected by default.

Page top

[Topic 202310]

Network packet rules window

The Network packet rules table contains network packet rules that the Firewall Management component uses for network activity monitoring. You can configure the settings described in the table below for network packet rules.

Network packet rules settings

Setting

Description

Name

Network packet rule name.

Action

Action to be performed by Firewall Management when it detects the network activity.

Local address

Network addresses of devices that have Kaspersky Embedded Systems Security installed and can send and/or receive network packets.

Remote address

Network addresses of remote devices that can send and/or receive network packets.

Logging

This column shows if the application logs actions of the network packet rule.

If the value is Yes, the application logs the actions of the network packet rule.

If the value is No, the application does not log the actions of the network packet rule.

By default, the table of network packet rules is empty.

You can add, edit, delete, move up, and move down network packet rules in the table.

Clicking the Move down button moves the selected item down in the table.

This button is available if only one item is selected in the table.

Clicking the Move up button moves the selected item up in the table.

This button is available if only one item is selected in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 202312_1]

Network packet rule window

In this window, you can configure the network packet rule.

Network packet rule settings

Setting

Description

Rule name

The field for entering the name of the network packet rule.

Action

In the drop-down list, you can select an action to be performed by the Firewall Management component when it detects network activity:

  • Block network activity.
  • Allow network activity (default value).

Protocol

In the drop-down list, you can select the type of data transfer protocol for which you want to monitor network activity:

  • Any (default value)
  • GRE
  • ICMP
  • ICMPv6
  • IGMP
  • TCP
  • UDP

Specify ICMP type

This check box lets you specify the ICMP type. The Firewall Management component monitors messages of the specified type sent by the host or gateway.

If this check box is selected, the field for entering the ICMP type is displayed.

This check box is displayed only if ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list.

This check box is cleared by default.

Specify ICMP code

This check box lets you specify the ICMP code. The Firewall Management component monitors messages of the type specified in the field under the ICMP type check box, with the code specified in the field under the ICMP code check box, and sent by the host or gateway.

If this check box is selected, the field for entering the ICMP code is displayed.

This check box is displayed only if ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list. It is available only if the Specify ICMP type check box is selected.

This check box is cleared by default.

Direction

In this drop-down list, you can specify the direction of the monitored network activity:

  • Incoming packets (default value). If this option is selected, the Firewall Management component monitors incoming packets.
  • Incoming. If this option is selected, the Firewall Management component monitors incoming network activity.
  • Incoming/Outgoing. If this option is selected, the Firewall Management component monitors both incoming and outgoing network activity.
  • Incoming/Outgoing packets. If this option is selected, the Firewall Management component monitors both incoming and outgoing packets.
  • Outgoing packets. If this option is selected, the Firewall Management component monitors outgoing packets.
  • Outgoing. If this option is selected, the Firewall Management component monitors outgoing network activity.

Remote address

In this drop-down list, you can specify network addresses of the remote devices that can send and receive network packets:

  • Any address (default value). If this option is selected, the network rule controls network packets sent and received by remote devices with any IP address.
  • All subnet addresses. If this option is selected, the network rule controls network packets sent and received by remote devices with the IP addresses associated with the selected network type: Public networks, Local networks, or Trusted networks.
  • Specified address. If this option is selected, the network rule controls network packets sent and received by the remote devices with IP addresses specified in the Address field.

Specify remote ports

This check box allows you to specify the port numbers of the remote devices between which the connection must be monitored.

If this check box is selected, the field for entering port numbers is displayed.

This check box is displayed only if TCP or UDP data transfer protocol is selected in the Protocol drop-down list.

This check box is cleared by default.

Local address

In this drop-down list, you can specify the network addresses of the devices with Kaspersky Embedded Systems Security installed that can send and receive network packets:

  • Any address (default value). If this item is selected, the network rule controls sending and receiving of network packets by the devices with Kaspersky Embedded Systems Security installed and with any IP address.
  • Specified address. If this item is selected, the network rule controls the specified in the Address field network addresses of the devices with Kaspersky Embedded Systems Security installed that can send and receive network packets.

Specify local ports

This check box allows you to specify the port numbers of the local devices between which the connection must be monitored.

If this check box is selected, the field for entering port numbers is displayed.

This check box is displayed only if TCP or UDP data transfer protocol is selected in the Protocol drop-down list.

This check box is cleared by default.

Log events

This check box lets you specify whether the actions of the network rule are recorded in the report.

If the check box is selected, the application writes the actions of the network rule to the report.

If the check box is cleared, the application does not write the actions of the network rule to the report.

This check box is cleared by default.

Page top

[Topic 202313]

Available networks window

The Available networks table contains the networks controlled by the Firewall Management component. The table of available networks is empty by default.

Available networks settings

Setting

Description

IP address

Network IP address.

Network type

Network type (Public network, Local network, or Trusted network).

You can add, edit, and delete available networks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 210497_1]

Network connection window

In this window, you can configure the network connection that the Firewall Management component will monitor.

Network connection

Setting

Description

IP address

The field for entering IP address of the network.

Network type

You can select the type of the network:

  • Public
  • Local
  • Trusted

     

Page top

[Topic 214875_1]

Web Threat Protection

While the Web Threat Protection component is running, Kaspersky Embedded Systems Security scans inbound traffic and prevents downloads of malicious files from the Internet and also blocks phishing, adware, or other malicious websites.

The application scans HTTP, HTTPS, and FTP traffic. Also, the application scans websites and IP addresses. You can specify the network ports or network port ranges to be monitored

To monitor HTTPS traffic, enable encrypted connection scans. To monitor FTP traffic, select the Monitor all network ports check box.

Web Threat Protection settings

Setting

Description

Web Threat Protection enabled / disabled

This toggle button enables or disables the Web Threat Protection component.

The toggle button is switched off by default.

Action on threat detection

In this section, you can specify the action that the application performs on the web resource where the dangerous object is detected:

  • Inform the user when a dangerous object is detected in web traffic. Web Threat Protection allows this object to be downloaded to the device. At that, the application logs the information about the dangerous object and adds it to the list of active threats.
  • Block access to all dangerous objects detected in web traffic, display a notification about the blocked access attempts, and log information about the dangerous objects (default value).

Detect malicious objects

This check box enables or disables checking of links against the databases of malicious web addresses.

The check box is selected by default.

Detect phishing links

This check box enables or disables checking of links against the databases of phishing web addresses.

The check box is selected by default.

Use heuristic analysis for detecting phishing links

This check box enables or disables the use of heuristic analysis for detecting phishing links.

This check box is available if the Detect phishing links check box is selected, and is selected by default.

Detect adware

This check box enables or disables checking links against the databases of adware web addresses.

This check box is cleared by default.

Detect legitimate applications that may be used by hackers to harm devices or data

This check box enables or disables checking links against the databases of legitimate applications that can be used by hackers to harm devices or data.

This check box is cleared by default.

Trusted web addresses

This table contains addresses of URLs and web pages whose content you consider trusted.

You can only add HTTP/HTTPS web addresses to the list of trusted web addresses.

You can use masks to specify web addresses. Masks are not supported to specify IP addresses.

When creating an address mask, use an asterisk (*) as a placeholder for one or more characters. If you enter the *abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/**/page_0-9abcdef.html means www.virus.com/*/page_0-9abcdef.html).

By default, the table is empty.

You can add, edit, and remove web addresses in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 234620]

Web address window

In this window, you can add a web address or a web address mask to the list of trusted web addresses.

You can add only HTTP/HTTPS web addresses to the list of trusted web addresses. You can use masks to specify web addresses. Masks are not supported to specify IP addresses.

When creating an address mask, use an asterisk (*) as a placeholder for one or more characters. If you enter the *abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/**/page_0-9abcdef.html means www.virus.com/*/page_0-9abcdef.html).

Page top
[Topic 202328_1]

Network Threat Protection

While the Network Threat Protection component is running, the application scans inbound network traffic for activity that is typical for network attacks. Network Threat Protection is started by default when the application starts.

The application receives the numbers of the TCP ports from the current application databases and scans incoming traffic for these ports. Upon detecting an attempt of a network attack that targets your device, the application blocks network activity from the attacking device and logs an event about the detected network activity.

To scan network traffic, the Network Threat Protection task receives port numbers from the application databases and accepts connections via all these ports. During the network scan process, it may look like an open port on the device, even if no application on the system is listening to this port. It is recommended to close unused ports by means of a firewall.

Network Threat Protection settings

Setting

Description

Network Threat Protection enabled / disabled

This toggle button enables or disables Network Threat Protection.

The check toggle button is switched on by default.

Action on threat detection

Actions performed upon detection of network activity that is typical of network attacks.

  • Inform user. The application allows network activity and logs information about detected network activity.
  • Block network activity from an attacking device and log information about detected network activity (default value).

Blocking attacking devices enabled / disabled

This toggle button enables or disables blocking network activity when a network attack attempt is detected.

The check toggle button is switched on by default.

Block the attacking host for (min)

In this field you can specify the duration an attacking device is blocked in minutes. After the specified time, Kaspersky Embedded Systems Security allows network activity from this device.

Available values: integer from 1 to 32768.

Default value: 60.

Trusted IP addresses

The table contains a list of IP addresses. Network attacks from these addresses will not be blocked. By default, the list is empty.

You can add, edit, and remove IP addresses in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 11396]

IP address window

In this window, you can add and edit IP addresses. Network attacks from these IP addresses will not be blocked by Kaspersky Embedded Systems Security.

IP addresses

Setting

Description

Enter an IP address (IPv4 or IPv6)

Entry field for an IP address.

You can specify IP addresses of IPv4 and IPv6 versions.

Page top

[Topic 202336_1]

Kaspersky Security Network

To increase the protection of devices and user data, Kaspersky Embedded Systems Security can use Kaspersky's cloud-based knowledge base Kaspersky Security Network (KSN) to check the reputation of files, Internet resources, and software. The use of Kaspersky Security Network data ensures a faster response to various threats, high protection component performance, and fewer false positives.

Kaspersky Embedded Systems Security supports the following infrastructure solutions to work with Kaspersky's reputation databases:

  • Kaspersky Security Network (KSN) – A solution that receives information from Kaspersky and sends data about objects detected on user devices to Kaspersky for additional verification by Kaspersky analysts and to add to reputation and statistical databases.
  • Kaspersky Private Security Network (KPSN) – A solution that allows users of devices with Kaspersky Embedded Systems Security installed to access the reputation databases of Kaspersky, as well as other statistical data, without sending data to Kaspersky from their devices. KPSN is designed for corporate clients who can't use Kaspersky Security Network, for example, for the following reasons:
    • No connection of local workplaces to the Internet
    • Legal prohibition or corporate security restrictions on sending any data outside the country or the organization's local network

After changing the Kaspersky Embedded Systems Security license, submit the details of the new key to the service provider in order to be able to use KPSN. Otherwise, data exchange with KPSN will be impossible due to an authentication error.

Use of Kaspersky Security Network is voluntary. Kaspersky Embedded Systems Security suggests using KSN during installation. You can start or stop using KSN at any time.

There are two options for using KSN:

  • KSN with statistics sharing (extended KSN mode) – you can receive information from the Kaspersky knowledge base, while Kaspersky Embedded Systems Security automatically sends statistical information to KSN obtained during its operation. The application can also send to Kaspersky for additional scanning certain files (or parts of files) that intruders can use to harm the device or data.
  • KSN without statistics sharing – you can receive information from the Kaspersky knowledge base, while Kaspersky Embedded Systems Security does not send anonymous statistics and data about the types and sources of threats.

You can start or stop using Kaspersky Security Network at any time. You can also select another Kaspersky Security Network usage option.

No personal data is collected, processed, or stored. Detailed information about the storage, and destruction, and/or submission to Kaspersky of statistical information generated during participation in KSN is available in the Kaspersky Security Network Statement and on Kaspersky's website.

You can read the text of the Kaspersky Security Network Statement in the Kaspersky Security Network Statement window, which can be opened by clicking the Kaspersky Security Network Statement link.

Kaspersky Security Network settings

Setting

Description

Do not use KSN

By selecting this option, you decline to use Kaspersky Security Network.

KSN with statistics sharing (extended KSN mode)

By selecting this option, you accept the terms of use of Kaspersky Security Network. You will be able to receive information from Kaspersky's online knowledge base about the reputation of files, web resources, and software. Also, anonymous statistics and information about the types and sources of various threats will be sent to Kaspersky to improve Kaspersky Security Network.

KSN without statistics sharing

By selecting this option, you accept the terms of use of Kaspersky Security Network. You will be able to receive information from Kaspersky's online knowledge base about the reputation of files, web resources, and software.

Kaspersky Security Network Statement

Clicking this link opens the Kaspersky Security Network Statement window. In this window, you can read the text of the Kaspersky Security Network Statement.

Page top

[Topic 246795]

Kaspersky Security Network Statement

In this window, you can read the text of the Kaspersky Security Network Statement and accept its terms and conditions.

Kaspersky Security Network settings

Setting

Description

I confirm that I have fully read, understand, and accept the terms and conditions of the Kaspersky Security Network Statement

By selecting this option, you confirm that you want to use the Kaspersky Security Network, and you have fully read, understood, and accept the terms and conditions of the Kaspersky Security Network Statement that is displayed.

I do not accept the terms and conditions of the Kaspersky Security Network Statement

By selecting this option, you confirm that you do not want to use Kaspersky Security Network.

Page top

[Topic 246797]

Anti-Cryptor

Anti-Cryptor allows you to protect your files in local directories with network access by SMB/NFS protocols from remote malicious encryption.

While the Anti-Cryptor component is running, Kaspersky Embedded Systems Security scans remote devices calls to access the files located in the shared network directories of the protected device. If the application considers a remote device actions on network file resources to be malicious encrypting, this device is added to a list of untrusted devices and loses access to the shared network directories. The application does not consider activity to be malicious encryption if it is detected in the directories excluded from the protection scope of the Anti-Cryptor component.

For the Anti-Cryptor component to operate correctly, at least one of the services (Samba or NFS) must be installed in the operating system. For the NFS service, the rpcbind package must be installed.

Anti-Cryptor operates correctly with the SMB1, SMB2, SMB3, NFS3, TCP/UDP, and IP/IPv6 protocols. Working with NFS2 and NFS4 protocols is not supported. It is recommended to configure your server settings so that the NFS2 and NFS4 protocols cannot be used to mount resources.

Anti-Cryptor does not block access to network file resources until the device activity is identified as malicious. So, at least one file will be encrypted before the application detects malicious activity.

Anti-Cryptor settings

Setting

Description

Anti-Cryptor protection enabled / disabled

This toggle button enables or disables protection of files in the local directories with network access by SMB/NFS protocols from remote malicious encryption.

The toggle button is switched off by default.

Protection scopes

Clicking the Configure protection scope link opens the Protection scopes window.

Untrusted hosts blocking enabled / disabled

This toggle button enables or disables untrusted hosts blocking.

The check toggle button is switched on by default.

Block untrusted host for (min)

In this field you can specify the untrusted host blocking duration in minutes. After the specified time, Kaspersky Embedded Systems Security removes the untrusted devices from the list of blocked devices. The access of the host to network file resources is restored automatically, after it is deleted from the list of untrusted hosts.

If a compromised host is blocked and you change this setting value, the blocking time for this host will not change. The blocking time is not a dynamic value, and it is calculated at the moment of blocking.

Available values: integer from 1 to 4294967295.

Default value: 30.

Exclusions

Clicking the Configure exclusions link opens the Exclusion scopes window.

Exclusions by mask

Clicking the Configure exclusions by mask link opens the Exclusions by mask window.

Page top

[Topic 202351]

Protection scopes window

The table contains protection scopes of the Anti-Cryptor component. The application will scan files and directories located in the paths specified in the table. By default, the table contains one scan scope that includes all directories of the local file system.

Protection scope settings

Setting

Description

Scope name

Protection scope name.

Path

Path to the directory that the application protects.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

This button is available if only one item is selected in the table.

Clicking the Move up button moves the selected item up in the table.

This button is available if only one item is selected in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Embedded Systems Security protects objects in the specified scopes in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.

Page top
[Topic 202352]

Add scan scope window

In this window, you can add or configure protection scope for the Anti-Cryptor component.

Protection scope settings

Setting

Description

Scan scope name

Field for entering the protection scope name. This name will be displayed in the table in the Protection scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application processes this protection scope during the component operation.

If this check box is cleared, the application does not process this protection scope during the component operation. You can later include this scope in the component operation settings by selecting the check box.

The check box is selected by default.

File system, access protocol and path

You can select the type of file system in the drop-down list:

  • Local (default value) – local directories.
  • Shared displays server file system resources accessible via the Samba or NFS protocol.
  • All shared displays all server file system resources accessible via the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.

This drop-down list is available if the Shared option is selected in the drop-down list of file systems.

Path

The entry field for specifying the path to the directory that you want to include in the protection scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

This field is available if the Local type is selected in the drop-down list of file systems.

The field must not be blank.

By default, the / path is specified (root directory).

Masks

This list contains name masks of the objects that the application scans during operation of the Anti-Cryptor component.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 202353]

Exclusion scopes window

This table contains scan exclusion scopes. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from scan.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 210496_3]

Add exclusion scope window

In this window, you can add and configure exclusion scopes.

Exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables the exclusion of the scope when the application is running.

If the check box is selected, the application excludes this scope from scan or protection during its operation.

If this check box is cleared, the application includes this scan or protection scope during its operation. You can later exclude this scope from scan or protection by selecting the check box.

The check box is selected by default.

File system, access protocol and path

In this drop-down list, you can select the type of file system where the directories that you want to add to scan exclusions are located:

  • Local, for local directories.
  • Mounted, for remote directories mounted on the device.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Mounted type is selected in the drop-down list of file systems.

Path

Entry field for the path to the directory that you want to add to the exclusion scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default. The application excludes all directories of the local file system from scan.

This field is available if the Local type is selected in the drop-down list of file systems.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the exclusion scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks of the objects that the application excludes from scan. Masks are only applied to objects in the directory specified in the Path field.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

 

Page top

[Topic 248957_1]

Exclusions by mask window

You can configure the exclusion of objects from scans based on name mask. The application will not scan files whose names contain the specified mask. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

Page top
[Topic 202356_1]

System Integrity Monitoring

System Integrity Monitoring is designed to track the actions performed on files and directories in the monitoring scope specified in the component operation settings. You can use System Integrity Monitoring to track the file changes that may indicate a security breach on a protected device.

To use the component, a license that includes the corresponding function is required.

System Integrity Monitoring settings

Setting

Description

System Integrity Monitoring enabled / disabled

This toggle button enables or disables System Integrity Monitoring.

The toggle button is switched off by default.

Monitoring scopes

Clicking the Configure monitoring scopes link opens the Monitoring scopes window.

Monitoring exclusions

Clicking the Configure monitoring exclusion scopes link opens the Exclusion scopes window.

Exclusions by mask

Clicking the Configure exclusions by mask link opens the Exclusions by mask window.

Page top

[Topic 202363]

Monitoring scopes window

The table contains monitoring scopes for the System Integrity Monitoring component. The application monitors files and directories located in the paths specified in the table. By default, the table contains the Kaspersky internal objects (/opt/kaspersky/kess/) monitoring scope.

Monitoring scope settings for System Integrity Monitoring

Setting

Description

Scope name

Monitoring scope name.

Path

Path to the directory that the application protects.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

This button is available if only one item is selected in the table.

Clicking the Move up button moves the selected item up in the table.

This button is available if only one item is selected in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Embedded Systems Security scans objects in the specified scopes, in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.

Page top

[Topic 202280]

Add monitoring scope window

In this window, you can add and configure monitoring scope for the System Integrity Monitoring component.

Monitoring scope settings

Setting

Description

Scan scope name

Field for entering the monitoring scope name. This name will be displayed in the table in the Monitoring scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application controls this monitoring scope during the operation.

If this check box is cleared, the application does not control this monitoring scope during the operation. You can later include this scope in the component settings by selecting the check box.

The check box is selected by default.

File system, access protocol and path

Entry field for the path to the local directory that you want to include in the monitoring scope. You can use masks to specify the path. The field must not be blank.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default – the application scans all directories of the local file system.

Masks

The list contains name masks for the objects that the application scans.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 218554]

Exclusion scopes window

The table contains monitoring exclusion scopes for the System Integrity Monitoring component. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Monitoring exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from monitoring.

Status

Indicates whether the application excludes this scope from monitoring during the component operation.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 202410_1]

Add exclusion scope window

In this window, you can add or configure the monitoring exclusion scope for the System Integrity Monitoring component.

Monitoring exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window. The entry field must not be blank.

Use this scope

The check box enables or disables the exclusion of the scope from monitoring when the application is running.

If this check box is selected, the application excludes this scope from monitoring during the component operation.

If this check box is cleared, the application monitors this scope during the component operation. You can later exclude this scope from monitoring by selecting the check box.

The check box is selected by default.

File system, access protocol and path

Entry field for the path to the local directory that you want to add to the exclusion scope. You can use masks to specify the path. The field must not be blank.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default. The application excludes all directories of the local file system from scan.

Masks

The list contains name masks of the objects that the application excludes from the monitoring.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 219604]

Exclusions by mask window

You can configure the exclusion of objects from monitoring based on name masks. The application does not scan the files with the names containing the specified masks. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

Page top
[Topic 202412_2]

Application Сontrol

During execution of the Application Control task, Kaspersky Embedded Systems Security controls the launching of applications on user devices. This helps reduce the risk of device infection by restricting access to applications. Application launching is regulated by Application Control rules.

Application Control can operate in two modes:

  • Denylist. In this mode Kaspersky Embedded Systems Security allows all users to launch any applications that are not specified in the Application Control rules. This is the default operation mode of the Application Control component.
  • Allowlist. In this mode Kaspersky Embedded Systems Security prevents all users from launching any applications that are not specified in the Application Control rules.

For each Application Control operation mode, separate rules can be created and an action can be specified: apply rules or test rules. Kaspersky Embedded Systems Security performs this action when it detects an attempt to start an application.

The Application Control settings are described in the following table.

Application Control settings

Setting

Description

Application Control enabled / disabled

This toggle button enables or disables Application Control.

The toggle button is switched off by default.

Application Control action

The action that Kaspersky Embedded Systems Security performs upon detecting an attempt to start an application that matches the configured rules:

  • Test rules. If you select this option, Kaspersky Embedded Systems Security tests the rules and generates an event about detection of the applications that match the rules.
  • Apply rules (default value). If you select this option, Kaspersky Embedded Systems Security applies Application Control rules and performs the action specified in the rules.

Application Control mode

Application Control task operation mode:

  • Allowlist. If you select this option, Kaspersky Embedded Systems Security prevents all users from launching any applications except those specified in the Application Control rules.
  • Denylist (default value). If you select this option, Kaspersky Embedded Systems Security allows all users to launch any applications except those specified in the Application Control rules.

Application Control rules

Clicking the Configure rules link opens the Application Control rules window.

Page top

[Topic 246368]

Application Control rules window

The Application Control rules table has the tabs with the rules for each operation mode: Denylist (active) and Allowlist. Both tabs of the Application Control rules table are empty by default.

Application Control rules settings

Setting

Description

Category

The name of the application category that is used by the rule.

Status

Operation status of the Application Control rule:

  • Enabled – the rule is enabled, Application Control applies this rule during operation.
  • Disabled – the rule is disabled and is not used when the Application Control is running.
  • Test – Application Control allows launching applications that meet the rule criteria, but logs information about launches of these applications in the report.

You can add, modify and remove Application Control rules.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Page top

[Topic 246370]

Application Control rule window

In this window, you can configure the settings for the Application Control rule.

Configuring an Application Control rule

Setting

Description

Rule description

Description of the Application Control rule.

Status

You can select the operation status of the Application Control rule:

  • Enabled – the rule is enabled, Application Control applies this rule during operation.
  • Disabled – the rule is disabled and is not used when the Application Control is running.
  • Test – Application Control allows launching applications that meet the rule criteria, but logs information about launches of these applications in the report.

Category

Clicking the Configure category link opens the Application Control categories window.

Access control list

The table contains a list of users or user groups to which the Application Control rule applies, and the types of access assigned to them, and consists of the following columns:

  • Principal name is a name of the user or user group to which the Application Control rule applies.
  • Access – access type (allow or block launching applications). This toggle button switches access type: Allow launching the applications or Block launching the applications.

     

You can add, edit, and delete users or user groups.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Page top

[Topic 246371]

Application Control categories window

In this window, you can add a new category or configure the category settings for an Application Control rule.

Kaspersky Embedded Systems Security does not support use of the KL categories of Kaspersky Security Center.

Application Control categories

Setting

Description

Category name

List to search for the added Application Control categories.

Add

Clicking the button starts the category creation wizard. Follow the instructions of the Wizard.

Edit

Clicking this button opens the category properties window, where you can change the category settings.

Page top

[Topic 246372]

Select user or group window

In this window, you can specify a local or domain user or user group for which you want to configure a rule.

Configuring an Application Control rule

Setting

Description

Manually

If this option is selected, in the field below enter the name of the local or domain user or the name of a user group, to which the Application Control rule will apply.

List of groups or users

If this option is selected, in the search field you can enter search criteria for the name of the user or name of the user group, to which the Application Control rule will apply, or you can select the name of the user group in the list below.

Page top

[Topic 247145]

Device Control

When the Device Control task is running, Kaspersky Embedded Systems Security manages user access to the devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). This lets you protect the client device from infection when external devices are connected, and prevent data loss or leaks. Device Control manages user access to devices using the access rules.

When a device, access to which is denied by the Device Control task, connects to a client device, the application denies the users specified in the rule access to this device and displays a notification. During attempts to read and write on this device, the application silently blocks the users specified in the rule from reading/writing.

Device Control settings

Setting

Description

Device Control enabled / disabled

This toggle button enables or disables Device Control.

The check toggle button is switched on by default.

Configure trusted devices

Clicking this link opens the Trusted devices window. In this window, you can add devices to a list of trusted devices by ID or by selecting them from the list of devices detected on the client devices.

Device Control action

Action performed by the application when an attempt is made to access a device to which access is denied in accordance with Device Control rules.

  • Test rules. If you select this option, Kaspersky Embedded Systems Security tests the access rules and generates an event about detection of an attempt to access a device.
  • Apply rules (default value). If you select this option, Kaspersky Embedded Systems Security applies Access Control rules and performs the action specified in the rules.

Configure settings for device types

Clicking this link opens the Device types window. In this window, you can configure access rules for various types of devices.

Configure settings for connection buses

Clicking this link opens the Connection buses window. In this window, you can configure access rules for connection buses.

Page top

[Topic 197568]

Trusted devices window

The table contains a list of trusted devices. The table is empty by default.

Trusted device settings

Setting

Description

Device ID

Trusted device ID.

Device name

Name of a trusted device.

Device type

Trusted device type (for example, Hard drive or Smart card reader).

Host name

Name of the client device the trusted device is connected to.

Comment

Comment related to a trusted device.

You can add a device to the list of trusted devices by the device ID or by selecting the required device in the list of devices detected on the user device.

You can edit and delete trusted devices in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Page top
[Topic 246343]

Trusted device (Device ID) window

In this window, you can add a device to the list of trusted devices by its identifier.

Adding device by ID

Setting

Description

Device ID

Entry field for a device ID or device ID mask. You can manually specify the device ID or copy the ID of the required device from the Devices detected on hosts list.

To specify an identifier, you can use the following wildcards: * (any sequence of characters) or ? (any single character). For example, you can specify the USBSTOR* mask to allow access to all USB drives.

Comment

Entry field for a comment (optional). This field is available after you enter the device ID, and click the Next button.

Page top

[Topic 246347]

Trusted device window (List of detected devices)

In this window you can add a device to the list of trusted devices by selecting it in the list of existing managed devices.

Information about existing devices is available only if an active policy exists and synchronization with the Network Agent has been completed (the synchronization interval is specified in the Network Agent policy properties; the default setting is 15 minutes). If you create a new policy and there are no other active ones, the list will be empty.

Adding device from list

Setting

Description

Device type

In this drop-down list, you can select type of devices to be displayed in the Devices detected on hosts table.

Device ID mask

Entry field for a device ID mask.

Comment

Entry field for a comment (optional). This field is available after you select the devices, and click the Next button.

Clicking the Filter button opens the window, where you can set up the filtering of displayed information about devices.

Page top
[Topic 246348]

Device types window

In this window, you can configure access rules for various types of devices.

Access rules for device types

Setting

Description

Access to data storage devices

The table contains the following columns:

  • Type represents device types (for example, Hard drives, Printers).
  • Access represents the access mode for devices of this type. You can select one of the following access modes:
    • Allow, to allow access to devices of this type.
    • Block, to block access to devices of this type.
    • Depends on bus (default value), to allow or block access to devices depending on the access rule for a bus used for connecting a device.
    • By rule – allow or block access to devices, depending on the access rule and schedule. You can configure the access rule and its schedule by clicking the required device type.

Access to other devices

The table contains the following columns:

  • Type – type of device (for example, Input devices, Sound adapters).
  • Access represents the access mode for devices of this type. You can select one of the following access modes:
    • Allow, to allow access to devices of this type.
    • Block, to block access to devices of this type. The Block access rule cannot be selected for network adapters.
    • Depends on bus (default value), to allow or block access to devices depending on the access rule for a bus used for connecting a device.

Page top

[Topic 238846]

Device access rules window

In this window, you can configure access rules and schedules for the selected device type.

Device access rules and schedules

Setting

Description

Access to device

Access rule for devices of the selected type:

  • Allow: allow access to devices of the selected type.
  • Block: prohibit access to devices of the selected type.
  • Depends on bus (default value), to allow or block access to devices depending on the access rule for a bus used for connecting a device.
  • By rule – allow or block access to devices, depending on the access rule and schedule.

List of device access rules

The table contains a list of access rules and consists of the following columns:

  • Access schedule – names of existing access schedules.
  • Users and/or groups of users – names of users or names of user groups, to which the access rule will apply.
  • Access – access type for the schedule: Allow (grant access to devices of the selected type) or Block (deny access to devices of the selected type).

By default, the table contains the Default schedule access schedule, which provides all users with full access to devices (the \Everyone option is selected in the list of users and groups) at any time, if access by the connection bus is allowed for this type of device.

You can add, edit, and delete access rules.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Page top

[Topic 247147]

Device access rules window

In this window, you can configure the device access rule.

Device access rule

Setting

Description

Device access rule settings

Access to devices of the selected type:

  • Allow (default value) – provide access to the devices of the selected type.
  • Block: prohibit access to devices of the selected type.

Users and/or user groups

Name of the user or user group to which the rule applies.

The default value is \All (all users).

You can add, edit, and delete users or user groups.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Schedule for access to devices

Schedule for the specified users' access to devices. The default value is Default schedule. The Default schedule link opens the Schedules window, in which you can configure a different access schedule.

Page top

[Topic 247148]

Select user or group window

In this window, you can specify a local or domain user or user group for which you want to configure an access rule.

Configuring an access rule

Setting

Description

Manually

If this option is selected, in the field below enter the name of the local or domain users or the name of a user group, to which the device access rule will apply.

List of groups or users

If this option is selected, in the search field you can enter search criteria for the name of the user or name of the user group, to which the device access control rule will apply, or you can select the name of the user group in the list below.

Page top

[Topic 247150]

Schedules window

In this window, you can specify the schedule for the selected device access rule.

You can add, edit, and delete access schedule.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

You cannot delete the Default schedule.

Page top

[Topic 202423]

Schedule for access to devices window

In this window, you can configure the device access schedule. You can configure schedules only for hard drives, removable drives, floppy disks, and CD/DVD drives.

In the General settings->Application settings section, if the Block access to files during scans check box is cleared, then it is not possible to block access to devices using a device access schedule.

Schedule for access to devices

Setting

Description

Name

Entry field for the access schedule name.

Time intervals

The table where you can select time intervals for the schedule (days and hours).

Intervals highlighted in green are included to the schedule.

To exclude an interval from the schedule, click the corresponding cells. Intervals excluded from the schedule are highlighted in gray.

By default, all intervals (24/7) are included to the schedule.

Page top

[Topic 202424_1]

Connection buses window

In this window, you can configure access rules for connection buses.

Connection rules for buses

Setting

Description

Connection bus

Connection bus used to connect devices to the client device:

  • FireWire
  • USB

Access

This toggle button enables or disables access to devices that use this connection bus:

  • Allow (default value), to provide access to the devices connected using this connection bus.
  • Block, to deny access to the devices connected using this connection bus.

Page top

[Topic 202425]

Behavior Detection

By default, the Behavior Detection component starts when Kaspersky Embedded Systems Security starts and monitors the malicious activity of the applications in the operating system. When malicious activity is detected, Kaspersky Embedded Systems Security can terminate the process of the application that performs malicious activity.

Behavior Detection component settings

Setting

Description

Behavior Detection enabled / disabled

This toggle button enables or disables the Behavior Detection component.

The check toggle button is switched on by default.

Behavior Detection component operating mode

The action to be performed by Kaspersky Embedded Systems Security upon detecting malicious activity in the operating system:

  • Inform user. Kaspersky Embedded Systems Security does not terminate the process that performs malicious activity; it only records the detection of malicious activity in the event log.
  • Block the application that performs malicious activity (default value). Kaspersky Embedded Systems Security terminates the process that performs malicious activity and logs information about the detected malicious activity.

Exclusions by process

Clicking the Configure exclusions by process link opens the Exclusions by process window. In this window, you can exclude the activity of processes.

Page top

[Topic 237048]

Exclusions by process window

The table contains the exclusion scopes for exclusion by process The exclusion scope for exclusion by process lets you exclude the activity of the indicated process and files modified by the indicated process. By default, the table is empty.

Exclusion scope settings for exclusion by process

Setting

Description

Exclude / Do not exclude trusted processes from scans

The switch enables or disables the configured exclusions by process in the operation of the Behavior Detection component.

The toggle button is switched off by default.

Exclusion scope name

Exclusion scope name.

Path

Full path to excluded process.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Page top
[Topic 197235]

Adding a process exclusion scope window

In this window, you can add and configure exclusion scopes for exclusion by process.

Exclusion scope settings

Setting

Description

Process-based exclusion scope name

Field for entering the Process-based exclusion scope name. This name will be displayed in a table in the Exclusions by process window.

The entry field must not be blank.

Use this exclusion

This check box enables or disables this scan scope exclusion when the application is running.

The check box is selected by default.

Path to excluded process

Full path to the process you want to exclude from scans. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The entry field must not be blank.

Apply to child processes

Exclude child processes of the excluded process indicated by the Path to excluded process setting.

This check box is cleared by default.

Page top

[Topic 237043]

Managing tasks

You can configure the ability to view and manage Kaspersky Embedded Systems Security tasks on managed devices.

Task management settings

Setting

Description

Allow users to view and manage local tasks

This check box allows or blocks the users from viewing local tasks created in Kaspersky Embedded Systems Security and control of these tasks on the managed client devices.

This check box is cleared by default.

Allow users to view and manage tasks created through KSC

The check box allows or prohibits the users from viewing tasks created in Kaspersky Security Center Web Console and managing these tasks on managed client devices.

This check box is cleared by default.

Page top

[Topic 233441]

Removable Drives Scan

When the Removable Drives Scan task is running, the application scans the removable device and its boot sectors for viruses and other malware. The following removable drives are scanned: CDs, DVDs, Blu-ray discs, flash drives (including USB modems), external hard drives, and floppy disks.

Removable drives scan task settings

Setting

Description

Removable drives scan enabled / disabled

This option enables or disables the scan of removable drives when they are connected to the user device.

The toggle button is switched off by default.

Action on a removable drive connection

In the drop-down list, you can select an action to be performed by the application upon connection of removable drives to the user device:

  • Do not scan removable drives when connected (default value).
  • Quick scan – only scan files of certain types on removable drives (except CD/DVD drives and Blu-ray discs) and do not unpack compound objects. For the quick scan, the default settings of the File Threat Protection component are used.
  • Detailed scan – scan all files on removable drives (except CD/DVD drives and Blu-ray discs). For a detailed scan, the default settings of the Malware Scan task are used.

Action on a CD / DVD drive connection

In the drop-down list, you can select an action to be performed by the application upon connection of CD/DVD drives and Blu-ray discs to the user device:

  • Do not scan CD/DVD drives and Blu-ray discs when connected (default value).
  • Quick scan – only scan files of certain types on CD/DVD drives and Blu-ray discs. For the quick scan, the default settings of the File Threat Protection component are used.
  • Detailed scan – scan all files on CD/DVD drives and Blu-ray discs. For a detailed scan, the default settings of the Malware Scan task are used.

Block access to the removable drive while scanning

This check box enables or disables blocking of files on the connected drive during execution of the Removable Drives Scan task.

This check box is cleared by default.

Page top

[Topic 247217]

Proxy server settings

You can configure proxy server settings if the users of the client devices use a proxy server to connect to the internet. Kaspersky Embedded Systems Security may use a proxy server to connect to Kaspersky servers, for example, when updating application databases and modules or when communicating with Kaspersky Security Network.

Proxy server settings

Setting

Description

Do not use proxy server

If this option is selected, Kaspersky Embedded Systems Security does not use a proxy server.

Use specified proxy server settings

If this option is selected, Kaspersky Embedded Systems Security uses the specified proxy server settings.

Address

Field for entering the proxy server's IP address or domain name.

This field is available if the Use specified proxy server settings option is selected.

Port

Field for entering the proxy server's port.

Default value: 3128.

This field is available if the Use specified proxy server settings option is selected.

Use user name and password

Enables or disables proxy server authentication using a user name and password.

This check box is available if the Use specified proxy server settings option is selected.

This check box is cleared by default.

When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.

User name

Entry field for the user name used for proxy server authentication.

This entry field is available if the Use user name and password check box is selected.

Edit

Allows you to specify a password for authenticating on the proxy server. The Password field cannot be edited. By default, the password is empty.

To specify a password, click Edit. In the window that opens, enter the password and click OK.

Password must not contain any of the following characters: "&'<>#%/?@.

Clicking the Show button in the window displays the password in clear text in the password entry window.

This button is available if the Use user name and password check box is selected.

Use Kaspersky Security Center as a proxy server for the application activation

This check box enables or disables use of Kaspersky Security Center as a proxy server for application activation.

If this check box is selected, Kaspersky Embedded Systems Security uses Kaspersky Security Center as a proxy server for the application activation.

This check box is cleared by default.

Page top

[Topic 197958]

Application settings

You can configure the general settings of Kaspersky Embedded Systems Security.

General application settings

Setting

Description

Detect legitimate applications that may be used by hackers to harm devices or data

This check box enables or disables the detection of legitimate software that could be used by hackers to harm computers or data of users.

This check box is cleared by default.

Event notifications

Clicking the Configure event notifications link opens the Notification settings window. In this window, you can select the events that the application logs in the operating system log (syslog). To do this, select the check box next to each type of event that you want to log.

You can also select the check box next to the event severity level (Functional failures, Informational messages, Warnings, Critical events). In this case, the check boxes will be automatically selected next to each type of event that belongs to the group of the selected importance level.

All check boxes are cleared by default.

Block files during scan

This check box enables or disables the blocking of access to files while they are being scanned by the File Threat Protection, Anti-Cryptor, and Device Control components or the Removable Drives Scan task.

Removing the flag enables information mode for File Threat Protection, Device Control and Removable Drive Scan.

The check box is selected by default.

Excluding process memory from scan

The Configure excluding process memory from scan link opens the Excluding process memory from scan window where you can create a list of processes to exclude during process memory scans.

Page top

[Topic 246285]

Excluding process memory from scan window

The list contains paths to processes whose memory Kaspersky Embedded Systems Security excludes from process memory scans. You can use masks to specify the path. By default, the list is empty.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

You can add, edit, and delete items in the list.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected process path from the list.

This button is available if at least one process path is selected in the list.

The Edit button a window where you can change the process path. Kaspersky Embedded Systems Security excludes the memory of the indicated process from scans.

The Add button opens a window where you can enter the full path to a process. Kaspersky Embedded Systems Security excludes the memory of the indicated process from scans.

Page top
[Topic 236898_1]

Container scan settings

You can configure the settings for namespace and container scan by Kaspersky Embedded Systems Security.

Container scan settings

Setting

Description

Namespace and container scan enabled / disabled

This toggle button enables or disables namespace and container scans.

The check toggle button is switched on by default.

Action with container upon threat detection

You can select the action that the application performs on a container when it detects an infected object:

  • Skip container: if an infected object is detected, the application does not perform any action on the container.
  • Stop container: if an infected object is detected, the application stops the container.
  • Stop container if disinfection fails (default value) – the application stops the container if disinfection of the infected object fails.

This setting is available when using the application under a license that supports this function.

Use Docker

This check box enables or disables the use of the Docker environment.

The check box is selected by default.

Docker socket path

Entry field for the path or URI (Uniform Resource Identifier) of the Docker socket.

The default value is /var/run/docker.sock.

Use CRI-O

The check box enables or disables the use of the CRI-O environment.

The check box is selected by default.

File path

Entry field for the path to CRI-O configuration file.

Default value: /etc/crio/crio.conf.

Use Podman

The check box enables or disables the use of the Podman utility.

The check box is selected by default.

File path

Entry field for the path to the Podman utility executable file.

Default value: /usr/bin/podman.

Root folder

Entry field for the path to the root directory of the container storage.

Default value: /var/lib/containers/storage.

Use runc

The check box enables or disables the use of the runc utility.

The check box is selected by default.

File path

Entry field for the path to the runc utility executable file.

Default value: /usr/bin/runc.

Root folder

Entry field for the path to the root directory of the container state storage.

Default value: /run/runc-ctrs.

Page top

[Topic 207662]

Network settings

You can configure the settings of encrypted connection scans. These settings are used by the Web Threat Protection component.

When the encrypted connection scan settings are changed, the application generates a Network settings changed event.

Network settings

Setting

Description

Encrypted connections scan enabled / disabled

This toggle button enables or disables scanning of encrypted connections.

The check toggle button is switched on by default.

Trusted certificates

The Configure list of trusted certificates link opens a window where you can configure a list of trusted certificates. Trusted certificates are used when scanning encrypted connections.

Action when an untrusted certificate is encountered

You can select the action that the application performs on a container when it detects an untrusted certificate:

  • Allow connection to a domain with an untrusted certificate (default value).
  • Block connection to a domain with an untrusted certificate.

Action on errors during an encrypted connections scan

You can select the action that the application performs when an error occurs during an encrypted connection scan:

  • Add website to exclusions (default value) – add the domain that resulted in the error to the list of domains with scan errors and do not scan encrypted network traffic when this domain is visited.
  • Disconnect from website – block the network connection.

Certificate verification policy

You can select how the application verifies certificates:

  • Local check: the application does not use the internet to validate a certificate.
  • Full check (default value): the application uses the Internet to check and download the missing chains that are required to validate a certificate.

Trusted domains

Clicking the Configure list of trusted domains link opens the Trusted domains window.

Network ports

Clicking the Configure network port settings link opens the Network ports window, where you can specify the network ports to be monitored by the application.

Monitor all network ports

If this option is selected, the application monitors all network ports.

Monitor specified ports only

If this option is selected, the application monitors only the network ports specified in the Network ports window.

This option is selected by default.

Page top

[Topic 237096]

Trusted certificates window

You can configure a list of certificates considered trusted by Kaspersky Embedded Systems Security. The list of trusted certificates is used when scanning encrypted connections.

The following information is displayed for each certificate:

  • certificate subject
  • serial number
  • certificate issuer
  • certificate start date
  • certificate expiration date
  • SHA-256 certificate thumbprint

By default, the certificate list is empty.

You can add and remove certificates.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

See also:

Adding a trusted certificate window

Trusted domains window

Network ports window
Page top
[Topic 7588]

Adding a trusted certificate window

In this window, you can add a certificate that will be trusted by Kaspersky Embedded Systems Security.

The Add certificate link opens the standard file selection window. Indicate the path to the file that contains the certificate, in DER or PEM format.

After the certificate file is selected, the window displays certificate information and the file path.

Page top
[Topic 197621]

Trusted domains window

This list contains the domain names and domain name masks that will be excluded from encrypted connection scans.

Example: *example.com. For example, *example.com/* is incorrect because a domain address, not a web page, needs to be specified.

By default, the list is empty.

You can add, edit and remove domains from the list of trusted domains.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 238852]

Network ports window

This table contains the network ports monitored by the application if the Monitor specified ports only option is selected in the Network settings window.

The table contains two columns:

  • Port – monitored port.
  • Description – description of the monitored port.

By default, the table displays a list of network ports that are usually used for the transmission of mail and network traffic. The list of network ports is included in the application package.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 202457]

Global exclusions

The table contains mount points that will be excluded from the scan scope for the application components that use the file operation interceptor (File Threat Protection and Anti-Cryptor).

The Path column displays the paths to the excluded mount points. The table is empty by default.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Page top
[Topic 202461]

Adding a mount point exclusion window

Mount point settings

Setting

Description

File system, access protocol and path

In this drop-down list, you can select the type of file system where the directories that you want to add to scan exclusions are located:

  • Local: local mount points.
  • Mounted: remote directories mounted on the device using the Samba or NFS protocol.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Mounted type is selected in the drop-down list of file systems.

Path

Field for entering the path to the mount point that you want to exclude from file operation interception. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

This field is available if the Local type is selected in the drop-down list of file systems.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the file operation interception exclusions are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Page top

[Topic 248961]

Storage settings

The Storage is a list of backup copies of files that have been deleted or modified during the disinfection process. Backup copy is a file copy created at the first attempt to disinfect or delete this file. Backup copies of files are stored in a special format and do not pose a threat. By default, the Storage is located in the /var/opt/kaspersky/kess/common/objects-backup/ directory. Files in the Storage may contain personal data. Root privileges are required to access files in the Storage.

Storage settings

Setting

Description

Informing about unprocessed files enabled / disabled

This toggle button enables or disables sending notifications about the files, that cannot be processed during the scan, to the Administration Server.

The check toggle button is switched on by default.

Informing about installed devices enabled / disabled

This toggle button enables or disables sending information about the devices installed on the managed client device to the Administration Server.

The check toggle button is switched on by default.

Informing about files in Storage enabled / disabled

This toggle button enables or disables sending of notifications about files in the Storage to the Administration Server.

The check toggle button is switched on by default.

Store objects no longer than (days)

The entry field to specify the period for storing objects in the Storage.

Available values: 0–3653.

Default value: 90. If 0 is specified, the period for storing objects in the Storage is unlimited.

Maximum size of Storage (MB)

The entry field to specify the maximum size of the Storage (MB).

Available values: 0–999999. Default value: 0 (the size of Storage is unlimited).

Page top

[Topic 202462]