[Topic 296586]

Kaspersky Embedded Systems Security 3.4 for Linux Help

What's new

What's new in Kaspersky Embedded Systems Security 3.4 for Linux

Hardware and software requirements

• Hardware and software requirements of the application
  
  

Getting started

• Updating the application from a previous version
• Preparing to install the application
• Installation and initial configuration of the application
• Updating application databases and modules on the command line during initial configuration
• Updating application databases on the command line using the predefined update task (after initial configuration)
• Getting started using Kaspersky Security Center
  
  

Licensing

• Application licensing
• Application activation and license key management
• Activating the application during initial configuration on the command line
• Activating the application and managing license keys on the command line (after initial configuration)
• Activating the application using Kaspersky Security Center
  
  

Monitoring & Reporting

• Viewing the protection status of a device and information about application performance
• Viewing information about the operation of an application in the command line
• Viewing events and reports
  
  

Data provision and protection of personal information

• Data provision
  
  

Additional features

• Advanced configuration of the application
• Using Kaspersky Security Network
• Backup
  
  

Optimizing operating system resource consumption

• Resource consumption optimization
  
  

Contact Technical Support

• Troubleshooting
• Contact Technical Support

Page top

[Topic 296567]

Kaspersky Embedded Systems Security 3.4 for Linux

Kaspersky Embedded Systems Security 3.4 for Linux ("Kaspersky Embedded Systems Security", "Application") is designed for protecting devices running Linux operating systems against various types of threats, including network and scam attacks.

The application allows you to protect both physical devices and virtual machines.

The application is not intended for industrial processes that use automated control systems. To protect devices in such systems, we recommend using Kaspersky Industrial CyberSecurity for Linux Nodes.

The following functional components and tasks of the application provide the main functions of device protection and control:

• File Threat Protection prevents infection of the file system on the user device. The File Threat Protection component starts automatically when Kaspersky Embedded Systems Security is launched and scans all files that are opened, saved, and started in real time.

  You can also scan protected devices on demand using the following scan tasks:

  • Malware Scan. The application scans for the presence of malware in file system objects located on local disks of the device, as well as mounted and shared resources, which are accessed via SMB and NFS protocols. You can use this task to perform a full or custom scan of the device.
  • Critical Areas Scan. The application scans boot sectors, startup objects, process memory, and kernel memory.
• Removable Drives Scan. The Removable Drives Scan component allows you to monitor the connection of media to the device in real time and scan removable media with its boot sectors for malware. Kaspersky Embedded Systems Security can scan the following removable drives: CDs, DVDs, Blu-ray discs, flash drives (including USB modems), external hard drives, and floppy disks.
• Web Threat Protection. The Web Threat Protection component allows you to scan inbound traffic, prevent downloads of malicious files from the Internet, and block phishing, adware, and other malicious websites. Kaspersky Embedded Systems Security can scan encrypted connections.
• Network Threat Protection. The Network Threat Protection component allows you to scan inbound network traffic for activity that is typical for network attacks.
• Firewall Management. The Firewall Management component allows you to monitor the firewall settings of the operating system and filter all network activity in accordance with the network packet rules that you have configured.
• Anti-Cryptor. The Anti-Cryptor component allows you to scan remote devices' calls to files located in local directories with network access via SMB/NFS protocols and protect files from remote malicious encryption.
• Device Control. The Device Control component allows you to manage user access to the devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). This lets you protect the client device from infection when external devices are connected, and prevent data loss or leaks. User access to devices is governed by access regimes and access rules that you have configured.
• Application Control. The Application Control component allows you to manage the launch of applications on user devices. This reduces the risk of device infection by restricting access to applications. Application launching is regulated by the Application Control rules that you have configured.
• Inventory. The Inventory task provides information about all applications executable files stored on the client devices. This information can be useful, for example, for creating Application Control rules.
• Behavior Detection. The Behavior Detection component allows you to monitor for any malicious activity from applications in the operating system. When malicious activity is detected, Kaspersky Embedded Systems Security can terminate the process of the application that performs malicious activity.
• System Integrity Monitoring allows you to track changes to files and directories of the operating system. The System Integrity Monitoring component monitors the actions performed with objects from the monitoring scope specified in the component settings in real time. You can use the System Integrity Check task to check the integrity of the system on demand. The check is performed by comparing the current states of objects included in the monitoring scope with their initial states, which were previously established as a baseline.

Kaspersky Embedded Systems Security allows you to detect infected objects and neutralize the threats detected in them. For this, the application can use:

• Application databases to detect and disinfect infected files. During the scan process, the application analyzes each file for the presence of a threat: it compares the file code with the code of a specific threat and looks for possible matches.
• Kaspersky Security Network. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Embedded Systems Security to various threats, improves the performance of some protection components, and reduces the likelihood of false positives.

Prior to disinfection or removal, Kaspersky Embedded Systems Security saves backup copies of files in the Backup located on the device. If after disinfection, you partially or completely lose access to important information in a disinfected file, you can restore the file from the copy.

While performing scan tasks, Kaspersky Embedded Systems Security can disinfect and delete files that are protected from modification: files with the 'immutable' and 'append-only' attributes and files in directories with the 'immutable' and 'append-only' attributes. Backup stores copies of these files that were created before disinfection or deletion. You can restore files from backup copies, if necessary. When scan tasks are completed, the 'immutable' and 'append-only' attributes of disinfected files are reset.

Kaspersky Embedded Systems Security can operate in Notify-only mode. Notify-only mode is an operation mode for the application in which, if a threat is detected, application components and tasks do not attempt to disinfect or delete malicious objects, deny access or block the activity of applications. Instead, the application only informs the user about the detected threat.

To keep the application up to date, additional application functions are provided:

• Activating the application with a key file or activation code.
• Updating the databases and application modules from Kaspersky update servers, via the Administration Server, or from a user-specified source on schedule and on demand.
• User access control for the application functions according to the user roles.
• Notification of the administrator about events that occurred while the application was running.
• Integrity check of application components using the integrity check tool.

You can manage Kaspersky Embedded Systems Security using the following methods:

• Using Kaspersky Security Center through the Kaspersky Security Center Web Console, Kaspersky Security Center Cloud Console, or the Administration Console.
• Using control commands from the command line.
• Using a graphical user interface.

The update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality may not be available in the application in the territory of the USA.

In this Help section Distribution kit Hardware and software requirements

Page top

[Topic 296579]

Distribution kit

You can download the files that are included in the Kaspersky Embedded Systems Security distribution kit, as well as the files needed to remotely install the application using Kaspersky Security Center, on the Kaspersky website.

The Kaspersky Embedded Systems Security distribution kit includes the following files:

• kess-3.4.0-<build number>.i386.rpm, kess_3.4.0-<build number>_i386.deb

  Contain the main application files. Packages can be installed to 32-bit operating systems based on the type of package manager.

• kess-3.4.0-<build number>.x86_64.rpm, kess_3.4.0-<build number>_amd64.deb

  Contain the main application files. Packages can be installed to 64-bit operating systems based on the type of package manager.

• kess-gui-3.4.0-<build number>.i386.rpm, kess-gui-3.4.0-<build number>_i386.deb

  Contain the files of the application graphical user interface. Packages can be installed to 32-bit operating systems based on the type of package manager.

• kess-gui-3.4.0-<build number>.x86_64.rpm, kess-gui-3.4.0-<build number>_amd64.deb

  Contain the files of the application graphical user interface. Packages can be installed to 64-bit operating systems based on the type of package manager.

• kess-3.4.0.<build number>.zip

  Contains the files used for remote application installation using Kaspersky Security Center, including license.<language ID> and ksn_license.<language ID> files.

  Kaspersky Security Center Network Agent is not included in the distribution kit. You can download it on the application download page in the Kaspersky Security Center section.

• ksn_license.<language ID>

  This file contains the text of the Statement on Kaspersky Security Network.

• license.<language ID>

  This file contains the text of the End User License Agreement. The End User License Agreement specifies the terms for using the application.

Editing configuration files of the application on your on using means not described in the application documentation or not recommended by Technical Support may cause poor performance and failures of the application and operating system, reduced protection of your device, inaccessible and corrupted data, as well as the sending of additional statistics to KSN getting turned on.

Page top

[Topic 264262]

Hardware and software requirements

This section contains the hardware and software requirements for Kaspersky Embedded Systems Security.

In this section Hardware requirements Software requirements Supported versions of Kaspersky Security Center

Page top

[Topic 296653]

Hardware requirements

Kaspersky Embedded Systems Security has the following hardware requirements:

Minimum hardware requirements:

• Core 2 Duo 1.86 GHz or faster processor
• swap partition at least 1 GB
• 1 GB of RAM for 32-bit operating systems, 2 GB of RAM for 64-bit operating systems
• 4 GB of free hard disk space for installation of the application and storage of temporary and log files
• When using a graphical user interface, the monitor must be capable of displaying windows 1000 pixels wide and 600 pixels high (if screen scaling is applied, these dimensions are also scaled)

Page top

[Topic 296652]

Software requirements

To install Kaspersky Embedded Systems Security, one of the following operating systems must be installed on the device:

• Supported 32-bit operating systems:
  • Debian GNU/Linux 11.0 and later.
  • Debian GNU/Linux 12.0 and later.
• Supported 64-bit operating systems:
  • AlmaLinux OS 9.0 and later.
  • AlterOS 7.5 and later.
  • Astra Linux Special Edition RUSB.10015-01 (operational update 1.7).
  • Astra Linux Special Edition RUSB.10015-01 (operational update 1.8).
  • CentOS Stream 9.
  • Debian GNU/Linux 11.0 and later.
  • Debian GNU/Linux 12.0 and later.
  • EMIAS 1.0 and later.
  • EulerOS 2.0 SP10.
  • Oracle Linux 9.0 and later.
  • Red Hat Enterprise Linux 8.0 and later.
  • Red Hat Enterprise Linux 9.0 and later.
  • Rocky Linux 9.0 and later.
  • SUSE Linux Enterprise Server 15 and later.
  • Ubuntu 20.04 LTS.
  • Ubuntu 22.04 LTS.
  • Ubuntu 24.04 LTS.
  • ALT SP Workstation release 10.
  • ALT SP Server release 10.
  • RED OS 7.3.
  • RED OS 8.0.
  • ROSA "Cobalt" 7.9 Workstation.
  • ROSA "Cobalt" 7.9 Server.
  • ROSA "Chrome" 12 Workstation.

Due to technical limitations of fanotify, the application does not support the following file systems: autofs, binfmt_misc, cgroup, configfs, debugfs, devpts, devtmpfs, fuse, fuse.gvfsd-fuse, gfs2, gvfs, hugetlbfs, mqueue, nfsd, proc, parsecfs, pipefs, pstore, usbfs, rpc_pipefs, securityfs, selinuxfs, sysfs, tracefs.

Page top

[Topic 296729]

Supported versions of Kaspersky Security Center

Kaspersky Embedded Systems Security is compatible with the following Kaspersky Security Center versions:

• Kaspersky Security Center 14.2 Windows. You can manage the Kaspersky Embedded Systems Security application in the Administration Console using the administration MMC plug-in and in the Kaspersky Security Center Web Console using the administration web plug-in.
• Kaspersky Security Center 15.2 Linux. The web administration plug-in can be used to administer Kaspersky Embedded Systems Security through Kaspersky Security Center Web Console.

Kaspersky Security Center Network Agent is required to manage Kaspersky Embedded Systems Security through Kaspersky Security Center.

Kaspersky Security Center Network Agent is not included in the Kaspersky Embedded Systems Security distribution kit. You can download it on the application download page in the Kaspersky Security Center section.

Page top

[Topic 296578]

What's new

Kaspersky Embedded Systems Security now has the following new features and improvements:

• The Application Control component has been improved. Now you can configure execution prevention for application other than those signed with trusted signatures.
• More settings of the Inventory task. Now you can select an action with the "Golden image" category when a task finishes.
• New cloud mode of the application, in which the application uses a lightweight version of the anti-malware databases. This lets you reduce the load on device memory.
• The application can be automatically restarted after an update. When updating, the application now automatically restarts to save the administrator the additional step of restarting the application.
• New settings that let you limit CPU usage have been added to the general application settings. At the same time, the ScanPriority setting was removed from scan tasks of the ODS and InventoryScan types.
• Now you can disable protection components and scan tasks after the application is installed. An installation with protection components disabled can be convenient, for example, in order to reproduce a problem in the operation of the application and create a trace file.
• The configuration file of the application now includes settings for defining the directory for storing dump files and the minimum required free disk space after creating dump files.
• We added the ability to view the remote application installation log and manage the tracing process in the Web Console properties of the managed device or in the Administration Console using the remote diagnostics utility.
• Now you can export and import a list of trusted devices for the Device Control component in the application administration plug-ins.
• Now you can export and import per-process exclusions for the Behavior Detection component in the application management plug-ins.
• Now you can configure the application to interact directly with KSN servers if the KSN Proxy service becomes unavailable.
• In the application management plug-ins, in the Storages -> Backup section, you can send a file to Kaspersky for scanning.
• The graphical user interface implements the ability to inform the user about the operation of application components and tasks in "Notify only" mode, in which, if a threat is detected, application components and tasks do not attempt to disinfect or remove malicious objects, deny access, or block the activity of programs, but instead only inform the user that a threat was detected. The administration plug-ins also now have a notification that "Notify only" mode has been enabled for the File Threat Protection and Device Control components.
• The newly implemented application stability monitoring functionality allows you to track the number of times the application terminates abnormally and notify the administrator about the unstable operation of the application.
• Now you can configure the display of pop-up notifications when managing the graphical user interface of the application. You can now enable or disable the display of pop-up notifications in the GUI using the Web Console, Administration Console, or command line.
• Improved command line options for task scheduling. Now you can configure a task to be stopped when it reaches maximum execution time.
• Improved Firewall Management component. Now you can specify multiple IP addresses or IP address ranges for a network packet rule.
• Now you can view statistics for the most frequently scanned files and applications, as well as a list of mount points detected on the protected device. To improve performance, you can now exclude the files that are most frequently scanned by the File Threat Protection component, the paths to applications that are most frequently scanned by the Behavior Detection component, and the mount points detected on the device.
• Now you can collect application performance metrics that can help analyze the impact of Kaspersky Embedded Systems Security on operating system performance.
• The procedure for initial configuration of the application in interactive mode now includes a check for the existence of users in privileged groups. The check for the presence of SELinux in the system has also been improved.
• The user is now better informed thanks to new events, improved event texts, an expanded list of event attributes, and an unification of events in plug-ins and the command line.
• Container protection and scanning is not provided as separate functionality. If you had Container Scan tasks configured in the previous version of the application, after updating the application, these tasks become unavailable and are not displayed. Scanning files in containers being started is possible as part of File Threat Protection when namespace scanning is enabled.
• List of supported operating systems is updated.

Page top

[Topic 264265]

Preparing to install Kaspersky Embedded Systems Security

Before starting installation of Kaspersky Embedded Systems Security, you need to perform the following actions:

• Check that your device meets the hardware and software requirements of the application.
• Be sure third-party anti-virus software is not installed on your device.
• Be sure that Kaspersky Endpoint Agent for Linux is not installed on your device. If Kaspersky Endpoint Agent for Linux is installed, during the installation process you will see a message about the need to manually remote it.
• Make sure that the Perl interpreter 5.10 or later is installed on your device.
• Make sure the semanage utility is installed in the system. If the utility is not installed, install the policycoreutils-python or policycoreutils-python-utils package, depending on the package manager.
• Make sure that the required dependencies for installing the GUI package are available on your device. If the device is in an isolated network segment and does not have access to the repositories of the package manager, we recommend to check the list of dependencies on the reference device, and then download and distribute the packages to all devices before installing the GUI.
• On devices with operating systems that do not support fanotify technology, make sure that the following are installed:
  • Packages for compiling applications and running tasks (gcc, binutils, glibc, glibc-devel, make)
  • Package with header files of the operating system kernel for compiling Kaspersky Embedded Systems Security modules.
• Install one of the following packages on your device depending on the operating system:
  • On devices running the SUSE Linux Enterprise Server 15 operating system, the insserv-compat package must be installed.
  • On devices running the Red Hat Enterprise Linux 8 or RED OS operating system, install the perl-Getopt-Long package.
  • On devices running the Red Hat Enterprise Linux or RED OS operating systems, install the perl-File-Copy package. This package is required for the initial application configuration script to work, but may be absent by default.
• By default, Astra Linux operating systems block ptrace (Disable ptrace capability), which may affect the operation of Kaspersky Embedded Systems Security. For Kaspersky Embedded Systems Security to work correctly, unblock ptrace when installing Astra Linux. If Astra Linux is already installed, see the Astra Linux Help Center website for instructions on how to enable/disable this mode (Configuring protection and blocking mechanisms in the Blocking ptrace section).
• For the Firewall Management, Web Threat Protection and Network Threat Protection components to work, the iptables utility needs to be installed on your device.
• For the Kaspersky Embedded Systems Security administration MMC plug-in to work, Microsoft Visual C++ 2015 Redistributable Update 3 RC (see https://www.microsoft.com/en-us/download/details.aspx?id=52685) must be installed on device where Kaspersky Security Center Administration Server is installed.
• For the application to run correctly, make sure that the root account is the owner of the following directories and that only the owner has the right to write to them: /var, /var/opt, /var/opt/kaspersky, /var/log/kaspersky, /opt, /opt/kaspersky, /usr/bin, /usr/lib, /usr/lib64.
• Make sure that file descriptor limits recommended by the operating system vendor are configured in the operating system. To check the limit, run the command cat /proc/sys/fs/file-max. When the application is running, the operating system may use significantly more descriptors. In general, we recommend disabling the file limit by specifying fs.file-max=9223372036854775807 in the /etc/sysctl.conf file. After changing the value of this setting, you must restart the operating system.

Page top

[Topic 263902]

Installation and initial configuration of Kaspersky Embedded Systems Security

You need to prepare for installation before installing Kaspersky Embedded Systems Security.

These scenarios describe the installation and post-installation configuration of Kaspersky Embedded Systems Security, the installation and configuration of Kaspersky Security Center Network Agent and the installation of Kaspersky Embedded Systems Security management plug-ins. The installation scenario depends on the mode in which you plan to use Kaspersky Embedded Systems Security.

The application installation procedure involves the following steps:

1. Installation and post-installation configuration of the Network Agent

   If you plan to manage Kaspersky Embedded Systems Security using Kaspersky Security Center, install and configure Kaspersky Security Center Network Agent on the protected device.

2. Installing the Kaspersky Embedded Systems Security management plug-in

   If you plan to manage Kaspersky Embedded Systems Security using Kaspersky Security Center, install the Kaspersky Embedded Systems Security management plug-in. Depending on the console used to manage Kaspersky Security Center, the following administration plug-ins are used:

   • The Kaspersky Embedded Systems Security administration web plug-in lets you manage the application using Kaspersky Security Center Cloud Console and Kaspersky Security Center Web Console. The web plug-in is installed on the device that has the Kaspersky Security Center Web Console installed.
   • The Kaspersky Embedded Systems Security administration MMC plug-in lets you manage the application using Kaspersky Security Center Administration Console. The MMC plug-in is installed on the device where Kaspersky Security Center Administration Console is installed.
3. Installing application packages and graphical user interface

   Kaspersky Embedded Systems Security is distributed in the DEB and RPM packages. There are separate packages for the application and for the graphical user interface. Install Kaspersky Embedded Systems Security and, if necessary, the graphical user interface from packages in the appropriate format.

   You can perform installation in one of the following ways:

   • Using Kaspersky Security Center.
   • Using the command line.
4. Kaspersky Embedded Systems Security post-installation configuration

   The application needs initial configuration to prepare it for operation and enable the protection of the client device.

   If you installed Kaspersky Embedded Systems Security using Kaspersky Security Center, the initial configuration was performed automatically during installation in accordance with the parameters specified in the installation package. After completing the installation, go through the Getting started procedure.

   If you installed Kaspersky Embedded Systems Security using the command line, run the initial configuration script or perform the initial configuration in automatic mode after installation is completed.

   If initial configuration of the application has not been completed on a device, you cannot use or update the application on that device.

In this Help section The installation and initial configuration of Kaspersky Security Center Network Agent Installing the Kaspersky Embedded Systems Security management plug-ins Installing and initially configuring the application using Kaspersky Security Center Installing and initially configuring the application using the command line Configuring allowing rules in the SELinux system Running the application on Astra Linux OS in closed software environment mode

Page top

[Topic 263907]

The installation and initial configuration of Kaspersky Security Center Network Agent

Network Agent facilitates the client device's connection with the Kaspersky Security Center Administration Server. It must be installed on every client device that will be connected to Kaspersky Security Center, the centralized remote management system.

Before you begin installing the Network Agent on Linux devices, you must perform some preparatory steps. For instructions on how to prepare devices for installing Network Agent, please refer to the Kaspersky Security Center Help. The procedure depends on the operating system.

You can perform the installation and initial configuration of Network Agent:

• Remotely from the administrator's workstation using the Kaspersky Security Center Web Console or the Administration Console. The Network Agent
  installation package

  A set of files created for remote installation of Kaspersky applications using Kaspersky Security Center. The installation package contains the settings required to install the application and ensure its operation immediately after the installation. The values of the settings correspond to the default values of the application settings. The installation package is created using the .kud file included in the application distribution kit.

  A set of files created for remote installation of Kaspersky applications using Kaspersky Security Center. The installation package contains the settings required to install the application and ensure its operation immediately after the installation. The values of the settings correspond to the default values of the application settings. The installation package is created using the .kud file included in the application distribution kit.

  A set of files created for remote installation of Kaspersky applications using Kaspersky Security Center. The installation package contains the settings required to install the application and ensure its operation immediately after the installation. The values of the settings correspond to the default values of the application settings. The installation package is created using the .kud file included in the application distribution kit.

  is used for remote installation.
• Using the command line:
  • In silent mode with an answer file. An answer file is a text file that contains a custom set of settings for the installation and initial configuration of Network Agent. For a description of installation options and initial configuration of Network Agent, please refer to the Kaspersky Security Center Help (the "Installing Network Agent for Linux in silent mode (with an answer file)" section).
  • Interactively from an RPM or DEB package depending on your package manager. In this case, after installation, you need to perform the initial configuration of the Network Agent using a script.

For details on how to install Network Agent, refer to the Kaspersky Security Center Help system.

Page top

[Topic 263911]

Installing the Kaspersky Embedded Systems Security management plug-ins

The following Kaspersky Embedded Systems Security administration plug-ins are used to manage Kaspersky Embedded Systems Security using Kaspersky Security Center:

• The Kaspersky Embedded Systems Security administration web plug-in lets you manage the application using Kaspersky Security Center Cloud Console and Kaspersky Security Center Web Console.
• The Kaspersky Embedded Systems Security administration MMC plug-in lets you manage the application using Kaspersky Security Center Administration Console.

You can install management plug-ins for different versions of Kaspersky Embedded Systems Security simultaneously. This allows you to manage the application by using the policies created with different administration plug-in versions.

You can also convert policies and tasks created with previous versions of the administration plug-in to newer versions.

In this section Installing the Kaspersky Embedded Systems Security web plug-in Installing the Kaspersky Embedded Systems Security MMC plug-in

Page top

[Topic 263913]

Installing the Kaspersky Embedded Systems Security web plug-in

The Kaspersky Embedded Systems Security administration web plug-in must be installed on the client device that has the Kaspersky Security Center Web Console installed. The functionality of the web plug-in is available to all administrators who have access to Kaspersky Security Center Web Console in a browser.

You can install the web plug-in as follows:

• Using the Quick Start Wizard for Kaspersky Security Center Web Console.

  Kaspersky Security Center Web Console automatically prompts you to run the Quick Start Wizard when connecting Kaspersky Security Center Web Console to the Administration Server for the first time. You can also run the Initial Configuration Wizard in the Kaspersky Security Center Web Console interface (Device discovery and deployment → Deployment and assignment → Quick Start Wizard). The Quick Start Wizard can also check if the installed web plug-ins are up to date and download the necessary updates. For more information on the Initial Configuration Wizard for Kaspersky Security Center Web Console, please refer to Kaspersky Security Center Help section.

• Manually, using a distribution kit from the list of Kaspersky Web plug-ins or from an external source.

To install the Kaspersky Embedded Systems Security web plug-in manually:

1. In the main window of the Kaspersky Security Center Web Console, select Settings → Web plug-ins.

   A list of installed web plug-ins opens.

2. Start the installation of the Kaspersky Embedded Systems Security web plug-in by one of the following ways:
   • Installation from the list of Kaspersky web plug-ins:
     1. Click Add.

        A list of all available Kaspersky Web plug-ins opens. The list is updated automatically after new versions of web plug-ins are released.

     2. Find the Kaspersky Embedded Systems Security <version number> for Linux web plug-in in the list and click its name.
     3. In the window that opens with a description of the web plug-in, click the Install plug-in button.
     4. Wait for the installation to complete and click OK in the information window.
   • Installation of the web plug-in from an external source (the archives required for installing the web plug-ins are included in the distribution kit):
     1. Click the Add from file button.
     2. In the window that opens, specify the path to the ZIP archive with the distribution kit for the web plug-in and the path to the signed file in TXT format. This file is in the archive with the web plug-in.
     3. Click Add.
     4. Wait for the installation to complete and click OK in the information window.

The new plug-in is displayed in the list of installed web plug-ins (Settings → Web Plug-ins).

If you select a language that is not included in Kaspersky Embedded Systems Security distribution package in the properties of Kaspersky Security Center Administration Server, the License Agreement and the entire Kaspersky Security Center Web Console interface will be displayed in English.

Page top

[Topic 263912]

Installing the Kaspersky Embedded Systems Security MMC plug-in

The Kaspersky Embedded Systems Security administration MMC plug-in must be installed on the same client device where the Kaspersky Security Center Administration Console is installed.

Before installing the Kaspersky Embedded Systems Security administration MMC plug-in, make sure that Kaspersky Security Center and Redist C++ 2015 (Microsoft Visual C++ 2015 Redistributable) are installed.

To install the MMC plug-in,

on the device where the Kaspersky Security Center Administration Console is installed, run the executable file klcfginst.msi.

The file is included in the Kaspersky Embedded Systems Security distribution kit.

After installation, the administration MMC plug-in is displayed in the list of installed administration MMC plug-ins in the properties of the Kaspersky Security Center Administration Server.

To view the list of installed management MMC plug-ins:

1. In the Kaspersky Security Center Administration Console tree, select the Administration Server <server name> node and open the Administration Server properties window in one of the following ways:
   • using the Properties item in the Administration Server <server name> node context menu;
   • by clicking the Administration Server properties link located in the workspace of the Administration Server <server name> node in the Administration Server section.
2. In the list on the left, in the Advanced section, select the Information about the installed application administration plug-ins section.

   In the right part of the window, the list of installed management plug-ins displays the administration MMC plug-in for Kaspersky Embedded Systems Security: Kaspersky Embedded Systems Security <version number> for Linux.

Page top

[Topic 263904]

Installing and initially configuring the application using Kaspersky Security Center

You can install Kaspersky Embedded Systems Security on a client device remotely from the administrator's workstation using the Kaspersky Security Center Web Console or the Administration Console.

Installation using Kaspersky Security Center involves the following steps:

1. Creating an installation package.

   For the remote installation, Kaspersky Embedded Systems Security installation package is used. The Kaspersky Embedded Systems Security installation package is the same for all supported operating systems and processor architecture types. You can create the installation package using the Kaspersky Security Center Web Console or the Administration Console.

   You can specify the initial configuration settings using the autoinstall.ini configuration file included in the installation package, or in the properties of the installation package (this method is available only in the Web Console).

   You can add the following to the installation package that you are creating:

   • License key for automatic activation of the application during installation
   • Pre-downloaded application databases to avoid having to update the databases after installation

   You can also activate the application and update the databases as part of the getting started procedure

2. Deploying the Kaspersky Embedded Systems Security application on devices in the corporate network.

   Kaspersky Security Center Web Console supports the following main deployment methods:

   • Installing the application using the Protection Deployment Wizard.
   • Installing the application using the remote installation task.

   The Kaspersky Security Center Administration Console supports the following main deployment methods:

   • Installing the application using the Remote Installation Wizard.
   • Installing the application using the remote installation task.

   For a description of the deployment procedures, see the Kaspersky Security Center Help.

   If necessary, you can view the application remote installation log by using remote diagnostics of the Kaspersky Security Center client device.

3. Getting started.

   Before using the application, you need to complete the initial configuration of the application and prepare the application for operation.

   If initial configuration of the application has not been completed on a device, you cannot use or update the application on that device.

To use Kaspersky Security Center to manage Kaspersky Embedded Systems Security installed on client devices, you need to put these devices in

. Before starting Kaspersky Embedded Systems Security installation, you can create Kaspersky Security Center administration groups to which you want to move the devices with the application installed, and configure the rules to automatically move the devices to these administration groups. If rules for moving devices to the administration groups are not configured, Kaspersky Security Center moves all the devices that have the Administration Agent installed and are connected to Administration Server to the Unassigned devices list. In this case, you need to manually move computers to the administration groups (refer to the Kaspersky Security Center Help for details).

In this section Creating an installation package in the Web Console Creating an installation package in the Administration Console Preparing an archive with application databases in order to create an installation package with integrated databases Autoinstall.ini configuration file settings Getting started using Kaspersky Security Center

Page top

[Topic 273175]

Creating an installation package in the Web Console

In Kaspersky Security Center Web Console, you can create an installation package in one of the following ways:

• From an archive file that you have prepared previously.
• From a distribution kit hosted on Kaspersky servers.

To prepare an archive for creating an installation package:

1. Download the kess.zip archive from the application download page. It is located in the Kaspersky Embedded Systems Security for Linux -> Additional distribution → Files for Product remote installation section.
2. Unpack the kess.zip archive to a folder accessible to Kaspersky Security Center Administration Server. Place the distribution files, that correspond to the type of operating system where you want to install the application and the type of its package manager, to the same folder:
   • To install Kaspersky Embedded Systems Security:
     • kess-3.4.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
     • kess_3.4.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
     • kess_3.4.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
     • kess_3.4.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)
   • To install the graphical user interface of the application:
     • kess-gui-3.4.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
     • kess-gui-3.4.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
     • kess-gui-3.4.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
     • kess-gui-3.4.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)

     If you do not want to install the graphical user interface, do not add these files to the folder; this will make the installation package smaller.

   If you do not plan to use the graphical interface, disable it by editing the appropriate setting (USE_GUI=No) in the properties of the created installation package or in the autoinstall.ini configuration file. Otherwise, the installation will fail.

   If you want to use the created installation package with different operating systems or package managers, place the files for all the types of operating systems and package managers that you need in the directory.

3. If you want to use offline application databases downloaded in advance:
   1. Place prepared archives with databases for all your operating system types into the folder.
   2. In initial configuration settings, disable the database update task after installing the application. You can configure the corresponding parameter in the properties of the created installation package or in the autoinstall.ini configuration file (UPDATE_EXECUTE=no). The autoinstall.ini file is located in the directory where you extracted the kess.zip archive.
4. If you want to perform the initial configuration of the application using a configuration file, open the autoinstall.ini configuration file and edit it as necessary.

   You can also perform the initial configuration of the application later in the properties of the created installation package on the Settings tab.

5. Place all prepared files in an archive in ZIP, CAB, TAR, or TAR.GZ format with any name.

To create an installation package for Kaspersky Embedded Systems Security in Kaspersky Security Center Web Console:

1. In the main Web Console window, select one of the following sections:
   • Device discovery and deployment → Deployment and assignment → Installation packages.
   • Operations → Repositories → Installation packages.

   A list of installation packages available on the Administration Server opens.

2. Click Add.

   The wizard for creating an installation package will start. Follow the instructions of the Wizard.

3. On the first page of the wizard, select the method for creating an installation package:
   • Create an installation package from a file. The installation package will be created from an archive that you have prepared in advance.
   • Create the installation package for a Kaspersky application. The installation package will be created from a distribution package located on Kaspersky servers.

   Kaspersky Security Center Cloud Console does not allow creation of installation packages from a file.

4. Depending on the selected package creation method:
   • Specify the package name, click the Browse button, and specify the path to the archive that you have prepared for creating the installation package.
   • Select Kaspersky Embedded Systems Security distribution package. In the window on the right, read the information about the distribution package and click the Download and create installation package button. The installation package creation process starts.
5. When prompted by the Wizard, read the License Agreement between you and Kaspersky and the Privacy Policy that describes the processing and transmission of data. To continue creating the installation package, you must confirm that you have read and accept the full terms of the End User License Agreement and the Privacy Policy.
6. Complete the wizard.

   The installation package will be created and added to the list of installation packages. Using the installation package, you can install the application on devices in the corporate network or update the application version.

7. If necessary, edit initial configuration settings (see the table below). To do this, open the properties of the installation package and go to Settings tab.

   Initial configuration settings

   Section	Description
   Specify the locale.	Select this check box if you want to specify the locale to be used by the application. In the displayed field, enter the locale in the RFC 3066 format. If this setting is not specified, the default locale is used.
   Activate the application	Select this check box if you want to activate the application during installation. In the displayed field, enter the activation code. You can also activate the application after installation.
   Select the update source.	Select the update source for databases and application modules: Kaspersky update servers. Kaspersky Security Center. Other source in the local or global network. If you select this option, enter the address of the update source in the field that opens.
   Run the database update task after installation.	Select this check box if you want to run the databases and application modules update task after installing the application.
   Specify the proxy server settings.	Select this check box if you use a proxy server for internet access. In the displayed field, enter the proxy server address in one of the following formats: <connection protocol>://<IP address of the proxy server>:<port number> if the proxy server connection does not require authentication <connection protocol>://<user name>:<password>@<IP address of the proxy server>:<port number> if the proxy server connection requires authentication Connecting to a proxy server over HTTPS is not supported.
   Install kernel source	Select this check box to automatically start of kernel module compilation.
   Use the graphical user interface.	Select this check box if you plan to install the graphical user interface of the application (the files for installing the graphical interface are included in the installation package).
   Specify a user with the admin role	Select the check box to specify the user to be assigned the administrator (admin) role. In the displayed field, enter the user name.
   Configure SELinux automatically	Select the check box to automatically configure SELinux to work with Kaspersky Embedded Systems Security.
   Remove users from privileged groups	Select this check box to remove users from the 'kessadmin' and 'kessaudit' privileged groups before installing the application. If the check box is selected and the 'nogroup' group does not exist, the installation fails and you are prompted to manually remove users from privileged groups.
   Disable protection components and scan tasks when the application is started for the first time after installation.	Select this check box if, after completing the installation process, you want to run the application with protection components and scan tasks disabled. An installation with protection components disabled can be convenient, for example, in order to reproduce a problem in the operation of the application and create a trace file. If you enable the necessary components and tasks, the enabled components and tasks will continue to work after the application is restarted.

Page top

[Topic 273064]

Creating an installation package in the Administration Console

Before creating an installation package for Kaspersky Embedded Systems Security, you need to prepare the files to be included in the package.

To prepare files for creating an installation package:

1. Download the kess.zip archive from the application download page. It is located in the Kaspersky Embedded Systems Security for Linux -> Additional distribution → Files for Product remote installation section.
2. Unpack the kess.zip archive to a folder accessible to Kaspersky Security Center Administration Server. Place the distribution files, that correspond to the type of operating system where you want to install the application and the type of its package manager, to the same folder:
   • To install Kaspersky Embedded Systems Security:
     • kess-3.4.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
     • kess_3.4.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
     • kess_3.4.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
     • kess_3.4.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)
   • To install the graphical user interface of the application:
     • kess-gui-3.4.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
     • kess-gui-3.4.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
     • kess-gui-3.4.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
     • kess-gui-3.4.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)

     If you do not want to install the graphical user interface, do not add these files to the folder; this will make the installation package smaller.

   If you do not plan to install the graphical interface, you need to opt out by setting USE_GUI=No in the autoinstall.ini configuration file. Otherwise, the installation will fail.

   If you want to use the created installation package with different operating systems or package managers, place the files for all the types of operating systems and package managers that you need in the directory.

3. If you want to use offline application databases downloaded in advance:
   1. Place prepared archives with databases for all your operating system types into the folder.
   2. In initial configuration settings, disable the database update task after installing the application. To do this, open the autoinstall.ini configuration file and set UPDATE_EXECUTE=no. The autoinstall.ini file is located in the directory where you extracted the kess.zip archive.

   If you want to prepare the initial configuration settings of the application, open the autoinstall.ini configuration file and edit it as necessary.

To create an installation package for Kaspersky Embedded Systems Security in the Administration Console of Kaspersky Security Center:

1. In the console tree, select Additional → Remote installation → Installation packages.
2. Click the Create installation package button.

   The wizard for creating an installation package will start.

3. In the wizard window that opens, click the Create installation package for a Kaspersky application button.
4. Enter the name of the new installation package and proceed to the next step.
5. Select Kaspersky Embedded Systems Security distribution package. To do this, open a standard Windows browsing window using the Browse button and specify the path to the kess.kud file. The file is located in the directory where you extracted the kess.zip archive.

   The application name is displayed in the window.

   Proceed to the next step.

6. Read the License Agreement between you and Kaspersky and the Privacy Policy that describes the processing and transmission of data.

   To continue creating the installation package, you must confirm that you have read and accept the full terms of the End User License Agreement and the Privacy Policy. To confirm, in the window that opens, select both check boxes.

   Proceed to the next step.

7. The wizard downloads the files required to install the application to Kaspersky Security Center Administration Server. Wait for the download to finish.
8. Complete the wizard.

The created installation package is located in the tree of the Administration Console of Kaspersky Security Center in the Additional → Remote installation → Installation packages folder. You can use the same installation package many times.

Page top

[Topic 266691]

Preparing an archive with application databases in order to create an installation package with integrated databases

You can create an installation package for remote installation and include pre-downloaded application databases in it. This may be useful, for example, if you are installing the application on a device with the Astra Linux Special Edition operating system. If you are using an installation package with integrated databases, the application is installed with the databases already functional; in this case, you do not need to update the databases immediately after installation.

To create an archive with databases for installing the application:

1. Install and perform the initial configuration of Kaspersky Embedded Systems Security on the device using the command line or using Kaspersky Security Center.
2. Update the application databases. You can update the databases during the initial configuration of the application or after installation by running a task of an Update type in the command line or an Update task in the Kaspersky Security Center Administration Console or the Kaspersky Security Center Web Console.
3. Copy the contents of the /var/opt/kaspersky/kess/private/updates/ directory to one of the following subdirectories, depending on the architecture of the operating system for which you are creating the installation package with integrated databases: /i386/ or /x86_64/.
4. Place the directories with the databases into a kess-bases.tgz archive, preserving the structure of nested directories. You can place only one subdirectory with databases for the required architecture of the operating system in the archive, or if you plan to create an installation package for installation on several operating systems with different architectures, you can place all the subdirectories with databases (/i386/ or /x86_64/) into a single archive for different architectures.
5. You can use the created archive with application databases when creating an installation package in the Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console.

Page top

[Topic 197593]

Autoinstall.ini configuration file settings

In the autoinstall.ini configuration file, you can specify the settings shown in the table below. The set of applicable settings depends on the application usage mode.

Autoinstall.ini configuration file settings

If you want to change the settings in the autoinstall.ini configuration file, specify the values of settings in the following format: <setting_name>=<setting_value> (the application does not process spaces between the name of a setting and its value).

Page top

[Topic 197573]

Getting started using Kaspersky Security Center

After deploying Kaspersky Embedded Systems Security through Kaspersky Security Center, you must prepare the application for operation. To do so:

1. Activate the application if activation was not performed using the key added to the installation package of the application.

   You can create and execute an activation task using the Administration Console or Kaspersky Security Center Web Console, as well as distribute the license key from the Kaspersky Security Center key storage to the devices.

2. Update the databases and application modules if you did not add pre-downloaded application databases to the installation package of the application. You can use the Update task, which is created automatically by the initial configuration wizard of Kaspersky Security Center after installing the administration MMC plug-in or the Kaspersky Embedded Systems Security administration web plug-in.

   Kaspersky Embedded Systems Security protects the device only after the application databases are updated.

3. Configure a
   policy

   A policy determines the application settings and manages the access to configuration of an application installed on devices within an administration group. An individual policy must be created for each application. You can create an unlimited number of various policies for applications installed on the devices in each administration group, but only one policy can be applied to each application at a time within an administration group.

   for centralized management of the application using Kaspersky Security Center Administration Console or Web Console. You can use a policy that is created automatically by the initial configuration wizard of Kaspersky Security Center after installing the administration MMC plug-in or the Kaspersky Embedded Systems Security administration web plug-in.

   You can also configure the application management tasks using the Administration Console or the Web Console.

Page top

[Topic 263905]

Installing and initially configuring the application using the command line

You can install the Kaspersky Embedded Systems Security application on a client device using the command line.

Installation using the command line involves the following steps:

1. Installing the application and the graphical interface of the application. You can choose one of the following installation options:
   • Install the application with the graphical interface.
   • Install the application without the graphical interface.
   • Install the graphical interface on the device where the application is installed.

     It is not possible to install the graphical interface on a device on which the application is not installed.

   If the version of the apt package manager is lower than 1.1.X, use the dpkg/rpm package manager (depending on the operating system) for installation.

2. Initial configuration of the application

   The application needs initial configuration to prepare it for operation and enable the protection of the client device.

   If initial configuration of the application has not been completed on a device, you cannot use or update the application on that device.

   Initial configuration of the application is performed by running the special initial configuration script from the distribution kit of Kaspersky Embedded Systems Security. You can perform the initial configuration of the application in interactive mode or in automatic mode.

In this section Installing the application using the command line Post-installation configuration of the application in interactive mode Post-installation configuration of the application in automatic mode Settings in the configuration file for post-installation configuration

Page top

[Topic 233694]

Installing the application using the command line

Installing the application without the graphical interface.

To install Kaspersky Embedded Systems Security from an RPM package on a 32-bit operating system, execute the following command:

# rpm -i kess-3.4.0-<build number>.i386.rpm

To install Kaspersky Embedded Systems Security from an RPM package on a 64-bit operating system, execute the following command:

# rpm -i kess-3.4.0-<build number>.x86_64.rpm

To install Kaspersky Embedded Systems Security from a DEB package on a 32-bit operating system, execute the following command:

# apt-get install ./kess_3.4.0-<build number>_i386.deb

To install Kaspersky Embedded Systems Security from a DEB package on a 64-bit operating system, execute the following command:

# apt-get install ./kess_3.4.0-<build number>_amd64.deb

Installing the graphical interface of the application

To install the graphical interface from the RPM package to a 32-bit operating system, execute the following command:

# rpm -i kess-gui-3.4.0-<build number>.i386.rpm

To install the graphical interface from the RPM package to a 32-bit operating system, execute the following command:

# rpm -i kess-gui-3.4.0-<build number>.x86_64.rpm

To install the graphical interface from the DEB package to a 32-bit operating system, execute the following command:

# apt-get install ./kess-gui_3.4.0-<build number>_i386.deb

To install the graphical interface from the DEB package to a 64-bit operating system, execute the following command:

# apt-get install ./kess-gui_3.4.0-<build number>_amd64.deb

Page top

[Topic 197897]

Post-installation configuration of the application in interactive mode

To perform initial configuration of the application in interactive mode, you need to run the initial configuration script of the Kaspersky Embedded Systems Security application.

You must run the initial configuration script as root.

To run the initial configuration script, execute the following command:

# /opt/kaspersky/kess/bin/kess-setup.pl

The script requests the values of Kaspersky Embedded Systems Security settings step-by-step. The script finishing and the console being released indicate that the post-installation configuration is completed.

To check the return code, execute the following command:

echo $?

If the command returns code 0, the initial configuration of the application has finished successfully.

Kaspersky Embedded Systems Security can protect the device only after the application databases are updated.

In this section Selecting the locale Viewing the End User License Agreement and the Privacy Policy Accepting the End User License Agreement Accepting the Privacy Policy Using Kaspersky Security Network Removing users from privileged groups Assigning the Administrator role to a user Determining the file operation interceptor type Enabling automatic configuration of SELinux Configuring the update source Configuring proxy server settings Starting an application database update Enabling automatic application database update Application activation

Page top

[Topic 197898]

Selecting the locale

At this step, the application displays the list of supported locale identifiers in RFC 3066 format.

Specify the locale in the format as identified in this list. This locale will be used for application events sent to Kaspersky Security Center, as well as for the texts of the License Agreement, Privacy Policy, and Kaspersky Security Network Statement.

The locale of the graphical interface and the application command line depends on the value of the LANG environment variable. If the locale that is not supported by Kaspersky Embedded Systems Security is specified as the value of the LANG environment variable, the graphical interface and the command line are displayed in English.

Page top

[Topic 199016]

Viewing the End User License Agreement and the Privacy Policy

At this step, read the End User License Agreement concluded between you and Kaspersky, and the Privacy Policy describing the handling and transmission of data.

Page top

[Topic 197899]

Accepting the End User License Agreement

At this step, you must either accept or decline the terms of the End User License Agreement.

After exiting viewing mode, enter one of the following values:

• yes (or y), if you accept the terms of the End User License Agreement.
• no (or n), if you do not accept the terms of the End User License Agreement.

If you did not accept the terms and conditions of the End User License Agreement, the Kaspersky Embedded Systems Security setup process is aborted.

Page top

[Topic 197900]

Accepting the Privacy Policy

At this step, you must either accept or decline the terms of the Privacy Policy.

After exiting viewing mode, enter one of the following values:

• yes (or y), if you accept the terms of the Privacy Policy.
• no (or n), if you do not accept the terms of the Privacy Policy.

If you did not accept the terms and conditions of the Privacy Policy, the Kaspersky Embedded Systems Security setup process is aborted.

Page top

[Topic 197266]

Using Kaspersky Security Network

At this step, you must either accept or decline the terms of use of the Kaspersky Security Network Statement. The file ksn_license.<language ID> containing the text of the Kaspersky Security Network Statement is located in the directory /opt/kaspersky/kess/doc/.

Enter one of the following values:

• yes (or y), if you accept the terms of the Kaspersky Security Network Statement. This enables the extended KSN mode.
• no (or n), if you do not accept the terms of the Kaspersky Security Network Statement.

Refusal to participate in Kaspersky Security Network does not interrupt the initial configuration of Kaspersky Embedded Systems Security. You can enable, disable, or change the Kaspersky Security Network mode at any time.

If Kaspersky Security Network is enabled, the cloud mode is automatically enabled, in which Kaspersky Embedded Systems Security uses the lightweight version of malware databases.

Page top

[Topic 93536]

Removing users from privileged groups

This step is displayed only if users are detected in the kessadmin group and/or in the kessaudit group.

At this step, specify whether or not to remove users from the kessadmin and kessaudit privileged groups. Users included in the kessadmin and kessaudit groups get privileged access to the application's functions.

Enter yes to remove all detected users from the kessadmin and/or kessaudit group. Users whose primary group is kessadmin or kessaudit are moved to the nogroup group. If there is no nogroup group, the installation will fail and you will be prompted to manually remove users from privileged groups.

Enter no if you do not want the application to remove users from the privileged groups.

Page top

[Topic 206406]

Assigning the Administrator role to a user

At this step, you can grant the administrator (admin) role to the user.

Enter the name of the user to whom you want to grant the administrator role.

You can grant the administrator role to the user later at any time.

Page top

[Topic 197903]

Determining the file operation interceptor type

At this step, the file operation interceptor type for the utilized operating system is determined. For operating systems that do not support fanotify technology, kernel module compilation will begin.

If all the required packages are available, the kernel module will be automatically compiled when the File Threat Protection task starts.

If, during the compilation of the kernel module, any dependencies are not found on the device, the Kaspersky Embedded Systems Security application suggests installing the relevant packages. If the package download fails, an error message will be displayed.

Page top

[Topic 237159]

Enabling automatic configuration of SELinux

This step is displayed only if SELinux is installed on your operating system.

At this step, you can enable automatic configuration of SELinux for working with Kaspersky Embedded Systems Security.

Enter yes to enable automatic configuration of SELinux. If SELinux cannot be configured automatically, the application displays an error message and prompts the user to configure SELinux manually.

Enter no if you do not want the application to automatically configure SELinux.

By default, the application suggests yes.

If necessary, you can manually configure SELinux to work with the application later, after completing the post-installation configuration of Kaspersky Embedded Systems Security.

Page top

[Topic 197626]

Configuring the update source

At this step, you must specify the update source for databases and application modules. The application databases contain descriptions of the threat signatures and methods of countering them. The application uses these records when searching and neutralizing threats. Kaspersky virus analysts regularly add new records about threats.

Enter one of the following values:

• KLServers: the application receives updates from one of the Kaspersky update servers.
• SCServer: the application downloads updates to the protected device from Kaspersky Security Center Administration Server installed in your organization. You can select this update source if you use Kaspersky Security Center for centralized administration of device protection in your organization.
• <URL>: the application downloads updates from a custom source. You can specify the address of the custom source of updates in the local area network or on the Internet.
• <path> – the application receives updates from the specified directory.

Page top

[Topic 197275]

Configuring proxy server settings

At this step, you must specify the proxy server settings if you are using a proxy server to access the Internet. Internet connection is required to download the application databases from the update servers.

To configure proxy server settings, perform one of the following actions:

• If you use a proxy server to connect to the Internet, specify the address of the proxy server using one of the following formats:
  • <connection protocol>://<IP address of the proxy server>:<port number> if the proxy server connection does not require authentication
  • <connection protocol>://<user name>:<password>@<IP address of the proxy server>:<port number> if the proxy server connection requires authentication

    Connecting to a proxy server over HTTPS is not supported.

    When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.

• If you do not use a proxy server to connect to the Internet, enter no as your answer.

By default, the application suggests no.

You can configure the proxy server settings later, without using the post-installation configuration script.

Page top

[Topic 197635]

Starting an application database update

At this step, you can run the application database update task on the client device.

If you do not want to start to download the application databases, enter no.

If you want to start the database update task on the device, enter yes.

By default, the application suggests yes.

If yes is selected, the application will be automatically restarted after the databases are updated.

Kaspersky Embedded Systems Security protects the device only after the application databases are updated.

You can start the Update task later without using the initial configuration script.

Page top

[Topic 197256]

Enabling automatic application database update

At this step, you can enable automatic update of the application databases.

Enter yes to enable automatic application database update. By default, the application checks for available database updates every 60 minutes. If updates are available, the application downloads the updated databases.

Enter no if you do not want the application to automatically update the databases.

You can enable automatic database update later without using the post-installation configuration by configuring the update task schedule.

Page top

[Topic 197616]

Application activation

At this step, you can activate the application using an activation code or a key file.

To activate the application using an activation code, enter the activation code.

To activate the application using a key file, specify the full path to the key file.

If no activation code or key file is specified, the application is activated using a trial key for one month.

You can activate the application later without using the initial configuration script.

Page top

[Topic 197909]

Post-installation configuration of the application in automatic mode

To perform the initial configuration of the application in automatic mode:

1. Prepare a configuration file that contains the initial configuration settings. You can create this file or copy the necessary structure from the autoinstall.ini configuration file used for remote installation of the application using Kaspersky Security Center.
2. Pass the path to the configuration file to the initial configuration script of the Kaspersky Embedded Systems Security application.

   You must run the initial configuration script as root.

To start the post-installation configuration of the application in automatic mode, run the following command:

# /opt/kaspersky/kess/bin/kess-setup.pl --autoinstall=<post-installation configuration file>

where <initial configuration file> is the path to the configuration file that contains the initial configuration settings.

When the post-installation configuration script is finished and releases the console, the post-installation configuration of the application is complete.

To check the return code, execute the following command:

echo $?

If the command returns code 0, the initial configuration of the application has finished successfully.

Kaspersky Embedded Systems Security can protect the device only after the application databases are updated.

To correctly update application modules after the script has finished, you may need to restart the application. Check the status of updates for the application using the kess-control --app-info command.

Page top

[Topic 197289]

Settings in the configuration file for post-installation configuration

In the post-installation configuration file, you can specify the settings shown in the table below. The set of applicable settings depends on the application usage mode.

Settings in the configuration file for post-installation configuration

If you want to change the settings in the configuration file for initial setup of the application, specify the values of settings in the following format: <setting_name>=<setting_value> (the application does not process spaces between the name of a setting and its value).

Page top

[Topic 263929]

Configuring permissions in the SELinux system

If SELinux could not be configured automatically during the post-installation configuration of the application, or if you declined automatic configuration, you can manually configure SELinux to work with Kaspersky Embedded Systems Security.

To manually configure SELinux to work with the application:

1. Switch SELinux to permissive mode:
   • If SELinux has been activated, run the following command:

     # setenforce Permissive

   • If SELinux was disabled, set the SELINUX=permissive setting in the configuration file / etc / selinux / config and restart the operating system.
2. Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python or policycoreutils-python-utils package, depending on the package manager.
3. If you are using a custom SELinux policy instead of the default targeted policy, assign a label to each source executable file of Kaspersky Embedded Systems Security in accordance with the SELinux policy being used; to do so, run the following commands:

   # semanage fcontext -a -t bin_t <executable file>

   # restorecon -v <executable file>

   where <executable file> is:

   • /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/libexec/kess
   • /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/bin/kess-control
   • /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/libexec/kess-gui
   • /var/opt/kaspersky/kess/3.4.0.<build number>_<installation timestamp>/opt/kaspersky/kess/shared/kess
4. Run the following tasks:
   • File Threat Protection task:

     kess-control --start-task 1

   • Critical Areas Scan task:

     kess-control --start-task 4 -W

   It is recommended to run all the tasks that you plan to run while using Kaspersky Embedded Systems Security.

5. Start the graphical user interface if you plan to use it.
6. Ensure that there are no errors in the audit.log file:

   # grep kess /var/log/audit/audit.log

7. If there are errors in the audit.log file, create and download a new rule module based on the blocking records in order to fix the errors, and then relaunch all the tasks that you plan to run while using Kaspersky Embedded Systems Security; to do so, run the following commands:

   # grep kess /var/log/audit/audit.log | audit2allow -M kess

   # semodule -i kess.pp

   If new audit messages related to Kaspersky Embedded Systems Security appear, the file with the rule module file must be updated.

8. Switch SELinux to blocking mode:

   # setenforce Enforcing

If you use a custom SELinux policy, manually assign a label to Kaspersky Embedded Systems Security source executable files after installing application updates (follow steps 1, 3–8).

For additional information, please refer to the documentation on the relevant operating system.

Page top

[Topic 263928]

Running the application on Astra Linux OS in closed software environment mode

This section describes how to start the application in the Astra Linux Special Edition operating system.

For Astra Linux Special Edition (operational update 1.7) and Astra Linux Special Edition (operational update 1.8)

To start the application on the Astra Linux Special Edition operating system (update 1.7 or 1.8):

1. Specify the following setting in the /etc/digsig/digsig_initramfs.conf file:

   DIGSIG_ELF_MODE=1

2. Install the compatibility package:

   apt install astra-digsig-oldkeys

3. Create a directory for the application key:

   mkdir -p /etc/digsig/keys/legacy/kaspersky/

4. Locate the application key (/opt/kaspersky/kess/shared/kaspersky_astra_pub_key.gpg) in the directory created at the previous step:

   cp kaspersky_astra_pub_key.gpg /etc/digsig/keys/legacy/kaspersky/

5. Update the initramfs image:

   update-initramfs -u -k all

The application graphical user interface can be used during mandatory access control sessions.

Page top

[Topic 263930]

Updating the application from a previous version

You can update Kaspersky Embedded Systems Security 3.3 for Linux to Kaspersky Embedded Systems Security 3.4 for Linux.

You need to prepare for installation before updating Kaspersky Embedded Systems Security.

The application update procedure involves the following steps:

1. Updating the Kaspersky Security Center Network Agent

   If you are managing Kaspersky Embedded Systems Security using Kaspersky Security Center, you must update the Network Agent on the protected devices. The update is performed by installing a new version of Network Agent.

   If the Network Agent is not updated, the application cannot be managed using Kaspersky Security Center.

   On a device running the Astra Linux Special Edition operating system, we recommend to update Network Agent remotely using Kaspersky Security Center, since updating using the command line in the Kaspersky Security Center administration console creates a new copy of the same managed device, and the old one becomes inaccessible.

   The application continues working correctly during the Network Agent update.

2. Updating the Kaspersky Embedded Systems Security management plug-in

   If you are managing Kaspersky Embedded Systems Security using Kaspersky Security Center, you must update the Kaspersky Embedded Systems Security administration web plug-in or MMC plug-in, depending on the console that you are using to manage Kaspersky Security Center.

3. Updating the application and graphical user interface on protected devices

   You must update the application installed on protected devices. If you are using the application GUI, you also need to update the GUI.

   You can update the application and the application's graphical user interface in the following ways:

   • Remotely using Kaspersky Security Center.
   • Locally from the command line.

If an error occurs while updating the application, the update is rolled back and the previous version of the application is started. In this case, an error message will be displayed, but the package manager (rpm/dpkg) will indicate the new version.

Even if Kaspersky Embedded Systems Security is launched before the update process start, if the update is completed successfully, a new application version is launched.

When you update the application to a newer version, the dump files of the previous version are deleted.

After updating the application, it is recommended to run the database update task.

In this Help section About updating Kaspersky Embedded Systems Security management plug-ins Updating the application using Kaspersky Security Center Updating the application using the command line Special considerations when setting parameter values when updating the application

Page top

[Topic 264103]

About updating Kaspersky Embedded Systems Security management plug-ins

The management plug-in for Kaspersky Embedded Systems Security is updated by installing the new version of the management plug-in. Depending on the Kaspersky Security Center administration console that you use, you have to install:

• Kaspersky Embedded Systems Security administration web plug-in
• Kaspersky Embedded Systems Security administration MMC plug-in

Policies and tasks configured for Kaspersky Embedded Systems Security 3.3 for Linux are not compatible with the updated version of the application. If you use the Kaspersky Security Center Administration Console to manage the application, then after updating the administration MMC plug-in, you can convert policies and tasks using the Kaspersky Security Center Policies and Tasks Batch Conversion Wizard (see more details in the Kaspersky Security Center Help).

The converted policies and tasks have names "<Original policy/task name> (converted)".

For most settings, converted policies and tasks use the values configured for the previous version of the application. Some settings are assigned special values. The settings that were not configured in the policies and tasks of the previous version take default values in the converted policies and tasks.

The procedure for converting policies and tasks is not available in Kaspersky Security Center Web Console. If you use the Web Console to manage the application, you must create new policies and tasks for the application in Kaspersky Security Center. You can migrate some values of settings of policies and tasks from a previous version of a policy or task to a new one by exporting and importing settings.

Management plug-ins of the previous version continue to work after installing the new version of Kaspersky Embedded Systems Security management plug-ins. You can use them to manage the previous version of Kaspersky Embedded Systems Security.

If you have updated the application on all client devices, you can uninstall the Kaspersky Embedded Systems Security management plug-ins of the previous version.

Page top

[Topic 197756]

Updating the application using Kaspersky Security Center

The application and graphical user interface are updated by remotely installing the new version of the application packages and graphical user interface on the protected device.

Updating using Kaspersky Security Center involves the following steps:

1. Creating an installation package.

   For the remote installation, Kaspersky Embedded Systems Security installation package is used. You can create the installation package using the Kaspersky Security Center Web Console or the Administration Console.

2. Deploying the Kaspersky Embedded Systems Security application on devices in the corporate network.

   Kaspersky Security Center Web Console supports the following main deployment methods:

   • Installing the application using the Protection Deployment Wizard.
   • Installing the application using the remote installation task.

   The Kaspersky Security Center Administration Console supports the following main deployment methods:

   • Installing the application using the Remote Installation Wizard.
   • Installing the application using the remote installation task.

   For a description of the deployment procedures, see the Kaspersky Security Center Help.

Page top

[Topic 197396]

Updating the application using the command line

Updating the application using the command line is performed by installing a new version of the application on the device from an RPM or DEB format package depending on the type of package manager.

If the conditions of the End User License Agreement and/or the Privacy Policy have changed in the new version of the application, you must accept the new conditions during the update. Read the new version of the End User License Agreement and/or the Privacy Policy:

• The new version of the End User License Agreement is located in the (~/.kess/<application version>/license.<language ID>) directory.
• The new version of the Privacy Policy is located in the (~/.kess/<application version>/license.<language ID>) directory.

If you do not accept the conditions of the End User License Agreement and/or the Privacy Policy, the application will not be updated.

If the terms of the Kaspersky Security Network Statement changed in the new version of the application, you need to accept or decline the new terms of use for participating in Kaspersky Security Network. Read the new version of the document located in the (~/.kess/<application version>/ksn_license.<language ID>) directory. Refusing to use Kaspersky Security Network will not halt the Kaspersky Embedded Systems Security update process. You can enable, disable, or change Kaspersky Security Network mode later.

If you used KSN and accepted the conditions of the Kaspersky Security Network Statement in a previous version of the application, you need to accept the conditions of the Kaspersky Security Network Statement when updating the application. Otherwise, use of KSN will be disabled.

To accept the terms of the new agreements during the upgrade, use the variables KESS_EULA_AGREED=yes, KESS_PRIVACY_POLICY_AGREED=yes, and KESS_USE_KSN=yes/no.

To update the application:

1. Install the application package using the following command, depending on the package manager. If you have the graphical user interface of the previous version of the application installed, then you also need to start the package containing the files of the graphical user interface.
   • for an RPM package.

     # [KESS_EULA_AGREED=yes] [KESS_PRIVACY_POLICY_AGREED=yes] [KESS_USE_KSN=yes/no] rpm -U --replacefiles --replacepkgs kess-3.4.0-<build number>.<arch>.rpm [kess-gui-3.4.0-<build number>.<arch>.rpm]

     where <arch> is the architecture type:

     • i386 – for 32-bit operating systems
     • x86_64 – for 64-bit operating systems

     On an operating system with a package manager of the RPM type, if the application package and the GUI package are both installed, we do not recommend updating only one of the packages without the other.

   • for a DEB package:

     # [KESS_EULA_AGREED=yes] [KESS_PRIVACY_POLICY_AGREED=yes] [KESS_USE_KSN=yes/no] apt-get install ./kess_3.4.0-<build number>_<arch>.deb [./kess-gui_3.4.0-<build number>_<arch>.deb]

     where <arch> is the architecture type:

     • i386 – for 32-bit operating systems
     • amd64 – for 64-bit operating systems

     On an operating system with a package manager of the dpkg type, if the application package and the GUI package are both installed, either of the packages cannot be updated without the other.

2. Kaspersky Embedded Systems Security restarts automatically.

If you use the command line to manage the application, then after upgrading, most application settings use the values configured for the previous version of the application. Some settings are assigned special values. Settings that were missing in the previous version of the application take on default values in the new version of the application.

Changes to the application settings made after the update is complete and before the application restarts are not saved.

Page top

[Topic 275634]

Special considerations when setting parameter values when updating the application

If you use Kaspersky Security Center Administration Console to manage the application, you can convert policies and tasks to use the values of policy and task settings configured for the previous version of the application (for more information, see the Kaspersky Security Center Help). The procedure for converting policies and tasks is not available in Kaspersky Security Center Web Console.

After updating the application using the command line, most settings carry over from the previous version of the application. You can also migrate application settings by exporting settings to a file and then importing them from that file.

Default values are assigned to settings that did not exist in the previous version of the application. Some settings are assigned special values.

Kaspersky Security Network settings

After converting a policy in the MMC plug-in, the Kaspersky Security Network settings in the policy properties depend on whether you accepted or rejected the terms of the Kaspersky Security Network Statement in the Policies and Tasks Batch Conversion Wizard:

• If you accepted the terms of the Statement, the Extended KSN mode option is selected.
• If you rejected the terms of the Statement, the Do not use KSN option is selected.

The conversion of policies is not supported by the web plug-in.

After upgrading the application on the command line, the UseKSN setting is set to No if when updating you set KESS_USE_KSN=No, and UseKSN=Extended is applied if you set KESS_USE_KSN=Yes. In other cases, the value of the UseKSN setting does not change after the update.

Cloud mode settings

After converting a policy in the MMC plug-in, the Enable cloud mode check box is cleared.

The conversion of policies is not supported by the web plug-in.

After updating the application on the command line, the CloudMode setting is set to No.

Container scan settings

If you had Container Scan tasks created and configured in the previous version of the application, after updating the application, these tasks are unavailable and are not displayed.

Page top

[Topic 263936]

Uninstalling the application

Uninstalling the Kaspersky Embedded Systems Security involves the following steps:

1. Uninstalling the application and graphical user interface of the application

   Uninstall the packages of the application and, if you are using the graphical user interface, the packages of the graphical user interface from the protected devices.

   You can uninstall both the application package and the graphical user interface package, or uninstall only the graphical user interface package. It is not possible to uninstall only the application package if the graphical user interface package is installed.

   You can uninstall the application and the application's graphical user interface in the following ways:

   • Remotely using Kaspersky Security Center.
   • Locally from the command line.

   While the application is being uninstalled, all Kaspersky Embedded Systems Security tasks will be stopped on the device.

2. Removing Network Agent

   If you were using Kaspersky Security Center to manage Kaspersky Embedded Systems Security, you must uninstall the Network Agent from protected devices.

   You can uninstall Network Agent in the following ways:

   • Remotely using Kaspersky Security Center.
   • Locally from the command line.
3. Installing the Kaspersky Embedded Systems Security management plug-in

   If you were using Kaspersky Security Center to manage Kaspersky Embedded Systems Security, you must uninstall the Kaspersky Embedded Systems Security administration web plug-in or MMC plug-in, depending on the console that you were using to manage Kaspersky Security Center.

After removing the application, all information saved by the application is deleted, except for the license database. Installed application certificates are also removed. The license database is saved, and you can use it to reinstall the application.

If the application was installed in a systemd, the systemd settings are restored to their initial state after the application uninstallation.

In this Help section Uninstalling the application and Network Agent using Kaspersky Security Center Uninstalling the application using the command line Network Agent removal using the command line Removing Kaspersky Embedded Systems Security management plug-ins

Page top

[Topic 197594]

Uninstalling the application and Network Agent using Kaspersky Security Center

You can remotely uninstall Kaspersky Embedded Systems Security and Network Agent from the client devices.

Uninstallation is performed using the remote uninstallation of applications task in Kaspersky Security Center Web Console or in the Administration Console. For more details, refer to the Kaspersky Security Center Help system.

If you want to remove only the graphical user interface without removing the application, specify the USE_GUI=No setting value in the autoinstall.ini configuration file and start the remote application installation task.

Uninstallation is performed in the background. After the application uninstallation finishes, you will be prompted to restart the client device.

Page top

[Topic 197596]

Uninstalling the application using the command line

Removing the application package and the graphical user interface package

To uninstall the application and the graphical user interface installed from the RPM packages, carry out the following command:

# rpm -e kess kess-gui

To uninstall the application and the graphical user interface installed from the DEB packages, carry out the following command:

# apt-get purge kess kess-gui

Uninstalling the application package without the graphical user interface package

To uninstall the application installed from the RPM package without removing the graphical user interface, carry out the following command:

# rpm -e kess

To uninstall the application installed from the DEB package without removing the graphical user interface, carry out the following command:

# apt-get purge kess

Removing the graphical user interface package

To remove the graphical user interface that was installed from the RPM package, execute the following command:

# rpm -e kess-gui

To remove the graphical user interface that was installed from the DEB package, execute the following command:

# apt-get purge kess-gui

After the uninstallation procedure is complete, a message about the results of the uninstallation is displayed.

Page top

[Topic 197234]

Network Agent removal using the command line

To uninstall the Network Agent installed on a 32-bit operating system from an RPM package, carry out the following command:

# rpm -e klnagent

To uninstall the Network Agent installed on a 64-bit operating system from an RPM package, carry out the following command:

# rpm -e klnagent64

To uninstall the Network Agent installed on a 32-bit operating system from a DEB package, carry out the following command:

# apt-get purge klnagent

To uninstall the Network Agent installed on a 64-bit operating system from a DEB package, carry out the following command:

# apt-get purge klnagent64

After the uninstallation procedure is complete, a message about the results of the uninstallation is displayed.

Page top

[Topic 197236]

Removing Kaspersky Embedded Systems Security management plug-ins

The Kaspersky Embedded Systems Security administration web plug-in is uninstalled in Kaspersky Security Center Web Console from the list of installed plug-ins (Settings → Web Plug-ins).

To remove the Kaspersky Embedded Systems Security administration MMC plug-in:

1. Close the Kaspersky Security Center Administration Console.
2. On the device where the Kaspersky Security Center Administration Console is installed, open the Windows registry editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\28\Plugins.

   This key contains information about all administration plug-ins installed in the Administration Console. The name of the managed application is in the DisplayName value.

3. Select the section corresponding to the relevant version of the Kaspersky Embedded Systems Security application plug-in.
4. Open and copy the UninstallString value.
5. Open the command prompt as administrator, paste the copied value and press Enter.

Page top

[Topic 289986]

Application licensing

This section contains information about the basic concepts associated with licensing Kaspersky applications, as well as information about the specifics of activating the Kaspersky Embedded Systems Security application.

After activating the application, we recommend monitoring the license validity period in order to renew the license in a timely manner when necessary. You can use Kaspersky Security Center or the command line on a protected device to view information about license keys used by Kaspersky Embedded Systems Security.

In this Help section About the End User License Agreement About the license About the license certificate About the license key About the activation code About the key file About subscription Application activation and license key management Viewing information about used license keys

Page top

[Topic 99599]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the application.

Read through the terms of the End User License Agreement carefully before you start using the application.

You can review the terms of the End User License Agreement for the Kaspersky Embedded Systems Security solution and the Privacy Policy, which describes the processing and transmission of data, in the following ways:

• By reading the text in the license.<language ID> file. This file is included in the application distribution kit.
• During Kaspersky Embedded Systems Security installation.

  By confirming your consent to the text of the End User License Agreement and Privacy Policy when creating the application installation package (if installed using Kaspersky Security Center) or during the initial application configuration (if installing using the command line), you accept the terms of the End User License Agreement and Privacy Policy If you do not accept the terms of the End User License Agreement or Privacy Policy, you must cancel the installation of the application and may not use the application.

• After installing the Kaspersky Embedded Systems Security.

  After the application is installed, the files containing the text of the Kaspersky Embedded Systems Security End User License Agreement and the Privacy Policy are located on the protected device in the /opt/kaspersky/kess/doc/license.<language ID> folder.

Page top

[Topic 69240]

About the license

License is a time-limited right to use Kaspersky Embedded Systems Security, granted under the End User License Agreement.

The list of available functions and the validity period of the application depend on the license under which the application is used.

The following license types are provided:

• Trial – a free license intended for trying out the application.

  Trial licenses have a short validity period. When the trial license expires, all Kaspersky Embedded Systems Security features become disabled. To continue using the application, you need to purchase a commercial license.

  You can use the application under a trial license for only one trial period.

• Commercial is a paid license.

  The main functions of the application stop working when a commercial license expires. To continue using Kaspersky Embedded Systems Security, you need to renew the commercial license. After the license expires, you can no longer use the application and must uninstall it from the device.

  It is recommended to renew the license before its expiration date to ensure continued protection of your device against security threats.

Page top

[Topic 73976]

About the license certificate

The License Certificate is a document provided together with the key file or activation code.

A license certificate contains the following information about the license provided:

• License key or order number
• Information about the license user
• Information about the application that can be activated under the provided license
• Restrictions on the number of licensing units (for example, devices on which the application can be used under the license)
• License validity start date
• License expiration date or validity period
• License type

Page top

[Topic 209867]

About the license key

The license key is a sequence of bits that can be used to activate the application for further usage in accordance with the terms of the End User License Agreement. License key is generated by Kaspersky experts.

You can add a license key to the application using one of the following methods: by applying a key file or by entering an activation code. After you add a key to the application, the license key is displayed in the application interface as a unique alphanumeric sequence.

The license key may be blocked by Kaspersky, if the terms of the End User License Agreement are violated. If the license key is blocked, add another license key for proper application operation.

A license key may be active or reserve.

Active license key is currently used to run the application. A license key for a trial or commercial license can be added as the active key. The application cannot have more than one active license key.

Reserve license key is a license key that entitles the user to use the application, but is not currently in use. The reserve license key automatically becomes active when the license associated with the current active license key expires. A reserve license key can be added only if an active license key is already added.

A trial license key can only be added as an active license key. A trial license key cannot be added as a reserve license key.

Page top

[Topic 69430]

About the activation code

An activation code is a unique sequence of twenty Latin letters and numbers. You have to enter an activation code in order to add a license key for activating Kaspersky Embedded Systems Security. You receive the activation code at the email address that you provided when you bought Kaspersky Embedded Systems Security or requested the trial version of Kaspersky Embedded Systems Security.

To activate the application with an activation code, you need Internet access in order to connect to Kaspersky activation servers.

If you lost your activation code after activating the application, contact the Kaspersky partner from whom you purchased the license.

Page top

[Topic 69431]

About the key file

A key file is a file with the .key extension that you receive from Kaspersky. Key files are intended to add a license key for activating the application.

You receive a key file at the email address that you provided when you bought Kaspersky Embedded Systems Security or ordered the trial version of Kaspersky Embedded Systems Security.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can restore a key file if it has been accidentally deleted. You may need a key file to register a Kaspersky CompanyAccount, for example.

To restore your key file, perform any of the following actions:

• Contact the license seller.
• Get the key file on the Kaspersky website when you have an activation code.

Page top

[Topic 201930]

About subscription

Subscription for Kaspersky Embedded Systems Security is a purchase order for the application with specific settings (subscription expiry date, number of devices protected). You can order a subscription for Kaspersky Embedded Systems Security from your service provider (such as your internet service provider). You can renew or cancel your subscription. You can manage your subscription on the website of the service provider.

Subscription can be limited (for one year, for example) or unlimited (without an expiry date). To continue using the application after the limited subscription expires, you need to renew your subscription. Unlimited subscription is renewed automatically if the vendor's services have been prepaid on time.

Upon a limited subscription's expiry, you may be offered a grace period to renew the subscription. During this period the application retains its functionality. The service provider decides whether or not to grant a grace period and, if so, determines the duration of the grace period.

The set of options for managing your subscription may vary depending on your service provider. The service provider might not provide a grace period for renewing the subscription where the application retains its functionality.

To use Kaspersky Embedded Systems Security under a subscription, you need to use the activation code received from the service provider. After you apply the activation code, an active key corresponding to the license to use the application under subscription is added to the application. A reserve key can only be added when you use an activation code and cannot be added for a key file or subscription.

Activation codes purchased under subscription may not be used to activate previous versions of Kaspersky Embedded Systems Security.

Page top

[Topic 197595]

Application activation and license key management

Activation is the process of activating a license that allows you to use a fully functional version of the application until the license expires.

To activate the Kaspersky Embedded Systems Security application on a protected device, you need to add a main license key to the application.

If you did not activate the Kaspersky Embedded Systems Security application during installation (by adding a key to the installation package or by running the initial configuration script), you need to activate the installed application in one of the following ways:

• Remotely, using Kaspersky Security Center:
  • Using the Add key task.
  • By distributing a license key stored on the Administration Server to the client devices.
• On the command line using administration commands.

You can also add a reserve key to the application. A reserve key becomes active when the license associated with the active key expires or when the active key is deleted. Availability of a reserve key allows you to avoid application functionality limitation when your license expires.

A reserve license key can be added only after adding an active license key.

You can view information about license keys remotely added to the application using Kaspersky Security Center or the command line on a protected device.

You can also use the graphical user interface to activate the application and manage license keys.

In this section Activating the application using Kaspersky Security Center License key management in the command line

Page top

[Topic 98768]

Activating the application using Kaspersky Security Center

You can add license keys to the application through Kaspersky Security Center in the following ways:

• Using the Add key task.

  This method allows you to add a license key to a specific device or the devices included in an administration group. When creating a task, it uses the key that is added to the Kaspersky Security Center key store. You can add a license key to the key store in advance or when creating the activation task.

• By distributing a license key stored on Kaspersky Security Center Administration Server to the client devices.

  This method lets you automatically add a key to the client devices that are already connected to Kaspersky Security Center, and to new client devices. To use this method, first add the key to the Kaspersky Security Center key store.

You can use the Kaspersky Security Center Web Console or Kaspersky Security Center Administration Console to create tasks for adding a key to the application, adding a key to the key store, and distributing the key to the client devices.

Adding keys using the Kaspersky Security Center Web Console.

To add a key to Kaspersky Security Center key storage using the Web Console:

1. In the Web Console main window, select Operations → Kaspersky Licenses.
2. Click Add.
3. In the window that opens, select how to add the key to the repository:
   • Enter the activation code to add a key using an activation code.
   • Add a key file to add a key using a key file.
4. Depending on the key adding method you selected at the previous step, do one of the following:
   • Enter the activation code and click Submit.
   • Click the Select key file button and in the window that opens, select a file with the .key extension.
5. Click Close.

The added key will appear in the list of keys.

To add a key to the application via the Web Console using the Add key task:

1. In the main window of the Web Console, select Assets (Devices) → Tasks.

   The list of tasks opens.

2. Click Add.

   The Task Wizard starts.

3. Configure the task settings:
   1. In the Application drop-down list, select the application name: Kaspersky Embedded Systems Security.
   2. In the Task type drop-down list, select Add Key.
   3. In the Task name field, enter a brief description, such as Activation of Kaspersky Embedded Systems Security.
   4. In the Devices to which the task will be assigned section, select the task scope. Click Next.
4. Select devices according to the selected task scope option. Click Next.

   The Kaspersky Security Center key storage window opens.

5. If you have previously added a key to Kaspersky Security Center key storage, select the key from in the list and click Next.
6. If the required key cannot be found in the key storage, click the Add key button.
   1. In the window that opens, select how to add the key to the repository:
      • Enter the activation code to add a key using an activation code.
      • Add a key file to add a key using a key file.
   2. Depending on the key adding method you selected at the previous step, do one of the following:
      • Enter the activation code and click Submit.
      • Click the Select key file button and in the window that opens, select a file with the .key extension.
   3. Read the information about the key and click Close.
   4. The added key will appear in the list of keys. Select it from the list and click Next.
7. Read the information about the license and click Next.
8. Complete the wizard.

   A new task will be displayed in the list of tasks.

9. Select the check box next to the task. Click the Start button.

In the properties of the Add key task, you can add a reserve key to the application. A reserve key becomes active when the license associated with the active key expires or when the active key is deleted. Availability of a reserve key allows you to avoid application functionality limitation when your license expires.

If you are adding a reserve key but no active key has been added to the application yet, the task ends with an error.

To add a key using the Web Console by distributing a key stored on the Administration Server to the devices:

1. In the Web Console main window, select Operations → Kaspersky Licenses.
2. Open the key properties using the link with the name of the application for that the key is intended to.
3. On the General tab, select the Automatically distribute a license key to managed devices check box.
4. Click Save.

The license key is automatically distributed to the appropriate client devices.

A new license key is added to a device only if the application has not yet been activated on the device or if the license expires in less than 14 days.

During the automatic distribution of a key as an active or a reserve key, the licensing limit on the number of devices (set in the key properties) is taken into account. If the licensing limit is reached, distribution of this key to the devices stops automatically. You can view the number of devices to which the key has been added and other information in the key properties on the Devices tab.

Special considerations for the activation process in Kaspersky Security Center Cloud Console

A trial version is provided for the Kaspersky Security Center Cloud Console. The trial version is a special version of Kaspersky Security Center Cloud Console designed to familiarize a user with the features of Cloud Console. In this version, you can perform actions in a workspace for a period of 30 days. All managed applications, including Kaspersky Embedded Systems Security, are automatically activated under Kaspersky Security Center Cloud Console trial license. However, you cannot activate Kaspersky Embedded Systems Security using its own trial license when the trial license for the Cloud Console expires. For more details about Cloud Console, please refer to Kaspersky Security Center Cloud Console documentation.

The trial version of Kaspersky Security Center Cloud Console does not allow you to subsequently switch to a commercial version. Any trial workspace will be automatically deleted with all its contents after the 30-day period expires.

Page top

[Topic 197283]

License key management in the command line

To manage license keys on a device, you can use license key management commands.

To add an active license key to the application, run the following command:

kess-control [-L] --add-active-key <path to the key file> / <activation code>

where:

• <path to the key file> – path to the key file. If the key file is located in the current directory, it is sufficient to specify only the file name.
• <activation code> – activation code.

To add a reserve license key to the application, run the following command:

kess-control [-L] --add-reserve-key <path to the key file> / <activation code>

If an active key has not yet been added to the application on the device, the command fails.

To remove an active key, run the following command:

kess-control [-L] --remove-active-key

To remove a reserve key, run the following command:

kess-control [-L] --remove-reserve-key

Page top

[Topic 197624]

Viewing information about used license keys

You can view information about the license keys being used by Kaspersky Embedded Systems Security in the following ways:

• In Kaspersky Security Center, in the properties of the Add key task.

  In the properties of the Add key task, you can find information about the key that this task adds to the application.

• In Kaspersky Security Center, in the properties of the relevant Kaspersky application installed on the client device.

  In the properties of the Kaspersky Embedded Systems Security application on the protected device, you can find information about the active and reserve keys added to the application on this device. You can view the properties of the application using the Web Console as well as the Administration Console.

• In Kaspersky Security Center, in the license key usage report.

  You can view the license key usage report using the Web Console (Monitoring & reporting → Reports), as well as the Administration Console (Reports tab). To view the report, you need to select the "Report on usage of license keys" template in the list of reports and start generating the report.

• In Kaspersky Security Center, in the Kaspersky Security Center license key store.

  You can open the key store using the Web Console (Operations → Kaspersky licenses) or using the Administration Console (Kaspersky licenses folder). The store displays information about all keys added to Kaspersky Security Center Administration Server.

• On a device with Kaspersky Embedded Systems Security installed. You can view information about the license used by the Kaspersky Embedded Systems Security application on the command line.

You can also use notifications about Kaspersky Security Center events to get information about the used license keys and the licenses associated with them. The application sends information about expired licenses and license violations to the Kaspersky Security Center Administration Server.

If you use Kaspersky Security Center to manage the application, by default, information about license keys being added and removed and about license term expiration is recorded in the operating system log.

In this section Viewing information about license keys on a device using the Web Console Viewing information about license keys on a device using the Administration Console Viewing information about the license and the key in the command line

Page top

[Topic 294245]

Viewing information about license keys on a device using the Web Console

To view information about license keys added to the device in the Web Console:

1. In the main window of the Web Console, select Assets (Devices) → Managed devices.

   The list of managed devices opens.

2. Select the administration group containing the necessary device. To do so, click the link in the Current path field above the list of managed devices and select an administration group in the window that opens.

   The list displays only the managed devices for the selected administration group.

3. In the list, find the device for which you want to view information and click the device name.
4. This opens a managed device properties window; in that window, go to the Applications tab.
5. In the list of applications installed on the device, click the name of the Kaspersky Embedded Systems Security 3.4 for Linux application.
6. This opens the Kaspersky Embedded Systems Security 3.4 for Linux window; in that window, open the General tab, Licenses section.

   This section displays information about license keys added to the application and the licenses associated with these keys.

   • License key status is the status of the key: active or reserve.
   • Application name is the name of the license associated with the key and information about this license.
   • License key is the license key, a unique alphanumeric sequence.
   • License type can be trial, commercial, or subscription.
   • Activation date is the date when this key was added.
   • Expiration date is the date when your right to use the application activated with the current key expires.

Page top

[Topic 294246]

Viewing information about license keys on a device using the Administration Console

To view information about the license keys added to the device in Kaspersky Security Center Administration Console:

1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the required device.
2. In the workspace, select the Devices tab.
3. In the list of managed devices, select the required device and double-click it to open the Properties: <Task name> window.
4. In the window that opens with the properties of the managed device, select the Applications section.

   The right part of the window displays a list of Kaspersky applications installed on the device.

5. Select Kaspersky Embedded Systems Security 3.4 for Linux and double-click it to open the application properties window. Alternatively, you can click the Properties button in the lower part of the window.
6. This opens the Kaspersky Embedded Systems Security 3.4 for Linux settings window; in that window, go to the License keys section.

   This section contains information about the active and reserve license keys:

   • Serial number – unique alphanumeric sequence.
   • Status – The status of the license key, e.g. active or reserve.
   • Type: type of license (commercial or trial).
   • License validity period — Number of days during which you can use the application activated with this key.
   • License limit — Number of devices on which you can use the key.
   • Activation date (this field is only available for the active key): date when the active key was added.
   • License expiration date (this field is only available for the active key): date when the application can no longer be used with the current active key.

Page top

[Topic 264031]

Viewing information about the license and the key in the command line

In the command line, using the -L --query command, you can view information about the active and reserve license keys added to the application, and about the license under which the application has been activated.

To view information about the license keys and license on the device, run the following command:

kess-control -L --query [--json]

where --json: output data in JSON format. If the --json option is not specified, the settings are output in the INI format.

As a result of the command execution, the following information will be displayed in the console:

• Information about the active license key, if this key has been added:
  • Date and time when the license for using the application expires.
  • Number of days before the end of the license term.
  • Information about the limitation of protection functions.
  • Information about the limitation of the function for updating application databases.
  • Information about the status of the license key.
  • The type of license associated with the key.
  • Licensing limitation of the key (the number of licensing units).
  • Name of the application that the key is intended to activate.
  • Active license key (unique alphanumeric sequence).
  • Activation date.
• Information about the reserve license key, if a reserve key has been added.
  • Date and time when the license for using the application expires.
  • Information about the limitation of protection functions.
  • Information about the limitation of the function for updating application databases.
  • Information about the status of the license key.
  • The type of license associated with the key.
  • Licensing limitation of the key (the number of licensing units).
  • Name of the application that the key is intended to activate.
  • Reserve license key (unique alphanumeric sequence).
  • Date and time when the license associated with the active key expires, in UTC.

You can also get information about the license under which the application is being used when viewing information about the operation of the application using the kess-control --app-info command.

Page top

[Topic 250618]

Data provision

This section describes the information that Kaspersky Embedded Systems Security may store on the device and automatically send to Kaspersky during its operation.

Kaspersky protects any information thus received in accordance with law and the applicable rules of Kaspersky. Data is transmitted over encrypted channels.

For more detailed information about the processing, storage, and destruction of information obtained during the use of the application and transmitted to Kaspersky, please read the End User License Agreement, the KSN Statement, and refer to the Privacy Policy on the Kaspersky website. The license.<language ID> and ksn_license.<language ID> files containing the End User License Agreement and Kaspersky Security Network Statement are included in the application distribution package.

In this Help section Data provided when using an activation code Data provided when downloading updates from Kaspersky update servers Data sent to Kaspersky Security Center Data provided when following links in the application interface Data provided when using Kaspersky Security Network

Page top

[Topic 197229]

Data provided when using an activation code

If Kaspersky Embedded Systems Security is activated using an activation code, in order to verify if the application is legally used and to obtain statistical information on the distribution and use of the application, you agree to provide the following information to Kaspersky in automatic mode:

• Type, version, and localization of the installed application
• Versions of installed application updates
• Device ID and application installation ID on the device
• Activation code that was used to activate the application
• ID of the current license
• Application license key creation date and time
• Date and time on the user device
• Application license term expiration date and time
• Type, version, and bit size of the operating system

Page top

[Topic 197589]

Data provided when downloading updates from Kaspersky update servers

If you use Kaspersky update servers to download updates, in order to increase efficiency of the update procedure and to obtain statistical information on distribution and use of the application, you agree to automatically provide to Kaspersky the following information:

• Application ID derived from the license
• Full version of the application
• Application license ID
• Type of application license used
• Application installation ID (PCID)
• ID of the application update start
• Web address being processed

Page top

[Topic 276650]

Data sent to Kaspersky Security Center

During operation, Kaspersky Embedded Systems Security saves and submits to Kaspersky Security Center the following information, which may contain personal and confidential data:

• Information about the databases used by the application:
  • List of the database categories required by the application
  • Date and time when the databases were released and loaded into the application
  • Date when the downloaded application database updates were released
  • Time of the last application database update
  • Number of records in the currently used application databases
• Application license information:
  • License serial number and type
  • License validity period in days
  • Number of devices covered by the license
  • Start and end dates of license term
  • License key status
  • Date and time of the last successful synchronization with activation servers if the application was activated using an activation code
  • Identifier of the application for which the license is intended
  • Functionality available under the license
  • Name of the organization for which the license is provided
  • Additional information if the application is used under subscription (subscription flag, subscription expiration date and the number of days available for renewing the subscription, subscription provider web address, current subscription status and the reason for this status), date and time when the application was activated on the device
  • Expiration date and time of the application license on the device
• Information about the application updates:
  • List of updates to be installed or removed
  • Update release date and the sign of the Critical status
  • Name, version, and short description of the update
  • Link to the detailed description of the update
  • Identifier and text of the End User License Agreement and the Privacy Policy for the application updates
  • Identifier and text of Kaspersky Security Network Statement for the application updates
  • Indicator showing if the update can be removed
  • Versions of the application policy and administration plug-in
  • Web address for downloading the application administration plug-in
  • Names, version, and installation dates of the installed application updates
  • Error code and description if the update installation or removal completed with an error
  • Sign and reason for the device or application restart necessity because of the application update
• User agreement or disagreement with the terms and conditions of Kaspersky Security Network Statement, End User License Agreement and Privacy Policy
• List of tags assigned to the device
• List of device statuses and reasons they are assigned.
• The overall status of the application and the status of all its components; information about policy compliance, real-time protection status of the device, application stability status, information about the application stopping.
• Date and time of the last device scan; number of scanned objects; number of detected malicious objects; number of blocked, deleted and disinfected objects; number of objects that cannot be disinfected; number of scan errors; number of detected network attacks
• Data on the currently applied values of the application settings
• Current status and execution results of group tasks and local tasks, and settings of the tasks.
• Information about external devices connected to the client device (ID, name, type, manufacturer, description, serial number, VID/PID)
• Information about backup copies of files in the Backup storage (name, path, size and type of the object, description of the object, name of the detected threat, version of the application database which is used to detect the threat, date and time when the object was moved to the Backup storage), actions on the objects in the Backup storage (removed, restored), and the files by administrator request.
• Information about the operation of each application component and about the execution of each task represented as events:
  • Date and time of event
  • Name and type of event
  • Event severity level
  • Name of the task or the application component running when the event occurred
  • Information about the application that triggered the event: application name, path to the file on the disk, process identifier, setting values​ (if the application launch or settings modification event is triggered)
  • User ID
  • Name of the initiator (task scheduler, application, Kaspersky Security Center, or a user) whose actions triggered the event
  • Name and identifier of the user who initiated access to the file
  • Object or action processing result (description, type, name, threat level and accuracy, file name and type of operation on the device, application decision on the operation)
  • Information about the object (object name and type, path to the object on the disk, object version, size, information about the performed action, event trigger description, description of the reason for not processing and skipping the object)
  • Device information (manufacturer name, device name, path, device type, bus type, identifier, VID/PID, system device flag, name of the device access rule schedule)
  • Information about blocking and unblocking the device; information about blocked connections (name, description, device name, protocol, remote address and port, local address and port, packet rules, actions)
  • Information about requested web address
  • Information about detected objects
  • Type, method, and ID of the detection
  • Information about the performed action
  • Information about the application databases (date when the downloaded database updates are released, information on the database usage, database usage errors, information on canceling the installed database updates)
  • Information about encryption detection (ransomware name; name of the device where encryption was detected; information about blocking and unblocking the device)
  • Application settings and network settings
  • Information about the triggered Application Control rule (name and type) and the result of applying the rule
  • Information about active and blocked connections (name, description, and type)
  • Information about blocking and unblocking access to untrusted devices
  • Information about the use of KSN (KSN connection status, KSN infrastructure, identifier of the KSN Statement in extended mode, acceptance of the KSN Statement in extended mode, identifier of the KSN Statement, acceptance of the KSN Statement)
  • Information about certificates (domain name, subject name, issuer name, expiration date, certificate status, certificate type, date certificate was added, issue date, serial number, SHA256 thumbprint)
  • Scan task statistics: number of scanned objects; number of threats found; number of infected objects; number of probably infected objects; number of disinfected objects; number of objects added to Backup; number of deleted objects; number of not disinfected objects; number of scan errors; number of password-protected objects; number of skipped objects
  • Information about threat development chains: name of the online list of threat development chains, ID of the threat development chain
• Information about operation of the system integrity scan task (name, type, path) and information about the system baseline
• Information about network activity, packet rules, and network attacks
• User role information:
  • Name and identifier of the user who initiated changing the user role
  • User role
  • Name of the user who has been assigned or revoked the role
• Information about executable files of applications detected on the client device (name, path, type, and hash of the file; list of categories to which the application belongs; KL category to which the application belongs; trust group to which the application belongs; time of the first file launch; name and version of the application; name of the application vendor; information about the certificate used to sign the application: serial number, thumbprint, issuer, subject, release date, expiration date, and public key).

Page top

[Topic 250630]

Data provided when following links in the application interface

By following the links in the Kaspersky Embedded Systems Security interface, you agree to the following information being automatically sent to Kaspersky:

• Full version of the application
• Application locale
• Application ID (PID)
• Link name

Page top

[Topic 250631]

Data provided when using Kaspersky Security Network

If you use Kaspersky Security Network in extended mode, you agree to automatically provide Kaspersky with all the data listed in the Kaspersky Security Network Statement. Additionally, files (or parts of files) that intruders may use to harm the device and the data stored in its operating system may be sent to Kaspersky for scanning.

The ksn_license.<language ID> file with the text of the Kaspersky Security Network Statement is included in the application distribution kit.

Page top

[Topic 264153]

Application management concept

To manage Kaspersky Embedded Systems Security, you can use:

• Kaspersky Security Center;
• the command line;
• the graphical user interface.

The set of actions that you can perform using the Kaspersky Embedded Systems Security graphical user interface is limited.

This section describes the specifics of managing the application via Kaspersky Security Center and the command line, and also describes the main methods of working in the Kaspersky Security Center administration consoles and in the command line.

In this Help section Managing the application using Kaspersky Security Center Managing the application using the command line

Page top

[Topic 264152]

Managing the application using Kaspersky Security Center

Kaspersky Security Center allows you to remotely and centrally manage the operation of Kaspersky Embedded Systems Security on client devices. You can remotely install and uninstall, start, and stop Kaspersky Embedded Systems Security; configure settings for the application, as well as for the individual components and tasks of the application; and start and stop tasks on the managed devices.

You can use the following Kaspersky Security Center administration consoles to manage Kaspersky Embedded Systems Security via Kaspersky Security Center:

• Kaspersky Security Center Administration Console (hereinafter also referred to as Administration Console). This is a Microsoft Management Console (MMC) snap-in that is installed on the administrator's workstation and provides a user interface for the Administration Server and Network Agent administrative services.

  The interface for managing Kaspersky Embedded Systems Security via the Kaspersky Security Center Administration Console is provided by the administration MMC plug-in (hereinafter also referred to as the "MMC plug-in").

  This Help describes how to manage the Administration Console of Kaspersky Security Center 14.2 Windows.

• Kaspersky Security Center Web Console (hereinafter also referred to as Web Console). This is a web interface for managing a protection system based on Kaspersky applications. You can work in Kaspersky Security Center Web Console using a browser on any device that has access to the Administration Server.

  The interface for managing Kaspersky Embedded Systems Security via the Kaspersky Security Center Web Console is provided by the administration web plug-in (hereinafter also simply referred to as web plug-in).

  This Help describes how to manage the Web Console of Kaspersky Security Center 15.2 Linux.

• Kaspersky Security Center Cloud Console. This is a cloud-based administration console within the cloud version of the Kaspersky Security Center application, also known as the Kaspersky Security Center Cloud Console. Interface of the Cloud console is similar to Kaspersky Security Center Web Console interface. The interface for managing Kaspersky Embedded Systems Security via the Kaspersky Security Center Cloud Console is also provided by the web plug-in.

The MMC plug-in and web plug-in allow you to create policies and tasks in Kaspersky Security Center for managing the operation of Kaspersky Embedded Systems Security:

• A policy is a set of settings that is applied on all devices in an administration group. Policies allow you to apply identical application settings to all client devices within an administration group.

  The Kaspersky Embedded Systems Security policy defines the general settings for the operation of Kaspersky Embedded Systems Security and the settings for the operation of individual functional components of the application on devices where the policy is applied.

• Tasks for Kaspersky Embedded Systems Security created in Kaspersky Security Center run on the protected devices and implement Kaspersky Embedded Systems Security functions such as on-demand scan, application activation, and updates to the databases and modules of the application.

  In Kaspersky Security Center, you can create tasks to be performed on an individual device (local tasks), tasks for all devices in the administration group (group tasks), or tasks for a random selection of devices (tasks for sets of devices).

Regardless of the Kaspersky Security Center administration console that you use, you must assign the devices on which Kaspersky Embedded Systems Security is installed to administration groups in order to manage Kaspersky Embedded Systems Security on these devices using Kaspersky Security Center. You can create administration groups in Kaspersky Security Center before Kaspersky Embedded Systems Security installation and configure rules to automatically move the devices to administration groups. You can also manually move the devices to the administration groups after installing Kaspersky Embedded Systems Security (for details, refer to Kaspersky Security Center documentation).

In this section About Kaspersky Embedded Systems Security management plug-ins Kaspersky Security Center policies Tasks for Kaspersky Embedded Systems Security created in Kaspersky Security Center Logging in and out of the Web Console and Cloud Console Managing policies in the Web Console Managing policies in the Administration Console Managing tasks in the Web Console Managing tasks in the Administration Console

Page top

[Topic 264115]

About Kaspersky Embedded Systems Security management plug-ins

The following management plug-ins are required for managing Kaspersky Embedded Systems Security using Kaspersky Security Center:

• Kaspersky Embedded Systems Security administration web plug-in (hereinafter also referred to as the web plug-in) facilitates interaction between Kaspersky Embedded Systems Security and Kaspersky Security Center using Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console.

  The web plug-in must be installed on the device that has Kaspersky Security Center Web Console installed. Management of Kaspersky Embedded Systems Security using the web plug-in is available to all administrators who have access to the Kaspersky Security Center Web Console in a browser.

• The Kaspersky Embedded Systems Security administration MMC plug-in (hereinafter also referred to as the MMC plug-in) facilitates interaction between Kaspersky Embedded Systems Security and Kaspersky Security Center using the Administration Console.

  The MMC plug-in must be installed on the device where the Kaspersky Security Center Administration Console is installed.

The Kaspersky Embedded Systems Security management plug-ins let you manage Kaspersky Embedded Systems Security using policies and tasks.

For more details about administration plug-ins, refer to Kaspersky Security Center documentation.

Page top

[Topic 264966]

Kaspersky Security Center policies

A policy is a set of Kaspersky Embedded Systems Security settings that are applied to all client devices included in the administration group.

Multiple policies with different values of the settings can be configured for a single application. However, there can be only one active policy at a time for an application within an administration group. When you create a new policy, all other policies within an administration group become inactive. You can change the policy status later.

Policies have a hierarchy, similarly to administration groups. By default, a child policy inherits the settings from the parent policy. A child policy is a policy of a nested hierarchy level, that is, a policy for nested administration groups and secondary Administration Servers. You can enable inheritance of the settings from the parent policy.

You can locally modify the values of the settings specified by the policy for individual devices within the administration group, if modification of these settings is not prohibited by the policy.

Each policy setting has a "lock" attribute that indicates whether child policy settings and local application settings can be modified. The "lock" status of a setting within policy properties determines whether or not an application setting on a client device can be edited:

• When a setting is "locked" (), you cannot edit its value locally or in the policies of the nested hierarchy level. The setting value specified by the policy is used for all client devices within the administration group and nested groups.
• When a setting is "unlocked" (), you can edit its value locally or in the policies of the nested hierarchy level. If setting values are specified locally or in policy properties of a nested hierarchy level for client devices within an administration group, the setting value specified in the policy properties is not applied.

In the web plug-in and in the MMC plug-in, the number of parameters with "locks" is different. The web plug-in includes "locks" that are not present in the MMC plug-in.

Using policy profiles allows you to flexibly configure operation settings for the application. A policy profile may contain settings that differ from the "base" policy settings and apply to client devices when the configured conditions (activation rules) are met. Using policy profiles allows you to flexibly configure operation settings for different devices. You can create and configure profiles in the Policy profiles section of the policy properties.

Profile settings that are locked with a "padlock" override policy settings. That is, if the profile setting locked with a "padlock" is different from the policy setting, the application applies the setting from the profile. However, lists of settings are merged, supplementing each other. That is, if the settings in the list from the profile are missing from the "basic" policy, they are added to the resulting list of settings.

However, some lists are not merged, in which case the settings from the profile override the settings of the "basic" policy:

• Exclusions by process in the File Threat Protection and Behavior Detection components
• Protection scopes in the File Threat Protection and Anti-Cryptor components
• Monitoring scopes in the System Integrity Monitoring component
• List of rules (in the Application Control rules window) in the Application Control component
• Process memory exclusions in application settings
• Trusted domains in network settings
• Trusted root certificates in network settings
• Monitored ports in network settings

After the policy is applied for the first time, the application settings change in accordance with the policy settings.

If the application is not running when the policy is deleted, after application is started, this policy continues to be applied on the device and the application continues to operate with the settings specified by this policy.

For more details about policies and policy profiles, refer to the Kaspersky Security Center Help system.

Page top

[Topic 263939]

Tasks for Kaspersky Embedded Systems Security created in Kaspersky Security Center

You can create the following types of tasks in Kaspersky Security Center for Kaspersky Embedded Systems Security:

• local tasks to run on individual devices;
• group tasks to run on devices within an administration group;
• tasks for sets of devices to run on multiple devices, regardless of their inclusion in administration groups.

  The tasks for the sets of devices are performed only on the devices that are specified in the task settings. If new devices are added to the device selection for which the task is created, this task is not applied to the new devices. To apply the task to these computers, you must create a new task or edit the settings of the existing task.

You can create any number of group tasks, tasks for a sets of devices, or local tasks.

The tasks are executed only if Kaspersky Embedded Systems Security is running on the devices.

General information about tasks created in Kaspersky Security Center is provided in Kaspersky Security Center documentation.

The following tasks are provided for managing Kaspersky Embedded Systems Security in Kaspersky Security Center:

• Malware Scan. During the task execution, the application scans the device areas that are specified in the task settings for viruses and other malware.
• Critical Areas Scan. During the task execution, the application scans boot sectors, startup objects, process memory, and kernel memory.
• Inventory. During the task execution, the application receives information about all executable files stored on the devices.
• System Integrity Check. During the task execution, the application determines changes of each object by comparing the current state of the monitored object to its original state, which was previously established as a baseline.
• Add Key. During the task execution, the application adds a key, including a reserve one, to activate the application.
• Update. During the task execution, the application updates the databases in accordance with the configured update settings.
• Rollback. During the task execution, the application rolls back the last database update.

Page top

[Topic 202114]

Logging in and out of the Web Console and Cloud Console

Kaspersky Security Center Web Console

To log in to the Web Console, you need to know the web address and the port number of the Administration Server specified during the Web Console installation (port 8080 is used by default). JavaScript must also be enabled in your browser.

To log in to Web Console:

1. In your browser, go to the <Administration Server web address>:<port number> address.

   The login page is displayed.

2. Enter the user name and password for your account.

   It is recommended to make sure that the password complexity and anti-bruteforce mechanisms ensure that the password cannot be guessed within 6 months.

3. Click Log in.

   If the Administration Server is not responding, or if you enter incorrect credentials, an error message is displayed.

After logging in, a dashboard is displayed with the last language and theme used.

For more details about the Web Console interface, refer to Kaspersky Security Center documentation.

To log out of Web Console:

select <Account name> → Exit in the lower left corner of the screen.

The Web Console is closed, and the login page is displayed.

Kaspersky Security Center Cloud Console

For the Kaspersky Security Center Cloud Console, use a web token to log in to your account on the Cloud Console portal.

For detailed information about Kaspersky Security Center Cloud Console, refer to the Kaspersky Security Center Cloud Console documentation.

Page top

[Topic 264229]

Managing policies in the Web Console

You can perform the following actions with the policies in the Web Console:

• Create a policy.
• Edit policy settings.

  If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.

• Export and import policy settings.
• Copy and move a policy.
• Delete a policy.
• Change a policy status.
• Create policy profiles.

For general information about working with policies, refer to the Kaspersky Security Center Help system.

In this section Creating a policy in the Web Console Changing policy settings in the Web Console Policy settings in the Web Console

Page top

[Topic 264968]

Creating a policy in the Web Console

To create a policy in the Web Console:

1. In the main window of the Web Console, select Assets (Devices) → Policies and policy profiles.

   A list of policies and policy profiles opens.

2. Select the administration group containing the devices to which the policy should be applied. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select the administration group in the window that opens.
3. Click Add.

   The Policy Wizard starts.

4. In the displayed window, select an application name from the list.

   Proceed to the next step of the wizard.

5. Decide whether you want to use Kaspersky Security Network. Carefully read the Kaspersky Security Network Statement and do one of the following:
   • If you agree with all the terms and conditions of the Statement and want the application to use Kaspersky Security Network, select I confirm that I have fully read, understand, and accept the terms and conditions of Kaspersky Security Network Statement.
   • If you do not want to use Kaspersky Security Network, select I do not accept the terms and conditions of the Kaspersky Security Network Statement and confirm your decision in the window that opens.

   Refusal to use Kaspersky Security Network does not interrupt the policy creation process. At any time, you can enable or disable use of Kaspersky Security Network or change the KSN mode for managed devices in the policy settings.

   Proceed to the next step of the wizard.

6. The General tab of the new policy settings window opens. Specify a name for the new policy.

   You can also configure the following policy settings:

   • Policy status:
     • Active. The policy that is currently applied to the device. If this option is selected, this policy becomes active on the device upon the next device synchronization with the Administration Server. This option is selected by default.
     • Inactive. The policy that is not currently applied to the device. If this option is selected, the policy becomes inactive but remains in the Policies folder. You can activate the inactive policy later.
   • Policy settings inheritance:
     • Inherit settings from parent policy. If this option is enabled, the policy settings values are inherited from the upper-level group policy and, therefore, are locked. The check toggle button is switched on by default.
     • Enforce settings inheritance for child policies If this option is enabled, the settings values of the child policies are locked. The toggle button is switched off by default.

   For general information about the policy settings, refer to Kaspersky Security Center Help section.

7. If you want to configure other policy settings, go to the Application settings tab and make the necessary changes.

   You can also change the policy settings later.

8. Click Save.

The created policy will be displayed in the list of policies.

For general information about managing policies, please refer to the Kaspersky Security Center Help.

Page top

[Topic 264319]

Changing policy settings in the Web Console

To edit policy settings in the Web Console:

1. In the main window of the Web Console, select Assets (Devices) → Policies and policy profiles.

   The list of policies opens.

2. Select the administration group containing the devices to which the policy is applied. To do so, click the link in the Current path field in the upper part of the window and select the administration group in the window that opens.

   The list displays the policies configured for the selected administration group.

3. Click the name of the required policy in the list.

   The policy properties window opens.

4. Modify the policy settings on the Application settings tab.
5. Click the Save button to save the changes made.

The policy is saved with the updated settings.

Page top

[Topic 265040]

Policy settings in the Web Console

You can configure policy settings on the Application settings tab of the policy properties window.

Policy settings

Page top

[Topic 264230]

Managing policies in the Administration Console

You can perform the following actions with the policies in the Kaspersky Security Center Administration Console:

• Create a policy.
• Edit policy settings.

  If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.

• Export and import policy settings.
• Delete a policy.
• Change a policy status.
• Create policy profiles.

For general information about working with policies, please refer to the Kaspersky Security Center Help.

In this section Creating a policy using the Administration Console Changing policy settings in the Kaspersky Security Center Administration Console Policy settings in the Administration Console

Page top

[Topic 264967]

Creating a policy using the Administration Console

To create a policy in the Administration Console:

1. In the Administration Console tree, in the Managed devices folder, select the administration group containing the devices to which the policy should be applied.

   You can view the list of devices that are part of an administration group on the Devices tab of the folder with the name of this administration group.

2. In the workspace, select the Policies tab.
3. Click the New policy button to start the New policy wizard.

   You can also start the Wizard by clicking the Create → Policy item in the context menu in the list of policies.

4. In the first step of the Wizard, select Kaspersky Embedded Systems Security 3.4 for Linux from the list.

   Proceed to the next step of the wizard.

5. Enter a name for the new policy.
6. To use the settings from the previous version of Kaspersky Embedded Systems Security policy in the policy being created, select the Use policy settings for the earlier application version check box.

   Proceed to the next step of the wizard.

7. Decide whether you want to use Kaspersky Security Network. Carefully read the Kaspersky Security Network Statement and do one of the following:
   • If you agree with all the terms and conditions of the Statement and want the application to use Kaspersky Security Network, select I confirm that I have fully read, understand, and accept the terms and conditions of Kaspersky Security Network Statement.
   • If you do not want to use Kaspersky Security Network, select I do not accept the terms and conditions of the Kaspersky Security Network Statement and confirm your decision in the window that opens.

   Refusal to use Kaspersky Security Network does not interrupt the policy creation process. At any time, you can enable or disable use of Kaspersky Security Network or change the KSN mode for managed devices in the policy settings.

   Proceed to the next step of the wizard.

8. If necessary, configure the general settings for File Threat Protection.

   Proceed to the next step of the wizard.

9. If necessary, edit the File Threat Protection settings that have been configured by default.

   Proceed to the next step of the wizard.

10. If necessary, configure the exclusions from File Threat Protection.

    Proceed to the next step of the wizard.

11. If necessary, modify the default actions for infected objects.

    Proceed to the next step of the wizard.

12. Complete the New Policy Wizard.

The created policy is displayed in the list of policies of the administration group on the Policies tab and in the Policies folder of the console tree.

You can change the policy settings later. For general information about managing policies, refer to the Kaspersky Security Center Help system.

Page top

[Topic 264320]

Changing policy settings in the Kaspersky Security Center Administration Console

To edit policy settings in the Administration Console:

1. In the tree of the Kaspersky Security Center Administration Console, in the Managed devices folder, open the folder with the name of the administration group that includes the required devices.
2. In the workspace, select the Policies tab.
3. In the list of policies, select the required policy and double-click it to open the Properties: <Policy name> window.

   You can also open the policy properties window by using the Properties item in the policy context menu or by clicking the Configure policy settings link located to the right of the list of policies in the section with the policy settings.

4. Edit the policy settings.
5. In the Properties: <Policy name> window, click OK to save the changes.

Page top

[Topic 264316]

Policy settings in the Administration Console

You can configure policy settings in the sections and subsections of the policy properties window. For information about configuring general policy settings and event settings, refer to Kaspersky Security Center Help section.

Policy settings

Page top

[Topic 265019]

Managing tasks in the Web Console

You can perform the following actions with the tasks for Kaspersky Embedded Systems Security in the Web Console:

• Create new tasks.
• Edit task settings.

  If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.

• Start, stop, pause, and resume tasks.

  The Update task cannot be paused or resumed, it can only be started or stopped.

• Export and import tasks.
• Delete tasks.

In the list of tasks, you can monitor the task execution results: view the task status and the statistics for task performance on the devices. You can also create a selection of events to monitor the task execution (Monitoring and reports → Event selections). For details on event selection, refer to Kaspersky Security Center documentation.

Task execution results are also saved locally on the device and in Kaspersky Security Center reports.

For general information about task management, refer to the Kaspersky Security Center Help system.

If the device is managed by a policy, it may not be possible to view and manage tasks created in Kaspersky Security Center using the command line or the graphical interface of the application.

In this section Creating tasks in the Web Console Changing task settings in the Web Console Starting, stopping, pausing, and resuming tasks in the Web Console

Page top

[Topic 265044]

Creating tasks in the Web Console

To create a task for a group or set of devices in the Web Console:

1. In the main window of the Web Console, select Assets (Devices) → Tasks.

   The list of tasks opens.

2. Click Add.

   The Task Wizard starts.

3. In the first step of the Wizard, perform the following actions:
   1. In the Application drop-down list, select Kaspersky Embedded Systems Security 3.4 for Linux.
   2. In the Task type drop-down list, select the type of task that you want to create.
   3. In the Task name field, enter a name for the new task.
   4. In the Devices to which the task will be assigned section, select the method for defining the task scope. The task scope comprises the devices on which the task will be run:
      • Select the Assign task to an administration group option if the task is to be run on all devices included in a specific administration group.
      • Select the Specify device addresses manually, or import addresses from a list option if the task is to be run on the specified devices.
      • Select the Assign task to a device selection option if the task is to be run on devices included in the device selection according to a predefined criterion. For information on how to create a device selection, refer to the Kaspersky Security Center Help system.

   Proceed to the next step of the wizard.

4. Depending on the selected method for defining the task scope, perform one of the following actions:
   • In the administration group tree, select the check boxes next to the required administration groups.
   • In the list of devices, select the check boxes next to the required devices. If the required devices are not listed, you can add them in the following ways:
     • Using the Add devices button. You can add devices by name or IP address, add devices from a specified IP range, or select devices from the list of devices detected by the Administration Server when polling the corporate LAN.
     • Using the Import devices from file button. For the import, a TXT file with a list of device addresses is used, where each address must be on a separate line.
   • From the list, select the name of the selection containing the required devices.

   Proceed to the next step of the wizard.

5. To configure the task settings immediately after creation, in the last step of the Wizard, select the Open task properties window after creation check box. A task is created with the default settings.
6. Complete the wizard.

A new task will be displayed in the list of tasks.

To create a local task in the Web Console:

1. In the main window of the Web Console, select Assets (Devices) → Managed devices.

   The list of managed devices opens.

2. Select the administration group containing the necessary device. To do so, click the link in the Current path field above the list of managed devices and select an administration group in the window that opens.

   The list displays only the managed devices for the selected administration group.

3. In the list, find the device for which you want to create a task and click the device name.
4. This opens a managed device properties window; in that window, go to the Tasks tab.

   The list of tasks created for this device is displayed.

5. Click Add.

   The Task Wizard starts.

6. In the first step of the Wizard, perform the following actions:
   1. In the Application drop-down list, select Kaspersky Embedded Systems Security 3.4 for Linux.
   2. In the Task type drop-down list, select the type of task that you want to create.
   3. In the Task name field, enter a name for the new task.
7. To configure the task settings immediately after creation, in the last step of the Wizard, select the Open task properties window after creation check box. A task is created with the default settings.
8. Complete the wizard.

A new task will be displayed in the list of tasks.

Page top

[Topic 265045]

Changing task settings in the Web Console

To edit task settings in the Web Console:

1. In the main window of the Web Console, select Assets (Devices) → Tasks.

   The list of tasks opens.

2. Do one of the following:
   • To edit the settings of a task that is run on all devices included in a specific administration group, click the link in the Current path field in the upper part of the window and select the administration group in the window that opens.

     The list displays only tasks configured for the selected administration group.

   • To edit the settings of a task that is run on one or multiple devices (a task for a set of devices), click the link in the Current path field in the upper part of the window and select the top node with the name of the Administration Server in the window that opens.

     The list displays all tasks created on the Administration Server.

3. In the list of tasks, select the required task and open the task properties window by clicking the link in the task name.
4. Configure the task settings:
   • On the General tab, you can edit the name of the task.
   • On the Application settings tab, you can configure specific task settings. The availability of configurable settings depends on the type of task.
   • On the Schedule tab, you can configure the task run schedule and additional settings for starting and stopping the task.

   The General, Results, Settings, Schedule, and Revision history tabs of the task properties window are standard for Kaspersky Security Center; for more details, refer to the Kaspersky Security Center Help system.

5. Click the Save button to save the changes made.

Page top

[Topic 264981]

Starting, stopping, pausing, and resuming tasks in the Web Console

To start, stop, pause, or resume a task in the Web Console:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Tasks.

   The list of tasks opens.

2. Do one of the following:
   • To start or stop a task that is run on all devices included in a specific administration group, click the link in the Current path field in the upper part of the window and select the administration group in the window that opens.

     The list displays only the tasks created for the selected administration group.

   • To start or stop a task that is run on one or multiple devices (a task for a set of devices), click the link in the Current path field in the upper part of the window and select the top node with the name of the Administration Server in the window that opens.

     The list displays all tasks created on the Administration Server.

3. In the list of tasks, check the box next to the name of the required task and click the action button above the list of tasks.

Page top

[Topic 264974]

Managing tasks in the Administration Console

You can perform the following actions with the tasks for Kaspersky Embedded Systems Security in the Administration Console:

• Create new tasks.
• Edit task settings.

  If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.

• Start, stop, pause, and resume tasks.

  The Update task cannot be paused or resumed, it can only be started or stopped.

• Export and import tasks.
• Delete tasks.

In the list of tasks, you can monitor the task execution results: view the task status and the statistics for task performance on the devices.

Information on the progress and results of task execution can be viewed in the list of events that Kaspersky Embedded Systems Security sends to the Kaspersky Security Center Administration Server (on the Events tab in the workspace of the Administration Server <server name> node). You can also create a selection of events to monitor the execution of tasks. For details on event selection, refer to Kaspersky Security Center documentation.

Task execution results are also saved locally on the device and in Kaspersky Security Center reports.

For general information about task management, refer to the Kaspersky Security Center Help system.

If the device is managed by a policy, it may not be possible to view and manage tasks created in Kaspersky Security Center using the command line or the graphical interface of the application.

In this section Creating tasks in the Administration Console Changing task settings in the Administration Console Starting, stopping, pausing, and resuming tasks in the Administration Console

Page top

[Topic 264980]

Creating tasks in the Administration Console

To create a task for a group or set of devices in the Administration Console:

1. In the Administration Console, perform one of the following actions:
   • To create a task that will be run on devices included in the selected administration group, select this administration group in the console tree in the Managed devices folder, then select the Tasks tab in the workspace and click the New task button.

     The New task wizard starts for devices of the selected administration group.

   • To create a task that will be performed on one or multiple devices (a task for a set of devices), select the Tasks folder in the console tree and click the New task button in the workspace.

     The New task wizard starts for the set of devices.

2. At the first step of the wizard, select Kaspersky Embedded Systems Security 3.4 for Linux and the type of the task.

   Proceed to the next step of the wizard.

3. If you are creating a task for a set of devices, the Wizard prompts you to define the task scope. The task scope comprises the devices on which the task will be run.
   1. Specify the method for defining the task scope: select devices from the list of devices detected by the Administration Server; set device addresses manually; import a list of devices from a file or specify a previously configured selection of devices (for more details, refer to the Kaspersky Security Center Help system).
   2. Depending on the method you have specified for defining the task scope, in the window that opens, perform one of the following actions:
      • In the list of detected devices, specify the devices on which the task will be run. To do so, select the check box in the list to the left of the device name.
      • Click the Add or Add IP range button and enter the device addresses manually.
      • Click the Import button and select the TXT file containing the list of device addresses in the window that opens.
      • Click the Browse button and, in the window that opens, specify the name of the selection containing the devices on which the task will be run.

   Proceed to the next step of the wizard.

4. Configure the available task settings by following the instructions in the Wizard.
5. Enter the name of the new task and proceed to the next step in the Wizard.
6. To start the task immediately after the Wizard finishes, in the final step, select the Run task after the wizard finishes check box.
7. Complete the wizard.

   A new task will be displayed in the list of tasks.

To create a local task in the Administration Console:

1. In the Administration Console tree, in the Managed devices folder, select the administration group containing the necessary device.
2. In the workspace, select the Devices tab.
3. In the list of managed devices, select the required device and double-click it to open the Properties: <Task name> window.
4. In the displayed window with the properties of the managed device, select the Tasks section.

   The list of tasks created for this device is displayed.

5. Click Add.

   The Task Wizard starts.

6. At the first step of the wizard, select Kaspersky Embedded Systems Security 3.4 for Linux and the type of the task.

   Proceed to the next step of the wizard.

7. Enter a name for the new task and configure the available task settings following the instructions of the wizard.
8. Complete the wizard.

   A new task will be displayed in the list of tasks.

Page top

[Topic 265718]

Changing task settings in the Administration Console

To edit task settings in the Administration Console:

1. In the Administration Console, perform one of the following actions:
   • To edit the settings of a task that is run on devices included in the specified administration group, select this administration group in the console tree, then select the Tasks tab in the workspace.
   • To edit the settings of a task that is run on one or multiple devices (a task for a set of devices), select the Tasks folder in the console tree.
2. In the list of tasks, select the required task and double-click it to open the Properties: <Task name> window.

   You can also open the task properties window using the Properties item in the task context menu.

3. Edit the task settings. The availability of configurable settings depends on the type of task.

   The General, Notification, Schedule, and Revision history tabs of the task properties window are standard for Kaspersky Security Center; for more details, refer to the Kaspersky Security Center Help system.

4. Click Apply or OK in the Properties: <Task name> window to save the changes made.

Page top

[Topic 265719]

Starting, stopping, pausing, and resuming tasks in the Administration Console

To start, stop, pause, or resume a task in the Administration Console:

1. In the Administration Console, perform one of the following actions:
   • To start or stop a task that is run on devices included in the specified administration group, select this administration group in the console tree, then select the Tasks tab in the workspace.

     The list of tasks created for the selected administration group opens.

   • To start or stop a task that is run on one or multiple devices (a task for a set of devices), select the Tasks folder in the console tree.

     The list of all tasks created on the Administration Server opens.

2. In the list of tasks, select the required task, open the context menu of the task, and select the action that you want to perform.

Page top

[Topic 264003]

Managing the application using the command line

Using the command line, you can install, uninstall, start, and stop Kaspersky Embedded Systems Security on the device, and also manage the application locally.

The functional components of the application are supported by Kaspersky Embedded Systems Security local tasks that run in the operating system. You can enable or disable functional components of the application on a device by starting or stopping Kaspersky Embedded Systems Security tasks in the command line. One-time device scans are also performed by starting Kaspersky Embedded Systems Security tasks. You can define the settings for functional components on the device and the device scan settings by configuring the Kaspersky Embedded Systems Security task settings.

In addition to the task settings, the following settings are provided for configuring the application:

• Encrypted connections scan settings.
• General application settings that define the operation of the application as a whole and the operation of individual functions.

On the command line, Kaspersky Embedded Systems Security can be managed using Kaspersky Embedded Systems Security management commands.

In this section Enabling automatic addition of kess-control commands (bash completion) Task management in the command line Displaying task settings in the command line Editing task settings in the command line Configuring task schedule in the command line Managing general application settings in the command line Using filters to limit results of queries Exporting and importing application settings Managing user roles using the command line

Page top

[Topic 238601]

Enabling automatic addition of kess-control commands (bash completion)

Kess-control commands can be automatically added for the bash shell.

To enable automatic addition of kess-control commands in the current bash shell session, run the following command:

source /opt/kaspersky/kess/shared/bash_completion.sh

To enable automatic addition for all new bash shell sessions, run the following command:

echo "source /opt/kaspersky/kess/shared/bash_completion.sh" >> ~/.bashrc

Page top

[Topic 264195]

Task management in the command line

The following application tasks are provided for managing Kaspersky Embedded Systems Security using the command line:

• File Threat Protection. This task allows you to enable or disable File Threat Protection in real time and defines the settings for the File Threat Protection component. The task starts automatically when the application starts.
• Malware Scan. This task allows you to scan file system objects for malware on demand and defines the settings for the scan. You can use this task to perform a full or custom scan of the device.
• Critical Areas Scan. This task allows you to run a critical areas scan of the operating system on demand and defines the settings for the scan.
• Custom file scan. This task is designed for configuring and storing settings that are used when scanning the specified files and directories using the kess-control --scan-file command. As a result of the command execution, the application creates and starts a temporary file scan task.
• Removable Drives Scan. This task allows you to monitor the connection of removable media to the device in real time and defines the settings of the Removable Drives Scan and the scan of its boot sectors for malware.
• Web Threat Protection. This task allows you to enable or disable Web Threat Protection and defines the settings for the Web Threat Protection component.
• Network Threat Protection. This task allows you to enable or disable Network Threat Protection and defines the settings for the Network Threat Protection component.
• Anti-Cryptor. This task allows you to enable or disable the protection of files from remote malicious encryption and defines the settings for the Anti-Cryptor component.
• Firewall Management. This task allows you to enable or disable firewall management and defines the network connection control settings on the device.
• Application Control. This task allows you to enable or disable Application Control and defines the settings of the Application Control component.
• Inventory. The task allows you to obtain information about all the application executable files stored on the device.
• Device Control. This task allows you to enable or disable Device Control and defines the settings for the Device Control component. The task starts automatically when Kaspersky Embedded Systems Security starts.
• Behavior Detection. This task allows you to monitor malicious activity of applications in the operating system. The task starts automatically when Kaspersky Embedded Systems Security starts.
• System Integrity Monitoring. This task allows you to perform real-time monitoring of the actions performed with objects from the monitoring scope specified in the System Integrity Monitoring component settings.
• System Integrity Check. This task allows you to check for changes in files and directories that you have included in the monitoring scope, by comparing the current state of the monitored object with a previously recorded state.
• Licensing. This task provides the capability to activate an application installed on the device. The task starts automatically when the application starts, and it resides in the device operating memory. The task has no settings; license keys are managed using special management commands. The task cannot be started, stopped, or deleted.
• Update. You can use this task to perform scheduled and on-demand application database and module updates and edit update settings.
• Rollback. You can use this task to roll back the last update of application databases and modules.

Each application task has a name used on the command line, an ID, and a type (see the table below).

IDs are unique for all tasks, including deleted tasks. The application does not reuse the identifiers of the deleted tasks. The identifier of a new task is the next successive number to the identifier of the latest created task.

Task names are not case-sensitive.

During installation of the application, predefined tasks are created. These tasks cannot be deleted. Each predefined task has a name and ID.

Tasks that you create while working with the application are called user tasks. When you create the task, you specify the name for it. IDs for user tasks are defined and assigned by the application when the task is created. IDs for user tasks are starting from 100.

During operation, the application creates temporary scan tasks. Temporary task names and IDs are assigned by the application. Temporary tasks are automatically deleted when completed.

Application tasks

You can perform the following actions with tasks:

• Start and stop all predefined and user tasks except the License task.
• Suspend and resume ODS, ODFIM, and InventoryScan tasks.
• Create and delete user tasks. You can create the following types of tasks: ODS, Update, Rollback, ODFIM and InventoryScan.
• Change the settings for all user tasks and all predefined tasks, except for Rollback and License tasks.
• Configure the task start schedule.

In this section Viewing a list of tasks in the command line Viewing the status of a task in the command line Creating a task in the command line Starting, stopping, pausing, and resuming tasks in the command line Deleting a task in the command line

Page top

[Topic 264317]

Viewing a list of tasks in the command line

To view the list of application tasks, execute the following command:

kess-control --get-task-list [--json]

where:

--json – output format for the list of application tasks. If a file format is not specified, the output will be an INI file.

The list of Kaspersky Embedded Systems Security tasks will be displayed.

The following information will be displayed for each task:

• Name: the task name
• ID: the task ID
• Type: the task type
• State: the current state of the task

If the Kaspersky Security Center policy prohibits users from viewing and editing local tasks, information about the Scan_My_Computer, Critical_Areas_Scan, Inventory_Scan, Update, and Rollback tasks is not available.

Page top

[Topic 264963]

Viewing the status of a task in the command line

To view a task state, execute the following command:

kess-control --get-task-state <task ID/name> [--json]

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• --json is specified to output the settings in JSON format.

Application tasks can take the following main states:

• Started—Task is running.
• Starting—Task is being launched.
• Stopped—Task has been stopped.
• Stopping—Task is stopping.

The ODS, ODFIM, and InventoryScan tasks can also have one of the following states:

• Pausing — Task is pausing.
• Suspended — Task is suspended.
• Resuming — Task is resuming.

Page top

[Topic 264321]

Creating a task in the command line

You can create the following types of tasks: ODS, Update, Rollback, ODFIM, and InventoryScan.

You can create tasks with default settings or with settings specified in a configuration file.

To create a task with default settings, execute the following command:

kess-control -create-task <task name> --type <task name>

where:

• <task name> is the name that you specify for the new task.
• <task type> is the identifier for the type of the created task.

To create a task with the settings specified in the configuration file, execute the following command:

kess-control --create-task <task name> --type <task type> --file <configuration file path> [--json]

where:

• <task name> is the name that you specify for the new task.
• <task type> is the identifier for the type of the created task.
• <path to file> is the full path to the configuration file with the settings that will be used for creating the task.
• --json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

Page top

[Topic 264322]

Starting, stopping, pausing, and resuming tasks in the command line

You can start and stop predefined and user tasks, except for tasks of the License type.

You can suspend and resume tasks of ODS, ODFIM, and InventoryScan types.

To start a task, execute the following command:

kess-control --start-task <task ID/name> [-W] [--progress]

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• [-W] is a command used in conjunction with the task start command to enable the display of current events associated with this task.
• Specify the [--progress] option if you want to display the progress of the task.

  Example: Start the task with ID 1 and enable the display of current events associated with the task: kess-control --start-task 1 -W

If an error occurs when starting a task and the task does not start, then after the application is restarted, an attempt is made to start the task again.

To stop a task, execute the following command:

kess-control --stop-task <task ID/name> [-W]

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• [-W] is a command used in conjunction with the stop task command to enable the display of current events associated with this task.

To suspend a task, execute the following command:

kess-control --suspend-task <task ID/name>

To resume a task, execute the following command:

kess-control --resume-task <task ID/name>

Page top

[Topic 264323]

Deleting a task in the command line

You can delete only user tasks. Predefined tasks cannot be deleted.

To delete a task, execute the following command:

kess-control --delete-task <task ID/name>

where <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.

Page top

[Topic 264157]

Displaying task settings in the command line

You can display the current values of settings for all user tasks and all predefined tasks, except for Rollback and License tasks (these tasks have no settings).

You can output the current values of task settings to the console or to a configuration file that you can use to change task settings.

To output the current values of task settings to the console, execute the following command:

kess-control --get-settings <task ID/name> [--json]

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

To output the current values of task settings to a configuration file, execute the following command:

kess-control --get-settings <task ID/name> --file <path to configuration file> [--json]

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• --file <configuration file path> is the path to the configuration file into which the task settings will be written. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
• --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

Page top

[Topic 265721]

Editing task settings in the command line

You can edit the settings for all user tasks and all predefined tasks, except for Rollback and License tasks.

On the command line, you can edit the settings of tasks using the kess-control --set-settings command:

• You can edit all task settings using the configuration file that contains the task settings. You can get the configuration file using the command for displaying task settings.
• You can edit individual task settings on the command line in the <setting name>=<setting value> format. You can get the current values of task settings using the command for displaying task settings.
• You can restore the task settings to their default values.

You can add or remove scan scopes and exclusion scopes using a configuration file that contains task settings or command line options. Configuring scan scopes and exclusion scopes is available for tasks with the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types.

In order to optimize the operation of scan tasks, it is recommended to add the path with snapshots mounted by the system in the read-only mode to the exclusions for the systems with the btrfs file system and enabled active snapshots. For example, for the systems based on SUSE/OpenSUSE, you can add the following exclusion for the path: /.snapshots/*/snapshot/.

For some tasks, separate management commands are also provided that allow you to edit task settings.

In this section Editing task settings using a configuration file Editing task settings using the command line options Restoring default task settings in the command line

Page top

[Topic 197633]

Editing task settings using a configuration file

To edit values of task settings using a configuration file:

1. Output the task settings to the configuration file using the command kess-control --get-settings.
2. Open the configuration file and edit the values of the necessary settings.

   For tasks of the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types, you can add or remove scan scopes and exclusion scopes.

   If you want to add a scan scope, add a [ScanScope.item_ #] section with the following settings to the file:

   • AreaDesc is a description of the scan scope, which contains additional information about this scope.
   • UseScanArea enables scanning of the specified scope.
   • Path is a path to the directory with the objects to be scanned. You can specify a path to a local directory or enable scanning of remote directories mounted on a client device.
   • AreaMask.item_# is a limitation of the scan scope. You can specify a mask for the name of the files to be scanned. Scanning is enabled by default for all objects in the scan scope. You can specify multiple AreaMask.item_# items.

   If you want to add an exclusion scope, add an [ExcludedFromScanScope.item_#] section with the following settings to the file:

   • AreaDesc – a description of the exclusion scope, which contains additional information about the exclusion scope.
   • UseScanArea enables exclusion of the specified scope.
   • Path is a path to the directory with the objects to be excluded. You can specify a path to a local directory or exclude remote directories mounted on a client device. Possible values for the setting depend on the type of task.
   • AreaMask.item_# is a limitation of the exclusion scope. You can specify a mask for the name of the files that you want to exclude from the scan scope. By default, all objects in the scope are excluded.

     Example: [ExcludedFromScanScope.item_0000] AreaDesc= UseScanArea=Yes Path=/tmp/notchecked AreaMask.item_0000=*

   You can specify multiple [ScanScope.item_#] and [ExcludedFromScanScope.item_#] sections. The application processes the scopes by index in ascending order.

3. Save the configuration file.
4. Execute the command:

   kess-control --set-settings <task ID/name> --file <path to configuration file> [--json]

   where:

   • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
   • --file <configuration file path> is the full path to the configuration file from which the task settings will be imported.
   • Specify the --json option if you are importing settings from a JSON configuration file. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

All values of task settings defined in the file will be imported into the application.

If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Embedded Systems Security in the Application Control task settings, run the --set-settings command with the --accept option.

Page top

[Topic 197627]

Editing task settings using the command line options

Using the kess-control --set-settings command line options, you can edit individual values of task settings, as well as add or remove scan scopes and exclusion scopes for tasks of the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types.

Configuring individual task settings

To modify individual values of task settings using command line options, run the following command:

kess-control --set-settings <task ID/name> <setting name>=<setting value> [<setting name>=<setting value>]

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• <setting name>=<setting value> is the name and value of one of the task settings. You can get the current values of task settings using the command for displaying task settings.

The values of the specified task settings will be changed.

If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Embedded Systems Security in the Application Control task settings, run the --set-settings command with the --accept option.

Adding and removing a scan scope

To add a scan scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --add-path <path>

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• --add-path <path> adds the path to the directory with the objects to be scanned.

A new [ScanScope.item_#] section will be added to the task settings. The application scans the objects in the directory specified by the Path setting. The remaining settings of the scan scope take default values.

If the task settings already contain a [ScanScope.item_#] section with the specified value for the Path setting, a duplicate section is not added.

If the UseScanArea setting is set to No its value will change to Yes after this command is executed and the objects located in this directory will be scanned.

To delete a scan scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --del-path <path>

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• --del-path <path> deletes the path to the directory with the objects to be scanned.

The [ScanScope.item_#] section that contains the specified path will be deleted from the task settings. The application will not scan the objects in the specified directory.

Adding and removing an exclusion scope

To add an exclusion scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --add-exclusion <path>

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• --add-exclusion <path> adds the path to the directory with the objects that you want to exclude from the scan.

A new [ExcludedFromScanScope.item_#] section will be added to the task settings. The application will exclude objects in the directory specified by the Path setting from scans. The remaining settings of the exclusion scope take default values.

If the task settings already contain an [ExcludedFromScanScope.item_#] section with the specified value for the Path setting, a duplicate section is not added.

If the UseScanArea setting is set to No its value will change to Yes after this command is executed and the objects located in this directory will be excluded from scans.

To delete an exclusion scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --del-exclusion <path>

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• --del-exclusion <path> deletes the path to the directory with the objects to be excluded.

The [ExcludedFromScanScope.item_#] section that contains the specified path will be deleted from the task settings. The application will not exclude the objects in the specified directory from the scan.

Page top

[Topic 264194]

Restoring default task settings in the command line

You can restore the default settings for all user tasks and all predefined tasks, except for tasks of the Rollback and License types (these tasks have no settings).

To reset task settings to their default values, execute the following command:

kess-control --set-settings <task ID/name> --set-to-default

where <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.

The application changes the setting values to their defaults.

Page top

[Topic 264965]

Configuring task schedule in the command line

You can configure the schedule for running the following types of tasks: ODS, Update, Rollback, ODFIM, and InventoryScan.

You can output the current values of the settings for the task run schedule to the console or to a configuration file.

To output the current settings for the task run schedule to the console, execute the following command:

kess-control --get-schedule <task ID/name> [--json]

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

To output the current settings for the task run schedule to a configuration file, execute the following command:

kess-control --get-schedule <task ID/name> --file <path to configuration file> [--json]

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• --file <path to configuration file> is the path to the configuration file in which the settings for the task run schedule will be output. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
• --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

  Examples: Save the update task settings to a file named update_schedule.ini and save the created file in the current directory: kess-control --get-schedule 6 --file update_schedule.ini Display the update task schedule in the console: kess-control --get-schedule 6

You can edit the settings for the task run schedule in the following ways:

• Import the settings from a configuration file that contains all schedule settings.
• Using the command line, specify the individual settings for the task run schedule in the format <setting name >=<setting value >.

To edit the values of the settings for task run schedule using a configuration file, perform the following actions:

1. Output the task settings to the configuration file using the kess-control --get-schedule command.
2. Edit the values of the necessary settings in the file and save the changes.
3. Execute the command:

   kess-control --set-schedule <task ID/name> --file <configuration file path> [--json]

   where:

   • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
   • --file <configuration file path> is the full path to the configuration file from which the task schedule settings will be imported.
   • --json: specify this option if you are importing settings from a configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

All values of the settings for the task run schedule defined in the file will be imported into the application.

To edit the individual values of the settings for the task run schedule using the command line, execute the following command:

kess-control --set-schedule <task ID/name> <setting name>=<setting value> [<setting name>=<setting value>]

where:

• <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
• <setting name>=<setting value> is the name and value of one of the settings for the task schedule.

The values of the specified settings for the task run schedule are modified.

Page top

[Topic 264277]

Managing general application settings in the command line

General application settings define the operation of the application as a whole and the operation of individual functions.

You can manage general application settings using special management commands:

• Output the current values of general application settings to the console or to a configuration file.
• Edit general application settings using a configuration file containing all general settings, or using command line options in the <setting name>=<setting value> format.

Using general settings, you can:

• Configure the use of Kaspersky Security Network and the light version of anti-malware databases in the application.
• Configure the use of a proxy server in the application.
• Select the file operation interception mode (block or do not block files during a scan).
• Configure exclusions from the mount points scan (global exclusions).
• Configure exclusions from the process memory scan.
• Enable or disable the detection of legitimate applications that intruders can use to compromise devices or data.
• Configure the use of event logs.
• Configure a limit on CPU resource usage by scan tasks (of the ODS type).
• Limit the number of user scan tasks that a non-privileged user can start simultaneously.

In this section Displaying general application settings Editing general application settings

Page top

[Topic 265722]

Displaying general application settings

You can output the current values of general application settings to the console or to a configuration file that you can use to edit task settings.

To output the current values of general application settings to the console, execute the following command:

kess-control --get-app-settings [--json]

where --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

To output the current values of general application settings to a configuration file, execute the following command:

kess-control --get-app-settings --file <configuration file path> [--json]

where:

• --file <configuration file path> is the path to the configuration file into which general settings of the application will be written. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
• --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

  Example: Display the general application settings to a file named kess_config.ini. Save the created file in the current directory: kess-control --get-app-settings --file kess_config.ini

Page top

[Topic 265724]

Editing general application settings

On the command line, you can edit the general application settings using the command kess-control --set-app-settings:

• You can edit all general settings using the configuration file that contains the general application settings. You can get the configuration file using the command for displaying general settings.
• You can edit individual settings using command line options in the <setting name>=<setting value> format. You can get the current values of general application settings using the command for displaying general settings.

To edit values of general application settings using a configuration file:

1. Output the general application settings to a configuration file.
2. Edit the values of the necessary parameters in the file and save the changes.
3. Execute the command:

   kess-control --set-app-settings --file <path to configuration file> [--json]

   where:

   • --file <path to configuration file> is the full path to the configuration file with the general application settings.
   • --json: specify this option if you are importing settings from a configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

All the values of the general settings defined in the file will be imported into the application.

To edit general application settings using command line options, execute the following command:

kess-control --set-app-settings <setting name>=<setting value> [<setting name>=<setting value>]

where <setting name>=<setting value> is the name and value of one of the general application settings.

The values of the specified general settings will be changed.

Page top

[Topic 264094]

Using filters to limit results of queries

A filter allows you to limit the query results when executing application management commands.

Filter conditions are specified using one or more logical expressions, which are combined using the logical operator and. Filter conditions must be enclosed in quotation marks:

"<field> <comparison operator> '<value>'"

"<field> <comparison operator> '<value>' and <field> <comparison operator> '<value>'"

where:

• <field> is the name of the field for the database.
• <comparison operator> is one of the following comparison operators:
  • > is "greater than"
  • < is "less than"
  • like matches the specified value When specifying a value, you can use % masks: for example, the logical expression "FileName like '%etc%'" sets the limitation "contains the text "etc" in the FileName field"
  • == is "equal to"
  • != is "not equal to"
  • >= is "greater than or equal to"
  • <= is "less than or equal to"
• <value> is the value of the field. The value must be enclosed in single quotation marks (').

  You can specify a date value as UNIX time (the number of seconds that have elapsed since 00:00:00 (UTC), January 1, 1970) or in YYYY-MM-DD hh:mm:ss format. The user specifies the date and time in the user's local time zone, and the application displays them in the same time zone.

You can use a filter in the following application management commands:

• Display information about certain current events of the application:

  kess-control -W --query "<filter conditions>"

• Display information about certain application events in the event log:

  kess-control -E --query "<filter conditions>"

• Display information about certain objects in the Backup:

  kess-control -B --query "<filter conditions>"

• Delete certain objects from the Backup:

  kess-control -B --mass-remove --query "<filter conditions>"

  Examples: Get information about events that contain the text "etc" in the FileName field: kess-control -E --query "FileName like '%etc%'" Display information about events with the ThreatDetected type: kess-control -E --query "EventType == 'ThreatDetected'" Display information about events with the ThreatDetected type, created by tasks of the ODS type: kess-control -E --query "EventType == 'ThreatDetected' and TaskType == 'ODS'" Get information about the events generated after the date specified in the UNIX time stamp system (the number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970): kess-control -E --query "Date > '1583425000'" Get information about the events generated after the date specified in YYYY-MM-DD hh:mm:ss format: kess-control -E --query "Date > '2022-12-22 18:52:45'" Get information about files in the Backup storage that have the High severity level: kess-control -B --query "DangerLevel == 'High'"

Page top

[Topic 265009]

Exporting and importing application settings

If Kaspersky Embedded Systems Security is managed via Kaspersky Security Center, importing settings is not supported.

Kaspersky Embedded Systems Security allows you to export and import all application settings for troubleshooting, verifying settings, or simplifying the application's configuration on other user devices. When exporting settings, all application settings (including encrypted connections scan settings, general application settings, and task settings) are saved in a configuration file. You can use this configuration file to import settings into the application.

The application must be launched when settings are imported or exported. After the settings are imported, the application must be restarted.

When importing or exporting settings from an older application version, new settings are set to default values. Importing settings to an older application version is not supported.

To export the application settings, execute the following command:

kess-control --export-settings --file <configuration file path> [--json]

where:

• --file <configuration file path> is the full path to the configuration file where the application settings will be saved.
• --json is specified to export the settings to the configuration file in JSON format. If the --json options is not specified, the settings will be exported to an INI file.

To import the application settings from the file, execute the following command:

kess-control --import-settings --file <configuration file path> [--json]

where:

• --file <configuration file path> is the full path to the configuration file from which you want to import settings into the application.
• --json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

When you import application settings from a file, the UseKSN and CloudMode settings are set to No. To start or resume the use of Kaspersky Security Network, set the value of the UseKSN setting to Basic or Extended. To enable cloud mode, you must set the CloudMode setting to Yes. Cloud mode is available if use of KSN is enabled.

After application settings are imported, internal task IDs may change. It is recommended to use task names to manage tasks.

Page top

[Topic 264128]

Managing user roles using the command line

Access to Kaspersky Embedded Systems Security functions via the command line is provided to users in accordance with their roles. A role is a set of rights and privileges for managing the application.

The four groups of system users are created in the operating system: kessadmin, kessuser, kessaudit, and nokess. When you assign an application role to a system user, the user is added to the corresponding group of roles (see the Roles table below). When you revoke a role from a user, this user is removed from the corresponding group of roles.

If no application role is assigned to a system user, that user belongs to a separate group of users without rights.

Thus, the roles correspond to the four groups of operating system users:

• kessadmin – the Administrator role
• kessuser – the User role
• kessaudit – the Auditor role
• nokess is assigned to a user if no other roles are assigned. In this case, the user belongs to a separate group of users without privileges

  User roles

  Role name	Role in application	OS user	Permissions
  Administrator	admin	kessadmin	Manage application settings and task settings. Manage application licensing. Assigning roles to users. Revoking user roles (the administrator has no right to revoke the admin role from himself). View and manage users' Storages.
  User	user	kessuser	Manage only user file scan tasks. Start and stop Update tasks. View reports for the tasks created by this user. View specific events that are common for all application users.
  Auditor	audit	kessaudit	Viewing application settings View application status. View all tasks, their settings, and start schedules. View all events. View all objects in Backup.
  —	—	nokess	No role is assigned in the application, no permissions.

In this section Viewing a list of users and roles Assigning a role to a user Revoking a user role

Page top

[Topic 197944]

Viewing a list of users and roles

To view a list of users and their roles, execute the following command:

kess-control [-U] --get-user-list

Page top

[Topic 197945]

Assigning a role to a user

To assign a role to a specific user, execute the following command:

kess-control [-U] --grant-role <role> <user>

Page top

[Topic 197946]

Revoking a user role

To revoke a role from a specific user, execute the following command:

kess-control [-U] --revoke-role <role> <user>

Page top

[Topic 263967]

Starting and stopping the application

After installing the Kaspersky Embedded Systems Security to a device, the application is started automatically. By default, the application then starts automatically when the operating system is booted (at the default level of execution for each operating system).

By default, when Kaspersky Embedded Systems Security is started, the following functional components of the application are started automatically:

• File Threat Protection.
• Device Control.
• Behavior Detection.
• Web Threat Protection—only if one of the supported browsers is installed in the operating system and local management of Web Threat Protection settings is allowed on the device (a policy is not applied or the "lock" is not set in the policy properties).
• Network Threat Protection—only if the Network Threat Protection settings on the device are defined through a policy. Network Threat Protection is enabled in the policy properties by default. If locally configured settings are applied on the device, Network Threat Protection is disabled by default.

When the application is started, service tasks are automatically started on the device to ensure the operation of additional application functions: the application activation function and the Backup function.

By default, the application also starts user tasks configured on the command line, for which the "after application startup" run mode (PS run mode) is configured.

If you stop the application, all tasks running on the device will be interrupted. Interrupted user tasks are not resumed automatically after the application is restarted.

In this Help section Starting and stopping the application using the Web Console Starting and stopping the application using the Administration Console Starting and stopping the application using the command line

Page top

[Topic 263953]

Starting and stopping the application using the Web Console

To start or stop the application remotely:

1. In the main window of the Web Console, select Assets (Devices) → Managed devices.

   The list of managed devices opens.

2. In the list, select the device on which you want to start or stop the application, and click the link with the device name to open the device properties window.
3. Select the Applications tab.
4. Select the Kaspersky Embedded Systems Security 3.4 for Linux check box.
5. Do one of the following:
   • To start the application, click the Start button.
   • To stop the application, click the Stop button.

You can monitor the application operation status by using the Protection status web widget in the Monitoring and reports / Dashboard window.

Page top

[Topic 263952]

Starting and stopping the application using the Administration Console

To start or stop the application on a client device:

1. In the Administration Console tree, in the Managed devices folder, select the administration group containing the necessary device.
2. In the workspace, select the Devices tab.
3. In the list of managed devices, select the device for which you want to start or stop the application. In the device context menu, select Properties.
4. In the Properties: <Device name> window, select the Applications section.

   The right part of the window displays a list of Kaspersky applications installed on the device.

5. Select Kaspersky Embedded Systems Security 3.4 for Linux.
6. Do one of the following:
   • To run the application, click the button to the right of the list of Kaspersky applications or select Start in the application context menu.
   • To stop the application, click the button to the right of the list of Kaspersky applications or select Stop in the application context menu.

Page top

[Topic 263951]

Starting and stopping the application using the command line

To run the application, the root account must be the owner of the following directories and only the owner must have write access to them: /var, /var/opt, /var/opt/kaspersky, /var/log/kaspersky, /opt, /opt/kaspersky, /usr/bin, /usr/lib, /usr/lib64.

Starting, restarting, and stopping Kaspersky Embedded Systems Security

To start the application, run the following command:

systemctl start kess

To stop the application, run the following command:

systemctl stop kess

To restart the application, run the following command:

systemctl restart kess

Monitoring the status of Kaspersky Embedded Systems Security

The Kaspersky Embedded Systems Security status is monitored by the watchdog service. The watchdog service is automatically launched when the application starts.

In the event of an application crash, a dump file is generated and the application is restarted automatically.

To export application settings, run the following command:

systemctl status kess

Page top

[Topic 264043]

Viewing the protection status of a device and information about application performance

You can view information about the protection status of a device, as well as the status of Kaspersky Embedded Systems Security and its components on the device.

You can get information about the protection status of a device in the following ways:

• In the Web Console or in the Administration Console, using the statuses of the client devices (OK, Critical, Warning). The device on which Kaspersky Security Center Network Agent is installed is a client device for Kaspersky Security Center. The status of a client device can change to Critical or Warning for the following reasons:
  • In accordance with the rules defined in Kaspersky Security Center. For example, the status changes if a security application is not installed on the device, a virus scan has not been performed in a long time, application databases are outdated, the license has expired, or the application is unstable. For more details on the reasons for changing statuses and configuring conditions for assigning statuses, refer to the Kaspersky Security Center Help system.
  • Kaspersky Security Center receives the device status from the managed application, i.e., from Kaspersky Embedded Systems Security.

    Receiving device status from a managed application must be enabled in Kaspersky Security Center in the lists of conditions for assigning the Critical and Warning statuses. Conditions for assigning device statuses are configured in the properties window of an administration group.

  For more details on client device statuses, refer to the Kaspersky Security Center Help system.

• In the Web Console or in the Administration Console, using the statuses of functional components of Kaspersky Embedded Systems Security on the device. In the properties of Kaspersky Embedded Systems Security installed on the device, a list of the functional components of the application is displayed. For each component, its status is displayed.
• On the command line, using the kess-control --app-info command. The command displays information about the operation of the application and the status of functional components and tasks of the application.

In this Help section Viewing the protection status of a device in the Web Console Viewing the protection status of a device in the Administration Console Viewing information about the operation of an application in the Web Console Viewing information about the operation of an application in the Administration Console Viewing information about the operation of an application in the command line Viewing application statistics Collecting system performance metrics

Page top