Contents
- Advanced application settings
- Configuring a proxy server
- Configuring global exclusions
- Exclude process memory from scans
- Selecting the interception mode for file operations
- Configuring detection of applications that hackers can use to harm
- Enabling application stability monitoring
- Configuring application startup settings
- Limiting the use of resident memory by the application
- Limiting the use of memory and processor resources
- Limiting the number of Custom Scan tasks
- Configuring the transfer of data to Kaspersky Security Center storage
- Configuring permissions for task management
- Enabling or disabling monitoring of namespaces
Advanced application settings
You can configure the following additional application settings:
- Using a proxy server in the application.
- Global exclusions to exclude mount points from file operation interception for the File Threat Protection and Anti-Cryptor components and the Malware Scan, Critical Areas Scan, and Removable Drives Scan tasks.
- Exclude process memory from scans.
- File operations interception mode.
- Detection of legitimate applications that intruders can use to compromise devices or data.
- Application stability monitoring.
- Application startup settings.
- Limit on the use of memory and processor resources for scan tasks.
- Limit on the use of resident memory by the application.
- Limit on the number of Custom Scan tasks that a non-privileged user can start simultaneously.
- Settings for the transfer of data to the Kaspersky Security Center storage.
- Task management permissions.
- Enabling or disabling namespace scanning.
Configuring a proxy server
You can configure proxy server settings if the users of the client devices use a proxy server to connect to the internet. The Kaspersky Embedded Systems Security application can use a proxy server to connect to Kaspersky activation servers, to update sources for databases and application modules, to Kaspersky Security Network, and when verifying website certificates using the Web Threat Protection component.
The proxy server is disabled by default.
If you use an activation code to activate devices in an isolated network segment without internet access, you can use Kaspersky Security Center Administration Server as a proxy server for access to Kaspersky activation servers.
Configuring proxy server settings in the Web Console
In the Web Console, you can configure use of a proxy server in the policy properties (Application settings → General settings → Proxy server settings).
Proxy server settings
Setting | Description |
---|---|
Do not use proxy server | If this option is selected, the application does not use a proxy server. |
Specify the proxy server settings | If you select this option, the application uses the specified proxy server settings to connect to Kaspersky activation servers, to update sources for databases and application modules, to Kaspersky Security Network, and when verifying website certificates using the Web Threat Protection component. |
Address | Field for entering the proxy server's IP address or domain name. This field is available if the Use the specified proxy server settings option is selected. |
Port | Field for entering the proxy server's port. Default value: 3128. This field is available if the Use the specified proxy server settings option is selected. |
Use proxy server authentication | Enables or disables proxy server authentication using a user name and password. This check box is available if the Use the specified proxy server settings option is selected. This check box is cleared by default. When connecting via an HTTP proxy, we recommend using a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised. |
User name | Entry field for the user name used for proxy server authentication. The entry field is available if the Use proxy server authentication check box is selected. |
Edit | Allows you to specify a password for authenticating on the proxy server. The Password field cannot be edited. By default, the password is empty. To specify a password, click Edit. In the window that opens, enter the password and click OK. It is recommended to make sure that the password complexity and anti-bruteforce mechanisms ensure that the password cannot be guessed within 6 months. Clicking the Show button in the window displays the password in clear text in the password entry window. The button is available if the Use proxy server authentication check box is selected. |
Use Kaspersky Security Center as a proxy server for application activation | Enables or disables the use of Kaspersky Security Center Administration Server as a proxy server for accessing Kaspersky activation servers. This is necessary when activating the application in an isolated network segment without internet access using an activation code. If this check box is selected, the application gains access to activation servers via the Administration Server that has internet access. This check box is cleared by default. |
Configuring proxy server settings in the Administration Console
In the Administration Console, you can configure the use of a proxy server in the policy properties (General settings → Proxy server settings).
Proxy server settings
Setting | Description |
---|---|
Do not use proxy server | If this option is selected, the application does not use a proxy server. |
Specify the proxy server settings | If you select this option, the application uses the specified proxy server settings to connect to Kaspersky activation servers, to update sources for databases and application modules, to Kaspersky Security Network, and when verifying website certificates using the Web Threat Protection component. |
Address and port | Fields for entering the proxy server's IP address or domain name as well as its port. Default port: 3128. These fields are available if the Use the specified proxy server settings option is selected. |
Use proxy server authentication | This check box enables or disables proxy server authentication using a user name and password. This check box is available if the Use the specified proxy server settings option is selected. This check box is cleared by default. When connecting via an HTTP proxy, we recommend using a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised. |
User name | Entry field for the user name used for proxy server authentication. The entry field is available if the Use proxy server authentication check box is selected. |
Password | Entry field for entering the user password for proxy server authentication. It is recommended to make sure that the password complexity and anti-bruteforce mechanisms ensure that the password cannot be guessed within 6 months. Clicking the Show button causes the user's password to be displayed in clear text in the Password field. By default, the user password is hidden and is displayed as asterisks. The text box and the button are available if the Use proxy server authentication check box is selected. |
Use Kaspersky Security Center as a proxy server for application activation | Enables or disables the use of Kaspersky Security Center Administration Server as a proxy server for accessing Kaspersky activation servers. This is necessary when activating the application in an isolated network segment without internet access using an activation code. If this check box is selected, the application gains access to activation servers via the Administration Server that has internet access. This check box is cleared by default. |
Configuring proxy server settings in the command line
You can enable or disable the use of a proxy server by application components in the command line with the help of the UseProxy and ProxyServer settings in the general application settings.
You can edit the setting using command line options or a configuration file that contains all general application settings.
The UseProxy setting can take the following values:
- Yes: enable the use of a proxy server.
- No: disable the proxy server.
The ProxyServer setting lets you specify proxy server settings in the following format: <connection protocol>://[<user>[:<password>]@]<proxy server address>[:<port>], where:
- <user> is a user name for proxy server authentication.
- <password> is a user password for proxy server authentication.
- <proxy server address> is the IP address or domain name of the proxy server.
- <port> is the proxy server port.
Connecting to a proxy server over HTTPS is not supported.
When connecting via an HTTP proxy, we recommend using a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.
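A lint for the UseProxy and ProxyServer values described above, as an added example that is not part of the Kaspersky documentation or product. The function names are hypothetical, the sample values are constructed, and IPv6 literal addresses are not handled.

```python
import re

# Format given in the text:
#   <connection protocol>://[<user>[:<password>]@]<proxy server address>[:<port>]
PROXY_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?:(?P<user>[^:@/\s]+)(?::(?P<password>[^@/\s]*))?@)?"
    r"(?P<host>[^:@/\s]+)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def parse_proxy_server(value):
    """Split a ProxyServer value into its parts; raise ValueError if malformed."""
    m = PROXY_RE.match(value.strip())
    if not m:
        raise ValueError("ProxyServer does not match the documented format")
    parts = m.groupdict()
    parts["scheme"] = parts["scheme"].lower()
    if parts["port"] is not None:
        parts["port"] = int(parts["port"])
        if not 1 <= parts["port"] <= 65535:
            raise ValueError("proxy port out of range: %d" % parts["port"])
    return parts


def redact(value):
    """Return the ProxyServer value with the password masked, for logs and tickets."""
    p = parse_proxy_server(value)
    cred = ""
    if p["user"]:
        cred = p["user"] + (":***" if p["password"] is not None else "") + "@"
    port = ":%d" % p["port"] if p["port"] else ""
    return "%s://%s%s%s" % (p["scheme"], cred, p["host"], port)


def lint_proxy_settings(settings):
    """Check UseProxy/ProxyServer against the rules stated in the text."""
    use_proxy = settings.get("UseProxy", "No")  # the proxy is disabled by default
    if use_proxy not in ("Yes", "No"):
        return ["UseProxy must be Yes or No, got %r" % use_proxy]
    if use_proxy == "No":
        return []
    raw = settings.get("ProxyServer", "")
    if not raw:
        return ["UseProxy=Yes but ProxyServer is empty"]
    try:
        p = parse_proxy_server(raw)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if p["scheme"] == "https":
        # The text states that connecting to a proxy over HTTPS is not supported.
        findings.append("HTTPS proxy connections are not supported")
    elif p["scheme"] != "http":
        findings.append("scheme %r is not described in the documentation" % p["scheme"])
    if p["user"]:
        # The text warns that the HTTP proxy connection is insecure.
        findings.append(
            "credentials cross an unencrypted HTTP hop: use a dedicated proxy-only account"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    sample = {"UseProxy": "Yes", "ProxyServer": "http://svc-kess:S3cret@10.0.0.5:3128"}
    print(redact(sample["ProxyServer"]))
    for finding in lint_proxy_settings(sample):
        print("finding:", finding)
```

Use redact() whenever a ProxyServer value is written to a ticket or log, because the password is part of the setting value itself.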
Configuring global exclusions
You can configure exclusion of mount points from file operation interception for the File Threat Protection and Anti-Cryptor components, as well as from scanning by the Malware Scan and Critical Areas Scan tasks. Exclusion of mount points allows you to exclude local or remote directories mounted on a device from interception of file operations. In addition, global exclusions affect the Removable Drives Scan task.
Configuring global exclusions in the Web Console
In the Web Console, you can configure use of global exclusions in the policy properties (Application settings → General settings → Global exclusions).
The table in the Global exclusions section contains mount points to be excluded from file operation interception.
The Path column displays the paths to the excluded mount points. The table is empty by default.
Adding a mount point exclusion window
Mount point settings
Setting | Description |
---|---|
File system, access protocol, and path | In this drop-down list, you can select the type of file system where the directories that you want to add to scan exclusions are located: |
Access protocol | You can select the remote access protocol in the drop-down list: This drop-down list is available if the Mounted type is selected in the drop-down list of file systems. |
Path | Field for entering the path to the mount point that you want to exclude from file operation interception. You can use masks to specify the path. This field is available if the Local type is selected in the drop-down list of file systems. |
Name of shared resource | The field for entering the name of the file system shared resource, where the directories that you want to add to the file operation interception exclusions are located. The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list. |
Configuring global exclusions in the Administration Console
In the Administration Console, you can configure use of global exclusions in the policy properties (General settings → Global exclusions).
The Excluded mount points group of settings contains a Configure button. Clicking this button opens the Excluded mount points window.
The list in the window contains the paths to the excluded mount points. By default, the list is empty.
You can add, edit, and delete items in the list.
Mount point path window
Mount point settings
Setting | Description |
---|---|
File system, access protocol, and path | The settings block lets you set the location of the mount point. In the drop-down list of file systems, you can select the type of file system where the directories that you want to add to scan exclusions are located: If Mounted is selected in the drop-down list of file systems, you can select the remote access protocol in the drop-down list on the right: If Local is selected in the drop-down list of file systems, then in the input field you can enter a path to a mount point that you want to exclude from file operation interception. You can use masks to specify the path. |
Filesystem name | The field for entering the name of the file system where the directories that you want to exclude from file operation interception are located. The field is available if the Mounted type is selected in the drop-down list of file systems and the Custom item is selected in the drop-down list on the right. |
Configuring global exclusions in the command line
You can define mount point exclusions in the command line via the ExcludedMountPoint.item_# option in the general application settings.
You can edit the setting using command line options or a configuration file that contains all general application settings.
The ExcludedMountPoint.item_# option accepts the following values:
- AllRemoteMounted: Exclude all remote directories mounted on the device using SMB and NFS protocols from file operation interception.
- Mounted:NFS: Exclude all remote directories mounted on the device using the NFS protocol from file operation interception.
- Mounted:SMB: Exclude all remote directories mounted on the device using the SMB protocol from file operation interception.
- Mounted:<file system type>: Exclude all mounted directories with the specified file system type from file operation interception.
- /mnt: Exclude objects in the /mnt mount point (including subdirectories) from file operation interception. This directory is used as the temporary mount point for removable drives.
- <path that contains the /mnt/user* or /mnt/**/user_share>: Exclude objects in mount points whose names contain the specified mask from file operation interception.
You can specify several mount points to exclude from scanning.
Mount points must be specified in the same way as they are displayed in the mount command output.
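To review how much of a host a set of ExcludedMountPoint.item_# values removes from file operation interception, the values can be matched against mount output. This is an added example, not Kaspersky code; it assumes that "*" stays within one path component and "**" spans several, that NFS means the nfs/nfs4 file system types and SMB means cifs/smb3/smbfs, and the sample mount output is constructed.

```python
import re

# Linux `mount` prints: <source> on <mount point> type <fstype> (<options>)
MOUNT_LINE = re.compile(
    r"^(?P<src>.+?) on (?P<target>/.*?) type (?P<fstype>\S+) \((?P<opts>.*)\)$"
)

# Assumption: kernel file system type names taken to mean "NFS" and "SMB".
NFS_TYPES = {"nfs", "nfs4"}
SMB_TYPES = {"cifs", "smb3", "smbfs"}

# Constructed sample, in the format of real `mount` output.
SAMPLE_MOUNT_OUTPUT = """\
/dev/sda1 on / type ext4 (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev)
fileserver:/export/home on /srv/home type nfs4 (rw,relatime,vers=4.2)
//nas01/share on /mnt/team/user_share type cifs (rw,relatime,vers=3.0)
/dev/sdb1 on /mnt/usb0 type vfat (rw,nosuid,nodev)
"""


def parse_mount_output(text):
    """Return [(mount point, fstype)] for every parsable line of mount output."""
    mounts = []
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if m:
            mounts.append((m["target"], m["fstype"]))
    return mounts


def mask_to_regex(mask):
    """Translate a path or mask into a regex that also covers subdirectories."""
    out, i = [], 0
    while i < len(mask):
        if mask.startswith("**", i):      # assumption: spans directory levels
            out.append(".*")
            i += 2
        elif mask[i] == "*":              # assumption: stays within one component
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(mask[i]))
            i += 1
    return re.compile("^" + "".join(out) + "(/.*)?$")


def rule_matches(rule, target, fstype):
    """Apply one ExcludedMountPoint.item_# value to one mount."""
    if rule == "AllRemoteMounted":
        return fstype in NFS_TYPES | SMB_TYPES
    if rule == "Mounted:NFS":
        return fstype in NFS_TYPES
    if rule == "Mounted:SMB":
        return fstype in SMB_TYPES
    if rule.startswith("Mounted:"):
        return fstype == rule.split(":", 1)[1]
    return bool(mask_to_regex(rule.rstrip("/")).match(target))


def audit_exclusions(mount_text, rules):
    """Return {mount point: [rules that exclude it]} for every excluded mount."""
    excluded = {}
    for target, fstype in parse_mount_output(mount_text):
        hits = [r for r in rules if rule_matches(r, target, fstype)]
        if hits:
            excluded[target] = hits
    return excluded


def unmatched_rules(mount_text, rules):
    """Rules that match no current mount: stale entries or paths that differ
    from how the mount point appears in the mount output."""
    mounts = parse_mount_output(mount_text)
    return [r for r in rules if not any(rule_matches(r, t, f) for t, f in mounts)]


if __name__ == "__main__":
    rules = ["Mounted:NFS", "/mnt/**/user_share", "/media/backup"]
    for target, hits in audit_exclusions(SAMPLE_MOUNT_OUTPUT, rules).items():
        print("not intercepted:", target, "because of", hits)
    print("rules matching nothing:", unmatched_rules(SAMPLE_MOUNT_OUTPUT, rules))
```

Broad values such as AllRemoteMounted or /mnt show up here as several excluded mount points at once, which makes the scope of each rule visible before it is deployed in a policy.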
Exclude process memory from scans
You can exclude process memory from scans. The application does not scan the memory of the specified processes.
Configuring exclusions in the Web Console
In the Web Console, you can configure excluding process memory from scans in the policy properties (Application settings → General settings → Application settings).
Clicking Configure exclusion of process memory from scans under Exclude process memory from scans opens the Exclude process memory from scans window, where you can create a list of exclusions.
The list in the Exclude process memory from scans window contains the paths to processes that the application excludes from process memory scanning. You can use masks to specify the path. By default, the list is empty.
You can add, edit, and delete items in the list.
Configuring exclusions in the Administration Console
In the Administration Console, you can configure excluding process memory from scans in the policy properties (General settings → Excluding process memory).
Clicking Configure under Exclude process memory from scans opens a window where you can create a list of exclusions.
The list in the Exclude process memory from scans window contains the paths to processes that the application excludes from process memory scanning. You can use masks to specify the path. By default, the list is empty.
You can add, edit, and delete items in the list.
Configuring exclusions on the command line
You can configure excluding process memory from scans in the command line using the MemScanExcludedProgramPath.item_# option in the general application settings.
You can edit the setting using command line options or a configuration file that contains all general application settings.
MemScanExcludedProgramPath.item_# contains the full path to the process in the local directory. You can use masks to specify the path.
You can specify several processes to exclude from scanning.
Selecting the interception mode for file operations
The file operation interception mode affects the File Threat Protection and Device Control components.
- For the duration of the scan, the application can block access to files that are being scanned by the File Threat Protection component. By default, access is blocked: any access to the scanned file must wait until the scan results are in. If the scan detects no threats in the file, the application allows access to the file. When detecting infected objects, the application takes the actions specified in the First action (FirstAction) and Second action (SecondAction) settings for File Threat Protection.
  You can choose not to block access to files that are being scanned by the File Threat Protection component. In that case, the scan is performed asynchronously.
- The application can block access to files on the device while the Device Control component is deciding if access to the device can be granted. By default, access is blocked: any access to files on the managed device must wait until the scan results are in. The application allows access to files if after the scan, Device Control allows access to the device that contains the files.
  You can disable file access blocking on the device monitored by the Device Control component. In that case, Device Control determines if access to the device can be allowed in asynchronous mode.
Configuring in the Web Console
In the Web Console, you can configure the file operation interception mode in the policy properties (Application settings → General settings → Application settings, File operation interception mode section).
The Block access to files during scans check box enables or disables the blocking of access to files while they are being scanned by the File Threat Protection and Device Control components.
The check box is selected by default.
If the check box is cleared, access to any file is allowed for the duration of the scan, and the scan runs in asynchronous mode.
Configuring in the Administration Console
In the Administration Console, you can configure the file operation interception mode in the policy properties (General settings → Application settings, File operation interception mode section).
The Block access to files during scans check box enables or disables the blocking of access to files while they are being scanned by the File Threat Protection and Device Control components.
The check box is selected by default.
If the check box is cleared, access to any file is allowed for the duration of the scan, and the scan runs in asynchronous mode.
Configuring in the command line
You can configure the file operation interception mode in the command line using the FileBlockDuringScan setting in the general application settings.
You can edit the setting using command line options or a configuration file that contains all general application settings.
The FileBlockDuringScan option accepts the following values:
- Yes (default value): block access to files for the duration of the scan by the File Threat Protection and Device Control components.
- No: allow access to files during the scan. Requests to any file are allowed, and scanning is done asynchronously.
  This file operation interception mode has less impact on system performance, but there is a risk that a threat in a file will not be disinfected or deleted if the file can, for example, change its name during a scan before the application makes a decision on the status of the file.
Configuring detection of applications that hackers can use to harm
You can enable or disable detection of legitimate applications that intruders can use to compromise devices or data.
Configuring in the Web Console
In the Web Console, you can configure detection of legitimate applications that intruders can use to compromise devices or data in the policy properties (Application settings → General settings → Application settings, Scan settings section).
The Detect legitimate applications that intruders can use to compromise devices or data check box enables or disables detection of legitimate applications that intruders can use to compromise the device or data of the user.
This check box is cleared by default.
Configuring in the Administration Console
In the Administration Console, you can configure detection of legitimate applications that intruders can use to compromise devices or data in the policy properties (General settings → Application settings, Scan settings section).
The Detect legitimate applications that intruders can use to compromise devices or data check box enables or disables detection of legitimate applications that intruders can use to compromise the device or data of the user.
This check box is cleared by default.
Configuring in the command line
In the command line, you can enable or disable detection of legitimate applications that intruders can use to compromise devices or data by using the DetectOtherObjects setting in the general application settings.
You can edit the setting using command line options or a configuration file that contains all general application settings.
DetectOtherObjects accepts the following values:
- Yes: enable detection of legitimate applications that intruders can use to compromise devices or data.
- No: do not enable detection of legitimate applications that intruders can use to compromise devices or data.
Enabling application stability monitoring
You can enable or disable the Kaspersky Embedded Systems Security stability monitoring that lets you track the number of times the application terminates abnormally and notify the administrator about the unstable operation of the application.
Configuring in the Web Console
In the Web Console, you can enable or disable application stability monitoring in the policy properties (Application settings → General settings → Application settings, Advanced application settings section).
The Enable application stability monitoring check box enables or disables monitoring of the state of the Kaspersky Embedded Systems Security application.
This check box is cleared by default.
To apply the setting, you must restart the application.
If the application is unstable, the following message is displayed in the properties of the device with the installed application: <Number> abnormal halts of the application since <date and time>.
Configuring in the Administration Console
In the Administration Console, you can enable or disable application stability monitoring in the policy properties (General settings → Application settings, Advanced application settings section).
The Enable application stability monitoring check box enables or disables monitoring of the state of the Kaspersky Embedded Systems Security application.
This check box is cleared by default.
To apply the setting, you must restart the application.
If the application is unstable, the following message is displayed in the properties of the device with the installed application: <Number> abnormal halts of the application since <date and time>.
Configuring in the command line
On the command line, you can configure application stability monitoring using the TrackProductCrashes, ProductHealthLogFile, WarnThreshold, WarnAfter_#_crash and WarnRemovingThreshold settings in the kess.ini configuration file.
The TrackProductCrashes setting lets you enable or disable application stability monitoring. This setting can take the following values:
- Yes/true: enable application stability monitoring.
- No/false: do not enable application stability monitoring.
The ProductHealthLogFile setting lets you specify the path to a file used for application stability monitoring. Default value: /var/opt/kaspersky/kess/private/kess_health.log.
The WarnThreshold setting lets you set the time interval (in seconds) in which the application must experience the specified number of abnormal halts before displaying a notification about unstable operation. Default value: 3600 seconds.
The WarnRemovingThreshold setting lets you set the time interval (in seconds) after which the application's unstable status will be cleared. Default value: 86400 seconds.
The WarnAfter_#_crash setting lets you set the number of abnormal halts of the application that are required before displaying a notification about unstable application operation. The setting can take values from 0 to 10. Default value: 10. If the value is 0, an unstable application notification is not displayed.
Configuring application startup settings
You can configure the application startup settings.
Setting a limit in the Web Console
In the Web Console, you can configure the application startup settings in the policy properties (Application settings → General settings → Application settings, Application startup settings section).
Application startup settings
Setting | Description |
---|---|
Maximum consecutive unsuccessful attempts to start the application | The input field for the maximum number of consecutive unsuccessful attempts to start the application. Default value: 5. |
Maximum time to wait for application start (min) | The input field for the maximum time to wait for the application to start (in minutes), after which the kess process is restarted. Default value: 3. |
Setting a limit in the Administration Console
In the Administration Console, you can configure the application startup settings in the policy properties (General settings → Application settings, Application startup settings section).
Under Application startup settings, clicking the Configure button opens the Application startup settings window, in which you can edit the application startup settings (see the table below).
Application startup settings
Setting | Description |
---|---|
Maximum consecutive unsuccessful attempts to start the application | The input field for the maximum number of consecutive unsuccessful attempts to start the application. Default value: 5. |
Maximum time to wait for application start (min) | The input field for the maximum time to wait for the application to start (in minutes), after which the kess process is restarted. Default value: 3. |
Setting a limit on the command line
On the command line, you can configure application startup settings using the MaxRestartCount and StartupTimeout settings in the kess.ini configuration file.
The MaxRestartCount setting lets you set the maximum number of unsuccessful consecutive attempts to start the application. The setting can take values from 1 to 10. Default value: 5.
The StartupTimeout setting lets you set the maximum time to wait for the application to start (in minutes), after which the kess process will be restarted. The setting can take values from 1 to 60. Default value: 3.
Limiting the use of resident memory by the application
You can configure a limit on the application's use of resident memory. By default, the limit is set automatically.
Setting a limit in the Web Console
In the Web Console, you can enable or disable the resident memory usage limit in the policy properties (Application settings → General settings → Application settings, Advanced application settings section).
In the Advanced application settings section, the Configure memory usage link opens a window where you can configure the resident memory usage limit (see the table below).
Settings
Setting | Description |
---|---|
Resident memory usage by the application | In the drop-down list, you can select how to limit resident memory usage: |
Memory usage limit (%) | Input field for the memory usage limit (as a percentage). Default value: 50. |
Memory usage limit (MB) | Input field for the memory usage limit (in megabytes). Default value: 2000. |
Setting a limit in the Administration Console
In the Administration Console, you can configure the resident memory usage limit in the policy properties (General settings → Application settings).
In the Advanced application settings section, clicking the Configure button opens the Additional settings window, in which you can configure the resident memory usage limit (see the table below).
Settings
Setting | Description |
---|---|
Application memory usage | In the drop-down list, you can select how to limit resident memory usage: |
Memory usage limit (%) | Input field for the memory usage limit (as a percentage). Default value: 50. |
Memory usage limit (MB) | Input field for the memory usage limit (in megabytes). Default value: 2000. |
Setting a limit on the command line
In the command line, you can configure the resident memory usage limit using the MaxMemory setting in the kess.ini configuration file.
The MaxMemory setting can take the following values:
- off: the resident set size is not limited.
- <value>%: a value between 1 and 100, expressing a percentage of memory.
- <value>MB: a value in megabytes.
- lowest/<value>%/<value>MB: the smaller value between the value as a percentage and the value in megabytes.
- highest/<value>%/<value>MB: the larger value between the value as a percentage and the value in megabytes.
- auto: up to 50% of available memory, but not less than 2 GB and not more than 16 GB.
Default value: auto.
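How the MaxMemory forms listed above translate into an effective cap on a given host, as an added example that is not Kaspersky code. It assumes the percentage is taken of the host's total memory passed in as total_mb, and that 1 GB is 1024 MB; the function name is hypothetical.

```python
import re

MB_PER_GB = 1024  # assumption: the page's "GB" is read as 1024 MB

_PCT = r"(?P<pct>\d{1,3})%"
_MB = r"(?P<mb>\d+)MB"
_SINGLE = re.compile(r"^(?:%s|%s)$" % (_PCT, _MB))
_PAIR = re.compile(r"^(?P<mode>lowest|highest)/%s/%s$" % (_PCT, _MB))


def resolve_max_memory(value, total_mb):
    """Return the effective resident-memory cap in MB, or None for 'off'.

    total_mb is the amount of memory the percentage is applied to
    (assumption: the host's total memory).
    """
    value = value.strip()
    if value == "off":
        return None
    if value == "auto":
        # Up to 50% of memory, but not less than 2 GB and not more than 16 GB.
        half = total_mb * 50 // 100
        return max(2 * MB_PER_GB, min(half, 16 * MB_PER_GB))

    m = _PAIR.match(value) or _SINGLE.match(value)
    if not m:
        raise ValueError("unrecognised MaxMemory value: %r" % value)

    from_pct = None
    if m.group("pct") is not None:
        pct = int(m.group("pct"))
        if not 1 <= pct <= 100:
            raise ValueError("percentage must be between 1 and 100")
        from_pct = total_mb * pct // 100
    from_mb = int(m.group("mb")) if m.group("mb") is not None else None

    mode = m.groupdict().get("mode")
    if mode == "lowest":
        return min(from_pct, from_mb)
    if mode == "highest":
        return max(from_pct, from_mb)
    return from_pct if from_pct is not None else from_mb


if __name__ == "__main__":
    # Constructed host sizes, in MB.
    for total in (2048, 8192, 65536):
        print(total, "MB host, auto ->", resolve_max_memory("auto", total), "MB")
    print("lowest/50%/2000MB on 8192 MB ->", resolve_max_memory("lowest/50%/2000MB", 8192))
```

On a host with 2 GB of memory the auto value resolves to the full 2 GB, because the lower bound takes precedence over the 50% share.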
Limiting the use of memory and processor resources
You can set a limit on CPU usage for scan tasks. No limit is set by default. You can also configure memory usage limits for scan tasks. The default limit is 8192 megabytes.
Setting a limit in the Web Console
In the Web Console, you can enable and disable the CPU utilization limit and configure the memory usage limit for scan tasks in the policy properties (Application settings → General settings → Application settings, Performance section).
Settings
Setting | Description |
---|---|
Memory usage limit for scan tasks (MB) | Input field for the memory usage limit for scan tasks (in megabytes). Default value: 8192. |
Limit CPU usage by scan tasks (%) | The check box enables or disables the CPU utilization limit for the Malware Scan, Critical Areas Scan, and Inventory tasks. If the check box is selected, the maximum utilization of all processor cores will not exceed the number specified in Upper limit (%). This check box is cleared by default. |
Setting a limit in the Administration Console
In the Administration Console, you can enable and disable the CPU utilization limit and configure the memory usage limit for scan tasks in the policy properties (General settings → Application settings, Performance section).
Clicking Configure under Performance opens the Performance settings for scan tasks window, in which you can configure limits in the CPU and memory usage section (see table below).
Settings
Setting | Description |
---|---|
Limit CPU usage by scan tasks (%) | The check box enables or disables the CPU utilization limit for the Malware Scan, Critical Areas Scan, and Inventory tasks. If the check box is selected, the maximum utilization of all processor cores will not exceed the percentage specified in the field on the right. This check box is cleared by default. |
Memory usage limit for scan tasks (MB) | Input field for the memory usage limit for scan tasks (in megabytes). Default value: 8192. |
Setting a limit on the command line
On the command line, you can configure CPU usage limits for tasks of certain types (ODS and InventoryScan) using the UseOnDemandCPULimit and OnDemandCPULimit settings in the general application settings.
You can edit the setting using command line options or a configuration file that contains all general application settings.
UseOnDemandCPULimit accepts the following values:
- Yes: enable the CPU usage limit for ODS and InventoryScan tasks.
- No: disable the CPU usage limit for tasks.
The OnDemandCPULimit option sets the maximum utilization level for all processor cores (as a percentage) when running ODS and InventoryScan tasks. The option accepts values between 10 and 100. Default value: 100.
On the command line, you can configure memory usage limits for certain task types (ODS and InventoryScan) using the ScanMemoryLimit setting in the kess.ini configuration file. Default value: 8192.
Limiting the number of Custom Scan tasks
You can set a limit on the number of custom scan tasks that a non-privileged user can simultaneously run on a device. There is no limit on the number of tasks that a user with root privileges can run.
Setting a limit in the Web Console
In the Web Console, you can limit the number of custom scan tasks that an unprivileged user can simultaneously run on the device in the policy properties (Application settings → General settings → Application settings, Performance section).
Clicking the Configure the maximum number of custom scan tasks link in the Performance section opens a window in which you can specify a value between 0 and 100,000 in the Maximum number of custom scan tasks field. Default value: 0. If 0 is specified, a non-privileged user cannot start custom scan tasks.
Setting a limit in the Administration Console
In the Administration Console, you can limit the number of custom scan tasks that an unprivileged user can simultaneously run on the device in the policy properties (General settings → Application settings, Performance section).
Clicking the Configure button in the Performance section opens the Performance settings for scan tasks window, in which you can specify a value from 0 to 100,000 in the Number of custom scan tasks section, Maximum number of custom scan tasks field. Default value: 0. If 0 is specified, a non-privileged user cannot start custom scan tasks.
Setting a limit on the command line
You can configure the limit on the number of concurrent custom scan tasks on the command line using the LimitNumberOfScanFileTasks setting in the general application settings.
You can edit the setting using command line options or a configuration file that contains all general application settings.
LimitNumberOfScanFileTasks accepts values from 0 to 100000. If 0 is specified, a non-privileged user cannot start custom scan tasks. Default value: 5.
Configuring the transfer of data to Kaspersky Security Center storage
In Kaspersky Security Center, you can enable or disable the transfer of data about files in Backup, unprocessed files, and connected devices to the Kaspersky Security Center storage.
A general list of files placed in Backup by Kaspersky applications on client devices is kept in Kaspersky Security Center and is available in the Administration Console (Advanced → Repositories → Backup) and in the Web Console (Operations → Repositories → Backup).
Information about unprocessed files is displayed in the list of active threats in the Web Console (Operations → Repositories → Active threats) and in the Administration Console (Advanced → Repositories → Active threats).
Information about devices installed on or connected to a client device is displayed in the list of hardware in the Web Console (Operations → Repositories → Hardware) and in the Administration Console (Advanced → Repositories → Hardware). Data is transferred if Device Control is enabled.
Information about applications discovered on the client device is displayed in the list of applications in the Web Console (Operations → Third-party applications → Applications registry) and in the Administration Console (Advanced → Application management → Applications registry). Data is transferred if Application Control is enabled.
Enabling or disabling the transfer of data in the Web Console
In the Web Console, you can enable or disable the transfer of data to the Administration Server in the policy properties (Application settings → General settings → Storage settings, the Information sent to the Administration Server section).
Settings for the transfer of data to the Kaspersky Security Center storage
Setting | Description |
---|---|
About files in Backup | This check box enables or disables the transfer of data about files in Backup to the Administration Server. The check box is selected by default. |
About unprocessed files | This check box enables or disables sending notifications about files that were not processed during the scan to the Administration Server. The check box is selected by default. |
About installed devices | This check box enables or disables the transfer of data about devices installed on or connected to a client device to the Administration Server. The check box is selected by default. |
About applications found on the device | This check box enables or disables sending the list of applications that the Inventory task discovers on the client device to the Administration Server. The check box is selected by default. |
Enabling and disabling the transfer of data in the Administration Console
In the Administration Console, you can enable or disable the transfer of data to the Administration Server in the policy properties (General settings → Storage settings, the Information sent to the Administration Server section).
Clicking Configure in the Information sent to the Administration Server section opens the Data transfer settings window, in which you can enable or disable the transfer of data to the Administration Server.
Settings for the transfer of data to the Kaspersky Security Center storage
Setting | Description |
---|---|
About files in Backup | This check box enables or disables the transfer of data about files in Backup to the Administration Server. The check box is selected by default. |
About unprocessed files | This check box enables or disables sending notifications about files that were not processed during the scan to the Administration Server. The check box is selected by default. |
About installed devices | This check box enables or disables the transfer of data about devices installed on or connected to a client device to the Administration Server. The check box is selected by default. |
About applications found on the device | This check box enables or disables sending the list of applications that the Inventory task discovers on the client device to the Administration Server. The check box is selected by default. |
Configuring permissions for task management
You can define the following user permissions in Kaspersky Security Center:
- Viewing local tasks created in Kaspersky Embedded Systems Security. If the Kaspersky Security Center policy prohibits users from viewing and editing local tasks, information about the Scan_My_Computer, Critical_Areas_Scan, Inventory_Scan, Update, and Rollback tasks is not available.
- Viewing tasks created in Kaspersky Security Center on client devices
Configuring in the Web Console
In the Web Console, you can set the permission to view tasks in the policy properties (Application settings → Local Tasks → Task management).
Task management settings
Setting | Description |
---|---|
Allow users to view and manage local tasks | This check box allows or prohibits users from viewing local tasks created in Kaspersky Embedded Systems Security and managing these tasks on managed client devices. This check box is cleared by default. |
Allow users to view and manage tasks created through KSC | This check box allows or prohibits users from viewing tasks created in Kaspersky Security Center Web Console and managing these tasks on managed client devices. This check box is cleared by default. |
Configuring in the Administration Console
In the Administration Console, you can set the permission to view tasks in the policy properties (Local Tasks → Task management).
Task management settings
Setting | Description |
---|---|
Allow users to view and manage local tasks | This check box allows or prohibits users from viewing local tasks created in Kaspersky Embedded Systems Security and managing these tasks on managed client devices. This check box is cleared by default. |
Allow users to view and manage tasks created through KSC | This check box allows or prohibits users from viewing tasks created in Kaspersky Security Center and managing these tasks on managed client devices. This check box is cleared by default. |
Enabling or disabling monitoring of namespaces
You can enable or disable the use of the system namespace mechanism. This mechanism is used in container systems and sessions with mandatory access control in Astra Linux operating systems.
Configuring namespace monitoring in the Web Console
In the Web Console, you can enable or disable the namespace mechanism in the policy properties (Application settings → General settings → Container Scan settings).
The Namespace and container scan enabled / disabled toggle switch enables or disables the use of the namespace mechanism on supported operating systems.
The toggle switch is on by default.
Configuring namespace monitoring in the Administration Console
In the Administration Console, you can enable or disable the namespace mechanism in the policy properties (Application settings → General settings → Container Scan settings).
The Enable monitoring of namespaces and containers check box enables or disables the use of the namespace mechanism on supported operating systems.
The check box is selected by default.
Configuring namespace monitoring on the command line
You can enable or disable the use of the namespace mechanism on the command line by using the NamespaceMonitoring setting in the general application settings.
You can edit the setting using command line options or a configuration file that contains all general application settings.
The NamespaceMonitoring setting can take the following values:
- Yes (default value): enable the namespace mechanism.
- No: disable the namespace mechanism.
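The allowed values given in the command-line sections above (UseOnDemandCPULimit, OnDemandCPULimit, LimitNumberOfScanFileTasks, NamespaceMonitoring) can be checked against a settings file before it is applied to a device. The following is an added example, not Kaspersky code: the Key=Value file layout, the function names, and the sample values are assumptions constructed for illustration.

```python
import re

RULES = {  # allowed values as documented in the command-line sections of this page
    "UseOnDemandCPULimit": {"Yes", "No"},
    "OnDemandCPULimit": (10, 100),
    "LimitNumberOfScanFileTasks": (0, 100000),
    "NamespaceMonitoring": {"Yes", "No"},
}

# Constructed sample; the Key=Value layout of the settings file is an assumption.
SAMPLE = """\
# general application settings (constructed)
UseOnDemandCPULimit=No
OnDemandCPULimit=5
LimitNumberOfScanFileTasks=0
NamespaceMonitoring=No
"""

def parse_settings(text):
    """Return {key: value} from Key=Value lines; comments and other lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and not raw.lstrip().startswith(("#", ";")):
            settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return (setting, message) findings: invalid values first, then review notes."""
    findings = []
    for key, allowed in RULES.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, "not present in file"))
        elif isinstance(allowed, set):
            if value not in allowed:
                findings.append((key, f"expected Yes or No, got {value!r}"))
        elif not re.fullmatch(r"[0-9]+", value) or not allowed[0] <= int(value) <= allowed[1]:
            findings.append((key, f"expected {allowed[0]}-{allowed[1]}, got {value!r}"))
    if settings.get("UseOnDemandCPULimit") == "No":
        findings.append(("UseOnDemandCPULimit", "CPU limit for ODS and InventoryScan tasks is off"))
    if settings.get("LimitNumberOfScanFileTasks") == "0":
        findings.append(("LimitNumberOfScanFileTasks", "non-privileged users cannot start custom scans"))
    if settings.get("NamespaceMonitoring") == "No":
        findings.append(("NamespaceMonitoring", "namespace mechanism is disabled"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_settings(SAMPLE)), sep="\n")
```

The review notes flag values that are valid but change protection or resource behavior, so a reviewer can confirm they are intended.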