Kaspersky Embedded Systems Security for Linux
3.4.0
English

Contents

Configuring File Threat Protection in the Web Console

In the Web Console, you can manage File Threat Protection in the policy properties (Application settings Essential Threat Protection File Threat Protection).

File Threat Protection component settings

Setting

Description

File Threat Protection enabled / disabled

This toggle switch enables or disables File Threat Protection component on all managed devices.

The check toggle button is switched on by default.

File Threat Protection mode

In this drop-down list, you can select the File Threat Protection component mode:

  • Smart check (default value) – scan a file when there is an attempt to open it and scan it again when there is an attempt to close it if the file has been modified. If a process accesses and modifies a file multiple times in a certain period, the application scans the file again only when the process closes it for the last time.
  • When opened – scan the file on an attempt to open it for reading, execution, or modification.
  • When opened and modified – scan a file on an attempt to open it, and scan it again on an attempt to close it if the file has been modified.

First action

In this drop-down list, you can select the first action to be performed by the application on an infected object that has been detected:

  • Disinfect the object. A copy of the infected object will be moved to the Backup.
  • Remove the object. A copy of the infected object will be moved to the Backup.
  • Perform recommended action on the object, based on data about the danger level of the threat detected in the file and about the possibility of disinfecting it (default value).
  • Block access to the object.

Second action

In this drop-down list, you can select the second action to be performed by the application on an infected object, in case the first action is unsuccessful:

  • Disinfect the object. A copy of the infected object will be moved to the Backup.
  • Remove the object. A copy of the infected object will be moved to the Backup.
  • Perform recommended action on the object, based on data about the danger level of the threat detected in the file and about the possibility of disinfecting it.
  • Block access to the object (default value).

Scan scopes

Clicking the Configure scan scopes link opens the Protection scopes window.

Scan archives

This check box enables or disables scan of archives.

If the check box is selected, the application scans the archives.

To scan an archive, the application has to unpack it first, which may slow down scanning. You can reduce the duration of archive scans by enabling and configuring the Skip file that is scanned for longer than (sec) and Skip file larger than (MB) settings.

If the check box is cleared, the application does not scan the archives.

This check box is cleared by default.

Scan SFX archives

This check box enables or disables self-extracting archive scans. Self-extracting archives are archives that contain an executable extraction module.

If the check box is selected, the application scans self-extracting archives.

If the check box is cleared, the application does not scan self-extracting archives.

This check box is available if the Scan archives check box is unchecked.

This check box is cleared by default.

Scan mail databases

This check box enables or disables scans of mail databases of Microsoft Outlook, Outlook Express, The Bat!, and other mail applications.

If the check box is selected, the application scans mail database files.

If the check box is cleared, the application does not scan mail database files.

This check box is cleared by default.

Scan mail format files

This check box enables or disables scan of files of plain-text email messages.

If this check box is selected, the application scans plain-text messages.

If this check box is cleared, the application does not scan plain-text messages.

This check box is cleared by default.

Skip text files

Temporary exclusion of files in text format from scans.

If the check box is selected, the application does not scan text files if they are used by the same process within 10 minutes after the most recent scan. This setting makes it possible to optimize scans of application logs.

If the check box is cleared, the application will scan text files.

This check box is cleared by default.

Skip file that is scanned for longer than (sec)

In this field, you can specify the maximum time to scan a file, in seconds. After the specified time, the application stops scanning the file.

Available values: 0–9999. If the value is set to 0, the scan time is unlimited.

The default value is 60.

Skip file larger than (MB)

In this field, you can specify the maximum size of a file to scan, in megabytes.

Available values: 0–999999. If the value is set to 0, the application scans files of any size.

The default value is 0.

Log clean objects

This check box enables or disables logging of the ObjectProcessed event.

If this check box is selected, the application logs the ObjectProcessed event for all scanned objects.

If the check box is cleared, the application does not log the event.

This check box is cleared by default.

Log unprocessed objects

This check box enables or disables logging of the ObjectNotProcessed event if a file cannot be processed during scan.

If this check box is selected, the application logs the ObjectNotProcessed event.

If the check box is cleared, the application does not log the event.

This check box is cleared by default.

Log packed objects

This check box enables or disables logging of the PackedObjectDetected event for all packed objects that are detected.

If this check box is selected, the application logs the PackedObjectDetected event.

If the check box is cleared, the application does not log the event.

This check box is cleared by default.

Use iChecker technology

This check box enables or disables scan of only new and modified since the last scan files.

If the check box is selected, the application scans only new files or the files modified since the last scan.

If the check box is cleared, the application scans the files regardless of the creation or modification date.

The check box is selected by default.

Use heuristic analysis

This check box enables or disables heuristic analysis during an object scan.

The check box is selected by default.

Heuristic analysis level

If the Use heuristic analysis check box is selected, you can select the heuristic analysis level in the drop-down list:

  • Light is the least detailed scan with minimal system load.
  • Medium is a medium scan with balanced system load.
  • Deep is the most detailed scan with maximum system load.
  • Recommended (default value) is the optimal level recommended by Kaspersky experts. It ensures an optimal combination of quality of protection and impact on the performance of protected servers.

In this section

Protection scopes window

Add protection scope window

File Threat Protection exclusions
Page top
[Topic 261133]

Protection scopes window

The table contains the scan scopes. The application will scan files and directories located in the paths specified in the table. By default, the table contains one protection scope that includes all shared directories.

Protection scope settings

Setting

Description

Scope name

Scan scope name.

Path

Path to the directory that the application scans.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Move up button moves the selected item up in the table.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.

Page top
[Topic 276345]

Add protection scope window

In this window, you can add and configure protection scopes.

Protection scope settings

Setting

Description

Scope name

Field for entering the protection scope name. This name will be displayed in the table in the Scan scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application processes this protection scope during operation.

If this check box is cleared, the application does not process this protection scope during operation. You can later include this scope in the component settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

You can select the type of file system in the drop-down list:

  • Local (default value) – local directories. If this item is selected, you need to indicate the path to the local directory.
  • Mounted – Mounted remote or local directories. If this item is selected, you need to indicate the protocol or name of the file system.
  • Shared — The protected server's file system resources accessible via the Samba or NFS protocol.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.
  • All shared — All of the protected server's file system resources accessible via the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Shared or Mounted type is selected in the drop-down list of file systems.

Path

The entry field for specifying the path to the directory that you want to include in the protection scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default – the application scans all directories of the local file system.

This field is available if the Local type is selected in the drop-down list of file systems.

If the Local type is selected in the drop-down list of file systems, and the path is not specified, the application scans all directories of the local file system.

Name of shared resource

The field for entering the name of the file system shared resource where the directories that you want to add to the protection scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks for the objects that the application scans.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top

[Topic 276393]

File Threat Protection exclusions

A protection exclusion is a set of conditions. When these conditions are met, Kaspersky Embedded Systems Security does not scan the objects for viruses and other malware. You can also exclude objects by masks and threat names, and configure exclusions for processes.

In the Web Console, you can configure File Threat Protection exclusions in the policy properties (Application settings Essential Threat ProtectionFile Threat Protection exclusions).

Settings of protection exclusions

Setting

Description

Exclusion scopes

Clicking the Configure exclusions link opens the Exclusion scopes window. In this window, you can define the list of protection exclusions.

Exclusions by mask

Clicking the Configure exclusions by mask link opens the Exclusions by mask window. In this window, you can configure the exclusion of objects from scans by name mask.

Exclusions by threat name

Clicking the Configure exclusions by threat name link opens the Exclusions by threat name window. In this window, you can configure the exclusion of objects from scans based on threat name.

Exclusions by process

Clicking the Configure exclusions by process link opens the Exclusions by process window. In this window, you can exclude the activity of processes.

Page top

[Topic 275087]

Exclusion scopes window

This table contains scan exclusion scopes. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from scan.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 197613]

Add exclusion scope window

In this window, you can add and configure exclusion scopes.

Exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables the exclusion of the scope when the application is running.

If the check box is selected, the application excludes this scope from scan or protection during its operation.

If the check box is cleared, the application includes this scope in scan or protection during its operation. You can later exclude this scope from scan or protection by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

In this drop-down list, you can select the type of file system where the directories that you want to add to scan exclusions are located:

  • Local, for local directories.
  • Mounted, for remote directories mounted on the device.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Mounted type is selected in the drop-down list of file systems.

Path

Entry field for the path to the directory that you want to add to the exclusion scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default. The application excludes all directories of the local file system from scan.

This field is available if the Local type is selected in the drop-down list of file systems.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the exclusion scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks of the objects that the application excludes from scan. Masks are only applied to objects in the directory specified in the Path field.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

 

Page top

[Topic 248957]

Exclusions by mask window

You can configure the exclusion of objects from scans based on name mask. The application will not scan files whose names contain the specified mask. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

Page top
[Topic 202356]

Exclusions by threat name window

You can configure the exclusion of objects from scans based on threat name. The application will not block the specified threats. By default, the list of threat names is empty.

You can add, edit, and delete threat names.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected threat from the exclusion list.

This button is available if at least one threat name is selected in the list.

Clicking the threat name in the table opens the Threat name window. In this window, you can edit the name of the threat to be excluded from a scan.

Clicking the Add button opens the Threat name window. In this window, you can define the name of the threat to be excluded from a scan.

Page top
[Topic 246682]

Exclusions by process window

The table contains the exclusion scopes for exclusion by process The exclusion scope for exclusion by process lets you exclude from scans the activity of the indicated process and files modified by the indicated process. By default, the table includes two exclusion scopes that contain paths to the Network Agents. You can remove these exclusions, if necessary.

Exclusion scope settings for exclusion by process

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Full path to excluded process.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Page top
[Topic 249195]

Trusted process window

In this window, you can add and configure exclusion scopes for exclusion by process.

Exclusion scope settings

Setting

Description

Process-based exclusion scope name

Field for entering the Process-based exclusion scope name. This name will be displayed in a table in the Exclusions by process window.

The entry field must not be blank.

Use / Do not use this exclusion

This toggle button enables or disables this scan scope exclusion.

The check toggle button is switched on by default.

Apply to child processes

Exclude child processes of the excluded process indicated by the Path to excluded process setting.

This check box is cleared by default.

Path to excluded process

Full path to the process you want to exclude from scans.

File system, access protocol, and path

This group of settings lets you set scan exclusions for files modified by the process.

In the drop-down list of file systems, you can select the type of file system of the directories to be excluded from scans:

  • Local, for local directories.
  • Mounted – mounted directories.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

     

The Access protocol drop-down list is available if the Mounted type is selected in the drop-down list of file systems.

Path

In the input field, you can enter the path to the directory that you want to add to the exclusion scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

This field is available if the Local type is selected in the drop-down list of file systems.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the exclusion scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks of the objects that the application excludes from scan. Masks are applied to objects only inside the directory indicated in the File system, access protocol, and path block.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

 

Page top

[Topic 276346]