Kaspersky Embedded Systems Security for Linux
3.4.0
English

Contents

Behavior Detection

The Behavior Detection component allows you to monitor for any malicious activity from applications in the operating system. When malicious activity is detected, Kaspersky Embedded Systems Security can terminate the process of the application that performs malicious activity.

The Behavior Detection component is enabled automatically with the default settings when Kaspersky Embedded Systems Security starts.

You can enable, disable, and configure Behavior Detection:

  • Select an action to be performed by Kaspersky Embedded Systems Security upon detecting malicious activity in the operating system: inform the user or block the application that performs malicious activity.
  • Exclude process activity from scans.

In this Help section

Configuring Behavior Detection in the Web Console

Configuring Behavior Detection in the Administration Console

Configuring Behavior Detection in the command line
Page top
[Topic 265714]

Configuring Behavior Detection in the Web Console

In the Web Console, you can configure Behavior Detection settings in the policy properties (Application settings Advanced Threat Protection Behavior Detection).

Behavior Detection component settings

Setting

Description

Behavior Detection enabled / disabled

This toggle button enables or disables the Behavior Detection component.

The check toggle button is switched on by default.

Action on malware activity detection

The action to be performed by Kaspersky Embedded Systems Security upon detecting malicious activity in the operating system:

  • Inform user. Kaspersky Embedded Systems Security does not terminate the process that performs malicious activity; it only records the detection of malicious activity in the event log.
  • Block the application that performs malicious activity (default value). Kaspersky Embedded Systems Security terminates the process that performs malicious activity and logs information about the detected malicious activity.

Exclusions by process

Clicking the Configure exclusions by process link opens the Exclusions by process window. In this window, you can exclude the activity of processes.

Page top

[Topic 197647]

Exclusions by process window

The table contains the exclusion scopes for exclusion by process The exclusion scope for exclusion by process lets you exclude the activity of the indicated process and files modified by the indicated process. By default, the table is empty.

Exclusion scope settings for exclusion by process

Setting

Description

Exclude / Do not exclude trusted processes from scans

The switch enables or disables the configured exclusions by process in the operation of the Behavior Detection component.

The toggle button is switched off by default.

Exclusion scope name

Exclusion scope name.

Path

Full path to excluded process.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

You can also import the list of exclusions from a file by clicking Import and export the list of added exclusions to a file by clicking Export. When importing, you will be prompted to replace the list of exclusions or add the exclusions to the existing list.

Page top
[Topic 197235]

Adding a process exclusion scope window

In this window, you can add and configure exclusion scopes for exclusion by process.

Exclusion scope settings

Setting

Description

Process-based exclusion scope name

Field for entering the Process-based exclusion scope name. This name will be displayed in a table in the Exclusions by process window.

The entry field must not be blank.

Use this exclusion

This check box enables or disables this scan scope exclusion when the application is running.

The check box is selected by default.

Path to excluded process

Full path to the process you want to exclude from scans. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The entry field must not be blank.

Apply to child processes

Exclude child processes of the excluded process indicated by the Path to excluded process setting.

This check box is cleared by default.

Page top

[Topic 237043]

Configuring Behavior Detection in the Administration Console

In the Administration Console, you can configure Behavior Detection settings in the policy properties (Advanced Threat Protection Behavior Detection).

Behavior Detection component settings

Setting

Description

Enable Behavior Detection

This check box enables or disables the Behavior Detection component.

The check box is selected by default.

Action on malware activity detection

The action to be performed by Kaspersky Embedded Systems Security upon detecting malicious activity in the operating system:

  • Block the application that performs malicious activity (default value). Kaspersky Embedded Systems Security terminates the process that performs malicious activity and logs information about the detected malicious activity.
  • Inform user. Kaspersky Embedded Systems Security does not terminate the process that performs malicious activity; it only records the detection of malicious activity in the event log.

Use exclusions by process

This check box enables or disables exclusions by process in the operation of the Behavior Detection component.

This check box is cleared by default.

The Configure button opens the Exclusions by process window. In this window, you can exclude the activity of processes.

Page top

[Topic 197287]

Exclusions by process window

The table contains the exclusion scopes for exclusion by process The exclusion scope for exclusion by process lets you exclude the activity of an indicated process. By default, the table is empty.

Exclusion scope settings for exclusion by process

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Full path to excluded process.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

You can also import the list of exclusions from a file by clicking Advanced -> Import and export the list of added exclusions to a file by clicking Advanced -> Export selected or Advanced -> Export all. When importing, you will be prompted to replace the list of exclusions or add the exclusions to the existing list.

Page top

[Topic 197974]

Trusted process window

In this window, you can add and configure exclusion scopes for exclusion by process.

Exclusion scope settings for exclusion by process

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in a table in the Exclusions by process window.

Path to excluded process

Full path to the process you want to exclude from scans. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The entry field must not be blank.

Apply to child processes

Exclude child processes of the excluded process indicated by the Path to excluded process setting.

This check box is cleared by default.

Use this scope

The check box enables or disables this exclusion scope.

If this check box is selected, the application excludes this scope.

If this check box is cleared, the application includes this scope. You can later exclude this scope by selecting the check box.

The check box is selected by default.

Page top

[Topic 237210]

Configuring Behavior Detection in the command line

You can manage application Behavior Detection in the operating system via the command line by using the Behavior_Detection predefined task.

The Behavior Detection task runs by default. You can start and stop the task manually.

You can configure Behavior Detection by editing the settings of the Behavior Detection predefined task.

Behavior Detection task setting

Setting

Description

Values

TaskMode

Action performed by the application when malicious activity is detected in the operating system.

Block (default value) – terminate the process of the application performing malicious activity.

Notify – do not terminate the process performing malicious activity; only log detection of malicious activity in the event log.

UseTrustedPrograms

Excluding processes from scans.

Yes – do not scan the activity of the indicated processes.

No (default value) – scan all processes.

The [TrustedPrograms.item_#] section contains processes that are excluded from scans. Kaspersky Embedded Systems Security does not monitor the activity of the specified processes.

ProgramPath

Path to excluded process.

<full path to process> – Do not scan the process in the indicated local directory. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

ApplyToDescendants

Exclude child processes of the excluded process specified by the ProgramPath setting from scans.

Yes – exclude the specified process and all its child processes from scans.

No (default value) – exclude only the specified process from scans, do not exclude its child processes from scans.

ProgramDesc

Description of the excluded process.

 

UseTrustedProgram

Enables the exclusion of the specified process from scanning.

Yes (default value) - enable exclusion of the specified process from scanning.

No - do not exclude the specified process from scanning.

Page top

[Topic 197655]