Kaspersky Endpoint Security 11.2.0 for Linux
- Distribution kit
- Hardware and software requirements
What's new
Installing the application
- Installing Kaspersky Endpoint Security using the command line
- Initial configuration of the application in interactive mode
- Initial configuration of the application in automatic mode
- Settings of the Kaspersky Endpoint Security initial setup configuration file
- Installing Network Agent using the command line
- Initial configuration of the Network Agent using the command line
- About Kaspersky Endpoint Security administration web plug-in
- Installing Kaspersky Endpoint Security via Kaspersky Security Center
  - Creating the application installation package
  - Autoinstall.ini configuration file settings
- Installing Kaspersky Endpoint Security using the Web Console
- Getting started using Kaspersky Security Center
- Activating the application using Kaspersky Security Center
- Running the application on Astra Linux in closed software environment mode
- Configuring permissive rules in the SELinux system
Updating the application from a previous version
- Updating the application from the command line
- Updating the application using Kaspersky Security Center
Uninstalling the application
- Uninstalling Kaspersky Endpoint Security using the command line
- Uninstalling the application using the Administration Console
- Uninstalling the application using Kaspersky Security Center Web Console
Application licensing
- About the End User License Agreement
- About the license
- About the license certificate
- About the license key
- About the activation code
- About the key file
- About subscription
About providing and processing data
Managing the application using the command line
- Starting and stopping the application
- Displaying Help on the commands
- Enabling the display of events
- Viewing information about the application
- Description of the application commands
- Using filters to limit query results
- Exporting and importing application settings
- Setting the application memory usage limit
- Application components integrity check
- General application settings
- Encrypted connections scan
  - Encrypted connections scan settings
  - Managing encrypted connections scan settings
- User roles
Managing application tasks using the command line
- View the list of tasks
- Creating a new task
- Editing task settings using a configuration file
- Editing task settings using the command line
- Resetting task settings to their default values
- Starting and stopping a task
- Managing scan scopes from the command line
- Managing exclusion scopes from the command line
- Viewing a task state
- Scheduling a task
- Deleting a task
File Threat Protection task (File_Threat_Protection, ID:1)
- Special considerations for scanning symbolic links and hard links
- File Threat Protection task settings
- Specifying an exclusion scope
Virus Scan task (Scan_My_Computer, ID:2)
- About the Virus Scan task
- Virus Scan task settings
Custom Scan task (Scan_File, ID:3)
- About the Custom Scan task
- Custom Scan task settings
Critical Areas Scan task (Critical_Areas_Scan, ID:4)
Update task (Update, ID:6)
- About update sources
- Update task settings
Rollback task (Rollback, ID:7)
Licensing task (License, ID:9)
- Adding an active key
- Adding a reserve key
- Removing an active key
- Removing a reserve key
Storage management task (Backup, ID:10)
- Storage management task settings
- Viewing IDs of the objects in the Storage
- Restoring objects from the Storage
- Removing objects from the Storage
System Integrity Monitoring task (System_Integrity_Monitoring, ID:11)
- On-access File Integrity Monitoring (OAFIM)
- On-demand File Integrity Monitoring (ODFIM)
- On-access File Integrity Monitoring task settings
- On-demand File Integrity Monitoring settings
Firewall Management task (Firewall_Management, ID:12)
- About network packet rules
- About dynamic rules
- About the predefined network zone names
- Firewall Management task settings
- Adding a network packet rule
- Deleting a network packet rule
- Changing the execution priority of a network packet rule
- Adding a network address to a zone section
- Deleting a network address from a zone section
Anti-Cryptor task (Anti_Cryptor, ID:13)
- About blocking access to devices
- Anti-Cryptor task settings
- Viewing the list of blocked devices
- Allowing blocked devices
Web Threat Protection task (Web_Threat_Protection, ID:14)
Device Control task (Device_Control, ID:15)
- About access rules
- Device Control task settings
- Viewing a list of connected devices in the command line
Removable Drives Scan task (Removable_Drives_Scan, ID:16)
Network Threat Protection task (Network_Threat_Protection, ID:17)
Container Scan task (Container_Scan, ID:18)
- Container scan task settings
- Integration with Jenkins
Custom Container Scan task (Custom_Container_Scan, ID:19)
Behavior Detection task (Behavior_Detection, ID:20)
Application Control task (Application_Control, ID:21)
- About Application Control rules
- Application Control task settings
- Viewing the list of created categories
Inventory Scan task (Inventory_Scan, ID:22)
- Inventory Scan task settings
- Viewing a list of detected applications
Participating in Kaspersky Security Network
- Enabling and disabling Kaspersky Security Network usage from the command line
- Checking the connection to Kaspersky Security Network using the command line
Integration with Kaspersky Managed Detection and Response
KESL container
- Deploying and activating KESL container
- Configuring KESL container
- Working with REST API
Events and reports
- Viewing events
- Viewing reports
Managing the application using Kaspersky Security Center Administration Console
- Starting and stopping the application on a client device
- Viewing the protection status of a device
- Viewing application settings
- Updating application databases and modules
  - Updating from a server repository
  - Updating using Kaspersky Update Utility
- Managing policies in the Administration Console
  - Creating a policy
  - Editing policy settings
- Policy settings
- Managing tasks in the Administration Console
- Task settings
- Configuring integration with Kaspersky Managed Detection and Response
- Configuring KESL container settings
- Manually checking the connection with the Administration Server. Klnagchk utility
- Manually connecting to the Administration Server. Klmover utility
Remote application administration using Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console
- Logging in and out of the Web Console and Cloud Console
- Starting and stopping the application on a client device
- Updating application databases and modules
- Viewing the protection status of a device
- Managing policies in the Web Console
- Policy settings
- Managing tasks in the Web Console
- Task settings
- Configuring integration with Kaspersky Managed Detection and Response
- Configuring KESL container settings
Managing application using graphical user interface
- Application interface
- Task management
- Configuring Kaspersky Security Network
- Viewing reports
- Viewing objects in the Storage
- Viewing licensing information
- Creating a trace file
Contact Technical Support
- How to get technical support
- Technical Support via Kaspersky CompanyAccount
- Contents and storage of trace files
- Contents and storage of dump files
Appendices
- Appendix 1. Resource consumption optimization
- Appendix 2. Default task configuration files
- Appendix 3. Command line return codes
- Appendix 4. Managing KESL container using REST API
- Appendix 5. Configuring interaction with Kaspersky Anti-Virus for Linux Mail Server
Sources of information about the application
Glossary
- Active key
- Active policy
- Administration group
- Administration Server
- Application activation
- Application databases
- Application settings
- Backup
- Database of malicious web addresses
- Database of phishing web addresses
- Exclusion
- False positive
- File mask
- Group policy
- Group task
- Infected object
- Kaspersky update servers
- License
- License certificate
- Object disinfection
- Policy
- Proxy server
- Reserve key
- Startup objects
- Subscription
- Trusted device
- Trusted zone
Information about third-party code
Trademark notices

Kaspersky Endpoint Security 11.2.0 for Linux

Kaspersky Endpoint Security 11.2.0 for Linux (hereinafter also referred to as Kaspersky Endpoint Security) protects computers running the Linux operating systems against malware. Threats can enter the system via network data links or from removable drives.

The application lets you:

Scan file system objects located on local disks of the computer, as well as mounted and shared resources, which are accessed via SMB and NFS protocols.
Scan objects in the file system both in real time using the File Threat Protection task and on demand using virus scan tasks.
Scan startup objects, boot sectors, process memory, and kernel memory.
Detect infected objects and neutralize detected threats.
Automatically select an action to neutralize the threat.
Save backup copies of files before disinfection or deletion and restore files from backups.
Manage tasks and configure their parameters.
Add keys and activate the program using activation codes.
Update the program with service packs.
Update application databases from Kaspersky update servers, via the Administration Server, or from a user-defined source by schedule or on demand.
Use application databases to detect and disinfect infected files. During the scan process, the program analyzes each file for the presence of a threat: it compares the file code with the code of a specific threat and looks for possible matches.
Monitor the integrity of the system or specified files and report changes. System Integrity Monitoring can be performed in continuous monitoring mode and in on-demand scan mode.
Manage the operating system firewall and, if necessary, restore the set of firewall rules that have been changed.
Protect files in local directories with network access via SMB / NFS from remote malicious encryption.
Analyze traffic sent to users' computers via HTTP / HTTPS and FTP and check if web addresses are malicious or phishing.
Configure flexible restrictions on access to data storage devices (hard disks, removable disks, CD / DVD drives), data transfer equipment (modems), data conversion devices (printers) and interfaces for connecting devices to computers (USB, FireWire).
Check removable drives when connected to a computer.
Check incoming network traffic for activity typical of network attacks.
Scan containers, images and namespaces, as well as use Kaspersky Endpoint Security as a container application (hereinafter referred to as KESL container).
Receive information about the actions of programs on the computer.
Configure encrypted connections scan settings.
Control the launch of programs on users' computers, which reduces the risk of computer infection by restricting access to programs.
Get information about all executable files of the applications installed on computers using the Inventory task, which can be useful, for example, for creating application control rules.
Participate in Kaspersky Security Network. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Endpoint Security to various threats, improves the performance of some protection components, and reduces the likelihood of false positives.
Configure integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response (MDR) to enable continuous search, detection and elimination of threats aimed at your organization.
Allow users without root permissions to manage the application functions.
Notify the administrator about events that occurred while the program was running.
Check the integrity of program components using the Integrity Checker utility.

You can manage Kaspersky Endpoint Security using the following methods:

Using application control commands from the command line.
Using Kaspersky Security Center Administration Console.
Using Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console.
Using a graphical user interface.

In the territory of the USA, the update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality will no longer be available in the application starting 12:00 AM Eastern Daylight Time (EDT) September 10, 2024 in compliance with trade restrictions.

In this Help section

Setting	Description	Values
EULA_AGREED	Required setting. Acceptance of the terms of the End User License Agreement.	`yes` – accept the terms of the End User License Agreement to continue installing the application. `no` – do not accept the End User License Agreement. The application installation will be interrupted
PRIVACY_POLICY_AGREED	Required setting. Acceptance of the Privacy Policy.	`yes` – accept the Privacy Policy to continue installing the application. `no` – do not accept the Privacy Policy. The application installation will be interrupted
USE_KSN	Acceptance of Kaspersky Security Network Statement.	`yes` – accept Kaspersky Security Network Statement. `no` – do not accept Kaspersky Security Network Statement.
LOCALE	Optional setting. The locale used for the application events sent to Kaspersky Security Center.	The locale in the format specified by RFC 3066. If the `Locale` setting is not specified, the operating system locale is used. If the application fails to determine the operating system localization language or the operating system localization is not supported, the default value will be used – `en_US.utf8`. The locale of the graphical interface and the application command line depends on the value of the LANG environment variable. If the locale that is not supported by Kaspersky Endpoint Security is specified as the value of the LANG environment variable, the graphical interface and the command line are displayed in English.
INSTALL_LICENSE	Activation code or key file.	No
UPDATER_SOURCE	Update source.	`SCServer` – use the Kaspersky Security Center Administration Server as the update source. `KLServers` – use Kaspersky servers as the update source. Update source address
PROXY_SERVER	Address of the proxy server used to connect to the Internet.	Proxy server address
UPDATE_EXECUTE	Start database update task during setup.	`yes` – start update task. `no` – do not start update task.
KERNEL_SRCS_INSTALL	Automatic start of kernel module compilation.	`yes` – compile kernel module. `no` – do not compile kernel module.
ADMIN_USER	A user to whom you can grant the administrator role (admin).	No

Comparison operator	Description
`>`	Greater than
`<`	Less than
`like`	Matches the specified value (when specifying the value, you can use masks %, see the example below)
`==`	Equal to
`!=`	Not equal to
`>=`	Greater than or equal to
`<=`	Less than or equal to

Setting	Description	Values
`SambaConfigPath`	Directory that stores the Samba configuration file. The Samba configuration file is required to ensure that the `AllShared` or `Shared:SMB` values can be used for the `Path` option.	The standard directory of the SAMBA configuration file on the computer is specified by default. Default value: /etc/samba/smb.conf. The application must be restarted after this setting is changed.
`NfsExportPath`	The directory where the NFS configuration file is stored. The NFS configuration file is required to ensure that the `AllShared` or `Shared:NFS` values can be used for the `Path` option.	The standard directory of the NFS configuration file on the computer is specified by default. Default value: /etc/exports. The application must be restarted after this setting is changed.
`CoreDumps`	Enables creation of a dump file when application failure occurs.	`Yes` (default value) – Create a dump file when application failure occurs. `No` – Do not create a dump file when application failure occurs.
`StartupTraces`	Enables generation of trace files at application startup.	`Yes` – Enable generation of trace files at application startup. `No` (default value) – Disable generation of trace files at application startup.
`TraceLevel`	Enables trace file generation and specifies the level of detail of the trace file.	`Detailed` – Generate a detailed trace file. `NotDetailed` – Generate a trace file that contains error messages. `None` (default value) — Do not generate a trace file.
`TraceFolder`	The directory that stores the application's trace files. Trace files contain information about the operating system, and may also contain personal data.	Default value: /var/log/kaspersky/kesl. If you specify a different directory, make sure that the account under which Kaspersky Endpoint Security is running has read/write permissions for this directory. Root privileges are required to access the default trace files directory. The application must be restarted after this setting is changed.
`TraceMaxFileCount`	Specifies the maximum number of application trace files.	`1–10000` The default value is `5`. The application must be restarted after this setting is changed.
`TraceMaxFileSize`	Specifies the maximum size of an application trace file (in megabytes).	`1–1000` The default value is `500`. The application must be restarted after this setting is changed.
`BlockFilesGreaterMaxFileNamePath`	Blocks access to files for which the full path length exceeds the defined settings value specified in bytes. If the length of the full path to the scanned file exceeds the value of this setting, virus scan tasks skip this file during scanning. This setting is not available for operating systems that use the fanotify technology.	`4096–33554432` The default value is `16384`.
`DetectOtherObjects`	Enable detection of legitimate software that could be used by intruders to harm computers or user data.	`Yes`— Enable detection of legitimate software that could be used by intruders to harm computers or user data. `No` (default value)— Disable detection of legitimate software that could be used by intruders to harm computers or user data.
`NamespaceMonitoring`	Enable scanning of namespaces and containers.	`Yes` (default value) — Enable scanning of namespaces and containers. `No` — Disable scanning of namespaces and containers.
`InterceptorProtectionMode`	Mode for intercepting files when the File Threat Protection task is running. This setting also affects the operation of the Anti-Cryptor, Device Control and Removable Drive Scan.	`Full` (default value) – block the files while they are being scanned by the task that uses the file interceptor. `Info` — do not block the files while they are being scanned by the task that uses the file interceptor. If the `Info` value is selected, your computer protection level is reduced.
`UseKSN`	Enables participation in Kaspersky Security Network.	`Basic` — Enable participation in Kaspersky Security Network without sending statistics. `Extended` — Enable participation in Kaspersky Security Network and send statistics. `No` (default value) — Disable participation in Kaspersky Security Network.
`UseMDR`	Enables Managed Detection and Response.	`Yes` – enable Managed Detection and Response. `No` (default value) – disable Managed Detection and Response.
`UseProxy`	Enable the use of proxy servers for Kaspersky Security Network, activation of the application, and updates.	`Yes` - enable the use of a proxy server. `No` (default) - Disable the use of a proxy server.
`ProxyServer`	Proxy server settings in the format `[user[:password]@]host[:port]`.	—
`MaxEventsNumber`	The maximum number of events stored by the application. When the specified number of events is exceeded, the application deletes the oldest events.	The default value is `500000`. If `0` is specified, events are not saved.
`LimitNumberOfScanFileTasks`	The maximum number of Scan_File tasks that a non-privileged user can simultaneously start on a computer. This setting does not limit the number of tasks that a user with root privileges can start.	`0–4294967295` The default value is `0`. If `0` is specified, a non-privileged user cannot start Scan_File tasks. If you installed the graphical user interface package when installing the application, the default value of the `LimitNumberOfScanFileTasks` parameter is set to `5`.
`UseSyslog`	Enable logging of information about events to syslog Root privileges are required to access syslog.	`Yes` — Enable logging of information about events to syslog. `No` (default value) — Disable logging of information about events to syslog.
`EventsStoragePath`	The database directory where the application saves information about events. Root privileges are required to access the default event database.	Default value: /var/opt/kaspersky/kesl/private/storage/events.db.
`ExcludedMountPoint.item_#`	The mount point to be excluded from the scan scope for the tasks that use a file operation interceptor (File Threat Protection and Anti-Cryptor). You can specify several mount points to be excluded from scans. Mount points must be specified in the same way as they are displayed in the `mount` command output. The `ExcludedMountPoint.item_#` setting is left unspecified by default.	`AllRemoteMounted` — Exclude all remote directories mounted on the computer using SMB and NFS protocols from file operation interception. `Mounted:NFS` — Exclude all remote directories mounted on the computer using the NFS protocol from file operation interception. `Mounted:SMB` — Exclude all remote directories mounted on the computer using the SMB protocol from file operation interception. `Mounted:<file system type>` — Exclude all mounted directories with the specified file system type from file operation interception. `/mnt` — Exclude objects in the /mnt mount point (including subdirectories) from file operation interception. This directory is used as the temporary mount point for removable drives. `<path that contains the` `/mnt/user` `or` `/mnt//user_share>` — Exclude objects in mount points whose names contain the specified mask from file operation interception. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir//file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.

Setting	Description	Values
`OnAccessContainerScanAction`	Action to be performed on a container when an infected object is detected. This setting is only available if the application is activated under Kaspersky Hybrid Cloud Security Enterprise license. The action performed on a container when an infected object is detected also depends on the File Threat Protection task settings (see the table below). Actions on an infected object inside a container are described in the Container Scan task settings.	`StopContainerIfFailed` (default value) — Stop the container if an infected object cannot be disinfected or deleted. `StopContainer` — Stop the container when an infected object is detected. `Skip` — Do not perform any action on containers when an infected object is detected.
`UseDocker`	Use the Docker environment.	`Yes` (default value) — Use the Docker environment. `No` — Do not use the Docker environment.
`DockerSocket`	Docker socket path or URI (Universal Resource Identifier).	Default value: /var/run/docker.sock.
`UseCrio`	Use the CRI-O environment.	`Yes` (default value) — Use the CRI-O environment. `No` — Do not use the CRI-O environment.
`CrioConfigFilePath`	Path to the CRI-O configuration file.	Default value: /etc/crio/crio.conf.
`UsePodman`	Use the Podman utility.	`Yes` (default value) — Use the Podman utility. `No` — Do not use the Podman utility.
`PodmanBinaryPath`	Path to the Podman utility executable file.	Default value: /usr/bin/podman.
`PodmanRootFolder`	Path to the root directory of the container storage.	Default value: /var/lib/containers/storage.
`UseRunc`	Use the runc utility.	`Yes` (default value) — Use the runc utility. `No` — Do not use the utility.
`RuncBinaryPath`	Path to the runc utility executable file.	Default value: /usr/bin/runc.
`RuncRootFolder`	Path to the root directory of the container state storage.	Default value: /run/runc-ctrs.

Value of the FirstAction / SecondAction or the InterceptorProtectionMode setting	Action that the application performs on the container when the StopContainerIfFailed action is selected
`Disinfect`	Stop the container if disinfection of an infected object fails.
`Remove`	Stop the container if an infected object removal fails.
`Block`	Do not perform any action on containers when an infected object is detected.
`Info`	Do not perform any action on containers when an infected object is detected.

Setting	Description	Values

`EncryptedConnectionsScan`	Enables or disables encrypted traffic scan. For the FTP protocol, encrypted connections scan is disabled by default.	`Yes` (default value) — Enable encrypted connection scans. `No` — Disable encrypted connection scans. The application does not decrypt the encrypted traffic.
`EncryptedConnectionsScanErrorAction`	Specifies the action to perform when an encrypted connection scan error occurs on a website.	`AddToAutoExclusions` (default value) — Add the domain where an error occurred to the list of domains with scan errors. The application will not monitor encrypted network traffic when this domain is visited. `Disconnect` — Block the network connection.
`CertificateVerificationPolicy`	Specifies the way Kaspersky Endpoint Security checks certificates. If a certificate is self-signed, the application does not perform the additional verification.	`FullCheck` (default value) — The application uses the Internet to check and download the missing chains that are required to verify a certificate. `LocalCheck` — The application does not use the Internet to verify a certificate.
`UntrustedCertificateAction`	Specifies the action to perform when an encrypted connection scan error occurs on a website.	`Allow` (default value) — Allow network connections established while visiting a domain with an untrusted certificate. `Block` — Block network connections established while visiting a domain with an untrusted certificate.
`ManageExclusions`	Enables or disables the use of the encrypted connection scan exclusions.	`Yes` — Do not scan websites specified in the `[Exclusions.item_#]` section. `No` (default value) — Scan all websites.
`MonitorNetworkPorts`	Specifies the way Kaspersky Endpoint Security monitors network ports.	`Selected` (default value) — Monitor only network ports specified in the `[NetworkPorts.item_#]` section (see below). `All` — Monitor all network ports. Specifying this value may significantly increase an operating system load.
The [Exclusions.item_#] section contains domains excluded from scans. The application does not scan encrypted connections established when visiting specified domains.
`DomainName`	Specifies the domain name. You can use masks to specify the domain.	The default value is not defined.
The [NetworkPorts.item_#] section contains the network ports monitored by the application.
`PortName`	Network port description.	The default value is not defined.
`Port`	Network port numbers to be monitored by the application.	`1` – `65535` The default value is not defined.

Role name	Role in application	OS user	Permissions
Administrator	admin	kesladmin	Manage all application and task settings. Manage application licensing. Assigning roles to users. Revoking user roles (the administrator has no right to revoke the admin role from himself). View and manage users' Storages.
User	user	kesluser	Manage only Scan_File tasks. Start and stop Update tasks. View reports for the tasks created by this user. View specific events that are common for all application users.
Auditor	audit	keslaudit	Viewing application settings View application status. View all tasks, their settings, and start schedules. View all events. View all objects in the Storage.
—	—	nokesl	No role is assigned in the application, no permissions.

Task	Task name in the command line	Task ID	Task type
File Threat Protection	File_Threat_Protection	1	OAS
Virus scan	Scan_My_Computer	2	ODS
Custom Scan	Scan_File	3	ODS
Critical Areas Scan	Critical_Areas_Scan	4	ODS
Update	Update	6	Update
Rollback	Rollback	7	Rollback
Licensing	License	9	License
Storage management	Backup	10	Backup
System Integrity Monitoring	System_Integrity_Monitoring	11	OAFIM
Firewall Management	Firewall_Management	12	Firewall
Anti-Cryptor	Anti_Cryptor	13	AntiCryptor
Web Threat Protection	Web_Threat_Protection	14	WTP
Device Control	Device_Control	15	DeviceControl
Removable Drives Scan	Removable_Drives_Scan	16	RDS
Network Threat Protection	Network_Threat_Protection	17	NTP
Container Scan	Container_Scan	18	ContainerScan
Custom Container Scan	Custom_Container_Scan	19	ContainerScan
Behavior Detection	Behavior_Detection	20	BehaviorDetection
Application Control	Application_Control	21	AppControl
Inventory Scan	Inventory_Scan	22	InventoryScan

Setting	Description	Values

`UseExcludeMasks`	Enables monitoring scope exclusions for objects specified by the `ExcludeThreats.item_#` setting. This setting only applies if a value is specified for the `ExcludeMasks.item_#` setting.	`Yes` — Exclude objects specified by the `ExcludeMasks.item_#` setting from the monitoring scope. `No` (default value) — Do not exclude objects specified by the `ExcludeMasks.item_#` setting from the monitoring scope.
`ExcludeMasks.item_#`	Excludes objects from monitoring by names or masks. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format. Before specifying a value for this setting, make sure that the `UseExcludeMasks` setting is enabled. You can specify several masks. Each mask must be specified on a new line with a new index.	The default value is not defined.
The [ScanScope.item_#] section contains the monitoring scopes of the System Integrity Monitoring task. At least one monitoring scope must be specified for the task. You can specify several [ScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of monitoring scope; contains additional information about the monitoring scope.	The default value is not defined.
`UseScanArea`	Enables monitoring of the specified scope.	`Yes` (default value) — Monitor the specified scope. `No` — Do not monitor the specified scope.
`Path`	Path to the monitoring directory.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. Default value: /opt/kaspersky/kesl/
`AreaMask.item_#`	Monitoring scope limitation. Within the monitoring scope, the application scans only the objects that are specified using the masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (all objects are monitored)
The [ExcludedFromScanScope.item_#] section contains the objects to be excluded from all [ScanScope.item_#] sections. The objects that match the rules of any [ExcludedFromScanScope.item_#] section will be excluded from monitoring. The format of the [ExcludedFromScanScope.item_#] section is similar to the format of the [ScanScope.item_#] section. You can specify several [ExcludedFromScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ExcludedFromScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of the monitoring exclusion scope, which contains additional information about the monitoring exclusion scope.	The default value is not defined.
`UseScanArea`	Excludes the specified scope from monitoring.	`Yes` (default value) — Exclude the specified scope from monitoring. `No` — Do not exclude the specified scope from monitoring.
`Path`	Path to the directory with objects excluded from monitoring.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. The default value is not defined.
`AreaMask.item_#`	Limitation of monitoring exclusion scope. In the monitoring exclusion scope, the application only excludes the objects that are specified using masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (exclude all objects from monitoring)

Setting	Description	Values

`RebuildBaseline`	Enables rebuilding a baseline after the ODFIM task has finished.	`Yes` — Rebuild a baseline after the ODFIM task has finished. `No` (default value) — Do not rebuild a baseline after the ODFIM task has finished.
`CheckFileHash`	Enables hash check (SHA-256).	`Yes` — Enable hash check. `No` (default value) — Disable hash check.
`TrackDirectoryChanges`	Enables directory monitoring.	`Yes` — Monitor directories. `No` (default value) — Do not monitor directories.
`TrackLastAccessTime`	Enables tracking last file access time. In the Linux operating systems it is the `noatime` setting.	`Yes` — Track last file access time. `No` (default value) — Do not track last file access time.
`UseExcludeMasks`	Enables monitoring scope exclusions for objects specified by the `ExcludeMasks_#` setting. This setting only applies if a value is specified for the `ExcludeMasks_#` setting.	`Yes` — Exclude objects specified by the `ExcludeMasks_#` setting from the monitoring scope. `No` (default value) — Do not exclude objects specified by the `ExcludeMasks_#` setting from the monitoring scope.
`ExcludeMasks_#`	Excludes objects from monitoring by names or masks. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format. Before specifying a value for this setting, make sure that the `UseExcludeMasks` setting is enabled. You can specify several masks. Each mask must be specified on a new line with a new index.	The default value is not defined.
The [ScanScope.item_#] section contains the monitoring scopes of the System Integrity Monitoring task. At least one monitoring scope must be specified for the task. You can specify several [ScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of monitoring scope; contains additional information about the monitoring scope.	The default value is not defined.
`UseScanArea`	Enables monitoring of the specified scope.	`Yes` (default value) — Monitor the specified scope. `No` — Do not monitor the specified scope.
`Path`	Path to the monitoring directory.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. Default value: /opt/kaspersky/kesl/
`AreaMask.item_#`	Monitoring scope limitation. Within the monitoring scope, the application scans only the objects that are specified using the masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (all objects are monitored)
The [ExcludedFromScanScope.item_#] section contains the objects to be excluded from all [ScanScope.item_#] sections. The objects that match the rules of any [ExcludedFromScanScope.item_#] section will be excluded from monitoring. The format of the [ExcludedFromScanScope.item_#] section is similar to the format of the [ScanScope.item_#] section. You can specify several [ExcludedFromScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ExcludedFromScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of the monitoring exclusion scope, which contains additional information about the monitoring exclusion scope.	The default value is not defined.
`UseScanArea`	Excludes the specified scope from monitoring.	`Yes` (default value) — Exclude the specified scope from monitoring. `No` — Do not exclude the specified scope from monitoring.
`Path`	Path to the directory with objects excluded from monitoring.	You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. The default value is not defined.
`AreaMask.item_#`	Limitation of monitoring exclusion scope. In the monitoring exclusion scope, the application only excludes the objects that are specified using masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (exclude all objects from monitoring)

Setting	Description	Values

`DefaultIncomingAction`	The default action to perform on an inbound connection if no network rules apply to this connection type.	`Allow` (default value) — Allow inbound connections. `Block` — Block inbound connections.
`DefaultIncomingPacketAction`	The default action to perform on an incoming packet if no network packet rules apply to this connection type.	`Allow` (default value) — Allow incoming packets. `Block` — Block incoming packets.
`OpenNagentPorts`	Adds Network Agent dynamic rules to the network packet rules.	`Yes` (default value) – Add Network Agent dynamic rules to the network packet rules. `No` – Do not add Network Agent dynamic rules to the network packet rules.
The [PacketRules.item_#] section contains network packet rules for the Firewall Management task. You can specify several `[PacketRules.item_#]` sections in any order. The application processes the scopes by index in ascending order. Each `[PacketRules.item_#]` section contains the following settings:
`Name`	Network packet rule name.	Default value: `Packet rule #<n>`, where n is an index.
`FirewallAction`	Action to be performed on connections specified in this network packet rule.	`Allow` (default value) — Allow network connections. `Block` — Block network connections.
`Protocol`	Type of protocol for which network activity is to be monitored.	`Any` (default value) — The Firewall Management task monitors all network activity. `TCP` `UDP` `ICMP` `ICMPv6` `IGMP` `GRE`
`RemotePorts`	Port numbers of the remote devices whose connection is monitored. This setting can only be specified if the `Protocol` setting is set to `TCP` or `UDP`. An integer or interval can be specified for this setting.	`Any` (default value) — Monitor all remote ports. `0` – `65535`.
`LocalPorts`	Port numbers of the local devices whose connection is monitored. This setting can only be specified if the `Protocol` setting is set to `TCP` or `UDP`. An integer or interval can be specified for this setting.	`Any` (default value) — Monitor all local ports. `0` – `65535`.
`ICMPType`	ICMP packet type. This setting can only be specified if the `Protocol` setting is set to `ICMP` or `ICMPv6`.	`Any` (default value) — Monitor all ICMP packet types. Integer number according to the data transfer protocol specification.
`ICMPCode`	ICMP packet code. This setting can only be specified if the `Protocol` setting is set to `ICMP` or `ICMPv6`.	`Any` (default value) — Monitor all ICMP packet codes. Integer number according to the data transfer protocol specification.
`Direction`	Direction of the monitored network activity.	`IncomingOutgoing` or `InOut` (default value) — Monitor both inbound and outbound connections. `Incoming` or `In` — Monitor inbound connections. `Outgoing` or `Out` — Monitor outbound connections. `IncomingPacket` or `InPacket` — Monitor incoming packets. `OutgoingPacket` or `OutPacket` — Monitor outgoing packets. `IncomingOutgoingPacket` or `InOutPacket` — Monitor both incoming and outgoing packets.
`RemoteAddress`	The network addresses of the remote devices that can send and receive network packets.	`Any` (default value) — Monitor network packets sent and/or received by remote devices with any IP address. `Trusted` — Predefined network zone for trusted networks. `Local` — Predefined network zone for local networks. `Public` — Predefined network zone for public networks. `d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64.
`LocalAddress`	Network addresses of devices that have Kaspersky Endpoint Security installed and can send and/or receive network packets.	`Any` (default value) — Monitor network packets sent and/or received by local devices with any IP address. `d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64.
`LogAttempts`	Specify whether you want the actions of the network rule to be included in the report.	`Yes` — Include actions in the report. `No` (default value) — Do not include actions in the report.
The [NetworkZonesPublic] section contains network addresses associated with public networks. You can specify several IP addresses or subnets of IP addresses.
`Address.item_#`	Specifies IP addresses or subnets of IP addresses.	`d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64. Default value: "" (no network addresses in this zone)
The [NetworkZonesLocal] section contains network addresses associated with local networks. You can specify several IP addresses or subnets of IP addresses.
`Address.item_#`	Specifies IP addresses or subnets of IP addresses.	`d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64. Default value: "" (no network addresses in this zone)
The [NetworkZonesTrusted] section contains network addresses associated with trusted networks. You can specify several IP addresses or subnets of IP addresses.
`Address.item_#`	Specifies IP addresses or subnets of IP addresses.	`d.d.d.d` — IPv4 address, where d is a decimal number from 0 to 255. `d.d.d.d/p` — Subnet of IPv4 addresses, where p is a number from 0 to 32. `x:x:x:x:x:x:x:x` — IPv6 address, where x is a hexadecimal number from 0 to ffff. `x:x:x:x::0/p` — Subnet of IPv6 addresses, where p is a number from 0 to 64. Default value: "" (no network addresses in this zone)

Setting	Description	Values

`UseHostBlocker`	Enables untrusted hosts blocking. If untrusted hosts blocking is disabled, the application still scans the actions of the remote devices on network file resources for malicious encryption when the Anti-Cryptor task is running. If malicious activity is detected, the EncryptionDetected event is created, but the attacking device is not blocked.	`Yes` (default value): enable untrusted hosts blocking. `No`: disable untrusted hosts blocking.
`BlockTime`	The time an untrusted device is blocked (in minutes). If a compromised host is blocked, and you change a value for the `BlockTime` setting, the blocking time for this host will not change. The blocking time is not a dynamic value, and is calculated at the moment of blocking.	Integer from 1 to 4294967295. Default value: 30.
`UseExcludeMasks`	Enables protection scope exclusions for objects specified by the `ExcludeMasks.item_#` setting. This setting only applies if a value is specified for the `ExcludeMasks.item_#` setting.	`Yes` — Exclude objects specified by the `ExcludeMasks.item_#` setting from the protection scope. `No` (default value) — Do not exclude objects specified by the `ExcludeMasks.item_#` setting from the protection scope.
`ExcludeMasks.item_#`	Excludes objects from the protection scope by names or masks. You can use this setting to exclude an individual file from the specified protection scope by name or exclude several files at once using masks in the shell format. Before specifying a value for this setting, make sure that the `UseExcludeMasks` setting is enabled. If you want to specify several masks, specify each mask on a new line with a new index.	The default value is not defined.
The [ScanScope.item_#] section contains the scopes protected by the application. For the Anti-Cryptor task, you need to specify at least one protection scope; you can only specify shared directories. You can specify several [ScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of protection scope; contains additional information about the protection scope.	Default value: `All shared directories`.
`UseScanArea`	Enables protection of the specified scope. To run the task, enable protection of at least one scope.	`Yes` (default value) — Protect the specified scope. `No` — Do not protect the specified scope.
`AreaMask.item_#`	Protection scope limitation. In the protection scope, the application protects only the objects that are specified using the masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (protect all objects)
`Path`	Path to the directory with the objects to be protected.	`<path to local directory>` – Protect a local directory accessible via SMB/NFS. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. `AllShared` (default value) — Protect all resources accessible via SMB/NFS. `Shared:SMB` — Protect resources accessible via SMB. `Shared:NFS` — Protect resources accessible via NFS.
The [ExcludedFromScanScope.item_#] section contains the objects to be excluded from all [ScanScope.item_#] sections. The objects that match the rules of any [ExcludedFromScanScope.item_#] section are not scanned. The format of the [ExcludedFromScanScope.item_#] section is similar to the format of the [ScanScope.item_#] section. You can specify several [ExcludedFromScanScope.item_#] sections in any order. The application processes the scopes by index in ascending order. The [ExcludedFromScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of the protection exclusion scope, which contains additional information about the exclusion scope.	Default value: `All objects`.
`UseScanArea`	Excludes the specified scope from protection.	`Yes` (default value) — Exclude the specified scope from protection. `No` — Do not exclude the specified scope from protection.
`AreaMask.item_#`	Limitation of the protection exclusion scope. In the exclusion scope, the application excludes only the objects that are specified using masks in the shell format. You can specify several `AreaMask.item_#` items in any order. The application processes the scopes by index in ascending order.	Default value: `*` (exclude all objects).
`Path`	Path to the directory with objects excluded from protection.	`<path to local directory>` — Exclude objects in the specified directory from protection. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name. `Mounted:NFS`– Exclude the remote directories mounted on a client device using the NFS protocol from protection. `Mounted:SMB`– Exclude the remote directories mounted on a client device using the Samba protocol from protection. `AllRemoteMounted`– Exclude all remote directories mounted on a client device using the Samba and NFS protocols from protection.

Setting	Description	Values
`ActionOnDetect`	Specifies the action to be performed upon detection of an infected object in web traffic.	`Notify` — Allow the detected object to be downloaded, display a notification about the blocked access attempt, and log information about the infected object. `Block` (default value) — Block access to the detected object, display a notification about the blocked access attempt, and log information about the infected object.
`CheckMalicious`	Specifies whether links will be checked against the database of malicious web addresses.	`Yes` (default value) — Check if the links are listed in the malicious links database. `No` — Do not check if the links are listed in the malicious links database.
`CheckPhishing`	Specifies whether links will be checked against the database of phishing web addresses.	`Yes` (default value) — Check if the links are listed in the phishing links database. `No` — Do not check if the links are listed in the phishing links database.
`UseHeuristicForPhishing`	Specifies whether heuristic analysis must be used to scan web pages for phishing links.	`Yes` (default value) — Use heuristic analysis to detect phishing links. If this value is specified, the level of heuristic analysis is `Light` (the least thorough scan with minimal load on the system). You cannot change the heuristic analysis level for the Web Threat Protection task. `No` — Do not use heuristic analysis to detect phishing links.
`CheckAdware`	Specifies whether links must be checked against the database of adware web addresses.	`Yes` — Check if the links are listed in the adware links database. `No` (default value) — Do not check if the links are listed in the adware links database.
`CheckOther`	Specifies whether links must be checked against the database of web addresses that contain legal software that may be used by criminals to damage your computer or personal data.	`Yes` — Check if the links are listed in the database of web addresses that contain legal software that may be used by intruders to damage your computer or personal data. `No` (default value) — Do not check if the links are listed in the database of web addresses that contain legal software that may be used by intruders to damage your computer or personal data.
`UseTrustedAddresses`	Enables or disables the usage of a list of trusted web addresses. The application does not analyze information from trusted web addresses to check them for viruses or other dangerous objects. You can specify trusted web addresses using the `TrustedAddresses.item_#` setting.	`Yes` (default value) — Use a list of trusted web addresses. `No` — Do not use a list of trusted web addresses.
`TrustedAddresses.item_#`	Specifies trusted web addresses. You can use masks to specify web addresses. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. To exclude the mount point `/dir`, you need to specifically indicate `/dir` (no asterisk). The mask `/dir/` excludes all mount points at the level below `/dir` but not `/dir` itself. The `/dir/*` mask excludes all mount points below the level of `/dir` but not `/dir` itself. You can use a single `?` character to represent any one character in the file or directory name. Masks are not supported to specify IP addresses.	The default value is not defined.

Setting	Description	Values
`BlockAttackingHosts`	Enables or disables blocking of network activity from attacking computers.	`Yes` (default value) — Block network activity from attacking computers. `No` — Allow network activity from attacking computers.
`BlockDurationMinutes`	Specifies how long attacking computers will be blocked (in minutes).	`1` – `32768` The default value is `60`.
`UseExcludeIPs`	Enables or disables the usage of a list of IP addresses whose network activity will not be blocked when a network attack is detected. The application will only log information about dangerous activity from these computers. You can add IP addresses to the exclusion list by using the `ExcludeIPs.item_#` parameter. By default, the list is empty.	`Yes` — Use the list of excluded IP addresses. `No` (default value) — Do not use the list of excluded IP addresses.
`ExcludeIPs.item_#`	Specifies an IP address whose network activity will not be blocked by the application.	d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255. d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32. x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff. x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64. The default value is not defined.

Setting	Description	Values

`AppControlMode`	Application Control task operation mode.	`AllowList` – Kaspersky Endpoint Security prevents users from launching any applications that are not specified in the application control rules. `DenyList` (default value) – Kaspersky Endpoint Security allows users to launch any applications that are not specified in the application control rules.
`AppControlRulesAction`	Action performed by Kaspersky Endpoint Security when a user attempts to launch an application prohibited by the application control rules.	`ApplyRules` (default value) – Kaspersky Endpoint Security applies Application Control rules and performs the action specified in the rules. `TestRules` – Kaspersky Endpoint Security tests the rules and generates an event about the detection of an application that meets the rule.
The [Categories.item_#] section contains the following settings:
`Name`	Name of the created application category to which the rule applies.
`UseIncludes`	Usage of inclusive conditions to trigger the rule.	`Yes` – apply the rule to the application if the application meets at least one inclusive condition. `No` (default value) – do not apply the rule to the application, even if the application meets the inclusive conditions.
`IncludeFileNames.item_#`	Name of the executable file that triggers the rule. You can use masks to specify the file name. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. To exclude the mount point `/dir`, you need to specifically indicate `/dir` (no asterisk). The mask `/dir/` excludes all mount points at the level below `/dir` but not `/dir` itself. The `/dir/*` mask excludes all mount points below the level of `/dir` but not `/dir` itself. You can use a single `?` character to represent any one character in the file or directory name.
`IncludeFolders.item_#`	Name of the directory with the application's executable file that triggers the rule. You can use masks to specify the directory name. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. To exclude the mount point `/dir`, you need to specifically indicate `/dir` (no asterisk). The mask `/dir/` excludes all mount points at the level below `/dir` but not `/dir` itself. The `/dir/*` mask excludes all mount points below the level of `/dir` but not `/dir` itself. You can use a single `?` character to represent any one character in the file or directory name.
`IncludeHashes.item_#`	Hash (SHA-256) of the executable file that triggers the rule.
`UseExcludes`	Usage of excluding conditions to trigger the rule.	`Yes` – do not apply the rule to the application if the application meets at least one exclusive condition or does not meet any of the inclusive conditions. `No` (default value) – apply the rule to the application, even if the application meets at least one exclusive condition.
`ExcludeFileNames.item_#`	Name of the executable file that triggers the rule. You can use masks to specify the file name. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. To exclude the mount point `/dir`, you need to specifically indicate `/dir` (no asterisk). The mask `/dir/` excludes all mount points at the level below `/dir` but not `/dir` itself. The `/dir/*` mask excludes all mount points below the level of `/dir` but not `/dir` itself. You can use a single `?` character to represent any one character in the file or directory name.
`ExcludeFolders.item_#`	Name of the directory with the application's executable file that triggers the rule. You can use masks to specify the directory name. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. To exclude the mount point `/dir`, you need to specifically indicate `/dir` (no asterisk). The mask `/dir/` excludes all mount points at the level below `/dir` but not `/dir` itself. The `/dir/*` mask excludes all mount points below the level of `/dir` but not `/dir` itself. You can use a single `?` character to represent any one character in the file or directory name.
`ExcludeHashes.item_#`	Hash (SHA-256) of the executable file that triggers the rule.
The [AllowListRules.item_#] section contains a list of application control rules for the `AllowList` operation mode. Each [AllowListRules.item_#] section contains the following settings:
`Description`	Description of the application control rule.
`AppControlRuleStatus`	Operation status of the application control rule.	`On` (default value) – the rule is enabled, Kaspersky Endpoint Security applies this rule when the Application Control task is running. `Off` – the rule is not used when the Application Control task is running. `Test` – Kaspersky Endpoint Security allows applications covered by the rule to be launched, but logs information about the launch of these applications in the report.
`Category`	Name of the created application category to which the rule applies. You can specify the "Golden Image" category.
The [AllowListRules.item_#.ACL.item_#] section contains a list of users who are allowed or denied to run applications.
`Access`	Access type assigned to a user or user group.	`Allow` (default value) — Allow running applications. `Block` – Deny running applications.
`Principal`	User or user group to which the Application Control rule applies.	`\Everyone` (default value): the rule applies to all users. `<user name>`: name of the user to whom the rule applies. `@<group name>`: name of the group of users to whom the rule applies.
The [DenyListRules.item_#] section contains a list of application control rules for the `DenyList` operation mode. Each [DenyListRules.item_#] section contains the following settings:
`Description`	Description of the application control rule.
`AppControlRuleStatus`	Operation status of the application control rule.	`On` (default value) – the rule is enabled, Kaspersky Endpoint Security applies this rule when the Application Control task is running. `Off` – the rule is not used when the Application Control task is running. `Test` – Kaspersky Endpoint Security allows applications covered by the rule to be launched, but logs information about the launch of these applications in the report.
`Category`	Name of the created application category to which the rule applies. You can specify the "Golden Image" list of applications as a category.
The [DenyListRules.item_#.ACL.item_#] section contains a list of users who are allowed or denied to run applications.
`Access`	Access type assigned to a user or user group.	`Allow` – Allow running applications. `Block` (default value) – Block running applications.
`Principal`	User or user group to which the Application Control rule applies.	`\Everyone` (default value): the rule applies to all users. `<user name>`: name of the user to whom the rule applies. `@<group name>`: name of the group of users to whom the rule applies.

Setting	Description	Values

`ScanScripts`	Enables script scanning.	`Yes` (default value) — Scan scripts. `No` — Do not scan scripts.
`ScanBinaries`	Enables binary files scanning (elf, java, and pyc).	`Yes` (default value) — Scan binaries. `No` — Do not scan binaries.
`ScanAllExecutable`	Enables the scanning of files with an executable bit.	`Yes` (default value) — Scan files with an executable bit. `No` — Do not scan files with an executable bit.
`ScanPriority`	Task priority. Task priority is a setting that combines a number of internal Kaspersky Endpoint Security settings and process start settings. By using this setting, you can specify the way the application consumes system resources for running tasks.	`Idle` — Run the task with a low priority: no more than 10% of processor resource consumption. Specify this value to release the application resources for other tasks, including user processes. The current scan task takes longer to complete. `Normal` (default value) — Run the task with a normal priority: no more than 50% of all processors resources. `High` — Run the task with a high priority, without limiting the consumption of processor resources. Specify this value to perform the current scan task faster.
`CreateGoldenImage`	Enables creation of the "Golden Image" category of applications based on the list of applications detected on the device by the Inventory Scan task. If `CreateGoldenImage=Yes`, then the "Golden Image" application category can be used in the application control rules.	`Yes`: create the "Golden Image" category of applications. `No` (default value): do not create the "Golden Image" category of applications.
The [ScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of inventory scope; contains additional information about the inventory scope. The maximum length of the string specified using this setting is 4096 characters.	Default value: `All objects`.
`UseScanArea`	Enables scans of the specified inventory scope. To run the task, enable scans of at least one inventory scope.	`Yes` (default value) — Scan the specified inventory scope. `No` — Do not scan the specified inventory scope.
`AreaMask`	Inventory scope limitation. In the inventory scope, the application scans only the files that are specified using the masks in the shell format. If this setting is not specified, the application scans all the objects in the inventory scope. You can specify several values for this setting.	The default value is `*` (scan all objects).
`Path`	Path to the directory with objects to be scanned.	`<path to local directory>` — Scan objects in the specified directory. Default value: `/usr/bin`
The [ExcludedFromScanScope.item_#] section contains the following settings:
`AreaDesc`	Description of the inventory exclusion scope; contains additional information about the inventory scope.	The default value is not defined.
`UseScanArea`	Excludes the specified scope from the inventory.	`Yes` (default value) — Exclude the specified scope. `No` — Do not exclude the specified scope.
`AreaMask`	Limiting the inventory exclusion scope using shell masks. If this setting is not specified, the application excludes all the objects in the inventory scope. You can specify several values for this setting.	Default value: `*` (exclude all objects).
`Path`	Path to the directory with objects to be excluded.	`<path to local directory>` — Exclude objects in the specified directory from scan. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.

Setting description	Available values	Default value
Port for listening to REST API		`8085`
Event severity level	`debug` `info` `warning` `error` `critical` `noset`	`noset`
Authorization key	If the `KRAS4D_XAPIKEY` setting is specified, each request is verified for the presence of the x-api-key header and if its content matches the value of the `KRAS4D_XAPIKEY` setting. If these conditions are not met, the request is rejected. If this setting is missing, verification is not performed.	No
Activation code or key file	To activate a KESL container using an activation code, when running the KESL container specify the activation code in the configuration file or pass the activation code in an environment variable: `docker run ... -e KRAS4D_ACTIVATION='<activation code>'` To activate a KESL container using a key file, when running the KESL container specify the key file in the configuration file or pass the key file in an environment variable: `docker run ... -e KRAS4D_ACTIVATION='<key file>' -e KRAS4D_KEYPATH=/root/kesl-service/keys -v <path to the directory with keys>:/root/kesl-service/keys ...` To activate a KESL container using a key file, the /root/kesl-service/keys mount point is required.	No
Additional scan settings	The optional `KRAS4D_SCANOPTIONS` setting allows you to configure the settings of the Container Scan task: `docker run ... -e KRAS4D_SCANOPTIONS='<settings>'` where `<settings>` are the settings of the Container Scan task.	No
Additional update settings	The optional `KRAS4D_UPDATEOPTIONS` setting allows you to configure the settings of the Update task. `docker run ... -e KRAS4D_UPDATEOPTIONS='<settings>'` where `<settings>` are the settings of the Update task, the `SourceType` and `ApplicationUpdateMode` settings as well as the settings in the `CustomSources.item_#` section.	No
Update the application databases when KESL container starts	By default, the application databases are downloaded to the /var/opt/kaspersky/kesl/common/updates directory when the KESL container is started. To implement the joint operation of several KESL containers with one instance of the application databases and to speed up the launch of the KESL container, it is recommended to move this directory to the computer where the KESL container is installed by means of mounting: `docker run ... -v <path to the database directory>:/var/opt/kaspersky/kesl/common/updates`	`True`
Do not process the image if it already exists in the target repository.		`False`
Name of the settings configuration file.		kesl-service.config

Configuration file setting	Environment variable

Common section
port: <port for listening>	# KRAS4D_PORT=8085
sqlpath: <full path to the database file that contains scan results>	# KRAS4D_SQLPATH
certdir: <path to the directory with registry certificates>	# KRAS4D_CERTDIR
keypath: <path to the directory with license keys>	# KRAS4D_KEYPATH
tmppath: <full path to the temporary directory>	# KRAS4D_TMPPATH
logpath: <full path to the event log>	# KRAS4D_LOGPATH
loglevel: [noset\|debug\|info\|warning\|error\|critical]	# KRAS4D_LOGLEVEL
Control section
xapikey: <request authorization key>	# KRAS4D_XAPIKEY=None
forceupdate: <forced database update at container start [True\|False]>	# KRAS4D_FORCEUPDATE
activation: <activation code or key file name from /root/kesl-service/config/>	# KRAS4D_ACTIVATION
detectaction: [delete\|skip]	# KRAS4D_DETECTACTION
scanoptions: <scan settings [ScanArchived=yes ScanSfxArchived=yes ...]>	# KRAS4D_SCANOPTIONS
skipimageifexist: <do not scan the image if it already exists on the server to which the scanned image is to be copied>	# KRAS4D_SKIPIMAGEIFEXIST
Repositories section
<server>:<port>: address and port of the image registry that requires authorization when requesting for verification.
Credentials subsection
user: user name for authorization in the image registry
pass: password for authorization in the image registry

Section	Description
Essential Threat Protection	File Threat Protection Exclusion scopes Firewall Management Web Threat Protection Network Threat Protection
Advanced Threat Protection	Kaspersky Security Network Application Control Anti-Cryptor System Integrity Monitoring Device Control Behavior Detection
Local Tasks	Task management Removable Drives Scan
General settings	Proxy server settings Application settings Container Scan settings Managed Detection and Response Network settings Global exclusions Storage settings

Setting	Description
Enable File Threat Protection	This check box enables or disables File Threat Protection on all managed devices. The check box is selected by default.
File Threat Protection mode	In this drop-down list, you can select the File Threat Protection mode: Smart check (default value) – scan a file when there is an attempt to open it and scan it again when there is an attempt to close it if the file has been modified. If a process accesses and modifies a file multiple times in a certain period, the application scans the file again only when the process closes it for the last time. When opened – scan the file on an attempt to open it for reading, execution, or modification. When opened and modified – scan a file on an attempt to open it, and scan it again on an attempt to close it if the file has been modified.
Scan	This group of settings contains buttons that open windows where you can configure the scan scopes and scan settings.
Actions for infected objects	This group of settings contains the Configure button. Clicking this button opens the Actions for infected objects window, where you can configure the actions that Kaspersky Endpoint Security performs on detected infected objects.

Contents

Kaspersky Endpoint Security 11.2.0 for Linux

Distribution kit

Hardware and software requirements

What's new

Installing the application

Installing Kaspersky Endpoint Security using the command line

Initial configuration of the application in interactive mode

Selecting the locale

Viewing the End User License Agreement and the Privacy Policy

Accepting the End User License Agreement

Accepting the Privacy Policy

Using Kaspersky Security Network

Assigning the Administrator role to a user

Determining the file operation interceptor type

Configuring the update source

Configuring proxy server settings

Downloading application databases

Enabling automatic application database update

Application activation

Initial configuration of the application in automatic mode

Settings of the Kaspersky Endpoint Security initial setup configuration file

Installing Network Agent using the command line

Initial configuration of the Network Agent using the command line

About Kaspersky Endpoint Security administration web plug-in

Installing Kaspersky Endpoint Security via Kaspersky Security Center

Creating the application installation package

Autoinstall.ini configuration file settings

Installing Kaspersky Endpoint Security using the Web Console

Installation using the Protection Deployment Wizard

Creating an installation package

Updating databases in the installation package

Creating a remote installation task

Getting started using Kaspersky Security Center

Activating the application using Kaspersky Security Center

Running the application on Astra Linux in closed software environment mode

Configuring permissive rules in the SELinux system

Updating the application from a previous version

Updating the application from the command line

Updating the application using Kaspersky Security Center

Uninstalling the application

Removing Kaspersky Endpoint Security using the command line

Uninstalling the application using the Administration Console

Uninstalling the application using Kaspersky Security Center Web Console

Application licensing

About the End User License Agreement

About the license

About the license certificate

About the license key

About the activation code

About the key file

About subscription

About providing and processing data

Managing the application using the command line

Starting and stopping the application

Displaying Help on the commands

Enabling the display of events

Viewing information about the application

Description of the application commands

Using filters to limit query results

Exporting and importing application settings

Setting the application memory usage limit

Application components integrity check

General application settings

Description of the general application settings

Editing general application settings

Description of general Container Scan settings

Editing general Container Scan settings

Encrypted connections scan

Encrypted connections scan settings

Managing encrypted connections scan settings

User roles

Viewing a list of users and roles

Assigning a role to a user

Revoking a user role

Managing application tasks using the command line

View the list of tasks

Creating a new task

Editing task settings using a configuration file

Editing task settings using the command line

Setting	Description
Scope name	Scan scope name.
Path	Path to the directory that the application scans.
Status	The status indicates whether the application scans this scope.

Setting	Description
Scan scope name	Field for entering the scan scope name. This name will be displayed in the table in the Scan scopes window. The entry field must not be blank.
Use this scope	This check box enables or disables scans of this scope by the application. If this check box is selected, the application processes this scan scope. If this check box is cleared, the application does not process this scan scope. You can later include this scope in the component settings by selecting the check box. The check box is selected by default.
File system, access protocol, and path	The settings block lets you set the scan scope. You can select the file system type in the drop-down list of file systems: Local (default value) – local directories. If this item is selected, you need to indicate the path to the local directory. Mounted – Mounted remote or local directories. If this item is selected, you need to indicate the protocol or name of the file system. Shared — The protected server's file system resources accessible via the Samba or NFS protocol. All mounted: all remote directories mounted on the device using the Samba and NFS protocols. All shared — All of the protected server's file system resources accessible via the Samba and NFS protocols.
	If Shared or Mounted is selected in the drop-down list of file systems, you can select the remote access protocol in the drop-down list on the right: NFS: remote directories mounted on a device using the NFS protocol. Samba: remote directories mounted on a device using the Samba protocol. Custom – resources of the device's file system specified in the field below.
	If Local is selected in the drop-down list of file systems, then in the input field you can enter a path to a directory that you want to add to the scan scope. The / path is specified by default – the application scans all directories of the local file system. If the Local type is selected in the drop-down list of file systems, and the path is not specified, the application scans all directories of the local file system.
Filesystem name	The field for entering the name of the file system where the directories that you want to add to the scan scope are located. The field is available if the Mounted type is selected in the drop-down list of file systems and the Custom item is selected in the drop-down list on the right.
Masks	The list contains name masks for the objects that the application scans. By default the list contains the * mask (all objects). You can add, edit, or delete masks. Clicking the Delete button removes the selected item from the table. This button is available if at least one item is selected in the table. The selected element's settings are changed in a separate window. Clicking the Add button opens a window where you can specify the new item settings.

Setting	Description
Scan archives	This check box enables or disables scan of archives. If this check box is selected, Kaspersky Endpoint Security scans archives. The application detects infected objects in archives, but does not disinfect them. To scan an archive, the application has to unpack it first, which may slow down scanning. You can reduce the archive scan duration by enabling and configuring the Skip object if scan takes longer than (sec) and Skip objects larger than (MB) settings in the General scan settings section. If this check box is cleared, Kaspersky Endpoint Security does not scan archives. This check box is cleared by default.
Scan SFX archives	This check box enables or disables self-extracting archive scans. Self-extracting archives are archives that contain an executable extraction module. If this check box is selected, Kaspersky Endpoint Security scans self-extracting archives. If this check box is cleared, Kaspersky Endpoint Security does not scan self-extracting archives. This check box is available if the Scan archives check box is unchecked. This check box is cleared by default.
Scan mail databases	This check box enables or disables scan of mail databases of Microsoft Outlook, Outlook Express, The Bat!, and other mail applications. If this check box is selected, Kaspersky Endpoint Security scans mail database files. If this check box is cleared, Kaspersky Endpoint Security does not scan mail database files. This check box is cleared by default.
Scan mail format files	This check box enables or disables scan of files of plain-text email messages. If this check box is selected, Kaspersky Endpoint Security scans plain-text messages. If this check box is cleared, Kaspersky Endpoint Security does not scan plain-text messages. This check box is cleared by default.
Skip object if scan takes longer than (sec)	A field for specifying the maximum time to scan an object, in seconds. After the specified time is reached, Kaspersky Endpoint Security stops scanning the object. Available values: `0–9999`. If the value is set to `0`, the scan time is unlimited. The default value is `60`.
Skip objects larger than (MB)	The field for specifying the maximum size of an archive to scan, in megabytes. Available values: `0–999999`. If the value is set to `0`, Kaspersky Endpoint Security scans objects of any size. The default value is `0`.
Log clean objects	This check box enables or disables the logging of ObjectProcessed type events. If this check box is selected, Kaspersky Endpoint Security logs ObjectProcessed type events for all scanned objects. If this check box is cleared, Kaspersky Endpoint Security does not log ObjectProcessed type events for any scanned object. This check box is cleared by default.
Log unprocessed objects	This check box enables or disables the logging ObjectNotProcessed type events if a file cannot be processed during a scan. If this check box is selected, Kaspersky Endpoint Security logs ObjectNotProcessed type events. If this check box is cleared, Kaspersky Endpoint Security does not log ObjectNotProcessed type events. This check box is cleared by default.
Log packed objects	This check box enables or disables the logging of PackedObjectDetected type events for all packed objects that are detected. If this check box is selected, Kaspersky Endpoint Security logs PackedObjectDetected type events. If this check box is cleared, Kaspersky Endpoint Security does not log PackedObjectDetected type events. This check box is cleared by default.
Use iChecker technology	This check box enables or disables scan of only new and modified since the last scan files. If the check box is selected, Kaspersky Endpoint Security scans only new or modified since the last scan files. If the check box is cleared, Kaspersky Endpoint Security scans files regardless to the date of creation or modification. The check box is selected by default.
Use heuristic analysis	This check box enables or disables heuristic analysis during file scans. The check box is selected by default.
Heuristic analysis level	If the Use heuristic analysis check box is selected, you can select the heuristic analysis level in the drop-down list: Light is the least detailed scan with minimal system load. Medium is a medium scan with balanced system load. Deep is the most detailed scan with maximum system load. Recommended (default value) is the optimal level recommended by Kaspersky experts. It ensures an optimal combination of quality of protection and impact on the performance of protected servers.

Group of settings	Description
Exclusions	This group of settings contains the Configure button. Clicking this button opens the Exclusion scopes window. In this window, you can define the list of scopes to be excluded from scans.
Exclusions by mask	This group of settings contains the Configure button, which opens the Exclusions by mask window. In this window, you can configure the exclusion of objects from scans by name mask.
Exclusions by threat name	This group of settings contains the Configure button, which opens the Exclusions by threat name window. In this window, you can configure the exclusion of objects from scans based on threat name.

Setting	Description
Exclusion scope name	Exclusion scope name.
Path	Path to the directory excluded from scan.
Status	The status indicates whether the application uses this exclusion.

Setting	Description
Enable Firewall Management	This check box enables or disables Firewall Management. The check box is selected by default.
Network packet rules	This group of settings contains the Configure button. Clicking this button opens the Network packet rules window. In this window, you can configure network packet rules that are applied by the Firewall Management component when it detects the network connection attempt.
Available networks	This group of settings contains the Configure button. Clicking this button opens the List of available networks window. In this window, you can configure the list of networks that the Firewall Management component will monitor.
Incoming connections	In this drop-down list, you can select the action to be performed for incoming network connections: Allow network connections (default value). Block network connections.
Incoming packets	In this drop-down list you can select the action to be performed for incoming packets: Allow incoming packets (default value). Block incoming packets.
Always add allowing rules for Network Agent ports	This check box enables or disables automatic adding allowing rules for Network Agent ports. The check box is selected by default.

Setting	Description
Name	Network packet rule name
Action	Action to be performed by Firewall Management when it detects the network activity.
Local address	Network addresses of devices that have Kaspersky Endpoint Security installed and can send and/or receive network packets.
Remote address	Network addresses of remote devices that can send and/or receive network packets.
Logging	This column shows if the application logs actions of the network packet rule. If the value is Yes, the application logs the actions of the network packet rule. If the value is No, the application does not log the actions of the network packet rule.

Setting	Description
Protocol	You can select the type of data transfer protocol for which you want to monitor network activity: Any (default value) GRE ICMP ICMPv6 IGMP TCP UDP
Direction	You can specify the direction of network activity being monitored: Incoming packets. If this option is selected, the Firewall Management component monitors incoming packets. Incoming. If this option is selected, the Firewall Management component monitors incoming network activity. Incoming/Outgoing. If this option is selected, the Firewall Management component monitors both incoming and outgoing network activity. Incoming/Outgoing packets. If this option is selected, the Firewall Management component monitors both incoming and outgoing packets. Outgoing packets. If this option is selected, the Firewall Management component monitors outgoing packets. Outgoing. If this option is selected, the Firewall Management component monitors outgoing network activity.
ICMP type	You can specify the ICMP type. The Firewall Management component monitors messages of the specified type sent by the host or gateway. If the Specified option is selected, the field for entering the ICMP type will be displayed. This window is displayed if the ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list.
ICMP code	You can specify the ICMP code. The Firewall Management component monitors messages of the type specified in the ICMP type field and the code specified in the ICMP code field, sent by a host or gateway. If the Specified option is selected, the field for entering the ICMP code will be displayed. This window is displayed if the ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list.
Remote ports	You can specify the port numbers of the remote devices between which the connection is to be monitored. If the Specified option is selected, the field for entering the port numbers will be displayed. This window is displayed only if TCP or UDP data transfer protocol is selected in the Protocol drop-down list.
Local ports	You can specify the port numbers of the local devices between which the connection is to be monitored. If the Specified option is selected, the field for entering the port numbers will be displayed. This window is displayed only if TCP or UDP data transfer protocol is selected in the Protocol drop-down list.
Remote addresses	You can specify the network addresses of the remote devices that can send and receive network packets: Any address (default value). If this item is selected, the network rule controls network packets sent and/or received by remote devices with any IP address. Specified address. If this item is selected, the network rule controls the sending and receiving of network packets by remote devices with the IP addresses that are specified in the field below. By network type. If this item is selected, the network rule controls network packets sent and received by remote devices with the IP addresses associated with the selected network type: Public networks, Local networks, or Trusted networks.
Local addresses	You can specify the network addresses of the devices with Kaspersky Endpoint Security installed that can send and receive network packets: Any address (default value). If this option is selected, the network rule controls network packets sent and/or received by the devices with Kaspersky Endpoint Security installed regardless of their IP address. Specified address. If this option is selected, the network rule controls the network addresses of devices with Kaspersky Endpoint Security installed that can send and receive network packets. These network addresses are specified in the field below.
Action	You can select an action to be performed by the Firewall Management component when it detects network activity: Block network activity. Allow network activity (default value).
Logging	You can specify whether the actions of the network rule will be logged in the report.
Rule name	The field for entering the name of the network packet rule.

Setting	Description
IP address	Network IP address.
Network type	Network type (Public network, Local network, or Trusted network).

Setting	Description
Enable scans of incoming traffic on the device	This check box enables or disables incoming traffic scans on the computer. The check box is selected by default.
Trusted web addresses	This group of settings contains the Configure button, which opens the Trusted web addresses window, where you can specify the list of trusted web addresses. Kaspersky Endpoint Security will not scan the contents of websites whose web addresses are included in this list.
Action on threat detection	In the drop-down list, you can select the action to be performed by Kaspersky Endpoint Security on a web resource where a dangerous object is detected: Inform the user when a dangerous object is detected in web traffic. Web Threat Protection allows this object to be downloaded to the computer. Kaspersky Endpoint Security logs information about the dangerous object and adds information about the dangerous object to the list of active threats. Block access to all dangerous objects detected in web traffic, display a notification about the blocked access attempts, and log information about the dangerous objects (default value).
Scan settings	This group of settings contains the Configure button, which opens the Scan settings window, where you can configure the settings for scanning incoming traffic.