Kaspersky Endpoint Security 12.0 for Linux Help
Kaspersky Endpoint Security 12.0 for Linux
- About Kaspersky Endpoint Security usage modes
- Distribution kit
- Hardware and software requirements
What's new
Preparing to install the application
Installing the application
- Deploying the application using the command line
- Installing and configuring Kaspersky Security Center Network Agent
  - Installing Network Agent using the command line
  - Initial configuration of the Network Agent using the command line
- Installing Kaspersky Endpoint Security administration plug-ins
  - About the Kaspersky Endpoint Security administration MMC plug-in
  - About Kaspersky Endpoint Security administration web plug-in
- Deploying the application using Kaspersky Security Center
- Running the application on Astra Linux in closed software environment mode
- Configuring allowing rules in the SELinux system
Updating the application from a previous version
- Updating the application using the command line
- Updating the application using Kaspersky Security Center
Uninstalling the application
- Uninstalling the application using the command line
- Uninstalling the application using the Administration Console
- Uninstalling the application using Kaspersky Security Center Web Console
Application licensing
- About the End User License Agreement
- About the license
- About the license certificate
- About the license key
- About the activation code
- About the key file
- About subscription
- Comparison of application features across different licenses
Data provision
- Data provided when using an activation code
- Data provided when downloading updates from Kaspersky update servers
- Data transferred when using the application in Light Agent mode
- Data sent to Kaspersky Security Center
- Data provided when following links in the application interface
- Data provided when using Kaspersky Security Network
- Data provided when using Kaspersky Anti Targeted Attack Platform
Managing the application using the command line
- Starting and stopping the application
- Displaying Help on the commands
- Enabling automatic addition of kesl-control commands (bash completion)
- Enabling the display of events
- Viewing information about the application
- Description of the application commands
- Using filters to limit query results
- Exporting and importing application settings
- Setting the application memory usage limit
- User roles
- General application settings
- Managing application tasks using the command line
- Encrypted connections scan
File Threat Protection task (File_Threat_Protection, ID:1)
- Special considerations for scanning symbolic links and hard links
- File Threat Protection task settings
- Specifying an exclusion scope
- Optimizing network directory scanning
Malware Scan task (Scan_My_Computer, ID:2)
Custom Scan task (Scan_File, ID:3)
Critical Areas Scan task (Critical_Areas_Scan, ID:4)
Update task (Update, ID:6)
- About update sources
- Starting and stopping a task
- Update task settings
Rollback task (Rollback, ID:7)
Licensing task (License, ID:9)
- Adding an active key
- Adding a reserve key
- Removing an active key
- Removing a reserve key
Storage management task (Backup, ID:10)
- Storage management task settings
- Viewing IDs of the objects in the Storage
- Restoring objects from the Storage
- Removing objects from the Storage
System Integrity Monitoring task (System_Integrity_Monitoring, ID:11)
- On-access File Integrity Monitoring (OAFIM)
- On-demand File Integrity Monitoring (ODFIM)
- On-access File Integrity Monitoring task settings
- On-demand File Integrity Monitoring settings
Firewall Management task (Firewall_Management, ID:12)
- About network packet rules
- About dynamic rules
- About the predefined network zone names
- Firewall Management task settings
- Adding a network packet rule
- Deleting a network packet rule
- Changing the execution priority of a network packet rule
- Adding a network address to a zone section
- Deleting a network address from a zone section
Anti-Cryptor task (Anti_Cryptor, ID:13)
- About blocking access to devices
- Anti-Cryptor task settings
- Viewing the list of blocked devices
- Allowing blocked devices
Web Threat Protection task (Web_Threat_Protection, ID:14)
Device Control task (Device_Control, ID:15)
- About access rules
- Device Control task settings
- Viewing the list of connected devices on the command line
Removable Drives Scan task (Removable_Drives_Scan, ID:16)
Network Threat Protection task (Network_Threat_Protection, ID:17)
Container Scan task (Container_Scan, ID:18)
- Container scan task settings
- Integration with Jenkins
Custom Container Scan task (Custom_Container_Scan, ID:19)
Behavior Detection task (Behavior_Detection, ID:20)
Application Control task (Application_Control, ID:21)
- About Application Control rules
- Application Control task settings
- Viewing the list of created categories
Inventory Scan task (Inventory_Scan, ID:22)
- Inventory task settings
- Viewing a list of detected applications
Kaspersky Endpoint Detection and Response (KATA) Integration task (KATAEDR, ID:24)
- Kaspersky Endpoint Detection and Response (KATA) Integration task settings
- Managing certificates for connecting to KATA servers
Using Kaspersky Security Network
- Enabling and disabling use of Kaspersky Security Network using the command line
- Enabling and disabling cloud mode from the command line
- Checking the connection to Kaspersky Security Network using the command line
Integration with Kaspersky Managed Detection and Response
KESL container
- Deploying and activating KESL container
- Configuring KESL container
- Working with REST API
Events and reports
- Viewing events
- Viewing reports
Managing the application using the Administration Console
- Starting and stopping the application on a client device
- Viewing the protection status of a device
- Viewing application settings
- Updating application databases and modules
- Managing policies in the Administration Console
  - Creating a policy
  - Editing policy settings
- Policy settings
- Managing tasks in the Administration Console
- Task settings
- Configuring integration with Kaspersky Managed Detection and Response
- Configuring KESL container settings
- Manually checking the connection with the Administration Server. Klnagchk utility
- Manually connecting to the Administration Server. Klmover utility
- Remote diagnostics of client devices. Kaspersky Security Center remote diagnostics utility
Remote application administration using Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console
- Logging in and out of the Web Console and Cloud Console
- Starting and stopping the application on a client device
- Viewing the protection status of a device
- Updating application databases and modules
- Managing policies in the Web Console
- Policy settings
- Managing tasks in the Web Console
- Task settings
- Configuring integration with Kaspersky Managed Detection and Response
- Configuring KESL container settings
- Configuring remote diagnostics of client devices
Managing application using graphical user interface
- Application interface
- Task management
- Configuring Kaspersky Security Network
- Viewing reports
- Viewing objects in the Storage
- Viewing licensing information
- Creating a trace file
Application components integrity check
Contact Technical Support
- Technical Support via Kaspersky CompanyAccount
- About trace files
- About dump files
Appendices
- Appendix 1. Resource consumption optimization
- Appendix 2. Application configuration files
- Appendix 3. Command line return codes
- Appendix 4. Managing KESL container using REST API
- Appendix 5. Configuring interaction with Kaspersky Anti-Virus for Linux Mail Server
Sources of information about Kaspersky Endpoint Security
Glossary
- Active key
- Active policy
- Administration group
- Administration Server
- Application activation
- Application databases
- Application settings
- Database of malicious web addresses
- Database of phishing web addresses
- Exclusion
- False positive
- File mask
- Group policy
- Group task
- Infected object
- Integration Server
- Kaspersky update servers
- License
- License certificate
- Light Agent
- Object disinfection
- Policy
- Proxy server
- Reserve key
- Startup objects
- Subscription
- SVM
- Trusted device
Information about third-party code
Trademark notices

Kaspersky Endpoint Security 12.0 for Linux Help

Kaspersky Endpoint Security 12.0 for Linux

This intended audience of this Help are technical professionals responsible for installing and administering the Kaspersky Endpoint Security application, as well as supporting organizations that use Kaspersky Endpoint Security. This Help is intended for professionals who are familiar with operating systems and Linux, have mastered the basic techniques of managing them, and have experience using the Kaspersky Security Center remote centralized management system for Kaspersky applications.

Kaspersky Endpoint Security 12.0 for Linux ("Kaspersky Endpoint Security", "application") protects devices running Linux operating systems against various types of threats, including network and scam attacks. You can use Kaspersky Endpoint Security as part of Kaspersky Security for Virtualization Light Agent to protect virtual machines running Linux guest operating systems.

The application is not intended for use in industrial processes involving automated control systems. To protect devices in these systems, we recommend using Kaspersky Industrial CyberSecurity for Linux Nodes.

The application is used to:

Scan objects in the file system both in real time using the File Threat Protection task and on demand using scan tasks. Including:
- Scan file system objects located on local disks of your device, as well as mounted and shared resources, which are accessed via SMB and NFS protocols.
- Scan startup objects, boot sectors, process memory, and kernel memory.
- Check removable drives when connected to your device.
- Scan containers, images and namespaces, as well as use Kaspersky Endpoint Security as a container application (hereinafter referred to as KESL container).
  The KESL container functionality is not supported if Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments.
Detect infected objects and neutralize threats detected in them.
- Use application databases to detect and disinfect infected files. During the scan process, the application analyzes each file for the presence of a threat: it compares the file code with the code of a specific threat and looks for possible matches.
- Use Kaspersky Security Network. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Endpoint Security to various threats, improves the performance of some protection components, and reduces the likelihood of false positives.
- Automatically select an action to neutralize the threat.
Save backup copies of files before disinfection or deletion and restore files from backups.
Protect files in local directories with network access via SMB / NFS from remote malicious encryption.
Manage the operating system firewall and restore the set of firewall rules if they were changed.
Analyze traffic sent to users' devices via HTTP / HTTPS and FTP and check if web addresses are malicious or phishing.
Configure encrypted connections scan settings.
Check incoming network traffic for activity typical of network attacks.
Configure flexible restrictions on access to data storage devices (hard disks, removable disks, CD / DVD drives), data transfer equipment (modems), data conversion devices (printers) and interfaces for connecting devices (USB, FireWire).
Receive information about application actions on your device.
Control the start of applications and restrict access to applications on user devices to help reduce the risk of client device infections.
Get information about all executable files of the applications installed on client devices using the Inventory Scan task, which can be useful, for example, for creating Application Control rules.
Monitor the integrity of the system or specified files and report changes. System Integrity Monitoring can be performed in continuous monitoring mode and in on-demand scan mode.
Configure the application to work in "Notify only" mode. Notify only is a mode in which, if a threat is detected, application components and tasks do not attempt to disinfect or remove malicious objects, deny access, or block program activity, but instead only inform the user that a threat was detected.

Additional features are provided to keep the application up to date and extend the functionality of the application. The application is used to:

Activate the application using a key file or activation code.
If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, activation is performed on the Protection Server (a component of Kaspersky Hybrid Cloud Security for Virtualization Light Agent).
Update application databases and modules from Kaspersky update servers, via the Administration Server, or from a user-specified source on a schedule and on demand.
If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the application receives updates of databases and application modules from the Protection Server (a component of Kaspersky Hybrid Cloud Security for Virtualization Light Agent).
Configure integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response to enable continuous search, detection and elimination of threats aimed at your organization.
Configure integration of Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response (KATA), a component of the Kaspersky Anti Targeted Attack Platform solution, to ensure the protection of your organization's IT infrastructure and timely detect threats including zero-day attacks, targeted attacks and advanced persistent threats.
Differentiate user access to application functions according to user roles.
Notify the administrator about events that occurred while the application was running.
Check the integrity of application components using the integrity check tool.

You can manage Kaspersky Endpoint Security using the following methods:

Using control commands from the command line.
Using Kaspersky Security Center Administration Console.
Using Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console.
Using a graphical user interface.
If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, management of the application using Kaspersky Security Center Cloud Console and the graphical user interface is not available.

The update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality may not be available in the application in the territory of the USA.

In this Help section

About Kaspersky Endpoint Security usage modes

Distribution kit

Hardware and software requirements

Page top

[Topic 93769]

About Kaspersky Endpoint Security usage modes

You can use Kaspersky Endpoint Security in one of the following modes:

Standalone. Kaspersky Endpoint Security is used as a standalone application for protecting devices running Linux operating systems.
In Light Agent mode to protect virtual environments (as part of Kaspersky Hybrid Cloud Security for Virtualization Light Agent). Kaspersky Endpoint Security is used as the
Light Agent
Kaspersky Endpoint Security for Virtualization Light Agent component. Installed on each virtual machine that needs to be protected.

component of the Kaspersky Hybrid Cloud Security for Virtualization Light Agent solution to protect virtual machines running Linux guest operating systems.

The application is used in standalone mode by default.

If you want to use the application in Light Agent mode, you need to do the following:

Install Kaspersky Endpoint Security on each virtual machine that needs to be protected using Kaspersky Hybrid Cloud Security for Virtualization Light Agent. You can also install the application on a virtual machine template.
During installation, you need to specify in one of the following ways that the application will be used in Light Agent mode:
- During the post-installation configuration of the application in interactive or automatic mode (if installed using the command line);
- in the autoinstall.ini configuration file, which is included in the application installation package (if installed using Kaspersky Security Center).
After Kaspersky Endpoint Security is installed, you cannot change the application usage mode.

When selecting Light Agent mode, you can also configure the following settings for Kaspersky Endpoint Security in Light Agent mode:
- The role of the virtual machine that you want to protect, in the virtual infrastructure: server or workstation. The role of a virtual machine determines the license under which the application will be used on this virtual machine as well as the available functionality.
- VDI protection mode. It is recommended to enable this mode if you are installing the application on a virtual machine template that will be used to create temporary virtual machines. VDI protection mode optimizes the operation of Kaspersky Endpoint Security on temporary virtual machines.
Configure the settings for connecting Light Agent to
SVMs
Secure virtual machine – a special virtual machine on which the scanserver service (Protection Server, a component of Kaspersky Endpoint Security for Virtualization Light Agent) is installed.

and the settings for connecting Light Agent to the
Integration Server
Kaspersky Endpoint Security for Virtualization Light Agent component. Interacts between Kaspersky Endpoint Security components and the virtual infrastructure.

.
Kaspersky Endpoint Security in Light Agent mode interacts with other components of the Kaspersky Hybrid Cloud Security for Virtualization Light Agent solution: the Integration Server and the Protection Server installed on the SVM (for more information, see the Kaspersky Endpoint Security for Virtualization Light Agent Help). To interact with the Protection Server, Kaspersky Endpoint Security establishes and maintains a connection to the SVM on which this Protection Server is installed.

A connection to the Integration Server is required if you want Light Agents to receive information about the SVM through the Integration Server, or if you want to protect the connection between the Protection Server and the Light Agent.

You can configure the connection settings in a Kaspersky Endpoint Security policy using Kaspersky Security Center Administration Console or using Kaspersky Security Center Web Console.

You can obtain information about application operation in Light Agent mode, as well as information about the connection to the Integration Server and SVMs, by using the following commands: --ksvla-info, --viis-info, and --svm-info.

Information about the application usage mode is displayed in Kaspersky Security Center in the properties of Kaspersky Endpoint Security on the managed device in the Components section. Information is displayed in the Light Agent mode for protecting virtual environments line as follows:

The Running status means that the application is being used in Light Agent mode;
The Not installed status means that the application is being used in standalone mode.

About activating the application in Light Agent mode

If Kaspersky Endpoint Security is used in Light Agent mode, the application does not need to be activated separately. You activate Kaspersky Hybrid Cloud Security for Virtualization Light Agent; activation is performed on the Protection Server (a component of Kaspersky Hybrid Cloud Security for Virtualization Light Agent) by adding a license key to the SVM. For more details, refer to the Help for Kaspersky Hybrid Cloud Security for Virtualization Light Agent.

After activating the solution and connecting the Light Agent to the SVM, the Protection Server component sends license information to the Light Agent. When selecting an SVM to connect to, Light Agent considers, among other settings, the type of license key added to the SVM. The Light Agent does not connect to the SVM if the type of key added to the SVM does not match the role of the protected virtual machine in the virtual infrastructure (server or workstation). For more details, refer to the Help for Kaspersky Hybrid Cloud Security for Virtualization Light Agent.

You can view information about the license used by Light Agent for Linux on the protected virtual machine with the Light Agent using the -L --query command.

License keys cannot be managed using the Add key task or via the Kaspersky Endpoint Security command for adding and deleting license keys.

About updating application databases and modules in Light Agent mode

Kaspersky Endpoint Security in Light Agent mode uses malware databases, which are required for the application to work as part of Kaspersky Hybrid Cloud Security for Virtualization Light Agent. Kaspersky Endpoint Security receives application database and module updates from the Protection Server. For more details, refer to the Help for Kaspersky Hybrid Cloud Security for Virtualization Light Agent.

Databases on protected virtual machines are updated using a special Update local task of Kaspersky Endpoint Security, where the folder on the SVM is specified as the update source. The update task starts automatically. You cannot delete this task or change its settings.

Update sources other than a folder on SVMs are not supported. The use of group update tasks is not supported.

The last application database and module update is also rolled back on the Protection Server. After rolling back the application database and module update on the SVMs, a special Update local task is automatically started on the protected virtual machine. The task causes the Light Agent to return to using the previous set of application database and modules.

The use of Rollback local and group tasks of Kaspersky Endpoint Security is not supported.

Other features of using the application in Light Agent mode

If Kaspersky Endpoint Security is used in Light Agent mode:

The KESL container functionality is not supported.
Application management using Kaspersky Security Center Cloud Console and the graphical user interface is not available.
iChecker technology is not used for scanning and protection. Scan optimization is implemented by means of the Protection Server.
The use of cloud databases is not supported.
Kaspersky Endpoint Security can interact with KSN servers using a KSN proxy server. Direct interaction with KSN is not supported.
A proxy server is not used when connecting to the Integration Server or KSN servers.

Page top

[Topic 250484]

Distribution kit

The distribution kit includes Kaspersky Endpoint Security installation package containing the following files:

kesl-12.0-<build number>.i386.rpm, kesl_12.0-<build number>_i386.deb
Contain the main application files. Packages can be installed to 32-bit operating systems based on the type of package manager.
kesl-12.0-<build number>.x86_64.rpm, kesl_12.0-<build number>_amd64.deb
Contain the main application files. Packages can be installed to 64-bit operating systems based on the type of package manager.
kesl-12.0-<build number>.aarch64.rpm, kesl_12.0-<build number>_arm64.deb
Contain the main application files. Packages for the relevant package manager can be installed on 64-bit operating systems for the Arm architecture.
kesl-gui-12.0-<build number>.i386.rpm, kesl-gui_12.0-<build number>_i386.deb
Contain the files of the application graphical user interface. Packages can be installed to 32-bit operating systems based on the type of package manager.
kesl-gui-12.0-<build number>.x86_64.rpm, kesl-gui_12.0-<build number>_amd64.deb
Contain the files of the application graphical user interface. Packages can be installed to 64-bit operating systems based on the type of package manager.
kesl-gui-12.0-<build number>.aarch64.rpm, kesl-gui_12.0-<build number>_arm64.deb
Contain the files of the application graphical user interface. Packages for the relevant package manager can be installed on 64-bit operating systems for the Arm architecture.
kesl-12.0.<build number>.zip
Contains the files used for remote application installation using Kaspersky Security Center, including license.<language ID> and ksn_license.<language ID> files.

Kaspersky Security Center Network Agent is not included in the distribution kit. You can download it on the application download page in the Kaspersky Security Center section.
docker-service-kesl64-12.0-<build number>.tgz
Contains files for creating an image of a KESL container application.
ksn_license. <language ID>
Contains the text of the Statement on Kaspersky Security Network.
license. <language ID>
Contains the text of the License Agreement. The End User License Agreement specifies the terms for using the application.

Editing configuration files of the application on your on using means not described in the application documentation or not recommended by Technical Support may cause poor performance and failures of the application and operating system, reduced protection of your device, inaccessible and corrupted data, as well as the sending of additional statistics to KSN getting turned on.

Page top

[Topic 245117]

Hardware and software requirements

This section contains the hardware and software requirements for Kaspersky Endpoint Security.

In this section

Hardware requirements

Software requirements

Supported versions of Kaspersky Security Center

Supported versions of Kaspersky Anti Targeted Attack Platform

Page top

[Topic 261258]

Hardware requirements

Kaspersky Endpoint Security has the following hardware requirements:

Minimum hardware requirements:

Core 2 Duo 1.86 GHz or faster processor
swap partition at least 1 GB
1 GB of RAM for 32-bit operating systems, 2 GB of RAM for 64-bit operating systems
4 GB of free hard disk space for installation of the application and storage of temporary and log files
When using a graphical user interface, the monitor must be capable of displaying windows 1000 pixels wide and 600 pixels high (if screen scaling is applied, these dimensions are also scaled)
if Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, a virtual network interface with a bandwidth of 100 Mbit/s

Minimum hardware requirements for the Arm architecture:

Armv8.2-A Kunpeng 920 or Armv8-A Baikal-M (BE-M1000) processor or m-TrusT Terminal
swap partition at least 1 GB
2 GB of RAM
3 GB of free hard disk space for installation of the application and storage of temporary and log files
When using a graphical user interface, the monitor must be capable of displaying windows 1000 pixels wide and 600 pixels high (if screen scaling is applied, these dimensions are also scaled)

Using Kaspersky Endpoint Security in Light Agent mode to protect virtual environments is not supported on operating systems based on the Arm architecture.

Page top

[Topic 261283]

Software requirements

To install Kaspersky Endpoint Security, one of the following operating systems must be installed on the device:

32-bit operating systems:
- CentOS 6.7 and later.
  Using Kaspersky Endpoint Security in Light Agent mode to protect virtual environments is not supported on devices running CentOS 6.x operating systems.
- Debian GNU/Linux 11.0 and later.
- Debian GNU/Linux 12.0 and later.
- Mageia 4.
  Integration of the Kaspersky Endpoint Security application with Kaspersky Endpoint Detection and Response (KATA) is not supported on devices running the Mageia 4 operating system.
- Red Hat Enterprise Linux 6.7 and later.
  Using Kaspersky Endpoint Security in Light Agent mode to protect virtual environments is not supported on devices running Red Hat Enterprise Linux 6.x operating systems.
- ALT 8 SP Workstation.
- ALT 8 SP Server.
- ALT Workstation 10
- ALT SP Workstation release 10.
64-bit operating systems:
- AlmaLinux OS 8 and later.
- AlmaLinux OS 9 and later.
- AlterOS 7.5 and later.
- Amazon Linux 2.
- Astra Linux Common Edition 2.12.
- Astra Linux Special Edition RUSB.10015-01 (operational update 1.5).
- Astra Linux Special Edition RUSB.10015-01 (operational update 1.6).
- Astra Linux Special Edition RUSB.10015-01 (operational update 1.7).
- Astra Linux Special Edition RUSB.10015-01 (operational update 1.8).
- Astra Linux Special Edition RUSB.10015-16 (release 1) (operational update 1.6).
- Astra Linux Special Edition RUSB.10015-03 (operational update 7.6).
- Astra Linux Special Edition RUSB.10015-37 (operational update 7.7).
  Using Kaspersky Endpoint Security in Light Agent mode to protect virtual environments is not supported on devices running Astra Linux operating systems in mandatory access control and closed software environment modes.
- CentOS 6.7 and later.
  Using Kaspersky Endpoint Security in Light Agent mode to protect virtual environments is not supported on devices running CentOS 6.x operating systems.
- CentOS 7.2 and later.
- CentOS Stream 8.
- CentOS Stream 9.
- Debian GNU/Linux 11.0 and later.
- Debian GNU/Linux 12.0 and later.
- EMIAS 1.0 and later.
- EulerOS 2.0 SP5.
- Kylin 10.
- Linux Mint 20.3 and up.
- Linux Mint 21.1 and later.
- openSUSE Leap 15.0 and later.
- Oracle Linux 7.3 and later.
- Oracle Linux 8.0 and later.
- Oracle Linux 9.0 and later.
- Red Hat Enterprise Linux 6.7 and later.
  Using Kaspersky Endpoint Security in Light Agent mode to protect virtual environments is not supported on devices running Red Hat Enterprise Linux 6.x operating systems.
- Red Hat Enterprise Linux 7.2 and later.
- Red Hat Enterprise Linux 8.0 and later.
- Red Hat Enterprise Linux 9.0 and later.
- Rocky Linux 8.5 and later.
- Rocky Linux 9.1.
- SberLinux 8.8 (Dykhtau).
- SUSE Linux Enterprise Server 12.5 or later.
- SUSE Linux Enterprise Server 15 or later.
- Ubuntu 20.04 LTS.
- Ubuntu 22.04 LTS.
- ALT 8 SP Workstation.
- ALT 8 SP Server.
- ALT Workstation 10.
- ALT Server 10.
- ALT SP Workstation release 10.
- ALT SP Server release 10.
- Atlant, Alcyone build, version 2022.02.
- GosLinux 7.17.
- GosLinux 7.2.
- MSVSPHERE 9.2 SERVER.
- MSVSPHERE 9.2 ARM.
- RED OS 7.3.
- RED OS 8.0.
- ROSA Cobalt 7.9.
- ROSA Chrome 12.
- SynthesisM Client 8.6.
- SynthesisM Server 8.6.
64-bit operating systems for the Arm architecture:
- Astra Linux Special Edition RUSB.10152-02 (operational update 4.7).
- CentOS Stream 9.
- EulerOS 2.0 SP8.
- SUSE Linux Enterprise Server 15.
- Ubuntu 22.04 LTS.
- ALT Workstation 10.
- ALT Server 10.
- ALT SP Workstation release 10.
- ALT SP Server release 10.
- RED OS 7.3.
Using Kaspersky Endpoint Security in Light Agent mode to protect virtual environments is not supported on operating systems for the Arm architecture.

Due to technical limitations of fanotify, the application does not support the following file systems: autofs, binfmt_misc, cgroup, configfs, debugfs, devpts, devtmpfs, fuse, fuse.gvfsd-fuse, gfs2, gvfs, hugetlbfs, mqueue, nfsd, proc, parsecfs, pipefs, pstore, usbfs, rpc_pipefs, securityfs, selinuxfs, sysfs, tracefs.

Page top

[Topic 261284]

Supported versions of Kaspersky Security Center

Kaspersky Endpoint Security is compatible with the following Kaspersky Security Center versions:

Kaspersky Security Center 13.2. The MMC administration plug-in can be used to administer Kaspersky Endpoint Security via Administration Console.
Kaspersky Security Center 14. Kaspersky Endpoint Security can be administered through Administration Console using the MMC administration plug-in and through Kaspersky Security Center Web Console using the web administration plug-in.
Kaspersky Security Center 14 Linux. The web administration plug-in can be used to administer Kaspersky Endpoint Security through Kaspersky Security Center Web Console.
Kaspersky Security Center Linux includes a version of Administration Server intended for installation on a device running the Linux operating system. Kaspersky Security Center Linux interacts with Administration Server through Kaspersky Security Center Web Console. For more information about Kaspersky Security Center Linux, see its documentation.

Some functionality of Kaspersky Security Center 14, e.g. features tied to Kaspersky Security Network, are unavailable in Kaspersky Security Center 14 Linux. You can manage Kaspersky Security Network usage through Kaspersky Security Center running on Windows.
Kaspersky Security Center 14.2. Kaspersky Endpoint Security can be administered through Administration Console using the administration MMC plug-in and through Kaspersky Security Center Web Console using the administration web plug-in.
Kaspersky Security Center 14.2 Linux. The web administration plug-in can be used to administer Kaspersky Endpoint Security through Kaspersky Security Center Web Console.
Kaspersky Security Center 15 Linux. The web administration plug-in can be used to administer Kaspersky Endpoint Security through Kaspersky Security Center Web Console.

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments (as part of Kaspersky Security for Virtualization Light Agent), we recommend to manage the application using one of the following versions of Kaspersky Security Center.

Kaspersky Security Center 14.2.
Kaspersky Security Center 15 Linux.

Kaspersky Security Center Network Agent is required to manage Kaspersky Endpoint Security through Kaspersky Security Center.

Kaspersky Security Center Network Agent is not included in the Kaspersky Endpoint Security distribution kit. You can download it on the application download page in the Kaspersky Security Center section.

Page top

[Topic 268002]

Supported versions of Kaspersky Anti Targeted Attack Platform

Kaspersky Endpoint Security is compatible with the following versions of Kaspersky Anti Targeted Attack Platform:

Kaspersky Anti Targeted Attack Platform 5.0. Supported
with limitations
A server of this version of Kaspersky Anti Targeted Attack Platform can process a limited scope of data from the Kaspersky Endpoint Security application:
- The Delete File and Terminate Process tasks are not supported.
- Management of network isolation of hosts is not supported.
- Searching for indicators of compromise using IOC files is not supported.
.
Kaspersky Anti Targeted Attack Platform 5.1. Supported with limitations.
Kaspersky Anti Targeted Attack Platform 6.0.

For more details about the Kaspersky Anti Targeted Attack Platform solution, please refer to the Kaspersky Anti Targeted Attack Platform Help.

Page top

[Topic 245686]

What's new

Kaspersky Endpoint Security now boasts the following features and improvements:

Kaspersky Endpoint Security can now be used in one of two modes: in Light Agent mode to protect virtual environments or in standalone mode. In Light Agent mode for protecting virtual environments, the application is used as a Light Agent component as part of the Kaspersky Security for Virtualization Light Agent solution and lets you protect virtual machines running Linux guest operating systems. In standalone mode, Kaspersky Endpoint Security is used as a standalone application to protect devices running Linux operating systems.
The Integration with Kaspersky Endpoint Detection and Response (KATA) task has gained new response actions aimed at ensuring security functions using commands received from Kaspersky Anti Targeted Attack Platform: Delete File task, Terminate Process task, IOC Scan task, and the ability to enable network isolation for the device.
The application now restarts automatically when updating using the command line and when updating using an autopatch. When updating, the application now automatically restarts to save the administrator the additional step of restarting the application.
The logic for saving information to dump files has been improved. The application configuration file has new settings that let you specify the directory for storing dump files and the minimum free disk space after creating dump files.
We added the ability to set a limit on processor utilization in the general application settings. Additionally, the ScanPriority setting was removed for ODS, Inventory Scan, Container Scan, and Custom Container Scan tasks.
We implemented cloud mode for Kaspersky Endpoint Security. If Kaspersky Endpoint Security is used in standalone mode (and not in Light Agent mode) and you are using KSN in the application, you can enable cloud mode. If cloud mode is enabled, Kaspersky Endpoint Security uses a lightweight version of the malware databases. This lets you reduce the load on device memory.
We added the ability to configure the application running in standalone mode to interact directly with KSN servers when the KSN Proxy service is unavailable.
The user is now better informed thanks to new events, improved event texts, an expanded list of event attributes, and an unification of events in plug-ins and the command line.
The procedure for initial application configuration has new steps related to selecting Light Agent mode and checking for users in privileged groups. The check for the presence of SELinux in the system has also been improved.
The configuration file for automatic initial application configuration has a new setting that lets you disable protection components and scan tasks when starting the application after installation. Installing the application with protection components disabled can be convenient, for example, in order to reproduce a problem in the operation of the application and create a trace file.
We added the ability to use unique tag combinations to specify a container or image to expand the protection scope and exclusion scope for File Threat Protection.
Device Control has been improved. We added the ability to export and import a list of trusted devices in Kaspersky Endpoint Security administration plug-ins. The MMC plug-in interface for this component has also been improved.
We added the ability to export and import exclusions by process for the Behavior Detection task in Kaspersky Endpoint Security administration plug-ins.
The graphical user interface implements the ability to inform the user about the operation of application components and tasks in "Notify only" mode, in which, if a threat is detected, application components and tasks do not attempt to disinfect or remove malicious objects, deny access, or block program activity, but instead only inform the user that a threat was detected. The administration plug-ins also now have a notification that "Notify only" mode has been enabled for the File Threat Protection and Device Control components.
We added the ability to view the remote application installation log and manage the tracing process in the Web Console properties of the managed device or in the Administration Console using the remote diagnostics utility.
In the Kaspersky Endpoint Security administration plug-in, in the Storages -> Backup section, we added the ability to send a file to Kaspersky for scanning.
We reduced the execution time for requests when running the Web Threat Protection task by caching the processes that initiate these requests.
The total wait time when copying files has been reduced by caching the function call for obtaining the username.
In new Linux kernels (beginning with version 3.4), you can now read the memory of processes without stopping them, thereby improving stability. Processes are no longer suspended when scanning memory. This reduces delays in services that ensure uninterrupted data processing, including for software that organizes the operation of clusters.
In the REST API for managing KESL containers, we added a request for obtaining information about the current state of a KESL container and the application status parameters that determine the state of the KESL container (the status of the application, license, and databases).
The list of supported operating systems has been updated.

Page top

[Topic 248502]

Preparing to install the application

General actions

Before starting installation of Kaspersky Endpoint Security, you need to perform the following actions:

Check that your device meets the hardware and software requirements of the application.
Be sure third-party anti-virus software is not installed on your device.
Be sure that Kaspersky Endpoint Agent for Linux is not installed on your device. If Kaspersky Endpoint Agent for Linux is installed, during the installation process you will see a message about the need to manually remote it.
Be sure that an interpreter for Perl version 5.10 or higher is installed on your device.
On devices with operating systems that do not support fanotify technology, make sure that the following are installed:
- Packages for compiling applications and running tasks (gcc, binutils, glibc, glibc-devel, make);
- Package with header files of the operating system kernel for compiling Kaspersky Endpoint Security modules.
Install one of the following packages on your device depending on the operating system:
- On devices running the SUSE Linux Enterprise Server 15 operating system, the insserv-compat package must be installed.
- On devices running the Red Hat Enterprise Linux 8 or RED OS operating system, install the perl-Getopt-Long package.
- On devices running the Red Hat Enterprise Linux or RED OS operating systems, install the perl-File-Copy package. This package is required for the initial application configuration script to work, but may be absent by default.
By default, Astra Linux operating systems block ptrace (Disable ptrace capability), which may affect the operation of Kaspersky Endpoint Security. For Kaspersky Endpoint Security to work correctly, unblock ptrace when installing Astra Linux. If Astra Linux is already installed, see the Astra Linux Help Center website for instructions on how to enable/disable this mode (Configuring protection and blocking mechanisms in the Blocking ptrace section).
If your device uses a Linux kernel lower than 3.16, then in order for the Kaspersky Endpoint Detection and Response (KATA) Integration task to work correctly, you need to make sure the auditd service is not started and not installed.
For the Firewall Management, Web Threat Protection and Network Threat Protection tasks to work, the iptables utility needs to be installed on your device.
For the Kaspersky Endpoint Security administration plug-in to work, Microsoft Visual C++ 2015 Redistributable Update 3 RC (see https://www.microsoft.com/en-us/download/details.aspx?id=52685) must be installed on the Administration Server.
To run the application, make sure that the root account is the owner of the following directories and that only the owner has the right to write to them: /var, /var/opt, /var/opt/kaspersky, /var/log/kaspersky, /opt, /opt/kaspersky, /usr/bin, /usr/lib, /usr/lib64.

Additional actions before installing Kaspersky Endpoint Security in Light Agent mode

If you plan to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments (as part of Kaspersky Hybrid Cloud Security for Virtualization Light Agent), you must perform the following additional actions before starting the installation of Kaspersky Endpoint Security:

Make sure that the following packages are installed on the virtual machines that you want to protect, depending on the virtual infrastructure in which Kaspersky Hybrid Cloud Security for Virtualization Light Agent is deployed:
- In a Microsoft Hyper-V infrastructure, the Integration Services package must be installed on the virtual machines.
- In a VMware vSphere infrastructure, the VMware Tools package must be installed on the virtual machines.
- In a Citrix Hypervisor infrastructure, XenTools must be installed on the virtual machines.
- In a HUAWEI FusionSphere infrastructure, the HUAWEI Tools package must be installed on the virtual machines.
- In an infrastructure based on KVM, TIONIX Cloud Platform, OpenStack, Astra Linux, or Viola Virtualization Server, QEMU Guest Agent must be installed on virtual machines.

Make sure that the settings of network equipment or software that monitor traffic between virtual machines allow network traffic to pass through the ports that are used for interaction between Kaspersky Endpoint Security in Light Agent mode and other components of Kaspersky Hybrid Cloud Security for Virtualization Light Agent. For more details about the solution components, please refer to the Help for Kaspersky Hybrid Cloud Security for Virtualization Light Agent.

Ports used for operation of the Light Agent

Port and protocol	Direction	Purpose and description
7271 TCP	From the Light Agent to the Integration Server.	For interaction between the Light Agent and the Integration Server.
8000 UDP	From the SVM to the Light Agent.	For transmitting information about available SVMs to Light Agents using a list of SVM addresses.
8000 UDP	From the Light Agent to SVMs.	For the Light Agent to receive information about the status of the SVM.
11111 TCP	From the Light Agent to SVMs.	For transmitting service requests (for example, to obtain license information) from the Light Agent to the Protection Server when the connection is unprotected.
11112 TCP	From the Light Agent to SVMs.	For transmitting service requests (for example, to obtain license information) from the Light Agent to the Protection Server when the connection is protected.
9876 TCP	From the Light Agent to SVMs.	For forwarding file scan requests from the Light Agent to the Protection Server when the connection is unprotected.
9877 TCP	From the Light Agent to SVMs.	For transmitting file scan requests from the Light Agent to the Protection Server when the connection is protected.
80 TCP	From the Light Agent to SVMs.	For updating databases and application modules of the solution on the Light Agent.
15000 UDP	From Kaspersky Security Center to SVMs.	For managing the Protection Server via Kaspersky Security Center.
15000 UDP	From Kaspersky Security Center to Light Agents.	For managing the Light Agent via Kaspersky Security Center.
13000 TCP	From the Light Agent to Kaspersky Security Center.	For managing the Light Agent via Kaspersky Security Center when the connection is protected.
14000 TCP	From the Light Agent to Kaspersky Security Center.	For managing Light Agent via Kaspersky Security Center when the connection is unprotected.

Page top

[Topic 248501]

Installing the application

You need to prepare for installation before installing Kaspersky Endpoint Security.

The scenarios below describe how to install and perform initial configuration of Kaspersky Endpoint Security, how to install and configure Kaspersky Security Center Network Agent and how to install Kaspersky Endpoint Security administration plug-ins. The installation scenario depends on the mode in which you plan to use Kaspersky Endpoint Security.

Standalone mode

If you plan to use Kaspersky Endpoint Security in standalone mode, installation and initial configuration of Kaspersky Endpoint Security consists of the following steps:

Installation and initial configuration of the Network Agent
If you plan to manage Kaspersky Endpoint Security using Kaspersky Security Center, install and configure Kaspersky Security Center Network Agent on the protected device.
Installing the Kaspersky Endpoint Security administration plug-in
If you plan to manage Kaspersky Endpoint Security using Kaspersky Security Center, install the Kaspersky Endpoint Security administration plug-in. Depending on the console used to manage Kaspersky Security Center, the following administration plug-ins are used:
- The Kaspersky Endpoint Security administration MMC plug-in lets you manage the application using Kaspersky Security Center Administration Console. The MMC plug-in is installed on the device where Kaspersky Security Center Administration Console is installed.
- The Kaspersky Endpoint Security management web plug-in lets you manage the application using Kaspersky Security Center Cloud Console and Kaspersky Security Center Web Console. The web plug-in is installed on the device that has Kaspersky Security Center Web Console installed.
Installing application packages and graphical user interface
Kaspersky Endpoint Security and the graphical user interface are distributed in DEB and RPM format packages. Install Kaspersky Endpoint Security and, if necessary, the graphical user interface from packages in the appropriate format.

You can install the application using the command line or using Kaspersky Security Center by means of the Administration Console or Kaspersky Security Center Web Console.
Initial configuration of Kaspersky Endpoint Security
The initial configuration must be performed to enable the protection of the client device.

If you installed Kaspersky Endpoint Security using the command line, run the initial configuration script or perform the initial configuration in automatic mode.

If you installed Kaspersky Endpoint Security using Kaspersky Security Center, go through the Getting started procedure.

Light Agent mode

Using Kaspersky Endpoint Security in Light Agent mode to protect virtual environments is not supported on operating systems based on the Arm architecture.

If you plan to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments, installation and initial configuration of Kaspersky Endpoint Security consists of the following steps:

Installation and initial configuration of the Network Agent
Install and configure Kaspersky Security Center Agent on virtual machines and virtual machine templates.

If you are installing Network Agent on a template that will be used to create temporary virtual machines, it is recommended to configure settings that allow you to optimize performance on temporary virtual machines. For more details about installing on a virtual machine template, refer to the Help for Kaspersky Security for Virtualization Light Agent.
Installing the Kaspersky Endpoint Security administration plug-in
Install a Kaspersky Endpoint Security administration plug-in. Depending on the console used to manage Kaspersky Security Center, the following administration plug-ins are used:
- The Kaspersky Endpoint Security administration MMC plug-in lets you manage the application using Kaspersky Security Center Administration Console. The MMC plug-in is installed on the device where Kaspersky Security Center Administration Console is installed.
- The Kaspersky Endpoint Security management web plug-in lets you manage the application using Kaspersky Security Center Cloud Console and Kaspersky Security Center Web Console. The web plug-in is installed on the device that has Kaspersky Security Center Web Console installed.
Installing application packages
Kaspersky Endpoint Security is distributed in packages in the DEB and RPM formats. Install Kaspersky Endpoint Security from a package of the required format.

The graphical user interface is not supported if Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments.

You can install the application using the command line or using Kaspersky Security Center by means of the Administration Console or Kaspersky Security Center Web Console.

If installing via Kaspersky Security Center, you need to select Light Agent mode in the autoinstall.ini file (KSVLA_MODE=yes) and include this file in the installation package used when installing the application. If you install Kaspersky Endpoint Security on a template that will be used to create temporary virtual machines, it is recommended to also configure the VDI_MODE=yes setting in the autoinstall.ini file, which allows you to optimize the operation on temporary virtual machines.
Initial configuration of Kaspersky Endpoint Security
The initial configuration must be performed to enable the protection of the client device.
- If you installed Kaspersky Endpoint Security using the command line, run the initial configuration script or perform the initial configuration in automatic mode. You need to select Light Agent mode in one of the following ways:
  - Enter yes in the Specifying the application usage step of the initial configuration script.
  - Specify the KSVLA_MODE=yes setting in the initial setup configuration file.
  If you install Kaspersky Endpoint Security on a template that will be used to create temporary virtual machines, it is recommended to also configure the setting, which allows you to optimize the operation on temporary virtual machines. For more details about installing on a virtual machine template, refer to the Help for Kaspersky Security for Virtualization Light Agent.
- If you installed Kaspersky Endpoint Security using Kaspersky Security Center, go through the Getting started procedure.

In this Help section

Deploying the application using the command line

Installing and configuring Kaspersky Security Center Network Agent

Installing Kaspersky Endpoint Security administration plug-ins

Deploying the application using Kaspersky Security Center

Running the application on Astra Linux in closed software environment mode

Configuring allowing rules in the SELinux system

Page top

[Topic 198107]

Deploying the application using the command line

Kaspersky Endpoint Security is distributed in the DEB and RPM packages. There are separate packages for the application and for the graphical user interface.

You can perform the following actions when installing the application:

Install only the application package, without the graphical user interface.
Install the graphical user interface package.
It is not possible to install the graphical user interface package on a client device that does not have the application package installed.

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments (as part of Kaspersky Hybrid Cloud Security for Virtualization Light Agent), the graphical user interface is not supported. You need to install only the application package without the graphical user interface.

If the version of the apt package manager is lower than 1.1.X, use the dpkg/rpm package manager (depending on the operating system) for installation.

After the application installation using the command line is completed, perform the post-installation configuration of the application by running the post-installation configuration script or in the automatic mode.

In this section

Installing the application using the command line

Post-installation configuration of the application in interactive mode

Post-installation configuration of the application in automatic mode

Settings in the configuration file for post-installation configuration

Page top

[Topic 233694]

Installing the application using the command line

Installing the application without the graphical interface.

To install Kaspersky Endpoint Security from an RPM package on a 32-bit operating system, execute the following command:

# rpm -i kesl-12.0-<build number>.i386.rpm

To install Kaspersky Endpoint Security from an RPM package on a 64-bit operating system, execute the following command:

# rpm -i kesl-12.0-<build number>.x86_64.rpm

To install Kaspersky Endpoint Security from an RPM package on a 64-bit operating system for the Arm architecture, execute the following command:

# rpm -i kesl-12.0-<build number>.aarch64.rpm

To install Kaspersky Endpoint Security from a DEB package on a 32-bit operating system, execute the following command:

# apt-get install ./kesl_12.0-<build number>_i386.deb

To install Kaspersky Endpoint Security from a DEB package on a 64-bit operating system, execute the following command:

# apt-get install ./kesl_12.0-<build number>_amd64.deb

To install Kaspersky Endpoint Security from a DEB package on a 64-bit operating system for the Arm architecture, execute the following command:

# apt-get install ./kesl_12.0-<build number>_arm64.deb

Installing the graphical interface of the application

To install the graphical interface from the RPM package to a 32-bit operating system, execute the following command:

# rpm -i kesl-gui-12.0-<build number>.i386.rpm

To install the graphical interface from the RPM package to a 64-bit operating system, execute the following command:

# rpm -i kesl-gui-12.0-<build number>.x86_64.rpm

To install the graphical interface from an RPM package on a 64-bit operating system for the Arm architecture, execute the following command:

# rpm -i kesl-gui-12.0-<build number>.aarch64.rpm

To install the graphical interface from the DEB package to a 32-bit operating system, execute the following command:

# apt-get install ./kesl-gui_12.0-<build number>_i386.deb

To install the graphical interface from the DEB package to a 64-bit operating system, execute the following command:

# apt-get install ./kesl-gui_12.0-<build number>_amd64.deb

To install the graphical interface from a DEB package on a 64-bit operating system for the Arm architecture, execute the following command:

# apt-get install ./kesl-gui_12.0-<build number>_arm64.deb

Page top

[Topic 197897]

Post-installation configuration of the application in interactive mode

After installing Kaspersky Endpoint Security using the command line, perform the initial configuration of the application by running the initial configuration script. The initial configuration script is included in the Kaspersky Endpoint Security distribution kit.

Performing the post-installation configuration after installing the application using the command line is required to enable the protection of the client device.

To run the Kaspersky Endpoint Security initial configuration script, execute the following command:

# /opt/kaspersky/kesl/bin/kesl-setup.pl

The initial configuration script must be run with the root privileges after the installation of Kaspersky Endpoint Security package is finished. The script requests the values of Kaspersky Endpoint Security settings step-by-step. The script finishing and the console being released indicate that the post-installation configuration is completed.

To check the return code, execute the following command:

echo $?

If the command returns 0, the post-installation configuration of the application is completed successfully.

Kaspersky Endpoint Security protects the device only after the application databases are updated.

In this section

Selecting the application usage mode

Defining the role of the virtual machine

Enabling VDI protection mode

Selecting the locale

Viewing the End User License Agreement and the Privacy Policy

Accepting the End User License Agreement

Accepting the Privacy Policy

Using Kaspersky Security Network

Removing users from privileged groups

Assigning the Administrator role to a user

Determining the file operation interceptor type

Enabling automatic configuration of SELinux

Configuring the update source

Configuring proxy server settings

Starting an application database update

Enabling automatic application database update

Application activation

Page top

[Topic 82654]

Selecting the application usage mode

At this step, select the Kaspersky Endpoint Security usage mode:

Enter yes if you want to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments.
Enter no if you want to use Kaspersky Endpoint Security in standalone mode.

After the initial configuration is complete, you cannot change the application usage mode.

Page top

[Topic 90255]

Defining the role of the virtual machine

This step is displayed only if at the first step you selected to use Kaspersky Endpoint Security in Light Agent mode for protecting virtual environments.

At this step, specify the role of the virtual machine (server or workstation) on which you are installing Kaspersky Endpoint Security:

Enter yes if you are using the virtual machine as a server.
Enter no if you are using a virtual machine as a workstation.

The role of a virtual machine determines the license under which the application will be used on this virtual machine as well as the available functionality.

Page top

[Topic 85820]

Enabling VDI protection mode

This step is displayed only if at the first step you selected to use Kaspersky Endpoint Security in Light Agent mode for protecting virtual environments.

At this step, you can enable VDI protection mode. This mode optimizes the operation of Kaspersky Endpoint Security on temporary virtual machines. If VDI protection mode is enabled, updates that require restarting the virtual machine are not installed. When receiving updates that require a restart, the Light Agent installed on the virtual machine sends a message to Kaspersky Security Center about the need to update the protected virtual machine template.

Specify yes if you want to enable VDI protection mode. This is recommended if you are installing Kaspersky Endpoint Security on a virtual machine template that will be used to create temporary virtual machines.

Specify no if you do not want to enable VDI protection mode. This is recommended if you are installing Kaspersky Endpoint Security on a persistent virtual machine or on a virtual machine template that will be used to create persistent virtual machines.

Page top

[Topic 197898]

Selecting the locale

At this step, the application displays the list of supported locale identifiers in RFC 3066 format.

Specify the locale in the format as identified in this list. This locale will be used for application events sent to Kaspersky Security Center, as well as for the texts of the License Agreement, Privacy Policy, and Kaspersky Security Network Statement.

The locale of the graphical interface and the application command line depends on the value of the LANG environment variable. If the locale that is not supported by Kaspersky Endpoint Security is specified as the value of the LANG environment variable, the graphical interface and the command line are displayed in English.

Page top

[Topic 199016]

Viewing the End User License Agreement and the Privacy Policy

At this step, read the End User License Agreement concluded between you and Kaspersky, and the Privacy Policy describing the handling and transmission of data.

Page top

[Topic 197899]

Accepting the End User License Agreement

At this step, you must either accept or decline the terms of the End User License Agreement.

After exiting viewing mode, enter one of the following values:

yes (or y), if you accept the terms of the End User License Agreement.
no (or n), if you do not accept the terms of the End User License Agreement.

If you did not accept the terms and conditions of the End User License Agreement, the Kaspersky Endpoint Security setup process is aborted.

Page top

[Topic 197900]

Accepting the Privacy Policy

At this step, you must either accept or decline the terms of the Privacy Policy.

After exiting viewing mode, enter one of the following values:

yes (or y), if you accept the terms of the Privacy Policy.
no (or n), if you do not accept the terms of the Privacy Policy.

If you did not accept the terms and conditions of the Privacy Policy, the Kaspersky Endpoint Security setup process is aborted.

Page top

[Topic 197901]

Using Kaspersky Security Network

At this step, you must either accept or decline the terms of use of the Kaspersky Security Network Statement. The file ksn_license.<language ID> containing the text of the Kaspersky Security Network Statement is located in the directory /opt/kaspersky/kesl/doc/.

Enter one of the following values:

yes (or y), if you accept the terms of the Kaspersky Security Network Statement. This enables the extended KSN mode.
no (or n), if you do not accept the terms of the Kaspersky Security Network Statement.

Refusal to participate in Kaspersky Security Network does not interrupt the initial configuration of Kaspersky Endpoint Security. You can enable, disable, or change the Kaspersky Security Network mode at any time.

If Kaspersky Endpoint Security is used in standalone mode and you have enabled the use of Kaspersky Security Network, the application's cloud mode is automatically enabled. In this mode, Kaspersky Endpoint Security uses a lightweight version of the malware databases. In Light Agent mode for protecting virtual environments, use of the lightweight malware databases is not supported.

Page top

[Topic 93536]

Removing users from privileged groups

This step is displayed only if users are detected in the kesladmin group and/or in the keslaudit group.

At this step, specify whether or not to remove users from the kesladmin and keslaudit privileged groups. Users included in the kesladmin and keslaudit groups receive privileged access to the application's functions.

Enter yes to remove all detected users from the kesladmin and/or keslaudit group. Users whose primary group is kesladmin or keslaudit will be moved to the nogroup group. If there is no nogroup group, the installation will fail and you will be prompted to manually remove users from privileged groups.

Enter no if you do not want the application to remove users from the privileged groups.

Page top

[Topic 206406]

Assigning the Administrator role to a user

At this step, you can grant the administrator (admin) role to the user.

Enter the name of the user to whom you want to grant the administrator role.

You can grant the administrator role to the user later at any time.

Page top

[Topic 197903]

Determining the file operation interceptor type

At this step, the file operation interceptor type for the utilized operating system is determined. For operating systems that do not support fanotify technology, kernel module compilation will begin.

If all the required packages are available, the kernel module will be automatically compiled when the File Threat Protection task starts.

If, during the compilation of the kernel module, any dependencies are not found on the device, the Kaspersky Endpoint Security application suggests installing the relevant packages. If the package download fails, an error message will be displayed.

Page top

[Topic 237159]

Enabling automatic configuration of SELinux

This step is displayed only if SELinux is installed on your operating system.

At this step, you can enable automatic configuration of SELinux for working with Kaspersky Endpoint Security.

Enter yes to enable automatic configuration of SELinux. If SELinux cannot be configured automatically, the application displays an error message and prompts the user to configure SELinux manually.

Enter no if you do not want the application to automatically configure SELinux.

By default, the application suggests yes.

If necessary, you can manually configure SELinux to work with the application later, after the initial configuration of Kaspersky Endpoint Security is complete.

Page top

[Topic 197904]

Configuring the update source

This step is displayed only if you selected to use Kaspersky Endpoint Security in standalone mode at the first step. If Kaspersky Endpoint Security is used in Light Agent mode, Kaspersky Endpoint Security receives updates of databases and application modules for the Light Agent from the Protection Server.

At this step, specify the update sources for databases and application modules.

Enter one of the following values:

KLServers: the application receives updates from one of the Kaspersky update servers.
SCServer: the application downloads updates to the protected device from Kaspersky Security Center Administration Server installed in your organization. You can select this update source if you use Kaspersky Security Center for centralized administration of device protection in your organization.
<URL>: the application downloads updates from a custom source. You can specify the address of the custom source of updates in the local area network or on the Internet.
<path> – the application receives updates from the specified directory.

Page top

[Topic 197905]

Configuring proxy server settings

This step is displayed only if you selected to use Kaspersky Endpoint Security in standalone mode at the first step.

At this step, you must specify the proxy server settings if you are using a proxy server to access the Internet. Internet connection is required to download the application databases from the update servers.

To configure proxy server settings, perform one of the following actions:

If you use a proxy server to connect to the Internet, specify the address of the proxy server using one of the following formats:
- <IP address of the proxy server>:<port number>, if the proxy server connection does not require authentication;
- <user name>:<password>@<IP address of the proxy server>:<port number>, if the proxy server connection requires authentication.
  When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.
If you do not use a proxy server to connect to the Internet, enter no as your answer.

By default, the application suggests no.

You can configure the proxy server settings later without using the post-installation configuration script.

Page top

[Topic 197906]

Starting an application database update

At this step, you can run the application database update task on the client device. The application databases contain descriptions of the threat signatures and methods of countering them. The application uses these records when searching and neutralizing threats. Kaspersky virus analysts regularly add new records about threats.

If you do not want to start to download the application databases, enter no.

If you want to start the database update task on the device, enter yes.

By default, the application suggests yes.

If yes is selected, the application will be automatically restarted after the databases are updated.

Kaspersky Endpoint Security protects the device only after the application databases are updated.

You can start the Update task without using the initial configuration script.

Page top

[Topic 197907]

Enabling automatic application database update

At this step, you can enable automatic update of the application databases.

Enter yes to enable automatic application database update. By default, the application checks for available database updates every 60 minutes. If updates are available, the application downloads the updated databases.

Enter no if you do not want the application to automatically update the databases.

You can enable automatic database update without using the initial configuration script by configuring the update task schedule.

Page top

[Topic 197908]

Application activation

This step is displayed only if you selected to use Kaspersky Endpoint Security in standalone mode at the first step. If Kaspersky Endpoint Security is used in Light Agent mode, Kaspersky Endpoint Security receives information about the license from the Protection Server; there is no need to activate Kaspersky Endpoint Security separately.

At this step, activate the application using an activation code or a key file.

To activate the application using an activation code, enter the activation code.

To activate the application using a key file, specify the full path to the key file.

If no activation code or key file is specified, the application is activated using a trial key for one month.

You can activate the application later without using the post-installation configuration script.

Page top

[Topic 197909]

Post-installation configuration of the application in automatic mode

You can perform post-installation configuration of the application in automatic mode.

To launch the automatic initial setup of the application, carry out the following command:

# /opt/kaspersky/kesl/bin/kesl-setup.pl --autoinstall=<initial configuration file>

where <post-installation configuration file> is a path to the configuration file that contains post-installation configuration settings. You can create this file or copy the necessary structure from the autoinstall.ini configuration file used for remote installation of the application using Kaspersky Security Center.

When the post-installation configuration script is finished and releases the console, the post-installation configuration of the application is complete.

To check the return code, execute the following command:

echo $?

If the command returns 0, the post-installation configuration of the application is completed successfully.

Kaspersky Endpoint Security protects the device only after the application databases are updated.

To correctly update application modules after the script has finished, you may need to restart the application. Check the status of updates for the application using the kesl-control --app-info command.

Page top

[Topic 236947]

Settings in the configuration file for post-installation configuration

In the post-installation configuration file, you can specify the settings shown in the table below. The set of applicable settings depends on the application usage mode.

Settings in the configuration file for post-installation configuration

Setting	Description	Values
KSVLA_MODE	Kaspersky Endpoint Security usage mode.	`yes` - Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments (as part of Kaspersky Hybrid Cloud Security for Virtualization Light Agent). `no` - Kaspersky Endpoint Security is used in standalone mode.
SERVER_MODE	The role of the protected virtual machine (server or workstation). The setting is applied only if the application is used in Light Agent mode.	`yes` - the protected virtual machine is used as a server. `no` - the protected virtual machine is used as a workstation.
VDI_MODE	Enabling VDI protection mode to optimize application performance on temporary virtual machines. The setting is applied only if the application is used in Light Agent mode.	`yes` – enable VDI protection mode. This is recommended if you are installing Kaspersky Endpoint Security on a virtual machine template that will be used to create temporary virtual machines. `no` – do not enable VDI protection mode.
EULA_AGREED	Required setting. Acceptance of the terms of the End User License Agreement.	`yes`: accept the terms of the End User License Agreement to continue the application installation. `no` – do not accept the End User License Agreement. The application installation will be terminated.
PRIVACY_POLICY_AGREED	Required setting. Acceptance of the terms of the Privacy Policy.	`yes`: accept the Privacy Policy to continue installing the application. `no` – do not accept the terms and conditions of the Privacy Policy. The application installation will be terminated.
USE_KSN	Required setting. Enabling Kaspersky Security Network usage: To enable the use of KSN, the terms of the Kaspersky Security Network Statement must be accepted.	`yes` – accept the terms of the Kaspersky Security Network Statement and enable the use of KSN. `no` – do not accept the Kaspersky Security Network Statement. If Kaspersky Endpoint Security is used in standalone mode and you have enabled the use of KSN, the application's cloud mode is automatically enabled. In this mode, Kaspersky Endpoint Security uses a lightweight version of the malware databases.
GROUP_CLEAN	Required setting. Removing users from the kesladmin and keslaudit privileged groups.	`yes` - Remove users from the privileged groups. If the value is `yes` and there is no nogroup group, the installation will fail and you will be prompted to manually remove users from privileged groups. `no` - Do not remove users from the privileged groups.
LOCALE	Optional setting. The locale used for the application events sent to Kaspersky Security Center.	The locale in the format specified by RFC 3066. If the `Locale` setting is not specified, the operating system locale is used. If the application fails to determine the operating system localization language or the operating system localization is not supported, the default value will be used – `en_US.utf8`. The locale of the graphical interface and the application command line depends on the value of the `LANG` environment variable. If the locale that is not supported by Kaspersky Endpoint Security is specified as the value of the `LANG` environment variable, the graphical interface and the command line are displayed in English.
INSTALL_LICENSE	Activation code or key file. This setting applies only if the application is used in standalone mode.
UPDATER_SOURCE	Update source. This setting applies only if the application is used in standalone mode.	`SCServer` – use the Kaspersky Security Center Administration Server as the update source. `KLServers` – use Kaspersky servers as the update source. Update source address
PROXY_SERVER	Address of the proxy server used to connect to the Internet. This setting applies only if the application is used in standalone mode.	Proxy server address
UPDATE_EXECUTE	Start application database update task during setup. This setting applies only if the application is used in standalone mode.	`yes` – start update task. `no` – do not start update task.
KERNEL_SRCS_INSTALL	Automatic start of kernel module compilation.	`yes` – compile kernel module. `no` – do not compile kernel module.
ADMIN_USER	A user assigned the administrator role (admin).
CONFIGURE_SELINUX	Automatic configuration of SELinux for working with Kaspersky Endpoint Security.	`yes` – automatically configure SELinux to work with Kaspersky Endpoint Security. `no` – do not automatically configure SELinux to work with Kaspersky Endpoint Security.
DISABLE_PROTECTION	Disable protection components and scan tasks after the application is installed. An installation with protection components disabled can be convenient, for example, in order to reproduce a problem in the operation of the application and create a trace file. If you enable the necessary components and tasks after installing the application with the `DISABLE_PROTECTION=yes` parameter, the enabled components and tasks will continue to work after the application is restarted.	`yes` - Disable protection components and scan tasks when the application is started after installation. `no` - Do not disable protection components and scan tasks when the application is started after installation.

If you want to change the settings in the configuration file for initial setup of the application, specify the values of settings in the following format: <setting_name>=<setting_value> (the application does not process spaces between the name of a setting and its value).

Page top

[Topic 198105]

Installing and configuring Kaspersky Security Center Network Agent

Network Agent must be installed in order to manage Kaspersky Endpoint Security via Kaspersky Security Center.

Network Agent facilitates the client device's connection with the Kaspersky Security Center Administration Server. It must be installed on every client device that will be connected to Kaspersky Security Center, the centralized remote management system.

You can perform installation and post-installation configuration of Network Agent using the command line. Network Agent can also be installed and configured remotely using Kaspersky Security Center (for details, refer to Kaspersky Security Center documentation).

In this section

Installing Network Agent using the command line

Post-installation configuration of the Network Agent using the command line

Page top

[Topic 237152]

Installing Network Agent using the command line

The Network Agent installation process must be started with root privileges.

To install Network Agent from an RPM package to a 32-bit operating system, execute the following command:

# rpm -i klnagent-<build number>.i386.rpm

To install Network Agent from an RPM package to a 64-bit operating system, execute the following command:

# rpm -i klnagent64-<build number>.x86_64.rpm

To install Network Agent from an RPM package on a 64-bit operating system for the Arm architecture, execute the following command:

# rpm -i klnagent64-<build number>.aarch64.rpm

To install Network Agent from a DEB package to a 32-bit operating system, execute the following command:

# apt-get install ./klnagent_<build number>_i386.deb

To install Network Agent from a DEB package to a 64-bit operating system, execute the following command:

# apt-get install ./klnagent64_<build number>_amd64.deb

To install Network Agent from a DEB package on a 64-bit operating system for the Arm architecture, execute the following command:

# apt-get install ./klnagent64_<build number>_arm64.deb

After installing the package, perform initial configuration of the Network Agent.

Page top

[Topic 197913]

Post-installation configuration of the Network Agent using the command line

To configure Network Agent settings:

Execute the command:
- for a 32-bit operating system:
  # /opt/kaspersky/klnagent/lib/bin/setup/postinstall.pl
- for a 64-bit operating system:
  # /opt/kaspersky/klnagent64/lib/bin/setup/postinstall.pl
Accept the End User License Agreement.
Specify the DNS name or IP address of the Administration Server.
Specify the port number of the Administration Server.
Port 14000 is used by default.
If you want to use an SSL connection, specify the SSL port number of the Administration Server.
Port 13000 is used by default.
Do one of the following:
- Enter yes if you want to use an SSL connection.
- Enter no if you do not want to use an SSL connection.
By default, SSL connection is enabled.
If necessary, specify the connection gateway usage mode:
- 1—Do not configure a connection gateway.
- 2—Do not use a connection gateway.
- 3—Connect to the Administration Server using a connection gateway.
- 4—Use the Network Agent as a connection gateway.
The default value is the first option.

For more detailed information about configuring Network Agent, please refer to the Kaspersky Security Center documentation.

Page top

[Topic 233554]

Installing Kaspersky Endpoint Security administration plug-ins

The following Kaspersky Endpoint Security administration plug-ins are used to manage Kaspersky Endpoint Security using Kaspersky Security Center:

The Kaspersky Endpoint Security MMC administration plug-in lets you manage the application using Kaspersky Security Center Administration Console.
The Kaspersky Endpoint Security management web plug-in lets you manage the application using Kaspersky Security Center Cloud Console and Kaspersky Security Center Web Console.

You can install administration plug-ins for different versions of Kaspersky Endpoint Security simultaneously. This allows you to manage the application by using the policies created with different administration plug-in versions. You can also convert policies and tasks created with previous versions of the administration plug-in to newer versions.

In this section

About the Kaspersky Endpoint Security administration MMC plug-in

About the Kaspersky Endpoint Security administration web plug-in

Page top

[Topic 198108]

About the Kaspersky Endpoint Security administration MMC plug-in

The Kaspersky Endpoint Security administration MMC plug-in (hereinafter also referred to as the MMC plug-in) facilitates interaction between Kaspersky Endpoint Security and Kaspersky Security Center using the Administration Console. The MMC plug-in allows you to manage Kaspersky Endpoint Security using policies and tasks.

The MMC plug-in must be installed on the same client device where Kaspersky Security Center Administration Console is installed.

Before installing Kaspersky Endpoint Security administration MMC plug-in, make sure that Kaspersky Security Center and Redist C++ 2015 (Microsoft Visual C++ 2015 Redistributable) are installed.

For more details about administration plug-ins, refer to Kaspersky Security Center documentation.

Page top

[Topic 202111]

About Kaspersky Endpoint Security administration web plug-in

Kaspersky Endpoint Security management web plug-in (hereinafter also referred to as web plug-in) facilitates interaction between Kaspersky Endpoint Security and Kaspersky Security Center using Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console. The web plug-in allows you to manage Kaspersky Endpoint Security using policies and tasks.

The web plug-in must be installed on the client device that has Kaspersky Security Center Web Console installed. The functionality of the web plug-in is available to all administrators who have access to Kaspersky Security Center Web Console in a browser.

You can view the list of installed web plug-ins in Kaspersky Security Center Web Console interface: Console settings → Web plug-ins. For more information about compatibility of the web plug-in and Kaspersky Security Center Web Console versions, refer to Kaspersky Security Center documentation.

If you select a language that is not included in Kaspersky Endpoint Security distribution package in the properties of Kaspersky Security Center Administration Server, the License Agreement and the entire Kaspersky Security Center Web Console interface will be displayed in English.

Installing the web plug-in

You can install the web plug-in as follows:

Using the Quick Start Wizard for Kaspersky Security Center Web Console.
Kaspersky Security Center Web Console automatically prompts you to run the Initial Setup Wizard when connecting Web Console to the Administration Server for the first time. You can also run the Initial Setup Wizard in the Web Console interface (Device discovery and deployment → Deployment and assignment → Initial Setup Wizard). The Initial Configuration Wizard can also check if the installed web plug-ins are up to date and download the necessary updates. For more information on the Initial Setup Wizard for Kaspersky Security Center Web Console, please refer to Kaspersky Security Center documentation.
From the list of available distribution kits in Kaspersky Security Center Web Console.
To install the web plug-in, select the web plug-in distribution kit in the Web Console interface: Console settings → Web plug-ins. The list of available distribution packages is updated automatically after new versions of Kaspersky applications are released.
Download the distribution kit to Kaspersky Security Center Web Console from an external source.
To install the web plug-in, add the ZIP-archive of the web plug-in distribution kit in the Web Console interface: Console settings → Web plug-ins. The distribution kit of the web plug-in can be downloaded on the Kaspersky website, for example. For a local version of the application, additionally upload a text file that contains a signature.

Updating the web plug-in

If a new version of the web plug-in becomes available, Kaspersky Security Center Web Console displays the Updates are available for utilized plug-ins notification. You can proceed to update the web plug-in version from this Web Console notification. You can also manually check for new web plug-in updates in the Web Console interface (Console settings → Web plug-ins). The previous version of the web plug-in will be automatically removed during the update.

When the web plug-in is updated, already existing components (for example, policies or tasks) are saved. The new settings of components implementing new functions of Kaspersky Endpoint Security will appear in existing components and will have the default values.

You can update the web plug-in as follows:

In the list of web plug-ins in online mode.
To update the web plug-in, select the distribution package of Kaspersky Endpoint Security web plug-in in the Kaspersky Security Center Web Console interface (Console settings → Web plug-ins) and run the update. Web Console checks for available updates on Kaspersky servers and downloads the relevant updates.
From a file.
To update the web plug-in, select the ZIP-archive of the distribution package of Kaspersky Endpoint Security web plug-in in the Kaspersky Security Center Web Console interface: Console settings → Web plug-ins. The distribution kit of the web plug-in can be downloaded on the Kaspersky website, for example. For a local version of the application, additionally upload a text file that contains a signature.

You can only update the web plug-in to a more recent version. The web plug-in cannot be updated to an older version.

If any component is opened (such as a policy or task), the web plug-in checks its compatibility information. If the version of the web plug-in is equal to or later than the version specified in the compatibility information, you can change the settings of this component. Otherwise, you cannot use the web plug-in to change the settings of the selected component. It is recommended to update the web plug-in.

Page top

[Topic 197922]

Deploying the application using Kaspersky Security Center

You can install Kaspersky Endpoint Security on a client device remotely from the administrator's workstation using Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console.

For the remote installation, Kaspersky Endpoint Security installation package is used. An installation package is a set of files created for remote installation of Kaspersky applications using Kaspersky Security Center. The installation package contains the settings required to install the application and ensure its operation immediately after the installation. The values of the settings correspond to the default values of the application settings. The installation package is created using the .kud file included in the application distribution kit. Kaspersky Endpoint Security installation package is common for all supported operating systems and processor architecture types.

If you plan to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments (as part of Kaspersky Hybrid Cloud Security for Virtualization Light Agent), you need to configure the settings in the autoinstall.ini configuration file and include this file in the installation package.

You can deploy Kaspersky Endpoint Security on the devices in the corporate network in several ways.

The Kaspersky Security Center Administration Console supports the following main deployment methods:

Installing the application using the Remote Installation Wizard.
Installing the application using the remote installation task.

Kaspersky Security Center Web Console supports the following main deployment methods:

Installing the application using the Protection Deployment Wizard.
Installing the application using the remote installation task.

For a description of the deployment procedures, see the Kaspersky Security Center Help.

If necessary, you can view the remote application installation log in the Web Console in the properties of the managed device on the Advanced tab in the Remote diagnostics section or in the Administration Console using the remote diagnostics utility.

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, then activation of the application during installation and automatic license key distribution are not supported. If Kaspersky Endpoint Security receives information about the license from the Protection Server after connecting to the SVM; there is no need to activate Kaspersky Endpoint Security separately.

To use Kaspersky Security Center to manage Kaspersky Endpoint Security installed on client devices, you need to put these devices in

administration groups

. Before starting Kaspersky Endpoint Security installation, you can create Kaspersky Security Center administration groups to which you want to move the devices with Kaspersky Endpoint Security installed, and configure the rules to automatically move the devices to these administration groups. If rules for moving devices to the administration groups are not configured, Kaspersky Security Center moves all the devices that have the Administration Agent installed and are connected to Administration Server to the Unassigned devices list. In this case, you need to manually move computers to the administration groups (refer to the Kaspersky Security Center Help for details).

In this section

Creating an installation package in Kaspersky Security Center Administration Console

Creating an installation package in Kaspersky Security Center Web Console

Preparing an archive with application databases in order to create an installation package with integrated databases

Autoinstall.ini configuration file settings

Getting started using Kaspersky Security Center

Activating the application using Kaspersky Security Center

Page top

[Topic 236944]

Creating an installation package in Kaspersky Security Center Administration Console

Before creating an installation package for Kaspersky Endpoint Security, you need to prepare the files to be included in the package.

To prepare files for creating an installation package:

Download the kesl.zip archive from the application download page. It is located in the Kaspersky Endpoint Security for Linux (Additional distribution -> Files for Product remote installation).
Unpack the kesl.zip archive to a folder accessible to Kaspersky Security Center Administration Server. Place the distribution files, that correspond to the type of operating system where you want to install the application and the type of its package manager, to the same folder:
- To install Kaspersky Endpoint Security:
  - kesl-12.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
  - kesl_12.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
  - kesl-12.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
  - kesl_12.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)
  - kesl-12.0-<build number>.aarch64.rpm (for 64-bit operating systems with rpm for the Arm architecture)
  - kesl_12.0-<build number>_arm64.deb (for 64-bit operating systems with dpkg for the Arm architecture)
- to install the GUI:
  - kesl-gui-12.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
  - kesl-gui_12.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
  - kesl-gui-12.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
  - kesl-gui_12.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)
  - kesl-gui-12.0-<build number>.aarch64.rpm (for 64-bit operating systems with rpm for the Arm architecture)
  - kesl-gui_12.0-<build number>_arm64.deb (for 64-bit operating systems with dpkg for the Arm architecture)
  If you do not want to install a graphical user interface, do not use these files; this will make the installation package smaller.
  
  If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the graphical user interface is not supported.
If the graphical user interface will not be used, you need to set the USE_GUI=No parameter-value pair in the autoinstall.ini configuration file. Otherwise, the installation will fail.

If you want to use the created installation package to install the application on several types of operating systems or package managers, place the files for all the required types of operating systems and package managers in the folder.
If you plan to use Kaspersky Endpoint Security in standalone mode and want to use previously downloaded databases, place the prepared archives with databases for all required operating system types in the folder. Open the autoinstall.ini configuration file and specify UPDATE_EXECUTE=no. The autoinstall.ini file is located in the folder where you unpacked the kesl.zip archive.
If you are planning to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments or you want to specify the initial configuration parameters of the application, open the autoinstall.ini configuration file and make the necessary changes. The autoinstall.ini file is located in the folder where you unpacked the kesl.zip archive.
If you plan to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments, you need to set the KSVLA_MODE=yes setting in the autoinstall.ini configuration file.

To create an installation package for Kaspersky Endpoint Security in the Administration Console of Kaspersky Security Center:

Open the Administration Console of Kaspersky Security Center.
In the console tree, select Additional → Remote installation → Installation packages.
Click the Create installation package button.
The wizard for creating an installation package will start.
In the wizard window that opens, click the Create installation package for a Kaspersky application button.
Enter the name of the new installation package and proceed to the next step.
Select Kaspersky Endpoint Security distribution package. To do this, open a standard browsing window using the Browse button and specify the path to the kesl.kud file. The file is located in the folder where you unpacked the kesl.zip archive.
The application name is displayed in the window.

Proceed to the next step.
Read the License Agreement between you and Kaspersky and the Privacy Policy that describes the processing and transmission of data.
To continue creating the installation package, you must confirm that you have read and accept the full terms of the End User License Agreement and the Privacy Policy. To confirm, in the window that opens, select both check boxes.

Proceed to the next step.
The wizard downloads the files required to install the application to Kaspersky Security Center Administration Server. Wait for the download to finish.
Complete the wizard.

The created installation package is located in the tree of the Administration Console of Kaspersky Security Center in the Additional → Remote installation → Installation packages folder. You can use the same installation package many times.

Page top

[Topic 247278]

Creating an installation package in Kaspersky Security Center Web Console

In Kaspersky Security Center Web Console, you can create an installation package in one of the following ways:

From an archive file that you have prepared previously.
From a distribution kit hosted on Kaspersky servers.

If you plan to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments or want to configure additional application installation settings, you need to prepare the files to be included in the installation package and create a package from an archive.

If you plan to use Kaspersky Endpoint Security in standalone mode and do not need to configure additional installation settings, you can create an installation package from a distribution kit hosted on Kaspersky servers.

To prepare an archive for creating an installation package:

Download the kesl.zip archive from the application download page. It is located in the Kaspersky Endpoint Security for Linux (Additional distribution -> Files for Product remote installation).
Unpack the kesl.zip archive to a folder accessible to Kaspersky Security Center Administration Server. Place the distribution files, that correspond to the type of operating system where you want to install the application and the type of its package manager, to the same folder:
- To install Kaspersky Endpoint Security:
  - kesl-12.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
  - kesl_12.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
  - kesl-12.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
  - kesl_12.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)
  - kesl-12.0-<build number>.aarch64.rpm (for 64-bit operating systems with rpm for the Arm architecture)
  - kesl_12.0-<build number>_arm64.deb (for 64-bit operating systems with dpkg for the Arm architecture)
- to install the GUI:
  - kesl-gui-12.0-<build number>.i386.rpm (for 32-bit operating systems with rpm)
  - kesl-gui_12.0-<build number>_i386.deb (for 32-bit operating systems with dpkg)
  - kesl-gui-12.0-<build number>.x86_64.rpm (for 64-bit operating systems with rpm)
  - kesl-gui_12.0-<build number>_amd64.deb (for 64-bit operating systems with dpkg)
  - kesl-gui-12.0-<build number>.aarch64.rpm (for 64-bit operating systems with rpm for the Arm architecture)
  - kesl-gui_12.0-<build number>_arm64.deb (for 64-bit operating systems with dpkg for the Arm architecture)
  If you do not want to install a graphical user interface, do not use these files; this will make the installation package smaller.
  
  If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the graphical user interface is not supported.
If the graphical user interface will not be used, you need to set the USE_GUI=No parameter-value pair in the autoinstall.ini configuration file. Otherwise, the installation will fail.

If you want to use the created installation package to install the application on several types of operating systems or package managers, place the files for all the required types of operating systems and package managers in the folder.
If you plan to use Kaspersky Endpoint Security in standalone mode and want to use previously downloaded databases, place the prepared archives with databases for all required operating system types in the folder. Open the autoinstall.ini configuration file and specify UPDATE_EXECUTE=no. The autoinstall.ini file is located in the folder where you unpacked the kesl.zip archive.
If you are planning to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments or you want to specify the initial configuration parameters of the application, open the autoinstall.ini configuration file and make the necessary changes. The autoinstall.ini file is located in the folder where you unpacked the kesl.zip archive.
If you plan to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments, you need to set the KSVLA_MODE=yes setting in the autoinstall.ini configuration file.
Place all prepared files in an archive in ZIP, CAB, TAR, or TAR.GZ format with any name.

To create an installation package for Kaspersky Endpoint Security in Kaspersky Security Center Web Console:

In the main Web Console window, select one of the following sections:
- Device discovery and deployment → Deployment and assignment → Installation packages.
- Operations → Repositories → Installation packages.
A list of installation packages available on the Administration Server opens.
Click Add.
The wizard for creating an installation package will start. Follow the instructions of the Wizard.
On the first page of the wizard, select the method for creating an installation package:
- Create an installation package from a file. The installation package will be created from an archive that you have prepared in advance. You need to select this option if you plan to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments.
- Create an installation package for the Kaspersky application. The installation package will be created from a distribution package located on Kaspersky servers.
Kaspersky Security Center Cloud Console does not allow creation of installation packages from a file.
Depending on the selected package creation method:
- Specify the package name, click the Browse button, and specify the path to the archive that you have prepared for creating the installation package.
- Select Kaspersky Endpoint Security distribution package. In the window on the right, read the information about the distribution package and click the Download and create installation package button. The installation package creation process starts.
During creation of the installation package, accept the terms of the End User License Agreement and Privacy Policy. When prompted by the Wizard, read the License Agreement between you and Kaspersky and the Privacy Policy that describes the processing and transmission of data. To continue creating the installation package, you must confirm that you have read and accept the full terms of the End User License Agreement and the Privacy Policy.

The installation package will be created and added to the list of installation packages. Using the installation package, you can install the application on devices in the corporate network or update the application version.

In the installation package properties, you can also configure the application installation settings (see the table below) on the Settings tab.

An installation package for Kaspersky Endpoint Security cannot be configured in Kaspersky Security Center Web Console versions lower than 14.2. Use the autoinstall.ini configuration file to configure settings.

Installation package settings

Section	Description
Specify the locale.	Select this check box to specify the locale used during the application operation. The locale in the format specified by RFC 3066. If this setting is not specified, the default locale is used.
Activate the application	Select the check box to activate the application. You can also activate the application after installation. This setting applies only if the application is used in standalone mode.
Select the update source.	Specify the update source: Kaspersky update servers. Kaspersky Security Center. Other source in the local or global network. This setting applies only if the application is used in standalone mode.
Run the database update task after installation.	Select this check box to run the Update task after the application is installed. This setting applies only if the application is used in standalone mode.
Specify the proxy server settings.	Select this check box to specify the address of the proxy server used to connect to the Internet. This setting applies only if the application is used in standalone mode.
Install kernel source	Select this check box to automatically start of kernel module compilation.
Use the graphical user interface.	Select this check box to enable the use of the graphical user interface. This setting applies only if the application is used in standalone mode.
Specify a user with the admin role	Select the check box to specify the user to be assigned the administrator (admin) role.
Configure SELinux automatically	Select the check box to automatically configure SELinux to work with Kaspersky Endpoint Security.

Page top

[Topic 266691]

Preparing an archive with application databases in order to create an installation package with integrated databases

You can create an installation package for remote installation and include pre-downloaded application databases in it. This may be useful, for example, if you are installing the application on a device with the Astra Linux Special Edition operating system. If you are using an installation package with integrated databases, the application is installed with the databases already functional; in this case, you do not need to update the databases immediately after installation.

To create an archive with databases for installing the application:

Install and perform the initial configuration of Kaspersky Endpoint Security on the device using the command line or using Kaspersky Security Center.
Update the application databases. You can update the databases during the initial configuration of the application or after installation by running an Update task in the command line or an Update task in the Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console.
Copy the contents of the /var/opt/kaspersky/kesl/private/updates/ directory to one of the following subdirectories, depending on the architecture of the operating system for which you are creating the installation package with integrated databases: /i386/, /x86_64/, or /arm64/.
Place the directories with the databases into a kesl-bases.tgz archive, preserving the structure of nested directories. You can place only one subdirectory with databases for the required architecture of the operating system in the archive, or if you plan to create an installation package for installation on several operating systems with different architectures, you can place all the subdirectories with databases (/i386/, /x86_64/, or /arm64/) into a single archive for different architectures.
You can use the created archive with application databases when creating an installation package in the Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console.

Page top

[Topic 236945]

Autoinstall.ini configuration file settings

In the autoinstall.ini configuration file, you can specify the settings shown in the table below. The set of applicable settings depends on the application usage mode.

Autoinstall.ini configuration file settings

Setting	Description	Values
KSVLA_MODE	Kaspersky Endpoint Security usage mode.	`yes` - Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments (as part of Kaspersky Hybrid Cloud Security for Virtualization Light Agent). `no` (default value) – Kaspersky Endpoint Security is used in standalone mode.
SERVER_MODE	The role of the protected virtual machine (server or workstation). The setting is applied only if the application is used in Light Agent mode.	`yes` (default value) – the protected virtual machine is used as a server. `no` – the protected virtual machine is used as a workstation.
VDI_MODE	Enabling VDI protection mode to optimize application performance on temporary virtual machines. The setting is applied only if the application is used in Light Agent mode.	`yes` – enable VDI protection mode. This is recommended if you are installing Kaspersky Endpoint Security on a virtual machine template that will be used to create temporary virtual machines. `no` (default value) – do not enable VDI protection mode.
EULA_AGREED	Required setting. Acceptance of the terms of the End User License Agreement.	`yes` (default value) – accept the terms of the End User License Agreement to continue the application installation procedure. `no` – do not accept the End User License Agreement. The application installation will be terminated.
PRIVACY_POLICY_AGREED	Required setting. Acceptance of the terms of the Privacy Policy.	`yes` (default value) – accept the terms of the Privacy Policy to continue the application installation procedure. `no`: do not accept the Privacy Policy. The application installation will be terminated.
USE_KSN	Required setting. Enabling Kaspersky Security Network usage: To enable the use of KSN, the terms of the Kaspersky Security Network Statement must be accepted.	`yes` – accept the terms and conditions of the Kaspersky Security Network Statement and enable the use of KSN. `no` – (default value) do not accept the Kaspersky Security Network Statement. If Kaspersky Endpoint Security is used in standalone mode and you have enabled the use of KSN, the application's cloud mode is automatically enabled. In this mode, Kaspersky Endpoint Security uses a lightweight version of the malware databases.
GROUP_CLEAN	Required setting. Removing users from the kesladmin and keslaudit privileged groups.	`yes` - Remove users from the privileged groups. If the value is `yes` and there is no nogroup group, the installation will fail and you will be prompted to manually remove users from privileged groups. `no` - Do not remove users from the privileged groups.
LOCALE	Optional setting. The locale used for the application events sent to Kaspersky Security Center.	The locale in the format specified by RFC 3066. If the `Locale` setting is not specified, the operating system locale is used. If the application fails to determine the operating system localization language or the operating system localization is not supported, the default value will be used – `en_US.utf8`. The locale of the graphical interface and the application command line depends on the value of the `LANG` environment variable. If the locale that is not supported by Kaspersky Endpoint Security is specified as the value of the `LANG` environment variable, the graphical interface and the command line are displayed in English.
INSTALL_LICENSE	Activation code or key file. This setting applies only if the application is used in standalone mode.
UPDATER_SOURCE	Update source. This setting applies only if the application is used in standalone mode.	`SCServer` – use the Kaspersky Security Center Administration Server as the update source. `KLServers` – use Kaspersky servers as the update source. This value is used by default. Update source address
PROXY_SERVER	Address of the proxy server used to connect to the Internet. This setting applies only if the application is used in standalone mode.	Proxy server address
UPDATE_EXECUTE	Start application database update task during setup. This setting applies only if the application is used in standalone mode.	`yes` (default value) – start the update task. `no` – do not start update task.
KERNEL_SRCS_INSTALL	Automatic start of kernel module compilation.	`yes` (default value) — compile the kernel module. `no` – do not compile kernel module.
USE_GUI	Use of the graphical user interface. This setting applies only if the application is used in standalone mode.	`yes` – Enable use of the graphical user interface. `no` (default value) – Disable the use of the graphical user interface.
ADMIN_USER	A user assigned the administrator role (admin).	No
CONFIGURE_SELINUX	Automatic configuration of SELinux for working with Kaspersky Endpoint Security.	`yes` (default value) – automatically configure SELinux to work with Kaspersky Endpoint Security. `no` – do not automatically configure SELinux to work with Kaspersky Endpoint Security.
DISABLE_PROTECTION	Disable protection components and scan tasks after the application is installed. An installation with protection components disabled can be convenient, for example, in order to reproduce a problem in the operation of the application and create a trace file. If you enable the necessary components and tasks after installing the application with the `DISABLE_PROTECTION=yes` parameter, the enabled components and tasks will continue to work after the application is restarted.	`yes` - Disable protection components and scan tasks when the application is started after installation. `no` - Do not disable protection components and scan tasks when the application is started after installation.

If you want to change the settings in the autoinstall.ini configuration file, specify the values of settings in the following format: <setting_name>=<setting_value> (the application does not process spaces between the name of a setting and its value).

Page top

[Topic 202127]

Getting started using Kaspersky Security Center

After deploying Kaspersky Endpoint Security through Kaspersky Security Center, you must prepare the application for operation. The actions to be performed depend on the mode in which you plan to use Kaspersky Endpoint Security.

Standalone mode

If you plan to use Kaspersky Endpoint Security in standalone mode, after deploying the application, you need to do the following:

Activate the application. You can create and execute an activation task using the Administration Console or Kaspersky Security Center Web Console, as well as distribute the license key to the devices from the Kaspersky Security Center key storage.
Update application databases and modules using the Administration Console or Kaspersky Security Center Web Console. You can use the Update task, which is created automatically by the initial configuration wizard of Kaspersky Security Center after installing the MMC administration plug-in or the Kaspersky Endpoint Security web administration plug-in.
Kaspersky Endpoint Security protects the device only after the application databases are updated.
Configure a
policy
A policy determines the application settings and manages the access to configuration of an application installed on devices within an administration group. An individual policy must be created for each application. You can create an unlimited number of various policies for applications installed on the devices in each administration group, but only one policy can be applied to each application at a time within an administration group.

for centralized management of the application using Kaspersky Security Center Administration Console or Web Console. You can use a policy that is created automatically by the initial configuration wizard of Kaspersky Security Center after installing the administration MMC plug-in or the Kaspersky Endpoint Security administration web plug-in.
You can also configure the application management tasks using the Administration Console or the Web Console.

Light Agent mode

If you plan to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments, after deploying the application, perform the following actions:

Configure SVM detection settings for Light Agents. To do this, you need to create and configure a policy for centralized application management on client devices. You can use the Administration Console or the Web Console to work with policies.
You need to configure the following settings in the policy:
- Settings for connecting Light Agents to the Integration Server.
- Settings for connecting Light Agents to SVMs.
Make sure that a connection is established between Light Agents and the SVMs and the Integration Server.
You can obtain information about the connection by using Kaspersky Endpoint Security commands on the protected virtual machine:
- You can view information about connecting to SVMs using the kesl-control [-V] --svm-info command.
- You can view information about connecting to the Integration Server using the kesl-control [-V] --viis-info command.
Make sure that Kaspersky Endpoint Security used as a Light Agent receives information about the license under which Kaspersky Hybrid Cloud Security for Virtualization Light Agent is activated.
After activating the solution on SVMs and connecting Light Agents to the SVMs, the Protection Server component sends license information to Light Agents. Information about the license used by Kaspersky Endpoint Security as part of the solution can be viewed on the protected virtual machine using the kesl-control -L --query command.
Make sure that database updates required for Light Agent to operate are installed on the protected virtual machines.
Databases on protected virtual machines are updated using a special Update task, in which a folder on the SVM is specified as the update source. The update task starts automatically.

You can check how up-to-date the databases are on a protected virtual machine with Light Agent by using the kesl-control --app-info command.

You can also configure the application management tasks using the Administration Console or the Web Console.

Page top

[Topic 202128]

Activating the application using Kaspersky Security Center

If you plan to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments, you do not need to activate the application separately after installation. You activate Kaspersky Hybrid Cloud Security for Virtualization Light Agent on the Protection Server (a component of Kaspersky Hybrid Cloud Security for Virtualization Light Agent) by adding a license key to the SVM.

Activation is the process of activating a license that allows you to use a fully functional version of the application until the license expires. The application activation process involves adding a license key.

You can activate the application remotely using Kaspersky Security Center in the following ways:

Using the application activation task.
This method allows you to add a license key to a specific device or the devices included in an administration group. You can create and run an activation task using the Administration Console or Kaspersky Security Center Web Console.
By distributing a license key stored on Kaspersky Security Center Administration Server to the client devices.
This method lets you automatically add a key to the client devices that are already connected to Kaspersky Security Center, and to new client devices. To use this method, first add the key to the key storage on Kaspersky Security Center Administration Server.
By adding the key to the Kaspersky Endpoint Security installation package.
This method allows adding a key in the properties of the installation package when deploying Kaspersky Endpoint Security. The application will be activated automatically after installation.

You can use Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console to create the tasks for application activation, adding a key to the key storage, and distributing the key to the client devices.

Activation using Kaspersky Security Center Web Console

Before creating an activation task or a key distribution task, add the key to Kaspersky Security Center Administration Server key storage.

To add a key to Kaspersky Security Center key storage using the Web Console:

In the Web Console main window, select the Operations → Licensing → Kaspersky Licenses.
Click Add.
In the window that opens, select how to add the key to the repository:
- Enter the activation code to add a key using an activation code.
- Add a key file to add a key using a key file.
Depending on the key adding method you selected at the previous step, do one of the following:
- Enter the activation code and click Submit.
- Click the Select key file button and in the window that opens, select the file with the key extension.
Click Close.

The added key will appear in the list of keys.

To activate the application using the Web Console by means of the Add Key task:

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click Add.
The Task Wizard starts.
Configure the task settings:
1. In the Application drop-down list, select the application name: Kaspersky Endpoint Security.
2. In the Task type drop-down list, select Add Key.
3. In the Task name field, enter a brief description, such as Activation of Kaspersky Endpoint Security.
4. In the Select devices to which the task will be assigned section, select the task scope. Click Next.
Select devices according to the selected task scope option. Click Next.
The Kaspersky Security Center key storage window opens.
If you have previously added a key to Kaspersky Security Center key storage, select the key from in the list and click Next.
If the required key cannot be found in the key storage, click the Add key button.
1. In the window that opens, select how to add the key to the repository:
  - Enter the activation code to add a key using an activation code.
  - Add a key file to add a key using a key file.
2. Depending on the key adding method you selected at the previous step, do one of the following:
  - Enter the activation code and click Submit.
  - Click the Select key file button and in the window that opens, select the file with the key extension.
3. Read the information about the key and click Close.
4. The added key will appear in the list of keys. Select it from the list and click Next.
Read the information about the license and click Next.
Complete the wizard.
A new task will be displayed in the list of tasks.
Select the check box next to the task. Click the Start button.

In the properties of the Add Key task, you can add a reserve key to the device. The reserve key becomes active when the license associated with the active key expires or when the active key is deleted. Availability of a reserve key allows you to avoid application functionality limitation when your license expires.

To activate the application using the Web Console by distributing a key stored on Kaspersky Security Center Administration Server to the devices:

In the Web Console main window, select the Operations → Licensing → Kaspersky Licenses.
Open the key properties using the link with the name of the application for that the key is intended to.
On the General tab, select the Automatically distribute a license key to managed devices check box.
Click Save.

The license key is automatically distributed to the appropriate client devices. During the automatic distribution of a key as an active or a reserve key, the licensing limit on the number of devices (set in the key properties) is taken into account. If the licensing limit is reached, distribution of this key to the devices stops automatically. You can view the number of devices to which the key has been added and other information in the key properties on the Devices tab.

You can control license usage using Kaspersky Security Center Web Console in the following ways:

View the Key usage report for the organization infrastructure (Monitoring and reports → Reports).
View the statuses of the managed devices (Devices → Managed devices). If the application is not activated, the device will have the status and the Protection disabled status description.
View the key properties (Operations → Licensing → Kaspersky licenses).

Special considerations for the activation process in Kaspersky Security Center Cloud Console

A trial version is provided for the Kaspersky Security Center Cloud Console. The trial version is a special version of Kaspersky Security Center Cloud Console designed to familiarize a user with the features of the application. In this version, you can perform actions in a workspace for a period of 30 days. All managed applications, including Kaspersky Endpoint Security, are automatically activated under Kaspersky Security Center Cloud Console trial license. However, you cannot activate Kaspersky Endpoint Security using its own trial license when the trial license for the Kaspersky Security Center Cloud Console expires. For detailed information about Kaspersky Security Center Cloud Console, please refer to the Kaspersky Security Center Cloud Console documentation.

The trial version of Kaspersky Security Center Cloud Console does not allow you to subsequently switch to a commercial version. Any trial workspace will be automatically deleted with all its contents after the 30-day period expires.

Page top

[Topic 236566]

Running the application on Astra Linux in closed software environment mode

This section describes how to start the application in the Astra Linux Special Edition operating system.

For Astra Linux Special Edition (operational update 1.7) and Astra Linux Special Edition (operational update 1.6)

To start the application on the Astra Linux Special Edition (operational update 1.7) or Astra Linux Special Edition (operational update 1.6) operating system:

Specify the following setting in the /etc/digsig/digsig_initramfs.conf file:
DIGSIG_ELF_MODE=1
Install the compatibility package:
apt install astra-digsig-oldkeys
Create a directory for the application key:
mkdir -p /etc/digsig/keys/legacy/kaspersky/
Locate the application key (/opt/kaspersky/kesl/shared/kaspersky_astra_pub_key.gpg) in the directory created at the previous step:
cp kaspersky_astra_pub_key.gpg /etc/digsig/keys/legacy/kaspersky/
Update the initramfs image:
update-initramfs -u -k all

For Astra Linux Special Edition (operational update 1.5)

To run the application in the Astra Linux Special Edition (operational update 1.5) operating system:

Specify the following setting in the /etc/digsig/digsig_initramfs.conf file:
DIGSIG_LOAD_KEYS=1

DIGSIG_ENFORCE=1
Create a directory for the application key:
mkdir -p /etc/digsig/keys/legacy/kaspersky/
Locate the application key (/opt/kaspersky/kesl/shared/kaspersky_astra_pub_key.gpg) in the directory created at the previous step:
cp kaspersky_astra_pub_key.gpg /etc/digsig/keys/legacy/kaspersky/
Update the initramfs image:
sudo update-initramfs -u -k all

The application graphical user interface can be used during mandatory access control sessions.

Page top

[Topic 237162]

Configuring allowing rules in the SELinux system

Manually configuring SELinux for working with the application

If SELinux couldn't s be configured automatically during the initial configuration of the application, or if you declined automatic configuration, you can manually configure SELinux to work with Kaspersky Endpoint Security.

To configure SELinux to work with the application:

Switch SELinux to permissive mode:
- If SELinux has been activated, run the following command:
  # setenforce Permissive
- If SELinux was disabled, set the SELINUX=permissive setting in the configuration file / etc / selinux / config and restart the operating system.
Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python or policycoreutils-python-utils package, depending on the package manager.
If you use a custom SELinux policy rather than the default targeted policy, assign a label for the following Kaspersky Endpoint Security source executable files in accordance with the SELinux policy used:
- /var/opt/kaspersky/kesl/12.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/libexec/kesl
- /var/opt/kaspersky/kesl/12.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/bin/kesl-control
- /var/opt/kaspersky/kesl/12.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/libexec/kesl-gui
- /var/opt/kaspersky/kesl/12.0.<build number>_<installation timestamp>/opt/kaspersky/kesl/shared/kesl
Run the following tasks:
- File Threat Protection task:
  kesl-control --start-task 1
- Critical Areas Scan task:
  kesl-control --start-task 4 -W
It is recommended to run all the tasks that you plan to run while using Kaspersky Endpoint Security.
Start the graphical user interface if you plan to use it.
Ensure that there are no errors in the audit.log file:
grep kesl /var/log/audit/audit.log
If there are errors in the audit.log file, create and download a new rule module based on the blocking records in order to fix the errors, and then relaunch all the tasks that you plan to run while using Kaspersky Endpoint Security.
If new audit messages related to Kaspersky Endpoint Security appear, the file with the rule module file must be updated.
Switch SELinux to blocking mode:
# setenforce Enforcing

If you use a custom SELinux policy, manually assign a label to Kaspersky Endpoint Security source executable files after installing application updates (follow steps 1, 3–8).

You can find more information in the documentation for your operating system.

Configuring SELinux to run the "Start process" task

If SELinux is installed in your operating system in Enforcing mode, starting the Start process task requires additional configuration of SELinux.

To configure SELinux to run the "Start process" task

Switch SELinux to permissive mode:
- If SELinux has been activated, run the following command:
  # setenforce Permissive
- If SELinux was disabled, set the SELINUX=permissive setting in the configuration file / etc / selinux / config and restart the operating system.
Make sure the semanage utility is installed on the system. If the utility is not installed, install the policycoreutils-python or policycoreutils-python-utils package, depending on the package manager.
Start the "Start process" task.
Ensure that there are no errors in the audit.log file:
grep kesl /var/log/audit/audit.log
If errors are present in the audit.log file, create and load a new rules module based on blocking rules to fix the errors, then run the "Start process" task again.
Switch SELinux to blocking mode:
# setenforce Enforcing

Page top

[Topic 246380]

Updating the application from a previous version

Only Kaspersky Endpoint Security 11.4.0 for Linux can be updated to Kaspersky Endpoint Security 12.0 for Linux.

Upgrading earlier Kaspersky Endpoint Security versions to version 12.0 is not supported. If you have an earlier version of Kaspersky Endpoint Security installed, you need to first uninstall it and then install Kaspersky Endpoint Security 12.0 for Linux.

During an update of Kaspersky Endpoint Security, standalone mode is selected automatically. If you plan to use Kaspersky Endpoint Security 12.0 for Linux in Light Agent mode to protect virtual environments (as part of the Kaspersky Security for Virtualization Light Agent solution), you need to first uninstall the previous version of the application and then install Kaspersky Endpoint Security 12.0 for Linux.

You need to prepare to install before installing Kaspersky Endpoint Security.

You can update Kaspersky Endpoint Security 12.0 for Linux in one of the following ways:

Locally from the command line
Remotely using Kaspersky Security Center

During the update, the application settings and the application log are migrated to the new version of the application. If the transfer of application settings fails for any reason, the application is set to the default values.

If an error occurs while updating the application, the update is rolled back and the previous version of the application is started. In this case, an error message will be displayed, but the package manager (rpm/dpkg) will indicate the new version.

Even if Kaspersky Endpoint Security is launched before the update process start, if the update is completed successfully, a new application version is launched.

After updating the application, you need to run the Database Update task.

In this Help section

Updating the application using the command line

Updating the application using Kaspersky Security Center

Page top

[Topic 236426]

Updating the application using the command line

Follow the procedure below to update the previous version of the application to Kaspersky Endpoint Security 12.0 for Linux.

Application update consists of the following steps:

Start installation of the Kaspersky Endpoint Security 12.0 for Linux package appropriate for the package manager.
If you have a graphical user interface installed, then you also need to start the package containing the files of the graphical user interface.
Acceptance of the terms of the End User License Agreement.
If the terms of the End User License Agreement changed in the new version of the application, you need to accept the new terms of the End User License Agreement. Read the new version of the License Agreement located in the ~/.kesl/<application version>/ksn_license.<language ID> directory. If you do not accept the terms of the End User License Agreement, the application is not updated.
Acceptance of the terms of the Privacy Policy.
If the terms of the Privacy Policy changed in the new version of the application, you need to accept the new terms of the Privacy Policy. Read the new version of the Privacy Policy located in the ~/.kesl/<application version>/ksn_license.<language ID> directory. If you do not accept the terms of the Privacy Policy, the application is not updated.
Acceptance of the Kaspersky Security Network Statement.
If the terms of the Kaspersky Security Network Statement changed in the new version of the application, you need to accept or decline the new terms of use for participating in Kaspersky Security Network. Read the new version of the document located in the (~/.kesl/<application version>/ksn_license.<language ID>) directory. Refusal to participate in Kaspersky Security Network does not interrupt the Kaspersky Endpoint Security update process. You can enable, disable, or change Kaspersky Security Network mode later.

If you used KSN and accepted the conditions of the Kaspersky Security Network Statement in a previous version of the application, you need to accept the conditions of the Kaspersky Security Network Statement when updating the application. Otherwise, use of KSN is disabled.
Automatic application restart.

If the terms of the End User License Agreement, Privacy Policy, or Kaspersky Security Network Statement have changed in the new application version, the application update finishes with an error. In this case, you need to read the new version of the document and confirm that you have fully read and accepted its conditions. To do this, use the KESL_EULA_AGREED=yes, KESL_PRIVACY_POLICY_AGREED=yes and KESL_USE_KSN=yes/no environment variables.

To update the application:

Install the application package using the following command, depending on the package manager. If you have the graphical user interface of the previous version of the application installed, then you also need to start the package containing the files of the graphical user interface.
- for an RPM package.
  If you want to upgrade the GUI package of Kaspersky Endpoint Security version 11.4.0 to version 12.0, you must first uninstall the GUI package of version 11.4.0 using the command rpm -e --nodeps kesl-gui, and then install the GUI package of version 12.0.
  
  # [KESL_EULA_AGREED=yes] [KESL_PRIVACY_POLICY_AGREED=yes] [KESL_USE_KSN=yes/no] rpm -U --replacefiles --replacepkgs kesl-12.0-<build number>.<arch>.rpm [kesl-gui-12.0-<build number>.<arch>.rpm]
  
  where <arch> is the architecture type:
  - i386 – for 32-bit operating systems
  - x86_64 – for 64-bit operating systems
  - aarch64 – for 64-bit operating systems for the Arm architecture
- for a DEB package:
  # [KESL_EULA_AGREED=yes] [KESL_PRIVACY_POLICY_AGREED=yes] [KESL_USE_KSN=yes/no] apt-get install ./kesl_12.0-<build number>_<arch>.deb [./kesl-gui_12.0-<build number>_<arch>.deb]
  
  where <arch> is the architecture type:
  - i386 – for 32-bit operating systems
  - amd64 – for 64-bit operating systems
  - arm64 – for 64-bit operating systems for the Arm architecture
Kaspersky Endpoint Security will restart automatically.
Some operating systems may require a restart. The application will show a corresponding message, if necessary.

Changes to the application settings made after the update is complete and before the application restarts are not saved.

Page top

[Topic 247941]

Updating the application using Kaspersky Security Center

Follow the procedure below to use Kaspersky Security Center to update the previous version of the application to Kaspersky Endpoint Security 12.0 for Linux.

To update the application managed by the Kaspersky Security Center policy:

Update the Network Agent to the latest version (for details, refer to Kaspersky Security Center documentation).
If the Network Agent is not updated, the application cannot be managed using Kaspersky Security Center.

On a device running the Astra Linux Special Edition operating system, we recommend to update Network Agent remotely using Kaspersky Security Center, since updating using the command line in the Kaspersky Security Center administration console creates a new copy of the same managed device, and the old one becomes inaccessible.

The application continues working correctly during the Network Agent update.
Install Kaspersky Endpoint Security 12.0 for Linux using Kaspersky Security Center.
If you want to update the application, but do not want to enable the graphical user interface, specify the USE_GUI=No setting value in the autoinstall.ini configuration file.
Kaspersky Endpoint Security will restart automatically.
Some operating systems may require a restart. The application will show a corresponding message, if necessary.

Refer to the Kaspersky Security Center documentation for more details about this type of application update.

Page top

[Topic 197919]

Uninstalling the application

You can uninstall Kaspersky Endpoint Security locally or using Kaspersky Security Center by means of the Administration Console or Kaspersky Security Center Web Console.

While the application is being uninstalled, all Kaspersky Endpoint Security tasks are stopped.

You can perform the following actions when uninstalling the application:

Uninstall the application package and the graphical user interface package at the same time.
Uninstall only the application package if the graphical user interface package is not installed.
It is not possible to uninstall only the application package if the graphical user interface package is installed.
Remove only the graphical user interface package.

After uninstalling the application, all information saved by the application is deleted, except for the license database. Installed application certificates are also removed. The license database is saved, and you can use it to reinstall the application.

If the application was installed in a systemd, the systemd settings are restored to their initial state after the application uninstallation.

In this Help section

Uninstalling the application using the command line

Uninstalling the application using the Administration Console

Uninstalling the application using Kaspersky Security Center Web Console

Page top

[Topic 236428]

Uninstalling the application using the command line

The application automatically performs the uninstallation procedure. After the uninstallation procedure is completed, the application displays a message about the uninstallation results.

Uninstalling the application package and the graphical user interface package

To uninstall the application and the graphical user interface installed from the RPM packages, carry out the following command:

# rpm -e kesl kesl-gui

To uninstall the application and the graphical user interface installed from the DEB packages, carry out the following command:

# apt-get purge kesl kesl-gui

Uninstalling the application package without the graphical user interface package

To uninstall the application installed from the RPM package without removing the graphical user interface, carry out the following command:

# rpm -e kesl

To uninstall the application installed from the DEB package without removing the graphical user interface, carry out the following command:

# apt-get purge kesl

Removing the graphical user interface package

To remove the graphical user interface that was installed from the RPM package, execute the following command:

# rpm -e kesl-gui

To remove the graphical user interface that was installed from the DEB package, execute the following command:

# apt-get purge kesl-gui

Removing Network Agent

To uninstall the Network Agent installed on a 32-bit operating system from an RPM package, carry out the following command:

# rpm -e klnagent

To uninstall the Network Agent installed on a 64-bit operating system from an RPM package, carry out the following command:

# rpm -e klnagent64

To uninstall the Network Agent installed on a 32-bit operating system from a DEB package, carry out the following command:

# apt-get purge klnagent

To uninstall the Network Agent installed on a 64-bit operating system from a DEB package, carry out the following command:

# apt-get purge klnagent64

Page top

[Topic 206318]

Uninstalling the application using the Administration Console

You can uninstall Kaspersky Endpoint Security using Kaspersky Security Center Administration Console. To do this, create and run the uninstall application remotely task in Kaspersky Security Center.

If you want to remove only the graphical user interface without removing the application, specify the USE_GUI=No setting value in the autoinstall.ini configuration file and start the remote application installation task.

For more details about creating and running remote application installation and uninstall tasks, refer to the Kaspersky Security Center help file.

Page top

[Topic 202130]

Uninstalling the application using Kaspersky Security Center Web Console

You can uninstall the application remotely using the Kaspersky Security Center Web Console by means of the uninstall application remotely task. When performing the task, Kaspersky Endpoint Security downloads the application uninstallation utility to the user device. After completing the application uninstallation, the utility is automatically removed.

To uninstall the application:

In the main window of Web Console, select Devices → Tasks.
The list of tasks opens.
Click Add.
The Task Wizard starts.
Follow the Task wizard instructions.

Step 1. Configuring general task settings

At this step, configure the general settings of the task:

In the Application drop-down list, select Kaspersky Security Center <version number>.
In the Task type drop-down list, select Uninstall application remotely.
In the Task name field, enter a brief description, for example, Uninstall Kaspersky Endpoint Security from Technical Support devices.
In the Select devices to which the task will be assigned section, select the task scope.

Step 2. Selecting devices to uninstall the application

At this step, select the devices where to uninstall Kaspersky Endpoint Security according to the selected task scope.

Step 3. Configuring application uninstallation settings

At this step, configure the application uninstallation settings:

Select Uninstall managed application.
In the Application to be uninstalled drop-down list, select the Kaspersky Endpoint Security installation package.
In the Force download of the uninstallation utility section, select the utility delivery method:
- Using the Network Agent. If the Network Agent is not installed on the device, first the Network Agent is installed using the operating system tools. Then Kaspersky Endpoint Security is uninstalled by means of the Network Agent.
- Using operating system resources through Administration Server. The utility is delivered to the client devices by means of the operating system tools using the Administration Server. You can select this option if the Network Agent is not installed on the client device, but the client device belongs to the same network as the Administration Server.
- Using operating system resources through distribution points. The utility is delivered to the client devices using the operating system tools via the distribution points. You can select this option if there is at least one distribution point in the network. For more details about distribution points, refer to Kaspersky Security Center documentation.
In the Maximum number of concurrent downloads field, set a limit on the number of requests sent to the Administration Server to download the application uninstallation utility. A limit on the number of requests will help prevent the network from being overload.
In the Maximum number of uninstallation attempts field, set a limit on the number of attempts to uninstall the application. If the application uninstallation finishes with an error, the task automatically starts the uninstallation again.
If necessary, clear the Verify operating system type before downloading check box. It allows you to avoid downloading the uninstallation utility if the operating system of the client device does not meet the software requirements. If you are sure that the device operating system meets the software requirements, you can skip the verification.

Step 4. Selecting the application action when the operating system restart is required

At this step, you can select the action to be performed by the application if uninstallation requires the operating system restart.

Step 5. Selecting an account for accessing the client devices

At this step, select the account used for uninstalling the application using the tools of the operating system. In this case, administrator rights are required for accessing the client device. You can add multiple accounts. If an account does not have sufficient rights, the Installation Wizard uses the next account. If you uninstall Kaspersky Endpoint Security by means of the Network Agent, you do not have to select an account.

Step 6. Completing task creation

Complete the wizard. A new task will be displayed in the list of tasks.

To run a task, select the check box next to the task and click the Start button. The application will be uninstalled in silent mode. After the application uninstallation finishes, you will be prompted to restart the client device.

Page top

[Topic 69238]

Application licensing

This section provides Kaspersky Endpoint Security license information.

In this Help section

About the End User License Agreement

About the license

About the license certificate

About the license key

About the activation code

About the key file

About subscription

Comparison of application features across different licenses

Page top

[Topic 197923]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the application.

Read through the terms of the License Agreement carefully before you start using the application.

You can view the terms of the License Agreement:

During Kaspersky Endpoint Security installation.
By reading the text in the license.<language ID> file. This file is included in the application distribution kit.

By confirming that you accept the End User License Agreement during post-installation configuration of the application, you accept the terms and conditions of the End User License Agreement. If you do not accept the terms of the End User License Agreement, do not use the application.

Page top

[Topic 69240]

About the license

A license is a time-limited right to use Kaspersky Endpoint Security, granted under the End User License Agreement.

The list of available functions and the validity period of the application depend on the license under which the application is used.

The following license types are provided:

Trial – a free license intended for trying out the application.
Trial licenses have a short validity period. When the trial license expires, all Kaspersky Endpoint Security features become disabled. To continue using the application, you need to purchase a commercial license.

You can use the application under a trial license for only one trial period.
Commercial is a paid license.
The main functions of the application stop working when a commercial license expires. To continue using Kaspersky Endpoint Security, you need to renew the commercial license. After the license expires, you can no longer use the application and must uninstall it from the device.

It is recommended to renew the license before its expiration date to ensure continued protection of your device against security threats.

Page top

[Topic 73976]

About the license certificate

The License Certificate is a document provided together with the key file or activation code.

A license certificate contains the following information about the license provided:

License key or order number
Information about the license user
Information about the application that can be activated under the provided license
Restrictions on the number of licensing units (for example, devices on which the application can be used under the license)
License validity start date
License expiration date or validity period
License type

Page top

[Topic 209867]

About the license key

The license key is a sequence of bits that can be used to activate the application for further usage in accordance with the terms of the End User License Agreement. License key is generated by Kaspersky experts.

You can add a license key to the application using one of the following methods: by applying a key file or by entering an activation code. After you add a key to the application, the license key is displayed in the application interface as a unique alphanumeric sequence.

The license key may be blocked by Kaspersky, if the terms of the End User License Agreement are violated. If the license key is blocked, add another license key for proper application operation.

A license key may be active or reserve.

Active license key is currently used to run the application. A license key for a trial or commercial license can be added as the active key. The application cannot have more than one active license key.

Reserve license key is a license key that entitles the user to use the application, but is not currently in use. The reserve license key automatically becomes active when the license associated with the current active license key expires. A reserve license key can be added only if an active license key is already added.

A trial license key can only be added as an active license key. A trial license key cannot be added as a reserve license key.

Page top

[Topic 69430]

About the activation code

An activation code is a unique sequence of twenty Latin letters and numbers. You have to enter an activation code in order to add a license key for activating Kaspersky Endpoint Security. You receive the activation code at the email address that you provided when you bought Kaspersky Endpoint Security or requested the trial version of Kaspersky Endpoint Security.

To activate the application with an activation code, you need Internet access in order to connect to Kaspersky activation servers.

If you lost your activation code after activating the application, contact the Kaspersky partner from whom you purchased the license.

Page top

[Topic 69431]

About the key file

A key file is a file with the .key extension that you receive from Kaspersky. Key files are intended to add a license key for activating the application.

You receive a key file at the email address that you provided when you bought Kaspersky Endpoint Security or ordered the trial version of Kaspersky Endpoint Security.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can restore a key file if it has been accidentally deleted. You may need a key file to register a Kaspersky CompanyAccount, for example.

To restore your key file, perform any of the following actions:

Contact the license seller.
Get the key file on the Kaspersky website when you have an activation code.

Page top

[Topic 201930]

About subscription

Subscription for Kaspersky Endpoint Security is a purchase order for the application with specific settings (subscription expiry date, number of devices protected). You can order a subscription for Kaspersky Endpoint Security from your service provider (such as your internet service provider). You can renew or cancel your subscription. You can manage your subscription on the website of the service provider.

Subscription can be limited (for one year, for example) or unlimited (without an expiry date). To continue using the application after the limited subscription expires, you need to renew your subscription. Unlimited subscription is renewed automatically if the vendor's services have been prepaid on time.

Upon a limited subscription's expiry, you may be offered a grace period to renew the subscription. During this period the application retains its functionality. The service provider decides whether or not to grant a grace period and, if so, determines the duration of the grace period.

The set of options for managing your subscription may vary depending on your service provider. The service provider might not provide a grace period for renewing the subscription where the application retains its functionality.

To use Kaspersky Endpoint Security under a subscription, you need to use the activation code received from the service provider. After you apply the activation code, an active key corresponding to the license to use the application under subscription is added to the application. A reserve key can only be added when you use an activation code and cannot be added for a key file or subscription.

Activation codes purchased under subscription may not be used to activate previous versions of Kaspersky Endpoint Security.

Page top

[Topic 256558]

Comparison of application features across different licenses

The set of application functions available in Kaspersky Endpoint Security depends on the license (see the table below).

Application feature comparison is based on solutions based on Intel architecture processors. For information on licenses and available functionality for solutions based on Arm architecture, please contact your service provider in your region.

Comparison of application functions

Feature	Kaspersky Endpoint Security for Business Select	Kaspersky Endpoint Security for Business Advanced	Kaspersky Endpoint Security for Business Total	Kaspersky Hybrid Cloud Security (Desktop)	Kaspersky Security for Virtualization (Desktop)	Kaspersky Security for Virtualization (Core, Server)	Kaspersky Hybrid Cloud Security (Core, CPU, Server)
File Threat Protection
Web Threat Protection
Network Threat Protection
Firewall Management
Behavior Detection
Device Control
Removable Drives Scan
Anti-Cryptor (for shared folders)				–	–
Container Scan	–	–	–	–	–	–	–
System Integrity Monitoring	–	–	–	–	–	–	–
Application Control	–					–	–

Page top

[Topic 250618]

Data provision

This section describes the information that Kaspersky Endpoint Security may store on the device and automatically send to Kaspersky during its operation.

Kaspersky protects any information thus received in accordance with law and the applicable rules of Kaspersky. Data is transmitted over encrypted channels.

For more detailed information about the processing, storage, and destruction of information obtained during the use of the application and transmitted to Kaspersky, please read the End User License Agreement, the KSN Statement, and refer to the Privacy Policy on the Kaspersky website. The license.<language ID> and ksn_license.<language ID> files containing the End User License Agreement and Kaspersky Security Network Statement are included in the application distribution package.

In this Help section

Data provided when using an activation code

Data provided when downloading updates from Kaspersky update servers

Data transferred when using the application in Light Agent mode

Data sent to Kaspersky Security Center

Data provided when following links in the application interface

Data provided when using Kaspersky Security Network

Data provided when using Kaspersky Anti Targeted Attack Platform

Page top

[Topic 250619]

Data provided when using an activation code

If Kaspersky Endpoint Security is used in standalone mode and is activated using an activation code, in order to verify if the application is being used legally and to obtain statistical information on the distribution and use of the application, you agree to provide the following information automatically:

ID of a regional activation center
List of agreements presented to the user by the application
Data compression type
Operating system family
Checksum type for the object being processed
Type of the license used to activate the application
Application ID derived from the license
Full version of the application
Unique device ID
Application ID
Application license expiration date and time
Application license ID
Application license key creation date and time
Current status of the application license key
Application license header
ID of the information model used to provide the application license
Set of IDs of the applications that can be activated on the user device
Type of application license used
Application locale
Application installation ID (PCID)
Application rebranding ID
Size of the content of the request to Kaspersky infrastructure
Format of the data in the request to Kaspersky infrastructure
Type of legal agreement accepted by the user while using the application
Version of the legal agreement accepted by the user while using the application
Protocol ID
Accessed IPv4 address of the web service

Page top

[Topic 250625]

Data provided when downloading updates from Kaspersky update servers

If Kaspersky Endpoint Security is used in standalone mode and you use Kaspersky update servers to download updates, in order to increase efficiency of the update procedure and to obtain statistical information on the distribution and use of the application, you agree to automatically provide the following information:

Application ID derived from the license
Full version of the application
Application license ID
Type of application license used
Application installation ID (PCID)
ID of the application update start
Web address being processed

Page top

[Topic 266696]

Data transferred when using the application in Light Agent mode

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments as part of Kaspersky Security for Virtualization Light Agent, the application saves the following information, which may contain personal and confidential data, and sends it to other solution components during operation of the application.

To carry out the activation process, Kaspersky Endpoint Security sends the following data to the Protection Server: OS type of the protected virtual machine, ticket validity period; ticket request time (in UTC format); identifier (BIOS ID) of the protected virtual machine.
To update the Light Agent databases, Kaspersky Endpoint Security sends the following data to the Protection Server: software identifier obtained from the license; full version of the software; software license identifier; software installation identifier (PCID); processed web address; type of the license; identifier of the update start.
To provide protection, Kaspersky Endpoint Security sends the Protection Server the information that is necessary for scanning objects while scan tasks are running. The transmitted information may include the names of files and paths to them in the file system, the checksums of files, web addresses, and the scanned objects or their fragments.
In an infrastructure managed by a VMware vCenter Server and VMware NSX Manager, Kaspersky Endpoint Security may send the Integration Server information about security tags that are assigned to a protected virtual machine upon detection of viruses, malware, or activity that is typical of network attacks. The IDs of protected virtual machines are also sent.
To get information that is used when selecting an SVM for connection, Kaspersky Endpoint Security sends the identifier of the protected virtual machine to the Integration Server and Protection Server.
When using the Kaspersky Security for Virtualization Light Agent solution in multitenancy mode, the information necessary for generating tenant protection reports may be sent to SVMs from the Kaspersky Endpoint Security Protection Server. The following data may be sent: identifier of the protected virtual machine; type and version of the guest operating system installed on the protected virtual machine; time intervals when Kaspersky Endpoint Security was connected to SVMs.
To obtain statistics, Kaspersky Endpoint Security sends the following information to the Protection Server: information about the OS version of the protected virtual machine; localization of Kaspersky Endpoint Security; names of active Kaspersky Endpoint Security components; identifier (BIOS ID) of the protected virtual machine.

The specified information is transmitted over encrypted data channels (except for the information necessary for scanning objects, and the information that is used when selecting SVMs). The connection between Kaspersky Endpoint Security and the Protection Servers is not encrypted by default. You can enable encryption of the data channel between the Light Agents and the Protection Servers in the Kaspersky Endpoint Security settings.

Page top

[Topic 250629]

Data sent to Kaspersky Security Center

During operation, Kaspersky Endpoint Security saves and submits to Kaspersky Security Center the following information, which may contain personal and confidential data:

Information about the databases used by the application:
- List of the database categories required by the application
- Date and time when the databases were released and loaded into the application
- Date when the downloaded application database updates were released
- Time of the last application database update
- Number of records in the currently used application databases
Application license information:
- License serial number and type
- License validity period in days
- Number of devices covered by the license
- Start and end dates of license term
- License key status
- Date and time of the last successful synchronization with activation servers if the application was activated using an activation code
- Identifier of the application for which the license is intended
- Functionality available under the license
- Name of the organization for which the license is provided
- Additional information if the application is used under subscription (subscription flag, subscription expiration date and the number of days available for renewing the subscription, subscription provider web address, current subscription status and the reason for this status), date and time when the application was activated on the device
- Expiration date and time of the application license on the device
Information about the application updates:
- List of updates to be installed or removed
- Update release date and the sign of the Critical status
- Name, version, and short description of the update
- Link to the detailed description of the update
- Identifier and text of the End User License Agreement and the Privacy Policy for the application updates
- Identifier and text of Kaspersky Security Network Statement for the application updates
- Indicator showing if the update can be removed
- Versions of the application policy and administration plug-in
- Web address for downloading the application administration plug-in
- Names, version, and installation dates of the installed application updates
- Error code and description if the update installation or removal completed with an error
- Sign and reason for the device or application restart necessity because of the application update
User agreement or disagreement with the terms and conditions of Kaspersky Security Network Statement, End User License Agreement and Privacy Policy
List of tags assigned to the device
List of device statuses and reasons they are assigned.
General application status and the status of all its components; policy compliance information, real-time protection status of the device.
Date and time of the last device scan; number of scanned objects; number of detected malicious objects; number of blocked, deleted and disinfected objects; number of objects that cannot be disinfected; number of scan errors; number of detected network attacks
Data on the currently applied values of the application settings
The current status and execution results of the group and local tasks and the values of their settings
Information about external devices connected to the client device (ID, name, class, manufacturer, description, serial number, VID/PID)
Information about backup copies of files in the Backup storage (name, path, size and type of the object, description of the object, name of the detected threat, version of the application database which is used to detect the threat, date and time when the object was moved to the Backup storage), actions on the objects in the Backup storage (removed, restored), and the files by administrator request.
Information about the operation of each application component and about the execution of each task represented as events:
- Date and time of event
- Name and type of event
- Event severity level
- Name of the task or the application component running when the event occurred
- Information about the application that triggered the event: application name, path to the file on the disk, process identifier, setting values (if the application launch or settings modification event is triggered)
- User ID
- Name of the initiator (task scheduler, application, Kaspersky Security Center, or a user) whose actions triggered the event
- Name and identifier of the user who initiated access to the file
- Object or action processing result (description, type, name, threat level and accuracy, file name and type of operation on the device, application decision on the operation)
- Information about the object (object name and type, path to the object on the disk, object version, size, information about the performed action, event trigger description, description of the reason for not processing and skipping the object)
- Device information (manufacturer name, device name, path, device type, bus type, identifier, VID/PID, system device flag, name of the device access rule schedule)
- Information about blocking and unblocking the device; information about blocked connections (name, description, device name, protocol, remote address and port, local address and port, packet rules, actions)
- Information about requested web address
- Information about detected objects
- Detection type and method
- Information about the performed action
- Information about the application databases (date when the downloaded database updates are released, information on the database usage, database usage errors, information on canceling the installed database updates)
- Information about encryption detection (ransomware name; name of the device where encryption was detected; information about blocking and unblocking the device)
- Application settings and network settings
- Information about the triggered Application Control rule (name and type) and the result of its application
- Information about containers and container images (names of containers or container images, paths to containers or container images, repository URL)
- Information about active and blocked connections (name, description, and type)
- Information about blocking and unblocking access to untrusted devices
- Information about the use of KSN (KSN connection status, KSN infrastructure, identifier of the KSN Statement in extended mode, acceptance of the KSN Statement in extended mode, identifier of the KSN Statement, acceptance of the KSN Statement)
- Information about certificates (domain name, subject name, issuer name, expiration date, certificate status, certificate type, date certificate was added, issue date, serial number, SHA256 thumbprint)
- Information about external systems that are part of corporate software solutions (integration server address)
- Information about enabling and disabling network isolation for the device
- Information about working in Light Agent mode: name of the virtual machine template, address of the Integration Server
- name of the device for which network isolation is enabled or disabled
Information about operation of the system integrity scan task (name, type, path) and information about the system baseline
Information about network activity, packet rules, and network attacks
User role information:
- Name and identifier of the user who initiated changing the user role
- User role
- Name of the user who has been assigned or revoked the role
Information about executable files detected on the client device (name, path, type, and hash of the file; list of categories to which the application belongs; trust group to which the application belongs; time of the first file launch; name and version of the application; name of the application vendor; information about the certificate used to sign the application: serial number, thumbprint, issuer, subject, release date, expiration date, and public key; HIPS group name, KSN group name).

Page top

[Topic 250630]

Data provided when following links in the application interface

When clicking the links in Kaspersky Endpoint Security interface, you agree to automatically provide the following information to Kaspersky:

Full version of the application
Application locale
Application ID (PID)
Link name

Page top

[Topic 250631]

Data provided when using Kaspersky Security Network

If you use Kaspersky Security Network in extended mode, you agree to automatically provide Kaspersky with all the data listed in the Kaspersky Security Network Statement. Additionally, files (or parts of files) that intruders may use to harm the device and the data stored in its operating system may be sent to Kaspersky for scanning.

The ksn_license.<language ID> file with the text of the Kaspersky Security Network Statement is included in the application distribution kit.

Page top

[Topic 250632]

Data provided when using Kaspersky Anti Targeted Attack Platform

When integrating Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response (KATA), a component of the Kaspersky Anti Targeted Attack Platform solution, Kaspersky Endpoint Security stores and send to Kaspersky Security Center the following information, which may contain personal and confidential data:

Service data:
- KATA server addresses
- Public key of the certificate of the server for integrating with Kaspersky Endpoint Detection and Response (KATA)
- Cryptocontainer with the client certificate for integrating with Kaspersky Endpoint Detection and Response (KATA)
- Credentials for authenticating on the proxy server
- Settings for the frequency of synchronization with the KATA server and settings for sending data to the KATA server
- Status of the connection with the KATA server and information about client certificate and server certificate errors

When integrating Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response (KATA), Kaspersky Endpoint Security stores the following information and may send it to the KATA server:

Information for synchronization requests to the EDR (KATA) component:
- Unique identifier
- Base part of the server address
- Device name
- IP address of the device
- MAC address of the device
- Local time on the device
- Name and version of the operating system installed on the device
- Version of Kaspersky Endpoint Security
- Version of the application settings and task settings
- Task status (task identifiers, statuses, error codes)
Information from requests to the EDR (KATA) component in task execution reports:
- IP address of the device
- Task execution errors and return codes
- Task completion statuses
- Task completion time
- Versions of task settings used
- Information about processes started or stopped on the device at the server's request: PID and UniquePID, error code, MD5 and SHA256 checksums of objects
- Files requested by the server
- Telemetry packets
- Information about running processes:
  - executable file name, including the full path and extension
  - process launch settings
  - process identifier
  - system logon session code
  - system logon session name
  - process launch date and time
  - MD5 and SHA256 checksums of the object
- Information about files:
  - File path
  - File name
  - File size
  - File attributes
  - Date and time of file creation
  - Date and time of last file modification
  - MD5 and SHA256 checksums of the object
- Information about errors that occur while getting information about objects:
  - Full name of the object being processed when the error occurred
  - Error code
Information from requests from the KATA server to the built-in agent of Kaspersky Endpoint Security (task settings):
- Task types
- Task start schedule settings
- Names and passwords of accounts used to start tasks
- Versions of settings
- Paths to objects
- MD5 and SHA256 checksums of objects
- Command line (including arguments) used to start the process
- Description of services
- Type of service start
Parameters of the responses sent by the KATA server to the built-in agent of Kaspersky Endpoint Security:
- Get File task:
  - Full path to the file or directory
  - Hashing algorithm Possible values: MD5 and/or SHA256
  - Checksums (MD5 and SHA256) of the file
- Delete File task:
  - confirmation of deletion, or an error that occurred.
- Run Process task:
  - Full path to the executable file used to start the process
  - Command line of the process
  - Full path to the working directory of the process
- Terminate Process task:
  - Unique PID of the process.
  - System PID of the process.
  - Process termination error code (0 if the process terminated successfully).
- IOC Scan task:
  - Scan results (whether each indicator was detected, objects found, and information about which branch of the indicator was detected).
  For the objects in which indicators were detected, different values are returned depending on their type:
  - ArpEntry: IP address from the ARP table (including ipv6), physical address from the ARP table.
  - File: MD5 hash of the file, SHA256 hash of the file, full file name (including path), file size.
  - Port: remote IP address and port used to established a connection during scan; IP address and port of the local adapter; protocol type (TCP, UDP, IP, RAWIP).
  - Process: process name; process arguments; path to the process file; system PID of the process; system PID of the parent process; name of the user that the process is running as; date and time the process started.
  - SystemInfo: OS name; OS version; network name of a computer without a domain; domain or workgroup.
  - User: user name.
Network isolation: whether network isolation is enforced.

Page top

[Topic 201932]

Managing the application using the command line

You can manage Kaspersky Endpoint Security using the command line. All actions are available from the command line, including task management and configuring application settings.

In this Help section

Starting and stopping the application

Displaying Help on the commands

Enabling automatic addition of kesl-control commands (bash completion)

Enabling the display of events

Viewing information about the application

Description of the application commands

Using filters to limit query results

Exporting and importing application settings

Setting the application memory usage limit

User roles

General application settings

Managing application tasks using the command line

Encrypted connections scan

Page top

[Topic 197929]

Starting and stopping the application

By default, Kaspersky Endpoint Security starts automatically when the operating system is booted (at the default level of execution for each operating system). The application starts all service tasks as well as user tasks with starting mode set to PS in the schedule settings.

If you stop the application, all running tasks will be interrupted. After restarting the application, paused user tasks are not resumed automatically. Only user tasks with starting mode set to PS in the schedule settings are restarted.

To run the application, the root account must be the owner of the following directories and only the owner must have write access to them: /var, /var/opt, /var/opt/kaspersky, /var/log/kaspersky, /opt, /opt/kaspersky, /usr/bin, /usr/lib, /usr/lib64.

Starting, restarting, and stopping Kaspersky Endpoint Security

To start the application in systemd, execute the following command:

systemctl start kesl

To stop the application in systemd, execute the following command:

systemctl stop kesl

To restart the application in systemd, execute the following command:

systemctl restart kesl

To start the application in the system without systemd, execute the following command:

/etc/init.d/kesl start

To stop the application in the system without systemd, execute the following command:

/etc/init.d/kesl stop

To restart the application in the system without systemd, execute the following command:

/etc/init.d/kesl restart

Monitoring the status of Kaspersky Endpoint Security

The Kaspersky Endpoint Security status is monitored by the watchdog service. The watchdog service is automatically launched when the application starts.

In the event of an application crash, a dump file is generated and the application is restarted automatically.

To display the application status in systemd, execute the following command:

systemctl status kesl

To display the application status in the system without systemd, execute the following command:

/etc/init.d/kesl status

Page top

[Topic 245711]

Displaying Help on the commands

The kesl-control --help <set of application commands> command displays help for the application commands.

Command syntax

kesl-control --help [<set of application commands>]

Available values:

-T – Commands for managing tasks and general application settings.

-C – Commands for managing general container scan settings.

-N – Commands for managing encrypted connections scan settings.

-L – Commands for managing license keys and integration of Kaspersky Endpoint Security with Kaspersky Managed Detection and Response.

-E – Commands for managing application events.

-B – Commands for managing the Storage Management task.

-F – Commands for managing the Firewall Management task.

-H – Commands for managing the Anti-Cryptor task.

-D – Commands for managing the Device Control task.

-A – Commands for managing the Application Control task.

-U – Commands for managing users and user roles.

-S – Statistical commands.

-W – Display events.

-R – command to manage the settings of Kaspersky Endpoint Security integration with Kaspersky Endpoint Detection and Response (KATA).

-V – application commands in Light Agent mode to protect virtual environments.

Page top

[Topic 238601]

Enabling automatic addition of kesl-control commands (bash completion)

Automatic addition of kesl-control commands can be disabled for the bash shell.

To enable automatic addition of kesl-control commands in the current bash shell session, run the following command:

source /opt/kaspersky/kesl/shared/bash_completion.sh

To enable automatic addition for all new bash shell sessions, run the following command:

echo "source /opt/kaspersky/kesl/shared/bash_completion.sh" >> ~.bashrc

Page top

[Topic 197937]

Enabling the display of events

The kesl-control -W command enables display of the current application events. The command returns the name of the event and additional information about the event.

You can use this command either separately to display all current application events or together with the kesl-control --start-task command to display only events related to the running task.

You can also use the kesl-control -W command with the --query flag to specify filter conditions to display specific events.

Command syntax

kesl-control -W

Examples:

Enable the display of current application events:

kesl-control -W

Enable display of the current events of the task with ID=1:

kesl-control --start-task 1 -W

Enable display of the current events of the TaskStateChanged type:

kesl-control -W --query "EventType == 'TaskStateChanged'"

Page top

[Topic 246692]

Viewing information about the application

The kesl-control --app-info command displays information about the application.

Command syntax

kesl-control [-S] --app-info [--json]

Result of command execution:

Name. Application names.
Version. Current application version.
Policy. Indicates whether the Kaspersky Security Center policy is applied.
License information. License information or license key status.
Subscription status. Subscription status. This field is displayed if the application is started under a subscription.
License expiration date. Date and time when the license expires, in UTC.
MDR BLOB file status. Status of the BLOB configuration file for integration with Managed Detection and Response.
Kaspersky Managed Detection and Response license expiration date. Date and time when the Kaspersky Managed Detection and Response license expires, in UTC.
Storage state. Storage status.
Storage space usage. Storage size.
Last run date of the Scan_My_Computer task. Time of the last Malware Scan task.
Last release date of databases. Date and time the application databases were last released.
Application databases. Displays whether the application databases have been downloaded.
Using Kaspersky Security Network. Information about using Kaspersky Security Network: Extended KSN mode, Basic KSN mode or Disabled.
Kaspersky Security Network infrastructure. Information about the infrastructure solution used to work with Kaspersky reputation databases: Kaspersky Security Network or Kaspersky Private Security Network.
Managed Detection and Response state. Managed Detection and Response state: active, inactive.
File Threat Protection. Status of the File Threat Protection task.
Container monitoring. Displays information about container scan settings.
System Integrity Monitoring. Status of the System Integrity Monitoring task.
Firewall Management. Status of the Firewall Management task.
Anti-Cryptor. Status of the Anti-Cryptor task.
Web Threat Protection. Status of the Web Threat Protection task.
Device Control. Status of the Device Control task.
Removable Drives Scan. Status of the Removable Drives Scan task.
Network Threat Protection. Status of the Network Threat Protection task.
Behavior Detection. Status of the Behavior Detection task.
Application Control. Status of the Application Control task.
Integration with Endpoint Detection and Response (KATA). Status of Kaspersky Endpoint Detection and Response (KATA) Integration task.
Application update status. Displays application update actions and the actions to be performed by the user.
Unstable application operation. Information about application failure and dump file creation is displayed. This field is displayed if a failure occurred the last time the application was launched.

Page top

[Topic 245716]

Description of the application commands

Displaying Help on application commands

--help – displays Help on application commands.

Displaying application events

-W – enables the display of application events.

Statistics commands

-S is a prefix indicating that the command belongs to the statistics command group.

[-S] --app-info – displays information about the application.

[-S] --omsinfo --file <file name and path> – creates a JSON file for integration with Microsoft Operations Management Suite.

Commands for managing application tasks and settings

-T is a prefix indicating that the command belongs to the group of commands for managing application settings and tasks.

[-T] --get-app-settings --file <file name and path> – displays the general application settings.

[-T] --set-app-settings --file <file name and path> – sets the general application settings.

[-T] --set-app-settings <setting>=<setting value> – sets the value for the specified general application setting.

[-T] --export-settings --file <full path to the configuration file> – exports the application settings to the configuration file.

[-T] --import-settings --file <full path to the configuration file> – imports the application settings from the configuration file.

[-T] --update-application – updates the application.

[-T] --get-task-list – displays a list of existing application tasks.

[-T] --get-task-state <task ID>|<task name> – displays the status of the specified task.

[-T] --create-task <task name> --type <task type> --file <file name and path> – creates a task of the specified type and imports the settings from the specified configuration file into the task.

[-T] --delete-task <task ID>|<task name> – deletes the task.

[-T] --start-task <task ID>|<task name> [-W] [--progress] – starts the task.

[-T] --stop-task <task ID>|<task name> – stops the task.

[-T] --suspend-task <task ID>|<task name> – pauses the task. The Update task cannot be paused.

[-T] --resume-task <task ID>|<task name> – resumes the task. The Update task cannot be resumed.

[-T] --scan-file <path to file or directory> [--action <action>] – creates and runs a temporary Custom Scan task (Scan_File), which is assigned a new identifier. The [ScanScope.item_#] and [ExcludedFromScanScope.item_#] sections in the settings of this task are not inherited from the original task with ID=3. If the --action <action> option is not specified, the Recommended action is performed. After the scan is complete, the temporary task is automatically deleted.

[-T] --scan-container <container|image[:tag]> – creates a temporary Custom Container Scan task (Custom_Container_Scan). After the scan is complete, the temporary task is automatically deleted.

[-T] --get-settings <task ID>|<task name> --file <file name and directory> – displays the task settings.

[-T] --set-settings <task ID>|<task name> [<parameters>] [--file <file name and directory>] [--add-path <path>] [--del-path <path>] [--add-exclusion <exclusion>] [--del-exclusion <exclusion>] – sets the task settings.

[-T] --set-settings [<task ID>|<task name>] --set-to-default – restores the task settings to their default values.

[-T] --set-schedule <task ID>|<task name> --file <file name and path> – sets the task schedule settings or imports them into the task from the configuration file.

[-T] --get-schedule <task ID>|<task name> --file <file name and path> – displays the task schedule settings or saves them to the configuration file.

Commands for managing container scan settings

-C is a prefix indicating that the command belongs to the group of commands for managing container scan settings.

[-C] --get-container-settings --file <file name and path> – displays the general container scan settings.

[-C] --set-container-settings --file <file name and path> – sets the general container scan settings.

Commands for managing encrypted connections scan settings

-N is a prefix indicating that the command belongs to the group of commands for managing encrypted connections scan settings.

-N --query user – displays a list of encrypted connections scan exclusions added by the user.

-N --query auto – displays a list of encrypted connections scan exclusions added by the application.

-N --query kl – displays a list of encrypted connections scan exclusions received from Kaspersky databases.

-N --clear-web-auto-excluded – clears the list of domains that the application automatically excluded from encrypted connections scan.

[-N] {--get-net-settings} [--file <file name and path>] – saves encrypted connection scan settings to an INI file.

[-N] {--set-net-settings} [--file <file name and path>] – sets encrypted connection scan settings.

[-N] --add-certificate --file <path to certificate file> – adds a certificate to the trusted certificate list.

[-N] --remove-certificate <certificate subject> – removes a certificate from the trusted certificate list.

[-N] --list-certificates – displays the trusted certificate list.

Commands for managing users and roles

-U is a prefix indicating that the command belongs to the group of commands for managing users and roles.

[-U] --get-user-list – displays a list of users and roles.

[-U] --grant-role <role> <user> – grants a role to a specified user.

[-U] --revoke-role <role> <user> – revokes a role from a specified user.

Licensing commands

-L is a prefix indicating that the command belongs to the group of commands used to manage license keys.

[-L] --add-active-key <activation code>|<key file> – adds an active key.

[-L] --add-reserve-key <activation code>|<key file> – adds a reserve key.

[-L] --remove-active-key – removes the active key.

[-L] --remove-reserve-key – removes the reserve key.

-L --query – displays information about the license key.

[-L] --load-mdr-blob <path to the BLOB configuration file> – downloads the BLOB configuration file.

[-L] --remove-mdr-blob – removes the BLOB configuration file.

The commands for adding and deleting license keys can be performed only if the application is used in standalone mode. In Light Agent mode for protecting virtual environments, these commands fail.

Commands for managing the Firewall Management task

-F is a prefix indicating that the command belongs to the group of commands for managing the Firewall Management task.

[-F] --add-rule [--name <string>] [--action <action>] [--protocol <protocol>] [--direction <directory>] [--remote <remote>] [--local <local>] [--at <index>] – adds a new rule.

[-F] --del-rule [--name <string>] [--index <index>] – deletes a rule.

[-F] --move-rule [--name <string>] [--index <index>] [--at <index>] – changes the rule priority.

[-F] --add-zone [--zone <zone>] [--address <address>] – adds an IP address to the zone.

[-F] --del-zone [--zone <zone>] [--address <address>] [--index <index>] – deletes an IP address from the zone.

-F --query – displays information about the task.

Commands used to manage blocked devices

-H is a prefix indicating that the command belongs to the group of commands for managing devices blocked by Anti-Cryptor and Network Threat Protection.

[-H] --get-blocked-hosts – displays a list of blocked devices.

[-H] --allow-hosts – unblocks blocked devices.

Commands for managing Device Control tasks

-D is a prefix indicating that the command belongs to the Device Control group of commands.

[-D] --get-device-list – displays a list of devices connected to the computer.

Commands for managing the Application Control task

-A is a prefix indicating that the command belongs to the Application Control group of commands.

[-A] --get-app-list – displays the list of applications detected on the computer while executing the Inventory Scan task.

[-A] --get-categories – displays a list of created Application Control categories.

Commands for managing the Storage

-B is a prefix indicating that the command belongs to the group of commands used to manage the Storage.

[-B] --mass-remove --query – clears the Storage completely or selectively.

-B --query <filter> -n <count> [--json] - displays information about the objects in the Storage that match the filter conditions in JSON format, where:

<number> – number of the latest objects of the selection (number of records from the end of the selection) to be displayed.

<filter> – filter conditions to limit the query results.

[-B] --restore <object ID> --file <file name and path> – restores an object from Storage.

Commands used to manage the event log

-E is a prefix indicating that the command belongs to the group of commands used to manage the event log.

-E --query <filter> --db <database file> -n <number> --file <file name and path> [--json] – outputs information about events that match filter conditions from the event log database to the specified file in JSON format, where:

<number> – number of the latest events of the selection (number of records from the end of the selection) to be displayed.

<filter> – filter conditions to limit the query results.

<file name and path> – name and path of the file where you want to save the events.

<database file> – name and path to the event log database file.

Commands for managing settings for Kaspersky Endpoint Detection and Response (KATA) Integration

-R – the prefix indicating that the command belongs to the group of commands to manage Kaspersky Endpoint Detection and Response (KATA) Integration.

[-R] --add-kataedr-server-certificate <file name and path> — Adds or replaces a previously added KATA server certificate.

[-R] --remove-kataedr-server-certificate — removes the KATA server certificate.

[-R] --query-kataedr-server-certificate — displays information about the KATA server certificate.

[-R] --add-kataedr-client-certificate <file name and path> — Adds or replaces a previously added client certificate used to secure the connection to the KATA server.

[-R] --remove-kataedr-client-certificate — removes the client certificate used to secure the connection to the KATA server.

[-R] --query-kataedr-client-certificate — displays information about the client certificate.

[-R] --isolation-stat – displays the current state of network isolation in the console: enabled or disabled.

[-R] --isolation-off – disable network isolation of the device (the command is executed synchronously, that is, control does not return until the task is completed). We recommend using this command if the connection to the KATA server is lost after network isolation is enabled.

Application commands in Light Agent mode for protecting virtual environments

The commands can be executed only if Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments.

-V – a prefix indicating that the command belongs to the group of commands of Kaspersky Endpoint Security used in Light Agent mode to protect virtual environments (as part of Kaspersky Hybrid Cloud Security for Virtualization Light Agent).

[-V] --ksvla-info – displays information about using the application in Light Agent mode to protect virtual environments:

Light Agent mode for protecting virtual environments: enabled / disabled.
If Light Agent mode is enabled, the application is used as a Light Agent as part of Kaspersky Hybrid Cloud Security for Virtualization Light Agent. If Light Agent mode is disabled, the application is used in standalone mode.
VDI protection mode: enabled / disabled.
VDI protection mode optimizes the operation of Kaspersky Endpoint Security on temporary virtual machines. If VDI protection mode is enabled, updates that require restarting the protected virtual machine are not installed on temporary virtual machines. When receiving updates that require a restart, the Light Agent installed on a temporary virtual machine sends a message to Kaspersky Security Center about the need to update the protected virtual machine template.
The role of the virtual machine in the virtual infrastructure: server or workstation.
The identifier (UUID) of the protected virtual machine.

[-V] --viis-info – displays information about the connection of Light Agent (the Kaspersky Endpoint Security application used as a Light Agent as part of the Kaspersky Hybrid Cloud Security for Virtualization Light Agent solution) to the Integration Server:

Address and port of the Integration Server that the Light Agent connects to.
Status of the connection to the Integration Server.
Date and time of the last connection between the Light Agent and the Integration Server.

[-V] --svm-info – displays information about the connection of Light Agent (the Kaspersky Endpoint Security application used as a Light Agent as part of the Kaspersky Hybrid Cloud Security for Virtualization Light Agent solution) to the SVM:

Address of the SVM to which the Light Agent is connected.
Method that the Light Agent uses to detect SVMs: using the Integration Server or using a list of manually defined SVM addresses.
List of SVM addresses, if the selected SVM discovery method is lists of SVM addresses.
Tag for connecting Light Agent to the SVM.
SVM selection algorithm: standard or advanced.
Type of SVM path in the virtual infrastructure, which is taken into account when selecting SVMs for connection if the extended SVM selection algorithm is applied.
Protection of the connection between the Light Agent and the Protection Server.

For information about the settings for connecting Light Agents to the Integration Server and SVMs, refer to the Help for Kaspersky Hybrid Cloud Security for Virtualization Light Agent.

Page top

[Topic 201938]

Using filters to limit query results

You can use a filter to limit the query results for the following commands:

Getting information about application events:
kesl-control -E --query "<logical expression>"
Displaying information about the objects in the Storage:
kesl-control -B --query "<logical expression>"
Removing the selected objects from the Storage:
kesl-control -B --mass-remove --query "<logical expression>"

You can use multiple logical expressions to specify a filter by combining them using the AND operator. Logical expressions must be enclosed in quotation marks.

Syntax

"<field> <comparison operator> '<value>'"

"<field> <comparison operator> '<value>' and <field> <comparison operator> '<value>'"

Comparison operator

Comparison operator	Description
`>`	Greater than
`<`	Less than
`like`	Matches the specified value (when specifying the value, you can use masks %, see the example below)
`==`	Equal to
`!=`	Not equal to
`>=`	Greater than or equal to
`<=`	Less than or equal to

Examples:

Get information about files in the Storage that have the High severity level:

kesl-control -B --query "DangerLevel == 'High'"

Get information about events that contain the text "etc" in the FileName field:

kesl-control -E --query "FileName like '%etc%'"

Get events of the ThreatDetected type:

kesl-control -E --query "EventType == 'ThreatDetected'"

Output ThreatDetected events generated by ODS tasks:

kesl-control -E --query "EventType == 'ThreatDetected' and TaskType == 'ODS'"

Get events generated after the date specified in the UNIX time stamp system (the number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970):

kesl-control -E --query "Date > '1583425000'"

Get events generated after the date specified in YYYY-MM-DD hh:mm:ss format:

kesl-control -E --query "Date > '2022-12-22 18:52:45'"

Page top

[Topic 234826]

Exporting and importing application settings

Kaspersky Endpoint Security lets you export and import all application settings for troubleshooting, verifying settings, or simplifying the application's configuration on other user devices.

If the Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the settings of the Update task cannot be exported or imported.

When you export settings, all application and task settings are saved to a configuration file. This configuration file is used to import the application's configuration settings.

The application must be launched when settings are imported or exported. After the settings are imported, the application must be restarted.

When importing or exporting settings from an older application version, new settings are set to default values. Importing settings to an older application version is not supported.

Export settings

The kesl-control --export-settings command is for exporting settings.

Command syntax

kesl-control --export-settings --file <configuration file path> [--json]

Arguments and keys

--file <configuration file path> – full path to the configuration file where the application settings will be saved.

--json – format of the configuration file where the application settings will be saved. If a file format is not specified, the settings will be exported to an INI file.

Import settings

The kesl-control --import-settings command is for importing settings.

If the application is managed via Kaspersky Security Center, importing settings is not supported.

Command syntax

kesl-control --import-settings --file <configuration file path> [--json]

Arguments and keys

--file <configuration file path> – full path to the configuration file from which the application settings will be imported.

--json – format of the configuration file from which the application settings will be imported. If a file format is not specified, the application attempts to import settings from an INI file. If the import fails, an error is displayed.

When you import application settings, the UseKSN and CloudMode settings are set to No. To start or resume the use of Kaspersky Security Network, set the value of the UseKSN setting to Basic or Extended. To enable cloud mode, you must set the CloudMode setting to Yes. Cloud mode is available if use of KSN is enabled.

After application settings are imported, internal task IDs may change. It is recommended to use task names to manage them.

Page top

[Topic 197939]

Setting the application memory usage limit

You can specify the memory usage limit for Kaspersky Endpoint Security during scan tasks (ODS and OAS), in megabytes.

This setting limits only the amount of memory used when scanning files. That means that the total amount of memory required by the application can be more than the value of this setting.

The minimum value is 2 MB. Default value is 8192 MB. If the specified value is less than 2 MB, then the application uses the minimum value (2 MB). If the specified value is greater than the amount of RAM, then the application will use only 25% of the RAM. This value cannot be changed.

To specify a limit on memory use when scanning files:

Stop Kaspersky Endpoint Security.
Open the /var/opt/kaspersky/kesl/common/kesl.ini file for editing.
Add the following setting to the [General] section:
ScanMemoryLimit=<amount of memory in megabytes>
Start Kaspersky Endpoint Security.

The new memory usage limit for scanning files will be in effect after the application starts.

Page top

[Topic 197942]

User roles

Access to Kaspersky Endpoint Security functions is provided to users in accordance with their roles. A role is a set of rights and privileges for managing the application.

Four groups of system users are created in the operating system: kesladmin, kesluser, keslaudit, and nokesl. When you assign an application role to a system user, the user is added to the corresponding group of roles (see the Roles table below). When you revoke a role from a user, this user is removed from the corresponding group of roles.

If no application role is assigned to a system user, that user belongs to a separate group of users without rights.

Thus, the roles correspond to the four groups of operating system users:

kesladmin – the Administrator role
kesluser – the User role
keslaudit – the Auditor role
nokesl is assigned to a user if no other roles are assigned. In this case, the user belongs to a separate group of users without privileges

The table below describes the application roles and their permissions.

User roles

Role name	Role in application	OS user	Permissions
Administrator	admin	kesladmin	Manage all application and task settings. Manage application licensing. Assigning roles to users. Revoking user roles (the administrator has no right to revoke the admin role from himself). View and manage users' Storages.
User	user	kesluser	Manage only Scan_File tasks. Start and stop Update tasks. View reports for the tasks created by this user. View specific events that are common for all application users.
Auditor	audit	keslaudit	Viewing application settings View application status. View all tasks, their settings, and start schedules. View all events. View all objects in the Storage.
—	—	nokesl	No role is assigned in the application, no permissions.

In this section

Viewing a list of users and roles

Assigning a role to a user

Revoking a user role

Page top

[Topic 197944]

Viewing a list of users and roles

To view a list of users and their roles, execute the following command:

kesl-control [-U] --get-user-list

Page top

[Topic 197945]

Assigning a role to a user

To assign a role to a specific user, execute the following command:

kesl-control [-U] --grant-role <role> <user>

Example:

To assign the audit role to the user test15:

kesl-control --grant-role audit test15

Page top

[Topic 197946]

Revoking a user role

To revoke a role from a specific user, execute the following command:

kesl-control [-U] --revoke-role <role> <user>

Example:

To revoke the audit role from the user test15:

kesl-control --revoke-role audit test15

Page top

[Topic 201954]

General application settings

This section contains information about commands for managing general application settings and container scan settings.

In this section

Description of the general application settings

Editing general application settings

Description of general container scan settings

Editing general container scan settings

Page top

[Topic 247312]

Description of the general application settings

This section describes the values of the general settings of the Kaspersky Endpoint Security configuration file (see the table below).

General application settings

Setting	Description	Values
`SambaConfigPath`	Directory that stores the Samba configuration file. The Samba configuration file is required to ensure that the `AllShared` or `Shared:SMB` values can be used for the `Path` setting.	The standard directory of the SAMBA configuration file on the computer is specified by default. Default value: /etc/samba/smb.conf. The application must be restarted after this setting is changed.
`NfsExportPath`	The directory where the NFS configuration file is stored. The NFS configuration file is required to ensure that the `AllShared` or `Shared:NFS` values can be used for the `Path` setting.	The standard directory of the NFS configuration file on the computer is specified by default. Default value: /etc/exports. The application must be restarted after this setting is changed.
`TraceLevel`	Enables trace file generation and specifies the level of detail of the trace file.	`Detailed` – Generate a detailed trace file. `MediumDetailed` – Generate a trace file that contains informational messages and error messages. `NotDetailed` – Generate a trace file that contains error messages. `None` (default value) — Do not generate a trace file.
`TraceFolder`	The directory that stores the application's trace files. Trace files contain information about the operating system, and may also contain personal data.	Default value: /var/log/kaspersky/kesl. If you specify a different directory, make sure that the account under which Kaspersky Endpoint Security is running has read/write permissions for this directory. Root privileges are required to access the default trace files directory. The application must be restarted after this setting is changed.
`TraceMaxFileCount`	Maximum number of application trace files.	1–10000 Default value: 10. The application must be restarted after this setting is changed.
`TraceMaxFileSize`	Specifies the maximum size of an application trace file (in megabytes).	1–1000 Default value: 500. The application must be restarted after this setting is changed.
`BlockFilesGreaterMaxFileNamePath`	Blocks access to files for which the full path length exceeds the defined settings value specified in bytes. If the length of the full path to the scanned file exceeds the value of this setting, scan tasks skip this file during scanning. This setting is not available for operating systems that use the fanotify technology.	4096–33554432 Default value: 16384. After changing the value of this setting, the File Threat Protection task needs to be restarted.
`DetectOtherObjects`	Enables detection of legitimate software that could be used by intruders to harm computers or user data.	`Yes`— Enable detection of legitimate software that could be used by intruders to harm computers or user data. `No` (default value) — Disable detection of legitimate software that could be used by intruders to harm computers or user data.
`NamespaceMonitoring`	Enable scanning of namespaces and containers. The application does not scan namespaces and containers unless components for working with containers and namespaces are installed in the operating system. Moreover, when viewing application information in the Container Monitoring row, `"The task is available and not running"` is displayed.	`Yes` (default value) — Enable scanning of namespaces and containers. `No` — Disable scanning of namespaces and containers.
`InterceptorProtectionMode`	File interceptor mode when executing tasks that use the file operation interceptor (File Threat Protection, Anti-Cryptor, Device Control, Removable Drives Scan). This setting affects the operating mode of File Threat Protection, Device Control, and Removable Drive Scan tasks.	`Block` (default value) – block the files while they are being scanned by the task that uses the file interceptor. A request to any file has to wait for scan results. When detecting infected objects, the application performs the actions specified in the `FirstAction` and `SecondAction` settings of the File Threat Protection task. `Notify` — do not block the files while they are being scanned by the task that uses the file interceptor. Requests to any file is allowed, scanning is done asynchronously. When detecting infected objects, the application only records the event in the event log. The actions specified in the `FirstAction` and `SecondAction` settings of the File Threat Protection task are skipped. If the `Notify` value is selected, the "Notify only" mode is enabled for the File Threat Protection and Device Control components. If the `Notify` value is selected, the protection level of your device is reduced.
`UseKSN`	Enabling Kaspersky Security Network usage:	`Basic` - enable use of Kaspersky Security Network in standard mode. `Extended` - enable use of Kaspersky Security Network in extended mode. `No` (default value) — disable use of Kaspersky Security Network.
`CloudMode`	Enable cloud mode. Cloud mode is available if use of KSN is enabled. If you plan to use cloud mode, make sure KSN is available on your device. This setting applies only if the application is used in standalone mode.	`Yes` — enable the operating mode in which Kaspersky Endpoint Security uses a lightweight version of the malware databases. `No` (default value) – use the full version of the malware databases. Cloud mode is disabled automatically if use of KSN is disabled.
`UseMDR`	Enables Managed Detection and Response.	`Yes` – enable Managed Detection and Response. `No` (default value) – disable Managed Detection and Response.
`UseProxy`	Enables use of a proxy server by Kaspersky Endpoint Security components. A proxy server can be used to communicate with Kaspersky Security Network and Kaspersky Endpoint Detection and Response (KATA) to activate the application, and when updating application databases and modules. If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the use of a proxy server for connecting to Kaspersky Security Network, the SVM, and the Integration Server is not supported.	`Yes` - enable the use of a proxy server. `No` (default) - Disable the use of a proxy server. If `Yes` is selected, integration with Kaspersky Endpoint Detection and Response (KATA) happens through a proxy server.
`ProxyServer`	Proxy server settings in the format [user[:password]@]host[:port]. When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.	—
`MaxEventsNumber`	The maximum number of events stored by the application. When the specified number of events is exceeded, the application deletes the oldest events.	Default value: 500000. If 0 is specified, events are not saved.
`LimitNumberOfScanFileTasks`	The maximum number of Scan_File tasks that a non-privileged user can simultaneously start on a device. This setting does not limit the number of tasks that a user with root privileges can start.	0–4294967295 Default value: 0. If 0 is specified, a non-privileged user cannot start Scan_File tasks. If you installed the graphical user interface package when installing the application, the `LimitNumberOfScanFileTasks` settings has the default value `5`.
`UseSyslog`	Enable logging of information about events to syslog Root privileges are required to access syslog.	`Yes` — Enable logging of information about events to syslog. `No` (default value) — Disable logging of information about events to syslog.
`EventsStoragePath`	The database directory where the application saves information about events. Root privileges are required to access the default event database.	Default value: /var/opt/kaspersky/kesl/private/storage/events.db.
`ExcludedMountPoint.item_#`	The mount point to be excluded from the scan scope for tasks that use a file operation interceptor (File Threat Protection and Anti-Cryptor). You can specify several mount points to be excluded from scans. Mount points must be specified in the same way as they are displayed in the `mount` command output. The `ExcludedMountPoint.item_#` setting is left unspecified by default.	`AllRemoteMounted` — Exclude all remote directories mounted on the device using SMB and NFS protocols from file operation interception. `Mounted:NFS` — Exclude all remote directories mounted on the device using the NFS protocol from file operation interception. `Mounted:SMB` — Exclude all remote directories mounted on the device using the SMB protocol from file operation interception. `Mounted:<file system type>` — Exclude all mounted directories with the specified file system type from file operation interception. `/mnt` — Exclude objects in the /mnt mount point (including subdirectories) from file operation interception. This directory is used as the temporary mount point for removable drives. `<path that contains the` `/mnt/user` `or` `/mnt//user_share>` — Exclude objects in mount points whose names contain the specified mask from file operation interception. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir//file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. To exclude the mount point `/dir`, you need to specifically indicate `/dir` (no asterisk). The mask `/dir/` excludes all mount points at the level below `/dir` but not `/dir` itself. The `/dir/*` mask excludes all mount points below the level of `/dir` but not `/dir` itself. You can use a single `?` character to represent any one character in the file or directory name.
`MemScanExcludedProgramPath.item_#`	Exclude process memory from scans. The application does not scan the memory of the indicated process.	`<full path to process>` – Do not scan the process in the indicated local directory. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.
`UseOnDemandCPULimit`	Enables limits on CPU utilization for ODS, ContainerScan, and InventoryScan tasks.	`Yes` – enable limits on CPU utilization for ODS, ContainerScan, and InventoryScan tasks. `No` (default value) – disable limits on CPU utilization for ODS, ContainerScan, and InventoryScan tasks.
`OnDemandCPULimit`	The maximum load on all processor cores (as a percentage) when running ODS, ContainerScan, and InventoryScan tasks.	10–100 Default value: 100.

Page top

[Topic 234832]

Editing general application settings

Root privileges are required to change application settings.

To edit the general application settings:

Save the general application settings to the configuration file using the --get-app-settings command:
kesl-control [-T] --get-app-settings --file <configuration file path>
Open the created configuration file, edit the necessary settings, and save the changes.
Import the settings from the configuration file into the application using the --set-app-settings command:
kesl-control [-T] --set-app-settings --file <configuration file path>

To enable the Kaspersky Security Network usage, run the kesl-control --set-settings command with the --accept-ksn flag: kesl-control --set-app-settings UseKSN=Basic|Extended --accept-ksn.

Kaspersky Endpoint Security applies the new values of the settings after restart.

You can use the created configuration file to import the settings into the application installed on another device.

The kesl-control --get-app-settings command

The kesl-control --get-app-settings command displays the general application settings. You can also use this command to export the general application settings to a configuration file.

Command syntax

kesl-control [-T] --get-app-settings [--file <configuration file path>] [--json]

Arguments and keys

--file <configuration file path> – path to the configuration file where the application settings will be saved. If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the configuration file will not be created. If you do not specify the --file option, the general application settings will be displayed on the console.

--json – format of the configuration file where the application settings will be saved. If a file format is not specified, the settings will be exported to an INI file.

Example:

Export the general application settings to a file named kesl_config.ini. Save the created file in the current directory:

kesl-control --get-app-settings --file kesl_config.ini

The kesl-control --set-app-settings command

The kesl-control --set-app-settings command sets the general application settings using the command options or imports the general application settings from the specified configuration file.

Command syntax

kesl-control [-T] --set-app-settings <setting name>=<setting value> <setting name>=<setting value>

kesl-control [-T] --set-app-settings --file <configuration file path> [--json]

Arguments and keys

--file <configuration file path> – full path to the configuration file to import the settings into the application.

--json – format of the configuration file to import the settings into the application. If a file format is not specified, the application attempts to import settings from an INI file. If the import fails, an error is displayed.

Examples:

Import general settings into the application from the configuration file /home/test/kesl_config.ini:

kesl-control --set-app-settings --file /home/test/kesl_config.ini

Set the detail level for the trace file to low:

kesl-control --set-app-settings TraceLevel=NotDetailed

Add a mount point to be excluded from scan scope by tasks that use a file operation interceptor (File Threat Protection and Anti-Cryptor):

kesl-control --set-app-settings ExcludedMountPoint.item_0000="/data"

Page top

[Topic 234889]

Description of general container scan settings

This section describes the values of the general container and namespace scan settings (see the table below). Integration with Docker container management system, CRI-O framework, and Podman and runc utilities is supported.

The application does not scan namespaces and containers unless components for working with containers and namespaces are installed in the operating system. Moreover, when viewing application information in the Container Monitoring row, "The task is available and not running" is displayed. Namespace and container scans can be enabled using the NamespaceMonitoring setting described in the general application settings.

General container and namespace scan settings

Setting	Description	Values
`OnAccessContainerScanAction`	Action to be performed on a container when an infected object is detected. This setting is available when using the application under a license that supports this function. File Threat Protection task settings are used when scanning objects inside a container. The action performed on a container when an infected object is detected also depends on the File Threat Protection task settings (see the table below).	`StopContainerIfFailed` (default value) — Stop the container if an infected object cannot be disinfected or deleted. `StopContainer` — Stop the container when an infected object is detected. `Skip` — Do not perform any action on containers when an infected object is detected.
`UseDocker`	Use the Docker environment.	`Yes` (default value) — Use the Docker environment. `No` — Do not use the Docker environment.
`DockerSocket`	Docker socket path or URI (Universal Resource Identifier).	Default value: /var/run/docker.sock.
`UseCrio`	Use the CRI-O environment.	`Yes` (default value) — Use the CRI-O environment. `No` — Do not use the CRI-O environment.
`CrioConfigFilePath`	Path to the CRI-O configuration file.	Default value: /etc/crio/crio.conf.
`UsePodman`	Use the Podman utility.	`Yes` (default value) — Use the Podman utility. `No` — Do not use the Podman utility.
`PodmanBinaryPath`	Path to the Podman utility executable file.	Default value: /usr/bin/podman.
`PodmanRootFolder`	Path to the root directory of the container storage.	Default value: /var/lib/containers/storage.
`UseRunc`	Use the runc utility.	`Yes` (default value) — Use the runc utility. `No` — Do not use the utility.
`RuncBinaryPath`	Path to the runc utility executable file.	Default value: /usr/bin/runc.
`RuncRootFolder`	Path to the root directory of the container state storage.	Default value: /run/runc.

Actions performed on a container when an infected object is detected may vary depending on the specified values of the FirstAction and SecondAction settings of the File Threat Protection task and on the value of the InterceptorProtectionMode setting, one of the general application settings (see the table below).

Relationship between actions performed on containers and the specified action performed on infected objects

Value of the FirstAction / SecondAction or the InterceptorProtectionMode setting	Action performed on the container when the StopContainerIfFailed action is selected
`Disinfect`	Stop the container if disinfection of an infected object fails.
`Remove`	Stop the container if an infected object removal fails.
`Block` or `Notify`	Do not perform any action on containers when an infected object is detected.

Page top

[Topic 207299]

Editing general container scan settings

Root privileges are required to change application settings.

To edit the general container scan settings:

Save the general Container Scan settings to the configuration file using the --get-container-settings command:
kesl-control [-C] --get-container-settings --file <configuration file name>
Open the created configuration file, edit the necessary Container Scan settings and save the changes.
Import the Container Scan settings from the configuration file into the application using the --set-container-settings command:
kesl-control [-C] --set-container-settings --file <configuration file name>

Kaspersky Endpoint Security will apply the new values of the settings after you restart it.

The kesl-control --get-container-settings command

The kesl-control --get-container-settings command displays the general Container Scan settings. You can also use this command to export the general container scan setting to the configuration file.

Command syntax

kesl-control [-C] --get-container-settings [--file <configuration file name>]

Arguments and keys

--file <configuration file name> – name of the configuration file where the container scan settings are saved.

If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the configuration file will not be created.

The kesl-control --set-container-settings command

The kesl-control --set-container-settings command sets the general Container Scan settings using the command keys, or imports the general Container Scan settings from the specified configuration file.

Command syntax

kesl-control [-C] --set-container-settings --file <configuration file name>

kesl-control [-C] --set-container-settings <setting name>=<setting value> <setting name>=<setting value>

Arguments and keys

--file <configuration file name> – name of the configuration file, including the full path to the file; the container scan settings from this file will be imported into the application.

Page top

[Topic 245737]

Managing application tasks using the command line

You can manage the application operation using tasks locally on the device (using the command line or configuration files), as well as using Administration Console or Kaspersky Security Center Web Console.

There are two types of tasks for working with the application:

Predefined task — a task created during installation of the application. Predefined tasks cannot be created or deleted, but you can modify the settings of these tasks.
If the application is used in Light Agent mode to protect virtual environments, the settings of the predefined Update task cannot be edited.
A user task that you can create or delete on your own. Depending on the application usage mode, you can create the following types of tasks:
- Standalone mode: ODS, Update, Rollback, ODFIM, ContainerScan, and InventoryScan
- Light Agent mode for protecting virtual environments: ODS, ODFIM, ContainerScan, and InventoryScan

Task ID is an identifier that the application assigns to the task at creation. IDs for user tasks are starting from 100. All tasks (including deleted tasks) have unique IDs. The application does not reuse the identifiers of the deleted tasks. The identifier of a new task is the next successive number to the identifier of the latest created task.

Task names are not case-sensitive.

The application's predefined tasks are listed in the table.

Application tasks

Task	Task name in the command line	Task ID	Task type
File Threat Protection	File_Threat_Protection	1	OAS
Malware Scan	Scan_My_Computer	2	ODS
Custom Scan	Scan_File	3	ODS
Critical Areas Scan	Critical_Areas_Scan	4	ODS
Update	Update	6	Update
Rollback	Rollback	7	Rollback
Licensing	License	9	License
Storage management	Backup	10	Backup
System Integrity Monitoring	System_Integrity_Monitoring	11	OAFIM
Firewall Management	Firewall_Management	12	Firewall
Anti-Cryptor	Anti_Cryptor	13	AntiCryptor
Web Threat Protection	Web_Threat_Protection	14	WTP
Device Control	Device_Control	15	DeviceControl
Removable Drives Scan	Removable_Drives_Scan	16	RDS
Network Threat Protection	Network_Threat_Protection	17	NTP
Container Scan	Container_Scan	18	ContainerScan
Custom Container Scan	Custom_Container_Scan	19	ContainerScan
Behavior Detection	Behavior_Detection	20	BehaviorDetection
Application Control	Application_Control	21	AppControl
Inventory	Inventory_Scan	22	InventoryScan
Kaspersky Endpoint Detection and Response (KATA) Integration	KATAEDR	24	KATAEDR

You can perform the following actions with tasks:

start and stop tasks.
create and delete user tasks.
Edit task settings.

The set of available actions for a task depends on the type of task and the application usage mode.

In this section

View the list of tasks

Creating a new task

Editing task settings using a configuration file

Editing task settings using the command line

Resetting task settings to their default values

Starting and stopping a task

Viewing a task state

Scheduling a task

Managing scan scopes from the command line

Managing exclusion scopes from the command line

Deleting a task

Page top

[Topic 236014]

View the list of tasks

To view the list of application tasks, execute the following command:

kesl-control [-T] --get-task-list [--json]

where:

--json – output format for the list of application tasks. If a file format is not specified, the output will be an INI file.

The list of Kaspersky Endpoint Security tasks will be displayed.

The following information will be displayed for each task:

Name. Task name.
ID. Task ID.
Type. Task type.
State. Current task status.

If Kaspersky Security Center policy prohibits users from viewing and editing tasks locally, information will only be displayed about the Scan_File, Backup, License, File_Threat_Protection, System_Integrity_Monitoring, and Anti_Cryptor tasks. Information about other tasks is not available.

Page top

[Topic 197949]

Creating a new task

If you are using the application in standalone mode, you can create the following types of tasks: ODS, Update, Rollback, ODFIM, ContainerScan, and InventoryScan. If the application is used in Light Agent mode to protect virtual environments, you can create the following types of tasks: ODS, ODFIM, ContainerScan, and InventoryScan.

You can create tasks with default settings or with settings specified in a configuration file.

To create a task with default settings, execute the following command:

kesl-control [-T] --create-task <task name> --type <task type>

where:

<task name> is the name you assign to the new task;
<task type> is the type of task.

A task of the specified type is created with default settings.

To create a task with the settings specified in the configuration file, execute the following command:

kesl-control [-T] --create-task <task name> --type <task type> --file <path to file> [--json]

where:

<task name> is the name you assign to the new task;
<task type> is the type of task;
<path to file> is the full path to the configuration file.

A task of the specified type is created with settings specified in a configuration file.

Page top

[Topic 197950]

Editing task settings using a configuration file

If the application is used in Light Agent mode to protect virtual environments, the settings of the Update task cannot be edited.

To edit task settings by changing a configuration file:

Save task settings to the configuration file:
kesl-control --get-settings <task ID>|<task name> --file <full path to the file> [--json]
Open the created configuration file for editing.
Edit the required settings in the configuration file.
Save the changes in the configuration file.
Import the settings from the configuration file into the task:
kesl-control --set-settings < task ID>|<task name> --file <full path to the file> [--json]

Task settings will be updated.

If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Endpoint Security in the Application Control task settings, run the --set-settings command with the --accept flag.

Page top

[Topic 246838]

Editing task settings using command line

If the application is used in Light Agent mode to protect virtual environments, the settings of the Update task cannot be edited.

To edit task settings using the command line:

Specify the required setting value:
kesl-control --set-settings <task ID>|<task name> <setting=value> [<setting=value>]

The application changes the specified setting.

If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Endpoint Security in the Application Control task settings, run the --set-settings command with the --accept flag.
Make sure the setting value is changed in the task configuration file:
kesl-control --get-settings <task ID>|<task name>

If you add a new scan scope or exclusion scope not specifying all settings, a scope with default settings is added to the configuration file.

Example:

To specify a new scan scope, execute the following command:

kesl-control --set-settings 100 ScanScope.item_0001.UseScanArea=Yes ScanScope.item_0001.Path=/home

A new section describing the scan scope is added to the task configuration file with ID=100:

[ScanScope.item_0001]

AreaDesc=

UseScanArea=Yes

Path=/home

AreaMask.item_0000=*

Page top

[Topic 197952]

Resetting task settings to their default values

Kaspersky Endpoint Security allows you to reset task settings to default values from command line.

Restoring default settings is not available for the License and Rollback tasks.

To reset task settings to their default values from the command line:

Execute the following command:
kesl-control --set-settings <task ID>|<task name> --set-to-default

The application changes the setting values to their defaults.
Make sure the settings' values are changed in the task configuration file:
kesl-control --get-settings <task ID>|<task name> --file <configuration file name>

The task configuration file contains default values for all settings.

Page top

[Topic 197953]

Starting and stopping a task

By default, the following tasks are automatically started when the application starts: File Threat Protection, Device Control, and Behavior Detection. The remaining tasks are stopped (their status is Stopped).

You can start a task at any time.

The Backup and License tasks cannot be started or stopped.

To start a task, execute the following command:

kesl-control --start-task <task ID>|<task name>

To stop a task, execute the following command:

kesl-control --stop-task <task ID>|<task name>

Page top

[Topic 246851]

Viewing a task state

To view a task state, execute the following command:

kesl-control --get-task-state <task ID>|<task name>

where:

<task ID> is the task ID that the application assigned to the task when it was created.

The application tasks can have one of the following states:

Started—Task is running.
Starting—Task is being launched.
Stopped—Task has been stopped.
Stopping—Task is stopping.

The ODS, ODFIM, and InventoryScan tasks can also have one of the following states:

Pausing — Task is pausing.
Suspended — Task is suspended.
Resuming — Task is resuming.

The Backup and License tasks cannot be started, suspended, or stopped. They can have only the Started state.

Page top

[Topic 236381]

Scheduling a task

If the application is used in standalone mode, you can view and configure the schedule settings for the following types of tasks: ODS, Update, Rollback, ODFIM, ContainerScan and InventoryScan. If the application is used in Light Agent mode to protect virtual environments, you can view and configure the start schedule settings for the following types of tasks: ODS, ODFIM, ContainerScan, and InventoryScan.

Editing task schedule settings

To configure task schedule settings:

Save task schedule settings to a configuration file by executing the following command:
kesl-control --get-schedule <task ID>|<task name> --file <configuration file name> [--json]
Open the configuration file for editing.
Specify the schedule settings.
Save the changes in the configuration file.
Import the schedule settings from the configuration file to the task using the following command:
kesl-control --set-schedule <task ID>|<task name> --file <configuration file name> [--json]

The application will apply the new values of the schedule settings immediately.

Task schedule settings

The application provides the following settings for configuring the task launch schedule:

where:

Manual – start the task manually.

PS – start the task after starting the application.

BR – start the task after the application databases have been updated.

RandomInterval=<minutes> – a time interval from 0 to the specified value (in minutes), which will be added to the task start time to avoid starting tasks at the same time.

RunMissedStartRules – enables launch of the missed task after the application starts.

Examples:

To schedule the task to start every ten hours, specify the following settings:

RuleType=Hourly

RunMissedStartRules=No

StartTime=2021/May/30 23:05:00;10

RandomInterval=0

To schedule the task to start every ten minutes, specify the following settings:

RuleType=Minutely

RunMissedStartRules=No

StartTime=23:10:00;10

RandomInterval=0

To schedule the task to start on the 15th of every month, specify the following settings:

RuleType=Monthly

RunMissedStartRules=No

StartTime=23:25:00;15

RandomInterval=0

To schedule the task to start on every Tuesday, specify the following settings:

RuleType=Weekly

StartTime=18:01:30;Tue

RandomInterval=99

RunMissedStartRules=No

To schedule the task to start every 11 days, specify the following settings:

RuleType=Daily

RunMissedStartRules=No

StartTime=23:15:00;11

RandomInterval=0

The kesl-control --get-schedule command

The kesl-control --get-schedule command displays the task schedule settings or saves them to the specified configuration file.

Command syntax

kesl-control [-T] --get-schedule <task ID>|<task name> [--file <configuration file name>] [--json]

Arguments and keys

<task ID> is the task identification number in the application.

<task name> is a name of a task.

--file <configuration file name> is the name of the configuration file where the schedule settings will be saved. If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the configuration file will not be created.

Examples:

Save the update task settings to a file named update_schedule.ini and save the created file in the current directory:

kesl-control --get-schedule 6 --file update_schedule.ini

Display the Update task schedule:

kesl-control --get-schedule 6

The kesl-control --set-schedule command

The kesl-control --set-schedule command sets the task schedule settings using the command keys or imports the task schedule settings from the specified configuration file.

Command syntax

kesl-control --set-schedule <task ID>|<task name> --file <configuration file name> [--json]

kesl-control --set-schedule <task ID>|<task name> <setting name>=<setting value> <setting name>=<setting value>

Arguments and keys

<task ID> is the task identification number in the application.

<task name> is a name of a task.

--file <configuration file name> is the name of the configuration file; the schedule settings from this file will be imported into the task; includes the full path to the file.

Example:

Import the schedule settings from the configuration file named /home/test/on_demand_schedule.ini into the task with ID=2:

kesl-control --set-schedule 2 --file /home/test/on_demand_schedule.ini

Page top

[Topic 197954]

Managing scan scopes from the command line

You can add or delete a scan scope with a specified Path for OAS, ODS, OAFIM, ODFIM, and AntiCryptor tasks from the command line.

To add a new scan scope, execute the following command:

kesl-control --set-settings <task ID>|<task name> --add-path <path>

A new [ScanScope.item_#] section will be added to the configuration file. The application scans the objects in the directory specified by the Path setting.

If a [ScanScope.item_#] section already exists for the specified Path setting, a duplicate section will not be added to the configuration file. If the UseScanArea setting is set to No its value will change to Yes after this command is executed and the objects located in this directory will be scanned.

To delete a scan scope, execute the following command:

kesl-control --set-settings <task ID>|<task name> --del-path <path>

The [ScanScope.item_#] section that contains the specified path will be deleted from the task configuration file. The application will not scan the objects in the directory specified by the Path setting.

Page top

[Topic 197955]

Managing exclusion scopes from the command line

You can add or delete an exclusion scope with a specified Path for OAS, ODS, OAFIM, ODFIM, and AntiCryptor tasks from the command line.

To add a new exclusion scope, execute the following command:

kesl-control --set-settings <task ID>|<task name> --add-exclusion <path>

In order to optimize the operation of scan tasks, it is recommended to add the path with snapshots mounted by the system in the read-only mode to the exclusions for the systems with the btrfs file system and enabled active snapshots. For example, for the systems based on SUSE/OpenSUSE, you can add the following exclusion for the path: /.snapshots/*/snapshot/.

A new [ExcludedFromScanScope.item_#] section will be added to the configuration file. The application will exclude objects in the directory specified by the Path setting from scans.

If an [ExcludedFromScanScope.item_#] section already exists for the specified Path setting, a duplicate section will not be added to the configuration file. If the UseScanArea setting is set to No its value will change to Yes after this command is executed and the objects located in this directory will be excluded from scans.

To delete an exclusion scope, execute the following command:

kesl-control --set-settings <task ID>|<task name> --del-exclusion <path>

The [ExcludedFromScanScope.item_#] section that contains the specified path is deleted from the task configuration file. The application will not exclude objects in the directory specified by the Path setting from scans.

Page top

[Topic 197960]

Deleting a task

You can only delete tasks that you have created. Predefined tasks cannot be deleted.

If the application is used in Light Agent mode to protect virtual environments, the Update task cannot be deleted.

To delete a task, execute the following command:

kesl-control --delete-task <task ID>|<task name>

Page top

[Topic 236580]

Encrypted connections scan

You can configure settings for scanning the encrypted connections used in the Web Threat Protection task.

You can also configure the list of trusted certificates, which is used when scanning encrypted connections.

In this section

Encrypted connections scan settings

Managing encrypted connections scan settings

Managing trusted certificates

Page top

[Topic 198037]

Encrypted connections scan settings

All available values and default values for each setting are described in the table below.

When the encrypted connection scan settings are changed, the application records a NetworkSettingsChanged event in the log file.

Encrypted connections scan settings

Setting	Description	Values

`EncryptedConnectionsScan`	Enables or disables encrypted traffic scan. For the FTP protocol, encrypted connections scan is disabled by default.	`Yes` (default value) — Enable encrypted connection scans. `No` — Disable encrypted connection scans. The application does not decrypt the encrypted traffic.
`EncryptedConnectionsScanErrorAction`	Specifies the action to perform when an encrypted connection scan error occurs on a website.	`AddToAutoExclusions` (default value) — Add the domain where an error occurred to the list of domains with scan errors. The application will not monitor encrypted network traffic when this domain is visited. `Disconnect` — Block the network connection.
`CertificateVerificationPolicy`	Specifies the way Kaspersky Endpoint Security checks certificates. If a certificate is self-signed, the application does not perform the additional verification.	`FullCheck` (default value) — The application uses the Internet to check and download the missing chains that are required to verify a certificate. `LocalCheck` — The application does not use the Internet to verify a certificate.
`UntrustedCertificateAction`	Specifies the action to perform when an encrypted connection scan error occurs on a website.	`Allow` (default value) — Allow network connections established while visiting a domain with an untrusted certificate. `Block` — Block network connections established while visiting a domain with an untrusted certificate.
`ManageExclusions`	Enables or disables the use of the encrypted connection scan exclusions.	`Yes` — Do not scan websites specified in the `[Exclusions.item_#]` section. `No` (default value) — Scan all websites.
`MonitorNetworkPorts`	Specifies the way Kaspersky Endpoint Security monitors network ports.	`Selected` (default value) — Monitor only network ports specified in the `[NetworkPorts.item_#]` section (see below). `All` — Monitor all network ports. Specifying this value may significantly increase an operating system load.
The [Exclusions.item_#] section contains domains excluded from scans. The application does not scan encrypted connections established when visiting specified domains.
`DomainName`	Specifies the domain name. You can use masks to specify the domain.	The default value is not defined.
The [NetworkPorts.item_#] section contains the network ports monitored by the application.
`PortName`	Network port description.	The default value is not defined.
`Port`	Network port numbers to be monitored by the application.	`1` – `65535` The default value is not defined.

Page top

[Topic 198038]

Managing encrypted connections scan settings

You can manage encrypted connections scan settings from the command line.

To view the list of encrypted connection scan exclusions added by a user, execute the following command:

kesl-control -N --query user

To view the list of encrypted connection scan exclusions added by a user, execute the following command:

kesl-control -N --query auto

To view the list of encrypted connection scan exclusions received from the application databases, execute the following command:

kesl-control -N --query kl

To clear a list of domains that the application automatically excluded from scan, execute the following command:

kesl-control -N --clear-web-auto-excluded

To view encrypted connection scan settings, execute the following command:

kesl-control [-N] --get-net-settings [--file <file path and name>]

The output format is INI.

To set encrypted connection scan settings, execute the following command:

kesl-control [-N] --set-net-settings [--file <file path and name>]

Page top

[Topic 236555]

Managing trusted certificates

You can set the list of certificates that will be trusted by the application. The list of trusted certificates is used when scanning encrypted connections.

You can manage the trusted certificate list from the command line.

To add a certificate to the trusted certificate list, run the following command:

kesl-control [-N] --add-certificate <path to certificate>

where:

<path to certificate> is the path to the certificate file that you want to add (PEM or DER format).

To remove a certificate from the trusted certificate list, run the following command:

kesl-control [-N] --remove-certificate <certificate subject>

To view the list of trusted certificates, execute the following command:

kesl-control [-N] --list-certificates

The following information is displayed for each certificate:

certificate subject
serial number
certificate issuer
certificate start date
certificate expiration date
SHA-256 certificate thumbprint

Page top

[Topic 197961]

File Threat Protection task (File_Threat_Protection, ID:1)

File Threat Protection prevents infection of the device's file system. The File Threat Protection task is created automatically with default settings when you install Kaspersky Endpoint Security application on your device. By default, the File Threat Protection task starts automatically when the application starts. The task resides in the device's RAM and scans all opened, saved, and active files.

Administrator role privileges are required to start and stop the File Threat Protection task from the command line.

Upon detecting malware, Kaspersky Endpoint Security may remove the infected file and terminate the malware process started from this file.

While the File Threat Protection task is running, the application scans all namespaces and containers on all supported operating systems if the value of the NamespaceMonitoring setting in the general application settings is set to Yes. Additionally, for Astra Linux, a custom virus scan task (Scan_File) allows files from other namespaces to be scanned (as part of a mandatory scan). You can separately configure general scan settings for containers and namespaces.

File Threat Protection user tasks cannot be created. You can modify the settings of the default File Threat Protection task.

If InterceptorProtectionMode is set to Notify in the general application settings, then when infected objects are detected, the application does not perform the actions specified in the FirstAction and SecondAction settings of the File Threat Protection task.

In this Help section

Special considerations for scanning symbolic links and hard links

File Threat Protection task settings

Specifying an exclusion scope

Optimizing network directory scanning

Page top

[Topic 197963]

Special considerations for scanning symbolic links and hard links

Kaspersky Endpoint Security lets you scan symbolic links and hard links to files.

Scanning symbolic links

The application scans symbolic links only if the file referenced by the symbolic link is within the protection scope of the File Threat Protection task.

If the file referenced by the symbolic link is not within the File Threat Protection task, the application does not scan this file. However, if the file contains malicious code, the security of the device is at risk.

Scanning hard links

When processing a file with more than one hard link, the application chooses an action depending on the specified action on objects:

If the Perform recommended action option is selected, the application automatically selects and performs an action on an object based on data about the danger level of the threat detected in the object and the possibility of disinfecting it.
If the Remove action is selected, the application removes the hard link being processed. The remaining hard links to this file will not be processed.
If the Disinfect action is selected, the application disinfects the source file. If disinfection fails, the application deletes the hard link and creates in its place a copy of the source file with the name of the deleted hard link.

When you restore a file with a hard link from the Storage, the application creates a copy of the source file with the name of the hard link that was moved to the Storage. Connections with the remaining hard links to the source file will not be restored.

Page top

[Topic 234812]

File Threat Protection task settings

The table describes all available values and default values of all the settings that you can specify for the File Threat Protection task.

File Threat Protection task settings

Setting

Description

Values

ScanArchived

Enables scanning of archives (including SFX self-extracting archives).

The application scans the following archives: .zip; .7z*; .7-z; .rar; .iso; .cab; .jar; .bz; .bz2; .tbz; .tbz2; .gz; .tgz; .arj. The list of supported archive formats depends on the application databases being used.

Yes—Scan archives. If the FirstAction=Recommended value is specified, then, depending on the archive type, the application deletes either the infected object or the entire archive that contains the threat.

No (default value) — Do not scan archives.

ScanSfxArchived

Enables scanning of self-extracting archives only (archives that contain an executable extraction module).

Yes — Scan self-extracting archives.

No (default value) — Do not scan self-extracting archives.

ScanMailBases

Enables scanning email databases of Microsoft Outlook, Outlook Express, The Bat, and other mail clients.

Yes — Scan files of email databases.

No (default value) — Do not scan files of email databases.

ScanPlainMail

Enables scanning of plain text email messages.

Yes — Scan plain text email messages.

No (default value) — Do not scan plain text email messages.

SkipPlainTextFiles

Temporary exclusion of files in text format from scans.

If the value of this setting is SkipPlainTextFiles=Yes, the application does not scan text files if they are reused by the same process for 10 minutes after the most recent scan. This setting makes it possible to optimize scans of application logs.

Yes – Do not scan text files if they are reused by the same process for 10 minutes after the most recent scan.

No (default value) – scan files in plain text format.

SizeLimit

Maximum size of an object to be scanned (in megabytes). If the object to be scanned is larger than the specified value, the application skips this object.

0–999999

0 — The application scans objects of any size.

Default value: 0.

TimeLimit

Maximum object scan duration (in seconds).

The application stops scanning the object if it takes longer than the time specified by this setting.

0–9999

0 — The object scan time is unlimited.

Default value: 60.

FirstAction

Selection of the first action to be performed by the application on the infected objects.

Before performing the action specified by you on an object, Kaspersky Endpoint Security blocks access to the object by applications that attempt to access it.

If InterceptorProtectionMode is set to Notify in the general application settings, then when infected objects are detected, the application does not perform the action specified in the FirstAction setting.

Disinfect — The application tries to disinfect an object and save a copy of it to the Storage. If disinfection fails (for example, if the type of object or the type of threat in the object cannot be disinfected), then the application leaves the object unchanged. If the first action is Disinfect, it is recommended to specify a second action using the SecondAction setting.

Remove — The application removes the infected object after creating a backup copy of it.

Recommended (perform recommended action) — The application automatically selects and performs an action on the object based on information about the threat detected in the object. For example, Kaspersky Endpoint Security immediately removes Trojans since they do not incorporate themselves into other files and therefore they do not need to be disinfected.

Block – The application blocks access to an infected object. Information about the infected object is logged.

Default value: Recommended.

SecondAction

Selection of the second action to be performed by the application on the infected objects. The application performs the second action if the first action fails.

If InterceptorProtectionMode is set to Notify in the general application settings, then when infected objects are detected, the application does not perform the action specified in the SecondAction setting.

The possible values of the SecondAction setting are the same as those of the FirstAction setting.

If Block or Remove is selected as the first action, the second action does not need to be specified. It is recommended to specify two actions in all other cases. If you have not specified a second action, the application applies Block as the second action.

Default value: Block.

UseExcludeMasks

Enables exclusion of the objects specified by the ExcludeMasks.item_# setting from the scan.

Yes — Exclude objects specified by the ExcludeMasks.item_# setting from the scan.

No (default value) — Do not exclude objects specified by the ExcludeMasks.item_# setting from the scan.

ExcludeMasks.item_#

Excludes objects from being scanned by name or mask.

You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format.

The default value is not defined.

Example:

UseExcludeMasks=Yes

ExcludeMasks.item_0000=eicar1.*

ExcludeMasks.item_0001=eicar2.*

UseExcludeThreats

Enables exclusion of objects containing the threats specified by the ExcludeThreats setting from scans.

Yes — Exclude objects containing the threats specified by the ExcludeThreats.item_# setting from the scan.

No (default value): do not exclude objects containing the threats specified by the ExcludeThreats.item_# setting from the scan.

ExcludeThreats.item_#

Excludes objects from scans by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is enabled.

In order to exclude an object from scans, specify the full name of the threat detected in this object – the string containing the application's decision that the object is infected.

For example, you may be using a utility to collect information about your network. To keep the application from blocking it, add the full name of the threat contained in it to the list of threats excluded from scans.

You can find the full name of the threat detected in an object in the application log or on the website https://threats.kaspersky.com.

The setting value is case-sensitive.

The default value is not defined.

Example:

UseExcludeThreats=Yes

ExcludeThreats.item_0000=EICAR-Test-*

ExcludeThreats.item_0001=?rojan.Linux

ReportCleanObjects

Enables logging of information about scanned objects that the application reports as not being infected.

You can enable this setting, for example, to make sure that a particular object was scanned by the application.

Yes — Log information about non-infected objects.

No (default value) — Do not log information about non-infected objects.

ReportPackedObjects

Enables logging of information about scanned objects that are part of compound objects.

You can enable this setting, for example, to make sure that an object within an archive has been scanned by the application.

Yes — Log information about scanned objects within archives.

No (default value) — Do not log information about scanned objects within archives.

ReportUnprocessedObjects

Enables logging of information about objects that have not been processed for some reason.

Yes — Log information about unprocessed objects.

No (default value) — Do not log information about unprocessed objects.

UseAnalyzer

Enables heuristic analysis.

Heuristic analysis helps the application to detect threats even before they become known to virus analysts.

Yes (default value) — Enable Heuristic Analyzer.

No — Disable Heuristic Analyzer.

HeuristicLevel

Specifies the heuristic analysis level.

The heuristic analysis level sets the balance between the thoroughness of searches for threats, the load on the operating system's resources, and the scan duration. The higher the heuristic analysis level, the more resources and time are required for scanning.

Light — The least thorough scan with minimum load on the system.

Medium — A medium heuristic analysis level with a balanced load on the system.

Deep — The most thorough scan with maximum load on the system.

Recommended (default value) — The recommended value.

UseIChecker

Enables usage of the iChecker technology.

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the use of the iChecker technology is not supported. Scan optimization is implemented by means of the Protection Server.

Yes (default value) — Enable use of the iChecker technology.

No — Disable use of the iChecker technology.

ScanByAccessType

File Threat Protection task operation mode. The ScanByAccessType setting applies only to the File Threat Protection task.

SmartCheck (default value) — Scan a file on attempts to open it, and scan it again on attempts to close it if the file has been modified. If a process accesses an object multiple times in the course of its operation and modifies it, the application scans the object again only when the process closes it for the last time.

OpenAndModify — Scan a file on attempts to open it, and scan it again on attempts to close it if the file has been modified.

Open — Scan a file on attempts to open it for reading, execution, or modification.

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan scope, which contains additional information about the scan scope.

The maximum length of the string specified using this setting is 4096 characters.

Default value: All objects.

Example:

AreaDesc="Scanning of email databases"

UseScanArea

Enables scans of the specified scope. To run the task, enable scans of at least one scope.

Yes (default value) — Scan the specified scope.

No — Do not scan the specified scope.

AreaMask.item_#

Scan scope limitation. With this scan scope, the application only scans files that are specified using masks in the shell format.

If this setting is not specified, the application scans all the objects in the scan scope. You can specify several values for this setting.

The default value is * (scan all objects).

Example:

AreaMask_item_<item number>=*doc

Path

Path to the directory with objects to be scanned.

<path to local directory> — Scan objects in the specified directory. You can use masks and tags to specify the path.

You can use special tags to specify a container or image:

[container-id:<identifier>]/<path to local directory>
[container-name:<name>]/<path to local directory>
[image-id:<identifier>]/<path to local directory>
[image-name:<name>]/<path to local directory>

You can also use unique combinations of the [container-id:<identifier>], [container-name:<name>], [image-id:<identifier>] and [image-name:<name>]/<path to local directory> tags.

Any combination of 1 to 4 unique tags within one area is allowed. The order they are listed in is not important.

For example:

[container-name:<name>][image-name:<name>]/<path to local directory>
[container-id:<identifier>][image-name:<name>]/<path to local directory>
[image-name:<name>][image-id:<identifier>]/<path to local directory>
[container-name:<name>][container-id:<identifier>][image-name:<name>]/<path to local directory>
[container-name:<name>][image-id:<identifier>][container-id:<identifier>][image-name:<name>]/<path to local directory>

You can use masks (? and * characters) in names and identifiers.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

Shared:NFS — Scan the device file system resources that are accessible via the NFS protocol.

Shared:SMB – Scan the device file system resources that are accessible via the Samba protocol.

Mounted:NFS – Scan the remote directories mounted on a device using the NFS protocol.

Mounted:SMB – Scan the remote directories mounted on a device using the Samba protocol.

AllRemoteMounted – Scan all remote directories mounted on the device using the Samba and NFS protocols.

AllShared – Scan all the device file system resources that are accessible via the Samba and NFS protocols.

<file system type> — Scan all the resources of the specified device file system.

The [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan exclusion scope, which contains additional information about the exclusion scope.

The default value is not defined.

UseScanArea

Excludes the specified scope from scans.

Yes (default value) — Exclude the specified scope.

No — Do not exclude the specified scope.

AreaMask.item_#

Limitation of scan exclusion scope. In the exclusion scope, the application excludes from scans only files that are specified using masks in the shell format.

If this setting is not specified, the application does not scan any of the objects within the exclusion scope. You can specify several values for this setting.

Default value: * (exclude all objects from scan)

Path

Path to the directory with objects to be excluded.

<path to local directory> — Exclude objects in the specified directory (including subdirectories) from scans. You can use masks and tags to specify the path.

You can use special tags to specify a container or image:

[container-id:<identifier>]/<path to local directory>
[container-name:<name>]/<path to local directory>
[image-id:<identifier>]/<path to local directory>
[image-name:<name>]/<path to local directory>

You can also use unique combinations of the [container-id:<identifier>], [container-name:<name>], [image-id:<identifier>] and [image-name:<name>]/<path to local directory> tags.

Any combination of 1 to 4 unique tags within one area is allowed. The order they are listed in is not important.

For example:

[container-name:<name>][image-name:<name>]/<path to local directory>
[container-id:<identifier>][image-name:<name>]/<path to local directory>
[image-name:<name>][image-id:<identifier>]/<path to local directory>
[container-name:<name>][container-id:<identifier>][image-name:<name>]/<path to local directory>
[container-name:<name>][image-id:<identifier>][container-id:<identifier>][image-name:<name>]/<path to local directory>

You can use masks (? and * characters) in names and identifiers.

You can use the * (asterisk) character to create a file or directory name mask.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

Mounted:NFS– Exclude the remote directories mounted on a device using the NFS protocol from scan.

Mounted:SMB – Exclude the remote directories mounted on a device using the Samba protocol from scan.

AllRemoteMounted – Exclude all remote directories mounted on the device using the Samba and NFS protocols from scan.

<file system type> — Exclude all the resources of the specified device file system from scans.

The [ExcludedForProgram.item_#] section contains the following settings:

ProgramPath

Path to excluded process.

<full path to process> – Do not scan the process in the indicated local directory.

ApplyToDescendants

Exclude child processes of the excluded process specified by the ProgramPath setting from scans.

Yes – exclude the specified process and all its child processes from scans.

No (default value) – exclude only the specified process from scans, do not exclude its child processes from scans.

AreaDesc

Description of the process exclusion scope.

Default value: All objects.

UseExcludedForProgram

Excludes the specified scope from scans.

Yes (default value) — Exclude the specified scope.

No — Do not exclude the specified scope.

AreaMask.item_#

Limitation of the process exclusion scope. In the process exclusion scope, the application excludes from scans only the files that are specified using masks in the shell format.

If this setting is not specified, the application excludes from scans all the objects within the process exclusion scope. You can specify several values for this setting.

Default value: * (exclude all objects from scan)

Path

Path to a directory with files that are modified by the process.

<path to local directory> — Exclude objects in the specified directory from scan. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

Shared:NFS — Exclude device file system resources that are accessible via the NFS protocol from scans.

Shared:SMB — Exclude device file system resources that are accessible via the Samba protocol from scans.

Mounted:NFS– Exclude the remote directories mounted on a device using the NFS protocol from scan.

Mounted:SMB – Exclude the remote directories mounted on a device using the Samba protocol from scan.

AllRemoteMounted – Exclude all remote directories mounted on the device using the Samba and NFS protocols from scan.

AllShared – Exclude all device file system resources that are accessible using the Samba and NFS protocols from scan.

<file system type> — Exclude all the resources of the specified device file system from scans.

Page top

[Topic 197965]

Specifying an exclusion scope

You can specify an exclusion scope for the File Threat Protection task. Files in the exclusion scope are excluded from protection scopes.

To create an exclusion scope:

Save the File Threat Protection task settings to a file using the following command:
kesl-control --get-settings 1 --file <full path to configuration file>
Add the [ExcludedFromScanScope.item_#] section to the created file. This section contains the following settings:
- AreaDesc – a description of the exclusion scope, which contains additional information about the exclusion scope.
- Path – the path to the files or directories to be excluded from the protection scope.
- AreaMask.item_# – file name mask for the files to be excluded from the protection scope.
  
  Example:
  
  [ExcludedFromScanScope.item_0000]
  
  AreaDesc=
  
  UseScanArea=Yes
  
  Path=/tmp/notchecked
  
  AreaMask.item_0000=*
Import settings from the configuration file to the File Threat Protection task by using the following command:
kesl-control --set-settings 1 --file <full path to configuration file>

You can also manage exclusion scopes from the command line.

Page top

[Topic 235226]

Optimizing network directory scanning

To optimize the File Threat Protection task, you can exclude from scans any files being copied from network directories. Files are scanned only after the process of copying to a local directory is finished. To exclude files located in network directories from scans, configure scan exclusion for the utility used to copy files from network directories (for example, for the cp utility).

To configure exclusion of network directories from scans:

Save the File Threat Protection task settings to a file using the following command:
kesl-control --get-settings 1 --file <full path to configuration file>
Add the [ExcludedForProgram.item_#] section to the created file. This section contains the following settings:
- ProgramPath – path to the process to be excluded or to the directory with the processes to be excluded.
- ApplyToDescendants parameter indicates whether the scan should exclude child processes of the excluded process specified by the ProgramPath parameter (possible values: Yes or No).
- AreaDesc – a description of the process exclusion scope, which contains additional information about the exclusion scope.
- UseExcludedForProgram parameter indicates whether the scan task should exclude the specified scope (possible values: Yes or No).
- Path – path to the files or directory with files modified by the process.
- AreaMask.item_# is the file name mask for the files to be excluded from the scan. You can also specify the full path to the file.
  
  Example:
  
  [ExcludedForProgram.item_0000]
  
  ProgramPath=/usr/bin/cp
  
  ApplyToDescendants=No
  
  AreaDesc=
  
  UseExcludedForProgram=Yes
  
  Path=AllRemoteMounted
  
  AreaMask.item_0000=*
Import settings from the configuration file to the File Threat Protection task by using the following command:
kesl-control --set-settings 1 --file <full path to configuration file>

The application does not scan the files in network directories, but the cp command itself (for the example given above) and local files are scanned.

Page top

[Topic 246880]

Malware Scan task (Scan_My_Computer, ID:2)

Malware scan is a one-time full or custom scan of files on the device by Kaspersky Endpoint Security. The application can carry out multiple malware scanning tasks at the same time. You can also create custom malware scan tasks.

By default, a pre-installed malware scan task is created in the application — full scan. During a full scan, the application scans all objects located on the device's local drives, as well as all mounted and shared objects that are accessed via Samba or NFS protocols with the recommended security settings.

Upon detecting malware, Kaspersky Endpoint Security may remove the infected file and terminate the malware process started from this file.

If during execution of the malware scan task the application was restarted by a control service or manually by the user, the task will be stopped. The application logs the OnDemandTaskInterrupted event.

The table describes all available values and the default values of all the settings that you can specify for the Malware Scan task.

Malware Scan task settings

Setting

Description

Values

ScanFiles

Enables file scan.

Yes (default value) — Scan files.

No — Do not scan files.

ScanBootSectors

Enables boot sector scans.

Yes (default value) — Scan boot sectors.

No — Do not scan boot sectors.

ScanComputerMemory

Enables process memory and kernel memory scans.

Yes (default value) — Scan process memory and kernel memory.

No — Do not scan process memory and kernel memory.

ScanStartupObjects

Enables startup object scans.

Yes (default value) — Scan startup objects.

No — Do not scan startup objects.

ScanArchived

Enables scanning of archives (including SFX self-extracting archives).

Yes (default value) — Scan archives. If the FirstAction=Recommended value is specified, then, depending on the archive type, the application deletes either the infected object or the entire archive that contains the threat.

No — Do not scan archives.

ScanSfxArchived

Enables scanning of self-extracting archives only (archives that contain an executable extraction module).

Yes (default value) — Scan self-extracting archives.

No — Do not scan self-extracting archives.

ScanMailBases

Enables scanning email databases of Microsoft Outlook, Outlook Express, The Bat, and other mail clients.

Yes — Scan files of email databases.

No (default value) — Do not scan files of email databases.

ScanPlainMail

Enables scanning of plain text email messages.

Yes — Scan plain text email messages.

No (default value) — Do not scan plain text email messages.

SizeLimit

Maximum size of an object to be scanned (in megabytes). If the object to be scanned is larger than the specified value, the application skips this object.

0–999999

0 — The application scans objects of any size.

Default value: 0.

TimeLimit

Maximum object scan duration (in seconds). The application stops scanning the object if it takes longer than the time specified by this setting.

0–9999

0 — The object scan time is unlimited.

Default value: 0.

FirstAction

Selection of the first action to be performed by the application on the infected objects.

Remove — The application removes the infected object after creating a backup copy of it.

Skip — The application does not try to disinfect or delete infected objects. Information about the infected object is logged.

Default value: Recommended.

SecondAction

Selection of the second action to be performed by the application on the infected objects. The application performs the second action if the first action fails.

The possible values of the SecondAction setting are the same as those of the FirstAction setting.

If Skip or Remove is selected as the first action, the second action does not need to be specified. It is recommended to specify two actions in all other cases. If you have not specified the second action, the application applies Skip as the second action.

Default value: Skip.

UseExcludeMasks

Enables exclusion of the objects specified by the ExcludeMasks.item_# setting from the scan.

Yes — Exclude objects specified by the ExcludeMasks.item_# setting from the scan.

No (default value) — Do not exclude objects specified by the ExcludeMasks.item_# setting from the scan.

ExcludeMasks.item_#

Excludes objects from being scanned by name or mask. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format.

Before specifying a value for this setting, make sure that the UseExcludeMasks setting is enabled.

The default value is not defined.

Example:

UseExcludeMasks=Yes

ExcludeMasks.item_0000=eicar1.*

ExcludeMasks.item_0001=eicar2.*

UseExcludeThreats

Enables exclusion of objects containing the threats specified by the ExcludeThreats setting from scans.

Yes — Exclude objects containing the threats specified by the ExcludeThreats.item_# setting from the scan.

No (default value): do not exclude objects containing the threats specified by the ExcludeThreats.item_# setting from the scan.

ExcludeThreats.item_#

Excludes objects from scans by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is enabled.

In order to exclude an object from scans, specify the full name of the threat detected in this object – the string containing the application's decision that the object is infected.

You can find the full name of the threat detected in an object in the application log or on the website https://threats.kaspersky.com.

The setting value is case-sensitive.

The default value is not defined.

Example:

UseExcludeThreats=Yes

ExcludeThreats.item_0000=EICAR-Test-*

ExcludeThreats.item_0001=?rojan.Linux

ReportCleanObjects

Enables logging of information about scanned objects that the application reports as not being infected.

You can enable this setting, for example, to make sure that a particular object was scanned by the application.

Yes — Log information about non-infected objects.

No (default value) — Do not log information about non-infected objects.

ReportPackedObjects

Enables logging of information about scanned objects that are part of compound objects.

You can enable this setting, for example, to make sure that an object within an archive has been scanned by the application.

Yes — Log information about scanned objects within archives.

No (default value) — Do not log information about scanned objects within archives.

ReportUnprocessedObjects

Enables logging of information about objects that have not been processed for some reason.

Yes — Log information about unprocessed objects.

No (default value) — Do not log information about unprocessed objects.

UseAnalyzer

Enables heuristic analysis.

Heuristic analysis helps the application to detect threats even before they become known to virus analysts.

Yes (default value) — Enable Heuristic Analyzer.

No — Disable Heuristic Analyzer.

HeuristicLevel

Specifies the heuristic analysis level.

You can specify the heuristic analysis level. The heuristic analysis level sets the balance between the thoroughness of searches for threats, the load on the operating system's resources, and the scan duration. The higher the heuristic analysis level, the more resources and time are required for scanning.

Light — The least thorough scan with minimum load on the system.

Medium — A medium heuristic analysis level with a balanced load on the system.

Deep — The most thorough scan with maximum load on the system.

Recommended (default value) — The recommended value.

UseIChecker

Enables usage of the iChecker technology.

Yes (default value) — Enable use of the iChecker technology.

No — Disable use of the iChecker technology.

DeviceNameMasks.item_#

List of device names. The application will scan boot sectors of these devices.

The setting value cannot be empty. At least one device name mask must be specified to run this task.

AllObjects – scan boot sectors of all devices.

<device name mask> – Scan boot sectors of the devices whose names match the specified mask.

Default value: /** – any set of characters in the device name, including the / character.

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan scope, which contains additional information about the scan scope. The maximum length of the string specified using this setting is 4096 characters.

Default value: All objects.

Example:

AreaDesc="Mail bases scan"

UseScanArea

Enables scans of the specified scope. To run the task, enable scans of at least one scope.

Yes (default value) — Scan the specified scope.

No — Do not scan the specified scope.

AreaMask.item_#

Scan scope limitation. Within the scan scope, the application scans only the files that are specified using the masks in the shell format.

If this setting is not specified, the application scans all the objects in the scan scope. You can specify several values for this setting.

The default value is * (scan all objects).

Example:

AreaMask.item_<item number>=*doc

Path

Path to the directory with objects to be scanned.

<path to local directory> — Scan objects in the specified directory.