Kaspersky Endpoint Security for Linux
12
English

Contents

[Topic 202235][Topic 246052]

File Threat Protection.

File Threat Protection prevents infection of the file system on the user device. File Threat Protection starts automatically with the default settings upon Kaspersky Endpoint Security start. It resides in the device operating memory and scans all files that are opened, saved, and launched.

File Threat Protection settings

Setting

Description

File Threat Protection enabled / disabled

This toggle button enables or disables File Threat Protection on all managed devices.

The check toggle button is switched on by default.

File Threat Protection mode

In this drop-down list, you can select the File Threat Protection mode:

  • Smart check (default value) – scan a file when there is an attempt to open it and scan it again when there is an attempt to close it if the file has been modified. If a process accesses and modifies a file multiple times in a certain period, the application scans the file again only when the process closes it for the last time.
  • When opened – scan the file on an attempt to open it for reading, execution, or modification.
  • When opened and modified – scan a file on an attempt to open it, and scan it again on an attempt to close it if the file has been modified.

First action

In this drop-down list, you can select the first action to be performed by the application on an infected object that has been detected:

  • Disinfect the object. A copy of the infected object will be moved to the Storage.
  • Remove the object. A copy of the infected object will be moved to the Storage.
  • Perform recommended action on the object, based on data about the danger level of the threat detected in the file and about the possibility of disinfecting it (default value).
  • Block access to the object.

Second action

In this drop-down list, you can select the second action to be performed by the application on an infected object, in case the first action is unsuccessful:

  • Disinfect the object. A copy of the infected object will be moved to the Storage.
  • Remove the object. A copy of the infected object will be moved to the Storage.
  • Perform recommended action on the object, based on data about the danger level of the threat detected in the file and about the possibility of disinfecting it.
  • Block access to the object (default value).

Scan scopes

Clicking the Configure scan scopes link opens the Scan scopes window.

Scan archives

This check box enables or disables scan of archives.

If the check box is selected, the application scans the archives.

To scan an archive, the application has to unpack it first, which may slow down scanning. You can reduce the duration of archive scans by enabling and configuring the Skip file that is scanned for longer than (sec) and Skip file larger than (MB) settings.

If the check box is cleared, the application does not scan the archives.

This check box is cleared by default.

Scan SFX archives

This check box enables or disables self-extracting archive scans. Self-extracting archives are archives that contain an executable extraction module.

If the check box is selected, the application scans self-extracting archives.

If the check box is cleared, the application does not scan self-extracting archives.

This check box is available if the Scan archives check box is unchecked.

This check box is cleared by default.

Scan mail databases

This check box enables or disables scans of mail databases of Microsoft Outlook, Outlook Express, The Bat!, and other mail applications.

If the check box is selected, the application scans mail database files.

If the check box is cleared, the application does not scan mail database files.

This check box is cleared by default.

Scan mail format files

This check box enables or disables scan of files of plain-text email messages.

If this check box is selected, the application scans plain-text messages.

If this check box is cleared, the application does not scan plain-text messages.

This check box is cleared by default.

Skip text files

Temporary exclusion of files in text format from scans.

If the check box is selected, Kaspersky Endpoint Security does not scan text files if they are used by the same process within 10 minutes after the most recent scan. This setting makes it possible to optimize scans of application logs.

If this check box is unselected, Kaspersky Endpoint Security scans text files.

This check box is cleared by default.

Skip file that is scanned for longer than (sec)

In this field, you can specify the maximum time to scan a file, in seconds. After the specified time, the application stops scanning the file.

Available values: 0–9999. If the value is set to 0, the scan time is unlimited.

The default value is 60.

Skip file larger than (MB)

In this field, you can specify the maximum size of a file to scan, in megabytes.

Available values: 0–999999. If the value is set to 0, the application scans files of any size.

The default value is 0.

Log clean objects

This check box enables or disables logging of the ObjectProcessed event.

If this check box is selected, the application logs the ObjectProcessed event for all scanned objects.

If the check box is cleared, the application does not log the event.

This check box is cleared by default.

Log unprocessed objects

This check box enables or disables logging of the ObjectNotProcessed event if a file cannot be processed during scan.

If this check box is selected, the application logs the ObjectNotProcessed event.

If the check box is cleared, the application does not log the event.

This check box is cleared by default.

Log packed objects

This check box enables or disables logging of the PackedObjectDetected event for all packed objects that are detected.

If this check box is selected, the application logs the PackedObjectDetected event.

If the check box is cleared, the application does not log the event.

This check box is cleared by default.

Use iChecker technology

This check box enables or disables scan of only new and modified since the last scan files.

If the check box is selected, the application scans only new files or the files modified since the last scan.

If the check box is cleared, the application scans the files regardless of the creation or modification date.

The check box is selected by default.

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the use of the iChecker technology is not supported. Scan optimization is implemented by means of the Protection Server.

Use heuristic analysis

This check box enables or disables heuristic analysis during an object scan.

The check box is selected by default.

Heuristic analysis level

If the Use heuristic analysis check box is selected, you can select the heuristic analysis level in the drop-down list:

  • Light is the least detailed scan with minimal system load.
  • Medium is a medium scan with balanced system load.
  • Deep is the most detailed scan with maximum system load.
  • Recommended (default value) is the optimal level recommended by Kaspersky experts. It ensures an optimal combination of quality of protection and impact on the performance of protected servers.
Page top
[Topic 236891]

Scan scopes window

The table contains the scan scopes. The application will scan files and directories located in the paths specified in the table. By default, the table contains one scan scope that includes all directories of the local file system.

Scan scope settings

Setting

Description

Scope name

Scan scope name.

Path

Path to the directory that the application scans.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

Kaspersky Endpoint Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Move up button moves the selected item up in the table.

Kaspersky Endpoint Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

This button is available if a scope is selected in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Endpoint Security scans objects in the specified scopes in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.

Page top
[Topic 202257_4]

Add scan scope window

In this window, you can add and configure scan scopes.

Scan scope settings

Setting

Description

Scope name

Field for entering the scan scope name. This name is displayed in the Scan scopes table in the Scan settings section.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application processes this scan scope.

If this check box is cleared, the application does not process this scan scope. You can later include this scope in the component settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

You can select the type of file system in the drop-down list:

  • Local (default value) – local directories. If this item is selected, you need to indicate the path to the local directory.
  • Mounted – Mounted remote or local directories. If this item is selected, you need to indicate the protocol or name of the file system.
  • Shared — The protected server's file system resources accessible via the Samba or NFS protocol.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.
  • All shared — All of the protected server's file system resources accessible via the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Shared or Mounted type is selected in the drop-down list of file systems.

Path

This is the entry field for specifying the path to the directory that you want to include in the scan scope. You can use masks and tags to specify the path.

You can use special tags to specify a container or image:

  • [container-id:<identifier>]/<path to local directory>
  • [container-name:<name>]/<path to local directory>
  • [image-id:<identifier>]/<path to local directory>
  • [image-name:<name>]/<path to local directory>

You can also use unique combinations of the [container-id:<identifier>], [container-name:<name>], [image-id:<identifier>] and [image-name:<name>]/<path to local directory> tags.

Any combination of 1 to 4 unique tags within one area is allowed. The order they are listed in is not important.

For example:

  • [container-name:<name>][image-name:<name>]/<path to local directory>
  • [container-id:<identifier>][image-name:<name>]/<path to local directory>
  • [image-name:<name>][image-id:<identifier>]/<path to local directory>
  • [container-name:<name>][container-id:<identifier>][image-name:<name>]/<path to local directory>
  • [container-name:<name>][image-id:<identifier>][container-id:<identifier>][image-name:<name>]/<path to local directory>

You can use masks (? and * characters) in names and identifiers.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default – the application scans all directories of the local file system.

This field is available if the Local type is selected in the drop-down list of file systems.

If the Local type is selected in the drop-down list of file systems, and the path is not specified, the application scans all directories of the local file system.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the scan scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks for the objects that the application scans.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.
Page top
[Topic 248956]

Scan exclusions

Scan exclusion is a set of conditions. When these conditions are met, Kaspersky Endpoint Security does not scan the objects for viruses and other malware. You can also exclude objects by masks and threat names, and configure exclusions for processes.

Settings of scan exclusions

Setting

Description

Exclusion scopes

Clicking the Configure exclusions link opens the Exclusion scopes window. In this window, you can define the list of scan exclusions.

Exclusions by mask

Clicking the Configure exclusions by mask link opens the Exclusions by mask window. In this window, you can configure the exclusion of objects from scans by name mask.

Exclusions by threat name

Clicking the Configure exclusions by threat name link opens the Exclusions by threat name window. In this window, you can configure the exclusion of objects from scans based on threat name.

Exclusions by process

Clicking the Configure exclusions by process link opens the Exclusions by process window. In this window, you can exclude the activity of processes.
Page top
[Topic 249321]

Exclusion scopes window

This table contains scan exclusion scopes. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from scan.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 197613]

Add exclusion scope window

In this window, you can add and configure exclusion scopes.

Exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables the exclusion of the scope when the application is running.

If the check box is selected, the application excludes this scope from scan or protection during its operation.

If the check box is cleared, the application includes this scope in scan or protection during its operation. You can later exclude this scope from scan or protection by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

In this drop-down list, you can select the type of file system where the directories that you want to add to scan exclusions are located:

  • Local, for local directories.
  • Mounted, for remote directories mounted on the device.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Mounted type is selected in the drop-down list of file systems.

Path

Entry field for the path to the directory that you want to add to the exclusion scope. You can use masks and tags to specify the path.

You can use special tags to specify a container or image:

  • [container-id:<identifier>]/<path to local directory>
  • [container-name:<name>]/<path to local directory>
  • [image-id:<identifier>]/<path to local directory>
  • [image-name:<name>]/<path to local directory>

You can also use unique combinations of the [container-id:<identifier>], [container-name:<name>], [image-id:<identifier>] and [image-name:<name>]/<path to local directory> tags.

Any combination of 1 to 4 unique tags within one area is allowed. The order they are listed in is not important.

For example:

  • [container-name:<name>][image-name:<name>]/<path to local directory>
  • [container-id:<identifier>][image-name:<name>]/<path to local directory>
  • [image-name:<name>][image-id:<identifier>]/<path to local directory>
  • [container-name:<name>][container-id:<identifier>][image-name:<name>]/<path to local directory>
  • [container-name:<name>][image-id:<identifier>][container-id:<identifier>][image-name:<name>]/<path to local directory>

You can use masks (? and * characters) in names and identifiers.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default. The application excludes all directories of the local file system from scan.

This field is available if the Local type is selected in the drop-down list of file systems.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the exclusion scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks of the objects that the application excludes from scan. Masks are only applied to objects in the directory specified in the Path field.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Endpoint Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Endpoint Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Endpoint Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

 
Page top
[Topic 248957]

Exclusions by mask window

You can configure the exclusion of objects from scans based on name mask. The application will not scan files whose names contain the specified mask. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Endpoint Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Endpoint Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Endpoint Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).
Page top
[Topic 202356]

Exclusions by threat name window

You can configure the exclusion of objects from scans based on threat name. The application will not block the specified threats. By default, the list of threat names is empty.

You can add, edit, and delete threat names.

Clicking the Delete button causes Kaspersky Endpoint Security to remove the selected threat from the exclusion list.

This button is available if at least one threat name is selected in the list.

Clicking the threat name in the table opens the Threat name window. In this window, you can edit the name of the threat to be excluded from a scan.

Clicking the Add button opens the Threat name window. In this window, you can define the name of the threat to be excluded from a scan.

Page top
[Topic 246682]

Exclusions by process window

The table contains the exclusion scopes for exclusion by process The exclusion scope for exclusion by process lets you exclude from scans the activity of the indicated process and files modified by the indicated process. By default, the table includes two exclusion scopes that contain paths to the Network Agents. You can remove these exclusions, if necessary.

Exclusion scope settings for exclusion by process

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Full path to excluded process.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Page top
[Topic 249195]

Trusted process window

In this window, you can add and configure exclusion scopes for exclusion by process.

Exclusion scope settings

Setting

Description

Process-based exclusion scope name

Field for entering the Process-based exclusion scope name. This name will be displayed in a table in the Exclusions by process window.

The entry field must not be blank.

Use / Do not use this exclusion

This toggle button enables or disables this scan scope exclusion.

The check toggle button is switched on by default.

Apply to child processes

Exclude child processes of the excluded process indicated by the Path to excluded process setting.

This check box is cleared by default.

Path to excluded process

Full path to the process you want to exclude from scans.

File system, access protocol, and path

This group of settings lets you set scan exclusions for files modified by the process.

In the drop-down list of file systems, you can select the type of file system of the directories to be excluded from scans:

  • Local, for local directories.
  • Mounted – mounted directories.
  • Shared displays server file system resources accessible via the Samba or NFS protocol.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.
  • All shared displays all server file system resources accessible via the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

     

The Access protocol drop-down list is available if Mounted or Shared is selected in the drop-down list of file systems.

Path

In the input field, you can enter the path to the directory that you want to add to the exclusion scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

This field is available if the Local type is selected in the drop-down list of file systems.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the exclusion scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks of the objects that the application excludes from scan. Masks are applied to objects only inside the directory indicated in the File system, access protocol, and path block.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Endpoint Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Endpoint Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Endpoint Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

 
Page top
[Topic 248959]

Firewall Management

The operating system's firewall protects personal data stored on the user's device by blocking most threats to the operating system when the device is connected to the Internet or local network.

The operating system's firewall can detect all network connections on the user's device and provide a list of their IP addresses. The Firewall Management task lets you set the status of these network connections by configuring network packet rules.

This feature is not supported in the KESL container.

Configuring network packet rules lets you specify the desired level of the device protection, from blocking Internet access for all applications to allowing unlimited access. All outbound connections are allowed by default, unless corresponding blocking rules for the Firewall Management task are specified.

It is recommended to disable other operating system firewall management tools before enabling the Firewall Management component.

Firewall Management settings

Setting

Description

Firewall Management enabled / disabled

This toggle button enables or disables Firewall Management.

The toggle button is switched off by default.

Network packet rules

Clicking the Configure network packet rules link opens the Network packet rules window. In this window, you can configure the list of network packet rules that are applied by the Firewall Management component when it detects the network connection attempt.

Available networks

Clicking the Configure available networks link opens the Available networks window. In this window, you can configure the list of networks that the Firewall Management component will monitor.

Incoming connections

In this drop-down list, you can select the action to be performed for incoming network connections:

  • Allow network connections (default value).
  • Block network connections.

Incoming packets

In this drop-down list you can select the action to be performed for incoming packets:

  • Allow incoming packets (default value).
  • Block incoming packets.

Always add allowing rules for Network Agent ports

This check box enables or disables automatic adding allowing rules for Network Agent ports.

The check box is selected by default.
Page top
[Topic 202310]

Network packet rules window

The Network packet rules table contains network packet rules that the Firewall Management component uses for network activity monitoring. You can configure the settings described in the table below for network packet rules.

Network packet rules settings

Setting

Description

Name

Network packet rule name.

Action

Action to be performed by Firewall Management when it detects the network activity.

Local address

Network addresses of devices that have Kaspersky Endpoint Security installed and can send and/or receive network packets.

Remote address

Network addresses of remote devices that can send and/or receive network packets.

Logging

This column shows if the application logs actions of the network packet rule.

If the value is Yes, the application logs the actions of the network packet rule.

If the value is No, the application does not log the actions of the network packet rule.

By default, the table of network packet rules is empty.

You can add, edit, delete, move up, and move down network packet rules in the table.

Clicking the Move down button moves the selected item down in the table.

This button is available if only one item is selected in the table.

Clicking the Move up button moves the selected item up in the table.

This button is available if only one item is selected in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 202312_1]

Network packet rule window

In this window, you can configure the network packet rule.

Network packet rule settings

Setting

Description

Rule name

The field for entering the name of the network packet rule.

Action

In the drop-down list, you can select an action to be performed by the Firewall Management component when it detects network activity:

  • Block network activity.
  • Allow network activity (default value).

Protocol

In the drop-down list, you can select the type of data transfer protocol for which you want to monitor network activity:

  • Any (default value)
  • GRE
  • ICMP
  • ICMPv6
  • IGMP
  • TCP
  • UDP

Specify ICMP type

This check box lets you specify the ICMP type. The Firewall Management component monitors messages of the specified type sent by the host or gateway.

If this check box is selected, the field for entering the ICMP type is displayed.

This check box is displayed only if ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list.

This check box is cleared by default.

Specify ICMP code

This check box lets you specify the ICMP code. The Firewall Management component monitors messages of the type specified in the field under the ICMP type check box, with the code specified in the field under the ICMP code check box, and sent by the host or gateway.

If this check box is selected, the field for entering the ICMP code is displayed.

This check box is displayed only if ICMP or ICMPv6 data transfer protocol is selected in the Protocol drop-down list. It is available only if the Specify ICMP type check box is selected.

This check box is cleared by default.

Direction

In this drop-down list, you can specify the direction of the monitored network activity:

  • Incoming packets (default value). If this option is selected, the Firewall Management component monitors incoming packets.
  • Incoming. If this option is selected, the Firewall Management component monitors incoming network activity.
  • Incoming/Outgoing. If this option is selected, the Firewall Management component monitors both incoming and outgoing network activity.
  • Incoming/Outgoing packets. If this option is selected, the Firewall Management component monitors both incoming and outgoing packets.
  • Outgoing packets. If this option is selected, the Firewall Management component monitors outgoing packets.
  • Outgoing. If this option is selected, the Firewall Management component monitors outgoing network activity.

Remote address

In this drop-down list, you can specify network addresses of the remote devices that can send and receive network packets:

  • Any address (default value). If this option is selected, the network rule controls network packets sent and received by remote devices with any IP address.
  • All subnet addresses. If this option is selected, the network rule controls network packets sent and received by remote devices with the IP addresses associated with the selected network type: Public networks, Local networks, or Trusted networks.
  • Specified address. If this option is selected, the network rule controls network packets sent and received by the remote devices with IP addresses specified in the Address field.

Specify remote ports

This check box allows you to specify the port numbers of the remote devices between which the connection must be monitored.

If this check box is selected, the field for entering port numbers is displayed.

This check box is displayed only if TCP or UDP data transfer protocol is selected in the Protocol drop-down list.

This check box is cleared by default.

Local address

In this drop-down list, you can specify the network addresses of the devices with Kaspersky Endpoint Security installed that can send and receive network packets:

  • Any address (default value). If this option is selected, the network rule controls sending and receiving of network packets by the devices with Kaspersky Endpoint Security installed and with any IP address.
  • Specified address. If this option is selected, the network rule controls the specified in the Address field network addresses of the devices with Kaspersky Endpoint Security installed that can send and receive network packets.

Specify local ports

This check box allows you to specify the port numbers of the local devices between which the connection must be monitored.

If this check box is selected, the field for entering port numbers is displayed.

This check box is displayed only if TCP or UDP data transfer protocol is selected in the Protocol drop-down list.

This check box is cleared by default.

Log events

This check box lets you specify whether the actions of the network rule are recorded in the report.

If the check box is selected, the application writes the actions of the network rule to the report.

If the check box is cleared, the application does not write the actions of the network rule to the report.

This check box is cleared by default.
Page top
[Topic 202313]

Available networks window

The Available networks table contains the networks controlled by the Firewall Management component. The table of available networks is empty by default.

Available networks settings

Setting

Description

IP address

Network IP address.

Network type

Network type (Public network, Local network, or Trusted network).

You can add, edit, and delete available networks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 210497_1]

Network connection window

In this window, you can configure the network connection that the Firewall Management component will monitor.

Network connection

Setting

Description

IP address

The field for entering IP address of the network.

Network type

You can select the type of the network:

  • Public
  • Local
  • Trusted

     
Page top
[Topic 214875_1]

Web Threat Protection

While the Web Threat Protection component is running, Kaspersky Endpoint Security scans inbound traffic and prevents downloads of malicious files from the Internet and also blocks phishing, adware, or other malicious websites.

This feature is not supported in the KESL container.

The application scans HTTP, HTTPS, and FTP traffic. Also, the application scans websites and IP addresses. You can specify the network ports or network port ranges to be monitored

To monitor HTTPS traffic, enable encrypted connection scans. To monitor FTP traffic, select the Monitor all network ports check box.

Web Threat Protection settings

Setting

Description

Web Threat Protection enabled / disabled

This toggle button enables or disables the Web Threat Protection component.

The toggle button is switched off by default.

Action on threat detection

In this section, you can specify the action that the application performs on the web resource where the dangerous object is detected:

  • Inform the user when a dangerous object is detected in web traffic. Web Threat Protection allows this object to be downloaded to the device. At that, the application logs the information about the dangerous object and adds it to the list of active threats.
  • Block access to all dangerous objects detected in web traffic, display a notification about the blocked access attempts, and log information about the dangerous objects (default value).

Detect malicious objects

This check box enables or disables checking of links against the databases of malicious web addresses.

The check box is selected by default.

Detect phishing links

This check box enables or disables checking of links against the databases of phishing web addresses.

The check box is selected by default.

Use heuristic analysis for detecting phishing links

This check box enables or disables the use of heuristic analysis for detecting phishing links.

This check box is available if the Detect phishing links check box is selected, and is selected by default.

Detect adware

This check box enables or disables checking links against the databases of adware web addresses.

This check box is cleared by default.

Detect legitimate applications that may be used by hackers to harm devices or data

This check box enables or disables checking links against the databases of legitimate applications that can be used by hackers to harm devices or data.

This check box is cleared by default.

Trusted web addresses

This table contains addresses of URLs and web pages whose content you consider trusted.

You can only add HTTP/HTTPS web addresses to the list of trusted web addresses.

You can use masks to specify web addresses. Masks are not supported to specify IP addresses.

When creating an address mask, use an asterisk (*) as a placeholder for one or more characters. If you enter the *abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/**/page_0-9abcdef.html means www.virus.com/*/page_0-9abcdef.html).

By default, the table is empty.

You can add, edit, and remove web addresses in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.
Page top
[Topic 234620]

Web address window

In this window, you can add a web address or a web address mask to the list of trusted web addresses.

You can add only HTTP/HTTPS web addresses to the list of trusted web addresses. You can use masks to specify web addresses. Masks are not supported to specify IP addresses.

When creating an address mask, use an asterisk (*) as a placeholder for one or more characters. If you enter the *abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/**/page_0-9abcdef.html means www.virus.com/*/page_0-9abcdef.html).

Page top
[Topic 202328_1]

Network Threat Protection

While the Network Threat Protection component is running, the application scans inbound network traffic for activity that is typical for network attacks. Network Threat Protection is started by default when the application starts.

This feature is not supported in the KESL container.

The application receives the numbers of the TCP ports from the current application databases and scans incoming traffic for these ports. Upon detecting an attempt of a network attack that targets your device, the application blocks network activity from the attacking device and logs an event about the detected network activity.

To scan network traffic, the Network Threat Protection task receives port numbers from the application databases and accepts connections via all these ports. During the network scan process, it may look like an open port on the device, even if no application on the system is listening to this port. It is recommended to close unused ports by means of a firewall.

Network Threat Protection settings

Setting

Description

Network Threat Protection enabled / disabled

This toggle button enables or disables Network Threat Protection.

The check toggle button is switched on by default.

Action on threat detection

Actions performed upon detection of network activity that is typical of network attacks.

  • Inform user. The application allows network activity and logs information about detected network activity.
  • Block network activity from an attacking device and log information about detected network activity (default value).

Blocking attacking devices enabled / disabled

This toggle button enables or disables blocking network activity when a network attack attempt is detected.

The check toggle button is switched on by default.

Block the attacking device for (min)

In this field you can specify the duration an attacking device is blocked in minutes. After the specified time, Kaspersky Endpoint Security allows network activity from this device.

Available values: integer from 1 to 32768.

Default value: 60.

Exclusions

The table contains a list of IP addresses. Network attacks from these addresses will not be blocked. By default, the list is empty.

You can add, edit, and remove IP addresses in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.
Page top
[Topic 11396]

IP address window

In this window, you can add and edit IP addresses. Network attacks from these IP addresses will not be blocked by Kaspersky Endpoint Security.

IP addresses

Setting

Description

Enter an IP address

Entry field for an IP address.

You can specify IP addresses in IPv4 and IPv6 formats.
Page top
[Topic 202336_1]

Kaspersky Security Network

To increase the protection of devices and user data, Kaspersky Endpoint Security can use Kaspersky cloud-based knowledge base Kaspersky Security Network (KSN) to check the reputation of files, Internet resources, and software. Using Kaspersky Security Network data ensures a faster response to various threats, high protection component performance, and fewer false positives.

Use of Kaspersky Security Network is voluntary. Kaspersky Endpoint Security prompts you to enable KSN usage during installation. You can start or stop using KSN at any time.

Kaspersky Security Network infrastructure solutions

Kaspersky Endpoint Security supports the following infrastructure solutions to work with Kaspersky reputation databases:

  • Kaspersky Security Network (KSN) – A solution that receives information from Kaspersky and sends data about objects detected on user devices to Kaspersky for additional verification by Kaspersky analysts and to add to reputation and statistical databases.
  • Kaspersky Private Security Network (KPSN) – A solution that allows users of devices with Kaspersky Endpoint Security installed to access the reputation databases of Kaspersky, as well as other statistical data, without sending data to Kaspersky from their devices. KPSN is designed for corporate clients who can't use Kaspersky Security Network, for example, for the following reasons:
    • No connection of local workplaces to the Internet
    • Legal prohibition or corporate security restrictions on sending any data outside the country or the organization's local network

After changing the Kaspersky Endpoint Security license, submit the details of the new key to the service provider in order to be able to use KPSN. Otherwise, an authentication error will prevent data exchange with KPSN.

Kaspersky Security Network usage options:

There are two options for using KSN:

  • Extended KSN mode – you can receive information from the Kaspersky knowledge base, while Kaspersky Endpoint Security automatically sends statistical information to KSN that it obtained during its operation. The application can also send to Kaspersky for additional scanning certain files (or parts of files) that intruders can use to harm the device or data.
  • Basic KSN mode – you can receive information from the Kaspersky knowledge base, but Kaspersky Endpoint Security does not send anonymous statistics and data about the types and sources of threats.

You can select a different Kaspersky Security Network usage option at any time.

No personal data is collected, processed, or stored. Detailed information about the storage, and destruction, and/or submission to Kaspersky of statistical information generated during participation in KSN is available in the Kaspersky Security Network Statement and on Kaspersky's website.

You can read the text of the Kaspersky Security Network Statement in the Kaspersky Security Network Statement window, which can be opened by clicking the Kaspersky Security Network Statement link.

Cloud mode for Kaspersky Endpoint Security

If Kaspersky Endpoint Security is used in standalone mode and you are using KSN in the application, you can enable cloud mode. Cloud mode is an operating mode of Kaspersky Endpoint Security that uses a lightweight version of the malware databases. This lets you reduce the load on device memory.

Kaspersky Security Network facilitates the application's use of the lightweight malware databases.

If you plan to use cloud mode, make sure KSN is available on your device. Kaspersky Security Center displays information about the availability of KSN via the client device status (OK, Critical, Warning) in the list of managed devices on the Devices tab.

Kaspersky Endpoint Security switches to using a lightweight version of the malware databases after enabling cloud mode and performing the latest update of the application databases and modules. If you are not using KSN or cloud mode is disabled, Kaspersky Endpoint Security downloads the full version of the application databases from Kaspersky servers during the next update of application databases and modules.

Cloud mode is disabled automatically if use of KSN is disabled.

If Kaspersky Endpoint Security is used in Light Agent mode for protecting virtual environments, use of the lightweight malware databases is not supported. Kaspersky Endpoint Security receives special databases necessary for the operation of the Light Agent from the Protection Server.

Using the KSN Proxy service

User devices managed by Kaspersky Security Center Administration Server can interact with KSN via the KSN Proxy service.

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the KSN Proxy service facilitates interaction with the KSN infrastructure. If the KSN proxy is not available, KSN is not used by the application.

You can configure the KSN proxy server settings in the Kaspersky Security Center Administration Server properties. For details about the KSN proxy server, refer to the Kaspersky Security Center Help.

Kaspersky Security Network settings

Setting

Description

Do not use KSN

By selecting this option, you decline to use Kaspersky Security Network.

Extended KSN mode

By selecting this option, you accept the terms of using Kaspersky Security Network. You will be able to receive information from Kaspersky's online knowledge base about the reputation of files, web resources, and software. Also, anonymous statistics and information about the types and sources of various threats will be sent to Kaspersky to improve Kaspersky Security Network.

Basic KSN mode

By selecting this option, you accept the terms of using Kaspersky Security Network. You will be able to receive information from Kaspersky online knowledge base about the reputation of files, web resources, and software.

Enable cloud mode

The check box enables or disables the operating mode in which Kaspersky Endpoint Security uses a lightweight version of the malware databases.

The check box is available if use of KSN is enabled.

The check box is selected if, when creating a policy, you accepted the terms of the Kaspersky Security Network Statement and are using KSN in extended mode.

The mode is enabled or disabled after the next application database update.

This setting applies only if the application is used in standalone mode.

Use KSN servers when KSN Proxy is not available

The check box enables or disables the ability to communicate with KSN servers directly when the KSN Proxy service is unavailable.

The check box is selected by default.

This setting applies only if the application is used in standalone mode.

Kaspersky Security Network Statement

This link opens the Kaspersky Security Network Statement window, where you can read the text of the Kaspersky Security Network Statement.
Page top
[Topic 246795]

Kaspersky Security Network Statement

In this window, you can read the text of the Kaspersky Security Network Statement and accept its terms and conditions.

Kaspersky Security Network settings

Setting

Description

I confirm that I have fully read, understand, and accept the terms and conditions of the Kaspersky Security Network Statement

By selecting this option, you confirm that you want to use the Kaspersky Security Network, and you have fully read, understood, and accept the terms and conditions of the Kaspersky Security Network Statement that is displayed.

I do not accept the terms and conditions of the Kaspersky Security Network Statement

By selecting this option, you confirm that you do not want to use Kaspersky Security Network.
Page top
[Topic 246797]

Anti-Cryptor

Anti-Cryptor allows you to protect your files in local directories with network access by SMB/NFS protocols from remote malicious encryption.

While the Anti-Cryptor component is running, Kaspersky Endpoint Security scans remote devices calls to access the files located in the shared network directories of the protected device. If the application considers a remote device actions on network file resources to be malicious encrypting, this device is added to a list of untrusted devices and loses access to the shared network directories. The application does not consider activity to be malicious encryption if it is detected in the directories excluded from the protection scope of the Anti-Cryptor component.

This feature is not supported in the KESL container.

To use the component, a license that includes the corresponding function is required.

For the Anti-Cryptor component to operate correctly, at least one of the services (Samba or NFS) must be installed in the operating system. For the NFS service, the rpcbind package must be installed.

Anti-Cryptor operates correctly with the SMB1, SMB2, SMB3, NFS3, TCP/UDP, and IP/IPv6 protocols. Working with NFS2 and NFS4 protocols is not supported. It is recommended to configure your server settings so that the NFS2 and NFS4 protocols cannot be used to mount resources.

Anti-Cryptor does not block access to network file resources until the device activity is identified as malicious. So, at least one file will be encrypted before the application detects malicious activity.

Anti-Cryptor settings

Setting

Description

Anti-Cryptor protection enabled / disabled

This toggle button enables or disables protection of files in the local directories with network access by SMB/NFS protocols from remote malicious encryption.

The toggle button is switched off by default.

Protection scopes

Clicking the Configure protection scope link opens the Protection scopes window.

Untrusted hosts blocking enabled / disabled

This toggle button enables or disables untrusted hosts blocking.

The check toggle button is switched on by default.

Block untrusted host for (min)

In this field you can specify the untrusted device blocking duration in minutes. After the specified time, Kaspersky Endpoint Security removes the untrusted devices from the list of blocked devices. The access of the host to network file resources is restored automatically, after it is deleted from the list of untrusted hosts.

If a compromised host is blocked and you change this setting value, the blocking time for this host will not change. The blocking time is not a dynamic value, and it is calculated at the moment of blocking.

Available values: integer from 1 to 4294967295.

Default value: 30.

Exclusions

Clicking the Configure exclusions link opens the Exclusion scopes window.

Exclusions by mask

Clicking the Configure exclusions by mask link opens the Exclusions by mask window.
Page top
[Topic 202351]

Protection scopes window

The table contains protection scopes of the Anti-Cryptor component. The application will scan files and directories located in the paths specified in the table. By default, the table contains one scan scope that includes all directories of the local file system.

Protection scope settings

Setting

Description

Scope name

Protection scope name.

Path

Path to the directory that the application protects.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

This button is available if only one item is selected in the table.

Clicking the Move up button moves the selected item up in the table.

This button is available if only one item is selected in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Endpoint Security scans objects in the specified scopes in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.

Page top
[Topic 202352]

Add protection scope window

In this window, you can add or configure protection scope for the Anti-Cryptor component.

Protection scope settings

Setting

Description

Scope name

Field for entering the protection scope name. This name will be displayed in the table in the Protection scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application processes this protection scope during the component operation.

If this check box is cleared, the application does not process this protection scope during the component operation. You can later include this scope in the component operation settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

You can select the type of file system in the drop-down list:

  • Local (default value) – local directories.
  • Shared displays server file system resources accessible via the Samba or NFS protocol.
  • All shared displays all server file system resources accessible via the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.

This drop-down list is available if the Shared option is selected in the drop-down list of file systems.

Path

The entry field for specifying the path to the directory that you want to include in the protection scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

This field is available if the Local type is selected in the drop-down list of file systems.

The field must not be blank.

By default, the / path is specified (root directory).

Masks

This list contains name masks of the objects that the application scans during operation of the Anti-Cryptor component.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.
Page top
[Topic 202353]

Exclusion scopes window

This table contains scan exclusion scopes. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from scan.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 210496_3]

Add exclusion scope window

In this window, you can add and configure exclusion scopes.

Exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables the exclusion of the scope when the application is running.

If the check box is selected, the application excludes this scope from scan or protection during its operation.

If the check box is cleared, the application includes this scope in scan or protection during its operation. You can later exclude this scope from scan or protection by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

In this drop-down list, you can select the type of file system where the directories that you want to add to scan exclusions are located:

  • Local, for local directories.
  • Mounted, for remote directories mounted on the device.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Mounted type is selected in the drop-down list of file systems.

Path

Entry field for the path to the directory that you want to add to the exclusion scope. You can use masks and tags to specify the path.

You can use special tags to specify a container or image:

  • [container-id:<identifier>]/<path to local directory>
  • [container-name:<name>]/<path to local directory>
  • [image-id:<identifier>]/<path to local directory>
  • [image-name:<name>]/<path to local directory>

You can also use unique combinations of the [container-id:<identifier>], [container-name:<name>], [image-id:<identifier>] and [image-name:<name>]/<path to local directory> tags.

Any combination of 1 to 4 unique tags within one area is allowed. The order they are listed in is not important.

For example:

  • [container-name:<name>][image-name:<name>]/<path to local directory>
  • [container-id:<identifier>][image-name:<name>]/<path to local directory>
  • [image-name:<name>][image-id:<identifier>]/<path to local directory>
  • [container-name:<name>][container-id:<identifier>][image-name:<name>]/<path to local directory>
  • [container-name:<name>][image-id:<identifier>][container-id:<identifier>][image-name:<name>]/<path to local directory>

You can use masks (? and * characters) in names and identifiers.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default. The application excludes all directories of the local file system from scan.

This field is available if the Local type is selected in the drop-down list of file systems.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the exclusion scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks of the objects that the application excludes from scan. Masks are only applied to objects in the directory specified in the Path field.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Endpoint Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Endpoint Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Endpoint Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

 
Page top
[Topic 248957_1]

Exclusions by mask window

You can configure the exclusion of objects from scans based on name mask. The application will not scan files whose names contain the specified mask. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Endpoint Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Endpoint Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Endpoint Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).
Page top
[Topic 202356_1]

System Integrity Monitoring

System Integrity Monitoring is designed to track the actions performed on files and directories in the monitoring scope specified in the component operation settings. You can use System Integrity Monitoring to track the file changes that may indicate a security breach on a protected device.

To use the component, a license that includes the corresponding function is required.

This feature is not supported in the KESL container.

System Integrity Monitoring settings

Setting

Description

System Integrity Monitoring enabled / disabled

This toggle button enables or disables System Integrity Monitoring.

The toggle button is switched off by default.

Monitoring scopes

Clicking the Configure monitoring scopes link opens the Monitoring scopes window.

Monitoring exclusions

Clicking the Configure monitoring exclusion scopes link opens the Exclusion scopes window.

Exclusions by mask

Clicking the Configure exclusions by mask link opens the Exclusions by mask window.
Page top
[Topic 202363]

Monitoring scopes window

The table contains monitoring scopes for the System Integrity Monitoring component. The application monitors files and directories located in the paths specified in the table. By default, the table contains the Kaspersky internal objects (/opt/kaspersky/kesl/) monitoring scope.

Monitoring scope settings for System Integrity Monitoring

Setting

Description

Scope name

Monitoring scope name.

Path

Path to the directory that the application protects.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

This button is available if only one item is selected in the table.

Clicking the Move up button moves the selected item up in the table.

This button is available if only one item is selected in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Endpoint Security scans objects in the specified scopes, in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.

Page top
[Topic 202280]

Add monitoring scope window

In this window, you can add and configure monitoring scope for the System Integrity Monitoring component.

Monitoring scope settings

Setting

Description

Scope name

Field for entering the monitoring scope name. This name will be displayed in the table in the Monitoring scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application controls this monitoring scope during the operation.

If this check box is cleared, the application does not control this monitoring scope during the operation. You can later include this scope in the component settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to include in the monitoring scope. You can use masks to specify the path. The field must not be blank.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default – the application scans all directories of the local file system.

Masks

The list contains name masks for the objects that the application scans.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.
Page top
[Topic 218554]

Exclusion scopes window

The table contains monitoring exclusion scopes for the System Integrity Monitoring component. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Monitoring exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from monitoring.

Status

Indicates whether the application excludes this scope from monitoring during the component operation.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 202410_1]

Add exclusion scope window

In this window, you can add or configure the monitoring exclusion scope for the System Integrity Monitoring component.

Monitoring exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window. The entry field must not be blank.

Use this scope

The check box enables or disables the exclusion of the scope from monitoring when the application is running.

If this check box is selected, the application excludes this scope from monitoring during the component operation.

If this check box is cleared, the application monitors this scope during the component operation. You can later exclude this scope from monitoring by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

Entry field for the path to the local directory that you want to add to the exclusion scope. You can use masks to specify the path. The field must not be blank.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default. The application excludes all directories of the local file system from scan.

Masks

The list contains name masks of the objects that the application excludes from the monitoring.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.
Page top
[Topic 219604]

Exclusions by mask window

You can configure the exclusion of objects from monitoring based on name masks. The application does not scan the files with the names containing the specified masks. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Endpoint Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).
Page top
[Topic 202412_2]

Application Control

During execution of the Application Control task, Kaspersky Endpoint Security controls the launching of applications on user devices. This helps reduce the risk of device infection by restricting access to applications. Application launching is regulated by Application Control rules.

To use the component, a license that includes the corresponding function is required.

This feature is not supported in the KESL container.

Application Control can operate in two modes:

  • Denylist. In this mode Kaspersky Endpoint Security allows all users to launch any applications that are not specified in the Application Control rules. This is the default operation mode of the Application Control component.
  • Allowlist. In this mode Kaspersky Endpoint Security prevents all users from launching any applications that are not specified in the Application Control rules.

For each Application Control mode, separate rules can be created and an action can be specified: apply rules or notify about an attempt to start an application that matches the rules. Kaspersky Endpoint Security performs this action when it detects an attempt to start an application.

The Application Control settings are described in the following table.

Application Control settings

Setting

Description

Application Control enabled / disabled

This toggle button enables or disables Application Control.

The toggle button is switched off by default.

Action on starting applications blocked by rules

The action that Kaspersky Endpoint Security performs upon detecting an attempt to start an application that matches the configured rules:

  • Inform (test mode). If you select this option, Kaspersky Endpoint Security tests the rules and generates an event about an attempt to start an application that matches the rules.
  • Apply rules (default value). If you select this option, Kaspersky Endpoint Security applies Application Control rules and performs the action specified in the rules.

Application Control mode

Application Control task operation mode:

  • Allowlist. If you select this option, Kaspersky Endpoint Security prevents all users from launching any applications except those specified in the Application Control rules.
  • Denylist (default value). If you select this option, Kaspersky Endpoint Security allows all users to launch any applications except those specified in the Application Control rules.

Application Control rules

Clicking the Configure rules link opens the Application Control rules window.
Page top
[Topic 246368]

Application Control rules window

The Application Control rules table has the tabs with the rules for each operation mode: Denylist (active) and Allowlist. Both tabs of the Application Control rules table are empty by default.

Application Control rules settings

Setting

Description

Category

The name of the application category that is used by the rule.

Status

Operation status of the Application Control rule:

  • Enabled – the rule is enabled, Application Control applies this rule during operation.
  • Disabled – the rule is disabled and is not used when the Application Control is running.
  • Test – Application Control allows launching applications that meet the rule criteria, but logs information about launches of these applications in the report.

You can add, modify and remove Application Control rules.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Page top
[Topic 246370]

Application Control rule window

In this window, you can configure the settings for the Application Control rule.

Configuring an Application Control rule

Setting

Description

Rule description

Description of the Application Control rule.

Status

You can select the operation status of the Application Control rule:

  • Enabled – the rule is enabled, Application Control applies this rule during operation.
  • Disabled – the rule is disabled and is not used when the Application Control is running.
  • Test – Application Control allows launching applications that meet the rule criteria, but logs information about launches of these applications in the report.

Category

The Choose category link opens the Application categories window.

Users and their rights

The table contains a list of users or user groups to which the Application Control rule applies, and the types of access assigned to them, and consists of the following columns:

  • User or group name – names of users or names of user groups to which the Application Control rule applies.
  • Access – access type (allow or block launching applications). This toggle button switches access type: Allow launching the applications or Block launching the applications.

     

You can add, edit, and delete users or user groups.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.
Page top
[Topic 246371]

Application categories window

In this window, you can add a new category or configure the category settings for an Application Control rule.

Kaspersky Endpoint Security does not support use of the KL categories of Kaspersky Security Center.

Application Control categories

Setting

Description

Category name

Search bar for added application categories.

Add

Clicking the button starts the category creation wizard. Follow the instructions of the Wizard.

For details about creating a category, refer to the Kaspersky Security Center Help.

Edit

Clicking this button opens the category properties window, where you can change the category settings. The Golden Image (local) category cannot be edited.

Remove

Clicking the button deletes the selected category. The Golden Image (local) category cannot be deleted.
Page top
[Topic 246372]

Select user or group window

In this window, you can specify a local or domain user or user group for which you want to configure a rule.

Configuring an Application Control rule

Setting

Description

Manual

If this option is selected, in the field below enter the name of the local or domain user or the name of a user group, to which the Application Control rule will apply.

List of groups or users

If this option is selected, in the search field you can enter search criteria for the name of the user or name of the user group, to which the Application Control rule will apply, or you can select the name of the user group in the list below.
Page top
[Topic 247145]

Device Control

When the Device Control task is running, Kaspersky Endpoint Security manages user access to the devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). This lets you protect the client device from infection when external devices are connected, and prevent data loss or leaks. Device Control manages user access to devices using the access rules.

This feature is not supported in the KESL container.

When a device, access to which is denied by the Device Control task, connects to a client device, the application denies the users specified in the rule access to this device and displays a notification. During attempts to read and write on this device, the application silently blocks the users specified in the rule from reading/writing.

Device Control settings

Setting

Description

Device Control enabled / disabled

This toggle button enables or disables Device Control.

The check toggle button is switched on by default.

Configure trusted devices

Clicking this link opens the Trusted devices window. In this window, you can add devices to a list of trusted devices by ID or by selecting them from the list of devices detected on the client devices.

Device Control action

Action performed by the application when an attempt is made to access a device to which access is denied in accordance with Device Control rules.

  • Test rules. If you select this option, Kaspersky Endpoint Security tests the access rules and generates an event about detection of an attempt to access a device.
  • Apply rules (default value). If you select this option, Kaspersky Endpoint Security applies Access Control rules and performs the action specified in the rules.

Configure settings for device types

Clicking this link opens the Device types window. In this window, you can configure access rules for various types of devices.

Configure settings for connection buses

Clicking this link opens the Connection buses window. In this window, you can configure access rules for connection buses.
Page top
[Topic 197568]

Trusted devices window

The table contains a list of trusted devices. The table is empty by default.

Trusted device settings

Setting

Description

Device ID

ID of a trusted device.

Device name

Name of a trusted device.

Device type

Trusted device type (for example, Hard drive or Smart card reader).

Host name

Name of the client device the trusted device is connected to.

Comment

Comment related to a trusted device.

You can add a device to the list of trusted devices by the device ID or by selecting the required device in the list of devices detected on the user device.

You can edit and delete trusted devices in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

You can also import the list of devices from a file by clicking Import and export the list of added devices to a file by clicking Export. When importing, you will be prompted to replace the list of trusted devices or add the devices to the existing list.

Page top
[Topic 246343]

Trusted device (Device ID) window

In this window, you can add a device to the list of trusted devices by its identifier.

Adding device by ID

Setting

Description

Device ID

Entry field for a device ID or device ID mask. You can manually specify the device ID or copy the ID of the required device from the Devices detected on hosts list.

To specify an identifier, you can use the following wildcards: * (any sequence of characters) or ? (any single character). For example, you can specify the USBSTOR* mask to allow access to all USB drives.

Comment

Entry field for a comment (optional). This field is available after you enter the device ID, and click the Next button.
Page top
[Topic 246347]

Trusted device window (List of detected devices)

In this window you can add a device to the list of trusted devices by selecting it in the list of existing managed devices.

Information about existing devices is available only if an active policy exists and synchronization with the Network Agent has been completed (the synchronization interval is specified in the Network Agent policy properties; the default setting is 15 minutes). If you create a new policy and there are no other active ones, the list will be empty.

Adding device from list

Setting

Description

Device type

In this drop-down list, you can select type of devices to be displayed in the Devices detected on hosts table.

Device ID mask

Entry field for a device ID mask.

Comment

Entry field for a comment (optional). This field is available after you select the devices, and click the Next button.

Clicking the Filter button opens the window, where you can set up the filtering of displayed information about devices.

Page top
[Topic 246348]

Device types window

In this window, you can configure access rules for various types of devices.

Access rules for device types

Setting

Description

Access to data storage devices

The table contains the following columns:

  • Type represents device types (for example, Hard drives, Printers).
  • Access represents the access mode for devices of this type. You can select one of the following access modes:
    • Allow, to allow access to devices of this type.
    • Block, to block access to devices of this type.
    • Depends on bus (default value), to allow or block access to devices depending on the access rule for a bus used for connecting a device.
    • By rule – allow or block access to devices, depending on the access rule and schedule. You can configure the access rule and its schedule by clicking the required device type.

Access to other devices

The table contains the following columns:

  • Type – type of device (for example, Input devices, Sound adapters).
  • Access represents the access mode for devices of this type. You can select one of the following access modes:
    • Allow, to allow access to devices of this type.
    • Block, to block access to devices of this type. The Block access rule cannot be selected for network adapters.
    • Depends on bus (default value), to allow or block access to devices depending on the access rule for a bus used for connecting a device.
Page top
[Topic 238846]

Device access rules window

In this window, you can configure access rules and schedules for the selected device type.

Device access rules and schedules

Setting

Description

Access to device

Access mode for devices of the selected type:

  • Allow: allow access to devices of the selected type.
  • Block: prohibit access to devices of the selected type.
  • Depends on bus (default value), to allow or block access to devices depending on the access rule for a bus used for connecting a device.
  • By rule – allow or block access to devices, depending on the access rule and schedule.

List of device access rules

The table contains a list of access rules and consists of the following columns:

  • Access schedule – names of existing access schedules.
  • Users and/or user groups – names of users or names of user groups, to which the access rule will apply.
  • Access – access mode for the schedule:
    • Allow (provides access to devices of the selected type).
    • Block (prohibits access to devices of the selected type).
  • Status – status of the access rule:
    • Enabled – the rule is enabled; Application Control applies this rule when it runs.
    • Disabled – the rule is disabled and is not used when Application Control is running.

By default, the table contains the Default schedule access schedule, which provides all users with full access to devices (the \Everyone option is selected in the list of users and groups) at any time, if access by the connection bus is allowed for this type of device.

You can add, edit, and delete access rules.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.
Page top
[Topic 247147]

Device access rules window

In this window, you can configure the device access rule.

Device access rule

Setting

Description

Device access rule settings

Access mode for devices of the selected type:

  • Allow (default value) – provide access to the devices of the selected type.
  • Block: prohibit access to devices of the selected type.

Users and/or user groups

Name of the user or user group to which the rule applies.

The default value is \Everyone (all users).

You can add, edit, and delete users or user groups.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Status

Access rule status:

  • Enabled – the rule is enabled; Application Control applies this rule when it runs.
  • Disabled – the rule is disabled and is not used when Application Control is running.

Schedule for access to devices

Schedule for the specified users' access to devices. The default value is Default schedule. You can set a different schedule.
Page top
[Topic 247148]

Select user or group window

In this window, you can specify a local or domain user or user group for which you want to configure an access rule.

Configuring an access rule

Setting

Description

Manual

If this option is selected, in the field below enter the name of the local or domain users or the name of a user group, to which the device access rule will apply.

List of groups or users

If this option is selected, in the search field you can enter search criteria for the name of the user or name of the user group, to which the device access control rule will apply, or you can select the name of the user group in the list below.
Page top
[Topic 247150]

Schedules window

In this window, you can specify the schedule for the selected device access rule.

You can add, edit, and delete access schedule.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

You cannot delete the Default schedule.

Page top
[Topic 202423]

Schedule for access to devices window

In this window, you can configure the device access schedule. You can configure schedules only for hard drives, removable drives, floppy disks, and CD/DVD drives.

In the General settings -> Application settings section, if the Block access to files during scanning check box is cleared, then it is not possible to block access to devices using a device access schedule.

Schedule for access to devices

Setting

Description

Name

Entry field for the access schedule name. The schedule name must be unique.

Time intervals

The table where you can select time intervals for the schedule (days and hours).

Intervals highlighted in green are included to the schedule.

To exclude an interval from the schedule, click the corresponding cells. Intervals excluded from the schedule are highlighted in gray.

By default, all intervals (24/7) are included to the schedule.
Page top
[Topic 264655]

Connection buses window

In this window, you can configure access rules for connection buses.

Connection rules for buses

Setting

Description

Connection bus

Connection bus used to connect devices to the client device:

  • FireWire
  • USB

Access

This toggle button enables or disables access to devices that use this connection bus:

  • Allow (default value), to provide access to the devices connected using this connection bus.
  • Block, to deny access to the devices connected using this connection bus.
Page top
[Topic 202425]

Behavior Detection

By default, the Behavior Detection component starts when Kaspersky Endpoint Security starts and monitors the malicious activity of the applications in the operating system. When malicious activity is detected, Kaspersky Endpoint Security can terminate the process of the application that performs malicious activity.

This feature is not supported in the KESL container.

Behavior Detection component settings

Setting

Description

Behavior Detection enabled / disabled

This toggle button enables or disables the Behavior Detection component.

The check toggle button is switched on by default.

Action on malware activity detection

The action to be performed by Kaspersky Endpoint Security upon detecting malicious activity in the operating system:

  • Inform user. Kaspersky Endpoint Security does not terminate the process that performs malicious activity; it only records the detection of malicious activity in the event log.
  • Block the application that performs malicious activity (default value). Kaspersky Endpoint Security terminates the process that performs malicious activity and logs information about the detected malicious activity.

Exclusions by process

Clicking the Configure exclusions by process link opens the Exclusions by process window. In this window, you can exclude the activity of processes.
Page top
[Topic 237048]

Exclusions by process window

The table contains the exclusion scopes for exclusion by process The exclusion scope for exclusion by process lets you exclude the activity of the indicated process and files modified by the indicated process. By default, the table is empty.

If integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response is enabled, exclusions by process are not applied.

Exclusion scope settings for exclusion by process

Setting

Description

Exclude / Do not exclude trusted processes from scans

The switch enables or disables the configured exclusions by process in the operation of the Behavior Detection component.

The toggle button is switched off by default.

Exclusion scope name

Exclusion scope name.

Path

Full path to excluded process.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

You can also import the list of exclusions from a file by clicking Import and export the list of added exclusions to a file by clicking Export. When importing, you will be prompted to replace the list of exclusions or add the exclusions to the existing list.

Page top
[Topic 197235]

Adding a process exclusion scope window

In this window, you can add and configure exclusion scopes for exclusion by process.

Exclusion scope settings

Setting

Description

Process-based exclusion scope name

Field for entering the Process-based exclusion scope name. This name will be displayed in a table in the Exclusions by process window.

The entry field must not be blank.

Use this exclusion

This check box enables or disables this scan scope exclusion when the application is running.

The check box is selected by default.

Path to excluded process

Full path to the process you want to exclude from scans. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The entry field must not be blank.

Apply to child processes

Exclude child processes of the excluded process indicated by the Path to excluded process setting.

This check box is cleared by default.
Page top
[Topic 237043]

Managing tasks

You can configure the ability to view and manage Kaspersky Endpoint Security tasks on managed devices.

Task management settings

Setting

Description

Allow users to view and manage local tasks

This check box allows or blocks the users from viewing local tasks created in Kaspersky Endpoint Security and control of these tasks on the managed client devices.

This check box is cleared by default.

Allow users to view and manage tasks created through KSC

The check box allows or prohibits the users from viewing tasks created in Kaspersky Security Center Web Console and managing these tasks on managed client devices.

This check box is cleared by default.
Page top
[Topic 233441]

Removable Drives Scan

When the Removable Drives Scan task is running, the application scans the removable device and its boot sectors for viruses and other malware. The following removable drives are scanned: CDs, DVDs, Blu-ray discs, flash drives (including USB modems), external hard drives, and floppy disks.

This feature is not supported in the KESL container.

Removable Drives Scan task settings

Setting

Description

Removable drives scan enabled / disabled

This option enables or disables the scan of removable drives when they are connected to the user device.

The toggle button is switched off by default.

Action when a removable drive connects

In the drop-down list, you can select an action to be performed by the application upon connection of removable drives to the user device:

  • Do not scan removable drives when connected (default value).
  • Quick scan – only scan files of certain types on removable drives (except CD/DVD drives and Blu-ray discs) and do not unpack compound objects. For the quick scan, the default settings of the File Threat Protection component are used.
  • Detailed scan – scan all files on removable drives (except CD/DVD drives and Blu-ray discs). For a detailed scan, the default settings of the Malware Scan task are used.

Action on a CD / DVD drive connection

In the drop-down list, you can select an action to be performed by the application upon connection of CD/DVD drives and Blu-ray discs to the user device:

  • Do not scan CD/DVD drives and Blu-ray discs when connected (default value).
  • Quick scan – only scan files of certain types on CD/DVD drives and Blu-ray discs. For the quick scan, the default settings of the File Threat Protection component are used.
  • Detailed scan – scan all files on CD/DVD drives and Blu-ray discs. For a detailed scan, the default settings of the Malware Scan task are used.

Block access to the removable drive while scanning

This check box enables or disables blocking of files on the connected drive during execution of the Removable Drives Scan task.

This check box is cleared by default.
Page top
[Topic 247217]

Proxy server settings

You can configure proxy server settings if the users of the client devices use a proxy server to connect to the internet. Kaspersky Endpoint Security may use a proxy server to connect to Kaspersky servers, for example, when updating application databases and modules or when communicating with Kaspersky Security Network and Kaspersky Endpoint Detection and Response (KATA).

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the use of a proxy server for connecting to Kaspersky Security Network, the SVM, and the Integration Server is not supported.

Proxy server settings

Setting

Description

Do not use proxy server

If this option is selected, Kaspersky Endpoint Security does not use a proxy server.

Use specified proxy server settings

If this option is selected, Kaspersky Endpoint Security uses the specified proxy server settings, for example, for integration with Kaspersky Endpoint Detection and Response (KATA).

Address

Field for entering the proxy server's IP address or domain name.

This field is available if the Use specified proxy server settings option is selected.

Port

Field for entering the proxy server's port.

Default value: 3128.

This field is available if the Use specified proxy server settings option is selected.

Use user name and password

Enables or disables proxy server authentication using a user name and password.

This check box is available if the Use specified proxy server settings option is selected.

This check box is cleared by default.

When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.

User name

Entry field for the user name used for proxy server authentication.

This entry field is available if the Use user name and password check box is selected.

Edit

Allows you to specify a password for authenticating on the proxy server. The Password field cannot be edited. By default, the password is empty.

To specify a password, click Edit. In the window that opens, enter the password and click OK.

It is recommended to make sure that the password complexity and anti-bruteforce mechanisms ensure that the password cannot be guessed within 6 months.

Clicking the Show button in the window displays the password in clear text in the password entry window.

This button is available if the Use user name and password check box is selected.

Use Kaspersky Security Center as a proxy server for the application activation

This check box enables or disables use of Kaspersky Security Center as a proxy server for application activation.

If this check box is selected, Kaspersky Endpoint Security uses Kaspersky Security Center as a proxy server for the application activation.

This check box is cleared by default.

This setting applies only if the application is used in standalone mode. If the application is used in Light Agent mode to protect virtual environments, the license information is provided by the Protection Server.
Page top
[Topic 197958]

Application settings

You can configure the general settings of Kaspersky Endpoint Security.

General application settings

Setting

Description

Detect legitimate applications that may be used by hackers to harm devices or data

This check box enables or disables the detection of legitimate software that could be used by hackers to harm computers or data of users.

This check box is cleared by default.

Event notifications

Clicking the Configure event notifications link opens the Notification settings window. In this window, you can select the events that the application logs in the operating system log (syslog). To do this, select the check box next to each type of event that you want to log.

You can also select the check box next to the event severity level (Functional failures, Informational messages, Warnings, Critical events). In this case, the check boxes will be automatically selected next to each type of event that belongs to the group of the selected importance level.

All check boxes are cleared by default.

Block access to files during scans

The checkbox enables or disables blocking access to files during scanning by the File Threat Protection, Anti-Cryptor, Device Control components and the Removable Drives Scan task.

If the check box is cleared, the

Notify only
mode is enabled for the File Threat Protection and Device Control components.

The check box is selected by default.

Excluding process memory from scan

The Configure excluding process memory from scan link opens the Excluding process memory from scan window where you can create a list of processes to exclude during process memory scans.

Limit CPU utilization for scan tasks (%)

The checkbox enables or disables the CPU utilization limit for the Malware Scan, Inventory, Container Scan, and Custom Container Scan tasks.

This check box is cleared by default.

Maximum load (as a percentage)

A field for entering the maximum load on all processor cores (as a percentage) when running the Malware Scan, Inventory Scan, Container Scan, and Custom Container Scan tasks.

Available values: 10–100.

The default value is 100%

The field is available if the Limit CPU utilization for scan tasks checkbox is selected.

Advanced application settings

The Configure dump file settings link opens the Dump file settings window.
Page top
[Topic 246285]

Excluding process memory from scan window

The list contains paths to processes whose memory Kaspersky Endpoint Security excludes from process memory scans. You can use masks to specify the path. By default, the list is empty.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

You can add, edit, and delete items in the list.

Clicking the Delete button causes Kaspersky Endpoint Security to remove the selected process path from the list.

This button is available if at least one process path is selected in the list.

The Edit button a window where you can change the process path. Kaspersky Endpoint Security excludes the memory of the indicated process from scans.

The Add button opens a window where you can enter the full path to a process. Kaspersky Endpoint Security excludes the memory of the indicated process from scans.

Page top
[Topic 236898_1]

Dump file settings window

In this window, you can configure the settings for writing dump files.

Dump file settings

Setting

Description

Create a dump file if the application crashes

This check box enables or disables the creation of a dump file when the application crashes.

This check box is cleared by default.

You must restart the application to apply the dump file settings.

Path to the dump file directory

Input field for the path to the directory where the dump files are stored. The input field is limited to 128 characters.

Default value: /var/opt/kaspersky/kesl/common/dumps.
Page top
[Topic 261204]

Container Scan settings

You can configure the settings for namespace and container scan by Kaspersky Endpoint Security.

The application does not scan namespaces and containers unless components for working with containers and namespaces are installed in the operating system. Moreover, in the device properties in the Applications section, in the application properties in the Components section for container scans, the Stopped status is displayed.

Container Scan settings

Setting

Description

Namespace and container scan enabled / disabled

This toggle button enables or disables namespace and container scans.

The check toggle button is switched on by default.

Action with container upon threat detection

You can select the action that the application performs on a container when it detects an infected object:

  • Skip container: if an infected object is detected, the application does not perform any action on the container.
  • Stop container: if an infected object is detected, the application stops the container.
  • Stop container if disinfection fails (default value) – the application stops the container if disinfection of the infected object fails.

This setting is available when using the application under a license that supports this function.

Use Docker

This check box enables or disables the use of the Docker environment.

The check box is selected by default.

Docker socket path

Entry field for the path or URI (Uniform Resource Identifier) of the Docker socket.

Default value: /var/run/docker.sock.

Use CRI-O

The check box enables or disables the use of the CRI-O environment.

The check box is selected by default.

File path

Entry field for the path to CRI-O configuration file.

Default value: /etc/crio/crio.conf.

Use Podman

The check box enables or disables the use of the Podman utility.

The check box is selected by default.

File path

Entry field for the path to the Podman utility executable file.

Default value: /usr/bin/podman.

Root directory

Entry field for the path to the root directory of the container storage.

Default value: /var/lib/containers/storage.

Use runc

The check box enables or disables the use of the runc utility.

The check box is selected by default.

File path

Entry field for the path to the runc utility executable file.

Default value: /usr/bin/runc.

Root directory

Entry field for the path to the root directory of the container state storage.

Default value: /run/runc.
Page top
[Topic 207662]

Managed Detection and Response

Integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response enables continuous search, detection and elimination of threats aimed at your organization.

When interacting with Kaspersky Managed Detection and Response, Kaspersky Endpoint Security allows you to perform the following actions:

  • Send telemetry data to Kaspersky Managed Detection and Response for threat detection.
  • Carry out Kaspersky Managed Detection and Response commands for providing security features.

    Managed Detection and Response settings

    Setting

    Description

    Managed Detection and Response enabled / disabled

    This toggle button enables or disables integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response.

    The toggle button is switched off by default.

    Download

    Clicking this button opens a standard Microsoft Windows window, where you can select the BLOB configuration file.
Page top
[Topic 202314]

Network settings

You can configure the settings of encrypted connection scans. These settings are used by the Web Threat Protection component.

When the encrypted connection scan settings are changed, the application generates a Network settings changed event.

Network settings

Setting

Description

Encrypted connections scan enabled / disabled

This toggle button enables or disables scanning of encrypted connections.

The check toggle button is switched on by default.

Trusted certificates

The Configure list of trusted certificates link opens a window where you can configure a list of trusted certificates. Trusted certificates are used when scanning encrypted connections.

Action when an untrusted certificate is encountered

You can select the action that the application performs on a container when it detects an untrusted certificate:

  • Allow connection to a domain with an untrusted certificate (default value).
  • Block connection to a domain with an untrusted certificate.

Action on errors during an encrypted connections scan

You can select the action that the application performs when an error occurs during an encrypted connection scan:

  • Add website to exclusions (default value) – add the domain that resulted in the error to the list of domains with scan errors and do not scan encrypted network traffic when this domain is visited.
  • Disconnect from website – block the network connection.

Certificate verification policy

You can select how the application verifies certificates:

  • Local check: the application does not use the internet to validate a certificate.
  • Full check (default value): the application uses the internet to check and download the missing chains that are needed to verify a certificate.

Trusted domains

Clicking the Configure list of trusted domains link opens the Trusted domains window.

Network ports

Clicking the Configure network port settings link opens the Network ports window, where you can specify the network ports to be monitored by the application.

Monitor all network ports

If this option is selected, the application monitors all network ports.

Monitor specified ports only

If this option is selected, the application monitors only the network ports specified in the Network ports window.

This option is selected by default.
Page top
[Topic 237096]

Trusted certificates window

You can configure a list of certificates considered trusted by Kaspersky Endpoint Security. The list of trusted certificates is used when scanning encrypted connections.

The following information is displayed for each certificate:

  • certificate subject
  • serial number
  • certificate issuer
  • certificate start date
  • certificate expiration date
  • SHA-256 certificate thumbprint

By default, the certificate list is empty.

You can add and remove certificates.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

See also:

Adding a trusted certificate window

Trusted domains window

Network ports window
Page top
[Topic 7588]

Adding a trusted certificate window

In this window, you can add a certificate to the list of trusted certificates.

The Add certificate link opens the standard file selection window. Indicate the path to the file that contains the certificate, in DER or PEM format.

After the certificate file is selected, the window displays certificate information and the file path.

Page top
[Topic 197621]

Trusted domains window

This list contains the domain names and domain name masks that will be excluded from encrypted connection scans.

Example: *example.com. For example, *example.com/* is incorrect because a domain address, not a web page, needs to be specified.

By default, the list is empty.

You can add, edit and remove domains from the list of trusted domains.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 238852]

Network ports window

This table contains the network ports monitored by the application if the Monitor specified ports only option is selected in the Network settings window.

The table contains two columns:

  • Port – monitored port.
  • Description – description of the monitored port.

By default, the table displays a list of network ports that are usually used for the transmission of mail and network traffic. The list of network ports is included in the application package.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Page top
[Topic 202457]

Global exclusions

The table contains mount points that will be excluded from the scan scope for the application components that use the file operation interceptor (File Threat Protection and Anti-Cryptor).

The Path column displays the paths to the excluded mount points. The table is empty by default.

You can add, edit, and delete items in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

Page top
[Topic 202461]

Adding a mount point exclusion window

Mount point settings

Setting

Description

File system, access protocol, and path

In this drop-down list, you can select the type of file system where the directories that you want to add to scan exclusions are located:

  • Local: local mount points.
  • Mounted: remote directories mounted on the device using the Samba or NFS protocol.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Mounted type is selected in the drop-down list of file systems.

Path

Field for entering the path to the mount point that you want to exclude from file operation interception. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

Mount points must be specified in the same way as they are displayed in the mount command output.

This field is available if the Local type is selected in the drop-down list of file systems.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the file operation interception exclusions are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.
Page top
[Topic 248961]

Storage settings

The Storage is a list of backup copies of files that have been deleted or modified during the disinfection process. Backup copy is a file copy created at the first attempt to disinfect or delete this file. Backup copies of files are stored in a special format and do not pose a threat. By default, the Storage is located in the /var/opt/kaspersky/kesl/common/objects-backup/ directory. Files in the Storage may contain personal data. Root privileges are required to access files in the Storage.

Storage settings

Setting

Description

Informing about unprocessed files enabled / disabled

This toggle button enables or disables sending notifications about the files, that cannot be processed during the scan, to the Administration Server.

The check toggle button is switched on by default.

Informing about installed devices enabled / disabled

This toggle button enables or disables sending information about the devices installed on the managed client device to the Administration Server.

The check toggle button is switched on by default.

Informing about files in Storage enabled / disabled

This toggle button enables or disables sending of notifications about files in the Storage to the Administration Server.

The check toggle button is switched on by default.

Store objects no longer than (days)

The entry field to specify the period for storing objects in the Storage.

Available values: 0–3653.

Default value: 90. If 0 is specified, the period for storing objects in the Storage is unlimited.

Maximum size of Storage (MB)

The entry field to specify the maximum size of the Storage (MB).

Available values: 0–999999. Default value: 0 (the size of Storage is unlimited).
Page top
[Topic 202462]

Kaspersky Endpoint Detection and Response (KATA) Integration

Kaspersky Endpoint Detection and Response (KATA) is a component of the Kaspersky Anti Targeted Attack Platform solution, which is designed to protect the IT infrastructure of organizations and promptly detect threats, such as zero-day attacks, targeted attacks, and advanced persistent threats (APT). To read more, check out the Kaspersky Anti Targeted Attack Platform Help.

When interacting with Kaspersky Endpoint Detection and Response (KATA), Kaspersky Endpoint Security may send data about events on devices (telemetry) to the Kaspersky Anti Targeted Attack Platform server with the Central Node component ("KATA server") and execute commands from Kaspersky Anti Targeted Attack Platform intended to provide security.

This feature is not supported in the KESL container.

Management of integration settings with Kaspersky Endpoint Detection and Response (KATA) via Kaspersky Security Center Cloud Console is not supported.

For integration with Kaspersky Endpoint Detection and Response (KATA), the Behavior Detection component must be enabled.

The integration of Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response (KATA) is only possible if these components are enabled. Otherwise, the required telemetry data cannot be transmitted.

Kaspersky Endpoint Detection and Response (KATA) can additionally use data received from the following components:

  • File Threat Protection.
  • Network Threat Protection.
  • Web Threat Protection.

When integrated with Kaspersky Endpoint Detection and Response (KATA), devices with Kaspersky Endpoint Security establish secure connections to the KATA server via the HTTPS protocol. To ensure a secure connection, the following certificates issued by the KATA server are used:

  • KATA server certificate. The connection is encrypted using the server's TLS certificate. You can elevate the security of the connection by verifying the server certificate on the Kaspersky Endpoint Security side. You need to add the server certificate when configuring integration settings.
  • Client certificate. This certificate is used for additional protection of the connection using two-way authentication (scanning devices with Kaspersky Endpoint Security KATA server). The same client certificate can be used by multiple devices. By default, the KATA server does not validate client certificates, but validation can be enabled on the KATA server side. In this case, you need to enable two-way authentication and add the client certificate in the integration settings (cryptocontainer with certificate and private key).

Certificates for securing the connection to the KATA server are provided by the Kaspersky Anti Targeted Attack Platform administrator.

A proxy server is used to connect to the KATA server if use of a proxy server is configured in the general application settings of Kaspersky Endpoint Security.

Kaspersky Endpoint Detection and Response (KATA) integration settings

Setting

Description

Integration with Endpoint Detection and Response (KATA) enabled / disabled

Enables or disables the integration of the Kaspersky Endpoint Security application with Kaspersky Endpoint Detection and Response (KATA).

The integration is disabled by default.

Server connection settings

Clicking the Configure button in the block opens a window where you can configure general settings for connecting to KATA servers, add a server certificate, and configure two-way authentication when connecting to KATA servers.

KATA servers

The table contains a list of KATA servers to which connection is configured.

The Add button opens a window where you can configure the connection to the KATA server.

You can use the buttons above the table to edit and remove previously configured connection settings.

Maximum delay when sending events (sec)

The maximum delay in sending events to the KATA server in seconds.

The default value is 30.

Enable event throttling

Enables or disables the regulation of the number of events sent to the KATA server.

Maximum number of events per hour

Maximum number of events per hour

The default value is 3000.

Event throttle threshold (percentage)

Event throttle threshold (percentage). Sending events is limited if ratio of events of one type (for example, events about registry changes) to the total number of events exceeds the set threshold (as a percentage).

The default value is 15.
Page top
[Topic 246827]

Server connection settings window

In this window, you can configure general settings for connecting to KATA servers, add a server certificate, and configure two-way authentication when connecting to KATA servers.

KATA server connection settings

Setting

Description

Send a synchronization request to the KATA server every (minutes)

Frequency of sending synchronization requests to the KATA server in minutes.

The default value is 5.

Maximum time to wait for the server connection (sec)

Maximum time to wait for a connection to the KATA server in seconds.

The default value is 10.

Maximum time to wait for a response from the server (sec)

Maximum time to wait for a response from the KATA server in seconds.

The default value is 10.

Allow sending telemetry

Enables or disables sending data about events on devices (telemetry) to the KATA server.

Sending telemetry is enabled by default.

Server certificate

After adding the server certificate, information about the certificate is displayed:

  • certificate serial number
  • certificate subject
  • certificate issuer
  • certificate issue date
  • certificate expiration date

Select

Opens a standard file selection window where you can specify the path to the KATA server certificate.

If a server certificate has been added, the server certificate is verified on the Kaspersky Endpoint Security side. This elevates the security of the connection.

Remove

Deletes the server certificate added previously.

The button is displayed only if a server certificate has been added.

Additional connection protection

The settings section lets you enable or disable two-way authentication when connecting to the KATA server and add a client certificate.

Use two-way authentication

Enables or disables the use of two-way authentication to further secure the connection to the KATA server.

Two-way authentication must be enabled on the KATA server side.

To use two-way authentication, you need to add a client certificate.

Add a client certificate

Opens a standard file selection window where you can specify the path to the cryptocontainer (PFX archive) with the client certificate and private key.

The button is available if the Use two-way authentication check box is selected.

Edit

Allows you to specify the password for the cryptocontainer with the client certificate. The Cryptocontainer password field cannot be edited. By default, the password is empty.

To specify a password, click Edit. In the window that opens, enter the password and click OK. Clicking the Show button in the window displays the password in clear text in the password entry window.

It is recommended to make sure that the password complexity and anti-bruteforce mechanisms ensure that the password cannot be guessed within 6 months.

The button is available if the Use two-way authentication check box is selected.
Page top
[Topic 246829]

Server connection settings window

In this window you can specify the connection settings to the KATA server.

KATA server connection settings

Setting

Description

Address

KATA server address IP address (IPv4 or IPv6) or fully qualified domain name (FQDN) of the integration server can be specified.

To ensure that communication with the KATA server is not interrupted if the application fails when network isolation is enabled for the device, it is recommended to specify the server's IP address.

Default value: 127.0.0.1.

Port

Port to connect to the KATA server.

The default value is 443.
Page top
[Topic 246830]

Light Agent mode

The settings described in this section apply only if Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments.

Running Kaspersky Endpoint Security in Light Agent mode requires constant interaction between the Light Agent and the Protection Server installed on the SVM. If there is no connection to the Protection Server, the Light Agent cannot transfer file fragments to the Protection Server for scanning, and scanning is not performed.

To interact with the Protection Server, the Light Agent establishes and maintains a connection to the SVM on which this Protection Server is installed.

You can configure the following settings for connecting the Light Agent to the SVM:

  • SVM detection method. You can select the method that Light Agents use to discover SVMs available to connect to. The Light Agent can discover SVMs running on the network in one of the following ways:
    • Using the Integration Server. SVMs transmit information about themselves to the Integration Server. The Integration Server generates a list of SVMs available for connection and provides it to Light Agents.

      To use this method of detecting SVMs, you need to connect SVMs and Light Agents to the Integration Server.

    • Using a list of SVM addresses. You can specify a list of SVM addresses to which Light Agents can connect.
  • SVM selection algorithm for connecting. After receiving information about available SVMs, the Light Agent selects the optimal SVM to connect to in accordance with the SVM selection algorithm. You can specify which algorithm Light Agents should use when selecting an SVM to connect to.
  • Connection tags. You can use connection tags to control Light Agents' connection to SVMs. If you use connection tags, Light Agent can only connect to SVMs that are configured to use that connection tag.
  • Protection of the connection between the Light Agent and the Protection Server. You can use encryption to protect the connection between Light Agents and Protection Servers.

For more information about the settings for connecting the Light Agent to the SVM, refer to the Help for Kaspersky Hybrid Cloud Security for Virtualization Light Agent.

In this section

SVM discovery settings

Integration Server connection settings

SVM connection tag

SVM selection algorithm

Protecting the connection
Page top
[Topic 246882]

SVM discovery settings

The settings described in this section apply only if Kaspersky Endpoint Security is used in Light Agent mode for protecting virtual environments.

In this window, you can select the method that Light Agents use to discover SVMs available to connect to.

SVM discovery settings

Setting

Description

Use the Integration Server

If this option is selected, Light Agent connects to Integration Server to get a list of SVMs available for connection and their details.

If you want to use the Integration Server, you need to configure the settings for connecting Light Agents to the Integration Server.

Use a custom list of SVM addresses

If this option is selected, you can specify a list of SVMs that Light Agents managed by this policy can connect to. Light agents will only connect to SVMs specified in the list.

List of SVMs

A list of IP addresses in IPv4 format or fully qualified domain names (FQDNs) of the SVMs to which Light Agents managed by the policy can connect.

Click Add to open a window in which you can specify the IP address in IPv4 format or the fully qualified domain name (FQDN) of the SVM. You can enter multiple IP addresses or FQDNs of SVMs on a new line.

Specify only fully qualified domain names (FQDNs) that map to a single IP address. Using a fully qualified domain name that corresponds to multiple IP addresses can lead to errors in the application.

You can delete addresses selected in the list by clicking the Delete button.

The list of SVM addresses is displayed if the Use a custom list of SVM addresses option is selected.

If you select the Use a custom list of SVM addresses option, the Light Agent is using the extended SVM selection algorithm, and large infrastructure protection mode is enabled on an SVM (for more information, see the Kaspersky Security for Virtualization Light Agent Help), then connecting a Light Agent to this SVM is only possible if the SVM path is ignored. In the SVM selection algorithm section, you need to set the SVM path setting to Ignore SVM path. If any other value is set, Light Agents will not be able to connect to the SVM.

Page top
[Topic 261367]

Integration Server connection settings

The settings described in this section apply only if Kaspersky Endpoint Security is used in Light Agent mode for protecting virtual environments.

A connection to the Integration Server is required if you want Light Agents to receive information about the SVM through the Integration Server, or if you want to protect the connection between the Protection Server and the Light Agent.

This window displays the current settings for connecting Light Agents to the Integration Server: address and port for connecting. The Edit button opens the Connection to the Integration Server window, where you can configure the connection to the Integration Server.

Page top
[Topic 261366]

Connection to the Integration Server window

In this window, you can specify or change the settings for connecting Light Agents to the Integration Server.

Integration Server connection settings

Setting

Description

Address

IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

If a NetBIOS name, "localhost", or 127.0.0.1 is specified as the address, the connection to the Integration Server fails with an error.

Port

Port for connecting to the Integration Server.

Port 7271 is used by default.

Check

When you click the button, the web plug-in checks the SSL certificate received from the Integration Server.

The button is available after entering the address and port for connecting to the Integration Server.

If the certificate contains an error or is not trusted, a corresponding message is displayed in the Connection to the Integration Server window.

View the received certificate

Click the line to view information about the certificate received from the Integration Server.

Ignore

Select this option to save the received certificate and continue connecting to the Integration Server.

If you encounter problems with an SSL certificate, we recommend to make sure that the data transmission channel you are using is secure.

Cancel

Select this option to terminate the connection to the Integration Server.

Password

Password for the Integration Server administrator account (admin account password).

It is recommended to make sure that the password complexity and anti-bruteforce mechanisms ensure that the password cannot be guessed within 6 months.

Check

Clicking the button connects the web plug-in to the Integration Server.

After connecting to the Integration Server with administrator rights, the policy automatically receives the password of the agent account, which is used to connect Light Agents to the Integration Server. The password is stored in encrypted form.
Page top
[Topic 197257]

SVM connection tag

In this window, you can enable the Light Agent to use tags and assign a tag that the Light Agent will use to connect.

Make sure that the use of connection tags is also configured in the Protection Server settings: For more information, see the Help for Kaspersky Security for Virtualization Light Agent. Light Agents assigned a tag can only connect to SVMs that are allowed to connect to Light Agents with that tag.

Settings for using connection tags

Setting

Description

Use tags for connecting Light Agents

The check box enables or disables the use of SVM connection tags by the Light Agent.

Tag

A tag that is assigned to Light Agents.

You can enter a text string of up to 255 characters as a tag. You can use any character except the ; character.

This field is available if the Use tags for connecting Light Agents check box is selected.
Page top
[Topic 261368]

SVM selection algorithm

In this window, you can specify which SVM selection algorithm Light Agents for Linux should use, and configure the settings for using the extended SVM selection algorithm.

SVM selection algorithm

Setting

Description

Use the standard SVM selection algorithm

If this option is selected, after installing and running on a virtual machine, the Light Agent selects an SVM to connect to that is local to Light Agent. For more details, refer to the Help for Kaspersky Hybrid Cloud Security for Virtualization Light Agent.

If there are no local SVMs available for connection, the Light Agent selects the SVM that has the fewest Light Agents connected, regardless of the location of the SVM in the virtual infrastructure.

This option is selected by default.

Use the extended SVM selection algorithm

If this option is selected, you can use the SVM path slider to specify how the SVM's location in the virtual infrastructure will be taken into account when determining whether the SVM is local relative to the Light Agent. The Light Agent will only be able to connect to SVMs that are local.

You can also specify that the SVM path in the virtual infrastructure should not be taken into account when selecting an SVM to connect to.

When selecting an SVM, Light Agents consider the number of Light Agents connected to the SVM to ensure an even distribution of Light Agents among the SVMs available to connect to.

SVM path

Allows you to specify the type of SVM path in the virtual infrastructure, which is taken into account when selecting SVMs for connection:

  • Hypervisor. The Light Agent selects an SVM to connect to that meets the criteria (depending on the type of virtual infrastructure):
    • The SVM is deployed on the same hypervisor as the virtual machine with the installed Light Agent (in a virtual infrastructure running on the Microsoft Hyper-V, Citrix Hypervisor, VMware vSphere, KVM, Proxmox VE, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, ALT Virtualization Server, or Astra Linux platform).
    • SVM is located in the same server group, as the virtual machine with the installed Light Agent (in virtual infrastructure running on TIONIX Cloud Platform or OpenStack platform).

    If there are no SVMs available for connection on the same hypervisor or in the same Server Group where the virtual machine with the Light Agent is located, the Light Agent does not connect to the SVM.

  • Cluster. The Light Agent selects an SVM to connect to that meets the criteria (depending on the type of virtual infrastructure):
    • The SVM is deployed in the same hypervisor cluster as the virtual machine with the Light Agent installed (in a virtual infrastructure on Microsoft Hyper-V, Citrix Hypervisor, VMware vSphere, KVM, Proxmox VE, Scala-R, HUAWEI FusionSphere, Nutanix Acropolis, ALT Virtualization Server, or Astra Linux);
    • The SVM is deployed in the same OpenStack project as the virtual machine with the Light Agent installed (in a virtual infrastructure managed by the TIONIX Cloud Platform or the OpenStack platform).

    If there are no SVMs available for connection in the same hypervisor cluster or within the same OpenStack project where the virtual machine with the Light Agent is located, the Light Agent does not connect to the SVM.

  • Data center. The Light Agent selects an SVM to connect to that meets the criteria (depending on the type of virtual infrastructure):
    • The SVM is deployed in the same data center as the virtual machine with the Light Agent installed (in a virtual infrastructure on Microsoft Hyper-V, Citrix Hypervisor, VMware vSphere, KVM, Proxmox VE, Scala-R, HUAWEI FusionSphere, Nutanix Acropolis, ALT Virtualization Server or Astra Linux).
    • The SVM is located in the same Availability Zone as the virtual machine with the Light Agent installed (in a virtual infrastructure managed by the TIONIX Cloud Platform or the OpenStack platform).

    If there are no SVMs available for connection in the same data center or Availability Zone where the virtual machine with the Light Agent is located, the Light Agent does not connect to the SVM.

  • Ignore SVM path. When selecting an SVM, the Light Agent does not consider its location.

The Hypervisor option is selected by default.

The option is available if the Use the extended SVM selection algorithm option is selected.

If a Light Agent uses the extended SVM selection algorithm and a list of SVM addresses is selected as the SVM discovery method, and large infrastructure protection mode is enabled on an SVM (for more information, see the Kaspersky Security for Virtualization Light Agent Help), then connecting a Light Agent to this SVM is only possible if the SVM path is ignored. You need to set the SVM path setting to Ignore SVM path. If any other value is set, Light Agents will not be able to connect to the SVM.

Page top
[Topic 261369]

Protecting the connection

In this window, you can enable encryption of the data transmission channel between the Light Agent and the Protection Server

Make sure that encryption of the data transmission channel between the Light Agent and the Protection Server is enabled in the Protection Server settings on the SVM. For more details, refer to the Help for Kaspersky Hybrid Cloud Security for Virtualization Light Agent.

Connection protection settings

Setting

Description

Encrypt data channel between Light Agent and the Protection Server

Use encryption to protect the connection between Light Agents and Protection Servers.

If the check box is selected, an encrypted connection is established between the Light Agent, which is managed by policy, and the Protection Server on the SVM that the Light Agent is connecting to. A Light Agent for which connection protection is enabled can only connect to an SVM on which connection protection is enabled or an unprotected connection to the Protection Server is allowed.

If the check box is cleared, an unprotected connection is established between the Light Agent and the Protection Server on the SVM that the Light Agent is connecting to.

This check box is cleared by default.
Page top
[Topic 261370]