Contents
- Appendices
- Appendix 1. Resource consumption optimization
- Appendix 2. Commands for managing Kaspersky Embedded Systems Security
- Commands for managing application tasks and settings
- Statistics commands
- Commands for displaying events
- Commands for managing application events
- Commands for managing license keys
- Commands for Firewall Management
- Commands used to manage blocked devices
- Commands for managing Device Control
- Commands for managing Application Control
- Commands for managing Backup
- Commands for managing users and roles
- Commands for managing system performance metrics
- Appendix 3. Configuration files and default application settings
- Rules for editing application task configuration files
- Preset configuration files
- Default settings for command line tasks
- Default settings for the File_Threat_Protection task (ID:1)
- Default settings for the Scan_My_Computer task (ID:2)
- Default settings for the Scan_File task (ID:3)
- Default settings for the Critical_Areas_Scan task (ID:4)
- Default settings for the Update task (ID:6)
- Default settings for the System_Integrity_Monitoring task (ID:11)
- Default settings for the Firewall_Management task (ID:12)
- Default settings for the Anti_Cryptor task (ID:13)
- Default settings for the Web_Threat_Protection task (ID:14)
- Default settings for the Device_Control task (ID:15)
- Default settings for the Removable_Drives_Scan task (ID:16)
- Default settings for the Network_Threat_Protection task (ID:17)
- Default settings for the Behavior_Detection task (ID:20)
- Default settings for the Application_Control task (ID:21)
- Default settings for the Inventory_Scan task (ID:22)
- General application settings
- Encrypted connections scan settings
- Tasks schedule settings
- Appendix 4. Command line return codes
Appendix 1. Resource consumption optimization
When scanning objects, Kaspersky Embedded Systems Security uses CPU resources, disk subsystem input/output, and RAM.
To view the resource consumption by the application, execute the following command:
top -bn1|grep kess
The command must be executed while the system is under load.
The command output shows the amount of used memory and processor time:
651 root 20 0 3014172 2.302g 154360 S 120.0 30.0 0:32.80 kess
Column 6 displays the amount of resident memory – 2.302g.
Column 9 displays the percentage of the processor cores usage – 120.0, where each core is represented by 100 percent. Thus, 120% means that one core is fully used, and the other is used at 20%.
If, while scanning objects, Kaspersky Embedded Systems Security critically slows down the system, the application must be configured to optimize system resource consumption.
Determining the task that consumes resources
To find out which application tasks are hogging system resources, it is necessary to distinguish the resource usage of File Threat Protection tasks (OAS type) and On-demand Scan tasks (ODS type).
If the application is managed by Kaspersky Security Center policy, it is required to allow local task management for the period of the study.
File Threat Protection task operation analysis
To analyze the operation of the File Threat Protection task:
- Stop all scan and monitoring tasks.
- Make sure that the on-demand scan tasks will not run during the scan or have no schedule. You can do it using Kaspersky Security Center or locally by doing the following steps:
  - Get the list of all application tasks by executing the following command:
    kess-control --get-task-list
  - Get the schedule settings for the Malware Scan task by executing the following command:
    kess-control --get-schedule <task ID>
    If the command output is RuleType=Manual, the task can only be started manually.
  - Get the schedule settings for all your Malware Scan and Custom Scan tasks, if any, and set them to start manually by executing the following command:
    kess-control --set-schedule <task ID> RuleType=Manual
- Enable generation of application trace files with a high level of details by executing the following command:
kess-control --set-app-settings TraceLevel=Detailed
- Start the File Threat Protection task if it has not been started by executing the following command:
kess-control --start-task 1
- Load the system in the mode that caused the performance problems; a few hours is enough.
While being loaded, the application writes a lot of information to the trace files; however only 5 files of 500 MB are stored by default, so the old information will be overwritten. If the problems with performance and resource consumption stop occurring, it means they are most likely caused by on-demand scan tasks and you can proceed to analyze the performance of ODS scan tasks.
- Disable creation of the application trace files by executing the following command:
kess-control --set-app-settings TraceLevel=None
- Determine the list of objects that have been scanned the most times by running the following command:
fgrep 'AVP ENTER' /var/log/kaspersky/kess/kess.* | awk '{print $8}' | sort | uniq -c | sort -k1 -n -r|less
The result is loaded into less, a text viewer utility, where the objects that have been scanned the most times are displayed first.
- Determine whether the objects scanned most often are dangerous. In case of any difficulties, contact Technical Support.
For example, directories and log files can be considered safe if a trusted process writes to them; database files can also be considered safe.
- Write down the paths to the objects that are safe, in your opinion; the paths will be required to configure exclusions from the scan scope.
- If various services frequently write data to files in the system, such files are scanned again in the pending queue. Determine the list of paths that have been scanned the most times in the pending queue by running the following command:
fgrep 'SYSCALL' /var/log/kaspersky/kess/kess.* | fgrep 'KLIF_ACTION_CLOSE_MODIFY' | awk '{print $9}' | sort | uniq -c | sort -k1 -n -r
The files that were scanned the most times will appear at the beginning of the list.
- If the counter for a file exceeds several thousands in a few hours, you should check whether you can trust this file in order to exclude it from scan.
The logic for determining this is the same as for the previous study (see step 8): log files can be considered safe, since they cannot be launched.
- Even if some files are excluded from scan by the Real-time protection task, they can still be intercepted by the application. If excluding certain files from Real-time protection does not result in significant increase of performance, you can completely exclude the mount point where these files are located from the interception scope of the application. To do so, do the following:
  - Run the following command to get the list of files intercepted by the application:
    grep 'FACACHE.*needs' /var/log/kaspersky/kess/kess.* | awk '{print $9}' | sort | uniq -c | sort -k1 -n -r
  - Using this list, determine the paths used for most of the file operation interceptions and configure interception exceptions.
On-demand Scan tasks operation analysis
Tasks of the ODS type can also cause significant resource consumption. Follow these recommendations for the tasks of ODS type:
- Make sure that several on-demand scan tasks are not running at the same time. The application allows for operation in this mode, but resource consumption can significantly increase. Check the schedule of all tasks of the ODS type locally (as described for the File Threat Protection task) or using Kaspersky Security Center.
- Run the scan during the minimum server load.
- Make sure that there are no mounted remote resources (SMB/NFS) at the specified scan path. If a remote resource scan task cannot be performed directly on the server that provides the resource, do not perform the resource scan on servers with critical services, as execution of this task can take a long time (depending on the connection speed and the number of files).
- Optimize the settings of the on-demand scan task before start.
Configuring the File Threat Protection task
If, after analysis of the File Threat Protection task's operation, you have created a list of directories and files that can be excluded from the scan scope, you need to add them to the exclusions.
Scan exclusions
To exclude the /tmp/logs directory and all subdirectories and files recursively, execute the following command:
kess-control --set-settings 1 --add-exclusion /tmp/logs
To exclude a specific file or files by mask in the /tmp/logs directory, execute the following command:
kess-control --set-settings 1 --add-exclusion /tmp/logs/*.log
To exclude all files with the .log extension in the /tmp/ directory and subdirectories using a recursive mask, execute the following command:
kess-control --set-settings 1 --add-exclusion /tmp/**/*.log
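The following shell functions are an added example, not part of the vendor documentation. They take the counted output of the trace-file analysis commands (sort | uniq -c), keep the paths scanned at least a threshold number of times, and print --add-exclusion commands only for regular, non-executable .log files; everything else is marked for manual review. The function names, the threshold of 1000 and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Input: `sort | uniq -c` output, i.e. lines
# of the form "<count> <path>", as produced by the trace-file analysis commands.

# vet_exclusions THRESHOLD
#   For each path counted at least THRESHOLD times, print one verdict line:
#     EXCLUDE <path>  regular, non-executable file whose name ends in .log
#     REVIEW <path>   everything else; a person decides whether it is safe
vet_exclusions() {
    threshold=$1
    while read -r count path; do
        case $count in ''|*[!0-9]*) continue ;; esac    # not a counter line
        [ -n "$path" ] || continue
        [ "$count" -ge "$threshold" ] || continue
        # Unusual characters (spaces, globs, quotes) always go to review.
        case $path in
            *[!A-Za-z0-9/._-]*) echo "REVIEW $path"; continue ;;
        esac
        # "Cannot be launched": regular file, not a symlink, no execute bit.
        if [ -f "$path" ] && [ ! -L "$path" ] && [ ! -x "$path" ]; then
            case $path in
                *.log) echo "EXCLUDE $path"; continue ;;
            esac
        fi
        echo "REVIEW $path"
    done
}

# exclusion_commands TASK_ID
#   Turn EXCLUDE verdicts on stdin into kess-control commands.
#   The commands are only printed, never executed.
exclusion_commands() {
    task_id=$1
    while read -r verdict path; do
        [ "$verdict" = EXCLUDE ] &&
            printf 'kess-control --set-settings %s --add-exclusion %s\n' \
                "$task_id" "$path"
    done
    return 0
}

# Constructed sample: three files in a temporary directory plus one path that
# stays below the threshold.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/app.log"; chmod 644 "$dir/app.log"   # plain log file
    : > "$dir/run.log"; chmod 755 "$dir/run.log"   # "log" with execute bit
    : > "$dir/data.db"; chmod 644 "$dir/data.db"   # not a log: manual review
    verdicts=$(printf '%s\n' \
        "   4812 $dir/app.log" \
        "   3950 $dir/run.log" \
        "   2100 $dir/data.db" \
        "     12 $dir/rare.log" | vet_exclusions 1000)
    printf '%s\n' "$verdicts"
    printf '%s\n' "$verdicts" | exclusion_commands 1
    rm -rf "$dir"
}

demo
```

Only the log-file rule is automated here; database files and directories written by trusted processes remain a manual decision and therefore appear as REVIEW.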
Interception exclusions
If you want to exclude files in a certain directory not only from scan, but also from interception, you can exclude the entire mount point.
To exclude an entire mount point:
- If the directory is not a mount point, create a mount point from it. For example, to create a mount point from the /tmp directory, execute the following command:
mount --bind /tmp/ /tmp
- To keep the mount point after the server reboot, add the following line to the /etc/fstab file:
/tmp /tmp none defaults,bind 0 0
- Add the /tmp directory to the global exceptions by executing the following command:
kess-control --set-app-settings ExcludedMountPoint.item_0000=/tmp
- If you want to add several directories, increase the item_0000 counter by one (item_0001, item_0002, and so on).
It is also recommended to exclude mount points that are mounted remote resources with unstable or slow connection.
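The mount point procedure above, as an added example that is not part of the vendor documentation: the function checks that a path really is a mount point, refuses a path that is already excluded, and prints the --set-app-settings command with the next free item_NNNN counter. It assumes the general settings are available as NAME=VALUE lines (for example from kess-control --get-app-settings in INI format); the function names, return codes, mount table and settings below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code).

# is_mount_point PATH [MOUNTS_FILE]
#   True if PATH appears as a mount point (field 2 of the mount table).
is_mount_point() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }' \
        "${2:-/proc/self/mounts}" 2>/dev/null
}

# excluded_mountpoint_cmd PATH [MOUNTS_FILE]
#   stdin:  general application settings as NAME=VALUE lines (assumed format)
#   stdout: command that stores PATH under the next free item_NNNN counter
#   return: 0 ok, 1 PATH is already excluded, 2 PATH is not a mount point
excluded_mountpoint_cmd() {
    path=$1
    settings=$(cat)
    is_mount_point "$path" "${2:-/proc/self/mounts}" || return 2
    idx=$(printf '%s\n' "$settings" | awk -v p="$path" '
        /^ExcludedMountPoint\.item_[0-9]+=/ {
            value = $0; sub(/^[^=]*=/, "", value)      # text after "="
            if (value == p) dup = 1
            num = $0; sub(/=.*/, "", num); sub(/.*_/, "", num)
            if (num + 0 >= free) free = num + 1        # highest counter + 1
        }
        END { if (dup) exit 1; printf "%04d", free + 0 }') || return 1
    printf 'kess-control --set-app-settings ExcludedMountPoint.item_%s=%s\n' \
        "$idx" "$path"
}

# Constructed mount table and settings, for illustration only.
demo() {
    mounts=$(mktemp) || return 1
    printf '%s\n' 'tmpfs /tmp tmpfs rw 0 0' \
        '/dev/sdb1 /srv/data ext4 rw 0 0' > "$mounts"
    settings='TraceLevel=None
ExcludedMountPoint.item_0000=/tmp'
    for p in /srv/data /tmp /srv/data/logs; do
        printf '%s\n' "$settings" | excluded_mountpoint_cmd "$p" "$mounts" ||
            echo "skipped $p (status $?)"
    done
    rm -f "$mounts"
}

demo
```

A status of 2 corresponds to the first step of the procedure: the directory has to be turned into a mount point with mount --bind before it can be excluded.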
Changing scan type
By default, the File Threat Protection task can scan files when they are opened or closed. If analysis of the File Threat Protection task's operation shows that too many files are being written, you can change the task mode to make it run only when files are opened; to do so, run the following command:
kess-control --set-settings 1 ScanByAccessType=Open
In this operation mode, changes made to the file after it is opened are not scanned until the next opening of the file.
Configuring the On-demand Scan task
Scan exclusions
You can configure scan exclusions for on-demand scan (ODS) tasks. You can configure this in the same way as scan exclusions for the File Threat Protection task.
Scan exclusion settings for one scan task do not affect other scan tasks. Exclusions must be configured separately for each scan task.
Setting the memory usage limits when unpacking archives
The on-demand scan task uses RAM to unpack archives when scanning the archives recursively. The application allows adjusting the memory usage while scanning files using the ScanMemoryLimit parameter in the kess.ini configuration file. The default value is 8192 MB. The minimum value is 2 MB. If the specified value is less than 2 MB, the application uses the minimum value (2 MB). If the specified value is greater than the amount of RAM available in the system, the application uses up to 25% of the RAM. This value cannot be changed.
Setting the application memory usage limit
You can limit the amount of RAM that Kaspersky Embedded Systems Security uses when running OAS and ODS tasks.
Limiting memory usage can be useful for systems with a large amount of RAM (more than 5 GB).
You can use the ScanMemoryLimit option in the kess.ini configuration file to adjust the size of RAM used by the application when scanning files. Default value: 8192 MB. The minimum value is 2 MB. If the specified value is less than 2 MB, the application uses the minimum value (2 MB). If the specified value is greater than the amount of RAM available on the device, the application uses up to 25% of the RAM. This value cannot be changed.
This setting limits only the amount of memory used when scanning files. That means that the total amount of memory required by the application can be more than the value of this setting.
To specify a limit on memory use when scanning files:
- Stop Kaspersky Embedded Systems Security.
- Open the /var/opt/kaspersky/kess/common/kess.ini file for editing.
- Under [General], specify the required amount of RAM in megabytes in the ScanMemoryLimit setting:
ScanMemoryLimit=<amount of memory in megabytes>
- Start Kaspersky Embedded Systems Security.
The new memory usage limit for scanning files will be in effect after the application restarts.
Appendix 2. Commands for managing Kaspersky Embedded Systems Security
On the command line, Kaspersky Embedded Systems Security can be managed using Kaspersky Embedded Systems Security management commands.
You can view the help on management commands by running:
kess-control --help <command group prefix>
Where <command group prefix> accepts the following values:
- -A: commands for managing Application Control
- -B: commands for managing Backup
- -D: commands for managing Device Control
- -E: commands for managing application events
- -F: commands for managing firewall
- -H: commands for managing blocked devices
- -J: commands for managing the collection of system performance metrics
- -L: commands for managing license keys
- -N: commands for managing encrypted connections scan settings
- -S: statistics commands
- -T: commands for managing application tasks and settings
- -U: commands for managing users and roles
- -W: event display commands
Commands for managing application tasks and settings
-T is a prefix indicating that the command belongs to the group of commands for managing application settings and tasks.
-N is a prefix indicating that the command belongs to the group of commands for managing secure connections scan settings.
kess-control --export-settings
This command outputs all application settings to the console or exports to a configuration file. These settings include encrypted connections scan settings, general application settings, and task settings.
Command syntax
kess-control [-T] --export-settings [--file <configuration file path>] [--json]
Arguments and options
--file <configuration file path> is the full path to the configuration file where the application settings will be saved.
--json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
kess-control --import-settings
This command imports all application settings from a configuration file, including encrypted connections scan settings, general application settings, and task settings.
Command syntax
kess-control [-T] --import-settings --file <configuration file path> [--json]
Arguments and options
--file <configuration file path> is the full path to the configuration file from which you want to import settings into the application.
--json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
kess-control --update-application
This command installs a downloaded application module update.
It can only be executed if the application is being used in standard mode.
Command syntax
kess-control [-T] --update-application
Commands for managing general application settings
The kess-control --get-app-settings command
The command outputs the current values of the general application settings to the console or a configuration file.
Command syntax
kess-control [-T] --get-app-settings [--file <configuration file path>] [--json]
Arguments and options
--file <configuration file path> is the path to the configuration file where the application general settings will be written. If you do not specify the --file option, settings will be output to the console.
If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, no configuration file will be generated.
--json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
The kess-control --set-app-settings command
This command configures the general application settings via command options or by importing settings from a configuration file.
Command syntax
Define settings via command options:
kess-control [-T] --set-app-settings <setting name>=<setting value> [<setting name>=<setting value>]
Define settings via a configuration file:
kess-control [-T] --set-app-settings --file <configuration file path> [--json]
Arguments and options
<option name>=<option value>: the name and value of a general application setting.
--file <configuration file path> is the full path to the configuration file from which you want to import settings into the application.
--json is specified to import the settings from the configuration file into the application in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
Commands for managing task settings
kess-control --get-settings
This command outputs the current settings for a specified task to the console or a configuration file.
Command syntax
kess-control [-T] --get-settings <task ID/name> [--file <configuration file path>] [--json]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
--file <configuration file path> is the path to the configuration file into which the task settings will be written. If you do not specify the --file option, settings will be output to the console.
If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, no configuration file will be generated.
--json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
kess-control --set-settings
This command defines the settings for a specified task via command options or by importing settings from a configuration file.
Command syntax
Define settings via command options:
kess-control [-T] --set-settings <task name/ID> <setting name>=<setting value> [<setting name>=<setting value>] [--add-path <path>] [--del-path <path>] [--add-exclusion <path>] [--del-exclusion <path>]
Define settings via a configuration file:
kess-control [-T] --set-settings <task name/ID> --file <configuration file path> [--json]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
<setting name>=<setting value> is the name and value of one of the task settings.
--add-path <path> adds the path to the directory with the objects to be scanned.
--del-path <path> deletes the path to the directory with the objects to be scanned.
--add-exclusion <path>: add the path to the directory with objects to exclude from scanning.
--del-exclusion <path> deletes the path to the directory with the objects to be excluded.
--file <configuration file path> is the full path to the configuration file from which the task settings will be imported.
--json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
kess-control --set-to-default
The command restores the default settings for the specified task.
Command syntax
kess-control [-T] --set-settings <task ID/name> --set-to-default
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
The kess-control --get-schedule command
The command outputs the current schedule of the specified task to the console or a configuration file.
Command syntax
kess-control [-T] --get-schedule <task ID/name> [--file <configuration file path>] [--json]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
--file <configuration file path> is the path to the configuration file in which the settings for the task run schedule will be written. If you do not specify the --file option, settings will be output to the console.
If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, no configuration file will be generated.
--json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
The kess-control --set-schedule command
The command defines a schedule for the specified task via command options or by importing settings from a configuration file.
Command syntax
Define settings via command options:
kess-control [-T] --set-schedule <task ID/name> <setting name>=<setting value> [<setting name>=<setting value>]
Define settings via a configuration file:
kess-control [-T] --set-schedule <task ID/name> --file <configuration file path> [--json]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
<setting name>=<setting value> is the name and value of one of the settings for the task schedule.
--file <configuration file path> is the full path to the configuration file from which the task schedule settings will be imported.
--json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
Commands for managing tasks
kess-control --get-task-list
This command outputs a list of existing tasks.
Command syntax
kess-control [-T] --get-task-list [--json]
Arguments and options
--json is specified to output the settings in JSON format.
kess-control --get-task-state
This command outputs the status of the specified task.
Command syntax
kess-control [-T] --get-task-state <task ID/name> [--json]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
--json is specified to output the settings in JSON format.
kess-control --create-task
This command creates a task of the specified type with the default settings or settings specified in a configuration file.
Command syntax
Create a task with the default settings:
kess-control [-T] --create-task <task name> --type <task type>
Create a task with the settings from a configuration file:
kess-control [-T] --create-task <task name> --type <task type> [--file <configuration file path>] [--json]
Arguments and options
<task name> is the name that you specify for the new task.
<task type> is the identifier for the type of the created task.
--file <configuration file path>: the full path to the configuration file to import settings from.
--json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
kess-control --delete-task
This command deletes a task.
Command syntax
kess-control [-T] --delete-task <task ID/name>
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
kess-control --start-task
This command starts a task.
Command syntax
kess-control [-T] --start-task <task ID/name> [-W] [--progress]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
[-W]: enable current events output.
[--progress]: display task progress.
kess-control --stop-task
This command stops a task.
Command syntax
kess-control [-T] --stop-task <task ID/name> [-W]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
[-W]: enable current events output.
kess-control --suspend-task
This command pauses a task.
Command syntax
kess-control [-T] --suspend-task <task ID/name>
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
kess-control --resume-task
This command resumes a task.
Command syntax
kess-control [-T] --resume-task <task ID/name>
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
kess-control --scan-file
This command creates and runs a custom scan task.
Command syntax
kess-control [-T] --scan-file <path> [--action <action>]
Arguments and options
<path>: the path to the file or directory to scan. You can specify multiple paths by separating them with a space.
--action <action> is the action to be performed by the application on the infected objects. If you do not specify the --action option, the application performs the recommended action.
Commands for managing encrypted connections scan settings
-N is a prefix indicating that the command belongs to the group of commands for managing secure connections scan settings.
kess-control -N --query
The command outputs lists of exclusions from encrypted connections scanning:
- a list of exclusions added by the user;
- a list of exclusions added by the application;
- a list of exclusions received from the application databases.
Command syntax
kess-control -N --query user
kess-control -N --query auto
kess-control -N --query kl
kess-control --clear-web-auto-excluded
This command clears the list of domains that the application has automatically excluded from scanning.
Command syntax
kess-control -N --clear-web-auto-excluded
kess-control --get-net-settings
The command outputs the current encrypted connections scan settings to the console or a configuration file.
Command syntax
kess-control [-N] --get-net-settings [--file <configuration file path>] [--json]
Arguments and options
--file <configuration file path>: the path to the configuration file to output the encrypted connections scan settings to. If you do not specify the --file option, settings will be output to the console.
If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, no configuration file will be generated.
--json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
kess-control --set-net-settings
The command configures the encrypted connections scan settings with command options or by importing settings from a configuration file.
Command syntax
Define settings via command options:
kess-control [-N] --set-net-settings <setting name>=<setting value> [<setting name>=<setting value>]
Define settings via a configuration file:
kess-control [-N] --set-net-settings --file <configuration file path> [--json]
Arguments and options
<option name>=<option value>: the name and value of an encrypted connections scan option.
--file <configuration file path>: the full path to the configuration file to import encrypted connections scan settings from.
--json is specified to import the settings from the configuration file into the application in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
kess-control --list-certificates
This command outputs a list of trusted root certificates.
Command syntax
kess-control [-N] --list-certificates
kess-control --add-certificate
This command adds a certificate to the list of trusted root certificates.
Command syntax
kess-control [-N] --add-certificate <path to certificate>
Arguments and options
<path to certificate> is the path to the certificate file that you want to add (PEM or DER format).
kess-control --remove-certificate
This command removes a certificate from the list of trusted root certificates.
Command syntax
kess-control [-N] --remove-certificate <certificate subject>
Statistics commands
-S is a prefix indicating that the command belongs to the statistics command group.
kess-control --app-info
This command outputs information about the application.
Command syntax
kess-control [-S] --app-info [--json]
Arguments and options
--json is specified to output the settings in JSON format.
kess-control --get-statistic
The command allows you to display statistics about the operation of the application and the list of mount points found on the device.
Command syntax
kess-control [-S] --get-statistic [--files] [--processes] [--mountpoints]
Arguments and options
[--files]: statistics of files most frequently scanned by the File Threat Protection component, and the number of times the component accesses these files.
[--processes]: statistics of applications most frequently scanned by the Behavior Detection component, and the number of times the component accesses these applications.
--mountpoints: list of mount points.
You can specify one or more options in any combination or no options at all. If you do not specify options, the application displays three lists: statistics on the most frequently scanned files, statistics on the most frequently scanned applications, and the list of mount points found on the device.
kess-control --omsinfo
This command creates a JSON file for integration with Microsoft Operations Management Suite.
Command syntax
kess-control [-S] --omsinfo --file <file path>
Commands for displaying events
kess-control -W
This command enables the display of current application events. The command returns the name of the event and additional information about the event. You can use the command to display all current application events or only events associated with a currently running task.
Command syntax
kess-control -W [--query "<filter conditions>"]
Arguments and options
<filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value>', combined with the logical operator and to output specific current events.
Commands for managing application events
-E: a prefix indicating that the command belongs to the group of commands used for managing application events.
kess-control -E
This command outputs information about all events in the application event log. You can use the less command to navigate through the list of displayed events.
Command syntax
kess-control -E
kess-control -E --query
This command outputs information about events from the application event log. You can use the less command to navigate through the list of displayed events. You can use a filter to output specific events or output a list of events to a file.
Command syntax
kess-control -E --query "<filter conditions>" [--db <database file>] [-n <number>] [--file <file path>] [--json] [--reverse]
Arguments and options
<database file> is the full path to the event log database file to output events from. By default, the application saves information about events to the /var/opt/kaspersky/kess/private/storage/events.db database. The location of the database is determined by the EventsStoragePath global application setting.
<filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value>', combined with the help of the logical operator and to limit the results.
<number> – number of the latest events of the selection (number of records from the end of the selection) to be displayed.
--file <file path> is the full path to the file to output events to. If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, the file will not be created.
If you do not specify the --file option, the list of events will be output to the console.
--json: output events in JSON format.
--reverse: display events in reverse order (from the newest event at the top to the oldest at the bottom).
Commands for managing license keys
-L is a prefix indicating that the command belongs to the group of commands used to manage license keys.
kess-control --add-active-key
The command lets you add an active license key to the application using a key file or activation code.
Command syntax
kess-control [-L] --add-active-key <key file path>
kess-control [-L] --add-active-key <activation code>
Arguments and options
<path to the key file> – path to the key file. If the key file is located in the current directory, it is sufficient to specify only the file name.
<activation code> – activation code.
Example: Add a key as an active key from the /home/test/00000001.key file:
kess-control --add-reserve-key
The command lets you add a reserve license key to the application using a key file or an activation code.
If an active key has not yet been added to the application on the device, the command fails.
Command syntax
kess-control [-L] --add-reserve-key <key file path>
kess-control [-L] --add-reserve-key <activation code>
Arguments and options
<path to the key file> – path to the key file. If the key file is located in the current directory, it is sufficient to specify only the file name.
<activation code> – activation code.
Example: Add a reserve key using the /home/test/00000002.key file:
kess-control --remove-active-key
This command lets you remove an active license key.
Command syntax
kess-control [-L] --remove-active-key
kess-control --remove-reserve-key
This command lets you remove a reserve license key.
Command syntax
kess-control [-L] --remove-reserve-key
kess-control -L --query
The -L --query command outputs information about the license that was used for activating the application and license keys currently in use.
Command syntax
kess-control -L --query [--json]
Arguments and options
--json: output data in JSON format.
Commands for Firewall Management
-F: a prefix indicating that the command belongs to the firewall management commands.
kess-control --add-rule
This command adds a new network packet rule.
Command syntax
kess-control [-F] --add-rule [--name <rule name>] [--action <action>] [--protocol <protocol>] [--direction <direction>] [--remote <remote address>[:<port range>]] [--local <local address>[:<port range>]] [--at <index>]
Arguments and options
--name <rule name> is the name of the network packet rule.
--action <action> is the action to be performed on connections specified in the network packet rule.
--protocol <protocol> is the type of data transfer protocol for which you want to monitor network activity.
--direction <direction> is the direction of the monitored network activity.
--remote <remote address>[:<port range>]: the network address of the remote device.
--local <local address>[:<port range>] is the network address of the device with Kaspersky Embedded Systems Security installed.
--at <index>: the number of the rule in the list of network packet rules. If the --at option is not specified or its value is larger than the number of rules in the list, the new rule is added to the end of the list.
Parameters that you do not specify values for in the command are set to their default values.
kess-control --del-rule
This command deletes the network packet rule with the specified name or index in the list of rules.
Command syntax
kess-control -F --del-rule --name <rule name>
kess-control [-F] --del-rule --index <index>
Arguments and options
--name <rule name> is the name of the network packet rule.
--index <index>: the number of the rule in the list of network packet rules.
kess-control --move-rule
This command changes the execution priority of a network packet rule.
Command syntax
kess-control [-F] --move-rule --name <rule name> --at <index>
kess-control [-F] --move-rule --index <index> --at <index>
Arguments and options
--name <rule name> is the name of the network packet rule.
--index <index>: the current number of the rule in the list of network packet rules.
--at <index>: the new number of the rule in the list of network packet rules.
kess-control --add-zone
This command adds an address to a network zone.
Command syntax
kess-control [-F] --add-zone --zone <zone> --address <address>
Arguments and options
--zone <zone> is the predefined name of the network zone.
--address <address> is the network address or subnet.
kess-control --del-zone
This command removes an address from a network zone.
Command syntax
kess-control [-F] --del-zone --zone <zone> --address <address>
kess-control [-F] --del-zone --zone <zone> --index <address index>
Arguments and options
--zone <zone> is the predefined name of the network zone.
--address <address> is the network address or subnet.
--index <address index>: the number of the address in the network zone.
kess-control -F --query
This command displays firewall rules created using Kaspersky Embedded Systems Security.
Command syntax
kess-control -F --query
Commands used to manage blocked devices
-H is a prefix indicating that the command belongs to the group of commands for managing devices blocked by Anti-Cryptor and Network Threat Protection.
kess-control --get-blocked-hosts
The command allows you to output the list of blocked devices to the console.
Command syntax
kess-control [-H] --get-blocked-hosts
kess-control --allow-hosts
The command allows you to unblock blocked devices.
Command syntax
kess-control [-H] --allow-hosts <address>
Arguments and options
<address> is an IP address of the device or subnet (IPv4/IPv6, including addresses in short form). You can specify multiple IP addresses of devices or subnets by separating them with a space.
Commands for managing Device Control
-D is a prefix indicating that the command belongs to the group of commands to manage Device Control.
kess-control --get-device-list
The command outputs to the console a list of devices that are installed on a client device or connected to it.
Command syntax
kess-control [-D] --get-device-list [--json]
Arguments and options
--json: output data in JSON format.
Commands for managing Application Control
-A is a prefix indicating that the command belongs to the group of commands to manage Application Control.
kess-control --get-app-list
The command outputs a list of applications found on a client device by the Inventory task.
Command syntax
kess-control [-A] --get-app-list [--json]
Arguments and options
--json: output data in JSON format.
kess-control --get-categories
This command outputs a list of created application control categories.
Command syntax
kess-control [-A] --get-categories [--names <category name 1> <category name 2> ... <category name N>] [--file <path to configuration file>] [--json]
Arguments and options
<name of category 1> <name of category 2> ... <name of category N> – names of the categories whose information you want to view. If you want to view information about several categories, specify the names of the categories, separated by a space.
--file <path to configuration file> – full path to the JSON configuration file to which the settings will be output.
--json: output data in JSON format.
kess-control --set-categories
This command lets you create or edit the list of created Application Control categories.
Command syntax
kess-control [-A] --set-categories [--names <name of category 1> <name of category 2> ... <name of category N>] --file <path to configuration file>
Arguments and options
<name of category 1> <name of category 2> ... <name of category N> – names of the categories whose information you want to change. If you want to change information about several categories, specify the names of the categories, separated by a space. If you do not specify a category name, the category will be removed from the list.
--file <path to configuration file> – full path to the configuration file with the category settings.
kess-control --get-settings 21
This command outputs a list of created application control rules.
Command syntax
kess-control --get-settings 21 [--file <path to configuration file>] [--json]
Arguments and options
--file <path to configuration file> – full path to the configuration file to which the settings will be exported.
--json: output data in JSON format.
kess-control --set-settings 21
This command lets you edit the list of created application categories and Application Control rules.
Command syntax
kess-control --set-settings 21 [--file <path to configuration file>] [--json]
Arguments and options
--file <path to configuration file> – full path to the configuration file from which the settings will be imported.
--json – import data from a JSON file.
kess-control --set-to-default 21
This command lets you delete a list of application categories and Application Control rules.
Command syntax
kess-control --set-settings 21 --set-to-default
kess-control --add-app-control-trust-certificates
This command adds a certificate to Application Control's list of trusted certificates.
Command syntax
kess-control [-A] --add-app-control-trust-certificates <path to certificate>
Arguments and options
<path to certificate> is the path to the certificate file that you want to add (PEM or DER format).
kess-control --remove-app-control-trust-certificates
This command removes a certificate from Application Control's list of trusted certificates.
Command syntax
kess-control [-A] --remove-app-control-trust-certificates <certificate serial number>
kess-control --query-app-control-trust-certificates
This command outputs a list of Application Control's trusted certificates.
Command syntax
kess-control [-A] --query-app-control-trust-certificates
Commands for managing Backup
-B is a prefix indicating that the command belongs to the group of commands used to manage the Backup storage.
kess-control -B --mass-remove
The command deletes some or all objects from Backup.
Command syntax
Delete all objects:
kess-control -B --mass-remove
Delete objects that match the filter conditions:
kess-control -B --mass-remove --query "<filter conditions>"
Arguments and options
<filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value>', combined with the logical operator "and", to limit the results.
kess-control -B --query
This command outputs information about Backup objects.
Command syntax
Output information about all objects in Backup:
kess-control -B --query [-n <number>] [--json] [--reverse]
Output information about Backup objects that match the filter conditions:
kess-control -B --query ["<filter conditions>"] [-n <number>] [--json] [--reverse]
Arguments and options
<filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value>', combined with the logical operator "and", to limit the results. If you do not specify any filter conditions, the application will display the details of all objects in Backup.
<number>: the number of the most recent objects to display. If you do not specify the -n switch, the last 30 objects will be displayed. To display all objects, specify 0.
--json: output data in JSON format.
--reverse – output objects in reverse order (from the newest object at the top to the oldest at the bottom).
kess-control -B --restore
This command restores an object from Backup.
Command syntax
kess-control -B --restore <object ID> --file <path to file>
Arguments and options
<object ID>: the ID of the Backup object.
--file <file path>: the new name of the file and the path to the directory to save it to. If you do not specify the --file option, the object will be restored with its original name and to its original location.
Commands for managing users and roles
-U is a prefix indicating that the command belongs to the group of commands for managing users and roles.
kess-control --get-user-list
This command outputs a list of users and roles.
Command syntax
kess-control [-U] --get-user-list
kess-control --grant-role
This command assigns a role to a specific user.
Command syntax
kess-control [-U] --grant-role <role> <user>
kess-control --revoke-role
This command revokes a role from a specific user.
Command syntax
kess-control [-U] --revoke-role <role> <user>
Commands for managing system performance metrics
kess-control --export-metrics
This command allows configuring the collection of operating system performance metrics.
Command syntax
kess-control [-J] --export-metrics [--period <interval in seconds between exports>|--interactive]
Arguments and options
--period enables periodic output of results.
<interval in seconds between exports> (in seconds) sets the output period.
--interactive enables interactive output (on the Enter key being pressed).
Appendix 3. Configuration files and default application settings
The following configuration files are used for managing Kaspersky Embedded Systems Security:
- Configuration files that contain the initial configuration settings of the application:
  - autoinstall.ini configuration file, used when installing the application via Kaspersky Security Center.
  - Configuration file used when installing the application via the command line.
- Preset configuration files generated automatically during the initial configuration of the application and containing the options set during the initial configuration. These settings are applied at run time.
- Configuration files that you can create with Kaspersky Embedded Systems Security management commands. These configuration files may contain task settings and other application settings. You can modify these files and import them into the application to modify the corresponding options.
Rules for editing application task configuration files
When editing a configuration file, adhere to the following rules:
- Specify all mandatory settings in the configuration file. You can specify individual task settings without a file using the command line.
- If a setting belongs to a certain section, specify it only in this section. You can specify the settings in any order within a section.
- Enclose the names of sections in square brackets [ ].
- Enter the values of settings in the format <setting name>=<setting value> (spaces between a setting name and its value are not processed).
Example:
[ScanScope.item_0000]
AreaDesc=Home
AreaMask.item_0000=*doc
Path=/home
Space and tab characters are ignored before the first quotation mark and after the last quotation mark of a string value, and at the beginning and end of a string value that is not enclosed in quotation marks.
- If you need to specify several values for a setting, repeat the setting the same number of times as the number of values that you want to specify.
Example:
AreaMask.item_0000=*xml
AreaMask.item_0001=*doc
- Be case-sensitive when entering values for the following types of settings:
  - Names (masks) of scanned objects and excluded objects.
  - Names (masks) of threats.
The remaining setting values are not case-sensitive.
- Specify Boolean setting values as follows: Yes/No.
- Use quotation marks to enclose string values containing a space character (for example, names of files and directories and their paths, expressions containing the date and time in the format "YYYY-MM-DD HH:MM:SS").
You can enter the remaining values with or without quotation marks.
Example:
AreaDesc="Scanning of email databases"
A single quotation mark at the beginning or end of a string is considered an error.
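The editing rules above can be checked mechanically before a file is imported, so that a malformed file does not leave a protection task misconfigured. The linter below is an added example, not part of the Kaspersky documentation and not the application's own parser; it covers only the rules listed in this section, and the sample file and the set of Boolean setting names passed to it are constructed for illustration.

```python
import re

SECTION_RE = re.compile(r"^\[([^\[\]]+)\]$")
ITEM_RE = re.compile(r"^(.+)\.item_(\d+)$")

# Constructed sample, not a real exported task file.
SAMPLE = """\
ScanArchived = yes
UseExcludeMasks=Maybe
[ScanScope.item_0000]
AreaDesc=All objects
AreaMask.item_0000=*xml
AreaMask.item_0001 =  *doc
Path =\t"/home/test data"
UseScanArea
[ScanScope.item_0001]
AreaDesc="Scanning of email databases
"""


def parse_value(raw):
    """Apply the quoting rules; return (value, problem or None)."""
    text = raw.strip(" \t")  # outer spaces and tabs are ignored
    starts, ends = text.startswith('"'), text.endswith('"')
    if starts and ends and len(text) >= 2:
        return text[1:-1], None  # quoted value, inner spaces are kept
    if starts or ends:
        return text, ("error", "single quotation mark at the beginning or end")
    if " " in text:
        # Reported as a warning only: the default listings on this page
        # show unquoted values with spaces (AreaDesc=All objects).
        return text, ("warning", "value contains a space but is not quoted")
    return text, None


def lint(config_text, boolean_keys=()):
    """Return (settings, findings) for a task configuration file.

    settings maps (section, name) to a value, or to a list of values for
    settings repeated as name.item_NNNN. findings is a list of
    (line number, severity, message) tuples.
    """
    booleans = set(boolean_keys)
    settings, findings = {}, []
    section = ""  # settings that appear before any [section] header
    for lineno, line in enumerate(config_text.splitlines(), 1):
        line = line.strip(" \t")
        if not line:
            continue
        if line.startswith("["):
            match = SECTION_RE.match(line)
            if match:
                section = match.group(1)
            else:
                findings.append((lineno, "error", "malformed section header"))
            continue
        name, sep, raw = line.partition("=")
        name = name.strip(" \t")  # spaces around '=' are not processed
        if not sep or not name:
            findings.append(
                (lineno, "error", "expected <setting name>=<setting value>"))
            continue
        value, problem = parse_value(raw)
        if problem:
            findings.append((lineno, problem[0], f"{name}: {problem[1]}"))
        if name in booleans:
            if value.lower() in ("yes", "no"):  # Boolean values ignore case
                value = value.capitalize()
            else:
                findings.append(
                    (lineno, "error", f"{name}: Boolean must be Yes or No"))
        item = ITEM_RE.match(name)
        if item:  # repeated setting: collect the values in file order
            settings.setdefault((section, item.group(1)), []).append(value)
        else:
            settings[(section, name)] = value  # mask values keep their case
    return settings, findings


if __name__ == "__main__":
    # Boolean names here are taken from the default listings on this page.
    parsed, problems = lint(SAMPLE, {"ScanArchived", "UseExcludeMasks"})
    for lineno, severity, message in problems:
        print(f"line {lineno}: {severity}: {message}")
```

Run it against a file exported with --get-settings and edited by hand, and import the file only when no error-level findings remain.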
Preset configuration files
After the post-installation configuration, the application creates the following configuration files:
- /var/opt/kaspersky/kess/common/agreements.ini
The agreements.ini configuration file contains settings related to the License Agreement, Privacy Policy, and Kaspersky Security Network Statement.
- /var/opt/kaspersky/kess/common/kess.ini
The kess.ini configuration file contains the settings described in the following table.
If necessary, you can edit the values of the settings in these files.
The default values in these files should be changed only under the supervision of Technical Support specialists and in accordance with their instructions.
The kess.ini configuration file settings
Setting | Description | Values |
---|---|---|
The [General] section contains the following settings: | | |
| The locale used for the localization of texts sent by Kaspersky Embedded Systems Security to Kaspersky Security Center (events, notifications, task results, etc.). The locale of the graphical interface and the application command line depends on the value of the | The locale in the format specified by RFC 3066. If the |
| Format of the installed application package. We do not recommend changing the value of this setting manually. The value of the setting is filled in automatically during initial application configuration. | |
| Using the fanotify technology to intercept file operations. We do not recommend changing the value of this setting manually. This setting is specified during the initial configuration of the application. | |
| Enables generation of trace files at application startup. | |
| Display information in trace files that may contain personal data (for example, passwords). | |
| Enables asynchronous tracing, in which information is logged to trace files asynchronously. | |
| Enables the creation of a dump file when application failure occurs. | |
| Path to the directory where the dump files are stored. | Default value: /var/opt/kaspersky/kess/common/dumps. Root privileges are required to access the default dump file directory. |
| The minimum amount of disk memory that will remain after writing a dump file, in megabytes. | Default value: 300. |
| Limit on the application's use of memory in megabytes. | Default value: 8192. |
| The user's unique device ID. | The value of the setting is filled in automatically during installation of the application. |
| The path to the socket for remote connection, through which, for example, the graphical interface and the kess-control utility are connected. | Default value: /var/run/bl4control. |
| Limit on the number of subscriptions to changes in files and directories (user watches) in /proc/sys/fs/inotify/max_user_watches. | Default value: 300000. |
| Limit on the number of subscriptions to changes in files and directories for a single user. | Default value: 2048. |
| The number of environment variables that the application captures from the command call. | Default value: 50. |
| Number of arguments that the application captures from the exec call. | Default value: 20. |
| Indicates use of a public DNS. If there are errors accessing servers through the system DNS, the application uses a public DNS. This is needed for updating application databases and maintaining device security. The application will use the following public DNSes in this order: | The application's requests may contain domain addresses and the user's external IP address, since the application establishes a TCP/UDP connection with the DNS server. This information is necessary, for example, to check the certificate of a web resource when interacting via HTTPS. If the application is using a public DNS server, data processing rules are governed by the Privacy Policy of the corresponding service. If you need to block the application from using a public DNS server, contact Technical Support for a private patch. |
The [Network] section contains the following settings: | | |
| A mark in the iptables rules for forwarding traffic to the application for processing by the Web Threat Protection component. You may need to change this mark if a device with the application runs other software that uses the ninth bit of the TCP packet mask, and a conflict occurs. | A decimal value or hexadecimal number with the prefix 0x. Default value: 0x100. |
| A mark in the iptables rules for forwarding traffic to the application for processing by the Network Threat Protection component. You may need to change this mark if a device with the application runs other software that uses the ninth bit of the TCP packet mask, and a conflict occurs. | A decimal value or hexadecimal number with the prefix 0x. Default value: 0x200. |
| A mark used to indicate packets created or scanned by the application, so that the application does not scan them again. | A decimal value or hexadecimal number with the prefix 0x. Default value: 0x400. |
| A mark used to indicate packets created or scanned by the application to prevent them from being logged by the iptables utility. | A decimal value or hexadecimal number with the prefix 0x. Default value: 0x800. |
| Number of the routing table. | Default value: 101. |
The [ScannerImpactStats] section contains the following settings: | | |
| Enables the tallying of statistics of file and process scanning by the File Threat Protection and Behavior Detection components. | |
| The time interval for which the application keeps a tally of file and process scanning statistics by the File Threat Protection and Behavior Detection components before saving the statistics to a trace file and reports. | Default value: 10 minutes. |
| The number of files and processes counted by the application during the time interval specified by the | Default value: 10. |
| The number of records to be written to reports on the most frequently scanned files and processes for the day. | Default value: 20. |
The [Watchdog] section contains the following settings: | | |
| Maximum time to wait for the kess process to finish from the moment the Watchdog server sends the HEADSHOT signal to the kess process. | Default value: 2 minutes. |
| The maximum time to wait for the application to start (in minutes), after which the Watchdog server starts the procedure for restarting the kess process. | Default value: 3 minutes. |
| Maximum time to wait for the controlled kess process to complete from the moment the Watchdog server sends the SIGKILL signal to the kess process. If the kess process does not finish before this time elapses, the action specified by the --failed-kill setting is performed. | Default value: 2 days. |
| The interval with which the application attempts to send a PONG message to the Watchdog server in response to a received PING message. | Default value: 2000 milliseconds. |
| Maximum number of consecutive unsuccessful attempts to start the application. | Default value: 5. |
| Maximum time interval during which the application should send a message to the Watchdog server. If a message is not received from the application within this time interval, the Watchdog server begins the procedure to restart the kess process. | Default value: 2 minutes. |
| Maximum time from the start of the kess process to the moment when a connection with the Watchdog server is established by the application. If the application does not establish a connection in this time interval, the Watchdog server begins the procedure to restart the kess process. | Default value: 3 minutes. |
| Maximum time from the moment the application connects to the Watchdog server to the moment the server receives a REGISTER message. | Default value: 500 milliseconds. |
| Maximum time to wait for the kess process to finish from the moment the Watchdog server sends the SHUTDOWN signal to the kess process. | Default value: 2 minutes. |
| Limit on the use of resident memory by the kess process. If the managed process uses more resident memory than this limit, the Watchdog server begins the procedure to restart the kess process. | Default value: |
| Limit on the use of virtual memory by the kess process. If the managed process uses more virtual memory than this limit, the Watchdog server begins the procedure to restart the kess process. | |
| Limit on the size of the swap file of the kess process. If the swap file of the managed process exceeds this limit, the Watchdog server begins the procedure to restart the kess process. | |
| Enabling application stability monitoring. If application stability monitoring is enabled, the Watchdog server tracks the number of abnormal halts of the application. | |
| The path to the file used for application stability monitoring. | Default value: /var/opt/kaspersky/kess/private/kess_health.log. |
| Time interval (in seconds) in which the application must experience the specified number of abnormal halts before displaying a notification about unstable operation. | Default value: 3600 seconds. |
| Number of abnormal halts of the application that are required before displaying a notification about unstable application operation. | Default value: 10. If the value is 0, an unstable application notification is not displayed. |
| Time interval (in seconds) after which the application's unstable status will be cleared. | Default value: 86400 seconds. |
| The period with which the Watchdog server calls the open and execve system functions and increments the success counters for these functions. | Default value: 3 seconds. |
| The period with which the Watchdog server checks the success counters for the open and execve functions. If the value of the counters is unchanged after this time, the Watchdog server starts the procedure for restarting the kess process. | Default value: 12 seconds. |
| The maximum time to wait for the creation of an application dump file, during which the Watchdog server suspends the checking of application activity. If the dump creation has not completed after this time, the Watchdog server starts the procedure for restarting the kess process. | Possible values: 1–30 minutes. Default value: 2 minutes. |
Default settings for command line tasks
This section contains the default options for all predefined tasks that can be used to manage Kaspersky Embedded Systems Security on the command line.
The Rollback and License tasks have no settings.
Default settings for the File_Threat_Protection task (ID:1)
ScanArchived=No
ScanSfxArchived=No
ScanMailBases=No
ScanPlainMail=No
SkipPlainTextFiles=No
TimeLimit=60
SizeLimit=0
FirstAction=Recommended
SecondAction=Block
UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportPackedObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
UseIChecker=Yes
ScanByAccessType=SmartCheck
[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*
Default settings for the Scan_My_Computer task (ID:2)
ScanFiles=Yes
ScanBootSectors=Yes
ScanComputerMemory=Yes
ScanStartupObjects=Yes
ScanArchived=Yes
ScanSfxArchived=Yes
ScanMailBases=No
ScanPlainMail=No
TimeLimit=0
SizeLimit=0
FirstAction=Recommended
SecondAction=Skip
UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportPackedObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
UseIChecker=Yes
UseGlobalExclusions=Yes
UseOASExclusions=Yes
DeviceNameMasks.item_0000=/**
[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*
Default settings for the Scan_File task (ID:3)
ScanFiles=Yes
ScanBootSectors=No
ScanComputerMemory=No
ScanStartupObjects=No
ScanArchived=Yes
ScanSfxArchived=Yes
ScanMailBases=No
ScanPlainMail=No
TimeLimit=0
SizeLimit=0
FirstAction=Recommended
SecondAction=Skip
UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportPackedObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
UseIChecker=Yes
UseGlobalExclusions=Yes
UseOASExclusions=Yes
DeviceNameMasks.item_0000=/**
[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*
Default settings for the Critical_Areas_Scan task (ID:4)
ScanFiles=No
ScanBootSectors=Yes
ScanComputerMemory=Yes
ScanStartupObjects=Yes
ScanArchived=Yes
ScanSfxArchived=Yes
ScanMailBases=No
ScanPlainMail=No
TimeLimit=0
SizeLimit=0
FirstAction=Recommended
SecondAction=Skip
UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportPackedObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
UseIChecker=Yes
UseGlobalExclusions=Yes
UseOASExclusions=Yes
DeviceNameMasks.item_0000=/**
[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*
Default settings for the Update task (ID:6)
SourceType=KLServers
UseKLServersWhenUnavailable=Yes
ApplicationUpdateMode=DownloadOnly
ConnectionTimeout=10
Default settings for the System_Integrity_Monitoring task (ID:11)
UseExcludeMasks=No
[ScanScope.item_0000]
AreaDesc=Kaspersky internal objects
UseScanArea=Yes
Path=/opt/kaspersky/kess/
AreaMask.item_0000=*
Default settings for the Firewall_Management task (ID:12)
DefaultIncomingAction=Allow
DefaultIncomingPacketAction=Allow
OpenNagentPorts=Yes
[NetworkZonesTrusted]
[NetworkZonesLocal]
[NetworkZonesPublic]
Default settings for the Anti_Cryptor task (ID:13)
ActionOnDetect=Block
BlockTime=30
UseExcludeMasks=No
[ScanScope.item_0000]
AreaDesc=All shared directories
UseScanArea=Yes
Path=AllShared
AreaMask.item_0000=*
Default settings for the Web_Threat_Protection task (ID:14)
UseTrustedAddresses=Yes
ActionOnDetect=Block
CheckMalicious=Yes
CheckPhishing=Yes
UseHeuristicForPhishing=Yes
CheckAdware=No
CheckOther=No
Default settings for the Device_Control task (ID:15)
OperationMode=Block
[DeviceClass]
HardDrive=DependsOnBus
RemovableDrive=DependsOnBus
Printer=DependsOnBus
FloppyDrive=DependsOnBus
OpticalDrive=DependsOnBus
Modem=DependsOnBus
TapeDrive=DependsOnBus
MultifuncDevice=DependsOnBus
SmartCardReader=DependsOnBus
PortableDevice=DependsOnBus
WiFiAdapter=DependsOnBus
NetworkAdapter=DependsOnBus
BluetoothDevice=DependsOnBus
ImagingDevice=DependsOnBus
SerialPortDevice=DependsOnBus
ParallelPortDevice=DependsOnBus
InputDevice=DependsOnBus
SoundAdapter=DependsOnBus
[DeviceBus]
USB=Allow
FireWire=Allow
[Schedules.item_0000]
ScheduleName=Default
DaysHours=All
[HardDrivePrincipals.item_0000]
Principal=\Everyone
[HardDrivePrincipals.item_0000.AccessRules.item_0000]
UseRule=Yes
ScheduleName=Default
Access=Allow
[RemovableDrivePrincipals.item_0000]
Principal=\Everyone
[RemovableDrivePrincipals.item_0000.AccessRules.item_0000]
UseRule=Yes
ScheduleName=Default
Access=Allow
[FloppyDrivePrincipals.item_0000]
Principal=\Everyone
[FloppyDrivePrincipals.item_0000.AccessRules.item_0000]
UseRule=Yes
ScheduleName=Default
Access=Allow
[OpticalDrivePrincipals.item_0000]
Principal=\Everyone
[OpticalDrivePrincipals.item_0000.AccessRules.item_0000]
UseRule=Yes
ScheduleName=Default
Access=Allow
Default settings for the Removable_Drives_Scan task (ID:16)
ScanRemovableDrives=NoScan
ScanOpticalDrives=NoScan
BlockDuringScan=No
Default settings for the Network_Threat_Protection task (ID:17)
ActionOnDetect=Block
BlockAttackingHosts=Yes
BlockDurationMinutes=60
UseExcludeIPs=No
Default settings for the Behavior_Detection task (ID:20)
UseTrustedPrograms=No
TaskMode=Block
Default settings for the Application_Control task (ID:21)
AppControlMode=DenyList
AppControlRulesAction=ApplyRules
UseTrustedCustomCerts=Yes
Default settings for the Inventory_Scan task (ID:22)
ScanScripts=Yes
ScanBinaries=Yes
ScanAllExecutable=Yes
GoldenImageAction=DoNothing
[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/usr/bin
AreaMask.item_0000=*
General application settings
General application settings define the operation of the application as a whole and the operation of individual functions.
| Setting | Description | Values |
|---|---|---|
| | Directory that stores the Samba configuration file. The Samba configuration file is required to ensure that the | The standard directory of the Samba configuration file on the computer is specified by default. Default value: /etc/samba/smb.conf. The application must be restarted after this setting is changed. |
| | The directory where the NFS configuration file is stored. The NFS configuration file is required to ensure that the | The standard directory of the NFS configuration file on the computer is specified by default. Default value: /etc/exports. The application must be restarted after this setting is changed. |
| | Enable application tracing and the level of detail in the trace files. | |
| | The directory that stores the application trace files. | Default value: /var/log/kaspersky/kess. If you specify a different directory, make sure that the account under which Kaspersky Embedded Systems Security is running has read/write permissions for this directory. Root privileges are required to access the default trace files directory. The application must be restarted after this setting is changed. |
| | Maximum number of application trace files. | 1–10000. Default value: 10. The application must be restarted after this setting is changed. |
| | Specifies the maximum size of an application trace file (in megabytes). | 1–1000. Default value: 500. The application must be restarted after this setting is changed. |
| | Blocks access to files for which the full path length exceeds the value of this setting, specified in bytes. If the length of the full path to the scanned file exceeds the value of this setting, scan tasks skip this file during scanning. This setting is not available for operating systems that use the fanotify technology. | 4096–33554432. Default value: 16384. After changing the value of this setting, the File Threat Protection task needs to be restarted. |
| | Enable detection of legitimate applications that intruders can use to compromise devices or data. | |
| | Enabling the use of the namespace mechanism, which also allows scanning files in containers and mandatory access control sessions of the Astra Linux operating system. The application does not scan namespaces or containers unless components for managing namespaces are installed in the operating system. | |
| | Enabling the file operation intercept mode with blocking access to files for the duration of the scan. The file operation interception mode affects the File Threat Protection and Device Control components. | |
| | Enabling Kaspersky Security Network usage: | |
| | Enable cloud mode. Cloud mode is available if use of KSN is enabled. If you plan to use cloud mode, make sure KSN is available on your device. | Cloud mode is disabled automatically if use of KSN is disabled. |
| | Enables the use of a proxy server by Kaspersky Embedded Systems Security components. The proxy server can be used for access to Kaspersky activation servers, to update sources for databases and application modules, to Kaspersky Security Network, and when verifying website certificates using the Web Threat Protection component. | |
| | Proxy server settings in the following format: Connecting to a proxy server over HTTPS is not supported. When connecting via an HTTP proxy, we recommend using a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised. | |
| | List of addresses in the [ | |
| | The maximum number of events stored by the application. When the specified number of events is exceeded, the application deletes the oldest events. | Default value: 500000. If 0 is specified, events are not saved. |
| | The maximum number of custom scan tasks that a non-privileged user can simultaneously start on the device. This setting does not limit the number of tasks that a user with root privileges can start. | 0–100000. 0 means a non-privileged user cannot start custom scan tasks. Default value: 5. |
| | Enable logging of information about events to syslog. Root privileges are required to access syslog. | |
| | The database directory where the application saves information about events. Root privileges are required to access the default event database. | Default value: /var/opt/kaspersky/kess/private/storage/events.db. |
| | The mount point to exclude from the scan scope. The exclusion applies to the operation of the File Threat Protection and Anti-Cryptor components, the Removable Drives Scan task, and is also configured for scan tasks of the ODS type. You can specify several mount points to be excluded from scans. Mount points must be specified in the same way as they are displayed in the The | |
| | Exclude process memory from scans. The application does not scan the memory of the indicated process. | |
| | Enables CPU usage limits for tasks of the ODS and InventoryScan type. | |
| | The maximum utilization of all processor cores (as a percentage) when running tasks of the ODS and InventoryScan type. | 10–100. Default value: 100. |
| | Time period for storing objects in the Backup storage (in days). After the specified time has elapsed, the application deletes the oldest backup copies of files. To remove the object retention limit, set 0. | 0–10000. 0 – unlimited retention. Default value: 30. |
| | Maximum Backup size in MB. When the maximum Backup storage size is reached, the application deletes the oldest backup copies of files. To remove the Backup size limit, set 0. | 0–999999. 0 – unlimited size. Default value: 0. |
| | Path to the Backup directory. You can specify a custom Backup storage directory that is different from the default directory. You can use directories on any device as the Backup storage. It is not recommended to assign directories that are located on remote devices, such as those mounted via the Samba and NFS protocols. If the specified directory does not exist or is unavailable, the application uses the default directory. | Default value: /var/opt/kaspersky/kess/common/objects-backup/. Root privileges are required to access the default Backup storage directory. |
| | Enables displaying pop-up notifications in the graphical user interface. | |
Encrypted connections scan settings
| Setting | Description | Values |
|---|---|---|
| | Enables or disables encrypted traffic scan. For the FTP protocol, secure connections scan is disabled by default. | |
| | Specifies the action to perform when a secure connection scan error occurs on a website. | |
| | Specifies the way Kaspersky Embedded Systems Security checks certificates. If a certificate is self-signed, the application does not perform additional verification. | |
| | The action to take when an unconfirmed certificate is detected. | |
| | Using exclusions when scanning encrypted traffic. | |
| | Specifies the way Kaspersky Embedded Systems Security monitors network ports. | Specifying this value may significantly increase the operating system load. |
| The [Exclusions.item_#] section contains domains excluded from scans. The application does not scan secure connections established when visiting specified domains. | | |
| | Specifies the domain name. You can use masks to specify the domain. | The default value is not defined. |
| The [NetworkPorts.item_#] section contains the network ports monitored by the application. | | |
| | Network port description. | The default value is not defined. |
| | Network port numbers to be monitored by the application. | The default value is not defined. |
Tasks schedule settings
Task start schedule settings
| Setting | Description | Values |
|---|---|---|
| | Task launch schedule. | |
| | Task start date and time. The | |
| | A time interval from 0 to the specified value (in minutes), which will be added to the task start time to avoid starting tasks at the same time. | Default value: 99 minutes. |
| | Runs a missed task after the application is started. | |
| | Stops the task upon reaching the maximum task execution time specified by the | |
| | The maximum task execution time (in minutes) after which the application stops executing the task if | Default value: 120 minutes. |
Appendix 4. Command line return codes
Kaspersky Embedded Systems Security has the following command line return codes:
0 – command/task completed successfully.
1 – general error in command syntax.
2 – error in passed application settings.
64 – Kaspersky Embedded Systems Security is not running.
66 – application databases are not downloaded (used only by the kess-control --app-info command).
67 – activation 2.0 ended with an error due to network problems.
68 – the command cannot be executed because the application is managed by a policy.
69 – the application is located in the Amazon Paid AMI infrastructure.
70 – an attempt to start a running task, delete a running task, change the settings of a running task, stop a stopped task, pause a suspended task, or resume a running task.
71 – Kaspersky Security Network Statement has not been accepted.
72 – threats were detected by the Custom scan task.
73 – attempt to set Application Control task settings that affect the operation of the application without confirming them using the --accept option.
74 – Kaspersky Embedded Systems Security must be restarted after an update.
75 – the device must be restarted.
76 – connection prohibited, as only users with root rights should have write access to the specified path.
77 – the specified license key is already in use on the device.
128 – unknown error.
65 – all other errors.