Kaspersky Embedded Systems Security for Linux

Contents

Application management concept

To manage Kaspersky Embedded Systems Security, you can use:

The set of actions that you can perform using the Kaspersky Embedded Systems Security graphical user interface is limited.

This section describes the specifics of managing the application via Kaspersky Security Center and the command line, and also describes the main methods of working in the Kaspersky Security Center administration consoles and in the command line.

In this Help section

Managing the application using Kaspersky Security Center

Managing the application using the command line

Page top
[Topic 264153]

Managing the application using Kaspersky Security Center

Kaspersky Security Center allows you to remotely and centrally manage the operation of Kaspersky Embedded Systems Security on client devices. You can remotely install and uninstall, start, and stop Kaspersky Embedded Systems Security; configure settings for the application, as well as for the individual components and tasks of the application; and start and stop tasks on the managed devices.

You can use the following Kaspersky Security Center administration consoles to manage Kaspersky Embedded Systems Security via Kaspersky Security Center:

  • Kaspersky Security Center Administration Console (hereinafter also referred to as Administration Console). This is a Microsoft Management Console (MMC) snap-in that is installed on the administrator's workstation and provides a user interface for the Administration Server and Network Agent administrative services.

    The interface for managing Kaspersky Embedded Systems Security via the Kaspersky Security Center Administration Console is provided by the administration MMC plug-in (hereinafter also referred to as the "MMC plug-in").

    This Help describes how to manage the Administration Console of Kaspersky Security Center 14.2 Windows.

  • Kaspersky Security Center Web Console (hereinafter also referred to as Web Console). This is a web interface for managing a protection system based on Kaspersky applications. You can work in Kaspersky Security Center Web Console using a browser on any device that has access to the Administration Server.

    The interface for managing Kaspersky Embedded Systems Security via the Kaspersky Security Center Web Console is provided by the administration web plug-in (hereinafter also simply referred to as web plug-in).

    This Help describes how to manage the Web Console of Kaspersky Security Center 15.2 Linux.

  • Kaspersky Security Center Cloud Console. This is a cloud-based administration console within the cloud version of the Kaspersky Security Center application, also known as the Kaspersky Security Center Cloud Console. Interface of the Cloud console is similar to Kaspersky Security Center Web Console interface. The interface for managing Kaspersky Embedded Systems Security via the Kaspersky Security Center Cloud Console is also provided by the web plug-in.

The MMC plug-in and web plug-in allow you to create policies and tasks in Kaspersky Security Center for managing the operation of Kaspersky Embedded Systems Security:

  • A policy is a set of settings that is applied on all devices in an . Policies allow you to apply identical application settings to all client devices within an administration group.

    The Kaspersky Embedded Systems Security policy defines the general settings for the operation of Kaspersky Embedded Systems Security and the settings for the operation of individual functional components of the application on devices where the policy is applied.

  • Tasks for Kaspersky Embedded Systems Security created in Kaspersky Security Center run on the protected devices and implement Kaspersky Embedded Systems Security functions such as on-demand scan, application activation, and updates to the databases and modules of the application.

    In Kaspersky Security Center, you can create tasks to be performed on an individual device (local tasks), tasks for all devices in the administration group (group tasks), or tasks for a random selection of devices (tasks for sets of devices).

Regardless of the Kaspersky Security Center administration console that you use, you must assign the devices on which Kaspersky Embedded Systems Security is installed to administration groups in order to manage Kaspersky Embedded Systems Security on these devices using Kaspersky Security Center. You can create administration groups in Kaspersky Security Center before Kaspersky Embedded Systems Security installation and configure rules to automatically move the devices to administration groups. You can also manually move the devices to the administration groups after installing Kaspersky Embedded Systems Security (for details, refer to Kaspersky Security Center documentation).

In this section

About Kaspersky Embedded Systems Security management plug-ins

Kaspersky Security Center policies

Tasks for Kaspersky Embedded Systems Security created in Kaspersky Security Center

Logging in and out of the Web Console and Cloud Console

Managing policies in the Web Console

Managing policies in the Administration Console

Managing tasks in the Web Console

Managing tasks in the Administration Console

Page top
[Topic 264152]

About Kaspersky Embedded Systems Security management plug-ins

The following management plug-ins are required for managing Kaspersky Embedded Systems Security using Kaspersky Security Center:

  • Kaspersky Embedded Systems Security administration web plug-in (hereinafter also referred to as the web plug-in) facilitates interaction between Kaspersky Embedded Systems Security and Kaspersky Security Center using Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console.

    The web plug-in must be installed on the device that has Kaspersky Security Center Web Console installed. Management of Kaspersky Embedded Systems Security using the web plug-in is available to all administrators who have access to the Kaspersky Security Center Web Console in a browser.

  • The Kaspersky Embedded Systems Security administration MMC plug-in (hereinafter also referred to as the MMC plug-in) facilitates interaction between Kaspersky Embedded Systems Security and Kaspersky Security Center using the Administration Console.

    The MMC plug-in must be installed on the device where the Kaspersky Security Center Administration Console is installed.

The Kaspersky Embedded Systems Security management plug-ins let you manage Kaspersky Embedded Systems Security using policies and tasks.

For more details about administration plug-ins, refer to Kaspersky Security Center documentation.

Page top
[Topic 264115]

Kaspersky Security Center policies

A policy is a set of Kaspersky Embedded Systems Security settings that are applied to all client devices included in the administration group.

Multiple policies with different values of the settings can be configured for a single application. However, there can be only one active policy at a time for an application within an administration group. When you create a new policy, all other policies within an administration group become inactive. You can change the policy status later.

Policies have a hierarchy, similarly to administration groups. By default, a child policy inherits the settings from the parent policy. A child policy is a policy of a nested hierarchy level, that is, a policy for nested administration groups and secondary Administration Servers. You can enable inheritance of the settings from the parent policy.

You can locally modify the values of the settings specified by the policy for individual devices within the administration group, if modification of these settings is not prohibited by the policy.

Each policy setting has a "lock" attribute that indicates whether child policy settings and local application settings can be modified. The "lock" status of a setting within policy properties determines whether or not an application setting on a client device can be edited:

  • When a setting is "locked" (lock_policy), you cannot edit its value locally or in the policies of the nested hierarchy level. The setting value specified by the policy is used for all client devices within the administration group and nested groups.
  • When a setting is "unlocked" (unlock), you can edit its value locally or in the policies of the nested hierarchy level. If setting values are specified locally or in policy properties of a nested hierarchy level for client devices within an administration group, the setting value specified in the policy properties is not applied.

In the web plug-in and in the MMC plug-in, the number of parameters with "locks" is different. The web plug-in includes "locks" that are not present in the MMC plug-in.

Using policy profiles allows you to flexibly configure operation settings for the application. A policy profile may contain settings that differ from the "base" policy settings and apply to client devices when the configured conditions (activation rules) are met. Using policy profiles allows you to flexibly configure operation settings for different devices. You can create and configure profiles in the Policy profiles section of the policy properties.

Profile settings that are locked with a "padlock" override policy settings. That is, if the profile setting locked with a "padlock" is different from the policy setting, the application applies the setting from the profile. However, lists of settings are merged, supplementing each other. That is, if the settings in the list from the profile are missing from the "basic" policy, they are added to the resulting list of settings.

However, some lists are not merged, in which case the settings from the profile override the settings of the "basic" policy:

  • Exclusions by process in the File Threat Protection and Behavior Detection components
  • Protection scopes in the File Threat Protection and Anti-Cryptor components
  • Monitoring scopes in the System Integrity Monitoring component
  • List of rules (in the Application Control rules window) in the Application Control component
  • Process memory exclusions in application settings
  • Trusted domains in network settings
  • Trusted root certificates in network settings
  • Monitored ports in network settings

After the policy is applied for the first time, the application settings change in accordance with the policy settings.

If the application is not running when the policy is deleted, after application is started, this policy continues to be applied on the device and the application continues to operate with the settings specified by this policy.

For more details about policies and policy profiles, refer to the Kaspersky Security Center Help system.

Page top
[Topic 264966]

Tasks for Kaspersky Embedded Systems Security created in Kaspersky Security Center

You can create the following types of tasks in Kaspersky Security Center for Kaspersky Embedded Systems Security:

  • local tasks to run on individual devices;
  • group tasks to run on devices within an administration group;
  • tasks for sets of devices to run on multiple devices, regardless of their inclusion in administration groups.

    The tasks for the sets of devices are performed only on the devices that are specified in the task settings. If new devices are added to the device selection for which the task is created, this task is not applied to the new devices. To apply the task to these computers, you must create a new task or edit the settings of the existing task.

You can create any number of group tasks, tasks for a sets of devices, or local tasks.

The tasks are executed only if Kaspersky Embedded Systems Security is running on the devices.

General information about tasks created in Kaspersky Security Center is provided in Kaspersky Security Center documentation.

The following tasks are provided for managing Kaspersky Embedded Systems Security in Kaspersky Security Center:

  • Malware Scan. During the task execution, the application scans the device areas that are specified in the task settings for viruses and other malware.
  • Critical Areas Scan. During the task execution, the application scans boot sectors, startup objects, process memory, and kernel memory.
  • Inventory. During the task execution, the application receives information about all executable files stored on the devices.
  • System Integrity Check. During the task execution, the application determines changes of each object by comparing the current state of the monitored object to its original state, which was previously established as a baseline.
  • Add Key. During the task execution, the application adds a key, including a reserve one, to activate the application.
  • Update. During the task execution, the application updates the databases in accordance with the configured update settings.
  • Rollback. During the task execution, the application rolls back the last database update.
Page top
[Topic 263939]

Logging in and out of the Web Console and Cloud Console

Kaspersky Security Center Web Console

To log in to the Web Console, you need to know the web address and the port number of the Administration Server specified during the Web Console installation (port 8080 is used by default). JavaScript must also be enabled in your browser.

To log in to Web Console:

  1. In your browser, go to the <Administration Server web address>:<port number> address.

    The login page is displayed.

  2. Enter the user name and password for your account.

    It is recommended to make sure that the password complexity and anti-bruteforce mechanisms ensure that the password cannot be guessed within 6 months.

  3. Click Log in.

    If the Administration Server is not responding, or if you enter incorrect credentials, an error message is displayed.

After logging in, a dashboard is displayed with the last language and theme used.

For more details about the Web Console interface, refer to Kaspersky Security Center documentation.

To log out of Web Console:

select <Account name>Exit in the lower left corner of the screen.

The Web Console is closed, and the login page is displayed.

Kaspersky Security Center Cloud Console

For the Kaspersky Security Center Cloud Console, use a web token to log in to your account on the Cloud Console portal.

For detailed information about Kaspersky Security Center Cloud Console, refer to the Kaspersky Security Center Cloud Console documentation.

Page top
[Topic 202114]

Managing policies in the Web Console

You can perform the following actions with the policies in the Web Console:

  • Create a policy.
  • Edit policy settings.

    If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.

  • Export and import policy settings.
  • Copy and move a policy.
  • Delete a policy.
  • Change a policy status.
  • Create policy profiles.

For general information about working with policies, refer to the Kaspersky Security Center Help system.

In this section

Creating a policy in the Web Console

Changing policy settings in the Web Console

Policy settings in the Web Console

Page top
[Topic 264229]

Creating a policy in the Web Console

To create a policy in the Web Console:

  1. In the main window of the Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies and policy profiles opens.

  2. Select the administration group containing the devices to which the policy should be applied. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select the administration group in the window that opens.
  3. Click Add.

    The Policy Wizard starts.

  4. In the displayed window, select an application name from the list.

    Proceed to the next step of the wizard.

  5. Decide whether you want to use Kaspersky Security Network. Carefully read the Kaspersky Security Network Statement and do one of the following:
    • If you agree with all the terms and conditions of the Statement and want the application to use Kaspersky Security Network, select I confirm that I have fully read, understand, and accept the terms and conditions of Kaspersky Security Network Statement.
    • If you do not want to use Kaspersky Security Network, select I do not accept the terms and conditions of the Kaspersky Security Network Statement and confirm your decision in the window that opens.

    Refusal to use Kaspersky Security Network does not interrupt the policy creation process. At any time, you can enable or disable use of Kaspersky Security Network or change the KSN mode for managed devices in the policy settings.

    Proceed to the next step of the wizard.

  6. The General tab of the new policy settings window opens. Specify a name for the new policy.

    You can also configure the following policy settings:

    • Policy status:
      • Active. The policy that is currently applied to the device. If this option is selected, this policy becomes active on the device upon the next device synchronization with the Administration Server. This option is selected by default.
      • Inactive. The policy that is not currently applied to the device. If this option is selected, the policy becomes inactive but remains in the Policies folder. You can activate the inactive policy later.
    • Policy settings inheritance:
      • Inherit settings from parent policy. If this option is enabled, the policy settings values are inherited from the upper-level group policy and, therefore, are locked. The check toggle button is switched on by default.
      • Enforce settings inheritance for child policies If this option is enabled, the settings values of the child policies are locked. The toggle button is switched off by default.

    For general information about the policy settings, refer to Kaspersky Security Center Help section.

  7. If you want to configure other policy settings, go to the Application settings tab and make the necessary changes.

    You can also change the policy settings later.

  8. Click Save.

The created policy will be displayed in the list of policies.

For general information about managing policies, please refer to the Kaspersky Security Center Help.

Page top
[Topic 264968]

Changing policy settings in the Web Console

To edit policy settings in the Web Console:

  1. In the main window of the Web Console, select Assets (Devices)Policies and policy profiles.

    The list of policies opens.

  2. Select the administration group containing the devices to which the policy is applied. To do so, click the link in the Current path field in the upper part of the window and select the administration group in the window that opens.

    The list displays the policies configured for the selected administration group.

  3. Click the name of the required policy in the list.

    The policy properties window opens.

  4. Modify the policy settings on the Application settings tab.
  5. Click the Save button to save the changes made.

The policy is saved with the updated settings.

Page top
[Topic 264319]

Policy settings in the Web Console

You can configure policy settings on the Application settings tab of the policy properties window.

Policy settings

Page top

[Topic 265040]

Managing policies in the Administration Console

You can perform the following actions with the policies in the Kaspersky Security Center Administration Console:

  • Create a policy.
  • Edit policy settings.

    If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.

  • Export and import policy settings.
  • Delete a policy.
  • Change a policy status.
  • Create policy profiles.

For general information about working with policies, please refer to the Kaspersky Security Center Help.

In this section

Creating a policy using the Administration Console

Changing policy settings in the Kaspersky Security Center Administration Console

Policy settings in the Administration Console

Page top
[Topic 264230]

Creating a policy using the Administration Console

To create a policy in the Administration Console:

  1. In the Administration Console tree, in the Managed devices folder, select the administration group containing the devices to which the policy should be applied.

    You can view the list of devices that are part of an administration group on the Devices tab of the folder with the name of this administration group.

  2. In the workspace, select the Policies tab.
  3. Click the New policy button to start the New policy wizard.

    You can also start the Wizard by clicking the CreatePolicy item in the context menu in the list of policies.

  4. In the first step of the Wizard, select Kaspersky Embedded Systems Security 3.4 for Linux from the list.

    Proceed to the next step of the wizard.

  5. Enter a name for the new policy.
  6. To use the settings from the previous version of Kaspersky Embedded Systems Security policy in the policy being created, select the Use policy settings for the earlier application version check box.

    Proceed to the next step of the wizard.

  7. Decide whether you want to use Kaspersky Security Network. Carefully read the Kaspersky Security Network Statement and do one of the following:
    • If you agree with all the terms and conditions of the Statement and want the application to use Kaspersky Security Network, select I confirm that I have fully read, understand, and accept the terms and conditions of Kaspersky Security Network Statement.
    • If you do not want to use Kaspersky Security Network, select I do not accept the terms and conditions of the Kaspersky Security Network Statement and confirm your decision in the window that opens.

    Refusal to use Kaspersky Security Network does not interrupt the policy creation process. At any time, you can enable or disable use of Kaspersky Security Network or change the KSN mode for managed devices in the policy settings.

    Proceed to the next step of the wizard.

  8. If necessary, configure the general settings for File Threat Protection.

    Proceed to the next step of the wizard.

  9. If necessary, edit the File Threat Protection settings that have been configured by default.

    Proceed to the next step of the wizard.

  10. If necessary, configure the exclusions from File Threat Protection.

    Proceed to the next step of the wizard.

  11. If necessary, modify the default actions for infected objects.

    Proceed to the next step of the wizard.

  12. Complete the New Policy Wizard.

The created policy is displayed in the list of policies of the administration group on the Policies tab and in the Policies folder of the console tree.

You can change the policy settings later. For general information about managing policies, refer to the Kaspersky Security Center Help system.

Page top
[Topic 264967]

Changing policy settings in the Kaspersky Security Center Administration Console

To edit policy settings in the Administration Console:

  1. In the tree of the Kaspersky Security Center Administration Console, in the Managed devices folder, open the folder with the name of the administration group that includes the required devices.
  2. In the workspace, select the Policies tab.
  3. In the list of policies, select the required policy and double-click it to open the Properties: <Policy name> window.

    You can also open the policy properties window by using the Properties item in the policy context menu or by clicking the Configure policy settings link located to the right of the list of policies in the section with the policy settings.

  4. Edit the policy settings.
  5. In the Properties: <Policy name> window, click OK to save the changes.
Page top
[Topic 264320]

Policy settings in the Administration Console

You can configure policy settings in the sections and subsections of the policy properties window. For information about configuring general policy settings and event settings, refer to Kaspersky Security Center Help section.

Policy settings

Page top

[Topic 264316]

Managing tasks in the Web Console

You can perform the following actions with the tasks for Kaspersky Embedded Systems Security in the Web Console:

  • Create new tasks.
  • Edit task settings.

    If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.

  • Start, stop, pause, and resume tasks.

    The Update task cannot be paused or resumed, it can only be started or stopped.

  • Export and import tasks.
  • Delete tasks.

In the list of tasks, you can monitor the task execution results: view the task status and the statistics for task performance on the devices. You can also create a selection of events to monitor the task execution (Monitoring and reportsEvent selections). For details on event selection, refer to Kaspersky Security Center documentation.

Task execution results are also saved locally on the device and in Kaspersky Security Center reports.

For general information about task management, refer to the Kaspersky Security Center Help system.

If the device is managed by a policy, it may not be possible to view and manage tasks created in Kaspersky Security Center using the command line or the graphical interface of the application.

In this section

Creating tasks in the Web Console

Changing task settings in the Web Console

Starting, stopping, pausing, and resuming tasks in the Web Console

Page top
[Topic 265019]

Creating tasks in the Web Console

To create a task for a group or set of devices in the Web Console:

  1. In the main window of the Web Console, select Assets (Devices)Tasks.

    The list of tasks opens.

  2. Click Add.

    The Task Wizard starts.

  3. In the first step of the Wizard, perform the following actions:
    1. In the Application drop-down list, select Kaspersky Embedded Systems Security 3.4 for Linux.
    2. In the Task type drop-down list, select the type of task that you want to create.
    3. In the Task name field, enter a name for the new task.
    4. In the Devices to which the task will be assigned section, select the method for defining the task scope. The task scope comprises the devices on which the task will be run:
      • Select the Assign task to an administration group option if the task is to be run on all devices included in a specific administration group.
      • Select the Specify device addresses manually, or import addresses from a list option if the task is to be run on the specified devices.
      • Select the Assign task to a device selection option if the task is to be run on devices included in the device selection according to a predefined criterion. For information on how to create a device selection, refer to the Kaspersky Security Center Help system.

    Proceed to the next step of the wizard.

  4. Depending on the selected method for defining the task scope, perform one of the following actions:
    • In the administration group tree, select the check boxes next to the required administration groups.
    • In the list of devices, select the check boxes next to the required devices. If the required devices are not listed, you can add them in the following ways:
      • Using the Add devices button. You can add devices by name or IP address, add devices from a specified IP range, or select devices from the list of devices detected by the Administration Server when polling the corporate LAN.
      • Using the Import devices from file button. For the import, a TXT file with a list of device addresses is used, where each address must be on a separate line.
    • From the list, select the name of the selection containing the required devices.

    Proceed to the next step of the wizard.

  5. To configure the task settings immediately after creation, in the last step of the Wizard, select the Open task properties window after creation check box. A task is created with the default settings.
  6. Complete the wizard.

A new task will be displayed in the list of tasks.

To create a local task in the Web Console:

  1. In the main window of the Web Console, select Assets (Devices)Managed devices.

    The list of managed devices opens.

  2. Select the administration group containing the necessary device. To do so, click the link in the Current path field above the list of managed devices and select an administration group in the window that opens.

    The list displays only the managed devices for the selected administration group.

  3. In the list, find the device for which you want to create a task and click the device name.
  4. This opens a managed device properties window; in that window, go to the Tasks tab.

    The list of tasks created for this device is displayed.

  5. Click Add.

    The Task Wizard starts.

  6. In the first step of the Wizard, perform the following actions:
    1. In the Application drop-down list, select Kaspersky Embedded Systems Security 3.4 for Linux.
    2. In the Task type drop-down list, select the type of task that you want to create.
    3. In the Task name field, enter a name for the new task.
  7. To configure the task settings immediately after creation, in the last step of the Wizard, select the Open task properties window after creation check box. A task is created with the default settings.
  8. Complete the wizard.

A new task will be displayed in the list of tasks.

Page top

[Topic 265044]

Changing task settings in the Web Console

To edit task settings in the Web Console:

  1. In the main window of the Web Console, select Assets (Devices)Tasks.

    The list of tasks opens.

  2. Do one of the following:
    • To edit the settings of a task that is run on all devices included in a specific administration group, click the link in the Current path field in the upper part of the window and select the administration group in the window that opens.

      The list displays only tasks configured for the selected administration group.

    • To edit the settings of a task that is run on one or multiple devices (a task for a set of devices), click the link in the Current path field in the upper part of the window and select the top node with the name of the Administration Server in the window that opens.

      The list displays all tasks created on the Administration Server.

  3. In the list of tasks, select the required task and open the task properties window by clicking the link in the task name.
  4. Configure the task settings:
    • On the General tab, you can edit the name of the task.
    • On the Application settings tab, you can configure specific task settings. The availability of configurable settings depends on the type of task.
    • On the Schedule tab, you can configure the task run schedule and additional settings for starting and stopping the task.

    The General, Results, Settings, Schedule, and Revision history tabs of the task properties window are standard for Kaspersky Security Center; for more details, refer to the Kaspersky Security Center Help system.

  5. Click the Save button to save the changes made.
Page top
[Topic 265045]

Starting, stopping, pausing, and resuming tasks in the Web Console

To start, stop, pause, or resume a task in the Web Console:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Tasks.

    The list of tasks opens.

  2. Do one of the following:
    • To start or stop a task that is run on all devices included in a specific administration group, click the link in the Current path field in the upper part of the window and select the administration group in the window that opens.

      The list displays only the tasks created for the selected administration group.

    • To start or stop a task that is run on one or multiple devices (a task for a set of devices), click the link in the Current path field in the upper part of the window and select the top node with the name of the Administration Server in the window that opens.

      The list displays all tasks created on the Administration Server.

  3. In the list of tasks, check the box next to the name of the required task and click the action button above the list of tasks.
Page top
[Topic 264981]

Managing tasks in the Administration Console

You can perform the following actions with the tasks for Kaspersky Embedded Systems Security in the Administration Console:

  • Create new tasks.
  • Edit task settings.

    If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.

  • Start, stop, pause, and resume tasks.

    The Update task cannot be paused or resumed, it can only be started or stopped.

  • Export and import tasks.
  • Delete tasks.

In the list of tasks, you can monitor the task execution results: view the task status and the statistics for task performance on the devices.

Information on the progress and results of task execution can be viewed in the list of events that Kaspersky Embedded Systems Security sends to the Kaspersky Security Center Administration Server (on the Events tab in the workspace of the Administration Server <server name> node). You can also create a selection of events to monitor the execution of tasks. For details on event selection, refer to Kaspersky Security Center documentation.

Task execution results are also saved locally on the device and in Kaspersky Security Center reports.

For general information about task management, refer to the Kaspersky Security Center Help system.

If the device is managed by a policy, it may not be possible to view and manage tasks created in Kaspersky Security Center using the command line or the graphical interface of the application.

In this section

Creating tasks in the Administration Console

Changing task settings in the Administration Console

Starting, stopping, pausing, and resuming tasks in the Administration Console

Page top
[Topic 264974]

Creating tasks in the Administration Console

To create a task for a group or set of devices in the Administration Console:

  1. In the Administration Console, perform one of the following actions:
    • To create a task that will be run on devices included in the selected administration group, select this administration group in the console tree in the Managed devices folder, then select the Tasks tab in the workspace and click the New task button.

      The New task wizard starts for devices of the selected administration group.

    • To create a task that will be performed on one or multiple devices (a task for a set of devices), select the Tasks folder in the console tree and click the New task button in the workspace.

      The New task wizard starts for the set of devices.

  2. At the first step of the wizard, select Kaspersky Embedded Systems Security 3.4 for Linux and the type of the task.

    Proceed to the next step of the wizard.

  3. If you are creating a task for a set of devices, the Wizard prompts you to define the task scope. The task scope comprises the devices on which the task will be run.
    1. Specify the method for defining the task scope: select devices from the list of devices detected by the Administration Server; set device addresses manually; import a list of devices from a file or specify a previously configured selection of devices (for more details, refer to the Kaspersky Security Center Help system).
    2. Depending on the method you have specified for defining the task scope, in the window that opens, perform one of the following actions:
      • In the list of detected devices, specify the devices on which the task will be run. To do so, select the check box in the list to the left of the device name.
      • Click the Add or Add IP range button and enter the device addresses manually.
      • Click the Import button and select the TXT file containing the list of device addresses in the window that opens.
      • Click the Browse button and, in the window that opens, specify the name of the selection containing the devices on which the task will be run.

    Proceed to the next step of the wizard.

  4. Configure the available task settings by following the instructions in the Wizard.
  5. Enter the name of the new task and proceed to the next step in the Wizard.
  6. To start the task immediately after the Wizard finishes, in the final step, select the Run task after the wizard finishes check box.
  7. Complete the wizard.

    A new task will be displayed in the list of tasks.

To create a local task in the Administration Console:

  1. In the Administration Console tree, in the Managed devices folder, select the administration group containing the necessary device.
  2. In the workspace, select the Devices tab.
  3. In the list of managed devices, select the required device and double-click it to open the Properties: <Task name> window.
  4. In the displayed window with the properties of the managed device, select the Tasks section.

    The list of tasks created for this device is displayed.

  5. Click Add.

    The Task Wizard starts.

  6. At the first step of the wizard, select Kaspersky Embedded Systems Security 3.4 for Linux and the type of the task.

    Proceed to the next step of the wizard.

  7. Enter a name for the new task and configure the available task settings following the instructions of the wizard.
  8. Complete the wizard.

    A new task will be displayed in the list of tasks.

Page top
[Topic 264980]

Changing task settings in the Administration Console

To edit task settings in the Administration Console:

  1. In the Administration Console, perform one of the following actions:
    • To edit the settings of a task that is run on devices included in the specified administration group, select this administration group in the console tree, then select the Tasks tab in the workspace.
    • To edit the settings of a task that is run on one or multiple devices (a task for a set of devices), select the Tasks folder in the console tree.
  2. In the list of tasks, select the required task and double-click it to open the Properties: <Task name> window.

    You can also open the task properties window using the Properties item in the task context menu.

  3. Edit the task settings. The availability of configurable settings depends on the type of task.

    The General, Notification, Schedule, and Revision history tabs of the task properties window are standard for Kaspersky Security Center; for more details, refer to the Kaspersky Security Center Help system.

  4. Click Apply or OK in the Properties: <Task name> window to save the changes made.
Page top
[Topic 265718]

Starting, stopping, pausing, and resuming tasks in the Administration Console

To start, stop, pause, or resume a task in the Administration Console:

  1. In the Administration Console, perform one of the following actions:
    • To start or stop a task that is run on devices included in the specified administration group, select this administration group in the console tree, then select the Tasks tab in the workspace.

      The list of tasks created for the selected administration group opens.

    • To start or stop a task that is run on one or multiple devices (a task for a set of devices), select the Tasks folder in the console tree.

      The list of all tasks created on the Administration Server opens.

  2. In the list of tasks, select the required task, open the context menu of the task, and select the action that you want to perform.
Page top
[Topic 265719]

Managing the application using the command line

Using the command line, you can install, uninstall, start, and stop Kaspersky Embedded Systems Security on the device, and also manage the application locally.

The functional components of the application are supported by Kaspersky Embedded Systems Security local tasks that run in the operating system. You can enable or disable functional components of the application on a device by starting or stopping Kaspersky Embedded Systems Security tasks in the command line. One-time device scans are also performed by starting Kaspersky Embedded Systems Security tasks. You can define the settings for functional components on the device and the device scan settings by configuring the Kaspersky Embedded Systems Security task settings.

In addition to the task settings, the following settings are provided for configuring the application:

On the command line, Kaspersky Embedded Systems Security can be managed using Kaspersky Embedded Systems Security management commands.

In this section

Enabling automatic addition of kess-control commands (bash completion)

Task management in the command line

Displaying task settings in the command line

Editing task settings in the command line

Configuring task schedule in the command line

Managing general application settings in the command line

Using filters to limit results of queries

Exporting and importing application settings

Managing user roles using the command line

Page top
[Topic 264003]

Enabling automatic addition of kess-control commands (bash completion)

Kess-control commands can be automatically added for the bash shell.

To enable automatic addition of kess-control commands in the current bash shell session, run the following command:

source /opt/kaspersky/kess/shared/bash_completion.sh

To enable automatic addition for all new bash shell sessions, run the following command:

echo "source /opt/kaspersky/kess/shared/bash_completion.sh" >> ~/.bashrc

Page top
[Topic 238601]

Task management in the command line

The following application tasks are provided for managing Kaspersky Embedded Systems Security using the command line:

  • File Threat Protection. This task allows you to enable or disable File Threat Protection in real time and defines the settings for the File Threat Protection component. The task starts automatically when the application starts.
  • Malware Scan. This task allows you to scan file system objects for malware on demand and defines the settings for the scan. You can use this task to perform a full or custom scan of the device.
  • Critical Areas Scan. This task allows you to run a critical areas scan of the operating system on demand and defines the settings for the scan.
  • Custom file scan. This task is designed for configuring and storing settings that are used when scanning the specified files and directories using the kess-control --scan-file command. As a result of the command execution, the application creates and starts a temporary file scan task.
  • Removable Drives Scan. This task allows you to monitor the connection of removable media to the device in real time and defines the settings of the Removable Drives Scan and the scan of its boot sectors for malware.
  • Web Threat Protection. This task allows you to enable or disable Web Threat Protection and defines the settings for the Web Threat Protection component.
  • Network Threat Protection. This task allows you to enable or disable Network Threat Protection and defines the settings for the Network Threat Protection component.
  • Anti-Cryptor. This task allows you to enable or disable the protection of files from remote malicious encryption and defines the settings for the Anti-Cryptor component.
  • Firewall Management. This task allows you to enable or disable firewall management and defines the network connection control settings on the device.
  • Application Control. This task allows you to enable or disable Application Control and defines the settings of the Application Control component.
  • Inventory. The task allows you to obtain information about all the application executable files stored on the device.
  • Device Control. This task allows you to enable or disable Device Control and defines the settings for the Device Control component. The task starts automatically when Kaspersky Embedded Systems Security starts.
  • Behavior Detection. This task allows you to monitor malicious activity of applications in the operating system. The task starts automatically when Kaspersky Embedded Systems Security starts.
  • System Integrity Monitoring. This task allows you to perform real-time monitoring of the actions performed with objects from the monitoring scope specified in the System Integrity Monitoring component settings.
  • System Integrity Check. This task allows you to check for changes in files and directories that you have included in the monitoring scope, by comparing the current state of the monitored object with a previously recorded state.
  • Licensing. This task provides the capability to activate an application installed on the device. The task starts automatically when the application starts, and it resides in the device operating memory. The task has no settings; license keys are managed using special management commands. The task cannot be started, stopped, or deleted.
  • Update. You can use this task to perform scheduled and on-demand application database and module updates and edit update settings.
  • Rollback. You can use this task to roll back the last update of application databases and modules.

Each application task has a name used on the command line, an ID, and a type (see the table below).

IDs are unique for all tasks, including deleted tasks. The application does not reuse the identifiers of the deleted tasks. The identifier of a new task is the next successive number to the identifier of the latest created task.

Task names are not case-sensitive.

During installation of the application, predefined tasks are created. These tasks cannot be deleted. Each predefined task has a name and ID.

Tasks that you create while working with the application are called user tasks. When you create the task, you specify the name for it. IDs for user tasks are defined and assigned by the application when the task is created. IDs for user tasks are starting from 100.

During operation, the application creates temporary scan tasks. Temporary task names and IDs are assigned by the application. Temporary tasks are automatically deleted when completed.

Application tasks

Task

Task name in command line

Task ID

Task type

File Threat Protection

File_Threat_Protection

1

OAS

Malware Scan

Scan_My_Computer

2

ODS

Malware Scan (user task)

user-defined

starting from 100

ODS

Custom file scan

Scan_File

3

ODS

Critical Areas Scan

Critical_Areas_Scan

4

ODS

Update

Update

6

Update

Update (user task)

user-defined

starting from 100

Update

Rollback

Rollback

7

Rollback

Rollback (user task)

user-defined

starting from 100

Rollback

Licensing

License

9

License

System Integrity Monitoring

System_Integrity_Monitoring

11

OAFIM

System Integrity Monitoring (user task)

user-defined

starting from 100

ODFIM

Firewall Management

Firewall_Management

12

Firewall

Anti-Cryptor

Anti_Cryptor

13

AntiCryptor

Web Threat Protection

Web_Threat_Protection

14

WTP

Device Control

Device_Control

15

DeviceControl

Removable Drives Scan

Removable_Drives_Scan

16

RDS

Network Threat Protection

Network_Threat_Protection

17

NTP

Behavior Detection

Behavior_Detection

20

BehaviorDetection

Application Control

Application_Control

21

AppControl

Inventory

Inventory_Scan

22

InventoryScan

Inventory (user task)

user-defined

starting from 100

InventoryScan

You can perform the following actions with tasks:

In this section

Viewing a list of tasks in the command line

Viewing the status of a task in the command line

Creating a task in the command line

Starting, stopping, pausing, and resuming tasks in the command line

Deleting a task in the command line

Page top
[Topic 264195]

Viewing a list of tasks in the command line

To view the list of application tasks, execute the following command:

kess-control --get-task-list [--json]

where:

--json – output format for the list of application tasks. If a file format is not specified, the output will be an INI file.

The list of Kaspersky Embedded Systems Security tasks will be displayed.

The following information will be displayed for each task:

  • Name: the task name
  • ID: the task ID
  • Type: the task type
  • State: the current state of the task

If the Kaspersky Security Center policy prohibits users from viewing and editing local tasks, information about the Scan_My_Computer, Critical_Areas_Scan, Inventory_Scan, Update, and Rollback tasks is not available.

Page top

[Topic 264317]

Viewing the status of a task in the command line

To view a task state, execute the following command:

kess-control --get-task-state <task ID/name> [--json]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --json is specified to output the settings in JSON format.

Application tasks can take the following main states:

  • Started—Task is running.
  • Starting—Task is being launched.
  • Stopped—Task has been stopped.
  • Stopping—Task is stopping.

The ODS, ODFIM, and InventoryScan tasks can also have one of the following states:

  • Pausing — Task is pausing.
  • Suspended — Task is suspended.
  • Resuming — Task is resuming.

Page top

[Topic 264963]

Creating a task in the command line

You can create the following types of tasks: ODS, Update, Rollback, ODFIM, and InventoryScan.

You can create tasks with default settings or with settings specified in a configuration file.

To create a task with default settings, execute the following command:

kess-control -create-task <task name> --type <task name>

where:

  • <task name> is the name that you specify for the new task.
  • <task type> is the identifier for the type of the created task.

To create a task with the settings specified in the configuration file, execute the following command:

kess-control --create-task <task name> --type <task type> --file <configuration file path> [--json]

where:

  • <task name> is the name that you specify for the new task.
  • <task type> is the identifier for the type of the created task.
  • <path to file> is the full path to the configuration file with the settings that will be used for creating the task.
  • --json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

Page top

[Topic 264321]

Starting, stopping, pausing, and resuming tasks in the command line

You can start and stop predefined and user tasks, except for tasks of the License type.

You can suspend and resume tasks of ODS, ODFIM, and InventoryScan types.

To start a task, execute the following command:

kess-control --start-task <task ID/name> [-W] [--progress]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • [-W] is a command used in conjunction with the task start command to enable the display of current events associated with this task.
  • Specify the [--progress] option if you want to display the progress of the task.

    Example:

    Start the task with ID 1 and enable the display of current events associated with the task:

    kess-control --start-task 1 -W

If an error occurs when starting a task and the task does not start, then after the application is restarted, an attempt is made to start the task again.

To stop a task, execute the following command:

kess-control --stop-task <task ID/name> [-W]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • [-W] is a command used in conjunction with the stop task command to enable the display of current events associated with this task.

To suspend a task, execute the following command:

kess-control --suspend-task <task ID/name>

To resume a task, execute the following command:

kess-control --resume-task <task ID/name>

Page top

[Topic 264322]

Deleting a task in the command line

You can delete only user tasks. Predefined tasks cannot be deleted.

To delete a task, execute the following command:

kess-control --delete-task <task ID/name>

where <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.

Page top
[Topic 264323]

Displaying task settings in the command line

You can display the current values of settings for all user tasks and all predefined tasks, except for Rollback and License tasks (these tasks have no settings).

You can output the current values of task settings to the console or to a configuration file that you can use to change task settings.

To output the current values of task settings to the console, execute the following command:

kess-control --get-settings <task ID/name> [--json]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

To output the current values of task settings to a configuration file, execute the following command:

kess-control --get-settings <task ID/name> --file <path to configuration file> [--json]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --file <configuration file path> is the path to the configuration file into which the task settings will be written. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
  • --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
Page top
[Topic 264157]

Editing task settings in the command line

You can edit the settings for all user tasks and all predefined tasks, except for Rollback and License tasks.

On the command line, you can edit the settings of tasks using the kess-control --set-settings command:

You can add or remove scan scopes and exclusion scopes using a configuration file that contains task settings or command line options. Configuring scan scopes and exclusion scopes is available for tasks with the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types.

In order to optimize the operation of scan tasks, it is recommended to add the path with snapshots mounted by the system in the read-only mode to the exclusions for the systems with the btrfs file system and enabled active snapshots. For example, for the systems based on SUSE/OpenSUSE, you can add the following exclusion for the path: /.snapshots/*/snapshot/.

For some tasks, separate management commands are also provided that allow you to edit task settings.

In this section

Editing task settings using a configuration file

Editing task settings using the command line options

Restoring default task settings in the command line

Page top
[Topic 265721]

Editing task settings using a configuration file

To edit values of task settings using a configuration file:

  1. Output the task settings to the configuration file using the command kess-control --get-settings.
  2. Open the configuration file and edit the values of the necessary settings.

    For tasks of the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types, you can add or remove scan scopes and exclusion scopes.

    If you want to add a scan scope, add a [ScanScope.item_ #] section with the following settings to the file:

    • AreaDesc is a description of the scan scope, which contains additional information about this scope.
    • UseScanArea enables scanning of the specified scope.
    • Path is a path to the directory with the objects to be scanned. You can specify a path to a local directory or enable scanning of remote directories mounted on a client device.
    • AreaMask.item_# is a limitation of the scan scope. You can specify a mask for the name of the files to be scanned. Scanning is enabled by default for all objects in the scan scope. You can specify multiple AreaMask.item_# items.

    If you want to add an exclusion scope, add an [ExcludedFromScanScope.item_#] section with the following settings to the file:

    • AreaDesc – a description of the exclusion scope, which contains additional information about the exclusion scope.
    • UseScanArea enables exclusion of the specified scope.
    • Path is a path to the directory with the objects to be excluded. You can specify a path to a local directory or exclude remote directories mounted on a client device. Possible values for the setting depend on the type of task.
    • AreaMask.item_# is a limitation of the exclusion scope. You can specify a mask for the name of the files that you want to exclude from the scan scope. By default, all objects in the scope are excluded.

      Example:

      [ExcludedFromScanScope.item_0000]

      AreaDesc=

      UseScanArea=Yes

      Path=/tmp/notchecked

      AreaMask.item_0000=*

    You can specify multiple [ScanScope.item_#] and [ExcludedFromScanScope.item_#] sections. The application processes the scopes by index in ascending order.

  3. Save the configuration file.
  4. Execute the command:

    kess-control --set-settings <task ID/name> --file <path to configuration file> [--json]

    where:

    • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
    • --file <configuration file path> is the full path to the configuration file from which the task settings will be imported.
    • Specify the --json option if you are importing settings from a JSON configuration file. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

All values of task settings defined in the file will be imported into the application.

If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Embedded Systems Security in the Application Control task settings, run the --set-settings command with the --accept option.

Page top
[Topic 197633]

Editing task settings using the command line options

Using the kess-control --set-settings command line options, you can edit individual values of task settings, as well as add or remove scan scopes and exclusion scopes for tasks of the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types.

Configuring individual task settings

To modify individual values of task settings using command line options, run the following command:

kess-control --set-settings <task ID/name> <setting name>=<setting value> [<setting name>=<setting value>]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • <setting name>=<setting value> is the name and value of one of the task settings. You can get the current values of task settings using the command for displaying task settings.

The values of the specified task settings will be changed.

If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Embedded Systems Security in the Application Control task settings, run the --set-settings command with the --accept option.

Adding and removing a scan scope

To add a scan scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --add-path <path>

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --add-path <path> adds the path to the directory with the objects to be scanned.

A new [ScanScope.item_#] section will be added to the task settings. The application scans the objects in the directory specified by the Path setting. The remaining settings of the scan scope take default values.

If the task settings already contain a [ScanScope.item_#] section with the specified value for the Path setting, a duplicate section is not added.

If the UseScanArea setting is set to No its value will change to Yes after this command is executed and the objects located in this directory will be scanned.

Example:

Adding a scan scope for a task with ID=100:

kess-control --set-settings 100 ScanScope.item_0001.UseScanArea=Yes ScanScope.item_0001.Path=/home

The following scan scope settings will be added to the task:

[ScanScope.item_0001]

AreaDesc=

UseScanArea=Yes

Path=/home

AreaMask.item_0000=*

To delete a scan scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --del-path <path>

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --del-path <path> deletes the path to the directory with the objects to be scanned.

The [ScanScope.item_#] section that contains the specified path will be deleted from the task settings. The application will not scan the objects in the specified directory.

Adding and removing an exclusion scope

To add an exclusion scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --add-exclusion <path>

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --add-exclusion <path> adds the path to the directory with the objects that you want to exclude from the scan.

A new [ExcludedFromScanScope.item_#] section will be added to the task settings. The application will exclude objects in the directory specified by the Path setting from scans. The remaining settings of the exclusion scope take default values.

If the task settings already contain an [ExcludedFromScanScope.item_#] section with the specified value for the Path setting, a duplicate section is not added.

If the UseScanArea setting is set to No its value will change to Yes after this command is executed and the objects located in this directory will be excluded from scans.

To delete an exclusion scope using command line options, run the following command:

kess-control --set-settings <task ID/name> --del-exclusion <path>

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --del-exclusion <path> deletes the path to the directory with the objects to be excluded.

The [ExcludedFromScanScope.item_#] section that contains the specified path will be deleted from the task settings. The application will not exclude the objects in the specified directory from the scan.

Page top
[Topic 197627]

Restoring default task settings in the command line

You can restore the default settings for all user tasks and all predefined tasks, except for tasks of the Rollback and License types (these tasks have no settings).

To reset task settings to their default values, execute the following command:

kess-control --set-settings <task ID/name> --set-to-default

where <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.

The application changes the setting values to their defaults.

Page top

[Topic 264194]

Configuring task schedule in the command line

You can configure the schedule for running the following types of tasks: ODS, Update, Rollback, ODFIM, and InventoryScan.

You can output the current values of the settings for the task run schedule to the console or to a configuration file.

To output the current settings for the task run schedule to the console, execute the following command:

kess-control --get-schedule <task ID/name> [--json]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

To output the current settings for the task run schedule to a configuration file, execute the following command:

kess-control --get-schedule <task ID/name> --file <path to configuration file> [--json]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • --file <path to configuration file> is the path to the configuration file in which the settings for the task run schedule will be output. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
  • --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

    Examples:

    Save the update task settings to a file named update_schedule.ini and save the created file in the current directory:

    kess-control --get-schedule 6 --file update_schedule.ini

    Display the update task schedule in the console:

    kess-control --get-schedule 6

You can edit the settings for the task run schedule in the following ways:

  • Import the settings from a configuration file that contains all schedule settings.
  • Using the command line, specify the individual settings for the task run schedule in the format <setting name >=<setting value >.

To edit the values of the settings for task run schedule using a configuration file, perform the following actions:

  1. Output the task settings to the configuration file using the kess-control --get-schedule command.
  2. Edit the values of the necessary settings in the file and save the changes.
  3. Execute the command:

    kess-control --set-schedule <task ID/name> --file <configuration file path> [--json]

    where:

    • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
    • --file <configuration file path> is the full path to the configuration file from which the task schedule settings will be imported.
    • --json: specify this option if you are importing settings from a configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

All values of the settings for the task run schedule defined in the file will be imported into the application.

Example:

Import the schedule settings from the configuration file named /home/test/on_demand_schedule.ini into the task with ID=2:

kess-control --set-schedule 2 --file /home/test/on_demand_schedule.ini

To edit the individual values of the settings for the task run schedule using the command line, execute the following command:

kess-control --set-schedule <task ID/name> <setting name>=<setting value> [<setting name>=<setting value>]

where:

  • <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  • <setting name>=<setting value> is the name and value of one of the settings for the task schedule.

The values of the specified settings for the task run schedule are modified.

Examples:

To schedule the task to start every ten hours, specify the following settings:

RuleType=Hourly

RunMissedStartRules=No

StartTime=2021/May/30 23:05:00;10

RandomInterval=0

To schedule the task to start every ten minutes, specify the following settings:

RuleType=Minutely

RunMissedStartRules=No

StartTime=23:10:00;10

RandomInterval=0

To schedule the task to start on the 15th of every month, specify the following settings:

RuleType=Monthly

RunMissedStartRules=No

StartTime=23:25:00;15

RandomInterval=0

To schedule the task to start on every Tuesday, specify the following settings:

RuleType=Weekly

StartTime=18:01:30;Tue

RandomInterval=99

RunMissedStartRules=No

To schedule the task to start every 11 days, specify the following settings:

RuleType=Daily

RunMissedStartRules=No

StartTime=23:15:00;11

RandomInterval=0

Page top

[Topic 264965]

Managing general application settings in the command line

General application settings define the operation of the application as a whole and the operation of individual functions.

You can manage general application settings using special management commands:

  • Output the current values of general application settings to the console or to a configuration file.
  • Edit general application settings using a configuration file containing all general settings, or using command line options in the <setting name>=<setting value> format.

Using general settings, you can:

In this section

Displaying general application settings

Editing general application settings

Page top
[Topic 264277]

Displaying general application settings

You can output the current values of general application settings to the console or to a configuration file that you can use to edit task settings.

To output the current values of general application settings to the console, execute the following command:

kess-control --get-app-settings [--json]

where --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

To output the current values of general application settings to a configuration file, execute the following command:

kess-control --get-app-settings --file <configuration file path> [--json]

where:

  • --file <configuration file path> is the path to the configuration file into which general settings of the application will be written. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
  • --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.

    Example:

    Display the general application settings to a file named kess_config.ini. Save the created file in the current directory:

    kess-control --get-app-settings --file kess_config.ini

Page top

[Topic 265722]

Editing general application settings

On the command line, you can edit the general application settings using the command kess-control --set-app-settings:

  • You can edit all general settings using the configuration file that contains the general application settings. You can get the configuration file using the command for displaying general settings.
  • You can edit individual settings using command line options in the <setting name>=<setting value> format. You can get the current values of general application settings using the command for displaying general settings.

To edit values of general application settings using a configuration file:

  1. Output the general application settings to a configuration file.
  2. Edit the values of the necessary parameters in the file and save the changes.
  3. Execute the command:

    kess-control --set-app-settings --file <path to configuration file> [--json]

    where:

    • --file <path to configuration file> is the full path to the configuration file with the general application settings.
    • --json: specify this option if you are importing settings from a configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

All the values of the general settings defined in the file will be imported into the application.

To edit general application settings using command line options, execute the following command:

kess-control --set-app-settings <setting name>=<setting value> [<setting name>=<setting value>]

where <setting name>=<setting value> is the name and value of one of the general application settings.

The values of the specified general settings will be changed.

Examples:

Import general settings into the application from the configuration file /home/test/kess_config.ini:

kess-control --set-app-settings --file /home/test/kess_config.ini

Set the detail level for the trace file to low:

kess-control --set-app-settings TraceLevel=NotDetailed

Add a mount point that you want to exclude from interception of file operations:

kess-control --set-app-settings ExcludedMountPoint.item_0000="/data"

Page top

[Topic 265724]

Using filters to limit results of queries

A filter allows you to limit the query results when executing application management commands.

Filter conditions are specified using one or more logical expressions, which are combined using the logical operator and. Filter conditions must be enclosed in quotation marks:

"<field> <comparison operator> '<value>'"

"<field> <comparison operator> '<value>' and <field> <comparison operator> '<value>'"

where:

  • <field> is the name of the field for the database.
  • <comparison operator> is one of the following comparison operators:
    • > is "greater than"
    • < is "less than"
    • like matches the specified value When specifying a value, you can use % masks: for example, the logical expression "FileName like '%etc%'" sets the limitation "contains the text "etc" in the FileName field"
    • == is "equal to"
    • != is "not equal to"
    • >= is "greater than or equal to"
    • <= is "less than or equal to"
  • <value> is the value of the field. The value must be enclosed in single quotation marks (').

    You can specify a date value as UNIX time (the number of seconds that have elapsed since 00:00:00 (UTC), January 1, 1970) or in YYYY-MM-DD hh:mm:ss format. The user specifies the date and time in the user's local time zone, and the application displays them in the same time zone.

You can use a filter in the following application management commands:

  • Display information about certain current events of the application:

    kess-control -W --query "<filter conditions>"

  • Display information about certain application events in the event log:

    kess-control -E --query "<filter conditions>"

  • Display information about certain objects in the Backup:

    kess-control -B --query "<filter conditions>"

  • Delete certain objects from the Backup:

    kess-control -B --mass-remove --query "<filter conditions>"

    Examples:

    Get information about events that contain the text "etc" in the FileName field:

    kess-control -E --query "FileName like '%etc%'"

    Display information about events with the ThreatDetected type:

    kess-control -E --query "EventType == 'ThreatDetected'"

    Display information about events with the ThreatDetected type, created by tasks of the ODS type:

    kess-control -E --query "EventType == 'ThreatDetected' and TaskType == 'ODS'"

    Get information about the events generated after the date specified in the UNIX time stamp system (the number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970):

    kess-control -E --query "Date > '1583425000'"

    Get information about the events generated after the date specified in YYYY-MM-DD hh:mm:ss format:

    kess-control -E --query "Date > '2022-12-22 18:52:45'"

    Get information about files in the Backup storage that have the High severity level:

    kess-control -B --query "DangerLevel == 'High'"

Page top

[Topic 264094]

Exporting and importing application settings

If Kaspersky Embedded Systems Security is managed via Kaspersky Security Center, importing settings is not supported.

Kaspersky Embedded Systems Security allows you to export and import all application settings for troubleshooting, verifying settings, or simplifying the application's configuration on other user devices. When exporting settings, all application settings (including encrypted connections scan settings, general application settings, and task settings) are saved in a configuration file. You can use this configuration file to import settings into the application.

The application must be launched when settings are imported or exported. After the settings are imported, the application must be restarted.

When importing or exporting settings from an older application version, new settings are set to default values. Importing settings to an older application version is not supported.

To export the application settings, execute the following command:

kess-control --export-settings --file <configuration file path> [--json]

where:

  • --file <configuration file path> is the full path to the configuration file where the application settings will be saved.
  • --json is specified to export the settings to the configuration file in JSON format. If the --json options is not specified, the settings will be exported to an INI file.

To import the application settings from the file, execute the following command:

kess-control --import-settings --file <configuration file path> [--json]

where:

  • --file <configuration file path> is the full path to the configuration file from which you want to import settings into the application.
  • --json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.

When you import application settings from a file, the UseKSN and CloudMode settings are set to No. To start or resume the use of Kaspersky Security Network, set the value of the UseKSN setting to Basic or Extended. To enable cloud mode, you must set the CloudMode setting to Yes. Cloud mode is available if use of KSN is enabled.

After application settings are imported, internal task IDs may change. It is recommended to use task names to manage tasks.

Page top

[Topic 265009]

Managing user roles using the command line

Access to Kaspersky Embedded Systems Security functions via the command line is provided to users in accordance with their roles. A role is a set of rights and privileges for managing the application.

The four groups of system users are created in the operating system: kessadmin, kessuser, kessaudit, and nokess. When you assign an application role to a system user, the user is added to the corresponding group of roles (see the Roles table below). When you revoke a role from a user, this user is removed from the corresponding group of roles.

If no application role is assigned to a system user, that user belongs to a separate group of users without rights.

Thus, the roles correspond to the four groups of operating system users:

  • kessadmin – the Administrator role
  • kessuser – the User role
  • kessaudit – the Auditor role
  • nokess is assigned to a user if no other roles are assigned. In this case, the user belongs to a separate group of users without privileges

    User roles

    Role name

    Role in application

    OS user

    Permissions

    Administrator

    admin

    kessadmin

    Manage application settings and task settings.

    Manage application licensing.

    Assigning roles to users.

    Revoking user roles (the administrator has no right to revoke the admin role from himself).

    View and manage users' Storages.

    User

    user

    kessuser

    Manage only user file scan tasks.

    Start and stop Update tasks.

    View reports for the tasks created by this user.

    View specific events that are common for all application users.

    Auditor

    audit

    kessaudit

    Viewing application settings

    View application status.

    View all tasks, their settings, and start schedules.

    View all events.

    View all objects in Backup.

    nokess

    No role is assigned in the application, no permissions.

In this section

Viewing a list of users and roles

Assigning a role to a user

Revoking a user role

Page top
[Topic 264128]

Viewing a list of users and roles

To view a list of users and their roles, execute the following command:

kess-control [-U] --get-user-list

Page top
[Topic 197944]

Assigning a role to a user

To assign a role to a specific user, execute the following command:

kess-control [-U] --grant-role <role> <user>

Example:

To assign the audit role to the user test15:

kess-control --grant-role audit test15

Page top

[Topic 197945]

Revoking a user role

To revoke a role from a specific user, execute the following command:

kess-control [-U] --revoke-role <role> <user>

Example:

To revoke the audit role from the user test15:

kess-control --revoke-role audit test15

Page top

[Topic 197946]