Contents
- Application management concept
- Managing the application using Kaspersky Security Center
- About Kaspersky Embedded Systems Security management plug-ins
- Kaspersky Security Center policies
- Tasks for Kaspersky Embedded Systems Security created in Kaspersky Security Center
- Logging in and out of the Web Console and Cloud Console
- Managing policies in the Web Console
- Managing policies in the Administration Console
- Managing tasks in the Web Console
- Managing tasks in the Administration Console
- Managing the application using the command line
- Enabling automatic addition of kess-control commands (bash completion)
- Task management in the command line
- Displaying task settings in the command line
- Editing task settings in the command line
- Configuring task schedule in the command line
- Managing general application settings in the command line
- Using filters to limit results of queries
- Exporting and importing application settings
- Managing user roles using the command line
Application management concept
To manage Kaspersky Embedded Systems Security, you can use:
The set of actions that you can perform using the Kaspersky Embedded Systems Security graphical user interface is limited.
This section describes the specifics of managing the application via Kaspersky Security Center and the command line, and also describes the main methods of working in the Kaspersky Security Center administration consoles and in the command line.
Managing the application using Kaspersky Security Center
Kaspersky Security Center allows you to remotely and centrally manage the operation of Kaspersky Embedded Systems Security on client devices. You can remotely install and uninstall, start, and stop Kaspersky Embedded Systems Security; configure settings for the application, as well as for the individual components and tasks of the application; and start and stop tasks on the managed devices.
You can use the following Kaspersky Security Center administration consoles to manage Kaspersky Embedded Systems Security via Kaspersky Security Center:
- Kaspersky Security Center Administration Console (hereinafter also referred to as Administration Console). This is a Microsoft Management Console (MMC) snap-in that is installed on the administrator's workstation and provides a user interface for the Administration Server and Network Agent administrative services.
The interface for managing Kaspersky Embedded Systems Security via the Kaspersky Security Center Administration Console is provided by the administration MMC plug-in (hereinafter also referred to as the "MMC plug-in").
This Help describes how to manage the Administration Console of Kaspersky Security Center 14.2 Windows.
- Kaspersky Security Center Web Console (hereinafter also referred to as Web Console). This is a web interface for managing a protection system based on Kaspersky applications. You can work in Kaspersky Security Center Web Console using a browser on any device that has access to the Administration Server.
The interface for managing Kaspersky Embedded Systems Security via the Kaspersky Security Center Web Console is provided by the administration web plug-in (hereinafter also simply referred to as web plug-in).
This Help describes how to manage the Web Console of Kaspersky Security Center 15.2 Linux.
- Kaspersky Security Center Cloud Console. This is a cloud-based administration console within the cloud version of the Kaspersky Security Center application, also known as the Kaspersky Security Center Cloud Console. The interface of the Cloud Console is similar to the Kaspersky Security Center Web Console interface. The interface for managing Kaspersky Embedded Systems Security via the Kaspersky Security Center Cloud Console is also provided by the web plug-in.
The MMC plug-in and web plug-in allow you to create policies and tasks in Kaspersky Security Center for managing the operation of Kaspersky Embedded Systems Security:
- A policy is a set of settings that is applied on all devices in an administration group. Policies allow you to apply identical application settings to all client devices within an administration group.
The Kaspersky Embedded Systems Security policy defines the general settings for the operation of Kaspersky Embedded Systems Security and the settings for the operation of individual functional components of the application on devices where the policy is applied.
- Tasks for Kaspersky Embedded Systems Security created in Kaspersky Security Center run on the protected devices and implement Kaspersky Embedded Systems Security functions such as on-demand scan, application activation, and updates to the databases and modules of the application.
In Kaspersky Security Center, you can create tasks to be performed on an individual device (local tasks), tasks for all devices in the administration group (group tasks), or tasks for a random selection of devices (tasks for sets of devices).
Regardless of the Kaspersky Security Center administration console that you use, you must assign the devices on which Kaspersky Embedded Systems Security is installed to administration groups in order to manage Kaspersky Embedded Systems Security on these devices using Kaspersky Security Center. You can create administration groups in Kaspersky Security Center before Kaspersky Embedded Systems Security installation and configure rules to automatically move the devices to administration groups. You can also manually move the devices to the administration groups after installing Kaspersky Embedded Systems Security (for details, refer to Kaspersky Security Center documentation).
About Kaspersky Embedded Systems Security management plug-ins
The following management plug-ins are required for managing Kaspersky Embedded Systems Security using Kaspersky Security Center:
- Kaspersky Embedded Systems Security administration web plug-in (hereinafter also referred to as the web plug-in) facilitates interaction between Kaspersky Embedded Systems Security and Kaspersky Security Center using Kaspersky Security Center Web Console and Kaspersky Security Center Cloud Console.
The web plug-in must be installed on the device that has Kaspersky Security Center Web Console installed. Management of Kaspersky Embedded Systems Security using the web plug-in is available to all administrators who have access to the Kaspersky Security Center Web Console in a browser.
- The Kaspersky Embedded Systems Security administration MMC plug-in (hereinafter also referred to as the MMC plug-in) facilitates interaction between Kaspersky Embedded Systems Security and Kaspersky Security Center using the Administration Console.
The MMC plug-in must be installed on the device where the Kaspersky Security Center Administration Console is installed.
The Kaspersky Embedded Systems Security management plug-ins let you manage Kaspersky Embedded Systems Security using policies and tasks.
For more details about administration plug-ins, refer to Kaspersky Security Center documentation.
Kaspersky Security Center policies
A policy is a set of Kaspersky Embedded Systems Security settings that are applied to all client devices included in the administration group.
Multiple policies with different values of the settings can be configured for a single application. However, there can be only one active policy at a time for an application within an administration group. When you create a new policy, all other policies within an administration group become inactive. You can change the policy status later.
Policies have a hierarchy, similarly to administration groups. By default, a child policy inherits the settings from the parent policy. A child policy is a policy of a nested hierarchy level, that is, a policy for nested administration groups and secondary Administration Servers. You can enable inheritance of the settings from the parent policy.
You can locally modify the values of the settings specified by the policy for individual devices within the administration group, if modification of these settings is not prohibited by the policy.
Each policy setting has a "lock" attribute that indicates whether child policy settings and local application settings can be modified. The "lock" status of a setting within policy properties determines whether or not an application setting on a client device can be edited:
- When a setting is "locked", you cannot edit its value locally or in the policies of the nested hierarchy level. The setting value specified by the policy is used for all client devices within the administration group and nested groups.
- When a setting is "unlocked", you can edit its value locally or in the policies of the nested hierarchy level. If setting values are specified locally or in policy properties of a nested hierarchy level for client devices within an administration group, the setting value specified in the policy properties is not applied.
In the web plug-in and in the MMC plug-in, the number of parameters with "locks" is different. The web plug-in includes "locks" that are not present in the MMC plug-in.
Using policy profiles allows you to flexibly configure operation settings for the application. A policy profile may contain settings that differ from the "base" policy settings and apply to client devices when the configured conditions (activation rules) are met. Using policy profiles allows you to flexibly configure operation settings for different devices. You can create and configure profiles in the Policy profiles section of the policy properties.
Profile settings that are locked with a "padlock" override policy settings. That is, if the profile setting locked with a "padlock" is different from the policy setting, the application applies the setting from the profile. However, lists of settings are merged, supplementing each other. That is, if the settings in the list from the profile are missing from the "base" policy, they are added to the resulting list of settings.
Some lists are not merged, in which case the settings from the profile override the settings of the "base" policy:
- Exclusions by process in the File Threat Protection and Behavior Detection components
- Protection scopes in the File Threat Protection and Anti-Cryptor components
- Monitoring scopes in the System Integrity Monitoring component
- List of rules (in the Application Control rules window) in the Application Control component
- Process memory exclusions in application settings
- Trusted domains in network settings
- Trusted root certificates in network settings
- Monitored ports in network settings
After the policy is applied for the first time, the application settings change in accordance with the policy settings.
If the application is not running when the policy is deleted, then after the application is started, this policy continues to be applied on the device and the application continues to operate with the settings specified by this policy.
For more details about policies and policy profiles, refer to the Kaspersky Security Center Help system.
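The lock and profile rules described above can be modelled to audit which values a device ends up with, and which base-policy list entries a profile silently drops. This is an added illustration, not Kaspersky code: the setting keys, the `Setting` type and the sample values are hypothetical, and the model assumes that unlocked profile settings are ignored and that a padlocked profile value stays locked in the result.

```python
from dataclasses import dataclass
from typing import Any

# Hypothetical keys standing in for the lists the page names as "not merged":
# for these, the profile's list replaces the base policy's list.
REPLACED_LISTS = frozenset({
    "file_threat_protection.process_exclusions",
    "behavior_detection.process_exclusions",
    "file_threat_protection.protection_scopes",
    "anti_cryptor.protection_scopes",
    "system_integrity_monitoring.monitoring_scopes",
    "application_control.rules",
    "general.process_memory_exclusions",
    "network.trusted_domains",
    "network.trusted_root_certificates",
    "network.monitored_ports",
})


@dataclass(frozen=True)
class Setting:
    value: Any
    locked: bool = False  # the "lock" / "padlock" attribute of a setting


def apply_profile(base, profile):
    """Return the policy settings in force once an active profile is overlaid."""
    result = dict(base)
    for key, prof in profile.items():
        if not prof.locked:
            continue  # assumption: only padlocked profile settings take part
        current = base.get(key)
        mergeable = (
            key not in REPLACED_LISTS
            and isinstance(prof.value, list)
            and current is not None
            and isinstance(current.value, list)
        )
        if mergeable:
            # Merged lists supplement each other: append what the base lacks.
            extra = [v for v in prof.value if v not in current.value]
            result[key] = Setting(current.value + extra, locked=True)
        else:
            # Scalars and "not merged" lists: the profile value wins outright.
            result[key] = Setting(prof.value, locked=True)
    return result


def dropped_by_profile(base, profile):
    """Report base-policy list entries that vanish because the profile replaces the list."""
    dropped = {}
    for key, prof in profile.items():
        if prof.locked and key in REPLACED_LISTS and key in base:
            missing = [v for v in base[key].value if v not in prof.value]
            if missing:
                dropped[key] = missing
    return dropped


def effective_on_device(policy, local):
    """Locked policy values are enforced; unlocked ones yield to a local value."""
    return {
        key: (local[key] if (not s.locked and key in local) else s.value)
        for key, s in policy.items()
    }


# Constructed sample data (not taken from a real policy export).
BASE = {
    "network.monitored_ports": Setting([80, 443, 8080], locked=True),
    "file_threat_protection.protection_scopes": Setting(["/"], locked=True),
    "scan.exclusion_masks": Setting(["*.iso"], locked=True),  # hypothetical merged list
    "scan.max_file_size_mb": Setting(64, locked=False),       # hypothetical scalar
}
PROFILE = {
    "network.monitored_ports": Setting([443], locked=True),
    "file_threat_protection.protection_scopes": Setting(["/srv/data"], locked=True),
    "scan.exclusion_masks": Setting(["*.bak"], locked=True),
    "scan.max_file_size_mb": Setting(16, locked=False),
}
LOCAL = {"scan.max_file_size_mb": 128, "network.monitored_ports": [1]}

if __name__ == "__main__":
    in_force = apply_profile(BASE, PROFILE)
    print("dropped by profile:", dropped_by_profile(BASE, PROFILE))
    print("effective on device:", effective_on_device(in_force, LOCAL))
```

In the sample, the profile narrows the protection scope from `/` to `/srv/data` and removes two monitored ports, which is the kind of coverage loss worth reviewing before a profile's activation rules go live.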
Tasks for Kaspersky Embedded Systems Security created in Kaspersky Security Center
You can create the following types of tasks in Kaspersky Security Center for Kaspersky Embedded Systems Security:
- local tasks to run on individual devices;
- group tasks to run on devices within an administration group;
- tasks for sets of devices to run on multiple devices, regardless of their inclusion in administration groups.
The tasks for the sets of devices are performed only on the devices that are specified in the task settings. If new devices are added to the device selection for which the task is created, this task is not applied to the new devices. To apply the task to these computers, you must create a new task or edit the settings of the existing task.
You can create any number of group tasks, tasks for sets of devices, or local tasks.
The tasks are executed only if Kaspersky Embedded Systems Security is running on the devices.
General information about tasks created in Kaspersky Security Center is provided in Kaspersky Security Center documentation.
The following tasks are provided for managing Kaspersky Embedded Systems Security in Kaspersky Security Center:
- Malware Scan. During the task execution, the application scans the device areas that are specified in the task settings for viruses and other malware.
- Critical Areas Scan. During the task execution, the application scans boot sectors, startup objects, process memory, and kernel memory.
- Inventory. During the task execution, the application receives information about all executable files stored on the devices.
- System Integrity Check. During the task execution, the application determines changes of each object by comparing the current state of the monitored object to its original state, which was previously established as a baseline.
- Add Key. During the task execution, the application adds a key, including a reserve one, to activate the application.
- Update. During the task execution, the application updates the databases in accordance with the configured update settings.
- Rollback. During the task execution, the application rolls back the last database update.
Logging in and out of the Web Console and Cloud Console
Kaspersky Security Center Web Console
To log in to the Web Console, you need to know the web address and the port number of the Administration Server specified during the Web Console installation (port 8080 is used by default). JavaScript must also be enabled in your browser.
To log in to Web Console:
- In your browser, go to the <Administration Server web address>:<port number> address.
The login page is displayed.
- Enter the user name and password for your account.
It is recommended to make sure that the password complexity and anti-bruteforce mechanisms ensure that the password cannot be guessed within 6 months.
- Click Log in.
If the Administration Server is not responding, or if you enter incorrect credentials, an error message is displayed.
After logging in, a dashboard is displayed with the last language and theme used.
For more details about the Web Console interface, refer to Kaspersky Security Center documentation.
To log out of Web Console:
Select <Account name> → Exit in the lower left corner of the screen.
The Web Console is closed, and the login page is displayed.
Kaspersky Security Center Cloud Console
For the Kaspersky Security Center Cloud Console, use a web token to log in to your account on the Cloud Console portal.
For detailed information about Kaspersky Security Center Cloud Console, refer to the Kaspersky Security Center Cloud Console documentation.
Managing policies in the Web Console
You can perform the following actions with the policies in the Web Console:
- Create a policy.
- Edit policy settings.
If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.
- Export and import policy settings.
- Copy and move a policy.
- Delete a policy.
- Change a policy status.
- Create policy profiles.
For general information about working with policies, refer to the Kaspersky Security Center Help system.
Creating a policy in the Web Console
To create a policy in the Web Console:
- In the main window of the Web Console, select Assets (Devices) → Policies and policy profiles.
A list of policies and policy profiles opens.
- Select the administration group containing the devices to which the policy should be applied. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select the administration group in the window that opens.
- Click Add.
The Policy Wizard starts.
- In the displayed window, select an application name from the list.
Proceed to the next step of the wizard.
- Decide whether you want to use Kaspersky Security Network. Carefully read the Kaspersky Security Network Statement and do one of the following:
- If you agree with all the terms and conditions of the Statement and want the application to use Kaspersky Security Network, select I confirm that I have fully read, understand, and accept the terms and conditions of Kaspersky Security Network Statement.
- If you do not want to use Kaspersky Security Network, select I do not accept the terms and conditions of the Kaspersky Security Network Statement and confirm your decision in the window that opens.
Refusal to use Kaspersky Security Network does not interrupt the policy creation process. At any time, you can enable or disable use of Kaspersky Security Network or change the KSN mode for managed devices in the policy settings.
Proceed to the next step of the wizard.
- The General tab of the new policy settings window opens. Specify a name for the new policy.
You can also configure the following policy settings:
- Policy status:
- Active. The policy that is currently applied to the device. If this option is selected, this policy becomes active on the device upon the next device synchronization with the Administration Server. This option is selected by default.
- Inactive. The policy that is not currently applied to the device. If this option is selected, the policy becomes inactive but remains in the Policies folder. You can activate the inactive policy later.
- Policy settings inheritance:
- Inherit settings from parent policy. If this option is enabled, the policy settings values are inherited from the upper-level group policy and, therefore, are locked. The toggle button is switched on by default.
- Enforce settings inheritance for child policies. If this option is enabled, the settings values of the child policies are locked. The toggle button is switched off by default.
For general information about the policy settings, refer to Kaspersky Security Center Help section.
- If you want to configure other policy settings, go to the Application settings tab and make the necessary changes.
You can also change the policy settings later.
- Click Save.
The created policy will be displayed in the list of policies.
For general information about managing policies, please refer to the Kaspersky Security Center Help.
Changing policy settings in the Web Console
To edit policy settings in the Web Console:
- In the main window of the Web Console, select Assets (Devices) → Policies and policy profiles.
The list of policies opens.
- Select the administration group containing the devices to which the policy is applied. To do so, click the link in the Current path field in the upper part of the window and select the administration group in the window that opens.
The list displays the policies configured for the selected administration group.
- Click the name of the required policy in the list.
The policy properties window opens.
- Modify the policy settings on the Application settings tab.
- Click the Save button to save the changes made.
The policy is saved with the updated settings.
Policy settings in the Web Console
You can configure policy settings on the Application settings tab of the policy properties window.
Policy settings
Section | Subsections |
---|---|
Essential Threat Protection | |
Advanced Threat Protection | |
Security Controls | |
Local Tasks | |
General settings | |
Managing policies in the Administration Console
You can perform the following actions with the policies in the Kaspersky Security Center Administration Console:
- Create a policy.
- Edit policy settings.
If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.
- Export and import policy settings.
- Delete a policy.
- Change a policy status.
- Create policy profiles.
For general information about working with policies, please refer to the Kaspersky Security Center Help.
Creating a policy using the Administration Console
To create a policy in the Administration Console:
- In the Administration Console tree, in the Managed devices folder, select the administration group containing the devices to which the policy should be applied.
You can view the list of devices that are part of an administration group on the Devices tab of the folder with the name of this administration group.
- In the workspace, select the Policies tab.
- Click the New policy button to start the New policy wizard.
You can also start the Wizard by clicking the Create → Policy item in the context menu in the list of policies.
- In the first step of the Wizard, select Kaspersky Embedded Systems Security 3.4 for Linux from the list.
Proceed to the next step of the wizard.
- Enter a name for the new policy.
- To use the settings from the previous version of Kaspersky Embedded Systems Security policy in the policy being created, select the Use policy settings for the earlier application version check box.
Proceed to the next step of the wizard.
- Decide whether you want to use Kaspersky Security Network. Carefully read the Kaspersky Security Network Statement and do one of the following:
- If you agree with all the terms and conditions of the Statement and want the application to use Kaspersky Security Network, select I confirm that I have fully read, understand, and accept the terms and conditions of Kaspersky Security Network Statement.
- If you do not want to use Kaspersky Security Network, select I do not accept the terms and conditions of the Kaspersky Security Network Statement and confirm your decision in the window that opens.
Refusal to use Kaspersky Security Network does not interrupt the policy creation process. At any time, you can enable or disable use of Kaspersky Security Network or change the KSN mode for managed devices in the policy settings.
Proceed to the next step of the wizard.
- If necessary, configure the general settings for File Threat Protection.
Proceed to the next step of the wizard.
- If necessary, edit the File Threat Protection settings that have been configured by default.
Proceed to the next step of the wizard.
- If necessary, configure the exclusions from File Threat Protection.
Proceed to the next step of the wizard.
- If necessary, modify the default actions for infected objects.
Proceed to the next step of the wizard.
- Complete the New Policy Wizard.
The created policy is displayed in the list of policies of the administration group on the Policies tab and in the Policies folder of the console tree.
You can change the policy settings later. For general information about managing policies, refer to the Kaspersky Security Center Help system.
Changing policy settings in the Kaspersky Security Center Administration Console
To edit policy settings in the Administration Console:
- In the tree of the Kaspersky Security Center Administration Console, in the Managed devices folder, open the folder with the name of the administration group that includes the required devices.
- In the workspace, select the Policies tab.
- In the list of policies, select the required policy and double-click it to open the Properties: <Policy name> window.
You can also open the policy properties window by using the Properties item in the policy context menu or by clicking the Configure policy settings link located to the right of the list of policies in the section with the policy settings.
- Edit the policy settings.
- In the Properties: <Policy name> window, click OK to save the changes.
Policy settings in the Administration Console
You can configure policy settings in the sections and subsections of the policy properties window. For information about configuring general policy settings and event settings, refer to Kaspersky Security Center Help section.
Policy settings
Section | Subsections |
---|---|
Essential Threat Protection | |
Advanced Threat Protection | |
Security Controls | |
Local Tasks | |
General settings | |
Managing tasks in the Web Console
You can perform the following actions with the tasks for Kaspersky Embedded Systems Security in the Web Console:
- Create new tasks.
- Edit task settings.
If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.
- Start, stop, pause, and resume tasks.
The Update task cannot be paused or resumed; it can only be started or stopped.
- Export and import tasks.
- Delete tasks.
In the list of tasks, you can monitor the task execution results: view the task status and the statistics for task performance on the devices. You can also create a selection of events to monitor the task execution (Monitoring and reports → Event selections). For details on event selection, refer to Kaspersky Security Center documentation.
Task execution results are also saved locally on the device and in Kaspersky Security Center reports.
For general information about task management, refer to the Kaspersky Security Center Help system.
If the device is managed by a policy, it may not be possible to view and manage tasks created in Kaspersky Security Center using the command line or the graphical interface of the application.
Creating tasks in the Web Console
To create a task for a group or set of devices in the Web Console:
- In the main window of the Web Console, select Assets (Devices) → Tasks.
The list of tasks opens.
- Click Add.
The Task Wizard starts.
- In the first step of the Wizard, perform the following actions:
- In the Application drop-down list, select Kaspersky Embedded Systems Security 3.4 for Linux.
- In the Task type drop-down list, select the type of task that you want to create.
- In the Task name field, enter a name for the new task.
- In the Devices to which the task will be assigned section, select the method for defining the task scope. The task scope comprises the devices on which the task will be run:
- Select the Assign task to an administration group option if the task is to be run on all devices included in a specific administration group.
- Select the Specify device addresses manually, or import addresses from a list option if the task is to be run on the specified devices.
- Select the Assign task to a device selection option if the task is to be run on devices included in the device selection according to a predefined criterion. For information on how to create a device selection, refer to the Kaspersky Security Center Help system.
Proceed to the next step of the wizard.
- Depending on the selected method for defining the task scope, perform one of the following actions:
- In the administration group tree, select the check boxes next to the required administration groups.
- In the list of devices, select the check boxes next to the required devices. If the required devices are not listed, you can add them in the following ways:
- Using the Add devices button. You can add devices by name or IP address, add devices from a specified IP range, or select devices from the list of devices detected by the Administration Server when polling the corporate LAN.
- Using the Import devices from file button. For the import, a TXT file with a list of device addresses is used, where each address must be on a separate line.
- From the list, select the name of the selection containing the required devices.
Proceed to the next step of the wizard.
- To configure the task settings immediately after creation, in the last step of the Wizard, select the Open task properties window after creation check box. A task is created with the default settings.
- Complete the wizard.
A new task will be displayed in the list of tasks.
To create a local task in the Web Console:
- In the main window of the Web Console, select Assets (Devices) → Managed devices.
The list of managed devices opens.
- Select the administration group containing the necessary device. To do so, click the link in the Current path field above the list of managed devices and select an administration group in the window that opens.
The list displays only the managed devices for the selected administration group.
- In the list, find the device for which you want to create a task and click the device name.
- In the managed device properties window that opens, go to the Tasks tab.
The list of tasks created for this device is displayed.
- Click Add.
The Task Wizard starts.
- In the first step of the Wizard, perform the following actions:
- In the Application drop-down list, select Kaspersky Embedded Systems Security 3.4 for Linux.
- In the Task type drop-down list, select the type of task that you want to create.
- In the Task name field, enter a name for the new task.
- To configure the task settings immediately after creation, in the last step of the Wizard, select the Open task properties window after creation check box. A task is created with the default settings.
- Complete the wizard.
A new task will be displayed in the list of tasks.
Changing task settings in the Web Console
To edit task settings in the Web Console:
- In the main window of the Web Console, select Assets (Devices) → Tasks.
The list of tasks opens.
- Do one of the following:
- To edit the settings of a task that is run on all devices included in a specific administration group, click the link in the Current path field in the upper part of the window and select the administration group in the window that opens.
The list displays only tasks configured for the selected administration group.
- To edit the settings of a task that is run on one or multiple devices (a task for a set of devices), click the link in the Current path field in the upper part of the window and select the top node with the name of the Administration Server in the window that opens.
The list displays all tasks created on the Administration Server.
- In the list of tasks, select the required task and open the task properties window by clicking the link in the task name.
- Configure the task settings:
- On the General tab, you can edit the name of the task.
- On the Application settings tab, you can configure specific task settings. The availability of configurable settings depends on the type of task.
- On the Schedule tab, you can configure the task run schedule and additional settings for starting and stopping the task.
The General, Results, Settings, Schedule, and Revision history tabs of the task properties window are standard for Kaspersky Security Center; for more details, refer to the Kaspersky Security Center Help system.
- Click the Save button to save the changes made.
Starting, stopping, pausing, and resuming tasks in the Web Console
To start, stop, pause, or resume a task in the Web Console:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Tasks.
The list of tasks opens.
- Do one of the following:
- To start or stop a task that is run on all devices included in a specific administration group, click the link in the Current path field in the upper part of the window and select the administration group in the window that opens.
The list displays only the tasks created for the selected administration group.
- To start or stop a task that is run on one or multiple devices (a task for a set of devices), click the link in the Current path field in the upper part of the window and select the top node with the name of the Administration Server in the window that opens.
The list displays all tasks created on the Administration Server.
- In the list of tasks, check the box next to the name of the required task and click the action button above the list of tasks.
Managing tasks in the Administration Console
You can perform the following actions with the tasks for Kaspersky Embedded Systems Security in the Administration Console:
- Create new tasks.
- Edit task settings.
If the user account which is used to access the Administration Server does not have permissions to edit the settings of certain functional scopes, the settings of these functional scopes are not available for editing.
- Start, stop, pause, and resume tasks.
The Update task cannot be paused or resumed; it can only be started or stopped.
- Export and import tasks.
- Delete tasks.
In the list of tasks, you can monitor the task execution results: view the task status and the statistics for task performance on the devices.
Information on the progress and results of task execution can be viewed in the list of events that Kaspersky Embedded Systems Security sends to the Kaspersky Security Center Administration Server (on the Events tab in the workspace of the Administration Server <server name> node). You can also create a selection of events to monitor the execution of tasks. For details on event selection, refer to Kaspersky Security Center documentation.
Task execution results are also saved locally on the device and in Kaspersky Security Center reports.
For general information about task management, refer to the Kaspersky Security Center Help system.
If the device is managed by a policy, it may not be possible to view and manage tasks created in Kaspersky Security Center using the command line or the graphical interface of the application.
Creating tasks in the Administration Console
To create a task for a group or set of devices in the Administration Console:
- In the Administration Console, perform one of the following actions:
- To create a task that will be run on devices included in the selected administration group, select this administration group in the console tree in the Managed devices folder, then select the Tasks tab in the workspace and click the New task button.
The New task wizard starts for devices of the selected administration group.
- To create a task that will be performed on one or multiple devices (a task for a set of devices), select the Tasks folder in the console tree and click the New task button in the workspace.
The New task wizard starts for the set of devices.
- At the first step of the wizard, select Kaspersky Embedded Systems Security 3.4 for Linux and the type of the task.
Proceed to the next step of the wizard.
- If you are creating a task for a set of devices, the Wizard prompts you to define the task scope. The task scope comprises the devices on which the task will be run.
- Specify the method for defining the task scope: select devices from the list of devices detected by the Administration Server; set device addresses manually; import a list of devices from a file or specify a previously configured selection of devices (for more details, refer to the Kaspersky Security Center Help system).
- Depending on the method you have specified for defining the task scope, in the window that opens, perform one of the following actions:
- In the list of detected devices, specify the devices on which the task will be run. To do so, select the check box in the list to the left of the device name.
- Click the Add or Add IP range button and enter the device addresses manually.
- Click the Import button and select the TXT file containing the list of device addresses in the window that opens.
- Click the Browse button and, in the window that opens, specify the name of the selection containing the devices on which the task will be run.
Proceed to the next step of the wizard.
- Configure the available task settings by following the instructions in the Wizard.
- Enter the name of the new task and proceed to the next step in the Wizard.
- To start the task immediately after the Wizard finishes, in the final step, select the Run task after the wizard finishes check box.
- Complete the wizard.
A new task will be displayed in the list of tasks.
To create a local task in the Administration Console:
- In the Administration Console tree, in the Managed devices folder, select the administration group containing the necessary device.
- In the workspace, select the Devices tab.
- In the list of managed devices, select the required device and double-click it to open the Properties: <Task name> window.
- In the displayed window with the properties of the managed device, select the Tasks section.
The list of tasks created for this device is displayed.
- Click Add.
The Task Wizard starts.
- At the first step of the wizard, select Kaspersky Embedded Systems Security 3.4 for Linux and the type of the task.
Proceed to the next step of the wizard.
- Enter a name for the new task and configure the available task settings following the instructions of the wizard.
- Complete the wizard.
A new task will be displayed in the list of tasks.
Changing task settings in the Administration Console
To edit task settings in the Administration Console:
- In the Administration Console, perform one of the following actions:
- To edit the settings of a task that is run on devices included in the specified administration group, select this administration group in the console tree, then select the Tasks tab in the workspace.
- To edit the settings of a task that is run on one or multiple devices (a task for a set of devices), select the Tasks folder in the console tree.
- In the list of tasks, select the required task and double-click it to open the Properties: <Task name> window.
You can also open the task properties window using the Properties item in the task context menu.
- Edit the task settings. The availability of configurable settings depends on the type of task.
The General, Notification, Schedule, and Revision history tabs of the task properties window are standard for Kaspersky Security Center; for more details, refer to the Kaspersky Security Center Help system.
- Click Apply or OK in the Properties: <Task name> window to save the changes made.
Starting, stopping, pausing, and resuming tasks in the Administration Console
To start, stop, pause, or resume a task in the Administration Console:
- In the Administration Console, perform one of the following actions:
- To start or stop a task that is run on devices included in the specified administration group, select this administration group in the console tree, then select the Tasks tab in the workspace.
The list of tasks created for the selected administration group opens.
- To start or stop a task that is run on one or multiple devices (a task for a set of devices), select the Tasks folder in the console tree.
The list of all tasks created on the Administration Server opens.
- In the list of tasks, select the required task, open the context menu of the task, and select the action that you want to perform.
Managing the application using the command line
Using the command line, you can install, uninstall, start, and stop Kaspersky Embedded Systems Security on the device, and also manage the application locally.
The functional components of the application are supported by Kaspersky Embedded Systems Security local tasks that run in the operating system. You can enable or disable functional components of the application on a device by starting or stopping Kaspersky Embedded Systems Security tasks in the command line. One-time device scans are also performed by starting Kaspersky Embedded Systems Security tasks. You can define the settings for functional components on the device and the device scan settings by configuring the Kaspersky Embedded Systems Security task settings.
In addition to the task settings, the following settings are provided for configuring the application:
- Encrypted connections scan settings.
- General application settings that define the operation of the application as a whole and the operation of individual functions.
On the command line, Kaspersky Embedded Systems Security can be managed using Kaspersky Embedded Systems Security management commands.
Enabling automatic addition of kess-control commands (bash completion)
Kess-control commands can be automatically added for the bash shell.
To enable automatic addition of kess-control commands in the current bash shell session, run the following command:
source /opt/kaspersky/kess/shared/bash_completion.sh
To enable automatic addition for all new bash shell sessions, run the following command:
echo "source /opt/kaspersky/kess/shared/bash_completion.sh" >> ~/.bashrc
Task management in the command line
The following application tasks are provided for managing Kaspersky Embedded Systems Security using the command line:
- File Threat Protection. This task allows you to enable or disable File Threat Protection in real time and defines the settings for the File Threat Protection component. The task starts automatically when the application starts.
- Malware Scan. This task allows you to scan file system objects for malware on demand and defines the settings for the scan. You can use this task to perform a full or custom scan of the device.
- Critical Areas Scan. This task allows you to run a critical areas scan of the operating system on demand and defines the settings for the scan.
- Custom file scan. This task is designed for configuring and storing settings that are used when scanning the specified files and directories using the kess-control --scan-file command. As a result of the command execution, the application creates and starts a temporary file scan task.
- Removable Drives Scan. This task allows you to monitor the connection of removable media to the device in real time and defines the settings of the Removable Drives Scan and the scan of its boot sectors for malware.
- Web Threat Protection. This task allows you to enable or disable Web Threat Protection and defines the settings for the Web Threat Protection component.
- Network Threat Protection. This task allows you to enable or disable Network Threat Protection and defines the settings for the Network Threat Protection component.
- Anti-Cryptor. This task allows you to enable or disable the protection of files from remote malicious encryption and defines the settings for the Anti-Cryptor component.
- Firewall Management. This task allows you to enable or disable firewall management and defines the network connection control settings on the device.
- Application Control. This task allows you to enable or disable Application Control and defines the settings of the Application Control component.
- Inventory. The task allows you to obtain information about all the application executable files stored on the device.
- Device Control. This task allows you to enable or disable Device Control and defines the settings for the Device Control component. The task starts automatically when Kaspersky Embedded Systems Security starts.
- Behavior Detection. This task allows you to monitor malicious activity of applications in the operating system. The task starts automatically when Kaspersky Embedded Systems Security starts.
- System Integrity Monitoring. This task allows you to perform real-time monitoring of the actions performed with objects from the monitoring scope specified in the System Integrity Monitoring component settings.
- System Integrity Check. This task allows you to check for changes in files and directories that you have included in the monitoring scope, by comparing the current state of the monitored object with a previously recorded state.
- Licensing. This task provides the capability to activate an application installed on the device. The task starts automatically when the application starts, and it resides in the device operating memory. The task has no settings; license keys are managed using special management commands. The task cannot be started, stopped, or deleted.
- Update. You can use this task to perform scheduled and on-demand application database and module updates and edit update settings.
- Rollback. You can use this task to roll back the last update of application databases and modules.
Each application task has a name used on the command line, an ID, and a type (see the table below).
IDs are unique for all tasks, including deleted tasks. The application does not reuse the identifiers of the deleted tasks. The identifier of a new task is the next successive number to the identifier of the latest created task.
Task names are not case-sensitive.
During installation of the application, predefined tasks are created. These tasks cannot be deleted. Each predefined task has a name and ID.
Tasks that you create while working with the application are called user tasks. When you create a task, you specify its name. IDs for user tasks are defined and assigned by the application when the task is created. IDs for user tasks start from 100.
During operation, the application creates temporary scan tasks. Temporary task names and IDs are assigned by the application. Temporary tasks are automatically deleted when completed.
Application tasks
Task | Task name in command line | Task ID | Task type
---|---|---|---
File Threat Protection | File_Threat_Protection | 1 | OAS
Malware Scan | Scan_My_Computer | 2 | ODS
Malware Scan (user task) | user-defined | starting from 100 | ODS
Custom file scan | Scan_File | 3 | ODS
Critical Areas Scan | Critical_Areas_Scan | 4 | ODS
Update | Update | 6 | Update
Update (user task) | user-defined | starting from 100 | Update
Rollback | Rollback | 7 | Rollback
Rollback (user task) | user-defined | starting from 100 | Rollback
Licensing | License | 9 | License
System Integrity Monitoring | System_Integrity_Monitoring | 11 | OAFIM
System Integrity Monitoring (user task) | user-defined | starting from 100 | ODFIM
Firewall Management | Firewall_Management | 12 | Firewall
Anti-Cryptor | Anti_Cryptor | 13 | AntiCryptor
Web Threat Protection | Web_Threat_Protection | 14 | WTP
Device Control | Device_Control | 15 | DeviceControl
Removable Drives Scan | Removable_Drives_Scan | 16 | RDS
Network Threat Protection | Network_Threat_Protection | 17 | NTP
Behavior Detection | Behavior_Detection | 20 | BehaviorDetection
Application Control | Application_Control | 21 | AppControl
Inventory | Inventory_Scan | 22 | InventoryScan
Inventory (user task) | user-defined | starting from 100 | InventoryScan
You can perform the following actions with tasks:
- Start and stop all predefined and user tasks except the License task.
- Suspend and resume ODS, ODFIM, and InventoryScan tasks.
- Create and delete user tasks. You can create the following types of tasks: ODS, Update, Rollback, ODFIM and InventoryScan.
- Change the settings for all user tasks and all predefined tasks, except for Rollback and License tasks.
- Configure the task start schedule.
Viewing a list of tasks in the command line
To view the list of application tasks, execute the following command:
kess-control --get-task-list [--json]
where:
- --json outputs the list of application tasks in JSON format. If the option is not specified, the list is output in INI format.
The list of Kaspersky Embedded Systems Security tasks will be displayed.
The following information will be displayed for each task:
- Name: the task name
- ID: the task ID
- Type: the task type
- State: the current state of the task
If the Kaspersky Security Center policy prohibits users from viewing and editing local tasks, information about the Scan_My_Computer, Critical_Areas_Scan, Inventory_Scan, Update, and Rollback tasks is not available.
Viewing the status of a task in the command line
To view a task state, execute the following command:
kess-control --get-task-state <task ID/name> [--json]
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- --json is specified to output the settings in JSON format.
Application tasks can take the following main states:
- Started: Task is running.
- Starting: Task is being launched.
- Stopped: Task has been stopped.
- Stopping: Task is stopping.
The ODS, ODFIM, and InventoryScan tasks can also have one of the following states:
- Pausing: Task is pausing.
- Suspended: Task is suspended.
- Resuming: Task is resuming.
Creating a task in the command line
You can create the following types of tasks: ODS, Update, Rollback, ODFIM, and InventoryScan.
You can create tasks with default settings or with settings specified in a configuration file.
To create a task with default settings, execute the following command:
kess-control --create-task <task name> --type <task type>
where:
- <task name> is the name that you specify for the new task.
- <task type> is the identifier for the type of the created task.
To create a task with the settings specified in the configuration file, execute the following command:
kess-control --create-task <task name> --type <task type> --file <configuration file path> [--json]
where:
- <task name> is the name that you specify for the new task.
- <task type> is the identifier for the type of the created task.
- <configuration file path> is the full path to the configuration file with the settings that will be used for creating the task.
- --json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
Starting, stopping, pausing, and resuming tasks in the command line
You can start and stop predefined and user tasks, except for tasks of the License type.
You can suspend and resume tasks of ODS, ODFIM, and InventoryScan types.
To start a task, execute the following command:
kess-control --start-task <task ID/name> [-W] [--progress]
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- [-W] is an option used in conjunction with the task start command to enable the display of current events associated with this task.
- Specify the [--progress] option if you want to display the progress of the task.
Example:
Start the task with ID 1 and enable the display of current events associated with the task:
kess-control --start-task 1 -W
If an error occurs when starting a task and the task does not start, then after the application is restarted, an attempt is made to start the task again.
To stop a task, execute the following command:
kess-control --stop-task <task ID/name> [-W]
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- [-W] is an option used in conjunction with the stop task command to enable the display of current events associated with this task.
To suspend a task, execute the following command:
kess-control --suspend-task <task ID/name>
To resume a task, execute the following command:
kess-control --resume-task <task ID/name>
Deleting a task in the command line
You can delete only user tasks. Predefined tasks cannot be deleted.
To delete a task, execute the following command:
kess-control --delete-task <task ID/name>
where <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
Displaying task settings in the command line
You can display the current values of settings for all user tasks and all predefined tasks, except for Rollback and License tasks (these tasks have no settings).
You can output the current values of task settings to the console or to a configuration file that you can use to change task settings.
To output the current values of task settings to the console, execute the following command:
kess-control --get-settings <task ID/name> [--json]
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
To output the current values of task settings to a configuration file, execute the following command:
kess-control --get-settings <task ID/name> --file <path to configuration file> [--json]
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- --file <path to configuration file> is the path to the configuration file into which the task settings will be written. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
- --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
Editing task settings in the command line
You can edit the settings for all user tasks and all predefined tasks, except for Rollback and License tasks.
On the command line, you can edit the settings of tasks using the kess-control --set-settings command:
- You can edit all task settings using the configuration file that contains the task settings. You can get the configuration file using the command for displaying task settings.
- You can edit individual task settings on the command line in the <setting name>=<setting value> format. You can get the current values of task settings using the command for displaying task settings.
- You can restore the task settings to their default values.
You can add or remove scan scopes and exclusion scopes using a configuration file that contains task settings or command line options. Configuring scan scopes and exclusion scopes is available for tasks with the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types.
To optimize the operation of scan tasks on systems that use the btrfs file system with active snapshots enabled, it is recommended to add the path where the system mounts snapshots in read-only mode to the exclusions. For example, for systems based on SUSE/OpenSUSE, you can add the following exclusion for the path: /.snapshots/*/snapshot/.
For some tasks, separate management commands are also provided that allow you to edit task settings.
Editing task settings using a configuration file
To edit values of task settings using a configuration file:
- Output the task settings to the configuration file using the command kess-control --get-settings.
- Open the configuration file and edit the values of the necessary settings.
For tasks of the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types, you can add or remove scan scopes and exclusion scopes.
If you want to add a scan scope, add a [ScanScope.item_#] section with the following settings to the file:
- AreaDesc is a description of the scan scope, which contains additional information about this scope.
- UseScanArea enables scanning of the specified scope.
- Path is a path to the directory with the objects to be scanned. You can specify a path to a local directory or enable scanning of remote directories mounted on a client device.
- AreaMask.item_# is a limitation of the scan scope. You can specify a mask for the name of the files to be scanned. Scanning is enabled by default for all objects in the scan scope. You can specify multiple AreaMask.item_# items.
If you want to add an exclusion scope, add an [ExcludedFromScanScope.item_#] section with the following settings to the file:
- AreaDesc is a description of the exclusion scope, which contains additional information about the exclusion scope.
- UseScanArea enables exclusion of the specified scope.
- Path is a path to the directory with the objects to be excluded. You can specify a path to a local directory or exclude remote directories mounted on a client device. Possible values for the setting depend on the type of task.
- AreaMask.item_# is a limitation of the exclusion scope. You can specify a mask for the name of the files that you want to exclude from the scan scope. By default, all objects in the scope are excluded.
Example:
[ExcludedFromScanScope.item_0000]
AreaDesc=
UseScanArea=Yes
Path=/tmp/notchecked
AreaMask.item_0000=*
You can specify multiple [ScanScope.item_#] and [ExcludedFromScanScope.item_#] sections. The application processes the scopes by index in ascending order.
- Save the configuration file.
- Execute the command:
kess-control --set-settings <task ID/name> --file <path to configuration file> [--json]
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- --file <path to configuration file> is the full path to the configuration file from which the task settings will be imported.
- Specify the --json option if you are importing settings from a JSON configuration file. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
All values of task settings defined in the file will be imported into the application.
If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Embedded Systems Security in the Application Control task settings, run the --set-settings command with the --accept option.
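Before importing an edited file, it is worth reviewing which exclusion scopes it contains. The script below is an added example, not part of the Kaspersky documentation or tooling: it reads an INI settings file exported with kess-control --get-settings and lists every [ExcludedFromScanScope.item_#] section. The sample settings are constructed, and the REVIEW rule (an enabled exclusion that covers every file under / or under a world-writable directory such as /tmp, /var/tmp or /dev/shm) is an assumption of this example, not an application rule.

```shell
#!/bin/sh
# Added example (not vendor code): list the exclusion scopes found in an INI
# file written by `kess-control --get-settings <task ID/name> --file <path>`.

# Constructed sample; section and key names follow the documentation above.
sample_settings() {
cat <<'EOF'
[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*
[ExcludedFromScanScope.item_0000]
AreaDesc=
UseScanArea=Yes
Path=/tmp/notchecked
AreaMask.item_0000=*
[ExcludedFromScanScope.item_0001]
AreaDesc=btrfs snapshots
UseScanArea=Yes
Path=/.snapshots/*/snapshot/
AreaMask.item_0000=*
[ExcludedFromScanScope.item_0002]
AreaDesc=old build logs
UseScanArea=No
Path=/var/tmp/build
AreaMask.item_0000=*.log
[ExcludedFromScanScope.item_0003]
AreaDesc=database dumps
UseScanArea=Yes
Path=/tmp/dumps
AreaMask.item_0000=*.sql
AreaMask.item_0001=*.dump
EOF
}

# Reads INI text on stdin, prints: section <TAB> path <TAB> masks <TAB> verdict
#   disabled  UseScanArea=No
#   REVIEW    enabled and excludes every file ("*" or no mask) under "/" or a
#             world-writable directory (the directory list is an assumption)
#   ok        anything else
audit_exclusions() {
    awk '
    function risky_path(p,   n, i, d) {
        sub(/\/+$/, "", p)               # "/tmp/x/" -> "/tmp/x", "/" -> ""
        if (p == "") return 1            # whole file system, or no Path key
        n = split("/tmp /var/tmp /dev/shm", d, " ")
        for (i = 1; i <= n; i++)
            if (p == d[i] || index(p, d[i] "/") == 1) return 1
        return 0
    }
    function emit(   verdict, all) {
        if (item == "") return
        if (masks == "") masks = "*"     # no mask: all objects in the scope are excluded
        all = (("," masks ",") ~ /,\*,/)
        if (tolower(use) == "no") verdict = "disabled"
        else if (all && risky_path(path)) verdict = "REVIEW"
        else verdict = "ok"
        printf "%s\t%s\t%s\t%s\n", item, path, masks, verdict
        item = ""; use = ""; path = ""; masks = ""
    }
    { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    /^\[/ {
        emit()                           # a new section closes the previous one
        if ($0 ~ /^\[ExcludedFromScanScope\.item_[0-9]+\]$/)
            item = substr($0, 2, length($0) - 2)
        next
    }
    item != "" && index($0, "=") > 0 {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        if (key == "UseScanArea") use = val
        else if (key == "Path") path = val
        else if (key ~ /^AreaMask\.item_[0-9]+$/)
            masks = (masks == "" ? val : masks "," val)
    }
    END { emit() }
    '
}

# Number of exclusion scopes on stdin that need a manual review.
review_count() {
    audit_exclusions | awk -F '\t' '$4 == "REVIEW"' | wc -l | tr -d ' '
}

# Usage: sh audit_exclusions.sh exported.ini   (no argument: audit the sample)
if [ $# -gt 0 ]; then audit_exclusions < "$1"; else sample_settings | audit_exclusions; fi
```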
Editing task settings using the command line options
Using the kess-control --set-settings command line options, you can edit individual values of task settings, as well as add or remove scan scopes and exclusion scopes for tasks of the OAS, ODS, OAFIM, ODFIM, and AntiCryptor types.
Configuring individual task settings
To modify individual values of task settings using command line options, run the following command:
kess-control --set-settings <task ID/name> <setting name>=<setting value> [<setting name>=<setting value>]
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- <setting name>=<setting value> is the name and value of one of the task settings. You can get the current values of task settings using the command for displaying task settings.
The values of the specified task settings will be changed.
If you change the allowlist, or prohibit launch of all applications or applications that affect the operation of Kaspersky Embedded Systems Security in the Application Control task settings, run the --set-settings command with the --accept option.
Adding and removing a scan scope
To add a scan scope using command line options, run the following command:
kess-control --set-settings <task ID/name> --add-path <path>
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- --add-path <path> adds the path to the directory with the objects to be scanned.
A new [ScanScope.item_#] section will be added to the task settings. The application scans the objects in the directory specified by the Path setting. The remaining settings of the scan scope take default values.
If the task settings already contain a [ScanScope.item_#] section with the specified value for the Path setting, a duplicate section is not added.
If the UseScanArea setting is set to No, its value will change to Yes after this command is executed, and the objects located in this directory will be scanned.
Example: Adding a scan scope for a task with ID=100:
The following scan scope settings will be added to the task:
To delete a scan scope using command line options, run the following command:
kess-control --set-settings <task ID/name> --del-path <path>
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- --del-path <path> deletes the path to the directory with the objects to be scanned.
The [ScanScope.item_#] section that contains the specified path will be deleted from the task settings. The application will not scan the objects in the specified directory.
Adding and removing an exclusion scope
To add an exclusion scope using command line options, run the following command:
kess-control --set-settings <task ID/name> --add-exclusion <path>
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- --add-exclusion <path> adds the path to the directory with the objects that you want to exclude from the scan.
A new [ExcludedFromScanScope.item_#] section will be added to the task settings. The application will exclude objects in the directory specified by the Path setting from scans. The remaining settings of the exclusion scope take default values.
If the task settings already contain an [ExcludedFromScanScope.item_#] section with the specified value for the Path setting, a duplicate section is not added.
If the UseScanArea setting is set to No, its value will change to Yes after this command is executed, and the objects located in this directory will be excluded from scans.
To delete an exclusion scope using command line options, run the following command:
kess-control --set-settings <task ID/name> --del-exclusion <path>
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- --del-exclusion <path> deletes the path to the directory with the objects to be excluded.
The [ExcludedFromScanScope.item_#] section that contains the specified path will be deleted from the task settings. The application will not exclude the objects in the specified directory from the scan.
Restoring default task settings in the command line
You can restore the default settings for all user tasks and all predefined tasks, except for tasks of the Rollback and License types (these tasks have no settings).
To reset task settings to their default values, execute the following command:
kess-control --set-settings <task ID/name> --set-to-default
where <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
The application changes the setting values to their defaults.
Configuring task schedule in the command line
You can configure the schedule for running the following types of tasks: ODS, Update, Rollback, ODFIM, and InventoryScan.
You can output the current values of the settings for the task run schedule to the console or to a configuration file.
To output the current settings for the task run schedule to the console, execute the following command:
kess-control --get-schedule <task ID/name> [--json]
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
To output the current settings for the task run schedule to a configuration file, execute the following command:
kess-control --get-schedule <task ID/name> --file <path to configuration file> [--json]
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- --file <path to configuration file> is the path to the configuration file in which the settings for the task run schedule will be output. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
- --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
Examples:
Save the update task settings to a file named update_schedule.ini and save the created file in the current directory:
kess-control --get-schedule 6 --file update_schedule.ini
Display the update task schedule in the console:
kess-control --get-schedule 6
You can edit the settings for the task run schedule in the following ways:
- Import the settings from a configuration file that contains all schedule settings.
- Using the command line, specify the individual settings for the task run schedule in the format <setting name>=<setting value>.
To edit the values of the settings for task run schedule using a configuration file, perform the following actions:
- Output the task settings to the configuration file using the kess-control --get-schedule command.
- Edit the values of the necessary settings in the file and save the changes.
- Execute the command:
  kess-control --set-schedule <task ID/name> --file <configuration file path> [--json]
  where:
  - <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
  - --file <configuration file path> is the full path to the configuration file from which the task schedule settings will be imported.
  - --json: specify this option if you are importing settings from a configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
All values of the settings for the task run schedule defined in the file will be imported into the application.
Example:
Import the schedule settings from the configuration file named /home/test/on_demand_schedule.ini into the task with ID=2:
To edit the individual values of the settings for the task run schedule using the command line, execute the following command:
kess-control --set-schedule <task ID/name> <setting name>=<setting value> [<setting name>=<setting value>]
where:
- <task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
- <setting name>=<setting value> is the name and value of one of the settings for the task schedule.
The values of the specified settings for the task run schedule are modified.
Examples:
To schedule the task to start every ten hours, specify the following settings:
To schedule the task to start every ten minutes, specify the following settings:
To schedule the task to start on the 15th of every month, specify the following settings:
To schedule the task to start on every Tuesday, specify the following settings:
To schedule the task to start every 11 days, specify the following settings:
Managing general application settings in the command line
General application settings define the operation of the application as a whole and the operation of individual functions.
You can manage general application settings using special management commands:
- Output the current values of general application settings to the console or to a configuration file.
- Edit general application settings using a configuration file containing all general settings, or using command line options in the <setting name>=<setting value> format.
Using general settings, you can:
- Configure the use of Kaspersky Security Network and the light version of anti-malware databases in the application.
- Configure the use of a proxy server in the application.
- Select the file operation interception mode (block or do not block files during a scan).
- Configure exclusions from the mount points scan (global exclusions).
- Configure exclusions from the process memory scan.
- Enable or disable the detection of legitimate applications that intruders can use to compromise devices or data.
- Configure the use of event logs.
- Configure a limit on CPU resource usage by scan tasks (of the ODS type).
- Limit the number of user scan tasks that a non-privileged user can start simultaneously.
Displaying general application settings
You can output the current values of general application settings to the console or to a configuration file that you can use to edit task settings.
To output the current values of general application settings to the console, execute the following command:
kess-control --get-app-settings [--json]
where --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
To output the current values of general application settings to a configuration file, execute the following command:
kess-control --get-app-settings --file <configuration file path> [--json]
where:
- --file <configuration file path> is the path to the configuration file into which general settings of the application will be written. If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, the configuration file will not be created.
- --json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
Example:
Output the general application settings to a file named kess_config.ini and save the created file in the current directory:
kess-control --get-app-settings --file kess_config.ini
Editing general application settings
On the command line, you can edit the general application settings using the command kess-control --set-app-settings:
- You can edit all general settings using the configuration file that contains the general application settings. You can get the configuration file using the command for displaying general settings.
- You can edit individual settings using command line options in the <setting name>=<setting value> format. You can get the current values of general application settings using the command for displaying general settings.
To edit values of general application settings using a configuration file:
- Output the general application settings to a configuration file.
- Edit the values of the necessary parameters in the file and save the changes.
- Execute the command:
  kess-control --set-app-settings --file <path to configuration file> [--json]
  where:
  - --file <path to configuration file> is the full path to the configuration file with the general application settings.
  - --json: specify this option if you are importing settings from a configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
All the values of the general settings defined in the file will be imported into the application.
To edit general application settings using command line options, execute the following command:
kess-control --set-app-settings <setting name>=<setting value> [<setting name>=<setting value>]
where <setting name>=<setting value> is the name and value of one of the general application settings.
The values of the specified general settings will be changed.
Examples:
Import general settings into the application from the configuration file /home/test/kess_config.ini:
Set the detail level for the trace file to low:
Add a mount point that you want to exclude from interception of file operations:
Using filters to limit results of queries
A filter allows you to limit the query results when executing application management commands.
Filter conditions are specified using one or more logical expressions, which are combined using the logical operator and. Filter conditions must be enclosed in quotation marks:
"<field> <comparison operator> '<value>'"
"<field> <comparison operator> '<value>' and <field> <comparison operator> '<value>'"
where:
- <field> is the name of the database field.
- <comparison operator> is one of the following comparison operators:
  - > is "greater than"
  - < is "less than"
  - like matches the specified value. When specifying a value, you can use % masks: for example, the logical expression "FileName like '%etc%'" sets the limitation "contains the text "etc" in the FileName field"
  - == is "equal to"
  - != is "not equal to"
  - >= is "greater than or equal to"
  - <= is "less than or equal to"
- <value> is the value of the field. The value must be enclosed in single quotation marks (').
You can specify a date value as UNIX time (the number of seconds that have elapsed since 00:00:00 (UTC), January 1, 1970) or in YYYY-MM-DD hh:mm:ss format. The user specifies the date and time in the user's local time zone, and the application displays them in the same time zone.
You can use a filter in the following application management commands:
- Display information about certain current events of the application:
  kess-control -W --query "<filter conditions>"
- Display information about certain application events in the event log:
  kess-control -E --query "<filter conditions>"
- Display information about certain objects in the Backup:
  kess-control -B --query "<filter conditions>"
- Delete certain objects from the Backup:
  kess-control -B --mass-remove --query "<filter conditions>"
Examples:
Get information about events that contain the text "etc" in the FileName field:
kess-control -E --query "FileName like '%etc%'"
Display information about events with the ThreatDetected type:
kess-control -E --query "EventType == 'ThreatDetected'"
Display information about events with the ThreatDetected type, created by tasks of the ODS type:
kess-control -E --query "EventType == 'ThreatDetected' and TaskType == 'ODS'"
Get information about the events generated after the date specified in the UNIX time stamp system (the number of seconds that have elapsed since 00:00:00 (UTC), 1 January 1970):
kess-control -E --query "Date > '1583425000'"
Get information about the events generated after the date specified in YYYY-MM-DD hh:mm:ss format:
kess-control -E --query "Date > '2022-12-22 18:52:45'"
Get information about files in the Backup storage that have the High severity level:
kess-control -B --query "DangerLevel == 'High'"
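The filter syntax above nests single-quoted values inside a double-quoted shell argument, which is easy to get wrong when a value comes from a script variable. The following is an added example, not part of the product documentation: the function names are hypothetical, and the restriction of field names to letters, digits and underscores is an assumption based on the fields shown on this page. It only builds and prints the command line.

```bash
#!/usr/bin/env bash
# Added example: compose a kess-control --query filter from FIELD OP VALUE triples.

# kess_filter FIELD OP VALUE [FIELD OP VALUE ...]
# Joins the conditions with "and" and wraps every value in single quotes.
kess_filter() {
    local out field op value
    out=""
    if [ $# -eq 0 ] || [ $(( $# % 3 )) -ne 0 ]; then
        echo "usage: kess_filter FIELD OP VALUE [FIELD OP VALUE ...]" >&2
        return 2
    fi
    while [ $# -gt 0 ]; do
        field=$1; op=$2; value=$3
        shift 3
        case $field in   # assumption: field names look like FileName, EventType, Date
            ''|*[!A-Za-z0-9_]*) echo "bad field name: $field" >&2; return 1 ;;
        esac
        case $op in
            '>'|'<'|'=='|'!='|'>='|'<='|like) ;;   # operators listed on this page
            *) echo "bad operator: $op" >&2; return 1 ;;
        esac
        # A quote inside the value would end the quoted value early and change
        # the meaning of the filter, so refuse it instead of guessing an escape.
        case $value in
            *\'*|*\"*) echo "quote character in value" >&2; return 1 ;;
        esac
        out="${out:+$out and }$field $op '$value'"
    done
    printf '%s\n' "$out"
}

# threat_query_since EPOCH: command line listing ThreatDetected events newer than EPOCH.
threat_query_since() {
    local since filter
    since=$1
    case $since in
        ''|*[!0-9]*) echo "expected UNIX time in seconds" >&2; return 1 ;;
    esac
    filter=$(kess_filter EventType '==' ThreatDetected Date '>' "$since") || return 1
    printf 'kess-control -E --query "%s"\n' "$filter"
}

# Demo: print the command for the UNIX time used in the page's own example.
threat_query_since 1583425000
```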
Exporting and importing application settings
If Kaspersky Embedded Systems Security is managed via Kaspersky Security Center, importing settings is not supported.
Kaspersky Embedded Systems Security allows you to export and import all application settings for troubleshooting, verifying settings, or simplifying the application's configuration on other user devices. When exporting settings, all application settings (including encrypted connections scan settings, general application settings, and task settings) are saved in a configuration file. You can use this configuration file to import settings into the application.
The application must be launched when settings are imported or exported. After the settings are imported, the application must be restarted.
When importing or exporting settings from an older application version, new settings are set to default values. Importing settings to an older application version is not supported.
To export the application settings, execute the following command:
kess-control --export-settings --file <configuration file path> [--json]
where:
- --file <configuration file path> is the full path to the configuration file where the application settings will be saved.
- --json is specified to export the settings to the configuration file in JSON format. If the --json option is not specified, the settings will be exported to an INI file.
To import the application settings from the file, execute the following command:
kess-control --import-settings --file <configuration file path> [--json]
where:
- --file <configuration file path> is the full path to the configuration file from which you want to import settings into the application.
- --json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
When you import application settings from a file, the UseKSN and CloudMode settings are set to No. To start or resume the use of Kaspersky Security Network, set the value of the UseKSN setting to Basic or Extended. To enable cloud mode, you must set the CloudMode setting to Yes. Cloud mode is available if use of KSN is enabled.
After application settings are imported, internal task IDs may change. It is recommended to use task names to manage tasks.
Managing user roles using the command line
Access to Kaspersky Embedded Systems Security functions via the command line is provided to users in accordance with their roles. A role is a set of rights and privileges for managing the application.
Four groups of system users are created in the operating system: kessadmin, kessuser, kessaudit, and nokess. When you assign an application role to a system user, the user is added to the corresponding group of roles (see the Roles table below). When you revoke a role from a user, this user is removed from the corresponding group of roles.
If no application role is assigned to a system user, that user belongs to a separate group of users without rights.
Thus, the roles correspond to the four groups of operating system users:
- kessadmin – the Administrator role
- kessuser – the User role
- kessaudit – the Auditor role
- nokess is assigned to a user if no other roles are assigned. In this case, the user belongs to a separate group of users without privileges.
User roles
| Role name | Role in application | OS user | Permissions |
|---|---|---|---|
| Administrator | admin | kessadmin | Manage application settings and task settings. Manage application licensing. Assigning roles to users. Revoking user roles (the administrator has no right to revoke the admin role from himself). View and manage users' Storages. |
| User | user | kessuser | Manage only user file scan tasks. Start and stop Update tasks. View reports for the tasks created by this user. View specific events that are common for all application users. |
| Auditor | audit | kessaudit | Viewing application settings. View application status. View all tasks, their settings, and start schedules. View all events. View all objects in Backup. |
| — | — | nokess | No role is assigned in the application, no permissions. |
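Because each role is backed by an operating system group, role assignments can be reviewed from group membership and compared against an allowlist. The following is an added example, not part of the product documentation: the sample group data, GIDs, user names and function names are constructed, and it assumes role holders appear as supplementary members in group(5) format. It prints the revoke commands without running them.

```bash
#!/usr/bin/env bash
# Added example: audit which OS users hold application roles through the
# kessadmin, kessuser and kessaudit groups named on this page.

# Constructed sample in group(5) format (name:password:GID:member,member,...).
SAMPLE_GROUPS='kessadmin:x:991:root,alice
kessuser:x:992:bob,carol
kessaudit:x:993:dave
nokess:x:994:eve'

# role_members GROUP: read group(5) lines on stdin, print the group's members sorted.
role_members() {
    awk -F: -v g="$1" '
        $1 == g && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i]
        }' | sort -u
}

# unexpected_role_holders GROUP ALLOWED_USER...: members of GROUP not on the allowlist.
unexpected_role_holders() {
    local group user allowed ok
    group=$1
    shift
    role_members "$group" | while IFS= read -r user; do
        ok=no
        for allowed in "$@"; do
            if [ "$user" = "$allowed" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then printf '%s\n' "$user"; fi
    done
}

# revoke_plan ROLE GROUP ALLOWED_USER...: print (not run) the revoke command for each
# unexpected holder, using the --revoke-role syntax documented on this page.
revoke_plan() {
    local role user
    role=$1
    shift
    unexpected_role_holders "$@" | while IFS= read -r user; do
        printf 'kess-control --revoke-role %s %s\n' "$role" "$user"
    done
}

# Demo on the constructed sample; on a host, pipe in `getent group kessadmin` instead.
printf '%s\n' "$SAMPLE_GROUPS" | revoke_plan admin kessadmin root
```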
Viewing a list of users and roles
To view a list of users and their roles, execute the following command:
kess-control [-U] --get-user-list
Assigning a role to a user
To assign a role to a specific user, execute the following command:
kess-control [-U] --grant-role <role> <user>
Example: To assign the audit role to the user test15:
Revoking a user role
To revoke a role from a specific user, execute the following command:
kess-control [-U] --revoke-role <role> <user>
Example: To revoke the audit role from the user test15: