Kaspersky Embedded Systems Security for Linux

Malware Scan

Malware Scan is a one-time full or custom file scan on the device performed on demand. Kaspersky Embedded Systems Security can carry out multiple Malware Scan tasks at the same time.

A Malware Scan (Scan_My_Computer) predefined task is created in the application. You can use this task to perform a full scan of the device. During a full scan, the application scans all objects located on the device's local drives, as well as all mounted and shared objects that are accessed via Samba or NFS protocols with the recommended security settings.

In Kaspersky Security Center, the Kaspersky Security Center Initial Configuration Wizard automatically creates a Malware Scan group task after installing the administration MMC plug-in or the Kaspersky Embedded Systems Security administration web plug-in.

During a full disk scan, the processor is busy. It is recommended to run the full scan task when the business is idle.

You can configure the settings of automatically created tasks in Kaspersky Security Center and in the command line, and also create Malware Scan user tasks.

Upon detecting malware, Kaspersky Embedded Systems Security may remove the infected file and terminate the malware process started from this file.

If the application is restarted by a control service or manually by the user while a Malware Scan task is running, the task is stopped. The application logs the OnDemandTaskInterrupted event.

You can run Malware Scan tasks and configure scan settings:

  • Select operating system objects to scan: files, archives, boot sectors, process memory and kernel memory, startup objects.
  • Limit the size of an object to be scanned and the duration of the object scan.
  • Select the actions to be performed by the application on the infected objects.
  • Configure exclusions of objects from scans:
    • by name or mask
    • by the name of the threats detected in the objects
  • Enable or disable global exclusions and File Threat Protection exclusions when scanning.
  • Enable the logging of information about scanned non-infected objects, about scanning objects in archives, and about unprocessed objects.
  • Configure the use of the heuristic analyzer and iChecker technology during a scan.
  • Limit the set of devices whose boot sectors need to be scanned.
  • Configure scan scopes and scan exclusion scopes.


Malware Scan in the Web Console

In the Web Console, you can scan for malware using the Malware Scan task.

You can run an automatically created group task and also create and run user tasks for scanning. You can configure scan settings by editing the settings of Malware Scan tasks.

Malware Scan task settings

Setting

Description

Scan archives

This check box enables or disables scan of archives.

If the check box is selected, the application scans the archives.

To scan an archive, the application has to unpack it first, which may slow down scanning. You can reduce the duration of archive scans by configuring the Skip file that is scanned for longer than (sec) and Skip file larger than (MB) settings in the General scan settings section.

If the check box is cleared, the application does not scan the archives.

The check box is selected by default.

Scan SFX archives

This check box enables or disables self-extracting archive scans. Self-extracting archives are the archives that contain an executable extraction module.

If the check box is selected, the application scans self-extracting archives.

If the check box is cleared, the application does not scan self-extracting archives.

This check box is available if the Scan archives check box is unchecked.

The check box is selected by default.

Scan mail databases

This check box enables or disables scans of mail databases of Microsoft Outlook, Outlook Express, The Bat!, and other mail applications.

If the check box is selected, the application scans mail database files.

If the check box is cleared, the application does not scan mail database files.

This check box is cleared by default.

Scan mail format files

This check box enables or disables scan of files of plain-text email messages.

If this check box is selected, the application scans plain-text messages.

If this check box is cleared, the application does not scan plain-text messages.

This check box is cleared by default.

Skip file that is scanned for longer than (sec)

In this field, you can specify the maximum time to scan a file, in seconds. After the specified time, the application stops scanning the file.

Available values: 0–9999. If the value is set to 0, the scan time is unlimited.

Default value: 0.

Skip file larger than (MB)

In this field, you can specify the maximum size of a file to scan, in megabytes.

Available values: 0–999999. If the value is set to 0, the application scans files of any size.

Default value: 0.

Log clean objects

This check box enables or disables the logging of ObjectProcessed type events.

If this check box is selected, the application logs events of the ObjectProcessed type for all scanned objects.

If this check box is cleared, the application does not log events of the ObjectProcessed type for any scanned object.

This check box is cleared by default.

Log unprocessed objects

This check box enables or disables the logging of ObjectNotProcessed type events if a file cannot be processed during a scan.

If this check box is selected, the application logs the events of the ObjectNotProcessed type.

If this check box is cleared, the application does not log the events of the ObjectNotProcessed type.

This check box is cleared by default.

Log packed objects

This check box enables or disables the logging of PackedObjectDetected type events for all packed objects that are detected.

If this check box is selected, the application logs the events of the PackedObjectDetected type.

If this check box is cleared, the application does not log the events of the PackedObjectDetected type.

This check box is cleared by default.

Use iChecker technology

This check box enables or disables scanning of only new files and files modified since the last scan.

If the check box is selected, the application scans only new files or the files modified since the last scan.

If the check box is cleared, the application scans the files regardless of the creation or modification date.

The check box is selected by default.

Use heuristic analysis

This check box enables or disables heuristic analysis during file scans.

The check box is selected by default.

Heuristic analysis level

If the Use heuristic analysis check box is selected, you can select the heuristic analysis level in the drop-down list:

  • Light is the least detailed scan with minimal system load.
  • Medium is a medium scan with balanced system load.
  • Deep is the most detailed scan with maximum system load.
  • Recommended (default value) is the optimal level recommended by Kaspersky experts. It ensures an optimal combination of protection quality and impact on the performance of the protected devices.

First action

In this drop-down list, you can select the first action to be performed by the application on an infected object that has been detected:

  • Disinfect the object. A copy of the infected object will be moved to the Backup.
  • Remove the object. A copy of the infected object will be moved to the Backup.
  • Perform recommended action on the object, based on data about the danger level of the threat detected in the file and about the possibility of disinfecting it (default value).
  • Skip the object.

Second action

In this drop-down list, you can select the second action to be performed by the application on an infected object, in case the first action is unsuccessful:

  • Disinfect the object. A copy of the infected object will be moved to the Backup.
  • Remove the object. A copy of the infected object will be moved to the Backup.
  • Perform recommended action on the object, based on data about the danger level of the threat detected in the file and about the possibility of disinfecting it.
  • Skip the object (default value).

Scan scopes

The table that contains the scopes scanned by the task. By default, the table contains one scan scope that includes all directories of the local file system.

You can add, configure, delete, move up, or move down scan scopes in the table.

Clicking the Move down button moves the selected item down in the table.

Clicking the Move up button moves the selected item up in the table.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they are listed in the table of scan scopes. If you want to configure security settings for a subdirectory that are different from the security settings of the parent directory, you must place the subdirectory higher than its parent directory in the table.

The Move down and Move up buttons are available if a scope is selected in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

Clicking the scan scope name opens the <Scan scope name> window. In this window, you can modify the settings of the selected scan scope.

Clicking the Add button opens the <New scan scope> window. In this window, you can define a new scan scope.


Add scan scope window

In this window, you can add and configure scan scopes.

Scan scope settings

Setting

Description

Scope name

Field for entering the scan scope name. This name is displayed in the Scan scopes table in the Scan settings section.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application processes this scan scope.

If this check box is cleared, the application does not process this scan scope. You can later include this scope in the component settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

You can select the type of file system in the drop-down list:

  • Local (default value) – local directories. If this item is selected, you need to indicate the path to the local directory.
  • Mounted – mounted remote or local directories. If this item is selected, you need to indicate the protocol or name of the file system.
  • Shared – the protected server's file system resources accessible via the Samba or NFS protocol.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.
  • All shared – all of the protected server's file system resources accessible via the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Shared or Mounted type is selected in the drop-down list of file systems.

Path

This is the entry field for specifying the path to the directory that you want to include in the scan scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default – the application scans all directories of the local file system.

This field is available if the Local type is selected in the drop-down list of file systems.

If the Local type is selected in the drop-down list of file systems, and the path is not specified, the application scans all directories of the local file system.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the scan scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks for the objects that the application scans.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


Scan scopes section

You can configure scan scope settings for the Malware Scan task. The application allows you to scan files, boot sectors, client device memory, and startup objects.

Malware Scan scope task settings

Setting

Description

Scan files

This check box enables or disables file scans.

If the check box is selected, the application scans the files.

If the check box is cleared, the application does not scan the files.

The check box is selected by default.

Scan boot sectors

This check box enables or disables boot sector scans.

If the check box is selected, the application scans the boot sectors.

If the check box is cleared, the application does not scan the boot sectors.

This check box is cleared by default.

Scan kernel memory and running processes

This check box enables or disables client device memory scan.

If the check box is selected, the application scans kernel memory and running processes.

If the check box is cleared, the application does not scan kernel memory and running processes.

This check box is cleared by default.

Scan startup objects

This check box enables or disables startup object scans.

If the check box is selected, the application scans startup objects.

If the check box is cleared, the application does not scan startup objects.

This check box is cleared by default.

Devices to scan

Clicking the Configure device masks link opens the Scan scopes window, where you can specify the devices whose boot sectors will be scanned.


Scan scopes window

The table contains name masks of the devices whose boot sectors the application must scan. By default, the table contains the /** device name mask (all devices).

You can add, edit, and delete items in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


Exclusion scopes section

In the Exclusion scopes section for the Malware Scan task, you can configure exclusion scopes, exclusions by mask and threat name, as well as the use of global exclusions and File Threat Protection exclusions when the task is running.

Settings of scan exclusions

Setting

Description

Configure exclusion scopes

Clicking the Configure exclusions link opens the Exclusion scopes window. In this window, you can define the list of scan exclusions.

Configure exclusions by mask

Clicking the Configure exclusions by mask link opens the Exclusions by mask window. In this window, you can configure the exclusion of objects from scans by name mask.

Configure exclusions by threat name

Clicking the Configure exclusions by threat name link opens the Exclusions by threat name window. In this window, you can configure the exclusion of objects from scans based on threat name.

Use global exclusions

The check box enables or disables the exclusion of the mount points specified in global exceptions while the application is running.

If this check box is selected, the application excludes configured mount points from scans.

The check box is selected by default.

Use File Threat Protection exclusions

This check box enables or disables the use of configured File Threat Protection exclusions when the application is running.

If the check box is selected, the application does not scan the objects specified in the exclusions for the File Threat Protection component.

The check box is selected by default.


Exclusion scopes window

This table contains scan exclusion scopes. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from scan.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


Add exclusion scope window

In this window, you can add and configure exclusion scopes.

Exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables the exclusion of the scope when the application is running.

If the check box is selected, the application excludes this scope from scan or protection during its operation.

If the check box is cleared, the application includes this scope in scan or protection during its operation. You can later exclude this scope from scan or protection by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

In this drop-down list, you can select the type of file system where the directories that you want to add to scan exclusions are located:

  • Local, for local directories.
  • Mounted, for remote directories mounted on the device.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.

Access protocol

You can select the remote access protocol in the drop-down list:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

This drop-down list is available if the Mounted type is selected in the drop-down list of file systems.

Path

Entry field for the path to the directory that you want to add to the exclusion scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default. The application excludes all directories of the local file system from scan.

This field is available if the Local type is selected in the drop-down list of file systems.

Name of shared resource

The field for entering the name of the file system shared resource, where the directories that you want to add to the exclusion scope are located.

The field is available if the Mounted type is selected in the File system drop-down list and the Custom item is selected in the Access protocol drop-down list.

Masks

The list contains name masks of the objects that the application excludes from scan. Masks are only applied to objects in the directory specified in the Path field.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).

 


Exclusions by mask window

You can configure the exclusion of objects from scans based on name mask. The application will not scan files whose names contain the specified mask. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).


Exclusions by threat name window

You can configure the exclusion of objects from scans based on threat name. The application will not block the specified threats. By default, the list of threat names is empty.

You can add, edit, and delete threat names.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected threat from the exclusion list.

This button is available if at least one threat name is selected in the list.

Clicking the threat name in the table opens the Threat name window. In this window, you can edit the name of the threat to be excluded from a scan.

Clicking the Add button opens the Threat name window. In this window, you can define the name of the threat to be excluded from a scan.


Malware Scan in the Administration Console

In the Administration Console, you can scan for malware using the Malware Scan task.

You can run an automatically created group task and also create and run user tasks for scanning. You can configure scan settings by editing the settings of Malware Scan tasks.

In the Settings section of the properties of the Malware Scan task, you can configure the settings listed in the table below.

Malware Scan task settings

Setting

Description

Scan

This group of settings contains buttons that open windows where you can configure the scan scopes, scan scope settings, and scan settings.

Action on threat detection

This group of settings contains the Configure button. Clicking this button opens the Action on threat detection window, where you can configure the actions that the application performs on detected infected objects.

In the Exclusions section, you can configure exclusion scopes as well as exclusions by mask and by the threat name in the properties of the Malware Scan task.


Scan scopes window

The table contains the scan scopes. The application will scan files and directories located in the paths specified in the table. By default, the table contains one scan scope that includes all directories of the local file system.

Scan scope settings

Setting

Description

Scope name

Scan scope name.

Path

Path to the directory that the application scans.

Status

The status indicates whether the application scans this scope.

You can add, edit, delete, move up, and move down items in the table.

Clicking the Move down button moves the selected item down in the table.

Clicking the Move up button moves the selected item up in the table.

These buttons are available if a scope is selected in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.

Kaspersky Embedded Systems Security scans objects in the specified scopes in the order they appear in the list of scopes. If necessary, place the subdirectory higher in the list than its parent directory, to configure security settings for a subdirectory that are different from the security settings of the parent directory.
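The ordering rule above can be checked before a scope table is saved. The following is an added example, not Kaspersky code: it flags every enabled scope that is listed below one of its parent directories and proposes an order that satisfies the rule. It assumes scope paths are literal directories without masks; the function names and the sample table are constructed for illustration.

```python
import posixpath


def _norm(path):
    """Normalize a scope path ('/srv/uploads/' -> '/srv/uploads')."""
    return posixpath.normpath(path)


def is_ancestor(parent, child):
    """True if 'parent' is a strict ancestor directory of 'child'."""
    parent, child = _norm(parent), _norm(child)
    if parent == child:
        return False
    if parent == "/":
        return child.startswith("/")
    # Compare on a component boundary so /srv is not an ancestor of /srvdata.
    return child.startswith(parent + "/")


def misordered_scopes(scopes):
    """Return (subdirectory scope, parent scope) pairs that break the rule.

    'scopes' is the table in display order: (name, path, enabled) tuples.
    Scopes whose "Use this scope" check box is cleared are ignored.
    """
    active = [(name, path) for name, path, enabled in scopes if enabled]
    problems = []
    for i, (parent_name, parent_path) in enumerate(active):
        for child_name, child_path in active[i + 1:]:
            if is_ancestor(parent_path, child_path):
                problems.append((child_name, parent_name))
    return problems


def suggested_order(scopes):
    """Reorder scopes so that deeper directories come first.

    A stable sort by path depth puts every subdirectory above its parent
    and keeps the existing order among scopes of equal depth.
    """
    def depth(scope):
        return len([part for part in _norm(scope[1]).split("/") if part])

    return sorted(scopes, key=depth, reverse=True)


# Constructed sample table: the default "all local directories" scope is
# listed first, so the more specific scopes below it break the rule.
SAMPLE_SCOPES = [
    ("All local", "/", True),
    ("Uploads", "/srv/uploads/", True),
    ("Srv", "/srv", True),
    ("Old", "/srv/old", False),
]

if __name__ == "__main__":
    for child, parent in misordered_scopes(SAMPLE_SCOPES):
        print(f"scope {child!r} is listed below its parent scope {parent!r}")
    print([name for name, _, _ in suggested_order(SAMPLE_SCOPES)])
```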


<New scan scope> window

In this window, you can add and configure scan scopes.

Scan scope settings

Setting

Description

Scan scope name

Field for entering the scan scope name. This name will be displayed in the table in the Scan scopes window.

The entry field must not be blank.

Use this scope

This check box enables or disables scans of this scope by the application.

If this check box is selected, the application processes this scan scope.

If this check box is cleared, the application does not process this scan scope. You can later include this scope in the component settings by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

The settings block lets you set the scan scope.

You can select the file system type in the drop-down list of file systems:

  • Local (default value) – local directories. If this item is selected, you need to indicate the path to the local directory.
  • Mounted – mounted remote or local directories. If this item is selected, you need to indicate the protocol or name of the file system.
  • Shared – the protected server's file system resources accessible via the Samba or NFS protocol.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.
  • All shared – all of the protected server's file system resources accessible via the Samba and NFS protocols.

If Shared or Mounted is selected in the drop-down list of file systems, you can select the remote access protocol in the drop-down list on the right:

  • NFS: remote directories mounted on a device using the NFS protocol.
  • Samba: remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

If Local is selected in the drop-down list of file systems, then in the input field you can enter a path to a directory that you want to add to the scan scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default – the application scans all directories of the local file system.

If the Local type is selected in the drop-down list of file systems, and the path is not specified, the application scans all directories of the local file system.

Filesystem name

The field for entering the name of the file system where the directories that you want to add to the scan scope are located.

The field is available if the Mounted type is selected in the drop-down list of file systems and the Custom item is selected in the drop-down list on the right.

Masks

The list contains name masks for the objects that the application scans.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.
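The mask rules given for the Path fields of the scan scope and exclusion scope windows can be tried out before a mask is entered. The following is an added example, not Kaspersky code: it translates a mask into a regular expression and lists which mount points a set of exclusion masks covers. It assumes that ? does not match the / character and reads the "only once" rule as at most one ** per mask, as in the /dir/**/**/file example; the function names and the mount point list are constructed for illustration.

```python
import re

# A mask is a sequence of "**", "*", "?" and runs of literal characters.
_TOKEN = re.compile(r"\*\*|\*|\?|[^*?]+")


def compile_mask(mask):
    """Translate a path or name mask into a compiled regular expression.

    *   any characters, including none, up to the next '/'
    **  any characters, including none and '/'
    ?   exactly one character (assumption: not '/')
    """
    tokens = _TOKEN.findall(mask)
    if tokens.count("**") > 1:
        # The page calls /dir/**/**/file an incorrect mask.
        raise ValueError(f"'**' may be used only once: {mask!r}")
    parts = []
    for token in tokens:
        if token == "**":
            parts.append(".*")
        elif token == "*":
            parts.append("[^/]*")
        elif token == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(token))
    return re.compile("".join(parts), re.DOTALL)


def mask_matches(mask, path):
    """True if the whole path (or file name) is matched by the mask."""
    return compile_mask(mask).fullmatch(path) is not None


def covered_mount_points(masks, mount_points):
    """Return the mount points matched by at least one exclusion mask."""
    compiled = [compile_mask(mask) for mask in masks]
    return [mp for mp in mount_points
            if any(pattern.fullmatch(mp) for pattern in compiled)]


# Constructed sample data: mount points as they would appear in /proc/mounts.
MOUNT_POINTS = ["/dir", "/dir/nfs", "/dir/nfs/sub", "/srv"]

if __name__ == "__main__":
    # /dir itself is covered only when it is listed without an asterisk.
    for masks in (["/dir"], ["/dir/*"], ["/dir/**"]):
        print(masks, "->", covered_mount_points(masks, MOUNT_POINTS))
    print(mask_matches("*_my_file_??.html", "2020_my_file_09.html"))
```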


Scan scope settings window

In this window, you can configure the scan settings for the Malware Scan task. The application allows you to scan files, boot sectors, device memory, and startup objects.

Scan scope settings

Setting

Description

Scan files

This check box enables or disables file scans.

If the check box is selected, the application scans the files.

If the check box is cleared, the application does not scan the files.

The check box is selected by default.

Scan boot sectors

This check box enables or disables boot sector scans.

If the check box is selected, the application scans the boot sectors.

If the check box is cleared, the application does not scan the boot sectors.

This check box is cleared by default.

Scan kernel memory and running processes

This check box enables or disables device memory scan.

If the check box is selected, the application scans kernel memory and running processes.

If the check box is cleared, the application does not scan kernel memory and running processes.

This check box is cleared by default.

Scan startup objects

This check box enables or disables startup object scans.

If the check box is selected, the application scans startup objects.

If the check box is cleared, the application does not scan startup objects.

This check box is cleared by default.

Devices to scan

This group of settings contains the Configure button. Clicking this button opens the Scan scopes window, where you can specify the devices whose boot sectors must be scanned.

Use global exclusions

The check box enables or disables the exclusion of the mount points specified in global exceptions while the application is running.

If this check box is selected, the application excludes configured mount points from scans.

The check box is selected by default.

Use File Threat Protection exclusions

This check box enables or disables the use of configured File Threat Protection exclusions when the application is running.

If the check box is selected, the application does not scan the objects specified in the exclusions for the File Threat Protection component.

The check box is selected by default.


Scan scopes window

The table contains name masks of the devices whose boot sectors the application must scan. By default, the table contains the /** device name mask (all devices).

You can add, edit, and delete items in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


Scan settings window

In this window, you can configure the file scan settings for the task.

Scan settings

Setting

Description

Scan archives

This check box enables or disables archive scans.

If the check box is selected, the application scans the archives.

To scan an archive, the application has to unpack it first, which may slow down scanning. You can reduce the duration of archive scans by configuring the Skip file that is scanned for longer than (sec) and Skip file larger than (MB) settings in the General scan settings section.

If the check box is cleared, the application does not scan the archives.

The check box is selected by default.

Scan SFX archives

This check box enables or disables self-extracting archive scans. Self-extracting archives are the archives that contain an executable extraction module.

If the check box is selected, the application scans self-extracting archives.

If the check box is cleared, the application does not scan self-extracting archives.

This check box is available if the Scan archives check box is unchecked.

The check box is selected by default.

Scan mail databases

This check box enables or disables scans of mail databases of Microsoft Outlook, Outlook Express, The Bat!, and other mail applications.

If the check box is selected, the application scans mail database files.

If the check box is cleared, the application does not scan mail database files.

This check box is cleared by default.

Scan mail format files

This check box enables or disables scans of files containing plain-text email messages.

If this check box is selected, the application scans plain-text messages.

If this check box is cleared, the application does not scan plain-text messages.

This check box is cleared by default.

Skip file that is scanned for longer than (sec)

In this field, you can specify the maximum time to scan a file, in seconds. After the specified time, the application stops scanning the file.

Available values: 0–9999. If the value is set to 0, the scan time is unlimited.

Default value: 0.

Skip file larger than (MB)

In this field, you can specify the maximum size of a file to scan, in megabytes.

Available values: 0–999999. If the value is set to 0, the application scans files of any size.

Default value: 0.

Log clean objects

This check box enables or disables the logging of ObjectProcessed type events.

If this check box is selected, the application logs events of the ObjectProcessed type for all scanned objects.

If this check box is cleared, the application does not log events of the ObjectProcessed type for any scanned object.

This check box is cleared by default.

Log unprocessed objects

This check box enables or disables the logging of ObjectNotProcessed type events if a file cannot be processed during a scan.

If this check box is selected, the application logs the events of the ObjectNotProcessed type.

If this check box is cleared, the application does not log the events of the ObjectNotProcessed type.

This check box is cleared by default.

Log packed objects

This check box enables or disables the logging of PackedObjectDetected type events for all packed objects that are detected.

If this check box is selected, the application logs the events of the PackedObjectDetected type.

If this check box is cleared, the application does not log the events of the PackedObjectDetected type.

This check box is cleared by default.

Use iChecker technology

This check box enables or disables scanning of only new files and files modified since the last scan.

If the check box is selected, the application scans only new files or the files modified since the last scan.

If the check box is cleared, the application scans the files regardless of the creation or modification date.

The check box is selected by default.

Use heuristic analysis

This check box enables or disables heuristic analysis during file scans.

The check box is selected by default.

Heuristic analysis level

If the Use heuristic analysis check box is selected, you can select the heuristic analysis level in the drop-down list:

  • Light is the least detailed scan with minimal system load.
  • Medium is a medium scan with balanced system load.
  • Deep is the most detailed scan with maximum system load.
  • Recommended (default value) is the optimal level recommended by Kaspersky experts. It ensures an optimal combination of protection quality and impact on the performance of the protected devices.

     


Action on threat detection window

In this window, you can configure actions to be performed by Kaspersky Embedded Systems Security on detected infected objects:

Actions on threat detection

Setting

Description

First action

In this drop-down list, you can select the first action to be performed by the application on an infected object that has been detected:

  • Disinfect the object. A copy of the infected object will be moved to the Backup.
  • Remove the object. A copy of the infected object will be moved to the Backup.
  • Perform recommended action on the object, based on data about the danger level of the threat detected in the file and about the possibility of disinfecting it (default value).
  • Skip the object.

Second action

In this drop-down list, you can select the second action to be performed by the application on an infected object, in case the first action is unsuccessful:

  • Disinfect the object. A copy of the infected object will be moved to the Backup.
  • Remove the object. A copy of the infected object will be moved to the Backup.
  • Perform recommended action on the object, based on data about the danger level of the threat detected in the file and about the possibility of disinfecting it.
  • Skip the object (default value).

     


Exclusions section

Scan exclusion is a set of conditions. When these conditions are met, Kaspersky Embedded Systems Security does not scan the objects for viruses and other malware. You can also exclude objects from scans by masks and threat names.

Settings of scan exclusions

Group of settings

Description

Exclusion scopes

This group of settings contains the Configure button. Clicking this button opens the Exclusion scopes window. In this window, you can define the list of scopes to be excluded from scans.

Exclusions by mask

This group of settings contains the Configure button, which opens the Exclusions by mask window. In this window, you can configure the exclusion of objects from scans by name mask.

Exclusions by threat name

This group of settings contains the Configure button, which opens the Exclusions by threat name window. In this window, you can configure the exclusion of objects from scans based on threat name.


Exclusion scopes window

This table contains scan exclusion scopes. The application does not scan files and directories located at the paths specified in the table. By default, the table is empty.

Exclusion scope settings

Setting

Description

Exclusion scope name

Exclusion scope name.

Path

Path to the directory excluded from scan.

Status

The status indicates whether the application uses this exclusion.

You can add, edit, and delete items in the table.

Clicking the Delete button excludes the selected scope from scans.

This button is available if at least one scan scope is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


<New exclusion scope> window

In this window, you can add and configure scan exclusion scopes.

Exclusion scope settings

Setting

Description

Exclusion scope name

Field for entering the exclusion scope name. This name will be displayed in the table in the Exclusion scopes window.

The entry field must not be blank.

Use this scope

The check box enables or disables exclusion of the scope from scan when the application is running.

If this check box is selected, the application excludes this area during scans.

If this check box is cleared, the application includes this area in the scan scope. You can later exclude this scope by selecting the check box.

The check box is selected by default.

File system, access protocol, and path

The settings block lets you set the exclusion scope.

In the drop-down list of file systems, you can select the type of file system of the directories to be excluded from scans:

  • Local – local directories.
  • Mounted – mounted directories.
  • All remote mounted – all remote directories mounted on the device using the Samba and NFS protocols.

If Mounted is selected in the drop-down list of file systems, you can select the remote access protocol in the drop-down list on the right:

  • NFS – remote directories mounted on a device using the NFS protocol.
  • Samba – remote directories mounted on a device using the Samba protocol.
  • Custom – resources of the device's file system specified in the field below.

If Local is selected in the drop-down list of file systems, then in the input field you can enter a path to a directory that you want to add to the exclusion scope. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

You can use a single ? character to represent any one character in the file or directory name.

The / path is specified by default. The application excludes all directories of the local file system from scan.

Filesystem name

The field for entering the name of the file system where the directories that you want to add to the exclusion scope are located.

The field is available if the Mounted type is selected in the drop-down list of file systems and the Custom item is selected in the drop-down list on the right.

Masks

The list contains name masks of the objects that the application excludes from scan. Masks are only applied to objects in the directory specified in the path field.

By default the list contains the * mask (all objects).

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).
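The mask rules of this window (*, **, ? in paths, the /dir versus /dir/* versus /dir/** mount point cases, and the object mask examples) can be checked before an exclusion is saved. The matcher below is an added example, not the application's own matching code. It assumes that ? never matches /, that ** may appear at most once in a whole mask, and that a mask must match the full path; MOUNTS and the function names are constructed for illustration.

```python
import re


def mask_to_regex(mask: str) -> re.Pattern:
    """Translate a path or object mask into an anchored regular expression."""
    # The page calls /dir/**/**/file incorrect; assumed here: at most one '**' per mask.
    if mask.count("**") > 1:
        raise ValueError(f"'**' used more than once: {mask!r}")
    parts, i = [], 0
    while i < len(mask):
        if mask.startswith("**", i):
            parts.append(".*")        # any characters, '/' included
            i += 2
        elif mask[i] == "*":
            parts.append("[^/]*")     # any characters up to the next '/'
            i += 1
        elif mask[i] == "?":
            parts.append("[^/]")      # exactly one character (assumed: not '/')
            i += 1
        else:
            parts.append(re.escape(mask[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def mask_matches(mask: str, path: str) -> bool:
    """True if the whole path (or file name) is covered by the mask."""
    return mask_to_regex(mask).fullmatch(path) is not None


def coverage(mask: str, paths: list) -> list:
    """Subset of paths that the mask would exclude, in input order."""
    regex = mask_to_regex(mask)
    return [p for p in paths if regex.fullmatch(p)]


# Constructed mount points for the /dir, /dir/* and /dir/** comparison.
MOUNTS = ["/dir", "/dir/nfs1", "/dir/nfs1/deep", "/dir2"]

if __name__ == "__main__":
    for mask in ("/dir", "/dir/*", "/dir/**"):
        print(f"{mask:10} -> {coverage(mask, MOUNTS)}")
    print(mask_matches("*_my_file_??.html", "2020_my_file_09.html"))
```

Running a planned exclusion mask against a listing of real mount points or file names shows how much it removes from the scan before the setting is applied.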

 


Exclusions by mask window

You can configure the exclusion of objects from scans based on name mask. The application will not scan files whose names contain the specified mask. By default, the list of masks is empty.

You can add, edit, or delete masks.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected name mask of files excluded from a scan.

This button is available if at least one file mask is selected in the list.

Clicking the mask opens the Object mask window. In this window, in the Define object mask field, you can modify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Clicking the Add button opens the Object mask window. In this window, in the Define object mask field, you can specify the name template for files that Kaspersky Embedded Systems Security excludes from scans.

Examples:

The *.txt mask refers to all text files.

The *_my_file_??.html mask refers to html files starting with any characters, and ending with _my_file_ followed by any two characters (for example, 2020_my_file_09.html).


Exclusions by threat name window

You can configure the exclusion of objects from scans based on threat name. The application will not block the specified threats. By default, the list of threat names is empty.

You can add, edit, and delete threat names.

Clicking the Delete button causes Kaspersky Embedded Systems Security to remove the selected threat from the exclusion list.

This button is available if at least one threat name is selected in the list.

Clicking the threat name in the table opens the Threat name window. In this window, you can edit the name of the threat to be excluded from a scan.

Clicking the Add button opens the Threat name window. In this window, you can define the name of the threat to be excluded from a scan.


Malware Scan in the command line

On the command line, you can scan for malware in the following ways:

In this section

Settings of the Malware Scan predefined task

Custom Scan of files and directories on the command line


Settings of the Malware Scan predefined task

The table describes all available values and the default values of all the settings that you can specify for the Malware Scan task.

Malware Scan task settings

Setting

Description

Values

ScanFiles

Enables file scan.

Yes (default value) — Scan files.

No — Do not scan files.

ScanBootSectors

Enables boot sector scans.

Yes (default value) — Scan boot sectors.

No — Do not scan boot sectors.

ScanComputerMemory

Enables process memory and kernel memory scans.

Yes (default value) — Scan process memory and kernel memory.

No — Do not scan process memory and kernel memory.

ScanStartupObjects

Enables startup object scans.

Yes (default value) — Scan startup objects.

No — Do not scan startup objects.

ScanArchived

Enables scanning of archives (including SFX self-extracting archives).

The application scans the following archives: .zip; .7z*; .7-z; .rar; .iso; .cab; .jar; .bz; .bz2; .tbz; .tbz2; .gz; .tgz; .arj. The list of supported archive formats depends on the application databases being used.

Yes (default value) — Scan archives. If the FirstAction=Recommended value is specified, then, depending on the archive type, the application deletes either the infected object or the entire archive that contains the threat.

No — Do not scan archives.

ScanSfxArchived

Enables scanning of self-extracting archives only (archives that contain an executable extraction module).

Yes (default value) — Scan self-extracting archives.

No — Do not scan self-extracting archives.

ScanMailBases

Enables scanning email databases of Microsoft Outlook, Outlook Express, The Bat!, and other mail clients.

Yes — Scan files of email databases.

No (default value) — Do not scan files of email databases.

ScanPlainMail

Enables scanning of plain text email messages.

Yes — Scan plain text email messages.

No (default value) — Do not scan plain text email messages.

SizeLimit

Maximum size of an object to be scanned (in megabytes). If the object to be scanned is larger than the specified value, the application skips this object.

0–999999

0 — The application scans objects of any size.

Default value: 0.

TimeLimit

Maximum object scan duration (in seconds). The application stops scanning the object if it takes longer than the time specified by this setting.

0–9999

0 — The object scan time is unlimited.

Default value: 0.

FirstAction

Selection of the first action to be performed by the application on the infected objects.

Disinfect — The application tries to disinfect an object and save a copy of it to Backup. If disinfection fails (for example, if the type of object or the type of threat in the object cannot be disinfected), then the application leaves the object unchanged. If the first action is Disinfect, it is recommended to specify a second action using the SecondAction setting.

Remove — The application removes the infected object after creating a backup copy of it.

Recommended (perform recommended action) — The application automatically selects and performs an action on the object based on information about the threat detected in the object. For example, Kaspersky Embedded Systems Security immediately removes Trojans because they do not incorporate themselves into other files and therefore they do not need to be disinfected.

Skip — The application does not try to disinfect or delete infected objects. Information about the infected object is logged.

Default value: Recommended.

SecondAction

Selection of the second action to be performed by the application on the infected objects. The application performs the second action if the first action fails.

The possible values of the SecondAction setting are the same as those of the FirstAction setting.

If Skip or Remove is selected as the first action, the second action does not need to be specified. It is recommended to specify two actions in all other cases. If you have not specified the second action, the application applies Skip as the second action.

Default value: Skip.

UseExcludeMasks

Enables exclusion of the objects specified by the ExcludeMasks.item_# setting from the scan.

Yes — Exclude objects specified by the ExcludeMasks.item_# setting from the scan.

No (default value) — Do not exclude objects specified by the ExcludeMasks.item_# setting from the scan.

ExcludeMasks.item_#

Excludes objects from being scanned by name or mask. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format.

Before specifying a value for this setting, make sure that the UseExcludeMasks setting is enabled.

The default value is not defined.

Example:

UseExcludeMasks=Yes

ExcludeMasks.item_0000=eicar1.*

ExcludeMasks.item_0001=eicar2.*

 

UseExcludeThreats

Enables exclusion of objects containing the threats specified by the ExcludeThreats setting from scans.

Yes — Exclude objects containing the threats specified by the ExcludeThreats.item_# setting from the scan.

No (default value): do not exclude objects containing the threats specified by the ExcludeThreats.item_# setting from the scan.

ExcludeThreats.item_#

Excludes objects from scans by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is enabled.

In order to exclude an object from scans, specify the full name of the threat detected in this object – the string containing the application's decision that the object is infected.

For example, you may be using a utility to collect information about your network. To keep the application from blocking it, add the full name of the threat contained in it to the list of threats excluded from scans.

You can find the full name of the threat detected in an object in the application log or on the website https://threats.kaspersky.com.

The setting value is case-sensitive.

The default value is not defined.

Example:

UseExcludeThreats=Yes

ExcludeThreats.item_0000=EICAR-Test-*

ExcludeThreats.item_0001=?rojan.Linux

 

 

UseGlobalExclusions

Enables global exclusions for scanning.

Yes (default value) — Use the global exclusions.

No — Do not use global exclusions.

UseOASExclusions

Enables File Threat Protection exclusions for scanning.

Yes (default value) — Use File Threat Protection exclusions.

No — Do not use File Threat Protection exclusions.

ReportCleanObjects

Enables logging of information about scanned objects that the application reports as not being infected.

You can enable this setting, for example, to make sure that a particular object was scanned by the application.

Yes — Log information about non-infected objects.

No (default value) — Do not log information about non-infected objects.

ReportPackedObjects

Enables logging of information about scanned objects that are part of compound objects.

You can enable this setting, for example, to make sure that an object within an archive has been scanned by the application.

Yes — Log information about scanned objects within archives.

No (default value) — Do not log information about scanned objects within archives.

ReportUnprocessedObjects

Enables logging of information about objects that have not been processed for some reason.

 

Yes — Log information about unprocessed objects.

No (default value) — Do not log information about unprocessed objects.

UseAnalyzer

Enables heuristic analysis.

Heuristic analysis helps the application to detect threats even before they become known to virus analysts.

Yes (default value) — Enable Heuristic Analyzer.

No — Disable Heuristic Analyzer.

HeuristicLevel

Specifies the heuristic analysis level.

The heuristic analysis level sets the balance between the thoroughness of searches for threats, the load on the operating system's resources, and the scan duration. The higher the heuristic analysis level, the more resources and time are required for scanning.

Light — The least thorough scan with minimum load on the system.

Medium — A medium heuristic analysis level with a balanced load on the system.

Deep — The most thorough scan with maximum load on the system.

Recommended (default value) — The recommended value.

UseIChecker

Enables usage of the iChecker technology.

Yes (default value) — Enable use of the iChecker technology.

No — Disable use of the iChecker technology.

DeviceNameMasks.item_#

List of device names. The application will scan boot sectors of these devices.

The setting value cannot be empty. At least one device name mask must be specified to run this task.

AllObjects – scan boot sectors of all devices.

<device name mask> – Scan boot sectors of the devices whose names match the specified mask.

Default value: /** – any set of characters in the device name, including the / character.

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan scope, which contains additional information about the scan scope. The maximum length of the string specified using this setting is 4096 characters.

Default value: All objects.

Example:

AreaDesc="Mail bases scan"

 

UseScanArea

Enables scans of the specified scope. To run the task, enable scans of at least one scope.

Yes (default value) — Scan the specified scope.

No — Do not scan the specified scope.

AreaMask.item_#

Scan scope limitation. Within the scan scope, the application scans only the files that are specified using the masks in the shell format.

If this setting is not specified, the application scans all the objects in the scan scope. You can specify several values for this setting.

The default value is * (scan all objects).

Example:

AreaMask.item_<item number>=*doc

 

Path

Path to the directory with objects to be scanned.

 

<path to local directory> — Scan objects in the specified directory.

Shared:NFS — Scan the device file system resources that are accessible via the NFS protocol.

Shared:SMB – Scan the device file system resources that are accessible via the Samba protocol.

Mounted:NFS – Scan the remote directories mounted on a device using the NFS protocol.

Mounted:SMB – Scan the remote directories mounted on a device using the Samba protocol.

AllRemoteMounted – Scan all remote directories mounted on the device using the Samba and NFS protocols.

AllShared – Scan all the device file system resources that are accessible via the Samba and NFS protocols.

<file system type> — Scan all the resources of the specified device file system.

The [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan exclusion scope, which contains additional information about the exclusion scope.

The default value is not defined.

UseScanArea

Excludes the specified scope from scans.

Yes (default value) — Exclude the specified scope.

No — Do not exclude the specified scope.

AreaMask.item_#

Limitation of scan exclusion scope. In the exclusion scope, the application excludes only the files that are specified using masks in the shell format.

If this setting is not specified, the application excludes all the objects in the exclusion scope. You can specify several values for this setting.

Default value: * (exclude all objects)

Path

Path to the directory with objects to be excluded.

 

<path to local directory> — Exclude objects in the specified directory (including subdirectories) from scans. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

To optimize the operation of scan tasks on systems that use the btrfs file system with active snapshots enabled, it is recommended to add the path to the snapshots that the system mounts in read-only mode to the exclusions. For example, on SUSE/OpenSUSE-based systems, you can add the following exclusion: /.snapshots/*/snapshot/.

Mounted:NFS – Exclude the remote directories mounted on a device using the NFS protocol from scan.

Mounted:SMB – Exclude the remote directories mounted on a device using the Samba protocol from scan.

AllRemoteMounted – Exclude all remote directories mounted on the device using the Samba and NFS protocols from scan.

<file system type> — Exclude all the resources of the specified device file system from scans.

Remote directories are excluded from scanning by the application only if they were mounted before the task was started. Remote directories mounted after the task is started are not excluded from scanning.
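The settings above interact: exclusion lists apply only when their Use* switch is Yes, size and time limits leave objects unscanned, and an exclusion scope with Path=/ and the default * mask removes the whole local file system from the scan. The lint pass below is an added example, not Kaspersky code. It assumes a settings file laid out as general key=value lines followed by [section] blocks, as the examples on this page suggest; SAMPLE is constructed and the function names are hypothetical.

```python
# Defaults and ranges copied from the Malware Scan task settings table.
DEFAULTS = {"SizeLimit": "0", "TimeLimit": "0", "FirstAction": "Recommended",
            "SecondAction": "Skip", "UseExcludeMasks": "No", "UseExcludeThreats": "No"}
LIMITS = {"SizeLimit": 999999, "TimeLimit": 9999}
ACTIONS = {"Disinfect", "Remove", "Recommended", "Skip"}

# Constructed settings file; the layout (general settings, then sections) is assumed.
SAMPLE = """\
ScanFiles=Yes
SizeLimit=50
FirstAction=Disinfect
UseExcludeMasks=No
ExcludeMasks.item_0000=eicar1.*
UseExcludeThreats=Yes
ExcludeThreats.item_0000=EICAR-Test-*
[ScanScope.item_0000]
AreaDesc="All objects"
UseScanArea=Yes
Path=/
AreaMask.item_0000=*
[ExcludedFromScanScope.item_0000]
AreaDesc="Snapshots"
Path=/.snapshots/*/snapshot/
[ExcludedFromScanScope.item_0001]
Path=/
"""


def parse_settings(text):
    """Return (general settings dict, [(section name, settings dict), ...])."""
    general, sections = {}, []
    current = general
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1], current))
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {number}: expected key=value, got {line!r}")
        current[key.strip()] = value.strip().strip('"')
    return general, sections


def items(settings, name):
    """Values of the <name>.item_#### entries, in item order."""
    prefix = name + ".item_"
    return [v for k, v in sorted(settings.items()) if k.startswith(prefix)]


def audit(text):
    """Return (setting, finding) pairs for settings that narrow scan coverage."""
    general, sections = parse_settings(text)
    findings = []

    def get(key):
        return general.get(key, DEFAULTS[key])

    for key, top in LIMITS.items():
        value = int(get(key))
        if not 0 <= value <= top:
            findings.append((key, f"{value} is outside the range 0-{top}"))
        elif value:
            findings.append((key, f"objects over the limit of {value} are skipped"))

    first = get("FirstAction")
    if first not in ACTIONS:
        findings.append(("FirstAction", f"unknown value {first!r}"))
    if first == "Disinfect" and get("SecondAction") == "Skip":
        findings.append(("SecondAction", "failed disinfection leaves the object unchanged"))

    for switch, name in (("UseExcludeMasks", "ExcludeMasks"),
                         ("UseExcludeThreats", "ExcludeThreats")):
        values, enabled = items(general, name), get(switch) == "Yes"
        if values and not enabled:
            findings.append((switch, f"{name} entries are defined but not applied"))
        wide = [v for v in values if "*" in v or "?" in v]
        if enabled and name == "ExcludeThreats" and wide:
            findings.append((name, f"masks match more than one threat name: {wide}"))

    scopes = [s for n, s in sections if n.startswith("ScanScope.item_")]
    if scopes and not any(s.get("UseScanArea", "Yes") == "Yes" for s in scopes):
        findings.append(("ScanScope", "every scan scope is disabled"))

    for name, s in sections:
        if name.startswith("ExcludedFromScanScope.item_") and s.get("UseScanArea", "Yes") == "Yes":
            masks = items(s, "AreaMask") or ["*"]   # default mask: all objects
            if s.get("Path") == "/" and "*" in masks:
                findings.append((name, "excludes every object on the local file system"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit(SAMPLE):
        print(f"{setting}: {finding}")
```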


Custom Scan of files and directories on the command line

You can perform a custom scan of the specified files and directories using the following command: kess-control --scan-file.

A custom scan is performed with the settings stored in the predefined task Scan_File (ID: 3). You can configure settings for a custom scan of files by editing the settings of this task (see the table below).

To start a custom scan of the specified files and directories, execute the following command:

kess-control --scan-file <path> [--action <action>]

where:

  • <path> is the path to the file or directory that you want to scan. You can specify multiple paths by separating them with a space.
  • --action <action> is the action to be performed by the application on the infected objects. Possible values: Disinfect, Removed, Recommended, Skip. If you do not specify the --action option, the application performs the Recommended action.

As a result of executing the command, a temporary file scan task is created, which is automatically deleted after completion. In this case, the scan results are output to the console.

The table describes all available values and the default values of all the settings that you can specify for the Scan_File task.

The [ScanScope.item_#] and [ExcludedFromScanScope.item_#] sections defined in the Scan_File task are not taken into account when performing the custom scan.

Scan_File task settings

Setting

Description

Values

ScanFiles

Enables file scan.

Yes (default value) — Scan files.

No — Do not scan files.

ScanBootSectors

Enables boot sector scans.

Yes — Scan boot sectors.

No (default value) — Do not scan boot sectors.

ScanComputerMemory

Enables process memory and kernel memory scans.

Yes — Scan process memory and kernel memory.

No (default value) — Do not scan process memory and kernel memory.

ScanStartupObjects

Enables startup object scans.

Yes — Scan startup objects.

No (default value) — Do not scan startup objects.

ScanArchived

Enables scanning of archives (including SFX self-extracting archives).

The application scans the following archives: .zip; .7z*; .7-z; .rar; .iso; .cab; .jar; .bz; .bz2; .tbz; .tbz2; .gz; .tgz; .arj. The list of supported archive formats depends on the application databases being used.

Yes (default value) — Scan archives. If the FirstAction=Recommended value is specified, then, depending on the archive type, the application deletes either the infected object or the entire archive that contains the threat.

No — Do not scan archives.

ScanSfxArchived

Enables scanning of self-extracting archives only (archives that contain an executable extraction module).

Yes (default value) — Scan self-extracting archives.

No — Do not scan self-extracting archives.

ScanMailBases

Enables scanning email databases of Microsoft Outlook, Outlook Express, The Bat!, and other mail clients.

Yes — Scan files of email databases.

No (default value) — Do not scan files of email databases.

ScanPlainMail

Enables scanning of plain text email messages.

Yes — Scan plain text email messages.

No (default value) — Do not scan plain text email messages.

SizeLimit

Maximum size of an object to be scanned (in megabytes). If the object to be scanned is larger than the specified value, the application skips this object.

0–999999

0 — The application scans objects of any size.

Default value: 0.

TimeLimit

Maximum object scan duration (in seconds). The application stops scanning the object if it takes longer than the time specified by this setting.

0–9999

0 — The object scan time is unlimited.

Default value: 0.

FirstAction

Selection of the first action to be performed by the application on the infected objects.

Disinfect — The application tries to disinfect an object and save a copy of it to Backup. If disinfection fails (for example, if the type of object or the type of threat in the object cannot be disinfected), then the application leaves the object unchanged. If the first action is Disinfect, it is recommended to specify a second action using the SecondAction setting.

Remove — The application removes the infected object after creating a backup copy of it.

Recommended (perform recommended action) — The application automatically selects and performs an action on the object based on information about the threat detected in the object. For example, Kaspersky Embedded Systems Security immediately removes Trojans because they do not incorporate themselves into other files and therefore they do not need to be disinfected.

Skip — The application does not try to disinfect or delete infected objects. Information about the infected object is logged.

Default value: Recommended.

SecondAction

Selection of the second action to be performed by the application on the infected objects. The application performs the second action if the first action fails.

The possible values of the SecondAction setting are the same as those of the FirstAction setting.

If Skip or Remove is selected as the first action, the second action does not need to be specified. It is recommended to specify two actions in all other cases. If you have not specified the second action, the application applies Skip as the second action.

Default value: Skip.

UseExcludeMasks

Enables exclusion of the objects specified by the ExcludeMasks.item_# setting from the scan.

Yes — Exclude objects specified by the ExcludeMasks.item_# setting from the scan.

No (default value) — Do not exclude objects specified by the ExcludeMasks.item_# setting from the scan.

ExcludeMasks.item_#

Excludes objects from being scanned by name or mask. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format.

The default value is not defined.

Example:

UseExcludeMasks=Yes

ExcludeMasks.item_0000=eicar1.*

ExcludeMasks.item_0001=eicar2.*

UseExcludeThreats

Enables exclusion of objects containing the threats specified by the ExcludeThreats setting from scans.

Yes — Exclude objects containing the threats specified by the ExcludeThreats.item_# setting from the scan.

No (default value) — Do not exclude objects containing the threats specified by the ExcludeThreats.item_# setting from the scan.

ExcludeThreats.item_#

Excludes objects from scans by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is enabled.

In order to exclude an object from scans, specify the full name of the threat detected in this object – the string containing the application's decision that the object is infected.

For example, you may be using a utility to collect information about your network. To keep the application from blocking it, add the full name of the threat contained in it to the list of threats excluded from scans.

You can find the full name of the threat detected in an object in the application log or on the website https://threats.kaspersky.com.

The setting value is case-sensitive.

The default value is not defined.

Example:

UseExcludeThreats=Yes

ExcludeThreats.item_0000=EICAR-Test-*

ExcludeThreats.item_0001=?rojan.Linux

UseGlobalExclusions

Enables global exclusions for scanning.

Yes (default value) — Use the global exclusions.

No — Do not use global exclusions.

UseOASExclusions

Enables File Threat Protection exclusions for scanning.

Yes (default value) — Use File Threat Protection exclusions.

No — Do not use File Threat Protection exclusions.

ReportCleanObjects

Enables logging of information about scanned objects that the application reports as not being infected.

You can enable this setting, for example, to make sure that a particular object was scanned by the application.

Yes — Log information about non-infected objects.

No (default value) — Do not log information about non-infected objects.

ReportPackedObjects

Enables logging of information about scanned objects that are part of compound objects.

You can enable this setting, for example, to make sure that an object within an archive has been scanned by the application.

Yes — Log information about scanned objects within archives.

No (default value) — Do not log information about scanned objects within archives.

ReportUnprocessedObjects

Enables logging of information about objects that have not been processed for some reason.

Yes — Log information about unprocessed objects.

No (default value) — Do not log information about unprocessed objects.

UseAnalyzer

Enables heuristic analysis.

Heuristic analysis helps the application to detect threats even before they become known to virus analysts.

Yes (default value) — Enable Heuristic Analyzer.

No — Disable Heuristic Analyzer.

HeuristicLevel

Specifies the heuristic analysis level.

The heuristic analysis level sets the balance between the thoroughness of searches for threats, the load on the operating system's resources, and the scan duration. The higher the heuristic analysis level, the more resources and time are required for scanning.

Light — The least thorough scan with minimum load on the system.

Medium — A medium heuristic analysis level with a balanced load on the system.

Deep — The most thorough scan with maximum load on the system.

Recommended (default value) — The recommended value.

UseIChecker

Enables usage of the iChecker technology.

Yes (default value) — Enable use of the iChecker technology.

No — Disable use of the iChecker technology.

DeviceNameMasks.item_#

List of device names. The application will scan boot sectors of these devices.

The setting value cannot be empty. At least one device name mask must be specified to run this task.

AllObjects – scan boot sectors of all devices.

<device name mask> – Scan boot sectors of the devices whose names match the specified mask.

Default value: /** – any set of characters in the device name, including the / character.
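The general settings above decide what a custom scan covers and what happens on detection. As an added example (not Kaspersky code), the following Python script reads Scan_File settings saved as key=value lines and lists the values that narrow coverage or response; the sample settings and the choice of which values to flag are assumptions made for illustration.

```python
# Added example, not Kaspersky code: flag Scan_File values that narrow a scan.
DEFAULTS = {"FirstAction": "Recommended", "SecondAction": "Skip", "SizeLimit": "0",
            "TimeLimit": "0", "ScanArchived": "Yes", "UseAnalyzer": "Yes",
            "UseExcludeMasks": "No", "UseExcludeThreats": "No"}  # defaults from the table

def parse_settings(text):
    """Read top-level key=value lines; stop at the first [section] header."""
    settings = dict(DEFAULTS)
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            break
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(s):
    """Return (setting, reason) pairs for values that narrow coverage or response."""
    out = []
    if s["FirstAction"] == "Skip":
        out.append(("FirstAction", "infected objects are logged but left in place"))
    if s["FirstAction"] == "Disinfect" and s["SecondAction"] == "Skip":
        out.append(("SecondAction", "a failed disinfection leaves the object unchanged"))
    for key, unit in (("SizeLimit", "MB"), ("TimeLimit", "s")):
        if s[key] != "0":
            out.append((key, f"objects exceeding {s[key]} {unit} are not fully scanned"))
    for key, why in (("ScanArchived", "archives are not scanned"),
                     ("UseAnalyzer", "heuristic analysis is disabled")):
        if s[key] == "No":
            out.append((key, why))
    for switch, prefix in (("UseExcludeMasks", "ExcludeMasks.item_"),
                           ("UseExcludeThreats", "ExcludeThreats.item_")):
        items = [v for k, v in s.items() if k.startswith(prefix)]
        if s[switch] == "Yes" and items:
            out.append((switch, "active exclusions: " + ", ".join(items)))
    return out

# Constructed sample settings, not taken from a real device.
SAMPLE = """\
ScanArchived=No
SizeLimit=50
FirstAction=Disinfect
UseExcludeMasks=Yes
ExcludeMasks.item_0000=*.iso
[ScanScope.item_0000]
Path=/
"""
if __name__ == "__main__":
    print(*(f"{k}: {why}" for k, why in audit(parse_settings(SAMPLE))), sep="\n")
```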

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan scope, which contains additional information about the scan scope. The maximum length of the string specified using this setting is 4096 characters.

Default value: All objects.

Example:

AreaDesc="Scanning of email databases"

UseScanArea

Enables scans of the specified scope. To run the task, enable scans of at least one scope.

Yes (default value) — Scan the specified scope.

No — Do not scan the specified scope.

AreaMask.item_#

Scan scope limitation. Within the scan scope, the application scans only the files that are specified using the masks in the shell format.

If this setting is not specified, the application scans all the objects in the scan scope. You can specify several values for this setting.

The default value is * (scan all objects).

Example:

AreaMask.item_<item number>=*doc

Path

Path to the directory with objects to be scanned.

<path to local directory> — Scan objects in the specified directory.

Shared:NFS — Scan the device file system resources that are accessible via the NFS protocol.

Shared:SMB – Scan the device file system resources that are accessible via the Samba protocol.

Mounted:NFS – Scan the remote directories mounted on a device using the NFS protocol.

Mounted:SMB – Scan the remote directories mounted on a device using the Samba protocol.

AllRemoteMounted – Scan all remote directories mounted on the device using the Samba and NFS protocols.

AllShared – Scan all the device file system resources that are accessible via the Samba and NFS protocols.

<file system type> — Scan all the resources of the specified device file system.

The [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan exclusion scope, which contains additional information about the exclusion scope.

The default value is not defined.

UseScanArea

Excludes the specified scope from scans.

Yes (default value) — Exclude the specified scope.

No — Do not exclude the specified scope.

AreaMask.item_#

Limitation of scan exclusion scope. In the exclusion scope, the application excludes only the files that are specified using masks in the shell format.

If this setting is not specified, the application excludes all the objects in the exclusion scope. You can specify several values for this setting.

Default value: * (exclude all objects)

Path

Path to the directory with objects to be excluded.

<path to local directory> — Exclude objects in the specified directory (including subdirectories) from scans. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

To optimize the operation of scan tasks on systems that use the btrfs file system with active snapshots enabled, it is recommended to add the path of the snapshots that the system mounts in read-only mode to the exclusions. For example, on SUSE/OpenSUSE-based systems, you can add the following exclusion: /.snapshots/*/snapshot/.

Mounted:NFS – Exclude the remote directories mounted on a device using the NFS protocol from scan.

Mounted:SMB – Exclude the remote directories mounted on a device using the Samba protocol from scan.

AllRemoteMounted – Exclude all remote directories mounted on the device using the Samba and NFS protocols from scan.

<file system type> — Exclude all the resources of the specified device file system from scans.

Remote directories are excluded from scanning by the application only if they were mounted before the task was started. Remote directories mounted after the task is started are not excluded from scanning.
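Before deploying an exclusion path mask, it helps to see which paths it would actually hide from the scan. The following added example (a Python model of the *, ** and ? rules described above, not the application's own matcher) compiles a mask and reports the paths it covers; the sample paths are constructed, and treating ? as never matching the / character is an assumption.

```python
import re

def mask_to_regex(mask):
    """Compile an exclusion path mask into a regex following the rules above."""
    # The page's example rejects /dir/**/**/file, so '**' is allowed once per mask here.
    if mask.count("**") > 1:
        raise ValueError(f"'**' may be used only once in a mask: {mask!r}")
    parts = []
    for token in re.split(r"(\*\*|\*|\?)", mask.rstrip("/")):
        if token == "**":
            parts.append(".*")      # any characters, including '/'
        elif token == "*":
            parts.append("[^/]*")   # any characters inside one path component
        elif token == "?":
            parts.append("[^/]")    # assumption: '?' does not match '/'
        else:
            parts.append(re.escape(token))
    # An excluded directory also covers everything in its subdirectories.
    return re.compile("".join(parts) + r"(?:/.*)?")

def is_excluded(path, mask):
    """True if the path falls under the excluded directory or file mask."""
    return mask_to_regex(mask).fullmatch(path) is not None

def coverage(paths, mask):
    """Return the paths that the exclusion mask would keep out of the scan."""
    return [p for p in paths if is_excluded(p, mask)]

# Constructed sample paths, for illustration only.
PATHS = [
    "/.snapshots/12/snapshot/etc/passwd",
    "/.snapshots/12/other/snapshot/bin/sh",
    "/srv/app/cache/tmp1/a.bin",
    "/srv/app/data/cache/tmp2/b.bin",
    "/srv/appx/run.sh",
]

if __name__ == "__main__":
    for mask in ("/.snapshots/*/snapshot/", "/srv/*/cache", "/srv/**/cache", "/srv/app?"):
        print(mask, "->", coverage(PATHS, mask))
```

Comparing the output for /srv/*/cache and /srv/**/cache shows how much wider the ** form is: it also covers cache directories nested at any depth.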
