Contents
- Appendices
- Appendix 1. Resource consumption optimization
- Appendix 2. Commands for managing the Kaspersky application
- Appendix 3. Configuration files and default application settings
- Rules for editing application task configuration files
- Preset configuration files
- Default settings for command line tasks
- Default settings for the File_Threat_Protection task (ID:1)
- Default settings for the Scan_My_Computer task (ID:2)
- Default settings for the Scan_File task (ID:3)
- Default settings for the Critical_Areas_Scan task (ID:4)
- Default settings for Update task (ID:6)
- Default settings for the Web_Threat_Protection task (ID:14)
- Default settings for the Removable_Drives_Scan task (ID:16)
- Default settings for the Behavior_Detection task (ID:20)
- General application settings
- Encrypted connections scan settings
- Tasks schedule settings
- Appendix 4. Command line return codes
Appendix 1. Resource consumption optimization
When scanning objects, the Kaspersky application uses CPU resources, disk subsystem input/output, and RAM.
To view the resource consumption by the application, execute the following command:
top -bn1|grep kfl
The command must be executed when the system is loaded.
The command output shows the amount of used memory and processor time:
651 root 20 0 3014172 2.302g 154360 S 120.0 30.0 0:32.80 kfl
Column 6 displays the amount of resident memory – 2.302g.
Column 9 displays the percentage of the processor cores usage – 120.0, where each core is represented by 100 percent. Thus, 120% means that one core is fully used, and the other is used at 20%.
If the Kaspersky application scanning objects critically slows down the system, the application must be configured to optimize system resource usage.
How to identify a task that is hogging resources
To find out which application tasks are hogging system resources, it is necessary to distinguish the resource usage of File Threat Protection tasks (OAS type) and On-demand Scan tasks (ODS type).
How to analyze the performance of the File Threat Protection task
To analyze the operation of the File Threat Protection task:
- Stop all scan and monitoring tasks.
- Make sure that the on-demand scan tasks will not run during the scan or have no schedule. To do so:
- Get the list of all application tasks by executing the following command:
kfl-control --get-task-list - Get the schedule settings for the Malware Scan task by executing the following command:
kfl-control --get-schedule <task ID>If the command output is
RuleType=Manual, the task can only be started manually. - Get the schedule settings for all your Malware Scan and Custom Scan tasks, if any, and set them to start manually by executing the following command:
kfl-control --set-schedule <IDtasks> RuleType=Manual
- Get the list of all application tasks by executing the following command:
- Enable generation of application trace files with a high level of details by executing the following command:
kfl-control --set-app-settings TraceLevel=Detailed - Start the File Threat Protection task if it has not been started by executing the following command:
kfl-control --start-task 1 - Load the system in the mode that caused the performance problems; a few hours is enough.
While being loaded, the application writes a lot of information to the trace files; however only 5 files of 500 MB are stored by default, so the old information will be overwritten. If the problems with performance and resource consumption stop occurring, it means they are most likely caused by on-demand scan tasks and you can proceed to analyze the performance of ODS scan tasks.
- Disable creation of the application trace files by executing the following command:
kfl-control --set-app-settings TraceLevel=None - Determine the list of objects that have been scanned the most times by running the following command:
fgrep 'AVP ENTER' /var/log/kaspersky/kfl/kfl.* | awk '{print $8}' | sort | uniq -c | sort -k1 -n -r|lessThe result is loaded into less, a text viewer utility, where the objects that have been scanned the most times are displayed first.
- Determine whether the objects scanned the most number of times are dangerous. In case of any difficulties, contact Technical Support.
For example, directories and log files can be considered safe if a trusted process writes to them, database files can also be considered safe.
- Write down the paths to the objects that are safe, in your opinion; the paths will be required to configure exclusions from the scan scope.
- If various services frequently write data to files in the system, such files are scanned again in the pending queue. Determine the list of paths that have been scanned the most times in the pending queue by running the following command:
fgrep 'SYSCALL' /var/log/kaspersky/kfl/kfl.* | fgrep 'KLIF_ACTION_CLOSE_MODIFY' | awk '{print $9}' | sort | uniq -c | sort -k1 -n -rThe files that were scanned the most times will appear at the beginning of the list.
- If the counter for a file exceeds several thousands in a few hours, you should check whether you can trust this file in order to exclude it from scan.
The logic of to determine it is the same as for the previous study (see step 8): log files can be considered safe, since they cannot be launched.
- Even if some files are excluded from scan by the Real-time protection task, they can still be intercepted by the application. If excluding certain files from Real-time protection does not result in significant increase of performance, you can completely exclude the mount point where these files are located from the interception scope of the application. To do so, do the following:
- Run the following command to get the list of files intercepted by the application:
grep 'FACACHE.*needs' /var/log/kaspersky/kfl/kfl.* | awk '{print $9}' | sort | uniq -c | sort -k1 -n -r - Using this list, determine the paths used for most of the file operation interceptions and configure interception exceptions.
- Run the following command to get the list of files intercepted by the application:
How to optimize the File Threat Protection task
If, after analysis of the File Threat Protection task's operation, you have created a list of directories and files that can be excluded from the scan scope, you need to add them to the exclusions.
Scan exclusions
To exclude the /tmp/logs directory and all subdirectories and files recursively, execute the following command:
kfl-control --set-settings 1 --add-exclusion /tmp/logs
To exclude a specific file or files by mask in the /tmp/logs directory, execute the following command:
kfl-control --set-settings 1 --add-exclusion /tmp/logs/*.log
To exclude all files with the .LOG extension in the /tmp/ directory and subdirectories using a recursive mask, execute the following command:
kfl-control --set-settings 1 --add-exclusion /tmp/**/*.log
Interception exclusions
If you want to exclude files in a certain directory not only from scan, but also from interception, you can exclude the entire mount point.
To exclude an entire mount point:
- If the directory is not a mount point, create a mount point from it. For example, to create a mount point from the /tmp directory, execute the following command:
mount --bind /tmp/ /tmp - To keep the mount point after the server reboot, add the following line to the /etc/fstab file:
/tmp /tmp none defaults,bind 0 0 - Add the /tmp directory to the global exceptions by executing the following command:
kfl-control --set-app-settings ExcludedMountPoint.item_0000=/tmp - If you want to add several directories, increase the item_0000 counter by one (item_0001, item_0002, and so on).
It is also recommended to exclude mount points that are mounted remote resources with unstable or slow connection.
Changing scan type
By default, the File Threat Protection task can scan files when they are opened or closed. If analysis of the File Threats Protection task performance shows that too many files are being written, you can make the task operate only when files are opened by running the following command:
kfl-control --set-set 1 ScanByAccessType=Open
In this operation mode, changes made to the file after it is opened are not scanned until the next opening of the file.
Page topHow to analyze the performance of on-demand scan tasks
Tasks of the ODS type can also cause significant resource consumption. Follow these recommendations for the tasks of ODS type:
- Make sure that several on-demand scan tasks are not running at the same time. The application allows for operation in this mode, but resource consumption can significantly increase. Check the schedule of all ODS tasks (as described for the File Threat Protection task).
- Run the scan during the minimum server load.
- Make sure that there are no mounted remote resources (SMB/NFS) at the specified scan path. If a remote resource scan task cannot be performed directly on the server that provides the resource, do not perform the resource scan on servers with critical services, as execution of this task can take a long time (depending on the connection speed and the number of files).
- Optimize the settings of the on-demand scan task before start.
How to optimize an on-demand scan task
Scan exclusions
You can configure scan exclusions for on-demand scan (ODS) tasks. You can configure this in the same way as scan exclusions for the File Threat Protection task.
Scan exclusion settings for one scan task do not affect other scan tasks. Exclusions must be configured separately for each scan task.
Setting the memory usage limits when unpacking archives
The on-demand scan task uses RAM to unpack archives when scanning the archives recursively. The application allows adjusting the memory usage while scanning files using the ScanMemoryLimit parameter in the kfl.ini configuration file. The default value is 8192 MB. The minimum value is 2 MB. If the specified value is less than 2 MB, the application uses the minimum value (2 MB). If the specified value is greater than the amount of RAM available in the system, the application uses up to 25% of the RAM. This value cannot be changed.
How to limit memory usage by the application
You can limit the amount of RAM that the Kaspersky application uses when running OAS and ODS tasks.
Limiting memory usage can be useful for systems with a large amount of RAM (more than 5 GB).
You can use the ScanMemoryLimit setting in the kfl.ini configuration file to adjust the amount of RAM used by the application when scanning files. Default value: 8192 MB. The minimum value is 2 MB. If the specified value is less than 2 MB, the application uses the minimum value (2 MB). If the specified value is greater than the amount of RAM available on the device, the application uses up to 25% of the RAM. This value cannot be changed.
This setting limits only the amount of memory used when scanning files. That means that the total amount of memory required by the application can be more than the value of this setting.
To specify a limit on memory use when scanning files:
- Stop the Kaspersky application.
- Open the /var/opt/kaspersky/kfl/common/kfl.ini file for editing.
- Under [General], specify the required amount of RAM in the
ScanMemoryLimitsetting:ScanMemoryLimit=<amount of memory in megabytes> - Start the Kaspersky application.
The new memory usage limit for scanning files will be in effect after the application restarts.
Page topAppendix 2. Commands for managing the Kaspersky application
You can manage the Kaspersky application on the command line using management commands.
You can view the help on management commands of the application by running the following command:
kfl-control --help <command group prefix>
Where <command group prefix> accepts the following values:
- -B: commands for managing Backup
- -E: commands for managing application events
- -J: commands for managing the collection of system performance metrics
- -L: commands for managing license keys
- -N: commands for managing encrypted connections scan settings
- -S: statistics commands
- -T: commands for managing application tasks and settings
- -U: commands for managing users and roles
- -W: event display commands
Commands for managing application tasks and settings
-T is a prefix indicating that the command belongs to the group of commands for managing application settings and tasks.
-N is a prefix indicating that the command belongs to the group of commands for managing secure connections scan settings.
kfl-control --export-settings
This command outputs all application settings to the console or exports to a configuration file. These settings include encrypted connections scan settings, general application settings, and task settings.
Command syntax
kfl-control [-T] --export-settings [--file <configuration file path>] [--json]
Arguments and options
--file <configuration file path> is the full path to the configuration file where the application settings will be saved.
--json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
kfl-control --import-settings
This command imports all application settings from a configuration file, including encrypted connections scan settings, general application settings, and task settings.
Command syntax
kfl-control [-T] --import-settings --file <configuration file path> [--json]
Arguments and options
--file <configuration file path> is the full path to the configuration file from which you want to import settings into the application.
--json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
Commands for managing general application settings
kfl-control --get-app-settings
The command outputs the current values of the general application settings to the console or a configuration file.
Command syntax
kfl-control [-T] --get-app-settings [--file <configuration file path>] [--json]
Arguments and keys
--file <configuration file path> is the path to the configuration file where the application general settings will be written. If you do not specify the --file option, settings will be output to the console.
If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, no configuration file will be generated.
--json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
kfl-control --set-app-settings
This command configures the general application settings via command options or by importing settings from a configuration file.
Command syntax
Define settings via command options:
kfl-control [-T] --set-app-settings <option name>=<option value> [<option name>=<option value>]
Define settings via a configuration file:
kfl-control [-T] --set-app-settings --file <configuration file path> [--json]
Arguments and options
<option name>=<option value>: the name and value of a general application setting.
--file <configuration file path> is the full path to the configuration file from which you want to import settings into the application.
--json is specified to import the settings from the configuration file into the application in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
Commands for managing task settings
kfl-control --get-settings
This command outputs the current settings for a specified task to the console or a configuration file.
Command syntax
kfl-control [-T] --get-settings <task ID/name> [--file <configuration file path>] [--json]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
--file <configuration file path> is the path to the configuration file into which the task settings will be written. If you do not specify the --file option, settings will be output to the console.
If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, no configuration file will be generated.
--json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
kfl-control --set-settings
This command defines the settings for a specified task via command options or by importing settings from a configuration file.
Command syntax
Define settings via command options:
kfl-control [-T] --set-settings <task name/ID> <setting name>=<setting value> [<setting name>=<setting value>] [--add-path <path>] [--del-path <path>] [--add-exclusion <path>] [--del-exclusion <path>]
Define settings via a configuration file:
kfl-control [-T] --set-settings <task ID/name> --file <configuration file path> [--json]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
<setting name>=<setting value> is the name and value of one of the task settings.
--add-path <path> adds the path to the directory with the objects to be scanned.
--del-path <path> deletes the path to the directory with the objects to be scanned.
--add-exclusion <path>: add the path to the directory with objects to exclude from scanning.
--del-exclusion <path> deletes the path to the directory with the objects to be excluded.
--file <configuration file path> is the full path to the configuration file from which the task settings will be imported.
--json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
kfl-control --set-to-default
The command restores the default settings for the specified task.
Command syntax
kfl-control [-T] --set-settings <task ID/name> --set-to-default
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
kfl-control --get-schedule
The command outputs the current schedule of the specified task to the console or a configuration file.
Command syntax
kfl-control [-T] --get-schedule <task ID/name> [--file <configuration file path>] [--json]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
--file <configuration file path> is the path to the configuration file in which the settings for the task run schedule will be written. If you do not specify the --file option, settings will be output to the console.
If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, no configuration file will be generated.
--json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
kfl-control --set-schedule
The command defines a schedule for the specified task via command options or by importing settings from a configuration file.
Command syntax
Define settings via command options:
kfl-control [-T] --set-schedule <task ID/name> <setting name>=<setting value> [<setting name>=<setting value>]
Define settings via a configuration file:
kfl-control [-T] --set-schedule <task ID/name> --file <configuration file path> [--json]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
<setting name>=<setting value> is the name and value of one of the settings for the task schedule.
--file <configuration file path> is the full path to the configuration file from which the task schedule settings will be imported.
--json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
Commands for managing tasks
kfl-control --get-task-list
This command outputs a list of existing tasks.
Command syntax
kfl-control [-T] --get-task-list [--json]
Arguments and options
--json is specified to output the settings in JSON format.
kfl-control --get-task-state
This command outputs the status of the specified task.
Command syntax
kfl-control [-T] --get-task-state <task ID/name> [--json]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
--json is specified to output the settings in JSON format.
kfl-control --create-task
This command creates a task of the specified type with the default settings or settings specified in a configuration file.
Command syntax
Create a task with the default settings:
kfl-control [-T] --create-task <task name> --type <task type>
Create a task with the settings from a configuration file:
kfl-control [-T] --create-task <task name> --type <task type> [--file <configuration file path>] [--json]
Arguments and options
<task name> is the name that you specify for the new task.
<task type> is the identifier for the type of the created task.
--file <configuration file path>: the full path to the configuration file to import settings from.
--json is specified to import the settings from the configuration file in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
kfl-control --delete-task
This command deletes a task.
Command syntax
kfl-control [-T] --delete-task <task ID/name>
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
kfl-control --start-task
This command starts a task.
Command syntax
kfl-control [-T] --start-task <task ID/name> [-W] [--progress]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
[-W]: enable current events output.
[--progress]: display task progress.
kfl-control --stop-task
This command stops a task.
Command syntax
kfl-control [-T] --stop-task <task ID/name> [-W]
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
[-W]: enable current events output.
kfl-control --suspend-task
This command pauses a task.
Command syntax
kfl-control [-T] --suspend-task <task ID/name>
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
kfl-control --resume-task
This command resumes a task.
Command syntax
kfl-control [-T] --resume-task <task ID/name>
Arguments and options
<task ID/name> is the ID assigned to the task at the time of its creation, or the name of the task in the command line.
kfl-control --scan-file
This command creates and runs a custom scan task.
Command syntax
kfl-control [-T] --scan-file <path> [--action <action>]
Arguments and options
<path>: the path to the file or directory to scan. You can specify multiple paths by separating them with a space.
--action <action> is the action to be performed by the application on the infected objects. If you do not specify the --action option, the application performs the recommended action.
Commands for managing encrypted connections scan settings
-N is a prefix indicating that the command belongs to the group of commands for managing secure connections scan settings.
kfl-control -N --query
The command outputs lists of exclusions from encrypted connections scanning:
- a list of exclusions added by the user;
- a list of exclusions added by the application;
- list of exclusions received from the application databases.
Command syntax
kfl-control -N --query user
kfl-control -N --query auto
kfl-control -N --query kl
kfl-control --clear-web-auto-excluded
This command clears the list of domains that the application has automatically excluded from scanning.
Command syntax
kfl-control -N --clear-web-auto-excluded
kfl-control --get-net-settings
The command outputs the current encrypted connections scan settings to the console or a configuration file.
Command syntax
kfl-control [-N] --get-net-settings [--file <configuration file path>] [--json]
Arguments and options
--file <configuration file path>: the path to the configuration file to output the encrypted connections scan settings to. If you do not specify the --file option, settings will be output to the console.
If you specify the name of a file without its path, the file will be created in the current directory. If a file already exists in the specified path, it will be overwritten. If the specified directory does not exist, no configuration file will be generated.
--json is specified to output the settings in JSON format. If the --json option is not specified, the settings are output in the INI format.
kfl-control --set-net-settings
The command configures the encrypted connections scan settings with command options or by importing settings from a configuration file.
Command syntax
Define settings via command options:
kfl-control [-N] --set-net-settings <setting name>=<setting value> [<setting name>=<setting value>]
Define settings via a configuration file:
kfl-control [-N] --set-net-settings --file <configuration file path> [--json]
Arguments and options
<option name> = <option value >: the name and value of an encrypted connections scan option.
--file <configuration file path>: the full path to the configuration file to import encrypted connections scan settings from.
--json is specified to import the settings from the configuration file into the application in JSON format. If the --json option is not specified, the application attempts to import from an INI file. If the import fails, an error is displayed.
kfl-control --list-certificates
This command outputs a list of trusted root certificates.
Command syntax
kfl-control [-N] --list-certificates
kfl-control --add-certificate
This command adds a certificate to the list of trusted root certificates.
Command syntax
kfl-control [-N] --add-certificate <path to certificate>
Arguments and options
<path to certificate> is the path to the certificate file that you want to add (PEM or DER format).
kfl-control --remove-certificate
This command removes a certificate from the list of trusted root certificates.
Command syntax
kfl-control [-N] --remove-certificate <certificate subject>
Statistics commands
-S is a prefix indicating that the command belongs to the statistics command group.
kfl-control --app-info
This command outputs information about the application.
Command syntax
kfl-control [-S] --app-info [--json]
Arguments and options
--json is specified to output the settings in JSON format.
kfl-control --omsinfo
This command creates a JSON file for integration with Microsoft Operations Management Suite.
Command syntax
kfl-control [-S] --omsinfo --file <file path>
Commands for displaying events
kfl-control -W
This command enables the display of current application events. The command returns the name of the event and additional information about the event. You can use the command to display all current application events or only events associated with a currently running task.
Command syntax
kfl-control -W [--query "<filter conditions>"]
Arguments and keys
<filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value>', combined with the logical operator and to output specific current events.
Commands for managing application events
-E: a prefix indicating that the command belongs to the group of commands used for managing application events.
kfl-control -E
This command outputs information about all events in the application event log. You can use the less command to navigate through the list of displayed events.
Command syntax
kfl-control -E
kfl-control -E --query
This command outputs information about events from the application event log. You can use the less command to navigate through the list of displayed events. You can use a filter to output specific events or output a list of events to a file.
Command syntax
kfl-control -E --query "<filter conditions>" [--db <database file>] [-n <number>] [--file <file path>] [--json] [--reverse]
Arguments and options
<database file> is the full path to the event log database file to output events from. By default, the application saves information about events to the database in the /var/opt/kaspersky/kfl/private/storage/events.db database. The location of the database is determined by the EventsStoragePath global application setting.
<filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value >', combined with the help of the logical operator and to limit the results.
<number> – number of the latest events of the selection (number of records from the end of the selection) to be displayed.
--file <file path> is the full path to the file to output events to. If you specify the name of a file without specifying its path, the file will be created in the current directory. If a file with the specified name already exists in the specified path, it will be overwritten. If the specified directory cannot be found on the disk, file will not be created.
If you do not specify the --file option, the list of events will be output to the console.
--json: output events in JSON format.
--reverse: display events in reverse order (from the newest event at the top to the oldest at the bottom).
Commands for managing license keys
-L is a prefix indicating that the command belongs to the group of commands used to manage license keys.
kfl-control --add-active-key
This command adds an active license key to the application.
Command syntax
kfl-control [-L] --add-active-key <activation code>
Arguments and keys
<activation code> – activation code.
kfl-control --add-reserve-key
This command adds a reserve license key to the application.
If an active key has not yet been added to the application on the device, the command fails.
Command syntax
kfl-control [-L] --add-reserve-key <activation code>
Arguments and keys
<activation code> – activation code.
Example: Add a reserve key using the /home/test/00000002.key file:
|
kfl-control --remove-active-key
This command lets you remove an active license key.
Command syntax
kfl-control [-L] --remove-active-key
kfl-control --remove-reserve-key
This command lets you remove a reserve license key.
Command syntax
kfl-control [-L] --remove-reserve-key
kfl-control -L --query
The -L --query command outputs information about the license that the application is activated with and the license key currently in use.
Command syntax
kfl-control -L --query [--json]
Arguments and options
--json: output data in JSON format.
Commands for managing Backup
-B is a prefix indicating that the command belongs to the group of commands used to manage the Backup storage.
kfl-control --mass-remove
The command deletes some or all objects from Backup.
Command syntax
Delete all objects:
kfl-control [-B] --mass-remove
Delete objects that match the filter conditions:
kfl-control [-B] --mass-remove --query "<filter conditions>"
Arguments and options
<filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value >', combined with the help of the logical operator and to limit the results.
kfl-control -B --query
This command outputs information about Backup objects.
Command syntax
Output information about all objects in Backup:
kfl-control -B --query [-n <number>] [--json] [--reverse]
Output information about Backup objects that match the filter conditions:
kfl-control -B --query ["<filter conditions>"] [-n <number>] [--json] [--reverse]
Arguments and options
<filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value >', combined with the help of the logical operator and to limit the results. If you do not specify any filter conditions, the application will display the details of all objects in Backup.
<number>: the number of the most recent objects to display. If you do not specify the -n switch, the last 30 objects will be displayed. Specify 0 to show all objects.
--json: output data in JSON format.
--reverse – output objects in reverse order (from the newest object at the top to the oldest at the bottom).
kfl-control --restore
This command restores an object from Backup.
Command syntax
kfl-control [-B] --restore <object ID> [--file <file path>]
Arguments and options
<object ID>: the ID of the Backup object.
--file <file path>: the new name of the file and the path to the directory to save it to. If you do not specify the --file option, the object will be restored with its original name and to its original location.
Commands for managing users and roles
-U is a prefix indicating that the command belongs to the group of commands for managing users and roles.
kfl-control --get-user-list
This command outputs a list of users and roles.
Command syntax
kfl-control [-U] --get-user-list
kfl-control --grant-role
This command assigns a role to a specific user.
Command syntax
kfl-control [-U] --grant-role <role> <user>
kfl-control --revoke-role
This command revokes a role from a specific user.
Command syntax
kfl-control [-U] --revoke-role <role> <user>
Commands for managing system performance metrics
kfl-control --export-metrics
This command allows configuring the collection of operating system performance metrics.
Command syntax
kfl-control [-J] --export-metrics [--period <interval in seconds between exports>|--interactive]
Arguments and options
--period enables periodic output of results.
<interval in seconds between exports> (in seconds) sets the output period.
--interactive enables interactive output (on the Enter key being pressed).
Appendix 3. Configuration files and default application settings
The following configuration files are used for managing the Kaspersky application:
- The configuration file that contains the initial configuration settings of the application and is used when installing the application on the command line.
- Preset configuration files generated automatically during the initial configuration of the application and containing the options set during the initial configuration. These settings are applied at run time.
- Configuration files that you can create with Kaspersky management commands. These configuration files may contain task settings and other application settings. You can modify these files and import into the application to modify the corresponding options.
Rules for editing application task configuration files
When editing a configuration file, adhere to the following rules:
- Specify all mandatory settings in the configuration file. You can specify individual task settings without a file using the command line.
- If a setting belongs to a certain section, specify it only in this section. You can specify the settings in any order within the one section.
- Enclose the names of sections in square brackets [ ].
- Enter the values of settings in the format
<setting name>=<setting value>(spaces between the a setting name and its value are not processed).Example:
[ScanScope.item_0000]AreaDesc=HomeAreaMask.item_0000=*docPath=/homeSpace and tab characters are ignored before the first quotation mark and after the last quotation mark of a string value, and at the beginning and end of a string value that is not enclosed in quotation marks.
- If you need to specify several values for a setting, repeat the setting the same number of times as the number of values that you want to specify.
Example:
AreaMask.item_0000=*xmlAreaMask.item_0001=*doc - Be case-sensitive when entering values for the following types of settings:
- Names (masks) of scanned objects and excluded objects.
- Names (masks) of threats.
The remaining setting values are not case-sensitive.
- Specify Boolean setting values as follows:
Yes/No. - Use quotation marks to enclose string values containing a space character (for example, names of files and directories and their paths, expressions containing the date and time in the format "YYYY-MM-DD HH:MM:SS").
You can enter the remaining values with or without quotation marks.
Example:
AreaDesc="Scanning of email databases"A single quotation mark in the beginning or end of a string is considered an error.
Preset configuration files
After the initial configuration, the application creates the following configuration files:
- /var/opt/kaspersky/kfl/common/agreements.ini
The agreements.ini configuration file contains settings related to the End User License Agreement, Privacy Policy, and Kaspersky Security Network Statement.
- /var/opt/kaspersky/kfl/common/kfl.ini
The kfl.ini configuration file contains the settings described in the following table.
If necessary, you can edit the values of the settings in these files.
The default values in these files should be changed only under the supervision of Technical Support specialists and in accordance with their instructions.
Settings in the kfl.ini configuration file
Setting |
Description |
Values |
|---|---|---|
The [General] section contains the following settings: |
||
|
The locale used for texts (events, notifications, task results, and others). The locale of the application interface and the command line interface depends on the value of the |
The locale in the format specified by RFC 3066. If the |
|
Format of the installed application package. This setting does not affect the operation of the application. The value of the setting is filled in automatically during initial application configuration. |
|
|
Indicates use of fanotify notifications. This setting does not affect the operation of the application. The value of the setting is filled in automatically during initial application configuration. |
|
|
Enables generation of trace files at application startup. |
|
|
Display information in trace files that may contain personal data (for example, passwords). |
|
|
Enables asynchronous tracing, in which information is logged to trace files in asynchronously. |
|
|
Enables the creation of a dump file when application failure occurs. |
|
|
Path to the directory where the dump files are stored. |
Default value: /var/opt/kaspersky/kfl/common/dumps. Root privileges are required to access the default dump file directory. |
|
The minimum amount of disk memory that will remain after writing a dump file, in megabytes. |
Default value: 300. |
|
Limit on the application's use of memory in megabytes. |
Default value: 8192. |
|
The user's unique device ID. |
The value of the setting is filled in automatically during installation of the application. |
|
Path to a socket for a remote connection used, for example, by the application interface and the kfl-control utility. |
Default value: /var/run/bl4control. |
|
Limit on the number of subscriptions to changes in files and directories (user watches) in /proc/sys/fs/inotify/max_user_watches. |
Default value: 300000. |
|
Limit on the number of subscriptions to changes in files and directories for a single user. |
Default value: 2048. |
|
The number of environment variables that the application captures from the command call. |
Default value: 50. |
|
Number of arguments that the application captures from the exec call. |
Default value: 20. |
|
Indicates use of a public DNS. If there are errors accessing servers through the system DNS, the application uses a public DNS. This is needed for updating application databases and maintaining device security. The application will use the following public DNSes in this order:
|
The application's requests may contain domain addresses and the user's external IP address, since the application establishes a TCP/UDP connection with the DNS server. This information is necessary, for example, to check the certificate of a web resource when interacting via HTTPS. If the application is using a public DNS server, data processing rules are governed by the Privacy Policy of the corresponding service. If you need to block the application from using a public DNS server, contact Technical Support for a private patch. |
The [Network] section contains the following settings: |
||
|
A mark in the iptables rules for forwarding traffic to the application for processing by Web Threat Protection component. You may need to change this mark if a device with the application runs other software that uses the ninth bit of the TCP packet mask, and a conflict occurs. |
A decimal value or hexadecimal number with the prefix 0x. Default value: 0x100. |
|
A mark used to indicate packets created or scanned by the application, so that the application does not scan them again. |
A decimal value or hexadecimal number with the prefix 0x. Default value: 0x400. |
|
A mark used to indicate packages created or scanned by the application to prevent them from being logged by the iptable utility. |
A decimal value or hexadecimal number with the prefix 0x. Default value: 0x800. |
|
Number of the routing table. |
Default value: 101. |
The [Watchdog] section contains the following settings: |
||
|
Maximum time to wait for the kfl process to finish from the moment the Watchdog server sends the HEADSHOT signal to the kfl process. |
Default value: 2 minutes.
|
|
Maximum time to wait for the application to start (in minutes), after which the kfl process is restarted. |
Default value: 3 minutes. |
|
Maximum time to wait for the controlled kfl process to complete from the moment the Watchdog server sends the SIGKILL signal to the kfl process. If the kfl process does not finish before this time elapses, the action specified by the --failed-kill setting is performed. |
Default value: 2 days. |
|
The interval with which the application attempts to send a PONG message to a server in response to a received PING message. |
Default value: 2000 ms. |
|
Maximum number of consecutive unsuccessful attempts to start the application. |
Default value: 5. |
|
Maximum time interval during which the application should send a message to the Watchdog server. If a message is not received from the application within this time interval, the Watchdog server begins the procedure to terminate the kfl process. |
Default value: 2 minutes. |
|
Maximum time from the start of the kfl process to the moment when a connection with the Watchdog server is established by the application. If the application does not establish a connection in this time interval, the Watchdog server begins the procedure to terminate the kfl process. |
Default value: 3 minutes. |
|
Maximum time from the moment the application connects to the Watchdog server to the moment the server receives a REGISTER message. |
Default value: 500 ms. |
|
Maximum time to wait for the kfl process to finish from the moment the Watchdog server sends the SHUTDOWN signal to the kfl process. |
Default value: 2 minutes. |
|
Limit on the use of resident memory by the kfl process. If the kfl process uses more resident memory than this limit, the Watchdog server begins the procedure to terminate the kfl process. |
Default value: |
|
Limit on the use of virtual memory by the kfl process. If the kfl process uses more virtual memory than this limit, the Watchdog server begins the procedure to terminate the kfl process. |
|
|
Limit on the size of the swap file of the kfl process. If the swap file of the kfl process exceeds this limit, the Watchdog server begins the procedure to terminate the kfl process. |
|
|
Enabling application stability monitoring. If application stability monitoring is enabled, the Watchdog server tracks the number of abnormal halts of the application. |
|
|
The path to the file used for application stability monitoring. |
Default value: /var/opt/kaspersky/kfl/private/kfl_health.log. |
|
Time interval (in seconds) in which the application must experience the specified number of abnormal halts before displaying a notification about unstable operation. |
Default value: 3600 seconds |
|
Number of abnormal halts of the application that are required before displaying a notification about unstable application operation. |
Default value: 10. If the value is 0, an unstable application notification is not displayed. |
|
Time interval (in seconds) after which the application's unstable status will be cleared. |
Default value: 86400 seconds. |
Default settings for command line tasks
This section contains the default options for all predefined tasks that are provided for managing the Kaspersky application on the command line.
The Rollback and License tasks have no settings.
Default settings for the File_Threat_Protection task (ID:1)
ScanArchived=No
ScanSfxArchived=No
ScanMailBases=No
ScanPlainMail=No
SkipPlainTextFiles=No
TimeLimit=60
SizeLimit=0
FirstAction=Recommended
SecondAction=Block
UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportPackedObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
UseIChecker=Yes
ScanByAccessType=SmartCheck
[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*
Default settings for the Scan_My_Computer task (ID:2)
ScanFiles=Yes
ScanBootSectors=Yes
ScanComputerMemory=Yes
ScanStartupObjects=Yes
ScanArchived=Yes
ScanSfxArchived=Yes
ScanMailBases=No
ScanPlainMail=No
TimeLimit=0
SizeLimit=0
FirstAction=Recommended
SecondAction=Skip
UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportPackedObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
UseIChecker=Yes
UseGlobalExclusions=Yes
UseOASExclusions=Yes
DeviceNameMasks.item_0000=/**
[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*
Default settings for the Scan_File task (ID:3)
ScanFiles=Yes
ScanBootSectors=No
ScanComputerMemory=No
ScanStartupObjects=No
ScanArchived=Yes
ScanSfxArchived=Yes
ScanMailBases=No
ScanPlainMail=No
TimeLimit=0
SizeLimit=0
FirstAction=Recommended
SecondAction=Skip
UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportPackedObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
UseIChecker=Yes
UseGlobalExclusions=Yes
UseOASExclusions=Yes
DeviceNameMasks.item_0000=/**
[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*
Default settings for the Critical_Areas_Scan task (ID:4)
ScanFiles=No
ScanBootSectors=Yes
ScanComputerMemory=Yes
ScanStartupObjects=Yes
ScanArchived=Yes
ScanSfxArchived=Yes
ScanMailBases=No
ScanPlainMail=No
TimeLimit=0
SizeLimit=0
FirstAction=Recommended
SecondAction=Skip
UseExcludeMasks=No
UseExcludeThreats=No
ReportCleanObjects=No
ReportPackedObjects=No
ReportUnprocessedObjects=No
UseAnalyzer=Yes
HeuristicLevel=Recommended
UseIChecker=Yes
UseGlobalExclusions=Yes
UseOASExclusions=Yes
DeviceNameMasks.item_0000=/**
[ScanScope.item_0000]
AreaDesc=All objects
UseScanArea=Yes
Path=/
AreaMask.item_0000=*
Default settings for Update task (ID:6)
SourceType=KLServers
UseKLServersWhenUnavailable=Yes
ApplicationUpdateMode=DownloadOnly
ConnectionTimeout=10
Default settings for the Web_Threat_Protection task (ID:14)
UseTrustedAddresses=Yes
ActionOnDetect=Block
CheckMalicious=Yes
CheckPhishing=Yes
UseHeuristicForPhishing=Yes
CheckAdware=No
CheckOther=No
Default settings for the Removable_Drives_Scan task (ID:16)
ScanRemovableDrives=NoScan
ScanOpticalDrives=NoScan
BlockDuringScan=No
Default settings for the Behavior_Detection task (ID:20)
UseTrustedPrograms=No
TaskMode=Block
General application settings
General application settings define the operation of the application as a whole and the operation of individual functions.
General application settings
Setting |
Description |
Values |
|---|---|---|
|
Directory that stores the Samba configuration file. The Samba configuration file is required to ensure that the |
The standard directory of the SAMBA configuration file on the computer is specified by default. Default value: /etc/samba/smb.conf. The application must be restarted after this setting is changed. |
|
The directory where the NFS configuration file is stored. The NFS configuration file is required to ensure that the |
The standard directory of the NFS configuration file on the computer is specified by default. Default value: /etc/exports. The application must be restarted after this setting is changed. |
|
Enable application tracing and the level of detail in the trace files. |
|
|
The directory that stores the application trace files. |
Default value: /var/log/kaspersky/kfl. If you specify a different directory, make sure that the user under which the Kaspersky application is running has read/write permissions for this directory. Root privileges are required to access the default trace files directory. The application must be restarted after this setting is changed. |
|
Maximum number of application trace files. |
1–10000 Default value: 10. The application must be restarted after this setting is changed. |
|
Specifies the maximum size of an application trace file (in megabytes). |
1–1000 Default value: 500. The application must be restarted after this setting is changed. |
|
Blocks access to files for which the full path length exceeds the defined settings value specified in bytes. If the length of the full path to the scanned file exceeds the value of this setting, scan tasks skip this file during scanning. This setting is not available for operating systems that use the fanotify technology. |
4096–33554432 Default value: 16384. After changing the value of this setting, the File Threat Protection task needs to be restarted. |
|
Enable detection of legitimate applications that intruders can use to compromise devices or data. |
|
|
Enabling the file operation intercept mode with blocking access to files for the duration of the scan. The file operation interception mode affects the operation of the File Threat Protection component. |
|
|
Enabling Kaspersky Security Network usage: |
|
|
Enables use of a proxy server by components of the Kaspersky application. A proxy server can be used to communicate with Kaspersky Security Network, to activate the application, and when updating application databases and modules. |
|
|
Proxy server options in the format: [ When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised. |
— |
|
The maximum number of events stored by the application. When the specified number of events is exceeded, the application deletes the oldest events. |
Default value: 500000. If 0 is specified, events are not saved. |
|
The maximum number of custom scan tasks that a non-privileged user can simultaneously start on the device. This setting does not limit the number of tasks that a user with root privileges can start. |
0–4294967295 Default value: 0. If 0 is specified, a non-privileged user cannot start custom scan tasks. If you installed the application interface package when installing the application, the |
|
Enable logging of information about events to syslog Root privileges are required to access syslog. |
|
|
The database directory where the application saves information about events. Root privileges are required to access the default event database. |
Default value: /var/opt/kaspersky/kfl/private/storage/events.db. |
|
The mount point to exclude from the scan scope. This exclusion applies to the File Threat Protection component and the Removable Drives Scan task, and is also configured for scan tasks (of the ODS type). You can specify several mount points to be excluded from scans. Mount points must be specified in the same way as they are displayed in the The |
|
|
Exclude process memory from scans. The application does not scan the memory of the indicated process. |
|
|
Enables a limit on CPU resource usage by scan tasks of the ODS type. |
|
|
The maximum utilization of all processor cores (as a percentage) when running tasks of the ODS type. |
10–100 Default value: 100. |
|
Time period for storing objects in the Backup storage (in days). After the specified time has elapsed, the application deletes the oldest backup copies of files. To remove the object retention limit, set 0. |
0–10000 0–unlimited retention. Default value: 30. |
|
Maximum Backup size in MB. When the maximum Backup storage size is reached, the application deletes the oldest backup copies of files. To remove the Backup size limit, set 0. |
0–999999 0–unlimited size. Default value: 0. |
|
Path to the Backup directory. You can specify a custom Backup storage directory that is different from the default directory. You can use directories on any device as the Backup storage. It is not recommended to assign directories that are located on remote devices, such as those mounted via the Samba and NFS protocols. If the specified directory does not exist or is unavailable, the application uses the default directory. |
Default value: /var/opt/kaspersky/kfl/common/objects-backup/ Root privileges are required to access the default Backup storage directory. |
Encrypted connections scan settings
Encrypted connections scan settings
Setting |
Description |
Values |
|---|---|---|
|
Enables or disables encrypted traffic scan. For the FTP protocol, secure connections scan is disabled by default. |
|
|
Specifies the action to perform when a secure connection scan error occurs on a website. |
|
|
Specifies the way the Kaspersky application verifies certificates. If a certificate is self-signed, the application does not perform additional verification. |
|
|
The action to take when an unconfirmed certificate is detected. |
|
|
Using exclusions when scanning encrypted traffic. |
|
|
Specifies the way the Kaspersky application monitors network ports. |
Specifying this value may significantly increase an operating system load. |
The [Exclusions.item_#] section contains domains excluded from scans. The application does not scan secure connections established when visiting specified domains. |
||
|
Specifies the domain name. You can use masks to specify the domain. |
The default value is not defined. |
The [NetworkPorts.item_#] section contains the network ports monitored by the application. |
||
|
Network port description. |
The default value is not defined. |
|
Network port numbers to be monitored by the application. |
The default value is not defined. |
Tasks schedule settings
Task start schedule settings
Setting |
Description |
Values |
|---|---|---|
|
Task launch schedule. |
|
|
Task start date and time. The |
|
|
A time interval from 0 to the specified value (in minutes), which will be added to the task start time to avoid starting tasks at the same time. |
|
|
Run a missed task after the application starts. |
|
Appendix 4. Command line return codes
The Kaspersky application has the following command line return codes:
0 – command/task completed successfully.
1 – general error in command arguments.
2 – error in passed application settings.
64 – the Kaspersky application is not running.
66 – application databases are not downloaded (used only by the kfl-control --app-info command).
67 – activation 2.0 ended with an error due to network problems.
68 – the command cannot be executed because the application is running under a policy.
69 – the application is located in the Amazon Paid Ami infrastructure.
70 – an attempt to start a running task, delete a running task, change the settings of a running task, stop a stopped task, pause a suspended task, or resume a running task.
71 – Kaspersky Security Network Statement has not been accepted.
72 – threats were detected by the Custom scan task.
74 – the Kaspersky application must be restarted after an update.
75 means the device must be restarted.
76 — connection prohibited, as only users with root rights should have write access to the specified path.
77 — the specified license key is already in use on the device.
128 – unknown error.
65 – all other errors.
Page top