Configuring the File Threat Protection settings

Configuring File Threat Protection requires the IS Administrator permissions.

To configure File Threat Protection:

In the Policies → Runtime policies → Container runtime profiles section, click the Settings button.
The window for configuring the File Threat Protection settings opens.
Under File interceptor mode, select one of the following object scan modes:
- In the Audit mode, the solution scans and keeps track of the content of objects.
- In the Enforce mode, the solution blocks all objects that do not satisfy the configured rules and criteria.
Under Scan mode, select a File Threat Protection mode:
- Smart mode (default): a file is scanned on attempts to open it, and then scanned again on attempts to close it if the file has been modified. If a process accesses an object multiple times in the course of its operation and modifies it, the solution scans the object again only when the process closes it for the last time.
- Open and modify: a file is scanned on attempts to open it, and then scanned again on attempts to close it if the file has been modified.
- Open: a file is scanned on attempts to open it for reading, execution, or modification.
Under Actions on detected objects, select the following from the drop-down lists:
1. The First action that the File Threat Protection component will perform on a detected infected object:
  - Perform recommended action that depends on the risk severity level detected in the file and the possibility of disinfecting it (default).
    For example, Trojans are deleted immediately as they do not infect other files and disinfection is not applicable here.
  - Disinfect the object. A copy of the infected object will be moved to backup.
  - Block access to the object.
  - Remove an object. A copy of the infected object will be moved to backup.
2. The Second action that the File Threat Protection component will perform on a detected infected object if the first action fails:
  - Perform recommended action that depends on the risk severity level detected in the file and the possibility of disinfecting it (default).
  - Disinfect the object. A copy of the infected object will be moved to backup.
  - Block access to the object.
  - Remove an object. A copy of the infected object will be moved to backup.
We recommend specifying both actions for detected objects.

Consider the following when selecting actions to perform on detected objects:
- If Block or Remove is selected as the first action, the second action does not need to be specified.
- If the second action is not selected, the default action is Block.
- If the applicable runtime policy mode is set to Audit, no action is taken on detected objects.
Under Scan settings, use the check boxes to define the scan objects that contain files and directories to scan. If a check box is selected, the solution scans the selected objects. You can select one or several scan settings from the following list:
- Scan archives: this check box enables or disables archive scanning. By default, the check box is cleared and the solution does not scan archives.
  The solution scans archives in such formats as .ZIP, .7Z *, .7-Z, .RAR, .ISO, .CAB, .JAR, .BZ, .BZ2, .TBZ, .TBZ2, .GZ, .TGZ, .ARJ, as well as .SFX self-extracting archives. The list of supported archive formats depends on the databases used.
  
  If archive scanning is enabled and Perform recommended action is set as the first action on a detected object, the solution deletes the infected object or the entire archive containing the threat, depending on the archive type.
  
  You can define the scope of archives for scanning by specifying Self-extracting archives or All archives. If you choose to scan self-extracting archives, the solution scans only archives that contain an executable unpacker.
  
  To start scanning, the solution first unpacks the archive, which may slow down the scan. You can reduce the duration of archive scanning by enabling and configuring the Skip object if scan takes longer than (sec) and Skip objects larger than (MB) settings.
- Scan mail databases: this check box enables or disables scanning of Microsoft Outlook, Outlook Express, The Bat! and other mail application databases. By default, the check box is cleared, and the solution does not scan mail database files.
- Scan plain mail: this check box enables or disables scanning of plain text email message files. By default, the check box is cleared and the solution does not scan plain text messages.
- Skip text files: this check box enables or temporarily disables scanning of plain text files if they are reused by the same process within 10 minutes after the last scan. This setting allows you to optimize scanning of application logs. By default, the check box is cleared and the solution does not scan plain text files.
- Skip object larger than (MB): this check box enables or disables scanning of objects with the specified maximum size in megabytes. If the size of an object to be scanned exceeds the specified value, the solution skips the object during scanning.
  Available values: 0–999999. If the value is set to 0, the solution scans files of any size.
  
  Default value: 0.
- Skip object if scan takes longer than (sec): this check box enables or disables time limit in seconds for scanning an object. After the specified time expires, the solution stops scanning the file.
  Available values: 0–9999. If the value is set to 0, the scan time is unlimited.
  
  Default value: 60.
In the Technologies section, select the check boxes to define the technology that the solution will use to scan objects. You can select one of the following options:
- Use iChecker: this check box enables or disables scanning of only new files and files that have been modified since the last scan. iChecker is a scanning method that reduces the overall scan time by skipping some of the previously scanned files that have not been modified since the scan.
  If the check box is selected, the solution scans only new files and those modified since the last scan. If the check box is cleared, the solution scans files regardless of their creation or modification dates.
  
  The check box is selected by default.
- Use heuristic analysis: this check box enables or disables the use of heuristic analysis when scanning objects. Heuristic analysis enables the solution to identify security threats unknown to malware analysts.
  The check box is selected by default.
  
  If the Use heuristic analysis check box is selected, you can select the heuristic analysis level. A heuristic analysis level balances the rigor of security threat scanning, the load on the operating system, and the scan duration. The higher the level, the more resources the scan requires, and the longer it takes. You can select one of the following options:
  - Recommended (default): the optimal level recommended by Kaspersky experts. This provides an optimal combination of protection quality and impact on the performance of protected servers.
  - Light: the least detailed scan, minimal system load.
  - Medium: medium scan detail, balanced system load.
  - Deep: the most detailed scan, maximum system load.
Under Event logging, select the check boxes to determine whether the event will be recorded in the security event log. You can select one or several options for event logging:
- Log clean objects: this check box enables or disables the logging of information about scanned objects that the solution has recognized as uninfected.
- Log unprocessed objects: this check box enables or disables the logging of information about scanned objects that have not been processed for any reason.
- Log packed objects: this check box enables or disables logging of information about scanned objects that are part of composite objects, such as archives.
If the check box is selected, the solution logs the event for all objects. If the check box is cleared, the event is not logged. The check box is cleared by default.
Click Save.

Page top