Kaspersky Container Security

File Threat Protection

Kaspersky Container Security uses the File Threat Protection component to search for and analyze potential file threats in order to protect containerized files (including files in archives and email) from malware. If malware is detected, Kaspersky Container Security can block or delete the infected object and terminate the malicious process started using that object. The results of the malware scan are displayed together with the overall scan results.

You can enable or disable File Threat Protection and configure protection settings:

  • Select the file interceptor operation mode (audit, or blocking of objects).
  • Select a file scan mode (when opened, when opened and modified).
  • Enable or disable scanning of archives, mail databases, email messages in text format.
  • Temporarily exclude plain text files from re-scanning.
  • Limit the size of an object to be scanned and the scan duration.
  • Select the actions that the solution will perform on infected objects.
  • Configure scan scopes. Kaspersky Container Security will scan objects in the specified area of the file system.
  • Configure the use of the heuristic analyzer and the iChecker technology during a scan.
  • Enable or disable the recording of information about scanned uninfected objects, scanning of archived objects, and unprocessed objects to the security event log.

The File Threat Protection settings can be activated under Policies → Runtime policies → Container runtime profiles, configured in the File Threat Protection settings window, and applied to all existing runtime policies.

If you do not want File Threat Protection to be activated when a certain security environment policy is started, disable it in the policy settings using the Disabled / Enabled toggle. Also, make sure that File Threat Protection is not running under a different applicable runtime policy.

In this Help section

Configuring the File Threat Protection settings

File interceptor operation

Database updates

Force disabling of File Threat Protection


Configuring the File Threat Protection settings

Configuring File Threat Protection requires IS Administrator permissions.

To configure File Threat Protection:

  1. In the Policies → Runtime policies → Container runtime profiles section, click the Settings button.

    The window for configuring the File Threat Protection settings opens.

  2. Under File interceptor mode, select one of the following object scan modes:
    • In the Audit mode, the solution scans and keeps track of the content of objects.
    • In the Enforce mode, the solution blocks all objects that do not satisfy the configured rules and criteria.
  3. Under Scan mode, select a File Threat Protection mode:
    • Smart mode (default): a file is scanned on attempts to open it, and then scanned again on attempts to close it if the file has been modified. If a process accesses an object multiple times in the course of its operation and modifies it, the solution scans the object again only when the process closes it for the last time.
    • Open and modify: a file is scanned on attempts to open it, and then scanned again on attempts to close it if the file has been modified.
    • Open: a file is scanned on attempts to open it for reading, execution, or modification.
  4. Under Actions on detected objects, select the following from the drop-down lists:
    1. The First action that the File Threat Protection component will perform on a detected infected object:
      • Perform recommended action that depends on the risk severity level detected in the file and the possibility of disinfecting it (default).

        For example, Trojans are deleted immediately as they do not infect other files and disinfection is not applicable here.

      • Disinfect the object. A copy of the infected object will be moved to backup.
      • Block access to the object.
      • Remove an object. A copy of the infected object will be moved to backup.
    2. The Second action that the File Threat Protection component will perform on a detected infected object if the first action fails:
      • Perform recommended action that depends on the risk severity level detected in the file and the possibility of disinfecting it (default).
      • Disinfect the object. A copy of the infected object will be moved to backup.
      • Block access to the object.
      • Remove an object. A copy of the infected object will be moved to backup.

    We recommend specifying both actions for detected objects.

    Consider the following when selecting actions to perform on detected objects:

    • If Block or Remove is selected as the first action, the second action does not need to be specified.
    • If the second action is not selected, the default action is Block.
    • If the applicable runtime policy mode is set to Audit, no action is taken on detected objects.
  5. Under Scan settings, use the check boxes to define the scan objects that contain files and directories to scan. If a check box is selected, the solution scans the selected objects. You can select one or several scan settings from the following list:
    • Scan archives: this check box enables or disables archive scanning. By default, the check box is cleared and the solution does not scan archives.

      The solution scans archives in such formats as .ZIP, .7Z, .7-Z, .RAR, .ISO, .CAB, .JAR, .BZ, .BZ2, .TBZ, .TBZ2, .GZ, .TGZ, .ARJ, as well as .SFX self-extracting archives. The list of supported archive formats depends on the databases used.

      If archive scanning is enabled and Perform recommended action is set as the first action on a detected object, the solution deletes the infected object or the entire archive containing the threat, depending on the archive type.

      You can define the scope of archives for scanning by specifying Self-extracting archives or All archives. If you choose to scan self-extracting archives, the solution scans only archives that contain an executable unpacker.

      To start scanning, the solution first unpacks the archive, which may slow down the scan. You can reduce the duration of archive scanning by enabling and configuring the Skip object if scan takes longer than (sec) and Skip objects larger than (MB) settings.

    • Scan mail databases: this check box enables or disables scanning of Microsoft Outlook, Outlook Express, The Bat! and other mail application databases. By default, the check box is cleared, and the solution does not scan mail database files.
    • Scan plain mail: this check box enables or disables scanning of plain text email message files. By default, the check box is cleared and the solution does not scan plain text messages.
    • Skip text files: this check box enables or temporarily disables scanning of plain text files if they are reused by the same process within 10 minutes after the last scan. This setting allows you to optimize scanning of application logs. By default, the check box is cleared and the solution does not scan plain text files.
    • Skip object larger than (MB): this check box enables or disables a maximum size limit, in megabytes, for objects to be scanned. If the size of an object exceeds the specified value, the solution skips the object during scanning.

      Available values: 0–999999. If the value is set to 0, the solution scans files of any size.

      Default value: 0.

    • Skip object if scan takes longer than (sec): this check box enables or disables a time limit, in seconds, for scanning an object. After the specified time expires, the solution stops scanning the file.

      Available values: 0–9999. If the value is set to 0, the scan time is unlimited.

      Default value: 60.

  6. In the Technologies section, select the check boxes to define the technologies that the solution will use to scan objects. You can select one or both of the following options:
    • Use iChecker: this check box enables or disables scanning of only new files and files that have been modified since the last scan. iChecker is a scanning method that reduces the overall scan time by skipping some of the previously scanned files that have not been modified since the scan.

      If the check box is selected, the solution scans only new files and those modified since the last scan. If the check box is cleared, the solution scans files regardless of their creation or modification dates.

      The check box is selected by default.

    • Use heuristic analysis: this check box enables or disables the use of heuristic analysis when scanning objects. Heuristic analysis enables the solution to identify security threats unknown to malware analysts.

      The check box is selected by default.

      If the Use heuristic analysis check box is selected, you can select the heuristic analysis level. A heuristic analysis level balances the rigor of security threat scanning, the load on the operating system, and the scan duration. The higher the level, the more resources the scan requires, and the longer it takes. You can select one of the following options:

      • Recommended (default): the optimal level recommended by Kaspersky experts. This provides an optimal combination of protection quality and impact on the performance of protected servers.
      • Light: the least detailed scan, minimal system load.
      • Medium: medium scan detail, balanced system load.
      • Deep: the most detailed scan, maximum system load.
  7. Under Event logging, select the check boxes to determine whether the event will be recorded in the security event log. You can select one or several options for event logging:
    • Log clean objects: this check box enables or disables the logging of information about scanned objects that the solution has recognized as uninfected.
    • Log unprocessed objects: this check box enables or disables the logging of information about scanned objects that have not been processed for any reason.
    • Log packed objects: this check box enables or disables logging of information about scanned objects that are part of composite objects, such as archives.

    If the check box is selected, the solution logs the event for all objects. If the check box is cleared, the event is not logged. The check box is cleared by default.

  8. Click Save.

File interceptor operation

When running object scan jobs, File Threat Protection uses the file operation interceptor. It is set to one of the following file interception modes (InterceptorProtectionMode):

  • Enforce (default): blocks files for the duration of the scan job that uses the file interceptor. No file can be accessed until the scan has been completed. When detecting infected objects, the solution performs the actions specified in the settings under Actions on detected objects.
  • Audit: does not block files during the scan job that uses a file interceptor. Access to any file is allowed; scanning is performed asynchronously. When infected objects are detected, the solution only records an event in the Event Log. The actions specified in the settings under Actions on detected objects are not performed.

    If the Audit value is selected, the solution enables the notification mode of File Threat Protection.

The configured component settings are applied when File Threat Protection is activated in runtime policies. These settings are the same for all created runtime policies. If the applicable runtime policy is set to audit mode and InterceptorProtectionMode in File Threat Protection is set to Enforce, the solution blocks the files.


Database updates

The File Threat Protection databases are kept up to date to ensure the maximum level of containerized object protection against file threats. Updates run automatically on a schedule or on demand.

When a new agent is deployed, the solution updates and then applies the updated File Threat Protection databases.

When the solution is deployed in a public corporate network, updates are downloaded directly from the update server. When the solution is installed in a private corporate network, the updated File Threat Protection databases are added to the kcs-updates container, from which they are subsequently run and applied.

Applying updated databases to a running agent does not violate active runtime protection of nodes. Database updates are recorded in the event log.

If an error occurs while updating the databases, the solution cancels the File Threat Protection updates and continues using the previously installed databases. Errors that occur during the update are logged to the events.db file located in the node-agent pod.

The events.db file is available if File Threat Protection is enabled for the group of agents.


Force disabling of File Threat Protection

In Kaspersky Container Security 2.0, you can completely disable the File Threat Protection component. This can be necessary if you experience problems with the component.

You can forcibly disable the File Threat Protection component in two ways: by modifying the file for deploying agents on the cluster, or by modifying running agents.

To forcibly disable File Threat Protection using an agent deployment file:

  1. Open the .YAML file with instructions for deploying agents on the cluster that you downloaded when you deployed the agents.
  2. In the DaemonSet section for the node-agent, set the FILE_THREAT_PROTECTION_ENABLED environment variable to false.

    - name: FILE_THREAT_PROTECTION_ENABLED
      value: "false"   # Kubernetes requires env var values to be strings, so the value is quoted

  3. Save changes to the instructions file.
  4. In the console, apply the instructions file by running kubectl apply -f agents.yaml.

    The orchestrator redeploys the node-agent pods with File Threat Protection disabled.
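The following is an added example, not Kaspersky's own tooling: a small POSIX shell helper that performs step 2 on the downloaded agents.yaml non-interactively, rewriting the value of FILE_THREAT_PROTECTION_ENABLED while keeping the file's indentation and quoting the value as Kubernetes requires. It assumes the env entry is laid out as "- name: ..." followed on the next line by "value: ...", as shown in this Help section.

```shell
#!/bin/sh
# Added example (not part of Kaspersky Container Security).
# Assumption: the env entry is "- name: FILE_THREAT_PROTECTION_ENABLED"
# immediately followed by its "value:" line, as in the Help section.

# set_ftp_enabled FILE VALUE
# Rewrites FILE in place so FILE_THREAT_PROTECTION_ENABLED has VALUE.
# Returns 1 (and leaves FILE untouched) if the variable is not present.
set_ftp_enabled() {
    file="$1"; want="$2"
    grep -q 'name: FILE_THREAT_PROTECTION_ENABLED' "$file" || {
        echo "FILE_THREAT_PROTECTION_ENABLED not found in $file" >&2
        return 1
    }
    # When the previous line named the variable, replace the value line,
    # keep its indentation, and quote the value: Kubernetes env var
    # values must be strings, so an unquoted false is rejected.
    awk -v want="$want" '
        hit && $1 == "value:" {
            match($0, /^[ \t]*/)
            printf "%svalue: \"%s\"\n", substr($0, 1, RLENGTH), want
            hit = 0; next
        }
        { hit = ($0 ~ /name: FILE_THREAT_PROTECTION_ENABLED[ \t]*$/) }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# ftp_value FILE
# Prints the value currently set for FILE_THREAT_PROTECTION_ENABLED
# (quotes stripped), for a before/after check.
ftp_value() {
    awk '
        hit && $1 == "value:" { v = $2; gsub(/"/, "", v); print v; exit }
        { hit = ($0 ~ /name: FILE_THREAT_PROTECTION_ENABLED[ \t]*$/) }
    ' "$1"
}
```

Run set_ftp_enabled agents.yaml false before step 4, then apply the file with kubectl apply -f agents.yaml as the procedure describes.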

To forcibly disable File Threat Protection when agents are running:

  1. In the console, open the running agents for editing using the kubectl edit command.
  2. In the DaemonSet section for the node-agent, set the FILE_THREAT_PROTECTION_ENABLED environment variable to false.

    - name: FILE_THREAT_PROTECTION_ENABLED
      value: "false"   # Kubernetes requires env var values to be strings, so the value is quoted

  3. Save your changes.

    The orchestrator applies the saved changes and disables File Threat Protection.
