Kaspersky Embedded Systems Security for Linux
3.3.0
English

Contents

File Threat Protection task (File_Threat_Protection, ID:1)

File Threat Protection prevents infection of the device's file system. The File Threat Protection task is created automatically with default settings when you install Kaspersky Embedded Systems Security application on your device. By default, the File Threat Protection task starts automatically when the application starts. The task resides in the device's RAM and scans all opened, saved, and active files.

Administrator role privileges are required to start and stop the File Threat Protection task from the command line.

Upon detecting malware, Kaspersky Embedded Systems Security may remove the infected file and terminate the malware process started from this file.

When the File Threat Protection task is running, the application scans all namespaces and containers in all supported operating systems if NamespaceMonitoring is set to Yes in the general application settings. Additionally, for Astra Linux, a custom virus scan task (Scan_File) allows files from other namespaces to be scanned (as part of a mandatory scan). You can separately configure general scan settings for containers and namespaces.

The application does not scan namespaces and containers unless components for working with containers and namespaces are installed in the operating system. Moreover, when viewing application information in the Container monitoring row, "The task is available and not running" is displayed.

File Threat Protection user tasks cannot be created. You can modify the settings of the default File Threat Protection task.

If InterceptorProtectionMode is set to Notify in the general application settings, then when infected objects are detected, the application does not perform the actions specified in the FirstAction and SecondAction settings of the File Threat Protection task.

In this Help section

Special considerations for scanning symbolic links and hard links

File Threat Protection task settings

Specifying an exclusion scope

Optimizing network directory scanning
Page top
[Topic 197961]

Special considerations for scanning symbolic links and hard links

Kaspersky Embedded Systems Security lets you scan symbolic links and hard links to files.

Scanning symbolic links

The application scans symbolic links only if the file referenced by the symbolic link is within the protection scope of the File Threat Protection task.

If the file referenced by the symbolic link is not within the File Threat Protection task, the application does not scan this file. However, if the file contains malicious code, the security of the device is at risk.

Scanning hard links

When processing a file with more than one hard link, the application chooses an action depending on the specified action on objects:

  • If the Perform recommended action option is selected, the application automatically selects and performs an action on an object based on data about the danger level of the threat detected in the object and the possibility of disinfecting it.
  • If the Remove action is selected, the application removes the hard link being processed. The remaining hard links to this file will not be processed.
  • If the Disinfect action is selected, the application disinfects the source file. If disinfection fails, the application deletes the hard link and creates in its place a copy of the source file with the name of the deleted hard link.

When you restore a file with a hard link from the Storage, the application creates a copy of the source file with the name of the hard link that was moved to the Storage. Connections with the remaining hard links to the source file will not be restored.

Page top
[Topic 197963]

File Threat Protection task settings

The table describes all available values and default values of all the settings that you can specify for the File Threat Protection task.

File Threat Protection task settings

Setting

Description

Values

ScanArchived

Enables scanning of archives (including SFX self-extracting archives).

The application scans the following archives: .zip; .7z*; .7-z; .rar; .iso; .cab; .jar; .bz; .bz2; .tbz; .tbz2; .gz; .tgz; .arj. The list of supported archive formats depends on the application databases being used.

Yes—Scan archives. If the FirstAction=Recommended value is specified, then, depending on the archive type, the application deletes either the infected object or the entire archive that contains the threat.

No (default value) — Do not scan archives.

ScanSfxArchived

Enables scanning of self-extracting archives only (archives that contain an executable extraction module).

Yes — Scan self-extracting archives.

No (default value) — Do not scan self-extracting archives.

ScanMailBases

Enables scanning email databases of Microsoft Outlook, Outlook Express, The Bat, and other mail clients.

Yes — Scan files of email databases.

No (default value) — Do not scan files of email databases.

ScanPlainMail

Enables scanning of plain text email messages.

Yes — Scan plain text email messages.

No (default value) — Do not scan plain text email messages.

SkipPlainTextFiles

Temporary exclusion of files in text format from scans.

If the value of this setting is SkipPlainTextFiles=Yes, the application does not scan text files if they are reused by the same process for 10 minutes after the most recent scan. This setting makes it possible to optimize scans of application logs.

Yes – Do not scan text files if they are reused by the same process for 10 minutes after the most recent scan.

No (default value) – scan files in plain text format.

SizeLimit

Maximum size of an object to be scanned (in megabytes). If the object to be scanned is larger than the specified value, the application skips this object.

0–999999

0 — The application scans objects of any size.

Default value: 0.

TimeLimit

Maximum object scan duration (in seconds).

The application stops scanning the object if it takes longer than the time specified by this setting.

0–9999

0 — The object scan time is unlimited.

Default value: 60.

FirstAction

Selection of the first action to be performed by the application on the infected objects.

Before performing the action specified by you on an object, Kaspersky Embedded Systems Security blocks access to the object by applications that attempt to access it.

 

If InterceptorProtectionMode is set to Notify in the general application settings, then when infected objects are detected, the application does not perform the action specified in the FirstAction setting.

Disinfect — The application tries to disinfect an object and save a copy of it to the Storage. If disinfection fails (for example, if the type of object or the type of threat in the object cannot be disinfected), then the application leaves the object unchanged. If the first action is Disinfect, it is recommended to specify a second action using the SecondAction setting.

Remove — The application removes the infected object after creating a backup copy of it.

Recommended (perform recommended action) — The application automatically selects and performs an action on the object based on information about the threat detected in the object. For example, Kaspersky Embedded Systems Security immediately removes Trojans since they do not incorporate themselves into other files and therefore they do not need to be disinfected.

Block – The application blocks access to an infected object. Information about the infected object is logged.

Default value: Recommended.

SecondAction

Selection of the second action to be performed by the application on the infected objects. The application performs the second action if the first action fails.

If InterceptorProtectionMode is set to Notify in the general application settings, then when infected objects are detected, the application does not perform the action specified in the SecondAction setting.

The possible values of the SecondAction setting are the same as those of the FirstAction setting.

If Block or Remove is selected as the first action, the second action does not need to be specified. It is recommended to specify two actions in all other cases. If you have not specified a second action, the application applies Block as the second action.

Default value: Block.

UseExcludeMasks

Enables exclusion of the objects specified by the ExcludeMasks.item_# setting from the scan.

Yes — Exclude objects specified by the ExcludeMasks.item_# setting from the scan.

No (default value) — Do not exclude objects specified by the ExcludeMasks.item_# setting from the scan.

ExcludeMasks.item_#

Excludes objects from being scanned by name or mask.

You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format.

The default value is not defined.

Example:

UseExcludeMasks=Yes

ExcludeMasks.item_0000=eicar1.*

ExcludeMasks.item_0001=eicar2.*

 

UseExcludeThreats

Enables exclusion of objects containing the threats specified by the ExcludeThreats setting from scans.

Yes — Exclude objects containing the threats specified by the ExcludeThreats.item_# setting from the scan.

No (default value): do not exclude objects containing the threats specified by the ExcludeThreats.item_# setting from the scan.

ExcludeThreats.item_#

Excludes objects from scans by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is enabled.

In order to exclude an object from scans, specify the full name of the threat detected in this object – the string containing the application's decision that the object is infected.

For example, you may be using a utility to collect information about your network. To keep the application from blocking it, add the full name of the threat contained in it to the list of threats excluded from scans.

You can find the full name of the threat detected in an object in the application log or on the Virus Encyclopedia website.

The setting value is case-sensitive.

The default value is not defined.

Example:

UseExcludeThreats=Yes

ExcludeThreats.item_0000=EICAR-Test-*

ExcludeThreats.item_0001=?rojan.Linux

 

ReportCleanObjects

Enables logging of information about scanned objects that the application reports as not being infected.

You can enable this setting, for example, to make sure that a particular object was scanned by the application.

Yes — Log information about non-infected objects.

No (default value) — Do not log information about non-infected objects.

ReportPackedObjects

Enables logging of information about scanned objects that are part of compound objects.

You can enable this setting, for example, to make sure that an object within an archive has been scanned by the application.

Yes — Log information about scanned objects within archives.

No (default value) — Do not log information about scanned objects within archives.

ReportUnprocessedObjects

Enables logging of information about objects that have not been processed for some reason.

Yes — Log information about unprocessed objects.

No (default value) — Do not log information about unprocessed objects.

UseAnalyzer

Enables heuristic analysis.

Heuristic analysis helps the application to detect threats even before they become known to virus analysts.

Yes (default value) — Enable Heuristic Analyzer.

No — Disable Heuristic Analyzer.

HeuristicLevel

Specifies the heuristic analysis level.

The heuristic analysis level sets the balance between the thoroughness of searches for threats, the load on the operating system's resources, and the scan duration. The higher the heuristic analysis level, the more resources and time are required for scanning.

Light — The least thorough scan with minimum load on the system.

Medium — A medium heuristic analysis level with a balanced load on the system.

Deep — The most thorough scan with maximum load on the system.

Recommended (default value) — The recommended value.

UseIChecker

Enables usage of the iChecker technology.

Yes (default value) — Enable use of the iChecker technology.

No — Disable use of the iChecker technology.

ScanByAccessType

File Threat Protection task operation mode. The ScanByAccessType setting applies only to the File Threat Protection task.

SmartCheck (default value) — Scan a file on attempts to open it, and scan it again on attempts to close it if the file has been modified. If a process accesses an object multiple times in the course of its operation and modifies it, the application scans the object again only when the process closes it for the last time.

OpenAndModify — Scan a file on attempts to open it, and scan it again on attempts to close it if the file has been modified.

Open — Scan a file on attempts to open it for reading, execution, or modification.

The [ScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan scope, which contains additional information about the scan scope.

The maximum length of the string specified using this setting is 4096 characters.

Default value: All objects.

Example:

AreaDesc="Scanning of email databases"

 

UseScanArea

Enables scans of the specified scope. To run the task, enable scans of at least one scope.

Yes (default value) — Scan the specified scope.

No — Do not scan the specified scope.

AreaMask.item_#

Scan scope limitation. With this scan scope, the application only scans files that are specified using masks in the shell format.

If this setting is not specified, the application scans all the objects in the scan scope. You can specify several values for this setting.

The default value is * (scan all objects).

Example:

AreaMask_item_<item number>=*doc

 

Path

Path to the directory with objects to be scanned.

 

<path to local directory> — Scan objects in the specified directory. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

Shared:NFS — Scan the device file system resources that are accessible via the NFS protocol.

Shared:SMB – Scan the device file system resources that are accessible via the Samba protocol.

Mounted:NFS – Scan the remote directories mounted on a device using the NFS protocol.

Mounted:SMB – Scan the remote directories mounted on a device using the Samba protocol.

AllRemoteMounted – Scan all remote directories mounted on the device using the Samba and NFS protocols.

AllShared – Scan all the device file system resources that are accessible via the Samba and NFS protocols.

<file system type> — Scan all the resources of the specified device file system.

The [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Description of the scan exclusion scope, which contains additional information about the exclusion scope.

The default value is not defined.

UseScanArea

Excludes the specified scope from scans.

Yes (default value) — Exclude the specified scope.

No — Do not exclude the specified scope.

AreaMask.item_#

Limitation of scan exclusion scope. In the exclusion scope, the application excludes from scans only files that are specified using masks in the shell format.

If this setting is not specified, the application does not scan any of the objects within the exclusion scope. You can specify several values for this setting.

Default value: * (exclude all objects from scan)

Path

Path to the directory with objects to be excluded.

 

<path to local directory> — Exclude objects in the specified directory from scan. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

<path to local directory> – Exclude objects in the specified directory, as well as subdirectories, from scanning. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

In order to optimize the operation of scan tasks, it is recommended to add the path with snapshots mounted by the system in the read-only mode to the exclusions for the systems with the btrfs file system and enabled active snapshots. For example, for the systems based on SUSE/OpenSUSE, you can add the following exclusion /.snapshots/*/snapshot/.

Mounted:NFS– Exclude the remote directories mounted on a device using the NFS protocol from scan.

Mounted:SMB – Exclude the remote directories mounted on a device using the Samba protocol from scan.

AllRemoteMounted – Exclude all remote directories mounted on the device using the Samba and NFS protocols from scan.

<file system type> — Exclude all the resources of the specified device file system from scans.

Remote directories are excluded from scanning by the application only if they were mounted before the task was started. Remote directories mounted after the task is started are not excluded from scanning.

The [ExcludedForProgram.item_#] section contains the following settings:

ProgramPath

Path to excluded process.

<full path to process> – Do not scan the process in the indicated local directory.

ApplyToDescendants

Exclude child processes of the excluded process specified by the ProgramPath setting from scans.

Yes – exclude the specified process and all its child processes from scans.

No (default value) – exclude only the specified process from scans, do not exclude its child processes from scans.

AreaDesc

Description of the process exclusion scope.

Default value: All objects.

UseExcludedForProgram

Excludes the specified scope from scans.

Yes (default value) — Exclude the specified scope.

No — Do not exclude the specified scope.

AreaMask.item_#

Limitation of the process exclusion scope. In the process exclusion scope, the application excludes from scans only the files that are specified using masks in the shell format.

If this setting is not specified, the application excludes from scans all the objects within the process exclusion scope. You can specify several values for this setting.

Default value: * (exclude all objects from scan)

Path

Path to a directory with files that are modified by the process.

 

<path to local directory> — Exclude objects in the specified directory from scan. You can use masks to specify the path.

You can use the * (asterisk) character to create a file or directory name mask.

You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

You can use a single ? character to represent any one character in the file or directory name.

Shared:NFS — Exclude device file system resources that are accessible via the NFS protocol from scans.

Shared:SMB — Exclude device file system resources that are accessible via the Samba protocol from scans.

Mounted:NFS– Exclude the remote directories mounted on a device using the NFS protocol from scan.

Mounted:SMB – Exclude the remote directories mounted on a device using the Samba protocol from scan.

AllRemoteMounted – Exclude all remote directories mounted on the device using the Samba and NFS protocols from scan.

AllShared – Exclude all device file system resources that are accessible using the Samba and NFS protocols from scan.

<file system type> — Exclude all the resources of the specified device file system from scans.

Page top

[Topic 234812]

Specifying an exclusion scope

You can specify an exclusion scope for the File Threat Protection task. Files in the exclusion scope are excluded from protection scopes.

To create an exclusion scope:

  1. Save the File Threat Protection task settings to a file using the following command:

    kess-control --get-settings 1 --file <full path to the configuration file>

  2. Add the [ExcludedFromScanScope.item_#] section to the created file. This section contains the following settings:
    • AreaDesc – a description of the exclusion scope, which contains additional information about the exclusion scope.
    • Path – the path to the files or directories to be excluded from the protection scope.
    • AreaMask.item_# – file name mask for the files to be excluded from the protection scope.

      Example:

      [ExcludedFromScanScope.item_0000]

      AreaDesc=

      UseScanArea=Yes

      Path=/tmp/notchecked

      AreaMask.item_0000=*
  3. Import settings from the configuration file to the File Threat Protection task by using the following command:

    kess-control --set-settings 1 --file <full path to the configuration file>

You can also manage exclusion scopes from the command line.

Page top
[Topic 197965]

Optimizing network directory scanning

To optimize the File Threat Protection task, you can exclude from scans any files being copied from network directories. Files are scanned only after the process of copying to a local directory is finished. To exclude files located in network directories from scans, configure scan exclusion for the utility used to copy files from network directories (for example, for the cp utility).

To configure exclusion of network directories from scans:

  1. Save the File Threat Protection task settings to a file using the following command:

    kess-control --get-settings 1 --file <full path to the configuration file>

  2. Add the [ExcludedForProgram.item_#] section to the created file. This section contains the following settings:
    • ProgramPath – path to the process to be excluded or to the directory with the processes to be excluded.
    • ApplyToDescendants parameter indicates whether the scan should exclude child processes of the excluded process specified by the ProgramPath parameter (possible values: Yes or No).
    • AreaDesc – a description of the process exclusion scope, which contains additional information about the exclusion scope.
    • UseExcludedForProgram parameter indicates whether the scan task should exclude the specified scope (possible values: Yes or No).
    • Path – path to the files or directory with files modified by the process.
    • AreaMask.item_# is the file name mask for the files to be excluded from the scan. You can also specify the full path to the file.

      Example:

      [ExcludedForProgram.item_0000]

      ProgramPath=/usr/bin/cp

      ApplyToDescendants=No

      AreaDesc=

      UseExcludedForProgram=Yes

      Path=AllRemoteMounted

      AreaMask.item_0000=*
  3. Import settings from the configuration file to the File Threat Protection task by using the following command:

    kess-control --set-settings 1 --file <full path to the configuration file>

The application does not scan the files in network directories, but the cp command itself (for the example given above) and local files are scanned.

Page top
[Topic 235226]