Kaspersky Embedded Systems Security for Linux

Appendices

This section provides information that complements the primary Help text.

In this Help section

Appendix 1. Resource consumption optimization

Appendix 2. Application configuration files

Appendix 3. Command line return codes


Appendix 1. Resource consumption optimization

When scanning objects, Kaspersky Embedded Systems Security uses CPU resources, disk subsystem input/output, and RAM.

To view the resource consumption by the application, execute the following command:

top -bn1|grep kess

The command must be executed while the system is under load.

The command output shows the amount of used memory and processor time:

651 root 20 0 3014172 2.302g 154360 S 120.0 30.0 0:32.80 kess

Column 6 displays the amount of resident memory – 2.302g.

Column 9 displays processor usage as a percentage – 120.0, where each fully used core counts as 100 percent. Thus, 120% means that one core is fully used and another is used at 20%.

If, while scanning objects, Kaspersky Embedded Systems Security critically slows down the system, the application must be configured to optimize system resource consumption.

In this section

Determining the task that consumes resources

Configuring the File Threat Protection task

Configuring the On-demand Scan task


Determining the task that consumes resources

To determine which application tasks are consuming system resources, it is necessary to distinguish the resource consumption of File Threat Protection tasks (OAS type) and On-demand Scan tasks (ODS and ContainerScan types).

If the application is managed by a Kaspersky Security Center policy, you must allow local task management for the period of the study.

In this section

File Threat Protection task operation analysis

On-demand Scan tasks operation analysis


File Threat Protection task operation analysis

To analyze the operation of the File Threat Protection task:

  1. Stop all scan and monitoring tasks.
  2. Make sure that the on-demand scan tasks will not run during the scan or have no schedule. You can do this using Kaspersky Security Center or locally, as follows:
    1. Get the list of all application tasks by executing the following command:

      kess-control --get-task-list

    2. Get the schedule settings for the Malware Scan task by executing the following command:

      kess-control --get-schedule <task ID>

      If the command output is RuleType=Manual, the task can only be started manually.

    3. Get the schedule settings for all your Malware Scan and Custom Scan tasks, if any, and set them to start manually by executing the following command:

      kess-control --set-schedule <task ID> RuleType=Manual

  3. Enable generation of application trace files with a high level of details by executing the following command:

    kess-control --set-app-settings TraceLevel=Detailed

  4. Start the File Threat Protection task if it has not been started by executing the following command:

    kess-control --start-task 1

  5. Load the system in the mode that caused the performance problems; a few hours is enough.

    While the system is under load, the application writes a lot of information to the trace files; however, only 5 files of 500 MB are stored by default, so the old information will be overwritten. If the problems with performance and resource consumption stop occurring, then they are most likely caused by on-demand scan tasks and you can proceed to analyzing the operation of ContainerScan and ODS scan tasks.

  6. Disable creation of the application trace files by executing the following command:

    kess-control --set-app-settings TraceLevel=None

  7. Determine the list of objects that have been scanned the most times by running the following command:

    fgrep 'AVP ENTER' /var/log/kaspersky/kess/kess.* | awk '{print $8}' | sort | uniq -c | sort -k1 -n -r|less

    The result is loaded into less, a text viewer utility, where the objects that have been scanned the most times are displayed first.

  8. Determine whether the objects that were scanned most often are dangerous. In case of any difficulties, contact Technical Support.

    For example, directories and log files can be considered safe if a trusted process writes to them; database files can also be considered safe.

  9. Write down the paths to the objects that are safe, in your opinion; the paths will be required to configure exclusions from the scan scope.
  10. If various services frequently write data to files in the system, such files are scanned again in the pending queue. Determine the list of paths that have been scanned the most times in the pending queue by running the following command:

    fgrep 'SYSCALL' /var/log/kaspersky/kess/kess.* | fgrep 'KLIF_ACTION_CLOSE_MODIFY' | awk '{print $9}' | sort | uniq -c | sort -k1 -n -r

    The files that were scanned the most times will appear at the beginning of the list.

  11. If the counter for a file exceeds several thousand in a few hours, check whether you can trust this file in order to exclude it from scan.

    The logic for determining this is the same as for the previous study (see step 8): log files can be considered safe, since they cannot be launched.

  12. Even if some files are excluded from scan by the Real-time protection task, they can still be intercepted by the application. If excluding certain files from Real-time protection does not result in significant increase of performance, you can completely exclude the mount point where these files are located from the interception scope of the application. To do so, do the following:
    1. Run the following command to get the list of files intercepted by the application:

      grep 'FACACHE.*needs' /var/log/kaspersky/kess/kess.* | awk '{print $9}' | sort | uniq -c | sort -k1 -n -r

    2. Using this list, determine the paths used for most of the file operation interceptions and configure interception exceptions.
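
The counting commands from steps 7, 10 and 12, combined into one script that adds a count threshold (step 11) and a per-directory roll-up for picking exclusion and mount-point candidates. This is an added example, not part of the Kaspersky Help: the function names are hypothetical, the sample trace lines are constructed, and the only property assumed of real trace files is the field positions used by the commands above.

```shell
#!/bin/sh
# Added example (not Kaspersky code). Field positions 8 and 9 come from the awk
# commands in the procedure; a path containing spaces is split across fields,
# exactly as it is by those commands.

# count_field RE1 RE2 FIELD [FILE...]
# Prints "<count> <path>" for each line matching RE1 (and RE2 unless it is
# empty), most frequent first. Reads stdin when no FILE is given.
count_field() {
    m1=$1 m2=$2 field=$3
    shift 3
    awk -v m1="$m1" -v m2="$m2" -v f="$field" '
        $0 ~ m1 && (m2 == "" || $0 ~ m2) && NF >= f { n[$f]++ }
        END { for (p in n) printf "%d %s\n", n[p], p }
    ' "$@" | sort -k1,1nr -k2,2
}

scanned_objects()   { count_field "AVP ENTER" "" 8 "$@"; }                      # step 7
pending_rescans()   { count_field "SYSCALL" "KLIF_ACTION_CLOSE_MODIFY" 9 "$@"; } # step 10
intercepted_files() { count_field "FACACHE.*needs" "" 9 "$@"; }                 # step 12

# over_threshold N: keep "<count> <path>" lines whose count is at least N.
# Step 11 speaks of several thousand in a few hours; the sample uses 2.
over_threshold() { awk -v t="$1" '$1 + 0 >= t + 0'; }

# by_directory: sum "<count> <path>" lines per parent directory, to see which
# directory (and so which mount point) accounts for most of the events.
by_directory() {
    awk '{ d = $2; sub("/[^/]*$", "", d); if (d == "") d = "/"; n[d] += $1 }
         END { for (d in n) printf "%d %s\n", n[d], d }' | sort -k1,1nr -k2,2
}

# Constructed sample lines; the real trace layout is not shown on this page.
sample_trace() {
    for p in /var/log/app/app.log /var/log/app/app.log /var/log/app/app.log \
             /srv/db/data.ibd /srv/db/data.ibd /usr/bin/ls; do
        echo "12:00:01 0x1a2b INF oas task AVP ENTER $p"
    done
    for p in /var/log/app/app.log /var/log/app/app.log \
             /var/log/app/audit.log /var/log/app/audit.log /srv/db/data.ibd; do
        echo "12:00:02 0x1a2b INF klif intercept SYSCALL pid=101 KLIF_ACTION_CLOSE_MODIFY $p"
    done
    for p in /srv/db/data.ibd /srv/db/data.ibd; do
        echo "12:00:03 0x1a2c DBG FACACHE entry id=7 state=stale needs $p"
    done
}

# Demonstration on the sample. On a real host, pass the trace files instead:
#   pending_rescans /var/log/kaspersky/kess/kess.* | over_threshold 3000 | by_directory
sample_trace | pending_rescans | over_threshold 2 | by_directory
```

The output is a review list, not an exclusion list: each path still needs the trust check described in steps 8 and 11 before it is excluded.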

On-demand Scan tasks operation analysis

Tasks of the ODS and ContainerScan types can also cause significant resource consumption. Follow these recommendations for the tasks of ODS type:

  • Make sure that several on-demand scan tasks are not running at the same time. The application allows for operation in this mode, but resource consumption can significantly increase. Check the schedule of all tasks of the ODS and ContainerScan types locally (as described for the File Threat Protection task) or using Kaspersky Security Center.
  • Run the scan when the server load is at its minimum.
  • Make sure that there are no mounted remote resources (SMB/NFS) at the specified scan path. If a remote resource scan task cannot be performed directly on the server that provides the resource, do not perform the resource scan on servers with critical services, as execution of this task can take a long time (depending on the connection speed and the number of files).
  • Optimize the settings of the on-demand scan task before starting it.


Configuring the File Threat Protection task

If, after analysis of the File Threat Protection task's operation, you have created a list of directories and files that can be excluded from the scan scope, you need to add them to the exclusions.

Scan exclusions

To exclude the /tmp/logs directory and all subdirectories and files recursively, execute the following command:

kess-control --set-settings 1 --add-exclusion /tmp/logs

To exclude a specific file or files by mask in the /tmp/logs directory, execute the following command (the mask is quoted so that the shell passes it to the application unexpanded):

kess-control --set-settings 1 --add-exclusion '/tmp/logs/*.log'

To exclude all files with the .log extension in the /tmp/ directory and subdirectories using a recursive mask, execute the following command:

kess-control --set-settings 1 --add-exclusion '/tmp/**/*.log'

Interception exclusions

If you want to exclude files in a certain directory not only from scan, but also from interception, you can exclude the entire mount point.

To exclude an entire mount point:

  1. If the directory is not a mount point, create a mount point from it. For example, to create a mount point from the /tmp directory, execute the following command:

    mount --bind /tmp/ /tmp

  2. To keep the mount point after the server reboot, add the following line to the /etc/fstab file:

    /tmp /tmp none defaults,bind 0 0

  3. Add the /tmp directory to the global exceptions by executing the following command:

    kess-control --set-app-settings ExcludedMountPoint.item_0000=/tmp

  4. If you want to add several directories, increase the item_0000 counter by one (item_0001, item_0002, and so on).

It is also recommended to exclude mount points of remote resources that have an unstable or slow connection.

Changing scan type

By default, the File Threat Protection task can scan files when they are opened or closed. If analysis of the File Threat Protection task's operation shows that too many files are being written, you can change the task mode to make it run only when files are opened; to do so, run the following command:

kess-control --set-settings 1 ScanByAccessType=Open

In this operation mode, changes made to the file after it is opened are not scanned until the next opening of the file.


Configuring the On-demand Scan task

Scan exclusions for on-demand ODS and ContainerScan tasks are configured in the same way as scan exclusions for the File Threat Protection task. However, the setting for excluding mount points does not apply to on-demand ODS and ContainerScan tasks.

Scan exclusion settings for one scan task do not affect other scan tasks. Exclusions must be configured separately for each scan task.

Configuring priority

The on-demand scan tasks have the ScanPriority setting, which allows you to specify how the application allocates system resources for running tasks.

Available values:

  • Idle – no more than 10% load on one processor (regardless of whether it is busy or not).
  • Normal – 50% load on all available processors.
  • High – without limitations.

Limitations on the processor load also reduce resource consumption by the disk subsystem input/output.

To specify the Idle priority for a task, execute the following command:

kess-control --set-settings <task ID> ScanPriority=Idle

Setting the memory usage limits when unpacking archives

The on-demand scan task uses RAM to unpack archives when scanning the archives recursively. By default, the application's limit is 40% of all available RAM, but not less than 2 GB. Therefore, if the system has more than 5 GB of RAM, you can manually set the memory usage limit. This is especially useful for the servers that have hundreds of gigabytes of RAM.

To specify a limit on memory use when scanning:

  1. Stop Kaspersky Embedded Systems Security.
  2. Open the /var/opt/kaspersky/kess/common/kess.ini file for editing.
  3. Add the ScanMemoryLimit setting with the required value (for example, 8192) to the [General] section:

    ScanMemoryLimit=8192

  4. Start Kaspersky Embedded Systems Security.

The ScanMemoryLimit setting limits the amount of memory used when scanning files, but not the total amount of memory used by the application. So, the total amount of memory can be greater than the value specified by this setting.


Application settings configuration files

After the post-installation configuration, the application creates the following configuration files:

  • /var/opt/kaspersky/kess/common/agreements.ini

    The agreements.ini configuration file contains settings related to the License Agreement, Privacy Policy, and Kaspersky Security Network Statement.

  • /var/opt/kaspersky/kess/common/kess.ini

    The kess.ini configuration file contains the settings described in the following table.

If necessary, you can edit the values of the settings in these files.

The default values in these files should be changed only under the supervision of Technical Support specialists and in accordance with their instructions.

The kess.ini configuration file settings

Setting

Description

Values

The [General] section contains the following settings:

ScanMemoryLimit

Limit on the application's use of memory in megabytes.

Default value: 8192.

ExecArgMax

Number of arguments that the application captures from the exec call.

Default value: 50.

RevealSensitiveInfoInTraces

Display information in trace files that may contain personal data (for example, passwords).

True/Yes (default value) — display information in application trace files that may contain personal data.

False/No (default value) — do not display information that may contain personal data in trace files.

PackageType

Format of the installed application package.

RPM – an RPM package is installed.

DEB – a DEB package is installed.

Filled out automatically during the post-installation configuration of the application.

Locale

The locale used for the application events sent to Kaspersky Security Center.

The locale of the graphical interface and the application command line depends on the value of the LANG environment variable. If a locale that is not supported by Kaspersky Embedded Systems Security is specified as the value of the LANG environment variable, the graphical interface and the command line are displayed in English.

Locale in the format specified by RFC 3066.

If the Locale setting is not specified, the operating system locale is used. If the application fails to determine the operating system localization language or the operating system localization is not supported, the default value will be used – en_US.utf8.

UseFanotify

Indicates use of fanotify notifications.

True/Yes – The operating system supports fanotify notifications.

False/No – The operating system does not support fanotify notifications.

Filled out automatically during the initial setup of the application.

MachineId

The user's unique device ID.

Filled out automatically during the initial setup of the application.

CoreDumps

Enables the creation of a dump file when application failure occurs.

True/Yes (default value) – Create a dump file when the application fails.

False/No – Do not create a dump file when the application fails.

SocketPath

The path to the socket for remote connection, through which, for example, the graphical interface and the kess-control utility are connected.

Default value: /var/run/bl4control.

StartupTraces

Enables generation of trace files at application startup.

True/Yes – Create trace files at application startup.

False/No (default value) – Do not create trace files at application startup.

MaxInotifyWatches

Limit on the number of subscriptions to changes in files and directories (user watches) in /proc/sys/fs/inotify/max_user_watches.

Default value: 300000.

MaxInotifyInstances

Limit on the number of subscriptions to changes in files and directories for a single user.

Default value: 2048.

ExecEnvMax

The number of environment variables that the application captures from the command call.

Default value: 50.

AdditionalDNSLookup

Indicates use of a public DNS.

If there are errors accessing servers through the system DNS, the application uses a public DNS. This is needed for updating application databases and maintaining device security. The application will use the following public DNS servers in this order:

  • Google Public DNS (8.8.8.8).
  • Cloudflare DNS (1.1.1.1).
  • Alibaba Cloud DNS (223.6.6.6).
  • Quad9 DNS (9.9.9.9).
  • CleanBrowsing (185.228.168.168).

The application's requests may contain domain addresses and the user's external IP address, since the application establishes a TCP/UDP connection with the DNS server. This information is necessary, for example, to check the certificate of a web resource when interacting via HTTPS. If the application is using a public DNS server, data processing rules are governed by the Privacy Policy of the corresponding service. If you need to block the application from using a public DNS server, contact Technical Support for a private patch.

True/Yes – Use a public DNS to access Kaspersky servers.

False/No (default value) – Do not use a public DNS to access Kaspersky servers.

The [Network] section contains the following settings:

WtpFwMark

A mark in the iptables rules for forwarding traffic to the application for processing by Web Threat Protection tasks. You may need to change this mark if a device with the application runs other software that uses the ninth bit of the TCP packet mask, and a conflict occurs.

A decimal value or hexadecimal number with the prefix 0x.

Default value: 0x100.

NtpFwMark

A mark in the iptables rules for forwarding traffic to the application for processing by Network Threat Protection tasks.

You may need to change this mark if a device with the application runs other software that uses the ninth bit of the TCP packet mask, and a conflict occurs.

A decimal value or hexadecimal number with the prefix 0x.

Default value: 0x200.

BypassFwMark

A mark used to indicate packets created or scanned by the application, so that the application does not scan them again.

A decimal value or hexadecimal number with the prefix 0x.

Default value: 0x400.

BypassNFlogMark

A mark used to indicate packets created or scanned by the application to prevent them from being logged by the iptables utility.

A decimal value or hexadecimal number with the prefix 0x.

Default value: 0x800.

ProxyRouteTable

Number of the routing table.

Default value: 101.

The [Watchdog] section contains the following settings:

TimeoutAfterHeadshot

Maximum time to wait for the controlled process to complete from the moment the Watchdog server sends the HEADSHOT signal to the controlled process.

Default value: 2 minutes.

StartupTimeout

Maximum time interval from the moment the REGISTER message is received to the moment the SUCCESSFUL_STARTUP message is received.

Default value: 3 minutes.

TimeoutAfterKill

Maximum time to wait for the controlled process to complete from the moment the Watchdog server sends the SIGKILL signal to the controlled process.

If the controlled process does not finish before this time elapses, the action specified by the --failed-kill setting is performed.

Default value: 2 days.

PingInterval

The interval with which the application attempts to send a PONG message to a server in response to a received PING message.

Default value: 2000 ms.

MaxRestartCount

Maximum number of consecutive unsuccessful attempts to start the application.

Default value: 5.

ActivityTimeout

Maximum time interval during which the application should send a message to the Watchdog server.

If a message is not received from the application within this time interval, the Watchdog server begins the procedure to terminate the controlled process.

Default value: 2 minutes.

ConnectTimeout

Maximum time from the start of the controlled process to the moment when a connection with the Watchdog server is established by the application.

If the application does not establish a connection in this time interval, the Watchdog server begins the procedure to terminate the controlled process.

Default value: 3 minutes.

RegisterTimeout

Maximum time from the moment the application connects to the Watchdog server to the moment the server receives a REGISTER message.

Default value: 500 ms.

TimeoutAfterShutdown

Maximum time to wait for the controlled process to complete from the moment the Watchdog server sends the SHUTDOWN signal to the controlled process.

Default value: 2 minutes.

MaxVirtualMemory

Limit on the use of virtual memory by the controlled process.

If the controlled process uses more virtual memory than this limit, the Watchdog server begins the procedure to terminate the controlled process.

off (default value) – The virtual memory size is not limited.

<value>MB – a value in megabytes.

MaxSwapMemory

Limit on the size of the swap file of the controlled process.

If the swap file of the controlled process exceeds this limit, the Watchdog server begins the procedure to terminate the controlled process.

off (default value) – The size of the swap file is not limited.

<value>% – a value between 0 and 100, expressing a percentage of memory.

<value>MB – a value in megabytes.

lowest/<value>%/<value>MB – the smaller value between the value as a percentage and the value in megabytes.

highest/<value>%/<value>MB – the larger value between the value as a percentage and the value in megabytes.

MaxMemory

Limit on the resident set size for the controlled process.

If the resident set size of the controlled process exceeds this limit, the Watchdog server begins the procedure to terminate the controlled process.

off – the resident set size is not limited.

<value>% – a value between 0 and 100, expressing a percentage of memory.

<value>MB – a value in megabytes.

lowest/<value>%/<value>MB – the smaller value between the value as a percentage and the value in megabytes.

highest/<value>%/<value>MB – the larger value between the value as a percentage and the value in megabytes.

Default value: highest/50%/2048MB/.


Rules for editing application task configuration files

When editing a configuration file, adhere to the following rules:

  • Specify all mandatory settings in the configuration file. You can specify individual task settings without a file using the command line.
  • If a setting belongs to a certain section, specify it only in this section. You can specify the settings in any order within a section.
  • Enclose the names of sections in square brackets [ ].
  • Enter the values of settings in the format <setting name>=<setting value> (spaces between a setting name and its value are not processed).

    Example:

    [ScanScope.item_0000]

    AreaDesc=Home

    AreaMask.item_0000=*doc

    Path=/home

    Space and tab characters are ignored before the first quotation mark and after the last quotation mark of a string value, and at the beginning and end of a string value that is not enclosed in quotation marks.

  • If you need to specify several values for a setting, repeat the setting the same number of times as the number of values that you want to specify.

    Example:

    AreaMask.item_0000=*xml

    AreaMask.item_0001=*doc

  • Be case-sensitive when entering values for the following types of settings:
    • Names (masks) of scanned objects and excluded objects.
    • Names (masks) of threats.

    The remaining setting values are not case-sensitive.

  • Specify Boolean setting values as follows: Yes / No.
  • Use quotation marks to enclose string values containing a space character (for example, names of files and directories and their paths, expressions containing the date and time in the format "YYYY-MM-DD HH:MM:SS").

    You can enter the remaining values with or without quotation marks.

    Example:

    AreaDesc="Scanning of email databases"

    A single quotation mark in the beginning or end of a string is considered an error.
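
The editing rules above, applied as a linter that can be run on a task configuration file before it is loaded. This is an added example, not a Kaspersky tool: the function names and the BOOL_KEYS list (settings this page shows with Yes/No values) are assumptions, and both sample files are constructed.

```shell
#!/bin/sh
# Added example (not a Kaspersky tool): lint a task configuration file against
# the editing rules listed above. Reads the file named in $1 ("-" or no
# argument for stdin), prints one finding per line, returns 1 on any error.

# Assumption: settings that this page shows with Yes/No values.
BOOL_KEYS="ScanArchived ScanSfxArchived ScanMailBases ScanPlainMail UseAnalyzer \
UseIChecker UseScanArea UseExcludeMasks UseExcludeThreats"

kess_conf_lint() {
    awk -v bools="$BOOL_KEYS" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function bad(msg) { printf "%d: error: %s\n", NR, msg; errors++ }
    BEGIN { n = split(bools, b, " "); for (i = 1; i <= n; i++) is_bool[b[i]] = 1 }
    {
        line = trim($0)
        if (line == "") next
        if (substr(line, 1, 1) == "[") {
            # Section names are enclosed in square brackets [ ].
            name = substr(line, 2, length(line) - 2)
            if (substr(line, length(line), 1) != "]" || name == "" ||
                index(name, "[") || index(name, "]"))
                bad("section name must be enclosed in square brackets")
            next
        }
        # <setting name>=<setting value>; spaces around either side are ignored.
        eq = index(line, "=")
        if (eq < 2) { bad("expected <setting name>=<setting value>"); next }
        key = trim(substr(line, 1, eq - 1))
        val = trim(substr(line, eq + 1))
        q_open  = (substr(val, 1, 1) == "\"")
        q_close = (length(val) > 1 && substr(val, length(val), 1) == "\"")
        if (q_open != q_close) {
            bad("single quotation mark at the beginning or end of a value")
            next
        }
        if (q_open) val = substr(val, 2, length(val) - 2)
        # Warning only: the default files on this page contain unquoted values
        # with spaces (AreaDesc=All objects).
        else if (val ~ /[ \t]/)
            printf "%d: warning: value containing spaces is not quoted\n", NR
        # Boolean values are Yes / No; these values are not case-sensitive.
        if ((key in is_bool) && tolower(val) != "yes" && tolower(val) != "no")
            bad("Boolean setting " key " must be Yes or No")
    }
    END { exit (errors > 0) }
    ' "${1:--}"
}

# Constructed sample that follows every rule.
sample_good() {
    cat <<'EOF'
UseScanArea=Yes
[ScanScope.item_0000]
AreaDesc="Scanning of email databases"
AreaMask.item_0000=*xml
AreaMask.item_0001=*doc
Path=/home
EOF
}

# Constructed sample with one problem on each of lines 1, 3, 4, 5 and 6.
sample_bad() {
    cat <<'EOF'
ScanArchived=Maybe
UseAnalyzer = yes
[ScanScope.item_0000
AreaDesc=Scanning of email databases
Path="/home/shared docs
AreaMask.item_0000
EOF
}

sample_good | kess_conf_lint - && echo "sample_good: accepted"
sample_bad  | kess_conf_lint - || echo "sample_bad: rejected"
```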


File Threat Protection task configuration file

ScanArchived=No

ScanSfxArchived=No

ScanMailBases=No

ScanPlainMail=No

SkipPlainTextFiles=No

TimeLimit=60

SizeLimit=0

FirstAction=Recommended

SecondAction=Block

UseExcludeMasks=No

UseExcludeThreats=No

ReportCleanObjects=No

ReportPackedObjects=No

ReportUnprocessedObjects=No

UseAnalyzer=Yes

HeuristicLevel=Recommended

UseIChecker=Yes

ScanByAccessType=SmartCheck

[ScanScope.item_0000]

AreaDesc=All objects

UseScanArea=Yes

Path=/

AreaMask.item_0000=*


Configuration file for the Malware Scan task

ScanFiles=Yes

ScanBootSectors=Yes

ScanComputerMemory=Yes

ScanStartupObjects=Yes

ScanArchived=Yes

ScanSfxArchived=Yes

ScanMailBases=No

ScanPlainMail=No

TimeLimit=0

SizeLimit=0

FirstAction=Recommended

SecondAction=Skip

UseExcludeMasks=No

UseExcludeThreats=No

ReportCleanObjects=No

ReportPackedObjects=No

ReportUnprocessedObjects=No

UseAnalyzer=Yes

HeuristicLevel=Recommended

UseIChecker=Yes

ScanPriority=Normal

DeviceNameMasks.item_0000=/**

[ScanScope.item_0000]

AreaDesc=All objects

UseScanArea=Yes

Path=/

AreaMask.item_0000=*


Custom Scan task configuration file

ScanFiles=Yes

ScanBootSectors=No

ScanComputerMemory=No

ScanStartupObjects=No

ScanArchived=Yes

ScanSfxArchived=Yes

ScanMailBases=No

ScanPlainMail=No

TimeLimit=0

SizeLimit=0

FirstAction=Recommended

SecondAction=Skip

UseExcludeMasks=No

UseExcludeThreats=No

ReportCleanObjects=No

ReportPackedObjects=No

ReportUnprocessedObjects=No

UseAnalyzer=Yes

HeuristicLevel=Recommended

UseIChecker=Yes

ScanPriority=High

DeviceNameMasks.item_0000=/**

[ScanScope.item_0000]

AreaDesc=All objects

UseScanArea=Yes

Path=/

AreaMask.item_0000=*


Critical Areas Scan task configuration file

ScanFiles=No

ScanBootSectors=Yes

ScanComputerMemory=Yes

ScanStartupObjects=Yes

ScanArchived=Yes

ScanSfxArchived=Yes

ScanMailBases=No

ScanPlainMail=No

TimeLimit=0

SizeLimit=0

FirstAction=Recommended

SecondAction=Skip

UseExcludeMasks=No

UseExcludeThreats=No

ReportCleanObjects=No

ReportPackedObjects=No

ReportUnprocessedObjects=No

UseAnalyzer=Yes

HeuristicLevel=Recommended

UseIChecker=Yes

ScanPriority=Normal

DeviceNameMasks.item_0000=/**

[ScanScope.item_0000]

AreaDesc=All objects

UseScanArea=Yes

Path=/

AreaMask.item_0000=*


Update task configuration file

SourceType="KLServers"

UseKLServersWhenUnavailable=Yes

ApplicationUpdateMode=DownloadOnly

ConnectionTimeout=10


Storage management task configuration file

DaysToLive=90

BackupSizeLimit=0

BackupFolder=/var/opt/kaspersky/kess/common/objects-backup/


System Integrity Monitoring task configuration file

UseExcludeMasks=No

[ScanScope.item_0000]

AreaDesc=Kaspersky internal objects

UseScanArea=Yes

Path=/opt/kaspersky/kess/

AreaMask.item_0000=*


Firewall Management task configuration file

DefaultIncomingAction=Allow

DefaultIncomingPacketAction=Allow

OpenNagentPorts=Yes

[NetworkZonesTrusted]

[NetworkZonesLocal]

[NetworkZonesPublic]


Anti-Cryptor task configuration file

UseHostBlocker=Yes

BlockTime=30

UseExcludeMasks=No

[ScanScope.item_0000]

AreaDesc=All shared directories

UseScanArea=Yes

Path=AllShared

AreaMask.item_0000=*


Web Threat Protection task configuration file

UseTrustedAddresses=Yes

ActionOnDetect=Block

CheckMalicious=Yes

CheckPhishing=Yes

UseHeuristicForPhishing=Yes

CheckAdware=No

CheckOther=No


Device Control task configuration file

RulesAction=ApplyRules

[DeviceClass]

HardDrive=DependsOnBus

RemovableDrive=DependsOnBus

Printer=DependsOnBus

FloppyDrive=DependsOnBus

OpticalDrive=DependsOnBus

Modem=DependsOnBus

TapeDrive=DependsOnBus

MultifuncDevice=DependsOnBus

SmartCardReader=DependsOnBus

PortableDevice=DependsOnBus

WiFiAdapter=DependsOnBus

NetworkAdapter=DependsOnBus

BluetoothDevice=DependsOnBus

ImagingDevice=DependsOnBus

SerialPortDevice=DependsOnBus

ParallelPortDevice=DependsOnBus

InputDevice=DependsOnBus

SoundAdapter=DependsOnBus

[DeviceBus]

USB=Allow

FireWire=Allow

[Schedules.item_0000]

ScheduleName=Default

DaysHours=All

[HardDrivePrincipals.item_0000]

Principal=\Everyone

[HardDrivePrincipals.item_0000.AccessRules.item_0000]

UseRule=Yes

ScheduleName=Default

Access=Allow

[RemovableDrivePrincipals.item_0000]

Principal=\Everyone

[RemovableDrivePrincipals.item_0000.AccessRules.item_0000]

UseRule=Yes

ScheduleName=Default

Access=Allow

[FloppyDrivePrincipals.item_0000]

Principal=\Everyone

[FloppyDrivePrincipals.item_0000.AccessRules.item_0000]

UseRule=Yes

ScheduleName=Default

Access=Allow

[OpticalDrivePrincipals.item_0000]

Principal=\Everyone

[OpticalDrivePrincipals.item_0000.AccessRules.item_0000]

UseRule=Yes

ScheduleName=Default

Access=Allow


Removable Drives Scan task configuration file

ScanRemovableDrives=NoScan

ScanOpticalDrives=NoScan

BlockDuringScan=No


Network Threat Protection task configuration file

ActionOnDetect=Block

BlockAttackingHosts=Yes

BlockDurationMinutes=60

UseExcludeIPs=No


Container Scan task configuration file

ScanArchived=Yes

ScanSfxArchived=Yes

ScanMailBases=No

ScanPlainMail=No

TimeLimit=0

SizeLimit=0

FirstAction=Recommended

SecondAction=Skip

UseExcludeMasks=No

UseExcludeThreats=No

ReportCleanObjects=No

ReportPackedObjects=No

ReportUnprocessedObjects=No

UseAnalyzer=Yes

HeuristicLevel=Recommended

UseIChecker=Yes

ScanContainers=Yes

ContainerNameMask=*

ScanImages=Yes

ImageNameMask=*

DeepScan=No

ScanPriority=Normal

ContainerScanAction=StopContainerIfFailed

ImageAction=Skip

You can also use the settings in this configuration file for the Custom Container Scan task, except for the ScanPriority=Normal setting. For the Custom scan task, set the value of this setting to ScanPriority=High.


Behavior Detection task configuration file

UseTrustedPrograms=No

TaskMode=Block


Application Control task configuration file

AppControlMode=DenyList

AppControlRulesAction=ApplyRules


Inventory task configuration file

ScanScripts=Yes

ScanBinaries=Yes

ScanAllExecutable=Yes

ScanPriority=Normal

CreateGoldenImage=No

[ScanScope.item_0000]

AreaDesc=All objects

UseScanArea=Yes

Path=/usr/bin

AreaMask.item_0000=*


Appendix 3. Command line return codes

Kaspersky Embedded Systems Security has the following command line return codes:

0 – command/task completed successfully.

1 – general error in command arguments.

2 – error in passed application settings.

64 – Kaspersky Embedded Systems Security is not running.

66 – application databases are not downloaded (used only by the kess-control --app-info command).

67 – activation 2.0 ended with an error due to network problems.

68 – the command cannot be executed because the application is running under a policy.

69 – the application is located in the Amazon Paid AMI infrastructure.

70 – an attempt to start a running task, delete a running task, change the settings of a running task, stop a stopped task, pause a suspended task, or resume a running task.

71 – Kaspersky Security Network Statement has not been accepted.

72 – threats were detected during execution of the Custom Scan or Custom Container Scan task.

73 – an attempt to specify the Application Control task settings that affect the application operation without confirming these settings using the --accept flag.

74 – Kaspersky Embedded Systems Security must be restarted after an update.

75 – the device must be restarted.

76 – connection prohibited, as only users with root rights should have write access to the specified path.

77 – the specified license key is already in use on the device.

128 – unknown error.

65 – all other errors.
