How to configure Behavior Detection

The Behavior Detection component allows you to monitor for any malicious activity from applications in the operating system. When malicious activity is detected, the Kaspersky application can terminate the process of the application that is performing malicious activity.

The Behavior Detection component is enabled automatically with the default settings on startup of the Kaspersky application. You can enable or disable the Behavior Detection component at any time.

By editing the settings of the Behavior Detection predefined task, you can:

Select an action to be performed by the Kaspersky application when malicious activity is detected in the operating system: inform the user or block the application that is performing malicious activity.
Configure scan exclusions for process activity.

In the application interface, you can manage the analysis of behavior of applications in the operating system using the Behavior Detection component.

The application interface allows you to:

Enable or disable the Behavior Detection component.
View pop-up notifications about detected threats; in these notifications, you can click the Open Reports link to navigate to application component reports and scan task results.
View the report of the Behavior Detection component.
Results of the Behavior Detection component are displayed in the report in the Behavior Detection section.

You can manage the analysis of application behavior in the operating system on the command line by using the Behavior Detection predefined task (Behavior_Detection).

For the Behavior Detection task to work correctly, the operating system of your device must support the fanotify technology. The fanotify technology allows you to track activity at the file system level, such as file access or modification, which is crucial for analyzing application behavior.

The Behavior Detection task is running by default. You can stop and start the task manually.

On the command line, you can view information about detected threats and check the current status of the task.

The task starts with default settings listed in Appendix 3. You can modify task settings.

You must modify the settings of a task before starting the task.

To stop the Behavior Detection task and enable the output of current events related to this task, run the following command:

kfl-control --stop-task 20 -W

To start the Behavior Detection task, enable the output of current events related to this task, and display the progress of the task, run the following command:

kfl-control --start-task 20 [-W] [--progress]

The Behavior Detection task starts with default settings listed in Appendix 3.

You can display the current values of the task settings in one of the following ways:

To the console using the task settings output command: kfl-control --get-settings 20 [--json]
To a configuration file using the task settings output command: kfl-control --get-settings 20 --file <path to configuration file> [--json]

If you need to modify the settings of the Behavior Detection task, you can:

Modify all task settings using the configuration file. To do so:
1. Output the task settings to the configuration file: kfl-control --get-settings 20 [--json]
  A configuration file with the current task settings is generated.
2. Edit task settings in the generated configuration file by choosing values from the following table.
3. If necessary, add an exclusion scope to the configuration file.
  To add an exclusion scope, add a [TrustedPrograms.item_#] section to exclude processes and specify its settings by choosing them from the table below.
4. Save the configuration file.
5. Run the following command: kfl-control --set-settings 20 --file <configuration file path> [--json]
Modify individual task settings: kfl-control --set-settings 20 <setting name>=<setting value> [<setting name>=<setting value>]
Restore default task settings: kfl-control --set-settings 20 --set-to-default

For detailed instructions on how to modify the settings of application tasks, see the How to manage task settings on the command line section.

The following table describes all the settings of the Behavior Detection task and their values.

Behavior Detection task setting

Setting	Description	Values

`TaskMode`	Action performed by the application when malicious activity is detected in the operating system.	`Block` (default value) – terminate the process of the application performing malicious activity. `Notify` – do not terminate the process performing malicious activity; only log detection of malicious activity in the event log.
`UseTrustedPrograms`	Excluding processes from scans.	`Yes` – do not scan the activity of the indicated processes. `No` (default value) – scan all processes.
The [TrustedPrograms.item_#] section contains processes that are excluded from scans. The Kaspersky application does not monitor the activity of the specified processes.
`ProgramPath`	Path to excluded process.	`<full path to process>` – Do not scan the process in the indicated local directory. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.
`ApplyToDescendants`	Exclude child processes of the excluded process specified by the `ProgramPath` setting from scans.	`Yes` – exclude the specified process and all its child processes from scans. `No` (default value) – exclude only the specified process from scans, do not exclude its child processes from scans.
`ProgramDesc`	Description of the excluded process.
`UseTrustedProgram`	Enables the exclusion of the specified process from scanning.	`Yes` (default value) - enable exclusion of the specified process from scanning. `No` - do not exclude the specified process from scanning.

Article ID: 287143, Last review: Apr 9, 2025

Page top