Kaspersky Endpoint Security 8
ADMINISTRATOR'S
GUIDE
A P P L I C A TIO N V E R S I O N : 8.0
for Linux
2
Dear User!
Thank you for choosing our product. We hope that this documentation will help you in your work and will provide answers
regarding this software product.
Attention! This document is the property of Kaspersky Lab ZAO (herein also referred to as Kaspersky Lab): all rights to
this document are reserved by the copyright laws of the Russian Federation, and by international treaties. Illegal
reproduction and distribution of this document or parts hereof result in civil, administrative or criminal liability by
applicable law.
All materials may only be duplicated, regardless of form, or distributed, including in translation, with the written
permission of Kaspersky Lab.
This document and graphic images related to it may be used exclusively for informational, non-commercial, and personal
purposes.
The document can be modified without prior notification. For the latest version of this document, refer to the Kaspersky
Lab website at http://www.kaspersky.com/docs.
Kaspersky Lab assumes no liability for the content, quality, relevance, or accuracy of any materials used in this
document for which the rights are held by third parties, or for any potential damages associated with the use of such
documents.
This document involves the registered trademarks and service marks which are the property of their respective owners.
Revision date: 5/13/11
© 1997-2011 Kaspersky Lab ZAO. All Rights Reserved
http://www.kaspersky.com
http://support.kaspersky.com
3
CONTENTS
INTRODUCTION ............................................................................................................................................................ 8
General information about Kaspersky Endpoint Security ......................................................................................... 8
Real-time protection and on-demand scan ......................................................................................................... 9
Peculiarities in scanning of symbolic and hard links ........................................................................................... 9
About infected, suspicious objects and objects with the status "Warning" ........................................................ 10
About backup and quarantine ........................................................................................................................... 10
Programs detectable by Kaspersky Endpoint Security ..................................................................................... 11
Obtaining the information about Kaspersky Endpoint Security ............................................................................... 13
Sources of information for further research ....................................................................................................... 13
Contacting the Technical Support Service ........................................................................................................ 15
Discussion of Kaspersky Lab's applications in web forum ................................................................................ 15
STARTING AND STOPPING KASPERSKY ENDPOINT SECURITY .......................................................................... 16
MANAGING KASPERSKY ENDPOINT SECURITY TASKS ........................................................................................ 17
Creating an on-demand scan or update task .......................................................................................................... 17
Deleting an on-demand scan or update task .......................................................................................................... 18
Manual task management ...................................................................................................................................... 18
Automatic task management .................................................................................................................................. 18
Viewing task state ................................................................................................................................................... 19
Viewing task statistics ............................................................................................................................................. 20
UPDATING KASPERSKY ENDPOINT SECURITY ..................................................................................................... 21
Selecting an update source .................................................................................................................................... 22
Updating from local or network folder ..................................................................................................................... 22
Using the proxy server ............................................................................................................................................ 24
Last database update rollback ................................................................................................................................ 24
REAL-TIME PROTECTION .......................................................................................................................................... 25
Default protection settings ...................................................................................................................................... 25
Creating a protection scope .................................................................................................................................... 26
Restricting a protection area using masks and regular expressions ....................................................................... 27
Exclusion of objects from a protection area ............................................................................................................ 28
Creating a global exclusion area ....................................................................................................................... 28
Excluding objects from the protection area ....................................................................................................... 29
Exclusion of objects depending on user and group accounts accessing the objects ........................................ 29
Excluding objects by names of the threats detected in them ............................................................................ 30
Selecting interception mode ................................................................................................................................... 31
Selecting protection mode ...................................................................................................................................... 31
Using heuristic analysis .......................................................................................................................................... 32
Using scan mode depending on user and group accounts accessing the objects .................................................. 32
Selecting action to perform on detected objects ..................................................................................................... 33
Selecting actions depending on the threat type ...................................................................................................... 34
Scan optimization ................................................................................................................................................... 35
Compatibility with other Kaspersky Lab's applications ............................................................................................ 36
ON-DEMAND SCAN .................................................................................................................................................... 38
Default scan settings .............................................................................................................................................. 38
Quick scan of files and directories .......................................................................................................................... 39
A D M I N I S T R A T O R ' S G U I D E
4
Creating a scan area .............................................................................................................................................. 41
Restricting a scan area using masks and regular expressions ............................................................................... 42
Excluding objects from the scan area ..................................................................................................................... 42
Creating a global exclusion area ....................................................................................................................... 43
Excluding objects from the scan area ............................................................................................................... 43
Excluding objects by names of the threats detected in them ............................................................................ 44
Using heuristic analysis .......................................................................................................................................... 45
Selecting actions to perform on detected objects ................................................................................................... 45
Selecting actions depending on the threat type ...................................................................................................... 46
Scan optimization ................................................................................................................................................... 48
Selecting task priority ............................................................................................................................................. 48
ISOLATING SUSPICIOUS OBJECTS. DATA BACKUP .............................................................................................. 50
Viewing statistics of quarantined objects ................................................................................................................ 50
Scanning quarantined objects ................................................................................................................................ 51
Placing files to quarantine manually ....................................................................................................................... 52
Viewing object IDs .................................................................................................................................................. 52
Restoring objects .................................................................................................................................................... 53
Deleting objects ...................................................................................................................................................... 54
MANAGING LICENSES ............................................................................................................................................... 55
About the License Agreement ................................................................................................................................ 55
About Kaspersky Endpoint Security licenses.......................................................................................................... 55
About Kaspersky Endpoint Security key files.......................................................................................................... 56
Installing the key file ............................................................................................................................................... 57
Viewing information about a license prior to the key file installation ....................................................................... 57
Key file removal ...................................................................................................................................................... 58
Reviewing the license agreement ........................................................................................................................... 58
GENERATING REPORTS ........................................................................................................................................... 59
MANAGING KASPERSKY ENDPOINT SECURITY FROM THE COMMAND LINE .................................................... 60
Displaying Kaspersky Endpoint Security command help ........................................................................................ 63
Starting Kaspersky Endpoint Security .................................................................................................................... 64
Stopping Kaspersky Endpoint Security ................................................................................................................... 64
Restarting Kaspersky Endpoint Security ................................................................................................................ 64
Enabling events output ........................................................................................................................................... 64
Quick scan of files and directories .......................................................................................................................... 65
Rolling back the Kaspersky Endpoint Security database updates .......................................................................... 65
Commands for obtaining reports and statistics ....................................................................................................... 66
Viewing application information ......................................................................................................................... 66
Viewing reports on Kaspersky Endpoint Security operation .............................................................................. 66
Viewing reports on the most commonly encountered threats............................................................................ 68
Deleting Kaspersky Endpoint Security operation statistics ............................................................................... 69
Commands for managing Kaspersky Endpoint Security settings and tasks ........................................................... 70
Obtaining general Kaspersky Endpoint Security settings .................................................................................. 70
Modifying general Kaspersky Endpoint Security settings .................................................................................. 71
Viewing Kaspersky Endpoint Security task list .................................................................................................. 72
Viewing task state ............................................................................................................................................. 73
Starting the task ................................................................................................................................................ 75
Stopping the task .............................................................................................................................................. 75
C O N T E N T S
5
Pausing the task ............................................................................................................................................... 75
Resuming the task ............................................................................................................................................ 76
Obtaining task settings ...................................................................................................................................... 76
Modifying task settings ...................................................................................................................................... 77
Creating a task .................................................................................................................................................. 78
Deleting tasks ................................................................................................................................................... 79
Obtaining task schedule settings ...................................................................................................................... 79
Modifying task schedule settings ...................................................................................................................... 80
Deleting the task schedule ................................................................ ................................ ................................ 81
Searching for scheduled events ........................................................................................................................ 81
Licenses management commands ......................................................................................................................... 83
Validating a key file prior to installation ............................................................................................................. 83
Viewing information about a license prior to the key file installation .................................................................. 84
Viewing information about the installed key files ............................................................................................... 85
Viewing the status of installed licenses ............................................................................................................. 85
Active key file installation .................................................................................................................................. 86
Supplementary key file installation .................................................................................................................... 86
Active key file removal ...................................................................................................................................... 86
Supplementary key file removal ........................................................................................................................ 87
Quarantine and backup storage management commands ..................................................................................... 87
Obtaining brief quarantine or backup storage statistics .................................................................................... 87
Obtaining information about storage objects ..................................................................................................... 87
Obtaining information about one object in the storage ...................................................................................... 88
Restoring objects from the storage ................................................................................................................... 88
Placing an object in quarantine manually .......................................................................................................... 89
Deleting one object from the storage ................................................................................................................ 89
Exporting objects from the storage into a specified directory ............................................................................ 90
Importing previously exported objects into the storage ..................................................................................... 90
Clearing the storage .......................................................................................................................................... 91
Logs management commands ............................................................................................................................... 92
Obtaining the number of Kaspersky Endpoint Security events with a filter ....................................................... 92
Obtaining the information about Kaspersky Endpoint Security events .............................................................. 92
Viewing the time interval, during which the events will occur that are registered in the log .............................. 93
Event log rotation .............................................................................................................................................. 94
Removing objects from the event log ................................................................................................................ 94
Limiting selections using filters ............................................................................................................................... 95
Logical expressions .......................................................................................................................................... 95
Object parameters in quarantine / backup storage ........................................................................................... 96
Kaspersky Endpoint Security events and their settings .................................................................................... 99
KASPERSKY ENDPOINT SECURITY CONFIGURATION FILES' SETTINGS ......................................................... 107
Rules for editing Kaspersky Endpoint Security .ini configuration files ................................................................... 107
Real-time protection and on-demand scan tasks settings .................................................................................... 108
Update tasks settings ........................................................................................................................................... 123
Schedule settings ................................................................................................................................................. 127
Kaspersky Endpoint Security general settings ...................................................................................................... 130
Quarantine and backup storage settings .............................................................................................................. 132
Event log settings ................................................................................................................................................. 133
A D M I N I S T R A T O R ' S G U I D E
6
MANAGING KASPERSKY ENDPOINT SECURITY USING KASPERSKY ADMINISTRATION KIT ......................... 136
Viewing computer protection status ...................................................................................................................... 136
The "Application Settings" dialog box ................................................................................................................... 137
Creating and configuring tasks ............................................................................................................................. 137
Creating a task ..................................................................................................................................................... 137
The Local task creation wizard ............................................................................................................................. 138
Step 1. Entering general task settings ............................................................................................................ 139
Step 2. Selecting an application and defining task type .................................................................................. 139
Step 3. Configuring task settings .................................................................................................................... 139
Step 4. Scheduling the task ............................................................................................................................ 139
Step 5. Completing the wizard ........................................................................................................................ 140
Updating tasks settings......................................................................................................................................... 140
Creating a scan area ....................................................................................................................................... 140
Configuring security settings ........................................................................................................................... 141
Creating an excluded area ................................................................ ................................ .............................. 141
Selecting an update source............................................................................................................................. 142
Selecting the type of updates .......................................................................................................................... 143
Scheduling a task via Kaspersky Administration Kit ............................................................................................. 144
Creating a task start rule ................................................................................................................................. 144
Scheduling a task ............................................................................................................................................ 144
Creating and configuring policies .......................................................................................................................... 146
Creating a policy ............................................................................................................................................. 147
Configuring a policy ........................................................................................................................................ 147
Checking connection with Administration Server manually. The klnagchk utility .................................................. 147
Connecting to Administration Server manually. The klmover utility ...................................................................... 148
Tasks settings ....................................................................................................................................................... 149
Interception method ........................................................................................................................................ 150
Protection mode .............................................................................................................................................. 150
Heuristic analysis ............................................................................................................................................ 150
Action to perform on infected objects .............................................................................................................. 151
Action to be performed on suspicious objects ................................................................................................. 152
Actions to be performed on objects depending on the threat type .................................................................. 152
Excluding objects by name ............................................................................................................................. 153
Excluding objects by threat name ................................................................................................................... 153
Scan of compound files ................................................................................................................................... 154
Maximum object scan time.............................................................................................................................. 154
Maximum size of a scanned object ................................................................................................................. 154
Updates source ............................................................................................................................................... 154
FTP server mode ............................................................................................................................................ 155
FTP or HTTP server response wait time ......................................................................................................... 155
Using a proxy server to connect to update sources ........................................................................................ 155
Proxy server authentication............................................................................................................................. 155
Proxy server settings ...................................................................................................................................... 156
Directory for saving updates ........................................................................................................................... 156
Updates type ................................................................................................................................................... 156
KASPERSKY LAB ZAO ............................................................................................................................................. 156
INFORMATION ABOUT THIRD-PARTY CODE ........................................................................................................ 158
Program code ....................................................................................................................................................... 158
C O N T E N T S
7
BOOST 1.39.0 ................................................................................................................................................ 160
DEJAVU SANS 2.31 ....................................................................................................................................... 160
DROID SANS FALLBACK .............................................................................................................................. 161
EXPAT 1.95.8 ................................................................................................................................................. 163
LIBACL 2.2.45-1 ............................................................................................................................................. 164
ATTR 2.4.38-1 ................................................................................................................................................ 164
LIBFONTCONFIG 2.8 ..................................................................................................................................... 164
LIBFREETYPE 2.3.11 ..................................................................................................................................... 164
LIBICE 1.0.6 .................................................................................................................................................... 167
LIBPNG 1.2.44 ................................................................................................................................................ 167
LIBSM 1.1.1 .................................................................................................................................................... 167
LIBUTF............................................................................................................................................................ 168
LIBX11 1.3.2 ................................................................................................................................................... 168
LIBXAU 1.0.5 .................................................................................................................................................. 179
LIBXCURSOR 1.1.10 ...................................................................................................................................... 179
LIBXDMCP 1.0.3 ............................................................................................................................................. 179
LIBXEXT 1.1.1 ................................................................................................................................................ 180
LIBXFIXES 4.0.4 ............................................................................................................................................. 182
LIBXI 1.3 ......................................................................................................................................................... 183
LIBXINERAMA 1.1 .......................................................................................................................................... 184
LIBXML2 2.6.32 .............................................................................................................................................. 184
LIBXRANDR 1.3.0 .......................................................................................................................................... 184
LIBXRENDER 0.9.5 ........................................................................................................................................ 185
LIBXSLT 1.1.23 ............................................................................................................................................... 185
LZMALIB 4.43 ................................................................................................................................................. 186
NET-SNMP 5.5 ............................................................................................................................................... 186
QT 4.6.3 ................................................................................................................................ .......................... 190
SQLITE 3.6.17 ................................................................................................................................................ 191
ZLIB 1.2.3 ....................................................................................................................................................... 191
Distributed program code ..................................................................................................................................... 191
REDIRFS 0.10 (MODIFIED) ........................................................................................................................... 191
Other information .................................................................................................................................................. 191
8
INTRODUCTION
IN THIS SECTION
General information about Kaspersky Endpoint Security .................................................................................................. 8
Obtaining the information about Kaspersky Endpoint Security........................................................................................ 13
Kaspersky Endpoint Security 8 for Linux (hereinafter Kaspersky Endpoint Security or the application) provides protection
for workstations running under the Linux operating system against malware penetrating computers through file
exchange.
Kaspersky Endpoint Security scans the computer disks and other mounted devices. It can scan individual directories
accessible over SMB/CIFS and NFS as well as remote directories mounted on the workstation using the SMB/CIFS and
NFS protocols.
GENERAL INFORMATION ABOUT KASPERSKY ENDPOINT
SECURITY
Kaspersky Endpoint Security 8 for Linux (hereinafter Kaspersky Endpoint Security or the application) provides protection
for workstations running under the Linux operating system against malware that penetrates the file system through a
network connection or a removable device.
The application can:
Scan file system objects located on the computer's local drives, as well as shared and distributed resources
accessed via the SMB / CIFS and NFS protocols.
File system objects can be scanned both in real-time or on demand.
Detect infected and suspicious objects.
If an object is found to contain code from a known threat, Kaspersky Endpoint Security assigns it the infected
status. If it is not possible to determine for sure whether or not an object is infected, it is classified as suspicious.
Neutralize threats detected in files.
Depending on the type of threat, the application automatically selects the action required to neutralize it:
disinfect infected object, move suspicious object to Quarantine, delete object or skip, i.e. leave object
unchanged.
Move suspicious objects to Quarantine.
Kaspersky Endpoint Security isolates objects that it considers suspicious. The application places such objects to
quarantine, i.e., it moves them from their original location into a special storage. After every database update,
Kaspersky Endpoint Security automatically runs a scan of objects in Quarantine. Some of them can be
considered not infected and restored from Quarantine.
Save backup copies of files before they are processed. Restore files from backup copies.
Manage tasks and their settings.
The application provides four types of user-controllable tasks: real-time protection, on-demand scan, scan of
objects in Quarantine, and update. The tasks of other types are system tasks and are not intended to be
managed by the user.
I N T R O D U C T I O N
9
Generate statistics and reports about operational results.
Update Kaspersky Endpoint Security databases from Kaspersky Lab's update servers or from a user-specified
source by schedule or on demand.
The databases are used to find and treat infected files. Based on the records they contain, each file is scanned
for threats: the code of the file is matched against code that resembles a particular threat.
Configure settings and control tasks both locally through the computer's standard operating system, or remotely
from any computer in a local network or across the Internet.
You can manage Kaspersky Endpoint Security:
through the command bar;
by modifying the application's configuration file;
using the Kaspersky Administration Kit.
REAL-TIME PROTECTION AND ON-DEMAND SCAN
The following functions can be used to ensure computer protection: real-time protection and on-demand scan.
Real-time protection
By default, the real-time protection task starts automatically along with Kaspersky Endpoint Security at the computer
startup and keeps on running continuously in the background mode. Kaspersky Endpoint Security scans files when they
are accessed.
Kaspersky Endpoint Security scans files for multiple types of threats (see section "Programs detectable by Kaspersky
Endpoint Security" on page 11). When any application accesses a file on the computer (for example, reads or writes it),
Kaspersky Endpoint Security scans files when they are accessed and intercepts the operation on the file. It checks the
file for the presence of malware using its databases (see section "About infected, suspicious objects and objects with the
status "Warning" "on page 10). If Kaspersky Endpoint Security detects a malicious program in the file, it will perform the
actions you have specified for it, for example, it may attempt to disinfect the file or simply delete it. The program
attempting to access the file may only do so if this file is not infected or has been successfully disinfected.
On-demand scan
On-demand scan involves one-time complete or selective scan of files on the computer for the presence of threats.
PECULIARITIES IN SCANNING OF SYMBOLIC AND HARD LINKS
The following peculiarities in scanning of symbolic and hard links may be found during Kaspersky Endpoint Security.
Scanning symbolic links
The real-time protection and on-demand scan tasks of Kaspersky Endpoint Security scan symbolic links only if the file to
which the symbolic link refers is included within scan area.
If the file, which is accessed using a symbolic link, is not included in the protection area of the task, it will not be scanned
by the application trying to access this file. If such file contains malicious code, computer security will be at risk!
A D M I N I S T R A T O R ' S G U I D E
10
Scanning hard links
When Kaspersky Endpoint Security processes a file with more than one hard link depending on actions to be taken with
objects the following scenarios are available:
If Quarantine (move to quarantine) is selected, the processed hard link will be moved to quarantine, and other
hard links will not be processed;
if the Remove action is selected, the processed hard link is removed, other hard links is processed;
if the Cure action is selected – Kaspersky Anti-Virus either will disinfect the source file or it will replace the
processed hard link by the clean copy of the source file. The created copy will have the name of the processed
hard link.
When restoring the file from quarantine or backup, a copy of the source file is created with the name of the quarantined
hard link (backup). Connections to other hard links are not restored.
ABOUT INFECTED, SUSPICIOUS OBJECTS AND OBJECTS WITH THE
STATUS "WARNING"
Kaspersky Endpoint Security contains a set of databases. Databases are files containing records that are used to detect
the malicious code of hundreds of thousands of known potential threats in objects being scanned. These records contain
information about the control sections of the threats' code and algorithms used for disinfecting the objects in which these
threats are contained.
If Kaspersky Endpoint Security detects (in an object being scanned) sections of code that fully match the control code
sections of a threat based on the information provided in the databases, it will consider such object infected.
Kaspersky Endpoint Security will assign the status "Warning" to the detected object if it contains a section of code that
partially coincides with a control code section from a known threat (in accordance with certain conditions). At the same
time, a false alarm may occur.
Kaspersky Endpoint Security assigns the suspicious status to objects detected by its Heuristic Analyzer. The Heuristic
Analyzer detects malicious objects based on their behavior. The code in such an object cannot be said to partially or
completely match the code of a known threat, but it does contain instructions or sequences of instructions that are
peculiar to threats.
ABOUT BACKUP AND QUARANTINE
Kaspersky Endpoint Security isolates found infected and suspicious objects to secure the protected computer from their
potential harmful effect.
Moving objects to quarantine
Kaspersky Endpoint Security quarantines detected infected and suspicious objects by moving them from the original
location to the quarantine or backup storage directory. Kaspersky Endpoint Security rescans quarantined objects after
each update of Kaspersky Endpoint Security databases. Having scanned quarantined objects after databases update,
Kaspersky Endpoint Security may acknowledge some of the objects to be not infected. Other objects can be found
infected by Kaspersky Endpoint Security.
If you suspect that a certain file may contain a threat while Kaspersky Endpoint Security recognizes it as clean, you can
manually place such object in quarantine to check it later using updated databases.
Backup copying of objects before disinfection or deletion
Kaspersky Endpoint Security places in the quarantine / backup directory copies of infected and suspicious objects prior
to disinfecting or deleting them. Such objects may be missing in the original location if they were deleted, or they may be
stored in a modified form if Kaspersky Endpoint Security disinfected them.
I N T R O D U C T I O N
11
You can restore an object from the quarantine or backup directory at any moment to its original location or to any other
directory specified on the computer. You may need to restore an object, for example, if the original infected file contained
valuable data but Kaspersky Endpoint Security could not preserve its integrity during disinfection and the information
inside became unavailable.
Restoring infected or suspicious objects may lead to computer infection.
PROGRAMS DETECTABLE BY KASPERSKY ENDPOINT SECURITY
Kaspersky Endpoint Security is capable of detecting hundreds of thousands of different programs that represent a threat
to computer security, within the computer's file system. Some of those programs impose great menace to the user,
others are only dangerous when specific conditions are met. After Kaspersky Endpoint Security detects a malicious
program in an object, it will assign it a certain category characterized by a certain severity level (high, medium, or low).
Kaspersky Endpoint Security distinguishes the following categories of malicious programs:
viruses and worms (Virware);
Trojan programs (Trojware);
other malicious software (Malware);
pornographic software (Pornware);
advertising software (Adware);
potentially dangerous software (Riskware).
A brief description of the threats is provided below. For a more detailed description of malicious programs and their
classification please visit the Kaspersky Lab Virus Encyclopedia (http://www.viruslist.com/en/viruses/encyclopedia).
Viruses and worms (Virware)
Danger level: high
This category includes classic viruses and network worms.
Classic viruses infect files of other programs or data. It adds its own code to such files in order to gain control when these
files are being opened. Once a classic virus penetrates a system, it activates itself upon a certain event and performs its
harmful operations.
Classic viruses differ depending on their environment and method they use for infecting other objects.
The term environment refers to areas of a computer, an operating system or an application, penetrated by the virus code.
Based on the environment, file, boot, macro and script viruses are distinguished.
The term method of infection refers to various methods of implanting malicious code into the objects being infected.
There are numerous types of viruses using various methods of infection. Overwriting viruses write their code over the
code of the file being infected, thus erasing its content. The infected file stops working and cannot be restored. Parasitic
viruses modify file code, leaving such files fully or partially operating. Companion viruses do not modify files, creating
duplicates of them instead. When such infected file is launched, the control will be overtaken by its duplicate, which is the
virus. There exist virus links as well as viruses infecting object modules (OBJ), compiler libraries (LIB), program source
texts, etc.
The code of a network worm, after it penetrates the system, gets activated and performs its malicious action in a manner
similar to that of the classic virus code. The network worm received its name due to its ability to tunnel from one
computer to another - to send copies of itself through various information channels.
Propagation method is the main attribute used to differentiate between various types of network worms. Worms of
various types can spread via email, instant messaging programs, IRC channels, file exchange networks, etc. Besides,
A D M I N I S T R A T O R ' S G U I D E
12
there are network worms spreading their copies within network resources. Malicious programs infect operating systems
exploiting their internal vulnerabilities and security breaches in applications running in those systems; they also penetrate
public resources or may accompany other threats.
Many network worms spread at a very high rate.
In addition to the damage they inflict to the infected computer, network worms discredit the owner of such computer,
cause additional charges for network traffic, and clutter up Internet channels.
Trojan programs (Trojware)
Danger level: high
Trojan programs (Trojan, Backdoor, Rootkit and other classes) perform the actions not authorized by the users of
computers, for example, they steal passwords, access Internet resources, download and install other malicious
programs.
Unlike worms and viruses, Trojan programs do not create copies of themselves penetrating files and infecting them.
They sneak into a computer, for example, via e-mail or using a web browser when the user visits an "infected" website.
Trojan programs are started with the user's participation. They begin performing their malicious actions right after they
are started.
However, Trojans may inflict far greater damage as compared to a regular virus attack.
Backdoor programs are considered to be most dangerous among Trojans. Their functionality resembles that of remote
administration utilities. They install themselves in a computer secretly from the users and enable intruders to control the
infected computer remotely.
Another type of Trojan is the Rootkit. Like other Trojan programs, Rootkits permeate the system without the user's
knowledge. Although they do not perform any malicious actions, they camouflage other malware and its activities and
thus extend the existence of such programs in the infected system. Rootkits may hide files or processes in the memory
of an infected computer and also conceal intruder's access to the system.
Other malicious software (Malware)
Danger level: medium
Other malicious programs do not impose any threat to the computer on which they are executed, yet they can be used to
organize network attacks on remote computers, hack other computers, create other viruses or Trojans.
Malicious software belonging to this category is very diverse. Thus, it includes programs performing network attacks
(DoS (Denial-of-Service) class). send multiple requests to remote computers, which cause these servers to fail. Hoaxes
(BadJoke, Hoax types) alarm users with virus-like messages: they can "detect" a virus in a clean file or display a
message about disk formatting, which will not take place in effect. Encrypting programs (FileCryptor, PolyCryptor
classes) encrypt other malicious programs to prevent them from being detected during an anti-virus scan. Constructors
(Constructor class) allow to generate original texts of viruses, object modules, or infected files. Spam utilities (SpamTool
class) collect email addresses on an infected computer or turn such computer into a spam-sending machine.
Pornographic software (Pornware)
Danger level: medium
Pornographic programs are included in a "not-a-virus" class of programs. They have functions, which may inflict damage
to the user only if special conditions are met.
Such programs are concerned with the display of pornographic information to the user. Depending on the behavior of the
programs, three types are distinguished: automatic dialers (Porn-Dialer), downloaders (Porn-Downloader), and tools
(Porn-Tool). Porn dialers connect to pay-per-visit pornographic Internet resources using a modem, pornographic
downloaders download pornography to the user's computer. Pornographic tools are programs related to the search and
display of pornographic materials (for example, specials toolbars for browsers or special video players).
I N T R O D U C T I O N
13
Advertising software (Adware)
Danger level: medium
Adware programs are included in a "not-a-virus" class. They are built-in into other programs without the user's knowledge
to display advertising messages in their interface. In many cases adware programs, in addition to displaying advertising
messages, gather users' personal information and send it to their developer, change browser's settings (browser home
page, search page, security levels, etc.) and create traffic that is not controlled by the user. In addition to the violation of
security rules, activities of adware may cause direct financial losses.
Riskware
Danger level: low
Potentially dangerous applications are included in a "not-a-virus" class of programs. Such programs may be legally
purchased and used in daily operations by the users, for example, system administrators.
Some remote management programs, such as Remote Administrator, and programs for obtaining network information
are considered potentially dangerous.
OBTAINING THE INFORMATION ABOUT KASPERSKY
ENDPOINT SECURITY
Kaspersky Lab provides various sources of information about Kaspersky Endpoint Security. Select a source most
convenient for you depending on the importance and urgency of your question.
If you already purchased Kaspersky Endpoint Security, contact the Technical Support service. If your question does not
require an immediate answer, you can discuss it with the Kaspersky Lab experts and other users in our forum at
http://forum.kaspersky.com.
SOURCES OF INFORMATION FOR FURTHER RESEARCH
The following sources of information about Kaspersky Endpoint Security are available:
Kaspersky Endpoint Security page at the Kaspersky Lab website;
documentation;
manual pages.
Page at the Kaspersky Lab website
http://www.kaspersky.com/endpoint-security-linux
This page contains general information about the application, its functionality and peculiarities. You can purchase
Kaspersky Endpoint Security or extend the period of its use in our online store.
Documentation
Installation Guide describes the purpose of Kaspersky Endpoint Security, requirements to the hardware and
software for the installation and operation of Kaspersky Endpoint Security, instructions for its installation, verification
of its operability and initial setup.
Administrator Guide includes information on how to manage Kaspersky Endpoint Security using command line
utility and Kaspersky Administration Kit.
A D M I N I S T R A T O R ' S G U I D E
14
These documents are supplied in PDF format in Kaspersky Endpoint Security distribution package. Alternatively,
you can download the documentation files from the Kaspersky Endpoint Security page at Kaspersky Lab website.
Manual pages
The following manual page files contain information about specific aspects of Kaspersky Endpoint Security:
manage Kaspersky Endpoint Security from the command line:
/opt/kaspersky/kes4lwks/share/man/man1/kes4lwks-control.1.gz;
Configuring general Kaspersky Endpoint Security settings:
/opt/kaspersky/kes4lwks/share/man/man5/kes4lwks.conf.5.gz;
configuring the real-time protection task:
/opt/kaspersky/kes4lwks/share/man/man5/kes4lwks-oas.conf.5.gz;
configuring on-demand scan tasks:
/opt/kaspersky/kes4lwks/share/man/man5/kes4lwks-ods.conf.5.gz;
configuring update tasks:
/opt/kaspersky/kes4lwks/share/man/man5/kes4lwks-update.conf.5.gz;
configuring the storage of quarantined objects and the storage of objects backed up before disinfection or
removal:
/opt/kaspersky/kes4lwks/share/man/man5/kes4lwks-quarantine.conf.5.gz;
configuring the event repository:
/opt/kaspersky/kes4lwks/share/man/man5/kes4lwks-events.conf.5.gz;
description of utility which changes settings for connection with the Kaspersky Administration Kit Administration
Server:
/opt/kaspersky/klnagent/share/man/man1/klmover.1.gz;
description of utility which checks settings for connection with the Kaspersky Administration Kit Administration
Server:
/opt/kaspersky/klnagent/share/man/man1/klnagchk.1.gz.
15
CONTACTING THE TECHNICAL SUPPORT SERVICE
If you have already purchased Kaspersky Endpoint Security, you can obtain information about it from the Technical
Support service by phone or via Internet.
Technical Support Service will answer your questions about installing and using the program. If your computer has been
infected, they will help eliminate the consequences of malicious programs.
Before contacting the Technical Support service, please read the Support rules for Kaspersky Lab’s products
(http://support.kaspersky.com/support/rules).
Email request to the Technical Support Service
You can ask your question to the Technical Support Service specialists by filling out the Helpdesk web form of
Request to Kaspersky Lab Technical Support (http://support.kaspersky.com/helpdesk.html).
You can send your inquiry in Russian, English, German, French or Spanish.
In order to send an email message with your question, you must indicate the client number obtained from the
Technical Support website during registration along with your password.
If you are not yet a registered user of Kaspersky Lab applications, you can fill out a registration form
(https://support.kaspersky.com/ru/personalcabinet/Registration/Form/?LANG=en). When registering, indicate the
application activation code or key file name.
The Technical Support service will reply to your request in your Personal Cabinet
(https://support.kaspersky.com/en/PersonalCabinet) and to the email address you have specified in your request.
Describe the problem you have encountered in the request web form providing as much detail as possible. Specify
the following information in the mandatory fields:
Request type. Select the topic, which is the closest to the problem you have encountered, e.g.: "Product
installation / removal problem", or "Virus scan / removal problem". If you do not find an appropriate topic, select
"General Question".
Application version name and number.
Request text. Describe the problem you have encountered providing as much detail as possible.
Customer ID and password. Enter the customer ID and password received during registration at the Technical
Support Service website.
Email address. The experts of the Technical Support Service will send their reply to your inquiry to that
address.
Technical support by phone
If an urgent problem has occurred, you can call the Technical Support Service in your city. Before contacting to the
Russian-speaking (http://support.kaspersky.ru/support/support_local) specialists or international
(http://support.kaspersky.com/support/international) technical support, please gather the information
(http://support.kaspersky.com/support/details) on your computer and set it on antivirus software. This will allow our
specialists to help you more quickly.
DISCUSSION OF KASPERSKY LAB'S APPLICATIONS IN WEB FORUM
If your question does not require an immediate answer, you can discuss it with the Kaspersky Lab experts and other
users in our forum at http://forum.kaspersky.com. In this forum you can view existing topics, leave your comments, create
new topics and use the search engine.
A D M I N I S T R A T O R ' S G U I D E
16
STARTING AND STOPPING KASPERSKY
ENDPOINT SECURITY
Before taking the actions or using the commands described above, make sure that the kes4lwks-supervisor service is
running on the computer!
By default, Kaspersky Endpoint Security starts automatically at the operating system startup (on default run levels for
each operating system). Kaspersky Endpoint Security runs all predefined and custom tasks, schedule settings (see
section "Schedule settings" on page 127) which is set to run PS.
If you stop Kaspersky Endpoint Security, execution of all tasks will be interrupted. After Kaspersky Endpoint Security
restart, interrupted custom tasks will not be resumed automatically. Only those custom tasks in the schedule settings
(see section "Schedule settings" on page 127) which is set to launch PS, will be launched again.
To run the Kaspersky Endpoint Security, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --start-app
To stop Kaspersky Endpoint Security, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --stop-app
To restart the Kaspersky Endpoint Security, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --restart-app
17
MANAGING KASPERSKY ENDPOINT
IN THIS SECTION
Creating an on-demand scan or update task .................................................................................................................. 17
Deleting an on-demand scan or update task ................................................................................................................... 18
Manual task management ............................................................................................................................................... 18
Automatic task management ........................................................................................................................................... 18
Viewing task state ........................................................................................................................................................... 19
Viewing task statistics ..................................................................................................................................................... 20
SECURITY TASKS
Task is a Kaspersky Endpoint Security component, implementing part of the program functionality. For example, the realtime protection task implements protection of the computer files in real time, the update task downloads and installs
Kaspersky Endpoint Security database updates, etc .
To obtain the lists of tasks of Kaspersky Endpoint Security, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --get-task-list
The user can manage the following types of tasks (see page 18):
OAS, real-time protection tasks;
ODS, on-demand scan tasks;
QS, tasks which scan quarantined objects;
Update, update tasks.
The tasks of other types are system tasks and are not intended to be managed by the user. You can only modify their
operation settings.
CREATING AN ON-DEMAND SCAN OR UPDATE TASK
The Kaspersky Endpoint Security installation creates one task of each type. You can create custom on-demand scan
and update tasks (see section "Creating a task" on page 78).
To create an on-demand scan task, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--create-task <task name> --use-task-type=ODS \
[--file=<configuration file name>] [--file-format=<INI|XML>]
The settings for the created task are as follows:
all local and mounted objects will be scanned;
A D M I N I S T R A T O R ' S G U I D E
18
scan will be done with default settings (see section "Default scan settings" on page 38).
You can create an on-demand scan task with the required set of parameters. To do that, specify the full path to the file
containing the task settings, using the --file key of the --create-task command.
To create an update task, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--create-task <task name> --use-task-type=Update \
--file=<path to the file containing the task settings>
DELETING AN ON-DEMAND SCAN OR UPDATE TASK
You can delete update tasks and on-demand scan tasks (except Quarantine scan (ID=10) and On-Demand Scan
(ID=9) and Custom Scan (ID=15) tasks).
You cannot delete the real-time protection task.
To delete the task, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --delete-task <task ID>
MANUAL TASK MANAGEMENT
The actions described in this section are available for the OAS, ODS, QS, and Update task types.
You can pause and resume any task except for update tasks.
You can run several on-demand scan tasks simultaneously.
To start a task, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --start-task <task ID>
To stop a task, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --stop-task <task ID>
To pause a task, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --suspend-task <task ID>
To resume a task, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --resume-task <task ID>
AUTOMATIC TASK MANAGEMENT
In addition to managing Kaspersky Endpoint Security tasks manually, you can use automatic task management. To do
so, create a task schedule.
Task schedule is a set of rules that specify the start time and duration of the task.
The following types of tasks support automatic management:
real-time protection;
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U R I T Y T A S K S
19
Example:
Name: On-demand scan
Id: 9
Class: ODS
State: Stopped
on-demand scan;
databases update.
To configure task schedule using the configuration file:
1. Save the task scheduling settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --get-schedule <task ID> \
--file=<full path to the file>
2. Configure the schedule settings (see page 127).
3. Import the schedule settings into the task:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --set-schedule <task ID> \
--file=<full path to the file>
VIEWING TASK STATE
One of the aspects of task management is monitoring the task state.
Kaspersky Endpoint Security tasks may have one of the following states:
Started – the task is in progress;
Starting – the task is starting;
Stopped – the task is stopped;
Stopping – the task is stopping;
Suspended – the task is suspended;
Suspending – the task is suspending;
Resumed – the task has been resumed;
Resuming – the task is resuming;
Failed – the task has terminated with an error;
Interrupted by user – the task execution was interrupted by the user.
To view the task state, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --get-task-state <task ID>
The following example displays the command output:
A D M I N I S T R A T O R ' S G U I D E
20
VIEWING TASK STATISTICS
You can obtain the operating statistics for Kaspersky Endpoint Security tasks. Viewing statistics is available for the
following task types:
Application – general operating statistics for Kaspersky Endpoint Security;
Quarantine – quarantine statistics;
OAS – statistics for the real-time protection task;
ODS – statistics for the on-demand scan tasks;
Backup – backup storage statistics;
Update – statistics for update tasks.
For the ODS and Update task types, it is necessary to specify the task ID. If the task ID is not specified, general statistics
for the selected task type will be provided.
To view task statistics, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-stat <task type> [--task-id <task ID>]
You can specify the period, for which statistics is displayed.
The date and time of the beginning and end of the period are specified in format [YYYY-MM-DD] [HH24:MI:SS].
To obtain statistics for a specific period, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-stat <task type> --from=<beginning of period> --to=<end of period>
If the value of the <beginning of period> setting is not specified, statistics will be collected since the task start. If
the value of the <end of period> setting is not specified, statistics will be collected until the present moment.
You can save task statistics to files in two formats: HTML and CSV. By default, the file format is set by the file extension.
To save statistics to a file, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-stat <task type> [--task-id <task ID>] --export-report=<full path to the file>
21
UPDATING KASPERSKY ENDPOINT
SECURITY
During the license period you can download updates for the databases of Kaspersky Endpoint Security.
Databases are files containing records that are used to detect the malicious code of known threats in scanned objects.
These records contain information about the control sections of the threats' code and algorithms used for disinfecting the
objects in which these threats are contained.
Virus analysts at Kaspersky Lab detect hundreds of new threats daily, create records to identify them, and include them
in database updates. Database updates are one or several files, which contain records identifying threats that have been
detected since the previous update had been released. To minimize the risk of infecting the computer, we recommend
that you receive database updates regularly.
Kaspersky Lab can also release update packages for Kaspersky Endpoint Security application modules. Update
packages are classified as urgent (or critical) or routine. Urgent update packages remove vulnerabilities and fix errors;
routine updates add new functions or improve existing ones.
Within the validity period of your license you can download updates from the web site of Kaspersky Lab and install them
manually.
You can also automatically set module updates for other Kaspersky Lab applications.
Database updates
During installation the Kaspersky Endpoint Security has retrieved the current databases from an Kaspersky Lab's HTTP
server; if you have configured automatic database update, Kaspersky Endpoint Security starts the update according to
the schedule (once every 30 minutes) using the predefined update task (ID=6).
You can configure the preinstalled update task and create user-defined update tasks.
If update downloading is interrupted or terminates with an error, Kaspersky Endpoint Security automatically switches to
using databases with previously installed update. If Kaspersky Endpoint Security databases get corrupted, you can roll
them back to the previously installed updates.
By default, if Anti-Virus databases have not been updated within a week since Kaspersky Lab had released previous
database updates, Kaspersky Endpoint Security will log the Databases are outdated (AVBasesAreOutOfDate) event. If
the databases have not been updated within two weeks, it registers the event Databases are obsolete
(AVBasesAreTotallyOutOfDate).
Copying database and module updates. Distributing updates
You can download updates to each protected computer or use one computer as an intermediary by copying all updates
onto it and then distributing them to the computers. And if you use Kaspersky Administration Kit application for the
centralized administration of computer protection in an enterprise, you can use Kaspersky Administration Kit
administration server as an intermediary for updates distribution.
To save database updates on an intermediary computer without applying them, configure updates distribution in the
update task.
A D M I N I S T R A T O R ' S G U I D E
22
IN THIS SECTION
Selecting an update source ............................................................................................................................................. 22
Updating from local or network folder .............................................................................................................................. 22
Using the proxy server .................................................................................................................................................... 24
Last database update rollback ........................................................................................................................................ 24
SELECTING AN UPDATE SOURCE
Update source (see page 154) is a resource containing updates for Kaspersky Endpoint Security databases. Update
sources can be HTTP or FTP servers, or local or network folders.
The main updates source is Kaspersky Lab's update servers. These are special Internet sites which contain updates for
databases and application modules for all Kaspersky Lab products.
To select Kaspersky Lab's update servers as your update source,execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <update task ID> \
CommonSettings.SourceType=KLServers
To select Kaspersky Administration Kit server as an update source, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <update task ID> \
CommonSettings.SourceType=AKServer
To reduce Internet traffic, you can configure Kaspersky Endpoint Security database update from the local or network
folder (see page 22).
UPDATING FROM LOCAL OR NETWORK FOLDER
The procedure of retrieving updates from a local folder is arranged as follows:
1. One of the computers on the network retrieves the Kaspersky Endpoint Security update package from
Kaspersky Lab's update servers, or from a mirror server hosting a current set of updates.
2. The retrieved updates are placed in a shared folder.
3. Other computers on the network access the shared folder to retrieve Kaspersky Endpoint Security database
updates.
To download updates for Kaspersky Endpoint Security databases to a shared folder on one of the network
computers, perform the following steps:
1. Create a folder, to which Kaspersky Endpoint Security will download database.
2. Provide shared access to the created folder.
3. Create a configuration file that contains the following setting values:
UpdateType="RetranslateProductComponents"
[CommonSettings]
U P D A T I N G K A S P E R S K Y EN D P O I N T S E C U R I T Y
23
SourceType="KLServers"
UseKLServersWhenUnavailable=yes
UseProxyForKLServers=no
UseProxyForCustomSources=no
PreferredCountry=""
ProxyServer=""
ProxyPort=3128
ProxyBypassLocalAddresses=yes
ProxyAuthType="NotRequired"
ProxyAuthUser=""
ProxyAuthPassword=""
UseFtpPassiveMode=yes
ConnectionTimeout=10
[UpdateComponentsSettings]
Action="DownloadAndApply"
[RetranslateUpdatesSettings]
RetranslationFolder="<full path to the created directory>"
4. Import the settings from configuration file into the task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <update task ID> \
--file=<full path to the file>
5. Start the task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --start-task <update task ID>
Kaspersky Endpoint Security databases will be downloaded to the shared folder.
To specify the shared folder as an update source for other network computers, perform the following steps:
1. Create a configuration file that contains the following setting values:
UpdateType="AllBases"
[CommonSettings]
SourceType="Custom"
UseKLServersWhenUnavailable=yes
UseProxyForKLServers=no
UseProxyForCustomSources=no
PreferredCountry=""
ProxyServer=""
ProxyPort=3128
ProxyBypassLocalAddresses=yes
ProxyAuthType="NotRequired"
ProxyAuthUser=""
ProxyAuthPassword=""
UseFtpPassiveMode=yes
ConnectionTimeout=10
A D M I N I S T R A T O R ' S G U I D E
24
[CommonSettings:CustomSources]
Url="/home/bases"
Enabled=yes
[UpdateComponentsSettings]
Action="DownloadAndApply"
2. Import the settings from configuration file into the task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <update task ID> \
--file=<full path to the file>
USING THE PROXY SERVER
If you use a proxy server to connect to the Internet, you must configure its settings.
To enable using a proxy server to access Kaspersky Lab's update servers,execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <update task ID> \
CommonSettings.UseProxyForKLServers=yes \
CommonSettings.ProxyBypassLocalAddresses=yes \
CommonSettings.ProxyServer=proxy.company.com \
CommonSettings.ProxyPort=3128
To enable using a proxy server to access custom update sources, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <update task ID> \
CommonSettings.UseProxyForCustomSources=yes \
CommonSettings.ProxyBypassLocalAddresses=yes \
CommonSettings.ProxyServer=proxy.company.com \
CommonSettings.ProxyPort=3128
To specify authentication settings for connection to the proxy server, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <update task ID> \
CommonSettings.ProxyAuthType=Plain \
CommonSettings.ProxyAuthUser=user \
CommonSettings.ProxyAuthPassword=password
LAST DATABASE UPDATE ROLLBACK
The Kaspersky Endpoint Security creates backup copies of the original databases before it applies updates. If an update
procedure gets interrupted or fails, the Kaspersky Endpoint Security automatically reverts to the previous database
version containing updates installed earlier.
If you encounter problems after database update, you can roll back the databases to the previous version. To do this,
use the roll back to the previous Kaspersky Endpoint Security databases task.
To roll back to the previous databases, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --start-task 14
R E A L -T I M E P R O T E C T I O N
25
IN THIS SECTION
Default protection settings ............................................................................................................................................... 25
Creating a protection scope ............................................................................................................................................ 26
Restricting a protection area using masks and regular expressions ............................................................................... 27
Exclusion of objects from a protection area..................................................................................................................... 28
Selecting interception mode ............................................................................................................................................ 31
Selecting protection mode ............................................................................................................................................... 31
Using heuristic analysis ................................................................................................................................................... 32
Using scan mode depending on user and group accounts accessing the objects .......................................................... 32
Selecting action to perform on detected objects .............................................................................................................. 33
Selecting actions depending on the threat type ............................................................................................................... 34
Scan optimization ............................................................................................................................................................ 35
Compatibility with other Kaspersky Lab's applications .................................................................................................... 36
REAL-TIME PROTECTION
A real-time protection task allows to prevent computer file system infection. By default, the real-time protection task runs
automatically at the start of Kaspersky Endpoint Security. The task runs in the computer's RAM, scanning all files that are
opened, saved, or executed. You can stop, start, pause and resume it.
You cannot create custom real-time protection tasks.
DEFAULT PROTECTION SETTINGS
In Kaspersky Endpoint Security for real-time protection task the following default settings are configured.
ProtectionType="Full"
TotalScanners=4
[ScanScope]
UseScanArea=yes
AreaMask="*"
UseAccessUser=no
AreaDesc="All objects"
[ScanScope:AreaPath]
Path="/"
[ScanScope:AccessUser]
[ScanScope:ScanSettings]
ScanArchived=no
ScanSfxArchived=no
A D M I N I S T R A T O R ' S G U I D E
26
ScanMailBases=no
ScanPlainMail=no
ScanPacked=yes
UseTimeLimit=yes
TimeLimit=60
UseSizeLimit=no
SizeLimit=0
ScanByAccessType="SmartCheck"
InfectedFirstAction="Recommended"
InfectedSecondAction="Skip"
SuspiciousFirstAction="Recommended"
SuspiciousSecondAction="Skip"
UseAdvancedActions=yes
UseExcludeMasks=no
UseExcludeThreats=no
ReportCleanObjects=no
ReportPackedObjects=no
UseAnalyzer=yes
HeuristicLevel="Recommended"
[ScanScope:ScanSettings:AdvancedActions]
Verdict="Riskware"
FirstAction="Skip"
SecondAction="Skip"
CREATING A PROTECTION SCOPE
Note the peculiarities in scanning of symbolic and hard links (see page 9).
By default, the real-time protection task scans all files that are opened, modified, and saved within the local computer file
system.
You can extend or narrow down the protection area by adding or removing objects to be scanned, or by changing the
type of files to be scanned (see page 27).
Kaspersky Endpoint Security will scan objects in the specified scan areas in the order in which the areas are listed in the
configuration file. If you wish to configure different security settings for child and parent directories, place the subdirectory
in the list higher, than its parent directory.
To extend a protected area, perform the following steps:
1. Save the protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Add the following sections to the created file:
[ScanScope] which contains the following settings:
R E A L -T I M E P R O T E C T I O N
27
AreaMask which defines the name mask of objects to be scanned;
UseAccessUser which enables the scan mode depending on user and group accounts accessing the
objects (see page 32);
AreaDesc which defines the name of protection area.
[ScanScope:AreaPath] which contains the Path setting.
[ScanScope:AccessUser] which contains settings that define accounts whose file operations will be
intercepted by the real-time protection task.
[ScanScope:ScanSettings] which contains scan settings for the area to be added.
All settings must be assigned in the [ScanScope:ScanSettings] section.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
To narrow down a protected area, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Delete from the created file the following sections, defining protection area:
[ScanScope];
[ScanScope:AreaPath];
[ScanScope:AccessUser];
[ScanScope:ScanSettings].
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
RESTRICTING A PROTECTION AREA USING MASKS AND
REGULAR EXPRESSIONS
By default, Kaspersky Endpoint Security scans all objects within a protected area.
You can specify templates for the names or paths of the files to scan. In this case, Kaspersky Endpoint Security will scan
files or directories from the protection area that are specified using Shell masks or ECMA-262 regular expressions.
You can use Shell masks to specify a file name template to be scanned by Kaspersky Endpoint Security.
You can also use regular expressions to specify a template for the file path which Kaspersky Endpoint Security should
scan. A regular expression cannot contain the name of the folder which defines the scan or protection area.
A D M I N I S T R A T O R ' S G U I D E
28
To specify file name or path templates for the files to be scanned, perform the following steps:
IN THIS SECTION
Creating a global exclusion area ..................................................................................................................................... 28
Excluding objects from the protection area ..................................................................................................................... 29
Exclusion of objects depending on user and group accounts accessing the objects ...................................................... 29
Excluding objects by names of the threats detected in them........................................................................................... 30
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Specify the value of the AreaMask setting in the [ScanScope] section which defines the protection area.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
EXCLUSION OF OBJECTS FROM A PROTECTION AREA
By default, the real-time protection task scans all objects that are included in protection areas defined for this task.
You can exclude several objects from the scan. To do that, you can create four types of exclusions:
exclusion of objects from a protection area: in this case the specified objects will only be excluded from the
selected protected area;
global exclusion of objects: in this case the specified objects will be excluded from all protection areas defined
for the task;
exclusion of objects depending on user and group accounts accessing the objects: in this case the objects will
be excluded from the protection area when they are accessed by specific accounts;
exclusion of objects by the name of the threat detected in them.
CREATING A GLOBAL EXCLUSION AREA
You can create a global exclusion area. Objects included in this area will be excluded from all areas defined for the realtime protection task.
To create a global exclusion area, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Add the following sections to the created file:
[ExcludedFromScanScope], which contains the following settings:
AreaMask, which defines templates of object names to be excluded from the scan;
R E A L -T I M E P R O T E C T I O N
29
UseAccessUser, which enables the exclusion mode depending on user and group accounts
accessing the objects;
AreaDesc, which defines a unique name for exclusion area;
[ExcludedFromScanScope:AreaPath], which contains the Path setting that defines the path to the
objects to be excluded from the scan.
[ExcludedFromScanScope:AccessUser], which contains settings that define accounts whose file
operations will be excluded from the scan.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
EXCLUDING OBJECTS FROM THE PROTECTION AREA
By default, Kaspersky Endpoint Security scans all objects within a protected area.
You can define name and path templates that are excluded from the protection area. In this case, Kaspersky Endpoint
Security will not scan files or directories from the protection area that are specified using Shell masks or ECMA-262
regular expressions.
You can use Shell masks to specify a file name template excluded from scanning by Kaspersky Endpoint Security.
You can also use regular expressions to specify a template for the paths to files which Kaspersky Endpoint Security
should not scan. The regular expression should not contain the name of the directory containing excluded object.
To exclude objects from the protection area, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseExcludeMasks setting in the [ScanScope:ScanSettings] section.
4. Specify file name or path templates using the ExcludeMasks setting in the [ScanScope:ScanSettings]
section.
To specify several file name or path templates, repeat the ExcludeMasks setting value the required number of
times.
5. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
EXCLUSION OF OBJECTS DEPENDING ON USER AND GROUP
ACCOUNTS ACCESSING THE OBJECTS
Kaspersky Endpoint Security allows excluding of objects from the protection area if they are accessed by applications
running under the specified user or group accounts.
A D M I N I S T R A T O R ' S G U I D E
30
To exclude objects from the protection area depending on user and group accounts accessing the objects, perform
the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseAccessUser setting in the [ExcludedFromScanScope] section;
4. Specify the user name, under which file operations will not be scanned, using the UserName setting in the
[ExcludedFromScanScope:AccessUser] section;
5. Specify the group name, under which file operations will not be scanned, using the UserGroup setting in the
[ExcludedFromScanScope:AccessUser] section.
If you wish to specify several user names or group names, specify values for the UserName and UserGroup
settings the required number of times in one section.
6. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
EXCLUDING OBJECTS BY NAMES OF THE THREATS DETECTED IN
THEM
If Kaspersky Endpoint Security considers a scanned object to be infected or suspicious, it performs the action on this
object specified in the task. If you consider this object to be harmless for the protected computer, you can exclude it from
the scan scope by the name of threat detected in it. In this case Kaspersky Endpoint Security considers such objects as
not infected and does not scan them.
The full name of the threat may contain the following information:
<threat class>:<threat type>.<brief name of operating system>.<threat name>.<threat modification code>. For
example, not-a-virus:NetTool.Linux.SynScan.a.
You can find the full name of the threat detected in an object in the Kaspersky Endpoint Security log.
You can also find the full name of the threat detected in a software product at the Virus Encyclopedia web site (see the
Virus Encyclopedia section at http://www.viruslist.com). To find the type of a threat, enter the name of the product in the
Search field.
When specifying threat name templates, you can use Shell masks and ECMA-262 regular expressions.
To exclude objects by the name of detected threat, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseExcludeThreats setting in the [ScanScope:ScanSettings] section.
R E A L -T I M E P R O T E C T I O N
31
4. Specify the threat name template using the ExcludeThreats setting in the [ScanScope:ScanSettings]
section.
To specify several threat name templates, repeat the ExcludeThreats setting value the required number of
times.
5. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
SELECTING INTERCEPTION MODE
Kaspersky Endpoint Security includes two components intercepting attempts to access files and scanning those files.
They are Samba interceptor (used to scan objects on remote computers accessed via the SMB / CIFS protocol) and the
kernel level interceptor (scanning objects accessed using other methods).
The Samba interceptor provides, as additional object information, the IP address of the remote computer on which an
application attempted to access an object when it was intercepted by Kaspersky Endpoint Security.
To enable the kernel level interceptor, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 ProtectionType=KernelOnly
To enable a Samba interceptor, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 ProtectionType=SambaOnly
To enable both interceptors, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 ProtectionType=Full
If the Samba interceptor is enabled, Kaspersky Endpoint Security will not scan objects that are not accessed using
SMB / CIFS.
SELECTING PROTECTION MODE
Protection mode (see page 150) is the condition which triggers the real-time protection task. By default, Kaspersky
Endpoint Security uses smart mode, which determines whether the object is to be scanned based on the actions
performed on it. For example, when working with a Microsoft Office document, Kaspersky Endpoint Security scans the
file when it is first opened and last closed. Intermediate operations that overwrite the file do not cause it to be scanned.
To change the object protection mode, perform the following steps:
1. Save the protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign one of the following values to the ScanByAccessType setting in
the [ScanScope:ScanSettings] section:
SmartCheck, to enable the Smart mode;
A D M I N I S T R A T O R ' S G U I D E
32
Open, to enable protection mode at an attempt to access the file;
OpenAndModify, to enable protection mode at an attempt to open and modify the file.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
USING HEURISTIC ANALYSIS
Objects are scanned using databases which contain descriptions of all known malware and the corresponding
disinfection methods. Kaspersky Endpoint Security compares each scanned object with the database's records to
determine firmly if the object is malicious, and if so, into which class of malware it falls. This approach is called signature
analysis and is always used by default.
Since new malicious objects appear daily, there is always some malware which is not described in the databases. And
these objects can only be detected using a heuristic analysis. This method presumes the analysis of the actions an
object performs within the system. If these actions are indicative of a malicious object, the object is likely to be classed as
malicious or suspicious. Consequently, new threats are identified before they become known to virus analysts.
Additionally you can set the detail level for scans. It sets the balance between the thoroughness of searches for new
threats, the load on the operating system's resources and the time required for scanning. The higher the detail level, the
more resources the scan will require, and the longer it will take.
To use the heuristic analysis and set the detail level for scans:
1. Save the real-time protection tasksettings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseAnalyzer setting in the [ScanScope:ScanSettings] section;
one of the values: Light, Medium, Deep or Recommended for the HeuristicLevel setting in the
[ScanScope:ScanSettings] section.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
USING SCAN MODE DEPENDING ON USER AND GROUP
ACCOUNTS ACCESSING THE OBJECTS
Kaspersky Endpoint Security offers an opportunity to scan objects if they are accessed by applications running with the
permissions of the specified users or specified groups.
To enable the object scan mode depending on user and group accounts accessing the objects, perform the following
steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
R E A L -T I M E P R O T E C T I O N
33
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseAccessUser setting in the [ScanScope] section;
user account, under which file operations will be scanned to the UserName setting in the
[ScanScope:AccessUser] section;
group account, under which file operations will be scanned to the UserGroup setting in the
[ScanScope:AccessUser] section.
If you wish to specify several user names or group names, specify values for the UserName and UserGroup
settings the required number of times in one section.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
SELECTING ACTION TO PERFORM ON DETECTED OBJECTS
As a result of the scan, Kaspersky Endpoint Security assigns one of the following statuses to the object:
infected, if code of a known virus is detected in the object;
suspicious, if the scan cannot determine whether the object is infected or not. This means that the application
detected a sequence of code in the file from an unknown virus, or modified code from a known virus.
You can specify two actions to perform on objects with each status. If the first action is failed to perform, it will perform
the second action.
You can specify the following actions to perform on detected objects:
Recommended. Kaspersky Endpoint Security automatically selects and performs actions on the object based
on data about the threat detected in the object and about the possibility of disinfecting it. For example,
Kaspersky Endpoint Security will immediately remove Trojans since they do not incorporate themselves into
other files and do not infect them; therefore they do not need to be disinfected.
Cure. Kaspersky Endpoint Security attempts to disinfect the object, and if disinfection is not possible, it leaves
the object intact.
Quarantine. Kaspersky Endpoint Security moves the object to quarantine.
Remove. Kaspersky Endpoint Security creates a backup copy of the object, then removes it.
Skip. Kaspersky Endpoint Security leaves the object intact.
The Recommended action can be selected only as the first action.
If Skip was selected as the first action, the second action can be Skip only.
If Recommended or Remove was selected as the first action, Quarantine cannot be selected as the second
action.
To specify actions to be performed on infected objects, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
A D M I N I S T R A T O R ' S G U I D E
34
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
InfectedFirstAction in the [ScanScope:ScanSettings] section;
InfectedSecondAction in the [ScanScope:ScanSettings] section;
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
To specify actions to be performed on suspicious objects, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
SuspiciousFirstAction in the [ScanScope:ScanSettings] section;
SuspiciousSecondAction in the [ScanScope:ScanSettings] section;
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
SELECTING ACTIONS DEPENDING ON THE THREAT TYPE
You can specify operations for the following types of threats:
Virware – viruses;
Trojware – Trojan programs;
Malware – programs which cannot harm your computer directly, but can be used by developers of malicious
code or various malicious programs;
Adware – advertising software;
Pornware – programs which download pornographic material or pornography sites without the user's
permission;
Riskware – harmless programs which could be used for malicious purposes. An example of such software is
You can specify two actions for each threat type. If the first action is failed to perform, it will perform the second action.
Remote Administrator utility.
You can specify the following actions:
Recommended. Kaspersky Endpoint Security automatically selects and performs actions on the object based
on data about the threat detected in the object and about the possibility of disinfecting it. For example,
Kaspersky Endpoint Security will immediately remove Trojans since they do not incorporate themselves into
other files and do not infect them; therefore they do not need to be disinfected.
R E A L -T I M E P R O T E C T I O N
35
Cure. Kaspersky Endpoint Security attempts to disinfect the object, and if disinfection is not possible, it leaves
the object intact.
Quarantine. Kaspersky Endpoint Security moves the object to quarantine.
Remove. Kaspersky Endpoint Security creates a backup copy of the object, then removes it.
Skip. Kaspersky Endpoint Security leaves the object intact.
The Recommended action can be selected only as the first action.
If Skip was selected as the first action, the second action can be Skip only.
If Recommended or Remove was selected as the first action, Quarantine cannot be selected as the second action.
To specify actions to perform on the threat of specific type, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseAdvancedActions setting in the [ScanScope:ScanSettings] section.
4. Add the [ScanScope:ScanSettings:AdvancedActions] section to the configuration file.
5. Specify the threat type using the Verdict setting in the [ScanScope:ScanSettings:AdvancedActions]
section.
6. Specify actions to be performed on the threat of selected type using the FirstAction and SecondAction
settings in the [ScanScope:ScanSettings:AdvancedActions] section.
7. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
SCAN OPTIMIZATION
You can shorten the scan time and speed up Kaspersky Endpoint Security. To do so, you can specify two types of
restrictions:
restriction on the scan duration: once the specified time period elapses, the object scan will be stopped;
restriction on the maximum size of the object to scan: objects larger than the specified limit will be skipped
during the scan.
To impose a time restriction on the scan duration, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseTimeLimit setting in the [ScanScope:ScanSettings] section;
A D M I N I S T R A T O R ' S G U I D E
36
maximum object scan time (in seconds) – to the TimeLimit setting in the [ScanScope:ScanSettings]
section.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
To enable restriction on the maximum size of the object to scan, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseSizeLimit setting in the [ScanScope:ScanSettings] section;
maximum object size (in bytes) – to the SizeLimit setting in the [ScanScope:ScanSettings] section.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
COMPATIBILITY WITH OTHER KASPERSKY LAB'S
APPLICATIONS
To ensure compatibility of the Kaspersky Endpoint Security 8 with Kaspersky Anti-Virus for Linux Mail Server, Kaspersky
Anti-Spam, and Kaspersky Mail Gateway, you should exclude support directories of these programs from being scanned
in the real-time protection task.
To configure simultaneous operation of the Kaspersky Endpoint Security 8 and Kaspersky Anti-Virus for Linux Mail
Server, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Add the following section to the created file:
[ExcludedFromScanScope]
AreaMask="*"
UseAccessUser=yes
[ExcludedFromScanScope:AreaPath]
Path=<path to directory of the mail queue of mail agent integrated with Kaspersky
Anti-Virus for Linux Mail Server>
[ExcludedFromScanScope:AccessUser]
UserName=<name of user who is the owner of the mail queue>
3. Repeat the section specified above for all mail agents integrated with Kaspersky Anti-Virus for Linux Mail
Server.
4. To exclude from the scan the temporary directory for Kaspersky Anti-Virus for Linux Mail Server filter and
services, add the following section to the created file:
[ExcludedFromScanScope]
AreaMask="*"
UseAccessUser=yes
[ExcludedFromScanScope:AreaPath]
Path="/var/tmp"
R E A L -T I M E P R O T E C T I O N
37
[ExcludedFromScanScope:AccessUser]
UserName="kluser"
5. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
To configure simultaneous operation of Kaspersky Anti-Virus 8 with Kaspersky Anti-Spam, perform the following
steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. Add the following section to the created file:
[ExcludedFromScanScope]
AreaMask="*"
UseAccessUser=yes
[ExcludedFromScanScope:AreaPath]
Path=<path to directory of the mail queue of mail agent integrated with Kaspersky
Anti-Spam>
[ExcludedFromScanScope:AccessUser]
UserName=<name of user who is the owner of the mail queue>
3. Repeat the section specified above for all mail agents integrated with Kaspersky Anti-Spam.
4. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
To configure simultaneous operation of Kaspersky Anti-Virus 8 with Kaspersky Mail Gateway, perform the following
steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 8 --file=<full path to the file>
2. To exclude from the scan the Kaspersky Mail Gateway queue directory, add the following section to the created
file:
[ExcludedFromScanScope]
AreaMask="*"
UseAccessUser=yes
[ExcludedFromScanScope:AreaPath]
Path="/var/spool/kaspersky/mailgw"
[ExcludedFromScanScope:AccessUser]
UserName="kluser"
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings 8 --file=<full path to the file>
38
ON-DEMAND SCAN
IN THIS SECTION
Default scan settings ....................................................................................................................................................... 38
Quick scan of files and directories ................................................................................................................................... 39
Creating a scan area ....................................................................................................................................................... 41
Restricting a scan area using masks and regular expressions........................................................................................ 42
Excluding objects from the scan area ............................................................................................................................. 42
Using heuristic analysis ................................................................................................................................................... 45
Selecting actions to perform on detected objects ............................................................................................................ 45
Selecting actions depending on the threat type ............................................................................................................... 46
Scan optimization ............................................................................................................................................................ 48
Selecting task priority ...................................................................................................................................................... 48
On-demand scan involves one-time complete or selective scan for the malicious programs on the computer. Kaspersky
Endpoint Security may run several on-demand scan tasks at the same time.
Kaspersky Endpoint Security includes two predefined on-demand scan tasks:
On-demand scan. Scans all local objects on the computer with the recommended security settings and all the
shared objects, regardless of access protocol.
Scanning quarantined objects. Scans quarantined objects. By default, this task starts automatically after each
database update.
Kaspersky Endpoint Security allows to scan files and directories quickly (see section "Quick scan of files and directories"
on page 39) from the command line.
You can create on-demand scan tasks.
DEFAULT SCAN SETTINGS
In Kaspersky Endpoint Security for on-demand scan task the following default settings are configured.
ScanPriority="System"
[ScanScope]
UseScanArea=yes
AreaMask="*"
AreaDesc="All objects"
[ScanScope:AreaPath]
O N - D E M A N D S C A N
39
Path="/"
[ScanScope:ScanSettings]
ScanArchived=yes
ScanSfxArchived=yes
ScanMailBases=no
ScanPlainMail=no
ScanPacked=yes
UseTimeLimit=no
TimeLimit=120
UseSizeLimit=no
SizeLimit=0
InfectedFirstAction="Recommended"
InfectedSecondAction="Skip"
SuspiciousFirstAction="Recommended"
SuspiciousSecondAction="Skip"
UseAdvancedActions=yes
UseExcludeMasks=no
UseExcludeThreats=no
ReportCleanObjects=no
ReportPackedObjects=no
UseAnalyzer=yes
HeuristicLevel="Recommended"
[ScanScope:ScanSettings:AdvancedActions]
Verdict="Riskware"
FirstAction="Skip"
SecondAction="Skip"
QUICK SCAN OF FILES AND DIRECTORIES
Kaspersky Endpoint Security allows to scan files and directories without configuring the scan area (see section "Creating
scan area" on page 41). You can define name templates for files and directories being scanned or their paths using Shell
masks.
You can use Shell masks to specify templates for the file or directory name to be scanned by Kaspersky Endpoint
Security.
A D M I N I S T R A T O R ' S G U I D E
40
To scan file or directory:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --scan-file <path to file or directory>
To scan several files or directories:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --scan-file <path to file or director>
<path to file or director> etc.
Configuration for running files and directories default scan using the --scan-file command:
ScanPriority="System"
[ScanScope]
UseScanArea=yes
AreaMask="*"
AreaDesc="Scan one file"
[ScanScope:AreaPath]
Path="<path to scanned files and directories>"
[ScanScope:ScanSettings]
ScanArchived=yes
ScanSfxArchived=yes
ScanMailBases=yes
ScanPlainMail=yes
ScanPacked=yes
UseTimeLimit=no
TimeLimit=120
UseSizeLimit=no
SizeLimit=0
InfectedFirstAction="Skip"
InfectedSecondAction="Skip"
SuspiciousFirstAction="Skip"
SuspiciousSecondAction="Skip"
UseAdvancedActions=no
UseExcludeMasks=no
UseExcludeThreats=no
ReportCleanObjects=no
ReportPackedObjects=no
UseAnalyzer=yes
O N - D E M A N D S C A N
41
HeuristicLevel="Recommended"
By default, all detected objects will be skipped and the corresponding data will be recorded in the report. You can specify
one of the following actions performed on detected objects: Recommended, Cure, Quarantine, Remove, Skip.
To specify actions on detected objects:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --action <action> --scan-file <path to
file or directory>
CREATING A SCAN AREA
Note the peculiarities in scanning of symbolic and hard links (see page 9).
The on-demand scan task scans objects within the computer file system that are included in the scan area. You can
extend or narrow down the scan area by adding or removing objects to be scanned, or by changing the type of files to be
scanned (see page 42).
Kaspersky Endpoint Security will scan objects in the specified scan areas in the order in which the areas are listed in the
configuration file. If you wish to configure different security settings for child and parent directories, place the subdirectory
in the list higher, than its parent directory.
To extend a scan area, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Add the following sections to the created file:
[ScanScope] which contains the following settings:
AreaMask which defines the name mask of objects to be scanned;
AreaDesc which defines the name of protection area.
[ScanScope:AreaPath] which contains the Path setting.
[ScanScope:ScanSettings] which contains scan settings for the area to be added.
All settings must be assigned in the [ScanScope:ScanSettings] section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
To narrow down a scan area, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Delete from the created file the following sections, defining protection area:
[ScanScope];
A D M I N I S T R A T O R ' S G U I D E
42
[ScanScope:AreaPath];
[ScanScope:ScanSettings].
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
RESTRICTING A SCAN AREA USING MASKS AND REGULAR
EXPRESSIONS
By default, Kaspersky Endpoint Security scans all objects within a protected area.
You can specify templates for the names or paths of the files to scan. In this case, Kaspersky Endpoint Security will scan
files or directories from the protection area that are specified using Shell masks or ECMA-262 regular expressions.
You can use Shell masks to specify a file name template to be scanned by Kaspersky Endpoint Security.
You can also use regular expressions to specify a template for the file path which Kaspersky Endpoint Security should
scan. A regular expression cannot contain the name of the folder which defines the scan or protection area.
To specify file name or path templates for the files to be scanned, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Specify the value of the AreaMask setting in the [ScanScope] section which defines the protection area.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
EXCLUDING OBJECTS FROM THE SCAN AREA
By default, the on-demand scan task scans all objects included in the scan areas defined for this task.
You can exclude several objects from the scan. To do that, you can create three types of exclusions:
exclusion of objects from a scan area: in this case the specified objects will only be excluded from the selected
scan area;
global exclusion of objects: in this case the specified objects will be excluded from all scan areas defined for the
task;
exclusion of objects by the name of the threat detected in them.
O N - D E M A N D S C A N
43
IN THIS SECTION
Creating a global exclusion area ..................................................................................................................................... 43
Excluding objects from the scan area ............................................................................................................................. 43
Excluding objects by names of the threats detected in them........................................................................................... 44
CREATING A GLOBAL EXCLUSION AREA
You can create a global exclusion area. Objects included in this area will be excluded from all areas defined for the ondemand scan task.
To create a global exclusion area, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Add the following sections to the created file:
[ExcludedFromScanScope], which contains the following settings:
AreaMask, which defines templates of object names to be excluded from the scan;
AreaDesc, which defines a unique name for exclusion area.
[ExcludedFromScanScope:AreaPath], which contains the Path setting that defines the path to the
objects to be excluded from the scan.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
EXCLUDING OBJECTS FROM THE SCAN AREA
By default, Kaspersky Endpoint Security scans all objects within the scan area.
You can define name and path templates that are excluded from the scan area. In this case, Kaspersky Endpoint
Security will not scan files or directories from the scan area that are specified using Shell masks or ECMA-262 regular
expressions.
You can use Shell masks to specify a file name template excluded from scanning by Kaspersky Endpoint Security.
You can also use regular expressions to specify a template for the paths to files which Kaspersky Endpoint Security
should not scan. The regular expression should not contain the name of the directory containing excluded object.
To exclude objects from the scan area, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing.
A D M I N I S T R A T O R ' S G U I D E
44
3. Assign the value yes to the UseExcludeMasks setting in the [ScanScope:ScanSettings] section.
4. Specify file name or path templates using the ExcludeMasks setting in the [ScanScope:ScanSettings]
section.
To specify several file name or path templates, repeat the ExcludeMasks setting value the required number of
times.
5. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
EXCLUDING OBJECTS BY NAMES OF THE THREATS DETECTED IN
THEM
If Kaspersky Endpoint Security considers a scanned object to be infected or suspicious, it performs the action on this
object specified in the task. If you consider this object to be harmless for the protected computer, you can exclude it from
the scan scope by the name of threat detected in it. In this case Kaspersky Endpoint Security considers such objects as
not infected and does not scan them.
The full name of the threat may contain the following information:
<threat class>:<threat type>.<brief name of operating system>.<threat name>.<threat modification code>. For
example, not-a-virus:NetTool.Linux.SynScan.a.
You can find the full name of the threat detected in an object in the Kaspersky Endpoint Security log.
You can also find the full name of the threat detected in a software product at the Virus Encyclopedia web site (see the
Virus Encyclopedia section at http://www.viruslist.com). To find the type of a threat, enter the name of the product in the
Search field.
When specifying threat name templates, you can use Shell masks and ECMA-262 regular expressions.
To exclude objects by the name of detected threat, perform the following steps:
1. Save theon-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseExcludeThreats setting in the [ScanScope:ScanSettings] section.
4. Specify the threat name template using the ExcludeThreats setting in the [ScanScope:ScanSettings]
section.
To specify several threat name templates, repeat the ExcludeThreats setting value the required number of
times.
5. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
O N - D E M A N D S C A N
45
USING HEURISTIC ANALYSIS
Objects are scanned using databases which contain descriptions of all known malware and the corresponding
disinfection methods. Kaspersky Endpoint Security compares each scanned object with the database's records to
determine firmly if the object is malicious, and if so, into which class of malware it falls. This approach is called signature
analysis and is always used by default.
Since new malicious objects appear daily, there is always some malware which is not described in the databases. And
these objects can only be detected using a heuristic analysis. This method presumes the analysis of the actions an
object performs within the system. If these actions are indicative of a malicious object, the object is likely to be classed as
malicious or suspicious. Consequently, new threats are identified before they become known to virus analysts.
Additionally you can set the detail level for scans. It sets the balance between the thoroughness of searches for new
threats, the load on the operating system's resources and the time required for scanning. The higher the detail level, the
more resources the scan will require, and the longer it will take.
To use the heuristic analysis and set the detail level for scans:
1. Save on-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseAnalyzer setting in the [ScanScope:ScanSettings] section;
one of the values: Light, Medium, Deep or Recommended for the HeuristicLevel setting in the
[ScanScope:ScanSettings] section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
SELECTING ACTIONS TO PERFORM ON DETECTED
OBJECTS
As a result of the scan, Kaspersky Endpoint Security assigns one of the following statuses to the object:
infected, if code of a known virus is detected in the object;
suspicious, if the scan cannot determine whether the object is infected or not. This means that the application
detected a sequence of code in the file from an unknown virus, or modified code from a known virus.
You can specify two actions to perform on objects with each status. If the first action is failed to perform, it will perform
the second action.
You can specify the following actions to perform on detected objects:
Recommended. Kaspersky Endpoint Security automatically selects and performs actions on the object based
on data about the threat detected in the object and about the possibility of disinfecting it. For example,
Kaspersky Endpoint Security will immediately remove Trojans since they do not incorporate themselves into
other files and do not infect them; therefore they do not need to be disinfected.
Cure. Kaspersky Endpoint Security attempts to disinfect the object, and if disinfection is not possible, it leaves
the object intact.
A D M I N I S T R A T O R ' S GU I D E
46
Quarantine. Kaspersky Endpoint Security moves the object to quarantine.
Remove. Kaspersky Endpoint Security creates a backup copy of the object, then removes it.
Skip. Kaspersky Endpoint Security leaves the object intact.
The Recommended action can be selected only as the first action.
If Skip was selected as the first action, the second action can be Skip only.
If Recommended or Remove was selected as the first action, Quarantine cannot be selected as the second
action.
To specify actions to be performed on infected objects, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
InfectedFirstAction in the [ScanScope:ScanSettings] section;
InfectedSecondAction in the [ScanScope:ScanSettings] section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
To specify actions to be performed on suspicious objects, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
SuspiciousFirstAction in the [ScanScope:ScanSettings] section;
SuspiciousSecondAction in the [ScanScope:ScanSettings] section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
SELECTING ACTIONS DEPENDING ON THE THREAT TYPE
You can specify operations for the following types of threats:
Virware – viruses;
Trojware – Trojan programs;
Malware – programs which cannot harm your computer directly, but can be used by developers of malicious
code or various malicious programs;
O N - D E M A N D S C A N
47
Adware – advertising software;
Pornware – programs which download pornographic material or pornography sites without the user's
permission;
Riskware – harmless programs which could be used for malicious purposes. An example of such software is
Remote Administrator utility.
You can specify two actions for each threat type. If the first action is failed to perform, it will perform the second action.
You can specify the following actions:
Recommended. Kaspersky Endpoint Security automatically selects and performs actions on the object based
on data about the threat detected in the object and about the possibility of disinfecting it. For example,
Kaspersky Endpoint Security will immediately remove Trojans since they do not incorporate themselves into
other files and do not infect them; therefore they do not need to be disinfected.
Cure. Kaspersky Endpoint Security attempts to disinfect the object, and if disinfection is not possible, it leaves
the object intact.
Quarantine. Kaspersky Endpoint Security moves the object to quarantine.
Remove. Kaspersky Endpoint Security creates a backup copy of the object, then removes it.
Skip. Kaspersky Endpoint Security leaves the object intact.
The Recommended action can be selected only as the first action.
If Skip was selected as the first action, the second action can be Skip only.
If Recommended or Remove was selected as the first action, Quarantine cannot be selected as the second action.
To specify actions to perform on the threat of specific type, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseAdvancedActions setting in the [ScanScope:ScanSettings] section.
4. Add the [ScanScope:ScanSettings:AdvancedActions] section to the configuration file.
5. Specify the threat type using the Verdict setting in the [ScanScope:ScanSettings:AdvancedActions]
section.
6. Specify actions to be performed on the threat of selected type using the FirstAction and SecondAction
settings in the [ScanScope:ScanSettings:AdvancedActions] section.
7. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
A D M I N I S T R A T O R ' S G U I D E
48
SCAN OPTIMIZATION
You can shorten the scan time and speed up Kaspersky Endpoint Security. To do so, you can specify two types of
restrictions:
restriction on the scan duration: once the specified time period elapses, the object scan will be stopped;
restriction on the maximum size of the object to scan: objects larger than the specified limit will be skipped
during the scan.
To impose a time restriction on the scan duration, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseTimeLimit setting in the [ScanScope:ScanSettings] section;
maximum object scan time (in seconds) – to the TimeLimit setting in the [ScanScope:ScanSettings]
section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
To enable restriction on the maximum size of the object to scan, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseSizeLimit setting in the [ScanScope:ScanSettings] section;
maximum object size (in bytes) – to the SizeLimit setting in the [ScanScope:ScanSettings] section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> --file=<full path to the file>
SELECTING TASK PRIORITY
By default, all on-demand scan tasks are executed with the priority defined by the system when the task is launched. You
can assign one of the following priorities to the task:
System. Priority of the process is defined by the operating system.
High. Decreases the duration of task execution, but it can also affect negatively the performance of processes
belonging to other active applications.
Select this option if the task should be performed as soon as possible, despite the possible load on the
protected computer.
O N - D E M A N D S C A N
49
Medium. Priority of the process changes from System to the value recommended by Kaspersky Lab.
Low. Increases the duration of task execution, but it can also affect negatively the performance of processes
belonging to other active applications.
Select this option if the load on the protected computer should be decreased during task execution.
To change the priority of the on-demand scan task, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-settings <task ID> ScanPriority=<priority>
50
ISOLATING SUSPICIOUS OBJECTS. DATA
IN THIS SECTION
Viewing statistics of quarantined objects ......................................................................................................................... 50
Scanning quarantined objects ......................................................................................................................................... 51
Placing files to quarantine manually ................................................................................................................................ 52
Viewing object IDs ........................................................................................................................................................... 52
Restoring objects ............................................................................................................................................................ 53
Deleting objects ............................................................................................................................................................... 54
BACKUP
Kaspersky Endpoint Security isolates objects that it considers suspicious. The application places such objects to
quarantine, i.e., it moves them from their original location into a special storage.
The default storage volume is 1 GB. Once the limit is exceeded, objects will not be added to the storage.
After each database update Kaspersky Endpoint Security automatically scans all quarantined objects. Some of them can
be considered not infected and restored from Quarantine. Besides, you can restore objects from Quarantine manually.
Restoring infected or suspicious objects may lead to computer infection.
Kaspersky Endpoint Security saves to a storage copies of objects before disinfecting or deleting them.
If an object is a part of a compound object, Kaspersky Endpoint Security will save such compound object entirely in the
backup storage. For example, if Kaspersky Endpoint Security has found one of the objects in a mail database to be
infected, the entire mail database is backed up.
An object placed in Quarantine or Backup is described using a number of settings (see page 96).
VIEWING STATISTICS OF QUARANTINED OBJECTS
You can obtain brief and detailed statistics of quarantined objects.
To view brief statistics, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q --get-stat --query
"(OrigType!=s'Backup')"
The command returns the number of objects stored in quarantine at the moment and total disk space, which they
occupy.
To view detailed statistics, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -S --get-stat Quarantine
If the start and end dates for the report are not specified (see page 66), the statistics for the whole Kaspersky Endpoint
Security operating period.
I S O L A T I N G S U S P I C I O U S O B J E C T S . D A T A B A C K U P
51
FIELD
DESCRIPTION
Quarantined
objects
The total number of quarantined objects.
Auto saved objects
The number of objects, quarantined by Kaspersky Endpoint Security.
Manually saved
objects
The number of objects quarantined by user.
Restored objects
Number of objects restored from the quarantine.
Removed objects
Number of objects deleted from the quarantine.
Infected objects
The number of infected objects (see section "About infected, suspicious objects and objects with
the status "Warning"" on page 10): a) that were assigned the Infected status after the quarantined
object was scanned, and b) that Kaspersky Endpoint Security placed to Quarantine based on the
value of the Action to perform depending on threat type setting.
Suspicious objects
The number of suspicious objects (see section "About infected, suspicious objects and objects with
the "Warning" status" on page 10).
Curable objects
The number of objects in the storage that Kaspersky Endpoint Security considers infected and
curable.
Password protected
objects
Number of password-protected objects.
Corrupted objects
The number of corrupted objects.
False detected
objects
The number of objects that were assigned the False alarm status, because after scanning using
updated databases, quarantined objects were acknowledged to be not infected.
THE "QUARANTINE SCAN" TASK SETTINGS
VALUE
ID
10
Scan area
Quarantined objects
Default schedule
After databases update
Security settings
Common for the entire scan area. You cannot modify them. The table
below contains setting values.
Table1. Statistics fields of quarantined objects
SCANNING QUARANTINED OBJECTS
By default, Kaspersky Endpoint Security executes the Quarantine scan task after each database update. Task settings
are described in the table below. You cannot modify them.
Having scanned quarantined objects after database update, Kaspersky Endpoint Security may recognize some of the
objects as clean (the value of the Type field (see page 96) for such objects will change to Clean). Other objects can be
found infected by Kaspersky Endpoint Security.
You may start the Scanning quarantined objects task manually.
To start the Quarantine scan task, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --start-task 10
Table 2. The Quarantine scan task settings
A D M I N I S T R A T O R ' S G U I D E
52
Table 3. Security settings in the Quarantine scan task
SECURITY SETTINGS
VALUE
Action to perform on infected objects
Skip
Action to be performed on suspicious objects
Skip
Excluding objects by name
No
Excluding objects by threat name
No
Maximum object scan time
600 sec
Maximum size of a scanned object
Not specified
Scan of compound files
Archives
SFX-archives
Packed objects
Example:
Objects returned: 1
Object ID: 1
Filename: /home/corr/eicar.com
Object type: UserAdded
Compound object: no
UID: 0
GID: 0
PLACING FILES TO QUARANTINE MANUALLY
If you suspect that a file is infected, it can be placed to quarantine manually. A file placed to quarantine is harmless.
To place a file to quarantine manually, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--add-object <full path to the file>
VIEWING OBJECT IDS
Using the -Q modifier in commands described in this section is mandatory.
When the object is placed in the storage, Kaspersky Endpoint Security assigns a numeric identifier to it. This identifier is
used to perform actions on quarantined and backed up objects.
To obtain identifiers of quarantined objects, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q --query "(OrigType!=s'Backup')"
The following example displays the command output:
I S O L A T I N G S U S P I C I O U S O B J E C T S . D A T A B A C K U P
53
Mode: 644
AddTime: 2009-03-29 09:20 PM:32
Size: 73
Example:
Objects returned: 2
Object ID: 1
Filename: /home/cur/eicar.com
Object type: Backup
Compound object: no
UID: 0
GID: 0
Mode: 644
AddTime: 2009-03-29 10:24 PM:50
Size: 73
To obtain identifiers of backed up objects, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q --query "(OrigType==s'Backup')"
The following example displays the command output:
To perform actions on objects, use the value of the Object ID field.
RESTORING OBJECTS
Restoring infected or suspicious objects may lead to computer infection.
You can restore any object from the quarantine / backup. This may be required in the following cases:
If the original file that appeared to be infected contained important information and during disinfection Kaspersky
You can select where to save the restored object: in its original location or in a directory you specify.
During restoration you can save the object under a different name.
Endpoint Security was unable to preserve its integrity and the information in the file became unavailable.
If, having scanning the quarantined objects after database update, Kaspersky Endpoint Security recognizes the
object as not infected (the value of the Type field (see page 96) for such objects will change to Clean).
If you consider the object harmless for the computer and wish to use it. To prevent Kaspersky Endpoint Security
from isolating this object during subsequent scans, you can exclude the object from being scanned in the realtime protection and on-demand scan tasks. To do so, specify the object as a value for the Exclude objects by
file name security setting (see page 153) or Exclude objects by threat name (see page 153) in these tasks.
A D M I N I S T R A T O R ' S G U I D E
54
Date and time when the file restored from quarantine was created differs from the date and time of the original file.
To restore an object from the quarantine / backup to the original location, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --restore <object ID>
To restore an object from the quarantine / backup to a specified directory, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--restore <object ID> -F <file name and path>
DELETING OBJECTS
Using the -Q modifier in commands described in this section is mandatory.
If you are sure that a quarantined or backed up object is harmless for the computer, you can delete it from
quarantine or backup.
To delete one object from the quarantine / backup, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q \
--remove <object ID>
Besides, you can delete all objects from quarantine or backup.
To delete all objects from quarantine, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q \
--mass-remove --query "(OrigType!=s'Backup')"
To delete all objects from backup, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q \
--mass-remove --query "(OrigType==s'Backup')"
You can empty the quarantine or backup partially using the special command arguments -Q --mass-remove (see page
91).
M A N A G I N G L I C E N S E S
55
MANAGING LICENSES
As far as Kaspersky Lab's application licensing is concerned, it is important to know about the following concepts:
the License Agreement;
license;
key file;
activation code;
application activation.
These concepts are indissolubly interconnected and form a single licensing scheme.
Provided below is the detailed description of each concept.
ABOUT THE LICENSE AGREEMENT
License Agreement is a legal contract between an individual or legal entity, who/that lawfully holds in ownership a copy
of Kaspersky Endpoint Security, and Kaspersky Lab ZAO. The License Agreement is included in each Kaspersky Lab's
application kit. It contains detailed information about the rights and limitations to use Kaspersky Endpoint Security.
In accordance with the License Agreement, by purchasing and installing a Kaspersky Lab's application, you obtain a right
of perpetual use of its copy.
Kaspersky Lab is delighted to offer you additional services:
technical support;
Kaspersky Endpoint Security database updates;
Kaspersky Endpoint Security program modules updates.
To obtain these services, you should purchase and activate a license (see section "About Kaspersky Endpoint Security
licenses" on page 55).
ABOUT KASPERSKY ENDPOINT SECURITY LICENSES
License is the right to use Kaspersky Endpoint Security and related additional services provided by Kaspersky Lab and
its partners.
Each license is characterized by license period and type.
License validity period is the period of time over which you are able to use the additional services (see section "About
the licensing agreement" on page 55). The range of services depends on the license type.
The following types of licenses are provided:
Trial - a free license with a limited validity period, for example, 30 days, intended to acquaint users with
Kaspersky Endpoint Security.
The trial license can only be used once!
A D M I N I S T R A T O R ' S G U I D E
56
It is supplied with the trial version of the application. You cannot contact Technical Support if you only have a
Example:
License period: 300 days
The key write date is 9/1/2010.
Validity period of the key file: 300 days
The key file installation date (license activation date) is 9/10/2010, which is 9 days after the key write date.
Result:
trial license. After the expiration date of the license, Kaspersky Endpoint Security stops performing all of its
functions.
Commercial - a paid license with a validity period of, for example, one year, issued when you purchase
Kaspersky Endpoint Security. This license comes with certain restrictions, for example, on the number of
computers it can be used for or the amount of daily traffic that can be scanned.
Under clause 3.6 of the license agreement, if Kaspersky Endpoint Security is purchased for use on more than
one computer, the validity period of the license shall begin when the application is activated on the first
computer.
All functions and additional services are available during the validity period of a commercial license.
When the commercial license expires, Kaspersky Endpoint Security continues to perform all of its functions;
additional services, however, are not provided. As before, you will be able to scan your computer for viruses and
use the protection components, but using only the anti-virus databases you had when the license expired.
Consequently, Kaspersky Lab does not guarantee 100% protection for your computer against new viruses after
expiry of the license validity period.
To use the application and its additional services, you should purchase a commercial license and activate it.
The activation of a license is performed using the installation of a key file (see section "About Kaspersky Endpoint
Security key files" on page 56) associated with the license.
ABOUT KASPERSKY ENDPOINT SECURITY KEY FILES
Key file – a tool used to activate a corresponding license (see section "About Kaspersky Endpoint Security licenses" on
page 55), as well as your right to use the application and additional services (see page 55).
The key file is included in the application distribution kit, if you purchase it from the Kaspersky Lab's distributors, or is
sent to you by mail, if you purchase the application in the Kaspersky Lab's eStore.
The key file contains the following information:
Period of license validity.
License type (trial or commercial).
License restrictions (for example, the number of hosts for which the license is valid, or the volume of protected
mail traffic).
Technical Support Service contact information.
Validity period.
The key file validity period is the key file "shelf life", assigned to the key file when it is created. It is a time period after
which the key file becomes invalid, and activation of the associated license is unavailable.
Let us examine, how the key file validity period and the license period are connected as an example.
M A N A G I N G L I C E N S E S
57
The calculated license validity period is 300 days-9 days = 291days.
FIELD
DESCRIPTION
Application
name
The name of the application for which the key file was written.
Key file creation
date
Key file write date (see page 56).
Key file
expiration date
License expiration date.
License number
The license serial number.
License type
License type: trial or commercial.
Usage restriction
Number of objects defined in restriction. Restriction to use Kaspersky Endpoint Security provided for
by the license.
License period
License validity period (see page 55).
INSTALLING THE KEY FILE
You can immediately install two key files (see page 56): an active key file and a supplementary key file. The active key
file takes effect from its installation. The supplementary key file automatically takes effect immediately after the end of the
active key file validity period.
If you install the key file as the active key file, although there is an active key file in Kaspersky Endpoint Security already,
the new key file will replace the previously installed one. The key file installed earlier will be removed.
If you install the key file as a supplementary key file, although there is a supplementary key file in Kaspersky Endpoint
Security already, the new key file will replace the previously installed one. The key file installed earlier will be removed.
To install a key file as an active key, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--install-active-key <key filename>
To install a key file as a supplementary key, execute the command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--install-suppl-key <key filename>
VIEWING INFORMATION ABOUT A LICENSE PRIOR TO THE
KEY FILE INSTALLATION
You can view license information stored in the key file before its installation.
To view license information (see page 55), execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--show-license-info <full path to the file>
This command outputs the following license information (see the table below).
Table 4. License information
Example of command output:
A D M I N I S T R A T O R ' S G U I D E
58
License info:
Application name: Kaspersky Endpoint Security BO Suite
International Edition. 10-14 Workstation 6 months Beta License
Key file creation date: 2010-09-03
Key file expiration date: 2011-04-04
License number: 1222-0003F4-0A451011
License type: Beta
Usage restriction: 10 Workstations
License period: 183
KEY FILE REMOVAL
You can remove the key file. If you remove the active key file, the supplementary key file will automatically become
active.
To remove the active key file, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--revoke-active-key
To remove a supplementary key file, execute the following command:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--revoke-suppl-key
REVIEWING THE LICENSE AGREEMENT
License Agreement is a legal contract between an individual or legal entity, who/that lawfully holds in ownership a copy
of Kaspersky Endpoint Security, and Kaspersky Lab ZAO. The License Agreement is included in each Kaspersky Lab's
application kit. It contains detailed information about the rights and limitations to use Kaspersky Endpoint Security.
In accordance with the License Agreement, by purchasing and installing a Kaspersky Lab's application, you obtain a right
of perpetual use of its copy.
To view the provision of the License Agreement,
open the file /opt/kaspersky/kes4lwks/share/doc/LICENSE.
G E N E R A T I N G R E P O R T S
59
GENERATING REPORTS
You can generate the following reports:
about the number of malicious objects detected in the largest number of objects on the computers (see
page 68);
reports on the activity of Kaspersky Endpoint Security components (see page 66).
You can use the command line to obtain reports on the activity of any individual product component.
You can perform the following operations:
generate reports for the specified time intervals;
save created reports in the files of the following formats: HTML or CSV.
60
MANAGING KASPERSKY ENDPOINT
COMMANDS
DESCRIPTION
--help (see page 63)
Displays Kaspersky Endpoint Security command help.
Kaspersky Endpoint Security management commands
--start-app (see page 64)
Starts Kaspersky Endpoint Security.
--restart-app (see page 64)
Restarts Kaspersky Endpoint Security.
--stop-app (see page 64)
Stops Kaspersky Endpoint Security.
--scan-file (see page 65)
Scans files or directories.
-R (see page 65)
Rolls back to previous databases.
Commands for obtaining Kaspersky Endpoint Security statistics
-S
This prefix indicates that the command is one of a group of commands for obtaining
statistics (optional).
-S --app-info (see page 66)
Displays information about Kaspersky Endpoint Security.
-S --get-stat (see page 66)
Creates reports about the operation of Kaspersky Endpoint Security and its
components.
-S --top-viruses (see page 68)
Creates reports on threats that are most commonly encountered on the computer.
-S --clean-stat (see page 69)
Deletes statistics about Kaspersky Endpoint Security operation.
Commands to output events of Kaspersky Endpoint Security
-W (see page 64)
Enables output of Kaspersky Endpoint Security events.
Commands for managing Kaspersky Endpoint Security settings and tasks
SECURITY FROM THE COMMAND LINE
Apply the following rules when entering Kaspersky Endpoint Security commands:
Please remember that commands are case-sensitive.
Delimit the keys with the space character.
Using brief (literal) command or key name, enter the value immediately following the command or a space.
Using full command or key name, enter the value following the symbol "equal to" (=) or a space.
The list of Kaspersky Endpoint Security commands is provided in the table below.
Table 5. The list of Kaspersky Endpoint Security commands
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
61
COMMANDS
DESCRIPTION
-T
This prefix indicates that the command is one of a group of commands for managing
the Kaspersky Endpoint Security settings and tasks (optional).
-T --get-app-settings (see page
70)
Outputs general Kaspersky Endpoint Security settings.
-T --set-app-settings (see page
71)
Specifies general Kaspersky Endpoint Security settings.
-T --get-task-list (see section
"Viewing Kaspersky Endpoint
Security task list" on page 72)
Returns the list of existing Kaspersky Endpoint Security tasks.
-T --get-task-state (see page 73)
Outputs the state of selected task (for example, In progress, Stopped, or Paused).
-T --start-task (see page 75)
Starts the task.
-T --stop-task (see page 75)
Stops the task.
-T --suspend-task (see page 75)
Pauses the task.
-T --resume-task (see page 76)
Resumes the task.
-T --get-settings (see page 76)
Outputs task settings.
-T --set-settings (see page 77)
Defines task settings.
-T --create-task (see page 78)
Creates a task of specified type; imports task settings from the specified configuration
file.
-T --delete-task (see page 79)
Deletes the task.
-T --set-schedule (see page 79)
Sets task scheduling settings or imports them from a configuration file.
-T --get-schedule (see page 80)
Outputs task scheduling settings.
-T --del-schedule (see page 81)
Sets task scheduling settings, specified by default.
-T --show-schedule (see page 81)
Searches for past scheduled events.
Licenses management commands
A D M I N I S T R A T O R ' S G U I D E
62
COMMANDS
DESCRIPTION
-L
This prefix indicates that the command is one of a group of commands for managing
licenses (optional).
-L --validate-key (see page 83)
Authenticates the license using the Kaspersky Lab database and outputs information
from a key file to the console without installing the license.
-L --show-license-info (see
section "Viewing information
about a license prior to the key
file installation" on page 84)
Outputs information about the license from the key file without installing the license.
-L --get-installed-keys (see page
85)
Outputs information about installed licenses.
-L --query-status (see page 83)
Outputs the status of installed licenses.
-L --install-active-key (see page
86)
Installs an active license.
-L --install-suppl-key (see page
86)
Installs a supplementary license.
-L --revoke-active-key (see page
87)
Deletes an active license.
-L --revoke-suppl-key (see page
87)
Deletes a supplementary license.
Quarantine and backup storage management commands
-Q
This prefix indicates that the command is one of a group of commands for managing
the quarantine and backup storage (optional).
-Q --get-stat (see page 87)
Outputs brief storage statistics.
-Q --query (see page 87)
Displays information about storages objects.
-Q --get-one (see page 88)
Displays information about one object in the storage.
-Q --restore (see page 88)
Restores an object from the storage.
-Q --add-object (see page 89)
Places a copy of the object to quarantine.
-Q --remove (see page 89)
Deletes the object from storage.
-Q --export (see page 90)
Exports objects from storage into a specified directory.
-Q --import (see page 90)
Imports objects into the storage from a specified directory, into which they were
previously exported.
-Q --mass-remove (see page 91)
Removes some or all objects from the storage.
Logs management commands
-E
This prefix indicates that the command is one of a group of commands for managing
logs (optional).
-E --count (see page 92)
Outputs the number of events matching the filter defined in the event log or specified
rotation file.
-E --query (see page 92)
Outputs information about events matching the filter defined in the event log or
specified rotation file.
-E --period (see page 93)
Outputs to the console the time interval, during which events will occur that are
stored in the event log or the specified rotation file.
-E --rotate (see page 94)
Rotates the event log.
-E --remove (see page 94)
Removes events from the log or the specified rotation file.
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
63
IN THIS SECTION
Displaying Kaspersky Endpoint Security command help................................................................................................. 63
Starting Kaspersky Endpoint Security ............................................................................................................................. 64
Stopping Kaspersky Endpoint Security ........................................................................................................................... 64
Restarting Kaspersky Endpoint Security ......................................................................................................................... 64
Enabling events output .................................................................................................................................................... 64
Quick scan of files and directories ................................................................................................................................... 65
Rolling back the Kaspersky Endpoint Security database updates ................................................................................... 65
Commands for obtaining reports and statistics ............................................................................................................... 66
Commands for managing Kaspersky Endpoint Security settings and tasks .................................................................... 70
Licenses management commands .................................................................................................................................. 83
Quarantine and backup storage management commands .............................................................................................. 87
Logs management commands ........................................................................................................................................ 92
Limiting selections using filters ........................................................................................................................................ 95
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
<set ofKaspersky Endpoint
Security commands>
Specify the set of Kaspersky Endpoint Security commands on which you want to get help.
Possible values include:
-T [--task-and-settings] – commands managing the tasks and general settings of
Kaspersky Endpoint Security;
-L [--licenser] – license management commands;
-Q [--quarantine-and-backup] are quarantine and backup storage management
commands;
-S [--statistics] – are statistics management commands for Kaspersky Endpoint
Security;
-E [--event-log] – are event management commands for Kaspersky Endpoint Security.
DISPLAYING KASPERSKY ENDPOINT SECURITY
COMMAND HELP
The kes4lwks-control --help command <set of Kaspersky Endpoint Security commands> displays Kaspersky Endpoint
Security command help.
Command syntax
kes4lwks-control --help [<set of Kaspersky Endpoint Security commands>]
A D M I N I S T R A T O R ' S G U I D E
64
STARTING KASPERSKY ENDPOINT SECURITY
Examples:
Enable the output of Kaspersky Endpoint Security events:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -W
Enable saving of Kaspersky Endpoint Security events to a file, save events in a file named 081808.xml in the current
Before taking the actions or using the commands described above, make sure that the kes4lwks-supervisor service is
running on the computer!
The kes4lwks-control command with --start-app key starts Kaspersky Endpoint Security.
Command syntax
kes4lwks-control --start-app
STOPPING KASPERSKY ENDPOINT SECURITY
Before taking the actions or using the commands described above, make sure that the kes4lwks-supervisor service is
running on the computer!
The kes4lwks-control command with --stop-app key stops Kaspersky Endpoint Security.
Command syntax
kes4lwks-control --stop-app
RESTARTING KASPERSKY ENDPOINT SECURITY
Before taking the actions or using the commands described above, make sure that the kes4lwks-supervisor service is
running on the computer!
The kes4lwks-control command with --restart-app key restarts Kaspersky Endpoint Security.
Command syntax
kes4lwks-control --restart-app
ENABLING EVENTS OUTPUT
The -W command enables the output of Kaspersky Endpoint Security events. You can use this command either by itself,
to output all Kaspersky Endpoint Security events, or together with the --start-task command (start task (see section
"Starting the task" on page 75)), so as to output only events associated with the task being executed.
Event name and additional event information will be returned.
Command syntax
kes4lwks-control -W [--file=<file name>]
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
65
directory:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
-W --file 081808.xml
KEY
DESCRIPTION AND POSSIBLE VALUES
--file <file name>
The log file name in which the information about Kaspersky Endpoint Security events will be
stored. The saved log file has XML format.
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
--scan-file <path to file or
directory>
Name of file or directory which Kaspersky Endpoint Security will scan quickly.
--action <action>
Optional key.
Available values:
Recommended – perform recommended action.
Cure.
Quarantine.
Remove.
Skip.
Default value: Skip.
QUICK SCAN OF FILES AND DIRECTORIES
The kes4lwks-control command with --scan-file key performs a quick scan of files and directories.
Command syntax
kes4lwks-control --action <action> --scan-file <path to the file or directory>[ <path to
the file or directory> ...]
ROLLING BACK THE KASPERSKY ENDPOINT SECURITY
DATABASE UPDATES
The Kaspersky Endpoint Security creates backup copies of the original databases before it applies updates. If an update
procedure gets interrupted or fails, the Kaspersky Endpoint Security automatically reverts to the previous database
version containing updates installed earlier.
If you encounter problems after database update, you can roll back the databases to the previous version. To do this,
use the roll back to the previous Kaspersky Endpoint Security databases task.
Task start syntax
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -R
A D M I N I S T R A T O R ' S G U I D E
66
COMMANDS FOR OBTAINING REPORTS AND STATISTICS
IN THIS SECTION
Viewing application information ....................................................................................................................................... 66
Viewing reports on Kaspersky Endpoint Security operation ............................................................................................ 66
Viewing reports on the most commonly encountered threats .......................................................................................... 68
Deleting Kaspersky Endpoint Security operation statistics .............................................................................................. 69
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
--export-report=<report
filename>
Optional key. The file name in which the obtained information will be stored. If you specify
only a file name without specifying a path to it, then the configuration file will be created in the
current directory. If the file with the name specified already exists at the location pointed at
the specified path, such file will be overwritten. If the directory specified does not exist on this
drive, the file will not be created.
You can save the file in HTML or CSV format and assign it the HTML or CSV extension. If
you additionally describe the file format using the --report-type key, you can assign the file
any extension.
--report-type=<report file
format>
Optional key. By default, the format of the file specified by the --export-report key will be
determined by its extension. Specify this key if you specified any file extension other than
HTML or CSV. Possible key values: HTML, CSV.
FIELD
DESCRIPTION
Name
Kaspersky Endpoint Security name
Version
Kaspersky Endpoint Security version
Install date
Date and time of Kaspersky Endpoint Security latest installation
License state
The license state
License expire date
License expiration date
VIEWING APPLICATION INFORMATION
The --app-info command outputs the information about Kaspersky Endpoint Security.
Command syntax
kes4lwks-control [-S] --app-info [--export-report=<file name>] \
[--report-type=<report file format>]
This command outputs the following information:
VIEWING REPORTS ON KASPERSKY ENDPOINT SECURITY
OPERATION
The --get-stat command outputs the Kaspersky Endpoint Security operation statistics; allows to create reports about the
operation of individual components of Kaspersky Endpoint Security over a specified time period; allows to save reports to
a file.
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
67
Examples:
To view the operation statistics of Kaspersky Endpoint Security:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --get-stat Application
To view real-time protection statistics for January 2009:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-stat OAS --from=2009-01-01 --to=2009-01-31
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
<Kaspersky Endpoint
Security component>
Specify the Kaspersky Endpoint Security component for which you want to view statistics.
Possible values include:
Application – an application;
OAS – real-time protection;
ODS – on-demand scan;
Quarantine – quarantine;
Backup – backup storage;
Update – update.
--from=<start date>
The report starting date. You can assign the following values:
date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD), to obtain
information starting at midnight (00:00) of the specified date;
date and time, formatted as YYYY-MM-DD HH:MM:SS , to obtain information starting at
the specified time on the specified date;
When specifying the date and time should enclose all the expression in quotation marks,
and between the date and time to put a space.
time, formatted as HH:MM:SS, to obtain information starting at the specified time of the
current day.
If you do not specify the --from=<start date> argument, the report will collect information from
the time the Kaspersky Endpoint Security was installed.
Command syntax
kes4lwks-control [-S] --get-stat <Kaspersky Endpoint Security component> \
[--from=<start date>][--to=<end date>] \
[--task-id=<ID task (only for on-demand scan and update)>] \
[--export-report=<report filename>] [--report-type=<report file format>] [--use-name]
A D M I N I S T R A T O R ' S G U I D E
68
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
--to=<end date>
The report ending date. You can assign the following values:
date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD), to obtain
information until the specified date, inclusive;
date and time, formatted as YYYY-MM-DD HH:MM:SS , to obtain information before the
specified time on the specified date;
When specifying the date and time should enclose all the expression in quotation marks,
and between the date and time to put a space.
time, formatted as HH:MM:SS, to obtain information up to the specified time of the current
day.
If you do not specify the --to=<end date> argument, the report will collect information up to
the current time.
--task-id=<task ID (only
for on-demand scan and
update tasks)>
The identification number of the Kaspersky Endpoint Security on-demand scan task.
The report will include statistics from the on-demand scan or update task having the
specified ID number for the period since the most recent start of the task.
This argument is not used together with --from=<start date> and --to=<end date> keys.
--export-report=<report
filename>
Optional key. The file name in which the obtained report will be stored. If you specify only a
file name without specifying a path to it, then the configuration file will be created in the
current directory. If the file with the name specified already exists at the location pointed at
the specified path, such file will be overwritten. If the directory specified does not exist on this
drive, the file will not be created.
You can save the report file in HTML or CSV format and assign it the HTML or CSV
extension. If you additionally describe the file format using the --report-type key, you can
assign the file any extension.
--report-type=<report file
format>
Optional key. By default, the format of the file specified by the --export-report key will be
determined by its extension. Specify this key if you specified any file extension other than
HTML or CSV. Possible key values: HTML, CSV.
--use-name
-N
Task name.
Examples:
To obtain information on the five most commonly encountered malicious programs found on the computer in January
2009, and save a report in the /home/kavreports/2009_01_top_viruses.html file:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
VIEWING REPORTS ON THE MOST COMMONLY ENCOUNTERED
THREATS
The --top-viruses command displays information about which malicious programs were found in greatest numbers on the
computer during the specified time interval. This information is displayed on the console and may be saved in a report
file.
Command syntax
kes4lwks-control [-S] --top-viruses <number of malicious programs> \
[--from=<start date>][--to=<end date>][--export-report=<file name>] \
[--report-type=<report file format>]
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
69
--top-viruses 5 --from=2009-01-01 --to=2009-01-31 \
--export-report=/home/kavreports/2009_01_top_viruses.html
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
<the number of malicious
programs>
The number of malicious programs. The report will include information only on the specified
number of malicious programs most commonly encountered on the computer.
--from=<start date>
The report starting date. You can assign the following values:
date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD), to obtain
information starting at midnight (00:00) of the specified date;
date and time, formatted as YYYY-MM-DD HH:MM:SS, to obtain information starting at
the specified time on the specified date;
time, formatted as HH:MM:SS, to obtain information starting at the specified time of the
current day.
If you do not specify the --from=<start date> argument, the report will collect information from
the time the Kaspersky Endpoint Security was installed.
--to=<end date>
The report ending date. You can assign the following values:
date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD), to obtain
information until the specified date, inclusive;
date and time, formatted as YYYY-MM-DD HH:MM:SS, to obtain information up to the
specified time on the specified date;
time, formatted as HH:MM:SS, to obtain information up to the specified time of the current
day.
If you do not specify the --to=<end date> argument, the report will collect information up to
the current time.
--export-report=<report
filename>
Optional key. The file name in which the obtained report will be stored. If you specify only a
file name without specifying a path to it, then the configuration file will be created in the
current directory. If the file with the name specified already exists at the location pointed at
the specified path, such file will be overwritten. If the directory specified does not exist on this
drive, the report file will not be created.
You can save the report file in HTML or CSV format and assign it the HTML or CSV
extension. If you additionally describe the file format using the --report-type key, you can
assign the file any extension.
--report-type=<report file
format>
Optional key. By default, the format of the file specified by the --export-report key will be
determined by its extension. Specify this key if you specified any file extension other than
HTML or CSV. Possible key values: HTML, CSV.
DELETING KASPERSKY ENDPOINT SECURITY OPERATION
STATISTICS
The --clean-stat command deletes statistics about Kaspersky Endpoint Security operation.
A D M I N I S T R A T O R ' S G U I D E
70
COMMANDS FOR MANAGING KASPERSKY ENDPOINT
IN THIS SECTION
Obtaining general Kaspersky Endpoint Security settings ................................................................................................ 70
Modifying general Kaspersky Endpoint Security settings ................................ ................................ ................................ 71
Viewing Kaspersky Endpoint Security task list ................................................................................................................ 72
Viewing task state ........................................................................................................................................................... 73
Starting the task .............................................................................................................................................................. 75
Stopping the task ............................................................................................................................................................ 75
Pausing the task .............................................................................................................................................................. 75
Resuming the task .......................................................................................................................................................... 76
Obtaining task settings ................................................................ .................................................................................... 76
Modifying task settings ................................ ................................ ................................................................ .................... 77
Creating a task ................................................................................................................................................................ 78
Deleting tasks .................................................................................................................................................................. 79
Obtaining task schedule settings ..................................................................................................................................... 79
Modifying task schedule settings ..................................................................................................................................... 80
Deleting the task schedule .............................................................................................................................................. 81
Searching for scheduled events ...................................................................................................................................... 81
SECURITY SETTINGS AND TASKS
OBTAINING GENERAL KASPERSKY ENDPOINT SECURITY SETTINGS
The --get-app-settings command outputs the general Kaspersky Endpoint Security settings (see page 130). Using this
command, you can also obtain the general settings of Kaspersky Endpoint Security that are defined using command-line
arguments.
You can use this command to modify general Kaspersky Endpoint Security, installed on the computer:
1. Save the general Kaspersky Endpoint Security settings to a configuration file using the --get-app-settings
command.
2. Open the configuration file created, modify the required settings and save the changes made.
3. Import the settings from the configuration file into Kaspersky Endpoint Security using the --set-app-settings
command (see page 71). Kaspersky Endpoint Security will apply new configuration settings after you stop and
then start it again using the --stop-app and --start-app commands.
You can use the configuration file created to import the settings into Kaspersky Endpoint Security installed on another
computer.
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
71
Examples:
Export general Kaspersky Endpoint Security settings into the file kav_config.xml. Save the file created in the current
directory:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-app-settings -F kav_config.xml
Output the TraceLevel setting value:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-app-settings TraceLevel
KEYS
DESCRIPTION AND POSSIBLE VALUES
--file=<configuration file name>
-F <configuration file name>
Name of the configuration file in which Kaspersky Endpoint Security settings will be
saved. If you specify only a file name without specifying a path to it, then the
configuration file will be created in the current directory. If the file with the name
specified already exists at the location pointed at the specified path, such file will be
overwritten. If the directory specified does not exist on this drive, the configuration file
will not be created.
You can save the configuration file in XML or INI format. You can assign to the file XML
or INI extension or, if you provide an additional description of the file format using the -file-format key, you can assign any extension to the file.
--file-format=<INI|XML>
Optional key. By default, the format of the configuration file specified by the -F key will
be determined by its extension. Specify this key if the configuration file's extension will
be different from its format. Possible values: XML, INI.
Command syntax
kes4lwks-control [-T] \
--get-app-settings [--file=<configuration file name>] [--file-format=<INI|XML>]
kes4lwks-control [-T] --get-app-settings [<parameter name>]
MODIFYING GENERAL KASPERSKY ENDPOINT SECURITY SETTINGS
The --set-app-settings command modifies general Kaspersky Endpoint Security settings using command-line arguments
or imports them from a specified configuration file (see page 130).
You can use this command to modify general Kaspersky Endpoint Security:
1. Save the general settings of Kaspersky Endpoint Security to a configuration file using the --get-app-settings
command (see page 70).
2. Open the configuration file created, modify the required settings and save the changes made.
3. Import the settings from the configuration file into Kaspersky Endpoint Security using the --set-app-settings
command. Kaspersky Endpoint Security will apply new configuration settings after you stop and then start it
again using the --stop-app and --start-app commands or using the --restart-app command.
Command syntax
kes4lwks-control [-T] --set-app-settings \
--file=<configuration file name> [--file-format=<INI|XML>]
kes4lwks-control [-T] \
--set-app-settings <setting name>=<setting value> \
<setting name>=<setting value>
A D M I N I S T R A T O R ' S G U I D E
72
Examples:
Import the general settings into Kaspersky Endpoint Security from the configuration file with the
/home/test/kav_config.xml name:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-app-settings -F /home/test/kav_config.xml
Set the level of detail in the "Important events" trace log:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--set-app-settings TraceLevel=Warning
KEYS
DESCRIPTION AND POSSIBLE VALUES
--file=<configuration file name>
-F <configuration file name>
The name of the configuration file settings of which will be imported into Kaspersky
Endpoint Security; it includes full path to the file.
--file-format=<INI|XML>
Optional key. By default, the format of the configuration file specified by the -F key will
be determined by its extension. Specify the key if the format of the configuration file
does not match its extension. Possible values: XML, INI.
FIELD
DESCRIPTION
Name
Task name; the user defines the name of a custom task when it is created (names of
system tasks are assigned by the Kaspersky Endpoint Security).
Id
Task ID number (ID, alternative name, which Kaspersky Endpoint Security assigns to a
task when it is created).
VIEWING KASPERSKY ENDPOINT SECURITY TASK LIST
The --get-task-list command returns the list of existing Kaspersky Endpoint Security tasks.
Command syntax
kes4lwks-control [-T] --get-task-list
The following information about Kaspersky Endpoint Security tasks will be displayed:
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
73
Class
Kaspersky Endpoint Security task type. The setting can assume the following values:
tasks, which users can manage:
Update – predefined update task (ID=6);
OAS – real-time protection task (ID=8);
ODS – predefined on-demand scan task (ID=9);
QS – task for scanning of quarantined objects (ID=10);
Rollback – task for rolling back to the previous databases (ID=14);
service tasks:
EventManager – implements message exchange within the program (ID=1);
AVS – anti-virus scan service task (ID=2);
Quarantine – manages quarantine and backup (ID=3);
Statistics – collects statistics (ID=4);
License – implements the license server (ID=5);
EventStorage – implements the events log service (ID=11);
State
Task status. Available values:
Stopped – the task is stopped;
Stopping – the task is stopping;
Started – the task is in progress;
Starting – the task is starting;
Suspended – the task is suspended;
Suspending – the task is suspending;
Resumed – the task has been resumed;
Resuming – the task is resuming;
Failed – the task has terminated with an error.
Example:
Obtain the status of the task with ID=9:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --get-task-state 9
VIEWING TASK STATE
The --get-task-state command returns the status of the specified task (for example, Running, Stopped and Paused).
Command syntax
kes4lwks-control [-T] --get-task-state <task ID> [--use-name]
A D M I N I S T R A T O R ' S G U I D E
74
ARGUMENTS, KEYS
DESCRIPTION AND POSSIBLE VALUES
<task ID>
Specify the task ID number (ID, alternative name, which Kaspersky Endpoint Security
assigns to a task being created). To view Kaspersky Endpoint Security tasks ID numbers,
use the kes4lwks-control --get-task-list command.
--use-name
-N
Task name.
The following information about the task will be displayed:
FIELD
DESCRIPTION
Name
Task name; the user defines the name of a custom task when it is created (names of system
tasks are assigned by the Kaspersky Endpoint Security).
Id
Task ID number (ID, alternative name, which Kaspersky Endpoint Security assigns to a task
when it is created).
Class
Kaspersky Endpoint Security task type. The setting can assume the following values:
tasks, which users can manage:
Update – predefined update task (ID=6);
OAS – real-time protection task (ID=8);
ODS – predefined on-demand scan task (ID=9);
QS – task for scanning of quarantined objects (ID=10);
Rollback – task for rolling back to the previous databases (ID=14);
service tasks:
EventManager – implements message exchange within the program (ID=1);
AVS – anti-virus scan service task (ID=2);
Quarantine – manages quarantine and backup (ID=3);
Statistics – collects statistics (ID=4);
License – implements the license server (ID=5);
EventStorage – implements the events log service (ID=11);
State
Task status. Available values:
Complete – the task is completed successfully;
Stopping – the task is stopping;
Started – the task is in progress;
Starting – the task is starting;
Suspended – the task is suspended;
Suspending – the task is suspending;
Resuming – the task is resuming;
Failed – the task has terminated with an error;
Interrupted by user – the task execution was interrupted by the user.
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
75
Example:
Start the task with ID=6:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --start-task 6
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
<task ID>
Specify the task ID number (ID, alternative name, which Kaspersky Endpoint Security assigns
to a task being created). To view Kaspersky Endpoint Security tasks ID numbers, use the -T -get-task-list command.
--progress
Displays task progress.
--use-name
-N
Task name.
Example:
Stop the task with ID=6:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --stop-task 6
ARGUMENT
DESCRIPTION AND POSSIBLE VALUES
<task ID>
Specify the task ID number (ID, alternative name, which Kaspersky Endpoint Security assigns
to a task). To view Kaspersky Endpoint Security tasks ID numbers, use the -T--get-task-list
command.
--use-name
-N
Task name.
Example:
STARTING THE TASK
The --start-task command launches the task with specified ID number. This command can be used with the commandline argument -W (see page 64), in this case information about events occurring during task execution is displayed.
Command syntax
kes4lwks-control --start-task <task ID> --[progress] [--use-name]
STOPPING THE TASK
The --stop-task command stops the task with specified ID number.
Command syntax
kes4lwks-control [-T] --stop-task <task ID> [--use-name]
PAUSING THE TASK
The --suspend-task command pauses the task with specified ID number. You can pause real-time protection and ondemand scan tasks. You cannot pause update tasks.
Command syntax
kes4lwks-control [-T] --suspend-task <task ID> [--use-name]
A D M I N I S T R A T O R ' S G U I D E
76
Pause the task with ID=9:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --suspend-task 9
ARGUMENT
DESCRIPTION AND POSSIBLE VALUES
<task ID>
Specify the task ID number (ID, alternative name, which Kaspersky Endpoint Security assigns
to a task). To view Kaspersky Endpoint Security tasks ID numbers, use the kes4lwks-control T --get-task-list command.
--use-name
-N
Task name.
Example:
Resume the task with ID=9:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --resume-task 9
ARGUMENT
DESCRIPTION AND POSSIBLE VALUES
<task ID>
Specify the task ID number (ID, alternative name, which Kaspersky Endpoint Security assigns to
a task). To view Kaspersky Endpoint Security tasks ID numbers, use the -T --get-task-list
command.
--use-name
-N
Task name.
Examples:
Export the settings of the task with ID=9 into the /home/test/configkavscanner.xml file:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 9 -F /home/test/configkavscanner.xml
RESUMING THE TASK
The --resume-task command resumes the task having the specified identification number that had been suspended
using the --suspend-task command (see page 75).
Command syntax
kes4lwks-control [-T] --resume-task <task ID> [--use-name]
OBTAINING TASK SETTINGS
The --get-settings command outputs all settings for a specified task or its settings defined in the command line options.
You can export task settings to the configuration file on one computer, and import settings (see section "Modifying task
settings" on page 77) from this configuration file into the task of a corresponding type on another server.
Command syntax
kes4lwks-control [-T] --get-settings <task ID> \
[--file=<configuration file name>] -- [--use-name] [--use-name]
kes4lwks-control [-T] --get-settings <task ID> \
<INI file section name>.<setting value> [--use-name]
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
77
Export the settings of the task with ID=9 into the configkavscanner.xml file, located in the current directory:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 9 --file=configkavscanner.xml
Output to the console the value of the Path setting from the AreaPath subsection of the ScanScope section, defined
in the on-demand scan task:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-settings 9 ScanScope.AreaPath.Path
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
--get-settings <task ID>
Specify the task ID number (ID, alternative name, which Kaspersky Endpoint Security
assigns to a task being created). To view Kaspersky Endpoint Security tasks ID numbers,
use the -T --get-task-list command.
--file=<configuration file
name>
-F <configuration file
name>
The name of the configuration file in which the task settings will be saved. If you specify only
a file name without specifying a path to it, then the configuration file will be created in the
current directory. If the file with the name specified already exists at the location pointed at
the specified path, such file will be overwritten. If the directory specified does not exist, the
configuration file will not be created.
You can save the configuration file in XML or INI format. You can assign to the file XML or
INI extension or, if you provide an additional description of the file format using the --fileformat key, you can assign any extension to the file.
--file-format=<INI|XML>
Optional key. By default, the format of the configuration file specified by the -F key will be
determined by its extension. Specify this key if you specified any file extension other than
XML or INI. Possible key values: XML, INI.
--use-name
-N
Task name.
Example:
Import the settings from the /home/test/config_fridayscan.xml configuration file into the task with ID=9:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --set-settings 9 \
--file=/home/test/config_fridayscan.xml
MODIFYING TASK SETTINGS
The --set-settings command defines the configuration file task settings using command-line arguments or imports them
from the specified configuration file.
You can import the settings from the configuration file into the task being executed. Kaspersky Endpoint Security will
apply new configuration settings immediately in the real-time protection task and at the next task launch in the tasks of all
other types.
Command syntax
kes4lwks-control [-T] --set-settings <task ID> \
--file=<configuration file name> [--file-format=<INI|XML>] [--use-name]
kes4lwks-control [-T] --set-settings <task ID> \
<setting name>=<setting value> <setting name>=<setting value> \
[--use-name]
A D M I N I S T R A T O R ' S G U I D E
78
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
--set-settings <task ID>
Specify the task ID number (ID, alternative name, which Kaspersky Endpoint Security
assigns to a task).
To view Kaspersky Endpoint Security tasks ID numbers, use the -T --get-task-list command.
--file=<configuration file
name>
-F <configuration file
name>
The name of the configuration file settings of which will be imported into the task; it includes
full path to the file.
--file-format=<INI|XML>
Optional key. By default, the format of the configuration file specified by the -F key will be
determined by its extension. Specify the key if the extension of the specified file does not
match its format. Possible values: XML, INI.
--use-name
-N
Task name.
Example:
Create an on-demand scan task with the Fridayscan name; import settings from the
/home/test/config_kavscanner.xml configuration file into the task:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--create-task Fridayscan --use-task-type=ODS \
--file=/home/test/config_kavscanner.xml
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
--create-task <task name>
-C <task name>
Assign a name to the task. The name may contain any number of ASCII characters.
--use-task-type=<task
type>
Mandatory key. Specify the type of the task being created. Available values:
ODS – on-demand scan task;
Update – update task.
--file=<configuration file
name>
-F <configuration file
name>
Optional key. Specify a full path to the existing configuration file. Kaspersky Endpoint
Security imports the settings described in this file into the task.
--file-format=<INI|XML>
Optional key. By default, the format of the configuration file specified by the -F key will be
determined by its extension. Specify the key if the extension of the specified configuration
file does not match its format. Possible values: XML, INI.
CREATING A TASK
The --create-task command creates a Kaspersky Endpoint Security task for the specified component; imports the
settings from the specified configuration files into the task. The command returns an ID number of the task created.
You can create new on-demand scan and update tasks.
Command syntax
kes4lwks-control [-T] --create-task <task name> \
--use-task-type=<task type> [--file=<configuration file name>] \
[--file-format=<INI|XML>]
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
79
Example:
Delete the task with ID=20:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --delete-task 20
ARGUMENT
DESCRIPTION AND POSSIBLE VALUES
--delete-task <task ID>
-D <task ID>
Specify the task ID number (ID, alternative name, which Kaspersky Endpoint Security assigns
to a task being created). To view Kaspersky Endpoint Security tasks ID numbers, use the -T -get-task-list command.
--use-name
-N
Task name.
Examples:
Save Kaspersky Endpoint Security settings to the file on_demand_schedule.xml. Save the file created in the current
directory:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-schedule 9 -F on_demand_schedule.xml
Output RuleType setting value in the real-time protection task schedule:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--get-schedule 9 RuleType
DELETING TASKS
The --delete-task command deletes the Kaspersky Endpoint Security task with the specified ID number. You can delete
on-demand scan tasks (except for the Quarantine scan task) and update tasks.
You cannot delete the real-time protection task.
Command syntax
kes4lwks-control [-T] --delete-task <task ID> [--use-name]
OBTAINING TASK SCHEDULE SETTINGS
The --get-schedule command outputs the task schedule settings (see page 127). Using this command, you can also
obtain the task schedule settings that are defined using command-line arguments.
You can use this command to modify task schedule:
1. Save the schedule settings to a configuration file using the -T --get-schedule command.
2. Open the configuration file created, modify the required settings and save the changes made.
3. Import the settings from the configuration file into Kaspersky Endpoint Security using the --set-schedule (see
section "Modifying task schedule settings" on page 80). Kaspersky Endpoint Security will apply the new
schedule settings immediately.
Command syntax
kes4lwks-control [-T] --get-schedule <task ID> \
[--file=<configuration file name>] -- [--use-name] [--use-name]
kes4lwks-control [-T] --get-schedule <task ID> <parameter name> [--use-name]
A D M I N I S T R A T O R ' S G U I D E
80
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
<task ID>
The identification number of the Kaspersky Endpoint Security task.
--file=<configuration file name>
-F <configuration file name>
The name of the configuration file in which the schedule settings will be saved. If you
specify only a file name without specifying a path to it, then the configuration file will be
created in the current directory. If the file with the name specified already exists at the
location pointed at the specified path, such file will be overwritten. If the directory
specified does not exist on this drive, the configuration file will not be created.
You can save the configuration file in XML or INI format. You can assign to the file XML
or INI extension or, if you provide an additional description of the file format using the -file-format key, you can assign any extension to the file.
--file-format=<INI|XML>
Optional key. By default, the format of the configuration file specified by the -F key will
be determined by its extension. Specify this key if the configuration file's extension will
be different from its format. Possible values: XML, INI.
--use-name
-N
Task name.
Example:
Import the schedule settings from configuration file named /home/test/on_demand_schedule.xml into the task with
ID=9:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -T \
--set-schedule 9 -F /home/test/on_demand_schedule.xml
MODIFYING TASK SCHEDULE SETTINGS
The -T --set-schedule command modifies task schedule settings using command-line arguments or imports them from a
specified configuration file (see page 127).
You can use this command to modify Kaspersky Endpoint Security:
1. Save the schedule settings to a configuration file using the -T --get-schedule (see section "Obtaining task
schedule settings" on page 79).
2. Open the configuration file created, modify the required settings and save the changes made.
3. Import the settings from the configuration file into Kaspersky Endpoint Security using the -T --set-schedule
command. Kaspersky Endpoint Security will apply the new schedule settings immediately.
Command syntax
kes4lwks-control -T --set-schedule <task ID> --file=<configuration file name> \
[--file-format=<INI|XML>] [--use-name]
kes4lwks-control -T --set-schedule <task ID> \
<setting name>=<setting value> <setting name>=<setting value> \
[--use-name]
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
81
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
<task ID>
The identification number of the Kaspersky Endpoint Security task.
--file=<configuration file name>
-F <configuration file name>
Name of the configuration file, from which the schedule parameters will be imported into
the task. The file name includes its full path.
--file-format=<INI|XML>
Optional key. By default, the format of the configuration file specified by the -F key will
be determined by its extension. Specify this key if the configuration file's extension will
be different from its format. Possible values: XML, INI.
--use-name
-N
Task name.
Example:
Set scheduling settings for task with ID=15, specified by default:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -T --del-schedule 15
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
<task ID>
The identification number of the Kaspersky Endpoint Security task.
--use-name
-N
Task name.
Example:
Find events which are scheduled for precise time of the first start within the range from 3/28/11 to 4/1/11:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--show-schedule Time --from=2011-03-28 --to=2011-04-01
The command output:
DELETING THE TASK SCHEDULE
The -T --del-schedule command sets task scheduling settings, specified by default during the initial configuration of
Kaspersky Endpoint Security (see Guide of Kaspersky Endpoint Security 8 for Linux).
Command syntax
kes4lwks-control -T --del-schedule <task ID> [--use-name]
SEARCHING FOR SCHEDULED EVENTS
The -T --show-schedule command searches for scheduled events.
Command syntax
kes4lwks-control -T --show-schedule <rule type> --from=<start date> \
--to=<end date> --task-id=<task ID> [--use-name]
Command examples
The following example displays the command to search for events in the specified time interval and the command output.
A D M I N I S T R A T O R ' S GU I D E
82
Events number: 2
TaskId #9, Event: Start, Date: 2011-04-05 02:00 PM:00, Start Rule: [Daily, 02:00 PM:00;;
1] TaskId #16, Event: Start, Date: 2011-04-06 12:00 AM:00, Start Rule: [Once, 2011-04-06
12:00 AM:00]
The following example displays the output of the command to search for events and the command output.
Example:
Search the following scheduled events for the specified task:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--show-schedule Time --task-id="On-demand scan" --use-name
The command output:
Events number: 1
TaskId #9, Event: Start, Date: 2011-04-25 04:30 PM:00, Start Rule: [Monthly, 04:30 PM:00;
25]
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
<rule type>
Schedule rule type.
Available values:
Time – rules containing the time for the task start.
Startup – rules containing a PS condition (at Kaspersky Endpoint Security start).
Basereload – rules containing a BR condition (upon database update).
--from=<start date>
The report starting date. You can assign the following values:
date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD) , to start
searching from midnight (00:00) of the specified date;
date and time, formatted as YYYY-MM-DD HH:MM:SS , to obtain information starting
at the specified time on the specified date;
time, formatted as HH:MM:SS , to start searching from the specified time of the
current day.
If you skip the option --from=<start date>, search will begin with the command
execution time.
--to=<end date>
The report ending date. You can assign the following values:
date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD) , to search
information until the specified date, inclusive;
date and time, formatted as YYYY-MM-DD HH:MM:SS , to search information up to
the specified time on the specified date;
time, formatted as HH:MM:SS , to search information up to the specified time of the
current day.
If you skip the option --to=<end date>, search will cover a week period since the
command execution.
--task-id=<task ID>
Identification number of the task, for which schedule search is performed.
--use-name
-N
Task name.
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
83
IN THIS SECTION
Validating a key file prior to installation ........................................................................................................................... 83
Viewing information about a license prior to the key file installation ................................................................................ 84
Viewing information about the installed key files ............................................................................................................. 85
Viewing the status of installed licenses ........................................................................................................................... 85
Active key file installation ................................................................................................................................................ 86
Supplementary key file installation .................................................................................................................................. 86
Active key file removal..................................................................................................................................................... 86
Supplementary key file removal ...................................................................................................................................... 87
Example:
Validate the license in file /home/test/00000001.key:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--validate-key /home/test/00000001.key
ARGUMENT
DESCRIPTION AND POSSIBLE VALUES
<path to key file>
Path to the key file; if the key file is located in the current directory. It will be enough to specify
the name of the file.
LICENSES MANAGEMENT COMMANDS
VALIDATING A KEY FILE PRIOR TO INSTALLATION
The kes4lwks-control --validate-key command uses Kaspersky Lab's database to verify if a key file is genuine and is
issued for Kaspersky Endpoint Security. This command outputs information about the key file to the console, without
installing it.
Command syntax
kes4lwks-control [-L] --validate-key <path to key file>
This command outputs the following license information.
A D M I N I S T R A T O R ' S G U I D E
84
FIELD
DESCRIPTION
Application name
Kaspersky Endpoint Security name.
Key file creation date
License creation date.
License expiration date
Date when the license validity period completes calculated by Kaspersky Endpoint Security; it
is the date when the license validity period will expire if you activate it at the moment, but not
later than the date after which the key file becomes invalid.
License number
License number.
License type
License type: trial or commercial.
Usage restriction
Usage restriction. If any; the number of objects defined in the restriction.
License period
License validity period (in days) since the moment of the license release.
Example:
Output license information from the /home/test/00000001.key file:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--show-license-info /home/test/00000001.key
ARGUMENT
DESCRIPTION AND POSSIBLE VALUES
<path to key file>
Path to the key file; if the key file is located in the current directory. It will be enough to specify
the name of the file.
FIELD
DESCRIPTION
Application name
Kaspersky Endpoint Security name.
Key file creation date
License creation date.
Key file expiration
date
This date denotes the end of the key file "shelf life", i.e. the date on which the key file becomes
invalid. This date is specified when the license is issued.
License number
License number.
License type
License type: trial or commercial.
Usage restriction
Usage restriction. If any; the number of objects defined in the restriction.
License period
License validity period (in days) since the moment of the license release.
VIEWING INFORMATION ABOUT A LICENSE PRIOR TO THE KEY FILE
INSTALLATION
The --show-license-info command outputs license information to the console without installing the key file.
Command syntax
kes4lwks-control [-L] --show-license-info <path to key file>
This command outputs the following license information.
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
85
FIELD
DESCRIPTION
Activation date
License activation date.
Expiration date
The date, on which the license expires, calculated by Kaspersky Endpoint Security when the
license is installed. This date occurs at the end of the license validity period after the license
becomes active, but not later than the key file expiration date.
Aggregate expiration
date
The end date of the combined active and supplementary license validity period.
Days remaining until
aggregate expiration
The number of days remaining until the end of the combined active and supplementary
license validity period.
License status
The license status; may have one of the following values:
Valid – the license is valid;
Expired – the license has expired;
Blacklisted – the license has been blacklisted;
Trial period is over – the license trial period has expired.
Functionality
Kaspersky Endpoint Security functionality; may have one of the following values:
Full functionality – the application is fully functional;
Functioning without updates – the application is functioning without updates, this mode is
activated upon expiration of a commercial license;
No features – Kaspersky Endpoint Security performs none of its functions. This mode is
activated upon expiration of a trial license.
Detailed license information:
Application name
Kaspersky Endpoint Security name.
Key file creation date
Date when the key file was issued.
Key file expiration date
This date denotes the end of the key file "shelf life", i.e. the date on which the key file
becomes invalid. This date is specified when the license is issued.
License number
License number.
License type
License type: trial or commercial.
Usage restriction
Usage restriction. If any; the number of objects defined in the restriction.
License period
License validity period (in days) since the moment of the license release.
VIEWING INFORMATION ABOUT THE INSTALLED KEY FILES
The kes4lwks-control --get-installed-keys command outputs information about the installed key files to the console.
Command syntax
kes4lwks-control [-L] --get-installed-keys
The command displays the following information about the installed key files.
VIEWING THE STATUS OF INSTALLED LICENSES
The --query-status command outputs the status of installed licenses to the console.
A D M I N I S T R A T O R ' S G U I D E
86
Command syntax
Example:
Install a license as an active license from the /home/test/00000001.key file:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--install-active-key /home/test/00000001.key
ARGUMENT
DESCRIPTION AND POSSIBLE VALUES
<path to key file>
Path to the key file; if the key file is located in the current directory. It will be enough to specify
the name of the file.
Example:
Install a supplementary license from the /home/test/00000002.key file:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
--install-suppl-key /home/test/00000002.key
ARGUMENT
DESCRIPTION AND POSSIBLE VALUES
<path to key file>
Path to the key file; if the key file is located in the current directory. It will be enough to specify
the name of the file.
kes4lwks-control [-L] --query-status
ACTIVE KEY FILE INSTALLATION
The --install-active-key command installs the active key file. For details on key files please refer to the "About Kaspersky
Endpoint Security key files" section (see page 55).
Command syntax
kes4lwks-control [-L] --install-active-key <path to key file>
SUPPLEMENTARY KEY FILE INSTALLATION
The --install-suppl-key command installs a supplementary key file. For details on key files please refer to the "About
Kaspersky Endpoint Security key files" section (see page 55).
If the active key file is not installed, a supplementary key file will be installed as the active key file.
Command syntax
kes4lwks-control [-L] --install-suppl-key <path to key file>
ACTIVE KEY FILE REMOVAL
The --revoke-active-key command removes the installed active key file.
Command syntax
kes4lwks-control [-L] --revoke-active-key
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
87
IN THIS SECTION
Obtaining brief quarantine or backup storage statistics ................................................................................................... 87
Obtaining information about storage objects ................................................................................................................... 87
Obtaining information about one object in the storage .................................................................................................... 88
Restoring objects from the storage ................................................................................................................................. 88
Placing an object in quarantine manually ........................................................................................................................ 89
Deleting one object from the storage .............................................................................................................................. 89
Exporting objects from the storage into a specified directory .......................................................................................... 90
Importing previously exported objects into the storage ................................................................................................... 90
Clearing the storage ........................................................................................................................................................ 91
Examples:
To view brief quarantine statistics:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q \
--get-stat --query "(OrigType!=s'Backup')"
To view brief backup storage statistics:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q \
--get-stat --query "(OrigType==s'Backup')"
SUPPLEMENTARY KEY FILE REMOVAL
The --revoke-suppl-key command removes the installed supplementary key file.
Command syntax
kes4lwks-control [-L] --revoke-suppl-key
QUARANTINE AND BACKUP STORAGE MANAGEMENT
COMMANDS
OBTAINING BRIEF QUARANTINE OR BACKUP STORAGE STATISTICS
The --get-stat command displays the number of objects and the overall volume of data currently in the storage.
Command syntax
kes4lwks-control [-Q] --get-stat [--query "<logical expression>"]
OBTAINING INFORMATION ABOUT STORAGE OBJECTS
The --query command displays information about objects currently in the storage. You can use filters.
A D M I N I S T R A T O R ' S G U I D E
88
Command syntax
Examples:
To displays information about storages objects.
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q --query ""
To view information about objects in quarantine and display 51 entries starting with the 50th entry:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q --query "(OrigType!=s'Backup')" \
--limit=50 --offset=50
To displays information about objects from the backup storage:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q --query "(OrigType==s'Backup')"
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
"<logical expression>"
Creates a filter consisting of a logical expression (see page 95).
--limit=<maximum number
of records>
Sets a filter: maximum number of records from query, which should be displayed.
--offset=<offset from the
query beginning>
Sets a filter: maximum number of records from query, which should be skipped from the
query beginning.
--detailed
Displays additional service information about objects in the repository.
Example:
To obtain information about the object with ID=1:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --get-one 1
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
<object ID>
To obtain the object identification number, you can use the -Q --query command (see page
87).
--detailed
Displays additional service information about object in the repository.
kes4lwks-control [-Q] --query "<logical expression>" \
[--limit=<maximum number of records>] \
[--offset=<offset from the query beginning>][--detailed]
OBTAINING INFORMATION ABOUT ONE OBJECT IN THE STORAGE
The --get-one command displays information about the storage object having the specified identification number.
Command syntax
kes4lwks-control [-Q] --get-one <object ID> [--detailed]
RESTORING OBJECTS FROM THE STORAGE
The --restore command restores the object having the specified identification number from the storage.
Date and time when the file recovered from quarantine was created differs from the date and time of the original file.
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
89
Examples:
To restore the object with ID=1 to its original location:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --restore 1
To restore the object with ID=1 to the current directory, in a file named restored.exe:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --restore 1 -F restored.exe
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
<object ID>
To obtain the object identification number, you can use the -Q --query command (see page
87).
--file=<file name>
-F <file name>
Name of the file in which Kaspersky Endpoint Security will save the object during restoration,
it includes the file path.
If you do not specify a file path, Kaspersky Endpoint Security will save the file in the current
directory.
If you omit this argument, Kaspersky Endpoint Security will save the object in its original
location under its original name.
Example:
To place a copy of the /home/sample.exe file to quarantine:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --add-object /home/sample.exe
ARGUMENT
DESCRIPTION AND POSSIBLE VALUES
<file name>
The name of the file, a copy of which you want to place to quarantine, includes the file path.
Example:
To delete the object with ID=1:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q --remove 1
Command syntax
kes4lwks-control [-Q] --restore <identification number of object in storage> \
[--file=<file name and path to file>]
PLACING AN OBJECT IN QUARANTINE MANUALLY
The --add-object command places a copy of the object to quarantine.
Command syntax
kes4lwks-control [-Q] --add-object <file name>
DELETING ONE OBJECT FROM THE STORAGE
The --remove command deletes the object having the specified identification number from the storage.
Command syntax
kes4lwks-control [-Q] --remove <object ID>
A D M I N I S T R A T O R ' S G U I D E
90
ARGUMENT
DESCRIPTION AND POSSIBLE VALUES
<object ID>
To obtain the object identification number, you can use the -Q --query command (see page
87).
Examples:
To export all objects from the storage to the /media/flash128/avpstorage directory:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q\
--export /media/flash128/avpstorage
To export 50 quarantined objects to the /media/flash128/avpstorage directory, starting with the 51st
entry:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q \
--export /media/flash128/avpstorage --query "(OrigType!=s'Backup')" \
--limit=50 --offset=50
To export all backed-up objects to the /media/flash128/avpstorage directory:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q \
--export /media/flash128/avpstorage --query "(OrigType==s'Backup')"
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
<destination directory>
Directory in which Kaspersky Endpoint Security stores objects from the backup storage. If
the directory does not exist, it will be created. You can specify a directory for remote
resources mounted on the computer using SMB/CIFS and NFS.
--query="<logical
expression>"
Creates a filter consisting of a logical expression (see page 95).
--limit=<maximum number
of records>
Sets a filter: maximum number of records from query, which should be displayed.
--offset=<offset from the
query beginning>
Sets a filter: maximum number of records from query, which should be skipped from the
query beginning.
EXPORTING OBJECTS FROM THE STORAGE INTO A SPECIFIED
DIRECTORY
The --export command exports objects from the storage to a specified directory. You may need to export objects from the
storage to free space on the computer. The location of the storage directory on the computer is specified in the
quarantine and backup storage configuration file (see page 132).
You can use filters to export only selected objects, for example, only quarantined objects.
Command syntax
kes4lwks-control [-Q] --export <target directory> \
[--query "<logical expression>"] \
[--limit=<maximum number of records>] \
[--offset=<offset from the query beginning>]
IMPORTING PREVIOUSLY EXPORTED OBJECTS INTO THE STORAGE
The --import command imports previously exported objects into the storage.
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
91
Example:
To import objects from the /media/flash128/avpstorage directory into the storage:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q\
--import /media/flash128/avpstorage
Examples:
To delete all objects from the storage:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --mass-remove
To delete quarantined objects only, 50 entries, starting with the 51st entry:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q --mass-remove \
--query "(OrigType!=s'Backup')" --limit=50 --offset=50
To delete objects from the backup storage:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -Q \
--mass-remove --query "(OrigType==s'Backup')"
KEYS
DESCRIPTION AND POSSIBLE VALUES
--query="<logical
expression>"
Creates a filter consisting of a logical expression (see page 95).
--limit=<maximum number
of records>
Sets a filter: maximum number of records from query, which should be displayed.
--offset=<offset from the
query beginning>
Sets a filter: maximum number of records from query, which should be skipped from the
query beginning.
The location of the storage directory on the computer is specified in the quarantine and backup storage configuration file
(see page 132).
Command syntax
kes4lwks-control [-Q] --import <directory containing exported objects>
CLEARING THE STORAGE
The --mass-remove command clears the storage, deleting either all or part of the contents.
Before executing this command, stop the real-time protection task and any on-demand scan tasks.
Command syntax
kes4lwks-control [-Q] --mass-remove [--query="<logical expression>"] \
[--limit=<maximum number of records>] [--offset=<offset from the query beginning>]
A D M I N I S T R A T O R ' S G U I D E
92
LOGS MANAGEMENT COMMANDS
IN THIS SECTION
Obtaining the number of Kaspersky Endpoint Security events with a filter ..................................................................... 92
Obtaining the information about Kaspersky Endpoint Security events ............................................................................ 92
Viewing the time interval, during which the events will occur that are registered in the log ............................................. 93
Event log rotation ............................................................................................................................................................ 94
Removing objects from the event log .............................................................................................................................. 94
Examples:
To obtain the number of Kaspersky Endpoint Security events, stored in the trace log:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --count ""
Obtain the number of Kaspersky Endpoint Security events stored in the rotation file EventStorage-2009-12-01-23-
57-23.db:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --count "" \
--db=EventStorage-2009-12-01-23-57-23.db
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
"<logical expression>"
Creates a filter consisting of a logical expression (see page 95).
--db=<rotation file>
The rotation file, information in which you wish to view (this file has the extension .db).
If you do not provide this modifier, Kaspersky Endpoint Security will display the number of
events in the log at the moment.
OBTAINING THE NUMBER OF KASPERSKY ENDPOINT SECURITY
EVENTS WITH A FILTER
The --count command outputs to the console the number of events that are stored in the event log or in the specified
rotation file, using filters. This command allows estimating the data volume to be output if you enter the -E --query
command (see page 92).
Command syntax
kes4lwks-control [-E] --count "<logical expression>" [--db=<rotation file>]
OBTAINING THE INFORMATION ABOUT KASPERSKY ENDPOINT
SECURITY EVENTS
The --query command allows obtaining information about Kaspersky Endpoint Security events from Kaspersky Endpoint
Security event log or from the rotation file; and it allows saving the obtained information in a file.
Command syntax
kes4lwks-control -E --query "<logical expression>" \
[--db=<rotation file name>][--limit=<maximum number of records>] \
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
93
Example:
To view information on the most recent 50 quarantine events:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control \
-E --query "(TaskType == s'Quarantine')" --limit=50
ARGUMENT, KEYS
DESCRIPTION AND POSSIBLE VALUES
"<logical expression>"
Creates a filter consisting of a logical expression (see page 95).
--db=<rotation file name>
The rotation file, information about events in which you wish to obtain (this file has the
extension .db).
If you do not provide this modifier, Kaspersky Endpoint Security will display the information
from the event log.
--limit=<maximum number
of records>
Sets a filter: maximum number of records from query, which should be displayed.
--offset=<offset from the
query beginning>
Sets a filter: maximum number of records from query, which should be skipped from the
query beginning.
--file=<log filename>
-F <log filename>
Optional key. Name of the file in which Kaspersky Endpoint Security events will be saved. If
you specify only a file name without specifying a path to it, then the log file will be created in
the current directory. If the file with the name specified already exists at the location pointed
at the specified path, such file will be overwritten. If the directory specified does not exist on
this drive, the log file will not be created.
You can save log file in XML or INI format. You can assign to the log file XML or INI
extension or, if you provide an additional description of the log file format using the --fileformat key, you can assign any extension to the log file.
--file-format=<log file
format>
Optional key. By default, the format of the log file specified by the -F key will be determined
by its extension. Specify this key if the log file extension will be different from its format.
Possible values: XML, INI.
Examples:
To view the time interval during which the events occur that are stored in the event log or in the specified rotation
file:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --period
To view the time interval during which the events occur that are stored in the event log or in the specified rotation file
EventStorage-2009-12-01-23-57-23.db:
/opt/kaspersky/kes4lwks/bin/kes4lwks-control --period \
--db=EventStorage-2009-12-01-23-57-23.db
[--offset=<offset from the query beginning>][--file=<log filename>]\
[--file-format=<log file format>]
VIEWING THE TIME INTERVAL, DURING WHICH THE EVENTS WILL
OCCUR THAT ARE REGISTERED IN THE LOG
This command allows you to know the time interval during which the events occur that are stored in the event log or in
the specified rotation file.
Command syntax
kes4lwks-control [-E] --period [--db=<rotation file>]
A D M I N I S T R A T O R ' S G U I D E
94
ARGUMENT AND KEYS
DESCRIPTION AND POSSIBLE VALUES
--db=<rotation file>
The rotation file (this file has the extension .db), information about which you wish to obtain.
If you do not provide this modifier, Kaspersky Endpoint Security will display the information
about the event log.
Example:
To delete from the event log only records about the events related to assigning the detected objects the status "not
infected" (the ReportCleanObjects setting was enabled):
/opt/kaspersky/kes4lwks/bin/kes4lwks-control -E \
--remove "((EventType==s'ObjectProcessed') and (ObjectReason==s'ObjectClean'))"
ARGUMENT AND KEYS
DESCRIPTION AND POSSIBLE VALUES
"<logical expression>"
Creates a filter consisting of a logical expression (see page 95).
--db=<rotation file>
Rotation file, the records from which you wish to delete (this file has the extension .db).
If you do not provide this modifier, Kaspersky Endpoint Security will delete records from
Kaspersky Endpoint Security event log.
EVENT LOG ROTATION
The --rotate command performs forced rotation of events in the log in accordance with the RotateMethod and
RotateMoveFolder settings configured in the event log configuration file.
If the RotateMethod setting has the Erase value, Kaspersky Endpoint Security deletes information about events from the
log.
If the RotateMethod setting has the Move value, Kaspersky Endpoint Security transfers information about events from
the log into the RotateMoveFolder directory and saves it in the rotation file.
Command syntax
kes4lwks-control [-E] --rotate
REMOVING OBJECTS FROM THE EVENT LOG
The --remove command deletes records about events from Kaspersky Endpoint Security log or from the specified
rotation file.
You can delete all records, or just several records, by using filters.
Command syntax
kes4lwks-control [-E] --remove ["<logical expression>"] \
[--db=<rotation file>]
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
95
IN THIS SECTION
Logical expressions ......................................................................................................................................................... 95
Object parameters in quarantine / backup storage .......................................................................................................... 96
Kaspersky Endpoint Security events and their settings ................................................................................................... 99
Example:
Obtain information about quarantined objects having the danger level High:
-Q --query "(DangerLevel == s'High')"
LIMITING SELECTIONS USING FILTERS
LOGICAL EXPRESSIONS
You can use logical expressions as an argument or a --query parameter in the following commands, in order to limit the
information selected by the command:
obtaining information about the number of Kaspersky Endpoint Security events: -E --count "<logical
expression>" (see page 92);
obtaining information about the events of Kaspersky Endpoint Security: -E --count "<logical expression>" (see
page 92);
obtaining information about objects in quarantine or in the backup storage: -Q --query "<logical expression>"
(see page 87);
obtaining concise statistical information about objects in quarantine or in the backup storage: -Q --get-stat --
query "<logical expression>" (see page 87);
selective removal of objects from the storage: -Q --mass-remove --query "<logical expression>" (see page 91);
selective export of objects from quarantine or from the backup storage: -Q --export --query "<logical
expression>" (see page 90).
You can specify several filters, combining their effect using logical "AND" or "OR" operators. Enclose each filter in
parenthesis and enclose each logical expression in quotes.
You can sort event (object) information by any field in ascending or descending order.
Syntax
"(<field> <comparison operator> <type>'<value>'){<field> <order>}"
"((<field> <comparison operator> <type>'<value>') <logical operator> (<field> <comparison
operator> <type>'<value>')){<field> <order>}"
A D M I N I S T R A T O R ' S G U I D E
96
ELEMENTS
DESCRIPTION AND POSSIBLE VALUES
<comparison operator>
>
is greater than
<
is less than
like
matches the specified pattern
==
is equal to
!=
is not equal to
>=
is greater than or equal to
<=
is less than or equal to
<logical operator>
and
logical "AND"
or
logical "OR"
{<field><order>}
Event output order. The option is not used with the -E --query command.
You can sort events on any field in ascending or descending order.
For the -Q --query, -Q --get-stat and -Q --mass-remove commands you can specify as fields
the parameters of objects in storage (see page 96).
The order can assume the following values:
a
ascending
d
descending
<type>
i
numerical
s
line-oriented (string)
OBJECT PARAMETERS IN QUARANTINE / BACKUP STORAGE
You can filter objects in the quarantine / backup storage by the fields described in the following table.
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
97
FIELD
TYPE
DESCRIPTION AND POSSIBLE VALUES
Filename
s
The file name and a full path to the file. You can use masks with the aid of the 'like'
comparison operator.
OrigType
Type
s
OrigType – the state of the object, assigned when the object is placed in the storage.
Type – the state of an object in quarantine after it has been scanned using updated
databases.
Possible values include:
Clean – not infected;
Backup – is a backup copy;
Infected – infected;
UserAdded – added by a user;
Error – an error has occurred while scanning the object;
PasswordProtected – is password-protected;
Corrupted – is corrupted;
Curable – the object may be disinfected.
OrigVerdict
Verdict
s
OrigVerdict – type of threat detected in the object when the object was placed in the
storage.
Verdict – type of threat detected in the quarantined object after scanning with updated
databases.
Possible values include:
Virware – classic viruses and network worms;
Trojware – Trojan programs;
Malware – other malicious programs;
Adware – advertising software;
Pornware – pornographic software;
Riskware – potentially dangerous software.
OrigDangerLevel
DangerLevel
s
OrigDangerLevel – danger level of the threat detected in an object when the object was
placed in the storage.
DangerLevel – danger level of the threat in the quarantined object after scanning with
updated databases.
The danger level of an object depends on the type of threat in the object (see section
"Programs detectable by Kaspersky Endpoint Security” on page 11). The danger level may
assume the following values:
High . The object may contain a threat of the network worm, classical virus, or Trojan
type.
Medium . The object may contain some other malicious program, adware, or a program
with pornographic content.
Low . The object may contain a threat of riskware type.
Info . The object is quarantined by the user.
OrigDetectCertainty
DetectCertainty
s
OrigDetectCertainty – the state of a detected object upon its placement in the storage.
DetectCertainty – the state Kaspersky Endpoint Security assigns to an object in quarantine
Table 6. Object parameters in quarantine/backup storage
A D M I N I S T R A T O R ' S G U I D E
98
FIELD
TYPE
DESCRIPTION AND POSSIBLE VALUES
after scanning it using updated databases.
Possible values include:
Sure – object is classified as infected;
Suspicion – object is classified as suspicious (the object has been found using the
Heuristic Analyzer);
Warning – object has the status "Warning" (the object code partly coincides with the code
of a known threat; a false alarm may occur).
OrigThreatName
ThreatName
s
OrigThreatName – the name of the threat, based on the Kaspersky Lab classification, found
in the object when the object is placed in the storage.
ThreatName – the name of the threat detected in a quarantined object after scanning with
updated databases.
You can use masks with the aid of the 'like' comparison operator.
Compound
i
Indicates, whether the object is a compound object.
Possible values include:
yes – the object is a compound object;
no – the object is not compound.
UID i The ID (UID) of the user that created the object.
GID i The ID (GID) of the group to which the user who created the object belongs.
Mode
i
Access permissions.
AddTime
s
The date and time the object was placed in the storage, formatted as "YYYY-MM-DD
HH:MM:SS".
If you specify the date but not the time, the time will be specified as 00:00:00.
If you specify the time but not the date, the current date will be specified.
If you specify the date and time as follows:
(AddTime== s''), then the current date and time will be specified.
Size
i
Original size of the object, in bytes.
M A N A G I N G K A S P E R S K Y E N D P O I N T S E C U RI T Y F R O M T H E C O M M A N D L I N E
99
№
EVENT NAME
DESCRIPTION
SETTINGS
1
ApplicationStarted
Kaspersky Endpoint Security is
running; the event occurs after all
tasks necessary for Kaspersky
Endpoint Security are started.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
2
ApplicationSettingsChanged
General Kaspersky Endpoint
Security settings have changed.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
3
LicenseInstalled
The license is installed.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
4
LicenseNotInstalled
A license installation error has
occurred.
Date, EventId, EventType,
RuntimeTaskID, KeySerial,
TaskName, TaskType
5
LicenseRevoked
The license has been successfully
revoked.
Date, EventId, EventType,
RuntimeTaskID, KeySerial,
TaskName, TaskType
6
LicenseNotRevoked
A license revocation error has
occurred.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
7
LicenseExpired
The license period has expired.
Date, EventId, EventType,
RuntimeTaskID, TaskName,
TaskType
8
LicenseExpiresSoon
The license period will soon expire.
Date, EventId, EventType,
RuntimeTaskID, DaysLeft, TaskName,
TaskType
9
LicenseError
Licensing subsystem internal error.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
10
AVBasesAttached
Updated Kaspersky Endpoint
Security databases have been
successfully installed.
Date, EventId, EventType,
RuntimeTaskID, AVBasesDate,
TaskId, TaskName, TaskType
11
AVBasesAreOutOfDate
The Kaspersky Endpoint Security
databases are outdated.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
12
AVBasesAreTotallyOutOfDate
The Kaspersky Endpoint Security
databases are obsolete.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
13
AVBasesIntegrityCheckOK
Integrity check of Kaspersky
Endpoint Security databases
completed successfully.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
14
AVBasesIntegrityCheckFailed
Kaspersky Endpoint Security
databases failed an integrity check.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
15
AVBasesApplied
The Kaspersky Endpoint Security
databases are applied.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
KASPERSKY ENDPOINT SECURITY EVENTS AND THEIR SETTINGS
You can filter Kaspersky Endpoint Security based on their settings. The following table describes Kaspersky Endpoint
Security events, event settings are described in the next table below.
Table 7. Events
A D M I N I S T R A T O R ' S G U I D E
100
№
EVENT NAME
DESCRIPTION
SETTINGS
16
UpdateSourceSelected
An update source has been
selected.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
17
UpdateSourceNotSelected
An update source connection error
has occurred.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
18
NothingToUpdate
No update is required. This event
occurs if the version of the database
updates installed on the computer
corresponds to or is newer than the
version of the database updates on
the update source.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskType
19
UpdateError
An error occurred while updating.
Date, EventId, EventType,
ModuleName, RuntimeTaskID,
TaskId, TaskName, TaskType
20
ModuleDownloaded
A program module has been
downloaded.
Date, EventId, EventType,
ModuleName, RuntimeTaskID,
TaskId, TaskName, TaskType
21
ModuleNotDownloaded
A program module downloading
error has occurred.
Date, EventId, EventType,
ModuleName, RuntimeTaskID,
TaskId, TaskName, TaskType
22
ModuleRetranslated
Program module has been
successfully copied for distribution.
Date, EventId, EventType,
ModuleName, RuntimeTaskID,
TaskId, TaskName, TaskType
23
ModuleNotRetranslated
A program module copying error has
occurred.
Date, EventId, EventType,
ModuleName, RuntimeTaskID,
TaskId, TaskName, TaskType
24
TaskStateChanged
The task state has changed.
Date, EventId, EventType,
RuntimeTaskID, TaskId, TaskName,
TaskState, TaskType
25
TaskSettingsChanged
The task settings have changed.
Date, EventId, EventType,
RuntimeTaskID, PersistentTaskId,
TaskName, TaskType
26
PackedObjectDetected
A packed object has been detected.
Date, EventId, EventType,
AccessHost, AccessUser,
AccessUserId, PackerName,
FileName, FileOwner, FileOwnerId,
ObjectName, ObjectSource,
RuntimeTaskID, TaskID, TaskName,
TaskType
27
ThreatDetected
A threat has been detected.
Date, EventId, EventType,
AccessHost, AccessUser,
AccessUserId, DetectCertainty,
FileName, FileOwner, FileOwnerId,
ObjectName, RuntimeTaskID, TaskId,
TaskName, TaskType, ThreatName,
VerdictType
28
ObjectProcessed
The object has been processed.
Date, EventId, EventType,
AccessHost, AccessUser,
AccessUserId, FileName, FileOwner,
FileOwnerId, ObjectName,
ProcessResult, RuntimeTaskID,
TaskId, TaskName, TaskType
29
ObjectNotProcessed
The object has not been processed.
Date, EventId, EventType,
AccessHost, AccessUser,
AccessUserId, FileName, FileOwner,
Loading...