Files excluded from scanning may still be intercepted by the application during File Threat Protection and scanning tasks. The application intercepts file operation events and blocks actions until the events are processed. After the scan, the application can:
Intercepting events takes time, which affects the performance of other applications and the operating system.
You can get file interception statistics using the following command:
kesl-control --get-statistic --files
This command displays file operation interception statistics for the last 24 hours.
If necessary, you can use application trace files for more detailed analysis. By default, the application does not generate trace files. You can enable tracing using the following command:
kesl-control --set-app-settings TraceLevel=Detailed
Enabling tracing may impact overall system performance. We recommend disabling tracing when you no longer need trace files.
You can disable tracing using the following command:
kesl-control --set-app-settings TraceLevel=None
By analyzing trace files, you can get a list of files intercepted by the application and identify the paths that account for the most intercepted file operations. You can get a list of intercepted files, with a count for each, sorted in descending order, by running the following command:
grep 'FACACHE.*needs' /var/log/kaspersky/kesl/kesl.* | awk '{print $9}' | tr -d '}'|awk -F':' '{print $2}'|sort | uniq -c | sort -k1 -n -r
If you need to aggregate file operation interception statistics in subdirectories down to a certain depth starting from the root directory /, you can add cut -d/ -f 1-X to the command, where X is the nesting depth, for example:
grep 'FACACHE.*needs' /var/log/kaspersky/kesl/kesl.* | awk '{print $9}' | tr -d '}'|awk -F':' '{print $2}'| cut -d/ -f 1-3|sort | uniq -c | sort -k1 -n -r|less
To exclude files in a certain directory not only from scanning but also from interception, you need to exclude the entire mount point. Excluding mount points (global exclusion) lets you exclude local or remote directories mounted on the device from interception of file operations.
Global exclusions have no effect on paths that are not mount points.
Kaspersky experts recommend using global exclusions in the following cases:
To protect shared network resources, use the Kaspersky Endpoint Security application on the device where the resources are physically stored.
You can configure global exclusions in a policy using the Web Console or Administration Console, or locally on the device using the command line.
Below is an example of configuring a file operation interception exclusion using the command line.
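To exclude all files in the /tmp directory from interception:
Make the /tmp directory a mount point by bind-mounting it onto itself:
mount --bind /tmp/ /tmp
To keep the mount point after the operating system restarts, add the following line to /etc/fstab:
/tmp /tmp none defaults,bind 0 0
Add /tmp as a global exclusion:
kesl-control --set-app-settings ExcludedMountPoint.item_0000=/tmp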
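Because global exclusions have no effect on paths that are not mount points, it is worth checking a candidate path before you add it. The script below is an added example, not part of the vendor documentation: the function names are hypothetical, the mount tables are constructed samples, and on a real device you would pass /proc/self/mounts and /etc/fstab instead.

```sh
#!/bin/sh
# Added example (not vendor code): pre-flight check for a global exclusion.
# Table files are arguments so the logic runs on constructed input; on a
# real host pass /proc/self/mounts and /etc/fstab.

# Strip trailing slashes: "/tmp/" -> "/tmp"; "/" stays "/".
normalize_path() {
    _p="$1"
    while [ "${#_p}" -gt 1 ] && [ "${_p%/}" != "$_p" ]; do _p="${_p%/}"; done
    printf '%s\n' "$_p"
}

# has_entry PATH TABLE: succeeds if a non-comment line of TABLE has PATH as
# its second field (the mount point column in both mounts and fstab).
# Paths containing spaces are octal-escaped in those files and not handled.
has_entry() {
    awk -v want="$(normalize_path "$1")" \
        '$1 !~ /^#/ && $2 == want { found = 1 } END { exit !found }' "$2"
}

# check_exclusion PATH MOUNTS FSTAB: prints one verdict and returns
# 0 = ok, 1 = not a mount point (the exclusion would have no effect),
# 2 = mounted now but no fstab entry (a manual bind mount would be lost
#     on reboot).
check_exclusion() {
    if ! has_entry "$1" "$2"; then
        echo "not-a-mount-point"; return 1
    fi
    if ! has_entry "$1" "$3"; then
        echo "mounted-not-persistent"; return 2
    fi
    echo "ok"
}

# Constructed sample tables, not taken from a real host.
demo="$(mktemp -d)"
printf '%s\n' '/dev/sda1 / ext4 rw 0 0' '/dev/sda1 /tmp ext4 rw 0 0' \
    'tmpfs /run tmpfs rw 0 0' > "$demo/mounts"
printf '%s\n' '# constructed' '/tmp /tmp none defaults,bind 0 0' > "$demo/fstab"
for path in /tmp/ /run /var/cache; do
    printf '%-12s %s\n' "$path" \
        "$(check_exclusion "$path" "$demo/mounts" "$demo/fstab" || true)"
done
rm -rf "$demo"
```

A path reported as not-a-mount-point is still intercepted even if it appears in ExcludedMountPoint, so keep it out of the exclusion list until the bind mount is in place.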