The Real-Time File Protection component of Kaspersky Embedded Systems Security scans the following protected device objects when they are accessed:
When any application writes or reads a file on the protected device, Kaspersky Embedded Systems Security intercepts the file, scans it for threats, and, if a threat is detected, performs a default action or an action you have specified: try to disinfect, move to Quarantine, or delete it. Before disinfection or deletion, Kaspersky Embedded Systems Security saves an encrypted copy of the source file to the Backup folder.
Kaspersky Embedded Systems Security intercepts file operations, executed in Windows Server 2016 and Windows Server 2019 containers.
A container is an isolated environment, which allows applications to run without direct interaction with the operating system. If container is located in the component protection scope, Kaspersky Embedded Systems Security scans container files, which are being accessed by users, for computer threats. When a threat is detected, the application attempts to disinfect the container. If disinfection succeeds, the container continues to work. If disinfection fails, the container is turned off.
Kaspersky Embedded Systems Security also detects malware for processes running under Windows Subsystem for Linux®. For such processes, the Real-Time File Protection component applies action defined by the current configuration.