A container is an isolated environment in which an application runs with its own view of the file system, processes and network, separated from the host operating system and from other containers. Using containers involves the following risks:
Hackers may exploit vulnerabilities in the container runtime or in the applications inside the container to compromise those applications.
Hackers may exploit an insecure configuration of the container environment (for example, excessive privileges or exposed host resources) to gain unauthorized access to data on the computer or to compromise the integrity of the system.
A successful attack on a container can allow a hacker to break out of the container and gain access to data on the computer.
Hackers may exploit network vulnerabilities to intercept traffic between containers or between a container and the host.
Kaspersky Embedded Systems Security detects malicious activity inside containers from outside the container: it runs on the Docker host and monitors file operations executed in the containers. This preserves the performance of containers and prevents conflicts with other applications inside the container. Installing Kaspersky Embedded Systems Security inside a container is not supported.
In addition to protecting containers, Kaspersky Embedded Systems Security lets you control which applications may start inside containers using Applications Launch Control. Applications Launch Control rules for containers are configured in the same way as for applications installed on the computer. System Integrity Monitoring also supports containers.
Container requirements
The container must be a Docker container. Other containerization tools are not supported.
The container must run in process isolation mode. Hyper-V isolation mode is not supported.
The container must run on a Windows Server 2016, 2019, or 2022 server (Docker Host).
The container must be created from a Windows image (Docker Image). Windows 10 and Windows 11 are not supported. Linux images are not supported.
Containers running in WSL2 (Windows Subsystem for Linux v2, Docker Wine) mode are not supported and are not scanned.
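The following PowerShell script is an added example and is not part of the Kaspersky documentation. Run on the Docker host, it checks the host operating system, the Docker daemon mode and every running container against the requirements listed above, so that unsupported containers (Hyper-V isolation, Linux images, a WSL2/Linux daemon) are found before protection is relied on. It assumes the Docker CLI is on PATH and that the script is executed locally on the host; the function name Test-ContainerRequirements is the example's own.

```powershell
# Added example, not taken from the Kaspersky documentation.
# Checks a Docker host and its running containers against the container requirements.
# Assumes: run locally on the Docker host, Docker CLI on PATH, Windows PowerShell 5.1 or later.

function Test-ContainerRequirements {
    if (-not (Get-Command docker -ErrorAction SilentlyContinue)) {
        throw 'Docker CLI not found; run this script on the Docker host.'
    }

    $problems = New-Object System.Collections.Generic.List[string]

    # Requirement: the Docker host is Windows Server 2016, 2019 or 2022.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Caption -notmatch 'Windows Server (2016|2019|2022)') {
        $problems.Add("Host OS '$($os.Caption)' is not Windows Server 2016/2019/2022.")
    }

    # Requirement: Windows containers only. A daemon reporting OSType 'linux'
    # (for example Docker Desktop with the WSL2 backend) runs Linux containers,
    # which are not scanned.
    $daemonOs = (docker info --format '{{.OSType}}' 2>$null | Out-String).Trim()
    if ($daemonOs -ne 'windows') {
        $problems.Add("Docker daemon OSType is '$daemonOs'; only Windows containers are supported.")
    }

    # Requirement: every running container uses process isolation and a Windows image.
    foreach ($id in @(docker ps -q)) {
        $name      = (docker inspect --format '{{.Name}}' $id | Out-String).Trim().TrimStart('/')
        $isolation = (docker inspect --format '{{.HostConfig.Isolation}}' $id | Out-String).Trim()
        $imageId   = (docker inspect --format '{{.Image}}' $id | Out-String).Trim()
        $imageOs   = (docker image inspect --format '{{.Os}}' $imageId | Out-String).Trim()

        switch ($isolation) {
            'process' { }   # supported mode
            'hyperv'  { $problems.Add("Container '$name' uses Hyper-V isolation, which is not supported.") }
            default   {
                # Empty or 'default': the daemon chose the mode. On Windows Server that is
                # process isolation, but the choice is implicit, so flag it for review.
                $problems.Add("Container '$name' has isolation '$isolation' (resolved by the daemon); confirm it is process isolation.")
            }
        }

        if ($imageOs -ne 'windows') {
            $problems.Add("Container '$name' runs a '$imageOs' image; only Windows images are supported.")
        }
    }

    [pscustomobject]@{
        Host      = $os.Caption
        DaemonOs  = $daemonOs
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

Test-ContainerRequirements | Format-List
```

A result with Compliant set to False lists each container or host property that falls outside the supported configuration; containers started without an explicit --isolation flag are reported for review rather than failed, because on Windows Server the daemon resolves that setting to process isolation.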
Action on threat detection
If a threat is detected inside a container, the application blocks the malicious activity and applies the action selected for the Real-Time File Protection component (for example, it attempts to disinfect the object). The container scan has two additional settings, described in the instructions below. If the detected object cannot be disinfected, Kaspersky Embedded Systems Security can stop the container in which it was found. Stopping the container is enabled by default.
How to configure container scan settings in the Administration Console
In the Kaspersky Security Center Administration Console tree, select the Policies folder.
Select the necessary policy and double-click to open the policy properties.
In the policy properties window, select Real-Time Computer Protection.
In the Real-Time File Protection section, click Settings.
In the Scan of file operations executed in Windows containers block, configure the container scan settings:
Stop the container if disinfection fails. The application may lack read and write permissions for a detected object inside the container, in which case the object cannot be disinfected or deleted. If the check box is selected, the application blocks access to the detected object and stops the container. If the check box is cleared, the application only blocks the detected object and the container keeps running. The check box is selected by default.
Do not scan file operations executed in Windows containers. If the check box is selected, the application scans the container only when the container starts. If the check box is cleared, the application scans file operations in the container continuously, in real time.
How to configure container scan settings in the Web Console
In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Embedded Systems Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Real-Time Computer Protection → Real-Time File Protection and click the Configure button.
In the Scan of file operations executed in Windows containers block, configure the container scan settings:
Stop the container if disinfection fails. The application may lack read and write permissions for a detected object inside the container, in which case the object cannot be disinfected or deleted. If the check box is selected, the application blocks access to the detected object and stops the container. If the check box is cleared, the application only blocks the detected object and the container keeps running. The check box is selected by default.
Do not scan file operations executed in Windows containers. If the check box is selected, the application scans the container only when the container starts. If the check box is cleared, the application scans file operations in the container continuously, in real time.
How to configure container scan settings in the Application Console
In the Kaspersky Embedded Systems Security Console tree, select Real-Time Computer Protection → Real-Time File Protection.
In the results pane of the Real-Time File Protection node, click Properties.
The Properties: Real-Time File Protection window opens.
In the Scan of file operations executed in Windows containers block, configure the container scan settings:
Stop the container if disinfection fails. The application may lack read and write permissions for a detected object inside the container, in which case the object cannot be disinfected or deleted. If the check box is selected, the application blocks access to the detected object and stops the container. If the check box is cleared, the application only blocks the detected object and the container keeps running. The check box is selected by default.
Do not scan file operations executed in Windows containers. If the check box is selected, the application scans the container only when the container starts. If the check box is cleared, the application scans file operations in the container continuously, in real time.