Scanning the computer
A scan is vital to computer security. Regularly run malware scans to rule out the possibility of spreading malware that is undetected by protection components due to a low security level setting or for other reasons. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and heuristic analysis.
Kaspersky Endpoint Security has the following standard tasks predefined: Full Scan, Critical Areas Scan, Custom Scan. If your organization has the Kaspersky Security Center administration system deployed, you can create a Malware Scan task and configure the scan.
How to run a scan task in the Administration Console (MMC)
How to run a scan task in the Web Console and Cloud Console
How to run a scan task in the application interface
.To optimize Kaspersky Endpoint Security performance while scanning the computer, you can manage the advanced settings of the Full Scan task and limit the usage of CPU resources.
In Kaspersky Security Center, you can also use the Background Scan task instead of the Full Scan task to optimize the performance of the application. This will not affect the security level of the computer. The background scan cannot be configured.
As a result, Kaspersky Endpoint Security scans the computer and if a threat is detected, executes the action configured in application settings. Typically the application attempts to disinfect infected files. As a result, the infected files can receive the following statuses:
- Postponed. The infected file could not be disinfected. The application deletes the infected file after computer restart.
- Logged. The infected file could not be disinfected. The application adds information about detected infected files to the list of active threats.
- Write not supported or Write error. The infected file could not be disinfected. The application has no write access.
- Already processed. The application detected an infected file earlier. The application disinfects or deletes the infected file after computer restart.
Scan settings
Parameter
Description
Security level
Kaspersky Endpoint Security can use different groups of settings for running a scan. These groups of settings that are stored in the application are called security levels:
- High. Kaspersky Endpoint Security scans all types of files. When scanning compound files, the application scans archives, distribution packages, files in office formats, but does not scan password-protected archives. When this security level is set, the application uses heuristic analysis with the Deep scan level of detail.
- Recommended. Kaspersky Endpoint Security scans all types of files. When scanning compound files, the application scans archives, distribution packages, files in office formats, but does not scan password-protected archives. When this security level is set, the application uses heuristic analysis with the Medium scan level of detail.
- Low. Kaspersky Endpoint Security scans only the specified file formats. When scanning compound files, the application scans archives, distribution packages, files in office formats, but does not scan password-protected archives. When this security level is set, the application uses heuristic analysis with the Light scan level of detail.
You can select one of the preset security levels or manually configure security level settings. If you change the security level settings, you can always revert back to the recommended security level settings.
Action on threat detection
Disinfect, delete if disinfection fails. If this option is selected, the application automatically attempts to disinfect infected file that is detected. If disinfection fails, the application deletes the file.
Disinfect, inform if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security adds the information about the infected files that are detected to the list of active threats.
Inform. If this option is selected, Kaspersky Endpoint Security adds the information about infected files to the list of active threats on detection of these files.
Before attempting to disinfect or delete an infected file, the application creates a backup copy of the file in case you need to restore the file or if it can be disinfected in the future.
On detection of infected files that are part of the Windows Store application, Kaspersky Endpoint Security attempts to delete the file.
Run Advanced Disinfection immediately
(available only in the Kaspersky Security Center Console)
Advanced Disinfection during a virus scan task on a computer is performed only if the Advanced Disinfection feature is enabled in the properties of the policy applied to this computer.
If the check box is selected, Kaspersky Endpoint Security disinfects the active infection immediately after it is detected during the execution of the virus scan task. After the active infection is disinfected, Kaspersky Endpoint Security reboots the computer without prompting the user.
If the check box is cleared, Kaspersky Endpoint Security does not disinfect the active infection immediately after it is detected during the execution of the virus scan task. Kaspersky Endpoint Security generates active infection events in local application reports and on the Kaspersky Security Center side. The active infection can be disinfected when the virus scan task is run again with the Advanced Disinfection feature turned on. In this way, the system administrator can choose the appropriate time to do Advanced Disinfection and subsequently reboot the computers automatically.
Scan scope
List of objects that Kaspersky Endpoint Security scans while performing a scan task. Objects within the scan scope can include the kernel memory, running processes, boot sectors, system backup storage, hard drive, removable drive or network drive, folder or file.
In Kaspersky Endpoint Security for Windows 12.12 email is excluded from the application scan scope. The scan of incoming and outgoing email messages is performed by the Mail Threat Protection component. If you are using an earlier version of the management plug-in, the application excludes email from the scan scope, even if the policy includes it.
Scan schedule
Manually. Run mode in which you can start scan manually at a time when it is convenient for you.
By schedule. In this scan task run mode, the application starts the scan task in accordance with the schedule that you create. If this scan task run mode is selected, you can also start the scan task manually.
Postpone running after application startup for N minutes
Postponed start of the scan task after application startup. At operating system startup, many processes are running, therefore it is advantageous to postpone running the scan task instead of running it immediately after Kaspersky Endpoint Security startup.
Run skipped tasks
If the check box is selected, Kaspersky Endpoint Security starts the skipped task as soon as it becomes possible. The task may be skipped, for example, if the computer was off at the scheduled task start time. When the application gets an opportunity to execute missed tasks, it runs the tasks randomly within a certain time interval to distribute the load on the computer.
If the check box is cleared, Kaspersky Endpoint Security does not run skipped tasks. Instead, it carries out the next task in accordance with the current schedule.
Run only when the computer is idle
Postponed start of the task when computer resources are busy. Kaspersky Endpoint Security starts the scan task if the computer is locked or if the screen saver is on. If you have interrupted the execution of the task, for example by unlocking the computer, Kaspersky Endpoint Security automatically runs the task, continuing from the point where it was interrupted. This schedule option lets you conserve computer resources when the computer is being used.
Run scan as
By default the scan task is run in the name of the user with whose rights you are registered in the operating system. The protection scope may include network drives or other objects that require special rights to access. You can specify a user that has the required rights in the application settings and run the scan task under this user's account.
File types
Kaspersky Endpoint Security considers files without an extension as executable ones. The application always scans executable files regardless of the file types that you select for scanning.
All files. If this setting is enabled, Kaspersky Endpoint Security checks all files without exception (all formats and extensions).
Files scanned by format. If this setting is enabled, the application scans infectable files only. Before scanning a file for malicious code, the internal header of the file is analyzed to determine the format of the file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file extensions.
Files scanned by extension. If this setting is enabled, the application scans infectable files only. The file format is then determined based on the file's extension.
By default, Kaspersky Endpoint Security scans files by their format. Scanning files by extension is less safe because a malicious file can have an extension that is not on the list of potentially infectable (for example,
.123).Scan only new and modified files
Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.
Skip file that is scanned for longer than N seconds
Limiting the task execution time. After the specified amount of time, Kaspersky Endpoint Security stops the task. The task is not marked as completed. Next time Kaspersky Endpoint Security runs the task, it will be run from the beginning and on schedule.
Do not run multiple scan tasks at the same time
Postponed start of scan tasks if a scan is already running. Kaspersky Endpoint Security will enqueue new scan tasks if the current scan continues. This helps optimize the load on the computer. For example, let's assume that the application has started a Full Scan task according to the schedule. If a user attempts to start a quick scan from the application interface, Kaspersky Endpoint Security will enqueue this quick scan task and then automatically start this task after the Full Scan task is finished.
However, Kaspersky Endpoint Security immediately starts a scan task even if one of the following scan tasks is running:
- Scan of removable drives on connection.
- Scan from Context Menu.
- Critical Areas Scan that was started upon detection of an Indicator of Compromise (IoC).
If this check box is cleared, Kaspersky Endpoint Security lets you run multiple scan tasks at the same time. Running multiple scan tasks requires more computer resources.
Scan archives
Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives not only by extension, but also by format. When checking archives, the application performs a recursive unpacking. This allows the detection of threats inside multi-level archives (an archive within an archive).
Scan distribution packages
Scanning distribution packages of third-party applications.
Scan files in Microsoft Office formats
Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well. The application scans office format files that are smaller than 1 MB, regardless of whether the check box is selected or not.
Scan email format files
Scanning email format files and the email database. The application scans PST and OST files used by MS Outlook and Windows Mail mail clients as well as EML files.
Kaspersky Endpoint Security does not support the 64-bit version of MS Outlook email client. This means that Kaspersky Endpoint Security does not scan MS Outlook files (PST and OST files) if a 64-bit version of MS Outlook is installed on the computer, even if mail is included in the scan scope.
If the check box is selected, Kaspersky Endpoint Security splits the mail-format file into its components (header, body, attachments) and scans them for threats.
If this check box is cleared, Kaspersky Endpoint Security scans the mail-format file as a single file.
When a malicious object is discovered in PST or OST files, Kaspersky Endpoint Security renders it harmless in accordance with the selected action (for example, disinfection or deletion of the file).
When a malicious file is detected in files of other mail clients (for example, Mozilla Thunderbird), Kaspersky Endpoint Security only marks the infected message. You need to delete the message with an infected attachment manually.
Scan password-protected archives
If the check box is selected, the application scans password-protected archives. Before files in an archive can be scanned, you are prompted to enter the password.
If the check box is cleared, the application skips scanning of password-protected archives.
Do not unpack large compound files
If this check box is selected, the application does not scan compound files if their size exceeds the specified value.
If this check box is cleared, the application scans compound files of all sizes.
The application scans large files that are extracted from archives regardless of whether the check box is selected or not.
Machine learning and signature analysis
The machine learning and signature analysis method uses the Kaspersky Endpoint Security databases that contain descriptions of known threats and ways to neutralize them. Protection that uses this method provides the minimum acceptable security level.
Based on the recommendations of Kaspersky experts, machine learning and signature analysis is always enabled.
Heuristic analysis
The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.
When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.
iSwift Technology
(available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.
iChecker Technology
(available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)
This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).