File Threat Protection

The File Threat Protection component lets you prevent infection of the file system of the computer. By default, the File Threat Protection component permanently resides in the computer's RAM. The component scans files on all drives of the computer, as well as on connected drives. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and heuristic analysis.

The component scans the files accessed by the user or application. If a malicious file is detected, Kaspersky Endpoint Security blocks the file operation. The application then disinfects or deletes the malicious file, depending on the settings of the File Threat Protection component.

When attempting to access a file whose contents are stored in the OneDrive cloud, Kaspersky Endpoint Security downloads and scans the file contents.

File Threat Protection component settings

Parameter

Description

Security level

(available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)

For File Threat Protection, Kaspersky Endpoint Security can apply different groups of settings. These groups of settings that are stored in the application are called security levels:

  • High. When this file security level is selected, the File Threat Protection component takes the strictest control of all files that are opened, saved, and started. The File Threat Protection component scans all file types on all hard drives, removable drives, and network drives of the computer. It also scans archives, installation packages, and embedded OLE objects.
  • Recommended. This file security level is recommended by Kaspersky Lab experts. The File Threat Protection component scans only the specified file formats on all hard drives, removable drives, and network drives of the computer, and embedded OLE objects. The File Threat Protection component does not scan archives or installation packages.
  • Low. The settings of this file security level ensure maximum scanning speed. The File Threat Protection component scans only files with specified extensions on all hard drives, removable drives, and network drives of the computer. The File Threat Protection component does not scan compound files.

File types

(available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)

All files. If this setting is enabled, Kaspersky Endpoint Security checks all files without exception (all formats and extensions).

Files scanned by format. If this setting is enabled, the application scans infectable files only. Before scanning a file for malicious code, the internal header of the file is analyzed to determine the format of the file (for example, .txt, .doc, or .exe). The scan also looks for files with particular file extensions.

Files scanned by extension. If this setting is enabled, the application scans infectable files only. The file format is then determined based on the file's extension.

Scan scope

Contains objects that are scanned by the File Threat Protection component. A scan object may be a hard drive, removable drive, network drive, folder, file, or multiple files defined by a mask.

By default, the File Threat Protection component scans files that are started on any hard drives, removable drives, or network drives. The protection scope for these objects cannot be changed or deleted. You can also exclude an object (such as removable drives) from scans.

Machine learning and signature analysis

(available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)

The machine learning and signature analysis method uses the Kaspersky Endpoint Security databases that contain descriptions of known threats and ways to neutralize them. Protection that uses this method provides the minimum acceptable security level.

Based on the recommendations of Kaspersky experts, machine learning and signature analysis is always enabled.

Heuristic Analysis

(available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)

The technology was developed for detecting threats that cannot be detected by using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.

When scanning files for malicious code, the heuristic analyzer executes instructions in the executable files. The number of instructions that are executed by the heuristic analyzer depends on the level that is specified for the heuristic analyzer. The heuristic analysis level ensures a balance between the thoroughness of searching for new threats, the load on the resources of the operating system, and the duration of heuristic analysis.

Action on threat detection

Disinfect, delete if disinfection fails. If this option is selected, the application automatically attempts to disinfect all infected files that are detected. If disinfection fails, the application deletes the files.

Disinfect, block if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection is not possible, Kaspersky Endpoint Security adds the information about the infected files that are detected to the list of active threats.

Block. If this option is selected, the File Threat Protection component automatically blocks all infected files without attempting to disinfect them.

Before attempting to disinfect or delete an infected file, the application creates a backup copy of the file in case you need to restore the file or if it can be disinfected in the future.

Scan only new and modified files

Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.

Scan archives

Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives not only by extension, but also by format. When checking archives, the application performs a recursive unpacking. This allows to detect threats inside multi-level archives (archive within an archive).

Scan distribution packages

This check box enables/disables scanning of third-party distribution packages.

Scan files in Microsoft Office formats

Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well. Kaspersky Endpoint Security scans office format files that are smaller than 1 MB, regardless of whether the check box is selected or not.

Do not unpack large compound files

If this check box is selected, the application does not scan compound files if their size exceeds the specified value.

If this check box is cleared, the application scans compound files of all sizes.

The application scans large files that are extracted from archives regardless of whether the check box is selected or not.

Unpack compound files in the background

If the check box is selected, the application provides access to compound files that are larger than the specified value before these files are scanned. In this case, Kaspersky Endpoint Security unpacks and scans compound files in the background.

The application provides access to compound files that are smaller than this value only after unpacking and scanning these files.

If the check box is not selected, the application provides access to compound files only after unpacking and scanning files of any size.

Scan mode

(available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)

Kaspersky Endpoint Security scans files accessed by the user, operating system, or an application running under the user's account.

Smart mode. In this mode, File Threat Protection scans an object based on an analysis of actions taken on the object. For example, when working with a Microsoft Office document, Kaspersky Endpoint Security scans the file when it is first opened and last closed. Intermediate operations that overwrite the file do not cause it to be scanned.

On access and modification. In this mode, File Threat Protection scans objects whenever there is an attempt to open or modify them.

On access. In this mode, File Threat Protection scans objects only upon an attempt to open them.

On execution. In this mode, File Threat Protection only scans objects upon an attempt to run them.

Use iSwift technology

(available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)

This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scanning by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date that the file was last scanned on, and any modifications to the scanning settings. The iSwift technology is an advancement of the iChecker technology for the NTFS file system.

Use iChecker technology

(available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)

This technology allows increasing scan speed by excluding certain files from scanning. Files are excluded from scans by using a special algorithm that takes into account the release date of Kaspersky Endpoint Security databases, the date when the file was last scanned, and any modifications to the scan settings. There are limitations to iChecker Technology: it does not work with large files and applies only to files with a structure that the application recognizes (for example, EXE, DLL, LNK, TTF, INF, SYS, COM, CHM, ZIP, and RAR).

Pause File Threat Protection

(available only in the Administration Console (MMC) and in the Kaspersky Endpoint Security interface)

This temporarily and automatically pauses operation of File Threat Protection at the specified time or when working with the specified applications.

See also: Managing the application via the local interface

Enabling and disabling File Threat Protection

Automatic pausing of File Threat Protection

Changing the action taken on infected files by the File Threat Protection component

Forming the protection scope of the File Threat Protection component

Using scan methods

Using scan technologies in the operation of the File Threat Protection component

Optimizing file scanning

Scanning compound files

Changing the scan mode

Page top