Managing the Real-Time File Protection task via the Administration Plug-in

In this section, learn how to navigate the Administration Plug-In interface and configure task settings for one or all protected devices on the network.

Navigation

Learn how to navigate to the required task settings via the chosen interface.

Opening policy settings for the Real-Time File Protection task

To open the Real-Time File Protection task settings via the Kaspersky Security Center policy:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
2. Select the administration group for which you want to configure the task.
3. Select the Policies tab.
4. Double-click the policy name you want to configure.
5. In the Properties: <Policy name> window that opens, select the Real-time server protection section.
6. Click the Settings button in the Real-Time File Protection subsection.

   The Real-time file protection window opens.

If a protected device is being managed by an active Kaspersky Security Center policy and this policy blocks changes to the application settings, these settings cannot be edited via the Application Console.

Opening the Real-Time File Protection task properties

To open the Real-Time File Protection task settings window for a single network device:

1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
2. Select the administration group for which you want to configure the task.
3. Select the Devices tab.
4. Open the Properties: <Protected device name> window in one of the following ways:
   • Double-click the name of the protected device.
   • Select the Properties item in the context menu of the protected device.

   The Properties: <Protected device name> window opens.

5. In the Tasks section, select the Real-Time File Protection task.
6. Click the Properties button.

   The Properties: Real-Time File Protection window opens.

Configuring the Real-Time File Protection task

To configure the Real-Time File Protection task settings:

1. Open the Real-time file protection window.
2. Configure the following task settings:
   • On the General tab:
     • Interception parameters
     • Heuristic analyzer
     • Integration with other components
   • On the Task management tab:
     • Scheduled task start settings.
3. Select the Protection scope tab and do the following:
   • Click the Add or Edit button to edit the protection scope.
     • In the window that opens, choose what you want to include in the task protection scope:
       • Predefined scope
       • Disk, folder or network location
       • File
     • Select one of the predefined security levels or manually configure the protection settings.
4. Click OK in the Real-time file protection window.

Kaspersky Security for Windows Server immediately applies the new settings to a running task. The date and time when the settings were modified, and the values of task settings before and after modification, are saved in the system audit log.

Selecting the protection mode

In the Real-Time File Protection task, the protection mode can be selected. The Objects protection mode section lets you specify the type of access attempts for which Kaspersky Security for Windows Server scans objects.

The value of the Objects protection mode setting applies to the entire protection scope specified in the task. You cannot specify different values for the setting for individual nodes within the protection scope.

To select the protection mode:

1. Open the Real-time file protection window.
2. In the window that opens, open the General tab and select the protection mode that you want to set:
   • Smart mode

     

     Kaspersky Security for Windows Server selects objects to be scanned on its own. An object is scanned on being opened and then again after being saved if the object has been modified. If the object is accessed multiple times and modified by the process, Kaspersky Security for Windows Server rescans the object only after the object is saved by the process for the last time.

   • On access and modification

     

     Kaspersky Security for Windows Server scans an object when it is opened and rescans after it is saved, if the object was modified.

     This option is selected by default.

   • On access

     

     Kaspersky Security for Windows Server scans all objects when they are opened for reading, execution, or modification.

   • When run

     

     Kaspersky Security for Windows Server scans a file only when it is accessed to be executed.

   • Deeper analysis of launching processes (process launch is blocked until the analysis ends)

     

     Kaspersky Security for Windows Server performs longer analysis of launching processes with higher probability to detect a threat. The process launch is blocked until the end of analysis.

3. Click OK.

The selected protection mode will take effect.

Configuring Heuristic Analyzer and integration with other application components

To start the KSN Usage task, you must accept the Kaspersky Security Network Statement.

To configure Heuristic Analyzer and integration with other components:

1. Open the Real-time file protection window.
2. On the General tab, clear or select the
   Use heuristic analyzer

   

   This check box enables / disables Heuristic Analyzer during object scanning.

   If the check box is selected, Heuristic Analyzer is enabled.

   If the check box is cleared, Heuristic Analyzer is disabled.

   The check box is selected by default.

   check box.
3. If necessary, adjust the level of analysis using the
   slider

   

   The heuristic analysis level sets the balance between the thoroughness of searches for threats, the load on the operating system's resources and the time required for scanning.

   The following scanning sensitivity levels are available:

   • Light. Heuristic Analyzer performs fewer instructions within executable files. The probability of threat detection in this mode is somewhat lower. Scanning is faster and less resource-intensive.
   • Medium. Heuristic Analyzer performs the number of executable file instructions recommended by Kaspersky experts.

   This level is selected by default.

   • Deep. Heuristic Analyzer performs more instructions within executable files. The probability of threat detection in this mode is higher. Scanning uses more system resources, takes more time, and can produce a higher number of false alarms.

   The setting is available if the Use heuristic analyzer check box is selected.

   .
4. In the Integration with other components section, configure the following settings:
   • Select or clear the
     Apply Trusted Zone

     

     This check box enables / disables use of the Trusted Zone for a task.

     If the check box is selected, Kaspersky Security for Windows Server adds file operations of trusted processes to the scan exclusions configured in the task settings.

     If the check box is cleared, Kaspersky Security for Windows Server disregards the file operations of trusted processes when forming the protection scope for the task.

     The check box is selected by default.

     check box.
   • Select or clear the
     Use KSN for protection

     

     This check box enables or disables the use of KSN services.

     If the check box is selected, the application uses Kaspersky Security Network data to ensure that the application responds more quickly to new threats and to reduce the likelihood of false positives.

     If the check box is cleared, the task does not use KSN services.

     The check box is selected by default.

     check box.

     The Send data about scanned files check box must be selected in the KSN Usage task settings.

   • Select or clear the Block access to network shared resources for the hosts that show malicious activity check box.
   • Select or clear the
     Launch critical areas scan when active infection is detected

     

     If the check box is selected, when active infection is detected, Kaspersky Security for Windows Server creates and launches a temporary Critical Areas Scan task. When the Critical Areas Scan temporary task finishes, Kaspersky Security for Windows Server removes this temporary task.

     If the check box is cleared, when active infection is detected, Kaspersky Security for Windows Server does not create and launch Critical Areas Scan task.

     The check box is selected by default.

     check box.
   • Select or clear the
     Use Kaspersky Sandbox for protection

     

     This check box enables or disables the use of Kaspersky Sandbox.

     If the check box is selected, Kaspersky Endpoint Agent sends objects to Kaspersky Sandbox. Kaspersky Sandbox analyzes the behavior of these objects to identify malicious activity and signs of targeted attacks.

     If the check box is cleared, the task does not send objects to Kaspersky Sandbox.

     The check box is cleared by default.

     check box.

     The Kaspersky Sandbox functionality does not work if Kaspersky Endpoint Agent is not installed on the protected device.

     The running Traffic Security task might obstruct the use of Kaspersky Sandbox. To use the Traffic Security task and Kaspersky Sandbox on the same protected device, restart Traffic Security task after the installation of Kaspersky Security for Windows Server and Kaspersky Endpoint Agent.

5. Click OK.

The configured task settings are applied immediately to a running task. If the task is not running, the modified settings are applied at next start.

Configuring the task start schedule settings

You can configure the start schedule for local system and custom tasks in the Application Console. You cannot configure a start schedule for group tasks.

To configure group task start schedule settings:

1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.
2. Select the group that the protected device belongs to.
3. In the details pane, select the Tasks tab.
4. Open the Properties: <Task name> window in one of the following ways:
   • Double-click the name of the task.
   • Open the context menu of the task name and select the Properties item.
5. Select the Schedule section.
6. In the Schedule settings block, select the Run by schedule check box.

   Fields with the schedule settings for the On-Demand Scan and Update tasks are unavailable if scheduled start of these tasks is blocked by a Kaspersky Security Center policy.

7. Configure schedule settings in accordance with your requirements. To do this, perform the following actions:
   1. In the Frequency list, select one of the following values:
      • Hourly, if you want the task to run at intervals of a specified number of hours; specify the number of hours in the Every <number> hour(s) field.
      • Daily, if you want the task to run at intervals of a specified number of days; specify the number of days in the Every <number> day(s) field.
      • Weekly, if you want the task to run at intervals of a specified number of weeks; specify the number of weeks in the Every <number> week(s) field. Specify the days of the week on which the task will be started (by default the task runs on Mondays).
      • At application launch, if you want the task to run every time Kaspersky Security for Windows Server starts.
      • After application database update, if you want the task to run after every update of the application databases.
   2. Specify the time for the first task start in the Start time field.
   3. In the Start date field, specify the date from which the schedule applies.

      After you have specified the task start frequency, the time of the first task start, and the date from which the schedule applies, the estimated time for the next task start will appear in the top part of the window in the Next start field. The estimated time of the next task start will be updated and displayed each time you open the Task settings window on the Schedule tab.

      The Blocked by policy value is displayed in the Next start field if the active policy settings of Kaspersky Security Center prohibit start of scheduled system tasks.

8. Use the Advanced tab to configure the following schedule settings in accordance with your requirements.
   • In the Task stop settings section:
     1. Select the Duration check box and, in the fields to the right, enter the maximum number of hours and minutes of task execution.
     2. Select the Pause from check box and, in the fields to the right, enter the start and end values of a time interval under 24 hours during which task execution will be paused.
   • In the Advanced settings section:
     1. Select the Cancel schedule from check box and specify the date from which the schedule will cease to apply.
     2. Select the Run skipped tasks check box to enable the start of skipped tasks.
     3. Select the Randomize the task start time within the interval of check box and specify a value in minutes.
9. Click OK.
10. Click the Apply button to save the task start settings.

If you want to configure application settings for a single task using Kaspersky Security Center, perform the steps described in Section "Configuring local tasks in the Application settings window of the Kaspersky Security Center".

Creating and configuring the task protection scope

To create and configure the task protection scope via the Kaspersky Security Center:

1. Open the Real-time file protection window.
2. Select the Protection scope tab.
3. All items already protected by the task are listed in the Protection scope table.
4. Click the Add button to add new item to the list.

   The Add objects to protection scope window opens.

5. Select an object type to add it to a protection scope:
   • Predefined scope - to include one of the predefined scopes in the protection scope on the device. Then in the drop-down list, select the desired protection scope.
   • Disk, folder or network location - to include individual drive, folder or a network object in the protection scope. Then select the desired protection scope by clicking the Browse button.
   • File - to include an individual file in the protection scope. Then select the desired protection scope by clicking the Browse button.

     You cannot add an object to a protection scope if it has already been added as an exclusion from a protection scope.

6. To exclude individual items from the protection scope, clear check boxes next to the names of these items or take the following steps:
   1. Open the context menu of the protection scope by right-clicking it.
   2. In the context menu, select the Add exclusion option.
   3. In the Add exclusion window, select an object type that you want to add as an exclusion from the protection scope following the procedure used when adding an object to the protection scope.
7. To modify the protection scope or an existing exclusion, select the Edit scope option in the context menu of the desired protection scope.
8. To hide a previously added protection scope or an exclusion in the list of network file resources, select the Remove scope option in the context menu of the desired protection scope.

   A protection scope is removed from the Real-Time File Protection task scope when it is removed from the network file resource list.

9. Click OK.

The Protection scope settings window closes. Your newly configured settings are saved.

The Real-Time File Protection task can be started if at least one of the device’s file resource nodes is included in a protection scope.

Selecting predefined security levels for On-Demand Scan tasks

You can apply one of the following three predefined security levels to a node selected in the device's file resource list: Maximum performance, Recommended, and Maximum protection.

To select one of the predefined security levels:

1. Open the Properties: Real-Time File Protection window.
2. Select the Protection scope tab.
3. In the protected device's list, select an item included in the protection scope in order to set a predefined security level.
4. Click the Configure button.

   The Real-time file protection settings window opens.

5. On the Security level, tab select the security level to be applied.

   The window displays the list of security settings corresponding to the security level selected.

6. Click OK.
7. Click OK in the Properties: Real-Time File Protection window.

   Configured task settings are saved and applied immediately to a running task. If the task is not running, the modified settings are applied at next start.

Configuring security settings manually

By default, the Real-Time File Protection task uses common security settings for the entire protection scope. These settings correspond to the Recommended predefined security level.

The default values of security settings can be modified by configuring them as common settings for the entire protection scope or as different settings for individual items in the device's file resource list or nodes in the tree.

To configure the security settings of the selected node manually:

1. Open the Real-time file protection window.
2. On the Protection scope tab, select the node whose security settings you want to configure, and click Configure.

   The Real-time file protection settings window opens.

3. On the Security level tab, click the Settings button to customize the configuration.
4. You can configure custom security settings for the selected node in accordance with your requirements:
   • General settings
   • Actions
   • Performance
5. Click OK in the Real-time file protection window.

The new protection scope settings are saved.

Configuring general task settings

To configure the general security settings of the Real-Time File Protection task:

1. Open the Real-time file protection settings window.
2. Select the General tab.
3. In the Objects protection section, specify the objects types that you want to include in the protection scope:
   • All objects

     

     Kaspersky Security for Windows Server scans all objects.

   • Objects scanned by format

     

     Kaspersky Security for Windows Server scans only infectable objects based on file format.

     Kaspersky compiles the list of formats. It is included in the Kaspersky Security for Windows Server databases.

   • Objects scanned according to list of extensions specified in anti-virus database

     

     Kaspersky Security for Windows Server scans only infectable objects based on file extension.

     Kaspersky compiles the list of extensions. It is included in the Kaspersky Security for Windows Server databases.

   • Objects scanned by specified list of extensions

     

     Kaspersky Security for Windows Server scans files based on file extension. The list of file extensions can be manually customized in the List of extensions window, which can be opened by clicking the Modify button.

   • Scan disk boot sectors and MBR

     

     Enables protection of boot sectors and master boot records.

     If the check box is selected, Kaspersky Security for Windows Server scans boot sectors and master boot records on hard drives and removable drives of the protected device.

     The check box is selected by default.

   • Scan alternate NTFS streams

     

     Scanning of alternative file and folder streams on drives with the NTFS file system.

     If the check box is selected, the application scans a probably infected object and all NTFS streams associated with that object.

     If the check box is cleared, the application scans only the object that was detected and considered as probably infected.

     The check box is selected by default.

4. In the Performance group box, select or clear the
   Protect only new and modified files

   

   This check box enables / disables scanning and protection of files that have been recognized by Kaspersky Security for Windows Server as new or modified since the last scan.

   If the check box is selected, Kaspersky Security for Windows Server scans and protects only the files that it has recognized as new or modified since the last scan.

   If the check box is cleared, Kaspersky Security for Windows Server scans and protects files regardless of their modification status.

   By default, the check box for the Maximum performance security level is selected. If the Maximum protection or Recommended security levels are set, the check box is cleared.

   check box.

   To switch between available options when the check box is cleared, click on the All / Only new link for each of the compound object types.

5. In the Compound objects protection section, specify the compound objects that you want to include in the protection scope:
   • All

     

     Scanning of ZIP, CAB, RAR, and ARJ archives and other archive formats.

     If this check box is selected, Kaspersky Security for Windows Server scans archives.

     If this check box is cleared, Kaspersky Security for Windows Server skips archives during scanning.

     The default value depends on the selected protection level.

     / Only new archives
   • All

     

     Scanning of self-extracting archives.

     If this check box is selected, Kaspersky Security for Windows Server scans SFX archives.

     If this check box is cleared, Kaspersky Security for Windows Server skips SFX archives during scanning.

     The default value depends on the selected protection level.

     This option is active when the Archives check box is cleared.

     / Only new SFX archives
   • All

     

     Scanning of Microsoft Outlook and Microsoft Outlook Express mail database files.

     If this check box is selected, Kaspersky Security for Windows Server scans mail database files.

     If this check box is cleared, Kaspersky Security for Windows Server skips mail database files during scanning.

     The default value depends on the selected security level.

     / Only new email databases
   • All

     

     Scanning of executable files packed by binary code packers, such as UPX or ASPack.

     If this check box is selected, Kaspersky Security for Windows Server scans executable files packed by packers.

     If this check box is cleared, Kaspersky Security for Windows Server skips executable files packed by packers during scanning.

     The default value depends on the selected protection level.

     / Only new packed objects
   • All

     

     Scanning of files in mail formats, such as Microsoft Outlook and Microsoft Outlook Express messages.

     If this check box is selected, Kaspersky Security for Windows Server scans files in mail formats.

     If this check box is cleared, Kaspersky Security for Windows Server skips files in mail formats during scanning.

     The default value depends on the selected security level.

     / Only new plain email
   • All

     

     Scanning of objects embedded in files (such as Microsoft Word macros, or email message attachments).

     If this check box is selected, Kaspersky Security for Windows Server scans objects embedded in files.

     If this check box is cleared, Kaspersky Security for Windows Server skips objects embedded in files during scanning.

     The default value depends on the selected protection level.

     / Only new embedded OLE objects
6. Click Save.

The new task configuration will be saved.

Configuring actions

To configure actions on infected and other detected objects during the Real-Time File Protection task:

1. Open the Real-time file protection settings window.
2. Select the Actions tab.
3. Select the action to be performed on infected and other detected objects:
   • Notify only

     

     When this mode is selected, Kaspersky Security for Windows Server does not block access to nor perform any actions on infected or other detected objects. The following event is recorded in the task log: Object not disinfected. Reason: no action was taken to neutralize detected object due to user-defined settings. The event specifies all available information about the detected object.

     Notify only mode should be separately configured for each protection or scan area. This mode is not used by default in any of the security levels. If you select this mode, Kaspersky Security for Windows Server automatically changes the security level to Custom.

     .
   • Block access

     

     When this option is selected, Kaspersky Security for Windows Server blocks access to the detected or probably infected object. In the drop-down list, you can select an additional action to perform on blocked objects.

     .
   • Perform additional action.

     Select the action from the drop-down list:

     • Disinfect.
     • Disinfect. Remove if disinfection fails.
     • Remove

       

       Kaspersky Security for Windows Server deletes the object and places a copy of it in Backup.

       .
     • Recommended

       

       Kaspersky Security for Windows Server performs an action recommended by Kaspersky experts.

       .
4. Select the action to be performed on probably infected objects:
   • Notify only.
   • Block access.
   • Perform additional action.

     Select the action from the drop-down list:

     • Quarantine.
     • Remove.
     • Recommended.
5. Configure actions to be performed on objects depending on the type of object detected:
   1. Clear or select the
      Perform actions depending on the type of object detected

      

      If the check box is selected, you can independently set primary and secondary actions for each type of detected object by clicking the Settings button next to the check box. However, Kaspersky Security for Windows Server will not allow to open or execute an infected object regardless of your choice.

      If the check box is cleared, Kaspersky Security for Windows Server performs actions that are selected in the Action to perform on infected and other objects and Action to perform on probably infected objects sections for named object types respectively.

      The check box is cleared by default.

      check box.
   2. Click the Settings button.
   3. In the window that opens, select a primary action and a secondary action (to be performed if the primary action fails) for each type of detected object.
   4. Click OK.
6. Select the action to perform on unmodifiable compound files: select or clear the
   Entirely remove compound file that cannot be modified by the application in case of embedded object detect

   

   This check box enables or disables forced removal of the parent compound file when a malicious, probably infected or other detectable embedded child object is detected.

   If the check box is selected and the task is configured to remove infected and probably infected objects, Kaspersky Security for Windows Server forcibly removes the entire parent compound object when a malicious or other embedded object is detected. The parent file along with all of its contents are forcibly removed if the application cannot remove only the detected child object (for example, if the parent object cannot be modified).

   If this check box is cleared and the task is configured to remove infected and probably infected objects, Kaspersky Security for Windows Server does not perform the selected action if the parent object cannot be modified.

   check box.
7. Click Save.

The new task configuration will be saved.

Configuring performance

To configure performance settings for the Real-Time File Protection task:

1. Open the Real-time file protection settings window.
2. Select the Performance tab.
3. In the Exclusions section:
   • Clear or select the
     Exclude files

     

     Excluding files from scanning by file name or file name mask.

     If this check box is selected, Kaspersky Security for Windows Server skips the specified objects during scanning.

     If this check box is cleared, Kaspersky Security for Windows Server scans all objects.

     The check box is cleared by default.

     check box.
   • Clear or select the
     Do not detect

     

     Objects are excluded from scanning by the name or name mask of the detectable object. The list of names of detectable objects is available on the Virus Encyclopedia website.

     If this check box is selected, Kaspersky Security for Windows Server skips specified detectable objects during scanning.

     If the check box is cleared, Kaspersky Security for Windows Server detects all objects specified in the application by default.

     The check box is cleared by default.

     check box.
   • Click the Edit button for each setting to add exclusions.
4. In the Advanced settings section:
   • Stop scanning if it takes longer than (sec.)

     

     Limits the duration of object scanning. The default value is 60 seconds.

     If the check box is selected, scanning is limited to the specified maximum duration.

     If the check box is cleared, scanning is unlimited.

     By default, the check box for the Maximum performance security level is selected.

   • Do not scan compound objects larger than (MB)

     

     Excludes objects larger than the specified size from scanning.

     If the check box is selected, Kaspersky Security for Windows Server skips compound objects whose size exceeds the specified limit during a virus scan.

     If this check box is cleared, Kaspersky Security for Windows Server scans compound objects of any size.

     By default, the check box is selected for the Maximum performance security level.

   • Use iSwift technology

     

     iSwift compares a file’s NTFS identifier stored in a database with its current identifier. Scanning is performed only for files whose identifiers have changed (new files and files modified since the last scan of NTFS system objects).

     If the check box is selected, Kaspersky Security for Windows Server scans only new files or those modified since the last scan of NTFS system objects.

     If the check box is cleared, Kaspersky Security for Windows Server scans NTFS file system objects regardless of the file creation date or file modification date, except for files from network folders.

     The check box is selected by default.

   • Use iChecker technology

     

     iChecker calculates and remembers checksums of scanned files. If an object is modified, the checksum changes. The application compares all checksums and scans only files that are new and have been modified since the last scan.

     If the check box is selected, Kaspersky Security for Windows Server scans only new and modified files.

     If the check box is cleared, Kaspersky Security for Windows Server scans files regardless of the file creation date or file modification date.

     The check box is selected by default.