This section describes the recommended settings for Kaspersky Scan Engine in HTTP mode.
If you use the Kaspersky Scan Engine GUI, specify the recommended parameters as described in the table below.
Recommended settings for HTTP mode in the Kaspersky Scan Engine GUI
Settings in the Kaspersky Scan Engine GUI |
Recommended settings |
---|---|
Service > Keep-alive connection |
See the description of |
Service > Connection timeout |
See the description of |
Service > Sessions |
See the description of |
Service > Connections |
See the description of |
Service > Threads |
Twice the value of |
Service > Processes |
Equal to the number of processor cores |
Scanning > Enable reputation checking |
Turn on the toggle switch |
Scanning > Enable Phishing Protection |
Turn on the toggle switch |
Scanning > Object scan timeout |
10000 (10 seconds) |
Scanning > Heuristic analysis level |
Low |
Scanning > Actions on detected objects |
See the description of |
Scanning > Size limit for the received file |
10343 KB (10.1 MB) Get an updated value from your TAM at least once a year |
Scanning > Maximum depth |
5 |
Scanning > Types of files to scan |
Select the checkbox:
|
If you do not use the Kaspersky Scan Engine GUI, specify the recommended parameters in the kavhttpd.xml configuration file as described in the table below.
Recommended settings for HTTP mode in the configuration file
Parameter in kavhttpd.xml |
Recommended settings |
---|---|
ScannersCount |
Equal to the number of processor cores |
ThreadsCount |
Twice the value of |
MaxIncomingConnectionsNum |
See the description of |
MaxHTTPSessionsNum |
See the description of |
QueueLen |
|
MaxTCPFileSize |
10591440 bytes (10.1 MB) Get an updated value from your TAM at least once a year |
Flags |
Specify the flags:
|
Mode |
See the description of |
MaxArchivesScanningDepth |
5 |
SessionTimeout |
10000 (10 seconds) |
KeepAliveSettings |
See the description of |
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Processes.
The recommended number of scanning processes is equal to the number of processor cores. For example, if Kaspersky Scan Engine is running on a computer with a 4-core processor, set ScannersCount
to 4
.
See also subsection "Example of Kaspersky Scan Engine work in HTTP mode depending on the ScannersCount, ThreadsCount, QueueLen, MaxIncomingConnectionsNum, and MaxHTTPSessionsNum settings."
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Threads.
The recommended number of scanning threads depends on the number of scanning processes specified in ScannersCount
: the value of ThreadsCount
is twice the value of ScannersCount
. For example, if Kaspersky Scan Engine is running on a computer with a 4-core processor and ScannersCount
is set to 4
, set ThreadsCount
to 8
.
See also the subsection "Example of Kaspersky Scan Engine work in HTTP mode depending on the ScannersCount, ThreadsCount, QueueLen, MaxIncomingConnectionsNum, and MaxHTTPSessionsNum settings."
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Connections.
You can configure this parameter to set the queue length of the incoming TCP connections waiting for connection with HTTPD. See section "Setting up the connection queue in HTTP mode" for connection queue setup details.
For example, you expect, on average, ten simultaneous connections with clients. If MaxHTTPSessionsNum
value is set to 10, all 10 connections simultaneously occurred will be accepted by HTTPD for processing. The 11th incoming TCP connection will wait for connection with HTTPD. At least 11 additional connections can wait for HTTPD acceptance, the 12th additional connection will cause an error message. So, when setting the value for MaxIncomingConnectionsNum
, consider the value for MaxHTTPSessionNum
: the value specified in MaxIncomingConnectionsNum
should be multiple times bigger than the value specified in MaxHTTPSessionNum
.
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Sessions.
When specifying the value for this parameter, consider the following:
ThreadsCount
).QueueLen
).MaxIncomingConnectionsNum
).The recommended value is:
See also the subsection "Example of Kaspersky Scan Engine work in HTTP mode depending on the ScannersCount, ThreadsCount, QueueLen, MaxIncomingConnectionsNum, and MaxHTTPSessionsNum settings."
Since the scan tasks are enqueued from all simultaneously open sessions, consider the MaxHTTPSessionsNum
settings. The queue length should not be less than the MaxHTTPSessionsNum
value. Otherwise, some clients will get an error when opening sessions.
Since the scan tasks are processed by the threads from the queue, the queue length should not be less than the number of threads in ThreadsCount
. Otherwise, some threads will be not in use.
The recommended QueueLen
value is:
ThreadsCount
value.MaxHTTPSessionsNum
value.See also the subsection "Example of Kaspersky Scan Engine work in HTTP mode depending on the ScannersCount, ThreadsCount, QueueLen, MaxIncomingConnectionsNum, and MaxHTTPSessionsNum settings."
During scanning, HTTPD loads the files into the system memory. The greater the file size and the number of active sessions, the more system memory is consumed. The value specified should be less than the RAM size.
To increase performance, you can specify the maximum size of HTTP messages sent to HTTPD and set the value to 10591440 bytes (10.1 MB). This value provides detecting most of the malware.
If you have followed the recommendation above, we also recommend consulting with your Technical Account Manager (TAM) once a year to get an updated recommended value, as the average malware size changes from year to year.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Types of files to scan, Settings > Scanning > Heuristic analysis level and Settings > Scanning > Enable reputation checking.
The recommended value for Flags
is the following:
KAV_O_M_PACKED | KAV_O_M_ARCHIVED | KAV_O_M_MAILPLAIN | KAV_O_M_MAILBASES | KAV_O_M_HEURISTIC_LEVEL_SHALLOW | KAV_SHT_ENGINE_KSN
If the KAV_SHT_ENGINE_KSN flag
is used,
it is also recommended to enable
Phishing Protection by using one of the following ways:
KAV_SHT_ENGINE_APUF
flag.Phishing Protection is useful when Kaspersky Scan Engine checks URLs.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Actions on detected objects.
If it is expected to specify the object local path (request scanfile
to scan a local file), specify the following:
KAV_DELETE
(if the object is to be deleted without a disinfection attempt).KAV_CLEAN_DELETE
(if the object is to be disinfected or to be deleted, if disinfection is impossible).Specify KAV_SKIP
in all other cases.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Maximum depth.
We recommend that you limit the maximum depth of nested archives to be unpacked during scanning. The recommended value for MaxArchivesScanningDepth
is 5
.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Object scan timeout.
You can set a timeout for all operations in a session: connection with a client, data receipt, and object checking. Timeout configuring can be used with the X-KAV-Timeout
header (see Setting the session timeout).
Setting the timeout allows the following:
MaxIncomingConnectionsNum
).Initially, HTTPD receives the data, and then loads the files into the system memory during scanning. The greater the file size and the number of active sessions, the more system memory is consumed. To increase performance, you can specify the maximum size of HTTP messages sent to HTTPD (see MaxTCPFileSize
above) and limit the session time in SessionTimeout
. This will allow you to skip the large objects or objects requiring a long time for scanning.
Before setting a value to SessionTimeout
, we recommend that you estimate the expected number of HTTP clients requesting the HTTPD, as well as probable length of the incoming TCP connections queue.
Generally, the default value for SessionTimeout
is 10000
(10 seconds).
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Keep-alive connection.
We recommend enabling Keep-Alive. When Keep-Alive is enabled, Kaspersky Scan Engine maintains a persistent connection even after the request has been processed and the session timed out. This gives the following advantages:
Keep-Alive is especially useful for HTTPS connections that require more CPU time and more client-server interactions.
To enable Keep-Alive, set the Enabled element in KeepAliveSettings
to 1
.
To determine the values for TimeoutMs
and MaxRequests
, estimate the number of clients and the number of requests from clients.
For example, you have estimated that the maximum number of clients is 10, so you set MaxHTTPSessionsNum
to 10. If TimeoutMs
and MaxRequests
are unlimited, and all 10 clients send requests continuously, Kaspersky Scan Engine maintains connections with these 10 clients without limits. As a result, new connections cannot be accepted by HTTPD for processing.
Another example. You have estimated that the maximum number of clients is 10, so you set MaxHTTPSessionsNum
to 10. You have also estimated that the maximum number of requests from one client is 15, so you set MaxRequests
to 15
. If you did not set the limit for TimeoutMs
, and clients do not send 15 requests, Kaspersky Scan Engine maintains connections with these 10 clients without limits, so new connections cannot be accepted by HTTPD for processing.
Example of Kaspersky Scan Engine work in HTTP mode depending on the ScannersCount, ThreadsCount, QueueLen, MaxIncomingConnectionsNum, and MaxHTTPSessionsNum settings
Let's say Kaspersky Scan Engine is installed on a computer with four CPU cores, there are 15 simultaneous connections to this computer, and Kaspersky Scan Engine is configured as follows:
In this case:
QueueLen
, the client will receive the error 503
- Service overloaded.