You can manage application Behavior Detection in the operating system via the command line by using the Behavior_Detection predefined task.
|
|
|
|
Setting
|
Description
|
Values
|
|
UseTrustedPrograms
|
Excluding processes from scans.
|
Yes – do not scan the activity of the indicated processes.
No (default value) – scan all processes.
|
|
TaskMode
|
Action performed by the application when malicious activity is detected in the operating system.
|
Block (default value) – terminate the process of the application performing malicious activity.
Notify – do not terminate the process performing malicious activity; only log detection of malicious activity in the event log.
|
|
The [TrustedPrograms.item_#] section contains processes that are excluded from Behavior Detection scans. Kaspersky Endpoint Security does not monitor the activity of the specified processes.
|
|
ProgramPath
|
Path to excluded process.
|
<full path to process> – Do not scan the process in the indicated local directory. You can use masks to specify the path.
You can use the * (asterisk) character to create a file or directory name mask.
You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.
You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.
The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.
You can use a single ? character to represent any one character in the file or directory name.
|
|
ApplyToDescendants
|
Exclude child processes of the excluded process specified by the ProgramPath setting from scans.
|
Yes – exclude the specified process and all its child processes from scans.
No (default value) – exclude only the specified process from scans, do not exclude its child processes from scans.
|
|
ProgramDesc
|
Description of the excluded process.
|
|
|
UseTrustedProgram
|
Exclude the activity of the specified process from scanning.
|
Yes (default value) – Exclude the activity of the specified process from scanning.
No – do not exclude the activity of the specified process from scanning.
|
|
UseTrustedProgramForDetects
|
Excluding the activity of a process from scanning by Behavior Detection.
|
If set to Yes, the activity of the specified process is excluded from scanning by Behavior Detection.
If set to No (default), the activity of the specified process is not excluded from scanning by Behavior Detection.
|
|
UseTrustedProgramForMDRAndEDR
|
Exclusion of the process from telemetry collected by the MDR and EDR Expert (on-premise) components.
|
Yes – exclude the activity of this process from telemetry collected by the MDR and EDR Expert (on-premise) components.
No (default value) – do not exclude the activity of this process from telemetry.
|
|
TelemetrySource
|
Additional settings for the collection of telemetry sent to Detection and Response solutions when integrated with such.
The UseTelemetryMonopolyMode setting is applied only if TelemetrySource is set to Default.
|
Default (default) means the eBPF technology and auditd service are used to collect telemetry.
OnlyEBPF means that only the eBPF technology is used to collect telemetry.
|
|
UseTelemetryMonopolyMode
|
True (default) means Kaspersky Endpoint Security uses the auditd service in exclusive mode.
False means the auditd service is used in multicast mode.
|