File Threat Protection

for Windows, macOS, and Linux

The File Threat Protection component lets you prevent infection of a computer file system. By default, the File Threat Protection component resides permanently in the computer's RAM and scans all files that are opened, saved, or run, in real time. This component scans files on all computer drives, including connected drives. The component provides computer protection with the help of anti-virus databases, the Kaspersky Security Network cloud service, and heuristic analysis.

The component scans the files accessed by a user or application. If a malicious file is detected, Kaspersky Endpoint Security blocks the file operation. The application then disinfects or deletes the malicious file, depending on the settings of the File Threat Protection component.

When attempting to access a file whose contents reside in OneDrive cloud storage, Kaspersky Endpoint Security downloads and scans the file contents.

For Linux devices, the component is affected by the file operation interception mode, which you can select in general application settings. By default, access to the file is blocked for the duration of the scan.

File Threat Protection settings

Setting (OS): Description

Scan exclusions (Windows, macOS, Linux)

A scan exclusion is a set of conditions that must be fulfilled so that Kaspersky Endpoint Security will not scan a particular object for viruses and other threats. Scan exclusions allow the safe use of legitimate software that criminals can exploit to damage a computer or user data. Such applications have no malicious functions of their own, but intruders can exploit them. For details on legitimate software that can be used by intruders to damage your computer or personal data, please refer to the Kaspersky IT Encyclopedia website.

Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.

Action on threat detection (Windows, macOS, Linux)

Disinfect, delete if disinfection fails. If this option is selected, the application automatically attempts to disinfect an infected file that is detected. If disinfection fails, the application deletes the file.

Disinfect, block if disinfection fails. If this option is selected, Kaspersky Endpoint Security automatically attempts to disinfect all infected files that are detected. If disinfection fails, Kaspersky Endpoint Security blocks the files (read / write).

Block (Windows, Linux). If this option is selected, the File Threat Protection component automatically blocks all infected files without attempting to disinfect them.

macOS: Kaspersky Endpoint Security displays a notification window with information about the type of malicious object that has infected the file and prompts the user to choose the action to be taken by Kaspersky Endpoint Security. The available actions may vary depending on the status of the object.

Inform (Windows). If this option is selected, Kaspersky Endpoint Security records information about the infected file and the malicious object that infected the file in the report.

Before attempting to disinfect or delete an infected file, the application creates a backup copy of the file in case you need to restore the file or if it can be disinfected in the future.

Protection scope (Windows, macOS, Linux)

Contains objects that are scanned by the File Threat Protection component. A scan object may be a hard drive, removable drive, network drive, folder, file, or multiple files defined by a mask.

By default, the File Threat Protection component scans files that are started on any hard drives, removable drives, or network drives. The protection scope for these objects cannot be changed or deleted. You can also exclude an object (such as removable drives) from scans.

Scan optimization (Windows, macOS)

Under Scan optimization, you can configure Kaspersky Endpoint Security for greater performance while scanning files.

Scan only new and modified files (Windows, macOS). Scans only new files and those files that have been modified since the last time they were scanned. This helps reduce the duration of a scan. This mode applies both to simple and to compound files.

Stop container if disinfection fails (Windows). The application may not have sufficient read and write rights for the detected object. In that case, disinfecting or deleting the detected object is impossible. If this check box is selected, the application blocks the detected object and stops the container. If this check box is cleared, the application only blocks the detected object.

Skip scanning of read-only system volume (macOS). If the check box is selected, the application does not scan the read-only system volume. This significantly reduces scan time.

Do not scan file operations executed in Windows containers (Windows). If this check box is selected, the application scans the container only when the container is started. If the check box is cleared, the application scans the container continuously in real time.

Scan of compound files (Windows, macOS, Linux)

A common technique of concealing viruses and other malware is to implant them in compound files, such as archives or databases. To detect viruses and other malware that are hidden in this way, the compound file must be unpacked, which may slow down scanning.

  • Archives. Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives not only by extension, but also by format. When checking archives, the application performs a recursive unpacking. This allows the detection of threats inside multi-level archives (an archive within an archive).
  • Distribution packages and self-extracting archives. Scanning installation packages of third-party applications and self-extracting archives. Self-extracting archives incorporate an executable extraction module. To have self-extracting archives scanned, you need to select the Scan archives check box.
  • Office format files and embedded OLE objects (Windows, macOS). Microsoft Office files (for example, DOC, DOCX, XLS, PPT) and OLE objects embedded in files (for example, Excel tables, macros, email attachments).
  • Mail format files (Windows, Linux). Scanning email message files in plain text format.
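The format-based, recursive unpacking described under Archives can be sketched as follows. This is an added example, not Kaspersky's code or scan engine: it handles only ZIP and GZIP, and `MAX_DEPTH`, `MAX_BYTES`, `MARKER` and the sample archive are assumptions constructed for illustration.

```python
import gzip
import io
import zipfile

MAX_DEPTH = 4        # assumption: nesting cap, not a documented product setting
MAX_BYTES = 1 << 20  # assumption: per-object unpack cap against archive bombs
MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature match

def detect_format(data):
    """Identify the container from magic bytes; the file name is ignored."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "gzip" if data[:2] == b"\x1f\x8b" else None

def members(fmt, data):
    """Yield (name, bytes) per file in one layer; bytes is None if over MAX_BYTES."""
    if fmt == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for i in (i for i in z.infolist() if not i.is_dir()):
                yield i.filename, z.read(i) if i.file_size <= MAX_BYTES else None
    else:
        out = gzip.GzipFile(fileobj=io.BytesIO(data)).read(MAX_BYTES + 1)
        yield "gzip-stream", out if len(out) <= MAX_BYTES else None

def scan(name, data, depth=0):
    """Return paths of objects that match MARKER or could not be inspected."""
    fmt = detect_format(data)
    if fmt is None:
        return [name] if MARKER in data else []
    if depth >= MAX_DEPTH:
        return [name + " [depth limit]"]
    hits = []
    try:
        for inner, blob in members(fmt, data):
            path = name + "/" + inner
            hits += [path + " [size limit]"] if blob is None else scan(path, blob, depth + 1)
    except Exception:  # corrupt, encrypted or unsupported: report, never skip silently
        hits.append(name + " [unreadable]")
    return hits

def build_sample():
    """Constructed input: ZIP > GZIP > ZIP > file holding MARKER."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.bin", MARKER)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("notes.txt", b"clean")
        z.writestr("inner.gz", gzip.compress(inner.getvalue()))
    return outer.getvalue()
```

Calling `scan("report.dat", build_sample())` reports the nested path even though the outer file has a non-archive extension; objects that hit a limit or fail to parse are returned as findings rather than treated as clean.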

Allow background unpacking of archives larger than (MB) (Windows, macOS)

If the check box is selected, the application provides access to compound files that are larger than the specified value before these files are scanned. In this case, Kaspersky Endpoint Security unpacks and scans compound files in the background.

The application provides access to compound files that are smaller than this value only after unpacking and scanning these files.

If the check box is not selected, the application provides access to compound files only after unpacking and scanning files of any size.

Do not scan archives larger than (MB) (Windows, macOS)

If this check box is selected, the application does not scan compound files if their size exceeds the specified value.

If this check box is cleared, the application scans compound files of all sizes.

The application scans large files that are extracted from archives regardless of whether the check box is selected or not.

Limit the time for checking objects to (sec) (Linux)

If the check box is selected, the application stops scanning compound files after the specified time elapses.

Valid values are 0–9999. If the value is set to 0, scan time is not limited.

The default value is 60.

Background Scan (Windows)

Background Scan is a scan mode of Kaspersky Endpoint Security that does not display notifications for the user. Background Scan requires fewer computer resources than other types of scans (such as a full scan). In this mode, Kaspersky Endpoint Security scans startup objects, the boot sector, system memory, and the system partition.

Scan from Context Menu (Windows)

Kaspersky Endpoint Security lets you run a scan of individual files for viruses and other malware from the context menu.

When performing a scan from the context menu, Kaspersky Endpoint Security does not scan files whose contents are located in OneDrive cloud storage.

Block access to files during scans (Linux)

If the check box is selected, the application blocks access to files on the device while the File Threat Protection and Device Control components perform a scan.
