OS interaction settings

for Linux

For full functionality, the application needs to intercept system events, namely file operations and process starts. If the application is not using system event interception, real-time file scanning is not performed, and the protection level of the device is diminished.

The settings are applied only on devices with operating systems that support the fanotify technology and where the application is being used in standard mode.
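One way to check the fanotify requirement above before applying these settings, as an added example rather than a Kaspersky tool. It reads the kernel build config and reports whether fanotify is built in and whether permission events are enabled. The function names are hypothetical, and the assumption that real-time interception depends on `CONFIG_FANOTIFY_ACCESS_PERMISSIONS` comes from how fanotify works in the kernel, not from this page.

```shell
#!/bin/sh
# Added example: classify fanotify support from a kernel build config.
# Function names are hypothetical; the two CONFIG_ options are real kernel options.

# Print the kernel config: the given file, or the running kernel's config.
kernel_config() {
    if [ -n "${1:-}" ]; then
        cat "$1" 2>/dev/null
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    else
        return 1
    fi
}

# Prints one of: permission | notify-only | none | unknown
#   permission  - fanotify with permission events (an open can be held for a verdict)
#   notify-only - fanotify can report events but cannot block access
#   none        - kernel built without fanotify
#   unknown     - no readable kernel config was found
fanotify_support() {
    cfg=$(kernel_config "${1:-}") || { echo unknown; return 2; }
    # -x matches whole lines, so "# CONFIG_FANOTIFY is not set" does not count.
    if ! printf '%s\n' "$cfg" | grep -qx 'CONFIG_FANOTIFY=y'; then
        echo none
        return 1
    fi
    if printf '%s\n' "$cfg" | grep -qx 'CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y'; then
        echo permission
    else
        echo notify-only
    fi
}

# Constructed sample config (not taken from a real host), so the check runs offline.
sample=$(mktemp)
printf '%s\n' 'CONFIG_FANOTIFY=y' \
    '# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set' > "$sample"
echo "sample config: $(fanotify_support "$sample")"
echo "this host:     $(fanotify_support)"
rm -f "$sample"
```

A result other than `permission` on a managed device is worth resolving before relying on the "Use fanotify" fallback described in the table below.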

System Integrity settings

Settings

OS

Description

Interception mechanism

Linux

The system event interception mechanism that the application uses:

  • Fanotify technology (default value). If this option is selected, the application uses the fanotify technology for system event interception.
  • Updatable kernel module. If this option is selected, the application uses the updatable kernel module for system event interception.

If the updatable kernel module fails to start

Linux

Action that the application performs if the updatable kernel module fails to start:

  • Use fanotify (default value). If this option is selected, the application switches to the fanotify technology for system event interception.
  • Disable system event interception (lower protection level). If the application is not using system event interception, real-time file scanning is not performed, and the protection level of the device is diminished.

This setting is available if the Updatable kernel module interception mechanism is selected.

Telemetry source

Linux

The source Kaspersky Endpoint Security uses for telemetry collection:

  • Use eBPF only. Only eBPF technology is used.
  • Default. Both eBPF technology and the auditd service are used.

Operating mode for auditd

Linux

In this mode, the auditd service records audit events for subsequent transmission to Detection and Response solutions:

  • Exclusive. If this option is selected, Kaspersky Endpoint Security uses the auditd service exclusively. Third-party applications cannot connect to the audit stream.
  • Non-exclusive. If this option is selected, the auditd service can accept multiple connections from different processes that use system audit.