A container is an isolated environment in which an application can run without directly interacting with the operating system. Using containers involves the following risks:
Hackers may be able to exploit containerization vulnerabilities to compromise applications inside the container.
Hackers may exploit an insecure configuration of the container environment to gain unauthorized access to data on the computer or to compromise the integrity of the system.
A successful attack on a container can allow a hacker to gain access to data on the computer.
Hackers may exploit network vulnerabilities to intercept network traffic.
Kaspersky Endpoint Security scans files not only on disks but also inside containers. It runs on the host, outside the container, as an external tool for detecting malicious activity inside containers. This preserves container performance and avoids conflicts with other applications inside the container. Installing Kaspersky Endpoint Security inside the container is not supported.
In addition to providing container security, Kaspersky Endpoint Security allows managing applications inside containers using Application Control. Application Control is configured for containers in the same way as for applications installed on the computer. System Integrity Monitoring also supports containers.
Container requirements
The container must be a Docker container. Other containerization tools are not supported.
The container must run in process isolation mode. The Hyper-V isolation mode is not supported.
The container must be placed on a Windows Server 2016, 2019, or 2022 server (Docker Host).
The container must include a Windows image (Docker Image). Windows 10 and 11 are not supported. Linux images are not supported.
Scanning containers running in WSL2 mode (Windows Subsystem for Linux v2, Docker Wine) is not supported.
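As an added example (not part of the Kaspersky documentation), the following PowerShell script audits the running Docker containers on a host against the requirements above and reports which containers fall outside Container Scan coverage. It assumes the Docker CLI is on PATH and the current user can query the Docker daemon; the function name Get-ContainerScanCoverage is the author's own.

```powershell
# Added example: check a Windows Docker host and its running containers
# against the Container Scan requirements (Docker, process isolation,
# Windows Server 2016/2019/2022 host, Windows image, no WSL2).
function Get-ContainerScanCoverage {
    # Host checks. A daemon in Linux/WSL2 mode reports OSType "linux".
    $osType = (docker info --format '{{.OSType}}').Trim()
    $hostOs = (Get-CimInstance Win32_OperatingSystem).Caption
    $hostReasons = @()
    if ($osType -ne 'windows') {
        $hostReasons += "Docker daemon is in '$osType' mode (WSL2/Linux containers are not supported)"
    }
    if ($hostOs -notmatch 'Windows Server (2016|2019|2022)') {
        $hostReasons += "Host OS '$hostOs' is not Windows Server 2016/2019/2022"
    }

    $report = @()
    foreach ($id in (docker ps -q)) {
        $c = (docker inspect $id | ConvertFrom-Json)[0]
        $reasons = @($hostReasons)

        # HostConfig.Isolation is "process", "hyperv" or "default".
        # Assumption: "default" on Windows Server means process isolation.
        $isolation = $c.HostConfig.Isolation
        if ($isolation -eq 'hyperv') {
            $reasons += 'Hyper-V isolation mode is not supported'
        }

        # Platform is "windows" or "linux" for the container image.
        if ($c.Platform -ne 'windows') {
            $reasons += "Image platform '$($c.Platform)' is not a Windows image"
        }

        $report += [pscustomobject]@{
            Container = $c.Name.TrimStart('/')
            Image     = $c.Config.Image
            Isolation = $isolation
            Covered   = ($reasons.Count -eq 0)
            Reasons   = ($reasons -join '; ')
        }
    }
    return $report
}

# List every running container that Container Scan will not cover.
Get-ContainerScanCoverage | Where-Object { -not $_.Covered } | Format-Table -AutoSize
```

Containers listed with Covered = False still need another control (for example, scanning the image before deployment) because the host-based scanner will not inspect them.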
Action on threat detection
If a threat is detected inside a container, the application applies the action selected for the File Threat Protection component. Container Scan also has additional settings of its own (see the instructions below). When a threat is detected, the application blocks the malicious activity and performs the selected action (for example, attempts to disinfect the object). Kaspersky Endpoint Security can also stop the container if the detected object cannot be disinfected. By default, the container stopping functionality is disabled.
How to configure Container Scan settings in the Administration Console (MMC)
Open the Kaspersky Security Center Administration Console.
In the console tree, select Policies.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Essential Threat Protection → File Threat Protection.
Click Settings.
In the window that opens, select the Additional tab.
In the Scan of file operations executed in Windows containers block, configure the container scan settings:
Stop the container if disinfection fails. If the application does not have sufficient read and write rights for the detected object, it cannot disinfect or delete that object. If this check box is selected, the application blocks the detected object and stops the container. If this check box is cleared, the application only blocks the detected object.
Do not scan file operations executed in Windows containers. If this check box is selected, the application scans the container only when the container is started. If the check box is cleared, the application scans the container continuously in real time.
How to configure Container Scan settings in the Web Console
In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Essential Threat Protection → File Threat Protection.
In the Scan of file operations executed in Windows containers block, configure the container scan settings:
Stop the container if disinfection fails. If the application does not have sufficient read and write rights for the detected object, it cannot disinfect or delete that object. If this check box is selected, the application blocks the detected object and stops the container. If this check box is cleared, the application only blocks the detected object.
Do not scan file operations executed in Windows containers. If this check box is selected, the application scans the container only when the container is started. If the check box is cleared, the application scans the container continuously in real time.
How to configure Container Scan settings in the application interface
In the application settings window, select Essential Threat Protection → File Threat Protection.
In the Scan of file operations executed in Windows containers block, configure the container scan settings:
Stop the container if disinfection fails. If the application does not have sufficient read and write rights for the detected object, it cannot disinfect or delete that object. If this check box is selected, the application blocks the detected object and stops the container. If this check box is cleared, the application only blocks the detected object.
Do not scan file operations executed in Windows containers. If this check box is selected, the application scans the container only when the container is started. If the check box is cleared, the application scans the container continuously in real time.