Configuring anti-malware protection on Android devices

For timely detection of threats, viruses, and other malicious applications, you can configure the settings for real-time protection and automatic malware scans.

Kaspersky Endpoint Security for Android detects the following types of objects:

Viruses, worms, Trojans, and malicious tools
Adware
Legitimate apps that intruders can use to compromise users' devices or data

Anti-Malware has several limitations:

Due to technical limitations, Kaspersky Endpoint Security for Android cannot scan files with a size of 2 GB or more. During a scan, the app skips such files without notifying you that such files were skipped.
On devices running Android 11 or later, Kaspersky Endpoint Security for Android can't scan the "Android/data" and "Android/obb" folders and detect malware in them due to technical limitations.

Configuring real-time protection

To configure real-time protection settings for mobile devices:

In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
In the policy properties window, select Application settings.
Select Android and go to the Protection section.
On the Real-time protection card, click Settings.
The Real-time protection window opens.
Enable the settings using the Real-time protection toggle switch.
If the toggle switch is turned on, device protection is enabled, but can be manually disabled by the user.

If the toggle switch is turned off, device protection is disabled and the user can't enable it.
In the App scan drop-down list, select the app scan mode:
- Do not scan apps
- Scan only new apps
- Scan all apps and monitor actions with files
In the Action on threat detection drop-down list, select one of the following options:
- Delete
  Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.
- Skip
  If detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file is deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.
- Delete and save a backup copy of file in quarantine
To enable additional scanning of new apps before they are started for the first time on the user's device with the help of the Kaspersky Security Network cloud service, select the Additional protection by Kaspersky Security Network check box.
To block adware and apps that can be exploited by criminals to harm the device or user data, select the Detect adware, autodialers, and legitimate apps that intruders can use to compromise the user's device and data check box.
Click OK.
Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Configuring automatic malware scans

To configure autorun of malware scans on the mobile device:

In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
In the policy properties window, select Application settings.
Select Android and go to the Protection section.
On the Scan card, click Settings.
The Scan window opens.
Enable the settings using the Scan toggle switch.
In the Action on threat detection list, select one of the following options:
- Delete
  Detected objects will be automatically deleted. The user is not required to take any additional actions. Prior to deleting an object, Kaspersky Endpoint Security for Android will display a temporary notification about the detection of the object.
- Skip
  If detected objects have been skipped, Kaspersky Endpoint Security for Android warns the user about problems in device protection. For each skipped threat, the app provides actions that the user can perform to eliminate the threat. The list of skipped objects may change, for example, if a malicious file is deleted or moved. To receive an up-to-date list of threats, run a full device scan. To ensure reliable protection of your data, eliminate all detected objects.
- Delete and save a backup copy of file in quarantine
- Ask user
  Kaspersky Endpoint Security for Android displays a notification prompting the user to choose the action to take on the detected object: Skip or Delete.
  
  Kaspersky Endpoint Security for Android must be set as an Accessibility feature to ensure the display of notifications on mobile devices running Android 10 or later. Kaspersky Endpoint Security for Android prompts the user to set the app as an Accessibility feature through the Initial Configuration Wizard. The user can skip this step or disable this service in the device settings at a later time. In this case, Kaspersky Endpoint Security for Android displays an Android system window prompting the user to choose the action to take on the detected object: Skip or Delete. To apply an action to multiple objects, you need to open Kaspersky Endpoint Security.
If during a scan Kaspersky Endpoint Security for Android detects malicious apps on users' devices, the actions differ depending on the device management mode.

On corporate devices, installed malicious apps detected by Kaspersky Endpoint Security for Android are deleted from the device automatically if the Delete option is selected. If Kaspersky Endpoint Security for Android detects malicious system apps, they are prohibited from being displayed and launched on users' devices.

In a corporate container, installed malicious apps detected by Kaspersky Endpoint Security for Android are not deleted but prohibited from being displayed and launched on users' devices without notifying device users.

If the Ask user option is selected, Kaspersky Endpoint Security for Android prompts users to select an action for each detected app, both on corporate devices and devices with a corporate container.

Installed malicious apps cannot be quarantined. Accordingly, if the Delete and save a backup copy of file in quarantine option is selected, a detected malicious app is deleted.

On personal devices, detected malicious apps cannot be deleted automatically. In this case, Kaspersky Endpoint Security for Android prompts the user to delete or skip the detected app.
In the Scheduled scan field, you can configure the settings for automatic launching a full scan of the device file system.
If you selected a weekly or daily scan, specify the day of the week (for weekly scans) and start time in the Day and Time fields.
If the device is in battery saver mode, the app may perform this task later than specified.
Click OK.
Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center. Kaspersky Endpoint Security for Android scans all files, including the contents of archives.

To keep mobile device protection up to date, configure the anti-malware database update settings.

By default, anti-malware database updates are disabled when the device is roaming. Scheduled updates of anti-malware databases are not performed.

Configuring database updates

To configure settings for anti-malware database updates:

In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
In the policy properties window, select Application settings.
Select Android and go to the Protection section.
On the Database update card, click Settings.
The Database update window opens.
Enable the settings using the Database update toggle switch.
In the Scheduled database update field, you can configure the settings for automatic anti-malware database updates on the user's device.
If you selected a weekly or daily database update, specify the day of the week (for weekly database updates) and start time in the Day and Time fields.
If the device is in battery saver mode, the app may perform this task later than specified.
In the Database update source section, specify the update source from which Kaspersky Endpoint Security for Android receives and installs anti-malware database updates:
- Kaspersky servers
  Using a Kaspersky update server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To update databases using Kaspersky servers, Kaspersky Endpoint Security for Android transmits data to Kaspersky (for example, the update task run ID). The list of data that is transmitted during database updates is provided in the End User License Agreement.
- Administration Server
  Using the repository of Kaspersky Security Center Administration Server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices.
- Other source
  Using a third-party server as an update source for downloading the databases of Kaspersky Endpoint Security for Android on users' mobile devices. To start an update, you must enter the address of an HTTP server in the field below (for example, http://domain.com/).
If you want Kaspersky Endpoint Security for Android to download database updates according to the update schedule when the device is roaming, select the Allow database update while roaming check box in the Database update while roaming section.
Even if the check box is cleared, the user can manually start an anti-malware database update when the device is roaming.
Click OK.
Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Page top