Behavior Detection task (Behavior

Support

Support for business applications

Kaspersky Endpoint Security 12 for Linux

Behavior Detection task (Behavior_Detection, ID:20)

January 23, 2024

ID 234873

The Behavior Detection task monitors malicious activity by applications in the operating system. When malicious activity is detected, Kaspersky Endpoint Security can terminate the process of the application that performs malicious activity.

If integration between Kaspersky Endpoint Security and Kaspersky Managed Detection and Response is enabled, exclusions by process are not applied.

By default, the Behavior Detection task starts automatically when the application starts. You can stop the task at any moment if necessary.

Behavior Detection task setting

Setting	Description	Values

`TaskMode`	Action performed by the application when malicious activity is detected in the operating system.	`Block` (default value) – terminate the process of the application performing malicious activity. `Notify` – do not terminate the process performing malicious activity; only log detection of malicious activity in the event log.
`UseTrustedPrograms`	Excluding processes from scans.	`Yes` – do not scan the activity of the indicated processes. `No` (default value) – scan all processes.
The [TrustedPrograms.item_#] section contains processes that are excluded from scans. Kaspersky Endpoint Security does not monitor the activity of the specified processes.
`ProgramPath`	Path to excluded process.	`<full path to process>` – Do not scan the process in the indicated local directory. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.
`ApplyToDescendants`	Exclude child processes of the excluded process specified by the `ProgramPath` setting from scans.	`Yes` – exclude the specified process and all its child processes from scans. `No` (default value) – exclude only the specified process from scans, do not exclude its child processes from scans.
`ProgramDesc`	Description of the excluded process.
`UseTrustedProgram`	Exclude a process from scans.	`Yes` (default value) – Exclude the activity of the specified process from scans. `No` – Do not exclude the activity of the specified process from scans.

Kaspersky Endpoint Security for Linux: High protection without performance compromising

Detects and blocks advanced threats. Buy as part of Endpoint Security for Business Advanced.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.