Kaspersky Endpoint Security 11 for Linux

Custom Container Scan task (Custom_Container_Scan, ID:19)

December 12, 2023

ID 201799

The Custom Container Scan task is used to store the setting values that are applied by executing the kesl-control --scan-container command.

To use the task, a license that includes the corresponding function is required.

When the Custom Container Scan task is run, the application creates a temporary Container Scan task (ContainerScan type) with the Custom_Container_Scan task settings. You can change the setting values of the Custom_Container_Scan task using the command line. After the scan is complete, the Custom_Container_Scan task is automatically deleted. The Custom Container Scan task cannot be deleted manually.

To start the Custom Container Scan task, execute the following command:

kesl-control --scan-container <container ID or image ID|container name|image name[:tag]>

If there are several entities with the same name, the application scans all of them.

You can use masks to scan several objects.

When you create the Custom Container Scan task by executing the kesl-control --create-task <task name> --type ContainerScan command, the application uses the same setting values as for the Container Scan task (Container_Scan), except for the ScanPriority=Normal setting.

Examples:

Scan the container named my_container:

kesl-control --scan-container my_container

Scan the image named my_image (all tags):

kesl-control --scan-container 'my_image*'

The table describes all available values and the default values of all the container and image scan settings.

Custom Container Scan task settings

Setting

Description

Values

ScanContainers

Scan of containers specified by mask. You can specify masks using the ContainerNameMask setting.

Yes (default value) — Scan containers defined by mask.

No — Do not scan containers defined by mask.

ContainerNameMask

Specifies a name or a name mask that defines a container to scan.

Masks are specified in command shell format. You can use the ? and * symbols.

Before specifying this setting, make sure that ScanContainers=Yes.

Default value: * (scan all containers).

Examples:

Scan the container named my_container:

ContainerNameMask=my_container

Scan all containers whose names start with my_container:

ContainerNameMask=my_container*

Scan all containers whose names start with my_, then contain any five characters, then _container, and end with any sequence of characters:

ContainerNameMask=my_?????_container*

ScanImages

Scan of images specified by mask. You can specify masks using the ImageNameMask setting.

Yes (default value) — Scan images defined by mask.

No — Do not scan images defined by mask.

ImageNameMask

Specifies a name or a name mask that defines the images to scan.

Before specifying this setting, make sure that the ScanImages setting is set to Yes.

Masks are specified in command shell format.

If you want to specify several masks, each mask must be specified on a new line with a new index.

Default value: * (scan all images).

Examples:

Scan images with the name my_image and the tag latest:

ImageNameMask=my_image:latest

Scan all images whose names start with my_image and with any tag:

ImageNameMask=my_image*

DeepScan

Checking all image layers and running containers.

Yes – Scan all layers.

No (default value) – Do not scan any layer.

ContainerScanAction

Action to be performed on a container when an infected object is detected. Actions on an infected object inside the container are described below.

StopContainerIfFailed (default value) — The application stops the container if an infected object disinfection failed.

StopContainer — The application stops the container when an infected object is detected.

Skip — The application does not perform any action on containers when an infected object is detected.

ImageAction

Specifies the action to be performed on an image when an infected object is detected. Actions on an infected object inside the image are described below.

Skip (default value) — The application does not perform any action on images when an infected object is detected.

Delete — The application deletes the image when an infected object is detected (not recommended).

All dependencies will also be deleted. Running containers will be stopped, and then deleted.
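
What the shell-format masks described for ContainerNameMask and ImageNameMask select, as an added example that is not part of the Kaspersky documentation. It uses Python's fnmatch as a stand-in for the product's matcher and assumes the mask is compared with the whole name:tag string; the inventory and the helper names select, overmatch and tag_anchored are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed inventory (sample data, not from the page): "name:tag" strings
# as a container runtime would list them.
SAMPLE_IMAGES = [
    "my_image:latest",
    "my_image:1.4",
    "my_image_builder:latest",
    "my_imageproxy:2.0",
    "other_image:latest",
]

def select(mask, names):
    """Return the names a shell-format mask (? and *) would select.

    Assumption: the mask must match the whole string, case-sensitively.
    """
    return [n for n in names if fnmatchcase(n, mask)]

def overmatch(mask, intended_name, names):
    """Names the mask selects whose repository part is not intended_name."""
    return [n for n in select(mask, names) if n.split(":", 1)[0] != intended_name]

def tag_anchored(name):
    """Mask that still means 'any tag' but no longer matches longer image names."""
    return name + ":*"

if __name__ == "__main__":
    for mask in ("my_image*", tag_anchored("my_image")):
        print(mask, "->", select(mask, SAMPLE_IMAGES))
    print("unintended:", overmatch("my_image*", "my_image", SAMPLE_IMAGES))
```

Previewing a mask this way matters most before setting ImageAction=Delete, because every image the mask selects is subject to that action.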

The settings described below are applied to the objects inside containers and images.

Custom Container Scan task settings

Setting

Description

Values

ScanArchived

Enables scanning of archives (including SFX self-extracting archives).

The application scans the following archives: .zip; .7z*; .7-z; .rar; .iso; .cab; .jar; .bz; .bz2; .tbz; .tbz2; .gz; .tgz; .arj. The list of supported archive formats depends on the application databases being used.

Yes (default value) — Scan archives. If the FirstAction=Recommended value is specified, then, depending on the archive type, the application deletes either the infected object or the entire archive that contains the threat.

No — Do not scan archives.

ScanSfxArchived

Enables scanning of self-extracting archives only (archives that contain an executable extraction module).

Yes (default value) — Scan self-extracting archives.

No — Do not scan self-extracting archives.

ScanMailBases

Enables scanning email databases of Microsoft Outlook, Outlook Express, The Bat, and other mail clients.

Yes — Scan files of email databases.

No (default value) — Do not scan files of email databases.

ScanPlainMail

Enables scanning of plain text email messages.

Yes — Scan plain text email messages.

No (default value) — Do not scan plain text email messages.

ScanPriority

Task priority. Task priority is a setting that combines a number of internal application settings and process start settings. By using this setting, you can specify the way the application consumes system resources for running tasks.

Idle — Run the task with a low priority: no more than 10% of processor resource consumption. Specify this value to release the application resources for other tasks, including user processes. The current scan task takes longer to complete.

Normal — Run the task with a normal priority: no more than 50% of all processor resources.

High (default value) — Run the task with a high priority, without limiting the consumption of processor resources. Specify this value to perform the current scan task faster.

TimeLimit

Maximum object scan duration (in seconds). The application stops scanning the object if it takes longer than the time specified by this setting.

0 – 9999

0 — The object scan time is unlimited.

Default value: 0.

SizeLimit

Maximum size of an object to be scanned (in megabytes). If the object to be scanned is larger than the specified value, the application skips this object.

0 – 999999

0 — The application scans objects of any size.

Default value: 0.

FirstAction

Selection of the first action to be performed by the application on the infected objects.

If an infected object is detected in a file referenced by a symbolic link that is included in the scan scope (while the file referenced by this symbolic link is not included in the scan scope), the specified action will be performed on the target file. For example, if you specify the Remove action, the application removes the target file, but the symbolic link file remains and refers to a non-existent file.

Disinfect — The application tries to disinfect an object and save a copy of it to the Storage. If disinfection fails (for example, if the type of object or the type of threat in the object cannot be disinfected), then the application leaves the object unchanged. If the first action is Disinfect, it is recommended to specify a second action using the SecondAction setting.

Remove — The application removes the infected object after creating a backup copy of it.

Recommended (perform recommended action) — The application automatically selects and performs an action on the object based on information about the threat detected in the object. For example, the application immediately removes Trojans since they do not incorporate themselves into other files and therefore they do not need to be disinfected.

Skip — The application does not try to disinfect or delete infected objects. Information about the infected object is logged.

Default value: Recommended.

SecondAction

Selection of the second action to be performed by the application on the infected objects. The application performs the second action if the first action fails.

The possible values of the SecondAction setting are the same as those of the FirstAction setting.

If Skip or Remove is selected as the first action, the second action does not need to be specified. It is recommended to specify two actions in all other cases. If you have not specified the second action, the application applies Skip as the second action.

Default value: Skip.

UseExcludeMasks

Enables exclusion of the objects specified by the ExcludeMasks setting from scan.

Yes — Exclude objects specified by the ExcludeMasks setting from scan.

No (default value) — Do not exclude objects specified by the ExcludeMasks setting from scan.

ExcludeMasks

Excludes objects from being scanned by name or mask. You can use this setting to exclude an individual file from the specified scan scope by name or exclude several files at once using masks in the shell format.

The default value is not defined.

Example:

UseExcludeMasks=Yes

ExcludeMasks.item_0000=eicar1.*

ExcludeMasks.item_0001=eicar2.*

UseExcludeThreats

Enables exclusion of objects containing the threats specified by the ExcludeThreats setting from scans.

Yes — Exclude objects containing the threats specified by the ExcludeThreats setting from scans.

No (default value) — Do not exclude objects containing the threats specified by the ExcludeThreats setting from scans.

ExcludeThreats

Excludes objects from scans by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is enabled.

In order to exclude an object from scans, specify the full name of the threat detected in this object – the string containing the application's decision that the object is infected.

For example, you may be using a utility to collect information about your network. To keep the application from blocking it, add the full name of the threat contained in it to the list of threats excluded from scans.

You can find the full name of the threat detected in an object in the application log or on the Virus Encyclopedia website.

The setting value is case-sensitive.

The default value is not defined.

Example:

UseExcludeThreats=Yes

ExcludeThreats.item_0000=EICAR-Test-*

ExcludeThreats.item_0001=?rojan.Linux

ReportCleanObjects

Enables logging of information about scanned objects that the application reports as not being infected.

You can enable this setting, for example, to make sure that a particular object was scanned by the application.

Yes — Log information about non-infected objects.

No (default value) — Do not log information about non-infected objects.

ReportPackedObjects

Enables logging of information about scanned objects that are part of compound objects.

You can enable this setting, for example, to make sure that an object within an archive has been scanned by the application.

Yes — Log information about scanned objects within archives.

No (default value) — Do not log information about scanned objects within archives.

ReportUnprocessedObjects

Enables logging of information about objects that have not been processed for some reason.

Yes — Log information about unprocessed objects.

No (default value) — Do not log information about unprocessed objects.

UseAnalyzer

Enables heuristic analysis.

Heuristic analysis helps the application to detect threats even before they become known to virus analysts.

Yes (default value) — Enable Heuristic Analyzer.

No — Disable Heuristic Analyzer.

HeuristicLevel

Specifies the heuristic analysis level.

The heuristic analysis level sets the balance between the thoroughness of searches for threats, the load on the operating system's resources, and the scan duration. The higher the heuristic analysis level, the more resources and time are required for scanning.

Light — The least thorough scan with minimum load on the system.

Medium — A medium heuristic analysis level with a balanced load on the system.

Deep — The most thorough scan with maximum load on the system.

Recommended (default value) — The recommended value.

UseIChecker

Enables usage of the iChecker technology.

Yes (default value) — Enable use of the iChecker technology.

No — Disable use of the iChecker technology.
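
A review pass over a settings file in the Key=Value form used in this page's examples, added here as an example and not part of the Kaspersky documentation. It applies the defaults from the tables above and reports values that narrow scan coverage or trigger destructive actions; the flat file layout, the sample values and the function names parse and audit are assumptions.

```python
# Defaults copied from the settings tables on this page.
DEFAULTS = dict(ScanContainers="Yes", ScanImages="Yes", DeepScan="No", ImageAction="Skip",
                ContainerScanAction="StopContainerIfFailed", FirstAction="Recommended",
                SecondAction="Skip", TimeLimit="0", SizeLimit="0", UseAnalyzer="Yes",
                UseExcludeMasks="No", UseExcludeThreats="No")
# Constructed sample (not from the page); the flat Key=Value layout is an assumption.
SAMPLE = """ImageAction=Delete
FirstAction=Disinfect
SizeLimit=200
UseExcludeMasks=Yes
ExcludeMasks.item_0000=*.tgz
ExcludeThreats.item_0000=EICAR-Test-*
"""

def parse(text):
    """Split Key=Value lines into scalars (over defaults) and .item_NNNN lists."""
    scalars, lists = dict(DEFAULTS), {}
    for line in text.splitlines():
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep or key.startswith(("#", ";", "[")):
            continue  # blank line, comment or section header
        if ".item_" in key:
            lists.setdefault(key.split(".item_")[0], []).append(value)
        else:
            scalars[key] = value
    return scalars, lists

def audit(text):
    """Return (setting, finding) pairs for values that narrow or endanger a scan."""
    s, lists = parse(text)
    checks = [
        (s["ScanContainers"] == "No", "ScanContainers", "containers are not scanned"),
        (s["ScanImages"] == "No", "ScanImages", "images are not scanned"),
        (s["DeepScan"] == "No", "DeepScan", "layers are not scanned"),
        (s["ContainerScanAction"] == "Skip", "ContainerScanAction", "no action on containers"),
        (s["ImageAction"] == "Delete", "ImageAction", "image and dependencies are deleted"),
        (s["FirstAction"] == "Skip", "FirstAction", "infected objects are only logged"),
        (s["FirstAction"] == "Disinfect" and s["SecondAction"] == "Skip",
         "SecondAction", "failed disinfection leaves the object unchanged"),
        (s["TimeLimit"] != "0", "TimeLimit", "long object scans are stopped"),
        (s["SizeLimit"] != "0", "SizeLimit", "larger objects are skipped"),
        (s["UseAnalyzer"] == "No", "UseAnalyzer", "heuristic analysis is disabled"),
    ]
    out = [(name, msg) for hit, name, msg in checks if hit]
    for use, name in (("UseExcludeMasks", "ExcludeMasks"), ("UseExcludeThreats", "ExcludeThreats")):
        state = "excluded: " if s[use] == "Yes" else "ignored while " + use + "=No: "
        out += [(name, state + item) for item in lists.get(name, [])]
    return out
```

Calling audit(SAMPLE) returns one pair per finding, including the ExcludeThreats entry that has no effect because UseExcludeThreats is left at its default of No.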
