Configuring system event interception

To function properly, the application must intercept system events, that is, file operations and the starting of processes. If the application does not use system event interception, real-time file scanning is not performed, and the protection level of the device is reduced.

If the operating system of your device supports fanotify, you can select the mechanism that the application uses to intercept system events:

• Interception mechanism based on an updatable kernel module. Using an updatable kernel module allows optimizing the interception of started processes by Kaspersky Endpoint Security. The updatable kernel module is included in the distribution kit of the application.
• System interception mechanism based on fanotify. This mechanism is used by default.

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the updatable kernel module is not supported.

For operating systems that do not support fanotify, selection of interception mechanism is not available. The application uses a special kernel module to intercept system events to provide File Threat Protection. This module is automatically compiled when File Threat Protection is started, provided that all the dependencies and build tools are available.

The application can use the interception mechanism based on the updatable kernel module if the operating system satisfies the requirements for installing the updatable kernel module.

You can use the Kaspersky ULKM tool to check whether your device satisfies the requirements for installing the updatable kernel module.

You can install the updatable kernel module during application installation or later as part of an update that enables the support of the updatable kernel module. After installing the application, you can select a system event interception mechanism in the Web Console, the Administration Console, or on the command line.

If you have selected an interception mechanism based on the updatable kernel module, you can configure the application's behavior if an error occurs when the updatable kernel module is started and the module does not start. In this case, the application can fall back to fanotify or disable system event interception.

The application can switch to using an updatable kernel module in the following situations:

• In the application settings, you have changed the mechanism for intercepting system events to the updatable kernel module.
• On a device where the updatable kernel module was not started, a database and module update introduced updates that support for the updatable kernel module.

For the application to work correctly, the switch to using the updatable kernel module must be performed after the application is automatically restarted.

You can view information about the status and availability of the updatable kernel module on your device:

• In the Web Console or the Administration Console, by looking at the status of the Updatable kernel module functional component.
• On the command line, in the output of the kesl-control --app-info command.

Information about the state of the updatable kernel module is displayed in the form of statuses:

• Running means the module is installed and running.
• Stopped means the module is installed but not running.
• Unavailable means the module is not supported on the device.
• Malfunction means an error occurred while starting the module, and the module is not running.

In this section Checking if the updatable kernel module can be installed "Safe" mode when using the updatable kernel module Managing interception settings in the Web Console Managing interception settings in the Administration Console Managing interception settings on the command line

Page top