To function properly, the application must intercept system events, that is, file operations and the starting of processes. If the application does not use system event interception, real-time file scanning is not performed, and the protection level of the device is reduced.
If the operating system of your device supports fanotify, you can select the mechanism that the application uses to intercept system events:
If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the updatable kernel module is not supported.
For operating systems that do not support fanotify, the interception mechanism cannot be selected. The application uses a special kernel module to intercept system events to provide File Threat Protection. This module is automatically compiled when File Threat Protection is started, provided that all the dependencies and build tools are available.
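One way to check ahead of time whether a kernel was built with fanotify is to read its build configuration. The script below is an added example, not part of the application or its documentation. The function names and the `--check` argument are hypothetical, and it assumes that blocking on-access scanning relies on fanotify permission events, which the Linux kernel only provides when CONFIG_FANOTIFY_ACCESS_PERMISSIONS is enabled.

```shell
#!/bin/sh
# Added example: classify a kernel build config for fanotify support.
# Function names and the --check argument are hypothetical.

# Print the first readable kernel config for the running kernel.
kernel_config_path() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# True if option $2 is set to "y" in the option lines held in $1.
_cfg_on() {
    printf '%s\n' "$1" | grep -qx "$2=y"
}

# Print one of: permission-events | notify-only | unsupported | unknown
fanotify_support() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return 0; }
    case $cfg in
        *.gz) reader="gzip -dc" ;;   # /proc/config.gz is compressed
        *)    reader="cat" ;;
    esac
    # Both options are booleans, so only "=y" counts; a disabled option
    # appears as "# CONFIG_... is not set" and is skipped by the anchor.
    opts=$($reader "$cfg" 2>/dev/null |
        grep -E '^CONFIG_FANOTIFY(_ACCESS_PERMISSIONS)?=y$' || true)
    if ! _cfg_on "$opts" CONFIG_FANOTIFY; then
        echo unsupported
    elif _cfg_on "$opts" CONFIG_FANOTIFY_ACCESS_PERMISSIONS; then
        echo permission-events   # open/exec can be held until a verdict
    else
        echo notify-only         # events are reported, access is not blocked
    fi
}

# Run as: sh fanotify-check.sh --check
if [ "${1:-}" = "--check" ]; then
    cfg=$(kernel_config_path) || { echo "kernel config not found" >&2; exit 2; }
    echo "$cfg: $(fanotify_support "$cfg")"
fi
```

A result of `unknown` means the build configuration could not be read, which is common on hardened images that remove it; it does not mean fanotify is absent.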
The application can use the interception mechanism based on the updatable kernel module if the operating system satisfies the requirements for installing the updatable kernel module.
You can use the Kaspersky ULKM tool to check whether your device satisfies the requirements for installing the updatable kernel module.
You can install the updatable kernel module during application installation or later as part of an update that enables the support of the updatable kernel module. After installing the application, you can select a system event interception mechanism in the Web Console, the Administration Console, or on the command line.
If you have selected an interception mechanism based on the updatable kernel module, you can configure the application's behavior if an error occurs when the updatable kernel module is started and the module does not start. In this case, the application can fall back to fanotify or disable system event interception.
The application can switch to using an updatable kernel module in the following situations:
For the application to work correctly, the switch to using the updatable kernel module must be performed after the application is automatically restarted.
You can view information about the status and availability of the updatable kernel module on your device:
Using the kesl-control --app-info command.
Information about the state of the updatable kernel module is displayed in the form of statuses: