General application settings

General application settings define the operation of the application as a whole and the operation of individual functions.

Setting	Description	Values
`SambaConfigPath`	Directory that stores the Samba configuration file. The Samba configuration file is required to ensure that the `AllShared` or `Shared:SMB` values can be used for the `Path` setting. The application must be restarted after this setting is changed.	The standard directory of the SAMBA configuration file on the computer is specified by default. Default value: /etc/samba/smb.conf.
`NfsExportPath`	The directory where the NFS configuration file is stored. The NFS configuration file is required to ensure that the `AllShared` or `Shared:NFS` values can be used for the `Path` setting. The application must be restarted after this setting is changed.	The standard directory of the NFS configuration file on the computer is specified by default. Default value: /etc/exports.
`TraceLevel`	Enable application tracing and the level of detail in the trace files.	`Detailed` – Generate a detailed trace file. `MediumDetailed` – Generate a trace file that contains informational messages and error messages. `NotDetailed` – Generate a trace file that contains error messages. `None` (default value) — Do not generate a trace file.
`TraceFolder`	The directory that stores the application trace files. The application must be restarted after this setting is changed.	Default value: /var/log/kaspersky/kesl. If you specify a different directory, make sure that the account under which Kaspersky Endpoint Security is running has only read/write permissions for this directory (rwx-------- 700 permissions). Root privileges are required to access the default trace files directory.
`TraceMaxFileCount`	Maximum number of application trace files. The application must be restarted after this setting is changed.	1–10000 Default value: 10.
`TraceMaxFileSize`	Specifies the maximum size of an application trace file (in megabytes). The application must be restarted after this setting is changed.	1–1000 Default value: 500.
`BlockFilesGreaterMaxFileNamePath`	Blocks access to files for which the full path length exceeds the defined settings value specified in bytes. If the length of the full path to the scanned file exceeds the value of this setting, scan tasks skip this file during scanning. This setting only applies to operating systems that do not support fanotify. After changing the value of this setting, the File Threat Protection task needs to be restarted.	4096–33554432 Default value: 16384.
`DetectOtherObjects`	Enable detection of legitimate applications that intruders can use to compromise devices or data.	`Yes`: enable detection of legitimate applications that intruders can use to compromise devices or data. `No` (default): disable detection of legitimate applications that intruders can use to compromise devices or data.
`NamespaceMonitoring`	Enable scanning of namespaces and containers. The application does not scan namespaces and containers unless components for working with containers and namespaces are installed in the operating system.	`Yes` (default value) — Enable scanning of namespaces and containers. `No` — Disable scanning of namespaces and containers.
`FileBlockDuringScan`	Enabling the file operation intercept mode with blocking access to files for the duration of the scan. The file operation interception mode affects the File Threat Protection and Device Control components.	`Yes` (default value) to block access to files for the duration of the scan. `No` to allow access to files during the scan. Requests to any file is allowed, scanning is done asynchronously. This file operation interception mode has less impact on the system performance, but there is a risk that a threat in a file will not be disinfected or deleted if the file can, for example, change its name during a scan before the application makes a decision on the status of the file.
`UseKSN`	Configure Kaspersky Security Network for the application.	`Basic` - enable use of Kaspersky Security Network in standard mode. `Extended` - enable use of Kaspersky Security Network in extended mode. `No` (default value) — do not use the Kaspersky Security Network.
`CloudMode`	Enable cloud mode. Cloud mode is available if use of KSN is enabled. If you plan to use cloud mode, make sure KSN is available on your device. This setting applies only if the application is used in Standard mode.	`Yes` — enable the operating mode in which Kaspersky Endpoint Security uses a lightweight version of the malware databases. `No` (default value) – use the full version of the malware databases. Cloud mode is disabled automatically if use of KSN is disabled.
`UseMDR`	Enabling the Managed Detection and Response component for integration with Kaspersky Managed Detection and Response. If you enable the MDR component, and Kaspersky Security Network is disabled or used in standard mode, an error message is displayed and the MDR component is not enabled. To enable the MDR component, you must enable KSN in Extended mode.	`Yes` to enable the Managed Detection and Response component. `No` (default value) – disable the Managed Detection and Response component.
`UseEdrOptimum`	Enabling the EDR Optimum component for integration with Kaspersky Endpoint Detection and Response Optimum.	`Yes` – Enable the EDR Optimum component. `No` (default) – Disable the EDR Optimum component.
`UseProxy`	Enables use of a proxy server by Kaspersky Endpoint Security components. The proxy server can be used for access to Kaspersky activation servers, to update sources for databases and application modules, to Kaspersky Security Network, and when verifying website certificates using the Web Threat Protection component. If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the use of a proxy server for connecting to Kaspersky Security Network, the SVM, and the Integration Server is not supported.	`Yes` - enable the use of a proxy server. `No` (default) - Disable the use of a proxy server.
`ProxyServer`	Address of the proxy server used to connect to the Internet. When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.	Address of the proxy server in one of the following formats: `<connection protocol>://<IP address of the proxy server>:<port number>` if the proxy server connection does not require authentication `<connection protocol>://<user name>:<password>@<IP address of the proxy server>:<port number>` if the proxy server connection requires authentication Connecting to a proxy server over HTTPS is not supported.
`ProxyBypass`	List of addresses for which the proxy server is to be bypassed.	The address is specified in the [`<address>[:<port>`] format. To specify addresses, you can use masks (`*` symbols) and comments (after a \ symbol).
`ProxyBypassEdr`	Bypass the proxy server when connecting to KATA servers.	`Yes` to bypass the proxy server when connecting to KATA servers. `No` (default value) to use the proxy server when connecting to KATA servers.
`ProxyBypassNdr`	Bypass the proxy server when connecting to NDR servers.	`Yes` to bypass the proxy server when connecting to NDR servers. `No` (default value) to use the proxy server when connecting to NDR servers.
`ProxyBypassSandbox`	Use the proxy server when connecting to Central Node servers that provide interaction with KATA Sandbox (Sandbox servers).	`Yes` to bypass the proxy server when connecting to Sandbox servers. `No` (default value) to use the proxy server when connecting to Sandbox servers.
`MaxEventsNumber`	The maximum number of events stored by the application. When the specified number of events is exceeded, the application deletes the oldest events.	Default value: 500000. If the value is 0, new events are not saved, and old events are deleted.
`LimitNumberOfScanFileTasks`	The maximum number of custom scan tasks that a non-privileged user can simultaneously start on the device. This setting does not limit the number of tasks that a user with root privileges can start.	0–100000 0 means a non-privileged user cannot start custom scan tasks. Default value: 5.
`UseSyslog`	Enable logging of event information to syslog Root privileges are required to access syslog.	`Yes` — Enable logging of information about events to syslog. `No` (default value) — Disable logging of information about events to syslog.
`EventsStoragePath`	Path to the main file of the event log database. Root privileges are required to access the default event database.	Default value: /var/opt/kaspersky/kesl/private/storage/events.db.
`ExcludedMountPoint.item_#`	The mount point to exclude from the scan scope. The exclusion applies to the operation of the File Threat Protection, Anti-Cryptor, and Container Monitoring components and the Removable Drives Scan task, and is also configured in the operation of ODS and ContainerScan scan tasks. You can specify several mount points to be excluded from scans. Mount points must be specified in the same way as they are displayed in the `mount` command output. The `ExcludedMountPoint.item_#` setting is left unspecified by default.	`AllRemoteMounted` — Exclude all remote directories mounted on the device using SMB and NFS protocols from file operation interception. `Mounted:NFS` — Exclude all remote directories mounted on the device using the NFS protocol from file operation interception. `Mounted:SMB` — Exclude all remote directories mounted on the device using the SMB protocol from file operation interception. `Mounted:<file system type>` — Exclude all mounted directories with the specified file system type from file operation interception. `/mnt` — Exclude objects in the /mnt mount point (including subdirectories) from file operation interception. This directory is used as the temporary mount point for removable drives. `<path that contains the` `/mnt/user` `or` `/mnt//user_share>` — Exclude objects in mount points whose names contain the specified mask from file operation interception. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir//file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. To exclude the mount point `/dir`, you need to specifically indicate `/dir` (no asterisk). The mask `/dir/` excludes all mount points at the level below `/dir` but not `/dir` itself. The `/dir/*` mask excludes all mount points below the level of `/dir` but not `/dir` itself. You can use a single `?` character to represent any one character in the file or directory name.
`MemScanExcludedProgramPath.item_#`	Exclude process memory from scans. The application does not scan the memory of the indicated process.	`<full path to process>` – Do not scan the process in the indicated local directory. You can use masks to specify the path. You can use the `` (asterisk) character to create a file or directory name mask. You can indicate a single `` character to represent any set of characters (including an empty set) preceding the `/` character in the file or directory name. For example, `/dir//file` or `/dir///file`. You can indicate two consecutive `` characters to represent any set of characters (including an empty set and the `/` character) in the file or directory name. For example, `/dir/*/file/` or `/dir/file/`. The `` mask can be used only once in a directory name. For example, `/dir///file` is an incorrect mask. You can use a single `?` character to represent any one character in the file or directory name.
`UseOnDemandCPULimit`	Enables CPU usage limits for tasks of the following types: ODS, ContainerScan, and InventoryScan.	`Yes`: enable the CPU usage limit for ODS, ContainerScan, and InventoryScan tasks. `No` (default): disable CPU usage limits for tasks.
`OnDemandCPULimit`	Maximum utilization of all processor cores (as a percentage) for tasks of the following types: ODS, ContainerScan, and InventoryScan.	Integer value from 10 to 100. Default value: 100.
`BackupDaysToLive`	Time period for storing objects in the Backup storage (in days). After the specified time has elapsed, the application deletes the oldest backup copies of files. To remove the object retention limit, set 0.	0–10000 0–unlimited retention. Default value: 30.
`BackupSizeLimit`	Maximum Backup size in MB. When the maximum Backup storage size is reached, the application deletes the oldest backup copies of files. To remove the Backup size limit, set 0.	0–999999 0–unlimited size. Default value: 0.
`QuarantineBackupFolder`	The path to the directory where backup copies of files and quarantined files are stored. You can change the default directory. If the specified directory does not exist or is unavailable, the application uses the default directory.	Default value: /var/opt/kaspersky/kesl/common/objects-backup/ Root privileges are required for access to the default directory.
`QuarantineFillingNotification`	The percentage of Quarantine that must be full to generate an event about Quarantine being full. To disable generating events about Quarantine being full, enter 0.	0–100 0 – generating events about Quarantine being full is disabled. Default value: 90.
`QuarantineSizeLimit`	Maximum size of the Quarantine (in megabytes). When the maximum Quarantine size is reached, the application deletes the oldest files. To make the size of Quarantine unlimited, enter 0.	0–999999 0 means the Quarantine size is not limited. The default value is 200 if the application is being used in Standard mode, and 100 if the application is being used in Light Agent mode.
`ShowPopUpNotifications`	Enables displaying pop-up notifications in the graphical user interface.	`Yes` (default value) – show pop-up notifications in the graphical user interface. `No` – do not show pop-up notifications in the graphical user interface.
`PowerSaveMode`	Canceling scheduled tasks on a device running on battery power.	`Yes` (default value) skips scheduled tasks when the device is running on battery power. `No` runs scheduled tasks regardless of whether the device is running on battery power or not.
`InterceptorMode`	The system event interception mechanism used by Kaspersky Endpoint Security: This setting is applied only on devices where the operating system supports fanotify and the application is used in standard mode.	`UseFanotify` (default) – use the fanotify technology to intercept system events. `UseUpdatableKernelModule` – use an updatable kernel module to intercept system events.
`InterceptorFallbackStrategy`	What the application does if the updatable kernel module fails to start. This setting is applied only on devices where the operating system supports fanotify and the application is used in standard mode.	`FallbackToFanotify` (default) – switch to fanotify for system event interception. `FallbackToLimitedMode` – do not use system event interception. If the application does not use system event interception, real-time file scanning is not performed, and the protection level of the device is reduced.
`InterceptorApplyStrategy`	If the application switches to using the updatable kernel module, the application must be restarted to start the module. This setting lets you specify if you want the application to be restarted automatically or if you prefer to restart the application manually. This setting is applied only on devices where the operating system supports fanotify and the application is used in standard mode.	`RestartServiceAutomatically` automatically restarts the application to start the updatable kernel module. `RestartServiceManually` starts the updatable kernel module after the application is restarted manually by the user. We recommend automatically restarting the application to switch to using the updatable kernel module. Starting the updatable kernel module manually after restarting the application can lead to application errors.

Setting

Description

Values

SambaConfigPath

Directory that stores the Samba configuration file. The Samba configuration file is required to ensure that the AllShared or Shared:SMB values can be used for the Path setting.

The application must be restarted after this setting is changed.

The standard directory of the SAMBA configuration file on the computer is specified by default.

Default value: /etc/samba/smb.conf.

NfsExportPath

The directory where the NFS configuration file is stored. The NFS configuration file is required to ensure that the AllShared or Shared:NFS values can be used for the Path setting.

The application must be restarted after this setting is changed.

The standard directory of the NFS configuration file on the computer is specified by default.

Default value: /etc/exports.

TraceLevel

Enable application tracing and the level of detail in the trace files.

Detailed – Generate a detailed trace file.

MediumDetailed – Generate a trace file that contains informational messages and error messages.

NotDetailed – Generate a trace file that contains error messages.

None (default value) — Do not generate a trace file.

TraceFolder

The directory that stores the application trace files.

The application must be restarted after this setting is changed.

Default value: /var/log/kaspersky/kesl.

If you specify a different directory, make sure that the account under which Kaspersky Endpoint Security is running has only read/write permissions for this directory (rwx-------- 700 permissions). Root privileges are required to access the default trace files directory.

TraceMaxFileCount

Maximum number of application trace files.

The application must be restarted after this setting is changed.

1–10000

Default value: 10.

TraceMaxFileSize

Specifies the maximum size of an application trace file (in megabytes).

The application must be restarted after this setting is changed.

1–1000

Default value: 500.

BlockFilesGreaterMaxFileNamePath

Blocks access to files for which the full path length exceeds the defined settings value specified in bytes. If the length of the full path to the scanned file exceeds the value of this setting, scan tasks skip this file during scanning.

This setting only applies to operating systems that do not support fanotify.

After changing the value of this setting, the File Threat Protection task needs to be restarted.

4096–33554432

Default value: 16384.

DetectOtherObjects

Enable detection of legitimate applications that intruders can use to compromise devices or data.

Yes: enable detection of legitimate applications that intruders can use to compromise devices or data.

No (default): disable detection of legitimate applications that intruders can use to compromise devices or data.

NamespaceMonitoring

Enable scanning of namespaces and containers.

The application does not scan namespaces and containers unless components for working with containers and namespaces are installed in the operating system.

Yes (default value) — Enable scanning of namespaces and containers.

No — Disable scanning of namespaces and containers.

FileBlockDuringScan

Enabling the file operation intercept mode with blocking access to files for the duration of the scan. The file operation interception mode affects the File Threat Protection and Device Control components.

Yes (default value) to block access to files for the duration of the scan.

No to allow access to files during the scan. Requests to any file is allowed, scanning is done asynchronously. This file operation interception mode has less impact on the system performance, but there is a risk that a threat in a file will not be disinfected or deleted if the file can, for example, change its name during a scan before the application makes a decision on the status of the file.

UseKSN

Configure Kaspersky Security Network for the application.

Basic - enable use of Kaspersky Security Network in standard mode.

Extended - enable use of Kaspersky Security Network in extended mode.

No (default value) — do not use the Kaspersky Security Network.

CloudMode

Enable cloud mode. Cloud mode is available if use of KSN is enabled.

If you plan to use cloud mode, make sure KSN is available on your device.

This setting applies only if the application is used in Standard mode.

Yes — enable the operating mode in which Kaspersky Endpoint Security uses a lightweight version of the malware databases.

No (default value) – use the full version of the malware databases.

Cloud mode is disabled automatically if use of KSN is disabled.

UseMDR

Enabling the Managed Detection and Response component for integration with Kaspersky Managed Detection and Response.

If you enable the MDR component, and Kaspersky Security Network is disabled or used in standard mode, an error message is displayed and the MDR component is not enabled. To enable the MDR component, you must enable KSN in Extended mode.

Yes to enable the Managed Detection and Response component.

No (default value) – disable the Managed Detection and Response component.

UseEdrOptimum

Enabling the EDR Optimum component for integration with Kaspersky Endpoint Detection and Response Optimum.

Yes – Enable the EDR Optimum component.

No (default) – Disable the EDR Optimum component.

UseProxy

Enables use of a proxy server by Kaspersky Endpoint Security components. The proxy server can be used for access to Kaspersky activation servers, to update sources for databases and application modules, to Kaspersky Security Network, and when verifying website certificates using the Web Threat Protection component.

If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the use of a proxy server for connecting to Kaspersky Security Network, the SVM, and the Integration Server is not supported.

Yes - enable the use of a proxy server.

No (default) - Disable the use of a proxy server.

ProxyServer

Address of the proxy server used to connect to the Internet.

When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.

Address of the proxy server in one of the following formats:

<connection protocol>://<IP address of the proxy server>:<port number> if the proxy server connection does not require authentication
<connection protocol>://<user name>:<password>@<IP address of the proxy server>:<port number> if the proxy server connection requires authentication

Connecting to a proxy server over HTTPS is not supported.

ProxyBypass

List of addresses for which the proxy server is to be bypassed.

The address is specified in the [<address>[:<port>] format.

To specify addresses, you can use masks (* symbols) and comments (after a \ symbol).

ProxyBypassEdr

Bypass the proxy server when connecting to KATA servers.

Yes to bypass the proxy server when connecting to KATA servers.

No (default value) to use the proxy server when connecting to KATA servers.

ProxyBypassNdr

Bypass the proxy server when connecting to NDR servers.

Yes to bypass the proxy server when connecting to NDR servers.

No (default value) to use the proxy server when connecting to NDR servers.

ProxyBypassSandbox

Use the proxy server when connecting to Central Node servers that provide interaction with KATA Sandbox (Sandbox servers).

Yes to bypass the proxy server when connecting to Sandbox servers.

No (default value) to use the proxy server when connecting to Sandbox servers.

MaxEventsNumber

The maximum number of events stored by the application. When the specified number of events is exceeded, the application deletes the oldest events.

Default value: 500000.

If the value is 0, new events are not saved, and old events are deleted.

LimitNumberOfScanFileTasks

The maximum number of custom scan tasks that a non-privileged user can simultaneously start on the device. This setting does not limit the number of tasks that a user with root privileges can start.

0–100000

0 means a non-privileged user cannot start custom scan tasks.

Default value: 5.

UseSyslog

Enable logging of event information to syslog

Root privileges are required to access syslog.

Yes — Enable logging of information about events to syslog.

No (default value) — Disable logging of information about events to syslog.

EventsStoragePath

Path to the main file of the event log database.

Root privileges are required to access the default event database.

Default value: /var/opt/kaspersky/kesl/private/storage/events.db.

ExcludedMountPoint.item_#

The mount point to exclude from the scan scope. The exclusion applies to the operation of the File Threat Protection, Anti-Cryptor, and Container Monitoring components and the Removable Drives Scan task, and is also configured in the operation of ODS and ContainerScan scan tasks.

You can specify several mount points to be excluded from scans.

Mount points must be specified in the same way as they are displayed in the mount command output.

The ExcludedMountPoint.item_# setting is left unspecified by default.

AllRemoteMounted — Exclude all remote directories mounted on the device using SMB and NFS protocols from file operation interception.

Mounted:NFS — Exclude all remote directories mounted on the device using the NFS protocol from file operation interception.

Mounted:SMB — Exclude all remote directories mounted on the device using the SMB protocol from file operation interception.

Mounted:<file system type> — Exclude all mounted directories with the specified file system type from file operation interception.

/mnt — Exclude objects in the /mnt mount point (including subdirectories) from file operation interception. This directory is used as the temporary mount point for removable drives.

<path that contains the /mnt/user* or /mnt/**/user_share> — Exclude objects in mount points whose names contain the specified mask from file operation interception.

MemScanExcludedProgramPath.item_#

Exclude process memory from scans.

The application does not scan the memory of the indicated process.

<full path to process> – Do not scan the process in the indicated local directory. You can use masks to specify the path.

UseOnDemandCPULimit

Enables CPU usage limits for tasks of the following types: ODS, ContainerScan, and InventoryScan.

Yes: enable the CPU usage limit for ODS, ContainerScan, and InventoryScan tasks.

No (default): disable CPU usage limits for tasks.

OnDemandCPULimit

Maximum utilization of all processor cores (as a percentage) for tasks of the following types: ODS, ContainerScan, and InventoryScan.

Integer value from 10 to 100.

Default value: 100.

BackupDaysToLive

Time period for storing objects in the Backup storage (in days). After the specified time has elapsed, the application deletes the oldest backup copies of files.

To remove the object retention limit, set 0.

0–10000

0–unlimited retention.

Default value: 30.

BackupSizeLimit

Maximum Backup size in MB. When the maximum Backup storage size is reached, the application deletes the oldest backup copies of files.

To remove the Backup size limit, set 0.

0–999999

0–unlimited size.

Default value: 0.

QuarantineBackupFolder

The path to the directory where backup copies of files and quarantined files are stored.

You can change the default directory. If the specified directory does not exist or is unavailable, the application uses the default directory.

Default value: /var/opt/kaspersky/kesl/common/objects-backup/

Root privileges are required for access to the default directory.

QuarantineFillingNotification

The percentage of Quarantine that must be full to generate an event about Quarantine being full.

To disable generating events about Quarantine being full, enter 0.

0–100

0 – generating events about Quarantine being full is disabled.

Default value: 90.

QuarantineSizeLimit

Maximum size of the Quarantine (in megabytes). When the maximum Quarantine size is reached, the application deletes the oldest files.

To make the size of Quarantine unlimited, enter 0.

0–999999

0 means the Quarantine size is not limited.

The default value is 200 if the application is being used in Standard mode, and 100 if the application is being used in Light Agent mode.

ShowPopUpNotifications

Enables displaying pop-up notifications in the graphical user interface.

Yes (default value) – show pop-up notifications in the graphical user interface.

No – do not show pop-up notifications in the graphical user interface.

PowerSaveMode

Canceling scheduled tasks on a device running on battery power.

Yes (default value) skips scheduled tasks when the device is running on battery power.

No runs scheduled tasks regardless of whether the device is running on battery power or not.

InterceptorMode

The system event interception mechanism used by Kaspersky Endpoint Security:

This setting is applied only on devices where the operating system supports fanotify and the application is used in standard mode.

UseFanotify (default) – use the fanotify technology to intercept system events.

UseUpdatableKernelModule – use an updatable kernel module to intercept system events.

InterceptorFallbackStrategy

What the application does if the updatable kernel module fails to start.

This setting is applied only on devices where the operating system supports fanotify and the application is used in standard mode.

FallbackToFanotify (default) – switch to fanotify for system event interception.

FallbackToLimitedMode – do not use system event interception. If the application does not use system event interception, real-time file scanning is not performed, and the protection level of the device is reduced.

InterceptorApplyStrategy

If the application switches to using the updatable kernel module, the application must be restarted to start the module. This setting lets you specify if you want the application to be restarted automatically or if you prefer to restart the application manually.

This setting is applied only on devices where the operating system supports fanotify and the application is used in standard mode.

RestartServiceAutomatically automatically restarts the application to start the updatable kernel module.

RestartServiceManually starts the updatable kernel module after the application is restarted manually by the user.

We recommend automatically restarting the application to switch to using the updatable kernel module. Starting the updatable kernel module manually after restarting the application can lead to application errors.

Page top