Creating a Portable Scanner

Before creating the Portable Scanner, make sure that there is no running Portable Scanner database update process.

How to create a Portable Scanner using the Portable Scanner setup wizard

In the notification area, in the context menu of the application icon, select the Compact Diagnostic Interface.
In the Compact Diagnostic Interface window that opens, click the Create Portable Scanner link.
A New Portable Scanner Wizard window opens at the welcome step.

To proceed to the next step of the wizard, click Next.
If necessary, import the Portable Scanner settings from a previously created XML file.
1. Click Import.
2. In the window that opens, select the XML file containing the Portable Scanner settings.
3. Click Open.
4. The settings from the XML file will be displayed at the subsequent wizard steps.
Add the key file required for creating the Portable Scanner.
1. Click Select license file.
2. In the window that opens, select the key file for the Portable Scanner.
3. Click Open.
4. The license information will be displayed in the wizard window.
Enable the actions to be performed by the Portable Scanner when started on the device:
- Scan selected area with anti-virus databases. A Portable Scanner scans a selected area for viruses and other threats. A Portable Scanner applies the default security level: Disinfect. Delete if disinfection fails.
- Record traffic from all network interfaces. A Portable Scanner records inbound and outbound traffic from a device being scanned for a specified amount of time.
- Scan the system with OVAL rules. Depending on the settings, a Portable Scanner can scan a device for vulnerabilities, assess device security and operating system compliance, or collect device configuration data using rules written in OVAL and XCCDF.
Set up a scan scope.
1. Click Add.
2. In the opened Scan scope window, select the type of object that you want to add:
  - Predefined scope, if you want the scan scope to include one of the predefined scopes on the protected device. Then in the drop-down list, select the desired scan scope.
  - Disk, folder or network location, to include a single drive or folder in the scan scope. Then select the required scope in the window, opened by the Browse button.
  - File, to include a single file in the scan scope. Then, in the Browse window that opens, select the file.
3. Click the OK button in the Scan scope window.
4. Enable or disable the scan scope items by selecting or clearing the check box to the left of the scan scope name.
Configure the scan.
1. Click Scan settings.
  The Scan settings window opens.
2. On the General tab, select the appropriate options:
  - Scan objects.
    The following options are available:
    
    All objects
    Objects scanned by format
    Objects scanned by the list of extensions specified in anti-virus databases
    Objects scanned by specified list of extensions
    Scan disk boot sectors
    Scan alternate NTFS streams.
  - Scan of compound objects.
    The following options are available:
    
    Archives
    SFX archives
    Email databases
    Packed objects
    Plain email
    Embedded OLE objects.
3. On the Additional tab, select the appropriate options:
  - General settings.
    Restore file attributes after scanning
    If a file is opened during the scan, the last accessed time for the file is updated. As a result, the archivers and cloud storages recalculate file data to transfer it to a cloud or to a backup. To avoid the recalculation process, you can restore the last accessed time after scanning is performed. By default, the option is disabled.
    Limit CPU usage for scan tasks
    This setting is used to avoid making the computer hang during scanning. This option may be crucial for industrial systems, where the main software is not supposed to freeze. By default, the option is disabled.
  - Folder for temporary files created during scanning.
    Click the Browse button to specify the folder for temporary files that will be created during the scan. By default, temporary files are created on the USB drive.
  - Action to perform on detected objects.
    Disinfect, delete if disinfection fails
    Quarantine is unavailable for the Portable Scanner, so leaving a probably infected object may be unsafe. Use this option to remove the detected file if disinfection fails. By default, the option is enabled.
    Inform
    Use this option for a quick scan. The security officers take the security measures when receiving a notification about the detected objects. Use this option for systems, where the workflow is not supposed to be interrupted by removing the industrial software modules. By default, the option is disabled.
  - Actions on unmodifiable compound files.
    Select the following option if applicable.
    
    Entirely remove the compound file that cannot be modified by the application in case of embedded object detection.
4. On the Performance tab, select the appropriate options:
  - Exclusions.
    Exclude files
    Use this option to exclude the files from scan scope and not remove them if detected. You can both specify a full path and use a mask. By default, the option is disabled.
    Do not detect objects by type
    Use this option to avoid detection and subsequent removal of the objects. You can both specify a full path and use a mask. By default, the option is disabled.
  - Advanced settings.
    Stop scanning if it takes longer than (sec)
    Use this option for scanning large files and the network when scanning takes a long time to complete. If it takes too long to scan an object, the timeout terminates the frozen process and the scanner proceeds with the scan scope examination. By default, the option is disabled.
    Do not scan compound objects larger than (MB)
    Use this option to accelerate scanning. For example, you may want to skip the 100 GB database archives and exclude them from the scan scope. By default, the option is disabled.
    Use iChecker technology
    For more information about iChecker technology, please refer to the article. By default, the option is enabled.
If required, under Network traffic recording, change the period for the Portable Scanner to record inbound and outbound traffic from the device being scanned. The default is 300 seconds.
Under Source of scanning rules, select the rule source that the Portable Scanner will use to audit device security.
- Kaspersky ICS CERT vulnerabilities database for SCADA. If this source is selected, the Portable Scanner scans the device for all vulnerabilities described in the OVAL rules, in the Kaspersky ICS CERT for ICS vulnerability database.
- Rules for collecting host configuration data. When this source is selected, the Portable Scanner collects configuration data from the host.
  Rules collect the following host data:
  - running services
  - Installed drivers
  - Scheduled tasks
  - Installed applications and patches
  - Names of shared network resources
  - Startup items
  - Host information (IP address, DNS name)
  - Local users and groups
  - Host hardware.
- Compliance and security configurations for operating systems. If this source is selected, the Portable Scanner checks the device operating system settings for compliance with the security standards described in the OVAL and XCCDF rules.
Kaspersky ICS CERT vulnerabilities database for SCADA, Rules for collecting host configuration data, and Compliance and security configurations for operating systems are provided with the Portable Scanner databases. Therefore, before starting the Portable Scanner with at least one of the listed rule sources selected, make sure that the Portable Scanner databases are up to date.
- Custom rule database. If this source is selected, the Portable Scanner checks the device for vulnerabilities described in custom OVAL and XCCDF rules.
Select the removable drive where the Portable Scanner will be created:
- Connected removable drive. Removable USB drive. Select the removable drive from the drop-down list.
- Secure removable drive. Rutoken removable USB drive protected from reading, copying, and writing by the administrator password. If you have selected this option, select a secure removable drive at the next wizard step.
If required, enable Verify scanner data after writing to the disk.
This feature verifies the Portable Scanner data. For example, if you are planning to create several Portable Scanners in a row with the same settings, verifying data for the very first Portable Scanner and discovering the discrepancies at an early stage saves time.
If you selected Secure removable drive, select from the drop-down list the connected Rutoken removable drive where to set up the Portable Scanner.
To have the Rutoken removable drive displayed in the list of connected removable media on a computer running Windows Server 2022, you must replace the UMDF2 driver for USB card readers with the WUDF driver.
Under Security settings, in the Enter the current administrator password field, enter the administrator password set on the Rutoken removable drive to protect its contents from being read, copied, or written by potential intruders.
Change current administrator password if required.
1. Select the Change the current password of administrator (only digits and Latin symbols are allowed) check box.
2. Enter a new password in the appropriate field.
3. Retype the password in the appropriate field.
Click Next.
A wizard window opens containing a description of the Portable Scanner configuration.
If required, export the current Portable Scanner settings to an XML file.
1. Click Export.
2. In the window that opens, select the path where you want to save the XML file containing the Portable Scanner settings.
3. Enter a name for the XML file.
4. Click the Save button.
Click Create to create a Portable Scanner with the specified settings.

The portable scanner will be written to the selected removable drive. A Kavscan folder will appear on the removable drive, containing the files and folders required for the Portable Scanner to work.

If there is already a Portable Scanner on the removable drive, the wizard overwrites its files, except for reports.

If you decide to abort writing, the installation wizard terminates write operation without rolling back the changes made.

After you complete the setup, the wizard prompts you to create another Portable Scanner.

How to create a Portable Scanner on the command line

On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
Using the cd command, navigate to the folder where the kavshell.exe file is located.
For example: cd C:\Program Files (x86)\Kaspersky Lab\Kaspersky Industrial CyberSecurity for Nodes 4.5.0

You can also add the executable file path to the %PATH% system variable and run the command without navigating to the application folder.

Run the following command:

KAVSHELL PORTABLESCANNER /drive=<Name of the removable drive or serial number of the Rutoken removable drive> /license=<path to the license key file> [/tokenpin=<password> [/newtokenpin=<password>]] [/verify] [/av <settings of the scan for viruses and other threatening programs>] [/traffic <settings for recording of incoming and outgoing traffic on the scanned device>] [/oval <settings of the security audit task>]

Command parameters for creating a Portable Scanner

Parameter	Description
`PORTABLESCANNER`	Required argument. Initiates the creation of a Portable Scanner.
`/drive=<Name of the removable drive or serial number of the Rutoken removable drive>`	Required argument. Select the removable drive on which you want to generate a Portable Scanner: If the Portable scanner is to be written to a Rutoken removable drive, you must enter a ten-digit serial number of the Rutoken drive.
`/license=<path to the license key file>`	Required argument. Specifies the path to the key file that is necessary for creating a Portable Scanner.
`/tokenpin=<password>`	Optional argument. Sets an administrator password for access to the Rutoken drive.
`/newtokenpin=<password>`	Optional argument. Sets a new administrator password for access to the Rutoken drive.
`/verify`	Optional argument. Verifies the Portable Scanner after it is written to the removable drive.
`/av <settings of the scan for viruses and other threatening programs>`	Optional argument. Scans for viruses and other threatening programs.
`/traffic <settings for recording of incoming and outgoing traffic on the scanned device>`	Optional argument. Records incoming and outgoing traffic on the scanned device.
`/oval <settings of the security audit task>`	Optional argument. Enables the security audit task.

At least one of the /av, /oval, or /traffic arguments must be specified.

Settings of the scan for viruses and other threatening programs
`<list of files>`	Space-delimited list of files, folders, network paths, or predefined scan scopes.
`/l=<path to file with a list of scan scopes>`	Path to file with a list of scan scopes. The file must be created manually and saved in TXT format. The file must be saved with UTF-8 encoding without BOM.
`/memory`	Starts scanning all memory processes.
`/shared`	Starts scanning the shared folders.
`/startup`	Starts scanning the startup objects.
`/remdrives`	Starts scanning all removable drives.
`/fixdrives`	Starts scanning all fixed drives.
`/mycomp`	Starts scanning the entire computer.
`/fa`	Scan all files If this setting is enabled, the application checks all files without exception (all formats and extensions).
`/fc`	Scan objects by format. The application scans only objects whose formats are included in the list of formats of infectable objects.
`/fe`	Scan objects by extension. The application scans only objects with extensions included into the list of extensions of infectable objects.
`/ai=<action>`	Action to be applied to a detected infected object. Possible values: `disinfdel` means disinfect, delete if disinfection fails. `report` means send a report.
`/e=<object type>`	Exclude the specified object types. Possible values: `a` excludes RAR, ARJ, ZIP, CAB, LHA, JAR, ICE archives from the scan. `b` excludes mail databases, incoming and outgoing email messages.
`/em=<file mask>`	Files that match the file mask are excluded from the scan scope. For example: The mask `.exe` will include all paths to files that have the exe extension. The mask `example` will include all paths to files named EXAMPLE.
`/et=<scan duration in seconds>`	Files that take longer to scan than the specified time limit (in seconds) are excluded from the scan scope.
`/es=<size in megabytes>`	Files that are larger than the specified size limit (in megabytes) are excluded from the scan scope.
`/norecall`	Scan files without copying to disk (if possible).
`/noichecker`	Disable iChecker.
`/w=<file path>`	Path and name of the scan log file.

Settings for recording of incoming and outgoing traffic on the scanned device

/limit=<duration in seconds>

Specifies for how long you want traffic to be recorded.

Accepts values from 1 to 1800.

Settings of the security audit task
`/source=<kl\|kl-compl\|file>`	Specifies the source of rules required by the Security Audit. Possible parameter values: `kl` – Kaspersky ICS CERT vulnerability database included in the distribution kit. `kl-compl` – Security configurations and standards compliance for operating systems, which are included in the distribution kit. `file` – Custom rule database from file.
`/path=<full path to ZIP archive with security audit rules>`	This parameter passes the path to the files with rules for the Custom rule base from file source (/`source=file`). Initiates a security audit task according to the rules inside the specified ZIP archive. The ZIP archive must contain an XML file with rules in the OVAL language. You need to provide the complete path to the ZIP file, including its name. OVAL rules must be saved in the UTF-8 encoding without BOM.
`/mode=<all\|exclude\|include>`	This parameter defines the vulnerability scan mode. Possible parameter values: `all` – scans all vulnerabilities listed in the source. `exclude` – scans the vulnerabilities listed in the source, except for those specified by the `/definitions` parameter. `include —` scans the vulnerabilities specified by the `/definitions` parameter. Used together with the `/source=kl` parameter.
`/definitions=<vulnerability_type_01;vulnerability_type_02;...;vulnerability_type_N>`	Semicolon-separated list of vulnerability types that must be scanned or must be excluded from being scanned. For example: `oval:org.mitre.oval.test:def:998;oval:org.mitre.oval.test:def:999`. Used together with the `/mode=include` or `/mode=exclude` parameter.

Example:

KAVSHELL PORTABLESCANNER /drive=E: /license=C:\0000000A.key /verify /av /l="C:\Documents and Settings\file.txt" /ai=disinfdel

Page top