On-access scan

On-access scan is an operation mode of Kaspersky Security in which Kaspersky Security subsystems scan objects on SharePoint servers in real time. The subsystems scan an object in the moment the SharePoint user handles it (for example, when copying it from a SharePoint server to a computer).

Each of the application subsystems performs a scan of a single type. The table lists scan types that the application performs in on-access scan mode, as well as objects to which the respective scans apply.

Processing objects in on-access scan mode

If the subsystems that scan an object detect no threats, malicious links, and unwanted content, the application allows the user to handle this object. If a subsystem detects a threat, malicious link, or unwanted content, the application performs the action that has been configured for each scan type.

Objects are scanned by subsystems one by one. If an object was blocked by the application during a scan by a subsystem, the remaining subsystems do not scan this object. If a file was blocked during an anti-virus scan, the application does not apply content filtering to this file.

If failures occur in the operation of the application subsystems, some file may remain unscanned. By default, unscanned files are skipped without being scanned. You can configure the application so that it will block all files that cannot be scanned. Contact Technical Support for additional details.

Status labels assigned to files following on-access scan

Based on the results of on-access scanning, the application assigns one of the following status labels to the file:

• Not infected. No threats detected in the file.
• Infected. A file a segment of whose code fully matches a code segment of a known threat.
• Probably infected. A file whose code contains a modified segment of code of a known threat, or a file resembling a threat in the way it behaves.
• Password-protected. A password-protected archive.
• Corrupted. The file cannot be read by Kaspersky Security.

Based on the results of content filtering, the application assigns one of the following status labels to the file:

• Allowed. There is no unwanted content in the file.
• Forbidden format. The file has an unwanted format.
• Forbidden mask. The file name contains an unwanted mask.
• Forbidden content. The file has been found to contain unwanted words and phrases.

Based on the results of content filtering and phishing scanning, the application assigns one of the following status labels to the SharePoint web part:

• Allowed. The SharePoint web object does not contain unwanted content, malicious or phishing URLs.
• Forbidden content. The SharePoint web object has been found to contain malicious / phishing URLs or unwanted content.

About the restricted scan mode

If one of the scanning subsystems is freezing during an on-access scan, the application switches to the restricted scan mode by default. In this case, some objects may remain unscanned. When the application switches to the restricted scan mode, the following information is recorded to Windows Event Log:

• Date and time the restricted scan mode was enabled
• Name of the subsystem for which the mode was enabled
• Event level: Error
• Event category: Infrastructure
• Event ID: 6200

If the application switches to the restricted scan mode, the Control Center node displays a warning. For example, if a phishing scan is freezing, the following warning is displayed: Restricted scan mode enabled. Some objects can be skipped without being scanned for phishing. Information about files that have not been scanned by the application due to the restricted scan mode will be logged to the report with the Scan errors status.

The restricted scan mode does not affect on-demand scanning or data leak prevention.

The restricted scan mode can be disabled. For additional information about how to disable the restricted scan mode please contact Technical Support.