Threat Protection

March 5, 2024

ID 180130

Kaspersky Scan Engine helps you protect your network and data by detecting malware and legitimate software that can be used by intruders.

Before you start using Kaspersky Scan Engine, decide on your use case, in the following order:

  1. Decide what data you want to scan:
    • Data uploaded to your network by your users.
    • Data created inside your organization, such as documents.
    • Data uploaded from sources outside your network. Scanning this data can prevent supply chain attacks.

    You can also use Kaspersky Scan Engine to add scanning functionality to your own applications and security services. Kaspersky Scan Engine scans objects of any format, including packed objects.

  2. Decide whether HTTP or ICAP mode is better for your environment.
  3. Decide where you want to deploy Kaspersky Scan Engine.
  4. Decide how you will gain access to scan results:
    • In Kaspersky Scan Engine GUI
    • In a client application
  5. Decide which features of Kaspersky Scan Engine you will use:
    • Decide whether you want to use Kaspersky Security Network (KSN) for checking the reputation of files and URLs
    • Decide what level of heuristics you want to use
    • Decide what actions Kaspersky Scan Engine must perform after detecting malware or legitimate software that can be used by intruders
    • Decide whether you want to scan packed executables
    • Decide whether you want to scan archives
    • Decide whether you want to scan email
    • Decide whether you want to scan email databases

After determining your use case for Kaspersky Scan Engine, proceed to getting started with Kaspersky Scan Engine.

Below, you can find instructions for typical tasks that Kaspersky Scan Engine performs in HTTP mode and in ICAP mode.

Scanning files with the sample HTTP client (HTTP mode)

These instructions assume that you have already installed and configured Kaspersky Scan Engine by using either the configuration file or the GUI.

To scan files with Kaspersky Scan Engine:

  1. Start the kavhttpd service.
  2. Start the sample HTTP client. The client is located in the /bin/kavhttp_client directory of the distribution kit.
  3. Pass the files that you want to scan to the sample HTTP client:
    • Scan files that are larger than 4 megabytes (MB) in scanfile mode. Use the -f option and pass the local paths to the files to the sample HTTP client.

      The example below shows how to scan two files in scanfile mode:

    ./kavhttp_client -f /usr/dir1/example1.zip /usr/dir2/example2.iso

    • Scan files that are smaller than 4 MB in scanmemory mode. Pass the paths (network or local) to the sample HTTP client. To do this, use the -s option.

      The example below shows how to scan a file in scanmemory mode:

    ./kavhttp_client -s 192.0.2.0:888 /usr/dir/example.txt

  4. Review the scan results.
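
One way to apply the size rule from step 3 to a batch of files, as an added example that is not part of the Kaspersky documentation or distribution kit. The command shapes copy the two examples above; the names `pick_mode`, `scan_paths`, `KAV_CLIENT`, `KAV_ADDR`, `LIMIT` and `DRY_RUN` are hypothetical, and reading "4 MB" as 4 MiB and sending a file of exactly that size to scanfile mode are assumptions.

```shell
#!/bin/sh
# Added example, not Kaspersky code: route files to kavhttp_client by size.
KAV_CLIENT="${KAV_CLIENT:-./kavhttp_client}"  # client binary, as named on the page
KAV_ADDR="${KAV_ADDR:-192.0.2.0:888}"         # address copied from the page's -s example
LIMIT=$((4 * 1024 * 1024))                    # assumption: "4 MB" means 4 MiB

# Print the mode for one path: scanfile, scanmemory, or skip.
pick_mode() {
    # Only readable regular files are scanned (no directories, devices, missing paths).
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo skip
        return 0
    fi
    size=$(($(wc -c < "$1")))   # arithmetic expansion strips any padding from wc
    if [ "$size" -lt "$LIMIT" ]; then
        echo scanmemory
    else
        echo scanfile           # exactly 4 MB also goes here (assumption)
    fi
}

# Run (or, with DRY_RUN set, only print) one client call per file.
# Returns 1 if any path was skipped or the client exited non-zero, so a
# caller never treats an unscanned file as a clean one. What the client's
# exit codes mean is not described on the page; they are only propagated.
scan_paths() {
    rc=0
    for path in "$@"; do
        case $path in -*) path=./$path ;; esac   # keep "-name" from being read as an option
        case $(pick_mode "$path") in
            scanfile)   ${DRY_RUN:+echo} "$KAV_CLIENT" -f "$path" || rc=1 ;;
            scanmemory) ${DRY_RUN:+echo} "$KAV_CLIENT" -s "$KAV_ADDR" "$path" || rc=1 ;;
            *)          echo "not scanned: $path" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Stand-alone use: sh scan_by_size.sh FILE...
if [ "$#" -gt 0 ]; then
    scan_paths "$@"
fi
```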

Scanning traffic that passes through a proxy server (ICAP mode)

These instructions assume that you have already installed and configured Kaspersky Scan Engine by using either the configuration file or the Kaspersky Scan Engine GUI.

To scan traffic that passes through a proxy server:

  1. Configure your proxy server to work with Kaspersky Scan Engine (see the example of using Kaspersky Scan Engine in ICAP mode with Squid).
  2. Create a response template to display, or a script to execute, when malware or legitimate software that can be used by intruders is detected.
  3. Configure the ICAP service rules that apply when Kaspersky Scan Engine detects malware or legitimate software that can be used by intruders. You can do this either manually or by using the GUI.
  4. Start the kavicapd service.

Kaspersky Scan Engine will automatically detect malware or legitimate software that can be used by intruders, and then process it according to the ICAP service rules.
