Recommended settings for HTTP mode

March 5, 2024

ID 225526

This section describes the recommended settings for Kaspersky Scan Engine in HTTP mode.

If you use the Kaspersky Scan Engine GUI, specify the recommended parameters as described in the table below.

Recommended settings for HTTP mode in the Kaspersky Scan Engine GUI

| Settings in the Kaspersky Scan Engine GUI | Recommended settings |
|---|---|
| Service > Keep-alive connection | See the description of KeepAliveSettings below |
| Service > Connection timeout | See the description of TimeoutMs in KeepAliveSettings below |
| Service > Sessions | See the description of MaxHTTPSessionsNum below |
| Service > Connections | See the description of MaxIncomingConnectionsNum below |
| Service > Threads | Twice the value of ScannersCount |
| Service > Processes | Equal to the number of processor cores |
| Scanning > Enable reputation checking | Turn on the toggle switch |
| Scanning > Enable Phishing Protection | Turn on the toggle switch |
| Scanning > Object scan timeout | 10000 (10 seconds) |
| Scanning > Heuristic analysis level | Low |
| Scanning > Actions on detected objects | See the description of Mode below |
| Scanning > Size limit for the received file | 10343 KB (10.1 MB). Get an updated value from your TAM at least once a year |
| Scanning > Maximum depth | 5 |
| Scanning > Types of files to scan | Select the checkboxes: Packed objects, Archives, Emails databases, Emails |

If you do not use the Kaspersky Scan Engine GUI, specify the recommended parameters in the kavhttpd.xml configuration file as described in the table below.

Recommended settings for HTTP mode in the configuration file

| Parameter in kavhttpd.xml | Recommended settings |
|---|---|
| ScannersCount | Equal to the number of processor cores |
| ThreadsCount | Twice the value of ScannersCount |
| MaxIncomingConnectionsNum | See the description of MaxIncomingConnectionsNum below |
| MaxHTTPSessionsNum | See the description of MaxHTTPSessionsNum below |
| QueueLen | Greater than or equal to the value of MaxHTTPSessionsNum; greater than the ThreadsCount value |
| MaxTCPFileSize | 10591440 bytes (10.1 MB). Get an updated value from your TAM at least once a year |
| Flags | Specify the flags: KAV_O_M_PACKED, KAV_O_M_ARCHIVED, KAV_O_M_MAILPLAIN, KAV_O_M_MAILBASES, KAV_O_M_HEURISTIC_LEVEL_SHALLOW, KAV_SHT_ENGINE_KSN, KAV_SHT_ENGINE_APUF |
| Mode | See the description of Mode below |
| MaxArchivesScanningDepth | 5 |
| SessionTimeout | 10000 (10 seconds) |
| KeepAliveSettings | See the description of KeepAliveSettings below |

ScannersCount

This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Processes.

The recommended number of scanning processes is equal to the number of processor cores. For example, if Kaspersky Scan Engine is running on a computer with a 4-core processor, set ScannersCount to 4.

See also the subsection "Example of Kaspersky Scan Engine work in HTTP mode depending on the ScannersCount, ThreadsCount, QueueLen, MaxIncomingConnectionsNum, and MaxHTTPSessionsNum settings."

ThreadsCount

This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Threads.

The recommended number of scanning threads depends on the number of scanning processes specified in ScannersCount: the value of ThreadsCount is twice the value of ScannersCount. For example, if Kaspersky Scan Engine is running on a computer with a 4-core processor and ScannersCount is set to 4, set ThreadsCount to 8.

See also the subsection "Example of Kaspersky Scan Engine work in HTTP mode depending on the ScannersCount, ThreadsCount, QueueLen, MaxIncomingConnectionsNum, and MaxHTTPSessionsNum settings."

MaxIncomingConnectionsNum

This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Connections.

You can configure this parameter to set the queue length of the incoming TCP connections waiting for connection with HTTPD. See section "Setting up the connection queue in HTTP mode" for connection queue setup details.

For example, suppose you expect, on average, ten simultaneous connections with clients. If MaxHTTPSessionsNum is set to 10, all 10 simultaneous connections will be accepted by HTTPD for processing. The 11th incoming TCP connection will wait for a connection with HTTPD. At least 11 additional connections can wait for HTTPD acceptance; the 12th additional connection will cause an error message. So, when setting the value for MaxIncomingConnectionsNum, consider the value of MaxHTTPSessionsNum: the value specified in MaxIncomingConnectionsNum should be several times greater than the value specified in MaxHTTPSessionsNum.

MaxHTTPSessionsNum

This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Sessions.

When specifying the value for this parameter, consider the following:

  • the maximum number of scanning threads (ThreadsCount).
  • the maximum length of the queue for scan tasks (QueueLen).
  • the maximum length of the scan waiting queue (MaxIncomingConnectionsNum).
  • specifics of HTTPD: in general, HTTPD runs one scanning process for one scan task.

The recommended value is:

  • greater than or equal to:
    1. 5*ThreadsCount/4 (when scanning files and URLs).
    2. 3*ThreadsCount/2 (when scanning system memory).
  • corresponds to the expected number of HTTP clients that make requests to HTTPD.

See also the subsection "Example of Kaspersky Scan Engine work in HTTP mode depending on the ScannersCount, ThreadsCount, QueueLen, MaxIncomingConnectionsNum, and MaxHTTPSessionsNum settings."

QueueLen

Since the scan tasks are enqueued from all simultaneously open sessions, consider the MaxHTTPSessionsNum settings. The queue length should not be less than the MaxHTTPSessionsNum value. Otherwise, some clients will get an error when opening sessions.

Since the scan tasks are processed by the threads from the queue, the queue length should not be less than the number of threads in ThreadsCount. Otherwise, some threads will not be in use.

The recommended QueueLen value is:

  • greater than the ThreadsCount value.
  • greater than or equal to MaxHTTPSessionsNum value.

See also the subsection "Example of Kaspersky Scan Engine work in HTTP mode depending on the ScannersCount, ThreadsCount, QueueLen, MaxIncomingConnectionsNum, and MaxHTTPSessionsNum settings."

MaxTCPFileSize

During scanning, HTTPD loads the files into the system memory. The greater the file size and the number of active sessions, the more system memory is consumed. The value specified should be less than the RAM size.

To increase performance, you can specify the maximum size of HTTP messages sent to HTTPD and set the value to 10591440 bytes (10.1 MB). This value is sufficient to detect most malware.

If you have followed the recommendation above, we also recommend consulting with your Technical Account Manager (TAM) once a year to get an updated recommended value, as the average malware size changes from year to year.

Flags

This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Types of files to scan, Settings > Scanning > Heuristic analysis level and Settings > Scanning > Enable reputation checking.

The recommended value for Flags is the following:

KAV_O_M_PACKED | KAV_O_M_ARCHIVED | KAV_O_M_MAILPLAIN | KAV_O_M_MAILBASES | KAV_O_M_HEURISTIC_LEVEL_SHALLOW | KAV_SHT_ENGINE_KSN

If the KAV_SHT_ENGINE_KSN flag is used, it is also recommended to enable Phishing Protection in one of the following ways:

  • In the Flags element of the kavhttpd.xml configuration file, add the KAV_SHT_ENGINE_APUF flag.
  • On the Settings > Scanning page of the Kaspersky Scan Engine GUI, turn on the Enable Phishing Protection toggle switch.

Phishing Protection is useful when Kaspersky Scan Engine checks URLs.

Mode

This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Actions on detected objects.

If clients are expected to specify a local path to the object (the scanfile request, which scans a local file), specify one of the following:

  • KAV_DELETE (if the object is to be deleted without a disinfection attempt).
  • KAV_CLEAN_DELETE (if the object is to be disinfected, or deleted if disinfection is impossible).

Specify KAV_SKIP in all other cases.

MaxArchivesScanningDepth

This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Maximum depth.

We recommend that you limit the maximum depth of nested archives to be unpacked during scanning. The recommended value for MaxArchivesScanningDepth is 5.

SessionTimeout

This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Object scan timeout.

You can set a timeout for all operations in a session: connection with a client, data receipt, and object checking. This setting can be used together with the X-KAV-Timeout header (see "Setting the session timeout").

Setting the timeout allows the following:

  • immediately releasing the scanning thread if the session time has expired.
  • faster management of the queue of incoming TCP connections (the queue length is set in MaxIncomingConnectionsNum).

Initially, HTTPD receives the data, and then loads the files into the system memory during scanning. The greater the file size and the number of active sessions, the more system memory is consumed. To increase performance, you can specify the maximum size of HTTP messages sent to HTTPD (see MaxTCPFileSize above) and limit the session time in SessionTimeout. This will allow you to skip the large objects or objects requiring a long time for scanning.

Before setting a value for SessionTimeout, we recommend that you estimate the expected number of HTTP clients sending requests to HTTPD, as well as the probable length of the incoming TCP connection queue.

Generally, the default value for SessionTimeout is 10000 (10 seconds).

KeepAliveSettings

This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Keep-alive connection.

We recommend enabling Keep-Alive. When Keep-Alive is enabled, Kaspersky Scan Engine maintains a persistent connection even after the request has been processed and the session timed out. This gives the following advantages:

  • reduced network traffic.
  • reduced use of server resources.
  • reduced latency in processing requests.

Keep-Alive is especially useful for HTTPS connections that require more CPU time and more client-server interactions.

To enable Keep-Alive, set the Enabled element in KeepAliveSettings to 1.

To determine the values for TimeoutMs and MaxRequests, estimate the number of clients and the number of requests from clients.

For example, you have estimated that the maximum number of clients is 10, so you set MaxHTTPSessionsNum to 10. If TimeoutMs and MaxRequests are unlimited, and all 10 clients send requests continuously, Kaspersky Scan Engine maintains connections with these 10 clients without limits. As a result, new connections cannot be accepted by HTTPD for processing.

Another example. You have estimated that the maximum number of clients is 10, so you set MaxHTTPSessionsNum to 10. You have also estimated that the maximum number of requests from one client is 15, so you set MaxRequests to 15. If you did not set the limit for TimeoutMs, and clients do not send 15 requests, Kaspersky Scan Engine maintains connections with these 10 clients without limits, so new connections cannot be accepted by HTTPD for processing.

Example of Kaspersky Scan Engine work in HTTP mode depending on the ScannersCount, ThreadsCount, QueueLen, MaxIncomingConnectionsNum, and MaxHTTPSessionsNum settings

Let's say Kaspersky Scan Engine is installed on a computer with four CPU cores, there are 15 simultaneous connections to this computer, and Kaspersky Scan Engine is configured as follows:

  • ScannersCount = 4
  • ThreadsCount = 8
  • QueueLen = 20
  • MaxHTTPSessionsNum = 10
  • MaxIncomingConnectionsNum = 20

In this case:

  1. Five out of fifteen clients will be enqueued for connection.
  2. Ten sessions will open for ten clients.
  3. Ten open sessions will form a queue of scan tasks. If the number of scan tasks surpasses the value of QueueLen, the client will receive the error 503 - Service overloaded.
  4. Kaspersky Scan Engine runs four scanning processes.
  5. Four scanning processes create eight threads for simultaneous processing of eight scan tasks from the queue (one thread for one scan task).
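
The sizing relationships described in this section can be checked mechanically before a configuration is deployed. The following Python checker is an added example, not part of Kaspersky's documentation or tooling; the element names are taken from this page, while the root element and flat layout of the sample fragment are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names come from the page; the root element and
# flat nesting are assumptions for this example, not the real file layout.
SAMPLE = """<Configuration>
  <ScannersCount>4</ScannersCount>
  <ThreadsCount>8</ThreadsCount>
  <QueueLen>8</QueueLen>
  <MaxHTTPSessionsNum>10</MaxHTTPSessionsNum>
  <MaxIncomingConnectionsNum>10</MaxIncomingConnectionsNum>
  <Flags>KAV_O_M_PACKED | KAV_O_M_ARCHIVED | KAV_SHT_ENGINE_KSN</Flags>
</Configuration>"""

SIZING = ("ScannersCount", "ThreadsCount", "QueueLen",
          "MaxHTTPSessionsNum", "MaxIncomingConnectionsNum")

def check_http_mode(xml_text, cpu_cores, memory_scan=False):
    """Return (parameter, message) findings against the page's recommendations."""
    root = ET.fromstring(xml_text)
    def text(name):
        # Look the element up by name anywhere in the tree (layout-agnostic).
        node = next(root.iter(name), None)
        return (node.text or "").strip() if node is not None else ""
    try:
        sc, tc, ql, sess, conns = (int(text(k)) for k in SIZING)
    except ValueError:
        return [("config", "a sizing parameter is missing or not an integer")]
    out = []
    if sc != cpu_cores:
        out.append(("ScannersCount", f"{sc} != number of cores ({cpu_cores})"))
    if tc != 2 * sc:
        out.append(("ThreadsCount", f"{tc} != 2 * ScannersCount ({2 * sc})"))
    # 5*ThreadsCount/4 for files and URLs, 3*ThreadsCount/2 for system memory;
    # compared in integers to avoid rounding.
    num, den = (3, 2) if memory_scan else (5, 4)
    if den * sess < num * tc:
        out.append(("MaxHTTPSessionsNum", f"{sess} < {num}*ThreadsCount/{den}"))
    if ql <= tc:
        out.append(("QueueLen", f"{ql} is not greater than ThreadsCount ({tc})"))
    if ql < sess:
        out.append(("QueueLen", f"{ql} < MaxHTTPSessionsNum ({sess})"))
    # The page gives no exact ratio, so only strictly-greater is enforced here.
    if conns <= sess:
        out.append(("MaxIncomingConnectionsNum", f"{conns} <= MaxHTTPSessionsNum ({sess})"))
    flags = {f.strip() for f in text("Flags").split("|")}
    if "KAV_SHT_ENGINE_KSN" in flags and "KAV_SHT_ENGINE_APUF" not in flags:
        out.append(("Flags", "KAV_SHT_ENGINE_KSN set without KAV_SHT_ENGINE_APUF"))
    return out
```

With the values from the example above (QueueLen = 20, MaxIncomingConnectionsNum = 20) and the KAV_SHT_ENGINE_APUF flag added, the checker returns no findings for a 4-core host.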
