Kaspersky Endpoint Security 12 for Linux

Kaspersky Endpoint Security 12.1 for Linux

22 July 2024

ID 263901

Kaspersky Endpoint Security 12.1 for Linux ("Kaspersky Endpoint Security," "Application") is designed to protect devices running Linux operating systems against various types of threats, including network and scam attacks.

The application allows you to protect both physical devices and virtual machines. You can use Kaspersky Endpoint Security as part of Kaspersky Security for Virtualization Light Agent to protect virtual machines running Linux guest operating systems.

The following functional components and tasks of the application provide the main functions of device protection and control:

  • File Threat Protection prevents infection of the file system on the user device. The File Threat Protection component starts automatically when Kaspersky Endpoint Security is launched and scans all files that are opened, saved, and started in real time.

    You can also scan protected devices on demand using the following scan tasks:

    • Malware Scan. The application scans for the presence of malware in file system objects located on local disks of the device, as well as mounted and shared resources, which are accessed via SMB and NFS protocols. You can use this task to perform a full or custom scan of the device.
    • Critical Areas Scan. The application scans boot sectors, startup objects, process memory, and kernel memory.
  • Removable Drives Scan. The Removable Drives Scan component allows you to monitor the connection of removable drives to the device in real time and scan a removable drive and its boot sectors for malware. Kaspersky Endpoint Security can scan the following removable drives: CDs, DVDs, Blu-ray discs, flash drives (including USB modems), external hard drives, and floppy disks.
  • Container Scan. The Container Scan component allows you to scan namespaces and running containers for malware in real time. Integration with the Docker container management system, the CRI-O framework, and the Podman and runc utilities is supported. You can use the Container Scan task to scan containers and images on demand.
  • Web Threat Protection. The Web Threat Protection component allows you to scan inbound traffic, prevent downloads of malicious files from the Internet, and block phishing, adware, and other malicious websites. Kaspersky Endpoint Security can scan encrypted connections.
  • Network Threat Protection. The Network Threat Protection component allows you to scan inbound network traffic for activity that is typical for network attacks.
  • Firewall Management. The Firewall Management component allows you to monitor the firewall settings of the operating system and filter all network activity in accordance with the network packet rules that you have configured.
  • Anti-Cryptor. The Anti-Cryptor component allows you to scan remote devices' calls to files located in local directories with network access via SMB/NFS protocols and protect files from remote malicious encryption.
  • Device Control. The Device Control component allows you to manage user access to the devices that are installed on or connected to the client device (for example, hard drives, cameras, or Wi-Fi modules). This lets you protect the client device from infection when external devices are connected, and prevent data loss or leaks. User access to devices is governed by access regimes and access rules that you have configured.
  • Application Control. The Application Control component allows you to manage the launch of applications on user devices. This reduces the risk of device infection by restricting access to applications. Application launching is regulated by the Application Control rules that you have configured.
  • Inventory. The Inventory task provides information about all application executable files stored on the client devices. This information can be useful, for example, for creating Application Control rules.
  • Web Control. The Web Control component controls user access to web resources. This allows you to reduce traffic consumption and reduce inappropriate use of working time. If a user tries to open a website to which access is restricted by Web Control, Kaspersky Endpoint Security blocks access or displays a warning.
  • Behavior Detection. The Behavior Detection component allows you to monitor for any malicious activity from applications in the operating system. When malicious activity is detected, Kaspersky Endpoint Security can terminate the process of the application that performs malicious activity.
  • System Integrity Monitoring allows you to track changes to files and directories of the operating system. The System Integrity Monitoring component monitors, in real time, the actions performed on objects in the monitoring scope specified in the component settings. You can use the System Integrity Check task to check the integrity of the system on demand. The check is performed by comparing the current states of objects included in the monitoring scope with their initial states, which were previously established as a baseline.

Kaspersky Endpoint Security allows you to detect infected objects and neutralize the threats detected in them. For this, the application can use:

  • Application databases to detect and disinfect infected files. During the scan process, the application analyzes each file for the presence of a threat: it compares the file code with the code of a specific threat and looks for possible matches.
  • Kaspersky Security Network. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky Endpoint Security to various threats, improves the performance of some protection components, and reduces the likelihood of false positives.

Prior to disinfection or removal, Kaspersky Endpoint Security saves backup copies of files in the Backup located on the device. If, after disinfection, you partially or completely lose access to important information in a disinfected file, you can restore the file from the copy.

While performing scan tasks, Kaspersky Endpoint Security can disinfect and delete files that are protected from modification: files with the 'immutable' and 'append-only' attributes and files in directories with the 'immutable' and 'append-only' attributes. Backup stores copies of these files that were created before disinfection or deletion. You can restore files from backup copies, if necessary. When scan tasks are completed, the 'immutable' and 'append-only' attributes of disinfected files are reset.
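Because scan tasks can act on files that carry the 'immutable' and 'append-only' attributes, an administrator may want to compare attribute state before and after a scan. The following is an added example, not part of the Kaspersky documentation or the application: it compares two saved outputs of the standard `lsattr` utility, and the paths and sample listings in it are constructed for illustration.

```python
import re

# lsattr prints "<flags> <path>": a set flag is shown as its letter, an unset one as '-'.
# Only absolute paths are accepted, which also skips "-R" directory headers and blank lines.
LSATTR_LINE = re.compile(r"^([A-Za-z-]+)\s+(/.*)$")
# Lowercase 'i' and 'a' are immutable and append-only; uppercase 'I' and 'A' are other flags.
WATCHED = {"i": "immutable", "a": "append-only"}

def parse_lsattr(text):
    """Map each absolute path to the set of watched attributes set on it."""
    state = {}
    for line in text.splitlines():
        m = LSATTR_LINE.match(line.strip())
        if not m:
            continue
        flags, path = m.groups()
        state[path] = {name for ch, name in WATCHED.items() if ch in flags}
    return state

def attribute_changes(before_text, after_text):
    """Return (path, change, attributes) tuples, sorted by path."""
    before, after = parse_lsattr(before_text), parse_lsattr(after_text)
    changes = []
    for path in sorted(before.keys() | after.keys()):
        old = before.get(path, set())
        if path not in after:
            if old:  # a protected file is no longer present
                changes.append((path, "missing", sorted(old)))
            continue
        new = after[path]
        if old - new:
            changes.append((path, "cleared", sorted(old - new)))
        if new - old:
            changes.append((path, "set", sorted(new - old)))
    return changes

# Constructed sample listings (hypothetical paths), e.g. saved before and after a scan task.
BEFORE = """----i---------e------- /srv/share/policy.conf
-----a--------e------- /srv/share/audit.log
--------------e------- /srv/share/readme.txt
----i---------e------- /srv/share/tool.bin
"""
AFTER = """----i---------e------- /srv/share/policy.conf
--------------e------- /srv/share/audit.log
--------------e------- /srv/share/readme.txt
"""

if __name__ == "__main__":
    for path, change, attrs in attribute_changes(BEFORE, AFTER):
        print(f"{path}: {change} {', '.join(attrs)}")
```

Files reported as "missing" or "cleared" can then be checked against the application's Backup and restored or re-protected as needed.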

Kaspersky Endpoint Security can operate in Notify-only mode. Notify-only mode is an operation mode for the application in which, if a threat is detected, application components and tasks do not attempt to disinfect or delete malicious objects, deny access or block the activity of applications. Instead, the application only informs the user about the detected threat.

Kaspersky Endpoint Security supports integration with other Kaspersky solutions to expand the capabilities of the application:

You can use Kaspersky Endpoint Security as a container application (hereinafter also referred to as KESL container) for embedding into external systems in order to scan container images in repositories.

The KESL container functionality is not supported if Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments.

To keep the application up to date, additional application functions are provided:

  • Activating the application with a key file or activation code.

    If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, activation is performed on the Protection Server (a component of Kaspersky Hybrid Cloud Security for Virtualization Light Agent).

  • Updating the databases and application modules from Kaspersky update servers, via the Administration Server, or from a user-specified source on schedule and on demand.

    If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments, the application receives updates of databases and application modules from the Protection Server (a component of Kaspersky Hybrid Cloud Security for Virtualization Light Agent).

  • User access control for the application functions according to the user roles.
  • Notification of the administrator about events that occurred while the application was running.
  • Integrity check of application components using the integrity check tool.

You can manage Kaspersky Endpoint Security using the following methods:

In the territory of the USA, the update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality will no longer be available in the application starting 12:00 AM Eastern Daylight Time (EDT) September 10, 2024 in compliance with trade restrictions.

In this Help section

About Kaspersky Endpoint Security usage modes

Distribution kit

Hardware and software requirements
