Kaspersky Endpoint Security Stopped Via CommandLine - Linux

Sigma Rules

Summary
This rule detects the execution of the Kaspersky antivirus stop script on Linux systems, either by running the script directly or by stopping the service with the systemctl command. The detection focuses on the command-line arguments associated with stopping the Kaspersky Endpoint Security service, specifically the presence of terms such as 'stop' and 'kesl' in the executed command line. This behavior can be a legitimate action taken by a system administrator who stops the antivirus service for maintenance or configuration changes. However, it also warrants attention because malicious actors may disable endpoint protection in order to evade detection. The rule applies to Linux environments where Kaspersky Endpoint Security has been deployed and is intended to alert on unauthorized or suspicious activity related to the termination of the antivirus service.
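The following Python snippet is an added illustration of the matching logic the summary describes; it is not the Sigma rule itself or Kaspersky's code. It assumes a Sigma-style `contains|all` match (every term must appear as a substring of the process command line) and shows, beside it, an argument-aware variant that requires `stop` to be a standalone argument, which avoids the false positive from command lines that merely mention words like "stopped". The process-creation events are constructed for the demonstration.

```python
import shlex

# Constructed sample process-creation events (not taken from the page or any real host).
SAMPLE_EVENTS = [
    {"pid": 1201, "user": "root",  "cmdline": "systemctl stop kesl"},
    {"pid": 1202, "user": "root",  "cmdline": "/etc/init.d/kesl stop"},
    {"pid": 1203, "user": "root",  "cmdline": "systemctl status kesl"},
    {"pid": 1204, "user": "alice", "cmdline": "systemctl stop nginx"},
    {"pid": 1205, "user": "root",  "cmdline": "journalctl -u kesl --since yesterday | grep -i stopped"},
    {"pid": 1206, "user": "root",  "cmdline": "sudo systemctl stop kesl.service"},
]

# Terms the summary names; the real rule's exact term list is not on the page (assumption).
KESL_STOP_TERMS = ("stop", "kesl")


def cmdline_contains_all(cmdline: str, terms) -> bool:
    """Sigma-style 'contains|all': every term must appear as a case-insensitive
    substring somewhere in the command line."""
    lowered = cmdline.lower()
    return all(term in lowered for term in terms)


def matches_kesl_stop(cmdline: str) -> bool:
    """Loose match mirroring the summary: both 'stop' and 'kesl' appear in the command line."""
    return cmdline_contains_all(cmdline, KESL_STOP_TERMS)


def matches_kesl_stop_strict(cmdline: str) -> bool:
    """Argument-aware variant: 'stop' must be its own argument (so 'stopped' does not
    count) and some argument must name the kesl service, unit or script path."""
    try:
        argv = [arg.lower() for arg in shlex.split(cmdline)]
    except ValueError:
        # Unbalanced quotes: fall back to the loose match rather than dropping the event.
        return matches_kesl_stop(cmdline)
    has_stop_arg = "stop" in argv
    has_kesl_arg = any("kesl" in arg for arg in argv)
    return has_stop_arg and has_kesl_arg


def scan_events(events):
    """Return one alert per event that satisfies the loose match, annotated with
    whether the stricter check also fires, so an analyst can prioritise."""
    alerts = []
    for event in events:
        if not matches_kesl_stop(event["cmdline"]):
            continue
        alerts.append({
            "pid": event["pid"],
            "user": event["user"],
            "cmdline": event["cmdline"],
            "strict": matches_kesl_stop_strict(event["cmdline"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        level = "HIGH" if alert["strict"] else "LOW (review)"
        print(f"{level:13} pid={alert['pid']} user={alert['user']} cmd={alert['cmdline']!r}")
```

Running the block flags four of the six constructed events with the loose match; the `journalctl ... | grep -i stopped` line is among them only because "stopped" contains "stop", and the strict variant drops it while keeping the three genuine service-stop invocations.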
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
Created: 2025-10-18