The main purpose of the Application Privilege Control is to regulate the activities of the running programs, namely, access to the file system and registry as well as interaction with other programs.
Similar to the Application Startup Control, applications are separated into categories, for which limitations are specified; but the classification is based on different principles. Every program receives one of the four trust levels:
For each category, standard activity limits are pre-defined. The administrator can change these restrictions within the categories. Additionally, individual limitations can be configured for every program in the policy.
You can see that Application Privilege Control uses the same trust levels as the Firewall. It is not just a similarity; these components actually use the same trust levels. A program trusted by Firewall is trusted by Application Privilege Control, too, and vice versa.
Similar to the Firewall, Application Privilege Control defines access rights for the trust groups in the policy. On the client computer, Kaspersky Endpoint Security assigns a trust group to every specific application.
In addition, the administrator can manually assign a trust level to a particular program in the policy. If necessary, tougher restrictions than those set for the trust group can be specified for a particular program. New programs are added to the list the same way as in the Firewall: the executable file of an application is selected from the list of files ever started on the client computers. A trust group specified in the policy has higher priority than the trust group assigned locally on the client computer.
Kaspersky Endpoint Security assigns a trust group to a program when it starts for the first time; and the start is suspended until the analysis is over. The main categorization tool is Kaspersky Security Network. If it is inaccessible or KSN lacks information about the program, the assigned category depends on the policy settings:
Use heuristic analysis to define group—if this checkbox is selected, KES defines the program status using a special heuristic algorithm that emulates the program start. Emulation and analysis require time. By default, the time for assigning a trust group is limited to 30 seconds. There is a separate setting named Maximum time to define group for this purpose. After the specified time, the analysis is finished and the program gets placed into a trust group
Automatically move to group—an alternative to heuristic trust group definition. This setting assigns one of the three trust levels (High Restricted, Low Restricted, or Untrusted) to a program without analysis
Trust applications that have a digital signature—if this parameter is enabled, the programs having a valid digital signature are automatically placed in the Trusted group
There are two additional parameters in the policy that influence already categorized programs:
Update control rules for previously unknown applications from KSN databases—the trust group of a program is changed automatically when information about it appears in KSN
Delete rules for applications that are not started for more than 60 days—programs that have not been started for longer than the threshold are automatically deleted from the trust groups on the client computer. The threshold is adjustable
These settings influence only the trust groups and information saved locally on the client computer and have no effect on the programs whose trust group is specified in the policy by the administrator.
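The assignment order described above (a group specified in the policy first, then KSN, then the policy settings for programs KSN does not know), modelled as an added Python example that is not Kaspersky code. The setting names follow the text; the precedence of the digital-signature check over the heuristic and the group given to a program whose analysis runs out of time are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Trust groups named in the text. Automatic placement may use only the last three.
TRUST_GROUPS = ("Trusted", "Low Restricted", "High Restricted", "Untrusted")
AUTO_GROUPS = TRUST_GROUPS[1:]

@dataclass
class Policy:
    use_heuristic: bool = True               # "Use heuristic analysis to define group"
    max_define_seconds: int = 30             # "Maximum time to define group"
    auto_move_group: str = "Low Restricted"  # "Automatically move to group"
    trust_signed: bool = True                # "Trust applications that have a digital signature"
    assignments: Dict[str, str] = field(default_factory=dict)  # groups fixed by the administrator

    def __post_init__(self):
        if self.auto_move_group not in AUTO_GROUPS:
            raise ValueError("automatic placement allows only: " + ", ".join(AUTO_GROUPS))

def assign_trust_group(exe: str, signed: bool, policy: Policy,
                       ksn_lookup: Callable[[str], Optional[str]],
                       heuristic: Callable[[str, int], Optional[str]]):
    """Return (group, source) for a program that is starting for the first time.
    ksn_lookup returns None when KSN is unreachable or has no data on the file;
    heuristic returns None when emulation does not finish within the time limit."""
    # 1. A group specified in the policy has priority over any local verdict.
    if exe in policy.assignments:
        return policy.assignments[exe], "policy"
    # 2. KSN is the main categorization source.
    verdict = ksn_lookup(exe)
    if verdict in TRUST_GROUPS:
        return verdict, "ksn"
    # 3. No KSN data: the policy settings decide. Assumed order: the cheap
    #    signature check first, then heuristic emulation or automatic placement.
    if policy.trust_signed and signed:
        return "Trusted", "signature"
    if policy.use_heuristic:
        verdict = heuristic(exe, policy.max_define_seconds)
        if verdict in TRUST_GROUPS:
            return verdict, "heuristic"
        # Assumption of this model: when the limit expires the program gets the
        # group configured for automatic placement.
        return policy.auto_move_group, "heuristic-timeout"
    return policy.auto_move_group, "auto"

if __name__ == "__main__":
    # Constructed data: KSN knows one file, emulation never finishes in time.
    ksn = {"C:\\Tools\\known.exe": "Low Restricted"}.get
    policy = Policy(auto_move_group="High Restricted")
    print(assign_trust_group("C:\\Tools\\new.exe", False, policy, ksn, lambda e, t: None))
```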
Interaction with programs
Application Privilege Control allows limiting program interaction with other programs and operating system services depending on its trust group. The limitations can be configured both at the trust group level and for separate programs. Interaction rules include a wide list of various actions, for each of which the Allow or Block value is specified. The list of controlled actions is hard-coded.
By default, the restrictions for trust categories are as follows:
Low Restricted—everything is allowed except for building into operating system modules
High Restricted—interaction with operating system modules and other programs is prohibited. A program is allowed to work only with its own segment of system memory
Untrusted—a program is prohibited even from starting
Application Privilege Control, just like Application Startup Control, can block an application start. There is no contradiction here: if a program must be blocked according to the settings of one of the components, it is blocked regardless of the other component settings.
Access to resources
Application Privilege Control helps limit access to files, folders and registry keys on the hard drives. Files and registry keys are organized into groups, for which the rights of programs belonging to different trust categories are specified. Additionally, the restrictions specified for a group can be changed at the subgroup level, or individually for a file or registry key.
Initially, the list of protected resources contains groups of most important files and registry keys. The administrator can modify and create the categories. Access rights can be specified both in the list of protected resources, and in the program properties within the trust categories.
Rights to access a group of resources are defined independently for four operation types:
By default, the following limitations are set for the trust categories:
Low Restricted—everything is allowed except for changing important system files (boot.ini, system.ini, autoexec.bat, executable files within the system directory, etc.)
High Restricted—only Read access is allowed to the data from the operating system directories and registry branches
Untrusted—the program is prohibited even from starting
The limitations configured for a program are inherited by all its child processes, even if their executable files are included in the Trusted group. Thus, programs with a lower trust level cannot evade the prohibitions by using the privileges of programs with higher trust levels.
Hardening privilege control mode
Most of the widely used programs are automatically placed in the Trusted category, because they either have a digital signature of the manufacturer, or are included in the KSN Allow list. This allows toughening the restrictions for the other programs: they can be automatically moved to the High Restricted or Untrusted category. In the latter case, KES automatically blocks the start of unknown programs that have no digital signature and for which there are no allowing rules in the policy. If a program necessary for work is blocked, you can configure an exclusion for it.
If the limitations set by the Application Privilege Control still block a necessary program, you can configure the corresponding exclusion. There are two types of exclusions in Application Privilege Control:
Exclusions for resources—allow any program to perform any operation with the specified group of resources
Exclusions for programs—allow the specified program to perform any operation
Exclusions for resources are configured in the properties of the Application Privilege Control, on the Protected resources tab. You can configure exclusions for folders, files and registry keys.
Exclusions for programs are configured in the Trusted zone, and provide several additional capabilities:
Do not monitor application activity—disable the restrictions that concern the specified program
Do not inherit restrictions of the parent process (application)—disable the limitations inherited from the process that started the program and the parent processes of higher levels
Do not monitor child application activity—disable the restrictions for the processes started by the program for which the exclusion is created
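The inheritance rule from the Access to resources section (a child carries its parent's restrictions even when its own executable is Trusted) and the three Trusted zone exclusions listed above, modelled as an added Python example that is not Kaspersky code. The rights table, the resource group name and the Write operation are constructed for the illustration, and the reading of "child activity" as the directly started processes is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Exclusion flags from the Trusted zone, as named in the text.
NO_MONITOR = "Do not monitor application activity"
NO_INHERIT = "Do not inherit restrictions of the parent process"
NO_MONITOR_CHILDREN = "Do not monitor child application activity"

# Constructed rights table for one protected resource group. Only Read is named in
# the text; "Write" stands in for changing system files and is an assumption here.
Action = Tuple[str, str]  # (resource group, operation)
DEFAULT_RIGHTS: Dict[str, Dict[Action, bool]] = {
    "Trusted":         {("OS files", "Read"): True, ("OS files", "Write"): True},
    "Low Restricted":  {("OS files", "Read"): True, ("OS files", "Write"): False},
    "High Restricted": {("OS files", "Read"): True, ("OS files", "Write"): False},
}

@dataclass
class Process:
    exe: str                         # executable path, used as the exclusion key
    group: str                       # trust group assigned to this process
    parent: Optional["Process"] = None

def is_allowed(proc: Process, action: Action, rights=DEFAULT_RIGHTS, exclusions=None) -> bool:
    """Decide whether proc may perform action: its own group rights are combined with
    the effective rights of every ancestor, unless a Trusted zone exclusion applies.
    exclusions maps an exe path to the set of flags configured for it."""
    exclusions = exclusions or {}
    own = exclusions.get(proc.exe, set())
    if NO_MONITOR in own:
        return True                  # the program itself is not restricted at all
    parent = proc.parent
    # Assumption of this model: "child activity" covers the processes the program
    # starts directly; deeper descendants are judged by the normal rule below.
    if parent is not None and NO_MONITOR_CHILDREN in exclusions.get(parent.exe, set()):
        return True
    if not rights[proc.group].get(action, False):
        return False                 # blocked by the program's own trust group
    if parent is None or NO_INHERIT in own:
        return True                  # nothing (further) to inherit
    # A Trusted child of a restricted parent still carries the parent's limits.
    return is_allowed(parent, action, rights, exclusions)

if __name__ == "__main__":
    # Constructed tree: a High Restricted download starts a Trusted system shell.
    tool = Process("D:\\Downloads\\tool.exe", "High Restricted")
    shell = Process("C:\\Windows\\System32\\cmd.exe", "Trusted", parent=tool)
    print("shell may write OS files:", is_allowed(shell, ("OS files", "Write")))  # False
    print("with NO_INHERIT on the shell:",
          is_allowed(shell, ("OS files", "Write"), exclusions={shell.exe: {NO_INHERIT}}))  # True
```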