
Application Privilege Control

Operation principles

The main purpose of the Application Privilege Control is to regulate the activities of the running programs, namely, access to the file system and registry as well as interaction with other programs.

As in Application Startup Control, applications are divided into categories for which limitations are specified, but the classification is based on different principles. Every program receives one of four trust levels:

  • Trusted
  • Low Restricted
  • High Restricted
  • Untrusted

For each category, standard activity limits are pre-defined. The administrator can change these restrictions within the categories. Additionally, individual limitations can be configured for every program in the policy.



Policy specifics

You can see that Application Privilege Control uses the same trust levels as the Firewall. It is not just a similarity; these components actually use the same trust levels. A program trusted by Firewall is trusted by Application Privilege Control, too, and vice versa.

Similar to the Firewall, Application Privilege Control defines access rights for the trust groups in the policy. On the client computer, Kaspersky Endpoint Security assigns a trust group to every specific application.

The administrator can also manually assign a trust level to a particular program in the policy. If necessary, tougher restrictions than those set for the trust group can be specified for a particular program. New programs are added to the list the same way as in the Firewall: the executable file of an application is selected from the list of files ever started on the client computers. The policy has higher priority than the locally assigned trust group.



Automatic categorization

Kaspersky Endpoint Security assigns a trust group to a program when it starts for the first time; and the start is suspended until the analysis is over. The main categorization tool is Kaspersky Security Network. If it is inaccessible or KSN lacks information about the program, the assigned category depends on the policy settings:

  • Use heuristic analysis to define group—if this checkbox is selected, KES defines the program status using a special heuristic algorithm that emulates the program start. Emulation and analysis take time; by default, the time for assigning a trust group is limited to 30 seconds, and a separate setting named Maximum time to define group controls this limit. When the time runs out, the analysis is finished and the program is placed into a trust group
  • Automatically move to group—an alternative to heuristic trust group definition. This setting assigns one of three trust levels (High Restricted, Low Restricted or Untrusted) to a program without analysis
  • Trust applications that have a digital signature—if this parameter is enabled, programs with a valid digital signature are automatically placed in the Trusted group

There are two additional parameters in the policy that influence already categorized programs:

  • Update control rules for previously unknown applications from KSN databases—program trust group will be changed automatically if it appears in the KSN
  • Delete rules for applications that are not started for more than 60 days—the programs that have not been started for a long time will be automatically deleted from the trust groups on the client computer. The threshold is adjustable

These settings influence only the trust groups and information saved locally on the client computer and have no effect on the programs whose trust group is specified in the policy by the administrator.
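The categorization order and the priority rules above, written out as an added Python model (not Kaspersky's code). The ordering in which the policy fallbacks are tried after KSN, the `heuristic_verdict` argument standing in for the emulation result, and all names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Trust groups named on the page.
TRUSTED, LOW, HIGH, UNTRUSTED = "Trusted", "Low Restricted", "High Restricted", "Untrusted"

@dataclass
class PolicySettings:
    use_heuristics: bool = True            # "Use heuristic analysis to define group"
    auto_move_group: Optional[str] = None  # "Automatically move to group" (the alternative)
    trust_signed: bool = True              # "Trust applications that have a digital signature"
    update_from_ksn: bool = True           # "Update control rules ... from KSN databases"

@dataclass
class Program:
    name: str
    signed: bool
    policy_group: Optional[str] = None     # group fixed by the administrator in the policy
    local_group: Optional[str] = None      # group assigned on the client at first start

def categorize_on_first_start(prog, policy, ksn_verdict=None, heuristic_verdict=None):
    """Assign the local group at first start. Order assumed here: KSN verdict
    first, then the policy fallbacks (signature, heuristic emulation, auto-move)."""
    if ksn_verdict is not None:
        prog.local_group = ksn_verdict
    elif policy.trust_signed and prog.signed:
        prog.local_group = TRUSTED
    elif policy.use_heuristics:
        # the caller supplies the result of the timed emulation (assumption)
        prog.local_group = heuristic_verdict
    elif policy.auto_move_group in (LOW, HIGH, UNTRUSTED):
        prog.local_group = policy.auto_move_group
    else:
        raise ValueError("policy must enable heuristics or set an auto-move group")
    return effective_group(prog)

def apply_ksn_update(prog, policy, ksn_verdict):
    """A later KSN verdict changes only the locally assigned group, never a
    group the administrator fixed in the policy."""
    if policy.update_from_ksn and prog.policy_group is None:
        prog.local_group = ksn_verdict
    return effective_group(prog)

def effective_group(prog):
    """The policy has higher priority than the locally assigned group."""
    return prog.policy_group or prog.local_group
```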



Interaction with programs

Application Privilege Control allows limiting program interaction with other programs and operating system services depending on their trust group. The limitations can be configured both at the trust group level and for separate programs. Interaction rules cover a wide list of actions, for each of which the Allow or Block value is specified. The list of controlled actions is hard-coded.

By default, the restrictions for trust categories are as follows:

  • Trusted—no limitations
  • Low Restricted—everything is allowed except for building into operating system modules
  • High Restricted—interaction with operating system modules and other programs is prohibited. A program is allowed to work only with its own segment of system memory
  • Untrusted—a program is prohibited even from starting

Application Privilege Control, just like Application Startup Control, can block an application start. There is no contradiction here: if a program must be blocked according to the settings of one of the components, it is blocked regardless of the other component settings.



Access to resources

Application Privilege Control helps limit access to files, folders and registry keys on the hard drives. Files and registry keys are organized into groups, for which the rights of programs belonging to different trust categories are specified. Additionally, the restrictions specified for a group can be changed at the subgroup level, or individually for a file or registry key.

Initially, the list of protected resources contains groups of most important files and registry keys. The administrator can modify and create the categories. Access rights can be specified both in the list of protected resources, and in the program properties within the trust categories.

Rights to access a group of resources are defined independently for four operation types:

  • Read
  • Write
  • Delete
  • Create

By default, the following limitations are set for the trust categories:

  • Trusted—no restrictions
  • Low Restricted—everything is allowed except for changing important system files (boot.ini, system.ini, autoexec.bat, executable files within the system directory, etc.)
  • High Restricted—only Read access is allowed to the data from the operating system directories and registry branches
  • Untrusted—the program is prohibited even from starting

The limitations configured for a program are inherited by all its child processes, even if their executable files are included in the Trusted group. Thus, programs with a lower trust level cannot evade the prohibitions by using the privileges of programs with higher trust levels.



Hardening privilege control mode

Most widely used programs are automatically placed in the Trusted category, because they either have the manufacturer's digital signature or are included in the KSN Allow list. This allows toughening the restrictions for the other programs: they can be automatically moved to the High Restricted or Untrusted category. In the latter case, KES automatically blocks the start of unknown programs that have no digital signature and for which there are no allowing rules within the policy. If a program necessary for work is blocked, you can configure an exclusion for it.



Configuring exclusions

If the limitations set by the Application Privilege Control still block a necessary program, you can configure the corresponding exclusion. There are two types of exclusions in Application Privilege Control:

  • Exclusions for resources—allow any program to perform any operation with the specified group of resources
  • Exclusions for programs—allow the specified program to perform any operation

Exclusions for resources are configured in the properties of the Application Privilege Control, on the Protected resources tab. You can configure exclusions for folders, files and registry keys.

Exclusions for programs are configured in the Trusted zone, and provide several additional capabilities:

  • Do not monitor application activity—disable the restrictions that concern the specified program
  • Do not inherit restrictions of the parent process (application)—disable the limitations inherited from the process that started the program and the parent processes of higher levels
  • Do not monitor child application activity—disable the restrictions for the processes started by the program for which the exclusion is created
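How inheritance of restrictions by child processes (see "Access to resources") combines with the three program exclusions above, as an added Python model that is not Kaspersky's code. The resource group, its default rights, the process names and the reading that "Do not monitor child application activity" covers direct children only are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

OPS = frozenset({"Read", "Write", "Delete", "Create"})

# Default rights on a constructed resource group "important system files",
# following the page's defaults: Low Restricted may read but not change them,
# High Restricted gets Read only, Untrusted never starts.
DEFAULT_RIGHTS = {
    "Trusted": set(OPS),
    "Low Restricted": {"Read"},
    "High Restricted": {"Read"},
    "Untrusted": set(),
}

@dataclass
class Process:
    name: str
    group: str
    parent: Optional["Process"] = None
    # Trusted-zone exclusion flags named on the page
    no_monitor: bool = False           # "Do not monitor application activity"
    no_inherit: bool = False           # "Do not inherit restrictions of the parent process"
    no_monitor_children: bool = False  # "Do not monitor child application activity"

def own_rights(p, rights=DEFAULT_RIGHTS):
    """Rights the process gets from its own trust group (all, if it is excluded)."""
    return set(OPS) if p.no_monitor else set(rights[p.group])

def effective_rights(p, rights=DEFAULT_RIGHTS):
    """Rights of p on the resource group: its own rights, narrowed by every
    ancestor's rights, unless an exclusion switches inheritance off.
    Assumption: the child-activity exclusion applies to direct children only."""
    if p.group == "Untrusted":
        return set()  # an Untrusted program is not even allowed to start
    if p.parent is not None and p.parent.no_monitor_children:
        return set(OPS)
    allowed = own_rights(p, rights)
    if not p.no_inherit:
        ancestor = p.parent
        while ancestor is not None:
            allowed &= own_rights(ancestor, rights)
            ancestor = ancestor.parent
    return allowed
```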



Kaspersky Lab

Copyright © 1997-2014 Kaspersky Lab