Managing the startup of applications on Windows devices

You can block applications from running on Windows devices if those applications do not meet your corporate security requirements. Application startup is restricted through Application Control.

This feature is available only if you activated Kaspersky Endpoint Security Cloud under a Kaspersky Endpoint Security Cloud Pro license.

To configure Application Control on Windows devices:

  1. Open Kaspersky Endpoint Security Cloud Management Console.
  2. Select the Security managementSecurity profiles section.

    The Security profiles section contains a list of security profiles configured in Kaspersky Endpoint Security Cloud.

  3. In the list, select the security profile for the devices on which you want to configure Application Control.
  4. Click the link with the profile name to open the security profile properties window.

    The security profile properties window displays settings available for all devices.

  5. In the Windows group, select the Application Control section.

    The Application Control settings page opens.

  6. Set the toggle switch to Application Control is enabled.
  7. Under Application Control mode, select the global mode:
    • Allow all applications, except

      This mode is Default allow, which allows users to start an application unless it is on the list of blocked ones.

    • Block all applications, except

      This mode is Default deny, which prevents users from starting an application unless it is on the list of allowed ones.

  8. Specify a list of exceptions.

    For each Application Control mode, you can add up to five exceptions.

    Do any of the following:

    • To add an Application Control exception:
      1. Click the Add button.
      2. In the Add a new Application Control exception window that opens, define the exception settings, as described later in this section.
      3. Click Apply to close the Add a new Application Control exception window.
    • To enable or disable an added Application Control exception, set the toggle switch next to that exception to the desired state:
      • If the toggle switch is green, the exception is enabled. Depending on the Application Control mode, the applications specified in the exception are either blocked or allowed.

        By default, a newly added exception is enabled.

      • If the toggle switch is gray, the exception is disabled. When the user attempts to start the applications specified in the exception, the software behavior is determined by the Application Control mode.
    • To edit an added Application Control exception:

      You cannot edit the predefined exception Trusted installation packages that is displayed if the Application Control mode is Block all applications, except.

      1. Select the check box next to the required exception.
      2. Click the Edit button.
      3. In the Edit an Application Control exception window that opens, define the new settings of the exception, as described later in this section.
      4. Click Apply to close the Edit an Application Control exception window.
    • To delete Application Control exceptions that were added:

      You cannot delete the predefined exception Trusted installation packages that is displayed if the Application Control mode is Block all applications, except.

      1. Select the check boxes next to the required exceptions.
      2. Click the Delete button.
      3. In the confirmation window that opens, click the Delete button.
  9. Click Save to save the changes.

The list of Application Control exceptions is updated.

After the security profile is applied, Application Control is enabled on Windows devices. User access to applications is governed according to the currently defined settings.

To define the settings of an Application Control exception:

  1. Start adding or editing an exception, as described earlier in this section.
  2. In the Exception name field, enter the name of the exception.
  3. Select the criteria to be applied to applications.

    You can specify either of the following criteria:

    • Application categories

      Kaspersky Endpoint Security Cloud manages access to applications from the selected categories.

      Do the following:

      1. Click the Settings link.
      2. In the Application categories window that opens, select the check boxes next to the required categories.
      3. Click OK to close the Application categories window.
    • Individual applications

      Kaspersky Endpoint Security Cloud manages access only to the specified applications.

      Do the following:

      1. Click the Settings link.
      2. In the Individual applications window that opens, specify the list of applications to be excluded.

        You can use masks:

        • The * (asterisk) character takes the place of any set of characters. For example, C:\Users\User\Desktop\*.exe.
        • The ? (question mark) character takes the place of any single character. For example, C:\Users\User\Desktop\test?.exe.
      3. Click OK to close the Individual applications window.
    • All applications from removable drives

      Kaspersky Endpoint Security Cloud manages access to all applications that are stored on removable drives.

  4. Click Apply to save the changes.

The defined settings are saved.

Page top