An Application Control rule is a set of settings required for the Application Control task to work:
The application belonging to the application category. An application category is a group of applications with common characteristics. For example, a category that includes executable files of installed applications, or a category of applications required for operation, which includes a standard set of applications used by the organization. Each category can only be used in one rule.
Kaspersky Endpoint Security does not support use of the KL categories of Kaspersky Security Center.
Permission or prohibition for selected users and/or groups of users to run applications. You can specify a user and/or user group that is allowed or not allowed to run applications of the specified category.
Rule triggering condition. A condition is represented by the following correspondence: "condition type – condition criterion – condition value". Based on the rule triggering condition, Kaspersky Endpoint Security applies or does not apply the rule to the application. The rules use inclusive and exclusive conditions:
Inclusive conditions. Kaspersky Endpoint Security applies the rule to the application if the application meets at least one inclusive condition.
Exclusive conditions. Kaspersky Endpoint Security does not apply the rule to the application if the application meets at least one exclusive condition or does not meet any of the inclusive conditions.
Rule triggering conditions are created using the following criteria:
Name of the application's executable file.
Name of the directory with the application's executable file.
Hash of the application's executable file. Only SHA-256 is allowed.
For each criterion used in the condition, a value must be specified.
You can use masks to specify the names of files and directories.
You can use the * character (any sequence of characters) or the ? character (any one character) as the file or directory name mask.
You can put the * character to represent any set of characters (including an empty set) in a file or directory name that includes the / character. For example, /dir/*/file*/ or /dir/file*/.
You can put a single ? character to represent any one character (including /) in the file or directory name.
If the settings of the application being launched match the values of the criteria specified in the inclusive condition, the rule is triggered. In this case, Application Control performs the action specified in the rule. If application settings match the values of the criteria specified in the exclusive condition, Application Control does not control the application launch.
If the name of the application executable file and the executable file directory are specified in the rule triggering conditions (inclusive or exclusive), but no hash (SHA-256) of the application executable file is specified, then a user having sufficient rights can copy the application to a different directory and run it.
For each mode of the Application Control task, you need to create separate rules and select an action that the Application Control task will perform when it detects an attempt to start an application.
The Application Control rules have three operation statuses:
Enabled – the rule is enabled, Kaspersky Endpoint Security applies this rule when the Application Control task is running.
Disabled – the rule is disabled and is not used when the Application Control task is running.
Test – Kaspersky Endpoint Security allows launching applications that meet the rule criteria, but logs information about launches of these applications in the report.
The priority of the rule operation status is higher than the priority of the action specified in the rule.