Configuring Applications Launch Control task settings

To configure general Applications Launch Control task settings:

Open the Applications Launch Control window.
On the General tab, select the following settings in the Task mode section:
- In the Task mode drop-down list, specify the task mode.
  In this drop-down list, you can select the Applications Launch Control task's mode:
  - Active. Kaspersky Embedded Systems Security for Windows uses the specified rules to control the launch of any application.
  - Statistics only. Kaspersky Embedded Systems Security for Windows does not use Applications Launch Control rules. It only records information about the start of applications in the task log. All applications are allowed to start. You can use this mode to generate a list of Applications Launch Control rules based on the information about denied application launches recorded in the task log.
  By default, the Applications Launch Control task runs in Statistics only mode.
- Clear or select the Repeat action taken for the first file launch on all the subsequent launches for this file check box.
  The check box enables or disables launch control for the second and subsequent attempts to start applications based on the event information stored in the cache.
  
  If the check box is selected, Kaspersky Embedded Systems Security for Windows allows or denies subsequent launches of an application based on the task's conclusion regarding the first launch of the application. For example, if the first application launch was allowed by the rules, information about this decision will be stored in the cache, and the second and all subsequent launches will also be allowed without rechecking.
  
  If the check box is cleared, Kaspersky Embedded Systems Security for Windows analyzes an application every time a launch is attempted.
  
  By default, the check box is cleared.
- Clear or select the Deny the command interpreters launch with no command to execute.
  If the check box is selected, Kaspersky Embedded Systems Security for Windows denies the launch of command line interpreters even if launching interpreters is allowed. A command line interpreter can only be launched with no command if both of the following conditions are met:
  - Launch of the command line interpreter is allowed.
  - The command to be executed is allowed.
  If the check box is cleared, Kaspersky Embedded Systems Security for Windows only considers allowing rules when launching a command line interpreter. The launch is denied if no allowing rule applies or the executable process is not trusted by KSN. If an allowing rule applies or the process is trusted by KSN, a command line interpreter can be launched with or without a command to execute.
  
  Kaspersky Embedded Systems Security for Windows recognizes the following command line interpreters:
  - cmd.exe
  - powershell.exe
  - python.exe
  - perl.exe
  By default, the check box is cleared.
In the Rules managing block, configure settings for applying rules:
1. Click the Rules list button to add allowing rules for the Applications Launch Control task.
  Kaspersky Embedded Systems Security for Windows does not recognize paths that contain slashes ("/"). Use backslash ("\") to enter the path correctly.
2. Select the mode for applying rules:
  - Replace local rules with policy rules
    The application applies the rule list specified in the policy for centralized application launch control on a group of protected devices. Local rule lists cannot be created, edited, or applied.
  - Add policy rules to the local rules
    The application applies the rule list specified in a policy together with local rule lists. You can edit the local rule lists using the Rule Generator for Applications Launch Control task.
In the Rule usage scope section, specify the following settings:
- Apply rules to executable files.
  The check box either enables or disables launch control of executable files.
  
  If this check box is selected, Kaspersky Embedded Systems Security for Windows allows or blocks start of executable files using the specified rules whose settings specify Executable files as the scope.
  
  If the check box is cleared, Kaspersky Embedded Systems Security for Windows does not control start of executable files using the specified rules. Startup of executable files is allowed.
  
  The check box is selected by default.
- Monitor loading of DLL modules.
  The check box either enables or disables control of loading of DLL modules.
  
  If this check box is selected, Kaspersky Embedded Systems Security for Windows allows or blocks loading of DLL modules using the specified rules whose settings specify Executable files as the scope.
  
  If this check box is cleared, Kaspersky Embedded Systems Security for Windows does not control loading of DLL modules using the specified rules. Loading of DLL modules is allowed.
  
  The check box is active if the Apply rules to executable files check box is selected.
  
  The check box is selected by default.
  
  Controlling loading of DLL modules may affect the performance of the operating system.
- Apply rules to scripts and MSI packages.
  The check box either enables or disables launch of scripts and MSI packages.
  
  If this check box is selected, Kaspersky Embedded Systems Security for Windows allows or blocks start of scripts and MSI packages using the specified rules whose settings specify Scripts and MSI packages as the scope.
  
  If the check box is cleared, Kaspersky Embedded Systems Security for Windows does not control start of scripts and MSI packages using specified rules. Start of scripts and MSI packages is allowed.
  
  The check box is selected by default.
In the KSN Usage group box, configure the following application launch settings:
- Deny applications untrusted by KSN.
  The check box either enables or disables Applications Launch Control according to application reputation data in KSN.
  
  If this check box is selected, Kaspersky Embedded Systems Security for Windows blocks any application from running if it is not trusted in KSN. Applications Launch Control allowing rules that apply to applications not trusted in KSN will not be triggered. Selecting the check box provides additional protection from malware.
  
  If the check box is cleared, Kaspersky Embedded Systems Security for Windows does not consider the reputation of applications not trusted in KSN and allows or blocks start in accordance with the rules that apply to such applications.
  
  By default, the check box is cleared.
- Allow applications trusted by KSN.
  The check box either enables or disables Applications Launch Control according to application reputation data in KSN.
  
  If this check box is selected, Kaspersky Embedded Systems Security for Windows allows applications to run if they are trusted in KSN. Denying application launch control rules that apply to KSN-trusted applications have higher priority: if an application is trusted by KSN services, the application launch will be blocked.
  
  If the check box is cleared, Kaspersky Embedded Systems Security for Windows does not consider the reputation of KSN-trusted applications and allows or denies launch in accordance with rules that apply to such applications.
  
  By default, the check box is cleared.
- Users and / or user groups allowed to launch applications trusted in KSN:
  1. In the context menu of the Edit button, select the method for adding users.
    The Select user or user group window opens.
  2. Select a user or user group.
  3. Click the OK button.
On the Software Distribution Control tab, configure the settings for software distribution control.
On the Task management tab, configure the task start schedule settings.
Click the OK button in the Applications Launch Control window.

Kaspersky Embedded Systems Security for Windows immediately applies the new settings to the running task. Information about the date and time when the settings were modified, and the values of task settings before and after modification, are saved in the system audit log.

Page top