Creating rules with the Rule Generator for Device Control local task

A local Rule Generator for Device Control task allows automatically adding Device Control rules for external devices connected to the protected computer to the settings of the local Device Control task and generating an XML file with the Device Control rules. After that, you can import the XML file in the Device Control settings, in the Kaspersky Security Center group policy or in the local Device Control task on any protected computer.

To secure the protected device, we recommend finalizing the list of Device Control rules before running the Device Control task in active mode. For this reason, we recommend collecting data on connections from controlled external devices in Device Control Statistics Only mode.

To set up Device Control rules using a local Rule Generator for Device Control task:

Open the properties of the policy that manages the device you are planning to connect external devices to.
Enable Device Control Statistics Only mode.
Activate the policy.
Connect the controlled external devices you want to create Device Control rules for to the protected computer.
Go to the settings of the local Rule Generator for Device Control task.
Go to the Configuration section.
Select a task running mode under Mode:
- Consider system data about all external devices that have ever been connected
- Consider currently connected external devices only
Under After task completes, specify actions for Kaspersky Embedded Systems Security for Windows to perform upon task completion:
- Add allowing rules to the list of Device Control rules.
  The check box enables or disables adding the newly generated allowing rules to the list of Device Control rules.
  
  If this check box is selected, Kaspersky Embedded Systems Security for Windows adds the rules generated by the Rule Generator for Device Control task to the list of Device Control rules based on the selected principle for adding rules.
  
  If this check box is cleared, Kaspersky Embedded Systems Security for Windows does not add the newly generated allowing rules to the list of Device Control rules.
  
  By default, the check box is cleared.
- Principle of adding.
  The drop-down list is available if the Add allowing rules to the list of Device Control rules check box is selected.
  
  This drop-down list is used to specify the method used to add the newly generated allowing rules to the list of Device Control rules.
  - Add to existing rules. The rules are added to the list of existing rules. Rules with identical settings are duplicated.
  - Replace existing rules. The rules replace the existing rules in the list.
  - Merge with existing rules. The rules are added to the list of existing rules. Rules with identical settings are not added; the rule is added if at least one rule parameter is unique.
  By default, the Merge with existing rules method is selected.
- Export allowing rules to file.
  The check box enables or disables export of Device Control allow rules to the XML file.
  
  If the check box is selected, Kaspersky Embedded Systems Security for Windows will export the allow rules to the XML file specified in the field below when the Rule Generator for Device Control task completes.
  
  If this check box is cleared, the application will not export the allow rules to the XML file when the Rule Generator for Device Control task completes.
  
  By default, the check box is cleared.
- Add protected device details to file name.
  The check box enables or disables adding of information about the protected device to the name of the XML file the Device Control rules are being saved to.
  
  If this check box is selected, the application adds the protected device name and the file creation date and time to the name of the XML file.
  
  If the check box is cleared, the application does not add information about the protected device to the name of the XML file.
  
  The check box is selected by default.
If you have enabled the Export allowing rules to file action, specify the path to the XML file the Device Control rules will be saved to.
1. Click the Select button.
2. An Open window opens.
3. Specify the path where you want to save the XML file containing the Device Control rules.
4. In the field with the same name, enter the name of the XML file.
5. Click the Open button.
  The full path to the XML file and the file name will be displayed in the Settings window.
In the Properties: Rule Generator for Device Control window, click OK.
In the list of tasks, select the previously configured Rule Generator for Device Control task.
In the context menu of the Rule Generator for Device Control task, select Run to start the task.

When the task completes, the automatically generated Device Control rules will be saved in the settings of the local Device Control task and/or to an XML file inside the specified folder.

Page top