Configuring Rule Generator for Applications Launch Control group task

How to configure the Rule Generator for Applications Launch Control group task in the Kaspersky Security Center Administration Console

Open the properties of the Rule Generator for Applications Launch Control group task.
1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.
2. Select the administration group for which you want to configure the task.
3. Select the Tasks tab.
4. In the list of group tasks, open the Rule Generator for Applications Launch Control task by double-clicking the name of the task.
  The Properties: Rule Generator for Applications Launch Control window opens.
Go to the Options section.
If necessary, on the Rules tab, enter a prefix for rule names.
Under Allowing rule usage scope, specify the method you want to use for creating allow rules:
- Create allowing rules based on running applications.
  This check either box enables or disables generation of Applications Launch Control rules for applications that are already running.
  
  This option is recommended if the protected device has a reference set of applications based on which you want to create allowing rules.
  
  If this check box is selected, the task generates allow rules to control running applications.
  
  By default, the check box is cleared.
  
  This check box cannot be cleared if none of the folders are selected in the Create allowing rules for applications from the folders table.
- Create allowing rules for applications from the folders.
  In the following table you can add scopes for selecting executable files, MSI packages, and scripts. The task will create allow rules if files of the specified types and in the specified scopes are launched.
On the Settings tab, select the criterion that the task will apply when creating Applications Launch Control allow rules:
- Use digital certificate.
  If this option is selected, the presence of a digital certificate is specified as a rule triggering criterion in the settings of the newly generated allowing rules for Applications Launch Control. Kaspersky Embedded Systems Security will allow files that have a digital certificate. We recommend this option if you want to allow the start of any applications that are trusted in the operating system.
  
  This option is selected by default.
- Use digital certificate subject and thumbprint.
  This functionality enables or disables the use of the subject and thumbprint of the file's digital certificate as a criterion for triggering the allowing rules for Applications Launch Control.
  
  If this functionality is enabled, the subject and thumbprint values of the digital certificate of files for which the rules are generated are set as a criterion for triggering the allowing rules for Applications Launch Control. Kaspersky Embedded Systems Security will allow applications that are launched using files with the specified subject and thumbprint of the digital certificate.
  
  This functionality strictly restricts the triggering of allow rules based on a digital certificate because a thumbprint is a unique identifier of a digital certificate and cannot be forged.
  
  If this functionality is disabled, the existence of any digital certificate that is trusted in the operating system is set as a criterion for triggering the allowing rules for Applications Launch Control.
  
  This functionality is available if the Use digital certificate criterion is selected.
- If the certificate is missing, use.
  This is a drop-down list that allows you to select the criterion for triggering an allowing rule for Applications Launch Control if the file used to generate the rule, has no digital certificate.
  - SHA256 hash. The checksum of the file used to generate the rule is set as a criterion for triggering the allowing rule for Applications Launch Control. Kaspersky Embedded Systems Security will allow applications launched using files with a specified checksum.
  - Path to file. The path to the file used to generate the rule is set as a criterion for triggering the allowing rule for Applications Launch Control. Kaspersky Embedded Systems Security will allow application launched using files in folders specified on the Rules tab in the Create allowing rules for applications from the folders table.
  The drop-down list is available if the Use digital certificate criterion is selected.
- Use SHA256 hash.
  If this option is selected, the checksum of the file used to generate the rule is specified as a rule triggering criterion in the settings of the newly generated allowing rules for Applications Launch Control. Kaspersky Embedded Systems Security will allow applications launched using files with a specified checksum.
  
  Using a SHA256 checksum as a rule triggering criterion restricts the rule usage scope to one file.
Configure the Add a file path for rules generated based on hash sums setting.
If this check box is selected, when exporting rules, Kaspersky Embedded Systems Security adds full paths to executable files to the XML file. The full paths can help you tell which software an executable file belongs to.

If the check box is cleared, the XML file contains only names and SHA256 hashes of executable files. By default, the check box is cleared.
Add users and/or groups of users that you want to be able to launch applications that satisfy the rules created using the task.
1. In the context menu of the Add button, select the method for adding users or groups.
2. This opens a window; in that window, enter or select the name of a user or group of users.
3. Click OK.
4. Complete steps a through c for every user or group of users.
In the After task completes block, configure the following settings:
- Add allowing rules to the list of Applications Launch Control rules.
  The check box enables or disables adding the newly generated allowing rules to the list of Applications Launch Control rules.
  
  If this check box is selected, Kaspersky Embedded Systems Security adds the rules generated by the Rule Generator for Applications Launch Control task to the list of Applications Launch Control rules based on the selected principle for adding rules.
  
  If this check box is cleared, Kaspersky Embedded Systems Security does not add the newly generated allowing rules to the list of Applications Launch Control rules.
  
  By default, the check box is cleared.
- Principle of adding.
  This drop-down list is used to specify the method used to add the newly generated allowing rules to the list of Applications Launch Control rules.
  - Replace existing rules. The rules replace the existing rules in the list.
  - Add to existing rules. The rules are added to the list of existing rules. Rules with identical settings are duplicated.
  - Merge with existing rules. The rules are added to the list of existing rules. Rules with identical settings are not added; the rule is added if at least one rule parameter is unique.
  The list is available if the Add allowing rules to the list of Applications Launch Control rules check box is selected.
- Export allowing rules to file. You can click the Browse button to specify a path to which Kaspersky Embedded Systems Security will export allow rules to an XML file when the Rule Generator for Applications Launch Control task finishes.
- Add protected device details to the file name.
  The check box enables or disables adding of information about the protected device to the name of the XML file the Applications Launch Control rules are being saved to.
  
  If this check box is selected, the application adds the protected device name and the file creation date and time to the name of the XML file.
  
  The check box is selected by default.
If necessary, on the Exclusions tab, specify objects that you want to exclude from the scope of the task.
Click the OK button in the Properties: Rule Generator for Applications Launch Control window.

How to configure the Rule Generator for Applications Launch Control group task in the Kaspersky Security Center Web Console

In the main window of the Web Console, select Assets (Devices) → Tasks.
In the list of group tasks, open the Rule Generator for Applications Launch Control task.
The Rule Generator for Applications Launch Control window opens.
Open the Application settings tab.
If necessary, in the Allowing rule usage scope section, enter a prefix for rule names.
Under Allowing rule usage scope, specify the method you want to use for creating allow rules:
- Create allowing rules based on running applications
- Create allowing rules for applications from the folders
On the Parameters tab, select the criterion that the task will apply when creating Applications Launch Control allow rules:
Configure the Add a file path for rules generated based on hash sums setting.
If this check box is selected, when exporting rules, Kaspersky Embedded Systems Security adds full paths to executable files to the XML file. The full paths can help you tell which software an executable file belongs to.

If the check box is cleared, the XML file contains only names and SHA256 hashes of executable files. By default, the check box is cleared.
Add users and/or groups of users that you want to be able to launch applications that satisfy the rules created using the task.
1. Click Select user or group.
2. This opens a window; in that window, enter or select the name of a user or group of users.
3. Click Select.
4. Complete steps a through c for every user or group of users.
In the After task completes block, configure the following settings:
- Add allowing rules to the list of Applications Launch Control rules.
- Principle of adding.
- The allowing rules will be exported to a file. In the Specify the full path to a file with .xml extension field, you can specify a path to which Kaspersky Embedded Systems Security will export allow rules to an XML file when the Rule Generator for Applications Launch Control task finishes.
- Add protected device details to the file name.
If necessary, on the Exclusions tab, specify objects that you want to exclude from the scope of the task.
Click the OK button in the Rule Generator for Applications Launch Control window.

Page top