1. Go to the Applications Launch Control settings in the policy that you want to configure.
   1. In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.
   2. Select the administration group for which you want to configure the task.
   3. Select the Policies tab.
   4. Double-click the policy name you want to configure.
   5. In the policy properties window, go to the Local activity control section.
   6. In the Applications Launch Control block, click the Settings button.

      The Applications Launch Control window opens on the General tab.

2. Enable Applications Launch Control using the check box with the same name.
3. In the Operating mode for blocking rules block, configure the following settings:
   • Task operating mode:
     • Block. Kaspersky Embedded Systems Security applies all created Applications Launch Control rules.
     • Inform. Kaspersky Embedded Systems Security does not use Applications Launch Control rules. It only records information about the start of applications in the task log. All applications are allowed to start. You can use this mode to generate a list of Applications Launch Control rules based on the information about denied application launches recorded in the task log.
   • Repeat action taken for the first file launch on all the subsequent launches for this file.
     

     The option enables or disables launch control for the second and subsequent attempts to start applications based on the event information stored in the cache.

     If the option is enabled, Kaspersky Embedded Systems Security allows or denies subsequent launches of an application based on the task's conclusion regarding the first launch of the application. For example, if the first application launch was allowed by the rules, information about this decision will be stored in the cache, and the second and all subsequent launches will also be allowed without rechecking.

     If the application is installed on a computer running Windows XP, when working with files through Explorer, the first application startup conclusions may be overwritten, causing the function to not work properly.

     If the option is disabled, Kaspersky Embedded Systems Security analyzes an application every time a launch is attempted.

     This option is disabled by default.

   • Deny the command interpreters launch with no command to execute.
     

     If this functionality is enabled, Kaspersky Embedded Systems Security denies launching of a command-line interpreter when any of the following conditions is met:

     • The launch of a command-line interpreter is denied by Applications Launch Control rules.
     • The command-line interpreter starts without parameters.

     If the option is disabled, Kaspersky Embedded Systems Security only considers allowing rules when launching a command line interpreter. Launch is blocked if none of the Applications Launch Control allow rules is applicable. If the allowing rule of Applications Launch Control applies, a command line interpreter can be launched with or without a command to execute.

     Kaspersky Embedded Systems Security controls the launch of the following command interpreters:

     • cmd.exe
     • powershell.exe
     • python.exe
     • perl.exe
     • wscript.exe

     This option is disabled by default.

4. In the Rule usage scope block, configure the following settings:
   • Apply rules to executable files.
     

     The option either enables or disables launch control of executable files.

     If this functionality is enabled, Kaspersky Embedded Systems Security allows or denies the launch of executable files using Applications Launch Control rules.

     If this functionality is disabled, Kaspersky Embedded Systems Security does not control the launch of executable files using Applications Launch Control rules. Startup of executable files is allowed.

     This option is enabled by default.

   • Monitor loading of DLL modules.
     

     This functionality is available if the Apply rules to executable files functionality is enabled.

     This functionality enables or disables the control of loading of DLL modules.

     If this functionality is enabled, Kaspersky Embedded Systems Security allows or denies the loading of DLL modules using Applications Launch Control rules.

     If this functionality is disabled, Kaspersky Embedded Systems Security does not control the loading of DLL modules using Applications Launch Control rules. Loading of DLL modules is allowed.

     This option is disabled by default.

     Controlling loading of DLL modules may affect the performance of the operating system.

   • Apply rules to scripts and MSI packages.
     

     The option either enables or disables launch of scripts and MSI packages.

     If this functionality is enabled, Kaspersky Embedded Systems Security allows or denies the launch of scripts and MSI packages using Applications Launch Control rules.

     If the check box is cleared, Kaspersky Embedded Systems Security does not control the launch of MSI scripts and packages using Applications Launch Control rules. Start of scripts and MSI packages is allowed.

     This option is enabled by default.

5. Under Certificate monitoring, enable or disable the Ignore a missing signature timestamp when validating certificates functionality.
   

   If this functionality is enabled, Kaspersky Embedded Systems Security allows launching applications that are signed with certificates that have expired or have an undefined expiration date.

   If this functionality is disabled, Kaspersky Embedded Systems Security denies launching applications that are signed with certificates that have expired or have an undefined expiration date.

   This option is disabled by default.

6. In the Applications Launch Control window, click OK to save your changes.

Kaspersky Embedded Systems Security immediately applies the new settings to the running task. Information about the date and time when the settings were modified, and the values of task settings before and after modification, are saved in the system audit log.

1. In the Application Console tree, select the Computer Control → Applications Launch Control section.
2. Click the Properties link in the results pane.

   The Applications Launch Control window opens on the General tab.

3. Enable Applications Launch Control using the check box with the same name.
4. In the Operating mode for blocking rules block, configure the following settings:
   • Task operating mode:
     • Block. Kaspersky Embedded Systems Security applies all created Applications Launch Control rules.
     • Inform. Kaspersky Embedded Systems Security does not use Applications Launch Control rules. It only records information about the start of applications in the task log. All applications are allowed to start. You can use this mode to generate a list of Applications Launch Control rules based on the information about denied application launches recorded in the task log.
   • Repeat action taken for the first file launch on all the subsequent launches for this file.
   • Deny the command interpreters launch with no command to execute.
5. In the Rule usage scope block, configure the following settings:
   • Apply rules to executable files.
   • Monitor loading of DLL modules.

     Controlling loading of DLL modules may affect the performance of the operating system.

   • Apply rules to scripts and MSI packages.
6. Under Certificate monitoring, enable or disable the Ignore a missing signature timestamp when validating certificates functionality.
7. In the Applications Launch Control window, click OK to save your changes.

Kaspersky Embedded Systems Security immediately applies the new settings to the running task. Information about the date and time when the settings were modified, and the values of task settings before and after modification, are saved in the system audit log.

1. Go to the Applications Launch Control settings in the policy that you want to configure.
   1. In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
   2. Click the name of the Kaspersky Embedded Systems Security policy.

      The policy properties window opens.

   3. Select the Application settings tab.
   4. Select the Local activity control section.
   5. In the Applications Launch Control block, click the Configure button.

      The Applications Launch Control window opens on the General tab.

2. Enable Applications Launch Control using the check box with the same name.
3. In the Operating mode for blocking rules block, configure the following settings:
   • Task operating mode:
     • Block. Kaspersky Embedded Systems Security applies all created Applications Launch Control rules.
     • Inform. Kaspersky Embedded Systems Security does not use Applications Launch Control rules. It only records information about the start of applications in the task log. All applications are allowed to start. You can use this mode to generate a list of Applications Launch Control rules based on the information about denied application launches recorded in the task log.
   • Repeat action taken for the first file launch on all the subsequent launches for this file.
   • Deny the command interpreters launch with no command to execute.
4. In the Rule usage scope block, configure the following settings:
   • Apply rules to executable files.
   • Monitor loading of DLL modules.

     Controlling loading of DLL modules may affect the performance of the operating system.

   • Apply rules to scripts and MSI packages.
5. Under Certificate monitoring, enable or disable the Ignore a missing signature timestamp when validating certificates functionality.
6. In the Applications Launch Control window, click OK to save your changes.
7. Save the modified policy.

Kaspersky Embedded Systems Security immediately applies the new settings to the running task. Information about the date and time when the settings were modified, and the values of task settings before and after modification, are saved in the system audit log.