Generating Applications Launch Control rules may become more complicated if you also want to control the distribution of software, for example on protected devices where installed software is automatically updated on a regular basis. In this case, the list of allowing rules must be updated after each software update so that newly created files are taken into account in the Applications Launch Control task settings. To simplify launch control in software distribution scenarios, you can use Software Distribution Control.
An installation package (hereinafter referred to as “package”) represents one or several applications to be installed on a protected device. An installation package may also contain updates and individual commands.
The Software Distribution Control subsystem is implemented as an additional list of exclusions. When an installation package is added to the list, it becomes trusted. Unpacking is allowed for trusted packages, and automatic startup is allowed for applications installed or updated from trusted packages. The extracted files can inherit the trusted attribute of the primary distribution package. A primary distribution package is a package that has been added to the list of Software Distribution Control exclusions by a user and has become a trusted package.
Kaspersky Embedded Systems Security controls only the full cycle of application distribution and cannot correctly process the launch of files modified by a trusted package if, when the package is started for the first time, Software Distribution Control is turned off or the Applications Launch Control component is not installed.
To use Software Distribution Control, you must enable the Apply rules to executable files functionality in general Applications Launch Control settings.
Software distribution cache
Kaspersky Embedded Systems Security uses a dynamically generated software distribution cache (“distribution cache”) to establish the relationship between trusted packages and files created during software distribution. When a package is first started, Kaspersky Embedded Systems Security detects all files created by the package during the software distribution process and stores file checksums and paths in the distribution cache. Then, by default, all files that have information saved in the distribution cache are allowed to start.
You cannot review, delete, or manually modify the distribution cache via the user interface. The cache is populated and controlled by Kaspersky Embedded Systems Security.
You can export the distribution cache to a configuration file (XML format) or delete the distribution cache on the command line.
To export the distribution cache to a configuration file, execute the following command:
kavshell appcontrol /config /savetofile:<full path> /sdc
To delete the distribution cache, execute the following command:
kavshell appcontrol /config /clearsdc
Kaspersky Embedded Systems Security updates the distribution cache every 24 hours. If the checksum of a previously allowed file is changed, the application deletes the record for this file from the distribution cache. If the Applications Launch Control task is started in Active mode, subsequent attempts to start this file will be blocked. If the full path to the previously allowed file is changed, subsequent attempts to start this file will not be blocked, because the checksum is stored within the distribution cache.
Processing the extracted files
Extracted files and packages created by a primary trusted distribution package (at the first level of nesting) inherit the trusted attribute: their checksums are added to the distribution cache when the software distribution package in the exclusion list is opened for the first time. Hence, the distribution package itself and all files extracted from this package will also be trusted.
For example, if test.msi, a package containing several packages and applications, is added to the list of exclusions and the Allow launching of all child files as trusted distribution packages functionality is enabled, all packages and applications contained in the test.msi package can be unpacked and run, even if they contain other nested files. This scenario works for extracted files on all nested levels.
If the test.msi package is added to the list of exclusions, and the Allow launching of all child files as trusted distribution packages functionality is disabled, the application assigns the trusted attribute only to those packages and executable files that have been extracted directly from the trusted package (at the first level of nesting). The checksums of such files are stored in the distribution cache. All files on the second level of nesting and beyond will be blocked by the Default Deny principle.
Extracted files will retain the trusted attribute after the operating system restarts.
To remove the inheritance attribute from all extracted files, you must delete the distribution cache and disable the Allow launching of all child files as trusted distribution packages functionality before you run the trusted installation package again.
Working with the Applications Launch Control rule list
The list of trusted packages of Software Distribution Control is a list of exclusions, which supplements, but does not replace, the general list of Applications Launch Control rules.
Denying rules of Applications Launch Control have the highest priority: decompression of a trusted package and the start of new or modified files will be blocked if these packages and files are affected by denying rules.
Software Distribution Control exclusions apply both to trusted packages and to files created or modified by these packages, provided that no denying rules in the Applications Launch Control list apply to those packages and files.
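The following added example is a simplified model of the behavior described in the sections above (checksum-keyed distribution cache, first-level versus all-level inheritance, the 24-hour update, and the priority of denying rules). It is not Kaspersky code and not part of the original page. All class and function names, the sample files, and the use of SHA-256 are assumptions; the general list of allowing rules is left out.

```python
# Added illustration: a simplified model, not Kaspersky code. All names are hypothetical.
import hashlib
from dataclasses import dataclass, field

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # SHA-256 is an assumption of this model

@dataclass
class File:
    path: str
    data: bytes
    children: list = field(default_factory=list)  # files created when this one runs

@dataclass
class Model:
    allow_children: bool                           # "Allow launching of all child files..." option
    exclusions: set = field(default_factory=set)   # checksums of trusted packages
    deny: set = field(default_factory=set)         # checksums matched by denying rules
    cache: dict = field(default_factory=dict)      # distribution cache: checksum -> path

    def may_start(self, f: File) -> bool:
        d = digest(f.data)
        if d in self.deny:                         # denying rules have the highest priority
            return False
        return d in self.exclusions or d in self.cache  # anything else: Default Deny

    def start(self, f: File) -> bool:
        """Start f if allowed and record the files it creates, per the inheritance option."""
        if not self.may_start(f):
            return False
        if digest(f.data) in self.exclusions or self.allow_children:
            for child in f.children:               # first level always; deeper only if enabled
                self.cache[digest(child.data)] = child.path
        return True

    def refresh(self, disk: dict) -> None:
        """24-hour update: drop a record when the file at its recorded path has changed."""
        for d, path in list(self.cache.items()):
            if path in disk and digest(disk[path]) != d:
                del self.cache[d]

# Constructed sample: test.msi -> inner.msi (level 1) -> tool.exe (level 2)
TOOL = File(r"C:\app\tool.exe", b"tool-v1")
INNER = File(r"C:\app\inner.msi", b"inner", [TOOL])
PKG = File(r"C:\dist\test.msi", b"outer", [INNER])

def install(allow_children: bool, deny=()) -> tuple:
    m = Model(allow_children, exclusions={digest(PKG.data)}, deny=set(deny))
    return m, [m.start(PKG), m.start(INNER), m.start(TOOL)]
```

Calling install(False) shows the second-level file being blocked, and install(True) shows it being allowed; refresh() takes a mapping of path to current file contents to simulate the periodic cache update.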