How to enable the Blocked applications mode
The Blocked applications mode is the mode, when Application Control allows users to start all applications except for applications that are prohibited in Application Control rules. That is, if no deny rule exists, Application Control allows starting the application. This mode of Application Control is enabled by default.
Before enabling the Blocked applications mode, we recommend testing your Application Control rules. For this purpose, you can enable the test mode.
How to enable the Blocked applications mode in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select Security Controls → Application Control.
- Select the Application Control check box.
- In the Application Control settings block use the Control mode drop-down list to select Denylist.
- In the Action drop-down list select the action for Application Control:
- Test rules. Application Control does not block applications that are prevented from running by the rules, but generates events about the running of applications that would otherwise be blocked.
- Apply rules. Application Control blocks the blocked applications and generates corresponding events.
- Select the status for the Application Control rules:
- On. This status means that the rule is used when the Application Control component is running.
- Off. This status means that the rule is ignored when the Application Control component is running.
- Test. This status means that Kaspersky Endpoint Security always allows the startup of applications to which the rule applies but logs information about the startup of such applications in the report.
If necessary, add new Application Control rules.
- Configure the advanced settings of Application Control:
- Monitor loading of DLL modules (significantly increases the load on the system). If the check box is selected, Kaspersky Endpoint Security controls the loading of DLL modules when users attempt to start applications. Information about the DLL module and the application that loaded this DLL module is logged in the report.
When enabling control over the loading of DLL modules and drivers, make sure that one of the following rules is enabled in the Application Control settings: the default Golden Image rule or another rule that contains the "Golden Image\Trusted certificates" KL category and ensures that trusted DLL modules and drivers are loaded before Kaspersky Endpoint Security is started. Enabling control of the loading of DLL modules and drivers when the Golden Image rule is disabled may cause instability in the operating system.
Kaspersky Endpoint Security monitors only the DLL modules and drivers that have been loaded since the check box was selected. After selecting the check box, it is recommended to restart the computer to ensure that the application monitors all DLL modules and drivers, including those loaded before Kaspersky Endpoint Security starts.
- Use strict digital signature verification. You can select a certificate as a triggering condition for an Application Control rule. If this check box is selected, Kaspersky Endpoint Security applies rules to applications signed with certificates only from the trusted system certificate store. Applications signed with such a certificate are also considered trusted by the protection components, for example, the Malware Scan task. However, if you specify a certificate from a different store in an Application Control rule, Kaspersky Endpoint Security does not apply such a rule.
If the check box is cleared, Kaspersky Endpoint Security applies rules to applications signed by a certificate from the Windows Trusted Root Certificate Store. Such applications are not part of the trusted zone. Protection components monitor the activity of such applications.
- Message about blocking. Template of the message that is displayed when an Application Control rule that blocks an application from starting is triggered.
- Message to administrator. Template of the message that a user can send to the corporate LAN administrator if the user believes that an application was blocked by mistake.
- Monitor loading of DLL modules (significantly increases the load on the system). If the check box is selected, Kaspersky Endpoint Security controls the loading of DLL modules when users attempt to start applications. Information about the DLL module and the application that loaded this DLL module is logged in the report.
- Save your changes. To apply the policy on computers, close the padlocks
.
How to enable the Blocked applications mode in the Web Console and Cloud Console
- In the main window of the Web Console, select the Assets (Devices) → Policies & profiles tab.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Security Controls → Application Control.
- Turn on the Application Control toggle.
- In the Application Control mode block, select Denylist.
- In the Action on starting applications blocked by rules block, select the action for Application Control:
- Inform (Test mode). Application Control does not block applications that are prevented from running by the rules, but generates events about the running of applications that would otherwise be blocked.
- Block. Application Control blocks the blocked applications and generates corresponding events.
- Select the status for the Application Control rules:
- Enabled. This status means that the rule is used when the Application Control component is running.
- Disabled. This status means that the rule is ignored when the Application Control component is running.
- Test mode. This status means that Kaspersky Endpoint Security always allows the startup of applications to which the rule applies but logs information about the startup of such applications in the report.
If necessary, add new Application Control rules.
- Configure the advanced settings of Application Control:
- Monitor loading of DLL modules (significantly increases the load on the system). If the check box is selected, Kaspersky Endpoint Security controls the loading of DLL modules when users attempt to start applications. Information about the DLL module and the application that loaded this DLL module is logged in the report.
When enabling control over the loading of DLL modules and drivers, make sure that one of the following rules is enabled in the Application Control settings: the default Golden Image rule or another rule that contains the "Golden Image\Trusted certificates" KL category and ensures that trusted DLL modules and drivers are loaded before Kaspersky Endpoint Security is started. Enabling control of the loading of DLL modules and drivers when the Golden Image rule is disabled may cause instability in the operating system.
Kaspersky Endpoint Security monitors only the DLL modules and drivers that have been loaded since the check box was selected. After selecting the check box, it is recommended to restart the computer to ensure that the application monitors all DLL modules and drivers, including those loaded before Kaspersky Endpoint Security starts.
- Use strict digital signature verification. You can select a certificate as a triggering condition for an Application Control rule. If this check box is selected, Kaspersky Endpoint Security applies rules to applications signed with certificates only from the trusted system certificate store. Applications signed with such a certificate are also considered trusted by the protection components, for example, the Malware Scan task. However, if you specify a certificate from a different store in an Application Control rule, Kaspersky Endpoint Security does not apply such a rule.
If the check box is cleared, Kaspersky Endpoint Security applies rules to applications signed by a certificate from the Windows Trusted Root Certificate Store. Such applications are not part of the trusted zone. Protection components monitor the activity of such applications.
- Message about blocking. Template of the message that is displayed when an Application Control rule that blocks an application from starting is triggered.
- Message to administrator. Template of the message that a user can send to the corporate LAN administrator if the user believes that an application was blocked by mistake.
- Monitor loading of DLL modules (significantly increases the load on the system). If the check box is selected, Kaspersky Endpoint Security controls the loading of DLL modules when users attempt to start applications. Information about the DLL module and the application that loaded this DLL module is logged in the report.
- Save your changes. To apply the policy on computers, close the padlocks
.
How to enable the Blocked applications mode in the application interface
- In the main application window, click the
button. - In the application settings window, select Security Controls → Application Control.
- Turn on the Application Control toggle.
- In the Application Startup Control mode block, select Denylist. All applications, except for the ones in the rules list, are allowed.
- In the Action on starting applications blocked by rules block, select the action for Application Control:
- Inform (Test mode) and log events in report. Application Control does not block applications that are prevented from running by the rules, but generates events about the running of applications that would otherwise be blocked.
- Block. Application Control blocks the blocked applications and generates corresponding events.
- Select the status for the Application Control rules:
- Enabled. This status means that the rule is used when the Application Control component is running.
- Disabled. This status means that the rule is ignored when the Application Control component is running.
- Test mode. This status means that Kaspersky Endpoint Security always allows the startup of applications to which the rule applies but logs information about the startup of such applications in the report.
If necessary, add new Application Control rules.
- Configure the advanced settings of Application Control:
- Monitor loading of DLL modules. If the check box is selected, Kaspersky Endpoint Security controls the loading of DLL modules when users attempt to start applications. Information about the DLL module and the application that loaded this DLL module is logged in the report.
When enabling control over the loading of DLL modules and drivers, make sure that one of the following rules is enabled in the Application Control settings: the default Golden Image rule or another rule that contains the "Golden Image\Trusted certificates" KL category and ensures that trusted DLL modules and drivers are loaded before Kaspersky Endpoint Security is started. Enabling control of the loading of DLL modules and drivers when the Golden Image rule is disabled may cause instability in the operating system.
Kaspersky Endpoint Security monitors only the DLL modules and drivers that have been loaded since the check box was selected. After selecting the check box, it is recommended to restart the computer to ensure that the application monitors all DLL modules and drivers, including those loaded before Kaspersky Endpoint Security starts.
- Use strict digital signature verification. You can select a certificate as a triggering condition for an Application Control rule. If this check box is selected, Kaspersky Endpoint Security applies rules to applications signed with certificates only from the trusted system certificate store. Applications signed with such a certificate are also considered trusted by the protection components, for example, the Malware Scan task. However, if you specify a certificate from a different store in an Application Control rule, Kaspersky Endpoint Security does not apply such a rule.
If the check box is cleared, Kaspersky Endpoint Security applies rules to applications signed by a certificate from the Windows Trusted Root Certificate Store. Such applications are not part of the trusted zone. Protection components monitor the activity of such applications.
- Templates of messages about application blocking. Template of the message that is displayed when an Application Control rule that blocks an application from starting is triggered.
- Template message text that is displayed when an application is blocked from starting. Template of the message that a user can send to the corporate LAN administrator if the user believes that an application was blocked by mistake.
- Monitor loading of DLL modules. If the check box is selected, Kaspersky Endpoint Security controls the loading of DLL modules when users attempt to start applications. Information about the DLL module and the application that loaded this DLL module is logged in the report.
- Save your changes.
As a result, Application Control blocks the blocked applications. Kaspersky Endpoint Security also generates Application startup prohibited events. You can use these events to generate the Report on prohibited applications report in the Kaspersky Security Center console. In the summary of the report, you can view the list of applications and computers on which the Application Control rule triggered.
Page top