Default Applications Launch Control task settings

By default, the Applications Launch Control task has the settings described in the table below. You can change the values of these settings.

Default Applications Launch Control task settings

Setting

Default value

Description

Task mode

Statistics only. The task records denied launch events and allowed launch events based on the set rules. Application launch is not actually denied.

You can select Active mode after the final list of rules is generated.

Repeat action taken for the first file launch on all the subsequent launches for this file

Not applied

You can repeat actions taken for the first file launch on all the subsequent launches for this file.

Deny the command interpreters launch with no command to execute

Not applied.

You can deny launch of command interpreters with no command to execute.

Rules managing

Add policy rules to the local rules

You can select a mode in which rules specified in a policy are applied together with the rules on the protected device.

Rule usage scope

The task controls the launch of executable files, scripts, and MSI packages.The task also monitors loading of DLL modules.

You can specify the file types for which launch is controlled by rules.

KSN Usage

KSN application reputation data is not used.

You can use KSN application reputation data when running the Applications Launch Control task.

Automatically allow software distribution via applications and packages listed

Not applied.

You can allow software distribution using the installers and applications specified in the settings. By default, software distribution is only allowed using the Windows Installer service.

Always allow software distribution via Windows Installer

Applied (can be changed only when the Automatically allow software distribution via applications and packages listed setting is enabled).

You can allow any software installation or update if the operations are performed via Windows Installer.

Always allow software distribution via SCCM using the Background Intelligent Transfer Service

Not applied (can be changed only when the Automatically allow software distribution via applications and packages listed setting is enabled).

You can turn on or off automatic software distribution using the System Center Configuration Manager.

Task start

First run is not scheduled.

The Applications Launch Control task does not start automatically at start of Kaspersky Industrial CyberSecurity for Nodes. You can start the task manually or configure a scheduled start.

Rule Generator for Applications Launch Control task default settings

Setting

Default Value

Description

Prefix for allowing rules names

Identical to the name of the protected device on which Kaspersky Industrial CyberSecurity for Nodes is installed.

You can change the prefix for names of allowing rules.

Allowing rules usage scope

The scope of allowing rules includes the following file categories by default:

  • Files with the EXE extension located in the folders C:\Windows, C:\Program Files (x86) and C:\Program Files
  • MSI packages stored in the C:\Windows folder
  • Scripts stored in the C:\Windows folder

    The task also creates rules for all running applications, regardless of their location and format.

You can change the protection scope by adding or removing folder paths and specifying the types of files that will be allowed to launch by the automatically generated rules. You can also ignore running applications when creating allowing rules.

Criteria for generation of allowing rules

The digital certificate subject and thumbprint are used; rules are generated for all users and groups of users.

You can use the SHA256 hash when generating allowing rules.

You can select a user and group of users for which allowing rules need to be automatically generated.

Actions upon task completion

Allowing rules are added to the list of Applications Launch Control rules; new rules are merged with existing rules; duplicate rules are removed.

You can add rules to the existing rules without merging them and without deleting duplicate rules, or replace existing rules with the new allowing rules, or configure export of the allowing rules to a file.

Task launch settings with permissions

The task is started under a system account.

You can allow the Rule Generator for Applications Launch Control task to start under a system account or using the permissions of a specified user.

Task start schedule

First run is not scheduled.

The Rule Generator for Applications Launch Control task does not start automatically when Kaspersky Industrial CyberSecurity for Nodes starts. You can start the task manually or configure a scheduled start.

Page top