Adding event-related executable files to the application category

After you configure Application Control in the Kaspersky Endpoint Security for Windows policies, the following events will be displayed in the list of events:

Application startup prohibited (Critical event). This event is displayed if you have configured Application Control to apply rules.
Application startup prohibited in test mode (Info event). This event is displayed if you have configured Application Control to test rules.
Message to administrator about application startup prohibition (Warning event). This event is displayed if you have configured Application Control to apply rules and a user has requested access to the application that is blocked at startup.

It is recommended to create event selections to view events related to Application Control operation.

You can add executable files related to Application Control events to an existing application category or to a new application category. You can add executable files only to an application category with content added manually.

To add executable files related to Application Control events to an application category:

In the main menu, go to MONITORING & REPORTING → EVENT SELECTIONS.
The list of event selections is displayed.
Select the event selection to view events related to Application Control and start this event selection.
If you have not created event selection related to Application Control, you can select and start a predefined selection, for example, Recent events.

The list of events is displayed.
Select the events whose associated executable files you want to add to the application category, and then click the Assign to category button.
The New Category Wizard starts. Proceed through the Wizard by using the Next button.
On the Wizard page, specify the relevant settings:
- In the Action on executable file related to the event section, select one of the following options:
  - Add to a new application category
    Select this option if you want to create a new application category based on event-related executable files.
    
    By default, this option is selected.
    
    If you have selected this option, specify a new category name.
  - Add to an existing application category
    Select this option if you want to add event-related executable files to an existing application category.
    
    By default, this option is not selected.
    
    If you have selected this option, select the application category with content added manually to which you want to add executable files.
- In the Rule type section, select one of the following options:
  - Rules for adding to inclusions
  - Rules for adding to exclusions
- In the Parameter used as a condition section, select one of the following options:
  - Certificate details (or SHA-256 hashes for files without a certificate)
    Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.
    
    Each file has its own unique SHA256 hash function. When you select an SHA256 hash function, only one corresponding file, for example, the defined application version, ends up in the category.
    
    Select this option if you want to add to the category rules the certificate details of an executable file (or the SHA256 hash function for files without a certificate).
    
    By default, this option is selected.
  - Certificate details (files without a certificate will be skipped)
    Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.
    
    Select this option if you want to add the certificate details of an executable file to the category rules. If the executable file has no certificate, this file will be skipped. No information about this file will be added to the category.
  - Only SHA-256 (files without a hash will be skipped)
    Each file has its own unique SHA256 hash function. When you select an SHA256 hash function, only one corresponding file, for example, the defined application version, ends up in the category.
    
    Select this option if you want to add only the details of the SHA256 hash function of the executable file.
  - Only MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1 version)
    Each file has its own unique MD5 hash function. When you select an MD5 hash function, only one corresponding file, for example, the defined application version, ends up in the category.
    
    Select this option if you want to add only the details of the MD5 hash function of the executable file. Computing of the MD5 hash function is supported by Kaspersky Endpoint Security 10 Service Pack 1 for Windows and all earlier versions.
Click OK.

When the Wizard finishes, executable files related to the Application Control events are added to the existing application category or to a new application category. You can view settings of the application category that you have modified or created.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online Help and to the Kaspersky Security for Virtualization Light Agent.