Creating an application category with content added manually

Expand all | Collapse all

You can specify a set of criteria as a template of executable files for which you want to allow or block a start in your organization. On the basis of executable files corresponding to the criteria, you can create an application category and use it in the Application Control component configuration.

To create an application category with content added manually:

1. In the main menu, go to Operations → Third-party applications → Application categories.

   The page with a list of application categories is displayed.

2. Click the Add button.

   The New category wizard starts. Proceed through the wizard by using the Next button.

3. On the Select category creation method step, specify the application category name and select the Category with content added manually. Data of executable files is manually added to the category option.
4. On the Conditions step, click the Add button to add a condition criterion to include files in the creating category.
5. On the Condition criteria step, do the following:
   1. Select a rule type for the creation of the category:
      • From KL category

        If this option is selected, you can specify a Kaspersky application category as the condition of adding applications to the user category. The applications from the specified Kaspersky category will be added to the user application category.

      • Select certificate from repository

        If this option is selected, you can specify certificates from the repository. The category condition matches only the executable files signed by the specified certificate.

        Certificates are added to the repository if you created and started an inventory task or selected the About started applications check box in the Kaspersky Endpoint Security policy. You can perform both actions.

      • Specify path to application (masks supported)

        If this option is selected, you can specify the path to the folder on the client device containing the executable files that are to be added to the user application category.

      • Removable drive

        If this option is selected, you can specify the type of the medium (any drive or removable drive) on which the application is run. Applications that have been run on the selected drive type are added to the user application category.

      • Hash, metadata, or certificate:
        • Select from list of executable files

          If this option is selected, you can use the list of executable files on the client device to select and add applications to the category.

        • Select from applications registry

          If this option is selected, application registry is displayed. After you select an application from the registry, the window opens with the parameters filled in with metadata from the application that you selected:

          • File name.
          • File version. You can specify precise value of the version or describe a condition, for example "greater than 5.0".
          • Application name.
          • Application version. You can specify precise value of the version or describe a condition, for example "greater than 5.0".
          • Vendor.

          Note that only the launch of executable files that meet the specified parameters is blocked, not the launch of the application you select. If the selected application metadata matches the one of the executable file that is launched when you launch the application, then you can proceed to the next step. Otherwise, you have to change the values manually to match the metadata of the executable file.

        • Specify manually

          If this option is selected, you must specify file hash, or metadata, or certificate as the condition of adding applications to the user category.

          File Hash

          Depending on the version of the security application installed on devices on your network, you should select an algorithm for hash value computing by Kaspersky Security Center Linux for files in this category. Information about hash values computed by hash functions is stored in the Administration Server database.

          SHA256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security for Linux supports SHA256 computing.

          Select either of the options of hash value computing by Kaspersky Security Center Linux for files in the category:

          • If all instances of security applications installed on your network are Kaspersky Endpoint Security for Linux, select the SHA256 check box.
          • Select the MD5 hash check box only if you use Kaspersky Endpoint Security for Windows. Kaspersky Endpoint Security for Linux does not support the MD5 hash function.

          Metadata

          If this option is selected, you can specify file metadata as file name, file version, vendor. The category condition matches only the executable files with the same metadata.

          Certificate

          If this option is selected, you can specify certificates from the repository. The category condition matches only the executable files signed by the specified certificate.

          Certificates are added to the repository if you created and started an inventory task or selected the About started applications check box in the Kaspersky Endpoint Security policy. You can perform both actions.

        • From archived folder

          If this option is selected, you can specify a file of an archived folder, and then select which condition you want to use to add applications to the user category. The archived folder is unpacked and the conditions that you select are applied to the files in the folder. As a condition, you can select one of the following criteria:

          • File Hash

            You select which hash function (MD5 or SHA256) you want to use to calculate hash values. The applications that have the same hash value as the files in the archived folder are added to the user application category.

            Select an MD5 hash function only if you use Kaspersky Endpoint Security for Windows. Kaspersky Endpoint Security for Linux does not support the MD5 hash function.

          • Metadata

            You select which metadata you want to use as criteria. Executable files that contain the same metadata will be added to the user application category.

          • Certificate

            You select which certificate properties (certificate subject, fingerprint, or issuer) you want to use as criteria. Executable files that have been signed with the certificates that have the same properties will be added to the user category.

          If this option is selected, you can specify a file of an archived folder, and then select which condition you want to use to add applications to the user category. The archived folder is unpacked and the conditions that you select are applied to the files in the folder. As a condition, you can select one of the following criteria:

          • File Hash

            You select which hash function (MD5 or SHA256) you want to use to calculate hash values. The applications that have the same hash value as the files in the archived folder are added to the user application category.

            Select an MD5 hash function only if you use Kaspersky Endpoint Security for Windows. Kaspersky Endpoint Security for Linux does not support the MD5 hash function.

          • Metadata

            You select which metadata you want to use as criteria. Executable files that contain the same metadata will be added to the user application category.

          • Certificate

            You select which certificate properties (certificate subject, fingerprint, or issuer) you want to use as criteria. Executable files that have been signed with the certificates that have the same properties will be added to the user category.

   2. If necessary, add a comment in the Description field. The number of symbols cannot exceed 1000.

      Later, you can edit or delete the comment by opening the Conditions tab in the application category properties, and then in the Condition criterion column, click the link with the condition for which you want to edit or delete the comment.

      When selecting the From KL category rule type, you can add one comment for all conditions to be created based on this rule type. You can edit or delete the comment for every condition separately.

   The selected criterion is added to the list of conditions.

   You can add as many criteria as you need for the application category that is being created.

6. On the Exclusions step, click the Add button to add an exclusive condition criterion to exclude files from the category that is being created.

   If necessary, you can add a comment in the Description field. The number of symbols cannot exceed 1000.

   Later, you can edit or delete the comment by opening the Exclusions tab in the application category properties, and then in the Condition criterion column, click the link with the condition for which you want to edit or delete the comment.

7. On the Condition criteria step, select a rule type from the list, in the same way that you selected a rule type for category creation.

When the wizard finishes, the application category is created and displayed in the list of application categories. You can use the created application category when you configure Application Control.

For detailed information about Application Control, refer to the Kaspersky Endpoint Security for Linux Help and Kaspersky Endpoint Security for Windows Help.

See also: Using Application Control to manage executable files

Page top