Creating and editing the Application Startup Control rule
You can create Application Startup Control rules that allow or block corporate LAN users from starting applications on protected virtual machines.
To create or edit the Application Startup Control rule:
Open Kaspersky Security Center Administration Console.
In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
In the workspace, select the Policies tab.
Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
In the policy properties window, select the Application Startup Control section in the list on the left.
In the right part of the window, in the Application Startup Control settings section, in the drop-down list, select the Application Startup Control mode:
Allowlist of applications. If this mode is selected, Application Startup Control blocks all users from starting any applications except those that are specified in the created Application Startup Control rule.
This operating mode is selected by default.
Denylist of applications. If this mode is selected, Application Startup Control allows all users to start any applications except those that are specified in the created Application Startup Control rule.
In the Action drop-down list, select the action that Kaspersky Security must perform when a user attempts to start an application that is not allowed by an Application Startup Control rule:
Block. If this item is selected, when a user attempts to start an application that is not allowed by a rule, Kaspersky Security blocks this application from starting.
Inform. If this item is selected, when a user attempts to start an application that is not allowed by a rule, Kaspersky Security allows this application to start but logs information about this in the local interface report and sends this information to Kaspersky Security Center.
This action is set by default.
In the Application Startup Control settings section, perform one of the following actions:
To create a new rule, click the Add button.
If you want to edit the rule, select it in the list of rules and click the Edit button.
In the Application Startup Control rule window that opens, perform one of the following actions:
If you want to create a rule based on previously created application categories, select the created application category from the Category drop-down list.
If you want to create a new application category and use it to create a rule, click the Create category button and follow the instructions of the New Category Wizard (for more details about working with categories, please refer to the Kaspersky Security Center help).
In the Description field, enter a description of the application category.
In the Users and/or groups table, specify the names of users and/or groups of users that are allowed or blocked from starting applications in the category specified above. To do this, perform the following actions:
Click the Add button.
The standard Select Users or Groups window in Microsoft Windows opens.
Enter the names of users and/or a group of users.
Click OK.
The selected users and groups are displayed in the Application Startup Control rule window in the table in the User and/or group column.
In the Application Startup Control rule window, perform one of the following actions:
If you select the Allowlist of applications operation mode, select the Allow check box next to the user or group that you want to allow to start the applications of the specified category.
If you select the Denylist of applications operation mode, select the Block check box next to the user or group that you want to prevent from starting the applications of the specified category.
Select the Block for other users check box if you want to block the startup of applications in the category specified above for all other users not specified in the Users and/or groups table.
If you want Kaspersky Security to consider applications from the category that is specified in the rule as trusted updaters, and to allow them to start other applications for which no Application Startup Control rules are defined, select the Trusted Updaters check box.
In the Application startup control rule window, click OK.