Importing Applications Launch Control rules from an XML file
You can import reports generated by the Rule Generator for Applications Launch Control group task and apply them as a list of allowing rules in the policy you are configuring.
When the Rule Generator for Applications Launch Control group task finishes, the application exports the created allowing rules into XML files saved in the specified shared folder. Each file with a rule list is created by analyzing files executed and applications launched on each separate protected device on the corporate network. The lists contain allowing rules for files and applications whose type matches the type specified in the Rule Generator for Applications Launch Control group task.
To specify Applications Launch Control allowing rules for a group of protected devices based on an automatically generated list of allowing rules:
In the properties of the created Rule Generator for Applications Launch Control group task or in the task wizard, specify the following settings:
In the Notification section, configure the settings for saving the task execution report.
For detailed instructions on configuring settings in this section, see the Kaspersky Security Center Help.
In the Settings section, specify the types of applications whose start will be allowed by the rules that are created. You can edit the set of folders containing allowed applications: exclude default folders from the task scope or add new folders manually.
In the Options section, specify the operations to be performed by the task while it is running and after it is finished. Specify the rule-generating criterion and the name of the file to which the generated rules will be exported.
In the Schedule section, configure the task start schedule settings.
In the Account section, specify the user account under which the task will be executed.
In the Exclusions from task scope section, specify the groups of protected devices to be excluded from the task scope.
Kaspersky Embedded Systems Security does not create allowing rules for applications launched on excluded protected devices.
On the Tasks tab on the detail pane of the group of protected devices being configured, in the list of group tasks select the Rule Generator for Applications Launch Control task that you have created, and click the Start button to start the task.
When the task is finished, the automatically generated lists of allowing rules are saved in XML files in a shared folder.
Before using the Applications Launch Control task in the network, make sure that all protected devices have access to a shared folder. If the organization’s policy does not provide for the use of a shared folder in the network, we recommend that you start the Rule Generator for Applications Launch Control task on a protected device in the test protected devices group or on a reference machine.
To add the generated lists of allowing rules to the Applications Launch Control task:
Click the Add button and in the list that opens select Import rules from XML file.
Select the principle for adding the automatically generated allowing rules to the list of previously created Applications Launch Control rules:
Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with identical settings are duplicated.
Replace existing rules if you want to replace the existing rules with the imported rules.
Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with identical settings are not added; the rule is added if at least one rule parameter is unique.
In the standard Microsoft Windows window that opens, select XML files created after completion of the Rule Generator for Applications Launch Control group task.
Click Save in the Applications Launch Control rules window.
If you want to apply the created rules to control the launch of application, in the policy in the properties of the Applications Launch Control task, select the Active mode for the task.
Allowing rules automatically generated based on task runs on each separate protected device are applied to all network protected devices covered by the policy being configured. On these protected devices, the application will allow the launch of only those applications for which allowing rules have been created.