Importing rules from a Kaspersky Security Center report on blocked applications
You can import data on blocked application launches from a report generated in Kaspersky Security Center after the Applications Launch Control task is run in Statistics only mode and use this data to generate a list of Applications Launch Control allowing rules in the policy being configured.
When generating a report on events occurring during the Applications Launch Control task, you can keep track of the applications whose launch is blocked.
When importing data from a report on blocked applications into policy settings, make sure that the list you are using contains only applications whose launch you want to allow.
To specify Applications Launch Control allowing rules for a group of protected devices based on a blocked applications report from Kaspersky Security Center:
In the Task mode section, select Statistics only mode.
In the policy properties in the Event notification section, make sure that:
For Critical Events, the task log retention period for Application launch denied events exceeds the planned period for running the task in Statistics only mode (the default value is 30 days).
For events with an importance level of Warning, the task log retention period for Statistics only mode: application launch denied events exceeds the planned period for running the task in Statistics only mode (the default value is 30 days).
When the retention period for events elapses, information about the logged events is deleted and is not reflected in the report file. Before running the Applications Launch Control task in Statistics only mode, make sure that the task run time does not exceed the configured period for the specified events.
When the task has finished, export the logged events to a TXT file:
In the workspace of the Administration Server node in Kaspersky Security Center, select the Events tab.
Click the Create a selection button to create a selection of events based on the Blocked criterion to view the applications whose start will be blocked by the Applications Launch Control task.
In the results pane of the selection, click Export events to file to save the blocked application starts report to a TXT file.
Before importing and applying the generated report in a policy, make sure that the report only contains data on the applications whose start you want to allow.
Import data on blocked application starts into the Applications Launch Control task. To do so, in the policy properties in the Applications Launch Control task settings:
On the General tab, click the Rules list button.
The Applications Launch Control rules window opens.
Click the Add button and, in the button’s context menu, select Import data of blocked applications from Kaspersky Security Center report.
Select the principle for adding rules from the list created based on a Kaspersky Security Center report to the list of previously configured Applications Launch Control rules:
Add to existing rules if you want to add the imported rules to the list of existing rules. Rules with identical settings are duplicated.
Replace existing rules if you want to replace the existing rules with the imported rules.
Merge with existing rules if you want to add the imported rules to the list of existing rules. Rules with identical settings are not added; the rule is added if at least one rule parameter is unique.
In the standard Microsoft Windows window that opens, select the TXT file to which events from the blocked application launch report have been exported.
Click Save in the Applications Launch Control rules window.
Rules created based on the Kaspersky Security Center report on blocked applications are added to the list of Applications Launch Control rules.