Migrating KSWS Applications Launch Control rules

KSWS Applications Launch Control is block-by-default. That is, Applications Launch Control automatically blocks all applications that are not specified in rules as allowed applications. Therefore the migration wizard for KES Application Control automatically sets the Allowlist control mode, which corresponds to the block-by-default principle.

You can migrate rules from KSWS to KES using the Policies and Tasks Batch Conversion Wizard or the wizard for creating a new KES policy based on the KSWS policy.

Migrating the mode of Applications Launch Control

The mode of KSWS Applications Launch Control migrates to KES Application Control as follows:

Migrating KSWS Applications Launch Control predefined rules

By default, KSWS Applications Launch Control includes two rules:

Predefined rules allow running scripts, MSI packages, and executable files signed by a trusted root certificate. If at least one predefined KSWS rule has the Allow type, the migration wizard creates a new allowing rule, Applications with trusted root certificates. That is, KES Application Control uses a single rule to allow running trusted scripts, MSI packages, and executable files.

If both KSWS predefined rules have the Deny type, KES ignores the predefined rules.

Migrating KSWS Applications Launch Control custom rules

KSWS Applications Launch Control rules regulate the execution of files in accordance with the following criteria:

Rules are created differently in KSWS and KES, therefore the migration wizard creates application categories, which include conditions and exclusions from KSWS rules, and adds these application categories to KES rules. The wizard uses the Certificate, Folder path, and File hash conditions in application categories. New application categories are available in the Kaspersky Security Center Administration Console in the Manage applications → Application categories section.

The migration wizard groups KSWS rules by type and by user. Next, the wizard creates application categories that include conditions and exclusions from KSWS rules, and adds the application categories to new KES rules. The wizard specifies the names of KSWS rules in the Description field of KES rules.

Migrating KSWS Applications Launch Control advanced settings

The principle of operation of KSWS Applications Launch Control and KES Application Control is different so the migration wizard may migrate a subset of settings.

Applications Launch Control settings

Kaspersky Security for Windows Server settings

Kaspersky Endpoint Security for Windows settings

Repeat action taken for the first file launch on all the subsequent launches for this file

(does not migrate)

Kaspersky Endpoint Security scans the application every time it attempts to run.

Deny the command interpreters launch with no command to execute

(does not migrate)

Kaspersky Endpoint Security allows running command interpreters if they are not prohibited by Application Control.

Apply rules to executable files

(does not migrate)

Rule application scope cannot be configured in KES Application Control settings. KES Application Control applies rules to all types of files: executable files, scripts, and MSI packages. If all file types are included in the rule application scope in KSWS, during migration KES carries over the KSWS rules. If some file type is excluded from the rule application scope in KSWS, during migration KES also carries over KSWS rules, but Test rules is selected as the Application Control action.

Monitor loading of DLL modules

Monitor loading of DLL modules (significantly increases the load on the system)

Apply rules to scripts and MSI packages

(does not migrate)

Rule application scope cannot be configured in KES Application Control settings. KES Application Control applies rules to all types of files: executable files, scripts, and MSI packages. If all file types are included in the rule application scope in KSWS, during migration KES carries over the KSWS rules. If some file type is excluded from the rule application scope in KSWS, during migration KES carries over KSWS rules, but Test rules is selected as the Application Control action.

Deny applications untrusted by KSN

(does not migrate)

Kaspersky Endpoint Security does not take into account the reputation of applications and allows or denies running applications in accordance with rules.

Allow applications trusted by KSN

During the migration, KES adds a new allowing rule. The Other SoftwareApplications trusted according to reputation in KSN KL category is specified as the rule triggering condition.

Users and / or user groups allowed to run applications trusted by KSN

Users and their rights in an Application Control allow rule that includes the KL category Other applicationsApplications trusted according to reputation in KSN

Automatically allow software distribution via applications and packages listed

Software Distribution Control in KSWS and KES works differently. During the migration, KES adds new allowing rules for applications that have automatic software distribution allowed. The file hash is specified as the rule triggering condition.

Always allow software distribution via Windows Installer

Software Distribution Control in KSWS and KES works differently. During the migration, KES adds new allowing rules for applications that have automatic software distribution allowed (Software distribution applications and packages allowed). The file hash is specified as the rule triggering condition. In account properties Trusted Updaters check box is selected.

Always allow software distribution via SCCM using the Background Intelligent Transfer Service

(does not migrate)

Software distribution applications and packages allowed

Software Distribution Control in KSWS and KES works differently. During the migration, KES adds new allowing rules for applications that have automatic software distribution allowed. The file hash is specified as the rule triggering condition. In account properties Trusted Updaters check box is selected.

Schedule settings

(does not migrate)

If a schedule is configured for the component in KSWS settings, the Application Control component is enabled upon migration. If a schedule is not configured for the component in KSWS settings, Application Control is disabled upon migration.

It is not possible to configure a separate schedule for the component. The component is always on while Kaspersky Endpoint Security is operational.

Page top