KSC Open API
Kaspersky Security Center API description
Concatenation of arrays

Normally, arrays behave like values as IntValue or StringValue, as they are replaced as a whole. However, sometimes concatenating arrays may be useful, so that an array from the secondary policy is added to the end of the array from the primary policy.

As secondary policy is always modified by the primary policy, array items must have a key to understand which items are the same and which items are different, to prevent from endless concatenation. This means that array items must have a special attribute, the "concatenation name" KLPRSS_ValConcatItemName, and the array must have the KLPRSS_ValConcatArray attribute (see the table below).

Attributes responsible for array concatenation in policies

AttributeTypeDescriptionUsage
KLPRSS_ValConcatArrayparamBoolPolicy array concatenation flag. If value is 'true', then arrays will be concatenated when the parent policy modifies a child one. Array items must have KLPRSS_ValConcatItemName attribute.Attribute of the array.
KLPRSS_ValConcatItemNameparamStringConcatenation name. Items with the same name are considered to be the same. Absence of the attribute is considered to be an empty string. Attribute of the array item.

Arrays concatenation through policy hierarchy

Imagine we have the following:

  • The value of type paramArray in both policies (upper one and lower one) has the attribute KLPRSS_ValConcatArray, and each array element has the attribute KLPRSS_ValConcatItemName.
  • If the upper-level policy the value of the array's lock KLPRSS_Mnd is equal to bArrayMandatory_Master, and the value of KLPRSS_ValConcatArray is equal to bConcatenate_Master.
  • If the lower-level policy the value of the array's lock KLPRSS_Mnd is equal to bArrayMandatory_Slave, and the value of KLPRSS_ValConcatArray is equal to bConcatenate_Slave.

The array will be concatenated if the expression (bArrayMandatory_Master && (bConcatenate_Slave || bConcatenate_Master)) is true. That is, if the array from the upper-level policy has lock pressed, and the array's attribute KLPRSS_ValConcatArray is equal to true either in the upper-level policy or in the lower-level policy or in both of them.

Making an effective policy from the base policy and active profile

Imagine we have the following:

  • The value of type paramArray both in the base policy and the profile has the attribute KLPRSS_ValConcatArray, and each array element has the attribute KLPRSS_ValConcatItemName.
  • In the profile, the value of the array's lock KLPRSS_Mnd is equal to bArrayMandatory_Master, and the value of KLPRSS_ValConcatArray is equal to bConcatenate_Master.
  • In the base policy, the value of the array's lock KLPRSS_Mnd is equal to bArrayMandatory_Slave, and the value of KLPRSS_ValConcatArray is equal to bConcatenate_Slave.

The effective policy will obtain a concatenated array if the expression (bArrayMandatory_Master && (bConcatenate_Slave || bConcatenate_Master)) is true. That is, if the array from the profile has lock pressed, and the array's attribute KLPRSS_ValConcatArray is equal to true either in the policy profile, or in the base policy, or in both of them.

Details on the example of policy profiles

For policies affecting each other over the hierarchy, the behavior is the same.

If the array (i.e. value of type paramArray) has the attributes KLPRSS_Mnd=true and KLPRSS_ValConcatArray=true in the policy profile, and elements of the array both in the policy profile and in the base policy are named by means of KLPRSS_ValConcatItemName, then at the host side the effective policy (the base policy with applied active profiles) will have the array made up according the following rules:

  • In the beginning of the array, there will be elements taken from the profile, and they will go in the same order as in the profile.
  • In the end of the array, there will be elements taken from the base policy, , and they will go in the same order as in the base policy.
  • If the element of the array with the name KLPRSS_ValConcatItemName=X is present in the profile, only then will it be taken from the profile.
  • If the element of the array with the name KLPRSS_ValConcatItemName=X is present in the base policy, only then will it be taken from the base policy.
  • If the element of the array with the name KLPRSS_ValConcatItemName=X is present both in the base policy and in the profile, then will it be taken from the profile.

Example of array concatenation

Let's say we have in the base policy a section with the following contents: 

    +--- (PARAMS_T)
        +---KLPRSS_Mnd = (BOOL_T)true
        +---KLPRSS_Val (ARRAY_T)
        |   +---0 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"cmd.exe from a secondary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for cmd.exe"
        |   +---1 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"mysql.exe from a secondary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for mysql.exe"
        |   +---2 (PARAMS_T)
        |       +---KLPRSS_Mnd = (BOOL_T)true
        |       +---KLPRSS_Val = (STRING_T)"iexplore.exe from a secondary server"
        |       +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for iexplore.exe"
        +---KLPRSS_ValConcatArray = (BOOL_T)true


And the profile has following contents 

    +--- (PARAMS_T)
        +---KLPRSS_Mnd = (BOOL_T)true
        +---KLPRSS_Val (ARRAY_T)
        |   +---0 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"iexplore.exe from a primary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for iexplore.exe"
        |   +---1 (PARAMS_T)
        |       +---KLPRSS_Mnd = (BOOL_T)true
        |       +---KLPRSS_Val = (STRING_T)"sqlserver.exe from a primary server"
        |       +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for sqlserver.exe"
        +---KLPRSS_ValConcatArray = (BOOL_T)true

That is:

  • Element "Rule for iexplore.exe" is present both in the profile and in the base policy.
  • Element "Rule for sqlserver.exe" is present in the profile only.
  • Elements "Rule for cmd.exe" and "Rule for mysql.exe" are present in the base policy only.


Then, if the profile is active at the target host the effective policy will have a section with the following contents: 

    +--- (PARAMS_T)
        +---KLPRSS_Mnd = (BOOL_T)true
        +---KLPRSS_Val (ARRAY_T)
        |   +---0 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"iexplore.exe from a primary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for iexplore.exe"
        |   |   +---KLPRSS_ValLck = (BOOL_T)true
        |   |   +---KLPRSS_ValLckGroup = (STRING_T)""
        |   |   +---KLPRSS_ValLckGrpId = (INT_T)-1
        |   |   +---KLPRSS_ValLckPolId = (INT_T)-1
        |   |   +---KLPRSS_ValLckPolicy = (STRING_T)""
        |   +---1 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"sqlserver.exe from a primary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for sqlserver.exe"
        |   |   +---KLPRSS_ValLck = (BOOL_T)true
        |   |   +---KLPRSS_ValLckGroup = (STRING_T)""
        |   |   +---KLPRSS_ValLckGrpId = (INT_T)-1
        |   |   +---KLPRSS_ValLckPolId = (INT_T)-1
        |   |   +---KLPRSS_ValLckPolicy = (STRING_T)""
        |   +---2 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"cmd.exe from a secondary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for cmd.exe"
        |   +---3 (PARAMS_T)
        |       +---KLPRSS_Mnd = (BOOL_T)true
        |       +---KLPRSS_Val = (STRING_T)"mysql.exe from a secondary server"
        |       +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for mysql.exe"
        +---KLPRSS_ValConcatArray = (BOOL_T)true
        +---KLPRSS_ValLck = (BOOL_T)true

That is:

  • Element "Rule for iexplore.exe" that was present both in the profile and the base policy is taken just from the profile.
  • Element "Rule for sqlserver.exe" that was present in the profile is only taken from the profile.
  • Elements "Rule for cmd.exe" and "Rule for mysql.exe" that were present in the base policy are only taken from the base policy.
  • Elements taken from the profile are put into the beginning of the array in the same order as they were in the profile.
  • Elements taken from the base policy are put into the end of the array in the same order as they were in the base policy.
See also:
Policy format description