KSC Open API
Kaspersky Security Center API description
Concatenation of arrays

Normally, arrays behave like values as IntValue or StringValue, as they are replaced as a whole. However, sometimes concatenating arrays may be useful, so that an array from the secondary policy is added to the end of the array from the primary policy.

As secondary policy is always modified by the primary policy, array items must have a key to understand which items are the same and which items are different, to prevent endless concatenation. This means that array items must have a special attribute, the "concatenation name" KLPRSS_ValConcatItemName, and the array must have the KLPRSS_ValConcatArray attribute (see the table below).

Attributes responsible for array concatenation in policies:

AttributeTypeDescriptionUsage
KLPRSS_ValConcatArrayparamBoolPolicy array concatenation flag. If the value is 'true', then arrays will be concatenated when the parent policy modifies a child one. Array items must have the KLPRSS_ValConcatItemName attribute.Attribute of the array.
KLPRSS_ValConcatItemNameparamStringConcatenation name. Items with the same name are considered to be the same. Absence of the attribute is considered to be an empty string. Attribute of the array item.

Arrays concatenation through policy hierarchy

Imagine we have the following:

  • The value of the paramArray type in both policies (upper one and lower one) has the KLPRSS_ValConcatArray attribute, and each array element has the KLPRSS_ValConcatItemName attribute.
  • In the upper-level policy, the value of the KLPRSS_Mnd lock of the array is equal to bArrayMandatory_Master, and the value of the KLPRSS_ValConcatArray attribute is equal to bConcatenate_Master.
  • In the lower-level policy, the value of the KLPRSS_Mnd lock of the array is equal to bArrayMandatory_Slave, and the value of the KLPRSS_ValConcatArray attribute is equal to bConcatenate_Slave.

The array will be concatenated if the expression (bArrayMandatory_Master && (bConcatenate_Slave || bConcatenate_Master)) is true. That is, if the array from the upper-level policy has lock pressed, and the KLPRSS_ValConcatArray attribute of the array is equal to true either in the upper-level policy or in the lower-level policy or in both of them.

Making an effective policy from the base policy and active profile

Imagine we have the following:

  • The value of the paramArray type in the base policy and the profile has the KLPRSS_ValConcatArray attribute, and each array element has the KLPRSS_ValConcatItemName attribute.
  • In the profile, the value of the KLPRSS_Mnd lock of the array is equal to bArrayMandatory_Master, and the value of the KLPRSS_ValConcatArray attribute is equal to bConcatenate_Master.
  • In the base policy, the value of the KLPRSS_Mnd lock of the array is equal to bArrayMandatory_Slave, and the value of the KLPRSS_ValConcatArray attribute is equal to bConcatenate_Slave.

The effective policy will obtain a concatenated array if the expression (bArrayMandatory_Master && (bConcatenate_Slave || bConcatenate_Master)) is true. That is, if the array from the profile has lock pressed, and the KLPRSS_ValConcatArray attribute of the array is equal to true either in the policy profile or in the base policy, or in both of them.

Details on the example of policy profiles

For policies affecting each other over the hierarchy, the behavior is the same.

If an array of the paramArray type has the KLPRSS_Mnd=true and KLPRSS_ValConcatArray=true attributes in the policy profile, and elements of the array both in the policy profile and in the base policy are named by means of the KLPRSS_ValConcatItemName attribute, then at the host side the effective policy (the base policy with applied active profiles) will have the array made up according the following rules:

  • In the beginning of the array, there will be elements taken from the profile, and they will go in the same order as in the profile.
  • In the end of the array, there will be elements taken from the base policy, and they will go in the same order as in the base policy.
  • If the element of the array with the name KLPRSS_ValConcatItemName=X is present in the profile, only then will it be taken from the profile.
  • If the element of the array with the name KLPRSS_ValConcatItemName=X is present in the base policy, only then will it be taken from the base policy.
  • If the element of the array with the name KLPRSS_ValConcatItemName=X is present both in the base policy and in the profile, then will it be taken from the profile.

Example of array concatenation

Let's say we have in the base policy a section with the following contents: 

    +--- (PARAMS_T)
        +---KLPRSS_Mnd = (BOOL_T)true
        +---KLPRSS_Val (ARRAY_T)
        |   +---0 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"cmd.exe from a secondary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for cmd.exe"
        |   +---1 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"mysql.exe from a secondary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for mysql.exe"
        |   +---2 (PARAMS_T)
        |       +---KLPRSS_Mnd = (BOOL_T)true
        |       +---KLPRSS_Val = (STRING_T)"iexplore.exe from a secondary server"
        |       +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for iexplore.exe"
        +---KLPRSS_ValConcatArray = (BOOL_T)true


And the profile has following contents 

    +--- (PARAMS_T)
        +---KLPRSS_Mnd = (BOOL_T)true
        +---KLPRSS_Val (ARRAY_T)
        |   +---0 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"iexplore.exe from a primary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for iexplore.exe"
        |   +---1 (PARAMS_T)
        |       +---KLPRSS_Mnd = (BOOL_T)true
        |       +---KLPRSS_Val = (STRING_T)"sqlserver.exe from a primary server"
        |       +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for sqlserver.exe"
        +---KLPRSS_ValConcatArray = (BOOL_T)true

That is:

  • Element "Rule for iexplore.exe" is present both in the profile and in the base policy.
  • Element "Rule for sqlserver.exe" is present in the profile only.
  • Elements "Rule for cmd.exe" and "Rule for mysql.exe" are present in the base policy only.


Then, if the profile is active at the target host the effective policy will have a section with the following contents: 

    +--- (PARAMS_T)
        +---KLPRSS_Mnd = (BOOL_T)true
        +---KLPRSS_Val (ARRAY_T)
        |   +---0 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"iexplore.exe from a primary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for iexplore.exe"
        |   |   +---KLPRSS_ValLck = (BOOL_T)true
        |   |   +---KLPRSS_ValLckGroup = (STRING_T)""
        |   |   +---KLPRSS_ValLckGrpId = (INT_T)-1
        |   |   +---KLPRSS_ValLckPolId = (INT_T)-1
        |   |   +---KLPRSS_ValLckPolicy = (STRING_T)""
        |   +---1 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"sqlserver.exe from a primary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for sqlserver.exe"
        |   |   +---KLPRSS_ValLck = (BOOL_T)true
        |   |   +---KLPRSS_ValLckGroup = (STRING_T)""
        |   |   +---KLPRSS_ValLckGrpId = (INT_T)-1
        |   |   +---KLPRSS_ValLckPolId = (INT_T)-1
        |   |   +---KLPRSS_ValLckPolicy = (STRING_T)""
        |   +---2 (PARAMS_T)
        |   |   +---KLPRSS_Mnd = (BOOL_T)true
        |   |   +---KLPRSS_Val = (STRING_T)"cmd.exe from a secondary server"
        |   |   +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for cmd.exe"
        |   +---3 (PARAMS_T)
        |       +---KLPRSS_Mnd = (BOOL_T)true
        |       +---KLPRSS_Val = (STRING_T)"mysql.exe from a secondary server"
        |       +---KLPRSS_ValConcatItemName = (STRING_T)"Rule for mysql.exe"
        +---KLPRSS_ValConcatArray = (BOOL_T)true
        +---KLPRSS_ValLck = (BOOL_T)true

That is:

  • Element "Rule for iexplore.exe" that was present both in the profile and the base policy is taken just from the profile.
  • Element "Rule for sqlserver.exe" that was present in the profile is only taken from the profile.
  • Elements "Rule for cmd.exe" and "Rule for mysql.exe" that were present in the base policy are only taken from the base policy.
  • Elements taken from the profile are put into the beginning of the array in the same order as they were in the profile.
  • Elements taken from the base policy are put into the end of the array in the same order as they were in the base policy.
See also:
Policy format description