Managing Application Control rules

Kaspersky Endpoint Security controls the startup of applications by users by means of rules. An Application Control rule specifies the triggering conditions and actions performed by the Application Control component when the rule is triggered (allowing or blocking application startup by users).

Rule-triggering conditions

A rule-triggering condition has the following correlation: "condition type - condition criterion - condition value". Based on the rule-triggering conditions, Kaspersky Endpoint Security applies (or does not apply) a rule to an application.

The following types of conditions are used in rules:

• Inclusion conditions. Kaspersky Endpoint Security applies the rule to the application if the application matches at least one of the inclusion conditions.
• Exclusion conditions. Kaspersky Endpoint Security does not apply the rule to the application if the application matches at least one of the exclusion conditions and does not match any of the inclusion conditions.

Rule-triggering conditions are created using criteria. The following criteria are used to create rules in Kaspersky Endpoint Security:

• Path to the folder containing the executable file of the application or path to the executable file of the application.
• Metadata: application executable file name, application executable file version, application name, application version, application vendor.
• Hash of the executable file of the application.
• Certificate: issuer, subject, thumbprint.
• Inclusion of the application in a KL category.
• Location of the application executable file on a removable drive.

The criterion value must be specified for each criterion used in the condition. If the parameters of the application being started match the values of criteria specified in the inclusion condition, the rule is triggered. In this case, Application Control performs the action prescribed in the rule. If application parameters match the values of criteria specified in the exclusion condition, Application Control does not control startup of the application.

If you have selected a certificate as a rule-triggering condition, you need to ensure that this certificate is added to the trusted system storage on the computer, and check the trusted system storage usage settings in the application.

Decisions made by the Application Control component when a rule is triggered

When a rule is triggered, Application Control allows users (or user groups) to start applications or blocks startup according to the rule. You can select individual users or groups of users that are allowed or not allowed to start applications that trigger a rule.

If a rule does not specify those users allowed to start applications satisfying the rule, this rule is called a block rule.

If a rule that does not specify any users who are not allowed to start applications that match the rule, this rule is called an allow rule.

The priority of a block rule is higher than the priority of an allow rule. For example, if an Application Control allow rule has been assigned for a user group while an Application Control block rule has been assigned for one user in this user group, this user will be blocked from starting the application.

Operating status of a rule

Application Control rules can have one of the following operating statuses:

• Enabled. This status means that the rule is used when the Application Control component is running.
• Disabled. This status means that the rule is ignored when the Application Control component is running.
• Testing. This status signifies that Kaspersky Endpoint Security allows the startup of applications to which the rules apply but logs information about the startup of such applications in the report.