Adding a trigger condition for the Application Control rule

For more convenience when creating Application Control rules, you can create application categories.

It is recommended to create a "Work applications" category that covers the standard set of applications that are used at the company. If different user groups use different sets of applications in their work, a separate application category can be created for each user group.

To create an application category in the Administration Console:

1. Open the Kaspersky Security Center Administration Console.
2. In the Administration Console tree, select the Additional → Application management → Application categories folder.
3. Click the New category button in the workspace.

   The user category creation wizard starts.

4. Follow the instructions of the user category creation wizard.

Step 1. Selecting the category type

At this step, select one of the following types of application categories:

• Category with content added manually. If you selected this type of category, at the "Configuring the conditions for including applications in a category" step and the "Configuring the conditions for excluding applications from a category" step, you will be able to define the criteria whereby executable files will be included into the category.
• Category that includes executable files from selected devices. If you selected this type of category, at the "Settings" step you will be able to specify a computer whose executable files will be automatically included in the category.
• Category that includes executable files from a specific folder. If you selected this type of category, at the "Repository folder" step you will be able to specify a folder from which executable files will be automatically included in the category.

When creating a category with content added automatically, Kaspersky Security Center performs inventory on files with the following formats: EXE, COM, DLL, SYS, BAT, PS1, CMD, JS, VBS, REG, MSI, MSC, CPL, HTML, HTM, DRV, OCX, and SCR.

Step 2. Entering a user category name

At this step, specify a name for the application category.

Step 3. Configuring the conditions for including applications in a category

This step is available if you selected the Category with content added manually category type.

At this step, in the Add drop-down list, select the conditions for including applications into the category:

• From the list of executable files. Add applications from the list of executable files on the client device to the custom category.
• From file properties. Specify detailed data of executable files as a condition for adding applications to the custom category.
• Metadata from files in folder. Select a folder on the client device that contains executable files. Kaspersky Security Center will indicate the metadata of these executable files as a condition for adding applications to the custom category.
• Checksums of the files in the folder. Select a folder on the client device that contains executable files. Kaspersky Security Center will indicate the hashes of these executable files as a condition for adding applications to the custom category.
• Certificates for the files from the folder. Select a folder on the client device that contains executable files signed with certificates. Kaspersky Security Center will indicate the certificates of these executable files as a condition for adding applications to the custom category.

  It is not recommended to use conditions whose properties do not have the Certificate thumbprint parameter specified.

• MSI installer files metadata. Select the MSI package. Kaspersky Security Center will indicate the metadata of executable files packed in this MSI package as a condition for adding applications to the custom category.
• Checksums of the files from the MSI installer of the application. Select the MSI package. Kaspersky Security Center will indicate the hashes of executable files packed in this MSI package as a condition for adding applications to the custom category.
• From KL category. Specify a KL category as a condition for adding applications to the custom category. A KL category is a list of applications that have shared theme attributes. The list is maintained by Kaspersky experts. For example, the KL category known as "Office applications" includes applications from the Microsoft Office suite, Adobe Acrobat, and others.

  You can select all KL categories to generate an extended list of trusted applications.

• Specify path to application. Select a folder on the client device. Kaspersky Security Center will add executable files from this folder to the custom category.
• Select certificate from repository. Select certificates that were used to sign executable files as a condition for adding applications to the custom category.

  It is not recommended to use conditions whose properties do not have the Certificate thumbprint parameter specified.

• Drive type. Specify the type of storage device (all hard drives and removable drives, or only removable drives) as a condition for adding applications to the custom category.

Step 4. Configuring the conditions for excluding applications from a category

This step is available if you selected the Category with content added manually category type.

Applications specified at this step are excluded from the category even if these applications were specified at the "Configuring the conditions for including applications in a category" step.

At this step, in the Add drop-down list, select conditions for excluding applications from the category:

• From the list of executable files. Add applications from the list of executable files on the client device to the custom category.
• From file properties. Specify detailed data of executable files as a condition for adding applications to the custom category.
• Metadata from files in folder. Select a folder on the client device that contains executable files. Kaspersky Security Center will indicate the metadata of these executable files as a condition for adding applications to the custom category.
• Checksums of the files in the folder. Select a folder on the client device that contains executable files. Kaspersky Security Center will indicate the hashes of these executable files as a condition for adding applications to the custom category.
• Certificates for the files from the folder. Select a folder on the client device that contains executable files signed with certificates. Kaspersky Security Center will indicate the certificates of these executable files as a condition for adding applications to the custom category.
• MSI installer files metadata. Select the MSI package. Kaspersky Security Center will indicate the metadata of executable files packed in this MSI package as a condition for adding applications to the custom category.
• Checksums of the files from the MSI installer of the application. Select the MSI package. Kaspersky Security Center will indicate the hashes of executable files packed in this MSI package as a condition for adding applications to the custom category.
• From KL category. Specify a KL category as a condition for adding applications to the custom category. A KL category is a list of applications that have shared theme attributes. The list is maintained by Kaspersky experts. For example, the KL category known as "Office applications" includes applications from the Microsoft Office suite, Adobe Acrobat, and others.

  You can select all KL categories to generate an extended list of trusted applications.

• Specify path to application. Select a folder on the client device. Kaspersky Security Center will add executable files from this folder to the custom category.
• Select certificate from repository. Select certificates that were used to sign executable files as a condition for adding applications to the custom category.
• Drive type. Specify the type of storage device (all hard drives and removable drives, or only removable drives) as a condition for adding applications to the custom category.

Step 5. Settings

This step is available if you selected the Category that includes executable files from selected devices category type.

At this step, click the Add button and specify the computers whose executable files will be added to the application category by Kaspersky Security Center. All executable files from the specified computers presented in the Executable files folder will be added to the application category by Kaspersky Security Center.

At this step, you can also configure the following settings:

• Algorithm for hash function calculation. To select an algorithm, you must select at least one of the following check boxes:
  • Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and later versions).
  • Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows).
• Synchronize data with Administration Server repository check box. Select this check box if you want Kaspersky Security Center to periodically clear the application category and add to it all executable files from the specified computers presented in the Executable files folder.

  If the Synchronize data with Administration Server repository check box is cleared, Kaspersky Security Center will not make any modifications to an application category after it is created.

• Scan period (h) field. In this field, you can specify the period of time (in hours) after which Kaspersky Security Center clears the application category and adds to it all executable files from the specified computers presented in the Executable files folder.

  The field is available if the Synchronize data with Administration Server repository check box is selected.

Step 6. Repository folder

This step is available if you selected the Category that includes executable files from a specific folder category type.

At this step, specify the folder in which Kaspersky Security Center will search for executable files to automatically add applications to the application category.

At this step, you can also configure the following settings:

• Include dynamic-link libraries (DLL) in this category check box. Select this check box if you want dynamic-link libraries (DLL files) to be included in the application category.

  Including DLL files in the application category may reduce the performance of Kaspersky Security Center.

• Include script data in this category check box. Select this check box if you want scripts to be included in the application category.

  Including scripts in the application category may reduce the performance of Kaspersky Security Center.

• Algorithm for hash function calculation. To select an algorithm, you must select at least one of the following check boxes:
  • Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and later versions).
  • Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows).
• Force folder scan for changes check box. Select this check box if you want Kaspersky Security Center to periodically search for executable files in the folder used for automatically adding to the application category.

  If the Force folder scan for changes check box is cleared, Kaspersky Security Center searches for executable files in the folder used for automatically adding to the application category only if changes have been made in the folder, files have been added to it or deleted from it.

• Scan period (h) field. In this field, you can specify the time interval (in hours) after which Kaspersky Security Center will search for executable files in the folder used for automatically adding to the application category.

  This field is available if the Force folder scan for changes check box is selected.

Step 7. Creating a custom category

Exit the Wizard.

To add a new trigger condition for an Application Control rule in the application interface:

1. In the main application window, click the button.
2. In the application settings window, select Security Controls → Application Control.
3. Click the Blocked applications or Allowed applications button.

   This opens the list of Application Control rules.

4. Select the rule for which you want to configure a trigger condition.

   The Application Control rule properties open.

5. Select the Conditions tab or Exclusions tab and click the Add button.
6. Select the trigger conditions for the Application Control rule:
   • Conditions from properties of started applications. In the list of running applications, you can select the applications to which the Application Control rule will be applied. Kaspersky Endpoint Security also lists applications that were previously running on the computer. You need to select the criterion that you want to use to create one or multiple rule trigger conditions: File hash, Certificate, KL category, Metadata or Path to file or folder.
   • Conditions "KL category". A KL category is a list of applications that have shared theme attributes. The list is maintained by Kaspersky experts. For example, the KL category known as "Office applications" includes applications from the Microsoft Office suite, Adobe® Acrobat®, and others.
   • Custom condition. You can select the application file and select one of the rule trigger conditions: File hash, Certificate, Metadata or Path to file or folder.
   • Condition by file drive (removable drive). The Application Control rule is applied only to files that are run on a removable drive.
   • Conditions from properties of files in the specified folder. The Application Control rule is applied only to files in the specified folder. You can also include or exclude files from subfolders. You need to select the criterion that you want to use to create one or multiple rule trigger conditions: File hash, Certificate, KL category, Metadata or Path to file or folder.
7. Save your changes.

When adding conditions, please take into account the following special considerations for Application Control:

• Kaspersky Endpoint Security does not support an MD5 file hash and does not control startup of applications based on an MD5 hash. An SHA256 hash is used as a rule trigger condition.
• It is not recommended to use only the Issuer and Subject criteria as rule trigger conditions. Use of these criteria is unreliable.
• If you are using a symbolic link in the Path to file or folder field, you are advised to resolve the symbolic link for correct operation of the Application Control rule. To do so, click the Resolve symbolic link button.