Configuring Software Distribution Control
October 25, 2023
To add a trusted distribution package via the Administration Plug-in:
- Open the Applications Launch Control window.
- On the Software Distribution Control tab, select the Automatically allow software distribution via applications and packages listed check box.
You can select the Automatically allow software distribution via applications and packages listed, if the Applications Launch Control check box in the Apply rules to executable files tab is selected in the General task settings.
- Clear the Always allow software distribution via Windows Installer check box if required.
Clearing the Always allow software distribution via Windows Installer check box is only recommended if it is absolutely necessary. Turning off this function may cause issues with updating operating system files and also prevent the launch of files extracted from a distribution package.
- If required, select the Always allow software distribution via SCCM using the Background Intelligent Transfer Service check box.
The application controls the software distribution cycle on the protected device — from package delivery to installation or update. The application does not control processes if any stage of distribution was performed before installation of the application on the protected device.
- To create the allow list or to edit the existing list of trusted distribution packages, click Change packages list and select one of the following methods in the window that appears:
- Add one distribution package.
- Click the Browse button.
- Select the executable file or distribution package.
The Trusting criteria block is automatically populated with data about the selected file.
- Clear or select the Allow the further distribution of programs created from this distribution package check box.
- Select one of two available options for criteria to use to determine whether a file or distribution package is trusted:
- Use digital certificate
- Use SHA256 hash
- Add several packages by hash
You can select an unlimited number of executable files and distribution packages, and add them to the list all at the same time. Kaspersky Embedded Systems Security for Windows examines the hash and allows the operating system to launch the specified files.
- Change selected package
Use this option to select a different executable file or distribution package, or to change the trust criteria.
- Import distribution packages list from file.
In the Open window, specify the configuration file containing a list of trusted distribution packages.
If you create a trusted distribution package based on an executable file and you added a process in the Trusted Zone settings based on that same executable file and made it trusted for the Applications Launch Control task, the Trusted Zone settings have a higher priority. Kaspersky Embedded Systems Security for Windows blocks this executable file from starting, but considers the executable file's process to be trusted.
- Add one distribution package.
- If you want to remove a previously added application or distribution package from the trusted list, click the Delete distribution packages button. Extracted files will be allowed to run.
To prevent extracted files from starting, uninstall the application on the protected device or create a denying rule in the Applications Launch Control task settings.
- Click the OK button.
The specified settings are saved.