About the Rule Generator for Applications Launch Control
October 25, 2023
You can create lists of Applications Launch Control rules using Kaspersky Security Center tasks and policies simultaneously for all protected devices and groups of protected devices on the corporate network. The scenarios listed below are recommended if the corporate network does not have a reference machine and you are unable to create a list of allowing rules based on applications installed on the template machine.
You can run the Rule Generator for Applications Launch Control task locally via the Application Console to create a list of rules based on the applications running on a single protected device.
The Applications Launch Control component is installed with two preset allowing rules:
- Allowing rule for scripts and Windows Installer packages with a certificate trusted by the operating system.
- Allowing rule for executable files with a certificate trusted by the operating system.
You can create lists of Applications Launch Control rules on the side of Kaspersky Security Center in one of the following ways:
- Using a Rule Generator for Applications Launch Control group task.
Under this scenario, a group task generates its own list of Applications Launch Control rules for each protected device on the network and saves those lists to an XML file in the specified shared folder. The XML file generated by the Rule Generator for Applications Launch Control task contains the allowing rules specified in task settings before the task starts. No rules will be created for applications that are not allowed to start in the specified task settings. The start of such applications is denied by default. You can then manually import the created list of rules into the Applications Launch Control task for the Kaspersky Security Center policy.
You can configure the generated rules to be automatically imported into the list of rules for the Applications Launch Control task.
This scenario is recommended when you need to quickly create lists of Applications Launch Control rules. We recommend that you configure the scheduled launch of the Rule Generator for Applications Launch Control task only if the allowing rules usage scope includes folders and files you know to be safe.
Before using the Applications Launch Control task in the network, make sure that all protected devices have access to a shared folder. If the organization's policy does not provide for the use of a shared folder in the network, we recommend that you start the Rule Generator for Applications Launch Control task on a protected device in the test protected devices group or on a reference machine.
- Based on a report of task events generated in Kaspersky Security Center by the Applications Launch Control task running in Statistics only mode.
Under this scenario, Kaspersky Embedded Systems Security for Windows does not deny the launch of applications. Instead, with Applications Launch Control running in the Statistics only mode, it reports all allowed and denied application launches across all network protected devices in the Events tab of the Administration Server node's workspace in the Kaspersky Security Center. Kaspersky Security Center uses the reports to generate a single list of events in which application launches were denied.
You need to configure the task execution period so that all possible scenarios involving the protected devices and protected device groups, and at least one protected device restart are performed during the specified time period. After the end of the task execution period, you can import application launch data from the saved Kaspersky Security Center event report (TXT format) and generate Applications Launch Control allowing rules for such applications based on this data.
This scenario is recommended if a corporate network includes a large number of protected devices of different type (with a different software installed).
- Based on denied application launch events received through Kaspersky Security Center, without creating and importing a configuration file.
To use this feature, the Applications Launch Control task on the protected device must be running under an active Kaspersky Security Center policy. In this case, all events on the protected device are sent to the Administration Server.
We recommend that you update the list of rules when the set of applications installed on network protected devices changes (for example, when updates are installed or operating systems are reinstalled). We recommend that you generate an updated list of rules by running the Rule Generator for Applications Launch Control task or the Applications Launch Control task in Statistics only mode on protected devices in the test administration group. The test administration group includes the protected devices required to test the launch of new applications before they are installed on network protected devices.
XML files containing lists of allowing rules are created based on an analysis of tasks started on the protected device. To account for all applications used on the network when generating lists of rules you are advised to start the Rule Generator for Applications Launch Control task and the Applications Launch Control task in Statistics only mode on a template machine.
Before generating allowing rules based on the applications launched on a reference machine, make sure that the template machine is secure and there is no malware on it.
Before adding allowing rules, select one of the available rule application modes. The list of Kaspersky Security Center policy rules displays only rules specified by the policy, regardless of the rule application mode. The local rule list includes all applied rules — both local rules and rules added through a policy.