About Application Control rules

An Application Control rule is a set of parameters required for the Application Control task to work:

• Assignment of an application to an application category. An application category is a group of applications with common characteristics. For example, a category that includes executable files of installed applications, or a category of applications required for operation, which includes a standard set of applications used by the organization. Each category can only be used in one rule. KL categories usage is not supported in Kaspersky Security Center.
• Permission or prohibition for selected users or user groups to run applications. You can specify a user or user group that is allowed or not allowed to run applications of the specified category.
• Rule triggering condition. A condition is represented by the following correspondence: "condition type – condition criterion – condition value". Based on the rule triggering condition, Kaspersky Industrial CyberSecurity for Linux Nodes applies or does not apply the rule to the application. The rules use inclusive and exclusive conditions:
  • Inclusive conditions. Kaspersky Industrial CyberSecurity for Linux Nodes applies the rule to the application if the application meets at least one inclusive condition.
  • Exclusive conditions. Kaspersky Industrial CyberSecurity for Linux Nodes does not apply the rule to the application if the application meets at least one exclusive condition or does not meet any of the inclusive conditions.

  Rule triggering conditions are created using the following criteria:

  • Name of the application's executable file.
  • Name of the directory with the application's executable file.
  • Hash (SHA-256) of the application executable file.

  For each criterion used in the condition, a value must be specified.

  You can use masks to specify the names of files and directories.

  You can use the * (asterisk) character to create a file or directory name mask.

  You can indicate a single * character to represent any set of characters (including an empty set) preceding the / character in the file or directory name. For example, /dir/*/file or /dir/*/*/file.

  You can indicate two consecutive * characters to represent any set of characters (including an empty set and the / character) in the file or directory name. For example, /dir/**/file*/ or /dir/file**/.

  The ** mask can be used only once in a directory name. For example, /dir/**/**/file is an incorrect mask.

  To exclude the mount point /dir, you need to specifically indicate /dir (no asterisk).

  The mask /dir/* excludes all mount points at the level below /dir but not /dir itself. The /dir/** mask excludes all mount points below the level of /dir but not /dir itself.

  You can use a single ? character to represent any one character in the file or directory name.

  If the settings of the application being launched match the values ​​of the criteria specified in the inclusive condition, the rule is triggered. In this case, Application Control performs the action specified in the rule. If application settings match the values ​​of the criteria specified in the exclusive condition, Application Control does not control the application launch.

For each operation mode of the Application Control task, separate rules must be created and an action must be specified: apply rules or test rules. The Application Control task performs this action when it detects an attempt to start an application.

The Application control rules have three operation statuses:

• Enabled – the rule is enabled, Kaspersky Industrial CyberSecurity for Linux Nodes applies this rule when the Application Control task is running.
• Disabled – the rule is disabled and is not used when the Application Control task is running.
• Test – Kaspersky Industrial CyberSecurity for Linux Nodes allows launching applications that meet the rule criteria, but logs information about launches of these applications in the report.

The priority of the rule operation status is higher than the priority of the action specified in the rule.