About Software Distribution Control
August 3, 2023
Generating Applications Launch Control rules can be complicated if you also need to control software distribution on a protected device, for example, on protected devices where installed software is periodically automatically updated. In this case, the list of allowing rules must be updated after each software update for newly created files to be considered in the Applications Launch Control task settings. To simplify launch control in software distribution scenarios, you can use the Software Distribution Control subsystem.
A software distribution package (hereinafter referred to as “package”) represents a software application to be installed on a protected device. Each package contains at least one application and, particularly when you are installing a software application or update, may also contain individual files, updates, or even an individual command.
The Software Distribution Control subsystem is implemented as an additional list of exclusions. When an installation package is added to the list, it becomes trusted. Unpacking is allowed for trusted packages, and automatic startup is allowed for applications installed or updated from trusted packages. The extracted files can inherit the trusted attribute of the primary distribution package. A primary distribution package is a package that has been added to the list of Software Distribution Control exclusions by a user and has become a trusted package.
Kaspersky Industrial CyberSecurity for Nodes controls only full software distribution cycles. The application cannot correctly process the launch of files modified by a trusted package if, when the package is started for the first time, software distribution control is turned off or the Application Launch Control component is not installed.
Software distribution control is not available if the Apply rules to executable files check box is cleared in the Applications Launch Control task settings.
Software distribution cache
Kaspersky Industrial CyberSecurity for Nodes uses a dynamically generated software distribution cache (“distribution cache”) to establish the relationship between trusted packages and files created during software distribution. When a package is first started, Kaspersky Industrial CyberSecurity for Nodes detects all files created by the package during the software distribution process and stores file checksums and paths in the distribution cache. After that, all files in the distribution cache are allowed to start by default.
You cannot review, clear or manually modify the distribution cache via the user interface. The cache is populated and controlled by Kaspersky Industrial CyberSecurity for Nodes.
You can export the distribution cache to a configuration file (XML format) and clear the cache using command line options.
To export the distribution cache to a configuration file, execute the following command:
kavshell appcontrol /config /savetofile:<full path> /sdc
To clear the distribution cache, execute the following command:
kavshell appcontrol /config /clearsdc
Kaspersky Industrial CyberSecurity for Nodes updates the distribution cache every 24 hours. If the checksum of a previously allowed file is changed, the application deletes the record for this file from the distribution cache. If the Applications Launch Control task is started in Active mode, subsequent attempts to start this file will be blocked. If the full path to the previously allowed file is changed, subsequent attempts to start this file will not be blocked, because the checksum is stored within the distribution cache.
Processing the extracted files
All files extracted from a trusted package inherit the trusted attribute upon first launch of the package. If you clear the Allow the further distribution of programs created from this distribution package check box after the first launch, all files extracted from the package retain the inherited attribute. To reset the inherited attribute on all extracted files, clear the distribution cache and clear the check box before starting the trusted distribution package again.
Extracted files and packages created by a primary trusted distribution package inherit the trusted attribute when their checksums are added to the distribution cache, which happens the first time the software distribution package in the exclusion list is opened. Hence, the distribution package itself and all files extracted from this package will also be trusted. By default, the number of levels of inheritance of the trusted attribute is unlimited.
Extracted files will retain the trusted attribute after the operating system restarts.
The processing of files is configured in the Software Distribution Control settings by selecting or clearing the Allow the further distribution of programs created from this distribution package check box.
For example, if test.msi, a package containing several packages and applications, is added to the list of exclusions and the check box is selected, all packages and applications contained in the test.msi package can be unpacked and run, even if they contain other nested files. This scenario works for extracted files on all nested levels.
If you add a test.msi package to the exclusions list and clear the Allow the further distribution of programs created from this distribution package check box, the application will assign the trusted attribute only to the packages and executable files extracted directly from the primary trusted package (on the first level of nesting). The checksums of such files are stored in the distribution cache. All files on the second level of nesting and beyond will be blocked by the Default Deny principle.
Working with the Applications Launch Control rule list
The list of trusted packages of the Software Distribution Control subsystem is a list of exclusions that supplements, but does not replace, the general list of Applications Launch Control rules.
Applications Launch Control denying rules have the highest priority: unpacking of trusted packages and the start of new or modified files are blocked if these packages and files are affected by Applications Launch Control denying rules.
Software Distribution Control exclusions are applied both to trusted packages and to files created or modified by these packages, provided that no denying rules in the Applications Launch Control list apply to those packages and files.
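The following Python sketch is an added illustration, not Kaspersky code or part of the original documentation. It models the behaviour described above: checksum-keyed cache records, first-level versus unlimited inheritance of the trusted attribute, denying-rule priority, and the periodic cache update. The class and function names, the SHA-256 checksum and the sample files are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

def checksum(data: bytes) -> str:
    # SHA-256 is an assumption; the page does not name the checksum algorithm.
    return hashlib.sha256(data).hexdigest()

@dataclass
class Artifact:  # hypothetical type: a package or a file it creates
    path: str
    data: bytes
    children: list = field(default_factory=list)  # files this one extracts

class DistributionCacheModel:  # hypothetical model, not the product's code
    def __init__(self, deny_checksums=()):
        self.cache = {}                  # checksum -> path stored at first launch
        self.deny = set(deny_checksums)  # stands in for denying rules

    def first_launch(self, package, allow_further_distribution):
        """Record the files a trusted package creates on its first launch."""
        self._record(package.children, allow_further_distribution)

    def _record(self, files, recurse):
        for f in files:
            self.cache[checksum(f.data)] = f.path
            if recurse:                  # check box selected: all nesting levels
                self._record(f.children, True)

    def may_start(self, data: bytes) -> bool:
        digest = checksum(data)
        if digest in self.deny:          # denying rules have the highest priority
            return False
        return digest in self.cache      # anything else falls under Default Deny

    def refresh(self, disk):
        """Periodic update: delete records whose file content has changed."""
        for digest, path in list(self.cache.items()):
            if path in disk and checksum(disk[path]) != digest:
                del self.cache[digest]

def build_sample():
    # Constructed sample: test.msi -> setup.exe (level 1) -> helper.exe (level 2)
    helper = Artifact(r"C:\App\helper.exe", b"helper-v1")
    setup = Artifact(r"C:\App\setup.exe", b"setup-v1", [helper])
    return Artifact(r"C:\Temp\test.msi", b"msi", [setup]), setup, helper
```

Because the lookup in may_start uses only the checksum, a file that is moved to another path is still allowed, while a file whose content changes loses its record at the next refresh and is then blocked.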
Using KSN conclusions
KSN conclusions that a file is untrusted have a higher priority than the Software Distribution Control exclusions. Unpacking of trusted packages and the launch of files created or modified by trusted packages will be blocked if a KSN conclusion has been received and indicates that such files are untrusted.
After being unpacked from a trusted package, all child files are allowed to run regardless of KSN usage within the Applications Launch Control scope. The states of the Deny applications untrusted by KSN and Allow applications trusted by KSN check boxes do not affect the operation of the Allow the further distribution of programs created from this distribution package check box.