Kaspersky Security Center

Using Application Control to manage executable files

July 1, 2024

ID 183681

You can use the Application Control component to allow or block startup of executable files on user devices. The Application Control component supports Windows-based and Linux-based operating systems.

For Linux-based operating systems, the Application Control component is available starting from Kaspersky Endpoint Security 11.2 for Linux.

Prerequisites

  • Kaspersky Security Center Linux is deployed in your organization.
  • The policy of Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Windows is created and is active. The Application Control component is enabled in the policy.

Stages

The Application Control usage scenario proceeds in stages:

  1. Forming and viewing the list of executable files on client devices

    This stage helps you find out which executable files are present on managed devices. View the list of executable files and compare it with the lists of allowed and prohibited executable files. Restrictions on the use of executable files can be related to the information security policies in your organization. You can skip this stage if you know exactly which executable files are used on managed devices.

    How-to instructions: Obtaining and viewing a list of executable files stored on client devices

  2. Creating categories for executable files used in your organization

    Analyze the lists of executable files stored on managed devices. Based on the analysis, create categories for executable files. It is recommended to create a "Work applications" category that covers the standard set of executable files that are used at your organization. If different security groups use their own sets of executable files in their work, a separate category can be created for each security group.

    Startup of executable files whose settings do not match any of the Application Control rules is regulated by the selected operating mode of the component:

    • Denylist. The mode is used if you want to allow the startup of all executable files except those specified in block rules. This mode is selected by default.
    • Allowlist. The mode is used if you want to block the startup of all executable files except those specified in allow rules.

    The Application Control rules are implemented through categories for executable files. In Kaspersky Security Center Linux there are three types of categories for executable files:

  3. Configuring Application Control in the Kaspersky Endpoint Security policy

    Configure the Application Control component in the Kaspersky Endpoint Security for Linux policy using the categories you created at the previous stage.

    How-to instructions: Configuring Application Control in the Kaspersky Endpoint Security for Windows policy

  4. Turning on Application Control component in test mode

    To ensure that Application Control rules do not block executable files required for users' work, it is recommended to enable testing of Application Control rules and analyze their operation after creating new rules. When testing is enabled, Kaspersky Endpoint Security for Windows will not block executable files whose startup is forbidden by Application Control rules, but will instead send notifications about their startup to the Administration Server.

    When testing Application Control rules, it is recommended to perform the following actions:

    • Determine the testing period. The testing period can vary from several days to two months.
    • Examine the events resulting from testing the operation of Application Control.

    How-to instructions for Kaspersky Security Center Web Console: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow these instructions and enable the Test Mode option during configuration.

  5. Changing the settings of Application Control component

    If necessary, make changes to the Application Control settings. Based on the test results, you can add executable files related to events of the Application Control component to a category with content added manually.

    How-to instructions: Kaspersky Security Center Web Console: Adding event-related executable files to the application category

  6. Applying the rules of Application Control in operation mode

    After Application Control rules are tested and configuration of categories is complete, you can apply the rules of Application Control in operation mode.

    How-to instructions for Kaspersky Security Center Web Console: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow these instructions and disable the Test Mode option during configuration.

  7. Verifying Application Control configuration

    Be sure that you have done the following:

    • Created categories for executable files.
    • Configured Application Control using the categories.
    • Applied the rules of Application Control in operation mode.
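
The following added example (not Kaspersky code and not part of the original article) models the denylist/allowlist decision and the test-mode review described in stages 2, 4 and 5, so that notifications collected during the testing period can be triaged per file before switching to operation mode. It assumes a simplified model in which a category is a set of SHA-256 digests; the `Launch` record, the function names and all sample data are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Launch(NamedTuple):          # one startup attempt reported by a device
    device: str
    path: str
    sha256: str

def decide(launch, mode, rule_hashes, test_mode):
    """Return 'allow', 'block' or 'notify' for one startup attempt."""
    if mode not in ("denylist", "allowlist"):
        raise ValueError(f"unknown mode: {mode}")
    matched = launch.sha256 in rule_hashes
    # Denylist: only files matched by block rules are forbidden.
    # Allowlist: every file NOT matched by allow rules is forbidden.
    forbidden = matched if mode == "denylist" else not matched
    if not forbidden:
        return "allow"
    # Test mode reports the forbidden startup instead of blocking it.
    return "notify" if test_mode else "block"

def review_test_period(launches, mode, rule_hashes):
    """Group test-mode notifications per file, most widely seen first."""
    hits = defaultdict(lambda: {"paths": set(), "devices": set(), "count": 0})
    for launch in launches:
        if decide(launch, mode, rule_hashes, test_mode=True) == "notify":
            entry = hits[launch.sha256]
            entry["paths"].add(launch.path)
            entry["devices"].add(launch.device)
            entry["count"] += 1
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]["devices"]), kv[0]))

# Constructed sample data: digests are placeholders, not real file hashes.
BROWSER, ERP, UNKNOWN = "aa" * 32, "cc" * 32, "dd" * 32
WORK_APPS = {BROWSER}              # hypothetical "Work applications" category
LAUNCHES = [
    Launch("dev1", "/usr/bin/browser", BROWSER),
    Launch("dev1", "/opt/erp/client", ERP),
    Launch("dev2", "/opt/erp/client", ERP),
    Launch("dev3", "/opt/erp/client", ERP),
    Launch("dev3", "/tmp/unknown-tool", UNKNOWN),
]

if __name__ == "__main__":
    for digest, info in review_test_period(LAUNCHES, "allowlist", WORK_APPS):
        print(digest[:8], sorted(info["paths"]), len(info["devices"]), "devices")
```

In this sample, the file seen on three devices is a likely candidate for the "Work applications" category, while the file seen once under `/tmp` warrants investigation before any rule is changed.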

Results

When the scenario is complete, startup of executable files on managed devices is controlled. The users can run only those executable files that are allowed in your organization and cannot run executable files that are prohibited in your organization.

For detailed information about Application Control, refer to the Kaspersky Endpoint Security for Linux Help and Kaspersky Endpoint Security for Windows Help.
