Application Privilege Control
January 10, 2024
The Kaspersky Security functionality described in this section is available only if the application is installed on a virtual machine with a Windows desktop operating system.
Application Privilege Control prevents applications from performing actions that may be dangerous for the operating system, and ensures control over access to operating system resources and to personal data.
This component controls the activity of applications on the protected virtual machine, including their access to protected resources (such as files, folders, and registry keys), by using application control rules. Application control rules are a set of restrictions that apply to various actions of applications in the operating system and to rights to access resources of the protected virtual machine.
The network activity of applications is monitored by the Firewall component.
Application startup may be initiated either by the user or by another running application. When application startup is initiated by another application, a startup sequence is created, which consists of parent and child processes.
When an application attempts to obtain access to a protected resource, Application Privilege Control analyzes all parent processes of the application to determine whether these processes have rights to access the protected resource. The minimum priority rule is then observed: when comparing the access rights of the application to those of the parent process, the access rights with a minimum priority are applied to the application's activity.
The priority of access rights is as follows:
- Allow. This access right has the highest priority.
- Block. This access right has the lowest priority.
This mechanism prevents a non-trusted application or an application with restricted rights from using a trusted application to perform actions that require certain privileges.
If the activity of an application is blocked due to the lack of rights that are granted to a parent process, you can edit these rights or disable the inheritance of restrictions from the parent process in the local interface.
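The minimum priority rule and the inheritance override described above, modeled as an added example (this is not Kaspersky code). The process table, the rule table, the default of Block for an application without a rule, and the per-application `no_inherit` set are assumptions made for illustration.

```python
from enum import IntEnum

class Right(IntEnum):
    BLOCK = 0  # lowest priority
    ALLOW = 1  # highest priority

RESOURCE = "protected_registry_key"  # hypothetical resource label

# Constructed process table: pid -> (application name, parent pid or None)
PROCESSES = {
    100: ("shell.exe", None),
    200: ("untrusted_tool.exe", 100),
    300: ("trusted_editor.exe", 200),  # trusted app started by the untrusted one
    400: ("trusted_editor.exe", 100),  # same app started directly from the shell
}

# Constructed application control rules: application -> {resource: right}
RULES = {
    "shell.exe": {RESOURCE: Right.ALLOW},
    "untrusted_tool.exe": {RESOURCE: Right.BLOCK},
    "trusted_editor.exe": {RESOURCE: Right.ALLOW},
}

def own_right(name, resource, rules):
    # Assumption: an application with no rule for the resource is blocked.
    return rules.get(name, {}).get(resource, Right.BLOCK)

def effective_right(pid, resource, processes, rules, no_inherit=frozenset()):
    """Return the right applied to `pid` after checking every parent process."""
    name, parent = processes[pid]
    right = own_right(name, resource, rules)
    if name in no_inherit:
        # Inheritance of restrictions from parents is disabled for this app.
        return right
    seen = {pid}
    # Walk the startup sequence; stop on a missing parent or a loop in the table.
    while parent is not None and parent in processes and parent not in seen:
        seen.add(parent)
        parent_name, parent = processes[parent]
        # Minimum priority rule: the lowest-priority right in the chain wins.
        right = min(right, own_right(parent_name, resource, rules))
    return right

if __name__ == "__main__":
    for pid in sorted(PROCESSES):
        result = effective_right(pid, RESOURCE, PROCESSES, RULES)
        print(pid, PROCESSES[pid][0], result.name)
```

Process 300 is blocked even though its own rule is Allow, because its parent is blocked; process 400, the same application started from the shell, is allowed.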
When an application is started on the protected virtual machine for the first time, Application Privilege Control scans the application and places it in one of the trust groups. A trust group defines the application control rules that the Kaspersky Security application applies when controlling application activity.
For more efficient operation of Application Privilege Control, it is recommended to enable the use of Kaspersky Security Network in Kaspersky Security operation. Data that is obtained through Kaspersky Security Network allows you to sort applications into groups with more accuracy and to apply optimum application control rules.
The next time the application starts, Application Privilege Control verifies the integrity of the application. If the application is unchanged, the component applies the current application control rules to it. If the application has been modified, Application Privilege Control re-scans it as if it were being started for the first time.
This section describes how to configure Application Privilege Control settings using the Administration Console and the Light Agent for Windows local interface. You can also configure Application Privilege Control settings using the Web Console when creating or modifying the Light Agent for Windows policy settings (Application Settings → Endpoint control → Application Privilege Control). Configuring application control rules using the Web Console is not supported.