About Application Control rules
Oct 22, 2023
An Application Control rule is a set of settings required for the Application Control task to work:
- The application belonging to the application category. An application category is a group of applications with common characteristics. For example, a category that includes executable files of installed applications, or a category of applications required for operation, which includes a standard set of applications used by the organization. Each category can only be used in one rule.
KL categories usage is not supported in Kaspersky Security Center.
- Permission or prohibition for selected users and/or groups of users to run applications. You can specify a user and/or user group that is allowed or not allowed to run applications of the specified category.
- Rule triggering condition. A condition is represented by the following correspondence: "condition type – condition criterion – condition value". Based on the rule triggering condition, Kaspersky Endpoint Security applies or does not apply the rule to the application. The rules use inclusive and exclusive conditions:
- Inclusive conditions. Kaspersky Endpoint Security applies the rule to the application if the application meets at least one inclusive condition.
- Exclusive conditions. Kaspersky Endpoint Security does not apply the rule to the application if the application meets at least one exclusive condition or does not meet any of the inclusive conditions.
Rule triggering conditions are created using the following criteria:
- Name of the application's executable file.
- Name of the directory with the application's executable file.
- Hash (SHA-256) of the application executable file.
For each criterion used in the condition, a value must be specified.
You can use masks to specify the names of files and directories.
If the settings of the application being launched match the values of the criteria specified in the inclusive condition, the rule is triggered. In this case, Application Control performs the action specified in the rule. If application settings match the values of the criteria specified in the exclusive condition, Application Control does not control the application launch.
For each operation mode of the Application Control task, separate rules must be created and an action must be specified: apply rules or test rules. The Application Control task performs this action when it detects an attempt to start an application.
The Application Control rules have three operation statuses:
- Enabled – the rule is enabled, Kaspersky Endpoint Security applies this rule when the Application Control task is running.
- Disabled – the rule is disabled and is not used when the Application Control task is running.
- Test – Kaspersky Endpoint Security allows launching applications that meet the rule criteria, but logs information about launches of these applications in the report.
The priority of the rule operation status is higher than the priority of the action specified in the rule.