Kaspersky Embedded Systems Security 3.x

Configuring Software Distribution Control

October 25, 2023

ID 148393

To add a trusted distribution package via the Application Console:

  1. Open the Task settings window.
  2. On the Software Distribution Control tab, select the Automatically allow software distribution via applications and packages listed check box.

    You can select the Automatically allow software distribution via applications and packages listed check box if the Applications Launch Control check box in the Apply rules to executable files tab is selected in the General task settings.

  3. Clear the Always allow software distribution via Windows Installer check box if required.

    Clearing the Always allow software distribution via Windows Installer check box is only recommended if it is absolutely necessary. Turning off this function may cause issues with updating operating system files and also prevent the launch of files extracted from a distribution package.

  4. If required, select the Always allow software distribution via SCCM using the Background Intelligent Transfer Service check box.

    The application controls the software distribution cycle on the protected device — from package delivery to installation or update. The application does not control processes if any stage of distribution was performed before installation of the application on the protected device.

  5. To create the allow list or to edit the existing list of trusted distribution packages, click Change packages list and select one of the following methods in the window that appears:
    • Add one distribution package.
      1. Click the Browse button.
      2. Select the executable file or distribution package.

        The Trusting criteria block is automatically populated with data about the selected file.

      3. Clear or select the Allow the further distribution of programs created from this distribution package check box.
      4. Select one of two available options for criteria to use to determine whether a file or distribution package is trusted:
        • Use digital certificate
        • Use SHA256 hash
    • Add several packages by hash

      You can select an unlimited number of executable files and distribution packages, and add them to the list all at the same time. Kaspersky Embedded Systems Security for Windows examines the hash and allows the operating system to launch the specified files.

    • Change selected package

      Use this option to select a different executable file or distribution package, or to change the trust criteria.

    • Import distribution packages list from file.

      In the Open window, specify the configuration file containing a list of trusted distribution packages.

    If you create a trusted distribution package based on an executable file and you added a process in the Trusted Zone settings based on that same executable file and made it trusted for the Applications Launch Control task, the Trusted Zone settings have a higher priority. Kaspersky Embedded Systems Security for Windows blocks this executable file from starting, but considers the executable file's process to be trusted.

  6. If you want to remove a previously added application or distribution package from the trusted list, click the Delete distribution packages button. Extracted files will be allowed to run.

    To prevent extracted files from starting, uninstall the application on the protected device or create a denying rule in the Applications Launch Control task settings.

  7. Click the OK button.

The specified settings are saved.
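
Before choosing between Use digital certificate and Use SHA256 hash in step 5, it helps to record each candidate file's hash and signature state and to compare the hash with the value the software vendor publishes. The PowerShell below is an added example, not part of the Kaspersky documentation; the staging folder, the extension filter and the published-hash table are assumptions, and only the built-in Get-FileHash and Get-AuthenticodeSignature cmdlets are used.

```powershell
# Added example: inventory candidate packages before adding them to the trusted list.
# The folder path, extension filter and $Published table are assumptions.
function Get-PackageTrustInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Optional: file name -> SHA256 published by the software vendor
        [hashtable] $Published = @{},
        [string[]] $Extensions = @('.exe', '.msi', '.msp')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate

            # Compare with the vendor-published value when one was supplied
            $match = if ($Published.ContainsKey($_.Name)) {
                $Published[$_.Name] -ieq $hash
            } else { $null }

            [pscustomobject]@{
                File             = $_.FullName
                SHA256           = $hash
                MatchesPublished = $match        # $null = nothing to compare with
                SignatureStatus  = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer           = if ($cert) { $cert.Subject } else { $null }
                Thumbprint       = if ($cert) { $cert.Thumbprint } else { $null }
                CertExpires      = if ($cert) { $cert.NotAfter } else { $null }
            }
        }
}

# Constructed usage: the staging path and the published hash are placeholders.
$published = @{ 'setup.msi' = '<SHA256 from the vendor download page>' }
$report = Get-PackageTrustInventory -Path 'D:\Staging\Packages' -Published $published

# Files that need a closer look before they are trusted:
# hash differs from the published one, or a signature is present but not valid.
$report | Where-Object {
    $_.MatchesPublished -eq $false -or
    $_.SignatureStatus -notin 'Valid', 'NotSigned'
} | Format-Table File, SignatureStatus, MatchesPublished -AutoSize

$report | Export-Csv -LiteralPath .\package-inventory.csv -NoTypeInformation
```

The resulting CSV is a review aid only; it is not the configuration file that Import distribution packages list from file expects.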

See also

Adding trusted processes using the Application Console
