Configuring a Rule Generator for Applications Launch Control task

To configure the Rule Generator for Applications Launch Control task:

1. Open the Properties: Rule Generator for Applications Launch Control window.
2. In the Notification section, configure the task event notification settings.

   For detailed information on configuring settings in this section, see Kaspersky Security Center Help.

3. In the Settings section, you can configure the following settings:
   • Specify prefix for rule names.
   • Select how to create allowing rules:
     • Create allowing rules based on running applications
       

       This check either box enables or disables generation of Applications Launch Control rules for applications that are already running. This option is recommended if the protected device has a reference set of applications based on which you want to create allowing rules.

       If this check box is selected, allowing rules for Applications Launch Control are generated based on running applications.

       If this check box is cleared, running applications are not taken into account when generating allowing rules.

       By default, the check box is cleared.

       This check box cannot be cleared if none of the folders are selected in the Create allowing rules for applications from the folders table.

     • Create allowing rules for applications from the folders
       

       You can use the table to select or specify folders for the task and the types of executable files to be taken into account when creating Applications Launch Control rules. The task will generate allowing rules for files of the selected types that are located in the specified folders.

4. In the Options section, you can specify actions to perform while creating allowing rules for applications launch control:
   • Use digital certificate
     

     If this option is selected, the presence of a digital certificate is specified as a rule triggering criterion in the settings of the newly generated allowing rules for Applications Launch Control. The application will now allow start of programs launched using files with a digital certificate. We recommend this option if you want to allow the start of any applications that are trusted in the operating system.

     This option is selected by default.

   • Use digital certificate subject and thumbprint
     

     The check box enables or disables the use of the subject and thumbprint of the file's digital certificate as a criterion for triggering the allowing rules for Applications Launch Control. Selecting this check box lets you specify stricter digital certificate verification conditions.

     If this check box is selected, the subject and thumbprint values of the digital certificate of files for which the rules are generated are set as a criterion for triggering the allowing rules for Applications Launch Control. Kaspersky Embedded Systems Security for Windows will allow applications that are launched using files with the specified thumbprint and digital certificate.

     Selecting this check box highly restricts the triggering of allowing rules based on a digital certificate because a thumbprint is a unique identifier of a digital certificate and cannot be forged.

     If this check box is cleared, the existence of any digital certificate that is trusted in the operating system is set as a criterion for triggering the allowing rules for Applications Launch Control.

     This check box is active if the Use digital certificate option is selected.

     The check box is selected by default.

   • If the certificate is missing, use
     

     This is a drop-down list that allows you to select the criterion for triggering an allowing rule for Applications Launch Control if the file used to generate the rule, has no digital certificate.

     • SHA256 hash. The checksum of the file used to generate the rule is set as a criterion for triggering the allowing rule for Applications Launch Control. The application will allow start of programs launched using files with the specified checksum.
     • path to file. The path to the file used to generate the rule is set as a criterion for triggering the allowing rule for Applications Launch Control. The application will now allow start of programs launched using files located in the folders specified in the Create allowing rules for applications from the folders table in the Settings section.
   • Use SHA256 hash
     

     If this option is selected, the checksum of the file used to generate the rule is specified as a rule triggering criterion in the settings of the newly generated allowing rules for Applications Launch Control. The application will allow start of programs launched using files with the specified checksum.

     We recommend this option for cases when the generated rules must achieve the highest level of security: a SHA256 checksum may be used as a unique file ID. Using a SHA256 checksum as a rule triggering criterion restricts the rule usage scope to one file.

   • Generate rules for user or group of users.
     

     This is a field that displays a user or group of users. The application will control any applications run by the specified user or group of users.

     The default selection is Everyone.

   You can configure settings for configuration files with lists of allowing rules for Device Control and Applications Launch Control. Kaspersky Embedded Systems Security for Windows creates these lists when the task is complete.

5. Configure the task schedule in the Schedule section (you can configure a schedule for all task types except Rollback of Database Update).
6. In the Account section, specify the account whose rights will be used to run the task.
7. If required, specify the objects to exclude from the task scope in the Exclusions from task scope section.

   For detailed information on configuring settings in these sections, see Kaspersky Security Center Help.

8. Click the OK button in the Properties: <Task name> window.

   The newly configured group task settings are saved.