About Applications Launch Control rules

Support

Support for business applications

Kaspersky Security 11.x for Windows Server

Applications Launch Control

About Applications Launch Control rules

June 10, 2022

ID 148394

Save as PDF

How Applications Launch Control rules work

The operation of Applications Launch Control rules is based on the following components:

Type of rule.
Applications Launch Control rules can allow or deny the start of application. Accordingly, they are called allowing or denying rules. To create a list of allowing rules for Applications Launch Control, you can use the Rule Generator for generating allowing rules or use the Applications Launch Control task in Statistics only mode. You can also add allowing rules manually.
User and / or user group.
Applications Launch Control rules can control the start of specified applications by a user and / or user group.
Rule usage scope.
Applications Launch Control rules can be applied to executable files, scripts, and MSI packages.
Rule-triggering criterion.
Applications Launch Control rules control the launch of files that satisfy one of the criteria specified in the rule settings: signed by the specified digital certificate, matching the specified SHA256 hash, or located at the specified path.

If Digital certificate is set as the rule-triggering criterion, the created rule controls the start of all trusted applications in the operating system. You can set stricter conditions for this criterion by selecting the following check boxes:
- Use subject
  The check box either enables or disables the use of the subject of the digital certificate as a rule-triggering criterion.
  
  If the check box is selected, the specified digital certificate subject is used as a rule-triggering criterion. The created rule will control the start of applications only for the vendor specified in the subject.
  
  If the check box is cleared, the application will not use the subject of the digital certificate as a rule-triggering criterion. If the Digital certificate criterion is selected, the created rule will control the start of applications signed with a digital certificate containing any subject.
  
  The subject of the digital certificate used to sign the file can be specified only from the properties of the selected file using the Set rule triggering criterion from file properties button located above the Rule triggering criterion section.
  
  The check box is cleared by default.
- Use thumb
  The check box enables / disables the use of the thumbprint of the digital certificate as a rule-triggering criterion.
  
  If the check box is selected, the specified digital certificate thumbprint is used as a rule-triggering criterion. The created rule will control the start of applications signed with a digital certificate with the specified thumbprint.
  
  If the check box is cleared, the application will not use the thumbprint of the digital certificate as a rule-triggering criterion. If the Digital certificate criterion is selected, the application will control the start of applications signed with a digital certificate with any thumbprint.
  
  The thumbprint of the digital certificate used to sign the file can be specified only from the properties of the selected file using the Set rule triggering criterion from file properties button located above the Rule triggering criterion section.
  
  The check box is cleared by default.
Thumbprints allow for the most restrictive triggering of application start rules based on a digital certificate, because a thumbprint uniquely identifies a digital certificate and cannot be forged, unlike the subject of a digital certificate.

You can specify exclusions for Applications Launch Control rules. Exclusions to Applications Launch Control rules are based on the same criteria used to trigger rules: digital certificate, SHA256 hash, and file path. Exclusions to Applications Launch Control rules may be required for certain allowing rules: for example, if you want to allow users to start applications from the C:\Windows path, while blocking launch of the Regedit.exe file.

If operating system files fall within the scope of the Applications Launch Control task, we recommend that when creating Applications Launch Control rules you make sure that such applications are allowed by the newly created rules. Otherwise, the operating system may fail to start.

Managing Applications Launch Control rules

You can perform the following actions with Applications Launch Control rules:

Add rules manually.
Generate and add rules automatically.
Remove rules.
Export rules to file.
Check selected files for rules that allow execution of these files.
Filter the rules in the list according to specified criterion.

Kaspersky Security for Windows Server: Prompt detection of all kinds of threats

Launch control and exploit prevention for businesses of all sizes. Buy as part of Endpoint Security for Business Advanced.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.