Actions to perform during automatic rule generation

To configure the actions of Kaspersky Security for Windows Server during the running and upon the completion of the Rule Generator for Applications Launch Control task:

1. Open the Task settings window of the Rule Generator for Applications Launch Control task.
2. Open the Options tab.
3. In the While generating allowing rules section, configure the following settings:
   • Use digital certificate
     

     If this option is selected, the presence of a digital certificate is specified as a rule-triggering criterion in the settings of the newly generated allowing rules for Applications Launch Control. The application will now allow start of programs launched using files with a digital certificate. We recommend this option if you want to allow the start of any applications that are trusted in the operating system.

     This option is selected by default.

   • Use digital certificate subject and thumbprint
     

     The check box enables or disables the use of the subject and thumbprint of the file's digital certificate as a criterion for triggering the allowing rules for Applications Launch Control. Selecting this check box lets you specify stricter digital certificate verification conditions.

     If this check box is selected, the subject and thumbprint values of the digital certificate of files for which the rules are generated are set as a criterion for triggering the allowing rules for Applications Launch Control. Kaspersky Security for Windows Server will allow applications that are launched using files with the specified thumbprint and digital certificate.

     Selecting this check box highly restricts the triggering of allowing rules based on a digital certificate because a thumbprint is a unique identifier of a digital certificate and cannot be forged.

     If this check box is cleared, the existence of any digital certificate that is trusted in the operating system is set as a criterion for triggering the allowing rules for Applications Launch Control.

     This check box is active if the Use digital certificate option is selected.

     The check box is selected by default.

   • If the certificate is missing, use
     

     This is a drop-down list that allows you to select the criterion for triggering an allowing rule for Applications Launch Control if the file used to generate the rule, has no digital certificate.

     • SHA256 hash. The checksum of the file used to generate the rule is set as a criterion for triggering the allowing rule for Applications Launch Control. The application will allow start of programs launched using files with the specified checksum.
     • path to file. The path to the file used to generate the rule is set as a criterion for triggering the allowing rule for Applications Launch Control. The application will now allow start of programs launched using files located in the folders specified in the Create allowing rules for applications from the folders table in the Settings section.
   • Use SHA256 hash
     

     If this option is selected, the checksum of the file used to generate the rule is specified as a rule-triggering criterion in the settings of the newly generated allowing rules for Applications Launch Control. The application will allow start of programs launched using files with the specified checksum.

     We recommend this option for cases when the generated rules must achieve the highest level of security: a SHA256 checksum may be used as a unique file ID. Using a SHA256 checksum as a rule-triggering criterion restricts the rule usage scope to one file.

   • Generate rules for user or group of users.
     

     This is a field that displays a user or group of users. The application will control any applications run by the specified user or group of users.

     The default selection is Everyone.

4. In the After task completes section, configure the following settings:
   • Add allowing rules to the list of Applications Launch Control rules.
     

     The check box enables or disables adding the newly generated allowing rules to the list of Applications Launch Control rules. The list of Applications Launch Control rules is displayed when you click the Applications Launch Control rules link in the details pane of the Applications Launch Control node.

     If this check box is selected, Kaspersky Security for Windows Server adds the rules generated by the Rule Generator for Applications Launch Control task to the list of Applications Launch Control rules based on the selected principle for adding rules.

     If this check box is cleared, Kaspersky Security for Windows Server does not add the newly generated allowing rules to the list of Applications Launch Control rules. The generated rules are only exported to a file.

     The check box is selected by default.

   • Principle of adding.
     

     This drop-down list is used to specify the method used to add the newly generated allowing rules to the list of Applications Launch Control rules.

     • Add to existing rules. The rules are added to the list of existing rules. Rules with identical settings are duplicated.
     • Replace existing rules. The rules replace the existing rules in the list.
     • Merge with existing rules. The rules are added to the list of existing rules. Rules with identical settings are not added; the rule is added if at least one rule parameter is unique.

     By default, the Merge with existing rules method is selected.

   • Export allowing rules to file.
   • Add protected device details to file name.
     

     The check box enables or disables adding information about the protected device to the name of the file to which the allowing rules will be exported.

     If this check box is selected, the application adds the protected device name and the file creation date and time to the name of the export file.

     If the check box is cleared, the application does not add information about the protected device to the name of the export file.

     The check box is selected by default.

5. Click OK in the Task settings window.

The specified settings are saved.