Application rules / Group rules

File

(only in the Application rules window)

Reference information about an application and about the application's executable file. Kaspersky application receives information about an application from the application's executable file and from Kaspersky Security Network.

Files and system registry

Rules for accessing system registry keys and files related to operation of the operating system or to your personal data.

The individual access settings for read, write, create, and delete operations can be defined independently by using the menu in the cells of the corresponding table columns. The menu items are described in the Intrusion Prevention rules section.

Rights

Rights to access operating system resources and processes, and startup rights. You can set access rights by using the menu in the cells of the Action column. The menu items are described in the Intrusion Prevention rules section.

Network rules

Rules applied by Kaspersky application to regulate the network activity of an application or application group.

By default, the list displays the predefined application network rules that are recommended by Kaspersky experts. You cannot delete or edit predefined network rules (except changing the action in the Permission column; please refer to the description of available actions in the Intrusion Prevention rules section).

When adding or editing a rule, you can define the following settings:

• Action:
  • Allow. Kaspersky application allows the network connection.
  • Block. Kaspersky application blocks the network connection.
  • Ask user. If the Perform recommended actions automatically check box is cleared under Settings → Security settings → Exclusions and actions on object detection, Kaspersky application asks the user to decide whether or not to allow or deny the network connection. If the check box is selected, the action is chosen automatically. You can follow the footnote in the application window to read about exactly which action will be selected.
• Name.
• Direction:
  • Inbound. Kaspersky application applies the rule to network connections opened by a remote computer.
  • Outbound. Kaspersky application applies the rule to the network connection that was opened by your computer.
  • Inbound / Outbound. Kaspersky application applies the rule both to inbound and outbound data packets or streams, regardless of which computer (your computer or a remote computer) initiated the network connection.
• Protocol.
• ICMP settings. You can specify the type and code of data packets to be scanned. The settings section is available if the ICMP or ICMPv6 protocols are selected.
• Remote ports (ports of a remote computer).
• Local ports (ports of your computer).

You can specify a range of remote or local ports (for example, 6660–7000), list multiple ports separated by commas, or combine both methods (for example, 80–83,443,1080).

• Address:
  • Any address.
  • Subnet addresses. Kaspersky application applies the rule to IP addresses of all networks that are currently connected and are of the specified type (Public, Local or Trusted). The network type can be selected from the drop-down list that is displayed below if the Subnet addresses option is selected.
  • Addresses from the list. Kaspersky application applies the rule to IP addresses within the specified range. You can specify IP addresses in the Remote address field, which is displayed below if the Addresses from the list option is selected.
• Network adapters traversed by network packets.
• Use of TTL. Kaspersky application controls the transmission of network packets whose time to live (TTL) does not exceed the specified value.
• Logging events to Kaspersky application report.

To quickly add a rule, you can select one of the predefined templates in the drop-down list in the lower part of the window.

Exclusions

(only in the Application rules window)

You can select rules that will be used to exclude an application from scans:

• Do not scan opened files.
• Do not monitor application activity. Intrusion Prevention does not monitor any application activity.
• Do not inherit restrictions from the (application’s) parent process. If restrictions of a parent process or application are not inherited, application activity is monitored according to your defined rules or according to the rules of the trust group to which the application belongs.
• Do not monitor the activity of child applications.
• Do not block interaction with Kaspersky application interface. The application is allowed to manage Kaspersky application by using its graphical interface. You may need to allow the application to manage the interface of Kaspersky application when using a remote desktop connection application or an application supporting the operation of a data input device. Examples of such devices include touch pads and graphic tablets.
• Do not scan all traffic (or encrypted traffic). Depending on the selected option (Do not scan all traffic or Do not scan encrypted traffic), Kaspersky application excludes all network traffic of the application or traffic transmitted over SSL from being scanned. The value of this setting does not affect Firewall operation: Firewall scans application traffic in accordance with Firewall settings. Exclusions affect Mail Anti-Virus, Safe Browsing, and Anti-Spam. You can specify the IP addresses or network ports to which the traffic control restriction must apply.

History

(only in the Application rules window)

Reference information about actions taken on the application, such as starting the application or assigning a trust group.

Kaspersky assigns trust groups to all applications started on a computer depending on the level of danger that these applications pose to the system.

The trust groups are as follows:

• Trusted. This group is for applications that have a digital signature from trusted vendors, and applications that have a record in the database of trusted applications. These applications are not restricted from any activity in the system. Activity of these applications is monitored by Proactive Defense and File Anti-Virus.
• Low Restricted. This group is for applications that do not have a digital signature from trusted vendors or corresponding records in the database of trusted applications but pose a low level of threat (based on Kaspersky Security Network data). They are allowed to perform specific operations, such as access to other processes, management of the system, and hidden network access. User permission is required for most operations.
• High Restricted. This group is for applications that do not have a digital signature or records in the database of trusted applications. These applications pose a medium level of threat. Applications in this group require user permission to perform most operations in the system.
• Untrusted. This group is for applications that do not have a digital signature or records in the database of trusted applications. These applications have a high threat level. Kaspersky blocks all activity of these applications.