Kaspersky Embedded Systems Security for Linux

Application Control task (Application_Control, ID:21)

During execution of the Application Control task, Kaspersky Embedded Systems Security controls the launching of applications on user devices. This helps reduce the risk of device infection by restricting access to applications. Application launching is regulated by Application Control rules.

The Application Control task can operate in two modes:

  • Denylist. In this mode Kaspersky Embedded Systems Security allows all users to launch any applications that are not specified in the Application Control rules. This is the default operation mode of the Application Control task.
  • Allowlist. In this mode Kaspersky Embedded Systems Security prevents all users from launching any applications that are not specified in the Application Control rules.

Thus, if the Application Control rules are created as completely as possible, Kaspersky Embedded Systems Security prohibits the launching of any new application that has not been verified by the administrator of the organization's local network, while keeping the operating system and the verified applications that users need for their job duties working.

The Kaspersky Security Center administrator, or a local user with the admin role assigned in the application, can use Application Control to control process starts under the root account.

For each operation mode of the Application Control task, separate rules can be created and an action can be specified: apply rules or test rules. Kaspersky Embedded Systems Security performs this action when it detects an attempt to start an application on a user device.

If you change the list of allowed applications, or prohibit the launch of all applications or of applications that affect the operation of Kaspersky Embedded Systems Security, then when you modify the task settings using the configuration file or the command line, run the --set-settings command with the --accept flag.

Kaspersky Embedded Systems Security supports the following interpreters: python, perl, bash, ssh.

The Application Control task does not control the launching of scripts from interpreters that Kaspersky Embedded Systems Security does not support, or the launching of scripts that are not passed to the interpreter on the command line. If the Application Control rules allow the interpreter to launch, Kaspersky Embedded Systems Security does not block a script launched from this interpreter. If the launch of at least one script specified on the interpreter command line is prohibited by the Application Control rules, Kaspersky Embedded Systems Security blocks all scripts specified on that command line. Example of a launch that is not controlled: cat script.py | python (the script is read from standard input rather than passed on the command line).

In this Help section

About Application Control rules

Application Control task settings

Viewing the list of created categories

[Topic 245995]

About Application Control rules

An Application Control rule is a set of settings required for the Application Control task to work:

  • The application category to which the application belongs. An application category is a group of applications with common characteristics. For example, a category that includes executable files of installed applications, or a category of applications required for operation, which includes a standard set of applications used by the organization. Each category can only be used in one rule.

    Kaspersky Embedded Systems Security does not support use of the KL categories of Kaspersky Security Center.

  • Permission or prohibition for selected users and/or user groups to run applications. You can specify a user and/or user group that is allowed or not allowed to run applications of the specified category.
  • Rule triggering condition. A condition is represented by the following correspondence: "condition type – condition criterion – condition value". Based on the rule triggering condition, Kaspersky Embedded Systems Security applies or does not apply the rule to the application. The rules use inclusive and exclusive conditions:
    • Inclusive conditions. Kaspersky Embedded Systems Security applies the rule to the application if the application meets at least one inclusive condition.
    • Exclusive conditions. Kaspersky Embedded Systems Security does not apply the rule to the application if the application meets at least one exclusive condition or does not meet any of the inclusive conditions.

    Rule triggering conditions are created using the following criteria:

    • Name of the application's executable file.
    • Name of the directory with the application's executable file.
    • Hash (SHA-256) of the application's executable file. Only SHA-256 hashes can be used.

    For each criterion used in the condition, a value must be specified.

    You can use masks to specify the names of files and directories.

    You can use the * character (any sequence of characters) or the ? character (any one character) as the file or directory name mask.

    You can put the * character to represent any set of characters (including an empty set) in a file or directory name that includes the / character. For example, /dir/*/file*/ or /dir/file*/.

    You can put a single ? character to represent any one character (including /) in the file or directory name.

    If the settings of the application being launched match the values of the criteria specified in the inclusive condition, the rule is triggered. In this case, Application Control performs the action specified in the rule. If application settings match the values of the criteria specified in the exclusive condition, Application Control does not control the application launch.

For each operation mode of the Application Control task, separate rules must be created and an action must be specified: apply rules or test rules. The Application Control task performs this action when it detects an attempt to start an application.

The Application Control rules have three operation statuses:

  • Enabled – the rule is enabled, Kaspersky Embedded Systems Security applies this rule when the Application Control task is running.
  • Disabled – the rule is disabled and is not used when the Application Control task is running.
  • Test – Kaspersky Embedded Systems Security allows launching applications that meet the rule criteria, but logs information about launches of these applications in the report.

The rule operation status has a higher priority than the action specified in the rule.

[Topic 245996]

Application Control task settings

The table describes all available values and the default values of all the settings that you can specify for the Application Control task.

Application Control task settings

Setting – Description – Values

AppControlMode

Application Control task operation mode.

AllowList – Kaspersky Embedded Systems Security prevents users from launching any applications that are not specified in the Application Control rules.

DenyList (default value) – Kaspersky Embedded Systems Security allows users to launch any applications that are not specified in the Application Control rules.

AppControlRulesAction

The action that Kaspersky Embedded Systems Security performs upon detecting an attempt to start an application.

ApplyRules (default value) – Kaspersky Embedded Systems Security applies Application Control rules and performs the action specified in the rules.

TestRules – Kaspersky Embedded Systems Security tests the rules and generates an event about the detection of the applications that meet the rule.

The [Categories.item_#] section contains the following settings:

Name

Name of the created application category to which the rule applies.


UseIncludes

Usage of inclusive conditions to trigger the rule.

Yes – apply the rule to the application if the application meets at least one inclusive condition.

No (default value) – do not apply the rule to the application, even if the application meets the inclusive conditions.

IncludeFileNames.item_#

Name of the executable file that triggers the rule.

You can use masks to specify the file name.

You can use the * character (any sequence of characters) or the ? character (any one character) as the file or directory name mask.

You can put the * character to represent any set of characters (including an empty set) in a file or directory name that includes the / character. For example, /dir/*/file*/ or /dir/file*/.

You can put a single ? character to represent any one character (including /) in the file or directory name.

IncludeFolders.item_#

Name of the directory with the application's executable file that triggers the rule.

You can use masks to specify the directory name.

You can use the * character (any sequence of characters) or the ? character (any one character) as the file or directory name mask.

You can put the * character to represent any set of characters (including an empty set) in a file or directory name that includes the / character. For example, /dir/*/file*/ or /dir/file*/.

You can put a single ? character to represent any one character (including /) in the file or directory name.

IncludeHashes.item_#

Hash (SHA-256) of the executable file that triggers the rule.


UseExcludes

Usage of exclusive conditions to trigger the rule.

Yes – do not apply the rule to the application if the application meets at least one exclusive condition or does not meet any of the inclusive conditions.

No (default value) – apply the rule to the application, even if the application meets at least one exclusive condition.

ExcludeFileNames.item_#

Name of the executable file that triggers the rule.

You can use masks to specify the file name.

You can use the * character (any sequence of characters) or the ? character (any one character) as the file or directory name mask.

You can put the * character to represent any set of characters (including an empty set) in a file or directory name that includes the / character. For example, /dir/*/file*/ or /dir/file*/.

You can put a single ? character to represent any one character (including /) in the file or directory name.

ExcludeFolders.item_#

Name of the directory with the application's executable file that triggers the rule.

You can use masks to specify the directory name.

You can use the * character (any sequence of characters) or the ? character (any one character) as the file or directory name mask.

You can put the * character to represent any set of characters (including an empty set) in a file or directory name that includes the / character. For example, /dir/*/file*/ or /dir/file*/.

You can put a single ? character to represent any one character (including /) in the file or directory name.

ExcludeHashes.item_#

Hash (SHA-256) of the executable file that triggers the rule.


The [AllowListRules.item_#] section contains a list of Application Control rules for the AllowList operation mode.

Each [AllowListRules.item_#] section contains the following settings:

Description

Description of the Application Control rule.


AppControlRuleStatus

Operation status of the Application Control rule:

On (default value) – the rule is enabled, Kaspersky Embedded Systems Security applies this rule when the Application Control task is running.

Off – the rule is not used when the Application Control task is running.

Test – Kaspersky Embedded Systems Security allows applications covered by the rule to be launched, but logs information about the launch of these applications in the report.

Category

Name of the created application category to which the rule applies.

You can specify the "Golden Image" category.


The [AllowListRules.item_#.ACL.item_#] section contains a list of users who are allowed or denied to run applications.

Access

Access type assigned to a user or user group.

Allow (default value) – allow running applications.

Block – deny running applications.

Principal

User or user group to which the Application Control rule applies.

\Everyone (default value): the rule applies to all users.

<user name>: name of the user to whom the rule applies.

@<group name>: name of the group of users to whom the rule applies.

The [DenyListRules.item_#] section contains a list of Application Control rules for the DenyList operation mode.

Each [DenyListRules.item_#] section contains the following settings:

Description

Description of the Application Control rule.


AppControlRuleStatus

Operation status of the Application Control rule:

On (default value) – the rule is enabled, Kaspersky Embedded Systems Security applies this rule when the Application Control task is running.

Off – the rule is not used when the Application Control task is running.

Test – Kaspersky Embedded Systems Security allows applications covered by the rule to be launched, but logs information about the launch of these applications in the report.

Category

Name of the created application category to which the rule applies.

You can specify the "Golden Image" list of applications as a category.


The [DenyListRules.item_#.ACL.item_#] section contains a list of users who are allowed or denied to run applications.

Access

Access type assigned to a user or user group.

Allow – allow applications to start.

Block (default value) – do not allow applications to start.

Principal

User or user group to which the Application Control rule applies.

\Everyone (default value): the rule applies to all users.

<user name>: name of the user to whom the rule applies.

@<group name>: name of the group of users to whom the rule applies.
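As an added example, not part of the Kaspersky documentation and not the product's own code, the following Python script models the rule semantics described in the two sections above (inclusive and exclusive conditions, * and ? masks, the per-mode ACL defaults, a rule status that outranks the rule action, SHA-256 pinning of an executable) on a constructed configuration in the [Categories.item_#] / [AllowListRules.item_#] / ACL layout. Everything the page does not state is an assumption made here: the item_0000 numbering, that the top-level keys stand outside any section (the script wraps them in a [General] section only to parse them), how a folder mask is compared with the executable's directory, that a Block decision wins when several enforcing rules match one launch, and the names Launch, parse_config and decide. It is meant as an offline sanity check of a rule set before it is deployed, not as a description of how the product itself matches rules.

```python
"""Offline simulator for the Application Control semantics described above (added
example, not Kaspersky's code; numbering, section layout and folder-mask handling are assumptions)."""
import configparser, hashlib, re
from dataclasses import dataclass

PINNED_SCRIPT = b"#!/bin/sh\necho deploy\n"  # constructed; its SHA-256 is pinned below
SAMPLE_CONFIG = f"""\
AppControlMode=AllowList
[Categories.item_0000]
Name=Approved tools
UseIncludes=Yes
IncludeFolders.item_0000=/usr/bin/*
IncludeFileNames.item_0000=/opt/app/bin/agent
UseExcludes=Yes
ExcludeFileNames.item_0000=/usr/bin/python?
[Categories.item_0001]
Name=Pinned script
UseIncludes=Yes
IncludeHashes.item_0000={hashlib.sha256(PINNED_SCRIPT).hexdigest()}
[AllowListRules.item_0000]
AppControlRuleStatus=On
Category=Approved tools
[AllowListRules.item_0000.ACL.item_0000]
Access=Allow
Principal=\\Everyone
[AllowListRules.item_0001]
AppControlRuleStatus=On
Category=Pinned script
[AllowListRules.item_0001.ACL.item_0000]
Access=Allow
Principal=@ops
"""

@dataclass
class Launch:
    path: str
    user: str
    groups: tuple = ()
    content: bytes = b""  # executable bytes, only needed for hash conditions

def parse_config(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case (IncludeFolders.item_0000)
    cfg.read_string("[General]\n" + text)  # top-level keys have no section; wrap them
    return cfg

def mask_matches(mask, value):
    """* = any sequence, empty or spanning '/'; ? = exactly one character, '/' included."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.fullmatch(regex, value) is not None

def condition_matches(kind, value, launch):
    if kind == "FileNames":
        return mask_matches(value, launch.path)
    if kind == "Folders":  # assumption: mask tried with and without a trailing slash
        folder = launch.path.rpartition("/")[0]
        return mask_matches(value, folder) or mask_matches(value, folder + "/")
    return value.lower() == hashlib.sha256(launch.content).hexdigest()  # Hashes

def category_applies(section, launch):
    """Any exclusive hit vetoes the rule; otherwise one inclusive hit is needed."""
    def hits(prefix):
        return any(condition_matches(kind, val, launch) for key, val in section.items()
                   for kind in ("FileNames", "Folders", "Hashes")
                   if key.startswith(f"{prefix}{kind}.item_"))
    if section.get("UseExcludes", "No") == "Yes" and hits("Exclude"):
        return False
    return section.get("UseIncludes", "No") == "Yes" and hits("Include")

def principal_matches(principal, launch):
    if principal == r"\Everyone":
        return True
    return principal[1:] in launch.groups if principal[0] == "@" else principal == launch.user

def decide(cfg, launch):
    """Return (verdict, log) for one launch attempt under the loaded task settings."""
    mode = cfg["General"]["AppControlMode"]
    categories = {cfg[s]["Name"]: cfg[s] for s in cfg.sections() if s.startswith("Categories.")}
    default_access = "Allow" if mode == "AllowList" else "Block"  # per-mode ACL default
    decisions, log = [], []
    for sec in cfg.sections():
        if not sec.startswith(f"{mode}Rules.") or ".ACL." in sec:
            continue
        rule, status = cfg[sec], cfg[sec].get("AppControlRuleStatus", "On")
        if status == "Off" or not category_applies(categories[rule["Category"]], launch):
            continue
        for acl in (cfg[a] for a in cfg.sections() if a.startswith(sec + ".ACL.")):
            if principal_matches(acl.get("Principal", r"\Everyone"), launch):
                access = acl.get("Access", default_access)
                if status == "Test":  # status outranks action: launch allowed, only logged
                    log.append(f"TEST {sec}: would {access} {launch.path}")
                else:
                    decisions.append(access)
    if "Block" in decisions:  # assumption: Block wins when several rules match
        return "Block", log
    if "Allow" in decisions or log:
        return "Allow", log
    # Nothing matched: AllowList denies unknown launches, DenyList permits them.
    return ("Block" if mode == "AllowList" else "Allow"), log
```

Feeding the constructed settings to decide() shows the behaviour the table describes: /usr/bin/ls is allowed through the folder mask, /usr/bin/python3 is vetoed by the exclusive mask even though its folder is included, an executable under /tmp is blocked because the mode is AllowList and no rule allows it, and the pinned script is allowed only for a member of the ops group and only while its bytes still produce the pinned SHA-256. A DenyList set-up needs only AppControlMode=DenyList and [DenyListRules.item_#] sections; the ACL default then flips to Block, as the table states.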


[Topic 245998]

Viewing the list of created categories

You can view the list of created application categories.

The following categories are displayed in the list of created categories:

  • Categories created in Kaspersky Security Center.
  • Categories added in the Application Control task settings using the command line.
  • The GoldenImage category created using the Inventory Scan task (in Kaspersky Security Center or using the command line).

To view the list of created application categories, execute the following command:

kess-control [-A] --get-categories [--json]

where:

--json – output format for the list of categories. If this parameter is not specified, the INI format is used for the output.

Kaspersky Embedded Systems Security displays the following information about the application category:

  • Unique identifier (GUID) of the category
  • Category name
  • Category description (if any)
  • The list of conditions for including a file or directory with files in a category
  • The list of conditions for excluding a file or directory with files from a category

If, in the [Categories.item_#] section of the Application Control task settings, you specify a symbolic link to an application file or to a directory with executable files as an inclusive or exclusive rule-triggering condition, then the list of categories shows, for that condition, the source path that the symbolic link points to.


[Topic 245997]