Application Control
The Application Control component allows you to manage the launch of applications on protected devices. Application Control lowers the risk of device infection by limiting users' access to applications.
Application launching is regulated by Application Control rules.
The Application Control component can operate in one of two modes:
- Denylist. In this mode Kaspersky Embedded Systems Security allows all users to launch any applications that are not specified in the Application Control rules. By default, the Application Control component operates in this mode.
- Allowlist. In this mode, Kaspersky Embedded Systems Security prevents all users from launching any applications that are not specified in the Application Control rules or signed with certificates trusted by Application Control.
Thus, if the Application Control rules are created to the fullest extent possible, Kaspersky Embedded Systems Security prohibits the launching of all new applications that are not verified by the administrator of the organization's local network, but ensures the performance of the operating system and verified applications that users need to perform their job duties.
The Kaspersky Security Center administrator or a local user with the admin role assigned in the application can use Application Control to allow or deny the start of processes under the root account.
Application Control is disabled by default. You can enable or disable Application Control, and also configure the component's operation settings:
- Select the Application Control mode: allowlist or denylist.
- Create Application Control rules for each of the modes.
- Select the action that Kaspersky Embedded Systems Security performs upon detecting an attempt to run an application that matches the rules. Kaspersky Embedded Systems Security can apply rules and perform the actions specified in the rules, or test the rules and only inform about an attempt to run an application that matches the rules.
- Enable or disable the use of trusted certificates by Application Control and configure the list of trusted certificates. Application Control in allowlist mode does not block applications that are signed with trusted certificates.
You can receive information about applications installed on protected devices using the Inventory task.
Application Control does not control the launch of Snap, Flatpak, or AppImage applications.
The Application Control task does not control the launching of scripts from interpreters that are not supported by Kaspersky Embedded Systems Security, or the launching of scripts that are not passed to the interpreter via the command line. Kaspersky Embedded Systems Security supports the following interpreters: python, perl, bash, ssh.
If the interpreter is allowed to launch by the Application Control rules, Kaspersky Embedded Systems Security does not block the script launched from this interpreter. If the launch of at least one script specified in the interpreter command line is prohibited by the Application Control rules, Kaspersky Embedded Systems Security blocks all the scripts specified in the interpreter command line. Exclusion: cat script.py | python.
About Application Control rules
An Application Control rule is a set of settings that contain the conditions for triggering a rule and the actions of the Application Control component when a rule is triggered (allowing or blocking users when starting the application):
- The application belonging to the application category. An application category is a group of applications with common characteristics. For example, a category that includes executable files of installed applications, or a category of applications required for operation, which includes a standard set of applications used by the organization. Each category can only be used in one rule.
Kaspersky Embedded Systems Security does not support use of the KL categories of Kaspersky Security Center.
- Permission or prohibition for selected users and/or user groups to run applications. You can specify a user and/or user group that is allowed or not allowed to run applications of the specified category.
- Rule triggering condition. A condition is represented by the following correspondence: "condition type – condition criterion – condition value". Based on the rule triggering condition, Kaspersky Embedded Systems Security applies or does not apply the rule to the application. The rules use inclusive and exclusive conditions:
- Inclusive conditions. Kaspersky Embedded Systems Security applies the rule to the application if the application meets at least one inclusive condition.
- Exclusive conditions. Kaspersky Embedded Systems Security does not apply the rule to the application if the application meets at least one exclusive condition or does not meet any of the inclusive conditions.
Rule triggering conditions are created using the following criteria:
- Name of the application's executable file.
- Name of the directory with the application's executable file.
- Hash of the application's executable file. Only SHA256 can be used.
For each criterion used in the condition, a value must be specified.
You can use masks to specify the names of files and directories.
If the settings of the application being launched match the criteria specified in the inclusive condition, the rule is triggered. In this case, Kaspersky Embedded Systems Security performs the action specified in the rule. If application settings match the criteria specified in the exclusive condition, Kaspersky Embedded Systems Security does not control the application launch.
Application control rules can have one of the following operation statuses:
- Enabled: the rule is enabled, Kaspersky Embedded Systems Security applies this rule to Application Control.
- Disabled: the rule is disabled and is not used for the Application Control.
- Test: Kaspersky Embedded Systems Security allows launching applications that meet the rule criteria, but logs information about launches of these applications in the report.
The priority of the rule operation status is higher than the priority of the action specified in the rule.
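The condition and status logic described above can be modelled offline to check which launches a planned rule would cover. This is an added example, not Kaspersky code: the class and function names are hypothetical, masks are assumed to behave like shell-style wildcards, and per-user access lists and the allowlist/denylist mode are not modelled.

```python
import os
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Condition:
    criterion: str  # "file_name", "directory" or "sha256"
    value: str      # mask for names (assumed shell-style), hex digest for sha256

    def matches(self, path: str, sha256: str) -> bool:
        if self.criterion == "file_name":
            return fnmatchcase(os.path.basename(path), self.value)
        if self.criterion == "directory":
            return fnmatchcase(os.path.dirname(path), self.value)
        if self.criterion == "sha256":
            return sha256.lower() == self.value.lower()
        raise ValueError(f"unknown criterion: {self.criterion}")


@dataclass
class Category:
    name: str
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)

    def contains(self, path: str, sha256: str) -> bool:
        # One exclusive match, or no inclusive match, means the rule is not applied.
        if any(c.matches(path, sha256) for c in self.exclude):
            return False
        return any(c.matches(path, sha256) for c in self.include)


@dataclass
class Rule:
    category: Category
    access: str               # "allow" or "block": the action specified in the rule
    status: str = "enabled"   # "enabled", "disabled" or "test"


def evaluate(rule: Rule, path: str, sha256: str) -> str:
    """Outcome of one rule for one launch: not_applied, allow, block or allow_logged."""
    if rule.status == "disabled" or not rule.category.contains(path, sha256):
        return "not_applied"
    if rule.status == "test":
        # The status outranks the action: the launch is allowed and reported.
        return "allow_logged"
    return rule.access


# Constructed sample data, not taken from a real policy.
SAMPLE_HASH = "0" * 64
ADMIN_TOOLS = Category(
    name="Admin tools",
    include=[Condition("directory", "/usr/local/bin"),
             Condition("sha256", SAMPLE_HASH)],
    exclude=[Condition("file_name", "debug-*")],
)

if __name__ == "__main__":
    launches = ("/usr/local/bin/backup", "/usr/local/bin/debug-shell", "/usr/bin/ls")
    for status in ("enabled", "test", "disabled"):
        rule = Rule(ADMIN_TOOLS, access="block", status=status)
        for path in launches:
            print(status, path, evaluate(rule, path, "f" * 64))
```

Running a planned rule in the test status first shows which launches it would affect before it is enforced.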
Configuring Application Control in the Web Console
In the Web Console, you can configure Application Control settings in the policy properties (Application settings → Security Controls → Application Control).
Application Control component settings
Setting | Description |
---|---|
Application Control enabled / disabled | This toggle switch enables or disables Application Control. The toggle button is switched off by default. |
Action on starting applications blocked by rules | The action that Kaspersky Embedded Systems Security performs upon detecting an attempt to start an application that matches the configured rules: |
Application Control mode | Application Control task operation mode: |
Trust applications signed by a trusted certificate / Do not trust applications signed by a trusted certificate | This toggle switch enables or disables the use of the trusted certificate list by Application Control. When the toggle switch is enabled, Application Control in allowlist mode does not block applications that are signed with trusted certificates. This option is available if the Application Control setting is set to Allowlist. The Manage Application Control trusted certificates link opens a window in which you can configure the list of trusted certificates for Application Control. |
Application Control rules | Clicking the Configure rules link opens the Application Control rules window. |
Applying rules | In the drop-down list, you can select how rules are added: |
Application Control rules window
The Application Control rules table has the tabs with the rules for each operation mode: Denylist (active) and Allowlist. Both tabs of the Application Control rules table are empty by default.
Application Control rules settings
Setting | Description |
---|---|
Category | The name of the application category that is used by the rule. |
Status | Operation status of the Application Control rule: |
Application Control rule window
In this window, you can configure the settings for the Application Control rule.
Configuring an Application Control rule
Setting | Description |
---|---|
Rule description | Description of the Application Control rule. |
Status | You can select the operation status of the Application Control rule: |
Category | The Choose category link opens the Application categories window. |
Users and their rights | The table contains a list of users or user groups to which the Application Control rule applies, and the types of access assigned to them, and consists of the following columns: |
Application categories window
In this window, you can add a new category or configure the category settings for an Application Control rule.
Kaspersky Embedded Systems Security does not support use of the KL categories of Kaspersky Security Center.
Application Control categories
Setting | Description |
---|---|
Category name | Search bar for added application categories. |
Add | Clicking the button starts the category creation wizard. Follow the instructions of the Wizard. For details about creating a category, refer to the Kaspersky Security Center Help. |
Edit | Clicking this button opens the category properties window, where you can change the category settings. The Golden Image (local) category cannot be edited. |
Remove | Clicking the button deletes the selected category. The Golden Image (local) category cannot be deleted. |
Select user or group window
In this window, you can specify a local or domain user or user group for which you want to configure a rule.
Configuring an Application Control rule
Setting | Description |
---|---|
Manually | If this option is selected, in the field below enter the name of the local or domain user or the name of a user group, to which the Application Control rule will apply. |
List of users and groups | If this option is selected, in the search field you can enter search criteria for the name of the user or name of the user group, to which the Application Control rule will apply, or you can select the name of the user group in the list below. |
Trusted certificates of Application Control window
You can configure a list of certificates that will be trusted by Application Control. Application Control allows running applications signed by certificates from this list.
The following information is displayed for each certificate:
- certificate serial number
- certificate subject
- certificate issuer
- certificate start date
- certificate expiration date
- SHA256 certificate fingerprint
By default, the certificate list is empty.
You can add and remove certificates.
Adding a trusted certificate window
In this window, you can add a certificate to the list of trusted certificates.
The Add certificate link opens the standard file selection window. Indicate the path to the file that contains the certificate, in DER or PEM format.
After the certificate file is selected, the window displays certificate information and the file path.
Configuring Application Control in the Administration Console
In the Administration Console, you can configure Application Control settings in the policy properties (Security Controls → Application Control).
Application Control component settings
Setting | Description |
---|---|
Enable Application Control | The check box enables the Application Control component. This check box is cleared by default. |
Action on application startup attempt | The action that Kaspersky Embedded Systems Security performs upon detecting an attempt to start an application that matches the configured rules: |
Application Control mode | Application Control task operation mode: |
Trust applications signed by a trusted certificate | This check box enables or disables the use of the trusted certificate list by Application Control. When the check box is selected, Application Control in allowlist mode does not block applications that are signed with trusted certificates. This check box is available if the Application Control setting is set to Allowlist. The Configure button opens a window in which you can configure the list of trusted certificates for Application Control. |
Application Control rules | This group of settings contains the Configure button. Clicking this button opens the Application Control rules window. |
Applying rules | In the drop-down list, you can select how rules are added: |
Application Control rules window
The Application Control rules table contains the rules used by the Application Control component. The Application Control rules table is empty by default.
Application Control rules settings
Setting | Description |
---|---|
Category name | The name of the application category that is used by the rule. |
Status | Operation status of the Application Control rule: You can change the rule status in the Add new rule window. |
You can add, modify and remove Application Control rules.
Adding rule window
In this window, you can configure the settings for the Application Control rule.
Adding the Application Control rule
Setting | Description |
---|---|
Description | Description of the Application Control rule. |
Rule status | In the drop-down list, you can select the status of the Application Control rule: |
Category | The group of settings contains the Configure button. Clicking this button opens the Application categories window. |
Users and their rights | The table contains a list of users or user groups to which the Application Control rule applies, and the types of access assigned to them, and consists of the following columns: |
Application categories window
In this window, you can add a new category or configure the category settings for an Application Control rule.
Kaspersky Embedded Systems Security does not support use of the KL categories of Kaspersky Security Center.
Application Control categories
Setting | Description |
---|---|
Category name | List of the added Application Control categories. |
Add | Clicking the button starts the category creation wizard. Follow the instructions of the Wizard. For details about creating a category, refer to the Kaspersky Security Center Help. |
Edit | Clicking this button opens the category properties window, where you can change the category settings. The Golden Image (local) category cannot be edited. |
User or group window
In this window, you can specify a local or domain user or user group for which you want to configure a rule.
Adding the Application Control rule
Setting | Description |
---|---|
Type | The User or Group to which the Application Control rule applies. |
User or group name | Name of the user or user group to which the Application Control rule applies. |
Access | Access type: Allow launching the applications or Block launching the applications. |
Trusted certificates of Application Control window
You can configure a list of certificates that will be trusted by Application Control. Application Control allows running applications signed by certificates from this list.
The following information is displayed for each certificate:
- certificate subject
- certificate serial number
- certificate issuer
- certificate start date
- certificate expiration date
- SHA256 certificate fingerprint
By default, the certificate list is empty.
You can add and remove certificates.
Adding certificate window
In this window, you can add a certificate to the trusted certificate list in one of the following ways:
- Indicate the path to the certificate file. The Browse button opens the standard file selection window. Indicate the path to the file that contains the certificate, in DER or PEM format.
- Copy the contents of the certificate file to the Enter certificate details field.
Configuring Application Control in the command line
In the command line, you can manage Application Control by using the Application Control predefined task (Application_Control).
By default, the Application Control task does not run. You can start and stop the task manually.
You can configure Application Control on a device by editing the settings of the Application Control predefined task.
If you change the list of allowed applications or prohibit the launch of all applications or applications affecting Kaspersky Embedded Systems Security's operation, then when modifying the task settings using the configuration file or using command line options, run the kess-control --set-settings command with the --accept flag.
You can also configure Application Control using Application Control commands:
- Create and edit lists of categories.
- View the list of categories created in the application.
- Configure the list of application control rules.
- Configure the list of certificates trusted by Application Control.
Application Control task settings
The table describes all available values and the default values of all the settings that you can specify for the Application Control task.
Application Control task settings
| Setting | Description | Values |
|---|---|---|
| | Application Control task operation mode. | |
| | Enable trusted certificates for Application Control. | You can configure the list of trusted certificates for Application Control using application commands. |
| | The action that Kaspersky Embedded Systems Security performs upon detecting an attempt to start an application that matches the configured rules. | |
| The [Categories.item_#] section contains the following settings: | | |
| | Name of the application category to which the rule applies. | |
| | Usage of inclusive conditions to trigger the rule. | |
| | Name of the executable file that triggers the rule. | You can use masks to specify the file name. |
| | Name of the directory with the application's executable file that triggers the rule. | You can use masks to specify the directory name. |
| | SHA256 hash of the executable file that triggers the rule. | Only SHA256 can be used. |
| | Usage of excluding conditions to trigger the rule. | |
| | Name of the executable file that triggers the rule. | You can use masks to specify the file name. |
| | Name of the directory with the application's executable file that triggers the rule. | You can use masks to specify the directory name. |
| | SHA256 hash of the executable file that triggers the rule. | Only SHA256 can be used. |
| The [AllowListRules.item_#] section contains a list of Application Control rules for the AllowList operation mode. Each [AllowListRules.item_#] section contains the following settings: | | |
| | Description of the Application Control rule. | |
| | Operation status of the Application Control rule: | |
| | Name of the application category for which the rule applies. You can specify the "Golden Image" category. | |
| The [AllowListRules.item_#.ACL.item_#] section contains a list of users who are allowed or denied to run applications. | | |
| | Access type assigned to a user or user group. | |
| | User or user group to which the Application Control rule applies. | |
| The [DenyListRules.item_#] section contains a list of Application Control rules for the DenyList operation mode. Each [DenyListRules.item_#] section contains the following settings: | | |
| | Description of the Application Control rule. | |
| | Operation status of the Application Control rule: | |
| | Name of the created application category to which the rule applies. You can specify the "Golden Image" list of applications as a category. | |
| The [DenyListRules.item_#.ACL.item_#] section contains a list of users who are allowed or denied to run applications. | | |
| | Access type assigned to a user or user group. | |
| | User or user group to which the Application Control rule applies. | |
Creating and editing a list of categories
You can create a new category in two ways:
- Using the "kess-control --set-settings" command and the Application Control task settings configuration file (Application_Control)
- Using the "kess-control --set-categories" command and the category settings configuration file
To create application categories, run the following command:
kess-control --set-categories --file <path to configuration file>
where:
--file <path to configuration file>
– path to the configuration file with the category settings.
The file with category settings must have the following structure:
[
  {
    "Exclude" : [ "(FilePath like <full path to the executable file>)", "(FileHash == <executable file hash>)" ],
    "GUID" : "<unique category ID>",
    "Include" : [ "(FilePath like <full path to executable file>)", "(FileHash == <executable file hash>)" ],
    "Name" : "<name of category 1>"
  },
  {
    "Exclude" : [ "(FilePath like <full path to the executable file>)", "(FileHash == <executable file hash>)" ],
    "GUID" : "<unique category ID>",
    "Include" : [ "(FilePath like <full path to executable file>)", "(FileHash == <executable file hash>)" ],
    "Name" : "<name of category 2>"
  }
]
To specify the file name in the Exclude and Include fields, you can use masks.
The Name setting is required. If you do not specify the name of the category, it will not be created or will be deleted. The GUID setting is also required. If you do not specify it, an error message is displayed and the category is not created. The GUID setting must be specified without hyphens.
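A category file in the structure above can be generated and checked before it is passed to kess-control --set-categories. The following script is an added example, not part of the product: the function names are hypothetical, the condition strings follow the page's template literally (any quoting the product may expect around values is not stated here), and a 32-character hexadecimal GUID is assumed to be acceptable.

```python
import hashlib
import json
import re
import sys
import uuid

HASH_RE = re.compile(r"^\(FileHash == ([^)]*)\)$")
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_file(path):
    """SHA256 of a file, read in chunks (the only hash type the rules accept)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def build_category(name, path_masks=(), hash_files=(), exclude_masks=()):
    """Return one category object with the four keys shown in the structure above."""
    include = [f"(FilePath like {mask})" for mask in path_masks]
    include += [f"(FileHash == {sha256_file(p)})" for p in hash_files]
    return {
        "Exclude": [f"(FilePath like {mask})" for mask in exclude_masks],
        "GUID": uuid.uuid4().hex,  # assumption: 32 hex characters, no hyphens
        "Include": include,
        "Name": name,
    }


def validate_categories(categories):
    """Return the problems that, per the text above, stop a category being created."""
    errors = []
    for i, cat in enumerate(categories):
        if not cat.get("Name"):
            errors.append(f"item {i}: Name is required")
        guid = cat.get("GUID")
        if not guid:
            errors.append(f"item {i}: GUID is required")
        elif "-" in guid:
            errors.append(f"item {i}: GUID must not contain hyphens")
        for cond in cat.get("Include", []) + cat.get("Exclude", []):
            match = HASH_RE.match(cond)
            if match and not SHA256_RE.match(match.group(1)):
                errors.append(f"item {i}: not a SHA256 digest: {cond}")
    return errors


def write_category_file(categories, out_path):
    """Write the JSON file only if every category passes validation."""
    errors = validate_categories(categories)
    if errors:
        raise ValueError("; ".join(errors))
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(categories, fh, indent=2)


if __name__ == "__main__":
    # usage: make_categories.py <out.json> <category name> <file> [<file> ...]
    out, name, files = sys.argv[1], sys.argv[2], sys.argv[3:]
    write_category_file([build_category(name, hash_files=files)], out)
    print(f"wrote {out}; load it with: kess-control --set-categories --file {out}")
```

Hash conditions pin an exact binary, so the file has to be regenerated after every update of the hashed executables.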
To edit the list of created application categories, run the following command:
kess-control --set-categories [--names <name of category 1> <name of category 2> ... <name of category N>] --file <path to configuration file>
where:
<name of category 1> <name of category 2> ... <name of category N>
– names of the categories whose information you want to change. If you want to change information about several categories, specify the names of the categories, separated by a space. If you do not specify a category name, existing categories are deleted and new categories are created from the specified file.
--file <path to configuration file>
– path to the configuration file with the category settings.
Viewing the list of created categories
In the command line, you can view the list of created application categories using the Application Control administration command.
The list of created categories contains the following categories:
- Categories created in Kaspersky Security Center.
- Categories added in the Application Control task settings using the command line.
- The "GoldenImage" category created using the Inventory task (in Kaspersky Security Center or using the command line).
To view the list of all created application categories, run the following command:
kess-control --get-categories [--file <path to configuration file>] [--json]
where:
--file <path to configuration file>
– full path to the JSON configuration file to which the settings will be output.
--json
is specified to output the settings in JSON format. If the --json option is omitted, the settings are output in the INI format.
Kaspersky Embedded Systems Security displays the following information about each application category:
- Unique identifier (GUID) of the category
- Category name
- List of inclusive conditions to trigger the rule
- List of exclusive conditions to trigger the rule
To view the list of created application categories, execute the following command:
kess-control --get-categories [--names <name of category 1> <name of category 2> ... <name of category N>] [--file <path to configuration file>] [--json]
where:
<name of category 1> <name of category 2> ... <name of category N>
– names of the categories whose information you want to view. If you want to view information about several categories, specify the names of the categories, separated by a space.
--file <path to configuration file>
– full path to the JSON configuration file to which the category list will be exported.
--json
is specified to output the settings in JSON format. If the --json option is omitted, the settings are output in the INI format.
If in the Application Control task settings, in the [Categories.item_#] section for inclusive or exclusive conditions for triggering a rule, you specify symbolic links to an application file or directory with executable files, then when viewing the list of categories for these conditions, the source path to which the symbolic link points is displayed.
Configuring the Application Control rule list
To view the list of Application Control rules, run the following command:
kess-control --get-settings 21 [--file <path to configuration file>] [--json]
where:
--file <path to configuration file>
– full path to the configuration file to which the settings will be exported.
--json
– output data in JSON format.
Kaspersky Embedded Systems Security displays the following information about Application Control rules:
- Application Control task operation mode
- Action that Application Control takes upon detecting an attempt to launch an application that matches the configured rule
- Description of the Application Control rule (if any)
- Operation status of the Application Control rule
- Name of the application category the rule applies to
- Access type assigned to a user or user group
- User or user group to which the Application Control rule applies
To edit the list of application categories and Application Control rules, run the following command:
kess-control --set-settings 21 [--file <path to configuration file>] [--json]
where:
--file <path to configuration file>
– full path to the configuration file from which the settings will be imported.
--json
– import data from a JSON file.
To delete the list of application categories and Application Control rules, run the following command:
kess-control --set-settings 21 --set-to-default
Managing the list of trusted certificates of Application Control
To add a certificate to the trusted certificate list for Application Control, run the following command:
kess-control --add-app-control-trust-certificates <path to certificate>
where:
<path to certificate>
is the path to the certificate file that you want to add (PEM or DER format).
To remove a certificate from Application Control's trusted certificate list, run the following command:
kess-control --remove-app-control-trust-certificates <certificate serial number>
To view Application Control's list of trusted certificates, run the following command:
kess-control --query-app-control-trust-certificates
The following information is displayed for each certificate:
- certificate subject
- serial number
- certificate issuer
- certificate start date
- certificate expiration date
- SHA256 certificate fingerprint