Kaspersky Security Center Cloud Console

Using Application Control to manage executable files

You can use the Application Control component to allow or block startup of executable files on user devices. The Application Control component supports Windows-based and Linux-based operating systems.

For Linux-based operating systems, the Application Control component is available starting from Kaspersky Endpoint Security 11.2 for Linux.

Prerequisites

  • Kaspersky Security Center Cloud Console is deployed in your organization.
  • The policy of Kaspersky Endpoint Security for Windows or Kaspersky Endpoint Security for Linux is created and is active.

Stages

The Application Control usage scenario proceeds in stages:

  1. Forming and viewing the list of executable files on client devices

    This stage helps you find out which executable files are present on managed devices. View the list of executable files and compare it with the lists of allowed and prohibited executable files. Restrictions on the use of executable files can be derived from the information security policies of your organization.

    How-to instructions: Obtaining and viewing a list of executable files installed on client devices

  2. Creating categories for the executable files used in your organization

    Analyze the lists of executable files stored on managed devices. Based on the analysis, create categories for executable files. It is recommended to create a "Work applications" category that covers the standard set of executable files that are used at your organization. If different security groups use their own sets of executable files in their work, a separate category can be created for each security group.

    How-to instructions: Creating application category with content added manually, Creating application category that includes executable files from selected devices

  3. Configuring Application Control in the Kaspersky Endpoint Security for Windows policy

    Configure the Application Control component in the Kaspersky Endpoint Security for Windows policy using the categories you created at the previous stage.

    How-to instructions: Configuring Application Control in the Kaspersky Endpoint Security for Windows policy

  4. Turning on Application Control component in test mode

    To ensure that Application Control rules do not block executable files required for users' work, it is recommended to enable testing of Application Control rules and analyze their operation after creating new rules. When testing is enabled, Kaspersky Endpoint Security for Windows does not block executable files whose startup is forbidden by Application Control rules, but instead sends notifications about their startup to the Administration Server.

    When testing Application Control rules, it is recommended to perform the following actions:

    • Determine the testing period. The testing period can vary from several days to two months.
    • Examine the events resulting from testing the operation of Application Control.

    How-to instructions: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow these instructions and enable test mode during configuration.

  5. Changing the category settings of the Application Control component

    If necessary, make changes to the Application Control settings. Based on the test results, you can add executable files related to events of the Application Control component to an application category with content added manually.

    How-to instructions: Adding event-related executable files to the application category

  6. Applying the rules of Application Control in operation mode

    After Application Control rules are tested and configuration of categories is complete, you can apply the rules of Application Control in operation mode.

    How-to instructions: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow these instructions and disable test mode during configuration.

  7. Verifying Application Control configuration

    Make sure of the following:

    • The list of categories for executable files is not empty. View the list of categories and make sure it contains the categories you have configured.
    • Application Control is configured using created categories for executable files. View the settings of the Kaspersky Endpoint Security for Windows policy and make sure you have configured Application Control in the Application settings → Security Controls → Application Control.
    • The rules of Application Control are applied in operation mode. Check the mode in the Kaspersky Endpoint Security for Windows policy and make sure you have disabled the Test mode in the Application settings → Security Controls → Application Control.

Results

When the scenario is complete, startup of executable files on managed devices is controlled. The users can run only those executable files that are allowed in your organization and cannot run executable files that are prohibited in your organization.



Application Control modes and categories

The Application Control component monitors users' attempts to start executable files. You can use Application Control rules to control the startup of executable files.

The Application Control component is available for Kaspersky Endpoint Security for Windows and for Kaspersky Endpoint Security for Linux (version 11.2 and later). All the instructions in this section describe configuration of Application Control for Kaspersky Endpoint Security.

Startup of executable files whose settings do not match any of the Application Control rules is regulated by the selected operating mode of the component:

  • Denylist. The mode is used if you want to allow the startup of all executable files except those specified in block rules. Denylist mode is selected by default.
  • Allowlist. The mode is used if you want to block the startup of all executable files except those specified in allow rules.

The Application Control rules are implemented through categories for executable files. In Kaspersky Security Center Cloud Console there are two types of categories:


See also:

Using Application Control to manage executable files


Obtaining and viewing a list of applications installed on client devices

Kaspersky Security Center Cloud Console inventories all software installed on managed client devices running Linux and Windows.

Network Agent compiles a list of applications installed on a device, and then transmits this list to Administration Server. It takes about 10-15 minutes for the Network Agent to update the application list.

For Windows-based client devices, Network Agent receives most of the information about installed applications from the Windows registry. For Linux-based client devices, package managers provide information about installed applications to Network Agent.

To view the list of applications installed on managed devices:

  1. In the main menu, go to Operations → Third-party applications → Applications registry.

    The page displays a table with the applications that are installed on managed devices. Select the application to view its properties, for example, vendor name, version number, list of executable files, list of devices on which the application is installed, list of available software updates, and list of detected software vulnerabilities.

  2. You can group and filter the data of the table with installed applications as follows:
    • Click the settings icon in the upper-right corner of the table.

      In the invoked Columns settings menu, select the columns to be displayed in the table. To view the operating system type of the client devices on which the application is installed, select the Operating system type column.

    • Click the filter icon in the upper-right corner of the table, and then specify and apply the filter criterion in the invoked menu.

      The filtered table of installed applications is displayed.

To view the list of applications installed on a specific managed device,

In the main menu, go to Devices → Managed devices → <device name> → Advanced → Applications registry. In this menu, you can export the list of applications to a CSV file or TXT file.


See also:

Using Application Control to manage executable files


Obtaining and viewing a list of executable files installed on client devices

You can obtain the list of executable files stored on client devices in one of the following ways:

  • Enabling notifications about application startup in the Kaspersky Endpoint Security policy.
  • Creating an inventory task.

Enabling notifications about application startup in the Kaspersky Endpoint Security policy

To enable notifications about application startup:

  1. Open the Kaspersky Endpoint Security policy settings, and then go to General settings → Reports and Storage.
  2. In the Data transfer to Administration Server settings group, select the About started applications check box, and save the changes.

When a user attempts to start executable files, information about these files is added to the list of executable files on a client device. Kaspersky Endpoint Security sends this information to Network Agent, and then Network Agent sends it to Administration Server.

Creating an inventory task

The feature of inventorying executable files is available for the following applications:

  • Kaspersky Endpoint Security for Windows
  • Kaspersky Endpoint Security for Linux (version 11.2 and later)

To reduce the load on the database while obtaining information about installed applications, we recommend that you run the inventory task on reference devices on which a standard set of software is installed. The preferable number of such devices is 1-3.

We strongly recommend against running the inventory task when you use any of the following databases: MySQL, PostgreSQL, SQL Server Express Edition, MariaDB (all editions).

To create an inventory task for executable files on client devices:

  1. In the main menu, go to Assets (Devices) → Tasks.

    The list of tasks is displayed.

  2. Click the Add button.

    The New task wizard starts. Follow the steps of the wizard.

  3. On the New task settings page, in the Application drop-down list, select Kaspersky Endpoint Security for Windows or Kaspersky Endpoint Security for Linux, depending on the operating system type of the client devices.
  4. In the Task type drop-down list, select Inventory.
  5. On the Finish task creation page, click the Finish button.

After the New task wizard is complete, the Inventory task is created and configured. If you want, you can change the settings for the created task. The newly created task is displayed in the list of tasks.


After the Inventory task is performed, the list of executable files installed on managed devices is formed and you can view the list.

During inventory, the following formats of executable files can be detected (depending on the option that you select in the inventory task properties): MZ, COM, PE, NE, SYS, CMD, BAT, PS1, JS, VBS, REG, MSI, CPL, DLL, JAR, and HTML.
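As an added illustration (not Kaspersky's inventory code), the following script shows how the formats listed above can be told apart during an inventory pass: MZ, PE and NE by the MZ header and the `e_lfanew` pointer, MSI and JAR by their container signatures, and the script formats by extension. The sample files are constructed in the script and contain only headers.

```python
import struct
from pathlib import PureWindowsPath
from typing import Optional

# Added illustration; the byte-level checks are the standard file signatures,
# not anything product-specific.

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # MSI packages are OLE compound files
ZIP_MAGIC = b"PK\x03\x04"                        # JAR files are ZIP archives

# Script and data formats carry no reliable header, so the extension decides.
SCRIPT_TYPES = {".cmd": "CMD", ".bat": "BAT", ".ps1": "PS1", ".js": "JS",
                ".vbs": "VBS", ".reg": "REG", ".html": "HTML", ".htm": "HTML"}
# DLL, SYS and CPL are PE images; only the extension tells them apart.
PE_BY_EXTENSION = {".dll": "DLL", ".sys": "SYS", ".cpl": "CPL"}


def detect_format(name: str, data: bytes) -> Optional[str]:
    """Return one of the format names from the list above, or None if not an executable."""
    ext = PureWindowsPath(name).suffix.lower()
    if data[:2] == b"MZ":
        # e_lfanew (offset 0x3C) points at the new-style header, if there is one.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            sig = data[e_lfanew:e_lfanew + 4]
            if sig == b"PE\x00\x00":
                return PE_BY_EXTENSION.get(ext, "PE")
            if sig[:2] == b"NE":
                return "NE"               # 16-bit Windows executable
        return "MZ"                       # plain DOS executable
    if data[:8] == OLE_MAGIC and ext == ".msi":
        return "MSI"
    if data[:4] == ZIP_MAGIC and ext == ".jar":
        return "JAR"
    if ext == ".com":
        return "COM"                      # COM files have no header at all
    return SCRIPT_TYPES.get(ext)


def make_mz(new_header: Optional[bytes]) -> bytes:
    """Construct a minimal MZ image; with new_header set, link it in at offset 0x40."""
    img = bytearray(b"MZ" + b"\x00" * 0x3E)
    if new_header is not None:
        struct.pack_into("<I", img, 0x3C, 0x40)
        img += new_header.ljust(4, b"\x00") + b"\x00" * 16
    return bytes(img)


def inventory(files: dict) -> dict:
    """Map file name -> detected format, skipping files that are not executables."""
    found = {}
    for name, data in files.items():
        fmt = detect_format(name, data)
        if fmt is not None:
            found[name] = fmt
    return found


# Constructed sample set (headers only, not real programs).
SAMPLE_FILES = {
    "app.exe": make_mz(b"PE\x00\x00"),
    "helper.dll": make_mz(b"PE\x00\x00"),
    "legacy.exe": make_mz(b"NE"),
    "dos.exe": make_mz(None),
    "setup.msi": OLE_MAGIC + b"\x00" * 16,
    "lib.jar": ZIP_MAGIC + b"\x00" * 16,
    "login.bat": b"@echo off\r\n",
    "deploy.ps1": b"Write-Host ok\r\n",
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, fmt in inventory(SAMPLE_FILES).items():
        print(f"{name}: {fmt}")
```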

Viewing the list of executable files stored on managed devices

To view the list of executable files stored on client devices,

In the main menu, go to Operations → Third-party applications → Executable files.

The page displays the list of executable files installed on client devices.

If necessary, you can send an executable file from a managed device to the device on which your Kaspersky Security Center Cloud Console is open.

To send an executable file:

  1. In the main menu, go to Operations → Third-party applications → Executable files.
  2. Click the link of the executable file that you want to send.
  3. In the window that opens, go to the Devices section, and then select the check box of the managed device from which you want to send the executable file.

    Before you send the executable file, make sure that the managed device has a direct connection to the Administration Server, by selecting the Do not disconnect from the Administration Server check box. The maximum total number of devices with the Do not disconnect from the Administration Server option selected is 300.

  4. Click the Send button.

The selected executable file is downloaded for further sending to the device on which your Kaspersky Security Center Cloud Console is open.

See also:

Using Application Control to manage executable files


Creating application category with content added manually


You can specify a set of criteria as a template for the executable files whose startup you want to allow or block in your organization. Based on the executable files that match the criteria, you can create an application category and use it in the Application Control component configuration.

To create an application category with content added manually:

  1. In the main menu, go to Operations → Third-party applications → Application categories.

    The page with a list of application categories is displayed.

  2. Click the Add button.

    The New category wizard starts. Proceed through the wizard by using the Next button.

  3. On the Select category creation method step, select the Category with content added manually. Data of executable files is manually added to the category option.
  4. On the Conditions step, click the Add button to add a condition criterion that includes files in the category that is being created.
  5. On the Condition criteria step, select a rule type for the creation of category from the list:
    • From KL category

      If this option is selected, you can specify a Kaspersky application category as the condition of adding applications to the user category. The applications from the specified Kaspersky category will be added to the user application category.

    • Select certificate from repository

      If this option is selected, you can specify certificates from the storage. Executable files that have been signed in accordance with the specified certificates will be added to the user category.

    • Specify path to application (masks supported)

      If this option is selected, you can specify the path to the file or folder on the client device that contains the executable files to be added to the user application category. You can use masks such as C:\path_to_exe\*, for example: C:\Program Files\Internet Explorer\*.

    • Removable drive

      If this option is selected, you can specify the type of the medium (any drive or removable drive) on which the application is run. Applications that have been run on the selected drive type are added to the user application category.

    • Hash, metadata, or certificate:
      • Select from list of executable files

        If this option is selected, you can use the list of executable files on the client device to select and add applications to the category.

      • Select from applications registry

        If this option is selected, the applications registry is displayed. You can select an application from the registry and specify the following file metadata:

        • File name.
        • File version. You can specify a precise version value or describe a condition, for example "greater than 5.0".
        • Application name.
        • Application version. You can specify a precise version value or describe a condition, for example "greater than 5.0".
        • Vendor.
      • Specify manually

        If this option is selected, you must specify a file hash, metadata, or a certificate as the condition for adding applications to the user category.

        File Hash

        Depending on the version of the security application installed on devices on your network, you must select an algorithm for hash value computing by Kaspersky Security Center Cloud Console for files in this category. Information about computed hash values is stored in the Administration Server database. Storage of hash values does not increase the database size significantly.

        SHA256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security 10 Service Pack 2 for Windows and later versions support SHA256 computing. Computing of the MD5 hash function is supported by all versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows.

        Select one of the following options for hash value computing by Kaspersky Security Center Cloud Console for files in the category:

        • If all instances of security applications installed on your network are Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions, select the SHA256 check box. We do not recommend that you add any categories created according to the criterion of the SHA256 hash of an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows. This may result in failures in the security application operation. In this case, you can use the MD5 cryptographic hash function for files of the category.
        • If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are installed on your network, select the MD5 hash. You cannot add a category that was created based on the criterion of the MD5 checksum of an executable file for Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA256 cryptographic hash function for files of the category.
        • If different devices on your network use both earlier and later versions of Kaspersky Endpoint Security 10, select both the SHA256 check box and the MD5 hash check box.

        Metadata

        If this option is selected, you can specify file metadata such as file name, file version, and vendor. The metadata is sent to Administration Server. Executable files that contain the same metadata are added to the application category.

        Certificate

        If this option is selected, you can specify certificates from the storage. Executable files that have been signed in accordance with the specified certificates will be added to the user category.

      • From file or from MSI package/archived folder

        If this option is selected, you can specify an MSI installer file as the condition of adding applications to the user category. The application installer metadata will be sent to Administration Server. The applications for which the installer metadata is the same as for the specified MSI installer are added to the user application category.

    The selected criterion is added to the list of conditions.

    You can add as many criteria for the category that is being created as you need.

  6. On the Exclusions step, click the Add button to add an exclusion criterion that excludes files from the category that is being created.
  7. On the Condition criteria step, select a rule type from the list, in the same way that you selected a rule type for category creation.

When the wizard finishes, the application category is created. It is displayed in the list of application categories. You can use the created application category when you configure Application Control.
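To make the pieces concrete, the following model (an added example, not Kaspersky code) puts together a category built from the conditions and exclusions described above, allow/block rules with subjects, the Denylist and Allowlist modes from the "Application Control modes and categories" topic, and test mode. The files, the signer name "CN=Example Vendor" and the precedence of a block rule over an allow rule are assumptions for the example.

```python
import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the concepts on this page; it does not claim to
# reproduce the product's exact matching semantics.


@dataclass
class ExecutableFile:
    path: str
    data: bytes                    # file contents (constructed sample bytes below)
    signer: Optional[str] = None   # subject of the signing certificate, None if unsigned
    vendor: str = ""

    @property
    def file_name(self) -> str:
        return self.path.replace("\\", "/").rsplit("/", 1)[-1]

    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()

    def md5(self) -> str:          # only for fleets that still need MD5 categories
        return hashlib.md5(self.data).hexdigest()


def condition_matches(cond: dict, f: ExecutableFile) -> bool:
    """One wizard condition: {"type": ..., "value": ...}."""
    kind, value = cond["type"], cond["value"]
    if kind == "sha256":
        return f.sha256() == value.lower()
    if kind == "md5":
        return f.md5() == value.lower()
    if kind == "path":
        # Path masks such as C:\Program Files\Internet Explorer\*; Windows paths
        # are case-insensitive, so both sides are lower-cased first.
        return fnmatch.fnmatchcase(f.path.lower(), value.lower())
    if kind == "certificate":
        return f.signer is not None and f.signer == value
    if kind == "metadata":
        # value maps attribute -> expected value, e.g. {"vendor": "Example Vendor"}
        return all(getattr(f, attr) == expected for attr, expected in value.items())
    raise ValueError(f"unknown condition type: {kind}")


@dataclass
class Category:
    name: str
    includes: list                                  # Conditions step
    excludes: list = field(default_factory=list)    # Exclusions step

    def contains(self, f: ExecutableFile) -> bool:
        included = any(condition_matches(c, f) for c in self.includes)
        excluded = any(condition_matches(c, f) for c in self.excludes)
        return included and not excluded


@dataclass
class Rule:
    category: Category
    action: str       # "allow" or "block"
    subjects: set     # users or groups the rule applies to


@dataclass
class Policy:
    mode: str                  # "denylist" or "allowlist"
    rules: list
    test_mode: bool = False
    events: list = field(default_factory=list)

    def evaluate(self, f: ExecutableFile, user: str) -> str:
        """Decide one startup attempt and record the event named on this page."""
        hits = [r for r in self.rules if user in r.subjects and r.category.contains(f)]
        if any(r.action == "block" for r in hits):
            decision = "block"          # assumption: a matching block rule wins
        elif hits:
            decision = "allow"
        else:
            decision = "allow" if self.mode == "denylist" else "block"  # mode decides
        if decision == "block":
            if self.test_mode:          # test mode reports instead of blocking
                self.events.append(("Info", "Application startup prohibited in test mode", f.path))
                return "allow"
            self.events.append(("Critical", "Application startup prohibited", f.path))
        return decision


# Constructed sample files; the byte contents are placeholders, not real binaries.
IE = ExecutableFile(r"C:\Program Files\Internet Explorer\iexplore.exe", b"ie-sample",
                    signer="CN=Example Vendor", vendor="Example Vendor")
UPDATER = ExecutableFile(r"C:\Program Files\Internet Explorer\ieupdate.exe", b"upd-sample",
                         signer="CN=Example Vendor", vendor="Example Vendor")
TOOL = ExecutableFile(r"C:\Users\alice\Downloads\tool.exe", b"tool-sample")

WORK_APPS = Category("Work applications",
                     includes=[{"type": "path", "value": r"C:\Program Files\Internet Explorer\*"},
                               {"type": "certificate", "value": "CN=Example Vendor"}],
                     excludes=[{"type": "sha256", "value": UPDATER.sha256()}])
PROHIBITED = Category("Prohibited", includes=[{"type": "sha256", "value": TOOL.sha256()}])


def run_policy(mode: str, test_mode: bool) -> dict:
    """Evaluate the three sample files for user alice under the given mode."""
    policy = Policy(mode, [Rule(WORK_APPS, "allow", {"alice"}),
                           Rule(PROHIBITED, "block", {"alice"})], test_mode)
    decisions = {f.file_name: policy.evaluate(f, "alice") for f in (IE, UPDATER, TOOL)}
    return {"decisions": decisions, "events": policy.events}
```

Run `run_policy("allowlist", True)` and compare it with `run_policy("allowlist", False)` to see why the page recommends a test period: the excluded updater is reported as an Info event in test mode but blocked with a Critical event once operation mode is enabled.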


See also:

Using Application Control to manage executable files


Creating application category that includes executable files from selected devices


You can use executable files from selected devices as a template of executable files that you want to allow or block. Based on executable files from selected devices, you can create a category and use it in the Application Control component configuration.

To create a category that includes executable files from selected devices:

  1. In the main menu, go to Operations → Third-party applications → Application categories.

    The page with a list of categories for executable files is displayed.

  2. Click the Add button.

    The New category wizard starts. Proceed through the wizard by using the Next button.

  3. On the Select category creation method step, specify the category name and select the Category that includes executable files from selected devices. These executable files are processed automatically and their metrics are added to the category option.
  4. Click Add.
  5. In the window that opens, select a device or devices whose executable files will be used to create the category.
  6. Specify the following settings:
    • Hash value computing algorithm

      Depending on the version of the security application installed on devices on your network, you must select an algorithm for hash value computing by Kaspersky Security Center Cloud Console for files in this category. Information about computed hash values is stored in the Administration Server database. Storage of hash values does not increase the database size significantly.

      SHA256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security 10 Service Pack 2 for Windows and later versions support SHA256 computing. Computing of the MD5 hash function is supported by all versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows.

      Select one of the following options for hash value computing by Kaspersky Security Center Cloud Console for files in the category:

      • If all instances of security applications installed on your network are Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions, select the SHA256 check box. We do not recommend that you add any categories created according to the criterion of the SHA256 hash of an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows. This may result in failures in the security application operation. In this case, you can use the MD5 cryptographic hash function for files of the category.
      • If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are installed on your network, select the MD5 hash. You cannot add a category that was created based on the criterion of the MD5 checksum of an executable file for Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA256 cryptographic hash function for files of the category.

      If different devices on your network use both earlier and later versions of Kaspersky Endpoint Security 10, select both the SHA256 check box and the MD5 hash check box.

      The Calculate SHA256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and any later versions) check box is selected by default.

      The Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows) check box is cleared by default.

    • Synchronize data with Administration Server repository

      Select this option if you want Administration Server to periodically check for changes in the specified folder (or folders).

      By default, this option is disabled.

      If you enable this option, specify the period (in hours) for checking for changes in the specified folder (or folders). By default, the scan interval is 24 hours.

    • File type

      In this section, you can specify the file type that is used to create the application category.

      All files. All files are taken into consideration when creating the category. By default, this option is selected.

      Only files outside the application categories. Only files outside the application categories are taken into consideration when creating the category.

    • Folders

      In this section you can specify which folders from the selected device (devices) contain files that are used to create the application category.

      All folders. All folders are taken into consideration for the category that is being created. By default, this option is selected.

      Specified folder. Only the specified folder is taken into consideration for the category that is being created. If you select this option, you must specify the path to the folder.

When the wizard finishes, the category for executable files is created. It is displayed in the list of categories. You can use the created category when you configure Application Control.

See also:

Using Application Control to manage executable files


Viewing the list of application categories

You can view the list of configured application categories and the settings of each application category.

To view the list of application categories,

In the main menu, go to Operations → Third-party applications → Application categories.

The page with a list of application categories is displayed.

To view properties of an application category,

Click the name of the application category.

The properties window of the application category is displayed. The properties are grouped on several tabs.

See also:

Using Application Control to manage executable files


Configuring Application Control in the Kaspersky Endpoint Security for Windows policy

After you create Application Control categories, you can use them for configuring Application Control in Kaspersky Endpoint Security for Windows policies.

To configure Application Control in the Kaspersky Endpoint Security for Windows policy:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.

    A page with a list of policies is displayed.

  2. Click Kaspersky Endpoint Security for Windows policy.

    The policy settings window opens.

  3. Go to Application settings → Security Controls → Application Control.

    The Application Control window with Application Control settings is displayed.

  4. The Application Control option is enabled by default. To disable it, switch the Application Control toggle button to DISABLED.
  5. In the Application Control Settings block, enable operation mode to apply the Application Control rules and allow Kaspersky Endpoint Security for Windows to block startup of applications.

    If you want to test the Application Control rules, in the Application Control Settings section, enable test mode. In test mode, Kaspersky Endpoint Security for Windows does not block startup of applications, but logs information about triggered rules in the report. Click the View report link to view this information.

  6. Enable the Control DLL modules load option if you want Kaspersky Endpoint Security for Windows to monitor the loading of DLL modules when applications are started by users.

    Information about the module and the application that loaded the module will be saved to a report.

    Kaspersky Endpoint Security for Windows monitors only the DLL modules and drivers loaded after the Control DLL modules load option is selected. Restart the computer after selecting the Control DLL modules load option if you want Kaspersky Endpoint Security for Windows to monitor all DLL modules and drivers, including those loaded before Kaspersky Endpoint Security for Windows is started.

  7. (Optional) In the Message templates block, change the template of the message that is displayed when an application is blocked from starting and the template of the email message that is sent to you.
  8. In the Application Control Mode block, select the Denylist or Allowlist mode.

    By default, the Denylist mode is selected.

  9. Click the Rules Lists Settings link.

    The Denylists and allowlists window opens to let you add an application category. By default, the Denylist tab is selected if the Denylist mode is selected, and the Allowlist tab is selected if the Allowlist mode is selected.

  10. In the Denylists and allowlists window, click the Add button.

    The Application Control rule window opens.

  11. Click the Please choose a category link.

    The Application Category window opens.

  12. Add the application category (or categories) that you created earlier.

    You can edit the settings of a created category by clicking the Edit button.

    You can create a new category by clicking the Add button.

    You can delete a category from the list by clicking the Delete button.

  13. After the list of application categories is complete, click the OK button.

    The Application Category window closes.

  14. In the Application Control rule window, in the Subjects and their rights section, create a list of users and groups of users to apply the Application Control rule.
  15. Click the OK button to save the settings and to close the Application Control rule window.
  16. Click the OK button to save the settings and to close the Denylists and allowlists window.
  17. Click the OK button to save the settings and to close the Application Control window.
  18. Close the window with the Kaspersky Endpoint Security for Windows policy settings.

Application Control is configured. After the policy is propagated to the client devices, the startup of executable files is managed.


See also:

Using Application Control to manage executable files


Adding event-related executable files to the application category


After you configure Application Control in the Kaspersky Endpoint Security for Windows policies, the following events will be displayed in the list of events:

  • Application startup prohibited (Critical event). This event is displayed if you have configured Application Control to apply rules.
  • Application startup prohibited in test mode (Info event). This event is displayed if you have configured Application Control to test rules.
  • Message to administrator about application startup prohibition (Warning event). This event is displayed if you have configured Application Control to apply rules and a user has requested access to the application that is blocked at startup.

It is recommended to create event selections to view events related to Application Control operation.

You can add executable files related to Application Control events to an existing application category or to a new application category. You can add executable files only to an application category with content added manually.

To add executable files related to Application Control events to an application category:

  1. In the main menu, go to Monitoring & reporting → Event selections.

    The list of event selections is displayed.

  2. Select the event selection to view events related to Application Control and start this event selection.

    If you have not created an event selection related to Application Control, you can select and start a predefined selection, for example, Recent events.

    The list of events is displayed.

  3. Select the events whose associated executable files you want to add to the application category, and then click the Assign to category button.

    The New category wizard starts. Proceed through the wizard by using the Next button.

  4. On the wizard page, specify the relevant settings:
    • In the Action on executable file related to the event section, select one of the following options:
      • Add to a new application category

        Select this option if you want to create a new application category based on event-related executable files.

        By default, this option is selected.

        If you have selected this option, specify a new category name.

      • Add to an existing application category

        Select this option if you want to add event-related executable files to an existing application category.

        By default, this option is not selected.

        If you have selected this option, select the application category with content added manually to which you want to add executable files.

    • In the Rule type section, select one of the following options:
      • Rules for adding to inclusions
      • Rules for adding to exclusions
    • In the Parameter used as a condition section, select one of the following options:
      • Certificate details (or SHA256 hashes for files without a certificate)

        Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.

        Each file has its own unique SHA256 hash. When you select a SHA256 hash, only the one corresponding file, for example, a specific application version, ends up in the category.

        Select this option if you want to add the certificate details of an executable file (or the SHA256 hash for files without a certificate) to the category rules.

        By default, this option is selected.

      • Certificate details (files without a certificate will be skipped)

        Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.

        Select this option if you want to add the certificate details of an executable file to the category rules. If the executable file has no certificate, this file will be skipped. No information about this file will be added to the category.

      • Only SHA256 (files without a hash will be skipped)

        Each file has its own unique SHA256 hash. When you select a SHA256 hash, only the one corresponding file, for example, a specific application version, ends up in the category.

        Select this option if you want to add only the SHA256 hash of the executable file.

      • Only MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1 version)

        Each file has its own unique MD5 hash. When you select an MD5 hash, only the one corresponding file, for example, a specific application version, ends up in the category.

        Select this option if you want to add only the MD5 hash of the executable file. Computing of the MD5 hash is supported by Kaspersky Endpoint Security 10 Service Pack 1 for Windows and all earlier versions.

  5. Click OK.

When the wizard finishes, executable files related to the Application Control events are added to the existing application category or to a new application category. You can view settings of the application category that you have modified or created.


See also:

Using Application Control to manage executable files
