Kaspersky Endpoint Security 10 for Windows

About Application Startup Control rules

22 December 2022

ID 128030

Kaspersky Endpoint Security controls the startup of applications by users by means of rules. An Application Startup Control rule specifies the triggering conditions and the action performed by Application Startup Control when the rule is triggered (allowing or blocking application startup by users).

Rule-triggering conditions

A rule-triggering condition has the following form: "condition type - condition criterion - condition value" (see the figure below). Based on the rule-triggering conditions, Kaspersky Endpoint Security applies (or does not apply) a rule to an application.


Application Startup Control rule. Rule-triggering condition parameters

Rules use inclusion and exclusion conditions:

  • Inclusion conditions. Kaspersky Endpoint Security applies the rule to the application if the application matches at least one of the inclusion conditions.
  • Exclusion conditions. Kaspersky Endpoint Security does not apply the rule to the application if the application matches at least one of the exclusion conditions and does not match any of the inclusion conditions.

Rule-triggering conditions are created using criteria. The following criteria are used to create rules in Kaspersky Endpoint Security:

  • Path to the folder containing the executable file of the application or path to the executable file of the application.
  • Metadata: application executable file name, application executable file version, application name, application version, application vendor.
  • Hash of the executable file of the application.
  • Certificate: issuer, principal, thumbprint.
  • Inclusion of the application in a KL category.
  • Location of the application executable file on a removable drive.

The criterion value must be specified for each criterion used in the condition. If the parameters of the application being started match the values of criteria specified in the inclusion condition, the rule is triggered. In this case, Application Startup Control performs the action prescribed in the rule. If application parameters match the values of criteria specified in the exclusion condition, Application Startup Control does not control startup of the application.

Decisions made by the Application Startup Control component when a rule is triggered

When a rule is triggered, Application Startup Control allows users (or user groups) to start applications or blocks startup according to the rule. You can select individual users or groups of users that are allowed or not allowed to start applications that trigger a rule.

If a rule does not specify any users who are allowed to start applications that match the rule, this rule is called a block rule.

If a rule does not specify any users who are not allowed to start applications that match the rule, this rule is called an allow rule.

The priority of a block rule is higher than the priority of an allow rule. For example, if an Application Startup Control allow rule has been specified for a user group while an Application Startup Control block rule has been specified for one user in this user group, this user will be blocked from starting the application.

Operating status of a rule

Application Startup Control rules can have one of two operating status values:

  • On.

    This rule operating status means that the rule is enabled.

  • Off.

    This rule status means that the rule is disabled.

Default Application Startup Control rules

By default, Application Startup Control operates in Black List mode. This component allows all users to start all applications. When a user attempts to start an application that is blocked by Application Startup Control rules, Kaspersky Endpoint Security blocks this application from starting (if the Block action is selected) or saves information about the application startup in a report (if the Notify action is selected).
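
The following Python model is an added example, not Kaspersky code: it reproduces the evaluation order described in this article (inclusion and exclusion conditions, rule operating status, block rules outranking allow rules, and the Black List mode default). It assumes that an exclusion match removes the application from a rule's scope; the rule names, paths, vendor and user names are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Rule:
    name: str
    include: list                                   # (criterion, value) pairs
    exclude: list = field(default_factory=list)
    allowed: set = field(default_factory=set)       # users/groups allowed to start
    blocked: set = field(default_factory=set)       # users/groups not allowed to start
    enabled: bool = True                            # operating status: On / Off

def matches(conditions, app):
    # True when the application matches at least one condition in the list.
    return any(fnmatchcase(app.get(crit, "").lower(), value.lower())
               for crit, value in conditions)

def applies(rule, app):
    # Assumption: an exclusion match takes the application out of the rule's scope.
    return (rule.enabled and matches(rule.include, app)
            and not matches(rule.exclude, app))

def decide(rules, app, principals):
    """Return (decision, rule name) for a user's principals (user name plus groups)."""
    hits = [r for r in rules if applies(r, app)]
    for r in hits:                      # a block rule outranks any allow rule
        if r.blocked & principals:
            return ("block", r.name)
    for r in hits:
        if r.allowed & principals:
            return ("allow", r.name)
    return ("allow", None)              # Black List mode: nothing blocks, so it starts

# Constructed sample policy, paths and user names (not product defaults).
RULES = [
    Rule("allow-remote-tools", [("path", r"c:\tools\remote\*")], allowed={"Helpdesk"}),
    Rule("block-remote-tools", [("path", r"c:\tools\remote\*")],
         exclude=[("file_name", "approved-viewer.exe")], blocked={"j.doe"}),
    Rule("block-games", [("vendor", "Example Games*")], blocked={"Everyone"}, enabled=False),
]
VIEWER = {"path": r"C:\Tools\Remote\viewer.exe", "file_name": "viewer.exe"}
APPROVED = {"path": r"C:\Tools\Remote\approved-viewer.exe",
            "file_name": "approved-viewer.exe"}
GAME = {"path": r"E:\game.exe", "file_name": "game.exe", "vendor": "Example Games Ltd"}

if __name__ == "__main__":
    for app, who in [(VIEWER, {"j.doe", "Helpdesk"}), (VIEWER, {"a.lee", "Helpdesk"}),
                     (APPROVED, {"j.doe", "Helpdesk"}), (GAME, {"Everyone"})]:
        print(app["file_name"], sorted(who), decide(RULES, app, who))
```

The first case mirrors the article's own example: j.doe belongs to the allowed Helpdesk group but is named in a block rule, so startup is blocked.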
