Kaspersky Endpoint Security 12 for Windows

Application Control

25 April 2024

ID 176742

Application Control manages the startup of applications on users' computers. This allows you to implement a corporate security policy when using applications. Application Control also reduces the risk of computer infection by restricting access to applications.

Configuring Application Control consists of the following steps:

  1. Creating application categories.

    The administrator creates categories of applications that the administrator wants to manage. Categories of applications are intended for all computers in the corporate network, regardless of administration groups. To create a category, you can use the following criteria: KL category (for example, Browsers), file hash, application vendor, and other criteria.

  2. Creating Application Control rules.

    The administrator creates Application Control rules in the policy for the administration group. The rule includes the categories of applications and the startup status of applications from these categories: blocked or allowed.

  3. Selecting the Application Control mode.

    The administrator chooses the mode for working with applications that are not included in any of the rules (application denylist and allowlist).

When a user attempts to start a prohibited application, Kaspersky Endpoint Security will block the application from starting and will display a notification (see the figure below).

A test mode is provided to check the configuration of Application Control. In this mode, Kaspersky Endpoint Security does the following:

  • Allows the startup of applications, including prohibited ones.
  • Shows a notification about the startup of a prohibited application and adds information to the report on the user's computer.
  • Sends data about the startup of prohibited applications to Kaspersky Security Center.

    Notification about blocked application startup. The user can create a request to launch the application.

    Application Control notification

Application Control operating modes

The Application Control component operates in two modes:

  • Denylist. In this mode, Application Control allows users to start all applications except for applications that are prohibited in Application Control rules.

    This mode of Application Control is enabled by default.

  • Allowlist. In this mode, Application Control blocks users from starting any applications except for applications that are allowed and not prohibited in Application Control rules.

    If the allow rules of Application Control are fully configured, the component blocks the startup of all new applications that have not been verified by the LAN administrator, while allowing the operation of the operating system and of trusted applications that users rely on in their work.

    You can read the recommendations on configuring Application Control rules in allowlist mode.

Application Control can be configured to operate in these modes both by using the Kaspersky Endpoint Security local interface and by using Kaspersky Security Center.

However, Kaspersky Security Center offers tools that are not available in the Kaspersky Endpoint Security local interface, such as the tools that are needed for the following tasks:

This is why it is recommended to use Kaspersky Security Center to configure the operation of the Application Control component.

Application Control operating algorithm

Kaspersky Endpoint Security uses an algorithm to make a decision about starting an application (see the figure below).

Application Control operating algorithm

Application Control component settings



Action on starting applications blocked by rules

Apply rules. Kaspersky Endpoint Security manages the startup of applications according to the selected mode.

Test rules. Kaspersky Endpoint Security allows the startup of an application that is blocked in the current Application Control mode, but logs information about the application startup in the report.

Application Startup Control mode

You can choose one of the following options:

  • Denylist. If this option is selected, Application Control allows all users to start any applications, except in cases that satisfy the conditions of Application Control block rules.
  • Allowlist. If this option is selected, Application Control blocks all users from starting any applications, except in cases that satisfy the conditions of Application Control allow rules.

When Allowlist mode is selected, two Application Control rules are automatically created:

  • Golden Image.
  • Trusted Updaters.

You cannot edit the settings of or delete automatically created rules. You can enable or disable these rules.

Control DLL modules load

If the check box is selected, Kaspersky Endpoint Security controls the loading of DLL modules when users attempt to start applications. Information about the DLL module and the application that loaded this DLL module is logged in the report.

When enabling control over the loading of DLL modules and drivers, make sure that one of the following rules is enabled in the Application Control settings: the default Golden Image rule or another rule that contains the "Trusted certificates" KL category and ensures that trusted DLL modules and drivers are loaded before Kaspersky Endpoint Security is started. Enabling control of the loading of DLL modules and drivers when the Golden Image rule is disabled may cause instability in the operating system.

Kaspersky Endpoint Security monitors only the DLL modules and drivers that have been loaded since the check box was selected. After selecting the check box, it is recommended to restart the computer to ensure that the application monitors all DLL modules and drivers, including those loaded before Kaspersky Endpoint Security starts.

Templates of messages about application blocking

Message about blocking. Template of the message that is displayed when an Application Control rule that blocks an application from starting is triggered.

Message to administrator. Template of the message that a user can send to the corporate LAN administrator if the user believes that an application was blocked by mistake. After the user requests to provide access, Kaspersky Endpoint Security sends an event to Kaspersky Security Center: Application startup blockage message to administrator. The event description contains a message to administrator with substituted variables. You can view these events in the Kaspersky Security Center console using the predefined event selection User requests. If your organization does not have Kaspersky Security Center deployed or there is no connection to the Administration Server, the application will send a message to administrator to the specified email address.

See also: Managing the application via the local interface

Application Control functionality limitations

Enabling and disabling Application Control

Managing Application Control rules

Testing Application Control rules

Selecting the Application Control mode

Rules for creating name masks for files or folders

Editing Application Control message templates

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.