Support of managing Default Deny rules via Kaspersky Security Center through a low-capacity channel

Latest update: June 03, 2019 ID: 15035

This article refers to the following applications:

  • Kaspersky Security for Windows Server version 10.1.2 and later.
  • Kaspersky Security for Windows Server version 10.1.1 with Core 4 critical fix installed.
  • Kaspersky Embedded Systems Security 2.3 and later.
  • Kaspersky Embedded Systems Security version 2.1 with Core 13 critical fix installed.

If the application is installed on a device with a low-capacity channel (less than 100 Mbit per second) and managed remotely via Kaspersky Security Center, you may experience problems synchronizing application parameters that include large data arrays, such as lists of rules in the Application Launch Control component. The maximum number of rules that can be set within this task is about 64000. These rules cannot be sent through a low-capacity channel. If the application is unable to synchronize a local list of Applications Launch Control rules with the Administration Server, the attempt to apply the policy will fail.

If you are managing the Default Deny feature with Kaspersky Security Center and the managed devices are connected over channels whose capacity is too low, we recommend doing the following:

  1. Create all the necessary Application Launch Control rules specifically for each device in the managed group. Configure the parameters locally on each device.
  2. Disable the mandatory synchronization of local Applications Launch Control task parameters between the Administration Server and the device with the application installed. Find the NeedSyncAppControl parameter in the registry and set the value to 0: 
    • If Kaspersky Embedded Systems Security is installed on the device:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\KESS\<application version>\Environment
      "NeedSyncAppControl" : REG_DWORD = 0

    • If Kaspersky Security for Windows Server is installed on the device:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\KSWS\<application version>\Environment
      "NeedSyncAppControl" : REG_DWORD = 0

    By default, synchronization is enabled, and the NeedSyncAppControl=1 value is set.

    If you don’t configure these settings, the application will continue trying to exchange data. This will lead to errors synchronizing the Applications Launch Control task with the Administration Server, as well as errors applying policies.

    After disabling synchronization of the Applications Launch Control task, you will not be able to view the values of the Applications Launch Control task parameters via the device’s properties in the Administration Server console.

  3. Create a small number of rules in the policy that are suitable for the current group of managed devices. Select the following mode of synchronizing local lists of rules and the list of rules in the policy: Add policy rules to the local rules.
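
One way to carry out step 2 consistently on each device, as an added PowerShell example that is not part of the original article or of Kaspersky's tooling: it enumerates the `<application version>` subkeys under the two registry paths given above, reports the current NeedSyncAppControl value, and changes it to 0 only when run with `-Apply`. The `-Apply` switch and the `Get-SyncValue` helper are hypothetical names, and an elevated session is assumed.

```powershell
# Added example: report, and with -Apply set, NeedSyncAppControl = 0 (step 2 of the article).
# Run in an elevated PowerShell session on the managed device.
param(
    [switch]$Apply   # hypothetical switch name; without it the script only reports
)

# Registry roots as given in the article (Wow6432Node paths).
$productRoots = [ordered]@{
    'Kaspersky Embedded Systems Security'   = 'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\KESS'
    'Kaspersky Security for Windows Server' = 'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\KSWS'
}
$valueName = 'NeedSyncAppControl'

function Get-SyncValue([string]$Path) {
    # Returns the DWORD value, or $null when the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$valueName } else { $null }
}

foreach ($product in $productRoots.Keys) {
    $root = $productRoots[$product]
    if (-not (Test-Path -Path $root)) { continue }   # product not installed here

    # <application version> differs per installation, so enumerate the subkeys.
    foreach ($versionKey in Get-ChildItem -Path $root) {
        $envPath = "$root\$($versionKey.PSChildName)\Environment"
        if (-not (Test-Path -Path $envPath)) { continue }

        $before = Get-SyncValue -Path $envPath
        if ($Apply -and $before -ne 0) {
            # Creates the value if missing, overwrites it otherwise.
            New-ItemProperty -Path $envPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
        }

        # One record per installed version: value before, value after, and whether sync is now off.
        [pscustomobject]@{
            Product = $product
            Version = $versionKey.PSChildName
            Before  = $before
            After   = Get-SyncValue -Path $envPath
            SyncOff = ((Get-SyncValue -Path $envPath) -eq 0)
        }
    }
}
```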

If these settings are not suitable for your organization, or if they did not solve the problem synchronizing lists of Default Deny rules, submit a request with a detailed description of the situation to Kaspersky Lab technical support via Kaspersky CompanyAccount.
