002.11.6: Kaspersky Endpoint Security and Management. Unit III. Endpoint control
1.1 Purpose of the control components ..................................................................................................3
1.2 Licenses and installation types .........................................................................................................3
1.3 Installing the control components .....................................................................................................5
2.1 How Application Control works .........................................................................................................6
Operation principles..........................................................................................................................6
How to configure Application Control ...............................................................................................7
2.2 How to configure application categories...........................................................................................7
A category that is created and updated manually ............................................................................9
Automatically filled folder-based category ......................................................................................16
Category based on a reference computer ......................................................................................17
What you can do with programs and categories after the initial configuration ...............................20
2.3 How to create control rules .............................................................................................................25
Application Control modes..............................................................................................................25
Application Control rules.................................................................................................................26
2.4 How it will work ...............................................................................................................................27
How to find out what a particular user is prohibited from ...............................................................27
Local notifications and user requests .............................................................................................28
User requests selection ..................................................................................................................29
Events .............................................................................................................................................30
Report on prohibited applications ...................................................................................................30
2.5 Default deny mode .........................................................................................................................31
3.1 What can be blocked and how .......................................................................................................35
Additional options ...........................................................................................................................37
USB flash drive access log .............................................................................................................38
How to specify trusted Wi-Fi networks ...........................................................................................39
What Anti-Bridging does .................................................................................................................40
3.2 How to specify a trusted device ......................................................................................................41
3.3 How to configure interaction with users..........................................................................................44
3.4 How to configure temporary access ...............................................................................................45
How can the user send a request to get access to a blocked device? ..........................................45
How to create activation code ........................................................................................................46
How to activate temporary access .................................................................................................47
3.5 Monitoring Device Control ..............................................................................................................48
4.1 Blocking criteria ..............................................................................................................................52
4.2 Configuring exclusions and trusted servers ...................................................................................54
4.3 Diagnostics and testing ..................................................................................................................55
4.4 Configuring interaction with users ..................................................................................................56
4.5 Web Control statistics .....................................................................................................................59
4.6 Web control report ..........................................................................................................................60
5.1 How to configure Adaptive Anomaly Control ..................................................................................61
5.2 Configuring interaction with users ..................................................................................................65
5.3 Adaptive Anomaly Control operation statistics ...............................................................................65
5.4 Adaptive Anomaly Control reports ..................................................................................................67

In addition to anti-malware protection, Kaspersky Endpoint Security contains control components that
restrict actions harmful to the computers or the company in general.

— Application Control monitors users’ attempts to start programs and regulates software start
through the rules configured by the administrator
— Device Control brings the use of various devices to conformity with the company policy. The
Anti-Bridging component prohibits unauthorized network connections
— Web Control limits access to websites depending on their content; you can also block addresses
by masks
— Adaptive Anomaly Control contains a set of pre-configured rules and monitors non-typical
behavior on the device, which usually precedes an infection, and helps nip it in the bud

There are five functional areas in Kaspersky Security Center:

— Threat protection
— Control components
— Encryption
— Vulnerability and Patch Management
— Mobile Device Management
002.11.6: Kaspersky Endpoint Security and Management. 1. General
Unit III. Endpoint control

ed
ut
r ib
st
di
The control components require a KESB Select license and are installed by default, except for the new
Adaptive Anomaly Control component, which is also installed by default but requires a KESB
Advanced license.

In the MMC console, Encryption settings and Control components are not displayed in the Kaspersky
Endpoint Security policy by default. You can enable display of these settings in the main window of
the Console: click the link Configure functionality displayed in user interface:

— Display encryption and data protection—shows encryption settings
— Display endpoint control settings—shows the Control components

The Web Console does not need to be reconfigured; all functionality is immediately accessible.
Control components are enabled by default in the properties of the Kaspersky Endpoint Security package,
which is created automatically during the Administration Server installation.

The only technicality is that not all of the components will be installed on a server operating system.

If some components are not installed on the computers, the administrator can add them.

Use the Change application components task of Kaspersky Endpoint Security. This task is designed
especially for uninstalling or adding Kaspersky Endpoint Security components without reinstalling
the product. The task creates little traffic, as it reuses the .msi package of Kaspersky Endpoint Security,
which was saved on the client computer during the initial installation.

In the task properties, you can select the components to be installed, just like in an installation package.

However, you cannot select individual components while creating the task in the wizard. To specify
the necessary components, complete the task creation wizard and then open the task properties:
the choice of components is not limited there.
002.11.6: Kaspersky Endpoint Security and Management. 2. Application Control
Unit III. Endpoint control

Application Control helps to implement the corporate security policy, in particular, restrict software start
on the endpoints. At the same time, Application Control reduces the computer infection risk by
decreasing the attack surface.

Application Control allows the administrator to restrict which programs the users can run on
the computers. Software start permissions are specified in special rules.

When a program starts, Application Control checks:

— The category the program belongs to (the categories are configured by the administrator)
— The account under which the program was started
— Whether the Kaspersky Endpoint Security policy contains any rules that regulate the start of this
program category for this account

Application Control can operate in either of the two modes:

— Denylist: Everything is allowed by default. Only the programs that belong to categories that the
administrator prohibited in the Kaspersky Endpoint Security policy are blocked. Meaning, if there
is no matching block rule, the program will be permitted to start
— Allowlist: Everything is prohibited by default. Only the programs that belong to categories that
the administrator allowed in the Kaspersky Endpoint Security policy are permitted to start. If there
is no matching allow rule, the program will be blocked

The allowlist mode is used in the Default Deny approach. It is described in the respective section
of this chapter; also, refer to course KL 032 Default Deny for further details.
Application Control is configured in two stages:

1. Create application categories
1.1. Make up the list of categories. For example, Web browsers, Games, Third-party
messengers, Allowed programs, etc.
1.2. Add all programs that we want to control to these categories. How to do it is described in the
next section.
Categories are configured once for the whole Administration Server: on the Operations |
Third-Party Applications | Application categories page;
2. Make up the list of rules. In the Kaspersky Endpoint Security policy, you can specify what
Kaspersky Endpoint Security is to do with the applications that belong to each application
category:
— Allow,
— Block,
— Just notify Kaspersky Security Center about each start.

Note that categories are specified for the whole server, while different rules may be configured for
different computer groups. For example, Skype can be prohibited for everybody except individual users;
additionally, marketers can be allowed to use it, but every time when they start it, the administrator will
receive the respective notification.

Categories are created on the Kaspersky Security Center Administration Server and are transferred to
client computers similarly to policies and tasks. You can send the complete list and contents of categories
every time, or only the changes. This is configured in the Administration Server properties, in
the Application categories section.

This transfer option appeared in Kaspersky Security Center 10 SP2 MR1 and Kaspersky Endpoint
Security 10 SP2; in earlier versions, the full set of categories is always transferred, even if changes are
few and minor. That is why everything is transferred by default; otherwise, if there are older clients in the
network, they will not be able to receive changes only, and will receive nothing.
An application category is a list of conditions and exclusions that permits identifying a program or a group
of programs. The list is displayed on the Operations | Third-Party Applications |
Application Categories page and is empty by default. New categories are created using a special wizard.
There are three types of categories:

— Filled manually—their conditions are added and changed only manually. For example, all
programs that have “zombies” in their names, or all programs signed with the specified certificate
— Filled automatically from a folder—the administrator selects a directory, which is scanned for
the following files: EXE, COM, DLL, SYS, BAT, PS1, CMD, JS, VBS, REG, MSI, MSC, CPL,
HTML, HTM, DRV, OCX, SCR. The Administration Server will also check the contents of
this directory on schedule, calculate checksums of executable files (SHA256 and/or MD5), and
update the list of the category criteria. A network folder where all prohibited or allowed programs
are copied may come in handy
— Filled automatically from the selected devices—the administrator selects one or several
managed computers, and the Administration Server automatically includes executable files found
on the computers into the category. Meaning, you can specify a reference computer where, for
example, all allowed programs are installed
At the first step, the New Category Wizard prompts you for the category name and creation method. If
you are not happy with the category contents when it is ready and want to modify the method, you will
have to re-create the category.

For a manually filled category, conditions for the programs are specified in the list; each condition can
contain several parameters. If a program matches at least one condition, it is included in the category.

Conditions can be set by various methods, but all of them can be boiled down to the following general
types:

— KL category—Kaspersky experts group allowlists into categories according to programs’
purpose. The category catalog helps to categorize an application or an individual file. In most
cases, Kaspersky Endpoint Security defines the category locally using the signature database or
requests the verdict from Kaspersky Security Network.
— Certificate—this function is available since Kaspersky Endpoint Security 10 SP2. You can
specify a folder on a client device that contains executable files signed by certificates. Certificates
of executable files will be added to the category conditions. You can also add certificates from a
certificate store
— Application folder—all programs from the specified directory will be added to the category
— Removable drive—a special parameter that allows the administrator to create a separate
category for the files started from a removable drive
— Metadata—file name, its version, name of the program and manufacturer. The version does not
have to be specified exactly. You can select all files older or younger than the specified version.
Various file characteristics constitute a single condition, rather than several individual conditions.
When specifying metadata, you can allow only files signed with a valid certificate, or those for
which KSN returns the Trusted verdict
— Checksum—the checksum returned by the SHA-256 function, which allows unambiguous identification
of the file (the checksums of different files are different)

Note: In Kaspersky Endpoint Security version 10 SP1 MR3 and earlier, the MD5 checksum was
used for file identification in Application Control instead of SHA-256. Starting with Kaspersky
Endpoint Security 10 SP2, only SHA-256 is used.

If there are various Kaspersky Endpoint Security versions in the network, select the
corresponding checkbox in the category properties, for example, to collect not only SHA-256, but
also MD5. Then the same category will be usable for policies configured for different Kaspersky
Endpoint Security versions.
On the other hand, if application categories become too large as a result, you can create
different categories for different versions of Kaspersky Endpoint Security.

The administrator can create a condition based on the Executable files list. It is a list of executable files
that have been started on the client computers or detected by an Inventory task.

Note: In Kaspersky Endpoint Security 11.6, information about started executable files will be transferred
only after you enable the Application Control component.

This list of files is displayed on the Operations | Third-Party Applications | Executable files page.
The Applications registry node contains programs installed on computers and displayed in their
Programs and Features. Network Agents gather names and attributes of these programs and transfer
them to the Administration Server. The gathered information about the installed programs does not
contain data about the program executable files, but it is the data about executables that is necessary to
create a condition. That is why the Administration Server compares data about installed programs and
data about executable files detected on the computers, and after that creates a condition based on
the hash sum of the program executables.

It might happen that a program is considered to be installed by mistake, or a program is installed but
started extremely rarely and the data about its executable file is missing on the Administration Server.
In this case, a condition for this program may fail to be created. On the other hand, if a program has
several executable files, the applications registry simplifies rule creation. The Administration Server
automatically adds conditions for all executable files associated with the program.

If a program is installed but its executable files haven’t been reported to the Administration Server yet,
the administrator may consider running an Inventory task to speed up the process.

We will describe inventory tasks in detail later.

When selecting a file on the drive, the administrator can specify a simple SHA-256 (MD5) condition for it,
or a more flexible condition based on metadata or certificate.

A hash sum unambiguously identifies a file. This condition should be used when exact coincidence is
important. For example, hash sums are used in automatically filled categories described earlier, because
it is important to permit starting the exact file versions installed on the reference computer or included in
an approved distribution. Any changes made to the file by malware or malevolent users will result in
changing the hash sum and blocking the file start.

Hash sums are also convenient if you need to prohibit renamed files from starting. Renaming does not
influence the hash sum and the blocking rule will still work.
At the same time, you may need to include several application versions in a category. In this case you
should create a condition based on file attributes, such as name, manufacturer name and version
number. The version number may not only coincide with the specified value, but also be more or less
than the specified value, or start from it, etc.; so, you will be able to block old program versions or recent
releases that have not been approved yet.

Metadata-based conditions implicitly rely on digital signatures. When Kaspersky Endpoint Security checks
file metadata to determine if the condition applies, it ignores files without digital signatures (certificates).
Unsigned files will never match a metadata-based condition. This applies to many open-source and
freeware tools. You may create a condition based on the file name and then be surprised that a file with a
matching name is not treated as expected. Most probably, this means that the file has no digital
signature.

In general, you should use metadata-based conditions for commercial software that is likely to be digitally
signed by the vendor’s certificate. To control open-source and freeware programs, use other condition
types.
If a folder or an MSI package is specified when creating a condition manually, the selected folder or
package will be scanned once when creating the category, and later will not be rescanned. The
administrator can add any other condition to such a category.

The described conditions enable the administrator to allow or prohibit known programs—programs whose
hash sum, or attributes, or location on the drive, etc. are known or can be found out.

In practice, it is often necessary to prohibit unknown programs, for example, all games, or all browsers
except for one, etc. This task is not easy to solve using the described tools.

The solution is to use KL categories. These categories define program class or type: email programs,
web browsers, development tools, electronic payment systems, etc. ‘KL category’ means that
the programs are categorized by Kaspersky experts.

The program categorization information is a part of the downloadable databases. That is why
the Download updates to the repository task must run at least once before you can create conditions
based on KL categories.

Programs started on each computer are independently scanned for correspondence to the conditions,
and if different database versions are used on different computers, application control rules can work to
different effects. Also, if the use of KSN is enabled on a computer, it will try to receive the latest data
about KL categories in real time.

Kaspersky experts, certainly, cannot process and categorize all executable files that exist in the world. All
uncategorized files are automatically associated with the Other Software KL category.
So far, all conditions checked the hash sum or attributes of the files. These conditions were independent
of the file location. Copying or moving the executable file would not influence the file start regulations
based on these conditions.

The following two types of conditions consider only the file location:

— Application folder—defines the local path to the file. The administrator can, for example, prohibit
starting executable files from the desktop or from the whole user’s home directory.
Alternatively, the administrator can permit starting executable files from the system folders:
C:\Windows, C:\Program Files and prohibit from all other computer locations.
The condition is recursive, meaning, it works for the files in subfolders of the specified folder.
— Device type—can have only one value: Removable device. Essentially, its purpose is to enable
the administrator to prohibit starting programs from removable drives.
A more reliable method than using the file path, but less reliable than SHA-256, is selecting files by
certificates. You can select from among the certificates on the Administration Server.

If you need to prohibit all programs that match the specified conditions except for one, add an exclusion
to the category. Exclusions can use the same types of conditions. The programs that meet at least one
exclusion condition will be excluded from the category.
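The following Python model is an added illustration for this course page, not Kaspersky code, and serves two passages at once: the denylist and allowlist modes with per-account rules from section 2.1, and the condition types and exclusions of a manually filled category described in this section. It shows why an unsigned file never matches a metadata condition, how a folder condition is recursive, how a checksum exclusion carves one approved file out of a folder category, and how the same rules give different verdicts for different accounts. The condition type names, the assumption that an allow rule naming the account overrides a block rule for it (and vice versa), and every path, hash, signer name, account and category name are constructed for the example.

```python
"""Simplified model of how an Application Control verdict is formed:
category conditions and exclusions, per-account rules, and the two modes.
Constructed illustration for this course page, not Kaspersky code: every
path, hash, signer, account and category name below is made up."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ExeFile:
    """What the endpoint knows about a file at start time (constructed)."""
    path: str
    sha256: str
    product: str = ""
    version: tuple = (0,)
    signer: str = ""                       # empty means the file is unsigned
    kl_category: str = "Other Software"    # uncategorized files land here
    removable: bool = False


def match_condition(cond, f):
    """True when the file meets one category condition."""
    kind = cond["type"]
    if kind == "checksum":                 # exact identity; survives renaming
        return f.sha256.lower() == cond["sha256"].lower()
    if kind == "certificate":
        return f.signer != "" and f.signer == cond["signer"]
    if kind == "kl_category":
        return f.kl_category == cond["name"]
    if kind == "removable":                # "Device type: Removable device"
        return f.removable
    if kind == "folder":                   # recursive: any subfolder counts
        return PureWindowsPath(cond["path"]) in PureWindowsPath(f.path).parents
    if kind == "metadata":
        # Metadata conditions implicitly rely on a digital signature:
        # an unsigned file never matches, whatever its name or version.
        if not f.signer or f.product.lower() != cond["product"].lower():
            return False
        if "version" not in cond:
            return True
        want = tuple(int(p) for p in cond["version"].split("."))
        return {"==": f.version == want, "<": f.version < want,
                ">": f.version > want}[cond.get("version_op", "==")]
    raise ValueError(f"unknown condition type {kind}")


def in_category(cat, f):
    """At least one inclusion condition must hold and no exclusion may."""
    return (any(match_condition(c, f) for c in cat["conditions"])
            and not any(match_condition(c, f) for c in cat.get("exclusions", ())))


def categories_of(f, categories):
    return {name for name, cat in categories.items() if in_category(cat, f)}


def decide(f, account, categories, rules, mode):
    """Return (verdict, categories whose notify rule fired). mode is "denylist"
    (allowed unless a block rule matches) or "allowlist" (blocked unless an allow
    rule matches); assumed: an opposite rule naming the account is an exception."""
    hits = categories_of(f, categories)
    applicable = [r for r in rules if r["category"] in hits
                  and (not r.get("accounts") or account in r["accounts"])]
    notified = [r["category"] for r in applicable if r["action"] == "notify"]
    allowed = any(r["action"] == "allow" for r in applicable)
    blocked = any(r["action"] == "block" for r in applicable)
    if mode == "denylist":
        verdict = "block" if blocked and not allowed else "allow"
    else:
        verdict = "allow" if allowed and not blocked else "block"
    return verdict, notified


# Constructed sample categories, rules and files.
CATEGORIES = {
    "Messengers": {"conditions": [{"type": "metadata", "product": "Skype"}]},
    "Old Skype": {"conditions": [{"type": "metadata", "product": "Skype",
                                  "version": "8.0", "version_op": "<"}]},
    "User folders": {"conditions": [{"type": "folder", "path": r"C:\Users"}],
                     "exclusions": [{"type": "checksum", "sha256": "ab" * 32}]},
    "System folders": {"conditions": [{"type": "folder", "path": r"C:\Windows"},
                                      {"type": "folder", "path": r"C:\Program Files"}]},
    "Removable media": {"conditions": [{"type": "removable"}]},
}
DENYLIST_RULES = [
    {"category": "Messengers", "action": "block"},                  # everybody
    {"category": "Messengers", "action": "allow", "accounts": ["marketer1"]},
    {"category": "Messengers", "action": "notify", "accounts": ["marketer1"]},
    {"category": "User folders", "action": "block"},
    {"category": "Removable media", "action": "block"},
]
ALLOWLIST_RULES = [{"category": "System folders", "action": "allow"}]
SIGNER = "Sample Messenger Vendor (constructed)"
SKYPE = ExeFile(r"C:\Program Files\Skype\Skype.exe", "11" * 32, "Skype", (8, 50), SIGNER)
OLD_SKYPE = ExeFile(r"C:\Program Files\Skype\Skype.exe", "22" * 32, "Skype", (7, 40), SIGNER)
UNSIGNED = ExeFile(r"C:\Users\bob\Desktop\Skype.exe", "33" * 32, "Skype", (8, 50))
APPROVED = ExeFile(r"C:\Users\bob\Desktop\approved.exe", "ab" * 32)
USB_TOOL = ExeFile(r"E:\portable\tool.exe", "44" * 32, removable=True)
```

Calling `decide(SKYPE, "alice", CATEGORIES, DENYLIST_RULES, "denylist")` blocks the messenger for an ordinary user, while `"marketer1"` gets it allowed with a notification; the unsigned copy on the desktop is not in the Messengers category at all (the metadata caveat) and is blocked only because of the User folders rule, and the approved tool in the same folder starts because its checksum is an exclusion. Switching to `ALLOWLIST_RULES` in allowlist mode shows the inverted default: only files under the system folders start.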
The contents of an automatically filled category are updated when the source folder contents change
(executable files are deleted or added). Also, you can make the category update on a schedule.

If the specified folder contains archives or installation packages (for example, *.msi), the Administration
Server will automatically unpack them (into a temporary folder) and include data about the executable
files within the archive or package into the category. So, if you place a program distribution into the folder,
the category will include not only the installation file, but also the program files.

This method of creating a category is useful if the company has a repository of program distributions to be
installed on the corporate computers. Start of these programs must be allowed. The administrator may
occasionally add programs to the list or replace them with newer versions.

To avoid manual updating of the category rules for the allowed distributions, place them into a folder and
make the Administration Server automatically monitor the changes and add parameters of the detected
files to the dedicated category. Afterwards, the administrator will only have to create one allowing rule for
this category in the policy to allow start of all the used programs.
You can also select to Include dynamic-link libraries (.DLL) in this category. If this checkbox is
selected, Kaspersky Security Center will calculate checksums of DLL files and add them to the category
along with executable files.

It makes sense to care about DLL files because Windows permits starting processes from them through
the rundll32.exe utility. Generally, some of the processes started from library files may be allowed, while
others blocked.

In this regard .dll files are similar to script files (*.js or *.vbs), which are not executable, but are started via
the cscript.exe (or wscript.exe) utility, and can also be allowed or blocked.

To include scripts into a category, select the checkbox Include script data in this category.

Similar to other category types, you can use hash sums. If various KES versions are installed in the
network, 10 SP2 and older, you can select both checkboxes. Then the category will be larger, but will
work for all Kaspersky Endpoint Security versions.
In addition to the repository of allowed program distributions, there may be a reference computer in the
organization where all the programs used in the company are installed. Such a reference computer is
usually necessary for creating images to be deployed on new computers. As a result of such a
deployment, the operating system and all programs necessary for work are installed on the computer,
and the whole process takes much less time than installing everything from distributions. The
administrator periodically upgrades programs on the reference computer and updates the image
accordingly.
With this approach, it is logical to automatically make all programs installed on the reference computer
allowed. For this purpose, you need to scan the computer, add all programs to a category, and then
create an allow rule for it in the policy. This is what a category automatically filled with files from selected
computers is designed for.

Sometimes it is necessary to split the files found on the reference computer into a few categories. For
example, separate Windows files from those found among Program Files. In this case, you can configure
a filter based on the folder where a file is located. The category will include only the files that are located
in the specified folder of the reference computer.

Unlike folder-based categories, where the changes are monitored by the Administration Server itself, with
a computer-based category, the Administration Server relies on the detection of executable files by
Kaspersky Endpoint Security. This means that a reference computer must be equipped with the
Application Control component of Kaspersky Endpoint Security, which will draw up the list of executable
files, and with Kaspersky Network Agent, which will send the data to the Administration Server. There will
be more details on how this works later in this chapter.
The administrator can specify the scanning interval, the same way as within a category filled from a
folder.

The detected files will be added to the category and will later be identifiable by SHA-256 (for the latest
versions of Kaspersky Endpoint Security) or MD5 sums (for Kaspersky Endpoint Security 10 SP1 MR3 or
earlier)—depending on the Kaspersky Endpoint Security version installed on the reference computer.

Note: Unlike for a folder-based category, here you must select either SHA-256 or MD5 (depending on the
Kaspersky Endpoint Security version installed on the reference computer). This means that if different
Kaspersky Endpoint Security versions are installed in the network, you need to use two reference
computers for a category.

A computer-based category will include the list of found files and the SHA-256 or MD5 checksum of each file.
If the administrator wants to know which KL category includes a specific executable file, they can find this
information either in Kaspersky Endpoint Security interface on the client computer, or in the
Administration console. The local verdicts (which may vary slightly on different computers because of
d

different database versions) are available in the Application Activity Monitor window.
e

Information in the Administration Console can be used for troubleshooting as well as for planning
the rules. The list of executable files is located on the Operations | Third-Party Applications |
pi

Executable files page. The administrator can view the attributes and KL category of each file.

Since there can be a lot of files on the list (reported from all the computers in the network), search and
filtering options may help finding the necessary one. The administrator can search for a file using a part of
co

its name, or apply a filter and search by the values of various file attributes.

You can use the list of executable files not only to view KL categories, file attributes and various statistics, such as when the file was first detected on the computers, but also to add a file to an administrator-defined category or exclude it from one. There is a button that adds the file to administrator-defined categories. You can add the file to an existing category or create a new one. When modifying an existing category, you can add the file either to the inclusion conditions or to the exclusions. In all cases, the resulting condition is based on the file's SHA-256 or MD5 sum or on its certificate data.

If the administrator notices something new when looking through the list of executable files detected on computers connected to Kaspersky Security Center, and decides to add the program to a category, they do not need to memorize its name and go to the container with program categories. Simply select the necessary executable file or program and run the Assign to category command. Then select how to add it: to an existing category, or create a new one. And where to add it: to the category's inclusion conditions or to its exclusions.

The program is added by hash sum or by the certificate with which its executable file is signed.
The list of executable files visible on the Kaspersky Security Center Administration Server consists of all executable files detected by Kaspersky Security Center and Kaspersky Endpoint Security on all computers connected to this Administration Server. This list can therefore be very long.

However, when you know what you are looking for, it is very handy. You can sort it by name, or use filters.
For each file, the list shows on which computers and when it was first detected (but not how), when it first undertook network activity, and whether it is signed with a certificate.

Right after the installation, the Executable files container will be empty on the Administration Server.
Gradually, when new clients are connected, new data will be sent to the Administration Server on the
condition that the Application Control component is enabled in Kaspersky Endpoint Security 11.6.

Important: If Application Control is disabled, data about executable files will not be transferred when applications start.
In addition, there is an option for sending information about found executable files; it is enabled by default. You can find it in the Kaspersky Endpoint Security policy: Application Settings | General Settings | Reports and Storage, the option About started applications. This checkbox enables sending information about started applications, as well as the results of the Inventory task.

Note: we recommend that you do not enable this option for all client computers; exclude, for example, low-powered computers or non-persistent virtual machines.

There is a list of executable files in the properties of each managed computer. This list is supplemented by:

1. The Inventory task, which scans the client computers' folders specified in its properties
2. Application Control which, when enabled, collects information about all executable files started on the client computers.

Network Agent also gathers information about software, but only about installed applications, for which it scans the registry.

The Inventory task is not created by default. This means that the list of executable files will include only those files that have been started on computers where the Application Control component is enabled. However, some files start very rarely, and it may take a very long time until all executable files are intercepted and reported to the Administration Server. A faster way to detect files is to use an Inventory task.

This is a Kaspersky Endpoint Security task, which can be created for a group or a computer selection. With standard settings, the task searches for executable files in the following directories:

— %SystemRoot%
— %ProgramFiles%
— %ProgramFiles(x86)%

The list of folders is configurable. The information about discovered files is sent to the Administration Server and is available in the Web Console on the Operations | Third-Party Applications | Executable Files page.

Unlike the monitoring components, this task can detect executable files within archives and installation packages. Select the Scan archives and Scan distributions checkboxes.

When executable files are searched for, their checksums are calculated, which may slow down the computers. To reduce resource consumption, you can use the option Scan only new and changed files. The information about changes is obtained using the iSwift technology and requires almost no calculation.
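
As an added illustration (the editor's example, not part of the training material and not Kaspersky code), the following Python script reproduces on a small scale what such an inventory does: it walks a list of directories, picks out Windows executables by their MZ header, records the SHA-256 and MD5 of each one (the two hashes the categories above are built from), and keeps a cache keyed on path, size and modification time so that a second run hashes only new or changed files, which is the effect Scan only new and changed files aims for. The directory list, the MZ-header test and the cache layout are assumptions of this example; the demo runs on a constructed temporary directory rather than a real system drive.

```python
"""Added example, not Kaspersky code: a minimal inventory of executable files
with SHA-256 and MD5 per file and a cache that skips unchanged files."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

Digests = Tuple[str, str]                      # (sha256 hex, md5 hex)
CacheKey = Tuple[str, int, int]                # (path, size, mtime_ns)

# The directories the Inventory task scans with standard settings (assumption:
# the environment variables only expand on a Windows host).
DEFAULT_ROOTS = [os.path.expandvars(v) for v in
                 ("%SystemRoot%", "%ProgramFiles%", "%ProgramFiles(x86)%")]


def is_pe_file(path: str) -> bool:
    """Heuristic used by this example: a file is 'executable' if it starts
    with the DOS 'MZ' stub that every PE image (exe, dll, sys) carries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def hash_file(path: str) -> Digests:
    """Compute both digests in one pass over the file."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def inventory(roots: List[str],
              cache: Optional[Dict[CacheKey, Digests]] = None
              ) -> Tuple[Dict[str, Digests], int]:
    """Walk roots and return ({path: (sha256, md5)}, number_of_files_hashed).

    cache maps (path, size, mtime_ns) -> digests. A file whose size and
    modification time are unchanged is served from the cache without being
    re-read, which is the 'only new and changed files' shortcut."""
    cache = {} if cache is None else cache
    found: Dict[str, Digests] = {}
    hashed = 0
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if not is_pe_file(path):
                    continue
                st = os.stat(path)
                key = (path, st.st_size, st.st_mtime_ns)
                if key not in cache:
                    cache[key] = hash_file(path)
                    hashed += 1
                found[path] = cache[key]
    return found, hashed


def demo() -> Tuple[int, int, int, bool]:
    """Constructed sample tree: two fake PE images and one text file.
    Returns (files found, hashed on 1st run, hashed on 2nd run, same result)."""
    base = tempfile.mkdtemp()
    samples = {"app.exe": b"MZ" + b"\x90" * 64,
               "helper.dll": b"MZ" + b"\x00" * 32,
               "readme.txt": b"not an executable"}
    for name, data in samples.items():
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(data)
    cache: Dict[CacheKey, Digests] = {}
    first, hashed_first = inventory([base], cache)
    second, hashed_second = inventory([base], cache)     # nothing changed
    return len(first), hashed_first, hashed_second, first == second


if __name__ == "__main__":
    print(demo())                                         # (2, 2, 0, True)
```

On a Windows host you would pass DEFAULT_ROOTS instead of the temporary directory; the resulting (sha256, md5) pairs are what a manually maintained category's inclusion conditions are built from. The MZ test is only a heuristic: it does not look inside archives or installation packages the way the Scan archives and Scan distributions options do.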

Alternatively, you can schedule the task to run during non-working time, or use the option that suspends scheduled scanning while the computer is in use and resumes it when the screensaver is on and the computer is locked.

Note that Application Control is disabled by default in Kaspersky Endpoint Security starting with version 10 Service Pack 1. That is why information about executable files is not sent by default. The first thing the administrator needs to do before configuring rules is to enable the component and select the mode: Allowlist or Denylist (for detailed information about these modes, see section 2.1 "How Application Control works").

By default, right after you enable Application Control, the Notify mode is used. It is recommended to test the rules first. Instead of real denies, only events are sent to the Administration Server: Application startup prohibited in test mode or Application startup allowed in test mode. You can generate a report based on these events, analyze it, adjust the rules if necessary, and then switch them to the block mode. Later, to test new rules without interrupting those already applied, the administrator can add a rule with the Test mode status. After you make sure that the new rules do not interrupt useful applications, enable them.
Each rule (regardless of the selected mode, allowlist or denylist) can have one of the following three statuses:

— Block means that the Application Control component uses the rule.
— Rule is disabled means that the Application Control component does not use the rule.
— Test mode means that Kaspersky Endpoint Security will always permit starting the programs to which this rule applies, but will send information about starting these programs to the Administration Server.

The checkbox Control DLL and drivers enables you to restrict the start of DLL libraries and drivers, but increases the load on the computer and is recommended only when it is really indispensable, for example with a rigid Default Deny.

There can be as many rules as you wish; prohibition always has a higher priority. The denylist and the allowlist have separate sets of rules. For example, if you first selected the Denylist, added a rule, and then switched to Allowlist, your rule will not be there.

Each rule has the following parameters:

— Category—an application category created on the Administration Server beforehand. A policy may contain only one rule for each category
— Users and/or groups that are granted permission—the list of local or domain users and groups who are allowed to start the programs belonging to the selected category. If more than one entity needs to be specified, separate them with a semicolon (;)
— There is a related option, Deny for other users. When enabled, it automatically denies permission to all unlisted users. All versions of Kaspersky Endpoint Security earlier than 10 Service Pack 1 acted as if this option were always enabled. In Kaspersky Endpoint Security 11 this option is configurable and disabled by default: unlisted users are granted or denied permission based on the rest of the rules
— Users and/or groups that are denied permission—this parameter explicitly defines the list of users and groups who are prohibited from starting the programs
— Trusted updaters—consider all programs of this category to be trusted updaters¹

Denial has a higher priority than permission. For example, if a rule is configured to allow program start to
all users and prohibit for the Tom user, this user will not be able to start the program according to this
rule.

The list of rules is initially empty for the denylist mode; for the allowlist, it contains two system rules that cannot be deleted:

— Trusted updaters—if this rule is enabled, the applications installed by trusted updaters will not be blocked even if there are no allowing rules for them. It is a special KL category² that includes programs that download and install module updates, for example, Adobe Updater, Chrome Component Updater, etc. The rule is enabled by default, meaning Trusted updaters are allowed.
— Golden Image—contains the executable files necessary for the operating system, as well as executable files supplied with the system (various standard utilities and applications), to prevent Kaspersky Endpoint Security from accidentally blocking files important for the operating system

The list lacks the up and down buttons, because the order of rules does not matter. When a program starts on a computer, Kaspersky Endpoint Security analyses all enabled rules together. Different rules regulate the start of different application categories, but some programs may belong to several categories at once. If there is at least one rule according to which the program start must be prohibited, it will be prohibited regardless of what the other rules say.

If a program does not belong to any category, in the denylist mode it will be allowed, and in the allowlist mode, blocked.
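
To make the combination rules concrete, here is an added Python model of the evaluation order described above. It is the editor's illustration, not Kaspersky code and not the product's actual algorithm: every enabled rule whose category contains the program is evaluated, an explicit denial inside a rule beats a permission (the Tom case), Deny for other users turns an unlisted user into a denial, one denying rule blocks regardless of the others, and a program that no rule decides is allowed in denylist mode and blocked in allowlist mode. Test-mode rules never block but yield the "... in test mode" verdict. The category names, account names and sample rules are constructed for the example, and the way a Test-mode verdict is derived alongside the real one is an assumption.

```python
"""Added example, not Kaspersky code: a model of the rule-combination logic
described in the text (mode, rule status, granted/denied users, Deny for other
users, one denial wins, uncategorized programs follow the mode)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALLOWLIST, DENYLIST = "allowlist", "denylist"   # the two Application Control modes
ON, OFF, TEST = "on", "off", "test"             # the three rule statuses


@dataclass
class Rule:
    category: str                               # one rule per category in a policy
    status: str = ON
    allowed: FrozenSet[str] = frozenset()       # users/groups granted permission
    denied: FrozenSet[str] = frozenset()        # users/groups explicitly denied
    deny_for_others: bool = False               # the "Deny for other users" option

    def verdict(self, groups: FrozenSet[str]) -> Optional[bool]:
        """True = allow, False = deny, None = this rule says nothing about the
        user. Inside a rule, explicit denial beats permission (the 'Tom' case)."""
        if groups & self.denied:
            return False
        if groups & self.allowed:
            return True
        return False if self.deny_for_others else None


def decide(mode: str, rules: List[Rule], categories: FrozenSet[str],
           groups: FrozenSet[str], enforce_test: bool = False) -> bool:
    """Evaluate every applicable rule together; order is irrelevant.
    One deny blocks. With enforce_test=True, Test-mode rules count as if they
    were On: that is the verdict the '... in test mode' events report."""
    active = {ON, TEST} if enforce_test else {ON}
    verdicts = [r.verdict(groups) for r in rules
                if r.status in active and r.category in categories]
    if False in verdicts:
        return False
    if True in verdicts:
        return True
    # Nothing decided: uncategorized (or unruled) programs follow the mode.
    return mode == DENYLIST


def startup(mode: str, rules: List[Rule], categories: FrozenSet[str],
            groups: FrozenSet[str]) -> Tuple[bool, List[str]]:
    """Return (allowed?, event names). Test rules never block, they only report
    (assumption: a test verdict is produced whenever a Test rule applies)."""
    allowed = decide(mode, rules, categories, groups)
    events = ["Application startup allowed" if allowed
              else "Application startup prohibited"]
    if any(r.status == TEST and r.category in categories for r in rules):
        would_allow = decide(mode, rules, categories, groups, enforce_test=True)
        events.append("Application startup allowed in test mode" if would_allow
                      else "Application startup prohibited in test mode")
    return allowed, events


# Constructed sample policy: category and account names are made up.
RULES = [
    Rule("Golden Image", ON, allowed=frozenset({"Everyone"})),
    Rule("Office suite", ON, allowed=frozenset({"Everyone"}),
         denied=frozenset({"Tom"})),
    Rule("Finance tools", ON, allowed=frozenset({"Finance"}),
         deny_for_others=True),
    Rule("Dev tools", ON, allowed=frozenset({"Developers"})),
    Rule("Remote admin tools", TEST, denied=frozenset({"Everyone"})),
]

if __name__ == "__main__":
    alice = frozenset({"Alice", "Everyone"})
    for cats in (frozenset({"Office suite"}),
                 frozenset({"Office suite", "Remote admin tools"}),
                 frozenset()):
        print(sorted(cats), startup(ALLOWLIST, RULES, cats, alice))
```

Running the same rule set in both modes shows the practical difference: a program in the "Dev tools" category started by a non-developer is blocked in allowlist mode (no rule allows it) but permitted in denylist mode (no rule denies it), and the "Remote admin tools" rule in Test mode changes nothing in the verdict but adds the test-mode event that the report on blocked starts in test mode is built from.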

There is the Static analysis button next to the list of startup control rules in the Kaspersky Endpoint Security policy. It opens a window where you can select a user or a group; in the right pane, the list of prohibited categories and blocked files is displayed.

¹ This option is described in detail later in this chapter.
² This KL category cannot be selected when configuring program category conditions.
Static analysis is available only in the MMC console.

When a program start is blocked on the client computer, Kaspersky Endpoint Security shows a pop-up
notification so that the user is not confused about the reason for the application behavior.

If the user needs this program for work, the pop-up notification permits sending the administrator a
request to allow program start. The user should click the Request access link in the notification window
and then click the Send button.

The text of the pop-up notification, as well as of the request to allow a program to start, can be modified in the Kaspersky Endpoint Security policy. You can use variables there, which provide information about a specific event, for example, the name of the blocked program, the computer where the event was registered, etc.
The standard User requests event selection contains the Application startup blockage message to administrator events registered over the last 7 days. The Application startup blockage message to administrator event is registered when a user sends a request to allow program start; it includes the request text along with information about the computer, the user name and the program in question: complete information necessary for the administrator to make a decision.

It may happen that a user would need a program urgently. That is why, if the administrator rarely opens
User requests, it might be worthwhile to configure email notification for the event Application startup
blockage message to administrator. This will enable the administrator to process the requests as soon
as possible.

It is possible to use the request events to modify application categories. An event contains complete information about the blocked file, including its SHA-256 (MD5 for older versions of Kaspersky Endpoint Security). The administrator can use the Assign to category command to immediately add the blocked file to an existing or a new category, either as an inclusion condition or as an exclusion.
Application Control generates five types of events:

— Application startup allowed
— Application startup prohibited
— Application startup allowed in test mode
— Application startup prohibited in test mode
— Application startup blockage message to administrator

By default, all the events except for Application startup allowed are transferred to the Administration Server.

If the test mode is used for rules, it might be worthwhile to create a selection for the Application startup prohibited in test mode event.

Based on the Application startup prohibited event, Kaspersky Security Center generates a Report on prohibited applications, which shows the distribution of the number of blocked starts on the client computers by application. Switch to the Details tab to see information about all computers and programs detected by Application Control.

Starting with Kaspersky Security Center version 10 SP2 MR1, you can generate a report on program starts blocked in test mode. It contains only events about blocked starts, regardless of the selected mode: Denylist or Allowlist.

Default deny is a scenario in which Application Control prohibits running any programs except those specified in the allow rules of the Application Control allowlist.

The main difficulty when working in the allowlist mode (when the start of uncategorized programs is prohibited by default) is operating system malfunction, because system files that are not explicitly allowed will be blocked along with other programs. That is why there is an allow rule for operating system files in the allowlist by default.

For example, there can be a policy for using programs on the computers that are used as point-of-sale
(POS) terminals. Only special programs must be allowed to start on them, and all unknown programs
must be prohibited.

Various configurations of allow rules are possible; it will be necessary to create one or several categories for system executable files and configure allow rules for them using one of the following methods:

— Use a reference computer with the operating system and allowed programs installed for creating an automatically filled category
— Use a directory with distributions of allowed programs for creating an automatically filled category

To prevent programs for which allow rules are configured from being blocked after upgrades, use the standard rule Trusted updaters. This rule exists by default in the list and cannot be deleted, but it is disabled by default. When enabled, the programs downloaded and installed by the applications included in the Trusted updaters category will not be blocked even if the corresponding allow rules are not configured.

The administrator can also manually assign the Trusted updaters flag to a category in the properties of an allow rule.

For more details about configuring Kaspersky Endpoint Security to default deny, refer to course KL 032.
002.11.6: Kaspersky Endpoint Security and Management. 3. Device Control
Unit III. Endpoint control

The main purpose of Device Control is clear from its name. It enables the administrator to monitor various devices in the corporate network and, if necessary, prohibit the use of some of them.

The Device Control component allows the administrator to enforce corporate security standards by specifying who can use which devices on the computers, and when. The rules may be applied to removable drives, printers, CD/DVD, non-corporate network connections, Wi-Fi, Bluetooth, etc.

The most popular use case for this component is blocking USB flash drives. A user may bring an infected file from home; accidentally or deliberately, a user can take away files of commercial value to the company on a USB drive or other removable media. Users could also connect a workstation to the internet via a smartphone. Restrictions help prevent such problems.


Different settings are available for different device types. Maximum flexibility is provided for storage devices such as:

— Hard drives
— Removable drives
— Floppy disks
— CD/DVD drives

You can specify the accounts allowed or prohibited to access the devices, you can permit only copying information from the devices and prohibit writing, or you can configure a schedule to allow access to devices only during business hours.

Other device types can only be allowed or blocked, without any flexible settings.

Wi-Fi networks deserve specific mention; they are described later.


More globally, Device Control can block a connection bus completely, meaning, any devices that will be
connected to a specific physical port of the computer will be inaccessible.

Note: Keyboard and mouse cannot be blocked, they are not subject to Device Control rules. To protect
against attacks when an infected USB flash drive pretends to be a keyboard, install and use a special
component, BadUSB Attack Prevention.

The Device Control component permits you to draw up a list of trusted devices that will always be
accessible, regardless of the rules. Plus, you can specify the users who will be allowed to work with each
specific trusted device.

Also, the administrator can grant temporary access to a prohibited device if a user needs to work with it.

Device Control is configured in the Kaspersky Endpoint Security policy. From the component properties, you can open the rules for device types, the connection bus settings, the list of trusted devices, or configure Anti-Bridging.

Some devices can be allowed, but with limitations: you can explicitly specify the prohibition schedule, restrict only write operations, or make exclusions for some users but not others. You can do that for:

— Hard drives
— Removable drives
— Floppy disks
— CD/DVD drives
All other device types you can only disable completely:

— Printers
— Modems
— Tape devices
— Multifunctional devices
— Smart card readers
— Windows CE USB ActiveSync devices
— Cameras and scanners
— Portable devices (MTP)
— Bluetooth

Access to Wi-Fi networks is special; it is described later.

Mobile phones, tablets, players and other portable devices may be treated either as portable devices
(MTP) or as removable drives, if connected as external data carriers.

The list omits image-processing devices (in particular, scanners). These can also be prohibited, but only
by blocking their connection buses.

Kaspersky Endpoint Security permits blocking connected devices by interface type (bus):

— USB
— FireWire
— Infra-Red
— Serial Port
— Parallel Port
— PCMCIA

The administrator can totally block, for example, all USB devices.

Rules for devices have a higher priority. If the USB bus is prohibited, but removable drives are allowed, a
USB flash drive will work correctly.

By default, all devices work in the “Depends on bus” mode, and all buses are allowed.

Kaspersky Endpoint Security permits blocking only those types of devices that are included in the list.
This list cannot be edited to add new devices.

You can flexibly restrict the use of removable drives, CD/DVD, hard drives and floppy disks.

The following options are available:

— You can select to prohibit only reading or only writing
— The list of accounts that are allowed to use the device type. You can select accounts from the domain to which the computer where the Administration Console is started belongs, or among local users if there is no domain. The rule will work on any computer where the policy is enforced. The Everyone universal account is always available.
— Access schedule: when access is allowed and when it is prohibited. You can manage Read and Write permissions independently. The schedule is specified by hours and days of the week. For example, you can allow Read operations for removable drives each working day from 8:00 to 21:00 to Everyone, and Write operations only to Administrators and only during business hours.

If several rules fit a user, the most restrictive of them is applied. If a device is "allowed", it means "always allow everyone to perform any operation."

You can combine the rules. For example, prohibit USB devices and removable drives, but make an exclusion for the administrators: allow them to use USB flash drives during business hours.

The changed policy comes into operation as soon as it is enforced. If, for example, removable data carriers are blocked while the user has plugged in a USB flash drive and has copied something to it, the drive becomes unavailable as soon as the policy is enforced and the next operation is blocked.

If USB flash drives are allowed in the company in principle, but the company does not welcome using them, you can configure logging of access to USB flash drives. Then for each of the selected operations the corresponding event, File operation performed, is sent to the Administration Server. It specifies who (which account) copied or deleted a file.

Unlike other events, this event will not be stored locally.

ut
By default, logging access to USB flash drives is disabled. To enable it, click the Logging button. It is
available only for removable drives. You can select which operations to log (writing and/or deleting) and
file formats:

ib
⎯ Text files
⎯ Video files
⎯ Audio files

r
Graphic files
⎯ Executable files

st
⎯ Office files
⎯ Database files
⎯ Archives

di
re
or
e d
pi
co

Device Control permits you to regulate access to Wi-Fi networks. Three actions can be taken when a device connects to a network:

— Allow
— Block
— Block with exceptions—contains additional settings that permit drawing up a list of trusted Wi-Fi networks based on network name, authentication type and encryption type. A network is considered trusted only if all the specified parameters match. If the network name is not specified, it may vary.

Connecting corporate laptops to public Wi-Fi networks is not always desirable. You can use Device Control to disable Wi-Fi. However, for laptops that users may take home, this is not the optimal solution. It is more logical to use the option Block with exceptions and specify trusted networks, for example, corporate and home.

Device Control includes the Anti-Bridging component, which enables the administrator to prohibit users from establishing two network connections simultaneously, to prevent unauthorized bridges into the internal network that bypass perimeter protection.

For example, a user's computer is connected to the corporate network. The user has connected a Wi-Fi adapter to the computer and configured it to act as a wireless access point. This access point may be used not only by those for whom it was created, but also by criminals who can use exploits for the adapter, brute-force the username and password, or employ other methods to bypass protection. As a result, the user's computer is compromised and the criminals have a stepping stone for further development of the attack. In this case, Anti-Bridging is the part of protection that stops criminals from gaining access to the internal network: as soon as the user turns on the Wi-Fi adapter, Anti-Bridging automatically disrupts all other network connections, including access to the local network, and only the Wi-Fi network remains active.

A similar threat to corporate network security may arise if a user's laptop is connected to the organization's network using a wired connection. The user may create a hotspot on a smartphone to bypass the organization's protection solutions and connect the laptop to it over Wi-Fi, and then, accidentally or intentionally, open a webpage that contains an exploit pack, which compromises the laptop; the criminals then gain the capability to attack the organization's internal network from the internet.

In both cases, there are two networks, local and Wi-Fi, on the user's computer, which is connected to the organization's network. To eliminate simultaneous operation of two networks and give preference, for example, to a wired connection, the administrator should turn on all controls in the Anti-Bridging settings and give maximum priority to the network adapter. In this case, the user will not be able to turn on a Wi-Fi network on the computer without disabling the wired network.

The Anti-Bridging component is disabled by default; to enable it, in the Device Control properties, click the corresponding link and Enable Anti-Bridging in the window that opens. After Anti-Bridging is enabled, Kaspersky Endpoint Security blocks already established connections according to the connection rules. The higher the rule on the list, the higher its priority. Anti-Bridging can block all connections except the one that has the maximum priority. For this purpose, in the Anti-Bridging window, turn on all controls and define priorities for all devices:

— Network adapter
— Wi-Fi
— Modem

Note: If several wired connections are configured, only one of them (chosen arbitrarily) will be allowed. If the Wi-Fi adapter is not connected to a network, it will not be blocked until the user tries to connect.

If there are removable drives in the company that must be allowed always and everywhere, it might be worthwhile to make them trusted.

Devices can be made trusted by their ID, by an ID mask, or by model.

Trusted devices are specified in the Kaspersky Endpoint Security policy, in Device Control | Trusted devices.

To make information about a device accessible in a policy, first connect the device to a workstation where Kaspersky Endpoint Security is installed with the Device Control component enabled; then wait for the connection event to reach the Administration Server.

The following options are available:

— Devices by ID
— Devices by model
— Devices by ID mask

The first two options allow you to select the device that you want to make trusted, and its ID or model is added to the list. The Administration Server must have the device in its database; if the Administration Server is unaware of this particular device, you cannot make it trusted.

The Devices by ID mask option allows you to type the device ID or a part of it. This does not rely on the Administration Server's knowledge of the device, only on the administrator's knowledge of the device ID. The device ID can be found in the Windows Device Manager, in the device properties on the Details tab. Look for the value of the Device Instance Path property. It looks somewhat like

USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0

When adding a mask, you can replace a part of the ID with '*' or '?' to make it applicable to multiple devices, e.g., 'NEC*CDR??'. This helps when a company has many devices with similar IDs that should be trusted. Adding a device by model can also help in this case, if all devices are from the same vendor and of the same type.
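
An added Python helper (the editor's example, not part of the course or the product) shows how such a mask can be checked against Device Instance Path strings before it goes into the policy, so that a typo does not silently trust nothing, or everything. It treats '*' as any run of characters and '?' as exactly one, escapes the backslashes, ampersands and dots that instance paths contain so they stay literal, and compares case-insensitively. Whether the product's own matcher ignores case is an assumption here; the sample IDs are the one quoted in the text plus constructed neighbours.

```python
"""Added example, not Kaspersky code: check a trusted-device ID mask against
Device Instance Path strings before putting it into the policy."""
import re
from typing import Iterable, Optional


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """'*' = any run of characters, '?' = exactly one; everything else is
    literal. re.escape keeps the backslashes, ampersands and dots that instance
    paths contain from being read as regex syntax. Matching is case-insensitive
    (assumption: Windows device IDs are compared without regard to case)."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def matches(mask: str, device_id: str) -> bool:
    """True if the whole device ID is covered by the mask."""
    return mask_to_regex(mask).fullmatch(device_id) is not None


def first_trusted_mask(masks: Iterable[str], device_id: str) -> Optional[str]:
    """Return the first mask in the list that covers device_id, or None."""
    for mask in masks:
        if matches(mask, device_id):
            return mask
    return None


# The instance path quoted in the text, plus constructed neighbours.
SAMPLE_ID = r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0"
OTHER_SERIAL = r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\9A1F00002233&0"
CDROM_ID = r"USBSTOR\CDROM&VEN_NEC&PROD_CDR01&REV_1.00\0001&0"

if __name__ == "__main__":
    mask = r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_?.??\*"
    for dev in (SAMPLE_ID, OTHER_SERIAL, CDROM_ID):
        print(matches(mask, dev), dev)
```

Test a candidate mask against the IDs of devices you do and do not intend to trust. Note what a mask that ends in '*' right after the vendor, product and revision part covers: every serial number of that model, which is convenient for a bulk purchase, but because those strings are reported by the device itself and can be cloned, such a mask trusts any device that claims to be that model.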

There is also a Comment field when adding a trusted device, which the administrator can fill in to
describe why this trusted device (or a group) is added.

To add a device by model or by ID without typing it, connect the device to a managed computer with Kaspersky Endpoint Security installed. The Device Control component must be installed too. Then wait for some time until the information about the device reaches the Administration Server.

To simplify the search for the necessary device, you can choose the device type and also specify the name of the computer where it is or was connected. Then click the Refresh button to display the filtered results.

You can also import or export the list of trusted devices in XML format. This may come in handy, for example, when you need to edit the name of a trusted device displayed in the Kaspersky Security Center interface, add many similar devices, save a backup copy of the list of trusted devices, or move the list to another server.

Before adding the device, you can also restrict the list of users that will have access to it. You may want to have trusted devices, but not necessarily want everybody to have access to them; perhaps only administrators should be able to use them.

You can import or export the list of devices only in the MMC console.
When the user attempts to connect a prohibited device, a pop-up notification is displayed. If notifications are disabled, the user might think that there is a hardware problem, contact technical support, or even worse, try to "fix" it without assistance. The administrator can modify the notification text, for example, add the contact information of the person responsible for device access. Notification templates are available in the Kaspersky Endpoint Security policy, in the Device Control settings. You can use variables in the notification text, for example, the name of the device or the blocked operation.
If pop-up notification about blocking is enabled, it contains the Request access link, which can be neither
e

disabled nor hidden.



If the user sends a request, it will be transferred to the server as a Warning event. Similar to the other
control components, requests are displayed in a special selection named User requests.
The administrator does not have to react to a request; but if they want to, they can, for example, configure
the corresponding email notifications in the Kaspersky Endpoint Security policy.
Kaspersky Endpoint Security enables users to request temporary access to blocked devices.
The procedure is as follows:
1. The user finds out that the necessary device is blocked
2. Generates a request file for it in the Kaspersky Endpoint Security local interface
3. Emails the request access file to the administrator
4. The administrator examines the request, and in the case of an affirmative answer, creates and
sends the user a special access key

Important: You can create a special access key only in the MMC console.

5. The user activates the received key. After this, the selected device (and only that device)
becomes accessible for the time span specified by the administrator. The user cannot pause
temporary access to use it later; and the administrator cannot remotely revoke temporary access
It goes without saying that many users may believe that their devices are blocked by mistake, and will ask
the administrator for temporary access. To avoid numerous requests, you can disable this capability: in
the Kaspersky Endpoint Security policy, on the Device Control tab, clear the Allow request for
temporary access checkbox.

In the local interface of Kaspersky Endpoint Security, click the button Settings and go to section Security
Controls | Device Control. Click the button Request access. The window that opens by default lists the
currently connected devices, including blocked ones (to display all devices ever connected to the
computer, apply the filter For the entire runtime). Select the device to which you want to receive
temporary access and click the button Generate request access file. Specify how long you will need to
access the device (by default, 24 hours), click the button Save and send the .akey file to the
administrator.

Note: If the administrator prohibits requesting temporary access, the button Request access appears
dimmed.

Temporary access is granted to a specific user for the specified device on the specified computer. That is
why the key is generated using the client computer’s shortcut menu, neither in the policy nor in the group
properties.

Important: You can create a special access key only in the MMC console.

A client computer can be conveniently found in the Administration Console by the Search utility. Then
the administrator should open its shortcut menu and select the Grant access to devices and data in
offline mode command. In the window that opens, switch to the Device Control tab and click the
Browse button to select the .akey file received from the user.

The Administration Server checks the file integrity and whether it belongs to the selected computer, and
then displays the request. If necessary, the administrator can change the access duration and activation
window. Both periods cannot be less than an hour or more than 999 hours. The default value for both is
24 hours.

Then the administrator is to save the generated key into an .acode file and send it to the user.

So, the key is generated for the exact device and the computer where the user generated the request
access file. Any other devices will still be blocked; also, the device for which the access was granted will
be blocked on other computers.

The key is also bound to the username. Another user will not be able to access the same device on
the same computer using this access key. If temporary access is activated by the user who requested it
and another user logs on to the computer during the allowed period, they will not be able to use
the device.

In the same window where the request key was generated, the user clicks the Activate access key
button and specifies the received .acode file. The device can be used immediately. Neither restart, nor
synchronization with the Administration Server is necessary.

The key must be activated before the specified activation window expires, and the access duration
countdown starts at the moment of activation. The device may be connected at any time (or even several
times) during this period, or not connected at all. The access countdown cannot be paused.
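The rules stated above (the key is bound to user, computer and device; both periods are 1 to 999 hours; the access countdown starts at activation and cannot be paused) can be checked with a small model. The following is an added example written for this manual, not Kaspersky code: the contents of the .akey and .acode files are not documented here, so the request and the key are modelled as plain data structures, and the user, computer and device names are constructed.

```python
"""Model of the Device Control temporary-access key flow (added example, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_HOURS, MAX_HOURS, DEFAULT_HOURS = 1, 999, 24


@dataclass(frozen=True)
class AccessRequest:
    """What the user's 'Generate request access file' step produces (modelled .akey)."""
    user: str
    computer: str
    device_id: str
    requested_hours: int = DEFAULT_HOURS


@dataclass(frozen=True)
class AccessKey:
    """What the administrator sends back (modelled .acode)."""
    user: str
    computer: str
    device_id: str
    issued_at: datetime
    activation_hours: int      # activation window, counted from issue
    access_hours: int          # access duration, counted from activation


def _check_hours(hours: int) -> int:
    if not MIN_HOURS <= hours <= MAX_HOURS:
        raise ValueError(f"period must be {MIN_HOURS}..{MAX_HOURS} hours, got {hours}")
    return hours


def issue_key(req: AccessRequest, issued_at: datetime, access_hours: Optional[int] = None,
              activation_hours: int = DEFAULT_HOURS) -> AccessKey:
    """Administrator side: the key is bound to the requesting user, computer and device."""
    duration = access_hours if access_hours is not None else req.requested_hours
    return AccessKey(req.user, req.computer, req.device_id, issued_at,
                     _check_hours(activation_hours), _check_hours(duration))


@dataclass
class ActivatedAccess:
    key: AccessKey
    activated_at: datetime

    @property
    def expires_at(self) -> datetime:
        # countdown starts at activation, not at issue, and never pauses
        return self.activated_at + timedelta(hours=self.key.access_hours)


def activate(key: AccessKey, user: str, computer: str, now: datetime) -> ActivatedAccess:
    """User side: only the bound user on the bound computer, inside the activation window."""
    if (user, computer) != (key.user, key.computer):
        raise PermissionError("key is bound to a different user or computer")
    if now > key.issued_at + timedelta(hours=key.activation_hours):
        raise PermissionError("activation window has expired")
    return ActivatedAccess(key, now)


def device_allowed(access: ActivatedAccess, user: str, computer: str,
                   device_id: str, now: datetime) -> bool:
    """Is a connection attempt covered by the activated key?"""
    k = access.key
    return ((user, computer, device_id) == (k.user, k.computer, k.device_id)
            and access.activated_at <= now <= access.expires_at)


BASE = datetime(2024, 1, 1, 9, 0)   # constructed reference time


def hours_later(h: float) -> datetime:
    return BASE + timedelta(hours=h)


def demo() -> dict:
    """Walks the flow once with constructed names and returns the observed outcomes."""
    req = AccessRequest("CORP\\alice", "WS-017", "USB\\VID_0000&PID_0000\\CONSTRUCTED-SN")
    key = issue_key(req, issued_at=BASE)            # defaults: 24 h window, 24 h access
    access = activate(key, req.user, req.computer, hours_later(5))
    out = {
        "access_hours": key.access_hours,
        "same_device_in_window": device_allowed(access, req.user, req.computer, req.device_id, hours_later(20)),
        "after_expiry": device_allowed(access, req.user, req.computer, req.device_id, hours_later(30)),
        "other_device": device_allowed(access, req.user, req.computer, "USB\\OTHER", hours_later(20)),
        "other_user": device_allowed(access, "CORP\\bob", req.computer, req.device_id, hours_later(20)),
        "other_computer": device_allowed(access, req.user, "WS-099", req.device_id, hours_later(20)),
    }
    attempts = {"other_user_activates": (key, "CORP\\bob", req.computer, hours_later(1)),
                "activation_too_late": (key, req.user, req.computer, hours_later(25))}
    for label, args in attempts.items():
        try:
            activate(*args)
            out[label] = "accepted"
        except PermissionError:
            out[label] = "rejected"
    try:
        issue_key(req, BASE, access_hours=1000)
        out["1000h_key"] = "accepted"
    except ValueError:
        out["1000h_key"] = "rejected"
    return out
```

In the walk-through the key is activated five hours after issue, so access ends at hour 29: a connection at hour 20 is allowed, one at hour 30 is not, and a second activation attempt at hour 25 fails because the 24-hour activation window has closed.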

When temporary access is activated, a notification is sent to the Administration Server, but it is not
included either in the selection of user requests, or in the report on Device Control events.

Every time a user attempts to connect a blocked device, an event is sent to the Administration Server. It
contains the time, name of the computer where the attempt was registered, bus or type of the device, its
ID, operation and the account that initiated it.



The event is named Operation with the device prohibited, it is Critical and is displayed in the selection of
Critical events. If necessary, the administrator can make a separate selection for blocked device access
attempts.

The Operation with the device allowed event having the Info severity will be sent if a non-prohibited
device is connected. The number of such events shows the use frequency of USB flash drives, local
printers, scanners, removable drives, etc.

All events, including user requests, are stored on the server for 30 days by default.

The Report on Device Control events provides a general view of the Device Control operation. It displays
a chart with the distribution of its responses by usernames. By default, the report includes all actions—
device connecting, disconnecting and blocking. To generate a report about device blocking only, leave
only the Device connection blocked checkbox selected in the Settings section of the report properties.

If necessary, the administrator can configure receiving daily email statistics about who tried to connect,
for example, USB flash drives, and when. The Deliver reports task serves this purpose; it is described in
Unit IV Maintenance.
002.11.6: Kaspersky Endpoint Security and Management. 4. Web Control
Unit III. Endpoint control

The task of web control is to filter internet access according to the internal policy of the company. Usually
it is used to block social networks, music, video, non-corporate web mail, etc. during business hours. If a
user tries to open such a website, either a notification that the access is blocked or a warning about
an unwelcome website can be displayed, depending on the settings in the policy.

Web Control operates similarly to firewalls. The administrator creates a set of blocking and allowing rules.
The rule properties include addresses or content type, user accounts, schedule and the action.

Only HTTP and HTTPS traffic is scanned.


Web Control is configured in Kaspersky Endpoint Security policy. The rules are applied in the order
specified by the administrator, and a page is processed according to the first applicable rule.

There are two default rules, which are applied depending on the selected operation mode:

— Allow all except the rules list—the Denylist mode
— Deny everything except the rules list—the Allowlist mode

By default, the Allow all universal rule is used and nothing is blocked.

Each rule has a name and the following attributes:

— Rule status
    — Active
    — Inactive
— Action
    — Allow
    — Block
    — Warn
— Filter type
    — By content categories
    — By types of data
— List of addresses
    — Apply to all addresses
    — Apply to individual addresses and/or groups
— Users
    — Apply to all users
    — Apply to individual users and/or groups
— Schedule


First, access can be denied or allowed by site address. The administrator can explicitly specify the URLs
to be blocked, or use the * wildcard to block sites by address masks—for example, *.fm or *shop*.

Kaspersky Endpoint Security can also analyze webpage content (over HTTP) and classify pages to the
following categories:

— Online stores, banks, payment systems
    — Shops and auctions
    — Banks
    — Payment systems
    — Cryptocurrencies and mining
— Internet communication
    — Web-based email
    — Social networks
    — Chats and forums
    — Blogs
    — Dating sites
— Religions, religious associations
— Job search
— Weapons, explosives, pyrotechnics
— News media
— Software, audio, video
    — Torrents
    — File sharing
    — Audio and video
— Anonymizers
— Banners
— Profanity, obscenity
— Violence
— Computer games
— Adult content
— Alcohol, tobacco, narcotics
— Gambling, lotteries, sweepstakes

The content can also be categorized by data types:

— Video
— Sound
— Office files
— Executable files
— Archives
— Graphic files

The administrator can restrict access to any category or data type, but cannot edit or add the lists of
categories and data types.

Filtering by category and type can be combined within a rule: For example, you can block office files and
archives received by web mail.

Sites are categorized using the database of known addresses (pc*.dat files in the updates folder) and
heuristic analysis of page content. URL reputation can also be requested from Kaspersky Security
Network.

Data types are hard-coded in Kaspersky Endpoint Security and include the following file types:

Category          Category contents

Executable files  Win32 PE—exe, dll, ocx, scr, drv, vdx and other extensions of Win32 PE files
                  Microsoft Installer Archive—msi

Video             Adobe Flash Video—flv, f4v
                  Audio/Video Interleave—avi
                  MPEG4 ISO format—3gp, 3g2, 3gp2, 3p2
                  MPEG4—divx, mp4, m4a
                  Matroska—mkv
                  Apple Quicktime—mov, qt
                  Microsoft Container—asf, wma, wmv
                  RealMedia CB/VB—rm, rmvb
                  MPEG2 (DVD) format—vob
                  VCD (MPEG 1)—dat, mpg
                  Bink Video—bik

Sound             MPEG-1 Layer 3—mp3
                  Lossless Audio—flac, ape
                  OGG Vorbis Audio—ogg
                  Advanced Audio Coding—aac
                  Windows Media Audio—wma
                  AC3 multichannel audio—ac3
                  Microsoft Wave—wav
                  Matroska Audio—mka
                  RealAudio—rm, ra, ravb
                  MIDI—mid, midi
                  CD digital Audio—cdr, cda

Office files      Open XML documents—docx, xlsx, pptx, dotx, potx and others
                  Office 2007 macro enabled docs—docm, xlsm, pptm, dotm
                  MS Office documents—doc, xls, ppt, dot, pot
                  Adobe Acrobat—pdf

Archives          ZIP archive—zip, g-zip
                  7-zip archive—7z, 7-z
                  RAR archive—rar
                  ISO-9660 CD Disk—iso
                  Windows Cabinet—cab
                  Java (ZIP) archive—jar
                  BZIP2 archive—bzip2, bz

Graphic files     JPEG/JFIF—jpg, jpe, jpeg, jff
                  GIF—gif
                  Portable Graphics—png
                  Windows Bitmap (DIB)—bmp
                  Targa Image File Format—tif, tiff
                  Windows Meta-File—emf, wmf
                  Post-Script Format—eps
                  Adobe Photoshop—psd
                  Corel Draw—cdr

Let’s mention some specifics of Kaspersky Endpoint Security types and categories:

— The type is defined by the file format rather than extension.
— Data types inside archives are not checked—if executable files are prohibited while archives are
not, archived executable files will be allowed
— PDF documents are included in the Office files category. Therefore, if this category is blocked,
some sites that use pdf may display incorrectly
— In old versions of Kaspersky Anti-Virus (6.0.x), Anti-Banner was implemented as a separate
component. In Kaspersky Endpoint Security, you can block banners with the corresponding
content category in Web Control
— Flash videos in SWF format can be blocked only by extension mask; usually, it is *.swf
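The first two points above (type by format, not by extension; archive contents are not typed) are easy to see with a small format sniffer. The code below is an added example for this manual, not Kaspersky code, and says nothing about how the product itself recognises formats: it uses the public magic numbers of a handful of the containers from the table, reuses the data type names of the table, and tells ZIP archives and Open XML documents apart by the presence of [Content_Types].xml. The signature table is deliberately short and the sample files are constructed in memory.

```python
"""Format-based data type sniffer (added example, not product code)."""
import io
import zipfile
from typing import Dict, List, Optional, Set, Tuple

# Constructed table: (data type name from the Web Control list, [(offset, magic bytes), ...]).
# Every (offset, magic) pair of a signature must match. Public magic numbers, not exhaustive.
SIGNATURES: List[Tuple[str, List[Tuple[int, bytes]]]] = [
    ("Executable files", [(0, b"MZ")]),                                  # Win32 PE
    ("Office files",     [(0, b"%PDF-")]),                               # Adobe Acrobat
    ("Office files",     [(0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")]),    # OLE2: doc, xls, ppt
    ("Graphic files",    [(0, b"\x89PNG\r\n\x1a\n")]),
    ("Graphic files",    [(0, b"\xff\xd8\xff")]),                        # JPEG
    ("Graphic files",    [(0, b"GIF8")]),
    ("Graphic files",    [(0, b"BM")]),                                  # Windows bitmap
    ("Sound",            [(0, b"ID3")]),                                 # MP3 with ID3 tag
    ("Sound",            [(0, b"fLaC")]),
    ("Sound",            [(0, b"OggS")]),
    ("Sound",            [(0, b"RIFF"), (8, b"WAVE")]),                  # wav
    ("Video",            [(0, b"RIFF"), (8, b"AVI ")]),                  # avi
    ("Video",            [(0, b"\x1aE\xdf\xa3")]),                       # Matroska
    ("Video",            [(0, b"FLV")]),
    ("Archives",         [(0, b"Rar!\x1a\x07")]),
    ("Archives",         [(0, b"7z\xbc\xaf\x27\x1c")]),
    ("Archives",         [(0, b"BZh")]),
    ("Archives",         [(0, b"MSCF")]),                                # Windows cabinet
    ("Archives",         [(0, b"PK\x03\x04")]),                          # ZIP family, refined below
]
ZIP_MAGIC = b"PK\x03\x04"

# Naive extension map, only to contrast with format-based classification.
BY_EXTENSION: Dict[str, str] = {"exe": "Executable files", "pdf": "Office files", "docx": "Office files",
                                "zip": "Archives", "png": "Graphic files", "mp3": "Sound"}


def _matches(data: bytes, sig: List[Tuple[int, bytes]]) -> bool:
    return all(data[off:off + len(magic)] == magic for off, magic in sig)


def _classify_zip(data: bytes) -> str:
    """Open XML documents are ZIP containers; [Content_Types].xml marks them as Office files."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" in zf.namelist():
                return "Office files"
    except zipfile.BadZipFile:
        pass
    return "Archives"


def classify(data: bytes) -> Optional[str]:
    """Data type from the first bytes of the object; None if no signature matches."""
    for dtype, sig in SIGNATURES:
        if _matches(data, sig):
            return _classify_zip(data) if sig[0][1] == ZIP_MAGIC else dtype
    return None


def classify_by_extension(name: str) -> Optional[str]:
    return BY_EXTENSION.get(name.rsplit(".", 1)[-1].lower())


def would_block(data: bytes, blocked_types: Set[str]) -> bool:
    """Rule with blocked data types: only the outer object's type is consulted,
    so an executable inside an archive is not seen (as the text warns)."""
    return classify(data) in blocked_types


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Builds a ZIP archive in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a minimal PE-looking header and an Open XML-looking container.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
SAMPLE_ZIPPED_EXE = make_zip({"tool.exe": SAMPLE_EXE})
```

With executable files blocked but archives allowed, `would_block(SAMPLE_EXE, {"Executable files"})` is true while `would_block(SAMPLE_ZIPPED_EXE, ...)` is false, and a file named report.pdf whose bytes start with MZ is classified as an executable regardless of its name.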

Sometimes a site can be blocked by mistake. For example, a corporate portal can be recognized as
a social network, or online trainings can be blocked because of video files. In this case, it is easier to
create an allow rule instead of creating a separate group with a special policy. You can configure an allow
rule giving access to some categories or data types located on the specified servers.

To have such a rule applied before the blocking rules, place it higher on the list.

The organization policy can even prohibit the internet during business hours and allow only the corporate
site. An exclusion can be made only for the IT department. In this case, the administrator creates
the general rule: during business hours, deny everybody everything. Then adds two allow rules above it:
the first allows any content to the IT department employees, and the second allows everybody to
access the corporate site.


When there are many rules, it is sometimes difficult to monitor which of them were applied and why. For
this purpose, Kaspersky Endpoint Security has an offline diagnostics tool for Web Control.

To use it, first enforce the policy on a workstation, and then open the local Kaspersky Endpoint Security
interface on that workstation. Open the Settings, select Web Control and click Rules diagnostics. It
opens the window where you can specify the conditions of a presumed request:

— Select categories
— Select data types
— Specify day and time
— Select accounts
— Type site address (the * wildcard is allowed)

As a result, you will see if web control blocks this address and the list of rules applicable to these
conditions.

For example, the administrator can check whether access to a personal home mail server of an employee
is blocked by the rule that blocks web mail. On the other hand, if users complain that they cannot access
an allowed site, you can find out which rule works incorrectly.
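The rule semantics described in this section (ordered rules, first applicable rule wins, a default rule chosen by the Denylist or Allowlist mode, rule attributes for address masks, users, categories, data types and schedule, and the Rules diagnostics question "which rules apply to these conditions") can be written down as a small model. The following is an added example for this manual, not Kaspersky code: address masks are matched with Python's fnmatch (the product documents only the * wildcard), a "page" is represented by the categories and data type it has already been assigned, and the policy, rule names, users and addresses follow the business-hours example from the text but are constructed.

```python
"""Model of Web Control rule evaluation and rules diagnostics (added example, not product code)."""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, Optional, Tuple

ALLOW, BLOCK, WARN = "Allow", "Block", "Warn"


@dataclass(frozen=True)
class Request:
    """The presumed request, as entered in the Rules diagnostics window."""
    url: str                                   # host and path without scheme, e.g. "mail.example.net/inbox"
    user: str
    when: datetime
    categories: FrozenSet[str] = frozenset()   # content categories assigned to the page
    data_type: Optional[str] = None            # data type of the requested object, if known


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    active: bool = True
    address_masks: Tuple[str, ...] = ()              # () = apply to all addresses; * wildcard
    users: FrozenSet[str] = frozenset()              # empty = apply to all users
    categories: FrozenSet[str] = frozenset()         # empty = any category
    data_types: FrozenSet[str] = frozenset()         # empty = any data type
    weekdays: FrozenSet[int] = frozenset(range(7))   # schedule, 0 = Monday
    hours: Tuple[int, int] = (0, 24)                 # schedule, [start, end) hour

    def matches(self, r: Request) -> bool:
        """Every configured attribute must hold; category and data type combine with AND."""
        if not self.active:
            return False
        if self.address_masks and not any(fnmatchcase(r.url, m) for m in self.address_masks):
            return False
        if self.users and r.user not in self.users:
            return False
        if self.categories and not (self.categories & r.categories):
            return False
        if self.data_types and r.data_type not in self.data_types:
            return False
        return r.when.weekday() in self.weekdays and self.hours[0] <= r.when.hour < self.hours[1]


@dataclass
class WebControlPolicy:
    rules: List[Rule]                 # in the order set by the administrator
    denylist_mode: bool = True        # True: Allow all except the list; False: Deny everything except it

    def evaluate(self, r: Request) -> Tuple[str, str]:
        """First applicable rule wins; otherwise the mode's default rule."""
        for rule in self.rules:
            if rule.matches(r):
                return rule.action, rule.name
        return (ALLOW, "Allow all") if self.denylist_mode else (BLOCK, "Deny everything")


def rules_diagnostics(policy: WebControlPolicy, r: Request) -> Dict[str, object]:
    """Same answer as the diagnostics window: verdict, deciding rule, all applicable rules."""
    verdict, decided_by = policy.evaluate(r)
    applicable = [rule.name for rule in policy.rules if rule.matches(r)]
    return {"verdict": verdict, "decided_by": decided_by, "applicable": applicable}


# Constructed policy following the business-hours example: a general deny rule at the
# bottom, the two allow rules placed above it, plus one combined category+type rule.
WORKDAYS, BUSINESS_HOURS = frozenset(range(5)), (9, 18)
IT_STAFF = frozenset({"CORP\\it-admin"})


def example_policy() -> WebControlPolicy:
    return WebControlPolicy(rules=[
        Rule("IT department: allow any content", ALLOW, users=IT_STAFF),
        Rule("Everybody: corporate site", ALLOW, address_masks=("corp.example/*", "*.corp.example/*")),
        Rule("Web mail: block office files and archives", BLOCK,
             categories=frozenset({"Web-based email"}),
             data_types=frozenset({"Office files", "Archives"})),
        Rule("Business hours: deny everything", BLOCK, weekdays=WORKDAYS, hours=BUSINESS_HOURS),
    ])


# Constructed timestamps: 2024-01-08 is a Monday, 2024-01-13 a Saturday.
MONDAY_10 = datetime(2024, 1, 8, 10, 0)
MONDAY_20 = datetime(2024, 1, 8, 20, 0)
SATURDAY_10 = datetime(2024, 1, 13, 10, 0)
```

Running `rules_diagnostics` on the corporate site during business hours lists both the corporate allow rule and the deny-everything rule as applicable, with the allow rule deciding because it is higher; moving the deny rule to the top of the list flips the verdict, which is exactly the ordering problem the diagnostics tool is meant to surface.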


If Web Control blocks a part of page contents, the user may overlook it. If the page is completely
forbidden, a replacement page with the Web Control message will be displayed: either a warning that
access is undesired, or a message about blocking.

If the site is just undesirable (a Warning rule has been triggered), the user can proceed to the page by
clicking one of the links in the warning message: The link to the specific page that was requested, the link
that enables access to all pages of the website, or all pages of the website and its sub sites (meaning,
*.amazon.com/* rather than only www.amazon.com/*).

If the site is blocked by Web Control, there are no links to proceed, access is completely denied.

There is also a Request access link in Web Control messages for the users who disagree with the policy
and want to request access to a blocked website. Requests are sent to the Administration Server as
events and fall into the User requests selection.
Notification templates are available in the Kaspersky Endpoint Security policy, in the Web Control
settings. You can use variables.

There is the To (Email address) field in the webpage request template in case the Administration Server
is inaccessible. In this case, a request will be sent to the server in an email message rather than event.
When Web Control blocks access or warns that the access is unwanted, it simultaneously sends
the corresponding event to the Administration Server: Access blocked with Critical severity, or Warning
about unwanted content with Warning severity, respectively.
In both cases, an event contains the access time, site URL, applied rule, computer name, user account
and Web Control verdict. If the rule was created for a category or data type, they are also specified.

Note: Web Control independently processes each object of which the site consists. That is why, for
example, when graphic files are prohibited, blockage of each little image generates a separate event.
Therefore, an attempt to access a forbidden site can result in sending hundreds of events, which does not
necessarily signify that the user browses the internet day and night. That is why these events are not
transferred to the Administration Server by default.

If a user ignores the warning about undesired access and opens the site, the Access to unwanted content
successfully attempted after warning event with the Warning severity is sent to the server.
Reports come in handy for regular control and general information. The Web Control report provides
aggregate statistics on the number of warnings and blockages for each rule. Allowing rules are not included.
002.11.6: Kaspersky Endpoint Security and Management. 5. Adaptive Anomaly Control
Unit III. Endpoint control

Adaptive Anomaly Control contains a set of activity patterns (heuristics), which are updated together with
antivirus databases.

These patterns describe most common behaviors characteristic of malware that may indicate possible
attempts to compromise security.

On the other hand, some of these activities may be legitimate for a specific computer or group of
computers. For example, PowerShell run from another program is quite an ordinary event on an
administrator’s or developer’s computer. Obfuscated PowerShell scripts may also be used for automating
various tasks at a company.



The administrator is to instruct Adaptive Anomaly Control which activity is typical for a specific computer
and which is not; that is why the component works in the training mode (Smart Mode) for two weeks by
default. During this time, it monitors activities, informs the administrator about them, and it is the
administrator (rather than the component) who makes the decision whether a specific activity is normal
for a computer.

Training in Smart Mode goes independently for each rule on each computer; meaning, on some
computers it will complete sooner, while on some others, later.

Note: Unlike other control components, Adaptive Anomaly Control needs at least KESB Advanced
license.

The Adaptive Anomaly Control component is installed and enabled by default; but it works in the Smart
mode at first.

Adaptive Anomaly Control is configured in Kaspersky Endpoint Security policy. From the component’s
properties, you can open its reports and the list of rules.
Adaptive Anomaly Control uses rules (activity patterns), which are supplied together with antivirus
databases, meaning, are updatable. The rules comprise several categories:

— Activity of office applications
— Use of Windows Management Instrumentation (WMI)
— Activity of script engines and frameworks
— Abnormal program activity

When the administrator opens the rules, there is the message that updates are to be approved. The
approval is rather informational and does not influence the component’s operation. However, the
administrator will only be able to add an exclusion to a rule after clicking the Approve updates button.

If a new rule is added later, the update approval message will appear again to draw the administrator’s
attention.

Rules have the following settings: On/Off status, Smart/Block/Notify operation mode and exclusions.

You can explicitly specify the Block or Notify mode for each rule; by default, the Smart mode is enabled.
The Smart mode is tightly related to Kaspersky Security Center and the administrator’s actions. As we
already mentioned, the component learns for approximately two weeks after the installation; during this
time, nothing is blocked, but information about matched rules is sent to Kaspersky Security Center.

In an ideal situation when there are no matches in these two weeks, it means that the behavior described
in the rules is not typical for the computer. Adaptive Anomaly Control switches to the Smart Block mode
and if a non-typical activity is detected, it will be blocked.

If some rules are matched during the training period, the respective events appear in Operations |
Repositories | Triggering of Rules in Smart Training State on the Administration Server, which require
the administrator’s attention.

When an event arrives, the administrator is to process it. The administrator can confirm that the activity is
abnormal or add it to exclusions.

— Confirm means that the administrator agrees that this behavior is suspicious and illegitimate
— Exclude means that the administrator considers this activity to be normal and wants to create an
exclusion in the rule for this specific activity

Why process events? What if the administrator ignores them?

Event processing influences only the duration of the training mode. Adaptive Anomaly Control needs
about 14 days to complete training. If the administrator does not process events, the counter will be reset
every time when a new event arrives. If the server receives no verdicts in 14 consecutive days, Adaptive
Anomaly Control will switch to the Smart Block mode. Adaptive Anomaly Control may get looped in
eternal training if a rule is matched regularly (at least once every 14 days), but the administrator does not
process it.

If the administrator pays enough attention to the events and processes them in a timely manner, the
counter will not be reset and training will complete in two weeks.

Training goes on individually for each rule on each computer and information about confirmed verdicts is
stored locally on the computers; each rule has its own training duration counter.

Important: The Adaptive Anomaly Control component cannot decide whether a behavior is typical on its
own. For Adaptive Anomaly Control, any activity that matches a rule is non-typical, and only the
administrator can tell that a suspicious activity is legitimate. For this purpose, add the activity to
exclusions within the rule that detects this activity. In the Block mode, Adaptive Anomaly Control operates
on the default deny principle, meaning, a non-typical activity will be blocked until the administrator creates
an exclusion for it.


Exclusions are added to the Kaspersky Endpoint Security policy and apply to all computers where it is
enforced.

The main parameters of exclusions are:

— User
— Source process
— Source process hash
— Target process
— Target process hash

Note that the same system processes will have different checksums on different operating systems, and
an exclusion created from an event logged on one computer may not be applicable to others. In this case,
you need to either create additional exclusions, or adjust the current one, for example, remove the
checksum and leave only the path to the process.
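The two mechanisms described above, the per-rule, per-computer training counter (14 quiet days, reset by every unprocessed event) and exclusion matching by user, process paths and checksums, can be put together in one model. The code below is an added example for this manual, not Kaspersky code, and it simplifies: "the administrator processes the event" is a flag passed in with each activity, the counter is a date rather than a timer, and the rule name, user, process paths and hash values are constructed placeholders. It shows the three training outcomes from the text (timely processing, late switch after an unprocessed event, eternal training) and why an exclusion that keeps the checksum from one computer does not cover the same process on another operating system build.

```python
"""Model of Adaptive Anomaly Control training and exclusions (added example, not product code)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

TRAINING_DAYS = 14
SMART_TRAINING, SMART_BLOCK, BLOCK, NOTIFY = "Smart Training", "Smart Block", "Block", "Notify"


@dataclass(frozen=True)
class Activity:
    """One rule match, carrying the fields an exclusion is built from."""
    rule: str
    user: str
    source_path: str
    source_hash: str
    target_path: str
    target_hash: str


@dataclass(frozen=True)
class Exclusion:
    """A None field is a wildcard: dropping the checksum and keeping only the path is
    what lets one exclusion cover the same process on several OS builds."""
    user: Optional[str] = None
    source_path: Optional[str] = None
    source_hash: Optional[str] = None
    target_path: Optional[str] = None
    target_hash: Optional[str] = None

    def matches(self, a: Activity) -> bool:
        pairs = ((self.user, a.user), (self.source_path, a.source_path),
                 (self.source_hash, a.source_hash), (self.target_path, a.target_path),
                 (self.target_hash, a.target_hash))
        return all(want is None or want.lower() == got.lower() for want, got in pairs)


@dataclass
class RuleState:
    """Training counter of one rule on one computer (kept locally, as the text says)."""
    installed: date
    admin_mode: Optional[str] = None      # Block or Notify set explicitly in the policy
    last_reset: Optional[date] = None     # day the 14-day counter last (re)started

    def __post_init__(self) -> None:
        if self.last_reset is None:
            self.last_reset = self.installed

    def mode_on(self, today: date) -> str:
        if self.admin_mode:
            return self.admin_mode
        quiet_days = (today - self.last_reset).days
        return SMART_BLOCK if quiet_days >= TRAINING_DAYS else SMART_TRAINING


class AdaptiveAnomalyControlModel:
    def __init__(self, installed: date, exclusions: Optional[List[Exclusion]] = None) -> None:
        self.installed = installed
        self.exclusions = list(exclusions or [])
        self.states: Dict[Tuple[str, str], RuleState] = {}

    def state(self, rule: str, computer: str) -> RuleState:
        return self.states.setdefault((rule, computer), RuleState(self.installed))

    def on_activity(self, computer: str, a: Activity, today: date, admin_processes: bool) -> str:
        """Returns 'excluded', 'notified' or 'blocked'. admin_processes says whether the
        resulting event is handled (Confirm/Exclude); an unhandled one resets the counter."""
        if any(e.matches(a) for e in self.exclusions):
            return "excluded"
        st = self.state(a.rule, computer)
        mode = st.mode_on(today)
        if mode == SMART_TRAINING:
            if not admin_processes:
                st.last_reset = today
            return "notified"
        return "notified" if mode == NOTIFY else "blocked"


# Constructed sample: PowerShell started by Word; same paths, different target hash on another build.
INSTALLED = date(2024, 1, 1)
PS_FROM_WORD = Activity("Activity of office applications", "CORP\\alice",
                        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "HASH-WINWORD-A",
                        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "HASH-PS-BUILD1")
PS_FROM_WORD_OTHER_BUILD = replace(PS_FROM_WORD, target_hash="HASH-PS-BUILD2")


def d(offset: int) -> date:
    return INSTALLED + timedelta(days=offset)


def scenario() -> dict:
    aac, rule, out = AdaptiveAnomalyControlModel(INSTALLED), PS_FROM_WORD.rule, {}
    # PC1: the day-4 event is left unprocessed, so the 14-day count restarts on day 4.
    out["pc1_day4"] = aac.on_activity("PC1", PS_FROM_WORD, d(4), admin_processes=False)
    out["pc1_mode_day14"] = aac.state(rule, "PC1").mode_on(d(14))
    out["pc1_mode_day18"] = aac.state(rule, "PC1").mode_on(d(18))
    out["pc1_day19"] = aac.on_activity("PC1", PS_FROM_WORD, d(19), admin_processes=True)
    # PC2: same event, processed in time: the count is not reset and training ends on day 14.
    out["pc2_day4"] = aac.on_activity("PC2", PS_FROM_WORD, d(4), admin_processes=True)
    out["pc2_mode_day14"] = aac.state(rule, "PC2").mode_on(d(14))
    # PC3: an unprocessed match every 10 days keeps the rule in training indefinitely.
    for day in (3, 13, 23, 33):
        aac.on_activity("PC3", PS_FROM_WORD, d(day), admin_processes=False)
    out["pc3_mode_day40"] = aac.state(rule, "PC3").mode_on(d(40))
    # Exclusion taken verbatim from the PC1 event (with checksums) versus path-only.
    strict = Exclusion(source_path=PS_FROM_WORD.source_path, source_hash=PS_FROM_WORD.source_hash,
                       target_path=PS_FROM_WORD.target_path, target_hash=PS_FROM_WORD.target_hash)
    loose = Exclusion(source_path=PS_FROM_WORD.source_path, target_path=PS_FROM_WORD.target_path)
    out["strict_on_other_build"] = strict.matches(PS_FROM_WORD_OTHER_BUILD)
    out["loose_on_other_build"] = loose.matches(PS_FROM_WORD_OTHER_BUILD)
    aac.exclusions.append(loose)
    out["pc1_after_exclusion"] = aac.on_activity("PC1", PS_FROM_WORD_OTHER_BUILD, d(20), True)
    return out
```

The model keeps one `RuleState` per (rule, computer) pair, so PC1, PC2 and PC3 reach Smart Block at different times or not at all, which is the "training goes on individually for each rule on each computer" point from the text.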
When non-typical activity is detected, a pop-up notification is displayed.
If notifications are disabled, the user might think that something is wrong with an application or the
operating system, contact the technical support, or even worse, try to “fix” it without assistance. The
administrator can modify the notification text, for example, add the contact information of the person
responsible for device access.

Notification templates are available in the Kaspersky Endpoint Security policy, in the Adaptive Anomaly
Control settings.

If pop-up notification about blocking is enabled, it contains the Request access link, which can be neither
disabled nor hidden.

If the user sends a request, it will be transferred to the server as a Warning event. Similar to the other
control components, requests are displayed in a special selection named User requests.

The administrator does not have to react to a request; but if they want to, they can, for example, configure
the corresponding email notifications in the Kaspersky Endpoint Security policy.

Every time when a rule is matched in the Block, Smart Block, or Notify mode, Adaptive Anomaly Control
sends the corresponding Critical or Information event to the Administration Server.

In any case, an event contains the rule name, description of the suspicious activity with processes and
checksums, name of the user, computer name, date and time.
The administrator can study an event and if the activity is legitimate, add an exclusion to the Kaspersky
Endpoint Security policy for the Adaptive Anomaly Control component right from the event. For this
purpose, select the event and carry out the Exclude from Adaptive Anomaly Control command. If
several policies are configured for Kaspersky Endpoint Security, the wizard will prompt you to select the
necessary one.

Adaptive Anomaly Control has two types of events:

— Process action skipped—Information
— Process action blocked—Critical

The former event is generated if an Adaptive Anomaly Control rule is matched in the Notify mode. The
latter event is generated if an Adaptive Anomaly Control rule is matched in the Block or Smart Block
mode.

If Adaptive Anomaly Control is used in the network, we recommend that the administrator create an
individual selection for its events.



All events, including user requests, are stored on the server for 30 days by default.
Reports come in handy for regular control and general information. Adaptive Anomaly Control has two
reports:

— Report on Adaptive Anomaly Control rules state
— Report on triggered rules of Adaptive Anomaly Control

The former shows in which mode a rule works. By default, an aggregate chart displays how many rules
are operating in each mode. The Details tab provides particularized information about rules’ status on
each specific computer.

Also, this report is the only place where you can see which rules have switched from the Smart Training
mode to Smart Block.


The Adaptive Anomaly Control report shows which rules have been matched and in which mode: Block or
Notify. The Summary tab shows an aggregate chart for rule matches; and the Details tab, detailed
information for each computer.

If a rule switches to the Smart Block mode, information about its matches will also be included in the
report.

v1.0.2
