Groups of applications

This section describes how to manage groups of applications installed on devices.

Creating application categories

Kaspersky Security Center allows you to create categories of applications installed on devices.

Application categories can be created in one of the following ways:

• The administrator specifies a folder in which executable files have been included in the selected category.
• The administrator specifies a device from which executable files are to be included in the selected category.
• The administrator sets criteria to be used to include applications in the selected category.

When an application category is created, the administrator can set rules for the application category. Rules define the behavior of applications included in the specified category. For example, you can block or allow startup of applications included in the category.

Managing applications run on devices

Kaspersky Security Center allows you to manage startup of applications on devices in Allowlist mode. For detailed description see Kaspersky Endpoint Security for Windows Online Help. While in Allowlist mode, on selected devices you can only start applications included in the specified categories. The administrator can view results of static analysis applied to rules of applications run on devices for each user.

Inventory of software installed on devices

Kaspersky Security Center allows you to perform inventory of software on devices running Windows. Network Agent retrieves information about all applications installed on devices. Information retrieved during inventory is displayed in the workspace of the Applications registry folder. The administrator can view detailed information about any application, including its version and manufacturer.

The number of executable files received from a single device cannot exceed 150,000. Having reached this limit, Kaspersky Security Center cannot receive any new files.

Licensed applications group management

Kaspersky Security Center allows you to create licensed applications groups. A licensed applications group includes applications that meet criteria set by the administrator. The administrator can specify the following criteria for licensed applications groups:

• Application name
• Application version
• Manufacturer
• Application tag

Applications that meet one or several criteria are automatically included in a group. To create a licensed applications group, you must set at least one criterion for including applications in this group.

Each licensed applications group has its own license key. The license key of a licensed applications group defines the maximum allowed number of installations for applications included in this group. If the number of installations has exceeded the limit set by the license key, an informational event is logged on Administration Server. The administrator can specify an expiration date for the license key. When this date arrives, an informational event is logged on Administration Server.

Viewing information about executable files

Kaspersky Security Center retrieves all information about executable files that have been run on devices since the operating system was installed on them. Information about executable files is displayed in the main application window, in the workspace of the Executable files folder.

Scenario: Application Management

You can manage applications startup on user devices. You can allow or block applications to be run on managed devices. This functionality is realized by the Application Control component. You can manage applications installed on Windows devices.

Prerequisites

• Kaspersky Security Center is deployed in your organization.
• The Kaspersky Endpoint Security for Windows policy is created and is active.

Stages

The Application Control usage scenario proceeds in stages:

1. Forming and viewing the list of applications on client devices

   This stage helps you find out what applications are installed on managed devices. You can view the list of applications and decide which applications you want to allow and which you want to prohibit, according to your organization's security policies. The restrictions can be related to the information security polices in your organization. You can skip this stage if you know exactly what applications are installed on managed devices.

   How-to instructions:

   • Administration Console: Viewing application registry
   • Kaspersky Security Center 13.1 Web Console: Obtaining and viewing a list of applications installed on client devices
2. Forming and viewing the list of executable files on client devices

   This stage helps you find out what executable files are found on managed devices. View the list of executable files and compare it with the lists of allowed and prohibited executable files. The restrictions on executable files usage can be related to the information security polices in your organization. You can skip this stage if you know exactly what executable files are installed on managed devices.

   How-to instructions:

   • Administration Console: Inventory of executable files
   • Kaspersky Security Center 13.1 Web Console: Obtaining and viewing a list of executable files stored on client devices
3. Creating application categories for the applications used in your organization

   Analyze the lists of applications and executable files stored on managed devices. Basing on the analysis, create application categories. It is recommended to create a "Work applications" category that covers the standard set of applications that are used at your organization. If different user groups use different sets of applications in their work, a separate application category can be created for each user group.

   Depending the set of criteria to create an application category, you can create application categories of three types.

   How-to instructions:

   • Administration Console: Creating application categories for Kaspersky Endpoint Security for Windows policies, Creating an application category with content added manually, Creating an application category with content added automatically
   • Kaspersky Security Center 13.1 Web Console: Creating application category with content added manually, Creating application category that includes executable files from selected devices, Creating application category that includes executable files from selected folder
4. Configuring Application Control in the Kaspersky Endpoint Security for Windows policy

   Configure the Application Control component in the Kaspersky Endpoint Security for Windows policy using the application categories you have created on the previous stage.

   How-to instructions:

   • Administration Console: Configuring application startup management on client devices
   • Kaspersky Security Center 13.1 Web Console: Configuring Application Control in the Kaspersky Endpoint Security for Windows policy
5. Turning on Application Control component in test mode

   To ensure that Application Control rules do not block applications required for user's work, it is recommended to enable testing of Application Control rules and analyze their operation after creating new rules. When testing is enabled, Kaspersky Endpoint Security for Windows will not block applications whose startup is forbidden by Application Control rules, but will instead send notifications about their startup to the Administration Server.

   When testing Application Control rules, it is recommended to perform the following actions:

   • Determine the testing period. Testing period can vary from several days to two months.
   • Examine the events resulting from testing the operation of Application Control.

   How-to instructions for Kaspersky Security Center 13.1 Web Console: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow this instruction and enable the Test Mode option in configuration process.

6. Changing the application categories settings of Application Control component

   If necessary, make changes to the Application Control settings. Based on the test results, you can add executable files related to events of the Application Control component to an application category with content added manually.

   How-to instructions:

   • Administration Console: Adding event-related executable files to the application category
   • Kaspersky Security Center 13.1 Web Console: Adding event-related executable files to the application category
7. Applying the rules of Application Control in operation mode

   After Application Control rules are tested and configuration of application categories is complete, you can apply the rules of Application Control in operation mode.

   How-to instructions for Kaspersky Security Center 13.1 Web Console: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow this instruction and disable the Test Mode option in configuration process.

8. Verifying Application Control configuration

   Be sure that you have done the following:

   • Created application categories.
   • Configured Application Control using the application categories.
   • Applied the rules of Application Control in operation mode.

Results

When the scenario is complete, applications startup on managed devices is controlled. The users can start only those applications that are allowed in your organization and cannot start applications that are prohibited in your organization.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online Help and to the Kaspersky Security for Virtualization Light Agent.

Creating application categories for Kaspersky Endpoint Security for Windows policies

You can create application categories for Kaspersky Endpoint Security for Windows policies from the Application categories folder and from the Properties window of a Kaspersky Endpoint Security for Windows policy.

To create an application category for a Kaspersky Endpoint Security policy from the Application categories folder:

1. In the console tree, select Advanced → Application management → Application categories.
2. In the workspace of the Application categories folder, click the New category button.

   The New Category Wizard starts.

3. On the Category type page, select the type of user category:
   • Category with content added manually. Specify the criteria that will be used to assign executable files to the category that is being created.
   • Category that includes executable files from selected devices. Specify a device whose executable files must be automatically assigned to the category.
   • Category that includes executable files from a specific folder. Specify a folder whose executable files must be automatically assigned to the category.
4. Follow the instructions of the Wizard.

When the Wizard finishes, a custom application category is created. You can view newly created categories by using the list of categories in the workspace of the Application categories folder.

You can also create an application category from the Policies folder.

To create an application category from the Properties window of a Kaspersky Endpoint Security for Windows policy:

1. In the console tree, select the Policies folder.
2. In the workspace of the Policies folder, select a Kaspersky Endpoint Security policy for which you want to create a category.
3. Right-click and select Properties.
4. In the Properties window that opens, in the left Sections pane select Security Controls → Application control.
5. In the Application control section, in the Control mode and Action drop-down lists make selections for the Allowlist or Denylist, and then click the Add button.

   The Application Control rule window containing a list of categories opens.

6. Click the Create new button.
7. Enter the name of the new category and click OK.

   The New Category Wizard starts.

8. On the Category type page, select the type of user category:
   • Category with content added manually. Specify the criteria that will be used to assign executable files to the category that is being created.
   • Category that includes executable files from selected devices. Specify a device whose executable files must be automatically assigned to the category.
   • Category that includes executable files from a specific folder. Specify a folder whose executable files must be automatically assigned to the category.
9. Follow the instructions of the Wizard.

When the Wizard finishes, a custom application category is created. You can view newly created categories in the list of categories.

Application categories are used by the Application Control component included in Kaspersky Endpoint Security for Windows. Application Control allows the administrator to impose restrictions on the startup of applications on client devices—for example, restricting the startups to applications in a specified category.

Creating an application category with content added manually

Expand all | Collapse all

To create an application category with content added manually:

1. In the console tree, in the Advanced → Application management folder select the Application categories subfolder.
2. Click the New category button.

   The New Category Wizard starts. Proceed through the wizard by using the Next button.

3. On the Category type wizard page, select Category with content added manually as the user category type.
4. On the Enter the application category name wizard page, enter the new application category name.
5. On the Configuring conditions for inclusion of applications in categories page, click the Add button.
6. In the drop-down list, specify the relevant settings:
   • From the list of executable files

     If this option is selected, you can use the list of executable files on the client device to select and add applications to the category.

   • From file properties

     If this option is selected, you can specify the detailed data for the executable files that will be added to the user application category.

   • Metadata from files in folder

     Specify a folder on the client device that contains executable files. The metadata in the executable files that are included in the specified folder will be sent to Administration Server. Executable files that contain the same metadata will be added to the user application category.

   • Checksums of the files in the folder

     If this option is selected, you can select or create a folder on the client device. The MD5 hash of the files in a specified folder will be sent to Administration Server. The applications that have the same hash as the files in the specified folder are added to the user application category.

   • Certificates for the files from the folder

     If this option is selected, you can specify the folder on the client device, which contains executable files signed with certificates. Certificates of executable files are read and added to the category's conditions. Executable files that have been signed in accordance with the specified certificates will be added to the user category.

   • MSI installer files metadata

     If this option is selected, you can specify an MSI installer file as the condition of adding applications to the user category. The application installer metadata will be sent to Administration Server. The applications for which the installer metadata is the same as for the specified MSI installer are added to the user application category.

   • Checksums of the files from the MSI installer of the application

     If this option is selected, you can specify an MSI installer file as the condition of adding applications to the user category. The hash of the application installer files will be sent to Administration Server. The applications for which the hash of MSI installer files is identical to the specified hash are added to the user application category.

   • From KL category

     If this option is selected, you can specify a Kaspersky application category as the condition of adding applications to the user category. The applications from the specified Kaspersky category will be added to the user application category.

   • Specify path to application (masks supported)

     If this option is selected, you can specify the path to the folder on the client device containing the executable files that are to be added to the user application category.

   • Select certificate from repository

     If this option is selected, you can specify certificates from the storage. Executable files that have been signed in accordance with the specified certificates will be added to the user category.

   • Drive type

     If this option is selected, you can specify the type of the medium (any drive or removable drive) on which the application is run. Applications that have been run on the selected drive type are added to the user application category.

7. On the Creating the application category wizard page, click the Finish button.

   Kaspersky Security Center only handles metadata from digitally signed files. No category can be created on the basis of metadata from files that do not contain a digital signature.

When the Wizard has completed, a user application category is created, with content added manually. You can view the newly created category using the list of categories in the workspace of the Application categories folder.

Creating an application category with content added automatically

Expand all | Collapse all

To create an application category with content added automatically:

1. In the console tree, in the Advanced → Application management folder select the Application categories subfolder.
2. Click the New category button to start the New Category Wizard.

   In the Wizard window, select Category with content added automatically as the user category type.

3. In the Repository folder window, specify the relevant settings:
   • Path to folder for automatic category content addition

     In this field, specify the path to the folder in which Administration Server will regularly search for executable files. The path to this folder is specified when the category is created. The path to this folder cannot be changed.

   • Include dynamic-link libraries (DLL) in this category

     The application category includes dynamic-link libraries (files in DLL format), and the Application Control component logs the actions of such libraries running in the system. Including DLL files in the category may lower the performance of Kaspersky Security Center.

     By default, this check box is cleared.

   • Include script data in this category

     The application category includes data on scripts, and scripts are not blocked by Web Threat Protection. Including the script data in the category may lower the performance of Kaspersky Security Center.

     By default, this check box is cleared.

   • Hash value computing algorithm

     Depending on the version of the security application installed on devices on your network, you must select an algorithm for hash value computing by Kaspersky Security Center for files in this category. Information about computed hash values is stored in the Administration Server database. Storage of hash values does not increase the database size significantly.

     SHA-256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security 10 Service Pack 2 for Windows and later versions support SHA-256 computing. Computing of the MD5 hash function is supported by all versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows.

     Select either of the options of hash value computing by Kaspersky Security Center for files in the category:

     • If all instances of security applications installed on your network are Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions, select the SHA-256 check box. We do not recommend that you add any categories created according to the criterion of the SHA-256 hash of an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows. This may result in failures in the security application operation. In this case, you can use the MD5 cryptographic hash function for files of the category.
     • If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are installed on your network, select the MD5 hash. You cannot add a category that was created based on the criterion of the MD5 checksum of an executable file for Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA-256 cryptographic hash function for files of the category.

     If different devices on your network use both earlier and later versions of Kaspersky Endpoint Security 10, select both the SHA-256 check box and the MD5 hash check box.

     The Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and any later versions) check box is selected by default.

     The Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows) is cleared by default.

   • Force folder scan for changes

     If this option is enabled, the application regularly checks the folder of category content addition for changes. You can specify the frequency of checks (in hours) in the entry field next to the check box. By default, the time interval between forced checks is 24 hours.

     If this option is disabled, the application does not force any checks of the folder. The Server attempts to access files if they have been modified, added, or deleted.

     By default, this option is disabled.

   • Force folder scan for changes

     In this field, you can specify the time interval (in hours) after which the application starts a forced check for changes to the folder of automatic category content addition. By default, the time interval between forced checks is 24 hours. This field is available if the Force folder scan for changes check box is selected.

     By default, this check box is cleared.

4. Follow the instructions of the Wizard.

When the Wizard completes, an application category with content added automatically is created. You can view the newly created category using the list of categories in the workspace of the Application categories folder.

Adding event-related executable files to the application category

Expand all | Collapse all

You can add executable files related to the Application startup prohibited and Application startup prohibited in test mode events to an existing application category with content added manually or to a new application category.

To add executable files related to Application Control events to the application category:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Events tab.
3. On the Events tab, select the required events.
4. In the context menu of one of the selected events, select Add to category.
5. In the Action on executable file related to the event window that opens, specify the relevant settings:

   Select one of the following:

   • Add to a new application category

     Select this option if you want to create a new application category.

     Click the OK button to start the Create User Category Wizard. When the Wizard completes, the category with the specified settings is created.

     By default, this option is not selected.

   • Add to an existing application category

     Select this option if you have to add rules to an existing application category. Select the relevant category in the list of application categories.

     This option is selected by default.

   In the Rule type section, select one of the following settings:

   • Add to category

     Select this option if you have to add rules to the conditions of the application category.

     This option is selected by default.

   • Rules for adding to exclusions

     Select this option if you want to add rules to the exclusions of the application category.

   In the File info type section, select one of the following settings:

   • Certificate details (or SHA-256 hashes for files without certificate)

     Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.

     Each file has its own unique SHA-256 hash function. When you select an SHA-256 hash function, only one corresponding file, for example, the defined application version, ends up in the category.

     Select this option if you want to add to the category rules the certificate details of an executable file (or the SHA-256 hash function for files without a certificate).

     By default, this option is selected.

   • Certificate details (files without a certificate will be skipped)

     Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.

     Select this option if you want to add the certificate details of an executable file to the category rules. If the executable file has no certificate, this file will be skipped. No information about this file will be added to the category.

   • Only SHA-256 (files without hash will be skipped)

     Each file has its own unique SHA-256 hash function. When you select an SHA-256 hash function, only one corresponding file, for example, the defined application version, ends up in the category.

     Select this option if you want to add only the details of the SHA-256 hash function of the executable file.

   • Only MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1 version)

     Each file has its own unique MD5 hash function. When you select an MD5 hash function, only one corresponding file, for example, the defined application version, ends up in the category.

     Select this option if you want to add only the details of the MD5 hash function of the executable file. Computing of the MD5 hash function is supported by Kaspersky Endpoint Security 10 Service Pack 1 for Windows and all earlier versions.

6. Click OK.

Configuring application startup management on client devices

Categorization of applications allows you to optimize management of application runs on devices. You can create an application category and configure Application Control for a policy so only applications from the specified category will be started on devices to which that policy is applied. For example, you have created a category that includes applications named Application_1 and Application_2. After you add this category to a policy, only two applications are allowed to start on devices to which that policy is applied: Application_1 and Application_2. If a user attempts to start an application that has not been included in that category, for example, Application_3, this application is blocked from being started. The user is shown a notification stating that Application_3 is blocked from starting, in accordance with an Application Control rule. You can create a category with content added automatically based on various criteria from a specific folder. In this case, files are automatically added to the category from the specified folder. Executable files of applications are copied to the specified folder and processed automatically; their metrics are added to the category.

To configure the applications run management on client devices:

1. In the Advanced → Application management folder in the console tree, select the Application categories subfolder.
2. In the workspace of the Application categories folder, create a category of applications that you want to manage while they are being started.
3. In the Managed devices folder, on the Policies tab click the New policy button to create a new policy for Kaspersky Endpoint Security for Windows, and follow the instructions of the Wizard.

   If such a policy already exists, you can skip this step. You can configure management of the startup of applications in a specified category through the settings of this policy. The newly created policy is displayed in the Managed devices folder on the Policies tab.

4. Select Properties from the context menu of the policy for Kaspersky Endpoint Security for Windows.

   The properties window of the policy for Kaspersky Endpoint Security for Windows opens.

5. In the properties window of the Kaspersky Endpoint Security for Windows policy, in the Security Controls → Application Control section, select the Application Control check box.
6. Click the Add button.

   The Application Control rule window opens.

7. In the Application Control rule window, in the Category drop-down list select the application category that the startup rule will cover. Configure the startup rule for the selected application category.

   For Kaspersky Endpoint Security 10 Service Pack 2 and later, no categories are displayed if they were created upon the criterion of the MD5 hash of an executable file.

   We do not recommend that you add any categories created according to the criterion of the SHA-256 hash of an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2. This may result in application failures.

   Detailed instructions on configuring control rules are provided in the Kaspersky Endpoint Security for Windows Online Help.

8. Click OK.

Applications will be run on devices included in the specified category according to the rule that you created. The newly created rule is displayed in the properties window of the Kaspersky Endpoint Security for Windows policy, in the Application Control section.

Viewing the results of static analysis of startup rules applied to executable files

To view information about which executable files are prohibited for users to run:

1. In the Managed devices folder in the console tree, select the Policies tab.
2. Select Properties from the context menu of the policy for Kaspersky Endpoint Security for Windows.

   The properties window of the application policy opens.

3. In the Sections pane, select Security Controls and then select the Application Control subsection.
4. Click the Static analysis button.

   The Analysis of the access rights list window opens. In the left part of the window a user list based on Active Directory data is displayed.

5. Select a user from the list.

   The right part of the window displays categories of applications assigned to this user.

6. To view executable files that the user is not allowed to run, in the Analysis of the access rights list window click the View files button.

   A window opens, displaying a list of prohibited executable files.

7. To view a list of executable files included in a category, select the application category and click the View files in category button.

   A window opens, displaying a list of executable files included in the application category.

Viewing the applications registry

Kaspersky Security Center inventories all software installed on managed devices.

Network Agent compiles a list of applications installed on a device, and then transmits this list to Administration Server. Network Agent automatically receives information about installed applications from the Windows registry.

Retrieval of information about installed applications is only available for devices running Microsoft Windows.

To view the registry of applications installed on client devices,

In the Advanced → Application management folder in the console tree, select the Applications registry subfolder.

The workspace of the Applications registry folder displays a list of applications installed on client devices and the Administration Server.

You can view the details of any application by opening its context menu and selecting Properties. The application properties window displays the application details and information about its executable files, as well as a list of devices on which the application is installed.

In the context menu of any application in the list you can:

• Add this application to an application category.
• Assign a tag to the application.
• Export the list of applications to a CSV file or TXT file.
• View the application properties, for example, vendor name, version number, list of executable files, list of devices on which the application is installed, list of available software updates, or list of detected software vulnerabilities.

To view applications that meet specific criteria, you can use filtering fields in the workspace of the Applications registry folder.

In the properties window of the selected device, in the Applications registry section, you can view the list of applications installed on the device.

Generating a report on installed applications

In the Applications registry workspace, you can also click the View report on installed applications button to generate a report containing detailed statistics on the installed applications, including the number of devices on which each application is installed. This report, which opens on the Report on Installed applications page, contains information about both the Kaspersky applications and third-party software. If you want information only on Kaspersky applications installed on client devices, in the Summary list, select AO Kaspersky Lab.

Information about Kaspersky applications and third-party software installed on devices that are connected to secondary and virtual Administration Servers is also stored in the applications registry of the primary Administration Server. After you add data from secondary and virtual Administration Servers, click the View report on installed applications button, and on the Report on installed applications page that opens, you can view this information.

To add information from secondary and virtual Administration Servers to the report on installed applications:

1. In the console tree, select the node with the name of the required Administration Server.
2. In the workspace of the node, select the Reports tab.
3. On the Reports tab, select Report on installed applications.
4. Select Properties from the context menu of the report.

   The Properties: Report on installed applications window opens.

5. In the Hierarchy of Administration Servers section, select the Include data from secondary and virtual Administration Servers check box.
6. Click OK.

Information from secondary and virtual Administration Servers will be included in the Report on installed applications.

Changing the software inventory start time

Kaspersky Security Center inventories all software installed on managed client devices running Windows.

Network Agent compiles a list of applications installed on a device, and then transmits this list to Administration Server. Network Agent automatically receives information about installed applications from the Windows registry.

To save the device resources, Network Agent by default starts receiving information about installed applications 10 minutes after the Network Agent service starts.

To change the software inventory start time, which elapses after the Network Agent service runs on a device:

1. Open the system registry of the device on which Network Agent is installed (for example, locally, using the regedit command in the Start → Run menu).
2. Go to the following hive:
   • For 32-bit systems:

     HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\NagentFlags

   • For 64-bit systems:

     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\NagentFlags

3. For the KLINV_INV_COLLECTOR_START_DELAY_SEC key, set the required value in seconds.

   The default value is 600 seconds.

4. Restart the Network Agent service.

The software inventory start time, which elapses after the Network Agent service runs, is changed.

About license key management of third-party applications

Kaspersky Security Center allows you to track license key usage for third-party applications installed on the managed devices. The list of applications for which you can track license key usage is taken from the applications registry. For each license key, you can specify and track violation of the following restrictions:

• Maximum number of devices on which the application using this license key can be installed
• Expiration date of the license key

Kaspersky Security Center does not check whether or not you specify a real license key. You can only track the restrictions that you specify. If one of the restrictions that you impose on a license key is violated, Administration Server registers an informational, warning, or functional failure event.

License keys are bound to applications groups. An applications group is a group of third-party applications that you combine on a basis of a criterion or several criteria. You can define applications by the name of the application, its version, vendor, and tag. An application is added to the group if at least one of the criteria is met. To each applications group, you can bind several license keys, but each license key can be bound to a single applications group only.

One more tool that you can use to track license key usage is Report on status of licensed applications groups. This report provides information about the current status of licensed applications groups, including:

• Number of installations of license keys on each applications group
• Number of license keys in use and vacant license keys
• Detailed list of licensed applications installed on managed devices

The tools for license key management of third-party applications are located in the Third-party licenses usage subfolder (Advanced → Application management → Third-party licenses usage). In this subfolder, you can create applications groups, add license keys, and generate the Report on statuses on licensed application groups.

The tools for license key management of third-party applications are available only if you enabled Vulnerability and Patch Management option in the Configure interface window.

Creating licensed applications groups

Expand all | Collapse all

To create a licensed applications group:

1. In the Advanced → Application management folder in the console tree, select the Third-party licenses usage subfolder.
2. Click the Add a licensed applications group button to run Licensed Application Group Addition Wizard.

   Licensed Application Group Addition Wizard starts.

3. On the Details of licensed applications group step, specify which applications you want to include into the applications group:
   • Name of licensed applications group
   • Track violated restrictions

     If one of the restrictions that you impose on a license key of the applications group is violated, Administration Server registers an informational, warning, or functional failure event:

     • Informational event: Limit of installations will soon be exceeded (more than 95% is used up) for one of the licensed applications groups
     • Warning event: Limit of installations will soon be exceeded for one of the licensed applications groups
     • Functional failure event: Limit of installations has been exceeded for one of the licensed applications groups

       An event is registered only once, when the stated condition is met. Next time, the same event can be registered only when the number of installations is returned to a normal level, and then the event happens again. An event cannot be registered more than once per hour.

   • Criteria for adding detected applications to this licensed applications group

     Specify criteria to define which applications you want to include into the applications group. You can define applications by the name of the application, its version, vendor, and tag. You must specify at least one criterion. An application is added to the group if at least one of the criteria is met.

4. On the Enter data about existing license keys step, specify the license keys that you want to track. Select the Control if license limit is exceeded option, and then add the license keys:
   1. Click the Add button.
   2. Select the license key that you want to add, and then click the OK button. If the required license key is not listed, click the Add button, and then specify the license key properties.
5. On the Add licensed applications group step, click the Finish button.

A licensed applications group is created and displayed in the Third-party licenses usage folder.

Managing license keys for licensed applications groups

To create a license key for a licensed applications group:

1. In the Advanced → Application management folder in the console tree, select the Third-party licenses usage subfolder.
2. In the workspace of the Third-party licenses usage folder, click the Manage license keys of licensed applications button.

   The License Key Management in licensed applications window opens.

3. In the License Key Management in licensed applications window, click the Add button.

   The License key window opens.

4. In the License key window, specify the properties of the license key and restrictions that the license key imposes on the licensed applications group.
   • Name. The name of the license key.
   • Comment. Notes on the selected license key.
   • Restriction. The number of devices on which the application using this license key can be installed.
   • Expires. The expiration date of the license key.

Created license keys are displayed in the License Key Management in licensed applications window.

To apply a license key to a licensed applications group:

1. In the Advanced → Application management folder in the console tree, select the Third-party licenses usage subfolder.
2. In the Third-party licenses usage folder, select a licensed applications group to which you want to apply a license key.
3. Select Properties from the context menu of the licensed applications group.

   This opens the properties window of the licensed applications group.

4. In the properties window of the licensed applications group, in the License keys section, select Control if license limit is exceeded.
5. Click the Add button.

   The Selecting a license key window opens.

6. In the Selecting a license key window, select a license key that you want to apply to a licensed applications group.
7. Click OK.

Restrictions imposed on a licensed applications group and specified in the license key will also apply to the selected licensed applications group.

Inventory of executable files

You can use an inventory task to inventory executable files on client devices. Kaspersky Endpoint Security for Windows provides the feature of inventorying executable files.

The number of executable files received from a single device cannot exceed 150,000. Having reached this limit, Kaspersky Security Center cannot receive any new files.

You can reduce load on the database while obtaining information about the installed applications. To do this, we recommend that you run an inventory task on reference devices on which a standard set of software is installed.

Before you begin, enable notifications about the applications startup in the Kaspersky Endpoint Security policy and the Network Agent policy, so you can transfer data to Administration Server.

To enable notifications about applications startup:

• Open the Kaspersky Endpoint Security policy settings and do the following:
  1. Go to General settings → Reports and Storage.
  2. In the Data transfer to Administration Server section, select the About started applications check box.
  3. Save your changes.
• Open the Network Agent policy settings and do the following:
  1. Go to the Repositories section.
  2. Select the Details of installed applications check box.
  3. Save your changes.

To create an inventory task for executable files on client devices:

1. In the console tree, select the Tasks folder.
2. Click the New task button in the workspace of the Tasks folder.

   The Add Task Wizard starts.

3. In the Select the task type window of the Wizard, select Kaspersky Endpoint Security as the task type, and then select Inventory as the task subtype, and click Next.
4. Follow the rest of the Wizard instructions.

After the Wizard is done, an inventory task for Kaspersky Endpoint Security is created. The newly created task is displayed in the list of tasks in the workspace of the Tasks folder.

A list of executable files that have been detected on devices during inventory is displayed in the workspace of the Executable files folder.

During inventory, the application detects executable files of the following formats: MZ, COM, PE, NE, SYS, CMD, BAT, PS1, JS, VBS, REG, MSI, CPL, DLL, JAR, and HTML files.

Viewing information about executable files

To view a list of all executable files detected on client devices,

In the Application management folder of the console tree, select the Executable files subfolder.

The workspace of the Executable files folder displays a list of executable files that have been run on devices since the installation of the operating system or have been detected while running the inventory task of Kaspersky Endpoint Security for Windows.

To view details of executable files that match specific criteria, you can use filtering.

To view the properties of an executable file,

From the context menu of the file, select Properties.

A window opens displaying information about the executable file and a list of devices on which this executable file can be found.