Kaspersky Next XDR Expert
[Topic 184060]

Using Application Control to manage executable files

You can use the Application Control component to allow or block startup of executable files on user devices. The Application Control component supports Windows-based and Linux-based operating systems.

For Linux-based operating systems, the Application Control component is available starting from Kaspersky Endpoint Security 11.2 for Linux.

Prerequisites

  • Open Single Management Platform is deployed in your organization.
  • The policy of Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Windows is created and is active. The Application Control component is enabled in the policy.

Stages

The Application Control usage scenario proceeds in stages:

  1. Forming and viewing the list of executable files on client devices

    This stage helps you find out what executable files are found on managed devices. View the list of executable files and compare it with the lists of allowed and prohibited executable files. The restrictions on the use of executable files can be related to the information security policies in your organization.

    How-to instructions: Obtaining and viewing a list of executable files stored on client devices

  2. Creating categories for executable files used in your organization

    Analyze the lists of executable files stored on managed devices. Based on the analysis, create categories for executable files. It is recommended to create a "Work applications" category that covers the standard set of executable files that are used at your organization. If different security groups use their own sets of executable files in their work, a separate category can be created for each security group.

    Startup of executable files whose settings do not match any of the Application Control rules is regulated by the selected operating mode of the component:

    • Denylist. The mode is used if you want to allow the startup of all executable files except those specified in block rules. This mode is selected by default.
    • Allowlist. The mode is used if you want to block the startup of all executable files except those specified in allow rules.

    The Application Control rules are implemented through categories for executable files. In Open Single Management Platform there are three types of categories for executable files:

  3. Configuring Application Control in the Kaspersky Endpoint Security policy

    Configure the Application Control component in the Kaspersky Endpoint Security for Linux policy using the categories you created at the previous stage.

    How-to instructions: Configuring Application Control in the Kaspersky Endpoint Security for Windows policy

  4. Turning on Application Control component in test mode

    To ensure that Application Control rules do not block executable files required for users' work, it is recommended to enable testing of Application Control rules and analyze their operation after creating new rules. When testing is enabled, Kaspersky Endpoint Security for Windows will not block executable files whose startup is forbidden by Application Control rules, but will instead send notifications about their startup to the Administration Server.

    When testing Application Control rules, it is recommended to perform the following actions:

    • Determine the testing period. The testing period can vary from several days to two months.
    • Examine the events resulting from testing the operation of Application Control.

    How-to instructions for OSMP Console: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow this instruction and enable the Test Mode option in the configuration process.

  5. Changing the settings of Application Control component

    If necessary, make changes to the Application Control settings. Based on the test results, you can add executable files related to events of the Application Control component to a category with content added manually.

    How-to instructions: OSMP Console: Adding event-related executable files to the application category

  6. Applying the rules of Application Control in operation mode

    After Application Control rules are tested and configuration of categories is complete, you can apply the rules of Application Control in operation mode.

    How-to instructions for OSMP Console: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow this instruction and disable the Test Mode option in the configuration process.

  7. Verifying Application Control configuration

    Be sure that you have done the following:

    • Created categories for executable files.
    • Configured Application Control using the categories.
    • Applied the rules of Application Control in operation mode.

Results

When the scenario is complete, startup of executable files on managed devices is controlled. The users can run only those executable files that are allowed in your organization and cannot run executable files that are prohibited in your organization.

For detailed information about Application Control, refer to the Kaspersky Endpoint Security for Linux Help and Kaspersky Endpoint Security for Windows Help.

[Topic 183681]

Application Control modes and categories

The Application Control component monitors users' attempts to start executable files. You can use Application Control rules to control the startup of executable files.

The Application Control component is available for Kaspersky Endpoint Security 11.2 for Linux and later versions.

Startup of executable files whose settings do not match any of the Application Control rules is regulated by the selected operating mode of the component:

  • Denylist. The mode is used if you want to allow the startup of all executable files except those specified in block rules. This mode is selected by default.
  • Allowlist. The mode is used if you want to block the startup of all executable files except those specified in allow rules.

The Application Control rules are implemented through categories for executable files. In Open Single Management Platform there are three types of categories:

For detailed information about Application Control, refer to the Kaspersky Endpoint Security for Linux Help and Kaspersky Endpoint Security for Windows Help.

[Topic 184061]

Obtaining and viewing a list of applications installed on client devices

Open Single Management Platform inventories all software installed on managed client devices running Linux and Windows.

Network Agent compiles a list of applications installed on a device, and then transmits this list to Administration Server. It takes about 10-15 minutes for the Network Agent to update the application list.

For Windows-based client devices, Network Agent receives most of the information about installed applications from the Windows registry. For Linux-based client devices, package managers provide information about installed applications to Network Agent.

To view the list of applications installed on managed devices:

  1. In the main menu, go to Operations → Third-party applications → Applications registry.

    The page displays a table with the applications that are installed on managed devices. Select the application to view its properties, for example, vendor name, version number, list of executable files, list of devices on which the application is installed, list of available software updates, and list of detected software vulnerabilities.

  2. You can group and filter the data of the table with installed applications as follows:
    • Click the settings icon in the upper-right corner of the table.

      In the invoked Columns settings menu, select the columns to be displayed in the table. To view the operating system type of the client devices on which the application is installed, select the Operating system type column.

    • Click the filter icon in the upper-right corner of the table, and then specify and apply the filter criterion in the invoked menu.

      The filtered table of installed applications is displayed.

To view the list of applications installed on a specific managed device,

In the main menu, go to Devices → Managed devices → <device name> → Advanced → Applications registry. In this menu, you can export the list of applications to a CSV file or TXT file.

For detailed information about Application Control, refer to the Kaspersky Endpoint Security for Linux Help and Kaspersky Endpoint Security for Windows Help.

See also:

Using Application Control to manage executable files

[Topic 184063]

Obtaining and viewing a list of executable files stored on client devices

Whenever a user attempts to start an executable file, this file is automatically added to the Application Control list. To obtain a list of the executable files stored on managed devices, you must create an inventory task.

For Kaspersky Endpoint Security for Linux, inventorying of executable files is available in version 11.2 and later.

You can reduce load on the database while obtaining a list of executable files. To do this, we recommend that you run an inventory task on reference devices on which a standard set of software is installed.

To create an inventory task for executable files on client devices:

  1. In the main menu, go to Assets (Devices) → Tasks.

    The list of tasks is displayed.

  2. Click the Add button.

    The New task wizard starts. Follow the steps of the wizard.

  3. On the New task settings page, from the Application drop-down list, select Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Windows, depending on the operating system of the client devices.
  4. From the Task type drop-down list, select Inventory.
  5. On the Finish task creation page, click the Finish button.

After the New task wizard has finished, the Inventory task is created and configured. If you want, you can change the settings for the created task. The newly created task is displayed in the list of tasks.

For a detailed description of the inventory task, see the Kaspersky Endpoint Security for Linux Help and the Kaspersky Endpoint Security for Windows Help.

After the Inventory task is performed, the list of executable files stored on managed devices is formed, and you can view the list.

During inventory, executable files in the following formats are detected: MZ, COM, PE, NE, SYS, CMD, BAT, PS1, JS, VBS, REG, MSI, CPL, DLL, JAR, and HTML.

To view the list of executable files stored on client devices:

In the main menu, go to Operations → Third-party applications → Executable files.

The page displays the list of executable files stored on client devices.

See also:

Using Application Control to manage executable files

[Topic 184064]

Creating an application category with content added manually

You can specify a set of criteria as a template of executable files for which you want to allow or block a start in your organization. On the basis of executable files corresponding to the criteria, you can create an application category and use it in the Application Control component configuration.

To create an application category with content added manually:

  1. In the main menu, go to Operations → Third-party applications → Application categories.

    The page with a list of application categories is displayed.

  2. Click the Add button.

    The New category wizard starts. Proceed through the wizard by using the Next button.

  3. On the Select category creation method step, specify the application category name and select the Category with content added manually. Data of executable files is manually added to the category option.
  4. On the Conditions step, click the Add button to add a condition criterion for including files in the category that is being created.
  5. On the Condition criteria step, select a rule type for the creation of category from the list:
    • From KL category

      If this option is selected, you can specify a Kaspersky application category as the condition of adding applications to the user category. The applications from the specified Kaspersky category will be added to the user application category.

    • Select certificate from repository

      If this option is selected, you can specify certificates from the storage. Executable files that have been signed in accordance with the specified certificates will be added to the user category.

    • Specify path to application (masks supported)

      If this option is selected, you can specify the path to the folder on the client device containing the executable files that are to be added to the user application category.

    • Removable drive

      If this option is selected, you can specify the type of the medium (any drive or removable drive) on which the application is run. Applications that have been run on the selected drive type are added to the user application category.

    • Hash, metadata, or certificate:
      • Select from list of executable files

        If this option is selected, you can use the list of executable files on the client device to select and add applications to the category.

      • Select from applications registry

        If this option is selected, the applications registry is displayed. You can select an application from the registry and specify the following file metadata:

        • File name.
        • File version. You can specify a precise value of the version or describe a condition, for example "greater than 5.0".
        • Application name.
        • Application version. You can specify a precise value of the version or describe a condition, for example "greater than 5.0".
        • Vendor.
      • Specify manually

        If this option is selected, you must specify a file hash, metadata, or a certificate as the condition of adding applications to the user category.

        File Hash

        Depending on the version of the security application installed on devices on your network, you should select an algorithm for hash value computing by Open Single Management Platform for files in this category. Information about computed hash values is stored in the Administration Server database. Storage of hash values does not increase the database size significantly.

        SHA256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security for Linux supports SHA256 computing.

        Select either of the options of hash value computing by Open Single Management Platform for files in the category:

        • If all instances of security applications installed on your network are Kaspersky Endpoint Security for Linux, select the SHA256 check box.
        • Select the MD5 hash check box only if you use Kaspersky Endpoint Security for Windows. Kaspersky Endpoint Security for Linux does not support the MD5 hash function.

        Metadata

        If this option is selected, you can specify file metadata such as file name, file version, and vendor. The metadata will be sent to Administration Server. Executable files that contain the same metadata will be added to the application category.

        Certificate

        If this option is selected, you can specify certificates from the storage. Executable files that have been signed in accordance with the specified certificates will be added to the user category.

      • From archived folder

        If this option is selected, you can specify a file of an archived folder, and then select which condition you want to use to add applications to the user category. The archived folder is unpacked and the conditions that you select are applied to the files in the folder. As a condition, you can select one of the following criteria:

        • File Hash

          You select which hash function (MD5 or SHA256) you want to use to calculate hash values. The applications that have the same hash value as the files in the archived folder are added to the user application category.

          Select an MD5 hash function only if you use Kaspersky Endpoint Security for Windows. Kaspersky Endpoint Security for Linux does not support the MD5 hash function.

        • Metadata

          You select which metadata you want to use as criteria. Executable files that contain the same metadata will be added to the user application category.

        • Certificate

          You select which certificate properties (certificate subject, fingerprint, or issuer) you want to use as criteria. Executable files that have been signed with the certificates that have the same properties will be added to the user category.

    The selected criterion is added to the list of conditions.

    You can add as many criteria as you need for the application category that is being created.

  6. On the Exclusions step, click the Add button to add an exclusive condition criterion to exclude files from the category that is being created.
  7. On the Condition criteria step, select a rule type from the list, in the same way that you selected a rule type for category creation.

When the wizard finishes, the application category is created. It is displayed in the list of application categories. You can use the created application category when you configure Application Control.
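
The following Python model is an added illustration, not Kaspersky code. It shows how the conditions and exclusions of a category combine with the Denylist and Allowlist modes and with test mode. The class and function names, the mode strings, glob-style mask matching and the sample launches are assumptions; the event names are the ones this documentation lists for Application Control.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, List, Optional

# Event names as listed in this documentation.
EVENT_BLOCKED = "Application startup prohibited"            # operation mode
EVENT_TEST = "Application startup prohibited in test mode"  # test mode

@dataclass(frozen=True)
class Launch:
    """One startup attempt (constructed fields, not a product data structure)."""
    path: str
    sha256: str
    vendor: str = ""

Criterion = Callable[[Launch], bool]

def by_hash(*digests: str) -> Criterion:
    wanted = {d.lower() for d in digests}
    return lambda launch: launch.sha256.lower() in wanted

def by_path_mask(mask: str) -> Criterion:
    # Assumption: a mask behaves like a case-insensitive shell glob.
    return lambda launch: fnmatchcase(launch.path.lower(), mask.lower())

def by_vendor(name: str) -> Criterion:
    return lambda launch: launch.vendor.lower() == name.lower()

@dataclass
class Category:
    """Conditions add files to the category, exclusions take them out again."""
    name: str
    conditions: List[Criterion]
    exclusions: List[Criterion] = field(default_factory=list)

    def contains(self, launch: Launch) -> bool:
        if any(rule(launch) for rule in self.exclusions):
            return False
        return any(rule(launch) for rule in self.conditions)

@dataclass(frozen=True)
class Decision:
    started: bool
    event: Optional[str]     # event raised, if any
    category: Optional[str]  # category that matched, if any

def evaluate(launch: Launch, mode: str, categories: List[Category],
             test_mode: bool = False) -> Decision:
    """mode 'denylist': categories are block rules; 'allowlist': allow rules."""
    if mode not in ("denylist", "allowlist"):
        raise ValueError(f"unknown mode: {mode!r}")
    hit = next((c.name for c in categories if c.contains(launch)), None)
    # A file matching no rule starts in Denylist mode and is stopped in Allowlist mode.
    prohibited = (hit is not None) if mode == "denylist" else (hit is None)
    if not prohibited:
        return Decision(True, None, hit)
    if test_mode:
        return Decision(True, EVENT_TEST, hit)  # logged, not blocked
    return Decision(False, EVENT_BLOCKED, hit)

def would_block(launches, mode, categories):
    """Paths reported in test mode, that is, what operation mode would stop."""
    return [l.path for l in launches
            if evaluate(l, mode, categories, test_mode=True).event == EVENT_TEST]

# Constructed sample data.
WORK = Category(
    "Work applications",
    conditions=[by_path_mask(r"C:\Program Files\*"), by_vendor("Example Corp")],
    exclusions=[by_hash("bb" * 32)],
)
BANNED = Category("Prohibited tools", conditions=[by_hash("cc" * 32)])

EDITOR = Launch(r"C:\Program Files\Editor\editor.exe", "aa" * 32, "Example Corp")
OLD = Launch(r"C:\Program Files\Editor\old.exe", "bb" * 32, "Example Corp")
TOOL = Launch(r"C:\Users\alice\Downloads\tool.exe", "cc" * 32)

if __name__ == "__main__":
    for mode, cats in (("allowlist", [WORK]), ("denylist", [BANNED])):
        for launch in (EDITOR, OLD, TOOL):
            print(mode, launch.path, evaluate(launch, mode, cats))
    print("review before leaving test mode:",
          would_block([EDITOR, OLD, TOOL], "allowlist", [WORK]))
```

In the model, `old.exe` matches the path mask but is removed by the hash exclusion, so it starts in Denylist mode and is stopped in Allowlist mode; `would_block` lists the files to review before switching from test mode to operation mode.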

For detailed information about Application Control, refer to the Kaspersky Endpoint Security for Linux Help and Kaspersky Endpoint Security for Windows Help.

See also:

Using Application Control to manage executable files

[Topic 184075]

Creating an application category that includes executable files from selected devices

You can use executable files from selected devices as a template of executable files that you want to allow or block. Based on executable files from selected devices, you can create an application category and use it in the Application Control component configuration.

Make sure that the following prerequisites are met:

To create an application category that includes executable files from selected devices:

  1. In the main menu, go to Operations → Third-party applications → Application categories.

    The page with a list of categories of executable files is displayed.

  2. Click the Add button.

    The New category wizard starts. Proceed through the wizard by using the Next button.

  3. On the Select category creation method step, specify the category name and select the Category that includes executable files from selected devices. These executable files are processed automatically and their metrics are added to the category option.
  4. Click Add.
  5. In the window that opens, select a device or devices whose executable files will be used to create the application category.
  6. Specify the following settings:
    • Hash value computing algorithm

      Depending on the version of the security application installed on devices on your network, you should select an algorithm for hash value computing by Open Single Management Platform for files in this category. Information about computed hash values is stored in the Administration Server database. Storage of hash values does not increase the database size significantly.

      SHA256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security for Linux supports SHA256 computing.

      Select either of the options of hash value computing by Open Single Management Platform for files in the category:

      • If all instances of security applications installed on your network are Kaspersky Endpoint Security for Linux, select the SHA256 check box.

      Select the MD5 hash check box only if you use Kaspersky Endpoint Security for Windows. Kaspersky Endpoint Security for Linux does not support the MD5 hash function.

      The Calculate SHA256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and any later versions) check box is selected by default.

      The Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows) is cleared by default.

    • Synchronize data with Administration Server repository

      Select this option if you want Administration Server to periodically check for changes in the specified folder (or folders).

      By default, this option is disabled.

      If you enable this option, specify the period (in hours) to check for changes in the specified folder (folders). By default, the scan interval is 24 hours.

    • File type

      In this section, you can specify the file type that is used to create the application category.

      All files. All files are taken into consideration when creating the category. By default, this option is selected.

      Only files outside the application categories. Only files outside the application categories are taken into consideration when creating the category.

    • Folders

      In this section you can specify which folders from the selected device (devices) contain files that are used to create the application category.

      All folders. All folders are taken into consideration for the category that is being created. By default, this option is selected.

      Specified folder. Only the specified folder is taken into consideration for the category that is being created. If you select this option, you must specify the path to the folder.

When the wizard finishes, the category of executable files is created. It is displayed in the list of categories. You can use the created category when you configure Application Control.

See also:

Using Application Control to manage executable files

[Topic 184076]

Creating an application category that includes executable files from selected folder

You can use executable files from a selected folder as a standard of executable files that you want to allow or block in your organization. On the basis of executable files from the selected folder, you can create an application category and use it in the Application Control component configuration.

To create a category that includes executable files from the selected folder:

  1. In the main menu, go to Operations → Third-party applications → Application categories.

    The page with a list of categories is displayed.

  2. Click the Add button.

    The New category wizard starts. Proceed through the wizard by using the Next button.

  3. On the Select category creation method step, specify the category name and select the Category that includes executable files from a specific folder. Executable files of applications copied to the specified folder are automatically processed and their metrics are added to the category option.
  4. Specify the folder whose executable files will be used to create the category.
  5. Define the following settings:
    • Include dynamic-link libraries (DLL) in this category

      The application category includes dynamic-link libraries (files in DLL format), and the Application Control component logs the actions of such libraries running in the system. Including DLL files in the category may lower the performance of Open Single Management Platform.

      By default, this check box is cleared.

    • Include script data in this category

      The application category includes data on scripts, and scripts are not blocked by Web Threat Protection. Including the script data in the category may lower the performance of Open Single Management Platform.

      By default, this check box is cleared.

    • Hash value computing algorithm: Calculate SHA256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and later versions) / Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows)

      Depending on the version of the security application installed on devices on your network, you should select an algorithm for hash value computing by Open Single Management Platform for files in this category. Information about computed hash values is stored in the Administration Server database. Storage of hash values does not increase the database size significantly.

      SHA256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security for Linux supports SHA256 computing.

      Select either of the options of hash value computing by Open Single Management Platform for files in the category:

      • If all instances of security applications installed on your network are Kaspersky Endpoint Security for Linux, select the SHA256 check box.

      Select the MD5 hash check box only if you use Kaspersky Endpoint Security for Windows. Kaspersky Endpoint Security for Linux does not support the MD5 hash function.

      The Calculate SHA256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and any later versions) check box is selected by default.

      The Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows) is cleared by default.

    • Force folder scan for changes

      If this option is enabled, the application regularly checks the folder of category content addition for changes. You can specify the frequency of checks (in hours) in the entry field next to the check box. By default, the time interval between forced checks is 24 hours.

      If this option is disabled, the application does not force any checks of the folder. The Server attempts to access files if they have been modified, added, or deleted.

      By default, this option is disabled.

When the wizard finishes, the category of executable files is created. It is displayed in the list of categories. You can use the category when you configure Application Control.
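
Because executable files copied to the folder are processed automatically and added to the category, it helps to know exactly what the folder holds and when it changes. The following Python script is an added example, not part of Open Single Management Platform: it classifies files by their MZ, PE and NE headers, hashes them with SHA256, and compares two scans. The `include_dll` and `include_scripts` parameters only mirror the wizard's check boxes, and the sample files are constructed.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

SCRIPT_EXTENSIONS = {".cmd", ".bat", ".ps1", ".js", ".vbs"}  # script formats named on this page
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images

def classify(path):
    """Return 'PE', 'DLL', 'NE', 'MZ', 'script' or None for one file."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if head[:2] == b"MZ":
            if len(head) < 0x40:
                return "MZ"  # truncated DOS header, still an MZ stub
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            fh.seek(e_lfanew)
            new_header = fh.read(24)  # signature (4 bytes) + COFF file header (20 bytes)
            if new_header[:4] == b"PE\0\0" and len(new_header) == 24:
                (flags,) = struct.unpack_from("<H", new_header, 22)
                return "DLL" if flags & IMAGE_FILE_DLL else "PE"
            if new_header[:2] == b"NE":
                return "NE"
            return "MZ"
    return "script" if Path(path).suffix.lower() in SCRIPT_EXTENSIONS else None

def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(folder, include_dll=False, include_scripts=False):
    """Map relative path -> (kind, sha256) for the executable files in a folder."""
    rows = {}
    for path in sorted(Path(folder).rglob("*")):
        if not path.is_file():
            continue
        kind = classify(path)
        if kind is None:
            continue
        if (kind == "DLL" and not include_dll) or (kind == "script" and not include_scripts):
            continue
        rows[path.relative_to(folder).as_posix()] = (kind, sha256_file(path))
    return rows

def diff(baseline, current):
    """Report what changed in the folder between two scans."""
    shared = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in shared if baseline[p][1] != current[p][1]),
    }

def _image(dll=False, payload=b""):
    """Constructed minimal MZ + PE header, just enough for classify()."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    flags = IMAGE_FILE_DLL if dll else 0x0002
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, flags)
    return dos + b"PE\0\0" + coff + payload

def demo():
    """Scan a constructed folder, change it, and scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(_image())
        (root / "helper.dll").write_bytes(_image(dll=True))
        (root / "setup.bat").write_text("@echo off\n")
        (root / "readme.txt").write_text("not executable\n")
        baseline = inventory(root)
        full = inventory(root, include_dll=True, include_scripts=True)
        # Later changes: one file is updated, one image arrives under another name.
        (root / "app.exe").write_bytes(_image(payload=b"v2"))
        (root / "renamed.dat").write_bytes(_image())
        current = inventory(root)
        return baseline, full, current, diff(baseline, current)

if __name__ == "__main__":
    for label, value in zip(("baseline", "full", "current", "changes"), demo()):
        print(label, value)
```

The second scan reports `renamed.dat` as added even though its extension is not an executable one, and its SHA256 equals that of the original `app.exe`, which is why a hash condition keeps matching a file after it is renamed.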

For detailed information about Application Control, refer to the Kaspersky Endpoint Security for Linux Help and Kaspersky Endpoint Security for Windows Help.

See also:

Using Application Control to manage executable files

[Topic 184077]

Viewing the list of application categories

You can view the list of configured categories of executable files and the settings of each category.

To view the list of application categories,

In the main menu, go to Operations → Third-party applications → Application categories.

The page with a list of categories is displayed.

To view properties of an application category,

Click the name of the category.

The properties window of the category is displayed. The properties are grouped on several tabs.

See also:

Using Application Control to manage executable files

[Topic 191028]

Configuring Application Control in the Kaspersky Endpoint Security for Windows policy

After you create Application Control categories, you can use them for configuring Application Control in Kaspersky Endpoint Security for Windows policies.

To configure Application Control in the Kaspersky Endpoint Security for Windows policy:

  1. In the main menu, go to Assets (Devices) → Policies & profiles.

    A page with a list of policies is displayed.

  2. Click the Kaspersky Endpoint Security for Windows policy.

    The policy settings window opens.

  3. Go to Application settings → Security Controls → Application Control.

    The Application Control window with Application Control settings is displayed.

  4. The Application Control option is enabled by default. Switch the toggle button Application Control DISABLED to disable the option.
  5. In the Application Control Settings block settings, enable the operation mode to apply the Application Control rules and allow Kaspersky Endpoint Security for Windows to block startup of applications.

    If you want to test the Application Control rules, in the Application Control Settings section, enable the test mode. In the test mode, Kaspersky Endpoint Security for Windows does not block startup of applications, but logs information about triggered rules in the report. Click the View report link to view this information.

  6. Enable the Control DLL modules load option if you want Kaspersky Endpoint Security for Windows to monitor the loading of DLL modules when applications are started by users.

    Information about the module and the application that loaded the module will be saved to a report.

    Kaspersky Endpoint Security for Windows monitors only the DLL modules and drivers loaded after the Control DLL modules load option is selected. Restart the computer after selecting the Control DLL modules load option if you want Kaspersky Endpoint Security for Windows to monitor all DLL modules and drivers, including those loaded before Kaspersky Endpoint Security for Windows is started.

  7. (Optional) In the Message templates block, change the template of the message that is displayed when an application is blocked from starting and the template of the email message that is sent to you.
  8. In the Application Control Mode block settings, select the Denylist or Allowlist mode.

    By default, the Denylist mode is selected.

  9. Click the Rules Lists Settings link.

    The Denylists and allowlists window opens to let you add an application category. By default, the Denylist tab is selected if the Denylist mode is selected, and the Allowlist tab is selected if the Allowlist mode is selected.

  10. In the Denylists and allowlists window, click the Add button.

    The Application Control rule window opens.

  11. Click the Please choose a category link.

    The Application Category window opens.

  12. Add the application category (or categories) that you created earlier.

    You can edit the settings of a created category by clicking the Edit button.

    You can create a new category by clicking the Add button.

    You can delete a category from the list by clicking the Delete button.

  13. After the list of application categories is complete, click the OK button.

    The Application Category window closes.

  14. In the Application Control rule window, in the Subjects and their rights section, create a list of users and groups of users to apply the Application Control rule.
  15. Click the OK button to save the settings and to close the Application Control rule window.
  16. Click the OK button to save the settings and to close the Denylists and allowlists window.
  17. Click the OK button to save the settings and to close the Application Control window.
  18. Close the window with the Kaspersky Endpoint Security for Windows policy settings.

Application Control is configured. After the policy is propagated to the client devices, the startup of executable files is managed.

For detailed information about Application Control, refer to the Kaspersky Endpoint Security for Linux Help and Kaspersky Endpoint Security for Windows Help.

See also:

Using Application Control to manage executable files

[Topic 184079]

Adding event-related executable files to the application category

After you configure Application Control in the Kaspersky Endpoint Security policies, the following events will be displayed in the list of events:

  • Application startup prohibited (Critical event). This event is displayed if you have configured Application Control to apply rules.
  • Application startup prohibited in test mode (Info event). This event is displayed if you have configured Application Control to test rules.
  • Message to administrator about application startup prohibition (Warning event). This event is displayed if you have configured Application Control to apply rules and a user has requested access to the application that is blocked at startup.

It is recommended to create event selections to view events related to Application Control operation.

You can add executable files related to Application Control events to an existing application category or to a new application category. You can add executable files only to an application category with content added manually.

To add executable files related to Application Control events to an application category:

  1. In the main menu, go to Monitoring & reporting → Event selections.

    The list of event selections is displayed.

  2. Select the event selection to view events related to Application Control and start this event selection.

    If you have not created an event selection related to Application Control, you can select and start a predefined selection, for example, Recent events.

    The list of events is displayed.

  3. Select the events whose associated executable files you want to add to the application category, and then click the Assign to category button.

    The New category wizard starts. Proceed through the wizard by using the Next button.

  4. On the wizard page, specify the relevant settings:
    • In the Action on executable file related to the event section, select one of the following options:
      • Add to a new application category

        Select this option if you want to create a new application category based on event-related executable files.

        By default, this option is selected.

        If you have selected this option, specify a new category name.

      • Add to an existing application category

        Select this option if you want to add event-related executable files to an existing application category.

        By default, this option is not selected.

        If you have selected this option, select the application category with content added manually to which you want to add executable files.

    • In the Rule type section, select one of the following options:
      • Rules for adding to inclusions
      • Rules for adding to exclusions
    • In the Parameter used as a condition section, select one of the following options:
      • Certificate details (or SHA256 hashes for files without a certificate)

        Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.

        Each file has its own unique SHA256 hash. When you select an SHA256 hash, only one corresponding file, for example, the defined application version, ends up in the category.

        Select this option if you want to add to the category rules the certificate details of an executable file (or the SHA256 hash for files without a certificate).

        By default, this option is selected.

      • Certificate details (files without a certificate will be skipped)

        Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.

        Select this option if you want to add the certificate details of an executable file to the category rules. If the executable file has no certificate, this file will be skipped. No information about this file will be added to the category.

      • Only SHA256 (files without a hash will be skipped)

        Each file has its own unique SHA256 hash. When you select an SHA256 hash, only one corresponding file, for example, the defined application version, ends up in the category.

        Select this option if you want to add only the SHA256 hash of the executable file.

      • Only MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1 version)

        Select this option only if you use Kaspersky Endpoint Security for Windows. Kaspersky Endpoint Security for Linux does not support the MD5 hash function.

        Each file has its own unique MD5 hash. When you select an MD5 hash, only one corresponding file, for example, the defined application version, ends up in the category.

  5. Click OK.

When the wizard finishes, executable files related to the Application Control events are added to the existing application category or to a new application category. You can view settings of the application category that you have modified or created.
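The following added example (a simplified model, not Kaspersky code) shows how the choice in the Parameter used as a condition section changes which files a category ends up covering: a certificate condition also matches later versions and other applications from the same signer, while an SHA256 condition matches exactly one file. The option keys, the `signer` field standing in for certificate details, and all file data are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ExeFile:
    name: str
    content: bytes
    signer: Optional[str]  # constructed stand-in for certificate details; None = unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

def build_rules(files, option):
    """Return the set of (kind, value) conditions produced for the chosen option."""
    rules = set()
    for f in files:
        if option == "cert_or_sha256":    # certificate, hash fallback for unsigned files
            rules.add(("cert", f.signer) if f.signer else ("sha256", f.sha256))
        elif option == "cert_only":       # files without a certificate are skipped
            if f.signer:
                rules.add(("cert", f.signer))
        elif option == "sha256_only":     # one condition per exact file
            rules.add(("sha256", f.sha256))
        else:
            raise ValueError(f"unknown option: {option}")
    return rules

def matches(f, rules):
    by_cert = f.signer is not None and ("cert", f.signer) in rules
    return by_cert or ("sha256", f.sha256) in rules

# Constructed sample data: files taken from events, and files that appear later.
EVENT_FILES = [
    ExeFile("editor-1.0", b"editor build 1.0", "Example Vendor CA"),
    ExeFile("inhouse-tool", b"unsigned internal tool", None),
]
LATER_FILES = [
    ExeFile("editor-1.1", b"editor build 1.1", "Example Vendor CA"),
    ExeFile("vendor-updater", b"updater from same vendor", "Example Vendor CA"),
    ExeFile("inhouse-tool-v2", b"unsigned internal tool v2", None),
]

def coverage(option):
    """Names of all files (event and later) that the resulting category matches."""
    rules = build_rules(EVENT_FILES, option)
    return sorted(f.name for f in EVENT_FILES + LATER_FILES if matches(f, rules))

if __name__ == "__main__":
    for opt in ("cert_or_sha256", "cert_only", "sha256_only"):
        print(opt, coverage(opt))
```

In an allowlist inclusion, the certificate-based result is the broader grant: everything the signer ships is covered, whereas the hash-based category must be updated for each new build.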

For detailed information about Application Control, refer to the Kaspersky Endpoint Security for Linux Help and Kaspersky Endpoint Security for Windows Help.

See also:

Using Application Control to manage executable files

[Topic 186329]