Application Control - Kaspersky Lab
Small Office Security 2<br />
<strong>Application</strong> <strong>Control</strong>
<strong>Kaspersky</strong> Small Office Security 2<br />
Table of contents<br />
<strong>Application</strong> control<br />
What is <strong>Application</strong> <strong>Control</strong><br />
Enabling/Disabling <strong>Application</strong> <strong>Control</strong><br />
Placing applications into groups<br />
Viewing activity of applications<br />
Modifying a trust group for an application<br />
<strong>Application</strong> control rules<br />
Changing the group rule<br />
Editing application rules<br />
Creating a network rule for an application (Firewall)<br />
Editing storage time for rules<br />
Setting of restrictions of parental process<br />
Configuring exclusions<br />
Protecting personal data<br />
<strong>Application</strong> control<br />
What is <strong>Application</strong> <strong>Control</strong><br />
KSOS 2 prevents applications from performing actions that may be dangerous for the system, and<br />
ensures control of access to operating system resources and your identity data with the help of the<br />
following tools:<br />
► <strong>Application</strong> <strong>Control</strong>. The component tracks actions in the system performed by<br />
applications installed on the computer, and regulates them based on the rules of<br />
<strong>Application</strong> <strong>Control</strong>. These rules regulate potentially dangerous activity, including<br />
applications' access to protected resources.<br />
► Protection of identity data and operating system resources. <strong>Application</strong> control<br />
monitors the rights of applications to perform actions on the user’s identity data.<br />
Identity data includes files, folders and registry keys which contain<br />
operation settings and vital data of the most frequently used applications, and the user’s files<br />
(the My Documents folder, cookie files, and user activity data).<br />
Enabling/Disabling <strong>Application</strong> <strong>Control</strong><br />
By default, <strong>Application</strong> <strong>Control</strong> is enabled, functioning in the mode developed by <strong>Kaspersky</strong><br />
<strong>Lab</strong> specialists. However, you can disable it, if required.<br />
To enable or disable <strong>Application</strong> <strong>Control</strong>, perform the following steps:<br />
1. Open the main application window.<br />
2. In the top part of the window select the Protection tab.<br />
3. In the right top part of the main application window click the Settings link.<br />
4. In the left part of the Settings window select the Security Zone component.<br />
5. In the right part of the window:<br />
• Uncheck the Enable Security Zone box, if you need to disable the component.<br />
• Check the Enable Security Zone box, if you need to enable the component.<br />
6. In the lower part of the Settings window click the Apply button.<br />
Placing applications into groups<br />
At the first startup of an application on the computer, the <strong>Application</strong> <strong>Control</strong> component verifies<br />
its safety and searches the internal database of known applications for a matching entry, and then<br />
sends a request to the <strong>Kaspersky</strong> Security Network [1] database or checks whether the application has a digital signature [2].<br />
After the search, <strong>Application</strong> <strong>Control</strong> places the application into one of the following trust groups:<br />
► Trusted. Trusted applications are applications with digital signatures of trusted vendors and<br />
applications whose signatures are included in the trusted applications database.<br />
<strong>Application</strong>s of that group are allowed to perform any network activity. Activities of such<br />
applications are monitored by Proactive Defense and File Anti-Virus.<br />
► Low Restricted. Low restricted applications are applications without digital<br />
signatures of trusted vendors which are not included in the trusted applications<br />
database. Nevertheless, a low risk rating [3] is assigned to such applications. <strong>Application</strong>s<br />
of that group are allowed to perform some operations, such as managing the system and hidden<br />
access to the network. Most operations require user authorization.<br />
► High Restricted. High restricted applications are applications without digital signatures<br />
which are not included in the trusted applications database. A high risk rating is assigned<br />
to such applications. <strong>Application</strong>s of this group require user authorization for most activities<br />
in the system; some actions, however, are restricted for these applications.<br />
[1] <strong>Kaspersky</strong> Security Network is a system which makes it possible to get information about files opened by the user on the<br />
computer and thus tracks malicious objects and their spreading channels.<br />
[2] A digital signature is an electronic security mark which carries information about the software vendor and shows if<br />
the software was changed after the signing (i.e. after release). If software is signed by its vendor and the signature<br />
authenticity is verified by the certificate center, then you can be sure that the software is authentic and was not.<br />
[3] Risk rating is an indicator of the application danger for the system. The risk rating is calculated based on specific<br />
criteria.<br />
► Untrusted. Untrusted applications are applications without digital signatures which are<br />
not included in the trusted applications database. A very high risk rating is assigned to such<br />
applications. <strong>Application</strong> <strong>Control</strong> blocks any activity of such applications.<br />
To disable the automatic inclusion of applications into the Trusted group, perform the following<br />
actions:<br />
1. In the left part of the Settings window select the Security Zone component.<br />
2. In the right part of the window in the Trusted applications section uncheck the boxes<br />
<strong>Application</strong>s with digital signature and Trusted in <strong>Kaspersky</strong> Security Network<br />
database.<br />
3. In the Settings window click the Apply button.<br />
If an application record is not included in the <strong>Kaspersky</strong> Security Network database and the<br />
application does not have a digital signature, then KSOS 2 uses heuristic analysis [4].<br />
The analysis helps define the threat rating of the application, based on which it is included in a<br />
group.<br />
To use the heuristic analysis for distributing unknown applications by groups, perform the following<br />
actions:<br />
1. In the left part of the Settings window select the Security Zone component.<br />
2. In the right part of the window in the Trusted applications section select the Use heuristic<br />
analyzer to define the group option.<br />
3. Click the Apply button in the right bottom corner of the window.<br />
[4] Heuristic analysis is analysis of an object's activity in the system. If the activity is typical of malicious objects,<br />
the object under analysis is defined as suspicious or malicious. Analysis of the object's activity makes it possible to<br />
detect a virus even if it has not been defined by virus analysts.<br />
Instead of using the heuristic analysis, you can specify a group into which KSOS 2 should<br />
automatically include all unknown applications. For this, perform the following actions:<br />
1. In the left part of the Settings window select the Security Zone component.<br />
2. In the Trusted applications section select the Automatically move to group option and in<br />
the drop-down menu select the necessary group:<br />
► Low Restricted<br />
► High Restricted<br />
► Untrusted<br />
3. Click the Apply button in the right bottom corner of the window.<br />
By default, <strong>Application</strong> <strong>Control</strong> analyzes an application for 30 seconds. If this time interval turns<br />
out to be insufficient for defining the threat rating, the application is included into the Low<br />
restricted group, while defining the threat rating continues in background mode. After that, the<br />
application is finally included into another group. If you are sure that all applications started on<br />
your computer do not pose any threat to its security, you can decrease the time spent on analysis.<br />
If, on the contrary, you are installing the software and are not sure that this is safe, you are<br />
advised to increase the time for analysis.<br />
To change the time allowed for calculation of the application group, perform the following actions:<br />
1. In the left part of the Settings window select the Security Zone component.<br />
2. In the Additional section edit the value of the Maximum time to define the application<br />
group setting.<br />
3. In the right bottom corner of the window click the Apply button.<br />
Viewing activity of applications<br />
You can view information about all applications being used on your computer and all processes<br />
being currently run. For this, perform the following actions:<br />
1. Open the main application window.<br />
2. In the main application window select the Security Zone tab.<br />
3. In the <strong>Application</strong> <strong>Control</strong> section in the right part of the window click the <strong>Application</strong>s<br />
Activity link.<br />
4. For the sake of convenience all applications are divided into categories: for example,<br />
running, started at system startup, network, etc. In the Category drop-down list select<br />
the necessary category [5].<br />
5. To show the processes launched by KSOS 2, check the Show <strong>Kaspersky</strong> Small Office<br />
Security processes box.<br />
6. To show system processes in the list, check the Show system processes box.<br />
Modifying a trust group for an application<br />
In the <strong>Application</strong> <strong>Control</strong> window the Group column shows the group to which an application<br />
belongs.<br />
If necessary, you can move the application to another group manually.<br />
<strong>Kaspersky</strong> <strong>Lab</strong> specialists recommend that you avoid moving applications from default groups.<br />
To move an application to another group, perform the following actions:<br />
1. In the <strong>Application</strong> activity window in the Category list select the required category of<br />
applications.<br />
2. Right-click the required application and in the context menu select Move to group and<br />
select the necessary group: Trusted, Low restricted, High restricted or Untrusted.<br />
3. In the right bottom corner of the window click the OK button.<br />
[5] The Network category only displays applications with the opened connections and/or opened ports.<br />
To move the application to the default group, do the following:<br />
1. In the main application window click on the tab Security Zone.<br />
2. On the Security Zone tab in the right part of the window click the <strong>Application</strong>s Activity<br />
link.<br />
3. In the <strong>Application</strong> activity window in the Category list select the required category of<br />
applications.<br />
4. Right-click the required application and in the context menu select Move to group -><br />
Restore default group.<br />
5. In the <strong>Application</strong> activity window click the Close button.<br />
<strong>Application</strong> control rules<br />
The rules of <strong>Application</strong> <strong>Control</strong> are a set of access rights to computer resources and<br />
restrictions imposed on various actions performed by applications on the computer.<br />
By default, an application is controlled according to the rules of the trust group into which KSOS 2<br />
included the application when it was run for the first time.<br />
A rule is a set of <strong>Application</strong> <strong>Control</strong> reactions to an application’s activity when it accesses<br />
controlled resources. The following component reactions are possible:<br />
► Inherit. <strong>Application</strong> or group inherits the reaction from the parent group. This is a default<br />
reaction.<br />
► Allow. <strong>Application</strong> is allowed to perform an action with the resource.<br />
► Deny. <strong>Application</strong> is not allowed to perform an action with the resource.<br />
► Prompt for action. <strong>Application</strong> <strong>Control</strong> prompts the user for granting access to the<br />
resource for an application.<br />
► Log events. In addition to the specified reaction, <strong>Application</strong> <strong>Control</strong> records in the report<br />
information about the application's attempts to access the resource.<br />
Changing the group rule<br />
To change the preset group rule, do the following:<br />
1. Open the main application window.<br />
2. Go to the Protection Center tab.<br />
3. In the top right corner of the main application window click the Settings link.<br />
4. In the left part of the Settings window select the Security Zone component.<br />
5. In the right part of the window click the Configure rules button.<br />
6. In the Rules for a group of applications window select the required group and left-click it.<br />
7. In the Rules for a group of applications window on the Rules tab edit access rights for<br />
the required category of resources, by right-clicking the icon in the Permission column:<br />
Read, Write, Delete, Create.<br />
8. In the Rules for a group of applications window click the OK button.<br />
If necessary, you can configure these rules for one particular application.<br />
Editing application rules<br />
<strong>Application</strong> <strong>Control</strong> logs the actions performed by this application in the system, and manages<br />
its activity based on which group it belongs to. When an application accesses a resource, the<br />
component checks if the application has the required access rights, and performs the action<br />
determined by the rule.<br />
To edit application rules, perform the following actions:<br />
1. In the main application window go to the Security Zone tab.<br />
2. In the right part of the window in the <strong>Application</strong> <strong>Control</strong> section click the <strong>Application</strong><br />
Activity link.<br />
3. In the <strong>Application</strong> Activity window in the Category list select the required category of<br />
applications.<br />
4. In the Group column, left-click the link with the name of the group for the required<br />
application.<br />
5. In the context menu select Move to group -> Custom settings.<br />
6. In the Rules for application window on the Rules tab edit the access rules for the required<br />
resource category. For this, right-click the icon in the Permission column: Read, Write,<br />
Delete, Create.<br />
7. In the Rules for application window click OK.<br />
<strong>Application</strong> rules have a higher priority than group rules.<br />
For example, if an application rule allows Internet access while the rules of the group that<br />
contains the application deny Internet access, the application will get<br />
access to the system resources.<br />
Creating a network rule for an application (Firewall)<br />
If an application accesses network resources while it is running, Firewall rules are<br />
applied to it. Access settings for network resources can be configured in the <strong>Application</strong> activity<br />
window. To do this, perform the following actions:<br />
1. In the main application window go to the Security Zone tab.<br />
2. In the right part of the window in the <strong>Application</strong> <strong>Control</strong> section click the <strong>Application</strong>s<br />
Activity link.<br />
3. In the <strong>Application</strong> activity window in the Category list select the required category of<br />
applications.<br />
4. In the Group column, left-click the link with the name of the group for the required<br />
application.<br />
5. In the context menu select Move to group -> Custom settings.<br />
6. In the Rules for application window on the Rules tab in the drop-down list select the<br />
Network rules category and click the Add link in the left bottom corner of the window.<br />
7. In the Network rule window specify the settings for a network rule.<br />
8. Assign a priority to the new rule and move it up or down the list by clicking the Move up or<br />
Move down buttons.<br />
Once you have created the rule, you can modify its settings or delete it using buttons in the bottom<br />
part of the tab. To disable the rule, uncheck the box next to the rule's name.<br />
9. In the window Rules for application click OK.<br />
Editing storage time for rules<br />
By default, the rules for applications which have not been started for 60 days are deleted<br />
automatically.<br />
You can modify the storage time for rules for unused applications, or disable rules' automatic<br />
removal.<br />
To set the storage time for application rules, perform the following actions:<br />
1. Open the main application window.<br />
2. Go to the Protection Center tab.<br />
3. In the top right corner of the main application window click the Settings link.<br />
4. In the left part of the Settings window select the Security Zone component.<br />
5. In the Additional section check the Delete rules for applications remaining inactive for<br />
more than box and specify the necessary number of days.<br />
6. In the Settings window click the Apply button.<br />
To disable the automatic removal of the rules for unused applications, do the following:<br />
1. In the Additional section uncheck the Delete rules for applications remaining inactive<br />
for more than box.<br />
2. In the Settings window click the Apply button.<br />
Setting of restrictions of parental process<br />
<strong>Application</strong> startup may be initiated either by the user or by another running application. If the<br />
startup is initiated by another application, it results in creating a startup procedure including parent<br />
and child programs.<br />
A parent program is a program which initiated another program.<br />
A child program is a program started by another program.<br />
When an application attempts to obtain access to a protected resource, <strong>Application</strong> <strong>Control</strong><br />
analyzes the rights of all parent processes of this application, and compares them to the rights<br />
required to access this resource.<br />
Access right priority:<br />
• Allow. A program or a group obtains access to a resource. Access right data have the<br />
highest priority.<br />
• Prompt user.<br />
• Block. Access to a resource is denied for a program or a group. Access right data have the<br />
lowest priority.<br />
If the application's activities are blocked due to insufficient rights of a parent process, you can edit<br />
the rules or disable inheritance of restrictions from the parent process.<br />
The application run sequence can be viewed in the <strong>Application</strong> activity window as<br />
follows:<br />
1. Open the main application window.<br />
2. In the main application window go to the Security Zone tab.<br />
3. In the <strong>Application</strong> <strong>Control</strong> section, click the <strong>Application</strong>s Activity link.<br />
4. In the <strong>Application</strong> activity window in the Category list select the necessary category of<br />
applications.<br />
5. In the Run sequence column you can see what applications are parent for the launched<br />
application.<br />
You should modify the rights of a parent process only if you are absolutely certain that the process'<br />
activities do not threaten the system's security.<br />
To disable inheritance of restrictions from the parent process, perform the following steps:<br />
1. On the Security Zone tab in the <strong>Application</strong> <strong>Control</strong> section click the <strong>Application</strong>s<br />
Activity link.<br />
2. In the <strong>Application</strong> activity window in the Category list select the necessary category of<br />
applications.<br />
3. For the necessary application in the Group column left-click the application name.<br />
4. In the context menu select Custom settings.<br />
5. In the Rules of application window on the Rules tab uncheck the Inherit restrictions of<br />
the parent process (application) box.<br />
6. In the window Rules for application click the OK button.<br />
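A small model of the rule resolution described under "Application control rules" and in this section, added here as an illustration; it is not Kaspersky's code. The group rule values, the process names and the assumption that the lowest-priority right in the run sequence is the one applied are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Reaction(Enum):
    INHERIT = "inherit"
    ALLOW = "allow"
    PROMPT = "prompt"
    DENY = "deny"


# "Access right priority" from the text: Allow is highest, Block (Deny) lowest.
PRIORITY = {Reaction.ALLOW: 3, Reaction.PROMPT: 2, Reaction.DENY: 1}

# Constructed group rules for two resource categories. The values are
# illustrative only and are not the product's shipped defaults.
GROUP_RULES: Dict[str, Dict[str, Reaction]] = {
    "Trusted": {"network": Reaction.ALLOW, "identity_data": Reaction.ALLOW},
    "Low Restricted": {"network": Reaction.PROMPT, "identity_data": Reaction.PROMPT},
    "High Restricted": {"network": Reaction.PROMPT, "identity_data": Reaction.DENY},
    "Untrusted": {"network": Reaction.DENY, "identity_data": Reaction.DENY},
}


@dataclass
class App:
    name: str
    group: str
    # Per-application rules; a missing entry means Inherit (the default reaction).
    rules: Dict[str, Reaction] = field(default_factory=dict)
    # Process that started this one (None when started by the user).
    parent: Optional["App"] = None
    # Models the "Inherit restrictions of the parent process (application)" box.
    inherit_parent_restrictions: bool = True


def own_reaction(app: App, resource: str) -> Reaction:
    """Application rule if set, otherwise the rule of the app's trust group."""
    reaction = app.rules.get(resource, Reaction.INHERIT)
    if reaction is Reaction.INHERIT:
        return GROUP_RULES[app.group][resource]
    return reaction


def effective_reaction(app: App, resource: str) -> Tuple[Reaction, str]:
    """Return (reaction, name of the process whose rule decided it).

    Assumption: with inheritance enabled, the lowest-priority right found
    in the run sequence (the app plus all its parents) is applied.
    """
    result, decided_by = own_reaction(app, resource), app.name
    if not app.inherit_parent_restrictions:
        return result, decided_by
    ancestor = app.parent
    while ancestor is not None:
        candidate = own_reaction(ancestor, resource)
        if PRIORITY[candidate] < PRIORITY[result]:
            result, decided_by = candidate, ancestor.name
        ancestor = ancestor.parent
    return result, decided_by


def run_sequence(app: App) -> str:
    """Render the parent chain the way a 'Run sequence' column would read."""
    names = []
    node: Optional[App] = app
    while node is not None:
        names.append(node.name)
        node = node.parent
    return " -> ".join(reversed(names))


# Constructed processes (hypothetical names).
launcher = App("launcher.exe", "Untrusted")
editor = App("editor.exe", "Trusted", parent=launcher)
editor_no_inherit = App("editor.exe", "Trusted", parent=launcher,
                        inherit_parent_restrictions=False)
tool = App("tool.exe", "High Restricted", rules={"network": Reaction.ALLOW})
shell = App("shell.exe", "Trusted")
script_host = App("script_host.exe", "Low Restricted", parent=shell)
updater = App("updater.exe", "Trusted", parent=script_host)

if __name__ == "__main__":
    for app in (editor, editor_no_inherit, tool, updater):
        reaction, source = effective_reaction(app, "network")
        print(f"{run_sequence(app):45} network={reaction.value:6} decided by {source}")
```

With inheritance unchecked, the trusted child of an untrusted parent gets its own group's rights back, which is why the text above says to change this only when the parent process is known to be safe.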
Configuring exclusions<br />
When you create a default application rule, KSOS 2 will monitor any of the user application's<br />
actions, including access to files and folders, access to the execution environment, and network<br />
access. You can exclude certain actions of a user application from the scan as follows:<br />
1. On the Security Zone tab in the <strong>Application</strong> <strong>Control</strong> section click the <strong>Application</strong>s<br />
Activity link.<br />
2. In the <strong>Application</strong> activity window in the Category list select the necessary category of<br />
applications.<br />
3. For the necessary application in the Group column left-click the application name.<br />
4. In the context menu select Custom settings.<br />
5. In the Rules of application window on the Exclusions tab check the boxes that match the<br />
actions you wish to exclude.<br />
6. In the Rules for application window click OK.<br />
When excluding an application's network traffic from the scan, you can configure additional exclusion<br />
settings, such as remote IP addresses and network ports.<br />
Protecting personal data<br />
<strong>Application</strong> <strong>Control</strong> manages the applications' rights to take actions on various resource<br />
categories. KSOS 2 distinguishes two categories of resources: the operating system and<br />
identity data.<br />
The Operating system category includes the following system resources:<br />
► registry keys with autorun parameters;<br />
► registry keys with parameters of work on the Internet;<br />
► registry keys which influence system security;<br />
► system files and folders;<br />
► autorun folders.<br />
Registry is a hierarchical settings database in most Microsoft Windows operating systems.<br />
The Identity data category includes the following resources:<br />
► user’s files (the My Documents folder, cookie files, data about the user’s activity);<br />
► files, folders and registry keys which contain working parameters and important data of the<br />
most frequently used applications: Internet browsers, file managers, mail clients, Internet pagers<br />
and electronic purses.<br />
Cookie files are files saved on the user’s computer. These files store personal data of the user<br />
(for example, password and login) used during the visit of various sites or when returning to the<br />
site after some time. Each site has its own cookie file.<br />
You cannot delete this list. However, you can disable protection of a category by unchecking the box next to<br />
it.<br />
You can also expand this list by adding user categories and / or individual resources.<br />
To expand the list of system resources for the Operating system category, perform the following<br />
actions:<br />
1. Open the main application window.<br />
2. Go to the Protection Center tab.<br />
3. In the top right corner of the main application window click the Settings link.<br />
4. In the left part of the Settings window select the Security Zone component.<br />
5. In the right part of the window click the Settings button.<br />
6. In the Digital Identity Protection window on the Operating system tab in the drop-down<br />
menu in the Category section select a category:<br />
7. Click the Add link to add an additional resource to the selected category.<br />
8. In the User resource window, which opens after you have selected one of the items in the<br />
drop-down menu, click the Browse button.<br />
9. In the Select file or folder window select a resource, and then click the OK button.<br />
10. In the User resource window click the OK button.<br />
11. A newly added resource will be displayed in the Digital Identity Protection window.<br />
After you add a resource, you can edit or remove it using the respective buttons in the top<br />
part of the tab. To disable the control of a resource or category, uncheck the box next to it.<br />
12. In the Digital Identity Protection window click the OK button.<br />
To expand the list of system resources for the Identity Data category, perform the following<br />
actions:<br />
1. In the left part of the Settings window choose Security Zone.<br />
2. In the right part of the window click the Settings button.<br />
3. In the Digital Identity Protection window on the Identity Data tab in the drop-down menu<br />
in the Category section select a category:<br />
4. Click the Add category link to add a new category of resources.<br />
5. In the Identity data category window enter the name of a new group and click the OK<br />
button.<br />
6. Click the Add link to add an additional resource to the selected or added category.<br />
7. In the User resource window click the Browse button.<br />
8. In the Select file or folder window choose the path and click OK.<br />
9. In the User resource window click OK.<br />
10. A newly added resource will be displayed in the Digital Identity Protection window. After<br />
you add a resource, you can edit or remove it using the respective buttons in the top part of<br />
the tab. To disable the control of a resource or category, uncheck the box next to it.<br />
11. In the Digital Identity Protection window click the OK button.<br />
12. In the Settings window click the OK button.<br />