Configuring Application Control in the command line
In the command line, you can manage Application Control by using the Application Control predefined task (Application_Control).
By default, the Application Control task does not run. You can start and stop the task manually.
You can configure Application Control on a device by editing the settings of the Application Control predefined task.
If you change the list of allowed applications or prohibit the launch of all applications or applications affecting Kaspersky Embedded Systems Security's operation, then when modifying the task settings using the configuration file or using command line options, run the kess-control --set-settings command with the --accept flag.
You can also configure Application Control using Application Control commands:
- Create and edit lists of categories.
- View the list of categories created in the application.
- Configure the list of application control rules.
- Configure the list of certificates trusted by Application Control.
Application Control task settings
The table describes all available values and the default values of all the settings that you can specify for the Application Control task.
Setting | Description | Values |
---|---|---|
|
Application Control task operation mode. |
|
|
Enable trusted certificates for Application Control. |
You can configure the list of trusted certificates for Application Control using application commands.
|
|
The action that Kaspersky Embedded Systems Security performs upon detecting an attempt to start an application that matches the configured rules. |
|
The [Categories.item_#] section contains the following settings: |
||
|
Name of the application category to which the rule applies. |
|
|
Usage of inclusive conditions to trigger the rule. |
|
|
Name of the executable file that triggers the rule. |
You can use masks to specify the file name. |
|
Name of the directory with the application's executable file that triggers the rule. |
You can use masks to specify the directory name. |
|
SHA256 hash of the executable file that triggers the rule. |
Only SHA256 can be used. |
|
Usage of excluding conditions to trigger the rule. |
|
|
Name of the executable file that triggers the rule. |
You can use masks to specify the file name. |
|
Name of the directory with the application's executable file that triggers the rule. |
You can use masks to specify the directory name. |
|
SHA256 hash of the executable file that triggers the rule. |
Only SHA256 can be used. |
The [AllowListRules.item_#] section contains a list of Application Control rules for the AllowList operation mode. Each [AllowListRules.item_#] section contains the following settings: |
||
|
Description of the Application Control rule. |
|
|
Operation status of the Application Control rule: |
|
|
Name of the application category for which the rule applies. You can specify the "Golden Image" category. |
|
The [AllowListRules.item_#.ACL.item_#] section contains a list of users who are allowed or denied to run applications. |
||
|
Access type assigned to a user or user group. |
|
|
User or user group to which the Application Control rule applies. |
|
The [DenyListRules.item_#] section contains a list of Application Control rules for the DenyList operation mode. Each [DenyListRules.item_#] section contains the following settings: |
||
|
Description of the Application Control rule. |
|
|
Operation status of the Application Control rule: |
|
|
Name of the created application category to which the rule applies. You can specify the "Golden Image" list of applications as a category. |
|
The [DenyListRules.item_#.ACL.item_#] section contains a list of users who are allowed or denied to run applications. |
||
|
Access type assigned to a user or user group. |
|
|
User or user group to which the Application Control rule applies. |
|
Creating and editing a list of categories
You can create a new category in two ways:
- Using the "kess-control --set-settings" command and the Application Control task settings configuration file (Application_Control)
- Using the "kess-control --set-categories" command and the category settings configuration file
To create application categories, run the following command:
kess-control --set-categories --file <path to configuration file>
where:
--file <path to configuration file> – path to the configuration file with the category settings.
The file with category settings must have the following structure:
[
    {
        "Exclude" : [ "(FilePath like <full path to the executable file>)", "(FileHash == <executable file hash>)" ],
        "GUID" : "<unique category ID>",
        "Include" : [ "(FilePath like <full path to executable file>)", "(FileHash == <executable file hash>)" ],
        "Name" : "<name of category 1>"
    },
    {
        "Exclude" : [ "(FilePath like <full path to the executable file>)", "(FileHash == <executable file hash>)" ],
        "GUID" : "<unique category ID>",
        "Include" : [ "(FilePath like <full path to executable file>)", "(FileHash == <executable file hash>)" ],
        "Name" : "<name of category 2>"
    }
]
To specify the file name in the Exclude and Include fields, you can use masks.
The Name setting is required. If you do not specify the name of the category, it will not be created or will be deleted. The GUID setting is also required. If you do not specify it, an error message is displayed and the category is not created. The GUID setting must be specified without hyphens.
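A pre-import check for the category file described above, as an added example rather than Kaspersky's own code: it builds an entry with a hyphen-free GUID and SHA256 conditions, then flags entries that lack Name or GUID or carry a non-SHA256 hash. The condition strings copy the page's template literally; the value quoting and hash letter case are assumptions, as are the function names and the sample path mask.

```python
import hashlib
import json
import re
import uuid

# Condition templates as shown on the page; exact quoting inside is an assumption.
COND_RE = re.compile(r"\((FilePath like .+|FileHash == .+)\)")
SHA256_COND_RE = re.compile(r"\(FileHash == [0-9A-Fa-f]{64}\)")
GUID_RE = re.compile(r"[0-9A-Fa-f]{32}")  # GUID with the hyphens removed


def sha256_of(path):
    """Hash a file in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_category(name, include_files, exclude_paths=()):
    """Build one category entry that pins each included file by SHA256."""
    return {
        "Exclude": [f"(FilePath like {p})" for p in exclude_paths],
        "GUID": uuid.uuid4().hex,  # .hex omits the hyphens
        "Include": [f"(FileHash == {sha256_of(p)})" for p in include_files],
        "Name": name,
    }


def lint_categories(categories):
    """List problems that would stop a category from being created."""
    problems = []
    for i, cat in enumerate(categories):
        if not cat.get("Name"):
            problems.append(f"item {i}: Name is missing")
        if not GUID_RE.fullmatch(cat.get("GUID", "")):
            problems.append(f"item {i}: GUID must be 32 hex digits, no hyphens")
        for cond in cat.get("Include", []) + cat.get("Exclude", []):
            if not COND_RE.fullmatch(cond):
                problems.append(f"item {i}: unrecognised condition {cond!r}")
            elif cond.startswith("(FileHash") and not SHA256_COND_RE.fullmatch(cond):
                problems.append(f"item {i}: hash is not SHA256 in {cond!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: pin this script itself and exclude a made-up path mask.
    cats = [build_category("Maintenance tools", [__file__], ["/opt/tools/tmp/*"])]
    print(lint_categories(cats) or json.dumps(cats, indent=4))
```

Comparing the generated file with the output of kess-control --get-categories --json on a test device confirms the condition syntax before the file is imported.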
To edit the list of created application categories, run the following command:
kess-control --set-categories [--names <name of category 1> <name of category 2> ... <name of category N>] --file <path to configuration file>
where:
<name of category 1> <name of category 2> ... <name of category N> – names of the categories whose information you want to change. If you want to change information about several categories, specify the names of the categories, separated by a space. If you do not specify a category name, existing categories are deleted and new categories are created from the specified file.
--file <path to configuration file> – path to the configuration file with the category settings.
Viewing the list of created categories
In the command line, you can view the list of created application categories using the Application Control administration command.
The list of created categories contains the following categories:
- Categories created in Kaspersky Security Center.
- Categories added in the Application Control task settings using the command line.
- The "GoldenImage" category created using the Inventory task (in Kaspersky Security Center or using the command line).
To view the list of all created application categories, run the following command:
kess-control --get-categories [--file <path to configuration file>] [--json]
where:
--file <path to configuration file> – full path to the JSON configuration file to which the settings will be output.
--json is specified to output the settings in JSON format. If the --json option is omitted, the settings are output in the INI format.
Kaspersky Embedded Systems Security displays the following information about each application category:
- Unique identifier (GUID) of the category
- Category name
- List of inclusive conditions to trigger the rule
- List of exclusive conditions to trigger the rule
To view the list of created application categories, execute the following command:
kess-control --get-categories [--names <name of category 1> <name of category 2> ... <name of category N>] [--file <path to configuration file>] [--json]
where:
<name of category 1> <name of category 2> ... <name of category N> – names of the categories whose information you want to view. If you want to view information about several categories, specify the names of the categories, separated by a space.
--file <path to configuration file> – full path to the JSON configuration file to which the category list will be exported.
--json is specified to output the settings in JSON format. If the --json option is omitted, the settings are output in the INI format.
If in the Application Control task settings, in the [Categories.item_#] section for inclusive or exclusive conditions for triggering a rule, you specify symbolic links to an application file or directory with executable files, then when viewing the list of categories for these conditions, the source path to which the symbolic link points is displayed.
Configuring the Application Control rule list
To view the list of Application Control rules, run the following command:
kess-control --get-settings 21 [--file <path to configuration file>] [--json]
where:
--file <path to configuration file> – full path to the configuration file to which the settings will be exported.
--json – output data in JSON format.
Kaspersky Embedded Systems Security displays the following information about Application Control rules:
- Application Control task operation mode
- The action that Application Control takes upon detecting an attempt to launch an application that matches the configured rule
- Description of the Application Control rule (if any)
- Operation status of the Application Control rule
- Name of the application category the rule applies to
- Access type assigned to a user or user group
- User or user group to which the Application Control rule applies
To edit the list of application categories and Application Control rules, run the following command:
kess-control --set-settings 21 [--file <path to configuration file>] [--json]
where:
--file <path to configuration file> – full path to the configuration file from which the settings will be imported.
--json – import data from a JSON file.
To delete the list of application categories and Application Control rules, run the following command:
kess-control --set-settings 21 --set-to-default
Managing the list of trusted certificates of Application Control
To add a certificate to the trusted certificate list for Application Control, run the following command:
kess-control --add-app-control-trust-certificates <path to certificate>
where:
<path to certificate> is the path to the certificate file that you want to add (PEM or DER format).
To remove a certificate from Application Control's trusted certificate list, run the following command:
kess-control --remove-app-control-trust-certificates <certificate serial number>
To view Application Control's list of trusted certificates, run the following command:
kess-control --query-app-control-trust-certificates
The following information is displayed for each certificate:
- certificate subject
- serial number
- certificate issuer
- certificate start date
- certificate expiration date
- SHA256 certificate fingerprint