Contents
- Application Privilege Control
- Enabling and disabling Application Privilege Control
- Managing trust groups
- Working with application control rules
- Changing application control rules for trust groups and groups of applications
- Editing an application control rule in a local interface
- Disabling downloads and updates of application control rules from the Kaspersky Security Network database
- Disabling inheritance of restrictions from the parent process in a local interface
- Excluding specific application actions from application control rules in a local interface
- Configuring storage settings for control rules that govern unused applications
- Protecting operating system resources and personal data
Application Privilege Control
The Kaspersky Security functionality described in this section is available only if the application is installed on a virtual machine with a Windows desktop operating system.
Application Privilege Control prevents applications from performing actions that may be dangerous for the operating system, and ensures control over access to operating system resources and to personal data.
This component controls the activity of applications on the protected virtual machine, including their access to protected resources (such as files, folders, and registry keys), by using application control rules. Application control rules are a set of restrictions that apply to various actions of applications in the operating system and to rights to access resources of the protected virtual machine.
The network activity of applications is monitored by the Firewall component.
Application startup may be initiated either by the user or by another running application. When application startup is initiated by another application, a startup sequence is created, which consists of parent and child processes.
When an application attempts to obtain access to a protected resource, Application Privilege Control analyzes all parent processes of the application to determine whether these processes have rights to access the protected resource. The minimum-priority rule then applies: the access rights of the application are compared with those of its parent processes, and the right with the lower priority is applied to the application's activity.
The priority of access rights is as follows:
- Allow. This access right has the highest priority.
- Block. This access right has the lowest priority.
This mechanism prevents a non-trusted application or an application with restricted rights from using a trusted application to perform actions that require certain privileges.
If the activity of an application is blocked because a parent process lacks the required rights, you can edit these rights or disable the inheritance of restrictions from the parent process in the local interface.
When an application is started on the protected virtual machine for the first time, Application Privilege Control scans the application and places it in one of the trust groups. A trust group defines the application control rules that the Kaspersky Security application applies when controlling application activity.
For more efficient operation of Application Privilege Control, it is recommended that you enable the use of Kaspersky Security Network. Data obtained through Kaspersky Security Network allows applications to be sorted into groups more accurately and optimum application control rules to be applied.
The next time the application starts, Application Privilege Control verifies the integrity of the application. If the application is unchanged, the component applies the current application control rules to it. If the application has been modified, Application Privilege Control re-scans it as if it were being started for the first time.
This section describes how to configure Application Privilege Control settings using the Administration Console and the Light Agent for Windows local interface. You can also configure Application Privilege Control settings using the Web Console when creating or modifying the Light Agent for Windows policy settings (Application Settings → Endpoint control → Application Privilege Control). Configuring application control rules using the Web Console is not supported.
Enabling and disabling Application Privilege Control
By default, Application Privilege Control is enabled, running in a mode that is recommended by Kaspersky experts. You can disable Application Privilege Control, if necessary.
To enable or disable Application Privilege Control in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Application Privilege Control section in the list on the left.
- In the right part of the window, do one of the following:
- To enable the Application Privilege Control component, select the Application Privilege Control check box.
- To disable the Application Privilege Control component, clear the Application Privilege Control check box.
- Click the Apply button.
In the local interface of Light Agent for Windows, you can enable or disable a component in two ways:
- On the Protection and Control tab of the main application window.
- From the application settings window.
To enable or disable Application Privilege Control on the Protection and Control tab of the main application window:
- On the protected virtual machine, open the main application window.
- Select the Protection and Control tab.
- Open the Endpoint control section.
- Open the context menu of the Application Privilege Control item and perform one of the following actions:
- To enable Application Privilege Control, select Enable.
The component status icon, which is displayed on the left in the Application Privilege Control line, changes to the icon for the enabled component.
- To disable the Application Privilege Control component, select Disable.
The component status icon, which is displayed on the left in the Application Privilege Control line, changes to the icon for the disabled component.
If this menu item is unavailable, this means that you cannot enable or disable this component because the policy-defined setting is applied to protected virtual machines within the administration group.
To enable or disable Application Privilege Control from the application settings window:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
If component settings are unavailable, this means that you cannot enable or disable this component because the policy-defined setting is applied to protected virtual machines within the administration group.
- Do one of the following:
- To enable the Application Privilege Control component, select the Enable Application Privilege Control check box.
- To disable the Application Privilege Control component, clear the Enable Application Privilege Control check box.
- To save changes, click the Save button.
Managing trust groups
When an application is started on the protected virtual machine for the first time, Application Privilege Control scans the application and places it in one of the trust groups.
At the first stage of the application scan, Application Privilege Control searches the internal database of known applications for a matching entry and then sends a request to the Kaspersky Security Network database (if an Internet connection is available). If the application matches an entry in the Kaspersky Security Network database, the application is assigned to the trust group that is specified in the Kaspersky Security Network database. Each time the application is started, Application Privilege Control sends a new query to the KSN database and places the application into a different trust group if the reputation of the application in the KSN database has changed.
By default, Kaspersky Security uses heuristic analysis to assign unknown applications (those not included in the KSN database and lacking the signature of a trusted vendor) to trust groups. During heuristic analysis, Kaspersky Security determines the threat level of an application and puts the application into a specific trust group based on that threat level. Instead of using heuristic analysis, you can specify a trust group to which Kaspersky Security automatically assigns all unknown applications.
By default, Application Privilege Control scans an application for 30 seconds. If the threat level of the application has not been determined after this time, Application Privilege Control assigns the application to the Low Restriction group and continues its attempt to determine the threat level of the application in background mode. Application Privilege Control then assigns the application to the appropriate trust group. You can change the amount of time that is allocated for determining the threat level of applications that are started. If you are certain that all applications that are launched on the protected virtual machine do not pose a threat to security, you can reduce the amount of time that is allocated for determining the threat level of applications. If you install applications whose safety is questionable on the protected virtual machine, you are advised to increase the amount of time that is allocated for determining the threat level of applications.
If an application has a high threat level, Kaspersky Security notifies the user and prompts them to choose the trust group to which this application is to be assigned. This notification contains statistics about use of the application by Kaspersky Security Network participants. Based on these statistics and on knowing how the application appeared on the virtual machine, you can make an objective choice about which trust group to place the application in.
Placing applications into groups
To configure distribution of applications by trust groups in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Application Privilege Control section in the list on the left.
- To automatically place digitally signed applications in the Trusted group, select the Trust applications with a digital signature check box.
- Choose the way in which unknown applications are to be assigned to trust groups:
- To use heuristic analysis for assigning unknown applications to trust groups, select Use heuristic analysis to assign group and specify the amount of time allocated for scanning the application that is launched in the Maximum time to assign group field.
- If you want to assign all unknown applications to a specified trust group, select the option Automatically move to group and select the appropriate trust group in the drop-down list.
- Click the Apply button.
To configure distribution of applications by trust groups in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Complete steps 6–7 of the previous instructions.
- To save changes, click the Save button.
Moving an application to a trust group in a local interface
When the application is first started, Application Privilege Control automatically places the application in a trust group. If necessary, you can manually move the application to another trust group in the local interface.
Kaspersky experts do not recommend moving applications from the automatically assigned trust group to a different trust group. Instead, you can edit a control rule for an individual application if necessary.
To move an application to a trust group in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Click the Applications button.
The Applications window opens on the Application Privilege Control rules tab.
- In the list of applications, select the relevant application and perform one of the following actions:
- Open the context menu of the application and select Move to group / <Group name>.
- Click the Trusted / Low Restriction / High Restriction / Untrusted link in the bottom-left corner of the Application control rules tab to open the context menu and select the necessary trust group.
- In the Applications window, click OK.
- To save changes, click the Save button.
Working with application control rules
By default, application activity is controlled by the application control rules defined for the trust group to which the Application Privilege Control component assigned the application on first launch. If necessary, you can edit the application control rules for an entire trust group, for an individual application, or for a group of applications within a trust group.
Application control rules that are defined for individual applications or groups of applications within a trust group take priority over the application control rules defined for the trust group itself. In other words, where the rule settings for an individual application or application group differ from the trust group's rule settings, the Application Privilege Control component controls that application or group according to its own rules rather than the trust group's rules.
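The minimum-priority rule from the component overview (rights are combined along the parent-process chain, Allow having the highest priority and Block the lowest) and the rule precedence just described can be modelled in a few lines. This is an added illustration, not Kaspersky's code; the trust-group and application-group rule tables, the resource names and the application names are constructed, and the Log events action is omitted because the page does not state its priority relative to Allow and Block.

```python
"""Model of how Application Privilege Control resolves an application's
effective right to a protected resource. Constructed illustration of the
behaviour documented on this page; not Kaspersky's implementation.

Rule levels (most specific wins): application rule > application-group rule
> trust-group rule. A level set to Inherit defers to the next level up, and
trust-group rules cannot be Inherit. Along a startup chain (parent -> child)
the minimum-priority rule applies: Allow has the highest priority and Block
the lowest, so a Block anywhere in the chain wins. An application with
"Do not inherit restrictions of the parent process" set is judged on its
own rules only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INHERIT, ALLOW, BLOCK = "Inherit", "Allow", "Block"
PRIORITY = {ALLOW: 2, BLOCK: 1}  # Allow: highest priority, Block: lowest

# Constructed trust-group rules for two sample protected resources.
# Resource names are placeholders, not the product's real category names.
TRUST_GROUP_RULES: Dict[str, Dict[str, str]] = {
    "Trusted":          {"registry:autorun": ALLOW, "files:user documents": ALLOW},
    "Low Restriction":  {"registry:autorun": BLOCK, "files:user documents": ALLOW},
    "High Restriction": {"registry:autorun": BLOCK, "files:user documents": BLOCK},
    "Untrusted":        {"registry:autorun": BLOCK, "files:user documents": BLOCK},
}

# Constructed application-group rules, keyed by (trust group, application group).
# Inherit at this level defers to the trust-group rule.
APP_GROUP_RULES: Dict[Tuple[str, str], Dict[str, str]] = {
    ("Low Restriction", "Office tools"): {"registry:autorun": INHERIT,
                                         "files:user documents": INHERIT},
}


@dataclass
class App:
    name: str
    trust_group: str
    app_group: Optional[str] = None
    rules: Dict[str, str] = field(default_factory=dict)  # per-application overrides
    no_parent_inheritance: bool = False  # "Do not inherit restrictions of the parent process"


def own_right(app: App, resource: str) -> str:
    """Right of one application on its own, following rule-level precedence."""
    right = app.rules.get(resource, INHERIT)
    if right == INHERIT and app.app_group is not None:
        group_rules = APP_GROUP_RULES.get((app.trust_group, app.app_group), {})
        right = group_rules.get(resource, INHERIT)
    if right == INHERIT:
        # The trust-group level has no Inherit option, so it always yields Allow or Block.
        right = TRUST_GROUP_RULES[app.trust_group][resource]
    return right


def effective_right(chain: List[App], resource: str) -> str:
    """Effective right for the last App in `chain` (root parent first).

    The requesting application's own right is combined with every parent's right
    under the minimum-priority rule, unless the requesting application has
    "Do not inherit restrictions of the parent process" set (an assumption:
    the flag is modelled only for the requesting application).
    """
    if not chain:
        raise ValueError("chain must contain at least the requesting application")
    requester = chain[-1]
    considered = [requester] if requester.no_parent_inheritance else chain
    rights = [own_right(app, resource) for app in considered]
    return min(rights, key=lambda r: PRIORITY[r])


def explain(chain: List[App], resource: str) -> List[Tuple[str, str]]:
    """Per-process rights along the chain, to see which parent caused a block."""
    return [(app.name, own_right(app, resource)) for app in chain]


if __name__ == "__main__":
    # Constructed scenario: an Untrusted application starts a Trusted editor,
    # which then tries to write an autorun registry value. The parent's Block
    # has the lower priority and therefore wins.
    unknown = App("unknown_tool.exe", "Untrusted")
    editor = App("editor.exe", "Trusted")
    print(explain([unknown, editor], "registry:autorun"))
    print(effective_right([unknown, editor], "registry:autorun"))
```

Running the block prints the per-process rights and the resulting Block; flipping `no_parent_inheritance` on the editor returns Allow, which is exactly the effect of the Exclusions check box described later on this page.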
Changing application control rules for trust groups and groups of applications
Optimal application control rules for each trust group are defined by default. The settings of rules for application groups inherit their values from the application control rules of the trust group. You can change the predefined application control rules for trust groups and for groups of applications.
To change the application control rules for a trust group or an application group in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Application Privilege Control section in the list on the left.
- In the right part of the window, in the Application rules section, click the Settings button located in the upper part of the section.
- In the Applications window that opens, on the Application Privilege Control rules tab, in the list of applications, select the trust group or application group for which you want to change an application control rule.
- Click the Edit button or open the context menu and select the Group rules item.
- In the Application group control rule window that opens, perform one of the following actions:
- To edit trust group control rules or rules for application group control that govern the rights of the trust group or application group to access the operating system registry, user files, and application settings, select the Files and system registry tab.
- To edit trust group control rules or rules for application group control that govern the rights of the trust group or application group to access operating system processes and objects, select the Rights tab.
- For the relevant resource, in the column of the corresponding action, open the context menu and select the necessary item:
- Inherit.
- Allow.
- Block.
- Log events.
If you are editing trust group control rules, the Inherit item is not available.
- In the Application group control rules window, click OK.
- In the Applications window, click OK.
- Click the Apply button.
To change application control rules for a trust group or an application group in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Click the Applications button.
The Applications window opens on the Application Privilege Control rules tab.
- Complete steps 7–12 of the previous instructions.
- To save changes, click the Save button.
Editing an application control rule in a local interface
By default, the settings of application control rules of applications that belong to an application group or trust group inherit the values of settings of trust group control rules. If necessary, you can change the settings of an application control rule in the local interface.
To change an application control rule:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Click the Applications button.
- In the Applications window that opens, on the Application control rules tab in the list of applications, select the required application.
- Do one of the following:
- Click the Edit button located above the application list.
- Open the application context menu and select Application rules.
- Click the Additional button in the lower-right corner of the Application control rules tab.
- In the Application control rules window that opens, perform one of the following actions:
- To edit application control rules that govern the rights of the application to access the operating system registry, user files, and application settings, select the Files and system registry tab.
- To edit application control rules that govern the rights of the application to access operating system processes and objects, select the Rights tab.
- For the relevant resource, in the column of the corresponding action, open the context menu and select the necessary item:
- Inherit.
- Allow.
- Block.
- Log events.
- In the Application control rules window, click OK.
- In the Applications window, click OK.
- To save changes, click the Save button.
Disabling downloads and updates of application control rules from the Kaspersky Security Network database
By default, applications that are in the Kaspersky Security Network database are processed according to the application control rules that are loaded from this database. If an application was not in the Kaspersky Security Network database when started for the first time, but information about it was added to the database later, by default Kaspersky Security automatically updates the control rules for this application. You can disable downloads of application control rules from the Kaspersky Security Network database and automatic updates of control rules for previously unknown applications.
To disable downloads and updates of application control rules from the Kaspersky Security Network database using Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Application Privilege Control section in the list on the left.
- In the right part of the window, clear the Update control rules for previously unknown applications from KSN databases check box.
- Click the Apply button.
To disable downloads and updates of the application control rules from the Kaspersky Security Network database in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Clear the Update control rules for previously unknown applications from KSN databases check box.
- To save changes, click the Save button.
Disabling inheritance of restrictions from the parent process in a local interface
If the activity of an application is blocked due to the lack of rights that are granted to a parent process, you can edit these rights or disable the inheritance of restrictions from the parent process in the local interface.
To disable the inheritance of restrictions from the parent process:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Click the Applications button.
The Applications window opens on the Application Privilege Control rules tab.
- In the list of applications, select the desired application.
- Open the application context menu and select Application rules.
The Application control rules window opens.
- Select the Exclusions tab.
- Select the Do not inherit restrictions of the parent process (application) check box.
- In the Application control rules window, click OK.
- In the Applications window, click OK.
- To save changes, click the Save button.
Excluding specific application actions from application control rules in a local interface
To exclude specific application actions from application control rules:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Click the Applications button.
The Applications window opens on the Application Privilege Control rules tab.
- In the list of applications, select the desired application.
- Open the application context menu and select Application rules.
The Application control rules window opens.
- Select the Exclusions tab.
- Select the check boxes next to application actions that do not need to be monitored or that need to be allowed:
- Do not scan opened files.
- Do not monitor application activity.
- Do not inherit restrictions of the parent process (application).
- Do not monitor child application activity.
- Allow interaction with application interface.
- Do not scan network traffic.
If you selected the Do not scan network traffic check box, you can use the links in the lower part of the window to configure the following settings for scanning traffic transmitted for this application:
- Exclude all traffic or only encrypted traffic from scans.
- Exclude from scans the traffic transmitted for this application from any IP address or only from specified IP addresses.
- Exclude from scans the traffic transmitted for this application from any or only from specified ports.
You can modify these settings by clicking the link.
- In the Application control rules window, click OK.
- In the Applications window, click OK.
- To save changes, click the Save button.
Configuring storage settings for control rules that govern unused applications
By default, control rules for applications that have not been started in 60 days are deleted automatically. You can change the storage duration for control rules for unused applications or disable the automatic deletion of rules.
To configure storage settings for unused application control rules in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Application Privilege Control section in the list on the left.
- In the right part of the window, do one of the following:
- If you want Kaspersky Security to delete control rules of unused applications after a specified amount of time, select the Delete rules for applications that are not started for more than check box and, in the field to the right, specify the amount of time (in days) to store control rules of unused applications.
- If you want to disable automatic deletion of control rules for unused applications, clear the Delete rules for applications that are not started for more than check box.
- Click the Apply button.
To configure storage settings for unused application control rules in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Do one of the following:
- If you want Kaspersky Security to delete control rules of unused applications after a specified amount of time, select the Delete rules for applications that are not started for more than check box and, in the field to the right, specify the amount of time (in days) to store control rules of unused applications.
- If you want to disable automatic deletion of control rules for unused applications, clear the Delete rules for applications that are not started for more than check box.
- To save changes, click the Save button.
Protecting operating system resources and personal data
Application Privilege Control manages application rights to take actions on various categories of operating system resources and of personal data.
Kaspersky experts have established preset categories of protected resources. You cannot edit or delete the preset categories of protected resources or the protected resources that are within these categories.
You can perform the following actions:
- Create a new category of protected resources.
- Create a new protected resource.
- Exclude a resource from protection.
Creating a category of protected resources
To create a category of protected resources using Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Application Privilege Control section in the list on the left.
- In the right part of the window, in the Application rules section, click the Settings button located in the lower part of the section.
- In the Applications window that opens, in the left part of the Protected resources tab, select the section or category of protected resources to which you want to add a new category of protected resources.
- In the upper-left part of the Protected resources tab, open the context menu of the Add button and select Category from the menu.
- In the Category of protected resources window that opens, enter the name for the new category of protected resources.
- In the Category of protected resources window, click OK.
A new item appears in the list of categories of protected resources.
- In the Applications window, click OK.
- Click the Apply button.
To create a category of protected resources in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
- Click the Resources button.
The Applications window opens on the Protected resources tab.
- Complete steps 7–11 of the previous instructions.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- To save changes, click the Save button.
After you create a category of protected resources, you can edit or remove it by clicking the Edit or Delete buttons in the upper-left part of the Protected resources tab.
Creating a protected resource
To create a protected resource in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Application Privilege Control section in the list on the left.
- In the right part of the window, in the Application rules section, click the Settings button located in the lower part of the section.
- In the Applications window that opens, in the left part of the Protected resources tab, select a section or category of protected resources to which you want to add a new protected resource.
- In the upper-left part of the Protected resources tab, open the context menu of the Add button and select the type of resource to add: File or folder or Registry key.
- In the Protected resource window that opens, in the Name field, enter a name for the protected resource.
- Click the Browse button.
- In the window that opens, specify the required settings for the selected resource type (the file or folder path, or the registry key) and click OK.
- In the Protected resource window, click OK.
A new item appears in the list of protected resources of the selected category on the Protected resources tab.
- In the Applications window, click OK.
- Click the Apply button.
To create a protected resource in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
- Click the Resources button.
The Applications window opens on the Protected resources tab.
- Complete steps 7–13 of the previous instructions.
If the settings in the local interface are unavailable, the values defined by the policy are applied to all protected virtual machines in the administration group.
- To save changes, click the Save button.
After you add a protected resource, you can edit or remove it by clicking the Edit or Delete buttons in the upper-left part of the Protected resources tab.
Excluding a resource from protection
To exclude a resource from the protection scope in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> window by double-clicking it.
- In the policy properties window, select the Application Privilege Control section in the list on the left.
- In the right part of the window, in the Application rules section, click the Settings button in the lower part of the section.
- In the Applications window that opens, on the Protected resources tab, exclude the resource from the protection scope in one of the following ways:
- Disable protection of a resource. To do so, in the left part of the tab, in the list of protected resources, select the resource whose protection you want to disable and clear the check box next to its name.
- Add the resource to the list of exclusions from protection by the Application Privilege Control component. To do this, perform the following actions:
- Click the Exclusions button in the upper-right part of the Protected resources tab.
- In the Exclusions window that opens, open the context menu of the Add button and select the type of resource to add to the list of exclusions: File or folder or Registry key.
- In the Protected resource window that opens, in the Name field, enter a name for the resource that is being excluded from protection.
- Click the Browse button.
- In the window that opens, specify the required settings for the selected resource type (the file or folder path, or the registry key) and click OK.
- In the Protected resource window, click OK.
A new item appears in the list of resources that are excluded from protection by the Application Privilege Control component.
- Click OK in the Exclusions window.
- In the Applications window, click OK.
- Click the Apply button.
To exclude a resource from the protection scope in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select Application Privilege Control.
In the right part of the window, the Application Privilege Control component's settings are displayed.
- Click the Resources button.
The Applications window opens on the Protected resources tab.
- Complete steps 7–8 of the previous instructions.
If the settings in the local interface are unavailable, the values defined by the policy are applied to all protected virtual machines in the administration group.
- To save changes, click the Save button.