046.12.5 - Kaspersky Next EDR Foundations - Student Guide. Unit 3 - InGLES

The document outlines the Kaspersky Next EDR Foundations, focusing on security controls such as Application Control, Device Control, and Web Control. It details the purpose, setup, and operational principles of these components, emphasizing their role in enforcing corporate security policies and managing software and device usage. Additionally, it provides guidance on licensing and the installation of control components within the Kaspersky Endpoint Security package.


14/2/25, 4:01 p.m. KL 046.12.5. Kaspersky Next EDR Foundations

KL 046.12.5. Kaspersky Next EDR Foundations

https://partners.kaspersky.com/upload/courses-materials/046.12.5/en/unit 3/index.html 1/72

Unit III. Security controls


Table of contents
Unit III. Security controls
Glossary
1. General
1.1. Purpose of the control components
1.2. Licensing
1.3. Control components in the installation package
2. Application Control
2.1. Operating principles
2.2. Setting up the component
2.3. Applications on the local network
2.4. Start of executable files on the computers
2.5. Inventory task
2.6. Creating categories
Manually
Based on KL categories
Based on certificates
Based on a file path
Based on location on removable drives
From the list of executable files
From the applications registry
By manually specifying hash, metadata or certificate
From a file or MSI package
Exclusions
Based on a folder
Based on computers
KL category of an executable file
How to add a program to a category
2.7. Using Application Control
Enabling Application Control
Application Control mode
Application Control rules
2.8. How it works
Local notifications and user requests
Where do user requests go?
Application Control events
Report on prohibited applications
2.9. Default deny mode
3. Device Control
3.1. Why Device Control is necessary and how it can help
3.2. Configuring Device Control
Connection buses
Device types
Rules for data storage devices
3.3. Removable drive access log
Access to Wi-Fi networks
Anti-Bridging


3.4. How it works


Local notifications and user requests
Where do user requests go?
Temporary access to blocked devices
Trusted devices
Export and import of the list of trusted devices
Device Control events
Device Control reports
4. Web Control
4.1. Why Web Control is necessary and how it works
4.2. Configure Web Control
Web Control rules
Categories and data types
Exclusions
Rule diagnostics
4.3. How it works
If the user tries to open a blocked website
If the user opens an undesired website
Where do user requests go?
Notification template
Web Control events
Report on Web Control


Glossary
KES
Kaspersky Endpoint Security

KSC
Kaspersky Security Center

KSN
Kaspersky Security Network


1. General
In this unit, we will study the control components of Kaspersky Next EDR Foundations and their
capabilities.


1.1. Purpose of the control components

In addition to anti-malware protection, Kaspersky Next EDR Foundations contains control
components that restrict actions harmful to computers or the company in general.

Application Control monitors users’ attempts to start programs and regulates application
launches through rules configured by the administrator.

Device Control brings the use of various devices into compliance with corporate policy. This
component includes the Anti-Bridging module, which regulates switching between network
adapters and thereby helps prevent unauthorized connections.

Web Control limits access to websites depending on their content; you can also block
addresses by masks.


1.2. Licensing

A Kaspersky Next EDR Foundations license lets you use the Application Control, Device Control,
and Web Control components. A Kaspersky Next EDR Optimum license provides the additional
capability of using the Adaptive Anomaly Control component.

Adaptive Anomaly Control can be installed only on Windows workstations.


1.3. Control components in the installation package

Control components that are activated by a Kaspersky Next EDR Foundations license are enabled
by default in the properties of the Kaspersky Endpoint Security package that the Administration
Server Quick Start Wizard creates.

You just need to consider which components can be installed on workstations and which
components can be installed on server operating systems.

If some components are not installed on computers, you can add them without reinstalling
Kaspersky Endpoint Security.

Use the Change application components task of Kaspersky Endpoint Security. This task is
designed specifically for uninstalling or adding Kaspersky Endpoint Security components without
reinstalling the application. The task creates little traffic, as it reuses the MSI package of Kaspersky
Endpoint Security, which was saved on the client computer during the initial installation.


In the task properties, you can select the components to be installed, just like in an installation
package. Complete the task creation wizard. Then open the task properties and choose the
necessary components.


2. Application Control
Application Control helps enforce the corporate security policy by restricting the launch of software
on endpoints. At the same time, Application Control also reduces the computer infection risk by
decreasing the attack surface.


2.1. Operating principles

Application Control lets the administrator restrict which programs users can run on computers.
Permissions to start software are specified in special rules.

When a program starts, Application Control checks:

The category the program belongs to (categories are configured by the administrator)

The account under which the program was started

Whether the Kaspersky Endpoint Security policy contains any rules that regulate the start of this
program category for this account.

Kaspersky Endpoint Security then identifies the current operating mode of Application Control:

Denylist: everything is allowed by default. Only the programs that belong to categories that the
administrator prohibited in the Kaspersky Endpoint Security policy are blocked. Meaning, if
there is no matching blocking rule, the program will be permitted to start.

Allowlist: everything is prohibited by default. Only the programs that belong to categories that
the administrator allowed in the Kaspersky Endpoint Security policy are permitted to start. If
there is no matching allowing rule, the program will be blocked.

Allowlist mode is used in the Default Deny approach. It is described in the respective section of
this chapter. Also, refer to the KL 032 Default Deny course for further details.


2.2. Setting up the component

Application Control is configured in two stages:

1. Create categories in Kaspersky Security Center.

For example, Web browsers, Games, Third-party messengers, Allowed programs, etc.

Add all programs that you want to control to these categories. We describe how to do this in
the next section.

Categories are configured for the whole Administration Server in a single location: Operations
| Third-Party Applications | Application categories.

2. Create rules in the Kaspersky Endpoint Security policy for these categories.

In the rules configured for each application category in the Kaspersky Endpoint Security policy,
you can specify the action to perform on the applications that belong to the category:

Allow

Block

Notify Kaspersky Security Center about each start

Categories are created on the Kaspersky Security Center Administration Server and are
transferred to client computers similarly to the way policies and tasks are transferred. Only changes
are sent during synchronization (rather than the complete list and contents of all categories).

Note that categories are specified for the whole Administration Server, but different rules may be
configured for different computer groups. For example, Skype can be prohibited for everybody
except certain individual users; additionally, marketers can be allowed to use it, with the
administrator receiving a corresponding notification every time it is started.

You can use each category only once in a Kaspersky Endpoint Security policy. In other words, if a
rule is already configured for a specific category, you will not be able to create another rule for this
category. Instead, you will have to create a new category.


Please keep in mind that the Application Control component does not work
without Kaspersky Security Center.
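The two-stage model above (Server-wide categories, then one rule per category in the policy) together with the denylist/allowlist logic of section 2.1 can be reduced to a small decision function. The following is an added example written for this guide, not Kaspersky Endpoint Security code: the class names, the Everyone placeholder and the precedence choices (a named user or group entry outranks an Everyone entry; an explicit block outranks an allow when a file sits in several categories) are this example's own assumptions.

```python
"""Decision model for Application Control (sections 2.1 and 2.2): categories defined
once on the Administration Server, one rule per category in the policy, and a
denylist or allowlist mode. Added example with its own names; not a Kaspersky API."""
from __future__ import annotations
from dataclasses import dataclass, field

EVERYONE = "Everyone"                      # stands in for the built-in Everyone group
DENYLIST, ALLOWLIST = "denylist", "allowlist"


@dataclass
class Rule:
    category: str                                   # category name from the Server
    allowed: set = field(default_factory=set)       # users/groups permitted to start it
    denied: set = field(default_factory=set)        # users/groups blocked from starting it
    notify: bool = False                            # report every start to Security Center

    def verdict(self, principals):
        """True = allows, False = blocks, None = says nothing about this account.
        Assumption of this example: a named user or group entry outranks an
        Everyone entry, so denied={Everyone}, allowed={Marketing} blocks all but
        marketing staff (the guide's Skype case)."""
        named = principals - {EVERYONE}
        if self.allowed & named:
            return True
        if self.denied & named:
            return False
        if EVERYONE in self.allowed:
            return True
        if EVERYONE in self.denied:
            return False
        return None


@dataclass
class Policy:
    mode: str
    rules: dict = field(default_factory=dict)       # category name -> Rule

    def add_rule(self, rule):
        # A category can be used only once per policy; a second rule needs a new category.
        if rule.category in self.rules:
            raise ValueError(f"category {rule.category!r} already has a rule in this policy")
        self.rules[rule.category] = rule


def decide(policy, file_categories, principals):
    """file_categories: names of the categories the started file falls into.
    principals: the account plus its groups (Everyone included).
    Returns (allowed, notify). Assumption: an explicit block outranks an allow when a
    file sits in several categories, whatever the mode."""
    verdicts, notify = [], False
    for category in file_categories:
        rule = policy.rules.get(category)
        v = rule.verdict(principals) if rule else None
        if v is None:
            continue
        verdicts.append(v)
        notify = notify or rule.notify
    if False in verdicts:
        return False, notify
    if policy.mode == DENYLIST:
        return True, notify                  # nothing blocked it: allowed by default
    if policy.mode == ALLOWLIST:
        return True in verdicts, notify      # needs an explicit allow, else blocked
    raise ValueError(f"unknown mode {policy.mode!r}")


def demo():
    """Constructed policies: the guide's messenger example under both modes."""
    messenger = Rule("Third-party messengers", allowed={"Marketing", "alice"},
                     denied={EVERYONE}, notify=True)
    games = Rule("Games", denied={EVERYONE})
    approved = Rule("Allowed programs", allowed={EVERYONE})

    denylist, allowlist = Policy(DENYLIST), Policy(ALLOWLIST)
    for r in (messenger, games):
        denylist.add_rule(r)
    for r in (messenger, approved):
        allowlist.add_rule(r)

    bob = {"bob", "Marketing", EVERYONE}      # marketing staff
    carol = {"carol", "Accounting", EVERYONE}
    return {
        "denylist messenger bob": decide(denylist, {"Third-party messengers"}, bob),
        "denylist messenger carol": decide(denylist, {"Third-party messengers"}, carol),
        "denylist unlisted carol": decide(denylist, {"Web browsers"}, carol),
        "allowlist unlisted carol": decide(allowlist, {"Web browsers"}, carol),
        "allowlist approved carol": decide(allowlist, {"Allowed programs"}, carol),
    }
```

The point the model makes visible is the last two rows of demo(): a file in a category that has no rule is allowed in denylist mode and blocked in allowlist mode, which is exactly the difference that makes allowlist the basis of Default Deny.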


2.3. Applications on the local network

Before you create categories, make sure that Kaspersky Security Center already has information
about the applications installed on the network and regularly receives this data.

Information about executable files is available in two sections:

Applications registry informs the administrator about software installed on client computers.
The administrator can see which programs are installed on which computers. For example, if an
old version of a web browser is detected in the network, the administrator can upgrade it on all
computers at once.

The list of programs installed on client computers is displayed in Operations | Third-party
Applications | Applications registry.

Network Agent gets this data from the registry branches used to create the list of Programs
and Features. Depending on whether the computer is running a 32-bit or 64-bit version of
Windows, the changes are monitored in the following branches:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

The Network Agent scans the registry branches at startup and tracks changes in real time.

Executable files provide the administrator with information about all executable files that
Kaspersky Endpoint Security has detected on any computers connected to this Administration
Server. This list can be huge.


The list of executable files is displayed in Operations | Third-Party Applications | Executable
files. Data about executable files is gathered by:

Application Control

The Inventory task of Kaspersky Endpoint Security
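To cross-check what Network Agent reports in the applications registry, an administrator can rebuild the Programs and Features list from the two Uninstall branches named above. The following is an added example, not Kaspersky code: reading the registry needs Windows (the winreg module), so that part is kept in its own function, while the visibility filter (an entry needs a DisplayName and is hidden when SystemComponent is 1; Windows applies a few further filters that are left out here) and the outdated-version check run anywhere on constructed input. Example Corp and its products are fictional.

```python
"""Rebuild the applications registry Network Agent gathers (section 2.3) from both
Uninstall branches. Added example, not Kaspersky code; the visibility rules in
to_apps() and the minimum-version check are this example's assumptions."""
from __future__ import annotations
from dataclasses import dataclass

UNINSTALL_BRANCHES = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",  # 32-bit apps on 64-bit Windows
)


@dataclass(frozen=True)
class InstalledApp:
    name: str
    version: str
    publisher: str
    bits: int        # 64 for the native branch, 32 for the Wow6432Node branch


def read_uninstall_branches():
    """Windows only: yields (branch, {value_name: data}) for every subkey of both branches."""
    import winreg  # deferred so the rest of the module imports on any OS
    for branch in UNINSTALL_BRANCHES:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, branch)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                sub = winreg.EnumKey(root, i)
                with winreg.OpenKey(root, sub) as key:
                    values = {}
                    for j in range(winreg.QueryInfoKey(key)[1]):
                        name, data, _type = winreg.EnumValue(key, j)
                        values[name] = data
                yield branch, values


def to_apps(raw_entries):
    """Keep the entries Programs and Features would list: a DisplayName is required and
    SystemComponent=1 hides the entry (assumption of this example; Windows applies a
    few more filters, such as ParentKeyName, that are omitted here)."""
    apps = []
    for branch, v in raw_entries:
        name = v.get("DisplayName")
        if not name or v.get("SystemComponent") == 1:
            continue
        apps.append(InstalledApp(name=name, version=str(v.get("DisplayVersion", "")),
                                 publisher=str(v.get("Publisher", "")),
                                 bits=32 if "Wow6432Node" in branch else 64))
    return sorted(set(apps), key=lambda a: (a.name.lower(), a.version, a.bits))


def _ver(s):
    return tuple(int(p) if p.isdigit() else 0 for p in s.split("."))


def outdated(apps, minimum):
    """minimum: {display name: lowest approved version}. Returns the apps below it,
    the case the guide mentions (an old browser build that must be upgraded everywhere)."""
    return [a for a in apps if a.name in minimum and _ver(a.version) < _ver(minimum[a.name])]


# Constructed sample, shaped like the values found under Uninstall subkeys.
SAMPLE_ENTRIES = [
    (UNINSTALL_BRANCHES[0], {"DisplayName": "Example Browser", "DisplayVersion": "118.0.2",
                             "Publisher": "Example Corp"}),
    (UNINSTALL_BRANCHES[1], {"DisplayName": "Example Editor", "DisplayVersion": "4.2.0",
                             "Publisher": "Example Corp"}),
    (UNINSTALL_BRANCHES[0], {"DisplayName": "Example Runtime", "SystemComponent": 1}),
    (UNINSTALL_BRANCHES[0], {"UninstallString": "msiexec /x {00000000-0000-0000-0000-000000000000}"}),
]


def demo():
    apps = to_apps(SAMPLE_ENTRIES)
    return apps, outdated(apps, {"Example Browser": "120.0.0"})


if __name__ == "__main__":
    # On a Windows host, swap SAMPLE_ENTRIES for read_uninstall_branches() to inventory the real machine.
    for app in demo()[0]:
        print(f"{app.name} {app.version} ({app.bits}-bit) by {app.publisher}")
```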


2.4. Start of executable files on the computers

Immediately after installation, the list of executable files is empty on the Administration Server.

To ensure that data on executable files is forwarded to the Server, the Application Control
component must be enabled.

Application Control is disabled by default, which means data about executable
files will not be transferred to the Administration Server when applications start
on endpoints.

However, there is an option for sending information about started applications; it is enabled by
default. You can find it in the Kaspersky Endpoint Security policy in Application Settings |
General Settings | Reports and Storage. This checkbox enables sending information about
running applications, as well as the results of the Inventory task.


2.5. Inventory task

This task gathers information about executable files from endpoints.

Although this is a Kaspersky Endpoint Security task, it is not created by default. This means that
the list of executable files will include only those files that have been started on computers where
the Application Control component is enabled. However, some files start very rarely. It may take
a very long time until all executable files are intercepted and reported to the Administration Server.
A faster way to detect files is to use an Inventory task.

The Inventory task may consume a substantial amount of resources, so we do not recommend
running the task on all computers connected to the Administration Server. Instead, you can run the
task on a few reference computers, especially if the workstations were deployed from the same
image.


The Filled automatically from the selected devices method for filling a
category depends on the data that the Inventory task sends to the
Administration Server.

We recommend that you create a task for specific computers. With the standard settings, the task
searches for executable files in the following directories:

%SystemRoot%

%ProgramFiles%

%ProgramFiles(x86)%

The list of scanned folders is configurable. Information about the discovered files is sent to the
Administration Server and is available in the Web Console on the Operations | Third-Party
Applications | Executable Files page.

Unlike the monitoring components, this task can detect executable files within archives and
installation packages. To do so, enable the corresponding options: Scan archives and Scan
distribution packages.

When the task searches for executable files, it calculates their checksums, which may slow down
computers. To reduce resource consumption, you can use the Scan only new and changed files
option. Information about changes is obtained using iSwift technology, which performs minimal
calculations.

Alternatively, you can schedule the task to run during non-working time, or use the option that
suspends scheduled scans while the computer is being used and resumes them when the
screensaver is on or the computer is locked.


2.6. Creating categories


After Kaspersky Security Center begins to receive information about executable files on network
computers, you can start creating categories.

An application category is a list of conditions and exclusions that identify a program or a group of
programs. The list is displayed in Operations | Third-Party Applications | Application
Categories and is empty by default. New categories are created using a special wizard. There are
three types of categories:

Filled manually — conditions are added and changed only manually. For example, all
programs whose names include “zombies”, or all programs signed with the specified certificate.

Filled automatically from a folder — the administrator selects a directory, which is scanned
for the following files: EXE, COM, DLL, SYS, BAT, PS1, CMD, JS, VBS, REG, MSI, MSC, CPL,
HTML, HTM, DRV, OCX, and SCR. The Administration Server will also check the contents of
this directory on a schedule, calculate checksums of executable files (SHA256), and update the
list of category criteria. A network folder where all prohibited or allowed programs are copied
may come in handy.

Filled automatically from the selected devices — the administrator selects one or more
managed computers, and the Administration Server automatically puts executable files found
on the computers into the category. Meaning, you can specify a reference computer where, for
example, all allowed programs are installed.

At the first step, the New Category Wizard prompts you for the category name and creation
method. If you are not satisfied with the resulting category contents and want to choose a different
method, you will have to re-create the category.

Manually
For a manually filled category, conditions for the programs are specified in the list; each condition
can contain several parameters. If a program matches at least one condition, it is included in the
category. Conditions can be set by various methods, but all of them can be boiled down to the
following general types:


KL category — Kaspersky experts form application categories according to a program’s
purpose. The catalog of categories helps understand what category an application or a file
belongs to. In most cases, Kaspersky Endpoint Security defines the category locally using the
signature database or requests it from Kaspersky Security Network.

Certificate — you can add certificates from the Administration Server storage to a category.
Files signed with these certificates will match the conditions of the category.

Application folder — all programs from the specified directory will be added to the category.

Removable drive — a special parameter that allows the administrator to create a separate
category for files started from a removable drive.

Hash, metadata, certificate — each application is characterized by one of three types of
conditions. The applications that populate this category based on these conditions can be
indicated in the following ways:

From the list of executable files in the Administration Server repository

From the applications registry on the Administration Server

By manually specifying the hash, certificate, and metadata

From the specified file, MSI package, or archive

Metadata means the file name, version, application name, and vendor. The
version does not have to be specified exactly. You can select all files older or
younger than the specified version.

Various file characteristics constitute a single condition, rather than several individual conditions.
When specifying metadata, you can allow only files signed with a valid certificate, or those for
which KSN returns the Trusted response.

We will separately examine each type of condition for filling categories. Some types of conditions
let you add a large group of applications to the category all at once. Other types of conditions are
more suited to working with individual applications, and each condition describes a particular
application.


Based on KL categories

In practice, it is often necessary to prohibit a whole class of programs: for example, all games,
or all browsers except one. In other words, a blocking rule needs to be applied to a group of files
that share a specific attribute, which is not easy to do file by file.

The solution is to use KL categories. These categories define a program class or type: email
programs, web browsers, development tools, electronic payment systems, etc. KL category
means that the programs are categorized by Kaspersky experts.

Information about program categories is included in downloadable databases. That is why the
Download updates to the repository task must run at least once before you can create
conditions based on KL categories.

Programs started on each computer are independently scanned for compliance with the conditions,
and if different database versions are used on different computers, the Application Control rules
may produce different effects. Also, if KSN Usage is enabled on a computer, it will try to receive the
latest data about KL categories in real time.

Kaspersky experts cannot process and categorize all executable files that exist in the world. All
uncategorized files are automatically put in the Other Software category.

Based on certificates


You can add certificates from the Administration Server storage to a category. Files signed with
these certificates will match the conditions of the category.

Although this is a relatively reliable method, the Server repository may not contain all the necessary
certificates. If a certificate is missing, manually import it into the repository before configuring
Application Control.

Based on a file path

This condition type considers only the file location.

Application folder — defines the local path to the file. The administrator can, for example, prohibit
starting executable files from the desktop or from the whole user’s home directory.

Alternatively, the administrator can permit starting executable files from system folders
(C:\Windows, C:\Program Files) and prohibit from all other computer locations.

This condition is recursive, meaning that it applies to files in subfolders of the specified folder.


You can use * and ? wildcards in file paths.

Based on location on removable drives

This is another condition type that considers only the file location.

Device type — only one value is allowed: Removable drive. Essentially, the purpose of this
condition type is to let the administrator prohibit running programs from removable drives using
Application Control rather than Device Control.

From the list of executable files

The administrator can create a condition based on the list of Executable files that have been
started on client computers or were detected by an Inventory task.

Information about started executable files will be transferred only after you
enable the Application Control component.

This list of files is displayed in Operations | Third-Party Applications | Executable files.


You can add an executable file to a category based on one of the following conditions:

Hashsum (SHA256)

Metadata

Certificate

From the applications registry

The Applications registry contains programs installed on computers and displayed in their list of
Programs and Features. Network Agents gather names and attributes of these programs and
transfer them to the Administration Server. The gathered information about installed programs does
not contain data about the program executable files, so you can only use metadata to create a
condition.

Metadata means the file name, version, application name, and vendor. The
version does not have to be specified exactly. You can select all files older or
younger than the specified version.

By manually specifying hash, metadata or certificate


With this option, you can use one of the following conditions, but you will have to specify the value
manually:

File hash

Metadata

Certificate

From a file or MSI package

When selecting a file on the drive, the administrator can specify a simple SHA-256 condition for it,
or a more flexible condition based on metadata or a certificate.

A hashsum unambiguously identifies a file. This condition should be used when an exact match is
important. For example, hashsums are used in the automatically filled categories described earlier,
because it is important to permit starting the exact file versions installed on the reference computer
or included in an approved distribution. Any changes made to the file by malware or malevolent
users will change the hashsum, preventing the file from starting.


Hashsums are also convenient if you need to prohibit files from starting even if they have been
renamed. Renaming does not affect the hashsum, so a blocking rule will still work.

That said, you may need to include several application versions in a category. In this case, you
should create a condition based on file attributes, such as file name, author, and version number.
The condition can be based on an exact version number, or all versions greater than or less than
the specified value, or all versions starting from the specified value, etc. This lets you block old
program versions or recent releases that have not been approved yet.

Metadata-based conditions implicitly rely on digital signatures. When Kaspersky
Endpoint Security checks file metadata to determine if the condition applies, it
ignores files without digital signatures (certificates). Unsigned files will never
match a metadata-based condition. This applies to many open-source and
freeware tools. You may create a condition based on the file name and then be
surprised that a file with a matching name is not treated as allowed. This
probably means that the file has no digital signature.

In general, you should use metadata-based conditions for commercial software that is likely to be
digitally signed by the vendor’s certificate. To control open-source and freeware programs, use
other condition types.

If you specify an MSI package or archive in a condition, the Administration Server will automatically
unpack it into a temporary folder and include data about all executable files within the MSI
package or archive in the category. Thus, if you specify an MSI distribution, the category will
include not only the installation file, but also the program files.

Exclusions

If you need to prohibit all programs that match the specified conditions except for one, add an
exclusion to the category. Exclusions can use the same types of conditions. The programs that
satisfy at least one of the specified conditions will be excluded from the category.
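The condition types described in this section (SHA-256 hash, certificate, folder path with * and ? wildcards, removable drive, metadata with version ranges) and the exclusion semantics just above can be modelled in a few dozen lines. The following is an added example with its own data model, not Kaspersky Endpoint Security code: it reproduces the rules this guide states, including that a metadata condition never matches an unsigned file, and the fictional Example Corp editor, its paths and its versions are constructed sample data.

```python
"""Category membership for Application Control (section 2.6): a category is a list of
conditions plus exclusions, and a file belongs to it when it matches at least one
condition and no exclusion. Added example with its own data model (not KES code); it
follows the guide's rules: SHA-256 exact match, recursive folder paths with * and ?,
a removable-drive flag, and metadata conditions that never match unsigned files."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ExeFile:
    path: str
    content: bytes
    on_removable: bool = False
    signer: str | None = None      # certificate subject; None = file is unsigned
    product: str = ""              # metadata: application name
    vendor: str = ""               # metadata: vendor
    version: str = ""              # metadata: file version

    @property
    def sha256(self):
        return hashlib.sha256(self.content).hexdigest()


def _ver(s):
    return tuple(int(p) if p.isdigit() else 0 for p in s.split("."))


def by_hash(digest):
    return lambda f: f.sha256 == digest.lower()


def by_certificate(subject):
    return lambda f: f.signer == subject


def by_folder(pattern):
    """Folder condition: * and ? match within one path component; the match is
    recursive, so everything beneath the folder is covered."""
    rx = "".join(r"[^\\]*" if c == "*" else r"[^\\]" if c == "?" else re.escape(c)
                 for c in pattern.rstrip("\\"))
    folder = re.compile(rx + r"\\.+$", re.IGNORECASE)
    return lambda f: folder.match(f.path) is not None


def by_removable_drive():
    return lambda f: f.on_removable


def by_metadata(product=None, vendor=None, min_version=None, max_version=None):
    """Metadata conditions implicitly rely on the digital signature: an unsigned
    file never matches, even if its name, vendor and version all fit."""
    def match(f):
        if f.signer is None:
            return False
        if product is not None and f.product != product:
            return False
        if vendor is not None and f.vendor != vendor:
            return False
        v = _ver(f.version)
        if min_version is not None and v < _ver(min_version):
            return False
        return max_version is None or v <= _ver(max_version)
    return match


@dataclass
class Category:
    name: str
    conditions: list
    exclusions: list = None

    def contains(self, f):
        if not any(cond(f) for cond in self.conditions):
            return False
        return not any(exc(f) for exc in (self.exclusions or []))


def categories_of(f, categories):
    return {c.name for c in categories if c.contains(f)}


def demo():
    """Constructed files and categories; Example Corp and its editor are fictional."""
    meta = dict(signer="Example Corp", product="Example Editor", vendor="Example Corp")
    old = ExeFile(r"C:\Program Files\Example\editor.exe", b"editor-4.2", version="4.2.0", **meta)
    new = ExeFile(r"C:\Program Files\Example\editor.exe", b"editor-5.1", version="5.1.0", **meta)
    usb = ExeFile(r"E:\editor.exe", b"editor-5.1", on_removable=True, version="5.1.0", **meta)
    unsigned = ExeFile(r"C:\Users\bob\Desktop\editor.exe", b"editor-4.2", version="4.2.0",
                       product="Example Editor", vendor="Example Corp")   # same metadata, no signer

    categories = [
        Category("Approved editor", [by_hash(new.sha256)], exclusions=[by_removable_drive()]),
        Category("Old editor builds", [by_metadata(product="Example Editor", max_version="4.9.99")]),
        Category("Desktop launches", [by_folder(r"C:\Users\*\Desktop")]),
        Category("Removable-drive programs", [by_removable_drive()]),
    ]
    return {name: categories_of(f, categories)
            for name, f in [("old", old), ("new", new), ("usb", usb), ("unsigned", unsigned)]}
```

Two rows of demo() carry the lessons of this section: the copy of the approved build on a USB stick has the right hash but drops out of "Approved editor" because of the removable-drive exclusion, and the unsigned copy on the desktop carries the same product name and version as the old build yet never enters "Old editor builds".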

Based on a folder


The next way to create a category is to base it on a folder, which lets you dynamically change the
contents of the category. The contents of such a category are updated when the source folder
contents change (executable files are deleted or added). Also, you can make a category update on
a schedule.

This method of creating a category is useful if the company has a repository of program
distributions to be installed on corporate computers. These programs must be allowed to start. The
administrator may occasionally add programs to the list or replace them with newer versions.

To avoid manually updating category rules for allowed distributions, place them into a folder and
make the Administration Server automatically monitor changes and add the parameters of detected
files to the dedicated category. Afterwards, the administrator will only have to create one allowing
rule for this category in the policy to allow all the used programs to start.

If the specified folder contains archives or MSI packages, the Administration
Server will automatically unpack them (into a temporary folder) and include in
the category any data about the executable files within the archive or package.

You can also select Include dynamic-link libraries (.DLL) in this category. If this checkbox is
selected, Kaspersky Security Center will calculate checksums of DLL files and add them to the
category along with executable files.

It makes sense to pay attention to DLL files, because Windows permits starting processes from
them through the rundll32.exe utility. In general, some processes started from library files may be
allowed, while others may need to be blocked.

In this regard, .dll files are similar to script files (*.js or *.vbs), which are not executable files
themselves but run under the cscript.exe (or wscript.exe) host, and can likewise be allowed or blocked.

To include scripts in a category, select the Include script data in this category option.


A folder-based category will include the found files; their SHA-256 checksums will serve as the
condition.

This method of creating a category does not let you add exclusions.
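The following script is an added illustration of what a folder-based category does, not Kaspersky code: it walks a repository of distributions, records the SHA-256 of each executable, looks inside archives for further executables (ZIP only here; the product also unpacks MSI packages), and pulls in DLLs and scripts only when the matching option is set. Which extensions count as executables or scripts beyond the .dll, .js and .vbs the page names, and the "path!member" naming for archive members, are this example's own assumptions. The sample repository it creates holds fake placeholder files, not real software.

```python
"""Folder-based category filling, as an illustrative model.

Walks a repository of distributions, records the SHA-256 of every
executable, looks inside ZIP archives for more executables, and includes
DLLs and scripts only when the matching option is set.
"""
import hashlib
import io
import os
import tempfile
import zipfile

# Which extensions count as what is an assumption of this example; the page
# only names rundll32-loaded DLLs and .js/.vbs scripts explicitly.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".msi"}
DLL_EXT = {".dll"}
SCRIPT_EXT = {".js", ".vbs", ".ps1", ".bat", ".cmd"}
ARCHIVE_EXT = {".zip"}  # the product also unpacks MSI packages; this model handles ZIP only


def _wanted(name, include_dll, include_scripts):
    """Does this file name qualify for the category under the chosen options?"""
    ext = os.path.splitext(name)[1].lower()
    return (ext in EXECUTABLE_EXT
            or (include_dll and ext in DLL_EXT)
            or (include_scripts and ext in SCRIPT_EXT))


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def hash_archive_members(data, include_dll, include_scripts):
    """Return {member name: sha256} for qualifying files inside a ZIP held in memory.

    Reading members in memory stands in for the temporary folder the
    Administration Server unpacks into.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and _wanted(info.filename, include_dll, include_scripts):
                found[info.filename] = _sha256(zf.read(info))
    return found


def build_category(root, include_dll=False, include_scripts=False):
    """Return {path: sha256}: the condition set of a folder-based category."""
    conditions = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if os.path.splitext(name)[1].lower() in ARCHIVE_EXT:
                members = hash_archive_members(data, include_dll, include_scripts)
                for member, digest in members.items():
                    conditions[path + "!" + member] = digest   # "!" separator is an assumption
            elif _wanted(name, include_dll, include_scripts):
                conditions[path] = _sha256(data)
    return conditions


def diff_category(old, new):
    """What a scheduled re-scan reports: (added hashes, removed hashes)."""
    old_hashes, new_hashes = set(old.values()), set(new.values())
    return sorted(new_hashes - old_hashes), sorted(old_hashes - new_hashes)


def make_sample_repository():
    """Create a constructed sample repository in a temp dir (fake files, not real software)."""
    root = os.path.join(tempfile.mkdtemp(), "distribs")
    os.makedirs(root)
    samples = {
        "tool.exe": b"MZ fake tool",
        "helper.dll": b"MZ fake library",
        "setup.vbs": b"WScript.Echo 1",
        "readme.txt": b"documentation, never part of the category",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner/app.exe", b"MZ fake inner tool")
        zf.writestr("inner/notes.txt", b"ignored")
    with open(os.path.join(root, "bundle.zip"), "wb") as fh:
        fh.write(buf.getvalue())
    return root


if __name__ == "__main__":
    repo = make_sample_repository()
    base = build_category(repo)
    full = build_category(repo, include_dll=True, include_scripts=True)
    for path, digest in sorted(full.items()):
        print(digest[:16], os.path.relpath(path, repo))
    print("added by the DLL/script options:", len(diff_category(base, full)[0]))
```

Running it on the sample repository yields two conditions with the default options (tool.exe and the app.exe inside bundle.zip) and four once DLLs and scripts are included; `diff_category` is the part a scheduled update would report when distributions are added or replaced.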

Based on computers

In addition to the repository of allowed program distributions, there may be a reference computer in
the organization where all the programs used in the company are installed. Such a reference
computer is usually necessary for creating images to be deployed on new workstations. Such a
deployment installs the operating system and all programs necessary for work on the computer,
and the whole process takes much less time than installing everything from distributions. The
administrator periodically upgrades programs on the reference computer and updates the image
accordingly.

With this approach, it makes sense to automatically allow all programs installed on the reference
computer. To do this, you need to scan the computer, add all programs to a category, and then
create an allowing rule for it in the policy. This is the purpose of a category that gets automatically
filled with files from selected computers.


Sometimes it is necessary to split the files found on the reference computer into a few categories.
For example, by separating Windows files from the files found among Program Files. In this case,
you can configure a filter based on the folder where a file is located. The category will include only
the files located in the specified folder of the reference computer.

Unlike folder-based categories, where the changes are monitored by the Administration Server
itself, with a computer-based category, the Administration Server relies on the detection of
executable files by Kaspersky Endpoint Security. This means that a reference computer must have
Kaspersky Endpoint Security installed and the Application Control component enabled; the
Inventory task must also be run on the reference computer.

The administrator can specify the scanning interval in the same way as for a folder-based category.

A computer-based category will include the found files; their SHA-256 checksums will serve as the
condition.

This method of creating a category does not let you add exclusions.

There is a list of executable files in the properties of each managed computer. These are the files
that will be added to the category based on the computer. The list of executable files is
supplemented by:

The Inventory task, which scans the client computers’ folders specified in its properties

Application Control which, when enabled, collects information about all executable files started
on client computers

Network Agent also gathers information from the Windows registry about software, but only about
installed applications.

The KL category is also indicated for each file.

KL category of an executable file

If the administrator wants to know which KL category includes a specific executable file, they can
find this information either in Kaspersky Endpoint Security interface on the client computer, or in the
Administration console. Local categories (which may vary slightly on different computers because
of different database versions) are available in the Application Activity Monitor window.

The list of executable files that we can see on the Kaspersky Security Center Administration Server
consists of all executable files detected by Kaspersky Endpoint Security on all computers
connected to this Administration Server, so this list can be very long.

Information about executable files can be used for troubleshooting as well as for planning the rules.
The administrator can view the attributes and KL category of each file.

There can be a lot of files on the list, and the search and filter options come in very handy. You can
search for a file using a part of its name, or apply a filter and search by the values of various file
attributes.

Other useful file information is also available: the computers on which it was first detected and
when, when it performed network activity for the first time, and whether it is signed with a
certificate.

The Advanced section displays checksum information and details of the certificate used to sign the
file.

How to add a program to a category

Suppose you notice something new when looking through the list of executable files detected on
computers connected to Kaspersky Security Center, and decide to add the program to a category.
You don’t need to memorize its name and go to program categories. You can simply select the
necessary executable file and perform the Assign to category command.

Then select whether to add the file to an existing category or a newly created one. Select whether
to add programs to a category or exclusion.

The program will be added based on the SHA-256 hash of its executable file or on the certificate used to sign it.

2.7. Using Application Control

Enabling Application Control

Notice that Application Control is disabled by default. That is why the information about
executable files is not sent by default. The first thing the administrator needs to do before
configuring rules or even before creating categories is to simply enable the component with the
default settings.

Application Control mode

By default, right after you enable Application Control, it will be in Test mode. We recommend that
you test rules first. Instead of blocking applications, the component will only send events to the
Administration Server: Application startup prohibited in test mode or Application startup
allowed in test mode. You can generate a report based on these events, analyze it, adjust the
rules if necessary, and then switch to block mode. Later, to test new rules without interrupting
the existing ones, the administrator can add a rule with the Test mode status. After you make sure
the new rules do not disrupt needed applications, enable them.

Each rule (regardless of the selected mode: allowlist or denylist) can use one of the following three
statuses:

Block means that the Application Control component uses the rule.

Rule is disabled means that the Application Control component does not use the rule.

Test mode means that Kaspersky Endpoint Security will always permit the start of the
programs to which this rule applies, but will send information about starting these programs to
the Administration Server.

The Control DLL and drivers checkbox extends Application Control to the loading of DLL libraries
and drivers, not only the start of executable files. This setting increases the load on the computer,
so we recommend using it only when necessary, for example, with a strict Default Deny approach.

Application Control rules

You can have as many rules as you want. Blocking rules always have a higher priority. The denylist
and allowlist have different sets of rules. For example, if you first select the Denylist tab, add a rule,
and then switch to the Allowlist tab, your rule will not be there.

Each rule has the following settings:

Category — an application category created on the Administration Server beforehand. A policy
may contain only one rule for each category.

Users or groups is a list of local users and groups who are either allowed or denied the right to
start applications in the selected category.

Trusted updaters — consider all programs of this category to be trusted updaters (we will
describe them later).

Blocking has a higher priority than allowing. For example, if a rule is configured to allow all users to
start a program but prohibit the user abc\Tom, this user will not be able to start the program
according to this rule.

In denylist mode, the list of rules is initially empty. In allowlist mode, it contains two system rules
that cannot be deleted:

Trusted updaters — if this rule is enabled, applications installed by trusted updaters will not be
blocked even if there are no allowing rules for them. It is a special KL category that includes
programs that download and install module updates, for example, Adobe Updater, Chrome
Component Updater, etc. The rule is enabled by default, meaning, trusted updaters are allowed.

Golden Image — contains the executable files necessary for the operating system, as well as
executable files supplied with the system (various standard utilities and applications); the
purpose is to prevent Kaspersky Endpoint Security from accidentally blocking files important for
the operating system.

The list lacks up and down buttons, because the order of the rules does not matter. When a
program starts on a computer, Kaspersky Endpoint Security analyzes all enabled rules together.
Different rules regulate the start of different application categories, but a program may belong to
several categories at once. If there is at least one rule according to which the program's start must
be prohibited, it will be prohibited regardless of what the other rules say.

If a program does not belong to any category, it will be allowed in denylist mode and blocked in
allowlist mode.
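The decision logic described in this section, as an added model in Python (this is example code, not Kaspersky's implementation): categories are sets of SHA-256 digests, each rule points at one category, all enabled rules are evaluated together, any prohibiting verdict wins, a program in no category is allowed in denylist mode and blocked in allowlist mode, and a rule in Test mode reports rather than enforces. The event names are the ones the component uses; how a Test-mode rule is folded into a hypothetical verdict, the component-wide test flag, and the user/group matching are this example's assumptions, and the digests and users in the sample data are placeholders.

```python
"""Application Control rule evaluation, as an illustrative model.

Categories are sets of SHA-256 digests, every rule points at one
category, and all enabled rules are evaluated together: any prohibiting
verdict wins, an uncategorized program is allowed in denylist mode and
blocked in allowlist mode, and a rule in Test mode reports instead of
enforcing.
"""
from dataclasses import dataclass

EVERYONE = "Everyone"
# Rule statuses use the page's names.
IN_USE, DISABLED, TEST = "Block", "Rule is disabled", "Test mode"


@dataclass(frozen=True)
class Rule:
    category: str
    status: str = IN_USE
    allowed: frozenset = frozenset()   # users/groups allowed to start the category
    denied: frozenset = frozenset()    # users/groups prohibited; a deny beats an allow


def _rule_verdict(rule, principals):
    """'prohibit', 'allow', or None when the rule says nothing about these principals."""
    if principals & rule.denied:
        return "prohibit"
    if principals & rule.allowed:
        return "allow"
    return None


def _combine(verdicts, mode):
    """Rule order does not matter: one prohibit beats any number of allows."""
    if "prohibit" in verdicts:
        return "prohibit"
    if "allow" in verdicts:
        return "allow"
    return "allow" if mode == "denylist" else "prohibit"   # no applicable rule


def decide(file_hash, user, categories, rules, mode, groups=(), component_test_mode=False):
    """Return (started, event name) for one start attempt.

    `categories` maps category name -> set of digests; a file may be in
    several categories, so several rules may apply. Test-mode rules are
    folded into a second, hypothetical verdict that only shapes the event
    (an assumption of this model).
    """
    principals = frozenset({user, EVERYONE, *groups})
    applicable = [r for r in rules
                  if r.status != DISABLED and file_hash in categories.get(r.category, ())]
    enforced = [v for v in (_rule_verdict(r, principals) for r in applicable
                            if r.status == IN_USE) if v]
    hypothetical = [v for v in (_rule_verdict(r, principals) for r in applicable) if v]
    real, what_if = _combine(enforced, mode), _combine(hypothetical, mode)
    if component_test_mode:
        # Component-wide Test mode: nothing is blocked, events say what would have happened.
        word = "prohibited" if what_if == "prohibit" else "allowed"
        return True, f"Application startup {word} in test mode"
    if real == "prohibit":
        return False, "Application startup prohibited"
    if what_if == "prohibit":
        # Only a Test-mode rule objected: the program starts, the event is reported.
        return True, "Application startup prohibited in test mode"
    return True, "Application startup allowed"


def prohibited_report(events):
    """Report on prohibited applications: application -> number of computers that blocked it."""
    hosts = {}
    for computer, application, event in events:
        if event == "Application startup prohibited":
            hosts.setdefault(application, set()).add(computer)
    return {app: len(pcs) for app, pcs in hosts.items()}


# Constructed sample data; the digests are placeholders, not real file hashes.
CATEGORIES = {
    "Golden Image": {"aa11"},
    "Office suite": {"bb22"},
    "Games": {"cc33", "bb22"},       # bb22 belongs to two categories at once
}
ALLOWLIST_RULES = [
    Rule("Golden Image", allowed=frozenset({EVERYONE})),
    Rule("Office suite", allowed=frozenset({EVERYONE}), denied=frozenset({"abc\\Tom"})),
]
DENYLIST_RULES = [
    Rule("Games", status=TEST, denied=frozenset({EVERYONE})),
]

if __name__ == "__main__":
    for digest, user in (("aa11", "abc\\Ann"), ("bb22", "abc\\Tom"), ("dd44", "abc\\Ann")):
        print("allowlist", digest, user, decide(digest, user, CATEGORIES, ALLOWLIST_RULES, "allowlist"))
    print("denylist cc33", decide("cc33", "abc\\Ann", CATEGORIES, DENYLIST_RULES, "denylist"))
```

With the sample data, abc\Tom is blocked from the office suite by the per-user deny even though Everyone is allowed, the uncategorized digest dd44 is blocked in allowlist mode and allowed in denylist mode, and the Test-mode Games rule lets cc33 start while reporting "Application startup prohibited in test mode". `prohibited_report` is the grouping behind the report on prohibited applications.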

2.8. How it works

Local notifications and user requests

When a program start is blocked on the client computer, Kaspersky Endpoint Security shows a
pop-up notification so that the user is not confused about the reason for the application behavior.

If the user needs this program for work, the pop-up notification permits sending the administrator a
request to allow the program to start. The user should click the Request access link in the
notification window and then click the Send button.

The text of the pop-up notification, as well as the request to allow a program to start, can be
modified in the Kaspersky Endpoint Security policy. You can use variables there to provide
information about a specific event, for example, the name of the blocked application, the computer
where the event was logged, etc.

Where do user requests go?

The standard User requests event selection contains the Application startup blockage
message to administrator events registered over the last 7 days.

The Application startup blockage message to administrator event is registered when a user
sends a request to allow a program to start. Such an event includes the request text along with the
information about the computer, username, and the program in question: complete information
necessary for the administrator to make a decision.

A user might need a program urgently. As a result, if the administrator rarely opens User requests,
it might be worthwhile to configure email notifications for the Application startup blockage
message to administrator event. This will let the administrator process the requests as soon as
possible.

Request events can be used to modify application categories. The event contains all relevant
information about the blocked file, including its SHA-256 hash. The administrator can use the
Assign to category command to immediately add the blocked file to an existing or a new
category, either as an inclusion condition or as an exclusion.

Application Control events

The following event types pertain to Application Control:

Application startup allowed

Application startup prohibited

Application startup allowed in test mode

Application startup prohibited in test mode

Application startup blockage message to administrator

By default, all events except for Application startup allowed are transferred to the Administration
Server. If Test mode is used for rules, it might be worthwhile to create a selection for the
Application startup prohibited in test mode event.

Report on prohibited applications

Based on the Application startup prohibited event, Kaspersky Security Center generates a
report on prohibited applications, which shows the distribution of the number of blocked starts on
client computers by application. Switch to the Details tab to view information about all computers
and programs detected by Application Control.

You can also generate a report on application starts blocked in test mode. It will contain only events
about blocked starts, regardless of whether Denylist or Allowlist mode is selected.

2.9. Default deny mode

Default Deny is a scenario in which Application Control prohibits devices from running any programs
except those specified in allowing rules configured in the Application Control allowlist.

The main difficulty when working in Default Deny mode (when the start of uncategorized programs
is prohibited by default) is that the operating system may stop working because system files that
are not explicitly allowed will be blocked along with other programs. That is why there is an allowing
rule for operating system files in the allowlist by default.

For example, you might have a policy for using programs on computers used as point-of-sale
(POS) terminals. Only special programs should be allowed to start on them, and all unknown
programs must be prohibited.

Various configurations of allowing rules are possible, but in any case, it will be necessary to create
one or more categories for system executable files and to configure allowing rules for them.
Categories can be created using one of the following methods:

Use a reference computer with the operating system and allowed programs installed for
creating an automatically filled category.

Use a directory with distributions of allowed programs for creating an automatically filled
category.

Use KL categories.

To keep allowed programs from being blocked after they are upgraded by their own update
mechanisms, use the standard Trusted updaters rule. This rule exists by default in the list and
cannot be deleted, but it is disabled by default. When enabled, programs downloaded and installed
by applications included in the Trusted updaters category will not be blocked even if no
corresponding allowing rules are configured.

The administrator can also manually select the Trusted updaters checkbox for a category in the
properties of an allowing rule.

For more details about configuring Kaspersky Endpoint Security to default deny, refer to the KL
032 course.

3. Device Control
In this section, we examine the Device Control component, which lets us regulate the connection of
different types of devices to users' computers.

3.1. Why Device Control is necessary and how it can help

The main purpose of the Device Control component is clear from its name. It lets the
administrator monitor various devices in the corporate network and, if necessary, prohibit using
some of them.

The Device Control component allows the administrator to enforce corporate security standards
by specifying which devices can be used on computers, by whom, and when. Rules may be
applied to removable drives, printers, CD/DVD, non-corporate network connections, Wi-Fi, etc.

The most popular use case for this component is blocking USB flash drives. A user may bring an
infected file from home. Additionally, whether accidentally or deliberately, a user may carry away
files that are of commercial value for the company.

Restrictions help prevent such problems.

Different settings are available for different device types. Maximum flexibility is provided for the
following types of storage devices:

Hard drives

Removable drives

Floppy disks

CD/DVD drives

You can specify which accounts are allowed / prohibited to access the devices. You can permit only
the copying of information from devices and prohibit writing. You can also configure a schedule to
allow access to devices only during business hours.

Other device types can only be allowed or blocked, without any flexible settings.

More globally, Device Control can block a connection bus completely, meaning that any devices
connected to a specific physical port of the computer will be inaccessible.

Keyboards and mice cannot be blocked, since they are not subject to Device
Control rules. To protect against attacks when an infected USB flash drive
pretends to be a keyboard, install and use the BadUSB Attack Prevention
component.

Device Control permits you to draw up a list of trusted devices that will always be accessible,
regardless of the rules. Plus, you can specify which users will be allowed to work with each specific
trusted device.

Also, the administrator will be able to grant temporary access to a prohibited device if a user needs
to work with it.

Device Control can also manage Wi-Fi access.

3.2. Configuring Device Control

Device Control is configured in the Kaspersky Endpoint Security policy. From the component
properties, you can open the rules for device types, connection bus settings, or the list of trusted
devices, or configure Anti-Bridging.

Connection buses

Kaspersky Endpoint Security permits blocking connected devices by interface type (bus):

USB

FireWire

Infrared port

Serial port

Parallel port

PCMCIA

The administrator can block, for example, all USB devices, and then configure rules to allow
devices of some type.
devices of some type.

Device types

Rules for device types have a higher priority than connection bus settings. If the USB bus is
prohibited but removable drives are allowed, USB flash drives will work.

By default, rules for devices work with the Depends on connection bus
action. In other words, if the bus is prohibited, the device will be prohibited. To
allow the connection of a device whose bus is prohibited, you can simply
change the rule’s action to Allow.

Kaspersky Endpoint Security permits blocking only those types of devices that are included in the
list. You cannot add new device types to this list.

For data storage devices, you can use rules to define flexible conditions for accessing the device.
For example, you can explicitly define the list of users, type of operation (read/write), and usage
time. You can do that for:

Hard drives

Removable drives

Floppy disks

CD/DVD drives

Portable devices (MTP)

All other external devices can only be allowed or blocked completely.

Mobile phones, tablets, media players, and other portable devices may be
treated either as portable devices (MTP) or as removable drives when
connected as external data carriers.

Access to Wi-Fi networks is a special case that we will describe later.

Rules for data storage devices

For data storage devices, you can create access rules and specify the following parameters in a
rule:

Users and/or user groups that are allowed to use the devices. You can select accounts from
the domain to which the computer where the Administration Console is started belongs, or
among local users if there is no domain. The rule will work on any computer where the policy is
enforced. The Everyone universal account is always available.

Access schedule and Operation type — when access is allowed and when it is prohibited.
You can manage Read and Write permissions independently. The schedule is specified by
hours and days of the week. For example, you can allow Read operations for removable drives
each workday from 8:00 AM to 9:00 PM for Everyone, but Write operations only for
Administrators and only during business hours.

If several rules match a user, the rule priority is taken into account. If rule priorities are equal, the
most restrictive rule will be applied.

You can combine the rules. For example, you can prohibit all removable drives, but make an
exclusion for administrators, allowing them to use USB flash drives during business hours.

The changed policy comes into operation as soon as it is enforced. For example, if removable data
carriers become blocked while a user is copying something to a connected USB flash drive, it will
become unavailable as soon as the policy is enforced and the next operation will be blocked.

If a device type is Allowed, the meaning is ‘always allow everyone to perform any operation.’
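The evaluation order this section describes, as an added model in Python (example code, not Kaspersky's implementation): a trusted device is always accessible to the users listed for it; a device type set to Allow means everyone, any operation, any time, and outranks a blocked bus; storage-device rules add user, operation and schedule conditions, the highest-priority matching rule wins and equal priorities resolve to the most restrictive rule; a type set to "Depends on connection bus" falls back to the bus setting. That lower numbers mean higher priority, that rules defined for a type with no match deny access, and the device IDs, users and times in the sample data are this example's assumptions.

```python
"""Device Control access decisions, as an illustrative model.

Evaluation order modelled from the page: a trusted device is always
accessible (to the users listed for it); a device type set to Allow means
everyone, any operation, any time, and outranks a blocked bus; storage
device rules add user, operation and schedule conditions, the highest
priority matching rule wins and equal priorities resolve to the most
restrictive rule; "Depends on connection bus" falls back to the bus.
"""
from dataclasses import dataclass, field
from datetime import datetime

EVERYONE = "Everyone"
ALLOW, BLOCK, DEPENDS = "Allow", "Block", "Depends on connection bus"
STORAGE_TYPES = {"Hard drives", "Removable drives", "Floppy disks",
                 "CD/DVD drives", "Portable devices (MTP)"}


@dataclass(frozen=True)
class Device:
    device_id: str
    device_type: str
    bus: str


@dataclass(frozen=True)
class StorageRule:
    device_type: str
    principals: frozenset                      # users/groups the rule applies to
    operations: frozenset                      # allowed subset of {"read", "write"}
    priority: int = 0                          # lower number = higher priority (assumption)
    weekdays: frozenset = frozenset(range(7))  # Monday = 0
    hours: tuple = (0, 24)                     # [start, end) in local hours


@dataclass
class Policy:
    buses: dict = field(default_factory=dict)         # bus -> ALLOW | BLOCK
    device_types: dict = field(default_factory=dict)  # type -> ALLOW | BLOCK | DEPENDS
    rules: list = field(default_factory=list)         # StorageRule objects
    trusted: dict = field(default_factory=dict)       # device_id -> principals allowed to use it


def _matches(rule, device, principals, when):
    return (rule.device_type == device.device_type
            and bool(rule.principals & principals)
            and when.weekday() in rule.weekdays
            and rule.hours[0] <= when.hour < rule.hours[1])


def access(policy, device, user, operation, when, groups=()):
    """True if `user` may perform `operation` ('read'/'write') on `device` at `when`."""
    principals = frozenset({user, EVERYONE, *groups})
    if policy.trusted.get(device.device_id, frozenset()) & principals:
        return True
    action = policy.device_types.get(device.device_type, DEPENDS)
    if action == ALLOW:
        return True
    if device.device_type in STORAGE_TYPES:
        typed_rules = [r for r in policy.rules if r.device_type == device.device_type]
        if typed_rules:
            matching = [r for r in typed_rules if _matches(r, device, principals, when)]
            if not matching:
                return False        # assumption: rules exist for the type but none matches
            best = min(r.priority for r in matching)
            # Equal priority: the most restrictive rule applies, so every top rule must allow.
            return all(operation in r.operations
                       for r in matching if r.priority == best)
    if action == BLOCK:
        return False
    return policy.buses.get(device.bus, ALLOW) == ALLOW


def sample_policy():
    """Constructed sample: USB bus blocked, removable drives for admins in business hours only."""
    admins = frozenset({"Administrators"})
    return Policy(
        buses={"USB": BLOCK},
        device_types={"Removable drives": DEPENDS, "CD/DVD drives": DEPENDS,
                      "Printers": DEPENDS, "Hard drives": ALLOW},
        rules=[
            StorageRule("Removable drives", frozenset({EVERYONE}), frozenset(), priority=1),
            StorageRule("Removable drives", admins, frozenset({"read", "write"}), priority=0,
                        weekdays=frozenset(range(5)), hours=(9, 18)),
            # Two rules of equal priority for CD/DVD: abc\Tom ends up read-only.
            StorageRule("CD/DVD drives", frozenset({EVERYONE}), frozenset({"read", "write"})),
            StorageRule("CD/DVD drives", frozenset({"abc\\Tom"}), frozenset({"read"})),
        ],
        trusted={"USB\\VID_1234&PID_5678\\SN0001": frozenset({EVERYONE})},
    )


# Constructed sample devices and times (IDs are placeholders).
USB_STICK = Device("USB\\VID_AAAA&PID_0001\\SN42", "Removable drives", "USB")
TRUSTED_STICK = Device("USB\\VID_1234&PID_5678\\SN0001", "Removable drives", "USB")
USB_PRINTER = Device("USB\\VID_BBBB&PID_0002\\PRN", "Printers", "USB")
DVD = Device("IDE\\DVDROM", "CD/DVD drives", "IDE")
TUESDAY_10 = datetime(2025, 2, 11, 10, 0)
SATURDAY_10 = datetime(2025, 2, 15, 10, 0)

if __name__ == "__main__":
    pol = sample_policy()
    print("Ann, stick, Tue:", access(pol, USB_STICK, "abc\\Ann", "read", TUESDAY_10))
    print("admin, stick, Tue:", access(pol, USB_STICK, "abc\\Ann", "write", TUESDAY_10, ("Administrators",)))
    print("admin, stick, Sat:", access(pol, USB_STICK, "abc\\Ann", "write", SATURDAY_10, ("Administrators",)))
```

With the sample policy, an ordinary user never gets the USB stick, an administrator gets it on a Tuesday morning but not on Saturday, the trusted stick works for everyone regardless of the blocked USB bus, the USB printer is blocked because its type merely depends on the bus, and the two equal-priority CD/DVD rules leave abc\Tom read-only.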

3.3. Removable drive access log

If removable drives are allowed but not welcome at the company, you can configure logging events
each time they are accessed. Then for each of the selected operations, a corresponding event will
be sent to the Administration Server, File operation performed. This event will indicate who tried
to access which specific file. Write and delete operations are logged.

By default, attempts to access removable drives are not logged. If you enable this logging, you can
select which operations should be logged, for which file formats, and for which user accounts.

The following file formats are available:

Text files

Video files

Audio files

Graphic files

Executable files

Office files

Databases

Archives

File operation performed events are not generated by default. You can enable
them in the Kaspersky Endpoint Security policy, in General Settings |
Interface | Notification Settings.

Access to Wi-Fi networks

Device Control permits you to regulate access to Wi-Fi networks. Three actions can be taken when
a device connects to a network:

Allow

Block

Block with exceptions — this option contains additional settings that let you create a list of
trusted Wi-Fi networks based on:

Network name

Authentication type

Encryption type

A network is considered trusted only if all the specified parameters match. If the network
name is not specified, it may vary.

Connecting corporate laptops to public Wi-Fi networks is not always desired. You can use Device
Control to disable Wi-Fi. However, for laptops, which users may take home, this is not the best
solution. It makes more sense to use the Block with exceptions option and specify the trusted
networks, i.e. the corporate and home networks.

Anti-Bridging

Device Control includes the Anti-Bridging component, which lets the administrator prohibit users
from using two network adapters simultaneously, to prevent unauthorized bridges into the internal
network that bypass perimeter protection.

For example, suppose a user’s computer is connected to the corporate network. The user has
connected a Wi-Fi adapter to the computer and configured it to act as a wireless access point. This
access point may be used by people it was not created for: criminals who may exploit
vulnerabilities in the adapter, brute-force the username and password, or employ other methods to
bypass protection. As a result, the user’s computer will be compromised, and the criminals will have
a stepping stone from which to develop the attack further. In this case, Anti-Bridging is the part of
protection that stops criminals from gaining access to the internal network: as soon as the user
turns on the Wi-Fi adapter, Anti-Bridging automatically disrupts all other network connections,
including access to the local network, so that only the Wi-Fi network stays active.

In such cases, there are two networks, local and Wi-Fi, on a user’s computer that is connected to
the organization’s network. To eliminate simultaneous operation of the two networks and give
preference, for example, to the wired connection, the administrator needs to turn On all types of
devices in the Anti-Bridging settings and give maximum priority to the network adapter. In this
case, the user will not be able to turn on a Wi-Fi network on a computer unless the wired network
is disabled.

Anti-Bridging is installed only on workstations. This component is absent in the Kaspersky
Endpoint Security interface on server operating systems.

The Anti-Bridging component is disabled by default. To enable it, in the Device Control
properties, click the corresponding link and Enable Anti-Bridging in the window that opens. After
Anti-Bridging is enabled, Kaspersky Endpoint Security will block already established connections
according to the connection rules. The higher the rule on the list, the higher its priority. Anti-
Bridging can block all connections except the one that has maximum priority. To do this, in the
Anti-Bridging window, turn On all adapter types and arrange them in the order of priority. The
default order is as follows:

1. Network adapter

2. Wi-Fi

3. Modem

If several wired connections are set up, only one of them will be allowed
(arbitrarily selected). If the Wi-Fi adapter is not connected to a network, it will
not be blocked until the user tries to connect.

3.4. How it works

Local notifications and user requests

When the user attempts to connect a prohibited device, a pop-up notification is displayed.

If notifications are disabled, the user might think that there is a hardware problem, contact technical
support, or try to ‘fix’ it without assistance, potentially aggravating the situation. The administrator
can modify the notification text, for example, adding the contact information of the specialist or
department responsible for endpoint protection.

Notification templates are available in the Kaspersky Endpoint Security policy, in the Device Control
settings.

If pop-up notifications about blocking are enabled, they will contain a Request access link, which
can be neither disabled nor hidden.

Where do user requests go?

If the user sends a request, it will be sent to the Administration Server as an event with the
Warning severity level. Similar to the other control components, requests are displayed in a special
selection named User requests. The administrator does not have to react to a request. However, if
they want to, they can, for example, configure corresponding email notifications in the Kaspersky
Endpoint Security policy.

Temporary access to blocked devices


Kaspersky Endpoint Security lets users request temporary access to blocked devices. The
procedure is as follows:

1. The user generates a file with a request key in the local interface of Kaspersky Endpoint
Security.

2. The user sends the request access file to the administrator (for example, by email).

3. The administrator reviews the request and, if the answer is affirmative, creates a special
access key file.

4. The administrator sends this file to the user.

5. The user activates the received access key file.

After this, the selected device (and only that device) becomes accessible for the time span
specified by the administrator. The user cannot pause temporary access to use it later; and the
administrator cannot remotely revoke temporary access.

It goes without saying that many users may believe that their devices are blocked by mistake, and
will ask the administrator for temporary access. To avoid numerous requests, you can disable this
ability: in the Kaspersky Endpoint Security policy, on the Device Control tab, clear the Allow
request for temporary access checkbox.

You can request temporary access directly from the blocked access pop-up message, or from the
local interface of Kaspersky Endpoint Security using the Request access to device button in the
properties of the Device Control component.

The window that opens by default lists the currently connected devices, including blocked ones (to
display all devices that ever connected to the computer, apply the For the entire runtime filter).
Select the device to which you want to receive temporary access and click the Generate request
access file button. Specify how long you will need to access the device (by default, 24 hours), click
the Save button, and send the *.akey file to the administrator.

If the administrator prohibits requesting temporary access, the Request access button appears
dimmed.

Temporary access is granted to a specific user for the specified device on the specified computer.
That is why the access key file is generated using the client computer’s shortcut menu, not in the
policy or group properties.

Find the necessary client computer and, on its shortcut menu, select Grant access in offline
mode.

In the window that opens, switch to the Device Control tab and click the Browse button to select
the .akey file received from the user.

The Administration Server checks the integrity of the file and that it was generated for the
selected computer, and then displays the request. If necessary, the administrator can change the
access duration and the activation window. Neither period can be shorter than one hour or longer
than 999 hours; the default for both is 24 hours.

Then save the generated access key to an *.acode file, and send it to the user.

Thus, the key is generated for a specific device and the computer from which the user generated
the request access file. Other devices will still be blocked, and the device for which the access was
granted will be blocked on other computers.

The key is also bound to the username. Another user will not be able to access the same device on
the same computer using this access key. If temporary access is activated by the user who
requested it and another user logs on to the computer during the allowed period, they will not be
able to use the device.

In the same window where the request key was generated, the user clicks the Activate access
key button and specifies the received .acode file. The device can be used immediately. Neither
restart nor synchronization with the Administration Server is necessary.

The key must be activated before the specified activation window expires, and the access duration
countdown starts at the moment of activation. The device may be connected at any time (or even
several times) during this period, or not connected at all. The access countdown cannot be paused.
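To make the bindings and time limits concrete, here is an added example, not part of the course materials or of the product, that models the checks described above: on the administrator's side, that the request is for the selected computer and that both periods lie within 1 to 999 hours; on the client's side, the activation window, the binding to user, computer and device, and the countdown that starts at activation and cannot be paused. The two dataclasses stand in for the .akey and .acode files (their real format, integrity check and activation mechanism are not shown on this page, and rejecting out-of-range periods with an error is an assumption). The timestamps, user names, computer names and the second device ID are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_HOURS, MAX_HOURS = 1, 999          # limits stated in the text


@dataclass(frozen=True)
class AccessRequest:
    """Stands in for the *.akey file the user generates (real format not shown here)."""
    user: str
    computer: str
    device_id: str
    requested_hours: int = 24


@dataclass(frozen=True)
class AccessKey:
    """Stands in for the *.acode file the administrator returns."""
    user: str
    computer: str
    device_id: str
    issued_at: datetime
    activation_hours: int              # window in which the key may be activated
    access_hours: int                  # duration, counted from the moment of activation


def grant(request, selected_computer, now, access_hours=None, activation_hours=24):
    """Administrator side: the request must belong to the selected computer and both
    periods must be within 1..999 hours (raising on out-of-range values is an assumption)."""
    if request.computer != selected_computer:
        raise ValueError("request file was not generated on the selected computer")
    access_hours = request.requested_hours if access_hours is None else access_hours
    for hours in (access_hours, activation_hours):
        if not MIN_HOURS <= hours <= MAX_HOURS:
            raise ValueError(f"period must be between {MIN_HOURS} and {MAX_HOURS} hours")
    return AccessKey(request.user, request.computer, request.device_id,
                     now, activation_hours, access_hours)


class TemporaryAccess:
    """Client side: activation and the non-pausable countdown. There is no revoke
    method because the text states the administrator cannot revoke access remotely."""

    def __init__(self):
        self.key = None
        self.expires_at = None

    def activate(self, key, user, computer, now):
        if now > key.issued_at + timedelta(hours=key.activation_hours):
            raise ValueError("activation window has expired")
        if (user, computer) != (key.user, key.computer):
            raise ValueError("key is bound to a different user or computer")
        self.key = key
        self.expires_at = now + timedelta(hours=key.access_hours)   # countdown starts now

    def allows(self, user, computer, device_id, now):
        """True while the period runs, for the bound user, computer and device only.
        Whether the device is currently plugged in does not matter."""
        if self.key is None or now >= self.expires_at:
            return False
        return (user, computer, device_id) == (self.key.user, self.key.computer, self.key.device_id)


def _raises(fn):
    try:
        fn()
    except ValueError:
        return True
    return False


def scenario():
    """Walk through the cases described in the text on constructed data."""
    t0 = datetime(2025, 2, 14, 9, 0)                       # constructed timestamp
    device = r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0"
    req = AccessRequest("alice", "WS-042", device, requested_hours=8)
    out = {}
    out["wrong_computer"] = _raises(lambda: grant(req, "WS-043", t0))
    out["too_long"] = _raises(lambda: grant(req, "WS-042", t0, access_hours=1000))
    key = grant(req, "WS-042", t0)
    out["other_user_activates"] = not _raises(lambda: TemporaryAccess().activate(key, "bob", "WS-042", t0))
    out["late_activation"] = _raises(
        lambda: TemporaryAccess().activate(key, "alice", "WS-042", t0 + timedelta(hours=25)))
    ta = TemporaryAccess()
    ta.activate(key, "alice", "WS-042", t0 + timedelta(hours=2))   # 8-hour countdown starts here
    at = t0 + timedelta(hours=5)
    out["bound_user_device"] = ta.allows("alice", "WS-042", device, at)
    out["other_device"] = ta.allows("alice", "WS-042", device.replace("1160", "2233"), at)
    out["other_user_same_period"] = ta.allows("bob", "WS-042", device, at)
    out["after_expiry"] = ta.allows("alice", "WS-042", device, t0 + timedelta(hours=10, minutes=1))
    return out


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:24} {result}")
```

The countdown in `activate` starts at the activation time rather than at issue time, which is why activating two hours after the key was issued still yields the full eight hours of access, and why a key activated after its window is refused even though it was never used.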

Kaspersky Endpoint Security has an event named Temporary access to device activated with
the Warning severity level. However, this event is not forwarded to the Administration Server by
default. You can enable forwarding of this type of event in the Kaspersky Endpoint Security policy
under Events.

Trusted devices

If the company has removable drives that must be allowed always and everywhere, it might be
worthwhile to make them trusted.

Trusted devices are specified in the Kaspersky Endpoint Security policy, in Device Control |
Trusted devices.

To make information about a device accessible in a policy, first connect the device to a computer
where Kaspersky Endpoint Security is installed with the Device Control component enabled; then
wait for the connection event to reach the Administration Server.

A trusted device can be specified by:

Device ID

Device model

Mask of device ID

Mask of device model

The first two options let you select the device that you want to make trusted. Its ID or model will be
added to the list. The Administration Server must have the device in its database. If the
Administration Server is unaware of this particular device, you can’t make it trusted.

You can also specify the ID or model of a device using a mask with the '*' or '?' wildcards. In this
case, the device does not need to be known to the Administration Server, as long as the
administrator knows its ID or model. You can find the Device ID in the Windows Device Manager in
the device properties. It will look something like this:

'USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0'

When adding a mask, you can replace a part of the ID with '*' or '?' to make it applicable to multiple
devices. This helps when a company has a lot of devices with similar IDs that should be trusted.
Adding a device by model can also help in this case if all devices are from the same vendor and of
the same type.
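To see which IDs a mask would make trusted before committing it to the policy, here is an added example, not part of the course materials or of the product, that applies the '*' and '?' semantics described above to a constructed inventory of device IDs. Apart from the ID quoted above, the sample IDs are made up, and case-insensitive comparison is an assumption (Windows device IDs are case-insensitive, but the product's own comparison rule is not stated on this page).

```python
import re

# Constructed sample inventory in the form shown by Windows Device Manager. The
# first entry is the ID quoted in the text; the rest are made up for illustration.
INVENTORY = [
    r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17001160&0",
    r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\574B17002233&0",
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0019E06B1234&0",
    r"USBSTOR\CDROM&VEN_GENERIC&PROD_DVD-ROM&REV_1.00\ABCDEF0001&0",
]


def mask_to_regex(mask: str) -> re.Pattern:
    """Translate a Device Control-style mask into an anchored regular expression.

    '*' matches any run of characters (including none) and '?' matches exactly one
    character; everything else is literal. Device IDs contain '\\', '&' and '.',
    so every other character is escaped. Case-insensitive matching is an assumption.
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(mask: str, device_id: str) -> bool:
    """True if the device ID would be covered by the mask."""
    return mask_to_regex(mask).match(device_id) is not None


def devices_matching(mask: str, inventory=INVENTORY) -> list:
    """Return every inventory ID the mask would make trusted, in inventory order."""
    return [d for d in inventory if matches(mask, d)]


if __name__ == "__main__":
    for m in (r"USBSTOR\DISK&VEN_&PROD_USB_FLASH_DRIVE&REV_1.01\*",   # one model, any serial
              r"USBSTOR\DISK&*",                                        # every USB disk
              r"*\574B170011??&0"):                                     # a serial range
        print(m)
        for d in devices_matching(m):
            print("   ", d)
```

The second mask shows why a broad mask deserves a second look: it trusts every USB disk in the inventory, regardless of vendor, which is usually not what "trusted devices" is meant to express.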

A device is added in two steps:

First, select the device. To conveniently search for a device, you can use the search field, or
filter devices by type and view the filter results on the fly.

Then specify which user accounts are allowed to work with this device.

There is also a Comment field that you can fill in, for example, to describe why this device (or a
group of devices) needs to be trusted.

Export and import of the list of trusted devices

You can also export/import the list of trusted devices in XML format. This capability may come in
handy, for example, when you need to edit the name of a trusted device displayed in the Kaspersky
Security Center interface, add many similar devices, save a backup copy of the list of trusted
devices, or move the list to another Administration Server.

Device Control events


Device Control has several types of events:

Network connection blocked (Critical) — this is an Anti-Bridging event.

Operation with the device prohibited (Critical).

Device connection blocked (Warning).

Temporary access to the device activated (Warning) — this is not sent to the Server by default.

Device access blockage message to administrator (Warning).

Device is disconnected (Info).

Device is connected (Info).

Operation with the device allowed (Info) — this is disabled by default, which means that it is not
generated even locally.

File operation performed (Info) — this is disabled by default, which means that it is not
generated even locally.

Every time a user attempts to connect a blocked device, an event is sent to the Administration
Server. It contains the time, computer name, bus or device type, the device ID, operation, and
account.

The event is named Operation with the device prohibited. It is Critical and is displayed in the
Critical events selection. If necessary, the administrator can make a separate selection for
blocked device access attempts.

Once it is enabled in the policy, an Operation with the device allowed event, which has the Info
severity, is sent whenever a non-prohibited device is connected. The number of such events shows
how often USB flash drives, local printers, scanners, removable drives, etc. are used.

All events, including user requests, are stored on the server for 30 days by default.

Device Control reports

The Report on Device Control events provides a general view of Device Control operation. It
displays a chart with the distribution of its responses by usernames. By default, the report includes
all actions—device connection, disconnection, and blocking. To generate a report about device
blocking only, leave only the Device connection blocked checkbox selected in the Settings
section of the report properties.

If necessary, you can configure a daily email report about who tried to connect, for example,
USB flash drives, and when. This is accomplished using the Deliver reports task, which is
described in Unit IV. Management.

4. Web Control
In this section, we examine the Web Control component, which lets us regulate user access to
resources on the internet.

4.1. Why Web Control is necessary and how it works

The purpose of Web Control is to filter internet access according to the internal policy of the
company. It is typically used to block social networks, music, video, non-corporate web email, etc.
during business hours. If a user tries to open such a site, either a notification that the access is
blocked or a warning about an undesired site can be displayed, depending on the settings in the
policy.

Web Control operates similarly to the other control components: the administrator creates a set of
blocking and allowing rules. The rule properties include addresses or content type, user accounts,
a schedule, and the action.

HTTP and HTTPS traffic is scanned.

4.2. Configure Web Control

Web Control is configured in the Kaspersky Endpoint Security policy. Order matters: the first
matching rule is applied. There are two default rules, which are applied depending on the selected
operation mode:

Allow all except the rules list — Denylist mode.

Deny everything except the rules list — Allowlist mode.

By default, the Allow all universal rule is used and nothing is blocked.

Web Control rules

Each rule has a name and the following attributes:

Rule status:

Active

Inactive

For example, a rule can be created for testing purposes. If the rule is not currently being
used, you can disable it instead of deleting it.
Action:

Allow

Block

Warn

Filter type:

By content categories

By types of data

Optional parameter. You can also use predefined categories created by Kaspersky experts.

List of addresses:

Apply to all addresses

Apply to individual addresses and/or groups

Users:

Apply to all users

Apply to individual users and/or groups

You can flexibly configure various rules for different users. For example, HR can visit
LinkedIn, but all other employees cannot.

Schedule: you can specify the time period when the rule is applied, for example, working hours
only.

Categories and data types

Access can be denied or allowed by site address. The administrator can explicitly specify the URLs
to be blocked or use the * wildcard to block sites by address masks, for example, *.fm or *shop*.

Rules for creating masks are described in the official documentation
(https://support.kaspersky.com/KESWin/12.5/en-US/128056.htm).

Categories and data types are auxiliary parameters. Kaspersky Endpoint Security can
independently analyze the contents of web pages and classify the objects it finds into the
following data types:

Video

Audio

Office files

Executable files

Archives

Graphic files

Scripts

For details about web site categories, refer to the product documentation
(https://support.kaspersky.com/Legal/WebCategories/en-us/206917.htm).

The administrator can restrict access to any category or data type but cannot edit or add lists of
categories or data types; this is performed on the Kaspersky side.

Filtering by category and type can be combined within a rule: for example, you can block office files
and archives received by web mail.

Sites are categorized using a database of known addresses as well as heuristic analysis of page
content. Page reputation can also be requested from Kaspersky Security Network.

Data types are hardcoded in Kaspersky Endpoint Security and include the following file types:

Category          Category contents

Executable files  Win32 PE—exe, dll, ocx, scr, drv, vdx and other extensions of Win32 PE files
                  Microsoft Installer Archive—msi

Video             Adobe Flash Video—flv, f4v
                  Audio/Video Interleave—avi
                  MPEG4 ISO format—3gp, 3g2, 3gp2, 3p2
                  MPEG4—divx, mp4, m4a
                  Matroska—mkv
                  Apple Quicktime—mov, qt
                  Microsoft Container—asf, wma, wmv
                  RealMedia CB/VB—rm, rmvb
                  MPEG2 (DVD) format—vob
                  VCD (MPEG 1)—dat, mpg
                  Bink Video—bik

Sound             MPEG-1 Layer 3—mp3
                  Lossless Audio—flac, ape
                  OGG Vorbis Audio—ogg
                  Advanced Audio Coding—aac
                  Windows Media Audio—wma
                  AC3 multichannel audio—ac3
                  Microsoft Wave—wav
                  Matroska Audio—mka
                  RealAudio—rm, ra, ravb
                  MIDI—mid, midi
                  CD digital Audio—cdr, cda

Office files      Open XML documents—docx, xlsx, pptx, dotx, potx and others
                  Office 2007 macro enabled docs—docm, xlsm, pptm, dotm
                  MS Office documents—doc, xls, ppt, dot, pot
                  Adobe Acrobat—pdf

Archives          ZIP archive—zip, g-zip
                  7-zip archive—7z, 7-z
                  RAR archive—rar
                  ISO-9660 CD Disk—iso
                  Windows Cabinet—cab
                  Java (ZIP) archive—jar
                  BZIP2 archive—bzip2, bz

Graphic files     JPEG/JFIF—jpg, jpe, jpeg, jff
                  GIF—gif
                  Portable Graphics—png
                  Windows Bitmap (DIB)—bmp
                  Targa Image File Format—tif, tiff
                  Windows Meta-File—emf, wmf
                  Post-Script Format—eps
                  Adobe Photoshop—psd
                  Corel Draw—cdr

Some specifics of Kaspersky Endpoint Security types and categories are worth noting:

The type is defined by the file format rather than extension.

Data types inside archives are not checked — if Executable files are prohibited but archives
are not, archived executable files will be allowed.

PDF documents are included in the Office files category. Therefore, if this category is blocked,
some sites that use PDFs may display incorrectly.

Flash videos in SWF format can be blocked only by an extension mask, usually *.swf.
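Two of the points above, that the type is decided by the file's format rather than its extension and that members of an archive are not inspected, can be seen with a small content-based classifier. This is an added example, not course material or product code: the signatures are standard magic numbers, the mapping to data types follows the table above (PDF under Office files, ZIP containers split into Open XML documents and plain archives), and the sample objects are constructed inside the block. How Kaspersky Endpoint Security actually recognizes formats is not described on this page.

```python
import io
import zipfile

# Standard magic numbers mapped to the data types in the table. The mapping follows
# the table; the product's own detection internals are not described in the text.
SIGNATURES = [
    (b"MZ", "Executable files"),                             # Win32 PE (exe, dll, scr, ...)
    (b"%PDF", "Office files"),                               # the table places PDF under Office files
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Office files"),   # legacy doc/xls/ppt (OLE2 container)
    (b"Rar!\x1a\x07", "Archives"),
    (b"7z\xbc\xaf\x27\x1c", "Archives"),
    (b"\xff\xd8\xff", "Graphic files"),                      # JPEG
    (b"\x89PNG\r\n\x1a\n", "Graphic files"),
    (b"GIF87a", "Graphic files"),
    (b"GIF89a", "Graphic files"),
    (b"\x1a\x45\xdf\xa3", "Video"),                          # Matroska (EBML header)
    (b"ID3", "Audio"),                                       # MP3 with an ID3 tag
    (b"fLaC", "Audio"),
    (b"OggS", "Audio"),
]


def classify(data: bytes) -> str:
    """Classify a web object by its content, ignoring whatever extension it carries."""
    if data[:2] == b"PK":
        # ZIP container: Open XML office documents are ZIPs that carry
        # [Content_Types].xml; anything else counts as an archive, and the
        # archive's members are deliberately not inspected (see the caveat above).
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "Office files"
        except zipfile.BadZipFile:
            pass
        return "Archives"
    for magic, dtype in SIGNATURES:
        if data.startswith(magic):
            return dtype
    return "Unknown"


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (used for constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a PE stub renamed to .jpg, an Open XML document, an archive
# wrapping the same PE stub, and a PNG header. None of these are real files.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLES = {
    "holiday.jpg": FAKE_PE,                                  # the extension lies: it is a PE
    "report.docx": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<w:document/>"}),
    "tools.zip": make_zip({"installer.exe": FAKE_PE}),      # executable hidden in an archive
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}


def classify_samples(samples=SAMPLES) -> dict:
    """Classify every sample; the result is keyed by the (misleading) file name."""
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, dtype in classify_samples().items():
        print(f"{name:14} -> {dtype}")
```

The `tools.zip` case is the one to remember when writing rules: a rule that blocks Executable files but not Archives lets the same PE through once it is wrapped in a ZIP, which is exactly the caveat the list above makes.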

Exclusions

Sometimes a site can be blocked by mistake. For example, a corporate portal may be recognized
as a social network, or online training can be blocked because of video files. In this case, you need
to create an allowing rule in Web Control. You can configure an allowing rule giving access to some
categories or data types located on the specified resources.

To have such a rule applied before the blocking rules, place it higher on the list.

For example, the corporate policy can prohibit internet use during business hours and allow only
the corporate site, with an exclusion for the IT department. In this case, the administrator
creates a general rule: during business hours, deny everybody everything. Two allowing rules are
then added above it: one allowing any content to IT department employees, and the other allowing
everybody access to the corporate site.

Rule diagnostics

When there are many rules, it can be difficult to tell which of them were applied and why. For this
reason, Kaspersky Endpoint Security has an offline rule diagnostics tool for Web Control.

Rule diagnostics is available in the local interface of Kaspersky Endpoint Security: open the Web
Control and click Rules diagnostics. It opens a window where you can specify the conditions of a
test request:

Type the site address (the * wildcard is allowed)

Specify an account

Select categories and data types

Specify the day and time

Then click Scan and you will see if Web Control blocks this address. The list of rules applicable to
the test request will also be displayed in the order of application.

For example, the administrator can check whether access to an employee’s personal home mail
server is blocked by the rule that blocks web mail. Or if users complain that they cannot access an
allowed site, you can find out which rule is working incorrectly.
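The three behaviours described in this section, first matching rule wins with a default rule as fallback, allowing rules placed above a general blocking rule as exclusions, and rule diagnostics listing the rules that apply to a test request in order, can be exercised together on a small model. This is an added example, not the course's or the product's code: the rule attributes are reduced to those listed above, address masks use a simplified '*'-only semantics matched against the host name or the URL without its scheme (the product's real mask rules are in the documentation linked earlier), and the host names, group names and timestamps are assumptions. The policy reproduces the business-hours example above and adds a data-type rule for web mail at the top.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class Rule:
    """One Web Control rule, reduced to the attributes listed in the text."""
    name: str
    action: str                        # "Allow", "Block" or "Warn"
    addresses: tuple = ("*",)          # address masks; ("*",) = all addresses
    users: tuple = ("*",)              # accounts or groups; ("*",) = all users
    data_types: tuple = ()             # empty = any data type
    weekdays: tuple = tuple(range(7))  # 0 = Monday ... 6 = Sunday
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    active: bool = True

    def matches(self, url, user, groups, data_type, when):
        if not self.active:
            return False
        # Simplified mask semantics (an assumption for this example): '*' is the only
        # wildcard and a mask may hit either the host name or the URL minus its scheme.
        parts = urlsplit(url.lower())
        host = parts.hostname or ""
        target = parts.netloc + parts.path
        if not any(fnmatchcase(host, m.lower()) or fnmatchcase(target, m.lower())
                   for m in self.addresses):
            return False
        principals = {user.lower()} | {g.lower() for g in groups}
        if "*" not in self.users and not principals & {u.lower() for u in self.users}:
            return False
        if self.data_types and data_type not in self.data_types:
            return False
        if when.weekday() not in self.weekdays:
            return False
        return self.start <= when.time() <= self.end


def diagnose(policy, default_action, url, user, groups, data_type, when):
    """Like the rule diagnostics tool: list every rule matching the test request in
    policy order and return the action of the first one (or the default rule's
    action when none matches)."""
    hits = [r for r in policy if r.matches(url, user, groups, data_type, when)]
    return (hits[0].action if hits else default_action), [r.name for r in hits]


# Constructed policy: deny everybody everything during business hours, with the two
# allowing rules placed above it, plus a data-type rule for web mail at the top.
POLICY = [
    Rule("Webmail: no office files or archives", "Block",
         addresses=("webmail.example.net*",), data_types=("Office files", "Archives")),
    Rule("IT department: unrestricted", "Allow", users=("IT department",)),
    Rule("Corporate portal for everyone", "Allow", addresses=("portal.example.com*",)),
    Rule("Business hours: deny everything", "Block",
         weekdays=(0, 1, 2, 3, 4), start=time(9, 0), end=time(18, 0)),
]
DEFAULT_ACTION = "Allow"   # "Allow all except the rules list" (denylist mode)


def check(url, user, groups=(), data_type=None, when="2025-02-17T10:00"):
    """Run a test request against POLICY; 'when' is an ISO 8601 timestamp (Monday 10:00 by default)."""
    return diagnose(POLICY, DEFAULT_ACTION, url, user, tuple(groups),
                    data_type, datetime.fromisoformat(when))


if __name__ == "__main__":
    for args in (("https://www.social.example/feed", "alice", ("Sales",)),
                 ("https://www.social.example/feed", "bob", ("IT department",)),
                 ("https://portal.example.com/hr", "alice", ("Sales",)),
                 ("https://www.social.example/feed", "alice", ("Sales",), None, "2025-02-17T19:00")):
        print(args[0], args[1], "->", check(*args))
```

Note how the diagnostics output for the IT user lists both the allowing rule and the business-hours rule: both match, but only the first one in the list is applied, which is the ordering point made above. Swap the two and IT would be blocked like everyone else.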

4.3. How it works

If the user tries to open a blocked website

If Web Control blocked only part of a web page, the user might not notice. If a page is completely
forbidden, a replacement page with a Web Control message will be displayed: either an indication
that access is blocked or a warning about an undesired site.

If a website is blocked (using the Block action configured in a rule), access will be denied.
However, if users disagree with the policy and still want to access the web resource, they can use
the Request access link in the Web Control message.

The user can edit the text of the request and send it to the administrator. Requests are sent to the
Administration Server as events and end up in the User requests selection.

If the user opens an undesired website


If the administrator creates a rule with the Warn action for certain web resources, meaning that
access to the website is not explicitly prohibited but is merely not advised, the user can ignore the
message and proceed to the website. To do so, the user can simply follow one of the links in the
warning message:

Link to the page that the user attempted to open

Link allowing access to all pages on the website

Link allowing access to the entire website and its subdomains

To monitor situations when a user ignores the warning about undesired access and opens the site,
enable sending the Undesirable content was accessed after a warning event that has the
Warning severity. These events are not sent to the Administration Server by default.

Where do user requests go?

If a user sends a request, it will be transferred to the server as a Warning event. As with the other
control components, requests are displayed in a special selection named User requests. The
administrator does not have to react to a request. However, if they want to, they can, for example,
configure the corresponding email notifications in the Kaspersky Endpoint Security policy.

In both cases, an event contains the access time, site URL, applied rule, computer name, user
account and Web Control action. If the rule was created for a category or data type, they are also
specified.

Notification template

Notification templates are available in the Kaspersky Endpoint Security policy, in the Web Control
settings. You can use variables.

Web Control events

Web Control has several types of events:

Access denied (local bases) — Critical.

Access denied (KSN) — Critical.

Warning about undesirable content (local databases) — Warning.

Warning about undesirable content (KSN) — Warning.

Temporary access to the unwanted content after warning activated — Warning; this is not sent
to the Administration Server by default.

Application activity blockage message to administrator — Warning.

Web Control processes each object that makes up a site independently. That is why, for example,
when graphic files are prohibited, a separate event is created for each small image that is
blocked. A single attempt to open a forbidden site can therefore produce hundreds of events,
which does not necessarily mean that the user is browsing the internet day and night.

Report on Web Control

Reports come in handy for regular control and general information. The Report on Web Control
shows how often each rule was matched, and in which mode.

The Details tab provides detailed information about each instance when a rule was triggered.

Allowing rules are not included in the report.


Last updated 2024-07-29 11:45:30 UTC
