Application Control Events

Receiving Statistics Configuration

To enable sending of Application Control event information from the stations

1. In the Anti-virus network section, select in the network tree the stations and station groups with Application Control installed from which you want to receive information on application launches.

2. In the control menu, select Windows → Dr.Web Agent.

3. On the General tab, set the Track Application Control events flag to track process activity detected by Application Control at stations and send the events to Dr.Web Server. If there is no connection with Dr.Web Server, events are collected and sent once the connection is established. If the flag is cleared, process activity is ignored.

4. Click Save.

To enable collecting of Application Control event information at Dr.Web Server

1. In the Administration → Dr.Web Server configuration section, go to the Statistics tab.

2. Set one of the following options:

Application Control statistics on processes activity: receive and record information on the activity of all processes, whether allowed or prohibited to launch by Application Control. Setting this option enables registration of applications in the catalog, provided that at least one profile is created and assigned, with one or several categories of functional analysis criteria selected.
Until profiles are created and assigned to stations of the anti-virus network, all applications are allowed to launch.

Application Control statistics on processes blocking: receive and record information on the activity of all processes prohibited to launch by Application Control. With this option, applications are written to the catalog only after profiles whose settings block application launch have been created and assigned to stations of the anti-virus network.

Note: The Application Control statistics on processes activity flag may significantly increase the resource consumption of statistics collection across the whole anti-virus network.

3. Click Save.

4. Restart Dr.Web Server.

5. After restarting, Dr.Web Server starts collecting statistics on application launches received from all stations with Application Control installed.

Viewing Statistics

To view events detected on stations by the Application Control component

1. In the hierarchical list, select a station or a group.

2. In the control menu, select the Application Control events item from the Statistics section.

3. A window opens containing the list of applications that were prohibited or allowed to run at the selected stations.

4. Statistics for the last 24 hours are displayed by default. To view the data for another time period, select a period relative to today in the drop-down list, or set an arbitrary date range on the toolbar. To set an arbitrary date range, enter the required dates or click the calendar icons next to the date fields. To load data, click Refresh. The tables with statistics will be loaded. The table below describes the table columns.

Description of the columns in the Application Control Events table

| Column Name | Description |
|---|---|
| Identifier | Station identifier |
| Station | Station name |
| Station address | Station address |
| Security identifier | Security identifier of the user account |
| User | Station user |
| Event type | Type of event detected on the station |
| Applied action | Action applied to the application launched on the station |
| Functional analysis criterion | Criterion for allowing or blocking application at the station |
| Functional analysis mask | Parameter of the functional analysis criterion. This parameter determines whether the application is allowed to run on the station or not. |
| Profile ID | Profile identifier |
| Profile name | Profile name |
| Rule ID | Rule identifier |
| Rule name | Rule name |
| Operation mode | Operation mode of the rule |
| Process file path | Process file path |
| Process | A process that is allowed or prohibited to launch on the station |
| Bulletin with process hash | Bulletin containing the hash of the launched process file |
| Script file path | Script file path |
| Script | Script file |
| Bulletin with script hash | Bulletin containing the hash of the launched script file |
| Event occurrence | Date and time when the event occurred |
| Event notification | Date and time of event notification |
| File hash (SHA-256) | The hash value of the file (SHA-256 algorithm) |
| File description | File description |
| Publisher | Publisher of the file |
| Certificate issuer | Certification authority that issued the certificate |
| Certificate hash (SHA-1) | The hash value of the certificate (SHA-1 algorithm) |
| Certificate start date | Certificate start date |
| Certificate end date | Certificate end date |

5. To save the table for printing or future processing, click one of the following buttons:

Save data in CSV file,

Save data in HTML file,

Save data in XML file,

Save data in PDF file.

Note: When a profile or rule is in test mode, applications launched on assigned workstations are checked against each step of the entire Application Control scheme, top to bottom. Displayed statistics will include all cases when an application matched any of the criteria: functional analysis settings, rules, and trusted applications group. Therefore, one application may have several records in the Applied action column saying that it was allowed by one criterion and/or blocked by another.
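Before a test-mode rule is switched to Active, the exported CSV can be reviewed offline to see which files test-mode events mark as blocked and which have mixed verdicts. The script below is an added example, not part of the Dr.Web documentation or product. It assumes that the CSV header row uses the column names from the table above, that Applied action holds Allowed/Blocked, and that Operation mode holds Test/Active; all sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Assumptions: header names match the column names
# in the table above; "Applied action" is Allowed/Blocked and "Operation mode"
# is Test/Active. Hashes, rule names, criteria and paths are made up.
H1, H2, H3, H4 = ("a" * 64, "b" * 64, "c" * 64, "d" * 64)
SAMPLE_CSV = "\n".join([
    "Station,Applied action,Functional analysis criterion,Rule name,"
    "Operation mode,Process file path,File hash (SHA-256)",
    rf"WS-01,Allowed,,Allow backup tool,Test,C:\Tools\backup.exe,{H1}",
    rf"WS-01,Blocked,sample-criterion,,Test,C:\Tools\backup.exe,{H1}",
    rf"WS-02,Blocked,,Deny admin tools,Test,C:\Temp\tool.exe,{H2}",
    rf"WS-02,Allowed,sample-criterion,,Test,C:\Apps\editor.exe,{H3}",
    rf"WS-03,Blocked,,Deny legacy,Active,C:\Old\legacy.exe,{H4}",
])


def review_test_mode(csv_text):
    """Classify each file hash seen in test-mode events by its verdicts."""
    seen = defaultdict(lambda: {"paths": set(), "stations": set(),
                                "allowed": set(), "blocked": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation mode"].strip().lower() != "test":
            continue  # active-mode events are already enforced
        action = row["Applied action"].strip().lower()
        if action not in ("allowed", "blocked"):
            continue  # unknown verdict text: leave for manual review
        entry = seen[row["File hash (SHA-256)"].strip().lower()]
        entry["paths"].add(row["Process file path"])
        entry["stations"].add(row["Station"])
        # Record which rule or functional analysis criterion gave the verdict.
        source = row["Rule name"] or row["Functional analysis criterion"]
        entry[action].add(source or "unspecified")
    report = {}
    for file_hash, e in seen.items():
        if e["allowed"] and e["blocked"]:
            status = "conflict"     # allowed by one criterion, blocked by another
        elif e["blocked"]:
            status = "would_block"  # only block verdicts were recorded
        else:
            status = "allowed"
        report[file_hash] = {"status": status,
                             **{k: sorted(v) for k, v in e.items()}}
    return report


if __name__ == "__main__":
    for file_hash, info in review_test_mode(SAMPLE_CSV).items():
        print(info["status"], file_hash[:12], info["paths"], info["blocked"])
```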

Creating Rules

To create a new rule based on the Application Control event statistics

1. In the Statistics → Application Control events section, select the row with the event for the attempted launch of the application for which you want to create a launch control rule.

2. Clicking the table row opens a window with information on the selected event.

3. Click Create rule.

4. The window for creating a new rule opens. Specify the following settings:

a) In the Profile name drop-down list, select the Application Control profile for which the rule will be created.

b) In the Rule name field, specify the name of the rule being created.

c) For the Rule type option, select the type of the rule being created: deny or allow.

d) For the Operation mode option, select the operation mode of the rule being created (corresponds to the Switch rule to test mode flag at rule creation in a profile):
If you want to check how the rule operates, select the Test option. Applications will not be blocked at stations, but the activity log will be written as if the settings were enabled. Application launch and block results based on a rule in test mode will be displayed in the Application Control Events section.
With the Active option, the rule operates in active mode and blocks applications at stations according to the specified rule settings (see also modes of profiles operation).

e) In the Prohibit the launch of applications on the following criteria/Allow the launch of applications on the following criteria section (depending on the rule type selected in step 4c), the fields are filled in automatically according to the application on which the rule is based. If necessary, you can edit the settings.

5. Click Save. The rule will be created in the specified Application Control profile.