When working in the program web interface, users with the Senior security officer role can manage prevention rules for files and processes on selected hosts. For example, you can prevent the running of programs that you consider unsafe to use on the selected host with Kaspersky Endpoint Agent. The program identifies files based on their hash by using the MD5 and SHA256 hashing algorithms. You can create, enable, disable, delete, and modify prevention rules. Additionally, you can click the link with the name of the hashing algorithm in the prevention rule table to find objects, events, or alerts that have triggered prevention rules (for example, Find events, Find alerts, Find on KL TIP, or Find on virustotal.com).
Prevention rules can have the following types:
Users with the Senior security officer role can create, edit, delete, enable and disable prevention rules for the organizations whose data they can access.
Users with the Security officer role cannot access prevention rules.
All changes to prevention rules are applied on hosts after an authorized connection is established with the selected hosts. If there is no connection with the hosts, the old prevention rules continue to be applied on the hosts. Changes to prevention rules do not affect processes that are already running.
You can create only one prevention rule for each file hash.
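Because files are identified by MD5 or SHA256 hash and each hash can have only one rule, it helps to hash candidate files and collapse identical content before creating rules. The following is an added example, not Kaspersky code and not part of the product: the function names and the sample files are constructed for illustration, and it calls no product API.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def file_hashes(path, chunk_size=1 << 20):
    """Stream a file once and return its (MD5, SHA256) hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def plan_rules(paths):
    """Group candidate files by SHA256 so each hash yields one rule entry."""
    by_hash = defaultdict(lambda: {"md5": None, "paths": []})
    for path in paths:
        md5, sha256 = file_hashes(path)
        by_hash[sha256]["md5"] = md5
        by_hash[sha256]["paths"].append(path)
    return [
        {"sha256": sha, "md5": e["md5"], "paths": sorted(e["paths"])}
        for sha, e in sorted(by_hash.items())
    ]


def demo():
    """Constructed sample: two copies of one file plus a different file."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"tool.exe": b"constructed sample A",
                   "tool_copy.exe": b"constructed sample A",
                   "other.exe": b"constructed sample B"}
        paths = []
        for name, data in samples.items():
            p = os.path.join(tmp, name)
            with open(p, "wb") as fh:
                fh.write(data)
            paths.append(p)
        return [(r["sha256"], r["md5"], [os.path.basename(p) for p in r["paths"]])
                for r in plan_rules(paths)]


if __name__ == "__main__":
    for sha256, md5, names in demo():
        print(f"SHA256 {sha256}  MD5 {md5}  files: {', '.join(names)}")
```

Renamed copies of the same file share one hash and therefore map to a single rule, so the output lists one entry per distinct hash with every path that produced it.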
Prevention rules are enforced only when Kaspersky Endpoint Agent is running on the host.
If an attempt is made to run a file before Kaspersky Endpoint Agent is started or after Kaspersky Endpoint Agent is shut down on a host, the file is not blocked from running.
You can use policies to manage prevention rules for files and processes on selected hosts only if Kaspersky Endpoint Agent is integrated with the Central Node server; to do so, you must use the web interface of Kaspersky Anti Targeted Attack Platform.