Creating a prevention rule

To create a prevention rule:

1. Select the Prevention section in the program web interface window.

   This opens the prevention rule table

2. Click Add.
3. Select Create rule.

   This opens the prevention rule creation window.

4. Configure the following settings:
   1. State is the state of the prevention rule:
      • If you want to enable the prevention rule, set the toggle switch to On.
      • If you want to disable the prevention rule, set the toggle switch to Off.
   2. MD5/SHA256—MD5- or SHA256 hash of the file or data stream that you want to prevent from starting.

      Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

      Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

      Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

   3. Name is the name of the prevention rule.
   4. If you want the program to display a notification about prevention rule triggering to the user of the computer on which the prevention is applied, select the Notify user about blocking file execution check box.

      If you selected the Notify user about blocking file execution check box and an attempt is made to execute a file prevented from running, the user is notified that an execution prevention rule was triggered by this file.

   5. Prevent on is the prevention rule scope:
      • If you want to apply the prevention rule on all hosts of all servers, select All hosts.
      • If you want to apply the prevention rule on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to apply the prevention rule.

        This option is available only when distributed solution and multitenancy mode is enabled.

        Operation mode in which the program can be used to protect the infrastructure of several organizations simultaneously.

      • If you want to apply the prevention rule on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.

      Prevention rules cannot be created for hosts with the Kaspersky Endpoint Agent for Linux program. When creating a prevention rule, if you select a host with Kaspersky Endpoint Agent for Linux or all hosts as the scope of the rule, the rule is not applied or is only applied to hosts with Kaspersky Endpoint Agent for Windows.

5. Click Add.

The file startup prevention will be created.

You can also import prevention rules.

Users with the Security auditor role cannot create file launch prevention rules.

Users with the Security officer role cannot access prevention rules.

See also Managing policies (prevention rules) Viewing the prevention rule table Configuring prevention rule table display Viewing a prevention rule Importing prevention rules Enabling and disabling a prevention rule Enabling and disabling presets Deleting prevention rules Filtering prevention rules by name Filtering prevention rules by type Filtering prevention rules by file hash Filtering prevention rules by server name Clearing a prevention rule filter

Page top