When working in the program web interface, users with the Senior security officer role can manage prevention rules for files and processes on selected hosts. For example, you can prevent the running of programs that you consider unsafe to use on the selected host with Kaspersky Endpoint Agent. The program identifies files based on their hash by using the MD5 and SHA256 hashing algorithms. You can create, enable, disable, delete, and modify prevention rules. Additionally, you can click the link with the name of the hashing algorithm in the prevention rule table to find objects, events, or alerts that have triggered prevention rules, such as Find events, Find alerts, Find on KL TIP, or Find on virustotal.com.
Prevention rules can have the following types:
Users with the Senior security officer role can create, edit, delete, enable, disable, and import prevention rules for companies to whose data they have access.
Users with the Security officer role do not have access to policies.
Users with the Security auditor role can view the table of file run prevention rules and process run prevention rules, as well as information about the selected prevention rule, but they cannot edit the rules.
All changes to prevention rules are applied on hosts after an authorized connection is established with the selected hosts. If there is no connection with the hosts, the old prevention rules continue to be applied on the hosts. Changes to prevention rules do not affect processes that are already running.
Prevention rules can be created automatically based on preset politics (hereinafter also "presets") added by default. With presets turned on, a prevention rule is created based on a medium or high severity alert of the Sandbox component. The prevention rule thus created prevents running the file based on its MD5 hash. Users with the Senior security officer role can enable and disable presets.
Presets are not supported in distributed solution and multitenancy mode.
The same operations can be applied to automatically created or imported prevention rules as for manually created rules.
You can create only one prevention rule for each file hash.
The maximum supported number of prevention rules in the system is 50 000.
Prevention rules are enforced only when Kaspersky Endpoint Agent is running on the host. If an attempt is made to run a file before Kaspersky Endpoint Agent is started or after Kaspersky Endpoint Agent is shut down on a host, the file is not blocked from running.
You can manage file and process running prevention rules on selected hosts using policies if Kaspersky Endpoint Agent is integrated with the Central Node server; to do so, you must use the web interface of Kaspersky Anti Targeted Attack Platform.