Managing policies (prevention rules)

When working in the program web interface, users with the Senior security officer role can manage prevention rules for files and processes on selected hosts. For example, you can prevent programs that you consider unsafe from running on selected hosts that have Kaspersky Endpoint Agent installed. The program identifies files by their hash, using the MD5 and SHA256 hashing algorithms; because a rule matches an exact hash, a modified copy of a blocked file has a different hash and is not covered by the existing rule. You can create, enable, disable, delete, and modify prevention rules. Additionally, in the prevention rule table you can click the link with the name of the hashing algorithm to search for objects, events, or alerts associated with that hash: Find events, Find alerts, Find on TIP, or Find on virustotal.com.

In distributed solution and multitenancy mode, prevention rules can have the following types:

Users with the Senior security officer role can create, edit, delete, enable, disable, and import prevention rules for tenants to whose data they have access.

Users with the Security officer role do not have access to policies.

Users with the Security auditor role can view the table of file run prevention rules and process run prevention rules, as well as information about the selected prevention rule, but they cannot edit the rules.

All changes to prevention rules are applied on hosts after an authorized connection is established with the selected hosts. If there is no connection with the hosts, the old prevention rules continue to be applied on the hosts. Changes to prevention rules do not affect processes that are already running.

Prevention rules can be created automatically based on preset policies (hereinafter also "presets") added by default. With presets turned on, a prevention rule is created based on a medium or high severity alert of the Sandbox component. The prevention rule thus created prevents running the file based on its MD5 hash. Users with the Senior security officer role can enable and disable presets.

Presets are not supported in distributed solution and multitenancy mode.

Automatically created and imported prevention rules support the same operations as manually created rules.

You can create only one prevention rule for each file hash.

The maximum supported number of prevention rules in the system is 50,000.
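The two constraints above (one prevention rule per file hash, at most 50,000 rules) are easy to violate when a rule list is assembled outside the web interface and then imported. The following Python script is an added example, not part of this documentation and not Kaspersky code: it computes the MD5 and SHA256 digests that rules are keyed on, normalizes candidate hashes, drops duplicates of hashes that already have a rule, and stops at the limit. The rule fields (name, algorithm, digest), the sample file contents and the candidate list are assumptions constructed for the example; the actual import format is not described on this page.

```python
import hashlib
import re
from dataclasses import dataclass

MAX_RULES = 50_000  # limit stated in the documentation

# Hex-digest shapes of the two algorithms the platform uses to identify files.
HASH_PATTERNS = {
    "MD5": re.compile(r"^[0-9a-f]{32}$"),
    "SHA256": re.compile(r"^[0-9a-f]{64}$"),
}


@dataclass(frozen=True)
class PreventionRule:
    """Hypothetical in-memory shape of a rule; the real import format is not shown on the page."""
    name: str
    algorithm: str  # "MD5" or "SHA256"
    digest: str     # lowercase hex


def file_digests(data: bytes) -> dict:
    """Return both digests a rule can be keyed on for the given file contents."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def normalize_digest(value: str) -> tuple:
    """Strip and lowercase a hash string and infer the algorithm from its length.

    Raises ValueError for anything that is not an MD5 or SHA256 hex digest
    (e.g. a SHA1 or a truncated value), so such entries never become rules.
    """
    digest = value.strip().lower()
    for algorithm, pattern in HASH_PATTERNS.items():
        if pattern.fullmatch(digest):
            return algorithm, digest
    raise ValueError(f"not an MD5 or SHA256 hex digest: {value!r}")


def build_rule_set(candidates, existing=(), limit=MAX_RULES):
    """Validate (name, hash) candidates against existing rules.

    Enforces one rule per hash (case-insensitive) and the total rule limit.
    Returns (rules, skipped) where skipped lists (name, reason) for rejected entries.
    """
    rules = list(existing)
    seen = {rule.digest for rule in rules}
    skipped = []
    for name, value in candidates:
        try:
            algorithm, digest = normalize_digest(value)
        except ValueError as err:
            skipped.append((name, str(err)))
            continue
        if digest in seen:
            skipped.append((name, f"a rule for {digest} already exists"))
            continue
        if len(rules) >= limit:
            skipped.append((name, f"rule limit of {limit} reached"))
            continue
        rules.append(PreventionRule(name, algorithm, digest))
        seen.add(digest)
    return rules, skipped


if __name__ == "__main__":
    # Constructed sample: pretend these bytes are a suspicious executable.
    sample_file = b"MZ\x90\x00constructed-sample-binary"
    digests = file_digests(sample_file)

    # Constructed candidate list: same MD5 twice in different case, plus a SHA1-length value.
    candidates = [
        ("block sample (md5)", digests["MD5"].upper()),
        ("block sample again", digests["MD5"]),
        ("block sample (sha256)", digests["SHA256"]),
        ("bad entry", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    ]
    rules, skipped = build_rule_set(candidates)
    for rule in rules:
        print(f"rule: {rule.name:24} {rule.algorithm:7} {rule.digest}")
    for name, reason in skipped:
        print(f"skipped: {name:24} {reason}")
```

Note that the MD5 and SHA256 rules for the same file are both accepted: the platform's one-rule-per-hash constraint is per hash value, and a file has one of each. Whether the platform itself treats them as one rule or two is not stated on this page, so if you need to cover a file by both algorithms, check the result in the prevention rule table after import.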

Prevention rules are enforced only while Kaspersky Endpoint Agent is running on the host. If a file is run before Kaspersky Endpoint Agent has started or after it has been shut down on a host, the run is not blocked.

You can manage file and process running prevention rules on selected hosts using policies if Kaspersky Endpoint Agent is integrated with the Central Node server; to do so, you must use the web interface of Kaspersky Anti Targeted Attack Platform.

In this section

Viewing the prevention rule table

Configuring prevention rule table display

Viewing a prevention rule

Creating a prevention rule

Importing prevention rules

Enabling and disabling a prevention rule

Enabling and disabling presets

Deleting prevention rules

Filtering prevention rules by name

Filtering prevention rules by type

Filtering prevention rules by file hash

Filtering prevention rules by server name

Clearing a prevention rule filter
