Configuring execution prevention for objects in the Web Console

Configuring Execution prevention for objects (EDR Expert (on-premise))

If integration with the Kaspersky Endpoint Detection and Response Expert (on-premise) solution or the Kaspersky Endpoint Detection and Response (KATA) component is enabled, you can enable or disable execution prevention for objects in the policy properties (Application settings → Built-in Agents Configuration → Endpoint Detection and Response Expert (on-premise)).

The Execution prevention toggle switch enables or disables EDR Expert (on-premise) rules for execution prevention for objects.

Configuring EDR Optimum execution prevention for objects.

If integration with Kaspersky Endpoint Detection and Response Optimum is enabled, you can enable or disable object execution prevention and configure object execution prevention rules of the EDR Optimum component:

• In the policy properties (Application settings → Built-in Agents Configuration → Endpoint Detection and Response).
• In the managed device properties (Assets (Devices) → Managed devices → <device name> link → Applications tab → <Kaspersky Endpoint Security application name> link → Application settings tab → Detection and Response → Endpoint Detection and Response Optimum).

Object execution prevention cannot be enabled or disabled in the device properties if a policy is applied to the device.

EDR Optimum execution prevention for objects settings in device properties

Setting	Description
Execution prevention for objects is enabled/disabled	Enables or disables EDR Optimum rules for execution prevention for objects. By default, rules are not applied.
Action when starting or opening an object	You can select the mode of object execution prevention: Block. In this mode, the application blocks the execution of objects or the opening of documents that satisfy the criteria of the prevention rules, and logs an event about attempts to run objects or open documents in the event log. Inform. In this mode, the application logs an event about attempts to run executable objects or open documents that satisfy the criteria of the prevention rules in the event log, but does not actually block their execution or opening. This mode is selected by default.
List of object execution prevention rules.	The Add link opens a window in which you can configure an object execution prevention rule of the EDR Optimum component. If necessary, you can delete a rule from the list using the Delete button.

To add a rule to the list of object execution prevention rules of the EDR Optimum component in device properties:

1. Click the Add button above the list of execution prevention rules.
2. This opens a window; in that window, enter the name of the execution prevention rule.
3. Specify the status of the execution prevention rule by setting the switch to the appropriate position:
   • Enabled means the rule is enabled, the application applies this rule.
   • Disabled means the rule is disabled and is not used by the application.

   You can enable or disable the created rule at any time.

4. In the Type drop-down list, select the type of object you want to block:
   • Executable file.
   • Script.
   • Office application files.

   If you select the wrong object type, the application will be unable to block the file or script.

5. To add an object, specify the path to the object and/or the checksum of the object.

   To specify a path to an object, select Use path and enter the path to the object.

   To specify an object checksum, select the SHA256 or MD5 option and enter the object checksum.

6. Click OK.

   The created rule is added to the list of rules in the Execution prevention for objects settings block.

Page top