Host Intrusion Prevention

The Host Intrusion Prevention component prevents applications from performing actions that may be dangerous for the operating system, and ensures control over access to operating system resources and personal data. The component provides computer protection with the help of anti-virus databases and the Kaspersky Security Network cloud service.

The component controls the operation of applications by using application rights. Application rights include the following access parameters:

Network activity of applications is controlled by the Firewall using network rules.

During the first startup of the application, the Host Intrusion Prevention component performs the following actions:

  1. Checks the security of the application using downloaded anti-virus databases.
  2. Checks the security of the application in Kaspersky Security Network.

    You are advised to participate in Kaspersky Security Network to help the Host Intrusion Prevention component work more effectively.

  3. Places the application in one of the trust groups: Trusted, Low Restricted, High Restricted, Untrusted.

    A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application activity. Kaspersky Endpoint Security places an application in a trust group depending on the level of danger that this application may pose to the computer.

    Kaspersky Endpoint Security places an application in a single trust group that applies to both the Firewall and Host Intrusion Prevention components. You cannot change the trust group only for the Firewall or Host Intrusion Prevention.

    If you declined to participate in KSN or there is no network, Kaspersky Endpoint Security places the application in a trust group depending on the settings of the Host Intrusion Prevention component. After receiving the reputation of the application from KSN, the trust group can be changed automatically.

  4. Blocks application actions depending on the trust group. For example, applications from the High Restricted trust group are denied access to the operating system modules.

The next time the application is started, Kaspersky Endpoint Security checks the integrity of the application. If the application is unchanged, the component uses the current application rights for it. If the application has been modified, Kaspersky Endpoint Security analyzes the application as if it were being started for the first time.

Host Intrusion Prevention component settings

Parameter

Description

Application rights

Table of applications that are monitored by the Host Intrusion Prevention component. Applications are assigned to trust groups. A trust group defines the rights that Kaspersky Endpoint Security refers to when controlling application activity.

You can select an application from a single list of all applications installed on the computers to which the policy applies and add the application to a trust group.

Application access rights are presented in the following tables:

  • Files and system registry. This table contains the rights of applications within a trust group to access operating system resources and personal data.
  • Rights. This table contains the rights of applications in a trust group to access processes and resources of the operating system.
  • Network rules. Table of network rules for applications that are part of a trust group. In accordance with these rules, Firewall regulates the network activity of applications. The table displays the predefined network rules that are recommended by Kaspersky experts. These network rules have been added to optimally protect the network traffic of computers running Windows operating systems. It is not possible to delete the predefined network rules.

Protected resources

The table contains categorized computer resources. The Host Intrusion Prevention component monitors attempts by other applications to access resources in the table.

A resource can be a registry category, file or folder, or registry key.

Trust group for applications launched before Kaspersky Endpoint Security for Windows starts working

The trust group in which Kaspersky Endpoint Security places applications that are started before Kaspersky Endpoint Security starts.

Update rules for previously unknown applications from KSN

If the check box is selected, the Host Intrusion Prevention component updates rights for previously unknown applications by using the Kaspersky Security Network database.

Trust digitally signed applications

If this check box is selected, the Host Intrusion Prevention component places the applications with the digital signature of trusted vendors in the Trusted group.

Trusted vendors are those software vendors that are trusted by Kaspersky. You can also add a vendor certificate to the trusted certificate store manually.

If this check box is cleared, the Host Intrusion Prevention component does not consider such applications to be trusted, and uses other parameters to determine their trust group.

Delete rules for applications that have not been started for longer than N days (from 1 to 90)

If the check box is selected, Kaspersky Endpoint Security automatically deletes information about the application (trust group and access rights) if the following conditions are met:

  • You manually put the application into a trust group or configured its access rights.
  • The application has not started within the defined period of time.

If the trust group and rights of an application were determined automatically, Kaspersky Endpoint Security deletes information about this application after 30 days. It is not possible to change the storage term for application information or turn off automatic deletion.

The next time you start this application, Kaspersky Endpoint Security analyzes the application as if it were starting for the first time.

Trust group for applications that could not be added to existing groups

Items in this drop-down list determine to which trust group Kaspersky Endpoint Security will assign an unknown application.

You can choose one of the following items:

  • Low Restricted.
  • High Restricted.
  • Untrusted.
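
The rule lifecycle described on this page (integrity check on each start, fallback trust group when KSN gives no answer, and deletion of stored rules after the retention term) is modelled below. This is an added example, not Kaspersky code: the class and method names, the SHA-256 integrity check, and counting retention from the last start are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

AUTO_RETENTION_DAYS = 30  # fixed term for automatically determined rules (per the page)

@dataclass
class Rule:
    digest: str           # assumption: integrity is modelled as a SHA-256 of the file
    group: str
    manual: bool          # True once an administrator set the group or rights
    last_start: datetime  # assumption: retention is counted from the last start

class RuleStore:
    """Conceptual model of stored per-application rules (hypothetical names)."""

    def __init__(self, fallback_group, manual_days=None):
        # manual_days=None models the "Delete rules ..." check box being cleared.
        if manual_days is not None and not 1 <= manual_days <= 90:
            raise ValueError("N must be from 1 to 90 days")
        self.fallback_group, self.manual_days, self.rules = fallback_group, manual_days, {}

    def purge(self, now):
        """Drop stored rules whose application has not started within its term."""
        for path, rule in list(self.rules.items()):
            days = self.manual_days if rule.manual else AUTO_RETENTION_DAYS
            if days is not None and now - rule.last_start > timedelta(days=days):
                del self.rules[path]

    def set_manual(self, path, group):
        rule = self.rules[path]
        rule.group, rule.manual = group, True

    def on_start(self, path, content, now, verdict=None):
        """Return (trust group, reason). verdict is the group the first-start
        analysis would assign; None models no KSN answer (declined or offline)."""
        self.purge(now)
        digest = hashlib.sha256(content).hexdigest()
        rule = self.rules.get(path)
        if rule is not None and rule.digest == digest:
            rule.last_start = now           # unchanged: keep the current rights
            return rule.group, "unchanged"
        reason = "first-start" if rule is None else "modified"
        group = verdict or self.fallback_group
        self.rules[path] = Rule(digest, group, False, now)  # analysed as a first start
        return group, reason
```

The model makes one operational consequence visible: a manually assigned trust group survives only while the binary is unchanged and the retention term has not elapsed, so updates and long idle periods both return the application to automatic classification.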
