Execution prevention allows managing the running of executable files and scripts, as well as opening office format files. In this way, you can, for example, prevent the execution of applications that you consider insecure. Execution prevention supports a set of office file extensions and a set of script interpreters.
Execution prevention rule
Execution prevention manages user access to files with execution prevention rules. An execution prevention rule is a set of criteria that are considered when blocking. The application identifies files by their paths or checksums calculated using MD5 and SHA256 hashing algorithms.
You can create Execution prevention rules:
Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details include, for example, the history of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help and the Kaspersky Endpoint Detection and Response Expert Help.
You must enter the file path or hash (SHA256 or MD5), or both the file path and the file hash.
You can also manage Execution prevention locally using the command line.
It is not recommended to create more than 5000 Execution prevention rules, as this can cause system instability.
Prevention rules do not cover files on CDs or in ISO images. The application does not block execution or opening of these files.
Execution prevention rule modes
The Execution prevention component can work in two modes:
In this mode, Kaspersky Endpoint Security publishes an event about attempts to run executable objects or open documents that match prevention rule criteria to the Windows event log and Kaspersky Security Center, but does not block the attempt to run or open the object or document. This mode is selected by default.
In this mode, the application blocks the execution of objects or opening of documents that match prevention rule criteria. The application also publishes an event about attempts to execute objects or open documents to the Windows event log and Kaspersky Security Center event log.
Managing Execution prevention
You can configure the task for EDR Optimum in Web Console and Cloud Console. Task settings for EDR Expert are available only in Cloud Console.
To prevent execution:
The policy properties window opens.
If you select a wrong object type, Kaspersky Endpoint Security does not block the file or script.
If the file is located on a network drive, enter the file path starting with \\, and not the drive letter. For example, \\server\shared_folder\file.exe. If the file path contains a network drive letter, Kaspersky Endpoint Security does not block the file or script.
Execution prevention supports a set of office file extensions and a set of script interpreters.
As a result, Kaspersky Endpoint Security blocks the execution of objects: running executable files and scripts, opening office format files. You can, however, for example, open a script file in a text editor even if running the script is prevented. When blocking the execution of an object, Kaspersky Endpoint Security displays a standard notification (see figure below) if notifications are enabled in application settings.
Execution prevention notification
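The following is an added illustration, not code from Kaspersky Endpoint Security, of how the rule criteria described above combine: a rule carries a path, a hash (SHA256 or MD5) or both, every criterion the rule specifies must match, and a matching attempt is only logged in the first mode but logged and blocked in the second. It also shows why a rule written with a network drive letter misses a file opened through its UNC path. The rule set, the sample script bytes, the mode names "audit" and "block" and the function names are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the content of a hypothetical script that the rules should cover.
SAMPLE_SCRIPT = b'Write-Host "hello"\r\n'


@dataclass
class PreventionRule:
    """One rule: a file path, a file hash (SHA256 and/or MD5), or both."""
    path: Optional[str] = None
    sha256: Optional[str] = None
    md5: Optional[str] = None

    def __post_init__(self) -> None:
        # Mirrors the requirement that a rule has a path, a hash, or both.
        if not (self.path or self.sha256 or self.md5):
            raise ValueError("a rule needs a file path, a file hash, or both")


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 of the file content as lower-case hex."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def rule_matches(rule: PreventionRule, path: str, hashes: dict) -> bool:
    """Every criterion the rule specifies must match; unspecified ones are ignored.
    Paths are compared case-insensitively, as Windows file names are."""
    if rule.path is not None and rule.path.lower() != path.lower():
        return False
    if rule.sha256 is not None and rule.sha256.lower() != hashes["sha256"]:
        return False
    if rule.md5 is not None and rule.md5.lower() != hashes["md5"]:
        return False
    return True


def evaluate(rules, path: str, data: bytes, mode: str) -> dict:
    """Decide one execution attempt.
    mode "audit": a matching attempt is logged but allowed (the default in the text).
    mode "block": a matching attempt is logged and blocked."""
    if mode not in ("audit", "block"):
        raise ValueError("mode must be 'audit' or 'block'")
    hashes = file_hashes(data)
    matched = [r for r in rules if rule_matches(r, path, hashes)]
    if not matched:
        return {"action": "allow", "matched": 0, "event": None}
    event = f"execution prevention: {len(matched)} rule(s) matched {path}"
    action = "block" if mode == "block" else "allow"
    return {"action": action, "matched": len(matched), "event": event}


# Constructed rule set: one path-only rule written as a UNC path, one hash-only rule.
RULES = [
    PreventionRule(path=r"\\server\shared_folder\script.ps1"),
    PreventionRule(sha256=file_hashes(SAMPLE_SCRIPT)["sha256"]),
]

if __name__ == "__main__":
    unc = r"\\server\shared_folder\script.ps1"
    print(evaluate(RULES, unc, SAMPLE_SCRIPT, "audit"))   # logged, allowed
    print(evaluate(RULES, unc, SAMPLE_SCRIPT, "block"))   # logged, blocked
    # The same share mapped as Z: misses the path rule; only the hash rule still hits.
    print(evaluate(RULES, r"Z:\script.ps1", SAMPLE_SCRIPT, "block"))
```

The last call shows the practical reason for the UNC requirement: a path criterion is a string comparison, so only the hash criterion survives a change in how the same file is addressed. A hash criterion, in turn, stops matching as soon as the file content changes, which is why the text lets you specify both.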