When integrated with Detection and Response solutions, as part of a threat response action, Kaspersky Industrial CyberSecurity for Linux Nodes can control the execution of executable files and scripts, as well as the opening of office application files on the device. Execution prevention for objects supports certain office applications and script interpreters. By blocking the launch of objects, you can stop the spread of a threat.
Object execution prevention is based on execution prevention rules. An execution prevention rule is a set of criteria that the Kaspersky Industrial CyberSecurity for Linux Nodes application takes into account when responding to the execution of an object. The application blocks the execution of an object only if the object satisfies all criteria of an execution prevention rule. The application identifies files by their path, MD5 checksum, or SHA256 checksum.
For the object execution prevention functionality to work, the following conditions must be satisfied:
If the blocking mode of file operation interception is not enabled, execution prevention works in inform mode, regardless of the configured operating mode.
Execution prevention for objects is disabled by default.
Enabling execution prevention for objects may affect the startup speed of applications in the operating system.
For object execution prevention to work, you need to enable execution prevention rules.
If execution prevention rules are enabled both in the Kaspersky Industrial CyberSecurity Endpoint Detection and Response integration settings and in the Kaspersky Industrial CyberSecurity for Networks integration settings, all rules are combined with the OR operator, and blocking execution prevention rules take priority. For example, if the object being started matches both an execution prevention rule with the Block action and an execution prevention rule with the Inform action, the object is blocked.
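The rule semantics described above (a rule matches only when every criterion it defines holds; matching rules are combined with OR; Block outranks Inform; and Block degrades to Inform when blocking mode of file operation interception is not enabled) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not code from the Kaspersky product; the Rule class, the evaluate function and the sample file contents are assumptions constructed here, and the rule names are invented placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """An execution prevention rule: any subset of path / MD5 / SHA256 criteria
    plus an action ("Block" or "Inform"). Hypothetical structure for this example."""
    name: str
    action: str
    path: Optional[str] = None
    md5: Optional[str] = None
    sha256: Optional[str] = None

    def matches(self, path: str, md5: str, sha256: str) -> bool:
        # Every criterion that the rule defines must hold (AND within a rule).
        checks = []
        if self.path is not None:
            checks.append(self.path == path)
        if self.md5 is not None:
            checks.append(self.md5.lower() == md5)
        if self.sha256 is not None:
            checks.append(self.sha256.lower() == sha256)
        # A rule with no criteria matches nothing rather than everything.
        return bool(checks) and all(checks)


def file_hashes(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of the object's contents."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def evaluate(rules: List[Rule], path: str, data: bytes,
             blocking_interception: bool = True) -> Tuple[str, List[str]]:
    """Combine all matching rules with OR; Block has priority over Inform.
    Without blocking-mode interception, a Block verdict is downgraded to Inform."""
    md5, sha256 = file_hashes(data)
    matched = [r for r in rules if r.matches(path, md5, sha256)]
    if not matched:
        return "Allow", []
    verdict = "Block" if any(r.action == "Block" for r in matched) else "Inform"
    if verdict == "Block" and not blocking_interception:
        verdict = "Inform"
    return verdict, [r.name for r in matched]


# Constructed sample object; its hashes are computed here rather than hard-coded.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'constructed sample script'\n"
SAMPLE_MD5, SAMPLE_SHA256 = file_hashes(SAMPLE_SCRIPT)

# Constructed rule set: one hash-based Block rule, one path-based Inform rule,
# and one rule that requires both a path and an MD5 to match.
RULES = [
    Rule("edr-block-by-sha256", "Block", sha256=SAMPLE_SHA256),
    Rule("net-inform-by-path", "Inform", path="/opt/tools/run.sh"),
    Rule("edr-block-path-and-md5", "Block", path="/usr/local/bin/legacy.sh", md5=SAMPLE_MD5),
]


if __name__ == "__main__":
    print(evaluate(RULES, "/opt/tools/run.sh", SAMPLE_SCRIPT))
    print(evaluate(RULES, "/opt/tools/run.sh", b"other contents\n"))
    print(evaluate(RULES, "/usr/local/bin/legacy.sh", b"other contents\n"))
    print(evaluate(RULES, "/opt/tools/run.sh", SAMPLE_SCRIPT, blocking_interception=False))
```

The third case shows why "all criteria" matters: the path of the legacy script matches, but its MD5 does not, so the rule does not fire and the object is allowed. The fourth case reproduces the interception caveat stated above, where the same object that would be blocked is only reported when blocking mode is off.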
Special considerations for object execution prevention when integrated with Kaspersky Industrial CyberSecurity Endpoint Detection and Response
When integrating the Kaspersky Industrial CyberSecurity for Linux Nodes application with the Kaspersky Industrial CyberSecurity Endpoint Detection and Response solution, the application uses ICS EDR execution prevention rules for objects. You can create these rules manually in the Web Console. You can also create execution prevention rules automatically in the alert details window.
When integrated with Kaspersky Industrial CyberSecurity Endpoint Detection and Response, you can:
You can also create an ICS EDR object execution prevention rule automatically by prohibiting the file from running in the alert details window. The ICS EDR execution prevention rule will be added to the policy for the administration group that the device belongs to.
You can prevent the execution of files in the alert details window only if a policy is applied to the device.
When integrated with Kaspersky Industrial CyberSecurity Endpoint Detection and Response, object execution prevention can operate in one of two modes:
The Kaspersky Industrial CyberSecurity for Linux Nodes application blocks execution of a script that is prohibited by an execution prevention rule, even if that script is imported by an allowed script.
Special considerations for object execution prevention when integrated with Kaspersky Industrial CyberSecurity for Networks
When integrating the Kaspersky Industrial CyberSecurity for Linux Nodes application with Kaspersky Industrial CyberSecurity for Networks, the application uses KICS for Networks execution prevention rules for objects. The application gets these rules from Kaspersky Industrial CyberSecurity for Networks.
When integrated with Kaspersky Industrial CyberSecurity for Networks, you can:
When KICS for Networks execution prevention rules are triggered, the Kaspersky Industrial CyberSecurity for Linux Nodes application sends a report to Kaspersky Industrial CyberSecurity for Networks.
Limitations of execution prevention for objects