Configuring execution prevention for objects in the Web Console

Configuring object execution prevention when integrated with the Kaspersky Industrial CyberSecurity for Networks component

When integrated with Kaspersky Industrial CyberSecurity for Networks, you can enable or disable object execution prevention in the policy properties (Application settings → Detection and Response → Integration with KICS for Networks).

The Execution prevention for objects switch in the Execution prevention settings block enables or disables the enforcement of KICS for Networks object execution prevention rules.

You can enable the enforcement of KICS for Networks object execution prevention rules only if integration with Kaspersky Industrial CyberSecurity for Networks is enabled.

Configuring object execution prevention when integrated with Kaspersky Industrial CyberSecurity Endpoint Detection and Response

When integrated with the Kaspersky Industrial CyberSecurity Endpoint Detection and Response component, you can enable and disable object execution prevention and configure execution prevention rules for ICS EDR objects:

Object execution prevention cannot be enabled or disabled in the device properties if a policy is applied to the device.

Object execution prevention settings when integrated with Kaspersky Industrial CyberSecurity Endpoint Detection and Response

Setting: Execution prevention for objects is enabled/disabled

Description: Enables or disables the enforcement of execution prevention rules for ICS EDR objects. By default, rules are not applied.

Setting: Action when starting or opening an object

Description: You can select the mode of object execution prevention:

  • Block. In this mode, the application blocks the execution of objects or the opening of documents that satisfy the criteria of the prevention rules, and logs an event in the event log about attempts to run objects or open documents.
  • Inform. In this mode, the application logs an event in the event log about attempts to run executable objects or open documents that satisfy the criteria of the prevention rules, but does not block their execution or opening. This mode is selected by default.

Setting: List of execution prevention rules for ICS EDR objects

Description: The Add link opens a window where you can configure an execution prevention rule for ICS EDR objects. If necessary, you can delete a rule from the list using the Delete button.

To add an ICS EDR object execution prevention rule to the list:

  1. Click the Add button located above the list of ICS EDR object execution prevention rules.
  2. In the window that opens, enter the name of the ICS EDR object execution prevention rule.
  3. Specify the status of the ICS EDR object execution prevention rule by setting the switch to the appropriate position:
    • Enabled means the rule is enabled and the application applies it.
    • Disabled means the rule is disabled and is not used by the application.

    You can enable or disable the created rule at any time.

  4. In the Type drop-down list, select the type of object you want to block:
    • Executable file.
    • Script.
    • Office application files.

    If you select the wrong object type, the application will be unable to block the file or script.

  5. To add an object, specify the path to the object and/or the checksum of the object.

    To specify a path to an object, select Use path and enter the path to the object.

    To specify an object checksum, select the SHA256 or MD5 option and enter the object checksum.

  6. Click OK.

    The created rule is added to the list of execution prevention rules for ICS EDR objects in the Execution prevention settings block.
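A checksum entered in step 5 that has the wrong length for the selected option, or that was computed from a different file, gives a rule that does not match the intended object. The helper below is an added example, not part of the product documentation: it computes the SHA256 and MD5 checksums of a file and checks a pasted value against the file before it is entered. The function names and the sample file are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hex digest lengths for the two checksum options named in step 5.
DIGEST_HEX_LEN = {"SHA256": 64, "MD5": 32}


def file_checksums(path, chunk_size=1024 * 1024):
    """Return both digests of a file, reading it in chunks."""
    hashers = {"SHA256": hashlib.sha256(), "MD5": hashlib.md5()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def normalize_checksum(algorithm, value):
    """Strip whitespace, lowercase for comparison, and check the length.

    Raises ValueError if the value is not hex of the length the algorithm
    produces, e.g. a 40-character SHA-1 digest given as SHA256.
    """
    if algorithm not in DIGEST_HEX_LEN:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    cleaned = re.sub(r"\s+", "", value).lower()
    expected = DIGEST_HEX_LEN[algorithm]
    if len(cleaned) != expected or not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError(
            f"{algorithm} checksum must be {expected} hex characters")
    return cleaned


def checksum_matches(path, algorithm, value):
    """True if the file on disk has the checksum intended for the rule."""
    return file_checksums(path)[algorithm] == normalize_checksum(algorithm, value)


if __name__ == "__main__":
    # Constructed sample file standing in for the object named in the rule.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample_object.bin"
        sample.write_bytes(b"constructed sample content\n")
        for name, digest in file_checksums(sample).items():
            print(f"{name}: {digest}")
```
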
