About Intrusion Prevention
October 3, 2023
Available only in Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium.
The Intrusion Prevention component prevents applications from performing actions that may be dangerous for the operating system, and controls access to operating system resources (including file resources located on remote computers) and your personal data.
Intrusion Prevention tracks actions performed in the operating system by applications installed on the computer and regulates them based on rules. These rules restrict suspicious activity of applications, including access by applications to protected resources, such as files and folders, registry keys, and network addresses.
On 64-bit operating systems, applications' rights for the following actions cannot be configured:
- Direct access to physical memory
- Managing printer driver
- Service creation
- Service reading
- Service editing
- Service reconfiguration
- Service management
- Service start
- Service removal
- Access to internal browser data
- Access to critical objects of the operating system
- Access to password storage
- Setting debug privileges
- Use of program interfaces of the operating system
- Use of program interfaces of the operating system (DNS)
- Use of program interfaces of other applications
- Change system modules (KnownDlls)
- Start drivers
On 64-bit Microsoft Windows 8 and Microsoft Windows 10, applications' rights for the following actions cannot be configured:
- Sending windows messages to other processes
- Suspicious operations
- Installation of keyloggers
- Interception of inbound stream events
- Making of screenshots
Applications' network activity is controlled by the Firewall component.
When an application is started on the computer for the first time, Intrusion Prevention checks the safety of the application and assigns it to a group (Trusted, Untrusted, High Restricted, or Low Restricted). The group defines the rules that Kaspersky applies for controlling the activity of the application.
Kaspersky application assigns applications to trust groups (Trusted, Untrusted, High Restricted, or Low Restricted) only if Intrusion Prevention or Firewall is enabled, and also when both these components are enabled. If both these components are disabled, the functionality that assigns applications to trust groups does not work.
You can edit application control rules manually.
The rules you create for applications are inherited by child applications. For example, if you deny all network activity for cmd.exe, that activity will also be denied for notepad.exe when it is started using cmd.exe. When an application is not a child of the application it runs from, rules are not inherited.