When integrated with Detection and Response solutions, as part of a threat response action, Kaspersky Endpoint Security can control the execution of executable files and scripts, as well as the opening of office application files on the device. Execution prevention for objects supports a certain set of file extensions for office applications and a certain set of script interpreters. By blocking the launch of objects, you can stop the spread of a threat.
Object execution prevention is based on execution prevention rules. An execution prevention rule is a set of criteria that Kaspersky Endpoint Security evaluates when it responds to the execution of an object. The application blocks the execution of an object only if the object satisfies all criteria of the rule; a rule with several criteria is therefore narrower, not stricter, than a rule with one. The application identifies files by their path, MD5 checksum, or SHA256 checksum.
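The following added example is not Kaspersky's code; it is a small model of the rule semantics described above (path, MD5 and SHA256 criteria, combined with AND) so that the effect of choosing one criterion or several is visible. The rule class, the case-insensitive path comparison, and the sample script content and path are all assumptions made for the illustration; the product's actual matching details are not stated on this page.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample "script" content and path for the illustration (not a real file).
SAMPLE_CONTENT = b"Write-Host 'constructed sample script'\r\n"
SAMPLE_PATH = r"C:\Users\Public\dropper.ps1"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_CONTENT).hexdigest()
SAMPLE_MD5 = hashlib.md5(SAMPLE_CONTENT).hexdigest()


def normalize_path(path: str) -> str:
    """Assumed matching: Windows paths compared case-insensitively, either separator."""
    return path.replace("/", "\\").lower()


@dataclass(frozen=True)
class ExecutionPreventionRule:
    """Hypothetical rule model: a file is blocked only if every set criterion matches."""
    name: str
    path: Optional[str] = None
    md5: Optional[str] = None
    sha256: Optional[str] = None

    def matches(self, candidate_path: str, content: bytes) -> bool:
        checks: List[bool] = []
        if self.path is not None:
            checks.append(normalize_path(candidate_path) == normalize_path(self.path))
        if self.md5 is not None:
            checks.append(hashlib.md5(content).hexdigest() == self.md5.lower())
        if self.sha256 is not None:
            checks.append(hashlib.sha256(content).hexdigest() == self.sha256.lower())
        # AND semantics: all criteria must hold; a rule with no criteria never matches
        return bool(checks) and all(checks)


def triggered_rules(rules: Iterable[ExecutionPreventionRule], path: str, content: bytes) -> List[str]:
    """Names of the rules that would block this object (any single match blocks it)."""
    return [r.name for r in rules if r.matches(path, content)]


# Three ways of describing the same object: by path, by hash, or by both.
RULES = [
    ExecutionPreventionRule("path-only", path=SAMPLE_PATH),
    ExecutionPreventionRule("hash-only", sha256=SAMPLE_SHA256),
    ExecutionPreventionRule("path-and-hash", path=SAMPLE_PATH, sha256=SAMPLE_SHA256, md5=SAMPLE_MD5),
]


def scenario_results() -> dict:
    """Which rules fire when the object is launched unchanged, renamed, or modified."""
    renamed = r"C:\Users\Public\notes.txt.ps1"        # same bytes, different path
    modified = SAMPLE_CONTENT + b"# appended comment\r\n"  # same path, every hash changes
    return {
        "original": triggered_rules(RULES, SAMPLE_PATH, SAMPLE_CONTENT),
        "renamed": triggered_rules(RULES, renamed, SAMPLE_CONTENT),
        "modified": triggered_rules(RULES, SAMPLE_PATH, modified),
    }


if __name__ == "__main__":
    for scenario, names in scenario_results().items():
        print(f"{scenario:9s} blocked by: {names or 'nothing'}")
```

The renamed copy is stopped only by the hash-only rule and the modified file only by the path-only rule; the rule that specifies both path and hash stops neither. When you write a rule during incident response, pick the criterion that survives the change you expect the attacker to make, rather than adding every criterion you have.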
The execution prevention functionality is available in the Kaspersky Endpoint Security application if one of the following conditions is satisfied:
Execution prevention for objects is disabled by default.
Enabling execution prevention for objects may affect the startup speed of applications in the operating system.
For object execution prevention to work, you need to enable execution prevention rules.
Special considerations for object execution prevention when integrated with Kaspersky Endpoint Detection and Response (KATA)
When Kaspersky Endpoint Security is integrated with the Kaspersky Endpoint Detection and Response (KATA) component, the application uses the object execution prevention rules of the EDR (KATA) component, which it receives from Kaspersky Endpoint Detection and Response (KATA).
When integrated with the Kaspersky Endpoint Detection and Response (KATA) component, you can:
When execution prevention rules are triggered, Kaspersky Endpoint Security sends a report to Kaspersky Anti Targeted Attack Platform.
Special considerations for object execution prevention when integrated with Kaspersky Endpoint Detection and Response Optimum
When Kaspersky Endpoint Security is integrated with the Kaspersky Endpoint Detection and Response Optimum solution, the application uses object execution prevention rules of the EDR Optimum component. You can create these rules manually in the Web Console. You can also create execution prevention rules automatically in the alert details window.
When integrated with Kaspersky Endpoint Detection and Response Optimum, you can:
You can also automatically create an execution prevention rule for an object by preventing the execution of a file in the alert details window. The execution prevention rule is added to the policy for the administration group that the device belongs to.
You can prevent the execution of files in the alert details window only if a policy is applied to the device.
When integrated with Kaspersky Endpoint Detection and Response Optimum, object execution prevention can work in one of two modes:
The Kaspersky Endpoint Security application blocks the execution of a script that is prohibited by an execution prevention rule even if that script is imported by an allowed script; the rule is evaluated for the imported script itself, not for the script that imports it.
Limitations of execution prevention for objects
The following limitations apply to object execution prevention rules: