Execution prevention for objects

When integrated with Detection and Response solutions, as part of a threat response action, Kaspersky Endpoint Security can control the execution of executable files and scripts, as well as the opening of office application files on the device. Execution prevention for objects supports a certain set of file extensions for office applications and a certain set of script interpreters. By blocking the launch of objects, you can stop the spread of a threat.

Object execution prevention is based on the execution prevention rules. An execution prevention rule is a set of criteria that the Kaspersky Endpoint Security application takes into account when responding to the execution of an object. The application blocks the execution of an object only if the object satisfies all criteria of an execution prevention rule. The application identifies files by their path or MD5 or SHA256 checksum.

The execution prevention functionality is available in the Kaspersky Endpoint Security application if one of the following conditions is satisfied:

• Integration of Kaspersky Endpoint Security with the Kaspersky Endpoint Detection and Response (KATA) component is enabled and the Kaspersky Anti Targeted Attack Platform solution is activated.
• Integration of Kaspersky Endpoint Security with the Kaspersky Endpoint Detection and Response Optimum solution is enabled and the EDR Optimum component is activated.

Execution prevention for objects is disabled by default.

Enabling execution prevention for objects may affect the startup speed of applications in the operating system.

For object execution prevention to work, you need to enable execution prevention rules.

Special considerations for object execution prevention when integrated with Kaspersky Endpoint Detection and Response (KATA)

When Kaspersky Endpoint Security is integrated with the Kaspersky Endpoint Detection and Response (KATA) component, the application uses object execution prevention rules of the EDR (KATA) component. The application gets these rules from Kaspersky Endpoint Detection and Response (KATA).

When integrated with the Kaspersky Endpoint Detection and Response (KATA) component, you can:

• Enable or disable the application of object execution prevention rules of the EDR (KATA) component in the Web Console, the Administration Console, or on the command line.

  When execution prevention rules are triggered, Kaspersky Endpoint Security sends a report to Kaspersky Anti Targeted Attack Platform.

• View the list of object execution prevention rules of the EDR (KATA) component on the command line.

Special considerations for object execution prevention when integrated with Kaspersky Endpoint Detection and Response Optimum

When Kaspersky Endpoint Security is integrated with the Kaspersky Endpoint Detection and Response Optimum solution, the application uses object execution prevention rules of the EDR Optimum component. You can create these rules manually in the Web Console. You can also create execution prevention rules automatically in the alert details window.

When integrated with Kaspersky Endpoint Detection and Response Optimum, you can:

• Enable or disable the application of object execution prevention rules of the EDR Optimum component in the Web Console or on the command line.
• Create and configure EDR Optimum execution prevention rules for objects in the Web Console.

  You can also automatically create an execution prevention rule for an object by preventing the execution of a file in the alert details window. The execution prevention rule is added to the policy for the administration group that the device belongs to.

  You can prevent the execution of files in the alert details window only if a policy is applied to the device.

• View the list of object execution prevention rules of the EDR Optimum component on the command line.

When integrated with Kaspersky Endpoint Detection and Response Optimum, object execution prevention can work in one of two modes:

• Block. In this mode, the application blocks the execution of objects or the opening of documents that satisfy the criteria of the prevention rules, and logs an event about attempts to run objects or open documents.

  The Kaspersky Endpoint Security application blocks execution of a script that is prohibited by a run prevention rule, even if that script is imported by an allowed script.

• Inform. In this mode, the application logs an event about attempts to run executable objects or open documents that satisfy the criteria of the prevention rules, but does not actually block their execution or opening. This mode is selected by default.

Limitations of execution prevention for objects

The following limitations apply to object execution prevention rules:

• The Kaspersky Endpoint Security application does not block objects specified in the execution prevention rules until the application is started.
• The Kaspersky Endpoint Security application does not block files that are opened before a prevention rule is created or modified.
• The Kaspersky Endpoint Security application does not block objects covered by an execution prevention rule that were executed before the execution prevention rule was created or modified to cover these objects.
• Some files can be critically important for the operation of the operating system and the application. Preventing the execution of such files may disrupt the operation of the system.
• We do not recommend creating more than 50000 execution prevention rules because as this may lead to system instability.

In this section Configuring execution prevention for objects in the Web Console Configuring object execution prevention in the Administration Console Managing execution prevention for objects on the command line

Page top