Configuring execution prevention for objects in the Web Console

Configuring object execution prevention when integrated with the Kaspersky Endpoint Detection and Response (KATA) component

When integrated with the Kaspersky Endpoint Detection and Response (KATA) component, you can enable or disable object execution prevention in the policy properties (Application settings → Detection and Response → Endpoint Detection and Response (KATA)).

The Execution prevention toggle switch under Execution prevention enables or disables execution prevention rules of the EDR (KATA) component.

You can enable execution prevention rules only if integration with Kaspersky Endpoint Detection and Response (KATA) is enabled.

Configuring object execution prevention when integrated with Kaspersky Endpoint Detection and Response Optimum

When integrated with the Kaspersky Endpoint Detection and Response Optimum component, you can enable or disable object execution prevention and configure object execution prevention rules of the EDR (KATA) component:

Object execution prevention cannot be enabled or disabled in the device properties if a policy is applied to the device.

Object execution prevention settings when integrated with Kaspersky Endpoint Detection and Response Optimum

Setting: Execution prevention for objects is enabled/disabled

Description: Enables or disables EDR Optimum rules for execution prevention for objects.

By default, rules are not applied.

You can enable execution prevention rules only if integration with Kaspersky Endpoint Detection and Response Optimum is enabled.

Setting: Action when starting or opening an object

Description: You can select the mode of object execution prevention:

  • Block. In this mode, the application blocks the execution of objects or the opening of documents that satisfy the criteria of the prevention rules, and logs an event about attempts to run objects or open documents in the event log.
  • Inform. In this mode, the application logs an event about attempts to run executable objects or open documents that satisfy the criteria of the prevention rules in the event log, but does not actually block their execution or opening. This mode is selected by default.

Setting: List of object execution prevention rules

Description: The Add link opens a window in which you can configure an object execution prevention rule of the EDR Optimum component.

If necessary, you can remove a rule from the list by clicking the Delete button.

To add a rule to the list of object execution prevention rules of the EDR Optimum component:

  1. Click the Add button above the list of execution prevention rules.
  2. In the window that opens, enter the name of the execution prevention rule.
  3. Specify the status of the execution prevention rule by setting the switch to the appropriate position:
    • Enabled means the rule is enabled and the application applies it.
    • Disabled means the rule is disabled and is not used by the application.

    You can enable or disable the created rule at any time.

  4. In the Type drop-down list, select the type of object you want to block:
    • Executable file.
    • Script.
    • Office application files.

    If you select the wrong object type, the application will be unable to block the file or script.

  5. To add an object, specify the path to the object and/or the checksum of the object.

    To specify a path to an object, select Use path and enter the path to the object.

    To specify an object checksum, select the SHA256 or MD5 option and enter the object checksum.

  6. Click OK.

    The created rule is added to the list of rules in the Execution prevention for objects settings block.
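The following pre-flight check of a draft rule, run before the values are typed into the rule window in steps 2 to 5, is an added example and not part of the Kaspersky documentation or product. The dict layout and the function names are assumptions made for this example; the object types and checksum options are the ones listed in the procedure.

```python
import hashlib
import re

# Object types from the Type drop-down list and the two checksum options.
RULE_TYPES = {"Executable file", "Script", "Office application files"}
DIGEST_LEN = {"SHA256": 64, "MD5": 32}  # hex characters per digest


def file_checksums(path, chunk_size=1 << 20):
    """Hash a file once, in chunks, with both algorithms the rule accepts."""
    digests = {"SHA256": hashlib.sha256(), "MD5": hashlib.md5()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def normalize_checksum(algorithm, value):
    """Drop whitespace, lowercase, and verify length and hex alphabet."""
    if algorithm not in DIGEST_LEN:
        raise ValueError(f"unsupported checksum option: {algorithm}")
    cleaned = "".join(value.split()).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[algorithm], cleaned):
        raise ValueError(f"not a valid {algorithm} checksum: {value!r}")
    return cleaned


def check_rule(rule, sample_path=None):
    """Return a list of problems found in a draft rule (hypothetical dict)."""
    problems = []
    if not rule.get("name", "").strip():
        problems.append("rule name is empty")
    if rule.get("type") not in RULE_TYPES:
        problems.append(f"unknown object type: {rule.get('type')!r}")
    if not rule.get("path") and not rule.get("checksum"):
        problems.append("neither a path nor a checksum is specified")
    if rule.get("checksum"):
        algorithm, value = rule["checksum"]
        try:
            digest = normalize_checksum(algorithm, value)
        except ValueError as exc:
            problems.append(str(exc))
        else:
            # Optional: confirm the checksum really belongs to the sample file.
            if sample_path and file_checksums(sample_path)[algorithm] != digest:
                problems.append("checksum does not match the sample file")
    return problems
```

A checksum criterion matches only byte-identical copies of the object, so a single changed byte yields a different SHA256 or MD5 value and the rule no longer applies to that file.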
