Execution prevention

Execution prevention allows managing the running of executable files and scripts, as well as opening office format files. In this way, you can, for example, prevent the execution of applications that you consider insecure. As a result, the spreading of the threat can be stopped. Execution prevention supports a set of office file extensions and a set of script interpreters.

Execution prevention rule

Execution prevention manages user access to files with execution prevention rules. Execution prevention rule is a set of criteria that the application takes into account when reacting to an object execution, for example when blocking object execution. The application identifies files by their paths or checksums calculated using MD5 and SHA256 hashing algorithms.

You can create Execution prevention rules:

• In alert details (only for EDR Optimum).

  Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details include, for example, the history of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help and the Kaspersky Endpoint Detection and Response Expert Help.

• Using a group policy or local application settings.

  You must enter the file path or hash (SHA256 or MD5), or both the file path and the file hash.

You can also manage Execution prevention locally using the command line.

Execution prevention has the following limitations:

1. Prevention rules do not cover files on CDs or in ISO images. The application does not block execution or opening of these files.
2. It is impossible to block the startup of system-critical objects (SCO). SCOs are files that the operating system and the Kaspersky Endpoint Security for Windows application require to be able to run.
3. It is not recommended to create more than 5000 run prevention rules, as this can cause system instability.

Execution prevention rule modes

The Execution prevention component can work in two modes:

• Statistics only

  In this mode, Kaspersky Endpoint Security publishes an event about attempts to run executable objects or open documents that match prevention rule criteria to the Windows event log and Kaspersky Security Center, but does not block the attempt to run or open the object or document. This mode is selected by default.

• Active

  In this mode, the application blocks the execution of objects or opening of documents that match prevention rule criteria. The application also publishes an event about attempts to execute objects or open documents to the Windows event log and Kaspersky Security Center event log.

Managing Execution prevention

You can configure the component settings only in the Web Console.

To prevent execution:

1. In the main window of the Web Console, select Devices → Policies & Profiles.
2. Click the name of the Kaspersky Endpoint Security policy.

   The policy properties window opens.

3. Select the Application settings tab.
4. Go to Detection and Response → Endpoint Detection and Response.
5. Turn on the Execution Prevention ENABLED toggle.
6. In the Action on execution or opening of forbidden object block, select the component operating mode:
   • Block and write to report. In this mode, the application blocks the execution of objects or opening of documents that match prevention rule criteria. The application also publishes an event about attempts to execute objects or open documents to the Windows event log and Kaspersky Security Center event log.
   • Log events only. In this mode, Kaspersky Endpoint Security publishes an event about attempts to run executable objects or open documents that match prevention rule criteria to the Windows event log and Kaspersky Security Center, but does not block the attempt to run or open the object or document. This mode is selected by default.
7. Create a list of execution prevention rules:
   1. Click Add.
   2. This opens a window; in this window, enter the name of the execution prevention rule (for example, Application A).
   3. In the Type drop-down list, select the object that you want to block: Executable file, Script, Microsoft Office document.

      If you select a wrong object type, Kaspersky Endpoint Security does not block the file or script.

   4. To add the file, you must enter the hash of the file (SHA256 or MD5), the full path to the file, or both the hash and the path.

      If the file is located on a network drive, enter the file path starting with \\, and not the drive letter. For example, \\server\shared_folder\file.exe. If the file path contains a network drive letter, Kaspersky Endpoint Security does not block the file or script.

      Execution prevention supports a set of office file extensions and a set of script interpreters.

   5. Click OK.
8. Save your changes.

As a result, Kaspersky Endpoint Security blocks the execution of objects: running executable files and scripts, opening office format files. You can, however, for example, open a script file in a text editor even if running the script is prevented. When blocking the execution of an object, Kaspersky Endpoint Security displays a standard notification (see figure below) if notifications are enabled in application settings.

Execution prevention notification

Page top