Execution prevention
Execution prevention controls the running of executable files and scripts, as well as the opening of office format files. This lets you, for example, block applications that you consider insecure and so stop a threat from spreading. Execution prevention supports a set of office file extensions and a set of script interpreters.
Execution prevention supports the following script interpreters:
- AutoHotkey.exe
- AutoHotkeyA32.exe
- AutoHotkeyA64.exe
- AutoHotkeyU32.exe
- AutoHotkeyU64.exe
- InstallUtil.exe
- RegAsm.exe
- RegSvcs.exe
- autoit.exe
- cmd.exe
- control.exe
- cscript.exe
- hh.exe
- mmc.exe
- msbuild.exe
- mshta.exe
- msiexec.exe
- perl.exe
- powershell.exe
- python.exe
- reg.exe
- regedit.exe
- regedt32.exe
- regsvr32.exe
- ruby.exe
- rubyw.exe
- rundll32.exe
- runlegacycplelevated.exe
- wscript.exe
- wwahost.exe
Execution prevention supports working with Java applications in the Java runtime environment (java.exe and javaw.exe processes).
Kaspersky Industrial CyberSecurity for Nodes supports preventing the opening of office format files in certain applications. The information about supported file extensions and applications is listed in the following table.
Supported file extensions for Execution prevention

Application name | Executable file | File extension
--- | --- | ---
Microsoft Word | winword.exe | rtf, doc, dot, docm, docx, dotx, dotm, docb
WordPad | wordpad.exe | docx, rtf
Microsoft Excel | excel.exe | xls, xlt, xlm, xlsx, xlsm, xltx, xltm, xlsb, xla, xlam, xll, xlw
Microsoft PowerPoint | powerpnt.exe | ppt, pot, pps, pptx, pptm, potx, potm, ppam, ppsx, ppsm, sldx, sldm
Adobe Acrobat | acrord32.exe | pdf
Foxit PDF Reader | FoxitReader.exe | pdf
STDU Viewer | STDUViewerApp.exe | pdf
Microsoft Edge | MicrosoftEdge.exe | pdf
Google Chrome | chrome.exe | pdf
Mozilla Firefox | firefox.exe | pdf
Yandex Browser | browser.exe | pdf
Tor Browser | tor.exe | pdf
Execution prevention rule
Execution prevention manages user access to files with execution prevention rules. An Execution prevention rule is a set of criteria that the application takes into account when reacting to an object execution, for example when blocking object execution. The application identifies files by their paths or by checksums calculated using the MD5 and SHA256 hashing algorithms.
You can create Execution prevention rules in the Kaspersky Security Center Web Console (see Managing Execution prevention below).
You can also manage Execution prevention locally using the command line. The KAVSHELL prevention command disables the Execution prevention component or displays the current settings of the component, including the list of execution prevention rules.
To run the command, go to the folder where the kavshell.exe executable file is located. You can also add the executable file path to the %PATH% system variable and run the command without navigating to the application folder.
Command syntax
KAVSHELL prevention [/disable] [/show] [/login:<name of the current user account>] [/pwd:</login password or KLAdmin password if /login is not specified>]
Upon executing the KAVSHELL prevention /show command, you will get the following response:
prevention.enable=true|false
prevention.mode=audit|prevent
prevention.rules
id: <rule ID>
target: script|process|document
md5: <MD5 hash of the file>
sha256: <SHA256 hash of the file>
pattern: <path to the object>
case-sensitive: true|false
Command return values:
- -1: The command is not supported by the version of the application that is installed on the computer.
- 0: The command completed successfully.
- 1: A mandatory argument was not passed to the command.
- 2: General error.
- 4: Syntax error.
- 9: Wrong operation (for example, an attempt to disable the component when it is already disabled).
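The KAVSHELL prevention /show output above is what you would collect from each node when auditing a fleet. The following parser and audit routine is an added example for this page, not Kaspersky code: it turns that output into rule records, interprets the documented return values, and flags the configurations a reviewer would question (component disabled, audit mode, rules with neither hash nor path, more than 5000 rules). It assumes each rule block begins with its id: line and that empty md5, sha256 and pattern fields are printed with an empty value; the sample output, including its hash, is constructed.

```python
"""Parse and audit the output of `KAVSHELL prevention /show`.

Added example for this page; not Kaspersky code. Assumes the layout shown on
the page: prevention.enable= and prevention.mode= lines, a prevention.rules
header, then one `key: value` block per rule. That every block starts with its
`id:` line, and that empty fields are printed with an empty value, are
assumptions of this example. SAMPLE_OUTPUT is constructed, not captured.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Documented return values of the KAVSHELL prevention command.
RETURN_CODES = {
    -1: "command not supported by the installed application version",
    0: "command completed successfully",
    1: "a mandatory argument was not passed",
    2: "general error",
    4: "syntax error",
    9: "wrong operation (for example, disabling an already disabled component)",
}

MAX_RECOMMENDED_RULES = 5000  # documented limit; more can cause instability


@dataclass
class PreventionRule:
    id: str
    target: str                     # script | process | document
    md5: Optional[str] = None
    sha256: Optional[str] = None
    pattern: Optional[str] = None   # path the rule matches
    case_sensitive: bool = False


@dataclass
class PreventionState:
    enabled: bool
    mode: str                       # audit (Inform) | prevent (Block)
    rules: List[PreventionRule] = field(default_factory=list)


def describe_return_code(code: int) -> str:
    return RETURN_CODES.get(code, f"undocumented return code {code}")


def parse_show_output(text: str) -> PreventionState:
    enabled, mode = False, ""
    rules: List[PreventionRule] = []
    current: Dict[str, str] = {}

    def flush() -> None:
        # Emit the rule block collected so far, if any.
        if current:
            rules.append(PreventionRule(
                id=current.get("id", ""),
                target=current.get("target", ""),
                md5=current.get("md5") or None,
                sha256=current.get("sha256") or None,
                pattern=current.get("pattern") or None,
                case_sensitive=current.get("case-sensitive", "false") == "true",
            ))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "prevention.rules":
            continue
        if line.startswith("prevention.enable="):
            enabled = line.split("=", 1)[1].strip().lower() == "true"
        elif line.startswith("prevention.mode="):
            mode = line.split("=", 1)[1].strip().lower()
        elif ":" in line:
            # Split on the first colon only: path patterns contain "C:\".
            key, value = (s.strip() for s in line.split(":", 1))
            key = key.lower()
            if key == "id":         # a new rule block begins here
                flush()
                current = {}
            current[key] = value
    flush()
    return PreventionState(enabled=enabled, mode=mode, rules=rules)


def audit(state: PreventionState) -> List[str]:
    """Findings a reviewer would raise about the current configuration."""
    findings: List[str] = []
    if not state.enabled:
        findings.append("component disabled: rules are neither enforced nor logged")
    elif state.mode == "audit":
        findings.append("mode is audit (Inform): matches are logged, nothing is blocked")
    if len(state.rules) > MAX_RECOMMENDED_RULES:
        findings.append(f"{len(state.rules)} rules exceed the recommended {MAX_RECOMMENDED_RULES}")
    for r in state.rules:
        has_hash = bool(r.md5 or r.sha256)
        if not has_hash and not r.pattern:
            findings.append(f"rule {r.id}: no hash and no path, it matches nothing")
        elif not has_hash:
            findings.append(f"rule {r.id}: path-only, a copy of the file at another path is not matched")
        elif not r.pattern:
            findings.append(f"rule {r.id}: hash-only, a modified build of the file is not matched")
    return findings


# Constructed sample in the documented layout (the sha256 value is made up).
SAMPLE_OUTPUT = r"""
prevention.enable=true
prevention.mode=audit
prevention.rules
id: 1
target: script
md5:
sha256:
pattern: \\fileserver\tools\update.vbs
case-sensitive: false
id: 2
target: process
md5:
sha256: 6f4b2d9e0c1a7d3b5e8f2a9c4d1b7e3f0a6c8d2e5b9f1a3c7d4e6b8a0c2d5e7f
pattern:
case-sensitive: false
id: 3
target: document
md5:
sha256:
pattern:
case-sensitive: false
"""

if __name__ == "__main__":
    for finding in audit(parse_show_output(SAMPLE_OUTPUT)):
        print(finding)
```

On a real node, pipe the command output into parse_show_output (for example, `KAVSHELL prevention /show` run from the application folder, captured with subprocess) and check the process return value against describe_return_code before trusting the parse.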
Execution prevention has the following limitations:
- Prevention rules do not cover files on CDs or in ISO images. The application does not block execution or opening of these files.
- It is impossible to block the startup of system-critical objects (SCO). SCOs are files that the operating system and the Kaspersky Industrial CyberSecurity for Nodes application require in order to run.
- It is not recommended to create more than 5000 execution prevention rules, as this can cause system instability.
Execution prevention rule modes
The Execution prevention component can work in two modes (in the Web Console policy they are named Inform and Block; the KAVSHELL prevention /show output reports them as prevention.mode=audit and prevention.mode=prevent):
- Log only (Inform, audit)
In this mode, Kaspersky Industrial CyberSecurity for Nodes publishes an event about attempts to run executable objects or open documents that match prevention rule criteria to the Windows event log and Kaspersky Security Center, but does not block the attempt to run or open the object or document. This mode is selected by default.
- Block and write to report (Block, prevent)
In this mode, the application blocks the execution of objects or opening of documents that match prevention rule criteria. The application also publishes an event about attempts to execute objects or open documents to the Windows event log and the Kaspersky Security Center event log.
Managing Execution prevention
You can configure component settings (the operating mode and the list of rules) only in the Kaspersky Security Center Web Console; the local KAVSHELL prevention command can only disable the component or display its current settings.
How to prevent object execution in the Kaspersky Security Center Web Console
- In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
- Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Telemetry collection servers → Endpoint Detection and Response (Industrial CyberSecurity) and click Configure.
- Select the Enable Execution prevention check box.
- In the Action on execution or opening of forbidden object block, select the component operating mode:
- Block. In this mode, the application blocks the execution of objects or opening of documents that match prevention rule criteria. The application also publishes an event about attempts to execute objects or open documents to the Windows event log and Kaspersky Security Center event log.
- Inform. In this mode, Kaspersky Industrial CyberSecurity for Nodes publishes an event about attempts to run executable objects or open documents that match prevention rule criteria to the Windows event log and Kaspersky Security Center, but does not block the attempt to run or open the object or document. The mode is selected by default.
- Create a list of execution prevention rules:
- Click Add.
- In the window that opens, enter the name of the execution prevention rule.
- In the Type drop-down list, select the object that you want to block: Executable file, Script, Microsoft Office document.
If you select a wrong object type, Kaspersky Industrial CyberSecurity for Nodes does not block the file or script: a rule only matches objects of the type it was created for.
- To add the file, enter the hash of the file (SHA256 or MD5), the full path to the file, or both the hash and the path. A rule that identifies the file only by its path does not match a copy of the same file at another path, and a rule that identifies it only by its hash does not match a modified build of the file.
If the file is located on a network drive, enter the file path starting with \\, and not the drive letter. For example, \\server\shared_folder\file.exe. If the file path contains a network drive letter, Kaspersky Industrial CyberSecurity for Nodes does not block the file or script.
- The object must be one that Execution prevention supports: an executable file, a script run by one of the supported script interpreters, or an office format file opened by one of the applications in the table of supported file extensions (both listed above).
- Click OK.
- Save your changes.
As a result, Kaspersky Industrial CyberSecurity for Nodes blocks the execution of objects: running executable files and scripts, opening office format files. You can, however, for example, open a script file in a text editor even if running the script is prevented. When blocking the execution of an object, Kaspersky Industrial CyberSecurity for Nodes displays a standard notification if notifications are enabled in application settings.
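The rule editor gives no feedback about the two pitfalls the procedure above warns about (a wrong object Type, or a mapped-drive letter for a file on a share), so it pays to check rule definitions before typing them in. The following validator is an added example for this page, not Kaspersky code. The office extensions it knows are the ones in the table above; the Type guess in suggest_type is this example's own heuristic (the page lists script interpreters, not script extensions): `.exe` is an Executable file, a listed office or pdf extension is a Microsoft Office document, anything else is treated as a Script. The script contents and paths are constructed.

```python
"""Sanity-check Execution prevention rule definitions before entering them
in the Web Console.

Added example for this page; not Kaspersky code. OFFICE_EXTENSIONS comes from
the page's table. suggest_type() is a heuristic of this example, and the
sample script and paths are constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_EXTENSIONS = {
    "rtf", "doc", "dot", "docm", "docx", "dotx", "dotm", "docb",
    "xls", "xlt", "xlm", "xlsx", "xlsm", "xltx", "xltm", "xlsb", "xla", "xlam", "xll", "xlw",
    "ppt", "pot", "pps", "pptx", "pptm", "potx", "potm", "ppam", "ppsx", "ppsm", "sldx", "sldm",
    "pdf",
}

# The three values of the Type drop-down list in the rule editor.
TYPE_EXECUTABLE = "Executable file"
TYPE_SCRIPT = "Script"
TYPE_DOCUMENT = "Microsoft Office document"
VALID_TYPES = {TYPE_EXECUTABLE, TYPE_SCRIPT, TYPE_DOCUMENT}

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
UNC_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+")   # \\server\share...
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")        # C:\...


@dataclass
class RuleDefinition:
    name: str
    rule_type: str
    path: Optional[str] = None
    md5: Optional[str] = None
    sha256: Optional[str] = None
    network_location: bool = False   # set when the file lives on a share


def hashes_of(data: bytes) -> Dict[str, str]:
    """Both hashes the rule editor accepts, computed from the file contents."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def suggest_type(path: str) -> str:
    """Heuristic Type for a path (this example's guess, see lead-in)."""
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext == "exe":
        return TYPE_EXECUTABLE
    if ext in OFFICE_EXTENSIONS:
        return TYPE_DOCUMENT
    return TYPE_SCRIPT


def validate(rule: RuleDefinition) -> List[str]:
    """Return the reasons this rule would not do what its author expects."""
    problems: List[str] = []
    if rule.rule_type not in VALID_TYPES:
        problems.append(f"unknown type {rule.rule_type!r}")
    if not (rule.path or rule.md5 or rule.sha256):
        problems.append("no hash and no path: the rule cannot match anything")
    if rule.md5 and not MD5_RE.match(rule.md5):
        problems.append("md5 is not 32 hex digits")
    if rule.sha256 and not SHA256_RE.match(rule.sha256):
        problems.append("sha256 is not 64 hex digits")
    if rule.path:
        if rule.network_location and not UNC_RE.match(rule.path):
            # Documented pitfall: a mapped-drive letter is not blocked.
            problems.append(r"file on a share must be given as \\server\share\..., not via a drive letter")
        elif not rule.network_location and not (DRIVE_RE.match(rule.path) or UNC_RE.match(rule.path)):
            problems.append("path is neither a drive-letter path nor a UNC path")
        expected = suggest_type(rule.path)
        if rule.rule_type in VALID_TYPES and rule.rule_type != expected:
            # Documented pitfall: a wrong Type means the object is not blocked.
            problems.append(f"type {rule.rule_type!r} does not fit the path (expected {expected!r})")
    return problems


# Constructed contents of the script the example rule is meant to block.
SAMPLE_SCRIPT = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "cmd.exe /c whoami"\r\n'


def example_rules() -> List[RuleDefinition]:
    """A correct rule beside the two mistakes the procedure warns about."""
    unc = r"\\fileserver\tools\update.vbs"
    return [
        RuleDefinition("block update.vbs", TYPE_SCRIPT, path=unc, network_location=True,
                       **hashes_of(SAMPLE_SCRIPT)),
        RuleDefinition("wrong type", TYPE_EXECUTABLE, path=unc, network_location=True),
        RuleDefinition("mapped drive", TYPE_SCRIPT, path=r"Z:\tools\update.vbs",
                       network_location=True),
    ]


if __name__ == "__main__":
    for rule in example_rules():
        print(rule.name, "->", validate(rule) or "ok")
```

Run it against your own draft rule list before opening the Web Console; a rule that passes here still needs the component in Block mode to do anything, which the page's KAVSHELL prevention /show output will tell you.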