Kaspersky Endpoint Security 12 for Mac

Execution prevention

July 2, 2024

ID 276391

Execution prevention lets you control the running of executable files and scripts, and the opening of office-format documents. You can, for example, prevent the execution of applications that you consider unsafe and in that way stop a threat from spreading. Execution prevention supports a set of script interpreters.

Execution prevention rule

Execution prevention manages user access to files with execution prevention rules. An execution prevention rule is a set of criteria that the application evaluates when it reacts to an attempt to execute an object, for example when blocking that execution. The application identifies files by their paths or by checksums calculated with the MD5 or SHA256 hashing algorithms.

You can create Execution prevention rules:

  • In alert details (only for EDR Optimum).

    Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details include, for example, the history of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help.

  • Using a group policy or local application settings. You must enter the file path, the file hash (SHA256 or MD5), or both the path and the hash.

You can also manage Execution prevention locally using the command line.

Note: It is impossible to block the startup of system-critical objects (SCO). SCOs are files that the operating system and the Kaspersky Endpoint Security for Mac application require to be able to run.

Execution prevention rule modes

The Execution prevention component can work in two modes:

  • Statistics only (shown as Log events only in the Web Console)

    In this mode, Kaspersky Endpoint Security publishes an event about attempts to run executable objects or open documents that match prevention rule criteria to the Kaspersky Security Center event log and the unified logging system, but does not block the attempt to run or open the object or document. This mode is selected by default.

  • Active (shown as Block and write to report in the Web Console)

    In this mode, the application blocks the execution of objects or opening of documents that match prevention rule criteria. The application also publishes an event about attempts to execute objects or open documents to the Kaspersky Security Center event log and the unified logging system.

Managing Execution prevention

Important: You can configure the component settings only in the Web Console.

To prevent execution:

  1. In the main window of the Web Console, select Devices > Policies and profiles.
  2. Click the name of the Kaspersky Endpoint Security for Mac policy.

    The policy properties window opens.

  3. Select Application settings tab.
  4. Go to Detection and Response > Endpoint Detection and Response.
  5. Turn on the Execution Prevention ENABLED toggle switch.
  6. In the Action on execution or opening of forbidden object block, select the component operating mode:
    • Block and write to report. In this mode, the application blocks the execution of objects or opening of documents that match prevention rule criteria. The application also publishes an event about attempts to execute objects or open documents to the Kaspersky Security Center event log and the unified logging system.
    • Log events only. In this mode, Kaspersky Endpoint Security publishes an event about attempts to run executable objects or open documents that match prevention rule criteria to the Kaspersky Security Center event log and the unified logging system, but does not block the attempt to run or open the object or document. This mode is selected by default.
  7. Create a list of execution prevention rules:
    1. Click Add.
    2. In the dialog that opens, enter the name of the execution prevention rule (for example, Application A).
    3. In the Type drop-down list, select the object that you want to block: Application, Script, Document.

      If you select the wrong object type, Kaspersky Endpoint Security does not block the file or script even when its path or hash matches.

    4. To add the file, you must enter the hash of the file (SHA256 or MD5), the full path to the file, or both the hash and the path.

    Note: If the file is located on a network drive, enter the file path in the following way: /Volumes/shared_folder_name/filename. If the file path contains a network drive letter, Kaspersky Endpoint Security does not block the file or script.

    5. Click OK.
  8. Save your changes.

As a result, Kaspersky Endpoint Security blocks the execution of objects: running executable files and scripts, opening office format files. You can, however, for example, open a script file in a text editor even if running the script is prevented. When blocking the execution of an object, Kaspersky Endpoint Security displays a standard notification if notifications are enabled in application settings.
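A rule needs a hash, a path, or both, and the path must be absolute (with network shares written as /Volumes/share/file). The following POSIX shell script is an added example, not part of the Kaspersky documentation or of the product's command line: it computes the SHA256 and MD5 values that a rule accepts for a given file and rejects relative or drive-letter-style paths before you paste them into the Web Console. It assumes `openssl` and `awk` are available; the function names are my own.

```shell
#!/bin/sh
# Added example: prepare the fields of an Execution prevention rule
# (path, SHA256, MD5) for one file. Not Kaspersky code.

# Print the hex digest of a file. $1 = algorithm (sha256 or md5), $2 = path.
# openssl is used so the output is the same on macOS and Linux; the digest
# is always the last whitespace-separated field of openssl's output line.
ep_digest() {
    openssl dgst "-$1" "$2" | awk '{ print $NF }'
}

# Return 0 if the path is in a form a rule can match: an absolute path,
# which for a network share means /Volumes/<share>/<file>. Relative paths
# and Windows-style drive-letter paths (Z:\share\file) are rejected,
# because the rule would never match and nothing would be blocked.
ep_path_ok() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Emit the three rule fields for one existing file, or fail with a reason.
ep_rule_fields() {
    f="$1"
    ep_path_ok "$f" || { echo "path not usable in a rule (must be absolute): $f" >&2; return 1; }
    [ -f "$f" ]     || { echo "no such file: $f" >&2; return 1; }
    printf 'path=%s\nsha256=%s\nmd5=%s\n' \
        "$f" "$(ep_digest sha256 "$f")" "$(ep_digest md5 "$f")"
}

# Usage: sh ep_rule_fields.sh /Volumes/share/tool.sh
if [ -n "${1:-}" ]; then
    ep_rule_fields "$1"
fi
```

Enter the printed sha256 or md5 value (or both, together with the path) in the rule dialog; if you add a path as well, note that the rule is then tied to that exact location and a copy of the same binary elsewhere is matched only through its hash.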
