Configuring execution prevention

March 5, 2024

ID 231822

You can define settings according to which Kaspersky Endpoint Security for Windows prevents the execution of certain objects (executable files and scripts) or the opening of Microsoft Office documents on your users' devices.

Later, when analyzing Endpoint Detection and Response alerts, you may want to add a detected object to the list of execution prevention rules, to prevent it from being executed in the future on the same and other devices.

Execution prevention has the following limitations:

  • Prevention rules do not cover files on CDs, DVDs, or in ISO images. Kaspersky Endpoint Security for Windows does not block the execution or opening of these files.
  • It is impossible to block the startup of a system-critical object (SCO). SCOs are files that the operating system and Kaspersky Endpoint Security for Windows require to be able to run.
  • You can add up to 1000 execution prevention rules.

To configure execution prevention:

  1. Open Kaspersky Endpoint Security Cloud Management Console.
  2. Select the Security management → Endpoint Detection and Response section.
  3. Click Response settings → Execution prevention.
  4. Switch the toggle button to Execution prevention is enabled.
  5. Under Action, select the action to be taken when the user tries to execute or open one of the specified unwanted objects:
    • Block and add to Event log (by default)

      The information about the detection is added to the Event log. The execution or opening of the object is blocked.

    • Add to Event log only

      The information about the detection is added to the Event log. No other actions are taken.

  6. Under Execution prevention rules, specify the list of objects that are controlled by Execution prevention.

    Do any of the following:

    • To add an execution prevention rule:
      1. Click the Add button.
      2. In the Add an execution prevention rule window that opens, define the rule settings, as described later in this section.
      3. Click Save to close the Add an execution prevention rule window.
    • To enable or disable an added execution prevention rule, switch the toggle button next to that rule to the desired state:
      • If the toggle button is green, the rule is enabled. The execution or opening of the object specified in the rule settings is detected.

        By default, a newly added rule is enabled.

      • If the toggle button is gray, the rule is disabled. The execution or opening of the object specified in the rule settings is ignored.
    • To edit an added execution prevention rule:
      1. Select the check box next to the required rule.
      2. Click the Modify button.
      3. In the Edit an execution prevention rule window that opens, define the new settings of the rule, as described later in this section.
      4. Click Save to close the Edit an execution prevention rule window.
    • To delete execution prevention rules that were added:
      1. Select the check boxes next to the required rules.
      2. Click the Delete button.
  7. Click Save to save the changes.

The list of execution prevention rules is updated.

To define the settings of an execution prevention rule:

  1. Start adding or editing a rule, as described earlier in this section.
  2. In the Rule name field, enter the name of the rule.
  3. Select the criteria according to which you want to specify the required object.

    You can specify either of the following criteria:

    • Path to object

      If you want to specify the object by its path, select Use in the list, and then enter the full path to the object.

    • Object checksum

      If you want to specify the object by its MD5 or SHA256 checksum, select MD5 or SHA256 in the list, and then enter the checksum value (hexadecimal digest).

    If you specify both criteria, the rule will be applied to objects that match both of them simultaneously.

  4. Click Save to save the changes.

The defined settings are saved.
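The rule semantics described above (an action that either blocks or only logs, and rules matched by path, by MD5/SHA256 checksum, or by both criteria at once) as an added Python example. This is not Kaspersky's code and does not call any Kaspersky API: it computes the digests you would paste into a checksum rule and models how the documented criteria combine, so you can predict which rule will fire before saving it. The rule names, the sample script content and its path are constructed; the case-insensitive path comparison and the requirement that a rule carry at least one criterion are assumptions, not statements from this page.

```python
# Added example (not Kaspersky's code): a model of how the documented
# Execution prevention rules are evaluated, plus the checksum computation you
# need when pasting an object's MD5 or SHA256 digest into a rule.
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RULES = 1000  # documented limit on the number of execution prevention rules

BLOCK_AND_LOG = "Block and add to Event log"  # default action in the console
LOG_ONLY = "Add to Event log only"


@dataclass
class Rule:
    name: str
    path: Optional[str] = None           # "Path to object" criterion
    checksum_type: Optional[str] = None  # "MD5" or "SHA256"
    checksum: Optional[str] = None       # hex digest entered in the console
    enabled: bool = True                 # a newly added rule is enabled


def object_checksums(data: bytes) -> dict:
    """MD5 and SHA256 hex digests of an object's content (both accepted by the console)."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def rule_matches(rule: Rule, path: str, data: bytes) -> bool:
    """True if an enabled rule's criteria all match the object.

    Documented semantics: a rule may use path, checksum, or both; when both are
    set the object must match both simultaneously. A disabled rule is ignored.
    """
    if not rule.enabled:
        return False
    if rule.path is None and rule.checksum is None:
        # Assumption: the console does not accept a rule with no criterion.
        raise ValueError(f"rule {rule.name!r} needs a path or a checksum")
    if rule.path is not None:
        # Assumption: paths compare case-insensitively, as NTFS does.
        if rule.path.lower() != path.lower():
            return False
    if rule.checksum is not None:
        if rule.checksum_type not in ("MD5", "SHA256"):
            raise ValueError(f"rule {rule.name!r}: checksum type must be MD5 or SHA256")
        if object_checksums(data)[rule.checksum_type].lower() != rule.checksum.lower():
            return False
    return True


def evaluate(rules: List[Rule], path: str, data: bytes,
             action: str = BLOCK_AND_LOG) -> Tuple[str, List[str]]:
    """Return (verdict, names of matching rules) for one execution attempt.

    verdict is "allow" when nothing matches, "log" under "Add to Event log only"
    (the detection is recorded but the object still runs), or "block".
    """
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} execution prevention rules are supported")
    hits = [r.name for r in rules if rule_matches(r, path, data)]
    if not hits:
        return "allow", hits
    return ("log" if action == LOG_ONLY else "block"), hits


# Constructed sample: a dropper script an analyst wants to stop on all devices.
SAMPLE_PATH = r"C:\Users\Public\update.cmd"
SAMPLE_DATA = b"@echo off\r\nwhoami /all\r\n"
SAMPLE_SHA256 = object_checksums(SAMPLE_DATA)["SHA256"]

RULES = [
    Rule("update.cmd by path", path=SAMPLE_PATH),
    Rule("update.cmd by hash", checksum_type="SHA256", checksum=SAMPLE_SHA256),
    # Both criteria set: the path differs, so this rule must NOT match the sample.
    Rule("renamed copy", path=r"C:\Temp\other.cmd",
         checksum_type="SHA256", checksum=SAMPLE_SHA256),
    Rule("disabled rule", path=SAMPLE_PATH, enabled=False),
]

if __name__ == "__main__":
    print("SHA256 to paste into the rule:", SAMPLE_SHA256)
    print(evaluate(RULES, SAMPLE_PATH, SAMPLE_DATA))
    print(evaluate(RULES, SAMPLE_PATH, SAMPLE_DATA, action=LOG_ONLY))
    # The same content copied elsewhere is caught by the hash rule only.
    print(evaluate(RULES, r"D:\x\a.cmd", SAMPLE_DATA))
```

The third rule illustrates the "both criteria" behaviour: even though its checksum matches the sample, the mismatching path means it does not fire. That is the trade-off to weigh when writing a rule: a path-only rule is defeated by moving or renaming the object, a checksum-only rule by any change to its content, and a rule with both criteria is the narrowest of the three. On a Windows endpoint the same digests can be obtained with `Get-FileHash -Algorithm SHA256 <file>` (or `-Algorithm MD5`) in PowerShell.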
