Kaspersky Anti Targeted Attack Platform

Managing policies (prevention rules)

When working in the program web interface, users with the Senior security officer role can manage prevention rules for files and processes on selected hosts. For example, you can prevent the running of programs that you consider unsafe to use on the selected host with Kaspersky Endpoint Agent. The program identifies files based on their hash by using the MD5 and SHA256 hashing algorithms. You can create, enable, disable, delete, and modify prevention rules. Additionally, you can click the link with the name of the hashing algorithm in the prevention rule table to find objects, events, or alerts that have triggered prevention rules, such as Find events, Find alerts, Find on TIP, or Find on virustotal.com.

In distributed solution and multitenancy mode, prevention rules can have the following types:

  • Global—Created on the PCN. These prevention rules apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
  • Local—Created on the SCN server. These prevention rules apply only to hosts that are connected to this SCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.

Users with the Senior security officer role can create, edit, delete, enable, disable, and import prevention rules for tenants to whose data they have access.

Users with the Security officer role do not have access to policies.

Users with the Security auditor role can view the table of file run prevention rules and process run prevention rules, as well as information about the selected prevention rule, but they cannot edit the rules.

All changes to prevention rules are applied on hosts after an authorized connection is established with the selected hosts. If there is no connection with the hosts, the old prevention rules continue to be applied on the hosts. Changes to prevention rules do not affect processes that are already running.

Prevention rules can be created automatically based on preset policies (hereinafter also "presets") added by default. With presets turned on, a prevention rule is created based on a medium or high severity alert of the Sandbox component. The prevention rule thus created prevents running the file based on its MD5 hash. Users with the Senior security officer role can enable and disable presets.

Presets are not supported in distributed solution and multitenancy mode.

The same operations can be applied to automatically created or imported prevention rules as for manually created rules.

You can create only one prevention rule for each file hash.

The maximum supported number of prevention rules in the system is 50,000.

Prevention rules are enforced only when Kaspersky Endpoint Agent is running on the host. If an attempt is made to run a file before Kaspersky Endpoint Agent is started or after Kaspersky Endpoint Agent is shut down on a host, the file is not blocked from running.

You can manage file and process running prevention rules on selected hosts using policies if Kaspersky Endpoint Agent is integrated with the Central Node server; to do so, you must use the web interface of Kaspersky Anti Targeted Attack Platform.

In this section

Viewing the prevention rule table

Configuring prevention rule table display

Viewing a prevention rule

Creating a prevention rule

Importing prevention rules

Enabling and disabling a prevention rule

Enabling and disabling presets

Deleting prevention rules

Filtering prevention rules by name

Filtering prevention rules by type

Filtering prevention rules by file hash

Filtering prevention rules by server name

Clearing a prevention rule filter

[Topic 194906]

Viewing the prevention rule table

The table of prevention rules is in the Prevention section of the program web interface window.

The table contains the following information:

  1. Type is the type of the rule depending on the program operating mode and the role of the server on which the rule was created:
    • Global—Created on the PCN. These prevention rules apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
    • Local—Created on the SCN server. These prevention rules apply only to hosts that are connected to this SCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
  2. Name is the name of the prevention rule.
  3. Servers are names of servers with the PCN or SCN role to which the prevention rule applies.

    This field is displayed only when you are using the distributed solution and multitenancy mode.

  4. Hosts is the name of the server with the Central Node component to whose hosts the prevention rule is applied.

    This field is displayed only when you are using a standalone Central Node server.

  5. File hash—Hashing algorithm applied to identify a file.

    A file can be identified based on one of the following hashing algorithms:

    • MD5.
    • SHA256.

    Clicking the link with the name of the hashing algorithm opens a list in which you can view the file hash and select one of the following actions:

    • Add to filter.
    • Exclude from filter.
    • Find on TIP.
    • Find on virustotal.com (for SHA256).
    • Find events.

      When this action is performed, the Threat Hunting section opens with events that are already filtered based on the hash you selected.

    • Find alerts.

      When this action is performed, the Alerts section opens with alerts that are already filtered based on the hash you selected.

    • Enable prevention rule.
    • Disable prevention rule.
    • Delete prevention rule.
    • Copy value to clipboard.
  6. State is the current state of the prevention rule.

    A prevention rule can have one of the following states:

    • Enabled
    • Disabled

See also

Managing policies (prevention rules)

Configuring prevention rule table display

Viewing a prevention rule

Creating a prevention rule

Importing prevention rules

Enabling and disabling a prevention rule

Enabling and disabling presets

Deleting prevention rules

Filtering prevention rules by name

Filtering prevention rules by type

Filtering prevention rules by file hash

Filtering prevention rules by server name

Clearing a prevention rule filter

[Topic 196523]

Configuring prevention rule table display

You can show or hide columns and change the order of columns in the prevention rule table.

To configure prevention rule table display:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. In the heading part of the table, click the table customization icon.

    This opens the Customize table window.

  3. If you want to show a column in the table, select the check box next to the name of the parameter that you want displayed in the table.

    If you want to hide a parameter in the table, clear the check box.

    At least one check box must be selected.

  4. If you want to change the order of columns in the table, move the mouse cursor to the row with the relevant parameter, click the column order icon and move the row to its new place.
  5. If you want to restore default table display settings, click Default.
  6. Click Apply.

The prevention rule table display is configured.

[Topic 215531]

Viewing a prevention rule

To view a prevention rule:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. Select the prevention rule that you want to view.

A prevention rule contains the following information:

  • The Events link opens the Threat Hunting section with the search condition containing your selected prevention rule.
  • State is the current state of the prevention rule.

    A prevention rule can have one of the following states:

    • Enabled
    • Disabled
  • The Details tab contains the following information:
    • MD5/SHA256 is the hash of the file prevented from running.

      Clicking the MD5/SHA256 link opens a list in which you can select one of the available actions.

    • Name is the name of the prevention rule or file prevented from running.
    • Type is the type of the rule depending on the program operating mode and the role of the server on which the rule was created:
      • Global—Created on the PCN. These prevention rules apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
      • Local—Created on the SCN server. These prevention rules apply only to hosts that are connected to this SCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
    • Notification is the state of the Notify user about blocking file execution setting.
    • Prevent on is the list of hosts on which the prevention rule is applied.

      If the prevention is in effect on all hosts, the All hosts section is displayed.

  • The Change log tab contains a list of changes made to the prevention: time of the change, name of the user that changed the prevention, and actions taken on the prevention.

[Topic 176015]

Creating a prevention rule

To create a prevention rule:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. Click Add.
  3. Select Create rule.

    This opens the prevention rule creation window.

  4. Configure the following settings:
    1. State is the state of the prevention rule:
      • If you want to enable the prevention rule, set the toggle switch to On.
      • If you want to disable the prevention rule, set the toggle switch to Off.
    2. MD5/SHA256 is the MD5 or SHA256 hash of the file that you want to prevent from starting.
    3. Name is the name of the prevention rule.
    4. If you want the program to display a notification about prevention rule triggering to the user of the computer on which the prevention is applied, select the Notify user about blocking file execution check box.

      If you selected the Notify user about blocking file execution check box and an attempt is made to execute a file prevented from running, the user is notified that an execution prevention rule was triggered by this file.

    5. Prevent on is the prevention rule scope:
      • If you want to apply the prevention rule on all hosts of all servers, select All hosts.
      • If you want to apply the prevention rule on selected servers, select the Specified servers option and on the right of the Servers parameter name select the check boxes next to the names of the servers on which you want to apply the prevention rule.

        This option is available only when distributed solution and multitenancy mode is enabled.

      • If you want to apply the prevention rule on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.

      Prevention rules cannot be created for hosts with the Kaspersky Endpoint Agent for Linux program. If you select a host with Kaspersky Endpoint Agent for Linux, or all hosts, as the scope of the rule, the rule is not applied on the Linux hosts; it is applied only to hosts with Kaspersky Endpoint Agent for Windows.

  5. Click Add.

The file run prevention rule is created.

You can also import prevention rules.

Users with the Security auditor role cannot create file launch prevention rules.

Users with the Security officer role cannot access prevention rules.

[Topic 175833]

Importing prevention rules

You can import a file with MD5 and SHA256 hashes for files that you want to prevent from running. For each hash, Kaspersky Anti Targeted Attack Platform creates a separate prevention rule.

The maximum size of the imported file is 10 MB. Only one hash per line is allowed.

To import prevention rules:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. Click Add.
  3. Select Import rules.

    This opens the prevention rule import window.

  4. Configure the following settings:
    1. State is the state of the prevention rule:
      • If you want to enable all imported prevention rules, set the toggle switch to On.
      • If you want to disable all imported prevention rules, set the toggle switch to Off.
    2. If you want the program to display a notification about prevention rules triggering to the user of the computer on which the prevention is applied, select the Notify user about blocking file execution check box.

    The Prevent on field cannot be edited. By default, prevention rules created on a PCN server are applied on all hosts connected to that PCN server and all SCN servers connected to that PCN server (if you are using the distributed solution and multitenancy mode).

  5. Click Browse to upload the file containing hashes of files for which you want to create prevention rules.

    This opens the file selection window.

  6. Select the file that you want to upload and click Open.

    This closes the file selection window.

  7. Click Add.

The rules are imported.

Users with the Security auditor role cannot import file launch prevention rules.

Users with the Security officer role cannot access prevention rules.
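The platform identifies files by their MD5 or SHA256 hash, and the import described above expects a plain file with one hash per line, at most 10 MB in size, with a single prevention rule per hash and a system-wide limit of 50,000 rules. The following script is an added example, not Kaspersky code, that prepares such a file before upload: it computes the two hashes for a file on disk, validates each candidate line, lower-cases and de-duplicates hashes, and warns when the result would exceed the stated limits. Its treatment of blank lines and `#` comments, and the lower-casing of hashes, are assumptions of this script, not documented import behaviour; the sample hash list is constructed.

```python
"""Prepare a hash list for import as prevention rules.

Added example; this is not Kaspersky code. It encodes the import constraints
the documentation states (one MD5 or SHA256 hash per line, a 10 MB file limit,
one prevention rule per hash, at most 50,000 rules) and adds its own assumed
conventions: blank lines and '#' comments are skipped, hashes are lower-cased.
"""
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MAX_FILE_BYTES = 10 * 1024 * 1024  # import file limit stated in the documentation
MAX_RULES = 50_000                 # system-wide rule limit stated in the documentation


def hash_bytes(data):
    """Return (md5, sha256) hex digests, the two algorithms the platform keys rules on."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def file_hashes(path, chunk_size=1 << 20):
    """Return (md5, sha256) of a file on disk, hashing it in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify(token):
    """Return 'MD5', 'SHA256' or None for one candidate hash (case-insensitive)."""
    h = token.strip().lower()
    if MD5_RE.match(h):
        return "MD5"
    if SHA256_RE.match(h):
        return "SHA256"
    return None


def render_import_file(accepted):
    """Serialize accepted hashes in the one-hash-per-line format the import expects."""
    return "".join(h + "\n" for h in accepted)


def normalize_hash_list(lines, existing_rules=0):
    """Validate candidate lines for import.

    Returns (accepted, rejected, warnings):
      accepted - unique lower-case hashes in first-seen order (one rule per hash)
      rejected - (line_no, text, reason) for lines that would not import cleanly
      warnings - limits the resulting import would exceed
    """
    accepted, seen, rejected, warnings = [], set(), [], []
    for line_no, raw in enumerate(lines, start=1):
        text = raw.strip()
        if not text or text.startswith("#"):  # assumption: blank and comment lines are skipped
            continue
        if len(text.split()) != 1:
            rejected.append((line_no, text, "only one hash per line is allowed"))
            continue
        h = text.lower()
        if classify(h) is None:
            rejected.append((line_no, text, "not a 32-hex MD5 or 64-hex SHA256 value"))
            continue
        if h in seen:
            rejected.append((line_no, text, "duplicate; only one prevention rule per hash"))
            continue
        seen.add(h)
        accepted.append(h)
    if existing_rules + len(accepted) > MAX_RULES:
        warnings.append(f"{existing_rules + len(accepted)} rules would exceed the limit of {MAX_RULES}")
    if len(render_import_file(accepted).encode()) > MAX_FILE_BYTES:
        warnings.append("import file would exceed 10 MB; split it into several files")
    return accepted, rejected, warnings


# Constructed sample input: the MD5 and SHA256 of empty input, one duplicate,
# one comment, one malformed value and one line carrying two hashes.
SAMPLE_LINES = [
    "# hashes collected from Sandbox alerts (constructed sample)",
    "D41D8CD98F00B204E9800998ECF8427E",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "",
    "d41d8cd98f00b204e9800998ecf8427e",
    "not-a-hash",
    "d41d8cd98f00b204e9800998ecf8427e e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

if __name__ == "__main__":
    ok, bad, warn = normalize_hash_list(SAMPLE_LINES)
    print(render_import_file(ok), end="")
    for line_no, text, reason in bad:
        print(f"line {line_no}: {reason}: {text}")
    for w in warn:
        print("warning:", w)
```

Pass `existing_rules` as the number of rules already present on the server so the 50,000 limit is checked against the total rather than the file alone; rejected lines are reported with their line number so the source list can be corrected rather than silently trimmed.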

[Topic 227044]

Enabling and disabling a prevention rule

To enable or disable a prevention rule:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. In the row containing the prevention rule that you want to enable or disable, in the State column, perform one of the following actions:
    • If you want to enable the prevention rule, set the toggle switch to Enabled.

      The prevention rule you selected will be enabled.

    • If you want to disable the prevention rule, set the toggle switch to Disabled.

      The prevention rule you selected will be disabled.

Users with the Security auditor role cannot enable or disable prevention rules.

Users with the Security officer role do not have access to the prevention rules for launching files and processes on selected hosts using policies.

[Topic 176016]

Enabling and disabling presets

To enable or disable presets:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. Select the Presets tab.
  3. In the row of the preset that you want to enable or disable, in the State column, set the toggle switch to Enabled or Disabled.

The preset is enabled or disabled. Disabling a preset does not remove the prevention rules that it previously created automatically.

[Topic 201960]

Deleting prevention rules

You can delete a single prevention rule or multiple prevention rules, or all prevention rules at the same time.

To delete a single prevention rule:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. Click the prevention rule that you want to delete.

    This opens the prevention rule details window.

  3. Click Delete.

    This opens the action confirmation window.

  4. Click Yes.

The prevention rule will be deleted.

To delete all or multiple prevention rules:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. Select check boxes next to prevention rules that you want to delete.

    You can select all prevention rules by selecting the check box in the row containing the headers of columns.

  3. In the pane that appears in the lower part of the window, click Delete.

    This opens the action confirmation window.

  4. Click Yes.

The selected prevention rules are deleted.

Users with the Security auditor role cannot delete prevention rules.

Users with the Security officer role do not have access to the prevention rules for launching files and processes on selected hosts using policies.

[Topic 199211]

Filtering prevention rules by name

To filter prevention rules by name:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. Click the Name link to open the prevention filtering menu.
  3. In the drop-down list, select one of the following prevention filtering operators:
    • Contains
    • Does not contain
  4. In the text box, enter one or more characters of the prevention rule name.
  5. To add a filter condition using a different criterion, click the add filter icon and specify the filter condition.
  6. Click Apply.

The prevention rules table displays only the prevention rules that match the filter criteria you have set.

You can use multiple filters at the same time.

[Topic 154247]

Filtering prevention rules by type

If you are using distributed solution and multitenancy mode, you can filter prevention rules by their type.

To filter prevention rules by type:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. Click the Type link to open the prevention rule filtering menu.
  3. Select one of the following options for displaying prevention rules:
    • All, if you want to display all prevention rules regardless of their type.
    • Global, if you want to display only the prevention rules that were created on the PCN. These prevention rules apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
    • Local, if you want to display only prevention rules that were created on a SCN server. These prevention rules apply only to hosts that are connected to this SCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.

The prevention rules table displays only the prevention rules that match the filter criteria you have set.

You can use multiple filters at the same time.

[Topic 183670]

Filtering prevention rules by file hash

To filter prevention rules by file hash:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. Click the File hash link to open the prevention rule filtering menu.
  3. In the drop-down list, select one of the following prevention filtering operators:
    • Contains
    • Does not contain
  4. In the entry field, specify one or several characters of the file hash.
  5. To add a filter condition using a different criterion, click the add filter icon and specify the filter condition.
  6. Click Apply.

The prevention rules table displays only the prevention rules that match the filter criteria you have set.

You can use multiple filters at the same time.

[Topic 154248]

Filtering prevention rules by server name

If you are using the distributed solution and multitenancy mode, you can filter prevention rules based on the servers to which the prevention rules apply.

To filter prevention rules by server name:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. Click the Servers link to open the prevention rule filtering menu.
  3. Select the check boxes next to those servers by which you want to filter the prevention rules.
  4. Click Apply.

The prevention rules table displays only the prevention rules that match the filter criteria you have set.

You can use multiple filters at the same time.

[Topic 176017]

Clearing a prevention rule filter

To clear the prevention rule filter for one or more filtering criteria:

  1. Select the Prevention section in the program web interface window.

    This opens the prevention rule table.

  2. Click the clear filter icon to the right of the header of the column of the prevention rule table for which you want to clear the filter conditions.

    If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.

The selected filters are cleared.

The prevention rules table displays only the prevention rules that match the filter criteria that remain set.

[Topic 183580]