Kaspersky Anti Targeted Attack (KATA) Platform

Managing policies (prevention rules)

8 November 2023

ID 247413

When working in the application web interface, users with the Senior security officer role can manage prevention rules for files and processes on selected hosts. For example, you can prevent the running of applications that you consider unsafe to use on the selected host with the Endpoint Agent component. The application identifies files based on their hash by using the MD5 and SHA256 hashing algorithms. You can create, enable, disable, delete, and modify prevention rules. Additionally, you can click the link with the name of the hashing algorithm in the prevention rule table to find objects, events, or alerts that have triggered prevention rules, using the Find events, Find alerts, Find on TIP, or Find on virustotal.com actions.

In distributed solution and multitenancy mode, prevention rules can have the following types:

  • Global—Created on the PCN. These prevention rules apply to hosts that are connected to this PCN server and to all SCN servers that are connected to this PCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.
  • Local—Created on the SCN server. These prevention rules apply only to hosts that are connected to this SCN server. Prevention rules belong to the tenant which the user is managing in the program web interface.

Users with the Senior security officer role can create, edit, delete, enable, disable, and import prevention rules for tenants to whose data they have access.

Users with the Security officer role do not have access to policies.

Users with the Security auditor role can view the table of file run prevention rules and process run prevention rules, as well as information about the selected prevention rule, but they cannot edit the rules.

All changes to prevention rules are applied on hosts after an authorized connection is established with the selected hosts. If there is no connection with the hosts, the old prevention rules continue to be applied on the hosts. Changes to prevention rules do not affect processes that are already running.

Prevention rules can be created automatically based on preset policies (hereinafter also "presets") added by default. With presets turned on, a prevention rule is created based on a medium or high severity alert of the Sandbox component. The prevention rule thus created prevents running the file based on its MD5 hash. Users with the Senior security officer role can enable and disable presets.

Presets are not supported in distributed solution and multitenancy mode.

The same operations can be applied to automatically created or imported prevention rules as for manually created rules.

You can create only one prevention rule for each file hash.

The maximum supported number of prevention rules in the system is 50,000.

Prevention rules are enforced only if the Endpoint Agent component is running on the host. If an attempt to run a file is made before the component is started or after the component is shut down on a host, the file will not be blocked from running.

You can manage file and process running prevention rules on selected hosts using policies only if the Endpoint Agent component is integrated with the Central Node server; to do so, you must use the web interface of Kaspersky Anti Targeted Attack Platform.

If you are using Kaspersky Endpoint Security for Windows as the Endpoint Agent component, take into account that the application supports blocking the execution of office-format files with certain extensions and of certain script interpreters.
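The following Python model is an added illustration for this page and is not Kaspersky code; it does not mirror the platform's internal design. It models the behaviour the text states: a rule identifies a file by its MD5 or SHA256 hash, only one rule may exist per hash, at most 50,000 rules are supported, a disabled rule blocks nothing, nothing is blocked while the Endpoint Agent is not running, and a preset turns a medium or high severity Sandbox alert into an MD5-based rule. The class and function names, the alert dictionary format, and the sample byte strings are all constructed for the example.

```python
"""Toy model of hash-based run-prevention rules (illustration, not KATA code).

Behaviour modelled from the page: rules keyed by MD5 or SHA256 hash, one rule
per hash, a 50,000-rule limit, disabled rules block nothing, no enforcement
while the Endpoint Agent is down, presets derived from Sandbox alerts.
"""
import hashlib
from dataclasses import dataclass

MAX_RULES = 50_000                        # limit stated on the page
_HEX = set("0123456789abcdef")
_DIGEST_LEN = {"MD5": 32, "SHA256": 64}   # hex digest lengths


@dataclass
class PreventionRule:
    algorithm: str          # "MD5" or "SHA256"
    digest: str             # lowercase hex
    name: str
    enabled: bool = True


class PreventionPolicy:
    """Rule set keyed by (algorithm, digest); enforces one rule per hash."""

    def __init__(self):
        self._rules = {}

    @staticmethod
    def _key(algorithm, digest):
        # Normalise case so "md5"/"MD5" and upper/lower hex refer to one rule.
        algorithm = algorithm.upper()
        digest = digest.strip().lower()
        if algorithm not in _DIGEST_LEN:
            raise ValueError("unsupported hashing algorithm: %s" % algorithm)
        if len(digest) != _DIGEST_LEN[algorithm] or not set(digest) <= _HEX:
            raise ValueError("malformed %s digest" % algorithm)
        return algorithm, digest

    def has_rule(self, algorithm, digest):
        return self._key(algorithm, digest) in self._rules

    def add_rule(self, algorithm, digest, name, enabled=True):
        key = self._key(algorithm, digest)
        if key in self._rules:
            raise ValueError("only one prevention rule is allowed per file hash")
        if len(self._rules) >= MAX_RULES:
            raise RuntimeError("prevention rule limit (%d) reached" % MAX_RULES)
        self._rules[key] = PreventionRule(key[0], key[1], name, enabled)
        return self._rules[key]

    def set_enabled(self, algorithm, digest, enabled):
        self._rules[self._key(algorithm, digest)].enabled = enabled

    def matching_rule(self, data):
        """Return the enabled rule matching the file content, else None.

        Both digests are computed from the actual bytes, so a rule matches one
        exact byte sequence; content that differs in any byte is not matched.
        """
        candidates = (("MD5", hashlib.md5(data).hexdigest()),
                      ("SHA256", hashlib.sha256(data).hexdigest()))
        for key in candidates:
            rule = self._rules.get(key)
            if rule is not None and rule.enabled:
                return rule
        return None


def evaluate_run(policy, data, agent_running=True):
    """Decision for one run attempt on a host: 'block' or 'allow'."""
    if not agent_running:   # page: rules are enforced only while the agent runs
        return "allow"
    return "block" if policy.matching_rule(data) else "allow"


def apply_preset(policy, alert):
    """Preset as described on the page: a medium or high severity Sandbox
    alert yields an MD5-based rule. 'alert' is a constructed dict format."""
    if alert.get("component") != "Sandbox" or alert.get("severity") not in ("medium", "high"):
        return None
    if policy.has_rule("MD5", alert["md5"]):
        return None         # one rule per hash: keep the existing rule
    return policy.add_rule("MD5", alert["md5"], "preset: " + alert["id"])


# Constructed sample "files": arbitrary bytes, not real malware samples.
SAMPLE_BLOCKED = b"MZ\x90\x00constructed-sample-1"
SAMPLE_OTHER = b"MZ\x90\x00constructed-sample-2"


def demo():
    policy = PreventionPolicy()
    sha = hashlib.sha256(SAMPLE_BLOCKED).hexdigest()
    policy.add_rule("SHA256", sha, "manual rule for sample 1")
    results = {
        "blocked": evaluate_run(policy, SAMPLE_BLOCKED),
        "other": evaluate_run(policy, SAMPLE_OTHER),
        "agent_down": evaluate_run(policy, SAMPLE_BLOCKED, agent_running=False),
    }
    policy.set_enabled("SHA256", sha, False)
    results["disabled"] = evaluate_run(policy, SAMPLE_BLOCKED)
    # Constructed Sandbox alert with a placeholder id for the second sample.
    alert = {"id": "ALERT-EXAMPLE", "component": "Sandbox", "severity": "high",
             "md5": hashlib.md5(SAMPLE_OTHER).hexdigest()}
    apply_preset(policy, alert)
    results["preset"] = evaluate_run(policy, SAMPLE_OTHER)
    return results
```

Running `demo()` returns `block` for the sample covered by an enabled rule and `allow` for the same sample once its rule is disabled or while the agent is down, which mirrors the page's note that rules only take effect while the Endpoint Agent component is running. The `matching_rule` docstring states the practical caveat of hash-based prevention: a rule covers exactly one file content, so every distinct build of a file needs its own hash (and its own rule, within the 50,000 limit).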

In this section

Viewing the prevention rule table

Configuring prevention rule table display

Viewing a prevention rule

Creating a prevention rule

Importing prevention rules

Enabling and disabling a prevention rule

Enabling and disabling presets

Deleting prevention rules

Filtering prevention rules by name

Filtering prevention rules by type

Filtering prevention rules by file hash

Filtering prevention rules by server name

Clearing a prevention rule filter
