Kaspersky Anti Targeted Attack (KATA) Platform

Creating a prevention rule

8 November 2023

ID 247689

To create a prevention rule:

  1. Select the Prevention section in the application web interface window.

    This opens the prevention rule table.

  2. Click Add.
  3. Select Create rule.

    This opens the prevention rule creation window.

  4. Configure the following settings:
    1. State is the state of the prevention rule:
      • If you want to enable the prevention rule, set the toggle switch to On.
      • If you want to disable the prevention rule, set the toggle switch to Off.
    2. MD5/SHA256 is the MD5 or SHA256 hash of the file or data stream that you want to prevent from starting.
    3. Name is the name of the prevention rule.
    4. If you want the application to display a notification about prevention rule triggering to the user of the computer on which the prevention is applied, select the Notify user about blocking file execution check box.

      If you selected the Notify user about blocking file execution check box and an attempt is made to execute a file prevented from running, the user is notified that an execution prevention rule was triggered by this file.

    5. Prevent on is the prevention rule scope:
      • If you want to apply the prevention rule on all hosts of all servers, select All hosts.
      • If you want to apply the prevention rule on selected servers, select the Specified servers option and, to the right of the Servers parameter name, select the check boxes next to the names of the servers on which you want to apply the prevention rule.

        This option is available only when the distributed solution and multitenancy mode is enabled.

      • If you want to apply the prevention rule on selected hosts, select the Specified hosts option and list these hosts in the Hosts field.

      If you are using Kaspersky Endpoint Agent for Linux or Kaspersky Endpoint Security for Linux in the role of the Endpoint Agent component, the prevention rule creation functionality is not available. When creating a prevention rule, if you select a host with Kaspersky Endpoint Agent for Linux, Kaspersky Endpoint Security for Linux or all hosts as the scope of the rule, the rule is not applied or is only applied to hosts with Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows.

  5. Click Add.

The file startup prevention rule will be created.
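A pre-check for the value entered in the MD5/SHA256 field, as an added example that is not Kaspersky code: it computes both digests of a local file and sorts candidate strings into usable MD5 or SHA256 values and rejects, such as a SHA-1 value, which the field does not list. The function names and sample values are constructed for illustration, and lowercasing is applied here only to de-duplicate.

```python
import hashlib
import re

# Hex-digest lengths of the two hash types the MD5/SHA256 field takes.
HASH_TYPES = {32: "MD5", 64: "SHA256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def classify_hash(value):
    """Return (hash type, normalized digest) or raise ValueError."""
    cleaned = value.strip().lower()
    kind = HASH_TYPES.get(len(cleaned))
    if kind is None or not HEX_RE.fullmatch(cleaned):
        raise ValueError(f"not an MD5 or SHA256 hex digest: {value!r}")
    return kind, cleaned


def hash_file(path, chunk_size=1024 * 1024):
    """Read the file once in chunks and return both hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as handle:
        while chunk := handle.read(chunk_size):
            md5.update(chunk)
            sha256.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA256": sha256.hexdigest()}


def triage(candidates):
    """Split candidate strings into unique usable hashes and rejects."""
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        try:
            kind, digest = classify_hash(raw)
        except ValueError:
            rejected.append(raw)  # wrong length (e.g. SHA-1) or non-hex
            continue
        if digest not in seen:  # same hash in a different case counts once
            seen.add(digest)
            accepted.append((kind, digest))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: this script's own file stands in for the file to block.
    digests = hash_file(__file__)
    # Constructed candidates: a SHA-1-length value and a non-hex value are rejected.
    candidates = [digests["MD5"], digests["SHA256"].upper() + " ", "a" * 40, "zz" * 16]
    accepted, rejected = triage(candidates)
    print("usable:", accepted)
    print("rejected:", rejected)
```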

You can also import prevention rules.

Users with the Security auditor role cannot create file launch prevention rules.

Users with the Security officer role cannot access prevention rules.

See also

Managing policies (prevention rules)

Viewing the prevention rule table

Configuring prevention rule table display

Viewing a prevention rule

Importing prevention rules

Enabling and disabling a prevention rule

Enabling and disabling presets

Deleting prevention rules

Filtering prevention rules by name

Filtering prevention rules by type

Filtering prevention rules by file hash

Filtering prevention rules by server name

Clearing a prevention rule filter
