Kaspersky Endpoint Security for Business
The leading multi-layered endpoint protection platform based on Next Gen cybersecurity technologies.
Traditional protection from cyberattacks is based on malware detection that checks any application against databases of known malware indicators before it's executed. In Kaspersky Lab products, this basic layer of threat protection in represented by KSN cloud detection, ML malware classification, Anti-Rootkit and other anti-malware technologies.
Another effective approach is to “enforce hygiene” of the attacked systems - even unknown threats could be blocked by hardening application access to critical system resources. Our main examples of resource-focused protection techniques are Application Control that either allows or blocks file execution according to local allowlisting / denylisting rules, and Host Intrusion Prevention System (HIPS) that limits application access to host resources (data, registry keys, process memory etc) based on application reputation.
To complete Kaspersky Lab's multi-layer endpoint security picture, we should also mention some next-layer execution control technologies: Behavior Detection, Exploit Prevention, Remediation Engine and Vulnerability Monitor, which are to be described in other TechnoWiki articles.
In Kaspersky Lab solutions, resource protection is based on assigning applications to trust categories and defining each category’s allowed operations, including:
Application privileges are defined by the trust category it falls into. Applications are automatically inventoried on a host and assigned to trust categories. In Kaspersky Endpoint Security for Business (KESB), application lists are delivered to administrators from user computers – enabling them to develop their own application control policies.
Application attribution to a trust category is based on its behavior, as assessed by the antimalware engine, reputation in KSN, electronic signature and application integrity check. Applications are assessed on first launch or in a group, following the installation of the anti-malware solution on the host.
The trust categories are:
After initial categorization, applications continue to be monitored by the antimalware solution. If they display malware traits, they are downgraded to a lower trust category, and their privileges are restricted. Application reputation is periodically re-confirmed via KSN, just in case its reputation has been recently downgraded in the cloud.
Operations of applications that do not fall into the “Trusted” category are logged by the Remediation Engine. If an application turns out to be malware, the engine rolls back the changes it made.
An application’s ability to start is defined by its trust category.
In Kaspersky Internet Security (for home users), users can fine-tune application blocking on their host and choose its mode:
In Kaspersky Endpoint Security for Business, administrators can configure startup blocking policies for applications, executable modules (PE-files, exe, scr, dll) and scripts executed via a variety of interpreters (com, bat, cmd, ps1, vbs, js, msi, msp, mst, ocx, appx, reg, jar, mmc, hta, sys). For this, the administrator inventories applications on user computers and receives their list with metadata (vendor, certificate, name, version, installation path etc.) If new applications appear on hosts later, these are also inventoried.
Applications are automatically grouped into hierarchical categories (for example, games, office applications, browsers). Categories help administrators to create groups of application startup policies. For user groups, administrators can block the startup of specific applications, application categories or applications that fall under certain conditions (e.g. with a low KSN cloud rating).
Application Control also provides several tools to simplify the initial configuration of allowlists rules, including a wizard to create rules based on inventory results, pre-defined rules recommended by Kaspersky Lab and dynamically updated allowlists rules based on Trusted Sources (file locations or reference computers).
Users can request administrator permission to start an application, via their KESB interface.
To avoid blocking a legitimate application, administrators can enable a blocking rule in test mode. Test rules don’t affect application startup, but administrators are notified of any triggers, enabling them to identify unwanted application startup blocks and to test proposed rules - or even the complete startup control feature - on their network.
In addition to controlling its’ ability to start, the application’s trust category defines its privileges: i.e. what an application can do in the host system. Privilege control is rule-based, with a pre-defined set of “out of the box” rules that can be modified by home users or a business solution’s administrator.
For each trust category, rules define an application’s ability to:
Each rule defines the application categories it affects, the action that it controls and its verdict: “allow” or “deny”. In the home user solution, the verdict can also be “ask user” - the user is prompted to make the decision, and such decisions are cached.
Using a special set of HIPS rules, any process could run in a secured container: access to this process is very limited, even for trusted applications. Additional restrictions provide screenshot blocking, clipboard protection and integrity control that protects the process from malicious injections. This way, all the application’s internal data (including user’s personal data) is kept safe. This HIPS technique is core to Safe Money (Safe Browser) mode.
At OS boot, all untrusted applications are completely blocked, and the rest are restricted (for instance, their network access is blocked). This reduces the possibility of an attack during computer boot.
Behavior Monitoring with Memory Protection provide the most efficient ways to protect against advanced threats and zero-day malware.
Exploit Prevention (EP) protects against malware that takes advantage of software vulnerabilities.
Safe Money technology protects online critical operations.
The Kaspersky Security Network (KSN) processes cybersecurity-related data and ensures fastest reaction time to new threats
Behavior Monitoring with Memory Protection provide the most efficient ways to protect against advanced threats and zero-day malware.
Exploit Prevention (EP) protects against malware that takes advantage of software vulnerabilities.
Safe Money technology protects online critical operations.
The Kaspersky Security Network (KSN) processes cybersecurity-related data and ensures fastest reaction time to new threats
Behavior Monitoring with Memory Protection provide the most efficient ways to protect against advanced threats and zero-day malware.
Exploit Prevention (EP) protects against malware that takes advantage of software vulnerabilities.
Safe Money technology protects online critical operations.
We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.