In this SMB Redirect case, Kaspersky TAM should theoretically block the install of any Unknown/Untrusted files (the worm file). If the user overrides the install, then Application Control would assign the file to Low or High Restricted, dependent upon how users have rated the file in the Kaspersky Security Network. Only High Restricted blocks all firewall activity for an app.
Like I always say... with TAM it is best to disable "Trust digitally signed installers" and "Load application rules from KSN." IF Application Control works on your system with these settings, then it is an anti-executable/default-deny configuration.
The least complicated, most direct solution is block rules for ports 139 and 445.
I am completely unsure whether Kaspersky's Web Shield would identify the original attack as Trend Micro does.
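An added example, not part of the original posts, of the "block rules for ports 139 and 445" suggestion above, written as PowerShell for the built-in Windows Firewall. The rule display names and the LAN host name used in the final check are my own choices for this example; everything else is standard NetSecurity cmdlets.

```powershell
# Added example (not from the original post): block SMB on TCP 139/445 in both directions
# with the built-in Windows Firewall. Run from an elevated PowerShell prompt.
# Caveat: these rules also break legitimate LAN file sharing; that is the trade-off of the
# "least complicated" rule. Block rules win over allow rules in Windows Firewall.

$smbPorts = 139, 445

# Inbound: nobody may connect to this machine's SMB ports.
New-NetFirewallRule -DisplayName 'Block SMB inbound (TCP 139/445)' `
    -Direction Inbound -Protocol TCP -LocalPort $smbPorts `
    -Action Block -Profile Any -Enabled True

# Outbound: this machine may not connect to anyone else's SMB ports.
# This is the rule that matters for the SMB Redirect style of attack, where the victim is
# tricked into making an outbound SMB connection (and authenticating) to an attacker's host.
New-NetFirewallRule -DisplayName 'Block SMB outbound (TCP 139/445)' `
    -Direction Outbound -Protocol TCP -RemotePort $smbPorts `
    -Action Block -Profile Any -Enabled True

# Verify what was actually created, including the port filters attached to each rule.
Get-NetFirewallRule -DisplayName 'Block SMB*' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        Enabled    = $_.Enabled
        LocalPort  = ($pf.LocalPort  -join ',')
        RemotePort = ($pf.RemotePort -join ',')
    }
} | Format-Table -AutoSize

# Functional check of the outbound rule: 'fileserver01' is a placeholder (assumed name) for a
# LAN host that normally answers on 445. With the rule in place TcpTestSucceeded must be False.
Test-NetConnection -ComputerName 'fileserver01' -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

To undo the change, remove both rules with `Get-NetFirewallRule -DisplayName 'Block SMB*' | Remove-NetFirewallRule`. If LAN file sharing must keep working, the outbound rule can be narrowed with `-RemoteAddress` so that only non-local destinations are blocked, at the cost of the simplicity the post is recommending.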
One needs to realize that programs like Kaspersky Internet Security, ESET Internet Security, and most other all-in-one Internet security packages are designed for the general public and, more importantly, home users.
As such, KSN rules, or TDS (trusted digitally signed check systems), are mostly tuned towards home user environments.
Which means that the Internet security solutions from most vendors are configured to combat the dangers that affect home users the most.
So that means that highly advanced attacks, targeted attacks, or any other attack that is slightly more advanced than the average drive-by malware usually go pretty much unnoticed until you get infected, or, in some cases, the Internet security config only catches a small part of the actual infection (usually the decoy before the real payload is dropped).
Now, while the home environment and the industrial environment are exactly the same, they do have a few significant differences that should be noted in order to understand why home user programs and industrial user programs are so different.
It's all about user interaction, and the dangers that directly target users.
An average home user will NEVER have the same routine as, for example, an office worker at some firm.
At home you can do whatever you like... who cares, so your AV/IS program is designed more to combat user stupidity than actual malware.
(Yes, I know this sounds funny, but the raw fact is that 6 out of 10 users infected their own computer just by making wrong choices, not reading, or just clicking for the sake of clicking.) At the end of the day, you are the one that downloaded that new Flash Player, right?
But ask yourself how many people here on MT actually check whether they got the Flash Player directly from Adobe? Just a small example.
It might not be a big issue, but keep in mind that if people do not track their behavior and do not monitor their actions, then getting an infection is so much easier, because you basically opened the door: you are the one downloading, clicking/allowing whatever the program is going to do. If it's just installing your new Flash Player, then great, but if this installs a whole bunch of adware and other ##### then who is to blame? Your AV that did not give you an alert, or you, who gave your approval when you hit OPEN after the download finished in, let's say, Google Chrome, which will trigger UAC? And when you allow it, even if your AV would see what's going on... your program just got admin rights and can potentially send your Kaspersky (or whatever brand you have) packing.
So Internet security software is mostly made for home users, and why? Because industrial users do not have much use for it.
Within the industry, using a computer is a science of its own, as the IT department has set a whole array of rules and protocols that, if done properly, do not allow you to make "home" mistakes in the first place; and if set up like at our company, then a virus infection is not even possible, as the very config required to infect a computer is not present on the client PC. (After all, you are working with sessions.)
And all this is being monitored by servers and control stations that focus 80% of their total security outwards, to combat the more advanced dangers, because the network itself is unsuitable for mass infections.
So to summarize it:
Home packages are more tuned to combat user-based infections and are tuned to block the most common malware, so what they do is keep away the majority of the malware, knowing that a typical home user never gets into the dangerous environment that industrial counterparts get themselves into.
Industrial packages have different objectives: making the most common attacks impossible, and logging the more advanced attacks (as they are usually unstoppable), so logging and damage control is the next best thing.
Continuity is the right word here, saving money is the next best word, and logging/repair options is the closing word here.
I know this is raw info; obviously it's more complex than this, but between the lines this is the easiest way I can explain it.
That said, SMB attacks and other security flaws that are being targeted are, 8 out of 10 times, hacks that have been engineered.
During big hacker and security conferences and international meetings, hacking a program has become big money.
Microsoft and others pay good money for people pointing out bugs and hacks. So when a new hack is revealed, or an old hack seems to be still working after a decade, or an old hack gets engineered to overcome new security models and such, then this makes big news.
Hack X leaves millions potentially unprotected. I say TRUE and bullshit at the same time.
Yes, hack X does provide attackers with a way to break your system, yet... and here is where the BS enters the story.
BUT out of the 8 hacks that have been found, at least 70% happen from within the OS itself. Which technically means that without sitting physically behind the victim's PC, and without a vast array of hacking tools and the needed resources and knowledge, this particular hack cannot happen in the first place, as it is a technical requirement to target the OS from the inside out.
Sure, there are programs that can be packed with very nasty yet brilliant malware that do a large part of the work for you, but with the introduction of routers and security software deployed by most Western ISP companies, it becomes a whole different story to be able to target a machine directly like that. My point is that these hacks require hands-on work.
And to close this: most home Internet security software is just not up to the task, or does not offer the needed configuration abilities to combat such attacks properly. One could say, "Well, Nico, so you are saying industrial software is better?" No, what I am saying is that home software does the thinking for you in most cases, or allows you to make a choice predefined by its config (usually the lesser of two evils),
while industrial software requires you to set the rules.
So, "Hey, Nico, why not hire an admin that installs such software at home and sets it up for me?"
That would work only if you have an attitude change yourself. Because home software thinks for you, right? Well, industrial software does strictly what you tell it to do. And you definitely want to make sure that you just told it to do the right thing. Once you have enforced a rule, it will be as foolproof as you allow it to be. Which means that if the system tells you that you cannot do that due to rule X, then this means you CAN'T do it.
Or you might be responsible for that front-page news article that tells the world that your company was the victim of the largest hack in history.
Simple morals and habits, nothing more.
At home, when you stick your USB drive into the PC and your AV starts yelling that you can't do that, then people are like:
<facepalm> Really? F Windows, slow PC, f*ck this, I am in control <hit ignore & allow>, and still run the drive despite their security telling them not to, or to do a certain action first. Your security will in most cases respect your choice and move to a different config based upon the scenario you just created, to counteract your stupid acts, and it tries to keep you as safe as possible, keeping in mind that you ignored most of its protection.
Try that on a company network; if your supervisor does not murder you, then your IT admin will.
No, industrial software is NO better than home software, yet home software is using the lesser-of-multiple-evils rule handling and leaving room for compromises.
Industrial software does not. It enforces rules strictly, and NO change unless manually configured by the right people.
Company networks are often subject to a whole bible of rules. And while most of these rules are far-fetched, one needs to realize that due to the very same rules, client mistakes are made irrelevant, and this allows a company to focus on the outside.
Most people do not know it, but Kaspersky is optimized to combat user-action infections. It literally means that AV vendors fear your actions MORE than that occasional "real" infection you get.
And the plain and simple reason is user habit... because if those habits are sound, then getting an infection is pretty much... "impossible" would be the wrong word, but ask yourself the question: you are using the PC, let's say, for 3 things: watching Netflix, reading CNN, and banking (I leave social media out of this for a second). Then how many infections did you get from those 3 sites? Exactly ZERO.
Social media I will not mention here, as the complexity of social-media-based infections and hacking goes way beyond the scope of this discussion and the capabilities of most Internet security packages.
One other reason I am writing this is because, sifting through the user comments, it seems like people do have the wrong idea about KAV, NOD32, and other "favo" brands. Blocking within your IS package is not as secure as you might think, because it is still going to allow legit traffic (soft block) (and I mean fake legit), while blocking at industry level means literally BLOCK (hard block).
And IMO programs like CIS and Kaspersky, NOD32, Qihoo do not even offer hard-block options. Ask any computer tech here on the forum; they all can tell you the difference between soft block (aka the program makes the choice for you based upon the most favorable outcome or the lesser of multiple evils) and hard block, which disregards everything. Block means block, period. It does not think, it does not make a favorable tradeoff, it does one thing (within the firewall's mind or the security application's mind): "Boss tells me to block protocol X, I will block protocol X or I'll crash trying."
(Maybe this should be a different discussion; MOD, make this a topic if you think it's worth it.)