Site of promotion: https://www.appguard.us/solo/
Starts on: Mar 18, 2020
Instructions: buy!

shmu26

Level 85
Verified
Trusted
Content Creator
Just to inform you:
Trusted Application Mode (TAM) has been removed in the upcoming Kaspersky 2021, according to @harlan4096
Wow, that's a big change!
 

jetman

Level 7
Verified
Just to inform you:
Trusted Application Mode (TAM) has been removed in the upcoming Kaspersky 2021, according to @harlan4096

I wonder what the reason for that is?
It might shift me more towards using Norton (....drifting into an entirely different topic here).
 
The problem with TAM as I see it is that once an app is added to the trusted list it is TRUSTED. Terrible idea in the first place. You cannot have apps 100% trusted on Windows without rules to stop bad behavior such as LOLBins. Hashes can be forged; there is a recent CVE for forging. Kaspersky knows that whitelisting files based on hash is a very bad idea, very bad. Kaspersky, above all other virus vendors, knows that current threat actors are more complex and more advanced than ever before; threats are moving into the memory space to live, and I bet we will see memory scanning become big business.
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
The problem with TAM as I see it is that once an app is added to the trusted list it is TRUSTED. Terrible idea in the first place. You cannot have apps 100% trusted on Windows without rules to stop bad behavior such as LOLBins. Hashes can be forged; there is a recent CVE for forging. Kaspersky knows that whitelisting files based on hash is a very bad idea, very bad. Kaspersky, above all other virus vendors, knows that current threat actors are more complex and more advanced than ever before; threats are moving into the memory space to live, and I bet we will see memory scanning become big business.
This is a very valid concern that even I have, and I'm sure many others here will too. There should be no blindfold when it comes to trusted apps.
First of all, KIS uses multiple parameters like the Application Trust Inheritance principle, digital signature, source etc. to form a trust chain for categorizing files.

If you read the "security corridor" aspect of Application Control (the pillar of TAM) in their whitepaper, they do monitor the trusted apps for suspicious actions they are not meant to perform. While we do not know well the scope of their monitoring (not talking about the options in AC), it is true that they do not blindly trust the trusted applications.

A year back when I was installing the Windows pre-installation environment through Macrium Reflect, KIS intervened saying a suspicious action had been blocked. That was System Watcher, which, along with File AV and AC, is a part of TAM. KIS hence had a watch on the trusted Macrium app. Possibly KIS didn't have info that this is a common action for Macrium Reflect.
It apparently monitors common apps for unexpected actions and other allowed programs for suspicious actions. Just the threshold may vary.

Design limitations or a higher threshold set to reduce FPs might lead to TAM missing some malicious action by a trusted file that otherwise should have been blocked. That can be expected of any such consumer program.
If I recollect well, Kaspersky's memory scanning had protected systems during a considerable malware outbreak in the recent past. They just need to keep progressing.
Anyway, TAM is off the cards now and as @harlan4096 said, AC can be better tweaked to simulate a flexible TAM.
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Also, even being in the Trusted group, for every app there you have this:

[attached screenshot: 1584865142199.png]
 

shmu26

Level 85
Verified
Trusted
Content Creator
If you want your trusted apps to be seriously guarded and contained, the best solution for that is ReHIPS or Sandboxie. OSArmor also offers some limited protection in that area.
But IMHO most of the time this is overkill and makes life difficult. Just apply proper system hardening, such as that offered in Hard_Configurator, and stop fretting over exotic attacks that are less likely than being struck by lightning.
 
I would be more worried about supply chain attacks; harden all you like, but you cannot stop trusted programs doing funky stuff unless you have measures in place to observe and watch what they are doing. You trust the source, so you install without thinking. But what if an exploit is shipped within that installer, so you get hosed? AV/AM won't be able to stop that; it's debatable if AppGuard/ReHIPS/OSArmor can even protect you, because to run that installer you have to allow its install behavior, and protection from those programs is rendered useless. Getting struck by lightning is not nice btw :p

I think Kaspersky is the best of the bunch, but its firewall/network protection and trusted apps leave holes. I know they do this for usability, because most users would go bonkers with so many alerts, so you need to automate them. But I am at that stage where I want those alerts.
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
I would be more worried about supply chain attacks; harden all you like, but you cannot stop trusted programs doing funky stuff unless you have measures in place to observe and watch what they are doing. You trust the source, so you install without thinking. But what if an exploit is shipped within that installer, so you get hosed? AV/AM won't be able to stop that; it's debatable if AppGuard/ReHIPS/OSArmor can even protect you, because to run that installer you have to allow its install behavior, and protection from those programs is rendered useless. Getting struck by lightning is not nice btw :p
Well, if you keep expanding your scope of paranoia, I am afraid nothing but madness or ignorance of these things can help!
Moreover, the chances of such encounters are very low for home users, and minimizing your system's usability for that doesn't seem to be a good idea.
When we talked about KIS monitoring (or not) trusted programs: it does, but within its limitations and threshold.
Supply chain attacks are probably the most deceptive, and there's little you can do to reduce the chances:
  • having a firewall with reverse DNS lookup. Block any unknown IP or host connections for most programs (ESET and Sphinx FW Control have it). I usually allow program connections only for the app-related hostname. You could also whitelist a subnet of IP addresses
  • in the rare circumstance that even the server of program X is infected, there's no benefit in blocking other domains in that very case, as you're allowing the connection to the compromised domain of program X
  • the compromised X might not itself connect to a malicious domain but modify system or browser processes, for example. In that case, if you've manually hardened against such an attack vector or if your AV could detect this hollowing/injection, perhaps you could block the attack at some point. There are other scenarios we could keep talking about
  • one can wait for a while before installing newer versions of programs (there will be a counter-debate for sure that you'll be delaying security updates, hence not recommended). But I've seen this talk on forums. Some compromises get revealed in a few weeks or months
  • using a DNS like Quad9 that gathers shared intelligence from 19 global providers like IBM X-Force. If these systems have identified any malicious domains used in such attacks (like Cisco had identified in CCleaner), you might benefit from it
  • some people use portable versions of apps and don't update often. This may reduce the likelihood of an SCA ...
If you're a corporation, one of the best things to do among the recommended set of protocols is to evaluate the security and privacy policy of the 3rd-party software providers you use and only trust those deemed secure and reliable by audit. Good supplier relations count here.
Software SCAs are often an indirect way to target entities, and I wonder at what level of interest the data of average users like us can be for any such attacker group. Take CCleaner, for example: its later stages were used to narrow down on various corporations.

There are chances that good Restriction Policies would block the unidentified/non-whitelisted new files spawned by the compromised program. If not, ....
other hardening policies like blocking vulnerable process sequences unless whitelisted, audit policies and post-breach analysis tools their IT teams use (the good ones) can help them identify early Indicators of Compromise and attempt remediation.
However, if the scattered pieces of the puzzle still don't come together, the entity gets screwed anyway.
Talking about this paranoia, there are also hardware supply chain attacks besides the software and firmware ones.

WRT the likes of OSArmor, I check what things get blocked (happens very rarely) when installing my go-to apps, and next time they install, if something new is blocked, I might as well have a look at it. Most of the time, only if your reputed program fails to carry out a basic function (or if I know that the sequence is safe) would I unblock what got blocked. Otherwise the block is not to be bothered about.

I think Kaspersky is the best of the bunch, but its firewall/network protection and trusted apps leave holes. I know they do this for usability, because most users would go bonkers with so many alerts, so you need to automate them. But I am at that stage where I want those alerts.
Among other fortifications, one thing you could do if you really want such control is to enable Interactive Mode in Kaspersky. And you'll be happily overwhelmed by the number of informative alerts you get for all actions performed on your system :)
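The first two bullets above describe a per-program egress allowlist with reverse DNS (allow a program to talk only to its own hostnames or an allowlisted subnet, default-deny everything else) and its known blind spot (a compromised vendor server is still on the allowlist). The following Python script is an added illustration of that policy logic, not code from the thread or from any of the firewalls named in it. All program names, IP addresses (from the RFC 5737 documentation ranges), hostnames and the reverse-DNS table are constructed so it runs offline; a real firewall would perform the PTR lookup live.

```python
"""Per-program egress allowlist check (added illustration; constructed data).

Models the rule "allow a program to connect only to its app-related
hostnames or an allowlisted subnet; block everything else". Reverse DNS is
simulated with a constructed table so the script needs no network access.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed reverse-DNS (PTR) table: hypothetical addresses and hostnames.
REVERSE_DNS = {
    "203.0.113.10": "updates.example-app.com",     # vendor update server
    "203.0.113.200": "cdn.example-app.com",        # vendor CDN, outside subnet
    "198.51.100.7": "telemetry.unrelated-host.net",  # unrelated third party
}

# Constructed per-program policy: allowed hostname suffixes and CIDR subnets.
# Programs with no entry are denied by default.
POLICY = {
    "exampleapp.exe": {
        "hosts": ("example-app.com",),
        "subnets": (ipaddress.ip_network("203.0.113.0/28"),),  # .0 - .15
    },
}


@dataclass(frozen=True)
class Decision:
    program: str
    dst_ip: str
    hostname: Optional[str]
    allowed: bool
    reason: str


def _host_allowed(hostname: str, suffixes) -> bool:
    """True if hostname equals or is a subdomain of an allowed suffix."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def evaluate(program: str, dst_ip: str, rdns=REVERSE_DNS, policy=POLICY) -> Decision:
    """Decide whether `program` may connect to `dst_ip`.

    Order: explicit subnet allowlist first, then reverse-DNS hostname match
    against the program's allowed suffixes. Unknown programs, unresolved
    addresses and non-matching hostnames are all blocked (default deny).
    Note the blind spot: if the vendor's own server is compromised, it is
    still allowed, because the policy trusts the hostname, not the content.
    """
    rules = policy.get(program)
    if rules is None:
        return Decision(program, dst_ip, None, False, "unknown program: default deny")
    addr = ipaddress.ip_address(dst_ip)
    for net in rules["subnets"]:
        if addr in net:
            return Decision(program, dst_ip, rdns.get(dst_ip), True, f"subnet {net}")
    hostname = rdns.get(dst_ip)
    if hostname is None:
        return Decision(program, dst_ip, None, False, "no reverse DNS record")
    if _host_allowed(hostname, rules["hosts"]):
        return Decision(program, dst_ip, hostname, True, f"hostname {hostname}")
    return Decision(program, dst_ip, hostname, False, f"hostname {hostname} not allowlisted")


def evaluate_log(lines, rdns=REVERSE_DNS, policy=POLICY):
    """Evaluate a batch of 'program dst_ip' records (constructed format)."""
    decisions = []
    for line in lines:
        program, dst_ip = line.split()
        decisions.append(evaluate(program, dst_ip, rdns, policy))
    return decisions


# Constructed connection attempts, not captured traffic.
SAMPLE_LOG = [
    "exampleapp.exe 203.0.113.10",   # own update server, in subnet -> allowed
    "exampleapp.exe 203.0.113.200",  # own CDN, matched by hostname -> allowed
    "exampleapp.exe 198.51.100.7",   # unrelated host -> blocked
    "exampleapp.exe 192.0.2.44",     # no PTR record -> blocked
    "notepad.exe 203.0.113.10",      # no policy for program -> blocked
]

if __name__ == "__main__":
    for d in evaluate_log(SAMPLE_LOG):
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{verdict} {d.program:16} {d.dst_ip:15} {d.reason}")
```

The default-deny branches are what stop a compromised program from reaching an attacker's infrastructure; the first allowed case is the limitation the second bullet points out, since a policy keyed on hostname cannot tell a compromised vendor server from a healthy one.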
 

shmu26

Level 85
Verified
Trusted
Content Creator
Well, if you keep expanding your scope of paranoia, I am afraid nothing but madness or ignorance of these things can help!
Moreover, the chances of such encounters are very low for home users, and minimizing your system's usability for that doesn't seem to be a good idea.
When we talked about KIS monitoring (or not) trusted programs: it does, but within its limitations and threshold.
Supply chain attacks are probably the most deceptive, and there's little you can do to reduce the chances:
  • having a firewall with reverse DNS lookup. Block any unknown IP or host connections for most programs (ESET and Sphinx FW Control have it). I usually allow program connections only for the app-related hostname. You could also whitelist a subnet of IP addresses
  • in the rare circumstance that even the server of program X is infected, there's no benefit in blocking other domains in that very case, as you're allowing the connection to the compromised domain of program X
  • the compromised X might not itself connect to a malicious domain but modify system or browser processes, for example. In that case, if you've manually hardened against such an attack vector or if your AV could detect this hollowing/injection, perhaps you could block the attack at some point. There are other scenarios we could keep talking about
  • one can wait for a while before installing newer versions of programs (there will be a counter-debate for sure that you'll be delaying security updates, hence not recommended). But I've seen this talk on forums. Some compromises get revealed in a few weeks or months
  • using a DNS like Quad9 that gathers shared intelligence from 19 global providers like IBM X-Force. If these systems have identified any malicious domains used in such attacks (like Cisco had identified in CCleaner), you might benefit from it
  • some people use portable versions of apps and don't update often. This may reduce the likelihood of an SCA ...
If you're a corporation, one of the best things to do among the recommended set of protocols is to evaluate the security and privacy policy of the 3rd-party software providers you use and only trust those deemed secure and reliable by audit. Good supplier relations count here.
Software SCAs are often an indirect way to target entities, and I wonder at what level of interest the data of average users like us can be for any such attacker group. Take CCleaner, for example: its later stages were used to narrow down on various corporations.

There are chances that good Restriction Policies would block the unidentified/non-whitelisted new files spawned by the compromised program. If not, ....
other hardening policies like blocking vulnerable process sequences unless whitelisted, audit policies and post-breach analysis tools their IT teams use (the good ones) can help them identify early Indicators of Compromise and attempt remediation.
However, if the scattered pieces of the puzzle still don't come together, the entity gets screwed anyway.
Talking about this paranoia, there are also hardware supply chain attacks besides the software and firmware ones.

WRT the likes of OSArmor, I check what things get blocked (happens very rarely) when installing my go-to apps, and next time they install, if something new is blocked, I might as well have a look at it. Most of the time, only if your reputed program fails to carry out a basic function (or if I know that the sequence is safe) would I unblock what got blocked. Otherwise the block is not to be bothered about.


Among other fortifications, one thing you could do if you really want such control is to enable Interactive Mode in Kaspersky. And you'll be happily overwhelmed by the number of informative alerts you get for all actions performed on your system :)
I agree that there is almost no effective protection against supply-chain attacks, and that they are not a credible threat to home users.
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
I agree that there is almost no effective protection against supply-chain attacks, and that they are not a credible threat to home users.
Many educational articles and publications are available that get software developers started with the basics of securing their entire supply chain. And these include efforts at technical and business levels. The security vendors and committees must push hard to reach out to more developers, especially those developing kinds of software that would be vastly used in the market.
Training all responsible members of the team in this aspect is equally important for the companies as their regular technical trainings are.
Then their seriousness, readiness and skills would determine how easily their system would allow such compromises.
Allow me to conclude these discussions so that the thread no longer deviates from the main topic.
 

The Cog in the Machine

Level 23
Verified
As already said many times, TAM behaviour can be "emulated" by tweaking Application Control...
Would it be with the same ease? TAM was two or three mouse clicks away and you're done (assuming you do not have unknown files which need to be reviewed, which is also not a big deal). It would be nice if you created a guide here, since you're the Kaspersky ambassador here :)
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
It would be nice if you created a guide here, since you're the Kaspersky ambassador here
I'm already on it (creating a guide) ... anyway, I already posted a few months ago some interesting tweaks:

 

Vitali Ortzi

Level 20
Verified
Ha, ha. Fortunately, they do not compete with each other. H_C is suited/intended only for the home environment and AG is intended for businesses (although it can be used in the home environment too). :)
If one likes the H_C approach, then he/she will probably also like AppGuard in his/her business firm.
Don't IT guys just use AppLocker and Group Policy?
 