Guide | How To Harden the Low Restricted Group

harlan4096

Thread author
Recently I created a new small guide about how to harden the Low Restricted settings (Intrusion Prevention module), which is where all unknown apps are moved by default.

These tweaks are less aggressive than my previous ones in Default Deny guide.

Here is the link, located at Kaspersky Community:

 
Hey, I have a question. I did your Hardening KTS: High Restricted for apps that couldn't be put in a category, High Restricted for apps that loaded prior to KTS, and Do Not Trust Digitally Signed Programs; otherwise everything was left on default. I re-installed NFS Unbound from the original EA app and it was put in High Restricted. How come? I had to put it in Trusted so I could play.
 
It can happen if the installer or the exe is not known in KSN, is not properly digitally signed, or has a certificate issue. Check its KSN info in Intrusion Prevention -> Manage Applications; example for Firefox:

[screenshot: Manage Applications, KSN info for Firefox]
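To check the signature cause mentioned above before deciding on a trust group, here is an added PowerShell snippet (not from the thread, nor Kaspersky's own tooling) that lists every binary under an assumed install folder whose Authenticode signature is missing or invalid, with its SHA-256 so the file can be looked up by hash. The folder path in `$Root` is an assumption; adjust it to the application you are checking.

```powershell
# Added example, not from the thread: report executables and DLLs under $Root
# whose Authenticode signature is not Valid, i.e. candidates for the
# "not properly digitally signed / certificate issue" case described above.
param(
    [string]$Root = "$env:ProgramFiles\EA Games"   # assumed folder; change as needed
)

Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate        # $null when the file is unsigned
        [pscustomobject]@{
            File     = $_.FullName
            Status   = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer   = if ($cert) { $cert.Subject } else { '' }
            NotAfter = if ($cert) { $cert.NotAfter } else { '' }   # certificate expiry
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Where-Object { $_.Status -ne 'Valid' } |   # keep only the problem files
    Sort-Object Status, File |
    Format-Table -AutoSize
```

An empty result means every binary under the folder carries a valid signature, so a restricted placement is more likely due to the file simply being unknown in KSN than to a signing problem.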
 
I apply @harlan4096's KTS hardening by default via a script. However, I'm still not sure I understand what apps in the Low Restricted and High Restricted groups can do on the system. I've been googling this but I can't find clear documentation on this from Kaspersky.

From experience, I know that if it's in High Restricted, it can't access the network, can't resolve DNS, etc. If it's in the Low Restricted group, it can do that.

Can someone shed light on what apps can and cannot do if they're in the Low Restricted or the High Restricted group?
 
Ask ChatGPT; the stuff is documented on the web, and it will find it. For example, I asked "What's the difference between Kaspersky's Low Restricted and High Restricted group?"

And it gave me :

--------------------

Verified breakdown of Kaspersky trust-groups


| Aspect | Low Restricted | High Restricted | Why it matters |
|---|---|---|---|
| How KES classifies an app | Unsigned / not in KSN, but evaluated as low-risk by reputation heuristics – “minimal restrictions” | Unsigned / not in KSN and judged medium-risk – “high restrictions” | Same build conditions, different risk score. |
| Network access (pre-defined Firewall rules) | Allowed in all network zones (Public / Local / Trusted) | Blocked in every zone until an admin creates an explicit rule | The biggest practical difference: High Restricted apps cannot talk to the network out-of-the-box. |
| Typical OS-level rights (HIPS/Application Control) | Can perform many common actions (e.g. read/write user files, access other processes, use hidden network channels) but prompts for most sensitive operations (“user permission required for most operations”) | Nearly all sensitive actions trigger a prompt; attempts to touch core OS modules are outright denied | Low Restricted = “nag & log”; High Restricted = “assume deny”. |
| Threat rating shown in console/UI | Low | Medium | Helps admins filter incident lists. |
| When you’d use it | Portable utilities, in-house tools that need the Internet but shouldn’t rewrite the OS. | PUPs, ad-installers, PoCs you want to run but cage, or anything you suspect could break out. | |
 
What controls does each group have?

-------------------------

Factory-default controls applied to each Kaspersky trust-group

| Control category | Low Restricted | High Restricted | Key docs |
|---|---|---|---|
| Network activity (all zones) | Allowed – Firewall lets the app open inbound & outbound connections in Trusted, Local and Public networks. | Blocked – no network traffic until an admin adds an explicit application rule. | Kaspersky Support |
| General OS access | “Minimal restrictions on access to operating-system resources.” | “High restrictions on access to operating-system resources.” | Kaspersky Support |
| Typical privileged actions (examples: manage other processes, hidden channels, system management APIs) | Permitted only after a user/administrator decision. Kaspersky says these apps “are allowed to perform specific operations … User permission is required for most operations.” | The same operations still need permission, but the baseline is stricter; almost every sensitive call is stopped until authorised. | Kaspersky Support |
| File / registry writes in Windows system areas | Prompt (“Ask”). | Block by default. | Derived from the minimal- vs high-restriction definitions above. |
| Reads of user data & system files | Allowed | Allowed | (Neither group blocks simple read operations.) |

How the controls are enforced

  1. Files & System Registry tab – four per-path rights (Read, Write, Create, Delete).
  2. Rights tab – dozens of granular OS actions (service install, driver load, terminate / inject into other processes, screen-capture, power control, etc.), each set to Allow / Ask / Block.
  3. Network rules tab (Firewall) – an uneditable built-in rule that is Allow for Trusted & Low Restricted, Block for High Restricted & Untrusted. Kaspersky Support
Bottom line:
Low Restricted runs almost like a normal program but asks before it makes system-level changes; High Restricted is quarantined from the network and is denied most write-level or privileged actions unless you deliberately loosen them.