How does Kaspersky deal with malware attacks that target vulnerabilities in installed applications?

nonamebob567

Level 1
Thread author
Apr 24, 2025
  • So far, I understand that you can't do anything to prevent malware attacks that target Windows vulnerabilities or vulnerabilities in the antivirus programme itself.
  • What I want to know is how exactly Kaspersky protects against malicious attacks that specifically target an exploit in a program like WinRAR or VLC Media Player.
  • Let's just say you live under a rock and use an older WinRAR version that has known vulnerabilities, and you downloaded that shady-looking archive and unpacked it, not knowing that a malicious EXE file is about to get executed all by itself.
  • Or let's say your two-faced friend gave you an MP4 file, saying it's a good movie, while knowing that it has malware that executes the moment you play it with your older VLC player that has vulnerabilities.
  • What defence components does Kaspersky possess to handle a situation like this?
  • And please don't answer the question saying that the best way to prevent this is not to download shady files and to keep your applications updated because most sensible people already know it and are looking for an answer that explains the question.

Thank you for taking your time.
 
Hello nonamebob567,

Thank you for your detailed question. I appreciate you clarifying what you're looking for—I'll focus on the specific defense mechanisms in Kaspersky products that address exploits in third-party applications like WinRAR or VLC, without veering into general advice.

Kaspersky's security suite (such as Kaspersky Internet Security or Total Security) includes several layered components designed to detect and block exploit-based attacks. These work even if the vulnerable software itself isn't patched. Here's a breakdown of the key ones relevant to your scenarios:

  • Exploit Prevention Module: This is a dedicated feature that specifically targets exploits in popular software. It monitors for common exploit techniques (e.g., buffer overflows, heap spraying, or return-oriented programming) that attackers use to hijack vulnerable apps. For example:
    • In the WinRAR scenario: If a malicious archive exploits an old WinRAR vulnerability to auto-execute a payload during unpacking, Exploit Prevention can detect the abnormal memory manipulation or code injection attempts and block the process before it runs.
    • In the VLC scenario: If a malformed MP4 file tries to exploit a buffer overflow in an outdated VLC version upon playback, this module intervenes by recognizing the exploit pattern and preventing the malicious code from executing.
    It uses a combination of signature-based detection for known exploits and behavioral analysis to catch zero-day attempts.
  • System Watcher: This component provides proactive, behavior-based protection by monitoring system activities in real-time. It tracks changes like unauthorized file modifications, registry edits, or suspicious process launches. If an exploit succeeds in injecting code, System Watcher can detect the anomalous behavior (e.g., a WinRAR process suddenly trying to execute external code or a VLC playback leading to unusual system calls) and either block it or roll back the changes using its rollback feature.
  • File Anti-Virus and Real-Time Scanning: While not exploit-specific, this scans files as they're accessed or executed. In your examples, if the malicious EXE from the WinRAR archive or the payload from the MP4 is known malware, it gets flagged and quarantined immediately. For unknown threats, it integrates with heuristic analysis to identify suspicious patterns.
  • Application Control and Host-Based Intrusion Prevention System (HIPS): These restrict what applications can do. Application Control can limit untrusted programs from running, while HIPS monitors network and system interactions to block exploit delivery vectors, like if the exploit tries to download additional malware.
  • Kaspersky Security Network (KSN): This cloud-based reputation service provides real-time threat intelligence. If a file or behavior matches emerging exploit patterns reported by other users, it can block it preemptively.

These components work together in a multi-layered approach: prevention at the exploit stage, detection during execution, and mitigation if something slips through. Keep in mind that no security software is 100% foolproof against zero-day exploits, but Kaspersky's tools are particularly strong in this area due to their focus on behavioral and exploit-specific defenses.

If you have more details about a specific Kaspersky version or scenario, I can refine this further. What edition of Kaspersky are you using?

Best regards,
Your MalwareTips Assistant
 
Windows already has plenty of anti-exploit features, many of them enabled by default.

For any antivirus, the best way to stop exploits would be first on a network level, by blocking the associated websites/traffic and then at runtime.

At runtime, AVs redirect calls to themselves first (much like sandboxes and other software). This allows them to detect attempts to access resources that require elevation (such as C:\Windows\System32); they can detect when a process is elevated or not, and they can detect whether there was a prompt or not (by hooking EVENT_SYSTEM_DESKTOP_SWITCH/consent.exe). At this point the AV would analyse the parent-process relationships, what caused the elevation and so on. If there is no UAC prompt/event but the process integrity is going from medium to high, these are very sure indicators of UAC bypass.

Additional API calls related to injection from 2 processes not from the same family, opening handles to very secure processes and more.

And then on a very low level there are heap/stack monitoring, memory allocation/deallocation, memory scanning and so on.

Since you don’t want basic explanations…
 
The "Nightclub Security" Analogy

Think of the vulnerable application (like WinRAR or VLC) as a nightclub. The security software's job is to act as the club's security team, watching for trouble without knowing exactly what form it will take.

Exploit Prevention (The Bouncer at the Door)

This is like a bouncer checking IDs. It has a list of known troublemakers (signatures for known exploits) and also looks for suspicious entry techniques, like someone trying to sneak in through a back window (a buffer overflow) or using a fake ID (return-oriented programming). If it sees a known bad technique, it stops the threat before it even gets inside the club.

System Watcher & HIPS (The Floor Security)

Once inside the club, this is the security team roaming the floor, watching how people behave. They don't know every person, but they know what suspicious behavior looks like.

Unusual Process Activity

A patron suddenly trying to get behind the bar (WinRAR.exe trying to access protected system files) or a waiter trying to enter the manager's office (VLC.exe attempting to modify registry keys) is immediately suspicious.

Privilege Escalation

This is like a regular guest suddenly trying to act like a staff member with keys to every room. The user @Trident explained this well by mentioning the monitoring of process integrity going from medium to high without a proper UAC prompt. System Watcher flags this as a classic sign of an exploit.

Memory Manipulation

The security team also watches for someone trying to slip something into another person's drink. This is analogous to heap spraying or memory injection, where the exploit tries to place malicious code into the memory space of a legitimate process. This is a high-confidence indicator of an attack.

Kaspersky Security Network (The Security Network)

This is the security team's radio network connecting them to bouncers at every other club in the city. The moment a new type of trouble starts at one club, a description is shared with everyone. If a file or a sequence of behaviors on your system matches a brand-new threat seen anywhere else in the world, KSN provides the intelligence to shut it down instantly, even if your local "bouncer" hasn't seen it before.

The key takeaway from these replies is that modern security relies on a defense-in-depth strategy. It assumes a threat might get past the first layer, so it has multiple, different types of security watching at every subsequent stage. The answers provided cover this concept thoroughly.
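One way to model the behavioural rules that @Trident's reply and the nightclub analogy above describe, as an added example that is neither Kaspersky's nor the forum's code: a toy rule engine replays a constructed process-event stream and flags a shell spawned by a media player, a medium-to-high integrity jump with no consent prompt (a real product would derive that prompt event from the desktop-switch/consent.exe hook), memory injection across process families, and a write into System32. Event kinds, rule names and the sample events are my own assumptions.

```python
# Added example, not Kaspersky's code: a toy behavioural rule engine modelling the
# HIPS / System Watcher style indicators described above. Event kinds, rule names
# and the sample stream are constructed; target is a path, a victim pid or None.
from collections import namedtuple

Event = namedtuple("Event", "ts kind pid ppid image integrity target")
# Constructed sample: VLC spawns cmd.exe, which jumps to high integrity with no
# consent prompt, injects into an unrelated process, then writes into System32.
SAMPLE_EVENTS = [
    Event(0, "create", 200, 1, "svchost.exe", "system", None),
    Event(1, "create", 100, 50, "vlc.exe", "medium", None),
    Event(2, "create", 101, 100, "cmd.exe", "medium", None),
    Event(3, "integrity", 101, 100, "cmd.exe", "high", None),
    Event(4, "inject", 101, 100, "cmd.exe", "high", 200),
    Event(5, "file_write", 101, 100, "cmd.exe", "high", r"C:\Windows\System32\x.dll"),
]
MEDIA_AND_ARCHIVE = {"vlc.exe", "winrar.exe"}   # apps that should never spawn shells
SHELLS = {"cmd.exe", "powershell.exe"}

def ancestors(pid, parent):
    # Ancestor pids of `pid`, following ppid links seen in create events
    seen = set()
    while pid in parent and parent[pid] not in seen:
        pid = parent[pid]
        seen.add(pid)
    return seen

def analyse(events):
    # Returns (rule, pid) findings for a chronologically ordered event stream
    findings, parent, image, integrity, prompted = [], {}, {}, {}, set()
    for e in events:
        image[e.pid], parent[e.pid] = e.image, e.ppid
        if e.kind == "create":
            integrity[e.pid] = e.integrity
            # Rule 1: a media player / archiver launching a command interpreter
            if image.get(e.ppid) in MEDIA_AND_ARCHIVE and e.image in SHELLS:
                findings.append(("unexpected_child_process", e.pid))
        elif e.kind == "uac_prompt":
            prompted.add(e.pid)
        elif e.kind == "integrity":
            # Rule 2: medium -> high with no consent prompt (UAC bypass indicator)
            if (integrity.get(e.pid), e.integrity) == ("medium", "high") and e.pid not in prompted:
                findings.append(("elevation_without_prompt", e.pid))
            integrity[e.pid] = e.integrity
        elif e.kind == "inject":
            # Rule 3: memory injection into a process outside the caller's family
            if e.target not in ancestors(e.pid, parent) and e.pid not in ancestors(e.target, parent):
                findings.append(("cross_family_injection", e.pid))
        elif e.kind == "file_write" and e.target.lower().startswith(r"c:\windows\system32"):
            # Rule 4: write into a protected system directory
            findings.append(("protected_path_write", e.pid))
    return findings
```

Running analyse(SAMPLE_EVENTS) yields four findings, all against pid 101; the same elevation preceded by a uac_prompt event for that pid yields none.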
 
Furthermore, does the default deny approach in the intrusion prevention component help further mitigate this type of attack?
 