I don't understand the "Perform actions automatically" part

S

Studynxx

Level 1
Thread author
Jan 20, 2023
41
I followed Harlan's guide to put all apps that couldn't be categorized to High Restricted, as well as apps that start before KTS, also do not trust digitally signed apps

However, when I run some questionable exe from a torrent site in a VM as part of a test, they still run just fine. Why? I double checked and they ARE in the High Restricted group
 
  • Like
Reactions: Jack
Bot

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,477
"High Restricted" doesn't mean the apps are completely blocked. It means Kaspersky will monitor them closely for suspicious activities. If you want to completely block an application, you should move it to the "Untrusted" category.
 
  • Like
Reactions: TairikuOkami, Trident and Jack
harlan4096

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,677
I usually move unknown apps to Untrusted, not High Restricted, there is a difference, in Untrusted an app won't run :) but in High Restricted, still could run but with very low rights to perform its activities...

But lately I have the IP settings like this:

1712991158645.png
 
  • Like
  • +Reputation
Reactions: oldschool, Berny, LennyFox and 1 other person
harlan4096

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,677
What says KSN about that questionable exe running in High Restricted? Show a picture of the info in the Intrusion Prevention, example:

1712991378385.png
 
  • Like
Reactions: Berny and Trident
S

Studynxx

Level 1
Thread author
Jan 20, 2023
41
Bot said:
"High Restricted" doesn't mean the apps are completely blocked. It means Kaspersky will monitor them closely for suspicious activities. If you want to completely block an application, you should move it to the "Untrusted" category.
Click to expand...
So Kaspersky will first run the app or program in a sandbox and depending on its behavior (ie what registry changes does it try to make, what files does it try to read, what DNS records does it try to resolve, what IP addresses does it try to talk to, etc) it will either allow it to run or not? Since I have the "Perform actions automatically" ticked

harlan4096 said:
What says KSN about that questionable exe running in High Restricted? Show a picture of the info in the Intrusion Prevention, example:

View attachment 282773
Click to expand...
1712995196366.png


Mind you, this is NOT the official Macrium but a torrented version for the sake of testing KTS. Not a fan of pirating either, but as mentioned before, I'm testing KTS using these pirated things
 
S

Studynxx

Level 1
Thread author
Jan 20, 2023
41
Bot said:
"High Restricted" doesn't mean the apps are completely blocked. It means Kaspersky will monitor them closely for suspicious activities. If you want to completely block an application, you should move it to the "Untrusted" category.
Click to expand...
Btw does KTS monitor apps in the High Restricted group much more closely, strictly than it does apps in the Low Restricted group?
 
Bot

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,477
Studynxx said:
So Kaspersky will first run the app or program in a sandbox and depending on its behavior (ie what registry changes does it try to make, what files does it try to read, what DNS records does it try to resolve, what IP addresses does it try to talk to, etc) it will either allow it to run or not? Since I have the "Perform actions automatically" ticked
Click to expand...
Yes, Kaspersky analyzes the behavior of the app in a secure environment ("sandbox"). If the app shows suspicious behavior, Kaspersky takes appropriate action. With "Perform actions automatically" enabled, Kaspersky decides what action to take without asking you.
 
Bot

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,477
Studynxx said:
Btw does KTS monitor apps in the High Restricted group much more closely, strictly than it does apps in the Low Restricted group?
Click to expand...
Yes, Kaspersky Total Security (KTS) monitors applications in the "High Restricted" group more closely than those in the "Low Restricted" group. The higher the restriction level, the more strict the monitoring is.
 
harlan4096

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,677
There is no sandbox pre-execution in Intrusion Prevention, it just follows the rules We have set, in my case: if unknown in KSN -> Untrusted, if issues in certificate -> Untrusted.

You can see this:

1712996004070.png


Why are You checking KTS? and not any of the new product line such as K. Standard or Plus?
 
  • Like
Reactions: Berny and Trident
harlan4096

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,677
If You want to check what is monitored (default rules/rights) in any of the groups, for example in High Restricted, just go to Intrusion Prevention -> Manage Applications, select High Restricted main line -> 1 right mouse click -> Details and Rules, check tabs: Files and System registry, Rights, Network rules.

Of course, We can change or add rules to those default ones of any group.
 
  • Like
Reactions: Berny and Trident
S

Studynxx

Level 1
Thread author
Jan 20, 2023
41
harlan4096 said:
If You want to check what is monitored (default rules/rights) in any of the groups, for example in High Restricted, just go to Intrusion Prevention -> Manage Applications, select High Restricted main line -> 1 right mouse click -> Details and Rules, check tabs: Files and System registry, Rights, Network rules.

Of course, We can change or add rules to those default ones of any group.
Click to expand...
Wait, wait, what I don't understand is how come if it's in High Restricted and I for example backup a folder and its files to another location, merely as a test so nothing actually worthy to me, it can still do that? I thought High Restricted barely had any read access, let alone write access... I left all of its privileges on default.
 
harlan4096

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,677
Those rules are applied in case that app is executed and its activities while running, but not when You copy or move it in the system.
 
  • Like
  • Applause
Reactions: Berny and Trident
S

Studynxx

Level 1
Thread author
Jan 20, 2023
41
harlan4096 said:
Those rules are applied in case that app is executed and its activities while running, but not when You copy or move it in the system.
Click to expand...
Wdym not when I copy or mvoe it in the system? I didn't change its default location, I just installed it
 
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,739
What Harlan is saying is these restrictions apply to the apps and processes that have been put in the relevant group. It does not apply to any actions you or other users perform in folders, as these actions are done via the trusted explorer.exe. To restrict other users from accessing, changing and deleting files, you will have to create user accounts for them and manage the folder permissions in explorer accordingly.

If some ransomware script or executable wants to access or change resources (folders) you’ve added as protected, this will be blocked.

Also, you can see restrictions as Harlan explained or by accessing this:

Controlling application activity on the computer and on the network

support.kaspersky.com support.kaspersky.com

There is no sandboxing, ignore the bot.
Kaspersky uses dynamic emulator (like many other AVs if not all) to execute instructions of interest and monitor how the app behaves before you execute it.
This allows for more efficient detection of packers and obfuscated malware.
The higher the heuristic aggressiveness level, the more instructions are emulated, according to Kaspersky documentation.
Dynamic emulator is not related to Intrusion Detection.
 
Last edited:
  • +Reputation
  • Like
Reactions: oldschool, harlan4096 and likeastar20
L

likeastar20

Level 8
Verified
Mar 24, 2016
362
Trident said:
What Harlan is saying is these restrictions apply to the apps and processes that have been put in the relevant group. It does not apply to any actions you or other users perform in folders, as these actions are done via the trusted explorer.exe. To restrict other users from accessing, changing and deleting files, you will have to create user accounts for them and manage the folder permissions in explorer accordingly.

If some ransomware script or executable wants to access or change resources (folders) you’ve added as protected, this will be blocked.

Also, you can see restrictions as Harlan explained or by accessing this:

Controlling application activity on the computer and on the network

support.kaspersky.com support.kaspersky.com

There is no sandboxing, ignore the bot.
Kaspersky uses dynamic emulator (like many other AVs if not all) to execute instructions of interest and monitor how the app behaves before you execute it.
This allows for more efficient detection of packers and obfuscated malware.
The higher the heuristic aggressiveness level, the more instructions are emulated, according to Kaspersky documentation.
Dynamic emulator is not related to Intrusion Detection.
Click to expand...
Can you link the documentation ?
 
  • Like
Reactions: Trident
harlan4096

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,677
Then only "sandbox" Kaspersky has now is for supported browsers in Safe Money sessions.

Many years ago, I recall, probably in 2011 🤔, Kaspersky tried only during a while, a full desktop mode sandboxed, but it consumed too many resources, and was removed, so They only kept sandbox for browser.

Aaaah what times those were... nostalgia surrounds me:
1713000007489.png


1713000083005.png

1713000108830.png

Source
 
  • +Reputation
  • Like
Reactions: oldschool, Trident, Shadowra and 2 others
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,739
likeastar20 said:
Do you have any info on VHO? What exactly is VHO: ?
Click to expand...
To be honest I have no information. Bot called it Verifiable Heuristic Object, @harlan4096 says it means Very Harmful Object, another user has claimed it’s Vis Hash Online. To me it looks like you are right, most likely VHO is the equivalent of some cloud-verified heuristics, such as the McAfee JTI (Joint Threat Intelligence) that combines heuristics with Artemis reputation.
And like the Defender and Avast ML.

Can you put this file on another system, disconnect it from the web and check whether it will still be detected by Kaspersky?
 
  • Like
  • +Reputation
Reactions: likeastar20 and harlan4096
Practical Response

Practical Response

Level 8
Mar 10, 2024
363
Trident said:
To be honest I have no information. Bot called it Verifiable Heuristic Object, @harlan4096 says it means Very Harmful Object, another user has claimed it’s Vis Hash Online. To me it looks like you are right, most likely VHO is the equivalent of some cloud-verified heuristics, such as the McAfee JTI (Joint Threat Intelligence) that combines heuristics with Artemis reputation.
And like the Defender and Avast ML.

Can you put this file on another system, disconnect it from the web and check whether it will still be detected by Kaspersky?
Click to expand...
It's part of the heuristic scans and is a detection category indicating a "very harmful object".
 
  • Like
Reactions: likeastar20, harlan4096 and Trident

Similar threads

S
    • Like
  • Locked
How could I get malware with KTS Hardened?
Replies
6
Views
479
Kaspersky
mlnevese
mlnevese
Guilhermesene
    • Like
    • Applause
Hot Take [Tutorial] Update Kaspersky when starting the system automatically
Replies
9
Views
756
Kaspersky
Jonny Quest
Jonny Quest
jv16
    • Like
    • Thanks
    • Applause
Serious Discussion Uninstalr: Or how I tested all the Windows uninstallers and ended up making a new one
Replies
158
Views
14,188
System utilities
upnorth
upnorth

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top