Question Intrusion prevention not working as expected

Razza

Level 4
Thread author
Verified
Well-known
Aug 12, 2014
163
Hi, I am trying to configure Intrusion Prevention so that only Google Chrome can access the browser data in C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\*. The way I've set it up is that I added every Chrome exe to a subgroup of Trusted, and in Manage Resources I set every other group to deny but set the subgroup containing the Chrome executables to allow. It's not working, since Kaspersky seems to be ignoring the allow and using the deny setting of the Trusted group.

Here is the log entry for it.

12/07/2023 16:05:54;We applied the rule created by you to control activity of the application;Google Chrome;chrome.exe;C:\Program Files\Google\Chrome\Application;5164;DESKTOP-*****\Ryan;Initiator;Modify;Blocked;Blocked;Personal data;File access;High;;settings.dat;C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Crashpad;File;Personal data

That application is set to allow.

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,693
Can you also post the rule of the folder, and where did you place the rule?

Anyway, I already posted in a different thread some weeks ago that this kind of very strict rule may cause some issues, since some system services probably also need access to that folder, so you can't BLOCK EVERYTHING IN THE SYSTEM except Chrome from accessing it...

Razza

Can you also post the rule of the folder, and where did you place the rule?

Anyway, I already posted in a different thread some weeks ago that this kind of very strict rule may cause some issues, since some system services probably also need access to that folder, so you can't BLOCK EVERYTHING IN THE SYSTEM except Chrome from accessing it...

The rule is placed under user files. I've edited it to be less restrictive, to only allow Trusted. Google Chrome is trusted, and every system file should also be trusted, but there is still the same message in the logs:

Today, 12/07/2023 18:24:54;We applied the rule created by you to control activity of the application;Google Chrome;.exe;C:\Program Files\Google\Chrome\Application;8792;DESKTOP-XXXX\Ryan;Initiator;Modify;Blocked;Blocked;Personal data;File access;High;;settings.dat;C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Crashpad;File;Personal data

If Kaspersky was actually applying the rule I created, then it should have allowed chrome.exe, not blocked it.

Razza

Having Trusted set to deny and allowing the Google and Microsoft groups works. I might try later to see which Microsoft executables are needed; I've tried just explorer, and that's not enough.

A minor annoyance: the rules don't seem to get updated unless I reboot the system.
 

Razza

I tried restricting just the folder that actually stores the profile, C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Default\*, to just Chrome. It did open but resulted in a profile load error; adding Microsoft fixed it.

I think the best I'm going to get is limiting it to Chrome and Microsoft, which works without issue. The other option is to allow each MS process one by one until I find the needed one, but I don't think I'm going to waste my time finding it. Thanks for trying to debug the issue @harlan4096.
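
An alternative to allowing executables one by one is to let the deny rule run and tally what it blocks. The following is an added example (not from any poster in this thread and not Kaspersky's code) that counts blocked initiators under a protected folder from exported report lines. The column positions are inferred from the log entry quoted in the first post and are an assumption; every sample row except the first is constructed.

```python
import csv
from collections import Counter
from io import StringIO

# Assumption: column positions inferred from the report line quoted in the thread,
# not from a documented export format.
EXE, APP_DIR, OPERATION, RESULT, OBJ_DIR = 3, 4, 8, 9, 16
MIN_FIELDS = 17

UD = r"C:\Users\Ryan\AppData\Local\Google\Chrome\User Data"
# Template for constructed rows in the same semicolon layout.
ROW = ("12/07/2023 16:10:00;constructed event;{0};{1};{2};1;PC\\Ryan;Initiator;{3};{4};{4};"
       "Personal data;File access;High;;{5};{6};File;Personal data")
CHROME_DIR = r"C:\Program Files\Google\Chrome\Application"
SAMPLE = "\n".join([
    # First row is the entry from the thread; the rest are constructed.
    r"12/07/2023 16:05:54;We applied the rule created by you to control activity of the application;Google Chrome;chrome.exe;C:\Program Files\Google\Chrome\Application;5164;DESKTOP-*****\Ryan;Initiator;Modify;Blocked;Blocked;Personal data;File access;High;;settings.dat;C:\Users\Ryan\AppData\Local\Google\Chrome\User Data\Crashpad;File;Personal data",
    ROW.format("Google Chrome", "chrome.exe", CHROME_DIR, "Modify", "Blocked", "settings.dat", UD + r"\Crashpad"),
    ROW.format("Windows Explorer", "explorer.exe", r"C:\Windows", "Read", "Blocked", "Preferences", UD + r"\Default"),
    ROW.format("Google Chrome", "chrome.exe", CHROME_DIR, "Read", "Allowed", "Cookies", UD + r"\Default"),
    # Sibling folder that merely shares the name prefix; must not be counted.
    ROW.format("Hypothetical Tool", "tool.exe", r"C:\Tools", "Read", "Blocked", "x.txt", UD + " Backup"),
])

def blocked_initiators(report_text, protected_root):
    """Count blocked accesses under protected_root, keyed by (initiator path, operation)."""
    root = protected_root.rstrip("\\").lower()
    hits = Counter()
    for row in csv.reader(StringIO(report_text), delimiter=";", quoting=csv.QUOTE_NONE):
        if len(row) < MIN_FIELDS or row[RESULT] != "Blocked":
            continue  # blank/short line, or an event that was allowed
        obj_dir = row[OBJ_DIR].lower()
        # Match the folder itself or a real subfolder, not "User Data Backup".
        if obj_dir != root and not obj_dir.startswith(root + "\\"):
            continue
        hits[(row[APP_DIR] + "\\" + row[EXE], row[OPERATION])] += 1
    return hits

if __name__ == "__main__":
    for (exe, op), n in blocked_initiators(SAMPLE, UD).most_common():
        print(f"{n:3d}  {op:6s}  {exe}")
```

Each initiator in the output is a candidate for an explicit allow entry; review what it is and why it touches the profile before adding it.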
 
