First of all, the KSN cloud data is used to classify applications into the 4 trust groups (if you've kept that option of auto-classification in settings selected). You cannot expect that data to be correct 100% of times, yet the chances of incorrect classification based on the parameters KSN uses is rare. Even other vendors have some sort of vulnerability in such cases. For eg. trusting a valid digitally signed file
completely.
For example: suppose that, for my documents folder, I have denied write, create, and delete permissions for all restricted groups (LR and HR). Is it possible that an unknown ransomware, undetected by Kaspersky, can encrypt my files? (Considering that the ransomware was moved to one of the restricted groups).
You could have either set Write/Delete access to "deny" or "prompt for action". Suppose that you've denied write access to XYZ folders for the Low-restricted and the High-restricted applications, these apps will surely not be able to modify those XYZ folder files.
Also, be it in trusted or in lower groups, the "System Watcher" ie. the behavior blocker will monitor the all of the running processes (except those for which you've manually set "exclusions") for any malicious activities by computing a threat score for the set of actions performed by the running processes. A threshold reached and the activity is alerted about!
Hence any encryption activity should potentially be blocked by the System Watcher and a rollback will be available if there was enough free space in your system "Temp" directory.
I mean, even if Kaspersky consider it as a safe program, App control would still deny any changes. Is that correct?
I think this is partially answered above.
Also, if a malicious app is set to 'Trusted' by Kaspersky (very rare chances) or by you, certain activities by that app like code injection into other process like firefox or possibly svchost or msiexec.exe ...will be allowed (you can find the actions and access allowed for trusted apps in-app) and it may not be possible to distinguish between good and bad injection since some good apps perform it too. However, the System Watcher and other components like Firewall and Web protection might defeat the malicious actions that follow the process injection. Svchost is now monitored by Kaspersky though it was set to exclusions sometime long back.
If some malicious payload is downloaded via the injected process, you know it can be handled in usual ways. If the injected app is transmitting some personal data to remote servers, I doubt if we can do much in that case unless Kaspersky identifies the malicious server or a malicious pattern in the process.
You know you've the option to select the trust group for 'unknown applications' and for 'the ones that start before Kaspersky'. Set both to 'High Restricted' unless the latter creates some notable issues.
KIS 2018 is available and you can switch to it to get a boot time protection recently added.
