shmu26

Level 83
Verified
Trusted
Content Creator
If I block a process in application control, does that mean it is blocked from the very beginning, or only after kaspersky loads?
Reactions: harlan4096

harlan4096

Level 63
Verified
Staff member
Malware Hunter
Check this, taken from the online help of K2017:
Change trust group for applications started before startup of Kaspersky Total Security

Clicking this link opens the Trust group for applications started before startup of Kaspersky Total Security window. In this window, you can change the trust group for applications started before startup of Kaspersky Total Security. Network activity of applications started before the startup of Kaspersky Total Security is controlled according to rules of the selected trust group.

By default, applications started before the startup of Kaspersky Total Security are assigned to one of the trust groups based on the rules created by Kaspersky Lab.
Reactions: shukla44 and shmu26

harlan4096

Level 63
Verified
Staff member
Malware Hunter
We all know that video of CruelSister... probably this is not a real scenario; we don't really know if she used a trusted file (no restrictions by default) to drop that malware. Also, she didn't modify the setting in Performance:
Release resources to the operating system when the computer starts

This check box controls the use of operating system resources by Kaspersky Total Security.

If this check box is selected, only critical protection components of Kaspersky Total Security are run at the startup of the operating system. Protection is completely enabled after the operating system loads.

If this check box is cleared, all protection components are run simultaneously when the operating system starts up.

This check box is selected by default.
which is usually enabled by default, but I have it disabled for better protection...
Reactions: shukla44

SHvFl

Level 35
Verified
Trusted
Content Creator
We all know that video of CruelSister... probably this is not a real scenario; we don't really know if she used a trusted file (no restrictions by default) to drop that malware,
She changed the level of unknown applications to untrusted and moved all settings to max. Check the video.
Now, about the resources at startup, maybe, but until I see it with my own eyes I personally consider it irrelevant. Maybe @shmu26 doesn't though, so it's good that you mentioned it.
 

harlan4096

Level 63
Verified
Staff member
Malware Hunter
Even if she changed those levels to max, if the sample is digitally signed it still has no restrictions, so those max settings are also irrelevant...
Reactions: shukla44 and SHvFl

harlan4096

Level 63
Verified
Staff member
Malware Hunter
The issues from blocking them by default would probably be even worse :D and would cause many false positives or issues running many legal applications with restrictions; some other AV firms also do the same. Maybe the main problem is the application digital signing scheme in general...

Added: it seems some changes will come soon about managing signed files:

KJIM, WLEngine, HIPSDB, VLNS3, SystemWatcher modules update - Kaspersky Lab Forum
Reactions: SHvFl

shmu26

Level 83
Verified
Trusted
Content Creator
Getting back to my original question, the situation I am concerned with is like this:
You install a program or open a file that seems innocent, and in fact it doesn't show suspicious behavior, at least at first.
But at boot, the payload does its business, before your security softs have a chance to load.
This problem is not limited to Kaspersky, of course, but I thought that maybe Kaspersky had a solution for it.
Maybe Harlan's tweak of unticking "Release resources to the operating system when the computer starts" is the best protection, coupled with blocking script interpreters and PowerShell tools by means of Application Control.
 

SHvFl

Level 35
Verified
Trusted
Content Creator
Getting back to my original question, the situation I am concerned with is like this:
You install a program or open a file that seems innocent, and in fact it doesn't show suspicious behavior, at least at first.
But at boot, the payload does its business, before your security softs have a chance to load.
This problem is not limited to Kaspersky, of course, but I thought that maybe Kaspersky had a solution for it.
Maybe Harlan's tweak of unticking "Release resources to the operating system when the computer starts" is the best protection, coupled with blocking script interpreters and PowerShell tools by means of Application Control.
You are missing the point. If you install and run something yourself, it will be allowed. The only way to stop that is if your heuristic or signature program detects it and blocks it. You can't expect application control/anti-exe etc. to stop something you run yourself without detecting it.
Each program has its own ways to deal with that. Kaspersky tries with trust levels, ReHIPS does it with isolated programs.
 

shmu26

Level 83
Verified
Trusted
Content Creator
You are missing the point. If you install and run something yourself, it will be allowed. The only way to stop that is if your heuristic or signature program detects it and blocks it. You can't expect application control/anti-exe etc. to stop something you run yourself without detecting it.
Each program has its own ways to deal with that. Kaspersky tries with trust levels, ReHIPS does it with isolated programs.
If you installed file X, and you allowed it, then it will run and will not be blocked.
But if you installed file X, and then it goes and installs file Z, and file Z tries to run a script, it should be blocked.
 

SHvFl

Level 35
Verified
Trusted
Content Creator
If you installed file X, and you allowed it, then it will run and will not be blocked.
But if you installed file X, and then it goes and installs file Z, and file Z tries to run a script, it should be blocked.
Sure, and they all try to block that. Some do it better than others.
What is better, though, is to be careful what you install. That is 100% protection from installed programs.
 

shmu26

Level 83
Verified
Trusted
Content Creator
Sure, and they all try to block that. Some do it better than others.
What is better, though, is to be careful what you install. That is 100% protection from installed programs.
Good, so we are on the same page.
The thing is this: which one starts first, the security soft, or the payload that wants to run a script or load a driver?
You want to find a way that your security soft loads first, of course.
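A way to check that question on your own machine, added here as an example and not taken from the thread or from any Kaspersky documentation: Windows decides load order from the Start value under each entry in HKLM\SYSTEM\CurrentControlSet\Services (0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled), and anything in the Run/RunOnce keys only executes after logon, so a security product's kernel drivers registered as Boot or System start are loaded before any Run-key autostart can run. The script lists the Boot/System-start drivers, the entries matching a vendor pattern, and the Run-key autostarts so you can compare them. The default $VendorPattern is an assumption about how Kaspersky names its services and drivers; adjust it for the product you actually run.

```powershell
# Added example (not from the thread): show what Windows loads at boot/system
# start versus what only runs after logon, so the "which starts first" question
# can be answered from the registry rather than guessed.
param(
    # Assumption: Kaspersky services/drivers are named with "Kaspersky" or a "kl" prefix.
    [string]$VendorPattern = 'Kaspersky|^kl'
)

$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$typeNames  = @{ 1 = 'KernelDriver'; 2 = 'FileSystemDriver'; 16 = 'Win32Own'; 32 = 'Win32Shared' }

# Every kernel driver and Win32 service is registered here; Start decides when it loads.
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($null -ne $p.Start) {
        [pscustomobject]@{
            Name      = $_.PSChildName
            Type      = if ($typeNames.ContainsKey([int]$p.Type)) { $typeNames[[int]$p.Type] } else { $p.Type }
            Start     = $startNames[[int]$p.Start]
            StartCode = [int]$p.Start
            Group     = $p.Group
            ImagePath = $p.ImagePath
        }
    }
}

"== Boot-start and system-start entries (loaded by the kernel before any user-mode program) =="
$services | Where-Object { $_.StartCode -le 1 } |
    Sort-Object StartCode, Group, Name |
    Format-Table Name, Type, Start, Group, ImagePath -AutoSize

"== Entries matching the vendor pattern '$VendorPattern' =="
$services | Where-Object { $_.Name -match $VendorPattern -or "$($_.ImagePath)" -match $VendorPattern } |
    Sort-Object StartCode, Name |
    Format-Table Name, Type, Start, Group, ImagePath -AutoSize

"== Run/RunOnce autostarts (user mode, executed only after logon) =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # skip PowerShell's own PSPath/PSParentPath noise
            ForEach-Object { '{0} : {1} = {2}' -f $k, $_.Name, $_.Value }
    }
}
```

Run it from an elevated PowerShell prompt so every service key is readable. Within the Boot and System start classes the order is further fixed by the Group column and the list in HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder, so two Boot-start drivers are not equal: the one whose group comes earlier loads first. A Run-key entry or a scheduled task, by contrast, can never beat a Boot-start filter driver, which is why the distinction the thread draws between "before Kaspersky loads" and "after" mostly turns on whether the product's drivers are Boot/System start and on the "Release resources to the operating system when the computer starts" setting quoted above, which delays the non-critical components rather than the drivers.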
 

SHvFl

Level 35
Verified
Trusted
Content Creator
Good, so we are on the same page.
The thing is this: which one starts first, the security soft, or the payload that wants to run a script or load a driver?
You want to find a way that your security soft loads first, of course.
You really can't. At least I don't know what each malware does to load really fast and whether it will be faster than the things I use. That's why you need to be careful about what you install. When you install something, you lose protection the moment it happens. It might already have started logging every key you press and sending it to some bad guy's server.
Boot protection is really trivial. It's not a bad thing to have, but in reality, if you are so far gone that it's needed, you are in bad shape.
Reactions: shukla44