Advice Request Kaspersky Application Control and Bootup

Please provide comments and solutions that are helpful to the author of this topic.
Status
Not open for further replies.
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Jul 3, 2015
8,148
1
31,237
8,388
Middle Earth
If I block a process in application control, does that mean it is blocked from the very beginning, or only after kaspersky loads?
 
  • Like
Reactions: harlan4096
Check this, taken from online help of K2017:
Change trust group for applications started before startup of Kaspersky Total Security

Clicking this link opens the Trust group for applications started before startup of Kaspersky Total Security window. In this window, you can change the trust group for applications started before startup of Kaspersky Total Security. Network activity of applications started before the startup of Kaspersky Total Security is controlled according to rules of the selected trust group.

By default, applications started before the startup of Kaspersky Total Security are assigned to one of the trust groups based on the rules created by Kaspersky Lab.
Click to expand...
 
  • Like
Reactions: shukla44 and shmu26
We all know that video of CruelSister... probably this is no a real scenario, we don't know really if She used a trusted file (no restrictions by default) to drop that malware, also She didn't modify the setting in Performance:
Release resources to the operating system when the computer starts

This check box controls the use of operating system resources by Kaspersky Total Security.

If this check box is selected, only critical protection components of Kaspersky Total Security are run at the startup of the operating system. Protection is completely enabled after the operating system loads.

If this check box is cleared, all protection components are run simultaneously when the operating system starts up.

This check box is selected by default.
Click to expand...
Which is usually enabled by default but I have it disabled for better protection...
 
  • Like
Reactions: shukla44
harlan4096 said:
We all know that video of CruelSister... probably this is no a real scenario, we don't know really if She used a trusted file (no restrictions by default) to drop that malware,
Click to expand...
She changed the level of unknown application to untrusted and moved all settings to max . Check the video.
Now about the resources at startup maybe but until i see in my own eyes i personally consider it irrelevant. Maybe @shmu26 doesn't though so good that you mentioned it.
 
  • Like
Reactions: shukla44 and harlan4096
Even if She changed that levels to max, if the sample is digitally signed still has no restrictions, so those max settings are also irrelevant...
 
  • Like
Reactions: shukla44 and SHvFl
harlan4096 said:
Even if She changed that levels to max, if the sample is digitally signed still has no restrictions, so those max settings are also irrelevant...
Click to expand...
Sure. Do you personally consider that a flaw of Kaspersky that it doesn't restrict unknown digitally signed files?
 
  • Like
Reactions: shukla44 and harlan4096
The issues blocking them by default probably would be even worse :D and would get many false positives or issues running many legal applications with restrictions, some others av firms also do the same, maybe the main problem is application digitally signing scheme in general...

Added: it seems some changes will come soon about managing signed files:

KJIM, WLEngine, HIPSDB, VLNS3, SystemWatcher modules update - Kaspersky Lab Forum
 
  • Like
Reactions: SHvFl
getting back to my original question, the situation I am concerned with is like this:
you install a program or open a file that seems innocent, and in fact it doesn't show suspicious behavior, at least at first.
but at boot, the payload does its business, before your security softs have a chance to load.
This problem is not limited to Kaspersky, of course, but I thought that maybe Kaspersky had a solution for it.
Maybe Harlan's tweak of unticking Release resources to the operating system when the computer starts is the best protection, coupled with blocking script interpreters and powershell tools by means of Application Control
 
  • Like
Reactions: shukla44 and harlan4096
shmu26 said:
getting back to my original question, the situation I am concerned with is like this:
you install a program or open a file that seems innocent, and in fact it doesn't show suspicious behavior, at least at first.
but at boot, the payload does its business, before your security softs have a chance to load.
This problem is not limited to Kaspersky, of course, but I thought that maybe Kaspersky had a solution for it.
Maybe Harlan's tweak of unticking Release resources to the operating system when the computer starts is the best protection, coupled with blocking script interpreters and powershell tools by means of Application Control
Click to expand...
You are missing the point. If you install and run something yourself it will be allowed. Only way to stop that is if your heuristic or signature program detects it and blocks it. You can't expect application control/anti exe etc to stop something you run yourself without detecting it.
Each program has it's ways to deal with that. Kaspersky tries with trusted levels, ReHips does it with isolated programs.
 
  • Like
Reactions: shukla44 and harlan4096
SHvFl said:
You are missing the point. If you install and run something yourself it will be allowed. Only way to stop that is if your heuristic or signature program detects it and blocks it. You can't expect application control/anti exe etc to stop something you run yourself without detecting it.
Each program has it's ways to deal with that. Kaspersky tries with trusted levels, ReHips does it with isolated programs.
Click to expand...
if you installed file X, and you allowed it, then it will run and will not be blocked.
But if you installed file X, and then it goes and installs file Z, and file Z tries to run a script, it should be blocked.
 
  • Like
Reactions: shukla44 and harlan4096
shmu26 said:
if you installed file X, and you allowed it, then it will run and will not be blocked.
But if you installed file X, and then it goes and installs file Z, and file Z tries to run a script, it should be blocked.
Click to expand...
Sure and they all try to block that. Some do it better than others.
What is better though it be careful what you install. That is 100% protection from installed programs.
 
  • Like
Reactions: shukla44 and harlan4096
SHvFl said:
Sure and they all try to block that. Some do it better than others.
What is better though it be careful what you install. That is 100% protection from installed programs.
Click to expand...
good, so we are on the same page.
the thing is this: which one starts first, the security soft, or the payload that wants to run a script or load a driver?
You want to find a way that your security soft loads first, of course.
 
  • Like
Reactions: shukla44, harlan4096 and SHvFl
shmu26 said:
good, so we are on the same page.
the thing is this: which one starts first, the security soft, or the payload that wants to run a script or load a driver?
You want to find a way that your security soft loads first, of course.
Click to expand...
You really can't. At least i don't know what each malware does to load really fast and if it will be faster than things i use. That's why you need to be careful of what you install. When you install something you lose protection the moment it happens. It might already started logging every key you press and send it to some server of a bad guy.
Boot protection is really trivial. It's not something bad to have but in reality if you are so far gone that it's needed you are in a bad shape.
 
  • Like
Reactions: shukla44
Status
Not open for further replies.

You may also like...