- Jul 3, 2015
- 8,153
If I block a process in application control, does that mean it is blocked from the very beginning, or only after kaspersky loads?
Kaspersky Application Control and Bootup
- Thread starter shmu26
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Status
- Apr 28, 2015
- 9,037
- Nov 19, 2014
- 2,350
- Apr 28, 2015
- 9,037
We all know that video of CruelSister... probably this is no a real scenario, we don't know really if She used a trusted file (no restrictions by default) to drop that malware, also She didn't modify the setting in Performance:
Which is usually enabled by default but I have it disabled for better protection...
- Nov 19, 2014
- 2,350
She changed the level of unknown application to untrusted and moved all settings to max . Check the video.
Now about the resources at startup maybe but until i see in my own eyes i personally consider it irrelevant. Maybe @shmu26 doesn't though so good that you mentioned it.
- Apr 28, 2015
- 9,037
Even if She changed that levels to max, if the sample is digitally signed still has no restrictions, so those max settings are also irrelevant...
- Nov 19, 2014
- 2,350
Sure. Do you personally consider that a flaw of Kaspersky that it doesn't restrict unknown digitally signed files?
- Apr 28, 2015
- 9,037
The issues blocking them by default probably would be even worse 
and would get many false positives or issues running many legal applications with restrictions, some others av firms also do the same, maybe the main problem is application digitally signing scheme in general...
Added: it seems some changes will come soon about managing signed files:
KJIM, WLEngine, HIPSDB, VLNS3, SystemWatcher modules update - Kaspersky Lab Forum
and would get many false positives or issues running many legal applications with restrictions, some others av firms also do the same, maybe the main problem is application digitally signing scheme in general...Added: it seems some changes will come soon about managing signed files:
KJIM, WLEngine, HIPSDB, VLNS3, SystemWatcher modules update - Kaspersky Lab Forum
- Jul 3, 2015
- 8,153
getting back to my original question, the situation I am concerned with is like this:
you install a program or open a file that seems innocent, and in fact it doesn't show suspicious behavior, at least at first.
but at boot, the payload does its business, before your security softs have a chance to load.
This problem is not limited to Kaspersky, of course, but I thought that maybe Kaspersky had a solution for it.
Maybe Harlan's tweak of unticking Release resources to the operating system when the computer starts is the best protection, coupled with blocking script interpreters and powershell tools by means of Application Control
you install a program or open a file that seems innocent, and in fact it doesn't show suspicious behavior, at least at first.
but at boot, the payload does its business, before your security softs have a chance to load.
This problem is not limited to Kaspersky, of course, but I thought that maybe Kaspersky had a solution for it.
Maybe Harlan's tweak of unticking Release resources to the operating system when the computer starts is the best protection, coupled with blocking script interpreters and powershell tools by means of Application Control
- Nov 19, 2014
- 2,350
You are missing the point. If you install and run something yourself it will be allowed. Only way to stop that is if your heuristic or signature program detects it and blocks it. You can't expect application control/anti exe etc to stop something you run yourself without detecting it.
Each program has it's ways to deal with that. Kaspersky tries with trusted levels, ReHips does it with isolated programs.
- Jul 3, 2015
- 8,153
if you installed file X, and you allowed it, then it will run and will not be blocked.
But if you installed file X, and then it goes and installs file Z, and file Z tries to run a script, it should be blocked.
- Nov 19, 2014
- 2,350
Sure and they all try to block that. Some do it better than others.
What is better though it be careful what you install. That is 100% protection from installed programs.
- Jul 3, 2015
- 8,153
good, so we are on the same page.
the thing is this: which one starts first, the security soft, or the payload that wants to run a script or load a driver?
You want to find a way that your security soft loads first, of course.
- Nov 19, 2014
- 2,350
You really can't. At least i don't know what each malware does to load really fast and if it will be faster than things i use. That's why you need to be careful of what you install. When you install something you lose protection the moment it happens. It might already started logging every key you press and send it to some server of a bad guy.
Boot protection is really trivial. It's not something bad to have but in reality if you are so far gone that it's needed you are in a bad shape.
- Status
