Kaspersky Application Control - KIS 2017 bug?

Deleted member 2913

Thread author
Win 10 64 Pro Anniversary Build Latest Update
Kaspersky Internet Security 2017 Latest Update
No other RealTime security software.

My portable programs SecurMyBit, VidCoder, etc... were under "Low Restricted" in Application Control.
I move them to "Trusted" in AC.
After a couple of days, the programs' rules are in neither "Trusted" nor "Low Restricted".
When I run the programs, they appear under "Low Restricted", and I again move them to "Trusted". But after a couple of days the same thing happens, i.e. the programs' rules are in neither "Trusted" nor "Low Restricted".

Is it a bug, or a bug on Win 10 64, or a bug in KIS 2017, or ...?

Any info?

Any Kaspersky users experience the above?
 

shukla44

Yes, this happens & not only in 2017 but in earlier versions as well.

I experience it as well, but not quite as often as you do. Mine comes when I am disconnected from the internet for a while and then connect again; then (I guess) KSN checks the app control rules again and places them (apps) as described in the KSN rule-set.

The problem comes from the setting 'Load rule for applications from KSN' in Application Control, which is enabled by default.

This shouldn't be a problem if you are using default settings (Auto-mode) as Low restricted is basically Trusted in auto-mode. But if you use interactive mode, this causes a lot of prompts which can be quite annoying.
 
Deleted member 2913

Thread author
Also, those portable applications, I guess, don't have a valid digital signature (or don't have any); that's why they are sent to Low Restricted as a minimum...
But if I manually move them to Trusted, they should be there in Trusted, ELSE what's the use of the option "Move to"?
 

Berny

Also, did you try, on top: Additional > Threats and Exclusions?
 

Cch123

Am I right to say that you did not use these apps for these few days?

What is happening here is that Kaspersky removes unused applications from the list periodically. It makes sense from their viewpoint; unused applications may very well mean they are no longer on the system, and if not purged periodically the database will only grow bigger. Then when you use the applications again, Kaspersky loads up its rules from its servers, thus they are classified under low restricted again.
 
Deleted member 2913

Thread author
I use those programs once a week or every 10 days, etc... not a very long gap.

Current experience...if I check after 4-6 days, rules are not there.
 
Deleted member 2913

Thread author
Right, I would not disable rules of KSN... what if You disable Auto Mode and change to Interactive Mode?
Interactive Mode would be a hassle for my family... it's a shared laptop of my family.

It's not a major problem yet... just wanted to know if it's a bug in Kaspersky or something?
 

shmu26

Right, I would not disable rules of KSN... what if You disable Auto Mode and change to Interactive Mode?

I would have to try that out and see if I can live with it. Interactive makes a lot of prompts, sort of like COMODO HIPS.

Question: what is a good setting for unknown files? It sounds like the default "low restricted" is not limiting enough to stop malware.
 

harlan4096

Sometimes "Low Restricted" is not enough to stop it, but probably the sensitive system areas are protected:
Low Restricted. Applications that do not have a digital signature from a trusted vendor and are not listed in the Kaspersky Lab database of trusted applications. These applications have certain restrictions on accessing other processes, controlling the system, and accessing the network without notifying the user. However, the user's permission is required for most operations.
Next step would be "High Restricted":
This group includes applications that are not listed in the base of trusted applications and do not have a digital signature. The applications from this group require user's permission for most actions affecting the system; some actions are not allowed to such applications.
So many times some malware may stay running in the system but without damaging it...

Better explained info:
  • Trusted—no limitations
  • Low Restricted—everything is allowed except for building into operating system modules
  • High Restricted—interaction with operating system modules and other programs are prohibited. A program is allowed to work only with its own segment of system memory
  • Untrusted—a program is prohibited even from starting
And:
  • Trusted. Applications with a digital signature by trusted vendors, or applications which are recorded in the base of trusted applications. These applications have no restrictions applied on actions performed in the system. Those applications' activity is monitored by File Anti-Virus.
  • Low Restricted. Applications that do not have a digital signature from a trusted vendor, and which are not listed in the base of trusted applications. However, these applications have received low value of the threat rating. They are allowed to perform some operations, such as access to other processes, system control, hidden network access. The user's permission is required for most operations.
  • High Restricted. Applications without a digital signature and which are not listed in the base of trusted applications. These applications have a high value of the threat rating. The applications of this group require the user's permission for most actions which affect the system: some actions are not allowed for such applications.
  • Untrusted. Applications without a digital signature and which are not listed in the base of trusted applications. These applications have received a very high value of the threat rating. Application Control blocks any actions performed by such applications.
 

shmu26

It sounds to me like some forms of ransomware would be able to encrypt files, at the low restricted level. On the other hand, it is not very likely that the ransomware would have a sig from the trusted vendors list, so it would fall into the high restricted category.
So all in all, the system does seem to make a lot of sense.
 

shmu26

Let's say I turn on interactive mode.
I go to a website and click on an ad, and my browser gets exploited.
The exploit wants to run PowerShell or some other sensitive Windows process.
Will I get a prompt for that, even though my browser is a trusted app?
 

harlan4096

This is not easy to answer since, depending on the activity of the exploit, probably yes or probably not... Kaspersky may detect something suspicious with some of its protection layers/modules...

The fact that your browser is in Trusted does not mean a suspicious activity will not be detected. For instance, this is a detection of a URL I tested today (in a different forum); I didn't even click on anything, just visited it (I didn't click or download anything manually):
[Attached screenshots of the detection: 10a.png, 10b.png, 10c.png]
Added: in Interactive Mode, I would have been asked about that detection.

My Firefox is in Trusted, of course, but KTS2017 in default settings detected malicious activity automatically ... this time it was by Heur, but it could be by signature, by System Watcher (behaviour or anti-exploit), etc... even, depending on the activity of the process, you may get some warnings from Application Control.
 

shmu26

What about setting the browser and PDF reader to low restricted? Will that help to prevent exploits, without interfering too much with the app's functionality?
 