Advice Request Kaspersky interactive mode and MS Word


Status
Not open for further replies.

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I put KIS 2018 in interactive mode, moved MS Word to "low restricted" category in Application Control, and allowed it to use network.
When I opened a Word doc, I got a number of prompts, which was to be expected.
But the thing that surprised me was I got no prompts at all when I used the "email" command and the "print" command, even though both of them execute external processes. What's up with that? Do I need to move Word to high restricted, if I want to monitor its activities?
 

509322

> I put KIS 2018 in interactive mode, moved MS Word to "low restricted" category in Application Control, and allowed it to use network.
> When I opened a Word doc, I got a number of prompts, which was to be expected.
> But the thing that surprised me was I got no prompts at all when I used the "email" command and the "print" command, even though both of them execute external processes. What's up with that? Do I need to move Word to high restricted, if I want to monitor its activities?

Adding processes to Low and High Restricted will expose a number of annoying bugs. You can ask @harlan4096 because I submitted quite a few through him to Kaspersky.

But go ahead, you should test and see for yourself.
 

shmu26

> Adding processes to Low and High Restricted will expose a number of annoying bugs. You can ask @harlan4096 because I submitted quite a few through him to Kaspersky.
>
> But go ahead, you should test and see for yourself.
I tried high restricted, and then Word prompted when I ran the email command.
Maybe I was spacing out, but I don't think it prompted me for the print command.

After looking more carefully into the settings, it seems that low restricted permits parent/child, so it makes sense that I did not see prompts for the actions I tried. High restricted looks like the way to go for control over exploitable apps.
I am looking forward to input from @harlan4096 .
 

shmu26

So it turns out that the print command is not seen by KIS as executing an external process; it is called "duplicate internal process handle" for explorer.exe.
Whatever that means...
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Since there is not so much info about the different restriction groups in Kaspersky Application Control (I mean, we don't have a complete list of privileges and services that are affected: allowed, denied, etc.), we may think that this is the right conclusion:
How to configure the Applications restriction option of Application Control in Kaspersky Internet Security 2012? / Application Privilege Control
Low Restricted. Applications that do not have a digital signature from a trusted vendor, and which are not listed in the base of trusted applications. However, these applications have received low value of the threat rating. They are allowed to perform some operations, such as access to other processes, system control, hidden network access. The user's permission is required for most operations.
 

shmu26

> Since there is not so much info about the different restriction groups in Kaspersky Application Control (I mean, we don't have a complete list of privileges and services that are affected: allowed, denied, etc.), we may think that this is the right conclusion:
> How to configure the Applications restriction option of Application Control in Kaspersky Internet Security 2012? / Application Privilege Control
Thanks.
Just playing around with it for a short while, but it looks like you can use high restricted to run Google Chrome, Internet Explorer, Foxit PDF Reader, as well as MS Word, Excel and PowerPoint.
But Outlook doesn't work. It needs low restricted.
 

509322

> I tried high restricted, and then Word prompted when I ran the email command.
> Maybe I was spacing out, but I don't think it prompted me for the print command.
>
> After looking more carefully into the settings, it seems that low restricted permits parent/child, so it makes sense that I did not see prompts for the actions I tried. High restricted looks like the way to go for control over exploitable apps.
> I am looking forward to input from @harlan4096 .

There is no network access in High Restricted. You might think there is because of the yellow question mark under the network column, but that is for inheritance. It is telling you that if a High Restricted process launches a child process, then the child process will be denied network access.

Prove it to yourself. Add a browser to the High Restricted group.

Enable Interactive Mode. Set your network to untrusted. Add all the usual programs to Low Restricted - browsers, Microsoft Office, video players, cmd, rundll32, regsvr32, etc - and run it like that for a week. I am willing to bet very heavily that you won't make it a week.
 

Venustus

Level 59
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
> Thanks.
> Just playing around with it for a short while, but it looks like you can use high restricted to run Google Chrome, Internet Explorer, Foxit PDF Reader, as well as MS Word, Excel and PowerPoint.
> But Outlook doesn't work. It needs low restricted.

DFX Audio Enhancer (paid version) does not audio stream when it is in "Low Restricted" mode, which KSN automatically assigns it to. You have to manually add it to "Trusted" for it to work properly!
I have sent a support ticket to Kaspersky regarding this! :)
 

509322

Different Kaspersky support personnel say conflicting things about a user adding "trusted" processes to Low or High Restricted. One says Low and High Restricted are not meant for "trusted" programs - and moving any there is product mis-use. Another acknowledges it can be done and yes, it does reveal hidden bugs. Anyway, Kaspersky development has accepted at least some of the bugs that were submitted via @harlan4096.
 

Venustus

> Different Kaspersky support personnel say conflicting things about a user adding "trusted" processes to Low or High Restricted. One says Low and High Restricted are not meant for "trusted" programs - and moving any there is product mis-use. Another acknowledges it can be done and yes, it does reveal hidden bugs. Anyway, Kaspersky development has accepted at least some of the bugs that were submitted via @harlan4096.

Indeed there is a bug somewhere in terms of how KSN rates a particular program, but I see no issue in assigning a "known" program to the "Trusted" group if it is indeed safe to run! :)
 

shmu26

> There is no network access in High Restricted. You might think there is because of the yellow question mark under the network column, but that is for inheritance. It is telling you that if a High Restricted process launches a child process, then the child process will be denied network access.
>
> Prove it to yourself. Add a browser to the High Restricted group.
>
> Enable Interactive Mode. Set your network to untrusted. Add all the usual programs to Low Restricted - browsers, Microsoft Office, video players, cmd, rundll32, regsvr32, etc - and run it like that for a week. I am willing to bet very heavily that you won't make it a week.
Right. I forgot to say that I manually allowed network for the apps I mentioned.
 

509322

> Indeed there is a bug somewhere in terms of how KSN rates a particular program, but I see no issue in assigning a "known" program to the "Trusted" group if it is indeed safe to run! :)

Given that support personnel are not always on the same page, the conflicting answers are no surprise. On top of it, there are very few sources where a user can obtain a definitively accurate answer.

Move programs to Low and High Restricted with full interactive mode and a public network profile. Then start to modify the individual program policies in the editor. And voila ! All sorts of things begin to happen.
 

shmu26

> Indeed there is a bug somewhere in terms of how KSN rates a particular program, but I see no issue in assigning a "known" program to the "Trusted" group if it is indeed safe to run! :)
Right. The question is whether it is wise to do the opposite: assign a trusted program to a restricted group, like I just did. I guess time will tell.
I don't know if there is really a "bug" in how KSN rates things -- it just depends how many Kaspersky users install the program. It is "crowd" rating.
 

Venustus

> Right. The question is whether it is wise to do the opposite: assign a trusted program to a restricted group, like I just did. I guess time will tell.

Eventually it will be assigned to the "trusted" group unless you keep changing the trust level manually! :)
 

shmu26

> Eventually it will be assigned to the "trusted" group unless you keep changing the trust level manually! :)

Usually it stays in its group, if you are in interactive mode.
 

shmu26

> Add all the usual programs to Low Restricted - browsers, Microsoft Office, video players, cmd, rundll32, regsvr32, etc - and run it like that for a week. I am willing to bet very heavily that you won't make it a week.

I don't think it is a good idea to add heavy lifters like rundll32, for the reasons you mentioned. It's just not designed for that. But I am giving it a try with browsers and office apps, and I am throwing cmd.exe in there, too.
 

shmu26

> Given that support personnel are not always on the same page, the conflicting answers are no surprise. On top of it, there are very few sources where a user can obtain a definitively accurate answer.
>
> Move programs to Low and High Restricted with full interactive mode and a public network profile. Then start to modify the individual program policies in the editor. And voila ! All sorts of things begin to happen.

I am afraid you're right. The rules get buggy once you start modifying them.
 

shmu26

While on the subject of configuring Application Control: it is best not to modify it any more than necessary, but I do think it's good to move the 4 powershell processes to Untrusted. That way, even if they get launched via dll or other tricks, they still will not be able to do anything.
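The trust-group behaviour pieced together across this thread (Low Restricted launches children without a prompt, High Restricted prompts on launch and has no network of its own, a child of a High Restricted process inherits the network denial, Untrusted is denied everything), written up as an added toy model in Python; this is not Kaspersky code, and the group table, the verdict strings and OUTLOOK.EXE as the "email" command's child are assumptions drawn only from the posts above.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    """One Application Control trust group (assumed semantics, not Kaspersky's)."""
    name: str
    child_launch: str          # "allow", "prompt" or "deny" when a process here spawns a child
    network: str               # default network verdict for a process in this group
    inherit_network_deny: bool = False   # children of this group lose network access

# Assumed policy table, built only from the behaviour reported in this thread.
GROUPS = {
    "trusted": Group("Trusted", "allow", "allow"),
    "low": Group("Low Restricted", "allow", "prompt"),
    "high": Group("High Restricted", "prompt", "deny", inherit_network_deny=True),
    "untrusted": Group("Untrusted", "deny", "deny"),
}

@dataclass
class Process:
    image: str
    group: Group
    network_allowed_manually: bool = False   # user allowed network for this app by hand
    inherited_network_deny: bool = False     # set when a High Restricted ancestor launched it

def decide_child_launch(parent: Process, child_image: str,
                        child_group: Group) -> tuple[str, Process | None]:
    """Verdict for parent launching child_image, plus the resulting child process."""
    verdict = parent.group.child_launch
    if verdict == "deny":
        return "deny", None
    inherited = parent.group.inherit_network_deny or parent.inherited_network_deny
    return verdict, Process(child_image, child_group, inherited_network_deny=inherited)

def decide_network(proc: Process) -> str:
    """Network verdict: an inherited denial wins over both the group and a manual allow."""
    if proc.inherited_network_deny:
        return "deny"
    if proc.network_allowed_manually:
        return "allow"
    return proc.group.network

def word_email_command(word_group: str) -> tuple[str, str | None]:
    """Word's 'email' command hands the document to the mail client (assumed OUTLOOK.EXE)."""
    word = Process("WINWORD.EXE", GROUPS[word_group], network_allowed_manually=True)
    verdict, outlook = decide_child_launch(word, "OUTLOOK.EXE", GROUPS["trusted"])
    return verdict, (decide_network(outlook) if outlook else None)
```

Running `word_email_command` for "low", "high" and "untrusted" reproduces the three outcomes reported in the thread: silent launch, a prompt with a network-denied Outlook, and no launch at all.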
 
