App Review Kaspersky Internet Security - System Watcher only, no KSN - ransomware test

TheMalwareMaster

Yes, I will test it for sure. I'm using Avast and that will be implemented soon. I can't wait.
But first I will test BD's ATC and Norton's SONAR (online/offline).
If one wanted to test Avast CyberCapture now, there is no way of disabling the signatures and leaving CyberCapture active, right?
 

shmu26

> I applied a few things from this web page:
> Protection against cryptoviruses in Kaspersky Internet Security
> and something like this. Sorry, I don't use Kaspersky anymore and I haven't tested these settings with legit applications; maybe it breaks legit apps also. This blocked all the ransomware.
>
> Please don't copy everything. Select the most important ones.
> Maybe @Wave can suggest to us what to block in these screenshots.

Will these tweaks stop scripts, or only exe files?
From what I understand, Application Control only applies to exe files.
If you want to block scripts, you will also have to make block rules individually for each script interpreter.
 
Wave

> Will these tweaks stop scripts, or only exe files?
> From what I understand, Application Control only applies to exe files.
> If you want to block scripts, you will also have to make block rules individually for each script interpreter.
It depends on the situation: is the executable running the script being restricted or not? If yes, then it'll apply to it too.

The script cannot just do things without using the Windows API, not possible. The script is interpreted and the contents of the script are used to determine the code for the execution of the actions, which then boils down to using the Windows API -> NTAPI -> triggers any hooks from Kaspersky, kernel-mode callback notifications, and such.

I believe Kaspersky works with MSR hooks via the hypervisor on a system-wide level (virtualization, but it allows them to bypass PatchGuard problems on x64 systems); they probably use user-mode hooking also, with injection into the restricted programs, and device drivers for kernel-mode callbacks.

Enjoy the internals info, it should be right.
 

Evjl's Rain (thread author)

> Will these tweaks stop scripts, or only exe files?
> From what I understand, Application Control only applies to exe files.
> If you want to block scripts, you will also have to make block rules individually for each script interpreter.
Hi, it controls scripts and .bat files also. Basically everything you can click on to execute.
[attached screenshot: Windows 7-2017-01-19-18-40-25.png]
 

shmu26

> I applied a few things from this web page:
> Protection against cryptoviruses in Kaspersky Internet Security
> and something like this. Sorry, I don't use Kaspersky anymore and I haven't tested these settings with legit applications; maybe it breaks legit apps also. This blocked all the ransomware.
>
> Please don't copy everything. Select the most important ones.
> Maybe @Wave can suggest to us what to block in these screenshots.

There is a different approach, which solves the problem of your legit apps not working.
1. Move all the apps you use to Trusted.
2. Switch to interactive protection; in other words, untick "perform recommended actions automatically".
3. Disable "trust digitally signed applications".
4. Set the trust level for unknown applications to "untrusted".

Now you will get a prompt for every unknown that tries to run, like in a typical default/deny setup.

This method was mentioned by a user on this forum. I don't remember who it was, but it sounded very good to me.

EDIT: but it has the disadvantage that recommended protections will not be applied, you will have to decide on your own when you see a prompt.
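To make Wave's point about script interpreters and shmu26's four settings concrete, here is an added Python model of process-level application control; it is my own constructed example, not Kaspersky's code, and the trust-level names, rule sets and `Policy` fields are assumptions used only to illustrate the idea. The subject of enforcement is the process image that calls the Windows API, so a script's actions are judged by its interpreter's trust level, which is why a trusted interpreter needs its own block rule.

```python
"""Toy model of trust-level application control (constructed example,
not Kaspersky's implementation). Hooks see the process that calls the
Windows API, so a script's actions are attributed to its interpreter."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed rule sets: which actions each trust level may perform.
RULES: Dict[str, Set[str]] = {
    "trusted": {"file_write", "registry_write", "network"},
    "low_restricted": {"file_write", "network"},
    "high_restricted": {"network"},
    "untrusted": set(),
}
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


@dataclass
class Process:
    image: str                     # executable actually running, e.g. wscript.exe
    signed: bool = False           # has a valid digital signature
    script: Optional[str] = None   # script passed to an interpreter, if any


@dataclass
class Policy:
    explicit: Dict[str, str] = field(default_factory=dict)  # image -> trust level
    trust_signed: bool = True        # models "trust digitally signed applications"
    unknown_default: str = "low_restricted"  # level for images not in `explicit`

    def trust_of(self, p: Process) -> str:
        """Resolve the trust level of the *process image*; the script itself
        is only data and never gets a trust level of its own."""
        if p.image in self.explicit:
            return self.explicit[p.image]
        if self.trust_signed and p.signed:
            return "trusted"
        return self.unknown_default

    def allows(self, p: Process, action: str) -> bool:
        return action in RULES[self.trust_of(p)]


def interpreters_needing_rules(policy: Policy, present: Set[str]) -> Set[str]:
    """Interpreters on the box that would resolve to 'trusted' (and so let any
    script run unrestricted) unless an explicit block rule is added for them."""
    return {i for i in present & SCRIPT_INTERPRETERS
            if policy.trust_of(Process(i, signed=True)) == "trusted"}


def hardened_policy(trusted_apps: Set[str]) -> Policy:
    """shmu26's steps 1, 3 and 4: known apps trusted, signatures not auto-trusted,
    unknown images default to untrusted (step 2, prompting, is out of scope here)."""
    return Policy(explicit={a: "trusted" for a in trusted_apps},
                  trust_signed=False, unknown_default="untrusted")
```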
Wave

> I heard it has better BB than Emsisoft too.
They both work completely differently, you can't just compare the two. Kaspersky System Watcher works differently.

For example, Kaspersky have trust levels with rule sets for each trust level (restriction levels), and the rule sets support a lot of things. Whereas, Emsisoft have a cloud network for allowing through trusted objects only, and then perform monitoring to identify specific threat behavior or prevent specific activity occurring, as opposed to taking the trust restriction route.
 

erreale

> They both work completely differently, you can't just compare the two. Kaspersky System Watcher works differently.
>
> For example, Kaspersky have trust levels with rule sets for each trust level (restriction levels), and the rule sets support a lot of things. Whereas, Emsisoft have a cloud network for allowing through trusted objects only, and then perform monitoring to identify specific threat behavior or prevent specific activity occurring, as opposed to taking the trust restriction route.

Great explanation.