Kaspersky Policy Based Application Control

Status
Not open for further replies.

motox781

Level 10
Thread author
Verified
Well-known
Apr 1, 2015
483
Theoretically speaking, if different types of malware files where to penetrate past Kapsersky's protection and get placed into "Low Restricted", how much damage is possible under default settings?
 
  • Like
Reactions: shukla44

shukla44

Level 13
Verified
Top Poster
Well-known
Jan 14, 2016
601
Theoretically speaking, damage same as trusted group. Low restricted is basically trusted group in default settings (Automatic mode). Application control is for interactive mode, in which the prompts gets issued, then Low restricted is useful as much as the user knows.
 
  • Like
Reactions: frogboy
H

hjlbx

Theoretically speaking, if different types of malware files where to penetrate past Kapsersky's protection and get placed into "Low Restricted", how much damage is possible under default settings?

Here is a Kaspersky Enterprise KB regarding Application Control (which is the same for Kaspersky consumer products): Application Privilege Control

Even in Low Restricted malware can still mess with your system; the denied permissions are not strict enough.

If you know how to use Kaspersky, then you know to place any untrusted application into High Restricted with Interactive Mode enabled. However, you also need to be able to understand the HIPS alerts - because Kaspersky's HIPS doesn't tell you what to do - you have to decide for yourself what to do at each alert.

Unless one knows their OS quite well, one will be apt to make mistakes in responding to Kaspersky HIPS alerts. When in doubt - block - as you can always create allow rules after a file has been verified as safe.

In the evaluation of potentially malicious files, it is recommended to use a virtual machine, Sandboxie or Shadow Defender as opposed to using only Kaspersky's HIPS.

NOTE:

Sandboxie doesn't get along too well with Kaspersky and Kaspersky support officially states that Shadow Defender is incompatible with Kaspersky products (but I have used both together without any problems).
 
Last edited by a moderator:

motox781

Level 10
Thread author
Verified
Well-known
Apr 1, 2015
483
Thanks for the replies. I guess I should have clarified a bit more. I plan to install about 20 copies on different client PCs. Setting to Untrusted may work, but not Interactive due to these clients being normal users.

I was really just wondering about Low Restricted. It makes me wonder (if the protection is not that strong), why would Kaspersky implement it under default for unknowns if it does very little proactively and acts almost as Trusted.
 
Last edited:

omidomi

Level 71
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,001
Here is a Kaspersky Enterprise KB regarding Application Control (which is the same for Kaspersky consumer products): Application Privilege Control

Even in Low Restricted malware can still mess with your system; the denied permissions are not strict enough.

If you know how to use Kaspersky, then you know to place any untrusted application into High Restricted with Interactive Mode enabled. However, you also need to be able to understand the HIPS alerts - because Kaspersky's HIPS doesn't tell you what to do - you have to decide for yourself what to do at each alert.

Unless one knows their OS quite well, one will be apt to make mistakes in responding to Kaspersky HIPS alerts. When in doubt - block - as you can always create allow rules after a file has been verified as safe.

In the evaluation of potentially malicious files, it is recommended to use a virtual machine, Sandboxie or Shadow Defender as opposed to using only Kaspersky's HIPS.

NOTE:

Sandboxie doesn't get along too well with Kaspersky and Kaspersky support officially states that Shadow Defender is incompatible with Kaspersky products (but I have used both together without any problems).
I use Sandboxie with Kaspersky too, no problem no slow down :D
 
H

hjlbx

Thanks for the replies. I guess I should have clarified a bit more. I plan to install about 20 copies on different client PCs. Setting to Untrusted may work, but not Interactive due to these clients being normal users.

I was really just wondering about Low Restricted. It makes me wonder (if the protection is not that strong), why would Kaspersky implement it under default if it does very little proactively and acts almost as Trusted.

Kaspersky optimizes settings for what they believe to be the best for typical users.

I personally don't agree with Kaspersky's default settings: PUP detection disabled, HIPS move to Low Restricted, Trust digitally signed applications, etc.

NOTE: If you disable "Trust digitally signed applications" you might run into some Application Control issues on 64 bit systems.

You can ask @harlan4096 about this... as he is Kaspersky gold beta tester and a very long-time user.
 

omidomi

Level 71
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,001
"For Windows 8/8.1 & Win 10 -KS 2015 and 2016 is not compatible with Sandboxie. Kaspersky must NOT be installed, otherwise Sandboxie will not work."
I USE WIN8.1 + KIS 2016 AND IT WORK WELL :D
Untitled.png

i must call with SandBoxie and report this bug to them :D :D :D
 
  • Like
Reactions: harlan4096

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Sandboxie 5.x with my W8.1 & W10 Pro x64 systems does not work almost at all!. Browsers sanboxed don't work, only some specific applications work sandboxed, in general SB 5.x is not supported and does not work with Kaspersky 2016...

About Kaspersky protection in Low Restricted group, You can check the daily dynamic testing of malware samples in section:

https://malwaretips.com/forums/virus-exchange-malware-samples.104/

and see Kaspersky performance in default settings (with some minor tweaks) ;)
 
D

Deleted member 2913

I dont know how effective is Kaspersky Application Control.

I use default settings. On my Win 10 64 system all the programs are in Trusted except 1 i.e HDSentinel...I know the program is safe but cannot transfer it to trusted. Its in Low Restricted & works fine. I transfer it to Trusted but on next start of HDSentinel, Kas again puts it in LR. Not a prob as programs work fine in LR.

I find LR not that strong i.e guess there are no strong restrictions i.e may be 1-2 low restriction that doesn't affect programs working & programs work fine.

YouTube tests I see, I rarely see Kas putting samples in HR or Untrusted, mostly programs are put in LR & I rarely see System Watcher detecting something too.

I kind of think & find Kaspersky in default settings is like signs + cloud only with weak proactive protection i.e Application Control & System Watcher.

Custom or Advanced settings...Kas proactive may be effective but default settings as mentioned above is like signs + cloud only.
 
  • Like
Reactions: harlan4096

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
YouTube tests I see, I rarely see Kas putting samples in HR or Untrusted, mostly programs are put in LR & I rarely see System Watcher detecting something too.

Most of YouTube testings are on demands/static tests... SW only works on execution/dynamic testing and is activated when changes or suspicious activity/behavior malware in system are quite/hard enough... as I said in my previous posts, check many threads in MalWare Hub section of my testings and You will see SW in action, even with defaults settings :)

It's so difficult to change/strengthen Low Restriction settings/restrictions because then users would have problems on execution with many applications, so They set the minimum restrictions on system to better protect and assure applications will run without issues.

use default settings. On my Win 10 64 system all the programs are in Trusted except 1 i.e HDSentinel...I know the program is safe but cannot transfer it to trusted. Its in Low Restricted & works fine. I transfer it to Trusted but on next start of HDSentinel, Kas again puts it in LR. Not a prob as programs work fine in LR.

About this issue, if You are using KES10, check whether there is also a duplicated entry of HDSentinel in Trusted group, because this is a GUI bug I already commented here in a different thread. You can't move it to Trusted group because it is already there, but still appears in Low Restricted.
 
D

Deleted member 2913

harlan,

Youtube tests I mean the dynamic testing part. Nowadays I do check Malware Hub threads, I see LR but dont see SW. And LR too, like apps was placed in LR, sometimes sample process running & sometime sample process not running...But these same things I notice for others too, like Norton, etc..., sometimes sample process running & sometime not. So dont know if the sample process got killed by security protection or by itself after sometime?

Yes, LR restrictions increased can create probs too.

About HDSentinel - No duplicate entry in Trusted. Every other program I transfered worked fine. But HDSentinel I transfer & it appears in Trusted but on next run it is again transfered to LR. The HDSentinel entry is .vbs one.
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Youtube tests I mean the dynamic testing part. Nowadays I do check Malware Hub threads, I see LR but dont see SW. And LR too, like apps was placed in LR, sometimes sample process running & sometime sample process not running...But these same things I notice for others too, like Norton, etc..., sometimes sample process running & sometime not. So dont know if the sample process got killed by security protection or by itself after sometime?

Every time a dynamic malware is detected by "Dangerous Application Behavior" is SW in action, for example:

https://malwaretips.com/threads/malware-9.57149/ post #2.

When a sample is running in LW in system (but SW is not activated) these restrictions are applied:
  • Trusted—no limitations
  • Low Restricted—everything is allowed except for building into operating system modules
  • High Restricted—interaction with operating system modules and other programs are prohibited. A program is allowed to work only with its own segment of system memory
  • Untrusted—a program is prohibited even from starting
------------
  • Trusted. Applications with a digital signature by trusted vendors, or applications which are recorded in the base of trusted applications. These applications have no restrictions applied on actions performed in the system. Those applications' activity is monitored by Proactive Defense and File Anti-Virus.
  • Low Restricted. Applications that do not have a digital signature from a trusted vendor, and which are not listed in the base of trusted applications. However, these applications have received low value of the threat rating. They are allowed to perform some operations, such as access to other processes, system control, hidden network access. The user's permission is required for most operations.
  • High Restricted. Applications without a digital signature and which are not listed in the base of trusted applications. These applications have a high value of the threat rating. The applications of this group require the user's permission for most actions which affect the system: some actions are not allowed for such applications.
  • Untrusted. Applications without a digital signature and which are not listed in the base of trusted applications. These applications have received a very high value of the threat rating. Application Control blocks any actions performed by such applications

...sometimes sample process running & sometime not. So dont know if the sample process got killed by security protection or by itself after sometime?

I agree, sometimes it's difficult to know, but the final target is to check whether the system was affected or not by those (not detected) malwares, that's why We also, after dynamic testing, check the system with different on demand scanners: ZAM, EEK, MBAM Free, AdwCleaner, etc. and restart the system to check whether the malware autoruns itself... and in most cases, They found anything else suspicious apart the original sample. So, we can conclude that system in clean and protected, I know, not with 100% but... I'm talking in general, not only about Kaspersky :)
 
D

Deleted member 2913

harlan,

You mean "Dangerous Application Behavior" detection is SW in action...So is this different from "Rollback"? Rollback too is SW in action, right?

Low Restricted—everything is allowed except for building into operating system modules
What does the bold above means?
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
RollBack is one of the features of SW, but its main function is proactive defense... in fact in older versions of Kaspersky there was a module called Proactive Defense, but some of this functions and others were implemented/re-unified some years ago in a new module called System Watcher.

Although this link is a bit old, it explains quite clearly how SW works:

What is the System Watcher component in Kaspersky Anti-Virus/Kaspersky Internet Security 2012?

Updated info:

https://support.kaspersky.com/12044#block1
 

Sandboxie Help

From Sandboxie
Verified
Developer
Feb 26, 2016
23
Sandboxie 5.x with my W8.1 & W10 Pro x64 systems does not work almost at all!. Browsers sanboxed don't work, only some specific applications work sandboxed, in general SB 5.x is not supported and does not work with Kaspersky 2016...

About Kaspersky protection in Low Restricted group, You can check the daily dynamic testing of malware samples in section:

https://malwaretips.com/forums/virus-exchange-malware-samples.104/

and see Kaspersky performance in default settings (with some minor tweaks) ;)

KIS 2015/2016 is not compatible with SBIE. It's been noted on our known conflicts page for almost a year. Sandboxie - Known Conflicts
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top