Theoretically speaking, if different types of malware files were to penetrate past Kaspersky's protection and get placed into "Low Restricted", how much damage is possible under default settings?
> Theoretically speaking, if different types of malware files were to penetrate past Kaspersky's protection and get placed into "Low Restricted", how much damage is possible under default settings?

Here is a Kaspersky Enterprise KB regarding Application Control (which is the same for Kaspersky consumer products): Application Privilege Control
> Here is a Kaspersky Enterprise KB regarding Application Control (which is the same for Kaspersky consumer products): Application Privilege Control

I use Sandboxie with Kaspersky too, no problem, no slowdown.
Even in Low Restricted malware can still mess with your system; the denied permissions are not strict enough.
If you know how to use Kaspersky, then you know to place any untrusted application into High Restricted with Interactive Mode enabled. However, you also need to be able to understand the HIPS alerts - because Kaspersky's HIPS doesn't tell you what to do - you have to decide for yourself what to do at each alert.
Unless one knows their OS quite well, one will be apt to make mistakes in responding to Kaspersky HIPS alerts. When in doubt - block - as you can always create allow rules after a file has been verified as safe.
In the evaluation of potentially malicious files, it is recommended to use a virtual machine, Sandboxie or Shadow Defender as opposed to using only Kaspersky's HIPS.
Sandboxie doesn't get along too well with Kaspersky and Kaspersky support officially states that Shadow Defender is incompatible with Kaspersky products (but I have used both together without any problems).
> Thanks for the replies. I guess I should have clarified a bit more. I plan to install about 20 copies on different client PCs. Setting to Untrusted may work, but not Interactive, due to these clients being normal users.
> I was really just wondering about Low Restricted. It makes me wonder (if the protection is not that strong) why Kaspersky would implement it under default if it does very little proactively and acts almost as Trusted.

Kaspersky optimizes settings for what they believe to be the best for typical users.
> I use Sandboxie with Kaspersky too, no problem, no slowdown.

It seems system dependent. Some users can get Sandboxie and Kaspersky to work together without issues, while others cannot get them to work together at all. On top of that, Sandboxie does not officially support Kaspersky: Sandboxie - Known Conflicts
> In the YouTube tests I see, I rarely see Kas putting samples in HR or Untrusted; mostly programs are put in LR, and I rarely see System Watcher detecting something either.

Most YouTube tests are on-demand/static tests... SW only works on execution/dynamic testing and is activated when the changes or suspicious activity/behavior of malware in the system are quite/hard enough... As I said in my previous posts, check the many threads in the Malware Hub section of my testing and you will see SW in action, even with default settings.
> use default settings. On my Windows 10 64 system all the programs are in Trusted except 1, i.e. HDSentinel... I know the program is safe but cannot transfer it to Trusted. It's in Low Restricted & works fine. I transfer it to Trusted, but on the next start of HDSentinel, Kas again puts it in LR. Not a prob, as programs work fine in LR.

About this issue, if you are using KES10, check whether there is also a duplicated entry of HDSentinel in the Trusted group, because this is a GUI bug I already commented on here in a different thread. You can't move it to the Trusted group because it is already there, but it still appears in Low Restricted.
> YouTube tests, I mean the dynamic testing part. Nowadays I do check Malware Hub threads; I see LR but don't see SW. And LR too, like apps were placed in LR, sometimes the sample process running & sometimes the sample process not running... But I notice these same things for others too, like Norton, etc., sometimes the sample process running & sometimes not. So I don't know if the sample process got killed by the security protection or by itself after some time?

Every time dynamic malware is detected by "Dangerous Application Behavior", that is SW in action, for example:
- Trusted—no limitations
- Low Restricted—everything is allowed except for building into operating system modules
- High Restricted—interaction with operating system modules and other programs is prohibited. A program is allowed to work only with its own segment of system memory
- Untrusted—a program is prohibited even from starting
- Trusted. Applications with a digital signature by trusted vendors, or applications which are recorded in the base of trusted applications. These applications have no restrictions applied on actions performed in the system. Those applications' activity is monitored by Proactive Defense and File Anti-Virus.
- Low Restricted. Applications that do not have a digital signature from a trusted vendor, and which are not listed in the base of trusted applications. However, these applications have received a low value of the threat rating. They are allowed to perform some operations, such as access to other processes, system control, and hidden network access. The user's permission is required for most operations.
- High Restricted. Applications without a digital signature and which are not listed in the base of trusted applications. These applications have a high value of the threat rating. The applications of this group require the user's permission for most actions which affect the system; some actions are not allowed for such applications.
- Untrusted. Applications without a digital signature and which are not listed in the base of trusted applications. These applications have received a very high value of the threat rating. Application Control blocks any actions performed by such applications.
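Since the group assignment above keys on whether an executable carries a valid signature from a trusted vendor, an administrator rolling Kaspersky out to many client PCs may want to inventory which installed binaries are unsigned (and so cannot land in Trusted on signature grounds) before deployment. The PowerShell script below is an added example, not code from this thread or from Kaspersky; the scanned directories and the report path are assumptions.

```powershell
# Added example: inventory the Authenticode signature status of executables.
# Scan roots and output path are assumptions; adjust to the folders you deploy.
$ScanPaths = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}")
$Report    = "$env:TEMP\signature-inventory.csv"

$results = foreach ($root in $ScanPaths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Summary: how many files fall into each signature status.
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Unsigned or tampered binaries are the candidates that will not qualify for
# Trusted by signature; export them for review before creating allow rules.
$results | Where-Object { $_.Status -ne 'Valid' } |
    Export-Csv -Path $Report -NoTypeInformation
Write-Host "Entries without a valid signature written to $Report"
```

A valid Authenticode signature is not the same as being on Kaspersky's trusted-vendor list or in its trusted-applications base, so the report identifies candidates for manual review rather than predicting the final group.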
> sometimes the sample process running & sometimes not. So I don't know if the sample process got killed by the security protection or by itself after some time?

I agree, sometimes it's difficult to know, but the final target is to check whether the system was affected or not by those (not detected) malwares; that's why we also, after dynamic testing, check the system with different on-demand scanners: ZAM, EEK, MBAM Free, AdwCleaner, etc., and restart the system to check whether the malware autoruns itself... and in most cases they found nothing else suspicious apart from the original sample. So we can conclude that the system is clean and protected; I know, not with 100%, but... I'm talking in general, not only about Kaspersky...
> Sandboxie 5.x with my W8.1 & W10 Pro x64 systems does not work almost at all! Sandboxed browsers don't work, only some specific applications work sandboxed; in general SB 5.x is not supported and does not work with Kaspersky 2016...
> About Kaspersky protection in the Low Restricted group, you can check the daily dynamic testing of malware samples in section:
> and see Kaspersky performance in default settings (with some minor tweaks).

KIS 2015/2016 is not compatible with SBIE. It's been noted on our known conflicts page for almost a year. Sandboxie - Known Conflicts