Kaspersky Policy Based Application Control
- Thread starter motox781
- Start date
- Status
- Jan 14, 2016
- 601
Here is a Kaspersky Enterprise KB regarding Application Control (which is the same for Kaspersky consumer products): Application Privilege Control
Even in Low Restricted malware can still mess with your system; the denied permissions are not strict enough.
If you know how to use Kaspersky, then you know to place any untrusted application into High Restricted with Interactive Mode enabled. However, you also need to be able to understand the HIPS alerts - because Kaspersky's HIPS doesn't tell you what to do - you have to decide for yourself what to do at each alert.
Unless one knows their OS quite well, one will be apt to make mistakes in responding to Kaspersky HIPS alerts. When in doubt - block - as you can always create allow rules after a file has been verified as safe.
In the evaluation of potentially malicious files, it is recommended to use a virtual machine, Sandboxie or Shadow Defender as opposed to using only Kaspersky's HIPS.
NOTE:
Sandboxie doesn't get along too well with Kaspersky and Kaspersky support officially states that Shadow Defender is incompatible with Kaspersky products (but I have used both together without any problems).
Last edited by a moderator:
- Apr 1, 2015
- 483
Thanks for the replies. I guess I should have clarified a bit more. I plan to install about 20 copies on different client PCs. Setting to Untrusted may work, but not Interactive due to these clients being normal users.
I was really just wondering about Low Restricted. It makes me wonder (if the protection is not that strong), why would Kaspersky implement it under default for unknowns if it does very little proactively and acts almost as Trusted.
I was really just wondering about Low Restricted. It makes me wonder (if the protection is not that strong), why would Kaspersky implement it under default for unknowns if it does very little proactively and acts almost as Trusted.
Last edited:
- Apr 5, 2014
- 6,010
I use Sandboxie with Kaspersky too, no problem no slow down
Kaspersky optimizes settings for what they believe to be the best for typical users.
I personally don't agree with Kaspersky's default settings: PUP detection disabled, HIPS move to Low Restricted, Trust digitally signed applications, etc.
NOTE: If you disable "Trust digitally signed applications" you might run into some Application Control issues on 64 bit systems.
You can ask @harlan4096 about this... as he is Kaspersky gold beta tester and a very long-time user.
I use Sandboxie with Kaspersky too, no problem no slow down
It seems system dependent. Some users can get Sandboxie and Kaspersky to work together without issues, while others cannot get them to work at all together. On top of it, Sandboxie does not officially support Kaspersky: Sandboxie - Known Conflicts
- Apr 5, 2014
- 6,010
"For Windows 8/8.1 & Win 10 -KS 2015 and 2016 is not compatible with Sandboxie. Kaspersky must NOT be installed, otherwise Sandboxie will not work."
I USE WIN8.1 + KIS 2016 AND IT WORK WELL
i must call with SandBoxie and report this bug to them
I USE WIN8.1 + KIS 2016 AND IT WORK WELL
i must call with SandBoxie and report this bug to them
- Apr 28, 2015
- 9,039
Sandboxie 5.x with my W8.1 & W10 Pro x64 systems does not work almost at all!. Browsers sanboxed don't work, only some specific applications work sandboxed, in general SB 5.x is not supported and does not work with Kaspersky 2016...
About Kaspersky protection in Low Restricted group, You can check the daily dynamic testing of malware samples in section:
https://malwaretips.com/forums/virus-exchange-malware-samples.104/
and see Kaspersky performance in default settings (with some minor tweaks)
About Kaspersky protection in Low Restricted group, You can check the daily dynamic testing of malware samples in section:
https://malwaretips.com/forums/virus-exchange-malware-samples.104/
and see Kaspersky performance in default settings (with some minor tweaks)
I dont know how effective is Kaspersky Application Control.
I use default settings. On my Win 10 64 system all the programs are in Trusted except 1 i.e HDSentinel...I know the program is safe but cannot transfer it to trusted. Its in Low Restricted & works fine. I transfer it to Trusted but on next start of HDSentinel, Kas again puts it in LR. Not a prob as programs work fine in LR.
I find LR not that strong i.e guess there are no strong restrictions i.e may be 1-2 low restriction that doesn't affect programs working & programs work fine.
YouTube tests I see, I rarely see Kas putting samples in HR or Untrusted, mostly programs are put in LR & I rarely see System Watcher detecting something too.
I kind of think & find Kaspersky in default settings is like signs + cloud only with weak proactive protection i.e Application Control & System Watcher.
Custom or Advanced settings...Kas proactive may be effective but default settings as mentioned above is like signs + cloud only.
I use default settings. On my Win 10 64 system all the programs are in Trusted except 1 i.e HDSentinel...I know the program is safe but cannot transfer it to trusted. Its in Low Restricted & works fine. I transfer it to Trusted but on next start of HDSentinel, Kas again puts it in LR. Not a prob as programs work fine in LR.
I find LR not that strong i.e guess there are no strong restrictions i.e may be 1-2 low restriction that doesn't affect programs working & programs work fine.
YouTube tests I see, I rarely see Kas putting samples in HR or Untrusted, mostly programs are put in LR & I rarely see System Watcher detecting something too.
I kind of think & find Kaspersky in default settings is like signs + cloud only with weak proactive protection i.e Application Control & System Watcher.
Custom or Advanced settings...Kas proactive may be effective but default settings as mentioned above is like signs + cloud only.
- Apr 28, 2015
- 9,039
Most of YouTube testings are on demands/static tests... SW only works on execution/dynamic testing and is activated when changes or suspicious activity/behavior malware in system are quite/hard enough... as I said in my previous posts, check many threads in MalWare Hub section of my testings and You will see SW in action, even with defaults settings
It's so difficult to change/strengthen Low Restriction settings/restrictions because then users would have problems on execution with many applications, so They set the minimum restrictions on system to better protect and assure applications will run without issues.
About this issue, if You are using KES10, check whether there is also a duplicated entry of HDSentinel in Trusted group, because this is a GUI bug I already commented here in a different thread. You can't move it to Trusted group because it is already there, but still appears in Low Restricted.
harlan,
Youtube tests I mean the dynamic testing part. Nowadays I do check Malware Hub threads, I see LR but dont see SW. And LR too, like apps was placed in LR, sometimes sample process running & sometime sample process not running...But these same things I notice for others too, like Norton, etc..., sometimes sample process running & sometime not. So dont know if the sample process got killed by security protection or by itself after sometime?
Yes, LR restrictions increased can create probs too.
About HDSentinel - No duplicate entry in Trusted. Every other program I transfered worked fine. But HDSentinel I transfer & it appears in Trusted but on next run it is again transfered to LR. The HDSentinel entry is .vbs one.
Youtube tests I mean the dynamic testing part. Nowadays I do check Malware Hub threads, I see LR but dont see SW. And LR too, like apps was placed in LR, sometimes sample process running & sometime sample process not running...But these same things I notice for others too, like Norton, etc..., sometimes sample process running & sometime not. So dont know if the sample process got killed by security protection or by itself after sometime?
Yes, LR restrictions increased can create probs too.
About HDSentinel - No duplicate entry in Trusted. Every other program I transfered worked fine. But HDSentinel I transfer & it appears in Trusted but on next run it is again transfered to LR. The HDSentinel entry is .vbs one.
- Apr 28, 2015
- 9,039
Every time a dynamic malware is detected by "Dangerous Application Behavior" is SW in action, for example:
https://malwaretips.com/threads/malware-9.57149/ post #2.
When a sample is running in LW in system (but SW is not activated) these restrictions are applied:
I agree, sometimes it's difficult to know, but the final target is to check whether the system was affected or not by those (not detected) malwares, that's why We also, after dynamic testing, check the system with different on demand scanners: ZAM, EEK, MBAM Free, AdwCleaner, etc. and restart the system to check whether the malware autoruns itself... and in most cases, They found anything else suspicious apart the original sample. So, we can conclude that system in clean and protected, I know, not with 100% but... I'm talking in general, not only about Kaspersky
harlan,
You mean "Dangerous Application Behavior" detection is SW in action...So is this different from "Rollback"? Rollback too is SW in action, right?
Low Restricted—everything is allowed except for building into operating system modules
What does the bold above means?
You mean "Dangerous Application Behavior" detection is SW in action...So is this different from "Rollback"? Rollback too is SW in action, right?
Low Restricted—everything is allowed except for building into operating system modules
What does the bold above means?
- Apr 28, 2015
- 9,039
RollBack is one of the features of SW, but its main function is proactive defense... in fact in older versions of Kaspersky there was a module called Proactive Defense, but some of this functions and others were implemented/re-unified some years ago in a new module called System Watcher.
Although this link is a bit old, it explains quite clearly how SW works:
What is the System Watcher component in Kaspersky Anti-Virus/Kaspersky Internet Security 2012?
Updated info:
https://support.kaspersky.com/12044#block1
Although this link is a bit old, it explains quite clearly how SW works:
What is the System Watcher component in Kaspersky Anti-Virus/Kaspersky Internet Security 2012?
Updated info:
https://support.kaspersky.com/12044#block1
- Feb 26, 2016
- 23
Sandboxie 5.x with my W8.1 & W10 Pro x64 systems does not work almost at all!. Browsers sanboxed don't work, only some specific applications work sandboxed, in general SB 5.x is not supported and does not work with Kaspersky 2016...
About Kaspersky protection in Low Restricted group, You can check the daily dynamic testing of malware samples in section:
https://malwaretips.com/forums/virus-exchange-malware-samples.104/
and see Kaspersky performance in default settings (with some minor tweaks)
KIS 2015/2016 is not compatible with SBIE. It's been noted on our known conflicts page for almost a year. Sandboxie - Known Conflicts
- Apr 28, 2015
- 9,039
- Status
