motox781

If I enable TAM and allow a file to run (add an exception), I notice the file is added to the Low Restricted category on Application Control. Does this mean that not only does Kaspersky TAM act as a default deny, but also places exception unknowns with restricted rights in Application Control too? If so, pretty cool stuff.

Thanks!

motox781

Another question:

If the file is added to the exclusions in TAM, then placed in a category within Application Control...does Kaspersky still monitor the file for bad behavior (heuristics, app changes control, etc)?

Reason why I am asking this is b/c I believe Avast doesn't do that with Hardened Mode. Once you add the file to exclusions in Avast, the file is trusted 100% until you remove it from exclusions.

venustus

Another question:

If the file is added to the exclusions in TAM, then placed in a category within Application Control...does Kaspersky still monitor the file for bad behavior (heuristics, app changes control, etc)?

Reason why I am asking this is b/c I believe Avast doesn't do that with Hardened Mode. Once you add the file to exclusions in Avast, the file is trusted 100% until you remove it from exclusions.
Good question!
If it is placed in trusted then I don't think it does.
If, on the other hand it is placed in one of the lower trusted categories then it will be monitored.
I could be wrong though, so maybe harlan4096 could chime in!

motox781

Good question!
If it is placed in trusted then I don't think it does.
If, on the other hand it is placed in one of the lower trusted categories then it will be monitored.
I could be wrong though, so maybe harlan4096 could chime in!
I'm assuming that if a file is blocked by TAM, then it is not located on KSN's list of white-listed files and it will probably never be placed in the Trusted category. So it should have restrictions, plus monitoring for malicious activity ...etc...but would like confirmation ;P

If the above is correct, then TAM would act as an extra layer above everything else ;P

harlan4096

There are no "exclusions" in TAM; you just allow (unblock) or not (block) the execution/start of the application... after that, you get all the other features of the protection modules...

To create a valid exclusion you have to go to Settings -> Additional -> Threats & Exclusions -> Manage Exclusions or Specify Trusted Applications.

shmu26

TAM usually does not block exe files completely; rather, it categorizes them according to their risk level and restricts them accordingly.

Low restricted, for instance, still gives enough permissions for many programs to run properly.
But high restricted will probably interfere with a program's functioning.

So TAM is not really default-deny, because it usually does not give a black-and-white response.

shmu26

Thanks for the reply. I don't understand this part. I was under the assumption that TAM completely blocks an exe from running with full restrictions (similar to an anti-exe full block). Could you elaborate?
Harlan understands it better than me, but basically, the file is analysed to see:
1 if it has a digital sig
2 is it on the KSN whitelist
3 is it free of malicious characteristics

If it gets a clean score, it will be completely allowed.
If it gets a relatively clean score, it will have light restrictions, and will be watched carefully.
If it looks suspicious, it will have heavy restrictions.

509322

Application Control has changed from 2016 version.

Trusted Application Mode is not absolute default-deny. Programs can still be executed on the system based upon a local-cloud algorithm. Most of what can\cannot be executed is based upon the KSN lookup function. In short, TAM is restricted default-allow. The default restrictions are sufficient\insufficient based upon your point of view.

You can modify the default Low Restricted policies to much more strict.

Implicit in the way Kaspersky products work, if you don't want programs to be installed or run on the system, then don't download them and install\execute them. That's essentially implicit in any default-allow protection model. Default-allow is not going to protect a user 100 % - who is willing to gamble their system security by executing unknown\untrusted files on their system.

In KIS 2016, the user could define to which File Group an unknown\untrusted file would be assigned. For example, Untrusted. It was almost default-deny, except for digitally signed files.

In KIS 2017, the file is auto-assigned to a File Group based upon a local-cloud (KSN) algorithm.

The handling of scripts has changed as well. For example, powershell scripts (*.ps1) used to be blocked based upon configuration, but now they are not.

To stop KIS from auto-assigning files to groups - if I recall correctly, you can disable KSN cloud lookup - and assign files manually to file groups. You can ask @harlan4096 to confirm, but disabling "Trust digitally signed files" and disabling KSN lookup can result in some unpleasant, unexpected behaviors.

Any known safe files that are assigned to Low or High Restricted file group should be moved to the Trusted group - otherwise, if the user disables "Make decisions automatically" (= interactive mode) - it will create a flurry of HIPS alerts for any Low Restricted group program upon execution.

Obviously, any known safe files that are assigned to the Untrusted group will be blocked - and the user will need to assign them to a group with execution rights. If you know it is safe, then add it to Trusted.

harlan4096

I usually use a mixed approach: TAM enabled + KSN enabled + Trust in digitally signed files disabled...

Even with it, we can get some "legit" applications blocked by TAM and/or moved to a restricted group, but we still have KSN info to reduce the number of applications that will be blocked; in those cases we can always move them manually to the Trusted group.

509322

I usually use a mixed approach: TAM enabled + KSN enabled + Trust in digitally signed files disabled...

Even with it, we can get some "legit" applications blocked by TAM and/or moved to a restricted group, but we still have KSN info to reduce the number of applications that will be blocked; in those cases we can always move them manually to the Trusted group.
I still see that on 64-bit, if a user disables "Trust digitally signed files," then at some point Application Control will move EVERYTHING from the Trusted to the Low Restricted group.

Even if a user moves all those programs back to the Trusted group, Application Control will keep moving them back to the Low Restricted group.

509322

Some users complained about something similar, but I think that occurs in cases when there is no Internet connection, so no KSN and whitelisting info is available...
I observe it on a test system with active network connection.

Even if it were only to happen because of a dropped network connection, it is a serious problem. That's because network connections are unreliable and get dropped all the time. The user has no control over it.

I have tried to get them to fix this issue for years to no avail. After so many sincere attempts you just give up.