Kaspersky TAM and Application Control?

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Trusted Application Mode is not absolute default-deny. Programs can still be executed on the system based upon a local-cloud algorithm. Most of what can\cannot be executed is based upon the KSN lookup function. In short, TAM is restricted default-allow. The default restrictions are sufficient\insufficient based upon your point of view.
I would still say that TAM is default-deny, not "restricted default-allow". Yes, programs may be allowed to run, but only if it's on the cloud whitelist. The default behavior is still block. Only when the software is on the whitelist will it be allowed to run.

I think the behavior of TAM is:
Delay the execution of the program.
If it's whitelisted, allow.
If not or unknown, block.
 
5

509322

I would still say that TAM is default-deny, not "restricted default-allow". Yes, programs may be allowed to run, but only if it's on the cloud whitelist. The default behavior is still block. Only when the software is on the whitelist will it be allowed to run.

I think the behavior of TAM is:
Delay the execution of the program.
If it's whitelisted, allow.
If not or unknown, block.

That behavior is technically restricted default-allow; default-deny is blocked execution or run in an isolated environment.

Actually, default-deny is absolute blocking - and not even allowing to run isolated from physical system.

For example, AppGuard in default Protected mode is highly restricted default-allow for User Space; in Locked Down mode it is absolute default deny.
 
Last edited by a moderator:

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
That behavior is technically restricted default-allow; default-deny is blocked execution or run in an isolated environment.

Actually, default-deny is absolute blocking - and not even allowing to run isolated from physical system.

For example, AppGuard in default Protected mode is highly restricted default-allow for User Space; in Locked Down mode it is absolute default deny.
TAM is default-deny because its default behavior is to block execution, until the program is found in the whitelist. It is, in this sense, absolute blocking.

It is not "restricted default-allow" because TAM doesn't allow things by default. It blocks by default. And It only restricts if the user manually allows the blocked program.

It does not block as many programs as AppGuard because TAM has a whitelist and AppGuard has none. And so, you would see many blocks from AppGuard, and not so much from Kaspersky's TAM.

Also, Kaspersky refers TAM as their default-deny protection model: Trusted Applications Mode Whitepaper :)

Anyway, if I had to choose between TAM and AppGuard's MemoryGuard, I would still choose AppGuard's. :D
 
Last edited:

SKG2016

Level 1
Verified
Dec 19, 2016
42
I don't recommend Kaspersky TAM unless you are a novice user. The beauty of Kaspersky is its customisability and requires a lot of tweaks and changes to its setting to bring maximum protection, that's why in a lot of professional tests Kaspersky seems to be inferior to Bitdefender but it is not because they test AV products most commonly at its default settings; Kaspersky is especially for the kind of people who knows clearly what level of protection they desire. Otherwise I strongly recommend Bitdefender if you want continuously automated and silent protection.
 

SKG2016

Level 1
Verified
Dec 19, 2016
42
TAM is default-deny because its default behavior is to block execution, until the program is found in the whitelist. It is, in this sense, absolute blocking.

It is not "restricted default-allow" because TAM doesn't allow things by default. It blocks by default. And It only restricts if the user manually allows the blocked program.

It does not block as many programs as AppGuard because TAM has a whitelist and AppGuard has none. And so, you would see many blocks from AppGuard, and not so much from Kaspersky's TAM.

Also, Kaspersky refers TAM as their default-deny protection model: Trusted Applications Mode Whitepaper :)

Anyway, if I had to choose between TAM and AppGuard's MemoryGuard, I would still choose AppGuard's. :D
Nice to learn that Dynamic Whitelisting technology can be applied to Kaspersky personal product, thanks for the explanation.
 
5

509322

TAM is default-deny because its default behavior is to block execution, until the program is found in the whitelist. It is, in this sense, absolute blocking.

It is not "restricted default-allow" because TAM doesn't allow things by default. It blocks by default. And It only restricts if the user manually allows the blocked program.

It does not block as many programs as AppGuard because TAM has a whitelist and AppGuard has none. And so, you would see many blocks from AppGuard, and not so much from Kaspersky's TAM.

Also, Kaspersky refers TAM as their default-deny protection model: Trusted Applications Mode Whitepaper :)

Anyway, if I had to choose between TAM and AppGuard's MemoryGuard, I would still choose AppGuard's. :D

They can call it whatever they wish, but the way that Kaspersky's TAM and Application control function together is restricted default-allow. Using a whitelist allows whatever is found on the whitelist while blocking programs not on the whitelist.

Of course a user can modify the settings to make it all work as true default-deny.

Blocking only digitally unsigned files is not strict default-deny, but rather restricted default-allow. Because you are allowing digitally signed files to execute. That is how AppGuard's Protected mode currently works - but we're working on making it selectively block even digitally signed files to increase system protection to maximum extent possible for that protection mode.

Absolute blocking is only what is found in AppGuard's Locked Down mode or other SRP softs - where a files origin, certificate, or anything else does not matter - the file is strictly blocked.

Strict blocking (true default-deny) prevents the installation and execution of new programs from User Space. With TAM and Application Control enabled programs can still be installed and executed on the system as well as scripts (mostly assigned to Low Restricted, except for powershell scripts which are not restricted) - and that includes a lot of PUPs\PUAs in the KSN whitelist.

The last statement is not a bash of KSN. It is just Kaspersky's approach to avoid legal problems with vendors that publish questionable, digitally signed programs. Other vendors likewise adopt such an attitude towards digitally signed PUPs\PUAs. It's a challenging problem for them to solve with everyone's best interests in mind.
 
Last edited by a moderator:

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
but we're working on making it selectively block even digitally signed files to increase system protection to maximum extent possible for that protection mode.
And this will be implemented on AppGuard 5, and not on AppGuard 4. :(


Anyway, I still disagree with you about TAM. :p
From the word "default-deny" it should be understood that TAM blocks by default (that's why it is default-deny). It blocks, until what it blocks is found in the whitelist. :)

I think our disagreement is how we understand the term "default-deny". But who am I to question your wisdom, Jeff? :D
 
5

509322

And this will be implemented on AppGuard 5, and not on AppGuard 4. :(


Anyway, I still disagree with you about TAM. :p
From the word "default-deny" it should be understood that TAM blocks by default (that's why it is default-deny). It blocks, until what it blocks is found in the whitelist. :)

I think our disagreement is how we understand the term "default-deny". But who am I to question your wisdom, Jeff? :D

It ain't wisdom, but just differing perspectives\definitions of default deny.

There is strict (absolute) blocking and conditional blocking. Two different levels of default deny.

Depending upon the conditional policies, it might or might not result in a massacred system.

Not all conditional default deny are created equally. Some are more or less restricted default allow.

From Security Software Engineering:

1. Default deny - "Everything, not explicitly permitted, is forbidden"
Improves security at a cost in functionality.
This is a good approach if you have lots of security threats.
2. Default permit - "Everything, not explicitly forbidden, is permitted"
Allows greater functionality by sacrificing security.
This is only a good approach in an environment where security threats are non-existent or negligible.
 
Last edited by a moderator:

SKG2016

Level 1
Verified
Dec 19, 2016
42
It ain't wisdom, but just differing perspectives\definitions of default deny.

There is strict (absolute) blocking and conditional blocking. Two different levels of default deny.

Depending upon the conditional policies, it might or might not result in a massacred system.

Not all conditional default deny are created equally. Some are more or less restricted default allow.

From Security Software Engineering:

1. Default deny - "Everything, not explicitly permitted, is forbidden"
Improves security at a cost in functionality.
This is a good approach if you have lots of security threats.
2. Default permit - "Everything, not explicitly forbidden, is permitted"
Allows greater functionality by sacrificing security.
This is only a good approach in an environment where security threats are non-existent or negligible.
Here's a question, since TAM relies on App Control to function, if I uncheck the "Trust digitally signed application" setting box while leaving the "load application rule from KSN" checked, would this be a default permit for all KSN trusted applications and a deny for all other ones even if it has a digital signature?
 
5

509322

Here's a question, since TAM relies on App Control to function, if I uncheck the "Trust digitally signed application" setting box while leaving the "load application rule from KSN" checked, would this be a default permit for all KSN trusted applications and a deny for all other ones even if it has a digital signature?

I haven't tested it with those settings modifications recently; my recent testing was for AppGuard compatibility, bug discovery and submission. Kaspersky made some changes to TAM and AC. I suggest asking @harlan4096 since he is a very long time Kaspersky user and official beta tester.

Of course you can try it yourself and see what happens.
 
Last edited by a moderator:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Here's a question, since TAM relies on App Control to function, if I uncheck the "Trust digitally signed application" setting box while leaving the "load application rule from KSN" checked, would this be a default permit for all KSN trusted applications and a deny for all other ones even if it has a digital signature?
what you are suggesting is actually harlan's recommended config. I have used it. It will move non-KSN apps to light restricted, and they will probably still function properly. It will not produce the default/deny that you are seeking.
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
what you are suggesting is actually harlan's recommended config. I have used it. It will move non-KSN apps to light restricted, and they will probably still function properly. It will not produce the default/deny that you are seeking.
Unless You change App. Control settings for unknown applications manually to "High restricted" or "Untrusted".
 

SKG2016

Level 1
Verified
Dec 19, 2016
42
I don't use TAM, I simply leave the "trust digitally signed application" and "select action automatically" unchecked, so any unknown application will be moved to low restricted and any activity they do will catch my attention. It is IMO the best solution but it requires some extensive knowledge when it comes to making the decision on allow or deny, and if some App you trust is not enlisted in KSN then I will have to manually move it to Trusted otherwise millions of prompts will pop up :( .
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I don't use TAM, I simply leave the "trust digitally signed application" and "select action automatically" unchecked, so any unknown application will be moved to low restricted and any activity they do will catch my attention. It is IMO the best solution but it requires some extensive knowledge when it comes to making the decision on allow or deny, and if some App you trust is not enlisted in KSN then I will have to manually move it to Trusted otherwise millions of prompts will pop up :( .
sounds like you figured out a way to get default/deny. very interesting. I don't think you have the dll protection that TAM provides, but maybe that doesn't matter in this setup.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
But I agree that probably TAM is not really a "pure Default Deny", and I think both @Jeff_T - Testing Group & @XhenEd are right in some of the words They say :)
I would still say it is pure default-deny. :p It's just a matter of being restrictive or not too restrictive. :D

I think the term for TAM is "not-too-restrictive default-deny". It blocks by default (which by the way is what makes me believe it is default-deny), but it has a whitelist to allow programs. As what the Kaspersky TAM Whitepaper states, defualt-deny is blocking what is not explicitly allowed.

COMODO, for example, markets their products as default-deny solutions. But don't they have whitelist? Yes, they have. Even AppGuard in Lockdown mode, I believe, would be "default-allow" if I follow what Jeff believes (default-deny is to block all programs in User Space) because AppGuard in that mode still allows, by default, MS-signed applications to run. Even system space applications are allowed by default to run.

That's why I believe we only differ in our understanding of the term default-deny. :D Some applications are default-deny, but are not too restrictive. Kaspersky's TAM falls into this. Some applications are default-deny, and are very restrictive. AppGuard's Lockdown mode falls into this.

Jeff believes that default-deny means always restrictive (no whitelist, if possible). But for me, default deny means blocking immediately any program, until it is allowed (by a whitelist or the user).
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I would still say it is pure default-deny. :p It's just a matter of being restrictive or not too restrictive. :D

I think the term for TAM is "not-too-restrictive default-deny". It blocks by default (which by the way is what makes me believe it is default-deny), but it has a whitelist to allow programs. As what the Kaspersky TAM Whitepaper states, defualt-deny is blocking what is not explicitly allowed.

COMODO, for example, markets their products as default-deny solutions. But don't they have whitelist? Yes, they have. Even AppGuard in Lockdown mode, I believe, would be "default-allow" if I follow what Jeff believes (default-deny is to block all programs in User Space) because AppGuard in that mode still allows, by default, MS-signed applications to run. Even system space applications are allowed by default to run.

That's why I believe we only differ in our understanding of the term default-deny. :D Some applications are default-deny, but are not too restrictive. Kaspersky's TAM falls into this. Some applications are default-deny, and are very restrictive. AppGuard's Lockdown mode falls into this.

Jeff believes that default-deny means always restrictive (no whitelist, if possible). But for me, default deny means blocking immediately aby program, until it is allowed (by a whitelist or the user).
okay, but TAM doesn't actually block everything that is absent from the whitelist. If it did, there would be no question about it. TAM just puts an unknown file into low restricted, which "denies" from it only a few high-level privileges. It can still open files, download files, modify files, etc.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
okay, but TAM doesn't actually block everything that is absent from the whitelist. If it did, there would be no question about it. TAM just puts an unknown file into low restricted, which "denies" from it only a few high-level privileges. It can still open files, download files, modify files, etc.
No, that is not TAM. TAM blocks execution, by default. :D
 
  • Like
Reactions: harlan4096

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
No, that is not TAM. TAM blocks execution, by default. :D
but I have used TAM extensively, and my non-KSN-recognized apps were just moved to low restricted. It is true that they were blocked from loading dlls, but they could do almost anything else they wanted.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top