Kaspersky TAM and Application Control?

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
but I have used TAM extensively, and my non-KSN-recognized apps were just moved to low restricted. It is true that they were blocked from loading dlls, but they could do almost anything else they wanted.
I'm not sure of that, though. But as far as I have used it, and from its documentation, it should block execution. Although, I already witnessed it allowing Pale Moon to run, but its dlls blocked (a problem I have with TAM :D ).

I witnessed it block a malware one time because of a USB drive. It was unknown, according to KSN that time.

Kaspersky's documentation about TAM: http://media.kaspersky.com/pdf/kaspersky_lab_whitepaper_trusted_applications_mode.pdf
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I'm not sure of that, though. But as far as I have used it, and from its documentation, it should block execution. Although, I already witnessed it allowing Pale Moon to run, but its dlls blocked (a problem I have with TAM :D ).

I witnessed it block a malware one time because of a USB drive. It was unknown, according to KSN that time.

Kaspersky's documentation about TAM: http://media.kaspersky.com/pdf/kaspersky_lab_whitepaper_trusted_applications_mode.pdf
if a file has no digital sig, and it is not on KSN, and it also has some malicious properties, then you will get the blocking action, like you saw. But in my experience, an unknown file usually will fall somewhere in the middle, the majority of the time, unless it is real malware. It will be neither fully blocked nor fully allowed.
 
  • Like
Reactions: harlan4096

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
Unless You change App. Control settings for unknown applications manually to "High restricted" or "Untrusted".
That's exactly what I've done, set App control settings for unknown Applications to untrusted, plus unchecked 'Trust Digitally signed software' And left KSN enabled. All running great here too. I'm really enjoying KIS 2017 it's a fantastic product.

Edit to add: I also run Voodooshield alongside KIS.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
if a file has no digital sig, and it is not on KSN, and it also has some malicious properties, then you will get the blocking action, like you saw. But in my experience, an unknown file usually will fall somewhere in the middle, the majority of the time, unless it is real malware. It will be neither fully blocked nor fully allowed.
An "unknown" program is blocked in mine. This is safe. It's a game called Virtual U.

Untitled.png Untitled1.png
 
5

509322

Even AppGuard in Lockdown mode, I believe, would be "default-allow" if I follow what Jeff believes (default-deny is to block all programs in User Space) because AppGuard in that mode still allows, by default, MS-signed applications to run. Even system space applications are allowed by default to run.

If you block everything, then you might as well throw your system into the garbage because it will be a brick.

The default-deny policy has to be crafted in a way to allow the system to operate.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
If you block everything, then you might as well throw your system into the garbage because it will be a brick.

The default-deny policy has to be crafted in a way to allow the system to operate.
Yep, I know. :D

That's my point. Default-deny doesn't have to be very restrictive. If it blocks by default, it is default-deny to me. :D
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I guess TAM always trust KSN + Digitally signed applications... since TAM it's not a pure default deny (or anti-exe), it still checks KSN white listing and probably also if application is signed digitally... :unsure:
I am doing the same as you: TAM enabled + KSN enabled + Trust in digitally signed files disabled.
The only clear advantage I can see in "Trust in digitally signed files disabled" is when you manually unblock files that TAM did not allow. They will be assigned to an appropriate trust category without regard to their sig.

This also explains the lengthy misunderstanding that I had with other forum members in this thread over the function of TAM. They said that TAM causes files to be blocked totally, whereas I said that TAM often just assigns them to a lower trust category. I was talking about files that I manually allowed, either when I initially enabled TAM or later. Once you manually allow them, TAM ignores them, and the regular rules of Application Control apply instead. Please correct me if I am wrong.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
TAM it's not a pure default deny (or anti-exe), it still checks KSN white listing and probably also if application is signed digitally.
Personally, I don't see why that is so different from what Comodo firewall does, and they call themselves default-deny, even though they maintain a whitelist and also honor the sigs of about 10,000 vendors.
Also Avast "Hardened mode aggressive" maintains a massive whitelist, but people still seem to include it in the default-deny category.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
I am doing the same as you: TAM enabled + KSN enabled + Trust in digitally signed files disabled.
The only clear advantage I can see in "Trust in digitally signed files disabled" is when you manually unblock files that TAM did not allow. They will be assigned to an appropriate trust category without regard to their sig.

This also explains the lengthy misunderstanding that I had with other forum members in this thread over the function of TAM. They said that TAM causes files to be blocked totally, whereas I said that TAM often just assigns them to a lower trust category. I was talking about files that I manually allowed, either when I initially enabled TAM or later. Once you manually allow them, TAM ignores them, and the regular rules of Application Control apply instead. Please correct me if I am wrong.
As far as I remember in my experience with TAM, if the system is offline (no internet connection), TAM would usually block apps I already manually allowed.

For example:
1. I launch Pale Moon.
2. TAM (w/ internet connection) blocks Pale Moon's .dll.
3. Pale Moon is crippled (can't work properly).
4. I manually allow Pale Moon's .dll.
5. Pale Moon now launches/works okay.
6. I disable the internet (or a blackout happens).
7. I launch Pale Moon.
8. TAM blocks Pale Moon's .dll.
9. Pale Moon is crippled again.

This happened 90% of the time.
This was not limited to Pale Moon. I remember 7zip being blocked also.
But this seems to be non-reproducible by others. I think I'm the only one with this problem in the past.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Guys, I had the same problem. So, I made a quick test (in Shadow Defender) and I noticed that the difference is for files from the TAM snapshot. When TAM is activated, it makes a snapshot of executables by path. Those paths are excluded from reputation checking. If you copy the executable to the new location it will be checked by TAM. Also, all new executables are checked by TAM. For new executables, TAM works as default-deny if the file is not on the Kaspersky TAM whitelist.

For example, all executables from yet unpublished version of Hard_Configurator installed in my system, were automatically excluded from TAM, but recognized as Untrusted. I could run any of them. After copying to another folder, all of them were blocked by TAM.:giggle:(y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
We can call TAM as a smart Default Deny (similarly to H_C). To avoid false positives TAM uses:
  1. 'Dynamic Whitelisting'.
  2. 'Trusted chain' of an application.
  3. ‘Security corridor’ system to control individual applications (kind of anti-exploit).
It looks like TAM is based on similar reputation techniques as Windows SmartScreen with addition of ASR and Windows Exploit Guard. Yet, the rules for the vulnerable applications are predefined by Kaspersky and TAM is real-time (SmartScreen is on demand and only support files downloaded from the Internet).

Dynamic Whitelisting is the main protection component based on the Default Deny method. Essentially, it is an extensive and constantly updated knowledge base of existing applications. The database contains information on about one billion unique files, covering the overwhelming majority of popular applications, such as office packages, browsers, image viewers etc.

Trusted chain is a set of mechanisms that confirm or refute the legitimacy of an application based on certain characteristics, such as its compliance with application trust inheritance rules, the authenticity of the file’s digital signature and whether the file was downloaded from a trusted source.

For example:
  • if an application was created and launched by a trusted program, it is regarded as trusted.
  • The new version of the trusted application is considered trusted if it is digitally signed with a reputable digital signature. The compromised signatures are immediately removed from the database, even if the OS still regards them as trusted.
  • If the domain of the website from the application was downloaded is on the list of trusted domains (in most cases, these are domains of well-known software vendors), the object being downloaded is also deemed legitimate.
Security corridor.
It applies several protection mechanisms that monitor the operation of potentially vulnerable applications (document editors, web browsers, etc.) allowing only those operations which were implemented by the applications’ developers, making it virtually impossible to exploit vulnerabilities in these applications. In simpler words, Kaspersky Lab technologies are fully ‘aware’ of what a program should or shouldn’t do, making it operate in a kind of ‘secure corridor’, performing only a restricted range of functions.

 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
TAM can also handle the most dangerous file types blocked by SRP:
.bat, .cmd, .com, .exe, .js, .jse, .msc, .msi, .msp, .pif, .ps1, .reg, .scr, settingcontent-ms, .vbe, .vbs, .wsf, .wsh, (maybe also .dll and some more). Yet, it does not support a few dangerous file types, like: .chm, .hta, .lnk .
So, in the home environment with Windows 10, Kaspersky with activated TAM is probably very similar in preventing malware infections as WD + H_C. The second solution can be slightly more restrictive for programs initiated with standard rights. But, in the enterprises, the first has an advantage over the second when the attack comes from the local network with administrator privileges. (y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Does application control turned on make using a program like Voodoshield totally unnecessary to run along side KIS?
On Windows 10, VoodooShield is here in the role of a lover in the eternal triangle. Even without a lover, this marriage (Windows 10 + KIS) is not perfectly stable. However, in many cases (without a lover), such a marriage is known to be successful. There are also some happy triangles, so I do not want to discourage anybody. :giggle:
Anyway, If one likes VoodooShield, I would suggest a more stable relationship with Windows Defender. It is also very probable that VS can give WD more than it could give KIS.(y)
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top