McMcbrad - Oct 16, 2020
Kaspersky protection is centred around the HuMachine concept. More on that can be learned here:
www.kaspersky.com

What is HuMachine?
The essence of the HuMachine concept is a fusion of big data, machine learning, and our analysts’ expertise. But what is behind these words?

The results I saw on my Kaspersky tests can't be matched with any other vendor.
Kaspersky Total Security includes the powerful module Application Control.
Depending on the configuration, this module can provide:
- Default-deny protection against executables, java apps, scripts and installers.
- Ransomware protection
- Credentials stealing/exfiltration protection.
This is the default configuration:
And that's how it should be to activate the deny-by-default approach.
This approach is perfect for average users and happy clickers and is guaranteed to block all threats affecting home users' environments.
If this approach is not for you due to risk of false positives (though I didn't see many), additional folders can be added as protected resources.
Some suggestions of how it can be configured:
- A group named "Sensitive Data" can be created under "Manage Resources". This can be set to block reading, writing, creating and deletion of files from apps placed in the Low Restricted, High Restricted and Untrusted groups. This will protect sensitive data from sensitive file exfiltration. The setup should look like below:
- A group named "Browser Repositories" might be created. Browser repositories are located in %userprofile%\appdata\local\<BrowserName>, e.g. C:\users\kikimora\AppData\Local\Microsoft Edge. This group can have the same settings, as access is only necessary through the browser executable, which is signed and will always be trusted. Low Restricted, High Restricted and Untrusted can be blocked from access completely. This will prevent browser history, cookies and credentials stealing.
- A group named "Ransomware Protected" might be created. Here you can place folders that contain photos, documents and other files that are not that sensitive, but their integrity is crucial. I personally would keep the same setup as above as it's the most secure, but depending on the apps you work with, you might need to tweak that. For example, you might allow Low-Restricted processes to read data, without being able to write, delete or create. This still prevents ransomware from working properly.
Threats can inject code in other processes space. This way, it will look like a very trusted app is trying to access crucial information.
Fortunately, Kaspersky is configured to issue a prompt when a not-so-trusted application tries to perform this action. Advanced users can still send untrusted code to the "Low Restricted" group and answer the prompts in an informed way.
If you are a user of Kaspersky Security Cloud Free, which doesn't include Application Control or the whole concept just doesn't fit your preferences for any reason, there are many other layers of protection, which have all proven to be very effective.
The methodology of the test is as with other reviews:
To conclude how good the protection is, I test a product continuously for 14 days.
To perform the test I use samples and links collected from several sources, such as any.run, Hybrid Analysis, MalwareBazaar and others. I have several emails that have been breached and registered on not-so-trustworthy websites, so these receive a vast amount of phishing emails. I analyse relations on VirusTotal and discover more and more malware and links.
Every day the test includes:
- 5 Phishing Links
- 5 Malicious Links
- 5 Malware Executables (*.exe files)
- 5 Malicious Word/Excel Documents
- 5 Scripts that abuse Windows processes
- 5 Loaders that rely on PowerShell. I do not download these, but rather copy and paste the code into PowerShell.
- A few Java malware files (*.jar)
I do not handpick links, but I specifically choose samples that are more difficult to detect (evasive, compressed, packed etc.). It's not necessary for these samples to be 0-days, but they should be prevalent.
The test has 2 outcomes - success (everything blocked) or failure (something has been missed).
A product must block everything to be successful.
It's not necessary for the malware sample to be deleted - for example blocking a loader from downloading any additional files is good enough.
At the end I use Hitman Pro, Norton Power Eraser and RogueKiller, as well as various utilities such as Process Explorer, to establish whether everything has been blocked (when a behavioural blocker has been involved).
In case of ransomware, products that support Secure Folders should keep the selected folders unencrypted.
I discard PUPs from the test, due to the fact that different vendors have different understandings of what a PUP is. I consider misleading applications a form of malware.
As a last stage of the test I usually register a service, a scheduled task and auto-run pointing to a malware sample and containing malicious PowerShell code. I perform a scan and then check whether everything has been removed.
From time to time I can come up with other tests. These will be discussed in separate threads.
I increased Kaspersky's heuristic sensitivity to MAX level, as this is a cloud-reputation enhanced product with a large user base and can't produce too many false positives. At the same time, the highest level of protection will detect packing, obfuscation and other methods used to evade detection.
Kaspersky Total Security is the only product that blocked all malware I could find and download, including scripts, ransomware and fileless credential stealers. Phishing protection was impressive, with only one link from my email inbox being missed. What's interesting here is that Kaspersky also employs a database of remote access software websites, such as helpme(.)net. These websites are not malicious, but scammers use them to trick victims into downloading remote control software, which is then used to convince the victim that problems exist and payment to fix them is needed.
Elderly people are especially vulnerable to this whole scheme and this protection is an absolute must. I am not aware of any other product besides Malwarebytes Browser Guard and McAfee Web Advisor that blocks/warns against these websites. Kaspersky's Web Antivirus features various heuristics that block scam webpages boosted with hijacking and locking capabilities. I couldn't find a page with an undetected script, and this is largely due to scammers using years-old JavaScript.
In case you are not using Application Control and all methods of detection have failed (very unlikely), there is another layer of defence that rolls back actions in a time-machine sort of way.
I tested Kaspersky System Watcher against 4 different C++ custom ransomware(s) that I have created. I turned Application Control off, as it automatically restricts them.
System Watcher was able to block all 4 of them and roll back the encryption of my files. It was very difficult to test it against already available commercial ransomware, as it always triggers one sort of heuristic detection or another.
System Watcher is very aggressive towards programs and scripts that initiate connections to known C&C servers and starts removal/termination immediately. It starts removal immediately if a program downloads/drops a file that is detected by standard antivirus or behavioural blocking. This was proven when I tested the products with the fileless Tesla scripts.
That being said, Kaspersky's removal is also the best I've seen. I disabled Kaspersky entirely and executed threats already pre-analysed in a sandbox, whose files and registry entries were known. As soon as Kaspersky was enabled, removal of all registry entries, files, folders and scheduled tasks was initiated. To further test the removal, I set a custom ransomware to also create a folder AppData\BrowserServiceHost and then register this as a service and scheduled task and create a shortcut to this file on the desktop. All actions were undone.
Due to Kaspersky's heuristics, reputation detection, advanced malware removal and spotless behavioural blocker with rollback abilities, this product deserves the highest score in protection.
Nobody likes to wait, and great protection that comes with a non-negligible performance hit is bound to be uninstalled/disabled.
Kaspersky however is light and all system activities feel speedy and smooth.
During Idle:
During Scan:
During browsing it goes up to 4%, which is tolerable.
Kaspersky settings can be further tweaked to increase performance, though this is not recommended.
One of the most notable features is Kaspersky's ability to block ads, trackers and other annoyances.
Webcam Protection is a spin-off of Application Control and blocks untrusted apps from engaging in spyware activities. Webcam Protection can never be fully implemented in any product and, using NJRAT and Orcus server, I was able to bypass it once the RAT is running. However, these are very well blocked by every layer of defence and this feature borders on gimmicky.
Safe Money is Kaspersky's secure browser where online shopping and banking activities are to be carried out, away from suspicious extensions and process hooks.
Even for standard browser processes, Kaspersky Total Security provides effective keylogging protection.
More about this feature can be learned here: About protection of data entered on the computer keyboard (support.kaspersky.com)
Backup and restore module is included and supports various cloud-storage spaces, especially if the service has a user agent with drive mount capabilities.
Since the product can protect against ransomware but can't stop HDD/SSD failure, usage of this feature is highly recommended.
Software Updater, Encryption Vaults, Vulnerability Scan and File Shredder are all included for users who need them.
Network monitor might be useful for advanced users to track what's going on with their apps and system.
Network Attack Blocker is also included to block common vulnerabilities from being exploited, though I didn't manage to trigger this feature.
Very detailed reports on every activity are generated and stored and can be accessed by clicking on Tools -> Reports.
Password Manager and VPN are included as well, though VPN is very limited (200 MB/day) and serves more for marketing than anything else. It might be enough to carry out one quick banking or shopping session.
Kaspersky's alerts are unobtrusive and infrequent (if standard trial nags are not counted).
One thing I disliked is that malware removal generates an individual alert for each deleted object. E.g. Heur:Trojan.Agent has created 10 files and 10 registry entries; Kaspersky will in that case display 20 "Object Deleted" alerts plus a prompt whether or not it should reboot the system. This might cause panic in individual users, but given the product's high prevention abilities, they may never see this sort of alert.
That behaviour aside, the product will hardly ever be noticed or in need of user interaction.
After all my tests and reviews of last year's products, I am ready to give some of them an improvised award.
The first category is Best Free Protection.
Awarded are:
1. Microsoft Defender + ASR rules
This configuration not only provides free protection with no alerts and nags, but also features very effective behavioural-based/ML detection, quick reaction to new threats and reduces the attack surface to a minimum (in a home environment). It can easily be coupled with tools such as Malwarebytes Browser Guard or Bitdefender TrafficLight to reduce exposure to phishing and other malicious URLs.
The ASR rules can be enabled via @Andy Ful Configure_Defender.
2. Kaspersky Security Cloud Free
Kaspersky Security Cloud Free provides excellent protection at no cost and is quiet, with no alerts and nags. Though attack surface reduction is not available, effective detection and web antivirus will be sufficient for most users. Quick reaction time to new threats, a large user and cloud base and a vast amount of innovation behind every layer of defence make this product an excellent choice.
3. AVG Antivirus Free
The free AVG antivirus includes effective Web-Blocker (Web Shield), ransomware protection shield, Cyber-Capture and hardened mode to protect against unknown executables. However, the product displays more alerts than usual and this makes Microsoft Defender, and Kaspersky Security Cloud Free a much better choice.
Second category is Best Paid Protection:
Awards go to:
1. Kaspersky Internet/Total Security or Kaspersky Security Cloud
Kaspersky offers an unmatched level of protection coupled with high performance and ease-of-use. No area has been overlooked/over-developed on the account of others and this makes Kaspersky the perfect all-rounder.
Overall Rating: 5/5
2. AVG Internet Security
Together with the high detection already included in the free version, Internet Security features Password Protection Shield, Remote Connection Shield, Webcam Shield and Fake Websites Shield.
Though some of these are gimmicky, others like Password Protection and Sensitive Data protection can reduce the risk of exfiltration in the event of malware evading other layers. Very effective behavioural blocking, quick reaction time and above-average scripting protection render this product sufficient to protect a home user.
Overall Rating: 4/5
3. Bitdefender Total Security
The product shines with great performance and protection and a large array of features. However, slower reaction to new threats than the other two opponents, plus the hit-and-miss performance of ransomware remediation, place this product last with the lowest rating.
Overall Rating: 3.5/5
Most Progressive & Loved for 2020:
1. F-Secure Safe
No bloatware, no hassle, huge improvements in performance area and privacy consciousness ensure this product the first place in this category.
2. ESET Smart Security
This is another product with no bloatware, great web-filtering and light on system resources. Effective signatures and machine learning keep ESET tough on threats and easy on users.
3. Trend Micro Maximum Security
Not too popular amongst users, but Trend Micro has greatly improved the performance of their products in the 2021 edition. The product is very easy to use, rarely shows any alerts and when it does, they don't require an action. There are not too many features that divert from the main purpose of protecting Confidentiality, Integrity and Availability of data and Web-Protection is highly-effective.
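The last stage of the test methodology above (register a service, a scheduled task and an auto-run pointing at a sample, run a scan, then check whether everything was removed) can be verified from the console rather than by eye. The following PowerShell script is an added example written for this page; it is not part of the post and not a Kaspersky tool. It enumerates services, scheduled task actions, the per-user and machine-wide Run/RunOnce keys and desktop shortcuts, and reports any entry whose target still references a given path fragment. The function name Find-PersistenceReferences and the output layout are assumptions of this example; the folder name BrowserServiceHost is the one the post's custom-ransomware test used.

```powershell
# Added example (not from the post): after remediation, confirm that no
# service, scheduled task, auto-run entry or desktop shortcut still points
# at the test artefact. Run in an elevated PowerShell on the test machine.

function Find-PersistenceReferences {
    param(
        # Regex fragment to look for in each persistence target, e.g. 'BrowserServiceHost'
        [Parameter(Mandatory)] [string] $Pattern
    )
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Services: Win32_Service exposes the binary path of every registered service.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match $Pattern } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{ Type = 'Service'; Name = $_.Name; Target = $_.PathName })
        }

    # 2. Scheduled tasks: inspect the program and arguments of every action.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $target = "$($action.Execute) $($action.Arguments)"
            if ($target -match $Pattern) {
                $hits.Add([pscustomobject]@{
                    Type   = 'ScheduledTask'
                    Name   = "$($task.TaskPath)$($task.TaskName)"
                    Target = $target
                })
            }
        }
    }

    # 3. Auto-run registry keys (per-user and machine-wide Run/RunOnce).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        # Get-ItemProperty adds PSPath/PSParentPath/... properties; drop those.
        $values = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }
        foreach ($v in $values) {
            if ("$($v.Value)" -match $Pattern) {
                $hits.Add([pscustomobject]@{ Type = 'AutoRun'; Name = "$key\$($v.Name)"; Target = $v.Value })
            }
        }
    }

    # 4. Desktop shortcuts: resolve each .lnk target through WScript.Shell.
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path "$env:USERPROFILE\Desktop" -Filter '*.lnk' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ("$($lnk.TargetPath) $($lnk.Arguments)" -match $Pattern) {
                $hits.Add([pscustomobject]@{ Type = 'Shortcut'; Name = $_.Name; Target = $lnk.TargetPath })
            }
        }

    return $hits
}

# Usage: the folder name comes from the custom-ransomware removal test in the post.
$leftovers = Find-PersistenceReferences -Pattern 'BrowserServiceHost'
if ($leftovers.Count -eq 0) {
    Write-Output 'No service, scheduled task, auto-run entry or shortcut still references the pattern.'
} else {
    $leftovers | Format-Table -AutoSize
}
```

An empty result is the "everything removed" outcome the methodology asks for; any row that remains names the exact object (service, task path, registry value or shortcut) that the product's remediation left behind, which is more useful than a pass/fail when comparing products.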