Kaspersky Trusted Application Mode (TAM): Maximum Settings

[hjlbx]

Kaspersky's Trusted Application Mode (TAM) at maximum settings will protect the system.

Technical infos:

Basically,

Trusted Application Mode performs a system scan and, after a user review of the scan results, "white-lists" (= Allows) only those applications and scripts on the system that are included in the Kaspersky databases or approved by the user.

Any unknown files are by default blocked by TAM from start-up unless the user creates an exception allowing the file to run. In other words, TAM "black-lists" all unknown files except unrecognized system critical files (which require user verification and permission to run).

For best security...

The Trusted Application Mode scan must be run on a clean\dis-infected system; a completely clean system is critical for default-deny to work. A complete PC reset is the most reliable method to ensure an absolutely clean system. Then install Kaspersky and enable TAM.

1. The user must carefully review the TAM scan results to confirm no unwanted\malicious files\scripts are allowed on system.
2. User must configure Application Control, after the TAM scan, with the following settings:

• Automatically move unknown applications to "Untrusted."
• Dis-able "Trust digitally singed applications."
• Dis-able "Load rules for applications from Kaspersky Security Network (KSN)."

System "Lock-Down":

Using the above settings will block the installation\execution of any file\script - Trusted, Untrusted and Unknown - that was not already on the system prior to enabling TAM and permitted to run by the user during TAM's final configuration. That is how Default-Deny works in a nutshell.

The above settings "lock-down" the system. Password protect Kaspersky and no one can install anything on the system except the Kaspersky Administrator.

For best protection, it is recommended that the user completely finalize the custom configuration of their system prior to enabling Trusted Application Mode using maximum settings.

To Install Trustworthy Applications while Trusted Application Mode is Enabled:

To install a widely-used (> 10,000 users) application from a well-known, reputable software vendor, enable "Load application rules from Kaspersky Security Network (KSN)." Install the application. Open the app's interface and thoroughly review its functionality and configure its settings and enable components. This step is necessary to activate any modules not automatically loaded during initial installation and, most importantly, permits Kaspersky to create rules for those modules. When finished close the app, then re-disable the "Load application rules from Security Network (KSN)."

WARNING !

Using any other Trusted Application Mode settings will very likely allow the installation of malware.

Brief explanation...

The Kaspersky Security Network (KSN) is not infallible. Its database includes riskware, adware, scareware, spyware, etc. [All AV vendor file-rating databases include them due to a number of extremely difficult to overcome limitations.]

This is a limitation of file-rating databases generally and not negligence on Kaspersky's part in any way. In fact, Kaspersky does a solid job of screening and rating applications... but that process takes time.

A few factors that negatively impact Kaspersky Security Network application rules:

• A significant fraction of riskware\malware is digitally-singed with a valid certificate.
• Kaspersky users who do not know any better allow, as yet, unclassified malware\riskware to run on their systems; those allow rules are shared with KSN by opt-in users and generally KSN mimics those rules until the file is eventually rated as "Known Bad" via various means.
• The sheer volume of new applications compounds the above issue as well as slows down the speed of more sophisticated screening and/or more accurate group file-ratings.
• A particular application may have an extremely small number of users (< 1,000) which makes accurate assessment of the file a challenge.

The above factors apply to all AV vendors that reply upon user data to rate files and to automate the creation of app rules in their software.

My best advice - download an application's installer but do not install it immediately. Scan it at the end of at least two weeks of Quarantine (or better yet, if your AV has this capability - manually add it to Quarantine and allow your AV to re-scan it for a few weeks). If, at the end of Quarantine period, there is no signature detection then it will significantly reduce the probability of a serious system infection.

 

[Tony Cole]

Will Kaspersky block everything if I disable trust digitally signed applications? I have run all my applications all are trusted in Virus Total, but I had to add Samsung (god knows why!) portable SSD applications and Tweaking.com Windows repair. What I did find funny, on my old laptop Kaspersky blocked a few files from Office 365. I have gone back to Kaspersky on my new laptop, it kept blocking the NHS software I had to install, plus any Windows Metro app I brought.

 

[hjlbx]

Tony, added infos to OP.

 

[hjlbx]

No. It will still allow installation of files. I would use import rules from KSN.

Digital certificates are a crock. Lots of riskware has valid, paid-for certificates. Some malware has stolen, faked certificates. Meaning... digitally signed files are not absolutely trustworthy. Any app that is to be allowed to run on the system should receive at least some basic scrutiny... digitally signed or not.

Allowing the installation of digitally signed apps as a matter of policy is a very bad idea.

Kaspersky Engineers meant for that setting to be used judiciously.

In other words, you would use it only with signed installers from reputable vendor, reliable download sources, verified reputation of file in KSN, and maybe go so far as upload installer to VT for verification.

 

[Tony Cole]

Thanks, I have changed the setting. So if it's trusted, will application control give you a warning for each piece of software you try to install? I used Microsoft Autoruns with virus total enabled to check for untrusted applications.

 

[hjlbx]

Thanks, I have changed the setting. So if it's trusted, will application control give you a warning for each piece of software you try to install?

I used Microsoft Autoruns with virus total enabled to check for untrusted applications.

No alert. It just blocks everything and assigns it an "Untrusted" rule. However, you can always go to that rule and change it to "Allow, Low Restricted, or High Restricted" as you see fit. That is one way to do it.

or

You can delete the Untrusted rule. Change the Application Control setting to "Load rules from KSN" and then re-install the app.

The second method is better ... carefully re-read "How to install trusted apps with TAM at max setting" section in OP.

The hard part is remembering to re-disable "Load app rules from KSN."

When an application is installed, the installer typically utilizes the Temp folder. Kaspersky will typically assign any temp files to the Low Restricted. As the installation proceeds you will be bombarded by HIPS alerts... and likely have no clue what they mean.

The method I suggest averts this situation in most cases. However, in a case where KSN assigns a module to the Low or High Restricted then the user will either have a choice - proceed through all the HIPS alerts or Trust the application. Just because a module is assigned to the Low or High restricted zones does not automatically mean the file is malicious.

For example, a legitimate, highly regarded security app from Quarri is used by fewer than 20 Kaspersky users - as indicated by a KSN query. KSN assigns a couple of the modules to Low Restricted. I just move to Trusted zone. That's it.

Kaspersky is a complex piece of software... and the more alerts\techniques to accomplish tasks creates nothing but confusion and frustration for typical unknowledgeable, inexperienced user. But Kaspersky HIPS is better than most... in some ways it is the best and in others not so good (the HIPS alerts infos are indecipherable except to most skilled users).

There's a lot of ways for users to make mistakes with Kaspersky, but using the suggested settings with discipline protects the system. Although, I screw up and forget I changed the settings and have to redo an install or move an app from one zone to another.

TAM lock-down mode is high security.

 

[hjlbx]

For TAM... there should be a single radio button\tick-box "Allow softs installation" - On or Off.

Much more simple I think for their target customer = family.

 

[Tony Cole]

So I should also disable Load app rules from KSN, why is that? I'm just a little worried about when my graphics card updates as Kaspersky always adds it to untrusted, even though Nvidia is well known.

 

[hjlbx]

I used Microsoft Autoruns with virus total enabled to check for untrusted applications.

Do Google search for "VirusTotal Uploader." It's a plugin for FireFox and for others a tiny upload app so you can verify files on VT.

Plus can use VT Upload app to access download link directly and it uploads file without it ever being downloaded to your system.

 

[Tony Cole]

Is there any firewall settings I should change, i.e., packet rules?

 

[hjlbx]

So I should also disable Load app rules from KSN, why is that? I'm just a little worried about when my graphics card updates as Kaspersky always adds it to untrusted, even though Nvidia is well known.

For less known, less reputable files KSN might have "Allow" rule for reasons explained at bottom of OP.

As long as the graphics software is in the Trusted zone - which it should be since its from NVidia, AMD, etc - since they are all well-known, reputable software vendors - it will update normally.

It's all a bit of a rigmarole at first, but you will get used to it and do everything required without thought.

 

[hjlbx]

Is there any firewall settings I should change, i.e., packet rules?

http://malwaretips.com/threads/simp...ws-os-interpreter-security.43840/#post-363465

Do not mess about with the built-in firewall packet rules !

 

[Tony Cole]

I never understood how can KSN say it's trusted when only 10 people have used it, all very confusing?

 

[Tony Cole]

How do I add cmd.exe and the other rules to Kaspersky firewall?

 

[hjlbx]

I never understood how can KSN say it's trusted when only 10 people have used it, all very confusing?

If it's not trustworthy software, eventually it will get re-rated as more users restrict/block it and/or Kaspersky rates it as "Known Bad."

There is a complex algorithm that Kaspersky uses in rating files and assignment of rules that includes:

Number of users
What zone they assigned it to - Trusted, Low Restricted, High Restricted, Untrusted
Software vendor
Digital Certificate
Download source

There's probably a lot more to it than that, but that covers the most important.

The problem is valid digital certificates. As a practical matter blindly trusting digital certificates as an indicator that a file is trustworthy continues to be the way things work... but as you well know nowadays it's a really bad idea\practice for the end-user.

Yeah... it seems that to Kaspersky "Unknown" = 0 users, but really it means that the file is not in the KSN database which could mean if it was in there Kaspersky removed it or it was never in there to begin with (which is the same as 0 Kaspersky user data reported it).

 

[yigido]

It reminds me Comodo's Default Deny Great for Kaspersky Users, one of the best paid tool on the market.

 

[hjlbx]

How do I add cmd.exe and the other rules to Kaspersky firewall?

Open Windows Explorer. (Faster way is to use file search in CCleaner, Wise Care, Glary, etc if you use one of them).

In the search field enter each file name: e.g. java.exe (if you don't have java installed a search will return no result... you don't need it.)

After the search is complete, locate the app with these file paths:

C:\Windows\System32\java.exe - cmd.exe, wscript.exe, etc, etc

C:\Windows\SysWOW64\java.exe - cmd.exe, wscript.exe, etc, etc

Launch each app in both locations by double-clicking on it... this will create a trusted rule in Kaspersky.

Go to the Application Control management window.

In the search field enter each file name: e.g. java.exe

On each rule go over to Network and change from Inherit (light-green check) to Prompt (Gold question mark).

That's the rigmarole.

 

[hjlbx]

It reminds me Comodo's Default Deny Great for Kaspersky Users, one of the best paid tool on the market.

Hey Yigido...

Comodo and Kaspersky only ones that offer it in a suite.

Default-Deny is the only way to go nowadays... IMHO.

Best way to stop user from making bad choices ... whether deliberate or not.

Particularly good for family suite... kids.

 

[Tony Cole]

Will this block windows updates etc.,?

 

[hjlbx]

Will this block windows updates etc.,?

It should not.

Remember, anything that was on your system prior to the TAM scan is "white-listed"\trusted ... so no restrictions or blocks should be placed on those components.

Everything that was on your system prior to the TAM scan should be able to update as normal.