Serious Discussion Kaspersky trusted vs high restricted setting.

[gfgtkitkat34]

I changed my Kaspersky intrusion prevention settings to untrusted/untrusted after reading that that option provides the best possible protection.

My question is what would happen if I put a trusted application (trusted by KSN) into high restricted group manually.

Also, let's just assume that something like VLC Player decided to go rogue and plant malware on users with a new update. Will Kaspersky be able to stop that if we added it into high restricted category before the update?

I'm just curious how high restricted differs from trusted and how it works.

Thank you for any assistance.

 

[Bot]

When you manually move a trusted application to the high restricted group, Kaspersky will monitor its actions more closely and may restrict some of its activities.

If VLC Player, for instance, were to go rogue, placing it in the high restricted category would indeed provide an additional layer of protection. Kaspersky would restrict its activities and alert you of any suspicious behavior.

High restricted differs from trusted in that it applies stricter rules and monitors the application's activities more closely, thus providing a higher level of security.

 

[harlan4096]

My question is what would happen if I put a trusted application (trusted by KSN) into high restricted group manually.

This is very easy to check, just move VLC manually to High Restricted or directly to UnTrusted.

In the last group, directly VLC won't run (will be blocked), and in High Restrict, probably will have some issues while being executing. It is very easy to check what restrictions will be applied:



Go to Intrusion Prevention -> Manage Applications, then select High Redistricted group, right mouse button -> Details and Rules, and check every tab there: Files and System Registry, Rights and NetWork Rules.

 

[partha_roy]

Also, let's just assume that something like VLC Player decided to go rogue and plant malware on users with a new update. Will Kaspersky be able to stop that if we added it into high restricted category before the update?

I believe the best approach is to consult Kaspersky's technical support. This is a complex one to answer in a straightforward way. Ideally, every software update should have a unique digital signature due to the altered hash value.

However, if a malicious update is released or the developer's private key used to create the digital signature is compromised, I'm unsure if Kaspersky's system watcher would detect it, specifically if the software is categorized as trusted. If it is in the high restricted group, detection might be more likely.

Kaspersky's behavior blocker or antivirus database might identify suspicious activity, such as creating child processes; however, there are too many potential scenarios to be completely certain.

This uncertainty is one reason why I'm hesitant about solely relying on the concept of trusted software.

 

[harlan4096]

That's why I have a "Hybrid Default Deny" approach, not trusting in digitally signed apps, but doing so in KSN rules.


(KES 12.7 settings, but also working in K. home products).

I've already commented many times in this forum this approach it's quite restricted and may lead to block unsigned legit apps (or others app unknown or with low reputation in KSN, or even apps with status "Certificated Status Trusted but not Approved"), of course, during installation, but it's the line of defense, then You can find info online with other services and be sure that app is actually trusted, and then move it manually to Trusted group in Intrusion Prevention.

 

[Captain Awesome]

That's why I have a "Hybrid Default Deny" approach, not trusting in digitally signed apps, but doing so in KSN rules.

I have too... never trust fully on digitally signed application.

 

[Vitali Ortzi]

That's why I have a "Hybrid Default Deny" approach, not trusting in digitally signed apps, but doing so in KSN rules.

View attachment 286553
(KES 12.7 settings, but also working in K. home products).

I've already commented many times in this forum this approach it's quite restricted and may lead to block unsigned legit apps (or others app unknown or with low reputation in KSN, or even apps with status "Certificated Status Trusted but not Approved"), of course, during installation, but it's the line of defense, then You can find info online with other services and be sure that app is actually trusted, and then move it manually to Trusted group in Intrusion Prevention.

KSN is amazing they got the most accurate results and that method would have less false positives then comodo etc as Kaspersky has a far bigger userbase (although it lost a lot due to politics)

Anyway can anyone do something similar to eset ?
Using liveguard based default deny ?
I'm not sure we even have something similar

 

[jamey910111]

That's why I have a "Hybrid Default Deny" approach, not trusting in digitally signed apps, but doing so in KSN rules.

View attachment 286553
(KES 12.7 settings, but also working in K. home products).

I've already commented many times in this forum this approach it's quite restricted and may lead to block unsigned legit apps (or others app unknown or with low reputation in KSN, or even apps with status "Certificated Status Trusted but not Approved"), of course, during installation, but it's the line of defense, then You can find info online with other services and be sure that app is actually trusted, and then move it manually to Trusted group in Intrusion Prevention.

The challenge i have with your approach is not that it blocks updates or an app from installing but that i have no effective way of allowing that install or update to happen if i find the app is legitimate and not dangerous, even if i whitelist the app Kaspersky will block it still usually which makes sense - the only workaround ive found is to change the whole category under intrusion prevention to more trust or to trust digitally signed apps so app installs and only then make settings more restricted again

 

[harlan4096]

Yes, You are right... as already told, this is a very strict approach...

We can find cases, for example, when updating to a new app version, the new version app is unknown, not signed or low reputation in KSN, so our K. moves it directly to Untrusted, disrupting the updating or the installing.

For such cases, I have a workaround that I already explained here in the past, but maybe not useful for all cases, and it is to create exclusions in Intrusion Prevention, for the services / exe responsible for doing (or triggering) the update.

For example, I have this type of exclusion for tools such as PatchMyPC, RuckZuck or even UpdateHub, why? Because sometimes some not signed or unknown files are installed coming from the updates, so I have this:

 

[gfgtkitkat34]

Anyway can anyone do something similar to eset ?
Using liveguard based default deny ?
I'm not sure we even have something similar

I noticed Eset Live Guard gets so much attention lately; in any case, Kaspersky is far more effective at stopping unknown malware than Eset is, so we have that.

 

[gfgtkitkat34]

I believe the best approach is to consult Kaspersky's technical support.

That's what I thought first; however, in my experience, Kaspersky support usually doesn't know about these things. They are there to assist you with basic things involving the software. Anything other than that, and they might move your request to a Kaspersky engineer or a technical expert, and that will take a hell of a long time to get an answer in return.

 

[gfgtkitkat34]

In the last group, directly VLC won't run (will be blocked), and in High Restrict, probably will have some issues while being executing. It is very easy to check what restrictions will be applied

So basically, apps in a highly restricted group won't be able to modify system files, shut down the OS, and intrude into other processes.


Can I make high restricted group more restrict by changing all rights to deny, except for start, like this?

 

[harlan4096]

Yes, you can modify rights of any group with Your own rights...