Serious Discussion Kaspersky trusted vs high restricted setting.

gfgtkitkat34

Level 1
Thread author
Aug 14, 2024
40
I changed my Kaspersky intrusion prevention settings to untrusted/untrusted after reading that that option provides the best possible protection.

My question is what would happen if I put a trusted application (trusted by KSN) into the High Restricted group manually.

Also, let's just assume that something like VLC Player decided to go rogue and plant malware on users with a new update. Will Kaspersky be able to stop that if we added it to the High Restricted category before the update?

I'm just curious how high restricted differs from trusted and how it works.

Thank you for any assistance.
 

Bot

AI-powered Bot
Apr 21, 2016
4,533
When you manually move a trusted application to the high restricted group, Kaspersky will monitor its actions more closely and may restrict some of its activities.

If VLC Player, for instance, were to go rogue, placing it in the high restricted category would indeed provide an additional layer of protection. Kaspersky would restrict its activities and alert you of any suspicious behavior.

High restricted differs from trusted in that it applies stricter rules and monitors the application's activities more closely, thus providing a higher level of security.
 

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,956
My question is what would happen if I put a trusted application (trusted by KSN) into high restricted group manually.

This is very easy to check: just move VLC manually to High Restricted or directly to Untrusted.

In the last group, VLC directly won't run (it will be blocked), and in High Restricted it will probably have some issues while executing. It is very easy to check what restrictions will be applied:

Go to Intrusion Prevention -> Manage Applications, then select the High Restricted group, right mouse button -> Details and Rules, and check every tab there: Files and System Registry, Rights and Network Rules.
 

partha_roy

Level 3
Well-known
Oct 16, 2022
145
Also, let's just assume that something like VLC Player decided to go rogue and plant malware on users with a new update. Will Kaspersky be able to stop that if we added it into high restricted category before the update?
I believe the best approach is to consult Kaspersky's technical support. This is a complex one to answer in a straightforward way. Ideally, every software update should have a unique digital signature due to the altered hash value.

However, if a malicious update is released or the developer's private key used to create the digital signature is compromised, I'm unsure if Kaspersky's system watcher would detect it, specifically if the software is categorized as trusted. If it is in the high restricted group, detection might be more likely.

Kaspersky's behavior blocker or antivirus database might identify suspicious activity, such as creating child processes; however, there are too many potential scenarios to be completely certain.

This uncertainty is one reason why I'm hesitant about solely relying on the concept of trusted software.
 

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,956
That's why I have a "Hybrid Default Deny" approach, not trusting digitally signed apps, but doing so in KSN rules.

(KES 12.7 settings, but also working in K. home products).

I've already commented many times in this forum that this approach is quite restrictive and may block unsigned legit apps (or other apps that are unknown or have a low reputation in KSN, or even apps with the status "Certificated Status Trusted but not Approved"), of course during installation, but it's the line of defense; then you can find info online with other services, make sure the app is actually trusted, and then move it manually to the Trusted group in Intrusion Prevention.
 

Vitali Ortzi

Level 27
Verified
Top Poster
Well-known
Dec 12, 2016
1,641
That's why I have a "Hybrid Default Deny" approach, not trusting digitally signed apps, but doing so in KSN rules.

(KES 12.7 settings, but also working in K. home products).

I've already commented many times in this forum that this approach is quite restrictive and may block unsigned legit apps (or other apps that are unknown or have a low reputation in KSN, or even apps with the status "Certificated Status Trusted but not Approved"), of course during installation, but it's the line of defense; then you can find info online with other services, make sure the app is actually trusted, and then move it manually to the Trusted group in Intrusion Prevention.
KSN is amazing; they have the most accurate results, and that method would have fewer false positives than Comodo etc., as Kaspersky has a far bigger user base (although it lost a lot due to politics).

Anyway, can anyone do something similar with ESET?
Using LiveGuard-based default deny?
I'm not sure we even have something similar.
 

jamey910111

Level 2
Jun 7, 2024
97
That's why I have a "Hybrid Default Deny" approach, not trusting digitally signed apps, but doing so in KSN rules.

(KES 12.7 settings, but also working in K. home products).

I've already commented many times in this forum that this approach is quite restrictive and may block unsigned legit apps (or other apps that are unknown or have a low reputation in KSN, or even apps with the status "Certificated Status Trusted but not Approved"), of course during installation, but it's the line of defense; then you can find info online with other services, make sure the app is actually trusted, and then move it manually to the Trusted group in Intrusion Prevention.

The challenge I have with your approach is not that it blocks updates or an app from installing, but that I have no effective way of allowing that install or update to happen if I find the app is legitimate and not dangerous. Even if I whitelist the app, Kaspersky will usually still block it, which makes sense. The only workaround I've found is to change the whole category under Intrusion Prevention to more trust, or to trust digitally signed apps so the app installs, and only then make the settings more restrictive again.
 

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,956
Yes, you are right... as already said, this is a very strict approach...

We can find cases, for example, when updating to a new app version, where the new version is unknown, not signed, or has a low reputation in KSN, so our K. moves it directly to Untrusted, disrupting the update or the installation.

For such cases, I have a workaround that I already explained here in the past, though it may not be useful for all cases: create exclusions in Intrusion Prevention for the services / exe responsible for doing (or triggering) the update.

For example, I have this type of exclusion for tools such as PatchMyPC, RuckZuck or even UpdateHub. Why? Because sometimes some unsigned or unknown files are installed coming from the updates, so I have this:
 

gfgtkitkat34

Level 1
Thread author
Aug 14, 2024
40
Anyway, can anyone do something similar with ESET?
Using LiveGuard-based default deny?
I'm not sure we even have something similar.
I noticed Eset Live Guard gets so much attention lately; in any case, Kaspersky is far more effective at stopping unknown malware than Eset is, so we have that.
 

gfgtkitkat34

Level 1
Thread author
Aug 14, 2024
40
I believe the best approach is to consult Kaspersky's technical support.
That's what I thought first; however, in my experience, Kaspersky support usually doesn't know about these things. They are there to assist you with basic things involving the software. Anything other than that, and they might move your request to a Kaspersky engineer or a technical expert, and that will take a hell of a long time to get an answer in return.
 

gfgtkitkat34

Level 1
Thread author
Aug 14, 2024
40
In the last group, VLC directly won't run (it will be blocked), and in High Restricted it will probably have some issues while executing. It is very easy to check what restrictions will be applied
So basically, apps in the High Restricted group won't be able to modify system files, shut down the OS, or intrude into other processes.


Can I make the High Restricted group more restrictive by changing all rights to deny, except for start, like this?
 
