Kaspersky x64 bit Protection

For the record, Kaspersky may have limitations in its x64 protection capabilities, but it's not a total failure; rather, it's designed so that you and other users who use common sense and the knowledge gained from reading the manuals will be much safer and more aware of what is happening, and won't depend too much on AV protection.
 

Very well said...
 
Ready for the official (yeah right) Kaspersky tech answer:

"Tony we thank you for contacting Kaspersky support and understand your concerns. I would like to point you to the following Kaspersky support website section (web link below) which details our software’s compatibility with Windows 32 and 64bit architecture. I would like to assure you that you are no less protected than any other Kaspersky Labs user" http://support.kaspersky.com/general/products/495
Many thanks, Kaspersky Support.

I put the quotes in. So there we have their answer. Only took them a week to reply.
 
Even for paying customers, Kaspersky Technical Support can be really slow.

The only way you're going to get super-fast service out of Kaspersky is to purchase Enterprise version + Tech Support (additional $) priority.

It's best not to expect too much out of tech support - it is a difficult situation all the way around, for both the vendor and the client.

Ideally, learn how to fix stuff yourself... if I can't get something to work after trying hard to fix it, then I've learned it is best to try some other product.... no matter how much I wanted it to work.
 

If I had to use Kaspersky, then I would not use TAM or other Kaspersky settings to lock system down.

I like Emsisoft Internet Security better - but it doesn't have some of Kaspersky's advanced protections; for typical use Emsisoft is enough.

In either case, I would use an anti-executable to lock system down and anti-exploit to protect at least the browser.

Given the choice, I choose Emsisoft...
 
As has been said before in this thread, Kaspersky does not have full x64 protection because of Microsoft Windows Kernel Patch Guard... Kaspersky in general usually follows all of Microsoft's security considerations about their products. I think Kaspersky warns clearly enough about it in their product manual.

Even SandBoxie has the same limitations in x64:

http://www.sandboxie.com/index.php?NotesAbout64BitEdition
http://www.sandboxie.com/index.php?ExperimentalProtection

I don't know whether the other security suites follow Microsoft's considerations about Kernel Patch Guard and/or warn in their product manuals about these limitations on Microsoft x64 systems...
Which is why Kaspersky may use other techniques like DLL injection (they can use this for e.g. Import Address Table hooking).

PatchGuard prevents SSDT hooking and unsigned drivers being loaded on 64-bit systems. However, there are ways to do SSDT hooking on 64-bit regardless, but no security vendor would do so, as it would be bad to do it.
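To make the post above concrete, here is an added example (not code from the thread, from Kaspersky, or from any vendor) of the user-mode alternative it mentions: an Import Address Table hook. The IAT is a table of function pointers the PE loader fills in at load time, so an injected DLL can redirect an API by overwriting one slot, without touching the kernel and therefore without tripping PatchGuard. The IAT, the "system export" and the protected-path policy here are all simulated in-process so the code is portable; a real hook DLL locates the slot by walking IMAGE_DIRECTORY_ENTRY_IMPORT and must call VirtualProtect() before writing to the read-only .idata page. All names (sys_open_file, hooked_open_file, g_iat) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Generic function pointer type for IAT slots; converting between function
 * pointer types is well defined as long as the call uses the right type. */
typedef void (*generic_fn)(void);
typedef int (*open_fn)(const char *path, int write);

/* Stand-in for an export of a system DLL (think kernel32!CreateFileW).
 * Constructed for the example: returns a fake handle (7) or -1 on failure. */
static int sys_open_file(const char *path, int write)
{
    (void)write;
    return path[0] == '\0' ? -1 : 7;
}

/* Simulated IAT: import name -> resolved address, as the loader fills it in. */
struct iat_entry { const char *name; generic_fn addr; };

static struct iat_entry g_iat[] = {
    { "sys_open_file", (generic_fn)sys_open_file },
};
#define IAT_COUNT (sizeof g_iat / sizeof g_iat[0])

static struct iat_entry *iat_find(const char *name)
{
    for (size_t i = 0; i < IAT_COUNT; i++)
        if (strcmp(g_iat[i].name, name) == 0)
            return &g_iat[i];
    return NULL;
}

/* Application code reaches imports through the IAT slot; that indirection
 * is exactly what makes the slot a hooking point. */
static int app_open_file(const char *path, int write)
{
    struct iat_entry *e = iat_find("sys_open_file");
    return ((open_fn)e->addr)(path, write);
}

/* ---- the "injected DLL" side ---- */
static open_fn g_original_open;   /* saved so the hook can chain to the real API */
static int g_blocked_calls;

static int hooked_open_file(const char *path, int write)
{
    static const char protected_dir[] = "C:\\Windows\\System32\\";
    /* Policy: refuse write access under a protected directory, pass the rest through. */
    if (write && strncmp(path, protected_dir, sizeof protected_dir - 1) == 0) {
        g_blocked_calls++;
        return -1;
    }
    return g_original_open(path, write);
}

/* Overwrite the IAT slot and hand back the genuine address. Returns 0 on success,
 * -1 if the import is unknown or already hooked by us. */
int install_iat_hook(const char *name, generic_fn hook, generic_fn *saved_original)
{
    struct iat_entry *e = iat_find(name);
    if (e == NULL || e->addr == hook)
        return -1;
    *saved_original = e->addr;
    e->addr = hook;
    return 0;
}

/* The check a hook scanner (defensive or offensive) runs: does the slot still
 * point at the genuine export? Returns 1 if it has been redirected. */
int iat_slot_is_hooked(const char *name, generic_fn genuine)
{
    struct iat_entry *e = iat_find(name);
    return e != NULL && e->addr != genuine;
}

int get_blocked_calls(void) { return g_blocked_calls; }

int main(void)
{
    generic_fn orig = NULL;
    printf("before hook: %d\n", app_open_file("C:\\Windows\\System32\\drivers\\x.sys", 1));
    install_iat_hook("sys_open_file", (generic_fn)hooked_open_file, &orig);
    g_original_open = (open_fn)orig;
    printf("after hook (protected): %d\n", app_open_file("C:\\Windows\\System32\\drivers\\x.sys", 1));
    printf("after hook (user file): %d\n", app_open_file("C:\\Users\\tony\\notes.txt", 1));
    printf("slot hooked: %d\n", iat_slot_is_hooked("sys_open_file", (generic_fn)sys_open_file));
    return 0;
}
```

The weakness of this approach is visible in the code: the hook only sees calls that go through the patched slot, so code that resolves the API itself (GetProcAddress, manual export walking) or issues the system call directly never hits it, and anything running at the same privilege level can simply restore the slot. That is the practical cost of staying out of the kernel on x64.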
 
Thanks hjlbx for the help/advice. What is the best anti-executable? I am using Malwarebytes Anti-Exploit Pro and HitmanPro.Alert, plus CryptoPrevent and Malwarebytes Anti-Malware Pro, but I never know whether this is enough, especially against the newer CryptoLockers.

Basically there are three options: AppGuard, NoVirusThanks Exe Radar Pro and VooDooShield.

VDS is currently in beta - but betas have been fairly good.

NVT EXP - also in beta, but betas are essentially unproblematic.

AppGuard - has best protections, but configuration for Lock-Down mode is a hassle; Medium Mode will work fine.

In this category it is a difficult choice as they are all good and each one has features I like.

If your system is configured and you will not change it very often then AG or NVT ERP.

If you change configuration on a frequent basis then VDS.

I use all 3... each one on a different system.

Some people use AppGuard and ERP or VDS... to me that is just plain unnecessary / super overkill.
 
Got another reply from the senior tech:

Thank you for your patience.

Our experts have contacted us and have provided us with the following:

Kaspersky does indeed have HIPS restrictions for x64 operating systems. These restrictions are mentioned in the product’s user guide, which is available for all our customers and can be found here: http://docs.kaspersky-labs.com/english/kis2015_userguide_en.pdf (pages 69-70).

But apart from HIPS, there are other components which provide security in this case - File-Anti-Virus, Heuristics, System Watcher, the Kaspersky Firewall.

With regards to FinFisher, we do indeed detect FinFisher despite the company developing this program legally.

Please do not hesitate to contact us if you have any further questions.
 
Kaspersky detects FinFisher now, but it couldn't and didn't - back when it was released to WikiLeaks...
 
In total, is there any way to improve protection on an x64 machine using Kaspersky?
 

As far as I'm concerned, Application Control privileges will be your fallback option for enhancing the configuration; it needs a bit of effort and analysis to come up with a good result.
 
I don't know; he just told me that there are other functions built into the application, i.e. File Anti-Virus, Heuristics, System Watcher and the Kaspersky Firewall, so you configure these to max settings. I have System Watcher exploit protection set to Block, and in Application Activity Control, with "Select action automatically", rollback of malware actions set to Rollback. Trusted Applications Mode really does not work: applications which are whitelisted suddenly move to untrusted.
 
Kaspersky does have limitations on x64 platforms, but so does every other security vendor. When they don't mention their limitations, it doesn't mean that they don't exist. In fact, several vendors have complained about PatchGuard limiting their AV, including big names like Symantec and McAfee.

Anyway, I have personally seen Kaspersky utilising extremely interesting techniques to work around many of the limitations imposed by patchguard. I don't think you have a need to worry. :)
 
I found this:

Some computer security software, such as McAfee's McAfee VirusScan and Symantec's Norton AntiVirus, works by patching the kernel.[citation needed] Additionally, anti-virus software authored by Kaspersky Lab has been known to make extensive use of kernel code patching on x86 editions of Windows.[15] This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection.[16] Because of this, McAfee called for Microsoft to either remove KPP from Windows entirely or make exceptions for software made by trusted companies such as themselves.[3]

Interestingly, Symantec's corporate antivirus software[17] and Norton 2010 range and beyond [18] does work on x64 editions of Windows despite KPP's restrictions, although with less ability to provide protection against zero-day malware. Antivirus software made by competitors ESET,[19] Trend Micro,[20] Grisoft AVG,[21] avast!, Avira Anti-Vir and Sophos do not patch the kernel in default configurations, but may patch the kernel when features such as "advanced process protection" or "prevent unauthorized termination of processes" are enabled.

I wonder how Sandboxie was able to deal with this problem?
 
Be aware that when software manipulates the kernel by creating hooks, it creates a vulnerability that can be exploited; the security software's hooks become the attack vector. Many security programs are buggy and not as safe as they should be.
 

Sandboxie works by using windows integrity levels. It basically runs sandboxed programs as "Untrusted", and all its actions are controlled by the sandboxie driver. Basically, it uses the same technique as Chrome's sandbox, just that it is enforced by a kernel driver and implements some other security feature.
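The post above says Sandboxie runs programs as "Untrusted" and leans on Windows integrity levels. The following is an added example, not Sandboxie's or Chrome's code, modelling the mandatory integrity check the Windows kernel applies before it even looks at the DACL. The RID and policy constants are the real winnt.h values; the objects (a Documents folder, the LocalLow directory, an explorer.exe process, a sandbox working directory) are constructed for the example, and the check is simplified: the real kernel also evaluates the discretionary ACL, and Sandboxie's driver additionally redirects writes into its own sandbox folder rather than relying on labels alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Integrity level RIDs from winnt.h; the label SID is S-1-16-<rid>. */
#define SECURITY_MANDATORY_UNTRUSTED_RID 0x0000u
#define SECURITY_MANDATORY_LOW_RID       0x1000u
#define SECURITY_MANDATORY_MEDIUM_RID    0x2000u
#define SECURITY_MANDATORY_HIGH_RID      0x3000u
#define SECURITY_MANDATORY_SYSTEM_RID    0x4000u

/* Policy bits carried by an object's SYSTEM_MANDATORY_LABEL_ACE (winnt.h). */
#define SYSTEM_MANDATORY_LABEL_NO_WRITE_UP   0x1u
#define SYSTEM_MANDATORY_LABEL_NO_READ_UP    0x2u
#define SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP 0x4u

enum access_kind { ACCESS_READ = 1, ACCESS_WRITE = 2, ACCESS_EXECUTE = 4 };

struct object {
    const char *name;
    int has_label;      /* objects with no label are treated as Medium, no-write-up */
    uint32_t label;
    uint32_t policy;
};

/* Simplified model of the kernel's mandatory label step. Returns 1 if the
 * integrity check passes; the DACL is still evaluated after this in Windows. */
int mic_allowed(uint32_t subject_level, const struct object *obj, unsigned access)
{
    uint32_t label  = obj->has_label ? obj->label  : SECURITY_MANDATORY_MEDIUM_RID;
    uint32_t policy = obj->has_label ? obj->policy : SYSTEM_MANDATORY_LABEL_NO_WRITE_UP;

    if (subject_level >= label)
        return 1;   /* equal or higher integrity: the label imposes nothing */

    if ((access & ACCESS_WRITE)   && (policy & SYSTEM_MANDATORY_LABEL_NO_WRITE_UP))   return 0;
    if ((access & ACCESS_READ)    && (policy & SYSTEM_MANDATORY_LABEL_NO_READ_UP))    return 0;
    if ((access & ACCESS_EXECUTE) && (policy & SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)) return 0;
    return 1;
}

/* Constructed objects for the example (not real labels read from a system). */
static const struct object g_objects[] = {
    /* A user's Documents folder: NTFS files normally carry no label at all. */
    { "Documents",      0, 0, 0 },
    /* %LOCALAPPDATA%Low is labelled Low so Low-integrity apps have somewhere to write. */
    { "LocalLow",       1, SECURITY_MANDATORY_LOW_RID,
                           SYSTEM_MANDATORY_LABEL_NO_WRITE_UP },
    /* Process objects get no-read-up as well as no-write-up by default. */
    { "explorer.exe",   1, SECURITY_MANDATORY_MEDIUM_RID,
                           SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SYSTEM_MANDATORY_LABEL_NO_READ_UP },
    /* Hypothetical directory a sandbox labels Untrusted for its own process. */
    { "SandboxWorkdir", 1, SECURITY_MANDATORY_UNTRUSTED_RID,
                           SYSTEM_MANDATORY_LABEL_NO_WRITE_UP },
};
#define OBJECT_COUNT (sizeof g_objects / sizeof g_objects[0])

/* Look an object up by name and run the check. Returns 1 allowed, 0 denied, -1 unknown object. */
int sandbox_check(uint32_t subject_level, const char *object_name, unsigned access)
{
    for (size_t i = 0; i < OBJECT_COUNT; i++)
        if (strcmp(g_objects[i].name, object_name) == 0)
            return mic_allowed(subject_level, &g_objects[i], access);
    return -1;
}

int main(void)
{
    uint32_t sandboxed = SECURITY_MANDATORY_UNTRUSTED_RID;   /* a Sandboxie-style process */
    printf("untrusted write Documents:    %d\n", sandbox_check(sandboxed, "Documents", ACCESS_WRITE));
    printf("untrusted read  Documents:    %d\n", sandbox_check(sandboxed, "Documents", ACCESS_READ));
    printf("untrusted read  explorer.exe: %d\n", sandbox_check(sandboxed, "explorer.exe", ACCESS_READ));
    printf("untrusted write SandboxWorkdir: %d\n", sandbox_check(sandboxed, "SandboxWorkdir", ACCESS_WRITE));
    printf("low write LocalLow:           %d\n", sandbox_check(SECURITY_MANDATORY_LOW_RID, "LocalLow", ACCESS_WRITE));
    return 0;
}
```

The two results worth noticing are that the Untrusted process is refused writes to the user's files and refused handles to Medium processes, but is still allowed to read ordinary files, because the default file policy is no-write-up only. That gap is why a sandbox that also wants to keep secrets away from the sandboxed program needs its own driver-level filtering on top of the integrity labels.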
 
I've heard that Kaspersky buries itself deep within the system; is that a good thing? Nico@FMA seems to think so. You must have to implement such countermeasures to stop advanced threats, i.e. rootkits and ransomware.
 