Kaspersky x64 bit Protection

Status
Not open for further replies.

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
I'm not sure, because the only tweak @CruelSister did to KIS2016 (if I remember well) was to change to High Restricted/UnTrusted new unknown applications in "Application Control", all the others settings by default...

There is an additional setting in Performance (by default is on) that CS left by default: Release resources to the operating when the operating system starts, which I disabled, to improve protection, but it seems it only affects/blocks networks attempts during Windows boot...

But don't know even whether with that strong settings would pass the CS test... I think KL developers took note of that attack, but We don't/can't know for now whether They fixed it yet or in the upcoming 2017.

Maybe with this stronger settings the sample CS ran before reboot in the test, would not have enough privileges to make changes in the system to get autorun during Windows boot system, but this is just an speculative thought :D
 
Last edited:
  • Like
Reactions: shukla44
H

hjlbx

Does AppGuard and WinAntiRansom Plus work with Kaspersky? But after cruelsister(s) it shows that even Kaspersky can fail on droppers that cause system reboots, it should be sent to Kaspersky to fix the issues and not ignore them. But, hey I'm sure Eugene really cares.

If you use AppGuard in Lock Down mode with Kaspersky, then you are covered.

I've never combo 'd the two, but I would bet there won't be any unfixable issue.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I'm not sure, because the only tweak CruelSister did to KIS2016 (if I remember well) was to change to High Restricted/UnTrusted new unknown applications in "Application Control", all the others settings by default...

There is an additional setting in Performance (by default is on) that CS left by default: Release resources to the operating when the operating system starts, which I disabled, to improve protection, but it seems it only affects/blocks networks attempts during Windows boot...

But don't know even whether with that strong settings would pass the CS test... I think KL developers took note of that attack, but We don't/can't know for now whether They fixed it yet or in the upcoming 2017.

Maybe with this stronger settings the sample CS ran before reboot in the test, would not have enough privileges to make changes in the system to get autorun during Windows boot system, but this is just an speculative thought :D
shouldn't TAM, even at its default settings, stop this kind of attack?
 
H

hjlbx

shouldn't TAM, even at its default settings, stop this kind of attack?

Not necessarily. Digitally signed malware is a problem if publisher is in KSN.

Lots of users mistakenly think TAM is absolute anti-executable configuration - but it is not at default settings.

You have to make other settings tweaks - that cause problems for a lot of users.

Ask @harlan4096 about not trusting digitally signed files...
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Yes, I'm sure that TAM probably with a high % would block that... but TAM is disabled by default :)

I work everyday with TAM enabled in my working system (see signature My Config) and I have no issues at all with it :)

And yes, as I commented before in others threads in this forum, sometimes TAM will block new 1st run application in system, sometimes even those which are legal but still not whitelisted by Kaspersky, but just allowing it to run once is enough here.
 
Last edited:

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Best bet is to disable Trust Digitally Signed Applications and change unknown applications to Low Restricted (as a minimum) in Application Control :)
 
Last edited:
  • Like
Reactions: shukla44

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
if you disable the trusting of digital signatures, is that going to interfere with windows updates, and other automatic program updates?
 
  • Like
Reactions: shukla44
H

hjlbx

if you disable the trusting of digital signatures, is that going to interfere with windows updates, and other automatic program updates?

There have been instances on some systems where making this tweak results in all Trusted applications being moved to the Blocked group - even after restoring all the files back to the Trusted group.

It did so on my 64 bit system and @Tony Cole's as well.

I'm not sure if Kaspersky has done anything about it, but it has been reported repeatedly.

@harlan4096 is lucky since he has only seen it with one or two files.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
Not necessarily. Digitally signed malware is a problem if publisher is in KSN.

Lots of users mistakenly think TAM is absolute anti-executable configuration - but it is not at default settings.

You have to make other settings tweaks - that cause problems for a lot of users.

Ask @harlan4096 about not trusting digitally signed files...
So, signatures are still a problem with Kaspersky even with their database of trusted and untrusted certificates?

Why You Shouldn't Completely Trust Files Signed with Digital Certificates - Securelist
" 5. Use a trusted certificates database from a security software manufacturer.

  1. Some security software manufacturers, including Kaspersky Lab, include a database of trusted and untrusted certificates in their products; this database is updated on a regular basis along with the anti-virus databases. With this database, you will receive prompt updates about as-yet unrecalled certificates used to sign malware and/or potentially unwanted software. Files signed with untrusted certificates from this database require enhanced monitoring by the security product."
 
  • Like
Reactions: shukla44

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
I think it has nothing to be with "signatures" in general, and this is not only a problem of/for Kaspersky...
 
  • Like
Reactions: shukla44
H

hjlbx

So, signatures are still a problem with Kaspersky even with their database of trusted and untrusted certificates?

Why You Shouldn't Completely Trust Files Signed with Digital Certificates - Securelist
" 5. Use a trusted certificates database from a security software manufacturer.

  1. Some security software manufacturers, including Kaspersky Lab, include a database of trusted and untrusted certificates in their products; this database is updated on a regular basis along with the anti-virus databases. With this database, you will receive prompt updates about as-yet unrecalled certificates used to sign malware and/or potentially unwanted software. Files signed with untrusted certificates from this database require enhanced monitoring by the security product."

Despite KSN, there is still risk - particularly for PUPs\PUAs = riskware, scareware, etc. Some are digitally signed and allowed...
 

omidomi

Level 71
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,001
All Av have the same issue(risk of false detection), same as Emsisoft bb or avast or trend micro or symantec... :rolleyes:
but personaly i never see TAM bother me or my system(boot time or ram usage...or blocked my process)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I think I am going to turn off trust in SecureAPlus, rather than in Kaspersky, and see what happens.
 
  • Like
Reactions: shukla44

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Lots of user can't successfully combo Sandboxie
I am running KAV and Comodo free firewall on windows 10, and I discovered that I can run chrome in comodo sandbox. Not just in the Comodo Virtual Desktop, which is kind of limiting, but even as an isolated app. It seems to work pretty well.
This can be an alternative to Sandboxie, for Kaspersky users.

(The only thing I can't figure out is how to save downloaded files to the regular file system. If I compose a new message in gmail, running inside comodo sandbox, I can attach a file to it, from regular file system.
But if I download an attachment that I received, I can't figure out how to access it from regular file system. Workaround: click on the save to drive or save to dropbox button, in the gmail message.)

EDIT: all downloads are accessible from the regular file system, they are in C/VTRoot
 
Last edited:
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top