Kaspersky x64 bit Protection


harlan4096

I'm not sure, because the only tweak @CruelSister did to KIS2016 (if I remember well) was to change new unknown applications to High Restricted/Untrusted in "Application Control", with all the other settings at default...

There is an additional setting in Performance (on by default) that CS left at default, "Release resources to the operating system when the operating system starts", which I disabled to improve protection, but it seems it only affects/blocks network attempts during Windows boot...

But I don't even know whether it would pass the CS test with those stronger settings... I think KL developers took note of that attack, but we don't/can't know for now whether they have fixed it yet or will in the upcoming 2017.

Maybe with these stronger settings the sample CS ran before the reboot in the test would not have enough privileges to make changes to the system to get autorun during Windows boot, but this is just a speculative thought :D
 

hjlbx

> Do AppGuard and WinAntiRansom Plus work with Kaspersky? But after cruelsister's test, which shows that even Kaspersky can fail on droppers that cause system reboots, it should be sent to Kaspersky to fix the issues and not ignore them. But, hey, I'm sure Eugene really cares.

If you use AppGuard in Lock Down mode with Kaspersky, then you are covered.

I've never combo'd the two, but I would bet there won't be any unfixable issue.
 

shmu26

> I'm not sure, because the only tweak CruelSister did to KIS2016 (if I remember well) was to change new unknown applications to High Restricted/Untrusted in "Application Control", with all the other settings at default...
>
> There is an additional setting in Performance (on by default) that CS left at default, "Release resources to the operating system when the operating system starts", which I disabled to improve protection, but it seems it only affects/blocks network attempts during Windows boot...
>
> But I don't even know whether it would pass the CS test with those stronger settings... I think KL developers took note of that attack, but we don't/can't know for now whether they have fixed it yet or will in the upcoming 2017.
>
> Maybe with these stronger settings the sample CS ran before the reboot in the test would not have enough privileges to make changes to the system to get autorun during Windows boot, but this is just a speculative thought :D

Shouldn't TAM, even at its default settings, stop this kind of attack?
 

hjlbx

> Shouldn't TAM, even at its default settings, stop this kind of attack?

Not necessarily. Digitally signed malware is a problem if the publisher is in KSN.

Lots of users mistakenly think TAM is an absolute anti-executable configuration - but it is not at default settings.

You have to make other settings tweaks - which cause problems for a lot of users.

Ask @harlan4096 about not trusting digitally signed files...
 

harlan4096

Yes, I'm sure that TAM would probably block that with a high % of success... but TAM is disabled by default :)

I work every day with TAM enabled on my working system (see My Config in my signature) and I have no issues at all with it :)

And yes, as I commented before in other threads in this forum, sometimes TAM will block a new application on its first run in the system, sometimes even ones which are legal but still not whitelisted by Kaspersky, but just allowing it to run once is enough here.
 

harlan4096

Best bet is to disable Trust Digitally Signed Applications and change unknown applications to Low Restricted (as a minimum) in Application Control :)
 

shmu26

If you disable the trusting of digital signatures, is that going to interfere with Windows updates and other automatic program updates?
 

hjlbx

> If you disable the trusting of digital signatures, is that going to interfere with Windows updates and other automatic program updates?

There have been instances on some systems where making this tweak results in all Trusted applications being moved to the Blocked group - even after restoring all the files back to the Trusted group.

It did so on my 64 bit system and @Tony Cole's as well.

I'm not sure if Kaspersky has done anything about it, but it has been reported repeatedly.

@harlan4096 is lucky since he has only seen it with one or two files.
 

Azure

> Not necessarily. Digitally signed malware is a problem if the publisher is in KSN.
>
> Lots of users mistakenly think TAM is an absolute anti-executable configuration - but it is not at default settings.
>
> You have to make other settings tweaks - which cause problems for a lot of users.
>
> Ask @harlan4096 about not trusting digitally signed files...

So, signatures are still a problem with Kaspersky even with their database of trusted and untrusted certificates?

Why You Shouldn't Completely Trust Files Signed with Digital Certificates - Securelist
"5. Use a trusted certificates database from a security software manufacturer.

Some security software manufacturers, including Kaspersky Lab, include a database of trusted and untrusted certificates in their products; this database is updated on a regular basis along with the anti-virus databases. With this database, you will receive prompt updates about as-yet unrecalled certificates used to sign malware and/or potentially unwanted software. Files signed with untrusted certificates from this database require enhanced monitoring by the security product."
 

harlan4096

I think it has nothing to do with "signatures" in general, and this is not only a problem of/for Kaspersky...
 

hjlbx

> So, signatures are still a problem with Kaspersky even with their database of trusted and untrusted certificates?
>
> Why You Shouldn't Completely Trust Files Signed with Digital Certificates - Securelist
> "5. Use a trusted certificates database from a security software manufacturer.
>
> Some security software manufacturers, including Kaspersky Lab, include a database of trusted and untrusted certificates in their products; this database is updated on a regular basis along with the anti-virus databases. With this database, you will receive prompt updates about as-yet unrecalled certificates used to sign malware and/or potentially unwanted software. Files signed with untrusted certificates from this database require enhanced monitoring by the security product."

Despite KSN, there is still risk - particularly for PUPs\PUAs = riskware, scareware, etc. Some are digitally signed and allowed...
 

omidomi

All AVs have the same issue (risk of false detection), same as Emsisoft BB or Avast or Trend Micro or Symantec... :rolleyes:
But personally I have never seen TAM bother me or my system (boot time or RAM usage... or blocking my processes).
 

shmu26

I think I am going to turn off trust in SecureAPlus, rather than in Kaspersky, and see what happens.
 

shmu26

> Lots of users can't successfully combo Sandboxie

I am running KAV and Comodo free firewall on Windows 10, and I discovered that I can run Chrome in the Comodo sandbox. Not just in the Comodo Virtual Desktop, which is kind of limiting, but even as an isolated app. It seems to work pretty well.
This can be an alternative to Sandboxie for Kaspersky users.

(The only thing I can't figure out is how to save downloaded files to the regular file system. If I compose a new message in Gmail, running inside the Comodo sandbox, I can attach a file to it from the regular file system.
But if I download an attachment that I received, I can't figure out how to access it from the regular file system. Workaround: click on the Save to Drive or Save to Dropbox button in the Gmail message.)

EDIT: all downloads are accessible from the regular file system; they are in C:\VTRoot
 