Q&A Kaspersky's Application Control: what is it, how it works

RoboMan

Level 32
Verified
Content Creator
Jun 24, 2016
2,175
I'm pretty sure you have heard about Kaspersky being recommended. Here, by friends, on the internet. But... why?

To start with, Kaspersky is a very complete and powerful suite that includes several modules that together can outsmart pretty much most malware if correctly configured. This thread is about a specific module: Application Control. What is it? How does it work? How to set it up?

1. Why Kaspersky?
Kaspersky is definitely a market leader, with huge experience in the cybersecurity area and innovation, winning multiple awards and prizes for the great protection it can offer.

2. Why should I need to set it up?
Many people often moan about how weak antivirus is on default settings. And as a matter of fact this may be true with Kaspersky too. Many HUB testers have proved that on default Kaspersky can fail. But it would be a pity to leave such a monster the way it came.

3. What's the objective of this thread?
Learn what Application Control (AC) is, how it works, the engineering that designed it and how to use it.

4. Wow you're such a great person, why aren't you super admin co-owner godlike in this forum?
I once stole Jack's kitty and he never forgave me.

EXPLAINING APPLICATION CONTROL

Applications installed on the computer can use the operating system resources as well as your personal data. Kaspersky features the Application Control component, which controls access of applications to the operating system files and your personal data.
When an application tries to access the operating system or personal data, Application Control allows or blocks access to the resource according to the rules or prompts to select an action.
If Application Control blocks the work of an important application, you can adjust the rights for it.

I CAN'T FIND THIS MODULE ON KASPERSKY

Application Control is only available in the Internet Security version and beyond. It is not present in the Antivirus version.

HOW DOES IT DECIDE ABOUT FILES

Kaspersky divides all the applications installed on the computer into the following groups:
  • Trusted. Applications that meet at least one of these criteria:
    • This application has a trusted vendor's signature.
    • This application is listed in the Kaspersky Lab trusted applications database.
    These applications have no restrictions on their activity in the system.
  • Low Restricted. Applications that do not have a digital signature from a trusted vendor and are not listed in the Kaspersky Lab database of trusted applications.
    These applications have certain restrictions on accessing other processes, controlling the system, and accessing the network without user's consent. These applications will request permission for most actions from the user.
  • High Restricted. Applications that may pose a moderate threat: tools, adware, or auto-dialers.
    For most actions, these applications will require user's permission. Some actions are not allowed.
  • Untrusted. Malicious applications that pose a severe threat. This category includes applications that are blocked with File Anti-Virus.
    Application Control blocks all actions of these applications.
PROTECTED RESOURCES

Within this module, Kaspersky also protects:
  • System files and folders
  • Startup objects
  • User files and folders, including the My Documents folder
  • Cookie files
  • Data on your activity on the computer and the web
  • Registry files that contain settings and data from web browsers, file managers, mail clients, instant messengers, and payment system apps.
HOW TO CHANGE RESTRICTIONS FOR FILES
  1. In the main window of Kaspersky, click the gear button.
     If you have problems opening the application window, see this guide.
  2. Go to the Protection section in the Settings window and select Application Control.
  3. In the Application Control settings view, click the Manage applications link.
  4. In the Manage applications window, move the application to a different group: right-click the application, in the menu click Restrictions and select the category.
  5. Configure custom restrictions: select the application, right-click it and select Details and rules from the menu.
  6. Go to Application rules → Rights, select a category and set an action for it by clicking the icon on the right: Inherit, Allow, Deny, or Prompt for action.
  7. Click Save.

HOW TO SET IT UP SAFELY
1. Open Application Control module

2. Untick "trust digitally signed applications" and make sure it stays like the picture below.

3. Visualize our two main options: "Change trust group for unknown applications" and "change trust group for applications started before Kaspersky".
Select UNTRUSTED for unknown applications, so all strange applications/not signed are not able to be executed at all.

Select LOW RESTRICTED for all applications launched before Kaspersky

I EXECUTED A FILE AND I GOT ERRORS/DOESN'T LAUNCH

Whenever Application Control blocks an application, or moves it to the Untrusted Group or a restriction group, this means that most probably it will have no permissions to execute or elevate, hence why it gives random errors at launch. In order to execute it you will need to head to Kaspersky--Application Control module, and manually move it to the Trusted Group.
 

93803123

Application Control is a reputation-based software restriction policy.

To fully protect a system, Application Control must be customized.
 

rndmblk

Level 3
Nov 18, 2020
90
Thanks @RoboMan - I just followed this today on KIS 21.2

The screens look a little different but otherwise the instructions were all the same. One thing I did notice is 'Select trust group automatically' is no longer an option for Unknown applications. i.e. it only lets you select an option manually - probably a sensible change and not one that affects this setup.
 

rndmblk

I reinstalled KIS 21.3.10.391 today and configured it according to @RoboMan's guide. I thought I'd share the screenshots from this version which has very minor wording differences.

1. Under Settings, open Application Control

2. Untick ‘trust digitally signed applications’ (due to possibility of stolen/bad certs)

3. Set ‘Trust group for applications that could not be added to existing groups’ to Untrusted

4. Set ‘Trust group for applications started before startup of Kaspersky’ to Low Restricted
 

RoboMan

Isn't this basically the same as Avast/AVG's Hardened Mode, that is present in their free version?
Is Application Control also cloud based?
Kaspersky Application Control and Avast Hardened mode aim for the same concept, but work differently.

While Kaspersky relies on their Trusted Vendor List to determine whether a file will be executed or blocked, Avast (or AVG) relies on a Cloud White List.

How does it work?

Scenario #1

File 1.exe is executed on the local system.

KASPERSKY -- checks for a digital signature, if found and the user configured AC as "allow if digital signature exists", file will be allowed to execute; if not found file will be blocked; if found but user configured AC as "do not trust only because digital signature exists", Kaspersky will compare the signature with all Trusted Vendors Signatures, where if a coincidence exists file will be allowed, else it will be blocked.

AVAST -- MODERATE - blocks the file if it's detected as suspicious by an initial scan or a DeepScreen scan, else it will be allowed to execute, relies on the module to decide your fate.
AVAST -- AGGRESSIVE - consults the Cloud White List and looks for the file's hash, if the file itself isn't on the whitelist, execution is blocked (else it's allowed); this mode pretty much blocks everything, which may lead to lots of false positives but will also be incredibly secure (compromising usability)
 

Templarware

Level 5
Mar 13, 2021
249
Avast removed Moderate a while ago, Hardened Mode is only Aggressive now. I never had a false positive using it, their cloud is one of the biggest in the world, due to so many users. Windows Defender has more false positives, sometimes I miss Avast.
 

Evjl's Rain

Level 46
Verified
Trusted
Content Creator
Malware Hunter
Apr 18, 2016
3,550
Isn't this basically the same as Avast/AVG's Hardened Mode, that is present in their free version?
Is Application Control also cloud based?
The main difference is that Kaspersky supports many more extensions while Avast's HM only supports exe => Kaspersky is obviously safer but with much less usability
Kaspersky has many more issues with FPs, especially when there is no internet or the connection is unstable
Sometimes, we have to whitelist a number of files because they are blocked by app. control (game updates,...). Avast only blocks the exe so it's much easier to whitelist 1-2 files
By the way, I dislike app. control due to the work I have to do to interact with it + it's slower than using Kaspersky without app. control
Avast's HM doesn't interfere with my daily usage
 

RoboMan

Avast removed Moderate a while ago, Hardened Mode is only Aggressive now. I never had a false positive using it, their cloud is one of the biggest in the world, due to so many users. Windows Defender has more false positives, sometimes I miss Avast.
Interesting, I didn't know that! Thanks for the info!

As mentioned by @Evjl's Rain, Kaspersky with AC can get a bit unusable. I've made a couple of threads here in this forum because of that: some programs, like Blitz, still get their update executables blocked despite being manually whitelisted. Also, many programs that try to update will find themselves being blocked from doing such thing, sometimes because the parent executable that commands the operation is not signed. And it can get really painful when you automate application updating so you don't need to interact, but Kaspersky blocks many of them.
 

rndmblk

Do you tick "allow if file is signed" or something configuration? Like trust all signed files
<spy mode>
Stolen from @harlan4096's computer security config:

* Application Control Settings:
  • Trust Digitally Signed Application -> Disabled
  • Unknown Applications -> UnTrusted
  • Application Started Before KTS -> High Restricted
So the difference I spot is setting apps that start before KTS/KIS to high restricted

From the Application Control side of things harlan4096 is also using protected folders.
</spy mode>
 

Game Of Thrones

Level 5
Verified
Jun 5, 2014
215
I had many problems with this module in KTS, had to go back to Bitdefender. It blocked many of my laptop files (ASUS programs for the laptop) and caused some strange behaviors. If they improve it somehow it is a useful and sophisticated security module. Many strange dat files were restricted; most were coming from legitimate sources (asus and ...)
 

Guilhermesene

Level 2
Jun 1, 2019
84
@harlan4096 I like this method and use it on my pc whenever I install Kaspersky. Can you tell me how I can make it not block the programs that are developed by me? Let's say when I make some program in C++ or Python for example, whenever the program is compiled it blocks its execution (of course, it's the case of a different hash at each compilation), but how do I not block my .exe files that are generated on compilation? I know I can manually put it in the trusted group, but that's not very viable because every code change is a new build and a new hash, so it's locked again. Thanks 😉
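
Added example, not part of any forum post and not Kaspersky's or Avast's code: a simplified Python model of the decision flow described in this thread (trusted-vendor check versus cloud hash whitelist), run on constructed files, including the rebuilt-binary case from the last post. It assumes manual trust is keyed by file hash, as that post suggests; the vendor names, file contents and the `permissive` settings are constructed.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Policy:
    trust_signed: bool     # the "Trust digitally signed applications" checkbox
    unknown_group: str     # trust group assigned to unknown applications
    trusted_vendors: set = field(default_factory=set)  # stand-in for the trusted vendor list
    manual_trusted: set = field(default_factory=set)   # hashes moved to Trusted by hand (assumed hash-keyed)

def kaspersky_group(policy: Policy, data: bytes, signer=None) -> str:
    """Simplified model of the Application Control flow described in the thread."""
    if sha256(data) in policy.manual_trusted:
        return "Trusted"
    if signer and (policy.trust_signed or signer in policy.trusted_vendors):
        return "Trusted"
    return policy.unknown_group

def avast_aggressive_allows(cloud_whitelist: set, data: bytes) -> bool:
    """Hardened Mode (Aggressive) as described: allow only whitelisted hashes."""
    return sha256(data) in cloud_whitelist

def demo() -> dict:
    # All file contents, vendor names and list entries below are constructed.
    permissive = Policy(trust_signed=True, unknown_group="Low Restricted",
                        trusted_vendors={"Known Vendor Inc"})
    hardened = Policy(trust_signed=False, unknown_group="Untrusted",
                      trusted_vendors={"Known Vendor Inc"})
    signed_unknown = b"binary signed with some other certificate"
    build_v1 = b"my tool, build 1"
    build_v2 = b"my tool, build 2"   # same project, recompiled: new hash
    out = {
        "permissive_signed_unknown": kaspersky_group(permissive, signed_unknown, "Other Cert LLC"),
        "hardened_signed_unknown": kaspersky_group(hardened, signed_unknown, "Other Cert LLC"),
        "hardened_known_vendor": kaspersky_group(hardened, b"vendor app", "Known Vendor Inc"),
        "hardened_build_v1": kaspersky_group(hardened, build_v1),
    }
    hardened.manual_trusted.add(sha256(build_v1))   # user moves build 1 to Trusted
    out["build_v1_after_manual_trust"] = kaspersky_group(hardened, build_v1)
    out["build_v2_after_rebuild"] = kaspersky_group(hardened, build_v2)
    out["avast_build_v2"] = avast_aggressive_allows({sha256(b"popular app")}, build_v2)
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30} {result}")
```

In this model, unticking the signature checkbox is what stops a file signed with an arbitrary certificate from landing in Trusted, and a per-hash exception does not carry over to the next build of the same program.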
 