New Update Prevention-First Kaspersky

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,727
Welcome to this guide on how to put Kaspersky in high performance, Prevention-First mode.
In this guide we will discuss:
  • What's Prevention-First Approach
  • How this approach differs from containment
  • Why it is recommended
  • How to enable it with Kaspersky
  • What's the performance impact of Kaspersky when using this mode
In addition to the forum rules that apply to each topic, I would kindly ask members not to engage in discussions related to speculations, geographical region/5,9,14 eyes and other topics not related to the technical specifications of Kaspersky.
If such comments are posted, I am kindly asking readers not to engage in any way (liking, quoting, replying). This thread must be purely technical.
Other products and technologies must be discussed only in relation to Kaspersky's protection abilities or performance impact.
No company, product, approach or defence can block 100% of all attacks at all times.
This guide contains tips related to system hardening. System hardening may in some situations cause issues. System hardening is to be deployed and managed by people who know how to react when problems arise.
This guide is not in any way incentivised by Kaspersky.
Performance impact is measured on a system with 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz 2.42 GHz, 16 GB DDR4 RAM, Average Samsung NVME SSD with read speed of 560MB. On other systems different metrics may be observed.
Some comments and views will be supported by evidence, for others, evidence may not be provided. You are responsible for Googling and double-checking any statements you believe may be false or inaccurate.
If certain setting groups are not mentioned in this guide, it means there is nothing to modify or mention there.
Cybersecurity is centred around the CIA triad - confidentiality, integrity and availability of information. Confidentiality manages who can access information. Integrity manages who can modify it. Availability ensures that information can be accessed when needed.
Any attempt that goes against the CIA triad is a threat and there are various technologies aimed at blocking threats.
Some of them are oriented towards identification of malicious code - antivirus scanning, behavioural blocking, machine learning, heuristics, generic detection and many others.
Another set of technologies such as sandboxing and default-deny are oriented towards prevention of dangerous actions, without anything in particular (such as ransomware) having been identified.
This guide is centred around permissions management and default-deny.
Whilst sandboxing is oriented towards virtualising resources (creating fake copies of operating system, hardware and files), Host-Based Intrusion Prevention systems such as Kaspersky Intrusion Prevention manage permissions to access, modify and delete real resources. This approach is lighter on performance and doesn't compromise security severely.
The end goal of mitigating damage from unknown, undetected malicious code is still maintained.
With so many criminals working non-stop to evade detection, methods oriented towards identification of code can't keep up and can't cover all threats at all times. Attackers can easily obtain copies of pretty much any security product and via trial and error can discover a vector that is poorly covered. Even methods such as cloud detonation have multiple evasion methods.
More information can be found on the CheckPoint Cloud Detonation Evasion Page. The majority of technologies and even gateways can be "fooled" just by putting a file in a password-protected archive.
Now we'll discuss how to decrease Kaspersky's standard antivirus and other non-core activities whilst boosting its prevention abilities.

First, we'll decrease the impact of standard antivirus. In this approach, we need antivirus only to detect known threats.
To do that, we will apply the following settings to standard antivirus:
We are enabling scan by extension and turning off heuristics. This removes the performance impact of the parser that must be used to detect the true file type and the emulator that will run instructions in a virtual environment.
Екранна снимка (33).png


Screenshot (25).png

We will configure scan only on-access as well.


Екранна снимка (34).png

Making sure scanning of office formats is enabled.
Under web antivirus, we will disable heuristics analysis as well.
Екранна снимка (36).png

We'll still leave antiphishing heuristics on though. These should detect attempts to impersonate companies/brands by checking the text for spelling mistakes, checking the logos and other logic. The prevention of damage from malicious code does not apply to phishing attacks and they continue being a problem.

A little bit further down the Safe browsing settings, we'll disable this:
Screenshot (14).png
Nothing to modify here but:
It is important to note that the default PowerShell 5.1 built-in to Windows 11 could be downgraded to a less secure version 2 that offers decreased scanning.
In the process of bypassing AMSI, attackers frequently call PowerShell 1.
Further on in the guide, we'll block the execution of PowerShell completely and will also prevent unknown code from launching child processes (they can easily drop portable powershell and launch an attack).

Installing the latest PowerShell can be performed via this command:
winget install --id Microsoft.Powershell --source winget
Users not in a need of executing complicated scripts (which is probably above 90%) can skip updating PowerShell.
We are turning this off, it is non-core module.
We are turning off the scanning of encrypted connections. I initially thought about turning off the injection of scripts, but it did not make any difference in terms of impact.

Screenshot (11).png
We are turning off a few things here as they diverge from the core protection.
Screenshot (12).png

Screenshot (13).png
This is not needed, we will disable everything there.
This is not needed, we will disable it.
To reiterate again, this is Host-Based Intrusion Prevention or smart HIPS. It is not network-based intrusion prevention that inspects traffic for signs of bots, exploits, lateral movement and others. Kaspersky blocks connection to infected hosts via other components.

Intrusion Prevention assigns trust to every object (script, program) individually and does not suffer issues where trust is assigned to the script interpreter, and all scripts can do whatever they decide.
For example, 5 *.bat files and 5 *.vbs scripts will have individual trust levels, based on the reputation Kaspersky has assigned to them. I tried many different Intrusion Prevention settings but a lot of them generated a sheer number of alerts & events. The two quietest and most acceptable setups are displayed below:

Complete default-deny:
Screenshot (15).png

In this setup, it is impossible to execute code that has not undergone prior checks.

High-Restricted:
Screenshot (16).png

In this setup, code that has not undergone prior checks will be severely restricted.

Notice in both setups, I have unchecked "Trust digitally signed applications".
This will prevent code signing abuse.
For more information on signed malware, I recommend looking here:

Moving on, we will protect browser passwords and more crucially, session cookies from being accessed by anything else, apart from the browser itself.
For example, only Edge will have access to the Edge data folder.
To do this, we'll create a subgroup of trusted (under manage applications)
Screenshot (17).png


Under this group, we'll add the following:
Screenshot (19).png


Next, under resources, we add the Edge repository located at:
C:\Users\<AccountName>\AppData\Local\Microsoft\Edge\User Data
Screenshot (20).png

As shown above, we allow access to this directory for the Edge executables and block access by anything else, even if it is trusted.
This may prevent cleaners from accessing/deleting history and cookies. I advise against the usage of such software, browsers have cleaning abilities built-in.
Frequently, the space cleaned by such apps is less than the space they occupied and the data cleaned will be regenerated in a matter of hours.

Similar steps can be taken for all apps that hold sensitive information (other browsers, password managers, crypto wallets).

We will then make sure important files are safe from ransomware.
Under resources, we'll add folders containing sensitive information.
Screenshot (22).png

We'll make sure High Restricted apps and scripts don't have access to read or modify.
If they can't modify, they can't encrypt them either.

But what if an app/script performs code injection in a trusted process? We can block that too. Under Manage Applications, we can modify the rules:
Screenshot (23).png


I highly recommend that in the same window, starting processes is disabled as well.

Next, we'll block execution of PowerShell 1.0 and Java. Java Runtime Environment must be installed prior to that.
For users who may wish to use some Java apps, various restrictions, such as disabling connection to the internet can be implemented.
1682259135158.png

Under Untrusted, we'll add
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe"
This setup will need to be monitored for errors. As mentioned above, a less error-prone setting will be to just block the connection (which won't prevent droppers). To prevent droppers as well, I suggest that starting processes, code injection and modification of startup settings all be blocked for these apps.
Watch the videos to see the performance impact and see a test of a few cases handled by Intrusion Prevention.





I ran GeekBench 6 with Kaspersky enabled and disabled.

These are the results:
Screenshot (1).png

Enabled

Screenshot (2).png

Disabled
 

Jonny Quest

Level 16
Verified
Top Poster
Well-known
Mar 2, 2023
788
I absolutely agree with your spoiler disclaimer. In my just scrolling through your amazing work, and checking out the impact video on browsing, I was impressed with the speed of the webpage links and loading. I will sit with my laptop on this page and go step by step on my desktop PC and configure it as you have, and run some benchmarks pre-tweaking and post.

Let alone I need to read all of your insightful descriptions and links. This is almost an IT study... do you give out continuing education IT credits? :) Well done, Trident.
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,727
I absolutely agree with your spoiler disclaimer. In my just scrolling through your amazing work, and checking out the impact video on browsing, I was impressed with the speed of the webpage links and loading. I will sit with my laptop on this page and go step by step on my desktop PC and configure it as you have, and run some benchmarks pre-tweaking and post.

Let alone I need to read all of your insightful descriptions and links. This is almost an IT study... do you give out continuing education IT credits? :) Well done, Trident.
Performance impact in this setup is very low indeed and pages open instantly. In addition to that, to reduce impact on app launch, I advise users to turn the SmartScreen filter off - this is provided by Kaspersky and there is no need for 2 guys to do the same.

Exploit prevention will be provided by Kaspersky System Watcher, but I advise users to add media players (such as VLC) as well as archiving utilities to the Low Restricted group to reduce damage if they are being exploited. In addition, if PDF readers like Adobe Acrobat Reader are installed, users can disable code injection and startup settings creation for them. This way, in the event of an exploit, they won't be able to do much.

You may be certified by Trident Academy :D:p
 

brambedkar59

Level 29
Verified
Top Poster
Well-known
Apr 16, 2017
1,875
It is important to note that the default PowerShell 1.0 built-in even to Windows 11 does not support AMSI scanning (requires at least PowerShell 2.0).

MS says PS 5.1 is installed by default in Win 11


1682271724666.png
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,727
MS says PS 5.1 is installed by default in Win 11

It’s very controversial that one. Under add/remove features, it is listed as PowerShell 2.0 on Windows 11 and the folder says 1.0. Security companies talk about bypasses by calling PowerShell 1.0. Regardless of the version, disabling it is an official recommendation by companies like Sophos and it breaks the chain of a vast number of attacks.


Look under “Downgrade Attacks”.
 

brambedkar59

Level 29
Verified
Top Poster
Well-known
Apr 16, 2017
1,875
It’s very controversial that one. Under add/remove features, it is listed as PowerShell 2.0 on Windows 11 and the folder says 1.0. Security companies talk about bypasses by calling PowerShell 1.0. Regardless of the version, disabling it is an official recommendation by companies like Sophos and it breaks the chain of a vast number of attacks.


Look under “Downgrade Attacks”.
I am not seeing "Powershell 1.0" in optional features only 2.0.
1682272120388.png

Edit: PM sent, don't wanna clutter the main thread.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
It is important to note that the default PowerShell 1.0 built-in even to Windows 11 does not support AMSI scanning (requires at least PowerShell 2.0).
In the process of bypassing AMSI, attackers frequently call PowerShell 1.
Further on in the guide, we'll block the execution of PowerShell 1.0 and will also prevent unknown code from launching child processes (they can easily drop portable powershell 1.0 and launch an attack).

It is not PowerShell ver. 1.0.
From Windows 7, all preinstalled versions of PowerShell (ver 3.0 and higher) are by default in the same folder:
c:\Windows\System32\WindowsPowerShell\v1.0\
PowerShell 1.0 and 2.0 could be installed on Windows Vista. Windows 7 has got preinstalled PowerShell 3.0. Windows 10 and 11 have got preinstalled PowerShell ver. 5.1. One can manually install higher versions (up to ver. 7.4).
 
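The version confusion discussed above (a folder named v1.0 that hosts PowerShell 5.1, and a separately installable 2.0 engine) and the guide's PowerShell section are easy to check on one's own machine. The following PowerShell audit script is an added example, not part of the thread or of any Kaspersky material: it reports the engine version actually running from the v1.0 folder, whether the legacy 2.0 engine and the .NET Framework 3.5 it depends on are still installed, and which AMSI providers are registered, and on request disables the 2.0 engine. The optional feature names and registry paths are the standard Windows ones; the -Remove switch is this script's own.

```powershell
<#
  Added example, not from the thread: audit the PowerShell engines on a
  Windows 10/11 host and, on request, disable the legacy 2.0 engine.
  Run from an elevated Windows PowerShell 5.1 or PowerShell 7 session
  (Get-/Disable-WindowsOptionalFeature require administrator rights).
  The -Remove switch is this script's own; feature names and registry
  paths are the standard Windows ones.
#>
param([switch]$Remove)

# 1. The engine actually running: $PSVersionTable reports the real version
#    even though the host binary lives in a folder named "v1.0".
$hostPath = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$fileVer  = (Get-Item $hostPath).VersionInfo.FileVersion
Write-Host "Running engine       : $($PSVersionTable.PSVersion)"
Write-Host "Host binary          : $hostPath (file version $fileVer)"

# 2. Is the PowerShell 2.0 engine still installed as an optional feature?
#    "Disabled" (or absent) is the hardened state.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
$v2State = if ($v2) { $v2.State } else { 'NotPresent' }
Write-Host "PowerShell 2.0 engine: $v2State"

# 3. The 2.0 engine needs the .NET Framework 3.5 feature (CLR 2.0); without
#    it the engine cannot start even if the feature above is enabled.
$net35 = Get-WindowsOptionalFeature -Online -FeatureName NetFx3 -ErrorAction SilentlyContinue
$net35State = if ($net35) { $net35.State } else { 'NotPresent' }
Write-Host ".NET Framework 3.5   : $net35State"

# 4. Which AMSI providers are registered? A scanner such as Kaspersky
#    registers one here; an empty list means script content is not scanned.
$providerKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
$providers = Get-ChildItem $providerKey -ErrorAction SilentlyContinue
if (-not $providers) { Write-Host "AMSI providers       : none registered" }
foreach ($p in $providers) {
    $clsid = $p.PSChildName
    $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
    Write-Host "AMSI provider        : $clsid $name"
}

# 5. Remediation: remove the 2.0 engine so that a downgrade is not possible.
if ($Remove -and $v2State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    Write-Host "Legacy 2.0 engine disabled; a restart may be required."
}
```

Run the script without parameters to get the report, and with -Remove to disable the 2.0 engine. This complements the Kaspersky rule in the guide rather than replacing it: the guide's Untrusted rule acts on the host binary whichever engine it loads, while removing the 2.0 feature takes the downgrade path away regardless of which security product is installed.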

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,727
It is not PowerShell ver. 1.0.
From Windows 7, all preinstalled versions of PowerShell (ver 3.0 and higher) are by default in the same folder:
c:\Windows\System32\WindowsPowerShell\v1.0\
PowerShell 1.0 and 2.0 could be installed on Windows Vista. Windows 7 has got preinstalled PowerShell 3.0. Windows 10 and 11 have got preinstalled PowerShell ver. 5.1. One can manually install higher versions (up to ver. 7.4).
Yeah, I read this more carefully:

It is PowerShell 2 that can be downgraded to and that offers less robust AMSI scanning features. I’ve updated the post accordingly. I saw a stealer that dropped portable PowerShell (I can still find it). I didn’t check the properties of the file, but I am assuming it is a version that offers decreased AMSI capabilities.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
It is PowerShell 2 that can be downgraded to and that offers less robust AMSI scanning features.
I am not sure if this is true (but I did not investigate this topic). A typical downgrade attack is not related to AMSI, but avoids some security features like: Script Block Logging, Constrained Language Mode, Block Script Execution (by policy), etc.
A downgrade attack on Windows 10+ is hardly possible (requires installing .NET Framework 2.0).
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,727
I'm thinking, can we apply this approach with Norton, or is it specific to Kaspersky?
We can not, Norton manages reputation of apps but doesn’t assign individual trust levels to different scripts. It will trust the interpreter and will allow it to do many things that are not against Symantec Behavioural Policy Enforcement or described as a threat via behavioural profile. In addition, Norton sadly offers no implementation of HIPS.
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,727
I am not sure if this is true (but I did not investigate this topic). A typical downgrade attack is not related to AMSI, but avoids some security features like: Script Block Logging, Constrained Language Mode, Block Script Execution (by policy), etc.
A downgrade attack on Windows 10+ is hardly possible (requires installing .NET Framework 2.0).
The topics surrounding PowerShell are always very controversial. 😒
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,727
It is worth mentioning, that a similar idea of the Kaspersky preventive setup was presented a few years ago by @harlan4096 .
Yeah, I doubt I’ve re-discovered the hot water there. My idea is to put Kaspersky more in reputation mode similar to Webroot, whilst adding a hint of Comodo there, without the risk of running outdated software and “look-at-my-hobby” projects. The setup prevents damage from RATs and ransomware as a last instance, for example, where a supply chain attack may have been present.
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,727
Just first skimming this thread, have not read the contents yet, sounding very good! I have Kaspersky Standard on one Win10, and Kaspersky Free on another, do the same tweaks apply to both??
Intrusion Prevention is absent from the free version I believe, let @harlan4096 confirm though.
The whole setup revolves around the idea that Intrusion Prevention alone can prevent damage from malware.
 

Decopi

Level 6
Verified
Oct 29, 2017
252
@Trident, amazing job... thank you!
You positively way exceeded my expectations.

Unfortunately I'm testing the free version, so "Intrusion Prevention" and other layers are absent for me.
Yeah, I understand the concept you developed regarding Intrusion Prevention (alone can prevent damage from malware, enormous benefits etc). But as I said, at the present moment for me Kaspersky is a test. So I'll keep testing the free version for several weeks, and let's see how it behaves.
The free version may not have Intrusion Prevention and other important settings, but it has a lot of the settings you tweaked. So, for my test it will be enough; it'll give me an idea about how nowadays Kaspersky protection and hardware performance behave.

At first glance, and as usual, my tweaked Kaspersky-free RAM consumption is ±10 times bigger than Comodo or WV. This is not going to be a problem if RAM consumption stays at the current level.
I'll take several days to watch CPU, disk writes etc.

Thank you again!
 
