Prevention-First Kaspersky
<blockquote data-quote="Trident" data-source="post: 1036985" data-attributes="member: 99014">
<p>Welcome to this guide on how to put Kaspersky in high-performance, Prevention-First mode.</p>
<p>In this guide we will discuss:</p>
<ul> <li data-xf-list-type="ul">What's the Prevention-First approach</li> <li data-xf-list-type="ul">How this approach differs from containment</li> <li data-xf-list-type="ul">Why it is recommended</li> <li data-xf-list-type="ul">How to enable it with Kaspersky</li> <li data-xf-list-type="ul">What's the performance impact of Kaspersky when using this mode</li> </ul>
<p>[SPOILER="Disclaimer"]In addition to the forum rules that apply to each topic, I would kindly ask members not to engage in discussions related to speculation, geographical region/5, 9, 14 Eyes and other topics not related to the technical specifications of Kaspersky.</p>
<p>If such comments are posted, I am kindly asking readers not to engage in any way (liking, quoting, replying). This thread must be purely technical.</p>
<p>Other products and technologies must be discussed only in relation to Kaspersky's protection abilities or performance impact.</p>
<p>No company, product, approach or defence can block 100% of all attacks at all times.</p>
<p>This guide contains tips related to system hardening. System hardening may in some situations cause issues. System hardening is to be deployed and managed by people who know how to react when problems arise.</p>
<p>This guide is not in any way incentivised by Kaspersky.</p>
<p>Performance impact is measured on a system with an 11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz 2.42 GHz, 16 GB DDR4 RAM and an average Samsung NVMe SSD with a read speed of 560MB. On other systems different metrics may be observed.</p>
<p>Some comments and views will be supported by evidence; for others, evidence may not be provided. You are responsible for Googling and double-checking any statements you believe may be false or inaccurate.</p>
<p>If certain setting groups are not mentioned in this guide, it means there is nothing to modify or mention there.[/SPOILER]</p>
<p>[SPOILER="Abstract & What's prevention-first approach"]</p>
<p>Cybersecurity is centred around the CIA triad: confidentiality, integrity and availability of information. Confidentiality manages who can access information. Integrity manages who can modify it. Availability ensures that information can be accessed when needed.</p>
<p>Any attempt that goes against the CIA triad is a <strong>threat</strong>, and there are various technologies aimed at blocking threats.</p>
<p>Some of them are oriented towards identification of malicious code: antivirus scanning, behavioural blocking, machine learning, heuristics, generic detection and many others.</p>
<p>Another set of technologies, such as sandboxing and default-deny, are oriented towards prevention of dangerous actions, without anything in particular (such as ransomware) having been identified.</p>
<p>This guide is centred around permissions management and default-deny.[/SPOILER]</p>
<p>[SPOILER="How this approach differs from containment"]</p>
<p>Whilst sandboxing is oriented towards virtualising resources (creating fake copies of the operating system, hardware and files), Host-Based Intrusion Prevention systems such as Kaspersky Intrusion Prevention manage permissions to access, modify and delete real resources. This approach is lighter on performance and doesn't compromise security severely.</p>
<p>The end goal of mitigating damage from unknown, undetected malicious code is still maintained.</p>
<p>[/SPOILER]</p>
<p>[SPOILER="Why is prevention-first recommended"]</p>
<p>With so many criminals working non-stop to evade detection, methods oriented towards identification of code can't keep up and can't cover all threats at all times. Attackers can easily obtain copies of pretty much any security product and via trial and error can discover a vector that is poorly covered. Even methods such as cloud detonation have multiple evasion methods.</p>
<p>More information can be found on the <a href="https://evasions.checkpoint.com/" target="_blank">CheckPoint Cloud Detonation Evasion Page</a>. The majority of technologies and even gateways can be "fooled" just by putting a file in a password-protected archive.</p>
<p>[/SPOILER]</p>
<p>[SPOILER="How to make Kaspersky prevention-first"]</p>
<p>Now we'll discuss how to decrease Kaspersky's standard antivirus and other non-core activities whilst boosting its prevention abilities.</p>
<p>First, we'll decrease the impact of standard antivirus. In this approach, we need antivirus only to detect known threats.</p>
<p>To do that, we will apply the following settings to standard antivirus:</p>
<p>[SPOILER="File Antivirus Settings"]</p>
<p>We are enabling scan by extension and turning off heuristics. This removes the performance impact of the parser that must be used to detect the true file type and of the emulator that will run instructions in a virtual environment.</p>
<p>[ATTACH=full]274792[/ATTACH]</p>
<p>[ATTACH=full]274808[/ATTACH]</p>
<p>We will configure scan only on-access as well.</p>
<p>[ATTACH=full]274793[/ATTACH]</p>
<p>Making sure scanning of office formats is enabled.</p>
<p>[/SPOILER]</p>
<p>[SPOILER="Safe browsing settings"]</p>
<p>Under web antivirus, we will disable heuristic analysis as well.</p>
<p>[ATTACH=full]274794[/ATTACH]</p>
<p>We'll still leave anti-phishing heuristics on, though. These should detect attempts to impersonate companies/brands by checking the text for spelling mistakes, checking the logos and other logic. The prevention of damage from malicious code does not apply to phishing attacks, and they continue being a problem.</p>
<p>A little bit further down the Safe browsing settings, we'll disable this:</p>
<p>[ATTACH=full]274798[/ATTACH]</p>
<p>[/SPOILER]</p>
<p>[SPOILER="AMSI Protection Settings"]</p>
<p>Nothing to modify here, but:</p>
<p>It is important to note that the default PowerShell 5.1 built into Windows 11 could be downgraded to a less secure version 2 that offers decreased scanning.</p>
<p><a href="https://www.trendmicro.com/en_gb/research/22/l/detecting-windows-amsi-bypass-techniques.html" target="_blank">In the process of bypassing AMSI, attackers frequently call PowerShell 1</a>.</p>
<p>Further on in the guide, we'll block the execution of PowerShell completely and will also prevent unknown code from launching child processes (they can easily drop portable PowerShell and launch an attack).</p>
<p>Installing the latest PowerShell can be performed via this command:</p>
<p></p>
<p>Users not in need of executing complicated scripts (which is probably above 90%) can skip updating PowerShell.</p>
<p>[/SPOILER]</p>
<p>[SPOILER="Weak System Scan settings"]</p>
<p>We are turning this off; it is a non-core module.</p>
<p>[/SPOILER]</p>
<p>[SPOILER="Network settings"]</p>
<p>We are turning off the scanning of encrypted connections. I initially thought about turning off the injection of scripts, but it did not make any difference in terms of impact.</p>
<p>[ATTACH=full]274795[/ATTACH]</p>
<p>[/SPOILER]</p>
<p>[SPOILER="Performance settings"]</p>
<p>We are turning off a few things here as they diverge from the core protection.</p>
<p>[ATTACH=full]274796[/ATTACH]</p>
<p>[ATTACH=full]274797[/ATTACH]</p>
<p>[/SPOILER]</p>
<p>[SPOILER="Privacy-> Secure Data Input"]</p>
<p>This is not needed; we will disable everything there.</p>
<p>[/SPOILER]</p>
<p>[SPOILER="Privacy->Application Manager"]</p>
<p>This is not needed; we will disable it.</p>
<p>[/SPOILER]</p>
<p>[SPOILER="Intrusion Prevention (Previously known as Application Control)"]</p>
<p>To reiterate again, this is Host-Based Intrusion Prevention, or smart HIPS. It is not network-based intrusion prevention that inspects traffic for signs of bots, exploits, lateral movement and others. Kaspersky blocks connections to infected hosts via other components.</p>
<p>Intrusion Prevention assigns trust to every object (script, program) individually and does not suffer from issues where trust is assigned to the script interpreter, and all scripts can do whatever they decide.</p>
<p>For example, 5 *.bat files and 5 *.vbs scripts will have individual trust levels, based on the reputation Kaspersky has assigned to them. I tried many different Intrusion Prevention settings, but a lot of them generated a large number of alerts &amp; events. The two quietest and most acceptable setups are displayed below:</p>
<p>Complete default-deny:</p>
<p>[ATTACH=full]274799[/ATTACH]</p>
<p>In this setup, it is impossible to execute code that has not undergone prior checks.</p>
<p>High-Restricted:</p>
<p>[ATTACH=full]274800[/ATTACH]</p>
<p>In this setup, code that has not undergone prior checks will be severely restricted.</p>
<p>Notice that in both setups, I have unchecked "Trust digitally signed applications".</p>
<p>This will prevent code signing abuse.</p>
<p>For more information on signed malware, I recommend looking here:</p>
<p>[URL unfurl="true"]https://www.trendmicro.com/en_us/research/18/d/understanding-code-signing-abuse-in-malware-campaigns.html[/URL]</p>
<p>Moving on, we will protect browser passwords and, more crucially, session cookies from being accessed by anything else apart from the browser itself.</p>
<p>For example, only Edge will have access to the Edge data folder.</p>
<p>To do this, we'll create a subgroup of Trusted (under Manage applications):</p>
<p>[ATTACH=full]274802[/ATTACH]</p>
<p>Under this group, we'll add the following:</p>
<p>[ATTACH=full]274803[/ATTACH]</p>
<p>Next, we go under Resources to add the Edge repository located at:</p>
<p></p>
<p>[ATTACH=full]274804[/ATTACH]</p>
<p>As shown above, we allow access to this directory for the Edge executables and block access by anything else, even if it is trusted.</p>
<p>This may prevent cleaners from accessing/deleting history and cookies. I advise against the usage of such software; browsers have cleaning abilities built in.</p>
<p>Frequently, the space cleaned by such apps is less than the space they occupy, and the data cleaned will be regenerated in a matter of hours.</p>
<p>Similar steps can be taken for all apps that hold sensitive information (other browsers, password managers, crypto wallets).</p>
<p>We will then make sure important files are safe from ransomware.</p>
<p>Under Resources, we'll add folders containing sensitive information.</p>
<p>[ATTACH=full]274805[/ATTACH]</p>
<p>We'll make sure High Restricted apps and scripts don't have access to read or modify.</p>
<p>If they can't modify, they can't encrypt them either.</p>
<p>But what if an app/script performs code injection into a trusted process? We can block that too. Under Manage applications, we can modify the rules:</p>
<p>[ATTACH=full]274806[/ATTACH]</p>
<p>I highly recommend that in the same window, <strong>starting processes</strong> is disabled as well.</p>
<p>Next, we'll block execution of PowerShell 1.0 and Java. Java Runtime Environment must be installed prior to that.</p>
<p>For users who may wish to use some Java apps, various restrictions, such as disabling connection to the internet, can be implemented.</p>
<p>[ATTACH=full]274807[/ATTACH]</p>
<p>Under Untrusted, we'll add:</p>
<p></p>
<p>This setup will need to be monitored for errors. As mentioned above, a less error-prone setting will be to just block the connection (which won't prevent droppers). To prevent droppers as well, I suggest that starting processes, code injection and modification of startup settings are all blocked for these apps.</p>
<p>[/SPOILER]</p>
<p>[SPOILER="Impact and Test"]</p>
<p>Watch the videos to see the performance impact and see a test of a few cases handled by Intrusion Prevention.</p>
<p>[MEDIA=youtube]kt11yYeJWhg[/MEDIA]</p>
<p>[MEDIA=youtube]Md-Axo55Ve4[/MEDIA]</p>
<p>[MEDIA=youtube]Y4z5tMKWlSc[/MEDIA]</p>
<p>[MEDIA=youtube]s9WjfRHVM-Q[/MEDIA]</p>
<p>I ran GeekBench 6 with Kaspersky enabled and disabled.</p>
<p>These are the results:</p>
<p>[ATTACH=full]274809[/ATTACH]</p>
<p>Enabled</p>
<p>[ATTACH=full]274810[/ATTACH]</p>
<p>Disabled</p>
<p>[/SPOILER]</p>
<p>[/SPOILER]</p>
</blockquote>
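The AMSI section of the post above warns that Windows PowerShell 5.1 can be downgraded to the version 2 engine, which predates AMSI and is therefore not scanned. The script below is an added example, not code from Trident's post or from Kaspersky: it checks whether that downgrade actually works on the machine (both by asking DISM about the optional feature and by trying to start a v2 engine the way an attacker would) and provides a function to remove the engine. Assumptions: Windows 10/11 with the DISM cmdlets available; the feature names `MicrosoftWindowsPowerShellV2` and `MicrosoftWindowsPowerShellV2Root` are the documented optional-feature names; run it elevated for the DISM query and the removal.

```powershell
# Added example (not from the original post): audit and remove the PowerShell 2.0
# engine downgrade path. Assumes Windows 10/11 with Windows PowerShell 5.1.

function Test-PowerShellV2Downgrade {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        RunningEngine  = $PSVersionTable.PSVersion.ToString()
        V2FeatureState = 'Unknown (run elevated to query DISM)'
        DowngradeWorks = $false
        Detail         = ''
    }

    # 1. Ask DISM whether the optional feature carrying the v2 engine is present.
    #    Get-WindowsOptionalFeature needs elevation; catch the failure instead of dying.
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -ErrorAction Stop
        $result.V2FeatureState = $feature.State.ToString()
    } catch {
        $result.Detail = "DISM query failed: $($_.Exception.Message)"
    }

    # 2. Empirical probe: try to start a v2 engine exactly as an attacker would.
    #    A usable downgrade prints "2"; a missing engine prints an error about .NET 2.0.
    $psExe  = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    $output = & $psExe -Version 2 -NoProfile -NonInteractive -Command '$PSVersionTable.PSVersion.Major' 2>&1
    $text   = ($output | Out-String).Trim()
    $result.DowngradeWorks = ($text -eq '2')
    if (-not $result.DowngradeWorks -and -not $result.Detail) { $result.Detail = $text }

    [pscustomobject]$result
}

function Disable-PowerShellV2Engine {
    # Removes the child feature first, then the root feature. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in 'MicrosoftWindowsPowerShellV2', 'MicrosoftWindowsPowerShellV2Root') {
        if ($PSCmdlet.ShouldProcess($name, 'Disable-WindowsOptionalFeature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart -ErrorAction Stop | Out-Null
        }
    }
}

$audit = Test-PowerShellV2Downgrade
$audit | Format-List

if ($audit.DowngradeWorks) {
    Write-Warning 'The PowerShell 2.0 engine is usable: scripts started with -Version 2 are not scanned by AMSI.'
    Write-Warning 'Remove it with: Disable-PowerShellV2Engine   (elevated; add -WhatIf to preview)'
}
```

The empirical probe is the part worth keeping even if you cannot run elevated: a machine where `powershell.exe -Version 2` prints `2` still has the downgrade path, whatever the GUI says about PowerShell 5.1 or 7 being installed, because PowerShell 7 installs side by side and does not remove the v2 engine. Removing the feature is the cheap, reliable fix; an Intrusion Prevention rule that blocks `powershell.exe` is a second layer, not a replacement, since the post also notes that unknown code can drop a portable copy of the interpreter.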
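The post configures a Resources rule so that only the Edge executables may touch the Edge profile folder, and says the setup "will need to be monitored for errors". The script below is an added example, not code from the post or from Kaspersky: it probes the rule from whatever process it is launched in, by listing the folder, opening the credential and cookie stores for read, and optionally creating a file, and reports whether each operation was denied. Assumptions: the folder path is the default Edge location `%LOCALAPPDATA%\Microsoft\Edge\User Data` (the post leaves the exact path blank), the file names are the usual Chromium ones, and the exact error Kaspersky surfaces is not documented on the page, so the classification treats "access denied" as blocked, a sharing violation as the browser's own lock, and anything else as inconclusive rather than guessing.

```powershell
# Added example (not from the original post): probe a Kaspersky Intrusion Prevention
# resource rule on the Edge profile folder from the current process.
# Assumed path/file names below; adjust them to what was entered under Resources.

function Test-ProtectedPathAccess {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'),
        [string[]]$Files = @('Local State', 'Default\Network\Cookies', 'Default\Login Data'),
        [switch]$IncludeWriteProbe
    )

    # Runs one probe and turns the outcome into a label. .NET method errors arrive
    # wrapped in MethodInvocationException, so unwrap before inspecting the type.
    function Classify([scriptblock]$probe) {
        try {
            & $probe | Out-Null
            return 'Accessible'
        } catch {
            $ex = $_.Exception
            while ($ex -is [System.Management.Automation.MethodInvocationException] -and $ex.InnerException) {
                $ex = $ex.InnerException
            }
            if ($ex -is [System.UnauthorizedAccessException]) { return 'Blocked' }
            if ($ex -is [System.IO.FileNotFoundException] -or $ex -is [System.IO.DirectoryNotFoundException]) { return 'Missing' }
            # 0x80070020 = ERROR_SHARING_VIOLATION: the browser holds the file, not the HIPS.
            if ($ex -is [System.IO.IOException] -and $ex.HResult -eq -2147024864) { return 'LockedByBrowser' }
            return "Inconclusive ($($ex.GetType().Name): $($ex.Message))"
        }
    }

    $rows = @()
    $rows += [pscustomobject]@{
        Probe  = 'List directory'
        Target = $Path
        Result = (Classify { [System.IO.Directory]::GetFileSystemEntries($Path) })
    }

    foreach ($f in $Files) {
        $full = Join-Path $Path $f
        $rows += [pscustomobject]@{
            Probe  = 'Open for read'
            Target = $full
            Result = (Classify {
                $fs = [System.IO.File]::Open($full, 'Open', 'Read', 'ReadWrite')
                $fs.Dispose()
            })
        }
    }

    if ($IncludeWriteProbe) {
        $canary = Join-Path $Path 'hips-probe.tmp'
        $rows += [pscustomobject]@{
            Probe  = 'Create file'
            Target = $canary
            Result = (Classify { [System.IO.File]::WriteAllText($canary, 'probe') })
        }
        # Clean up only if the write got through; a leftover file means delete was denied.
        if (Test-Path -LiteralPath $canary) {
            Remove-Item -LiteralPath $canary -Force -ErrorAction SilentlyContinue
            if (Test-Path -LiteralPath $canary) { Write-Warning "Could not remove $canary; delete it from Edge or after relaxing the rule." }
        }
    }
    $rows
}

Test-ProtectedPathAccess -IncludeWriteProbe | Format-Table -AutoSize
```

Read the results in light of which process launched the script. The browser-folder rule in the post denies everything except Edge "even if it is trusted", so running this from an ordinary PowerShell that Kaspersky still permits (the post blocks `powershell.exe` later in the setup, so use an interpreter the rule set allows) should yield `Blocked` on every row; `Accessible` means the rule is not in effect for that path. `LockedByBrowser` is not a verdict on the HIPS rule, only Edge's own exclusive lock on that file while it runs, so close Edge or look at the other rows. The ransomware-folder rule, by contrast, applies only to High Restricted applications, so probing it from a trusted interpreter proves nothing; to exercise it, launch the probe from something Kaspersky actually classes as High Restricted and confirm the denial in Kaspersky's reports.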