Problem with TAM

Status
Not open for further replies.

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
I have a problem with the Trusted Applications Mode of Kaspersky. It seems that TAM heavily relies on KSN for it to work properly without problems. Whenever I have no internet connection, TAM will just wreak havoc on my software. It will block the running of specific software or parts of the software (e.g. DLLs). I still have to allow them, so that they'll work. However, this software has already been classified as Trusted by Kaspersky in the Applications Control. Examples of programs blocked are Waterfox, Palemoon and 7zip.

If I'm connected to the internet, all is well.
 
Reactions: Online_Sword

Cch123

Level 7
Verified
May 6, 2014
335
It's not a problem, it's a security feature. Just go into Kaspersky's settings to unblock them manually. Btw, what are your settings for "Automatically move unknown programs to ____" under application control? That is more likely to be the source of the problem than TAM. After making an initial whitelist, TAM is unlikely to block a lot of things even when not connected to the internet. On the other hand, if you set move unknown programs to high restricted or untrusted, many things will be blocked because this setting does not rely on the initial TAM whitelist.

Some random ramblings here: AV vendors are having a hard time trying to please everyone. Avast hardened mode sacrifices security for usability, and will allow anything through if it does not have access to the internet, thus preventing such issues. But then people complain about how this is not true application control because it has a "weakness" when not connected to the internet. On the other hand, Kaspersky takes the opposite approach, sacrificing usability for more security, and would block a lot of things when not connected to cloud. It's really a matter of the position of the vendor.
 
Reactions: Online_Sword
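
The trade-off described in the post above, as an added example (not part of the original post, and not Kaspersky's or Avast's actual logic): a generic Python model of default-deny application control backed by a cloud reputation lookup, comparing fail-open, fail-closed, and fail-closed with a local cache of verdicts learned while online. The third variant goes beyond the post; all class and function names are hypothetical and the file contents are constructed.

```python
import hashlib
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"

class CloudUnavailable(Exception):
    """Raised by the lookup when the reputation service cannot be reached."""

def file_id(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

class AppControl:
    # Hypothetical model; not any vendor's implementation.
    def __init__(self, cloud_lookup, fail_open, use_local_cache):
        self.cloud_lookup = cloud_lookup        # callable: hash -> bool
        self.fail_open = fail_open              # allow when the cloud is unreachable
        self.use_local_cache = use_local_cache  # honour verdicts learned while online
        self.local_trusted = set()

    def decide(self, content: bytes) -> Verdict:
        h = file_id(content)
        try:
            trusted = self.cloud_lookup(h)
        except CloudUnavailable:
            if self.use_local_cache and h in self.local_trusted:
                return Verdict.ALLOW
            return Verdict.ALLOW if self.fail_open else Verdict.BLOCK
        if trusted:  # cloud answered: its verdict wins and refreshes the cache
            self.local_trusted.add(h)
            return Verdict.ALLOW
        self.local_trusted.discard(h)
        return Verdict.BLOCK

# Constructed sample inputs standing in for real binaries.
KNOWN_GOOD = b"constructed stand-in for a whitelisted program"
UNKNOWN = b"constructed stand-in for an unknown file on a USB stick"

def scenario(fail_open, use_local_cache):
    """Run KNOWN_GOOD once online, then KNOWN_GOOD and UNKNOWN offline."""
    net = {"up": True}
    def lookup(h):
        if not net["up"]:
            raise CloudUnavailable()
        return h == file_id(KNOWN_GOOD)
    ac = AppControl(lookup, fail_open, use_local_cache)
    online = ac.decide(KNOWN_GOOD)
    net["up"] = False
    return online, ac.decide(KNOWN_GOOD), ac.decide(UNKNOWN)
```

`scenario(fail_open, use_local_cache)` returns the verdicts for the known-good file online, the same file offline, and an unknown file offline. Fail-open allows all three, plain fail-closed blocks both offline launches, and fail-closed with the cache blocks only the unknown file.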

XhenEd

If it's a security feature, then I think it's a bad feature. As I said, the programs that were blocked by TAM were already Trusted in the Application Control. As for the "Automatically move unknown programs to ____" under application control, all is set to default (Trust Group Selected Automatically). But I know that it's TAM that blocks because the blocked items are in the TAM window.

But when I'm connected to the internet, there will be no blocking from TAM. I believe it's because the programs, themselves, are in the KSN whitelist. But since KSN is not available offline, TAM blocks them even if the programs are in the Trusted list of the App Control.
 

hjlbx

@XhenEd

Windows System\OS files or newly installed files blocked?

Did you white-list all unknown files discovered during the TAM enable process?

If not, then you have to unblock in TAM on a case-by-case basis when they are executed.

The TAM enable process can be a bit tricky and cause problems if it is not performed according to the Kaspersky Guide.
 
Reactions: XhenEd

XhenEd

No OS files. Blocked files are the installed programs that are installed after the TAM was enabled.
They are all fine when online. TAM doesn't block them when online. But when offline, TAM blocks them.

However, TAM is really not consistent because the files are not blocked immediately sometimes. The programs will run unblocked. But, it will be blocked after some time. Sometimes, they are blocked immediately after launch of such programs. Moreover, some .dll files of a program (e.g. Waterfox) have recently been blocked (upon the launch of Waterfox) even if they were not blocked in the past days.

Also, I already experienced this even in Windows 8.1.
 

hjlbx

That is a bug that is reported to Kaspersky.

TAM is supposed to block the installation of all newly introduced applications that are not Trusted by KSN after TAM is enabled.

Lots of users complain about TAM and Application Control.
 

XhenEd

But Waterfox is trusted by the KSN. In the App Control, Waterfox is in the Trusted because of "KSN information".
So, if there's another bug, it is that a program is blocked by TAM even if KSN has whitelisted the program already. But KSN is online only. :( I only experience TAM blocking whenever I'm offline.
 

hjlbx

The whole intent of TAM as I understand it is to configure system and then lock down system with TAM.

As far as TAM blocking offline that seems to me to be by design. For example, it would also protect against offline launch of files from USB.

Why not just re-run TAM with the blocked apps already installed? Should solve problem.

If re-running TAM doesn't fix issue then something is not right...
 
Reactions: XhenEd

XhenEd

But, as I understand it, Kaspersky components are connected to each other. Don't you think that a Trusted application should be allowed by TAM? If an application is Trusted, then why block it offline?

If this is really by design, I think this is a bad design. For example, I'm using 7zip. When I'm offline Kaspersky slightly cripples my ability to use 7zip because it blocks 7zip.dll upon the launch of explorer.exe. Of course, all I need is to allow 7zip again.
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,664
@XhenEd: I'm trying to reproduce Your issue in my system with KTS2016MR0c, I have 7zip x64 but not PaleMoon and WaterFox. In offline (no network connection to Internet) 7zip was not blocked here by TAM, anyway will continue testing for a while.

I see You've also asked in Kaspersky forum: Trusted Applications Mode Problem - Kaspersky Lab Forum, let's see what They will answer You :) but I guess in the end You will be asked to contact KL Support.
 
Reactions: XhenEd

XhenEd

Thanks for testing!
It's not the whole of 7zip that has been blocked. It's the .dll of 7zip (when opening Windows Explorer).


Edit: I tried to reproduce the issue now. I can't seem to reproduce the problem. There's really wrong as for the screenshot I gave in the Kaspersky forum. But I'll watch for more anomaly.
 
Reactions: harlan4096

harlan4096

Maybe some kind of temporal issue with trusted/whitelisted applications...
 
Reactions: XhenEd

XhenEd

Gotcha! I opened 7zip, then went to Tools, then Options.
[Image: UkwzbFn.png]
 