Advice Request Ransomware Protection Kaspersky - KnowBe4


miguelang611

Level 2
Thread author
Apr 13, 2020
99
Hi!!
My main interest in Patch J was to know whether ransomware protection had been improved. I tried patch H on a VM, resulting in 6 vulnerabilities; patch I improved to just 4 vulnerabilities, but patch J is staying at 4 vulnerabilities.
I have tested both Kaspersky Security Cloud Free and Kaspersky Total Security; with default configs, the results are exactly the same. If on TS I apply "untrusted" for unknown apps, 0 vulnerabilities, but also 2 incorrectly blocked. Does Kaspersky have any approach to solving Collaborator, InsideCryptor, SlowCryptor and VirlockVariant? I checked the test folders manually and the app marks the 4 vulnerabilities correctly: the files got encrypted.
With protected folders on C:\ as some guides suggest or higher restrictions on app control this would be solved, but will also cause false positive blocks. Any approach to fix it without causing "unwanted" blocks?
I attach CSV with results, just in case it is helpful.
Regards!!
PS: My main concern regarding security suites is ransomware. What would be the recommended config for everyday use without too many prompts but with higher ransomware protection? Looking into the Kaspersky settings I reached a config similar to the pinned KSC Free guide, but I don't know if that is the best idea given my concerns.

(Screenshot attached: KnowBe4-PatchJ.PNG)

Attachments

  • 2020414_RansimResults.csv.txt (3.6 KB)
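The thread tracks the same simulator results across patches H, I and J and weighs "vulnerabilities" (ransomware scenarios that ran to completion) against "incorrectly blocked" legitimate scenarios. As an added example, not code from the post, from KnowBe4 or from Kaspersky, here is a small Python script that parses two result exports and reports the counts and the scenario-by-scenario change between runs. The CSV layout (columns `scenario,kind,result`) is an assumption, since the real export attached to the post is not reproduced here, and the rows other than the four scenario names quoted in the post are constructed placeholders.

```python
"""Summarise ransomware-simulator results and diff two runs.

Added example; the CSV layout is ASSUMED (scenario,kind,result) and the
sample rows are constructed. Scenario names other than the four named in
the thread are placeholders.
"""
import csv
import io

# Constructed "patch H"-style run: 6 ransomware scenarios not blocked.
RUN_BEFORE = """scenario,kind,result
Collaborator,ransomware,not blocked
InsideCryptor,ransomware,not blocked
SlowCryptor,ransomware,not blocked
VirlockVariant,ransomware,not blocked
ScenarioA,ransomware,not blocked
ScenarioB,ransomware,not blocked
ScenarioC,ransomware,blocked
LegitimateA,legitimate,allowed
LegitimateB,legitimate,allowed
"""

# Constructed "patch I"-style run: two scenarios fixed, one new false positive.
RUN_AFTER = """scenario,kind,result
Collaborator,ransomware,not blocked
InsideCryptor,ransomware,not blocked
SlowCryptor,ransomware,not blocked
VirlockVariant,ransomware,not blocked
ScenarioA,ransomware,blocked
ScenarioB,ransomware,blocked
ScenarioC,ransomware,blocked
LegitimateA,legitimate,blocked
LegitimateB,legitimate,allowed
"""


def parse_results(text):
    """Return {scenario: (kind, result)} from CSV text in the assumed layout."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["kind"].strip().lower()
        result = row["result"].strip().lower()
        rows[row["scenario"].strip()] = (kind, result)
    return rows


def summarize(results):
    """Count what the simulator report calls vulnerabilities and false blocks."""
    vulnerabilities = sorted(
        s for s, (k, r) in results.items() if k == "ransomware" and r != "blocked"
    )
    incorrectly_blocked = sorted(
        s for s, (k, r) in results.items() if k == "legitimate" and r == "blocked"
    )
    blocked = sum(1 for k, r in results.values() if k == "ransomware" and r == "blocked")
    return {
        "vulnerabilities": vulnerabilities,
        "incorrectly_blocked": incorrectly_blocked,
        "blocked": blocked,
    }


def diff_runs(before, after):
    """Report which scenarios changed outcome between two runs."""
    fixed, regressed, new_false_positives = [], [], []
    for name in sorted(set(before) | set(after)):
        kind_b, res_b = before.get(name, ("", "missing"))
        kind_a, res_a = after.get(name, ("", "missing"))
        kind = kind_a or kind_b
        if kind == "ransomware":
            if res_b != "blocked" and res_a == "blocked":
                fixed.append(name)
            elif res_b == "blocked" and res_a != "blocked":
                regressed.append(name)
        elif kind == "legitimate":
            if res_b != "blocked" and res_a == "blocked":
                new_false_positives.append(name)
    return {"fixed": fixed, "regressed": regressed, "new_false_positives": new_false_positives}


if __name__ == "__main__":
    before = parse_results(RUN_BEFORE)
    after = parse_results(RUN_AFTER)
    for label, run in (("before", before), ("after", after)):
        s = summarize(run)
        print(f"{label}: {len(s['vulnerabilities'])} vulnerabilities, "
              f"{len(s['incorrectly_blocked'])} incorrectly blocked, {s['blocked']} blocked")
    print("change:", diff_runs(before, after))
```

Keeping one export per patch and diffing them this way makes it obvious whether a settings change (such as moving unknown applications to Untrusted) reduced vulnerabilities only at the cost of new false positives, which is the trade-off the rest of the thread is about.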

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
Hi!
I see that you changed the trust group for unknown apps to "untrusted", which I am currently using. Using Kaspersky tweaked, with a user being careful, should be enough. I know that this is not the answer you're expecting, but it is very hard for ransomware to get into your system unless you are very reckless and click-happy. Kaspersky offers decent protection, and when combined with user carefulness the result is unbeatable protection. I would suggest resorting to backups, as no security product is bullet-proof.

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,633
My main concern regarding security suites is ransomware. What would be the recommended config for everyday use without too many prompts

* With KIS/KTS/KSCloud (paid): In Auto Mode (Default Settings) + Application Control -> Unknown Applications -> Untrusted.

* KSCFree -> as it has no Application Control, I would use a tool to harden the system: NVT SysHardener or Hard_Configurator.

About this tool, you have to think that it is executed with full rights, as it is Trusted in KSN and digitally signed, so we can't trust the results much:

(Screenshot attached)

miguelang611

Level 2
Thread author
Apr 13, 2020
99
Hi!
I see that you changed the trust group for unknown apps to "untrusted", which I am currently using. Using Kaspersky tweaked, with a user being careful, should be enough. I know that this is not the answer you're expecting, but it is very hard for ransomware to get into your system unless you are very reckless and click-happy. Kaspersky offers decent protection, and when combined with user carefulness the result is unbeatable protection. I would suggest resorting to backups, as no security product is bullet-proof.
Hi there!
I just changed it for testing purposes. For my everyday setup I am currently running almost bone stock except for a few small settings...
But if I set it to not trusted, then of course the whole app won't run, which isn't the point of this test for me... But yes, there is always that alternative of "blocking everything". But as I explain below, that's not what I'm expecting.
* With KIS/KTS/KSCloud (paid): In Auto Mode (Default Settings) + Application Control -> Unknown Applications -> Untrusted.

* KSCFree -> as it has no Application Control, I would use a tool to harden the system: NVT SysHardener or Hard_Configurator.

About this tool, you have to think that it is executed with full rights, as it is Trusted in KSN and digitally signed, so we can't trust the results much:

(Screenshot attached)
Yes, you are right, it is in the KSN, but I just tested on a full clean VM, opted out of KSN during installation and removed "trust signed programs" and "trust KSN checked programs", and the results are exactly the same: 4 vulnerabilities. If it were taken as a whole, either nothing should be blocked or the whole program should be blocked (as with manually setting apps to untrusted in the settings). I really think it is a System Watcher matter, since Kaspersky Security Cloud Free, which lacks App Control, gives the exact same 4 vulnerabilities... So I think it is Kaspersky wrongly identifying those generated ransoms (as from Patch H to Patch I it improved, fixing 2 vulnerabilities).
I was just hoping there was a workaround for this without blocking everything as a whole, but it looks like what I am looking for just depends on Kaspersky...
Well, just in case, I attach the config I made for the test. If everything is default (KSN on) it would set to max restriction; if no KSN but auto select, it would go for minimum restriction (but still the same 4 vulnerabilities, which is kind of strange).
Anyway, thank u both for the replies!
See u!

Attachments

  • Settings1.PNG (38.3 KB)
  • Settings2.PNG (27.2 KB)

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,633
Please upload the 4 vulnerabilities screenshot :unsure: . Application Control does not show vulnerabilities; usually detected vulnerabilities are because you don't have the latest updated version of some applications or System Settings, nothing to do with Application Control or KSN. You should enable "load KSN rules" and the KSN (Aceptar) settings...

miguelang611

Level 2
Thread author
Apr 13, 2020
99
Please upload the 4 vulnerabilities screenshot :unsure: . Application Control does not show vulnerabilities; usually detected vulnerabilities are because you don't have the latest updated version of some applications or System Settings, nothing to do with Application Control or KSN. You should enable "load KSN rules" and the KSN (Aceptar) settings...
Hi there!
The vulnerabilities are in the CSV I first sent, but I attach a screenshot of that.
The 4 generated ransoms that Kaspersky doesn't stop are Collaborator, InsideCryptor, SlowCryptor and VirlockVariant. The rest were successfully blocked.
As I said, since Kaspersky Security Cloud provides the exact same results, I think it is a matter of how System Watcher sees them, not an Application Control thing.
If needed, I will attach the test folders with the files which should be blocked but Kaspersky doesn't block, and, well, the encrypted files as well.
Regards!

Attachments

  • KnowBe4-Vulnerabilities.jpg (1 MB)

miguelang611

Level 2
Thread author
Apr 13, 2020
99
Ah ok, I got it now, you are referring to the KnowBe4 report... as I said, I would not trust that report much, that tool runs with full rights in the system...
The tool runs with minimum restriction by default. If Kaspersky set it to max restriction, the tool would of course fail even to execute the "legitimate" part of the test.
I know Kaspersky protection is really great, but well, if BitDefender can manage to allow the 2 legitimate ones to execute and let just 1 ransom pass, I think Kaspersky could also improve on that, since it is at least as great!
But as I said, there is no config I can make that still allows the legitimate ones and blocks those 4 vulnerabilities: either 4 vulnerabilities, or full block, no middle point. So, definitely, that is an under-the-box config!
Well, maybe posting on the Kaspersky official forums will pump it up and maybe they do something? What do u think?
Regards!

miguelang611

Level 2
Thread author
Apr 13, 2020
99
Not in Kaspersky Community but to Kaspersky Support...
Through the Kaspersky app, u mean?
Well, I do sleep very comfortably, but hey, if they can improve, it is always welcome ;)
Also, I was wondering, if there is no app control on the Free version, what's the real impact of disabling KSN? (Just wondering)
I mean, on KIS/KTS the app control would behave differently, but on these ones? Would it still make a difference in performance, since it would need analysis instead of just checking KSN?
Also, following your guide for KSC Free, I saw u disable interactive mode. I guess what that does is give u prompts about what it is doing, instead of "muting" some of the auto actions done, right?
Thanks!

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,633
Also, I was wondering, if there is no app control on the Free version, what's the real impact of disabling KSN? (Just wondering)
Kaspersky Security Network

Also, following your guide for KSC Free, I saw u disable interactive mode. I guess what that does is give u prompts about what it is doing, instead of "muting" some of the auto actions done, right?
For standard users and noobs it is better to keep Auto Mode (Interactive Mode Disabled)... of course I use Interactive Mode on my systems, I like warnings :)

miguelang611

Level 2
Thread author
Apr 13, 2020
99
Kaspersky Security Network


For standard users and noobs it is better to keep Auto Mode (Interactive Mode Disabled)... of course I use Interactive Mode on my systems, I like warnings :)
Thank u
Well, for KSN I had already read that article; I was wondering more about a day-to-day explanation, but well, I just guess it is an extra layer of protection at the cost of privacy, as always.
And that is what I was searching for: disabling auto mode will just prompt some more, which I like, since I prefer to take control, as I consider myself an experienced enough user, although I will of course leave that on for the rest of the family.
Thank u as always for the reply!

miguelang611

Level 2
Thread author
Apr 13, 2020
99
How did you open it if Kaspersky doesn't even let you do that?
Of course it will open with default settings. It will even run the full test.
It is trusted in KSN, although the sub-processes it creates should be blocked (following the protected folders guide of @harlan4096, the app will open, but won't be able to load and execute any of the sub-processes (also the ones which are not ransomware, of course), since all sub-processes become High Restricted and can't write to the C:\ drive).
