TAM blocking dropbox

Status
Not open for further replies.

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
After enabling TAM with default settings, it prevented the Dropbox desktop app from syncing.
I had to grant it special permissions in order to get it to work.
Why does this happen, and maybe TAM is preventing certain programs from updating, without my knowledge?
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
As far as I know, TAM shouldn't be blocking internet traffic. What it should block is non-whitelisted software or parts of software.
I also don't see anything about this blocking of internet traffic in Kaspersky's official paper.
 

shmu26

I think the problem was that I unticked "trust digitally signed applications" in the Application Control Settings. Now it seems to be working.

EDIT: after another reboot, dropbox stopped syncing again. The behavior is erratic.
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
You can find this behaviour if You don't trust signed applications, and some users also say when there is no internet connection... TAM (Trusted Application Mode), the acronym just says it, if We disable trusting signed applications (whitelisting), although We still have KSN rules, We are cutting one of the big bases of TAM :D

We can find this especially, for instance, with new versions of applications... but in general, going to TAM settings -> manage blocked applications, and allowing there the application to Start, or via Application Control (manage Applications) -> Start, and finding the applications located in Blocked StartUp and allowing them, should fix the issue.

I have always TAM enabled and untrusting signed applications, and in general not having any issues, sometimes as I said before, We can find a blocked application, but allowing them manually should solve the problems...
 

shmu26

the funny thing here is dropbox doesn't appear in the list of blocked applications, and kaspersky doesn't give any warning about blocking it. Even though dropbox is in the list of trusted apps in TAM, it still can't sync, unless I give it special permissions.
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
Ok, if dropbox can't sync then maybe it is an issue with encrypted connections... in Settings -> Additional -> Network -> Encrypted connections scanning, how do You have this setting?

You can try to create an exclusion for dropbox services/executables and its encrypted traffic in Settings -> Additional -> Threats & Exclusions -> Specify Trusted Applications, something similar to this but with dropbox:
[Screenshot: 0s5ebdy.png]
 

shmu26

okay, I think I got it sorted out now.
I uninstalled dropbox, and reinstalled.
after the reinstall, I saw a lot more subprocesses under the heading of dropbox.
I think that TAM failed to detect some of the subprocesses, so it didn't know whether to allow them or not, and gave unreliable results. Now it sees all of them, and allows them, even though I did not enable trust for digitally signed apps.
 

harlan4096

It's ok, I also don't trust in digitally signed applications ;)
 

shmu26

I see you have unknown apps set at high restricted. Does this cause any problems? And what is the Kaspersky default setting for this?
 

harlan4096

You see, my settings are quite paranoid :rolleyes:

Kaspersky's default setting for that is: Select trust group automatically...

Well, applications that are not digitally signed and/or those still unknown in KSN are sent on 1st run to the High Restricted group (as I set, of course) but it's normal behaviour, since this is a very paranoid setting :D, but if You trust those applications and they are really trusted, just moving them manually to the Trusted group does the trick.

With TAM on, sending to High Restricted group unknown applications and untrusting digitally unsigned ones, We are in a "default deny" environment :) I like it :cool:
 

shmu26

If you untrust digitally signed applications, and you place everything unknown, and everything that starts before Kaspersky, in the high restricted group, isn't that the same effect as TAM, more or less?
 

harlan4096

Not exactly the same, TAM only restricts start/execution of applications, and in the High Restricted group there are many other system resources/rules/rights that are controlled, but yes, at that point of execution, it would be a similar effect in many cases...
 

shmu26

for some reason, TAM seems to slow down the starting of programs, even the approved programs. Some programs start up very, very slow, at least on the first execution of the current session. But with TAM turned off, they start up normally, even with paranoid settings in application control.
 

XhenEd

Fortunately, I'm not the only one experiencing this!
One of the reasons why I disabled TAM is because of very, very slow startup of some programs, even though they're "trusted".
 

shmu26

I think putting application control on paranoid settings should give pretty good protection. Even if malware executes, it can't actually do damage.

But whatever settings you use, you still need protection against process hollowing and exploits of that type, where the malware appears as a known and trusted app, and inherits its permissions. Any ideas how to improve protection in that area?
 

XhenEd

You're pretty much covered.
Kaspersky has Automatic Exploit Prevention for exploit protection. It also has protection against process hollowing (he would say above average protection), according to a member of Wilders.
 

harlan4096

In general I have not been experiencing slowdowns running applications with TAM on, well maybe on 1st run when it has to be categorized, but once it is allowed, didn't notice much slowdown, anyway every system is a different world ;)

About improving Kaspersky anti-exploit protection with a companion, sometimes I use MW-AE Free and KeyScrambler Free alongside my KTS2016 but probably they are not necessary :)
 

shmu26

Does Application Control apply to anything that executes, including scripts and BAT files etc, or is it only for exe files?
 

harlan4096

Yes, just go to Microsoft group in Trusted, and check... .exe .dll .com .bat .msc etc. even .cpl and .tmp could appear...
 