Advice Request Trusted Applications mode in Kaspersky

Status
Not open for further replies.

hamo

Kaspersky said that Trusted Applications mode (TAM):

> prevents untrusted programs from launching. Kaspersky Internet Security 2018 declares a program untrusted if Kaspersky Security Network has no information about it, or if it was downloaded from an untrusted website. Only known and trusted applications are allowed to run.

How to enable the Trusted Applications mode in Kaspersky Internet Security 2018

Now I use Kaspersky Internet Security 2018 only with TAM active.
According to the above, does this mean I am fully protected 100%? Yes or no, and why?
Thanks
 

RoboMan

No, you're never 100% protected because certificates can be faked, and applications (rare but possible) can bypass this module. Nothing is impenetrable, brother.

I personally do not use this mode, it's way too much paranoia.
 

hamo

> No, you're never 100% protected because certificates can be faked, and applications (rare but possible) can bypass this module. Nothing is impenetrable, brother.
>
> I personally do not use this mode, it's way too much paranoia.

Thank you for your reply,

I have used this mode for more than 100 days, and I get some paranoia (even with famous applications) only if I am disconnected from the internet for any reason.

I think that in that mode, Kaspersky Lab is watching my PC and controlling it; if I disconnect from the net, the paranoia starts.
 

Attachment: 2017-09-05_23h15_45.png

Bleak

No, I think you're not fully protected (it's a myth to be 100% secure anyways). For a simple example, you can get infected by adware that comes with an installer that has a certificate; this is where other parts of the program kick in. If blocking applications is your concern, you can use VoodooShield alongside KS with other security modules enabled.
 

XhenEd

About TAM and digital certificates, there's an official Kaspersky document that states that only those digital certificates that are approved by Kaspersky would be allowed while TAM is running.

> Trusted chain
> Trusted chain is a set of mechanisms that confirm or refute the legitimacy of an application based on certain characteristics, such as its compliance with application trust inheritance rules, the authenticity of the file’s digital signature and whether the file was downloaded from a trusted source.
>
> Application trust inheritance principle
> Many programs create other applications during their operation. Information about these applications may be absent from the Kaspersky Lab knowledge base. For example, in order to download an update a program may have to launch a specialized module, which will connect to the software vendor’s server and download a new version of the program. In effect, the update module is a new application created by the original program and there may be no data on it in the Whitelisting database. However, since this application was created and launched by a trusted program, it is regarded as trusted.
>
> Digital signature
> A program’s update module might automatically download a new version of an application, and the ‘footprint’ of that new version could be different from the one in the Whitelisting database. However, its legitimacy can be determined based on other characteristics, e.g., by checking new files for the presence of unique digital signatures.
> Many software vendors sign their program files using a unique digital signature, which protects the files from unauthorized modification. Kaspersky Lab analyses these signatures, rates their reliability and maintains a constantly updated database of security certificates used by software vendors to create digital signatures. This can determine whether a specific file’s digital signature is genuine or not. If it is, the new version of the application is considered trusted. If any of these signatures are compromised they will be immediately removed from the database, even if the OS still regards them as trusted.
>
> Verifying whether the source is trusted
> However, it is not uncommon for a file to have no unique signature. In this situation, Trusted Applications uses one more source – a trusted domains database – and searches it for the domain from which the file in question was downloaded. If the domain is on the list of trusted domains (in most cases, these are domains of well-known software vendors), the object being downloaded is also deemed legitimate.
> In addition to software vendors’ sites the trusted domains database includes distributor sites – file collections which have not been detected as sources of malware. If it turns out that one of these sites has been used to distribute malicious code, it is immediately removed from the trusted domains database.
>
> As a result, the Whitelisting database, together with additional application trust verification tools – application trust inheritance rules and checks against a security certificate and trusted domain database – create a fault-tolerant chain of mechanisms for trust verification, providing a high level of protection for the computer.
> However, even if all of these components are used, there is still a danger that cybercriminals will try to infect the computer via vulnerabilities in legitimate programs. Trusted Application technologies were developed with this in mind.

Whether or not this "Trusted Chain" is very reliable is another issue. But at least we should recognize that not all programs with digital signatures are allowed in Kaspersky. :)
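
A simplified model of the trusted chain described in the quoted Kaspersky document, added here as an example; it is not Kaspersky's code and does not come from any poster in this thread. The database contents, the field names and the order of the checks are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample databases: every value below is made up for illustration.
WHITELIST = {"hash-editor-v1"}                  # known-good file hashes
CERT_DB = {"thumb-good-vendor"}                 # certificates still rated as reliable
TRUSTED_DOMAINS = {"downloads.vendor.example"}  # vendor and distributor sites


@dataclass
class Launch:
    file_hash: str
    created_by: Optional[str] = None     # hash of the program that created this file
    cert: Optional[str] = None           # signer thumbprint, None when unsigned
    os_trusts_cert: bool = False         # recorded but deliberately never consulted
    source_domain: Optional[str] = None  # where the file was downloaded from


def evaluate(launch: Launch) -> tuple:
    """Return (verdict, reason). The order of the checks is an assumption."""
    if launch.file_hash in WHITELIST:
        return ("trusted", "whitelist")
    # Trust inheritance: a file created by a trusted program is trusted.
    if launch.created_by in WHITELIST:
        return ("trusted", "inherited")
    if launch.cert is not None:
        # The product's own certificate database decides, so a certificate
        # removed from it fails even if the OS still regards it as trusted.
        if launch.cert in CERT_DB:
            return ("trusted", "signature")
        return ("untrusted", "certificate not in database")
    # Only unsigned files fall back to the download-source check.
    if launch.source_domain in TRUSTED_DOMAINS:
        return ("trusted", "domain")
    return ("untrusted", "unknown")


if __name__ == "__main__":
    samples = [
        Launch("hash-editor-v1"),
        Launch("hash-updater", created_by="hash-editor-v1"),
        Launch("hash-editor-v2", cert="thumb-good-vendor", os_trusts_cert=True),
        Launch("hash-signed-adware", cert="thumb-removed", os_trusts_cert=True),
        Launch("hash-unsigned-tool", source_domain="downloads.vendor.example"),
        Launch("hash-unknown"),
    ]
    for s in samples:
        print(s.file_hash, evaluate(s))
```

The fourth sample is the case discussed in this thread: a signed installer whose certificate the OS accepts is still untrusted once the certificate is absent from the product's own database.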
 

hamo

Thank you all. @XhenEd @Bleak @RoboMan

After using TAM for more than 100 days and testing a lot of malware:

Disadvantages:
- It should be connected to the internet to work perfectly; if not, you will get many false positives and blocked legitimate applications. (Paranoia)
- Much impact on performance.
- You should use famous applications.

Advantage:
- If malware has a fake digital signature (worst malware), and you apply that malware: if it passes "Antivirus signature & Application Control", it will never pass TAM. (Tested many times.)

The above made me ask that question.
 

hamo

Like that, see photo please:
 

Attachment: 2017-09-06_16h06_21.png

Bleak

Are you sure that's TAM? TAM only acts on-execution. On-demand scanning (even Kaspersky File Advisor) is done by other modules. :)
You have different options for that in File AV module advanced settings (Smart mode, on access, on access and modification, and on execution).
 

hamo

> Are you sure that's TAM? TAM only acts on-execution. On-demand scanning (even Kaspersky File Advisor) is done by other modules. :)

Yes, I mean Kaspersky (TAM) will prevent execution (internet connection is important), even if the antivirus database says it is safe.
"prevents untrusted programs from launching"

Do you see a difference between TAM & Kaspersky File Advisor??
 

509322

> Like that, see photo please:

TAM does not auto-block all scripts by default. Try just renaming the script, such as "Test.bat", and you might get different results. Some scripts are auto-added to Low Restricted and allowed to launch by default.

Create various scripts and execute them yourself to learn how TAM and Application Control handle scripts. The interpreters themselves are all whitelisted by Kaspersky, so if a script can launch, even in Low Restricted, you could very well be beat.

TAM does not behave like an anti-executable; Application Control itself can be set to be more anti-executable-like by adjusting the settings so that unknown files are added to Untrusted.

It seems like everybody keeps thinking TAM and Application Control are anti-executables. They are not anti-executables. And Kaspersky's file reputation system does not help matters.

Kaspersky's definition of "untrusted programs" is loose.
 

XhenEd

> Yes, I mean Kaspersky (TAM) will prevent execution (internet connection is important), even if the antivirus database says it is safe.
> "prevents untrusted programs from launching"
>
> Do you see a difference between TAM & Kaspersky File Advisor??

Obviously, I know the difference between TAM and Kaspersky File Advisor. :D

TAM's pop-up is distinct from those in the photo you posted. That's why I asked you if you're sure that there's TAM action there. :D
 

hamo

> You have different options for that in File AV module advanced settings (Smart mode, on access, on access and modification, and on execution).

In fact I use Kaspersky in default settings - just: :unsure:
- active TAM
- uncheck "Do not delete probably infected object"
- uncheck "Trust digitally signed application."
- check "If web site can be used by a criminal to ......" in web antivirus.
- check "detect other software that can be used by criminals .........."
 

hamo

> Obviously, I know the difference between TAM and Kaspersky File Advisor. :D
>
> TAM's pop-up is distinct from those in the photo you posted. That's why I asked you if you're sure that there's TAM action there. :D

Do you know, I asked you because I do not know the difference exactly :D ... whole post to know more.

@Lockdown
I was thinking that TAM is like an anti-executable!!! .... white list for Kaspersky.
 

XhenEd

> Do you know, I asked you because I do not know the difference exactly :D ... whole post to know more.

Awww... hahaha... I misinterpreted what you posted. :D

Kaspersky File Advisor is there to know the "reputation" of a program. The program may be trusted, untrusted, or unknown. :)

Trusted Applications Mode creates a trusted environment where, supposedly, only trusted applications can launch. But as @Lockdown said, TAM is not really perfect in establishing this "trusted environment." :)
 

hamo

> Awww... hahaha... I misinterpreted what you posted. :D
>
> Kaspersky File Advisor is there to know the "reputation" of a program. The program may be trusted, untrusted, or unknown. :)
>
> Trusted Applications Mode creates a trusted environment where, supposedly, only trusted applications can launch. But as @Lockdown said, TAM is not really perfect in establishing this "trusted environment." :)

TAM = white list for Kaspersky? Or not exactly?
 

509322

365 - 235 = 130 days

32 or 64 bit system?

Everybody that I know who has disabled "Do not trust digitally signed programs" on 64 bit system, Application Control will move the entire Trusted Group to Untrusted and smash the system.
 