Useful tips regarding Kaspersky App Control and System Watcher

RiderExpert

Level 2
Thread author
Verified
Jul 21, 2016
53
Hi, guys. I'd like to share some information that may be useful for some Kaspersky users.

First of all, we should point out how powerful Kaspersky App Control can be if configured correctly. You can prevent undetected ransomware from encrypting your files just by creating the correct rules.

The first two tips focus on people who often change their PCs or frequently format them. The idea is to allow usage of the same config file on every PC you use.

*Important Windows Folders = Library folders (Documents, Pictures, Videos...)

IMPORTANT:
> DO NOT DO STEP 1) IF THE FOLDER YOU WANT TO PROTECT IS NOT IN ITS DEFAULT LOCATION

> DO NOT DO STEP 1) OR 2) IF YOU ARE USING THE BUILT-IN ADMINISTRATOR ACCOUNT OR IF (FOR SOME REASON) YOU HAVE DIRECT ACCESS TO A DIFFERENT USER FOLDER. Since Windows Vista, non-built-in Administrator accounts (normal admin accounts) do not have direct access to other users' files by default.

> This worked for me. I've tested it with new ransomware samples and it did the job. Please don't blame me if something goes wrong. If you are not sure, DO NOT DO IT.


1) The first tip I found useful is to configure resources (like protected Windows folders) using environment variables instead of plain folder paths. For example:

Instead of adding the folder "C:\Users\Walter White\Documents\*" use "%USERPROFILE%\Documents\*".

This is a good practice to protect the currently logged-in user without the need to add multiple user folders, and it is useful if you want to reuse your config file on another PC and do not want to configure the resources again.

2) If you keep your important folders in a different location (maybe because you installed Windows on an SSD and want to move the important Windows folders to another location) you should use registry values.

Open regedit.exe and go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

See in the "Name" column, on the right side of the window, the name of the registry entry that links to the folder you want to protect. The folder path can be found in the "Data" column (also on the right side of the window).

Now, if you want to protect your Documents, Pictures, Videos and Desktop for example, go to the Kaspersky manage resources window, click Add > File or Folder (yes, folder, not registry) and add the following entries:

%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders^Personal%\*

%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders^My Pictures%\*

%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders^My Video%\*

%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders^Desktop%\*


This will keep your folders protected even if you change their locations.

3) Create a folder inside your user root folder and fill it with 20+ txt files. This will be your Ransomware Bait folder. I'll explain why you need it.

Suppose all your important files are kept in the Documents and Pictures folders. Both folders are protected with the Application Control component, that is, restricted applications do not have permission to create, write, or delete inside those two folders.

If a ransomware (not detected by Kaspersky) tries to encrypt your files, Application Control will block its action and your files will be safe (it does not matter if the ransomware is detected or not). This sounds good, right? Yes, and it is, but there is a problem: since the ransomware was not able to encrypt, or even try to encrypt, your files, System Watcher will not flag it as malware. So, although your files and system are safe, you may not know you are dealing with a dangerous file. (I've already sent this information to Kaspersky. Let's see if they do something about it.)

That is why you need a bait folder. If you have a folder with a lot of useless files, ransomware will try to encrypt them. System Watcher will now be able to intercept that action and deal with the malware. If System Watcher fails (which is very unlikely, I mean, very!), the only files you would lose would be those useless txt files.

That's it. :)

If you find something wrong, please let me know. I'm just trying to help.
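The two rule syntaxes in tips 1 and 2 resolve to concrete folders only at runtime, so it is easy to protect the wrong path (for example after moving Documents to another drive). The following Python example, added here and not part of the original post or of Kaspersky's software, parses both forms (`%VAR%\...` and `%<hive>\<key>^<value>%\...`) and resolves them against a constructed User Shell Folders map and environment, so you can confirm what a rule actually covers before relying on it. The registry map and environment values are constructed sample data, not read from a real machine.

```python
import re

# Registry-backed resource syntax from the thread: %<hive>\<key path>^<value name>%<rest>
_REG_TOKEN = re.compile(r"^%(HKEY_[A-Z_]+)\\(.+?)\^([^%]+)%(.*)$")
# Plain environment-variable tokens such as %USERPROFILE%
_ENV_TOKEN = re.compile(r"%([^%]+)%")


def expand_env(path, env):
    """Expand %VAR% tokens using the supplied environment map (case-insensitive)."""
    lookup = {k.upper(): v for k, v in env.items()}
    return _ENV_TOKEN.sub(lambda m: lookup.get(m.group(1).upper(), m.group(0)), path)


def resolve_resource(rule, registry, env):
    """Return the concrete path a rule protects, or None if it names a
    registry value that does not exist (the rule would then match nothing).
    registry maps (hive, key_path) -> {value_name: data}; data may itself hold
    %VAR% tokens, as the REG_EXPAND_SZ values under User Shell Folders do."""
    m = _REG_TOKEN.match(rule)
    if not m:
        return expand_env(rule, env)
    hive, key_path, value_name, rest = m.groups()
    data = registry.get((hive, key_path), {}).get(value_name)
    return None if data is None else expand_env(data, env) + rest


# Constructed sample data: Documents was moved to D:\, the others are at default locations.
SAMPLE_ENV = {"USERPROFILE": r"C:\Users\Walter White"}
USER_SHELL_FOLDERS = r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
SAMPLE_REGISTRY = {
    ("HKEY_CURRENT_USER", USER_SHELL_FOLDERS): {
        "Personal": r"D:\Walter\Documents",
        "My Pictures": r"%USERPROFILE%\Pictures",
        "Desktop": r"%USERPROFILE%\Desktop",
    },
}


def check_rules(rules, registry=SAMPLE_REGISTRY, env=SAMPLE_ENV):
    """Map each rule to its resolved path (None marks a rule that resolves to nothing)."""
    return {rule: resolve_resource(rule, registry, env) for rule in rules}


if __name__ == "__main__":
    key = "HKEY_CURRENT_USER\\" + USER_SHELL_FOLDERS
    rules = [r"%USERPROFILE%\Documents\*", f"%{key}^Personal%\\*", f"%{key}^My Video%\\*"]
    for rule, path in check_rules(rules).items():
        print(f"{rule}\n  -> {path or 'UNRESOLVED: registry value missing'}")
```

Note that in the constructed data the `%USERPROFILE%\Documents\*` rule and the `^Personal%` rule resolve to different folders, which is exactly the situation tip 2 addresses, and a rule naming a value that does not exist (here `My Video`) resolves to nothing at all.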

shukla44

Level 13
Verified
Top Poster
Well-known
Jan 14, 2016
601
Great idea....;)
But I have a more elaborate way....:D:p
Every file type that is important, no matter where it is located, is protected from unknown programs as you can see in the screenshot. Took a little time to set up but worth it.
[Screenshot: ScreenShot00562.jpg]


Plus AppData folders are protected as well, as most ransomware needs access to them.
[Screenshot: ScreenShot00563.jpg]


Regards.
 

RiderExpert

Level 2
Thread author
Verified
Jul 21, 2016
53
> Great idea....;)
> But I have a more elaborate way....:D:p
> Every file type that is important, no matter where it is located, is protected from unknown programs as you can see in the screenshot. Took a little time to set up but worth it.
> [screenshot attachment]
>
> Plus AppData folders are protected as well, as most ransomware needs access to them.
> [screenshot attachment]
>
> Regards.

Good job. I prefer protecting folders because I don't know which kinds of files I'll consider important, but I know they will be inside some important folder. But that's my case.

I have data folders protected as well, but the default deny is only for the HR group. LR are allowed to use it (so basically, since almost every unknown malware goes to LR, I'd say it is not protected but is logged).

Remember my tip 3: if you want Kaspersky's System Watcher to be able to detect that a program is malicious you, unfortunately, have to give it some kind of freedom.
If you don't mind SW detection, just deny almost everything. :)
 

shukla44

Level 13
Verified
Top Poster
Well-known
Jan 14, 2016
601
> Good job. I prefer protecting folders because I don't know which kinds of files I'll consider important, but I know they will be inside some important folder. But that's my case.
>
> I have data folders protected as well, but the default deny is only for the HR group. LR are allowed to use it (so basically, since almost every unknown malware goes to LR, I'd say it is not protected but is logged).
>
> Remember my tip 3: if you want Kaspersky's System Watcher to be able to detect that a program is malicious you, unfortunately, have to give it some kind of freedom.
> If you don't mind SW detection, just deny almost everything. :)

The files I consider important are the ones I have. So I put every file type I have in the identity protection module. Every doc file type, every image file type, every video file type (only the ones I have, as there are so many in general) is protected regardless of folder. I have various folders for various tasks in various places and I create many along the way; I can't add them every time I create them. I guess you have all your files in those 4 places only, so it is easy for you to just protect the 4 places.

I have "trust digital signature" disabled, plus unknown files go to the HR group, and for HR I have set the start rights to prompt, so that every unknown file that wants to run on my computer has to go through me. So there is basically no need for LR for me, but I still have some vulnerable apps in it with custom rights.

As for System Watcher and having some useless files for bait, I think it is a good idea but redundant nonetheless. :)
