While checking file permissions, I noticed that Kaspersky 6.0 for Windows Workstation gives "Everyone" full control over the files in its data folder:
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6

This includes the anti-virus bases, config files, report files, and an XML file named updcfg.xml that appears to contain the URLs for the servers that KAV gets its updates from. I'm running Kaspersky 6.0.2.678 on Windows XP with SP2. I have Kaspersky's Settings panel password-protected.

Even though Everyone has Full Control, in practice I was (thankfully) unable to modify or delete any of the files (although I was able to create new folders), so there appears to be some Kaspersky magic going on here. It still makes me uneasy to see "Everyone" and "Full Control" applied to such important files.

On one of our machines, I restricted the permissions for this folder as follows:

* Administrators - Full Control
* SYSTEM - Full Control
* Users - Read Only (i.e. Read & Execute and List Folder Contents)

In order for updates to still I run, I also had to configure Kaspersky's Update service to run as Administrator. Kaspersky's Settings has an option for this.

I have two questions about restricting the permissions on this folder to make them more restrictive:

1) Is there any harm in doing this?
2) Is there any point in doing this? (does it make my system any more secure?)


Thanks,
Brian

Hi Brian,

have you noticed that Kaspersky has a Selfdefense running in the background ?!

You don't have to change anything but for the autoupdate task i would recommend to use a special account with needed permissions because even a admin has to change his pw from time to time!


Never tested this - could you try?

I've been running with the more restrictive permissions for a few days and it seems to be working. I don't know if there's a scenario out there, though, that could eventually cause it to break. For example, the Quarantine directory is affected by the change in permissions -- will quarantining a virus still work? Base updates appear to be working -- will application module updates also work?

If someone from Kaspersky is reading this, I'd be interested in your thoughts.

As pointed out by defekt, while self defense is running no changes can be made by any user, even if Kaspersky is exited (klif.sys driver is protecting all of the KAV files), so I think the risk for modification of those files even without the restrictions are minimal

I thought of and verified a loophole. Anyone can change permissions on these files. This allows a malicious user or malware run by any user (even probably the Guest account) to disable Kaspersky entirely, which is probably what most malware writers would want to do. The following steps don't just disable Kaspersky but appear to trash it, requiring a reinstall to get Kaspersky working again.

Keep that in mind before you try them

Log in as any user, go to the "C:\Documents and Settings\All Users\Application Data\Kaspersky Lab" folder, right-click on the AVP6 subdirectory, and remove every user and every group from the Permissions -- make sure that no group nor user has any permission to do anything with the AVP6 folder and its children. Make sure that no permissions are being inherited from the parent.

Once you do this, updates no longer work. When you reboot. Kaspersky will no longer start. Kaspersky might fail sooner than a reboot -- I didn't play around with different scenarios.

A malicious script could even schedule itself to do this on Patch Tuesday, since the system often automatically reboots then, anyway, if you have Automatic Updates turned on.

I looked at one of my older machines, and it appears that Kaspersky 5.0 did not give "Everyone" Full Control over its data folder. Instead, its data folder ("KAV for Workstations") inherited much more restrictive permissions from:
C:\Documents and Settings\All Users\Application Data

It looks like this security hole was introduced with KAV 6.