
Cryptolocker replacement [Solved]


Hello,

 

This is great. The exported profile, however, doesn't appear to work for me. I'm wondering if perhaps it's for an older version of KSC. Any chance you could re-export for KSC 10.2?

 

You can get updated contents from this archive: http://go.kaspersky.com/rs/802-IJN-240/ima...yptomalware.zip

This includes a predefined category and a protection policy for the latest version of KSC and KES that you can import.

In this version I decided to give a policy instead of a policy profile.

The list of file extensions protected by App. privilege control has been extended.

A guide in french is also included but you can ignore it.

 

Policy profiles were introduced in KES SP1, which corresponded to KSC SP1, which is still in use now. It is more likely a KES version issue. Please specify what exactly does not work for you and how you are importing this file.

 

I found that a policy profile created within a policy designed for KES10 SP1 could not be imported into a policy designed for KES10 SP1 MR2; an error occurs.


 

Since policies themselves need to be explicitly converted in order to apply to a newer version, the same would go for profiles (which essentially contain a set of settings for a specific KES version). Please let us know if you consider this a bug (e.g. if the error is non-descriptive about the reason for its occurrence).

 

Thank you.


 

This makes sense.

I won't consider this a bug, but yes, the error could be more explicit:

[screenshot: post-1491-1460535636_thumb.png]

 

Thank you


 

Thank you for the information.


 

I wouldn't consider this a bug, but it would be nice to allow this type of activity...


Hmm, one more strange thing I noticed:

While adding the main KL application categories to the exclusions list seems to be enough in order to also have their subcategories excluded, this seems not to be true for

"Other Software\Applications, trusted according to reputation in KSN"

I tried installing the Kyocera printer driver and it was blocked like this:

 

Event type: Application startup prohibited

Object\File name: KDSInst.exe

Object\File version: 1.0.12.16

Object\Application name: KDSInst.exe

Object\File path: c:\windows\system32\spool\drivers\x64\3\kdsinst.exe

Object\Vendor: KYOCERA Document Solutions Inc.

Object\KL category: Other Software\Applications, trusted according to reputation in KSN

User: NT-AUTORITÄT\SYSTEM (Initiator)

Rule\Category: Block start of unknown applications from dangerous locations

Rule\Rule type: Not test

 

BTW, checking the "Trusted updaters" checkbox in the rule did not help. I had to manually add the "Other Software\Applications, trusted according to reputation in KSN" subcategory to exclusions list to make the driver installer work.

Edited by Anguel


 

Hello,

 

Please state the KES build.

Thank you.


KES version is 10.2.5.3201 (mr3)

 

And one more problem:

I want to exclude all *.bat files from being blocked, so I added a rule as seen in the screenshot but the *.bat are still blocked:

 

Event type: Application startup prohibited in test mode

Object\File path: c:\users\myuser.mydomain\desktop\test.bat

Object\KL category: Uncategorized

User: MYDOMAIN\MyUser (Initiator)

Rule\Category: Block start of unknown applications from dangerous locations

Rule\Rule type: Test

 

[screenshot: post-246284-1484223489_thumb.png]


Hi,

 

Unfortunately, this method won't work: if you click "Get data" and choose any batch file, you'll see only information about the hash sum (MD5, SHA-256). By the way, it is highly recommended not to allow running any batch files from any directory.

For example, you can allow running files from specific directories.

 

BR


 

Unfortunately, some legitimate software like Intel HD Graphics drivers drop their batch files in SYSTEM32 and run them on startup from there:

 

Event type: Application startup prohibited in test mode

Object\File path: c:\windows\system32\{a6d608f0-0bde-491a-97ae-5c4b05d86e01}.bat

Object\KL category: Uncategorized

User: DOMAIN\User (Initiator)

Rule\Category: Block start of unknown applications from dangerous locations

Rule\Rule type: Test

 

Therefore I need some option to exclude batch files from being blocked.

And unfortunately, Kaspersky does not categorize scripts in contrast to some other manufacturers.

Edited by Anguel


For now I have gone through "Add exclusion from executable files list" and there I can enter *.bat and see all known .bat files and then add them as separate exclusions with their hash.

Unfortunately, if some of these get changed in future driver versions, or if new .bat files are created, they will be blocked this way.

 

One more thing - it looks like updating the exclusions list in the application category does not reapply the policy to the clients for some reason. I had to go through the policy and reedit the application startup control rule which uses that application category in order to get it reapplied to the clients. Is this expected?

Edited by Anguel
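The workaround described in the post above (collect the blocked objects from the Application Startup Control events, then add the uncategorized ones as hash-based exclusions) can be scripted. The following is an added example and is not code from the thread or from Kaspersky: it parses the plain-text event layout pasted in this thread (one "Key: value" block per event), tells enforced blocks from test-mode ones, maps each blocked path to the kind of exclusion that would have let it run, and computes the MD5/SHA-256 pair that the hash exclusion needs. The event text is a constructed sample in the thread's format; the paths are hypothetical and need not exist on the host running the script.

```python
"""Triage KES Application Startup Control events and derive hash-based exclusions.

Added example, not part of the forum thread or of Kaspersky's tooling.
"""
import hashlib
import re
from collections import Counter

# Constructed sample in the layout the thread's posters pasted (blank line between events).
SAMPLE_EVENTS = r"""Event type: Application startup prohibited
Object\File name: KDSInst.exe
Object\File path: c:\windows\system32\spool\drivers\x64\3\kdsinst.exe
Object\Vendor: KYOCERA Document Solutions Inc.
Object\KL category: Other Software\Applications, trusted according to reputation in KSN
User: NT-AUTORITÄT\SYSTEM (Initiator)
Rule\Category: Block start of unknown applications from dangerous locations
Rule\Rule type: Not test

Event type: Application startup prohibited in test mode
Object\File path: c:\windows\system32\{a6d608f0-0bde-491a-97ae-5c4b05d86e01}.bat
Object\KL category: Uncategorized
User: DOMAIN\User (Initiator)
Rule\Category: Block start of unknown applications from dangerous locations
Rule\Rule type: Test

Event type: Application startup prohibited in test mode
Object\File path: c:\users\user.domain\appdata\local\temp\is-ab4af.tmp\_isetup\_setup64.tmp
Object\KL category: Uncategorized
User: DOMAIN\User (Initiator)
Rule\Category: Block start of unknown applications from dangerous locations
Rule\Rule type: Test
"""


def parse_events(text):
    """Split blank-line separated blocks of 'Key: value' lines into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def is_enforced(event):
    """True when the rule really blocked the start; False for 'Test' (report-only) rules."""
    return event.get("Rule\\Rule type", "").lower() != "test"


def extension_of(path):
    """Extension of a Windows path, independent of the OS running this script."""
    name = re.split(r"[\\/]", path)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def extension_counts(events):
    """How many blocked objects per extension: shows which file types the policy fights."""
    return Counter(extension_of(e["Object\\File path"]) for e in events)


def recommend(events):
    """Map each blocked path to the exclusion that would have let it run.

    A categorized object can be excluded by its exact KL subcategory (the thread
    found that excluding only the parent category is not enough). An
    'Uncategorized' object (scripts, installer temp files) can only be excluded by
    hash, which stops matching as soon as the file changes.
    """
    out = []
    for e in events:
        path = e["Object\\File path"]
        cat = e.get("Object\\KL category", "Uncategorized")
        if cat != "Uncategorized":
            action = f"exclude KL category: {cat}"
        else:
            action = "hash exclusion (MD5+SHA-256; breaks when the file changes)"
        out.append((path, action))
    return out


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def file_hashes(path):
    """Return {'md5': ..., 'sha256': ...} for a readable file, or None if it is absent."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": sha256_bytes(data)}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("blocked objects by extension:", dict(extension_counts(events)))
    for (path, action), event in zip(recommend(events), events):
        mode = "ENFORCED" if is_enforced(event) else "test-mode"
        print(f"[{mode}] {path}\n    -> {action}")
        if action.startswith("hash exclusion"):
            hashes = file_hashes(path)
            print("    hashes:", hashes if hashes else "file not present on this host")
```

Run it on the events exported from KSC for the test-mode rule before switching the rule to enforcing: everything that shows up as a hash exclusion is what will break on the next driver or installer update.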


Ok, but as you see in my posts above, I tried to add "*.bat" to filename but this did not work either.


Now I had to enter all KL sub-categories manually into the list; adding just the main category does not include the subcategories for some reason...

 

And still some auto-updaters fail like this in the further install process:

 

Event type: Application startup prohibited in test mode

Object\File path: c:\users\user.domain\appdata\local\temp\is-ab4af.tmp\_isetup\_setup64.tmp

Object\KL category: Uncategorized

User: DOMAIN\User (Initiator)

Rule\Category: Block start of unknown applications from dangerous locations

Rule\Rule type: Test

 

I am afraid I have to give up :-(


For me it looks like the "application startup control" feature is useless at this time.

Kaspersky should at least add some wildcard filters for the exclusions to be able to allow *.bat or *.tmp, which are used by many normal installers.

 

The problem is encountered by others too, e.g.:

https://forum.kaspersky.com/index.php?showtopic=359846

https://forum.kaspersky.com/index.php?showtopic=349128

 

I spent so much time on this :-(


 

Sorry, but nobody gave us feedback in either topic.

Thank you.
