
Application Firewall question



I'm having issues understanding Low Restricted, High Restricted and Untrusted applications. 

 

Let's say I have a NAS, I'm logged into a NAS user - on Windows - that has read-write access to a share. Let's say this unknown and not validly signed .exe is malware. Let's say it was put in one of those aforementioned categories by Kaspersky. Will it be able to use my NAS user account to write or delete stuff on my share? 

 

I don't know if this question makes sense but I tried my best to word it in such a way that it would


Hello @Studynx,

I'm not quite sure whether I have fully understood your question. Let me try an explanation:

If the KTS on your computer has assigned a program to a certain category, this applies to all users who work on or with your computer. To prevent a change, you can protect the settings with a password. Then they can only be changed by you.

The program in question cannot run on the NAS itself, it must always be started from a client. Your computer would prevent this, regardless of the user account.
Of course, the situation is different if the NAS and the program in question are accessed from another computer without Kaspersky or with different settings. Your settings are not available for this computer and will not be applied.

If access is only from your computer, the restrictions will be applied by your KTS in any case.



Maybe I worded my question wrongly

 

Let's say the .exe is indeed malware, like a RAT or something, and it's put automatically in Low Restricted by KTS. 

I have logged into my NAS on my Windows PC as the admin (of the NAS). I have read-write, full access to all the shares of the NAS via File Explorer - SMB.

Can the malware (which in this case is in the Low Restricted group) modify the files on my NAS shares via SMB (File Explorer) if it's in the Low Restricted group? High Restricted and Untrusted groups, I understand their privileges or lack thereof. But I struggle to understand what an application in the Low Restricted group can do on the LAN, in this case on my NAS specifically when I'm logged into my NAS admin account on my Windows PC.


Hello @Studynx,

thanks for the in-depth explanation. So second try:

With the default rules, a program from the 'Untrusted' group is not even allowed to start.
You can check the rules in 'Manage applications' by right-clicking on a specific group ('Details and rules').


In the rules for networks, you can check whether access to the local (or trusted) network is permitted for programs in this group. If the program has access to the network, it can do anything on the share that its user rights allow. Of course, the actions are monitored by Kaspersky as on a local disk.


I hope this brings me closer to the right answer...


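The answer above says a program with network access "can do anything on the share that its user rights allow"; the following is an added example (not part of the thread and not Kaspersky tooling) that uses the built-in Windows `Get-SmbConnection`, `Get-SmbMapping` and `cmdkey` commands to show which account those rights belong to. The privileged-name pattern, the `Get-ShareExposure` helper and the sample rows are assumptions made for illustration.

```powershell
# Added example: list the SMB sessions this Windows logon already holds.
# A process started by the same user reuses these sessions, so the account in
# 'Credential' decides what it may read, write or delete on the NAS share once
# the application group's network rule lets it reach the local network.

# Assumption: account names that should not be used for everyday share mapping.
$PrivilegedPattern = '\\(admin|administrator|root)$'

function Get-ShareExposure {
    param(
        # Objects shaped like Get-SmbConnection output
        [Parameter(Mandatory)] [object[]] $Connection,
        [string] $Pattern = $PrivilegedPattern
    )
    foreach ($c in $Connection) {
        [pscustomobject]@{
            Share       = "\\$($c.ServerName)\$($c.ShareName)"
            Credential  = $c.Credential
            OpenHandles = $c.NumOpens
            # True when the session was authenticated with an admin-like account
            Privileged  = [bool]($c.Credential -match $Pattern)
        }
    }
}

# Constructed sample rows, used only when no live SMB session exists.
$sample = @(
    [pscustomobject]@{ ServerName = 'nas'; ShareName = 'backup'; Credential = 'NAS\admin';     NumOpens = 3 }
    [pscustomobject]@{ ServerName = 'nas'; ShareName = 'media';  Credential = 'NAS\mediaread'; NumOpens = 1 }
)

$live = @(Get-SmbConnection -ErrorAction SilentlyContinue)
$rows = if ($live.Count -gt 0) { $live } else { $sample }
Get-ShareExposure -Connection $rows | Format-Table -AutoSize

# Mappings that are re-established at logon (drive letters, remembered paths).
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status

# Stored credentials Windows can present to the NAS without prompting.
cmdkey /list
```

A row with `Privileged = True` means every program in that logon session reaches the share with NAS admin rights; mapping the share with a limited NAS account narrows what any program on the PC can change there.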

What's a Trusted Network? I know LAN and Public Network but what's this Trusted Network mean?


Also, I kinda understand the "Ask User" part, but I've never actually seen this happen even with questionable .exe's or programs running on my PCs. Is this literally a UAC prompt, like "Questionable EXE is trying to write to your network, do you want to allow it?" or is this imagination wrong? Because I've never had this happen to me and there's like 10 programs in the Low Restricted group currently, and the App Firewall is always on default, I've never changed its rules nor am I going to


A query is only made in interactive mode. In the recommended automatic mode, KTS makes the decision itself.

The interactive mode allows the user to exert more influence, but this can have disastrous consequences if the wrong decisions are made.



So instead of "Ask User", Kaspersky will decide based on the behavior of the program, exe file?


The decision is made in several stages.

When a program is started on your computer for the first time, it is assigned to one of the groups. According to KSN, reputation plays a role here, but also the digital signature and others.

Unknown programs are first started in a sandbox and checked for their startup behavior; KSN may also be consulted. Classification as 'trustworthy' is initially ruled out.
For permission to connect to the network, mainly the (aforementioned) assignment to a group is used, whereby there are further rules that are loaded with the database updates.

To summarize:
 

Quote

Perform recommended actions automatically

If the check box is cleared, main components of Kaspersky application work in interactive mode. This means that Kaspersky application asks you to decide which action to take on detected objects and threats if the Ask user option is selected in the settings of File Anti-Virus, Safe Browsing, Mail Anti-Virus, System Watcher, and Intrusion Prevention.

If the check box is selected, Kaspersky application automatically chooses the action based on rules defined by Kaspersky experts.

https://support.kaspersky.com/help/Kaspersky/Win21.16/en-US/201385.htm



Sounds really secure. Has anyone using KTS still ever been hacked? This "no config" antivirus really does sound impressive. I use it btw.
