Jump to content

Application Firewall question


Studynx

Recommended Posts

Studynx

I'm having issues understanding Low Restricted, High Restricted and Untrusted applications. 

 

Let's say I have a NAS, I'm logged into a NAS user - on Windows - that has read-write access to a share. Let's say this unknown and not validly signed .exe is malware. Let's say it was put in one of those aforementioned categories by Kaspersky. Will it be able to use my NAS user account to write or delete stuff on my share? 

 

I don't know if this question makes sense but I tried my best to word it in such a way that it would

Link to comment
Share on other sites

Schulte

Hello @Studynx,

I'm not quite sure whether I have fully understood your question. Let me try an explanation:

If the KTS on your computer has assigned a program to a certain category, this applies to all users who work on or with your computer. To prevent a change, you can protect the settings with a password. Then they can only be changed by you.

The program in question cannot run on the NAS itself, it must always be started from a client. Your computer would prevent this, regardless of the user account.
Of course, the situation is different if the NAS and the program in question are accessed from another computer without Kaspersky or with different settings. Your settings are not available for this computer and will not be applied.

If access is only from your computer, the restrictions will be applied by your KTS in any case.

  • Like 2
Link to comment
Share on other sites

Studynx
14 minutes ago, Schulte said:

Hello @Studynx,

I'm not quite sure whether I have fully understood your question. Let me try an explanation:

If the KTS on your computer has assigned a program to a certain category, this applies to all users who work on or with your computer. To prevent a change, you can protect the settings with a password. Then they can only be changed by you.

The program in question cannot run on the NAS itself, it must always be started from a client. Your computer would prevent this, regardless of the user account.
Of course, the situation is different if the NAS and the program in question are accessed from another computer without Kaspersky or with different settings. Your settings are not available for this computer and will not be applied.

If access is only from your computer, the restrictions will be applied by your KTS in any case.

Maybe I worded my question wrongly

 

Let's say the .exe is indeed malware, like a RAT or something, and it's put automatically in Low Restricted by KTS. 

I have logged into my NAS on my Windows PC as the admin (of the NAS). I have read-write, full access to all the shares of the NAS via File Explorer - SMB.

Can the malware (which in this case is in the Low Restricted group) modify the files on my NAS shares via SMB (File Explorer) if it's in the Low Restricted group? High Restricted and Untrusted groups, I understand their privileges or lack thereof. But I struggle to understand what an application in the Low Restricted group can do on the LAN, in this case on my NAS specifically when I'm logged into my NAS admin account on my Windows PC.

  • Like 1
Link to comment
Share on other sites

Schulte

Hello @Studynx,

thanks for the in-depth explanation. So second try:

With the default rules, a program from the 'Untrusted' group is not even allowed to start.
You can check the rules in 'Manage applications' by right-clicking on a specific group ('Details and rules').

Spoiler

image.thumb.png.6931c9b789d47000b7f8cff2b86cf366.png


In the rules for networks, you can check whether access to the local (or trusted) network is permitted for programs in this group. If the program has access to the network, it can do anything on the share that its user rights allow. Of course, the actions are monitored by Kaspersky as on a local disk.

Spoiler

image.thumb.png.87556447c56ec06c04ba6252757e9f9c.png

I hope this brings me closer to the right answer...

  • Like 2
Link to comment
Share on other sites

Studynx
5 hours ago, Schulte said:

Hello @Studynx,

thanks for the in-depth explanation. So second try:

With the default rules, a program from the 'Untrusted' group is not even allowed to start.
You can check the rules in 'Manage applications' by right-clicking on a specific group ('Details and rules').

  Reveal hidden contents

image.thumb.png.6931c9b789d47000b7f8cff2b86cf366.png


In the rules for networks, you can check whether access to the local (or trusted) network is permitted for programs in this group. If the program has access to the network, it can do anything on the share that its user rights allow. Of course, the actions are monitored by Kaspersky as on a local disk.

  Reveal hidden contents

image.thumb.png.87556447c56ec06c04ba6252757e9f9c.png

I hope this brings me closer to the right answer...

What's a Trusted Network? I know LAN and Public Network but what's this Trusted Network mean?


Also, I kinda understand the "Ask User" part, but I've never actually seen this happen even with questionable .exe's or programs running on my PCs. Is this literally a UAC prompt, like "Questionable EXE is trying to write to your network, do you want to allow it?" or is this imagination wrong? Because I've never had this happen to me and there's like 10 programs in the Low Restricted group currently, and the App Firewall is always on default, I've never changed its rules nor am I going tyo

Link to comment
Share on other sites

Schulte

A query is only made in interactive mode. In the recommended automatic mode, KTS makes the decision itself.

The interactive mode allows the user to exert more influence, but this can have disastrous consequences if the wrong decisions are made.

  • Like 1
Link to comment
Share on other sites

Studynx
3 minutes ago, Schulte said:

A query is only made in interactive mode. In the recommended automatic mode, KTS makes the decision itself.

The interactive mode allows the user to exert more influence, but this can have disastrous consequences if the wrong decisions are made.

So instead of "Ask User", Kaspersky will decide based on the behavior of the program, exe file?

Link to comment
Share on other sites

Schulte

The decision is made in several stages.

When a program is started on your computer for the first time, it is assigned to one of the groups. According to KSN, reputation plays a role here, but also the digital signature and others.

Unknown programs are first started in a sandbox and checked for their startup behavior; KSN may also be consulted. Classification as 'trustworthy' is initially ruled out.
For permission to connect to the network, mainly the (aforementioned) assignment to a group is used, whereby there are further rules that are loaded with the database updates.

To summarize:
 

Quote

Perform recommended actions automatically

If the check box is cleared, main components of Kaspersky application work in interactive mode. This means that Kaspersky application asks you to decide which action to take on detected objects and threats if the Ask user option is selected in the settings of File Anti-Virus, Safe Browsing, Mail Anti-Virus, System Watcher, and Intrusion Prevention.

If the check box is selected, Kaspersky application automatically chooses the action based on rules defined by Kaspersky experts.

https://support.kaspersky.com/help/Kaspersky/Win21.16/en-US/201385.htm

  • Like 2
Link to comment
Share on other sites

Studynx
On 4/10/2024 at 1:19 PM, Schulte said:

The decision is made in several stages.

When a program is started on your computer for the first time, it is assigned to one of the groups. According to KSN, reputation plays a role here, but also the digital signature and others.

Unknown programs are first started in a sandbox and checked for their startup behavior; KSN may also be consulted. Classification as 'trustworthy' is initially ruled out.
For permission to connect to the network, mainly the (aforementioned) assignment to a group is used, whereby there are further rules that are loaded with the database updates.

To summarize:
 

https://support.kaspersky.com/help/Kaspersky/Win21.16/en-US/201385.htm

Sounds really secure. Has anyone using KTS still ever been hacked? This "no config" antivirus really does sound impressive. I use it btw.

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...