Cannot get application to be Trusted

[Lee Ogley]

We have an softphone application (C:\Program Files (x86)\SoftPhone\SoftPhone.exe) that is getting blocked by Kaspersky.  We are currently using Kaspersky Security Centre 12 and Endpoint 11.06.

 

If I kill Endpoint on a PC, the softphone works fine.  With Endpoint running we can’t make calls.  Looking at the Endpoint Reports, under Host Intrusion Prevention it shows it being blocked with event ‘Application is not allowed to receive audio stream’, lower down shows the application has been added to the restricted group.

 

Within Security Centre I’ve gone to [Policy\General Settings\Exclusions\] and added the application to the ‘Scan exclusions and trusted Applications’ section.  After force synchronisation with Policy no change and still not working.  

 

I then, within SC went into [Policy\Advanced Threat Protection\Host Intrusion Prevention], here within the Protected Resource tab, I clicked the [Exclusions]  button and added the app here.  After Policy Synchronisation, we still have the same issue.

 

I’m at a loss of what to try next. I did try the ‘Add Application(s) to Trust Group’ within the Application Rights tab, but whatever I put in there I can’t get it to list anything.

 

Would really appreciate any help

 

Thanks

 

Lee.

[ak01]

Have you added it to the 2nd tab(trusted applications)?

You can also do a manual recategorization in host intrustion module.

From my experience, it could also be that the process which does the work/gets blocked is different from what gets started.

[Lee Ogley]

Yes added to the 2nd tab (Policy\General Settings\Exclusions\Trusted Zone\Trusted Applications).

 

The application SoftPhone.exe is very small and self contained. Within Task Manager and also Kaspersky Report bit show the actual executable name (softphone.exe)

Thanks

 

Lee

[Cesare]

Hi, well...if that app works as soon as you’ve killed KES this means that it shouldn’t be a driver issue. If it’s not a driver issue than you should investigate at realtime protection level (one or more KES modules are interfering...)...and you highlighted that HIPS module might be our guilty. Usually it’s enough to exclude that\those executable file\s from being scanned at “trusted processes\applications” level...are you sure you’ve ticked all the exclusions checkboxes and closed all the black locks?

Are you sure that this application is based on that softphone.exe file only? Could you please check locally (on KES local GUI, i mean), “More Tools>Application activity monitor, if there are other processes referring to the same vendor?

Cesare

[Lee Ogley]

Think everything is setup correctly.  Application monitor just shows the one application.  It is quiet a small application and self contained.  Screen shots below :

 

 

 

 

[Cesare]

First of all “trusted applications” tab is dedicated to EXE files only, therefore folders or other file types cannot be excluded here: you have to do it within “Scan exclusions” tab\area.
Are you managing KES locally or even via KSC console?

[ak01]

Could you please add the application also under “Application rights” (mark as trusted, last screenshot above).

How does the HIPS message/report in KES (local gui) look like?

[Lee Ogley]

I wasn’t too sure about that, so in the Trusted Applications tab I have two entries. One for the folder and a second one for the executable.

 

I’m doing all this within KSC, and then clicking Force Synchronisation on a test machine where I’m trying to test the Softphone, so it picks up the new updated Policy.

[Lee Ogley]

I’ve tried that, but whatever I put in the Application (by Mask) field, nothing appears in the list when clicking [Refresh].  Tried softphone.exe, *softphone*, *, explorer*…..nothing appears

 

 

[ak01]

You should look for the same application name as the Report messages states (this is sometimes not the exe). Maybe the application reporting is disabled as well….

[Lee Ogley]

The reporting is showing the exact .exe that I should have unblocked as shown the in the previous screenshots:-

 

Appreciate all the help, as you can imagine this is very frustrating.

 

Thanks

 

Lee.

[ak01]

when you look at the properties of a computer object, do you see “executable files”?

 

Could you please post the whole message above?

[Lee Ogley]

No, the executable files is empty.  Have tried a couple of wildcards such as ‘*’,  but nothing lists. Other properties such as Application Registry and Hardware Registry ARE populated.

 

Not sure what you mean by ‘Could you please post the whole message above?’

 

Screen of Application section below:-

 

 

[SIR]

Hi @Lee Ogley 

We are experiencing the same microphone sound issue in our organization with various videocalling apps (such as Zoom or Skype) with KES 11.6.0

We noticed that only the outgoing human voice is blocked (= microphone) but the incomming sounds works fine (=headphones).

We tried to manually add the “.exe” in the trusted applications area within the “Host Intrusion Prevention” module, but didn’t solve the issue.

 

We have openend a ticket regarding this case at Kaspersky Business Support and are waiting for their answer (Ticket n° INC000012735950).

 

For now you can do 2 things to bypass this issue:

• Disable the “Host Intrusion Prevention” Module (which lower the security)
• Stop the “Host Intrustion Prevention” module  temporarly locally on the machine, launch the videocall app, and then restart the “Host Intrustion Prevention” module. It will allow the voice but just until the next OS reboot…

I’ll let you know when i got an answer from Kaspersky Support’ Team.

 

Cheers,

[Lee Ogley]

Thanks

[ak01]

I think that’s why the HIPS windows does not show applications.

 

You should activate (sorry, I just have it in german):

 

 

[SIR]

Hello @Lee Ogley 

We have noticed that today our microphone access was back at working normally with all our videoconference softwares.

We at not sure yet if Kaspersky has releasted an update within Kaspersky Updates or through KSN to correct this issue. We are waiting for their answer.

May i ask you to try again your software with the microphone to see if it is working ?

Be sure of the following to run the tests:

• Host Intrustion Prevention module is activated on the desktop you will test your mic.
• Latest Kaspersky databases downloaded on your Kaspersky Security Center.
• The desktop  has it’s Kaspersky databases up-to-date (today’s date)
• The executable file is in “trusted” category or has a granted access to audio capturing devices

Thank you ! I will send you more infos when i got the answer from Kaspersky’ Business Support.

Best regards,

[Lee Ogley]

Thanks for the update.  Have just tested the application again, and it’s all working now.  Not changed anything our side, so it must be an update or something Kaspersky have done.

 

Again thanks.

[SIR]

Hello @Lee Ogley 

Sadly the issue reappeared today (7th of May) on our machines… we got our microphone access blocked again. 

The symptoms and behavior is the same as last time. We have re-openend the case at Kaspersky’s B2B Support...

Please let me know if it is the same situation for you.

Thanks !

Best regards,

[SIR]

Hello,

Our problem has been solved by the Kaspersky’Support. We have some tools installed on our desktops and some processes of these tools are called when we launch Skype for example.

Some of the .EXE’s of these tools were not identified (or known) by KSN (Kaspersky Security Network), so there were added in the “Low Restricted” category.

Therefore, it blocked access to all audio capturing devices.

Kaspersky added the files in their KSN databases and everything is working correctly now.

Best regards,