How do Application Control and HIPS work?


Posted (edited)

I tried to dig up info but I could only find info related to KES, not KTS.

So basically there's Trusted, Restricted and Unknown. Trusted are apps with a verified signature and OS processes, Restricted are malware, and Unknown are files without a signature, if I understand correctly.

So say I download an .exe from the middle of nowhere, no signature. It isn't malware, but it's still not signed, or not signed in a verified way. It's going to be put in the Unknown category. In that case, what permissions is it going to be given? Say I have a NAS and I am the admin on it with read/write privileges to everything. Will, for example, this file be able to read or write to those files on the network shares? And so on.

And will the .exe be able to run PowerShell, Python, etc. scripts on my systems if it's Unknown?

Edited by Studynx
Posted

Welcome to Kaspersky Community.

The KES and KTS HIPS / Application Control module (new name: Intrusion Prevention) works in a similar way in both.

Unknown apps are moved to the Low Restricted group by default.

It's easy to check the Low Restricted rights: just open Application Control / Intrusion Prevention -> Manage Applications, and once it's open, right-click the Low Restricted text -> Details and Rules.

You can check the default settings here for the assignment of the groups:

[Screenshot]

As you can see in the pic, I've hardened the default settings of my Kaspersky Premium, since I find the default rules weak against unknown malware.

You can change the default rights and harden the Low Restricted group rights, see an example here:

You can also implement a default-deny protection.

Posted
I still don't quite get what rights Low Restricted programs have by default, based on the above screenshots, sorry.

Posted
Okay, I clicked on the other post of yours and now it's become a little clearer. However, I still don't know, following my original example: if a given app is in the Low Restricted group, then by default, will it be able to read or write to (e.g. delete) folders on a network share? Since I'm logged into my NAS as the admin. Just an example I'm curious about.

Posted

All the rights can't be posted here, but just go here:

[Screenshot]

And select Details and Rules, as shown...

Posted

Access to the network for Low Restricted group apps is set to Prompt by default, I recall, but since by default Kaspersky home products come in Auto Mode, all Prompt rights in this mode are ignored and are allowed, so to get the prompts, you have to set the product to Interactive Mode:

[Screenshot]

Disabling that setting.

Or you can just set Deny if you want.

By default the product comes in Auto Mode, to avoid issues for standard and newbie users, but this module (Intrusion Prevention) has huge possibilities to be tweaked and customized.

Posted
Can't find the Interactive Mode setting.

Posted

Go to Settings -> Security Settings -> Exclusions and actions on object detection -> Disable: Perform Recommended action automatically.

Posted
3 hours ago, harlan4096 said:

Go to Settings -> Security Settings -> Exclusions and actions on object detection -> Disable: Perform Recommended action automatically.

Might be a weird question, but how secure is the default config of the application control module / firewall of KTS? Since you recommend altering it.

I remember reading other mods' threads / guides specifically recommending NOT to tinker with the default config settings.

Posted

It's secure enough for standard users in general... but it still may fail against some unknown malware/ransomware, as in fact sometimes happens...

On the other hand, these hardening tweaks may block legit apps if they are still unknown to KSN (K. cloud) and/or not digitally signed properly, but you can always move them manually to the Trusted group.
