How do Application Control and HIPS work?

[Studynx]

I tried to dig up info but I could only find info related to KES, not KTS

 

So basically there's Trusted, Restricted and Unknown. Trusted are apps with verified signature and OS processes, Restricted are malware, and Unknown are files without a signature if I understand correctly.

 

So say I download an .exe from the middle of nowhere, no signature. Isn't a malware but still not signed or signed in a verified way. It's going to be put in the Unknown category. In that case, what permissions is it going to be given? Say I have a NAS and I am the admin on it with read/right privileges to everything. Will, for example, this file be able to read or write to those files on the network shares? And so on

And will the .exe be able to run powershell, python etc scripts on my systems if it's Unknown? 

 

Edited December 26, 2023 by Studynx

[harlan4096]

Welcome to Kaspersky Community.

 

KES and KTS HIPS / Application Control / new name Intrusion Prevention module, works in a similar way.

 

Unknown apps are moved to Low Restricted group by default.

 

It's easy to check Low Restricted rights, just open Application Control / Intrusion Prevention -> Manage Applications, once open just right mouse click button over Low Restricted text -> Details and Rules.

 

You can check the default settings here for the assignment of the groups:

 

 

As You can see in the pic, I've hardened the default settings of my Kaspersky Premium, since I find default rules weak against unknown malware.

 

You can change the default rights and harden Low Restricted group rights, see an example here:

 

 

 

You can also implement a default-deny protection.

[Studynx]

16 minutes ago, harlan4096 said:

Welcome to Kaspersky Community.

 

KES and KTS HIPS / Application Control / new name Intrusion Prevention module, works in a similar way.

 

Unknown apps are moved to Low Restricted group by default.

 

It's easy to check Low Restricted rights, just open Application Control / Intrusion Prevention -> Manage Applications, once open just right mouse click button over Low Restricted text -> Details and Rules.

 

You can check the default settings here for the assignment of the groups:

 

 

As You can see in the pic, I've hardened the default settings of my Kaspersky Premium, since I find default rules weak against unknown malware.

 

You can change the default rights and harden Low Restricted group rights, see an example here:

 

 

 

You can also implement a default-deny protection.

I still don't quite get what rights Low Restricted programs have by default, based on the above screenshots, sorry.

[Studynx]

18 minutes ago, harlan4096 said:

Welcome to Kaspersky Community.

 

KES and KTS HIPS / Application Control / new name Intrusion Prevention module, works in a similar way.

 

Unknown apps are moved to Low Restricted group by default.

 

It's easy to check Low Restricted rights, just open Application Control / Intrusion Prevention -> Manage Applications, once open just right mouse click button over Low Restricted text -> Details and Rules.

 

You can check the default settings here for the assignment of the groups:

 

 

As You can see in the pic, I've hardened the default settings of my Kaspersky Premium, since I find default rules weak against unknown malware.

 

You can change the default rights and harden Low Restricted group rights, see an example here:

 

 

 

You can also implement a default-deny protection.

Okay I clicked on the other post of yours and now it's become a little clearer. However, I still don't know if, following my original example, if a given app is in the Low Restricted group, then by default, will it be able to read or write to (eg.: delete) folders on a network share? Since I'm logged into my NAS as the admin. Just an example I'm curious of.

[harlan4096]

Can't be posted all the rights here, but just go here:

 

 

And select Details and Rules, as shown...

[harlan4096]

Access to NetWork for Low Restricted groups apps are set to Prompt by default, I recall, but as by Default Kaspersky home products comes in Auto Mode, all prompts rights in this mode are ignored and are allowed, so to get the prompts, You have to setup the product to Interactive Mode:

 

 

Disabling that setting.

 

Or You just can set Deny if You want.

 

By Default the product comes in Auto Mode, to avoid issues with standard and newbies users, but this module (Intrusion Prevention) has huge possibilities to be tweaked and customized.

[Studynx]

49 minutes ago, harlan4096 said:

Access to NetWork for Low Restricted groups apps are set to Prompt by default, I recall, but as by Default Kaspersky home products comes in Auto Mode, all prompts rights in this mode are ignored and are allowed, so to get the prompts, You have to setup the product to Interactive Mode:

 

 

Disabling that setting.

 

Or You just can set Deny if You want.

 

By Default the product comes in Auto Mode, to avoid issues with standard and newbies users, but this module (Intrusion Prevention) has huge possibilities to be tweaked and customized.

Can't find the Interactive Mode setting

[harlan4096]

Go to Settings ->  Security Settings -> Exclusions and actions on object detection -> Disable: Perform Recommended action automatically.

[Studynx]

3 hours ago, harlan4096 said:

Go to Settings ->  Security Settings -> Exclusions and actions on object detection -> Disable: Perform Recommended action automatically.

Might be a weird question but how secure is the default config of the application control module / firewall of the KTS ? Since you recommend altering it

I remember reading other mods' threads / guides specifically recommending NOT to tinker with the default config settings.

[harlan4096]

It's enough secure for standard users in general... but still may fail against some unknown malware/ransomware, as in fact it sometimes happens...

 

On the other hand, these hardening tweaks may block legit apps if They are still unknown to KSN (K. cloud) and/or not digitally signed properly, but You may always move manually to Trusted group.