System Watcher does not stop ransomware that is manually placed in Trusted Group.


Hi, guys. How are you today?

I’ll go strictly to the point: I was testing old ransomware samples (Locky and Shade) on a VM with Kaspersky just to see how the ransomware behaves under some configurations, and I believe I may have found a problem: if you manually put the malicious file in the Trusted group, System Watcher does absolutely nothing and the program gets executed. This does NOT happen if you turn off Application Control or put the executable in another group (LR, HR).

Here is what happened:

  1. Since they were old variants, I’ve disabled File-AV
  2. I’ve executed the program and it was moved to the Untrusted group (correct) and then it was deleted (also correct)
  3. I’ve extracted the file again and moved it to the Trusted group
  4. After that, the program was successfully executed and all files were encrypted (not a word from System Watcher)

If you do the test disabling App Control instead of moving the file to Trusted, System Watcher stops it.

According to this test, it sounded to me like System Watcher does not observe programs that are in the Trusted group. If that is the case, we may have a serious problem. An unknown malware with a valid certificate may go to the Trusted group and do whatever it wants.

I’ve sent this information to official support. Do you guys know anything about it?

Thanks


Hello @RiderExpert

Welcome!

  • Please post the incident request number that you will have received when you logged the case with Kaspersky Technical Support.

Thank you🙏

Flood🐳 +🐋

 

The code is: INC000011956569. I’ve posted in Brazilian Portuguese. 

 

Edit: I believe that this problem goes beyond ransomware. I think it is a problem for all malware.


I got the answer from the Kaspersky team and it scared me. I’ll translate the answer. If possible, I’d like some Kaspersky employee to take a look at this:

 

“Hi,

Good afternoon, thank you for contacting Kaspersky Technical Support.

We understand your concern about the functionality of Kaspersky in relation to malware, but when any type of file is inserted in the applications Trusted group, Kaspersky does not actually scan/observe this file anymore. This is not a vulnerability; it is an option that Kaspersky leaves for when the client does not want Kaspersky to check such a file, and so it is up to the client to decide whether the file is vulnerable or not. These are more advanced options that should be handled with caution.
We always advise the client to put a program in trust when Kaspersky blocks it, but we warn you that this is palliative and is not an adequate option to be left for a long time, because when Kaspersky blocks something, we do analyses with the experts so we can verify why Kaspersky is blocking such a file until the problem is resolved.”

 

I replied to them saying that this is against every white paper I’ve read and that the files that Kaspersky should not check are the ones in the exclusion list. I’ve also sent part of some white papers that explain the “Security Corridor” Kaspersky has and told them other things related to vulnerable applications that may be in the Trusted group or malicious programs that are able to get a valid digital signature.

 

Edit: based on Kaspersky’s official answer, disabling App Control or not having it (Kaspersky Security Cloud Free, for example) would make System Watcher more effective (since there is no Trusted group, so it would check any app).

 

What do you guys think about this?


2 weeks later...

Update: After a talk with the local support, they sent the case to specialists in Moscow. 

According to Kaspersky Lab’s specialists, if the program is in the Trusted group, System Watcher does not consider file operations (read, write, create, delete) to be dangerous (since programs that are in that group are trusted programs and may do that legitimately).

On the Trusted group, SW monitors only critical events like process starts, thread starts, write on remote process, etc.

Also, when Application Control is turned off, SW follows KSN rules, so the program was not considered as Trusted. Hence, its file operations were intercepted and blocked.

 

With that being said, I believe that is the reason SW didn't block the file.

Hi

You understand this stuff a lot more than I do, but isn't the answer to just not put things into the Trusted group manually and leave it up to the Kaspersky application to decide?

S

The problem here was a possible vulnerability in the product, not the infection itself. No one would ever put an untrusted file in the Trusted group (I hope so).

What if a malicious program has a valid digital signature and because of that, it is placed in the Trusted group? Does it mean SW wouldn’t check its activities? 

The main question was: does System Watcher really monitor apps in the Trusted group? According to my test, I thought it didn't, but as it turns out, it does. We’re just discussing and learning about the product.

This discussion may help people tune their configuration (as it did for me). 

 

Will the Kaspersky app put an item in the Trusted group just because it has a valid digital signature, or does it consider the app's behaviour as well, such as examined by the so-called heuristic analyses? Hopefully, if the program behaved in a suspicious way, regardless of a valid signature, it would not get put in the Trusted group.

Heuristic analyses will always check the file. The decision on which trust group the app should be placed in starts after the product has considered the file to be safe. The behavior analysis continues to be executed regardless of which trust group was assigned to the item. But, if the assigned group was the “Trusted” group, non-critical tasks, like some file operations, are not considered to be malicious.

In the settings, “Trust digitally signed applications” is checked by default. If this is checked, the product may put a digitally signed item in Trusted. But according to Kaspersky experts, this decision takes other things into account.

Even though the probability of this occurring is extremely low, I’d recommend unchecking this option.

Fortunately, I always do uncheck that box. Cheers. 👍


Hello,

This attack only happens with a white (trusted) application EXE + a black (malware) DLL file. Unfortunately, KIS/KTS doesn't have a DLL loader controller.

So before you run the program, pay attention not only to whether the main program file has a digital signature, but also to the digital signature of its DLLs, which also needs to be verified in advance.

So if you trust a program, whether you also trust the DLLs it loads is a question.

In Kaspersky Enterprise Edition, the answer is no. There is DLL loading control in the enterprise version.

Regards.
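The last post's point, that trusting an EXE says nothing about the DLLs sitting next to it, can be checked before a program is placed in the Trusted group. The PowerShell function below is an added example, not code from this thread or from Kaspersky; it assumes the application loads DLLs from its own install directory (DLLs resolved from System32 or PATH are not covered), and the path in the usage comment is a placeholder.

```powershell
# Added example: report DLLs beside a signed EXE whose Authenticode signature
# is missing, invalid, or issued to a different signer than the EXE itself.
# Assumption: the app loads its DLLs from its install directory tree only.
function Test-DllTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExePath
    )

    $exe = Get-Item -LiteralPath $ExePath
    $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
    if ($exeSig.Status -ne 'Valid') {
        Write-Warning "$($exe.Name): EXE signature status is $($exeSig.Status); nothing to compare against."
        return
    }
    $exeSigner = $exeSig.SignerCertificate.Subject
    Write-Verbose "EXE signer: $exeSigner"

    # Every DLL in the EXE's directory tree is a candidate for side-loading.
    Get-ChildItem -LiteralPath $exe.DirectoryName -Filter '*.dll' -Recurse -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            # DIFFERENT_SIGNER is not automatically bad (runtime libraries are often
            # signed by another vendor); it marks what to review, not what to block.
            $verdict = if ($sig.Status -ne 'Valid') { 'UNSIGNED_OR_INVALID' }
                       elseif ($signer -ne $exeSigner) { 'DIFFERENT_SIGNER' }
                       else { 'OK' }

            [pscustomobject]@{
                Dll     = $_.FullName
                Status  = $sig.Status
                Signer  = $signer
                Verdict = $verdict
            }
        }
}

# Usage (placeholder path): list only the DLLs that deserve a second look
# before the EXE is moved to the Trusted group.
# Test-DllTrust -ExePath 'C:\Program Files\ExampleApp\app.exe' |
#     Where-Object Verdict -ne 'OK' | Format-Table -AutoSize
```

This is a static approximation: it checks the DLLs present on disk, not what the process actually loads at runtime, which is what a DLL loading control in the product would cover.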
