Intrusion Prevention
The Kaspersky application helps to minimize the risk associated with using unknown applications (such as the risk of infection with viruses and other malware).
The Kaspersky application includes components and tools that allow checking an application's reputation and controlling its activities on your computer.
About Intrusion Prevention
Available only in Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium.
The Intrusion Prevention component prevents applications from performing actions that may be dangerous for the operating system, and controls access to operating system resources (including file resources located on remote computers) and your personal data.
Intrusion Prevention tracks actions performed in the operating system by applications installed on the computer and regulates them based on rules. These rules restrict suspicious activity of applications, including access by applications to protected resources, such as files and folders, registry keys, and network addresses.
On 64-bit operating systems, applications' rights for the following actions cannot be configured:
- Direct access to physical memory
- Managing printer driver
- Service creation
- Service reading
- Service editing
- Service reconfiguration
- Service management
- Service start
- Service removal
- Access to internal browser data
- Access to critical objects of the operating system
- Access to password storage
- Setting debug privileges
- Use of program interfaces of the operating system
- Use of program interfaces of the operating system (DNS)
- Use of program interfaces of other applications
- Change system modules (KnownDlls)
- Start drivers
On 64-bit Microsoft Windows 8 and Microsoft Windows 10, applications' rights for the following actions cannot be configured:
- Sending windows messages to other processes
- Suspicious operations
- Installation of keyloggers
- Interception of inbound stream events
- Making of screenshots
Applications' network activity is controlled by the Firewall component.
When an application is started on the computer for the first time, Intrusion Prevention checks the safety of the application and assigns it to a group (Trusted, Untrusted, High Restricted, or Low Restricted). The group defines the rules that Kaspersky applies for controlling the activity of the application.
The Kaspersky application assigns applications to trust groups (Trusted, Untrusted, High Restricted, or Low Restricted) only if at least one of the Intrusion Prevention and Firewall components is enabled. If both components are disabled, applications are not assigned to trust groups.
You can edit application control rules manually.
The rules you create for applications are inherited by child applications. For example, if you deny all network activity for cmd.exe, that activity will also be denied for notepad.exe when it is started using cmd.exe. When an application is not a child of the application it runs from, rules are not inherited.
How to change Intrusion Prevention settings
Available only in Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium.
To change Intrusion Prevention settings:
- Open the main application window.
- Click the icon in the lower part of the main window.
The Settings window opens.
- Select the Security settings section.
- Select the Intrusion Prevention component.
- In the Intrusion Prevention settings window, click the Manage applications link to open the Manage applications window.
- Select the application you need in the list and double-click its name to open the Application rules window.
- To configure the rules for access by an application to operating system resources:
  - On the Files and system registry tab, select the relevant resource category.
  - Click the icon in the column with an available action for the resource (Read, Write, Delete, or Create) to open the menu. In the menu, select the relevant item (Inherit, Allow, Select action automatically, or Block).
- To configure the rights of an application to perform various actions in the operating system:
  - On the Rights tab, select the relevant category of rights.
  - In the Action column, click the icon to open the menu and select the relevant item (Inherit, Allow, Select action automatically, or Block).
- To configure the rights of an application to perform various actions on the network:
  - On the Network rules tab, click the Add button.
    The Network rule window opens.
  - In the window that opens, specify the required rule settings and click Save.
  - Assign a priority to the new rule. To do so, select the rule and move it up or down the list.
- To exclude certain application actions from the scan, on the Exclusions tab, select the check boxes for actions that you do not want to be controlled.
- Click the Save button.
All exclusions created in the Intrusion Prevention rules are accessible in the Kaspersky application settings window, in the Threats and Exclusions section.
Intrusion Prevention monitors and restricts the actions of the application in accordance with the specified settings.
Checking application reputation
Kaspersky allows you to verify the reputation of applications with users all over the world. The reputation of an application comprises the following criteria:
- Name of the vendor
- Information about the digital signature (if the application is digitally signed)
- Information about the group to which the application has been assigned by Intrusion Prevention or by most users of Kaspersky Security Network
- Number of users of Kaspersky Security Network who use the application (available if the application has been included in the Trusted group in the Kaspersky Security Network database)
- Time at which the application became known to Kaspersky Security Network
- Countries in which the application is the most widespread
Checking of application reputation is available if you have agreed to participate in Kaspersky Security Network.
To learn the reputation of an application:
Open the context menu of the application’s executable file and select Check reputation in KSN.
This opens a window with information about the reputation of the application in Kaspersky Security Network.
About protecting an audio stream coming from sound recording devices
Available only in Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium.
Intruders may attempt to receive the audio stream from sound recording devices by means of special software. Sound recording devices are microphones that are connected to or built into the computer and capable of transmitting an audio stream through the sound card interface (input signal). The Kaspersky application monitors which applications receive an audio stream from sound recording devices and protects the audio stream from unauthorized interception.
By default, applications from the Untrusted and High Restricted trust groups are not allowed to receive the audio signal coming from sound recording devices connected to the computer. You can manually allow applications to receive the audio stream from sound recording devices.
If an application from the Low Restricted trust group is requesting access to a sound recording device, Kaspersky displays a notification and prompts you to choose whether or not to allow this application to receive the audio stream from a sound recording device. If the Kaspersky application is unable to display this notification (for example, when the graphical interface of the Kaspersky application has not yet loaded), the application from the Low Restricted trust group is allowed to receive the audio stream from a sound recording device.
All applications in the Trusted group are allowed to receive an audio stream from sound recording devices by default.
Audio stream protection has the following special features:
- The Intrusion Prevention component has to be enabled for this functionality to work.
- After the settings of application access to sound recording devices have been changed (for example, the application has been prohibited from receiving the audio stream in the Intrusion Prevention settings window), this application has to be restarted to stop it from receiving the audio stream.
- Control of access to the audio stream from sound recording devices does not depend on an application's webcam access settings.
- The Kaspersky application protects access to built-in microphones and external microphones only. Other audio streaming devices are not supported.
- The Kaspersky application allows an application to receive an audio stream and does not show any notifications if the application began to receive the audio stream before the Kaspersky application was started, or if you placed the application into the Untrusted or High Restricted group after the application began to receive the audio stream.
The Kaspersky application does not guarantee protection of the audio stream from such devices as DSLR cameras, camcorders, and action cameras.
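The access rules described in this section, combined into one decision function so that the paths granting the stream without an explicit rule or user answer can be listed. This is an added example, not Kaspersky code: the App record, the function names, the reason labels and the order in which the conditions are checked are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Defaults per trust group, as stated on this page.
GROUP_DEFAULT = {"Trusted": "allow", "Low Restricted": "prompt",
                 "High Restricted": "block", "Untrusted": "block"}

# Reasons for which a stream is allowed although no rule, Trusted default or user allowed it.
FAIL_OPEN = {"component-disabled", "stream-predates-control", "prompt-unavailable"}

@dataclass
class App:  # hypothetical record for this example, not a Kaspersky data structure
    name: str
    group: str
    manual_rule: Optional[str] = None      # "allow" or "block" chosen on the Rights tab
    # True if the stream was opened before Kaspersky started or before the group/rule change.
    stream_predates_control: bool = False

def audio_decision(app, component_enabled=True, gui_ready=True, user_choice=None):
    """Return (outcome, reason) for one application's access to the microphone stream."""
    if not component_enabled:
        return "allow", "component-disabled"       # feature needs Intrusion Prevention
    if app.stream_predates_control:
        return "allow", "stream-predates-control"  # holds until the application restarts
    if app.manual_rule in ("allow", "block"):
        return app.manual_rule, "manual-rule"
    default = GROUP_DEFAULT[app.group]
    if default != "prompt":
        return default, "group-default"
    if not gui_ready:
        return "allow", "prompt-unavailable"       # Low Restricted, notification not shown
    if user_choice is None:
        return "prompt", "awaiting-user"
    return user_choice, "user-choice"

def fail_open_apps(apps, **state):
    """Names of applications that receive audio through one of the FAIL_OPEN paths."""
    decisions = ((a.name, audio_decision(a, **state)) for a in apps)
    return [n for n, (out, why) in decisions if out == "allow" and why in FAIL_OPEN]

# Constructed sample inventory (application names are made up).
SAMPLE = [
    App("editor.exe", "Trusted"),
    App("chat.exe", "Low Restricted"),
    App("tool.exe", "Untrusted"),
    App("recorder.exe", "High Restricted", stream_predates_control=True),
    App("voip.exe", "Untrusted", manual_rule="allow"),
]
```

Calling fail_open_apps(SAMPLE, gui_ready=False) models the state before the graphical interface has loaded and returns the applications that hold the stream without any rule or user answer having granted it.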
How to change audio stream protection settings
Available only in Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium.
To change audio stream protection settings:
- Open the main application window.
- Go to the Security section.
- Select the Intrusion Prevention component.
- Click the Manage applications link to open the Manage applications window.
- In the list, select the application for which you want to allow access to sound recording devices. Double-click the application to open the Application rules window.
- In the Application rules window, go to the Rights tab.
- In the list of rights categories, select Operating system modification → Suspicious modifications in the operating system → Access sound recording devices.
- In the Action column, click the icon and select one of the menu items:
  - To allow the application to receive the audio stream, select Allow.
  - To deny the application access to the audio stream, select Block.
- To receive notifications about instances of applications being allowed or denied access to the audio stream, in the Action column, click the icon and select Log events.
- Click the Save button.