General information and working principles
System Security in Kaspersky Internet Security 2009 is a Host Intrusion Prevention System (HIPS) that combines the functionality of Proactive Defense and the Firewall. HIPS allows flexible control of access permissions to files and the system registry, to system rights and to networks of various types. As a result, Kaspersky Internet Security 2009 prompts the user less often: trusted applications are given full freedom, and untrusted applications are fully restricted.
Any HIPS is based on a table of rules. In the HIPS of Kaspersky Internet Security 2009 the table of rules is grouped by application.
HIPS monitors specific system events (for example, file creation or deletion). Each time such an event occurs, HIPS consults its table of rules and acts according to the rule found there: the action is allowed, it is blocked, or the user is prompted for a decision.
Remember: do not expect HIPS to perform actions it was not configured for. HIPS protects only the objects defined in its rules. For example, if you want to protect the system root directory from changes, you must create a corresponding rule; otherwise HIPS will not protect that area of the computer.
Group policy
Group policy in HIPS applies the same permissions to all applications in a group. By default, Kaspersky Internet Security 2009 defines four groups, and every application launched on the computer is placed into one of them:
- Trusted
- Low restricted
- High restricted
- Untrusted
Adequate permissions and restrictions are preset for each group. For example, Trusted applications are not restricted in their rights and abilities; Low restricted applications are denied actions that can be dangerous for the system; High restricted applications are allowed only actions that cannot do any harm; and Untrusted applications can perform practically no system actions.
Rules for applications
The main table of System Security lets you quickly define permissions of the same type for groups and for individual applications. The table consists of five columns: Applications, Operating system, Confidential data, Rights and Networks.
Rules in HIPS usually have three basic components: a subject (the application or group that triggers the event), an action (allow, deny or prompt for action) and an object (what the application or group is trying to access). The HIPS in Kaspersky Internet Security 2009 works on the same principle. Depending on the type of object, rules fall into three groups:
- Files and system registry
- System rights
- Networks
Objects of the first group are files and registry keys. Objects of the second group are system rights to perform particular actions (for example, to start or stop processes). Objects of the third group are network objects (IP addresses and groups of them, ports and directions).
Objects for rules of the first and third type can be created and edited on the Resources tab, where they are grouped for convenience. For example, the resource group Operating system includes the files and registry keys required for normal operation of Windows, and its subgroup Startup settings contains the full set of registry keys responsible for automatic start of system components. Malicious software writes itself into such startup keys in order to launch covertly at system start. You can also create your own resources and thus define application access rights to your own objects.
Some rules can be configured in finer detail: for example, permissions to read, write, delete and enumerate can be set separately for file and registry objects. This cannot be done from the main table; it requires the extended rule editor. To open it, highlight the application or group and click the Edit link. In the window that opens you can define permissions for each object; for example, the Rights section lists all system rights that Kaspersky Internet Security 2009 controls.
Remember that permissions defined for a group (for example, the Trusted group) are automatically applied to every application in that group. You can also give an individual application its own rights that differ from the group settings.
Rights inheritance
Rights are inherited in Kaspersky Internet Security 2009: when one application launches another, the restrictions of the first (parent) application are automatically inherited by the second (child). Without this mechanism an untrusted application could launch a trusted one and use its unlimited privileges to perform any activity on its behalf.
The mechanism also has a drawback. An allowing rule created for a particular action of an application may fail to trigger, because the application was launched by a more restricted parent process. In this case you can either grant the corresponding permission to the parent process, or, in the extended editor, clear the check box that transfers the rights of the parent process to the application.
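The rights table described above (group defaults, per-application overrides and inheritance of the parent's restrictions by a launched child) as an added illustrative model in Python. This is not the product's own code: the group presets, the right names, the "stricter verdict wins" composition rule and the process names are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    PROMPT = "prompt"
    BLOCK = "block"


# When a child's own verdict is combined with the one inherited from its
# parent, the stricter verdict wins (assumption: the page only says the
# parent's rights are transferred to the child).
STRICTNESS = {Verdict.ALLOW: 0, Verdict.PROMPT: 1, Verdict.BLOCK: 2}

# Constructed group defaults for two controlled rights, in the spirit of
# the four predefined groups; the real preset values are not on the page.
GROUP_RIGHTS = {
    "Trusted":         {"registry:write_startup": Verdict.ALLOW, "process:terminate": Verdict.ALLOW},
    "Low restricted":  {"registry:write_startup": Verdict.PROMPT, "process:terminate": Verdict.ALLOW},
    "High restricted": {"registry:write_startup": Verdict.BLOCK, "process:terminate": Verdict.PROMPT},
    "Untrusted":       {"registry:write_startup": Verdict.BLOCK, "process:terminate": Verdict.BLOCK},
}


@dataclass
class App:
    name: str
    group: str
    own_rights: dict = field(default_factory=dict)  # per-application overrides
    inherit_from_parent: bool = True                # the check box in the extended editor
    parent: App | None = None                       # the process that launched this one


def effective_verdict(app: App, right: str) -> Verdict:
    """Verdict for one right: own override beats the group default, then the
    result is tightened by the parent's verdict while inheritance is on."""
    verdict = app.own_rights.get(right) or GROUP_RIGHTS[app.group].get(right, Verdict.PROMPT)
    if app.inherit_from_parent and app.parent is not None:
        inherited = effective_verdict(app.parent, right)
        if STRICTNESS[inherited] > STRICTNESS[verdict]:
            verdict = inherited
    return verdict


def demo() -> dict[str, str]:
    right = "registry:write_startup"
    dropper = App("dropper.exe", "Untrusted")
    # A trusted shell launched by the untrusted dropper inherits the
    # dropper's restrictions, so the dropper cannot borrow its rights.
    shell = App("cmd.exe", "Trusted", parent=dropper)
    # The drawback from the text: an explicit allowing rule on the child
    # does not trigger while the parent is restricted...
    child_with_rule = App("updater.exe", "High restricted",
                          own_rights={right: Verdict.ALLOW}, parent=dropper)
    # ...and the two fixes: grant the parent, or clear the inheritance box.
    lenient_parent = App("installer.exe", "Untrusted", own_rights={right: Verdict.ALLOW})
    fixed_by_parent = App("updater.exe", "High restricted",
                          own_rights={right: Verdict.ALLOW}, parent=lenient_parent)
    fixed_by_box = App("updater.exe", "High restricted",
                       own_rights={right: Verdict.ALLOW}, parent=dropper,
                       inherit_from_parent=False)
    return {
        "cmd_standalone": effective_verdict(App("cmd.exe", "Trusted"), right).value,
        "cmd_from_dropper": effective_verdict(shell, right).value,
        "rule_ignored": effective_verdict(child_with_rule, right).value,
        "fixed_by_parent": effective_verdict(fixed_by_parent, right).value,
        "fixed_by_box": effective_verdict(fixed_by_box, right).value,
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} -> {verdict}")
```

Running the block shows the two sides of the mechanism: cmd.exe is allowed to write startup keys on its own but blocked when launched by dropper.exe, and the allowing rule on updater.exe only takes effect once the parent is granted the right or the inheritance box is cleared.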
Firewall
Firewall rules are now part of the HIPS table and have the same components as the other rules in it: subject, action, object.
The most common Firewall settings are in the Networks column of the System Security table. If you set the Allow action for all application groups, the Firewall works in the mode equivalent to Allow all in the previous versions of Kaspersky Internet Security (6.0 and 7.0). The Prompt for action verdict is equivalent to Training mode, and the Block action switches the Firewall into the Block all mode.
For example, you can set Prompt for action (training) for Low restricted and High restricted applications, Allow (any action) for Trusted applications and Block for Untrusted applications.
Rules for specific applications can be defined more precisely either in the Networks table of the extended rule editor or on the Network packets tab, which lists the packet rules defining the application's access to network resources.
In the list of packet rules for each application you will see three inactive rules, shown in grey, which cannot be edited. They reflect the permissions defined in the main System Security table (for example, if the Networks column of the main table holds the Prompt for action verdict for this application, the grey rules show Prompt for action as well). These rules have the lowest priority and trigger only if no higher-priority rule matches. On this tab they serve only as indicators.
Objects of packet rules come in several types, from the most general to the most specific. All of them are resources: they are available on the Resources tab and can be used as objects of rules.
The most general object is the network. The product distinguishes three types of network: trusted, local and public. Each time a new connection appears, Kaspersky Internet Security 2009 asks you which type to assign it to. Note that if you expand the Networks column in the main table, you can define separate general permissions for each network type. That is why each application has three inactive packet rules: the first holds the settings for trusted networks, the second for local networks and the third for public networks.
If you have assigned your connection (for example, the Internet) to the public type, then any network activity of an application over it is treated as access to the resource Public networks and is processed by the third inactive packet rule, unless an active rule overrides it.
Suppose Prompt for action has been set for application.exe when working with public networks. Training for the application has not started yet, so its list of rules is empty (apart from the inactive rules mentioned above). Therefore, when application.exe contacts a resource on the Internet (for example, the IP address 203.0.113.10), the training mode prompts for action.
Using the detailed rule creation wizard you can create an allowing rule for application.exe so that in future it connects to this IP address without any prompts. On the first page of the wizard select the Allow action and go to the second page.
Here you meet the next type of object for Firewall rules: the Network service. This resource type collects a large number of templates for specific kinds of network activity, for example a DNS request. The network service Outgoing DNS activity thus contains its direction (outgoing), protocol (UDP) and remote port (53). The product automatically picks the network services matching the current activity from its database. You can also view the list or create your own network service (it will then appear on the Resources tab).
Preparation of the rule is now nearly finished: it has a subject (application.exe), an action (Allow) and an object (the network service Outgoing DNS activity). Only the last component of a network rule remains: the IP address.
An IP address can also be an object. A group of addresses, a range, or several ranges can be combined into one resource and set as the secondary object of the rule. In the wizard you can create such a resource (the IP address the application originally contacted is added to it automatically) or select one of the resources already created.
As a result, a new active rule appears in the list of packet rules. It allows application.exe access to the object Outgoing DNS activity with the secondary object IP address 203.0.113.10. This rule has a higher priority than the grey inactive rules, so when application.exe sends an outgoing UDP packet to 203.0.113.10, port 53, the product finds this rule in the list and acts according to it. But if application.exe connects over TCP to 198.51.100.20, port 80, no matching active rule is found, the grey inactive rule triggers and the user is prompted for action.
Note that active packet rules are not equal. The list of packet rules is ordered: a rule placed higher in the list has higher priority than the rules below it. This does not apply to the inactive rules, which are always considered last.
For example, suppose the application must be allowed to reach two specific IP addresses from a range, while access to all other addresses in the same range must be blocked. The procedure is simple. Create a resource containing the two addresses and a packet rule that allows the application any network activity towards this resource. Then create a second resource with the whole range and a second rule that denies the application any network activity towards it. Using the extended editor, move the first rule above the second.
Now, if the application's connection falls under the first rule, access is allowed. If not, the product checks whether it falls under the second rule; if it does, the connection is blocked. If it does not, the product moves on to the next rule in the list and continues until the list is exhausted. If no active rule matches the application's connection, the decision is made by the inactive rules.
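The packet-rule evaluation described in this section, as an added illustrative model in Python: it covers both the wizard example (outgoing DNS allowed to a single address, everything else falling through to the grey rule for public networks) and the ordered allow/block pair for two addresses out of a range. This is not the product's own code; the rule and resource representation, the grey-rule verdicts and the addresses (taken from the documentation ranges) are assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Inactive (grey) rules: one verdict per network type, mirroring the
# Networks column of the main table. Constructed values.
NETWORK_TYPE_VERDICTS = {"trusted": "allow", "local": "allow", "public": "prompt"}


@dataclass(frozen=True)
class NetworkService:
    """Template of one kind of activity: direction, protocol, remote port.
    "any" and None act as wildcards."""
    direction: str
    protocol: str
    remote_port: int | None

    def matches(self, pkt: dict) -> bool:
        return (self.direction in ("any", pkt["direction"])
                and self.protocol in ("any", pkt["protocol"])
                and (self.remote_port is None or self.remote_port == pkt["remote_port"]))


OUTGOING_DNS = NetworkService("outgoing", "udp", 53)
ANY_ACTIVITY = NetworkService("any", "any", None)


def ip_resource(*specs: str) -> tuple:
    """An address resource: single addresses and/or CIDR ranges."""
    return tuple(ipaddress.ip_network(s) for s in specs)


@dataclass
class PacketRule:
    action: str                      # "allow" | "block" | "prompt"
    service: NetworkService          # the object
    addresses: tuple | None = None   # secondary object; None = any address

    def matches(self, pkt: dict) -> bool:
        if not self.service.matches(pkt):
            return False
        if self.addresses is None:
            return True
        ip = ipaddress.ip_address(pkt["remote_ip"])
        return any(ip in net for net in self.addresses)


def decide(active_rules: list[PacketRule], pkt: dict) -> str:
    """Top-down walk of the active rules; the first match wins. With no
    match, the grey rule for the packet's network type decides."""
    for rule in active_rules:
        if rule.matches(pkt):
            return rule.action
    return NETWORK_TYPE_VERDICTS[pkt["network"]]


def packet(direction, protocol, remote_ip, remote_port, network="public") -> dict:
    return {"direction": direction, "protocol": protocol, "remote_ip": remote_ip,
            "remote_port": remote_port, "network": network}


def dns_scenario() -> tuple[str, str]:
    """Wizard result from the text: allow outgoing DNS to one address only."""
    rules = [PacketRule("allow", OUTGOING_DNS, ip_resource("203.0.113.10"))]
    dns = packet("outgoing", "udp", "203.0.113.10", 53)
    http = packet("outgoing", "tcp", "198.51.100.20", 80)   # no active rule: grey rule decides
    return decide(rules, dns), decide(rules, http)


def range_scenario(allow_first: bool) -> dict[str, str]:
    """Two addresses allowed, the rest of their /24 blocked; the order of
    the two rules decides whether the exception ever takes effect."""
    allow_two = PacketRule("allow", ANY_ACTIVITY, ip_resource("192.0.2.5", "192.0.2.6"))
    block_range = PacketRule("block", ANY_ACTIVITY, ip_resource("192.0.2.0/24"))
    rules = [allow_two, block_range] if allow_first else [block_range, allow_two]
    return {ip: decide(rules, packet("outgoing", "tcp", ip, 443))
            for ip in ("192.0.2.5", "192.0.2.99", "198.51.100.1")}


if __name__ == "__main__":
    print(dns_scenario())
    print(range_scenario(allow_first=True))
    print(range_scenario(allow_first=False))
```

The second scenario is worth running both ways: with the allowing rule above the blocking one, 192.0.2.5 is allowed and 192.0.2.99 is blocked; with the order reversed, the broader blocking rule matches first and the exception for the two addresses never applies. An address outside both resources (198.51.100.1) reaches no active rule and gets the grey rule's verdict for public networks.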