Protection from changes to Kaspersky Industrial CyberSecurity for Nodes registry keys
August 3, 2023
ID 182788
Kaspersky Industrial CyberSecurity for Nodes restricts access to the following registry branches and keys, which facilitate loading of application drivers and services:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\KICS]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfs]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfsgt]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfsslp]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klam]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klelaml]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klfltdev]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klramdisk]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\KICS\3.2\CrashDump]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\KICS\3.2] (on Microsoft Windows 64-bit)
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\KICS\3.2\Trace]
The rights to change these registry branches and keys are granted to the Local System (SYSTEM) account only. User and Administrator accounts are granted read-only rights.
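One way to confirm the state described above on a protected node, as an added example that is not part of the Kaspersky documentation: the script reads each key's access rules, lists any account other than SYSTEM (SID S-1-5-18) that is allowed a modifying right, and requests a write handle without changing anything. The expected result (no non-SYSTEM writers, write open refused) assumes the restriction is visible in the key's DACL or at open time, which the page does not specify; the variable names and report columns are illustrative.

```powershell
# Added audit example, not Kaspersky code. Run from an elevated 64-bit PowerShell.
# Subkey paths under HKEY_LOCAL_MACHINE, copied from the list on this page.
$keys = @(
    'SOFTWARE\Wow6432Node\KasperskyLab\KICS'
    'SYSTEM\CurrentControlSet\Services\kavfs'
    'SYSTEM\CurrentControlSet\Services\kavfsgt'
    'SYSTEM\CurrentControlSet\Services\kavfsslp'
    'SYSTEM\CurrentControlSet\Services\klam'
    'SYSTEM\CurrentControlSet\Services\klelaml'
    'SYSTEM\CurrentControlSet\Services\klfltdev'
    'SYSTEM\CurrentControlSet\Services\klramdisk'
    'SOFTWARE\KasperskyLab\KICS\3.2\CrashDump'
    'SOFTWARE\Wow6432Node\KasperskyLab\KICS\3.2'
    'SOFTWARE\KasperskyLab\KICS\3.2\Trace'
)
# Rights that modify a key or its security descriptor,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$modify = 'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int][System.Security.AccessControl.RegistryRights]$modify -bor 0x40000000 -bor 0x10000000
$sidType = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($sub in $keys) {
    $path = "Registry::HKEY_LOCAL_MACHINE\$sub"
    $row = [ordered]@{ Key = "HKLM\$sub"; Present = $false; NonSystemWriters = ''; WriteOpen = $null }
    if (Test-Path -LiteralPath $path) {
        $row.Present = $true
        $acl = Get-Acl -Path $path -ErrorAction Stop
        # Allow rules that apply to this key itself and grant a modifying right
        # to any identity other than Local System.
        $sids = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.PropagationFlags -notmatch 'InheritOnly' -and
            $_.IdentityReference.Value -ne 'S-1-5-18' -and
            ([int]$_.RegistryRights -band $writeMask)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        $row.NonSystemWriters = @($sids) -join ','
        # Effective check for the current account: ask for a write handle, modify nothing.
        try {
            $h = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub, $true)
            $row.WriteOpen = [bool]$h
            if ($h) { $h.Close() }
        } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
            $row.WriteOpen = $false
        }
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize
```

Keys reported with `Present` set to `False` do not exist on that platform or installation and can be ignored.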
Protection from changes to the memory of program service parts
To protect program service parts from third-party processes, Kaspersky Industrial CyberSecurity for Nodes drivers restrict access to the following executable files:
- kavfs.exe
- kavfswp.exe
- kavfswh.exe
- kavfsgt.exe
By default, access to the memory of Kaspersky Industrial CyberSecurity for Nodes service parts is restricted for third-party processes.
You can enable the self-defense functions in the policy properties of Kaspersky Industrial CyberSecurity for Nodes Console and Kaspersky Industrial CyberSecurity for Nodes Administration Plug-in.