PowerShell *.ps1 allowed execution + TAM enabled

[2020] Application Control (HIPS, SW, Firewall, IDS, TAM)
    harlan4096
    wrote on last edited by Jarvis
    #1

    <p><strong>Reproduction steps:</strong></p>
    <p><span>0.- Enable TAM.</span></p>
    <p><span>1.- Run the following ps1 script file Hello World.ps1:</span></p>
    <pre class="language-clike"><code>Write-Host "Hello World"
    Write-Host "Press any key to continue ..."
    $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")</code></pre>
    <p><strong>Actual result:</strong></p>
    <p><span>KTS2020 moves it to Low Restricted group and allows execution.</span></p>
    <p><span>Screen-shot: https://cloud.qainfo.ru/s/7b80TMnGolxXW7V</span></p>
    <p><strong>Expected Result:</strong></p>
    <p>Script ps1 files should be blocked by TAM upon execution. I also reported this issue in previous beta testing and it was fixed... unless the policy to execute ps1 scripts had changed?</p>

    S1 (Desktop MELPOMENIA): KES 12.9 + Windows 11 Pro 24H2 *** S2 (Desktop TERMINUS): Kaspersky Premium 21.21 beta + Windows 10 Pro 22H2

      Dmitriy.Pisarets
      Kaspersky Lab
      wrote on last edited by
      #2

      <p>Hello, @<strong><a href="/user/harlan4096" target="_blank" rel="noopener" data-username="harlan4096" data-uid="58">harlan4096</a> !</strong> </p>
      <p>Please run this scenario:</p>
      <p>0 - it would be great if you have a clean virtual PC and can install the product "for the first time"</p>
      <p>1 - be sure you have no PS scripts on your desktop (in any folders of the desktop, or in "Documents")</p>
      <p>2 - enable TAM</p>
      <p>3 - get your PS script file in a ZIP or RAR archive <span style="text-decoration: underline;">after</span> TAM finishes its analysis</p>
      <p>4 - try to start the file with PowerShell</p>
      <p>So it should be blocked.</p>
      <p>There are some cases when TAM thinks you trust an app or file, so it doesn't go to the server to check privileges — it just moves it to "light restriction" automatically.</p>

        harlan4096
        wrote on last edited by
        #3

        <p>I just installed the new build KTS2020 b713 and enabled TAM. This time I created the ps1 script file after the TAM analysis and ran it, and this time the .ps1 script was moved to Low Restricted but blocked upon execution by TAM!</p>
        <p>Thanks!</p>
