Rule for Kav AV?

Is this rule sufficient for Kav?

http://i143.photobucket.com/albums/r157/Rilla927/NewGroup.png

Thanks,

 

This rules touch all subkey of kav install root.
However from the screenshot you have made i cannot see what decision have you made about those key ...

My suggestion could be read only for all, and allow write access for kav.
Then there would be two rule,
one global to deny write
one per application to allow write to only truste ones

Also i do not know what is stocked under this subkey.
But i higly doubt that kaspery would be smart enougth to prevent disabling hteir av by setting a simple 1 to a 0 in regisry.


What are you trying to do exactly ?

 

The Key you are protecting is not in itself sufficient. Firstly you would need to protect all the sub-keys and values, secondly there are other areas in the Registry to consider, for example:-

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KL1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl1

Personally I don't consider it worthwhile attempting to protect KAV's Reg entries using RD, because KAV has its own self defence mechanism (just ensure it is enabled) which should prevent critical changes from occuring. Just go to the latter Key above in Regedit and try and create a new value - you will find that it is not possible to do so, 'cos KAV's self defence does not allow such editing.

 

i wouldn't restrict kav to much, there are other things it needs to read, for example the startup entries to get the loaded programs/modules/drivers etc.
again, as topperid said, there's always self defense.

 

@f3x, TopperID, Plantextract

I just wanted to see if that rule was correct*(just*learning) for Kav or not in order to protect it.

Since Topper mentioned the PDM module/ self protection I will leave it a lone. I forget about that module sometimes.

Thanks too all of you,