Protection from changes to Kaspersky Industrial CyberSecurity for Nodes registry keys
3 August 2023
ID 182788
Kaspersky Industrial CyberSecurity for Nodes restricts access to the following registry branches and keys, which facilitate the loading of application drivers and services:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\KICS]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfs]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfsgt]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kavfsslp]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klam]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klelaml]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klfltdev]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klramdisk]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\KICS\3.2\CrashDump]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\KICS\3.2] (on Microsoft Windows 64-bit)
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\KICS\3.2\Trace]
The rights to change these registry branches and keys are granted to the Local System (SYSTEM) account only. User and Administrator accounts are granted read-only rights.
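One way to check the access rights described above on a protected node, as an added example that is not part of the original Kaspersky documentation. It assumes the restriction is visible in each key's DACL and that self-defense is enabled; the script only reads ACLs and changes nothing.

```powershell
# Added example: read-only audit of the DACLs on the registry keys listed on this page.
# Assumption: the restriction is expressed in each key's DACL and self-defense is enabled.
$keys = @(
    'SOFTWARE\Wow6432Node\KasperskyLab\KICS'
    'SYSTEM\CurrentControlSet\Services\kavfs'
    'SYSTEM\CurrentControlSet\Services\kavfsgt'
    'SYSTEM\CurrentControlSet\Services\kavfsslp'
    'SYSTEM\CurrentControlSet\Services\klam'
    'SYSTEM\CurrentControlSet\Services\klelaml'
    'SYSTEM\CurrentControlSet\Services\klfltdev'
    'SYSTEM\CurrentControlSet\Services\klramdisk'
    'SOFTWARE\KasperskyLab\KICS\3.2\CrashDump'
    'SOFTWARE\Wow6432Node\KasperskyLab\KICS\3.2'
    'SOFTWARE\KasperskyLab\KICS\3.2\Trace'
)
$systemSid = 'S-1-5-18'   # well-known SID of Local System, independent of OS language

# Bits that allow changing a key or its security descriptor:
# SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which some ACEs carry.
$writeMask = 0x2 -bor 0x4 -bor 0x20 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
             0x40000000 -bor 0x10000000
$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = foreach ($k in $keys) {
    $path = "HKLM:\$k"
    if (-not (Test-Path -LiteralPath $path)) { continue }   # e.g. Wow6432Node on 32-bit Windows
    $acl = Get-Acl -LiteralPath $path
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }  # applies to subkeys only
        if ($ace.IdentityReference.Value -eq $systemSid) { continue }
        if ([int]$ace.RegistryRights -band $writeMask) {
            [pscustomobject]@{
                Key    = $k
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.RegistryRights
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No write-capable ACE for any account other than SYSTEM was found.' }
```

Any row in the output is an allow entry that lets an account other than SYSTEM modify one of the listed keys, which differs from the rights described on this page.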
Protection from changes to the memory of program service parts
To protect program service parts from third-party processes, Kaspersky Industrial CyberSecurity for Nodes drivers restrict access to the following executable files:
- kavfs.exe
- kavfswp.exe
- kavfswh.exe
- kavfsgt.exe
By default, access to the memory of Kaspersky Industrial CyberSecurity for Nodes service parts is restricted for third-party processes.
You can enable the self-defense functions in the policy properties of Kaspersky Industrial CyberSecurity for Nodes Console and Kaspersky Industrial CyberSecurity for Nodes Administration Plug-in.