Kaspersky
Question

What are the rules "Severity," "KLPublic" and "KLPrivate"? Spotify.

  • 4 December 2021

I can’t find enough documentation for how the firewall works. Things keep being blocked with these rules and I don’t know why. It’s frustrating. I’m having to trust applications I really don’t want to put in the trust list because I can’t figure out these rules. Any help would be appreciated.



Hello @72pzXCa,

unfortunately I can't do anything with the terms "Severity," "KLPublic" and "KLPrivate" right now.

Can you please post a screenshot where these terms appear? Maybe then the memory will come back...

Much easier to just copy a line from the Firewall section of the report:

Today, 12/4/2021 5:51:48 PM;Network activity blocked;Spotify;TCP;Outbound;Blocked;216.239.34.21;443;10.40.139.5;50613;Public network;NT AUTHORITY\SYSTEM;System user;Severity;;;

Spotify is currently in the trusted applications list. It shouldn’t be subject to firewall rules at all. I don’t really want it to be there, but I get so many alerts for connections that should be allowed if I take it out it’s distracting. These alerts say that “a process may be using this trusted process to gain access” or something like that. I think this may be a different kind of alert than the normal firewall one, but I can’t remember if all firewall alerts say that or not.

I reset the rules for Spotify, and those entries went away. I have no idea what was causing them because I don’t know what the Severity rule means. However, now I get these:

Once again, there are not any rules blocking any Spotify connections. It isn’t in the trusted application list since I reset the rules, but it is in the Trusted group. I’d like to avoid putting third-party apps like this in that list. Why are these coming up? Perhaps another rule related to application control is affecting it, but Spotify has no parent processes, and the only child processes are additional Spotify processes it creates. So I don’t know where this could be coming from. Maybe the fact that it is a UWP app is causing an issue? I don’t use very many.

In addition, when I get alerts for svchost.exe and try to create rules from the alert, no window shows up to create the rule. Nothing happens. If I choose “Apply/Block always” I don’t know what happens there either, because no rules that I can find are created for always allowing/blocking these connections. How am I supposed to keep track of what I have allowed and blocked “always” if there’s no record of it? How is this any different from creating a rule, and so why does it exist as a different option? The questions abound.

It would be nice if there were a centralized list of all created application rules for troubleshooting purposes, similar to the packet rules menu, as opposed to having to dig around separate menus for each application. Or at least an XML file or some such for power users to view/edit these rules. And of course, an explanation for these hidden rules like Severity and KLPublic. At least KLPublic hints that it has something to do with blocking the Public zone, but Severity tells me nothing.

Should I create different forum threads about the issues I have, or address them all in one? I have a support ticket that was escalated, but I have to run a system info tool and wait for them to respond back. I forgot to ask the agent in the chat about those hidden firewall rules. I appreciate the excellent features in this software, but from a configuration and usability perspective it’s been a nightmare. I’m sure it works fine when running on mostly default settings, but my network setup is a bit more specialized than an average user, and I am concerned with privacy more than most (they should be).

For that reason I’m concerned with filtering my outgoing traffic as well as incoming, and I don’t automatically trust Windows processes like svchost. To me it is safer to block undesired service connections with the firewall rather than go and deactivate a bunch of services that might be needed for something. Of course some can’t be deactivated at all, but function just fine without internet access. The ability to create rules by service is a big missing feature in Kaspersky. Instead I have to do it by ports and by giving IP rules to svchost.exe for services that don’t have an executable I can block, which is inefficient and only protects against IPs I’ve already encountered. It makes no sense to allow me to create rules manually for this process, but not allow me to create them more easily from the alerts. It’s really not my fault that Windows leaks like a sieve. All I can do is try to address it.

I’d really like to keep the software, but I need explanations for these cryptic rules and unexpected behavior. As of now I’ve finally managed to get Spotify working again without putting it into the Trusted applications list, but these strange alerts are still popping up every now and then. When I log Spotify, the Application Control report shows AC being triggered for it, but these are all allowed, no warnings or blocks. They are local actions as well, not network. Something must be affecting it that I can’t catch in logs.

Any help is appreciated. Thanks for taking the time to read all this.
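
Added example, not part of the original thread and not Kaspersky code: a short Python script that parses firewall report lines in the semicolon-delimited shape quoted above and counts blocked connections per application, rule name and remote endpoint, so an unexplained rule name such as Severity can be tied to specific destinations. The column names are assumptions inferred from the values in the quoted line, and every sample line except the first is constructed.

```python
from collections import Counter

# Column names are assumptions inferred from the values in the quoted line;
# the thread does not show the report's header row.
COLUMNS = ["time", "event", "application", "protocol", "direction", "action",
           "remote_ip", "remote_port", "local_ip", "local_port",
           "network_type", "user", "user_type", "rule"]

# First line is the one quoted in the thread; the others are constructed samples.
SAMPLE = r"""Today, 12/4/2021 5:51:48 PM;Network activity blocked;Spotify;TCP;Outbound;Blocked;216.239.34.21;443;10.40.139.5;50613;Public network;NT AUTHORITY\SYSTEM;System user;Severity;;;
Today, 12/4/2021 5:52:03 PM;Network activity blocked;Spotify;TCP;Outbound;Blocked;216.239.34.21;443;10.40.139.5;50620;Public network;NT AUTHORITY\SYSTEM;System user;Severity;;;
Today, 12/4/2021 5:53:10 PM;Network activity blocked;Spotify;UDP;Outbound;Blocked;203.0.113.7;1900;10.40.139.5;50631;Public network;NT AUTHORITY\SYSTEM;System user;KLPublic;;;
malformed line without enough fields
"""


def parse_line(line):
    """Split one report line into a dict, or return None if it is too short."""
    fields = line.rstrip("\r\n").split(";")
    if len(fields) < len(COLUMNS):
        return None
    # zip() stops at the last named column, dropping the trailing empty fields.
    return dict(zip(COLUMNS, (f.strip() for f in fields)))


def blocked_by_rule(text):
    """Count blocked events per (application, rule, remote endpoint)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "Blocked":
            continue
        remote = f'{rec["remote_ip"]}:{rec["remote_port"]}'
        counts[(rec["application"], rec["rule"] or "(no rule name)", remote)] += 1
    return counts


if __name__ == "__main__":
    for (app, rule, remote), n in blocked_by_rule(SAMPLE).most_common():
        print(f"{n:3d}  {app:10s} rule={rule:10s} remote={remote}")
```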


@72pzXCa Welcome.

Are you running Spotify for Windows version 1.1.73.517.gbef50fdb, digital signature “Spotify AB”?

Yes, that’s correct. The Spotify issue seems to be resolved more or less, it’s stopped bombing me with these firewall requests for that at least. I’m not even sure what resolved it. The problem extends beyond that though. I still get alerts for applications in the Trusted group even if I select options to apply always. I may just reinstall Kaspersky.
