

Configuring Antivirus Intrusion Prevention on Windows


This article is currently an experimental machine translation and may contain errors. If anything is unclear, please refer to the original Chinese version. I am continuously working to improve the translation.

Previously, I wrote an article about using TPM for SSH authentication, which finally allowed me to stop using raw id_rsa/id_ed25519 keys lying around unprotected — solving one of my long-standing concerns.

But besides SSH private keys, there are other sensitive or private folders on my PC that need protection — such as browser User Data, XShell configuration directories, and the Start Menu startup items. Since Windows (due to its historical baggage) doesn’t enforce application isolation, I decided to do it myself.

The first time I encountered such proactive defense / intrusion prevention / folder protection / HIPS functionality (I’m not sure what to call it exactly; I’ll just refer to it as HIPS from now on) was with Huorong’s folder protection feature. Back when QQ was exposed for reading browser history, many people started using Huorong to block QQ from accessing private directories like browser data.

A Brief Detour: An Open-Source Attempt

When I first saw this feature, I thought it was pretty cool. But using Huorong to block QQ feels a bit like fighting poison with poison. After searching online for a while, I couldn’t find any credible alternatives. Driven by the belief that everything can (and should) be open-source, I decided to write my own: MiniHIPS. I initially tried using Minifilter to directly intercept IRP requests, but Windows drivers now require expensive Microsoft signing — otherwise they can only run in test mode, which is inconvenient for both myself and potential users.

Later, I changed my approach: instead of going kernel-level, I injected a DLL into all processes and hooked file-related APIs in ntdll.dll, intercepting syscalls before they reach the kernel.

Hooking at the last user-mode opportunity before entering KERNEL

Of course, user-mode interception comes with its own set of issues. There are known methods to bypass such hooks, and the injection approach is more intrusive, leading to compatibility problems (some applications simply don’t like being hooked). Plus, I’d need to ensure child processes are also hooked, and handle complex file access rules.

As a result, I’ve only completed a very basic proof-of-concept — which seems to work roughly on my machine — but turning it into something actually usable would require a ton of additional work and testing (like building a configuration frontend and handling countless edge cases).

Since I haven’t had much free time lately, and I suspect there’d be a million weird bugs to debug, I’ve temporarily decided to 🕊️ (put it on hold).

Switching to Kaspersky

After abandoning the open-source route, I turned to commercial solutions. After a quick search, comparison, and a trip to Kafan BBS, I immediately spent 118 RMB on a three-year KIS subscription.

Kaspersky Internet Security (KIS), or any Kaspersky Standard-tier (and above) product, includes an “Intrusion Prevention” feature that allows custom rules similar to Huorong’s folder protection, plus additional behavioral filtering (like restricting memory access to other processes).

By default, Kaspersky runs in “Automatic Mode,” making decisions based on reputation scores from KSN and digital signatures, automatically allowing most file accesses while only prompting or blocking highly suspicious ones. However, I don’t trust digital signatures or so-called Machine Learning malware detection, so I disabled both Automatically perform recommended actions and Trust signed applications, switching to manual mode to configure everything myself.

(p.s. This also creates a kind of “honeypot” behavior — any app trying to access sensitive folders immediately triggers a popup. If something suspicious shows up, I’ll know right away.)

Switching to manual mode increases popup frequency

Example of a blocked access attempt

Here are a few examples of my configurations:

Restrict by Application — Limiting Untrusted Software

My current laptop is a Lenovo XiaoXin Pro14 2021 (Chinese domestic model). Although I’ve wiped and reinstalled the OS and never manually installed any Lenovo software, Windows Update still silently installed several OEM applications. Without reverse engineering them, I can only guess from their names that they’re related to power management and hotkeys (e.g., Fn+Q to switch performance modes).

Even though these apps are signed by both Lenovo and Microsoft, their trustworthiness remains in a Schrödinger-like state. Given their limited functionality, I can still restrict most unnecessary access.

Block all Lenovo-signed software from accessing the network, and optionally restrict access to personal data or critical system settings

If your PC has other untrusted software (I’m looking at you, QQ/WeChat), you can apply similar restrictions.

Restrict by Resource — Protect Specific Folders (e.g., Browser User Data)

Other than the browser itself, there’s almost no legitimate reason for any application to access the browser’s data directory. So in Kaspersky’s Manage Resources settings, I set up a whitelist rule for this resource.

Only allow Chromium-based browsers to access Chrome User Data; prompt for all others

Now, whenever another app tries to access the User Data folder, a popup appears. That’s how I discovered that IDM constantly attempts to access browser folders to install its extension. I simply denied access manually (the red cross in the image above), so it stops prompting repeatedly — and IDM still works fine.
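To make the rule semantics concrete, here is a small policy model of the resource-protection behaviour described above (a protected folder, a whitelist of allowed executables, "prompt" for everyone else, and a remembered manual verdict so the same app is not asked twice), which is also the kind of "file access rule" handling the MiniHIPS detour mentioned. This is an added example written for this article, not code from Kaspersky or from MiniHIPS; the executable paths, folder names and the IDM scenario are constructed sample values, and the evaluator checks rules in list order.

```python
"""Toy model of a HIPS resource-protection policy (constructed example;
not Kaspersky's or MiniHIPS' real logic)."""
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"   # ask the user, like the manual-mode popup


@dataclass
class ResourceRule:
    """One protected directory plus the executables allowed to touch it."""
    protected_dir: str
    allowed_apps: List[str]          # glob patterns over full executable paths
    default: Verdict = Verdict.PROMPT


@dataclass
class HipsPolicy:
    rules: List[ResourceRule]
    # Answers the user gave in a popup, remembered per (app, resource) so the
    # same app is not asked again (the "red cross" given to IDM in the post).
    decisions: Dict[Tuple[str, str], Verdict] = field(default_factory=dict)

    @staticmethod
    def _under(path: str, root: str) -> bool:
        # Windows paths are case-insensitive; PureWindowsPath compares them so.
        p, r = PureWindowsPath(path), PureWindowsPath(root)
        return p == r or r in p.parents

    def remember(self, app_exe: str, protected_dir: str, verdict: Verdict) -> None:
        self.decisions[(app_exe.lower(), protected_dir.lower())] = verdict

    def evaluate(self, app_exe: str, path: str) -> Verdict:
        """Decide what happens when app_exe opens path."""
        app = app_exe.lower()
        for rule in self.rules:
            if not self._under(path, rule.protected_dir):
                continue
            # Caveat: '*' in a glob also matches '\', so keep patterns tight;
            # identifying an app only by its path is weaker than a signature.
            if any(fnmatchcase(app, pat.lower()) for pat in rule.allowed_apps):
                return Verdict.ALLOW
            remembered = self.decisions.get((app, rule.protected_dir.lower()))
            return remembered if remembered is not None else rule.default
        # Paths outside every protected resource are not the HIPS's concern.
        return Verdict.ALLOW


# Constructed sample resources and rules (assumed paths, not the author's).
CHROME_DATA = r"C:\Users\me\AppData\Local\Google\Chrome\User Data"
SSH_DIR = r"C:\Users\me\.ssh"


def build_example_policy() -> HipsPolicy:
    return HipsPolicy(rules=[
        ResourceRule(CHROME_DATA, [
            r"C:\Program Files\Google\Chrome\Application\chrome.exe",
            r"C:\Program Files*\Microsoft\Edge\Application\msedge.exe",
        ]),
        ResourceRule(SSH_DIR, [r"C:\Windows\System32\OpenSSH\ssh.exe"]),
    ])


def simulate() -> List[Tuple[str, str]]:
    """Replay a few constructed access attempts and return (app, verdict)."""
    policy = build_example_policy()
    idm = r"C:\Program Files (x86)\Internet Download Manager\IDMan.exe"
    events = [
        (r"C:\Program Files\Google\Chrome\Application\chrome.exe", CHROME_DATA + r"\Default\Cookies"),
        (idm, CHROME_DATA + r"\Default\Extensions"),              # not whitelisted -> prompt
        (r"C:\Windows\System32\OpenSSH\ssh.exe", SSH_DIR + r"\known_hosts"),
        (r"C:\Users\me\Downloads\setup.exe", SSH_DIR + r"\id_ed25519"),  # prompt
        (r"C:\Windows\System32\notepad.exe", r"C:\Users\me\Documents\notes.txt"),
    ]
    out = [(PureWindowsPath(app).name, policy.evaluate(app, path).value)
           for app, path in events]
    # The user clicks the red cross on IDM's popup: the denial sticks.
    policy.remember(idm, CHROME_DATA, Verdict.DENY)
    out.append(("IDMan.exe", policy.evaluate(idm, CHROME_DATA + r"\Default\Extensions").value))
    return out


if __name__ == "__main__":
    for app, verdict in simulate():
        print(f"{app:12s} -> {verdict}")
```

The evaluator returns the first matching rule's decision, so more specific folders should be listed before their parents if you nest protected resources; whitelisting by executable path is deliberately simple here, which is exactly why the article's point about not blindly trusting signatures (or paths) still applies.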

Summary

Even though I have reasonably good PC usage habits and most of my software comes from trusted or open-source origins, my gut tells me I can’t fully trust my future self from accidentally installing something sketchy.

After some detours, I finally got my HIPS setup working. I get occasional popups, but with well-thought-out rules, it barely interferes with daily use. Solved my second major concern (not really).

This article is licensed under the CC BY-NC-SA 4.0 license.

Author: lyc8503, Article link: https://blog.lyc8503.net/en/post/kaspersky-hips/
If this article was helpful or interesting to you, consider buying me a coffee ¬_¬
Feel free to comment in English below o/