> Kaspersky keeps deleting my hosts file [ How to exclude host file ], false virus warning win32.hosts2.gen
Deakus, post 5.04.2011 18:48, Post #1 (Newbie; Group: Members; Posts: 2; Joined: 5.04.2011)

Hello,

We have Kaspersky installed in the office, and since yesterday all users have had the virus alert trojan.win32.hosts2.gen, which subsequently removes the system32/Drivers/Etc/hosts file (or any other hosts file backups).

We are a web company, so we use the hosts file a lot for test and dev purposes.

I've discovered that if the same IP is repeated several times and the domain names are similar, Kaspersky will assume that the file's been infected.

Does anyone know how to stop this?
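The pattern Deakus describes (one address repeated for a family of similar dev hostnames) has the same shape as a hijacked hosts file, so a heuristic that looks only at repetition cannot tell the two apart. The script below is an added example, written for this page and not taken from the thread or from Kaspersky; it is not Kaspersky's detection logic. It triages a hosts file on the destination address instead: names sent to loopback or 0.0.0.0 are treated as dev or ad-blocking use, names sent to RFC 1918 / ULA ranges as staging use, and names sent anywhere else as the hijack pattern, with several names converging on one such address flagged again. The sample file, the address classes and the fan-out threshold are all my assumptions; the `.test` and `.example` names are reserved for documentation.

```python
"""Added example (not from the forum thread): triage a Windows hosts file on
where each name is sent, rather than on how often an address repeats.

Assumptions (mine, not Kaspersky's): loopback/0.0.0.0 targets are dev or
ad-blocking use; RFC 1918 / ULA targets are LAN staging use; any other target
is the hijack pattern, and >= FANOUT names on one such target is flagged again.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample; not a real machine's file.
SAMPLE_HOSTS = """\
# Constructed sample, not a real machine's file
127.0.0.1       localhost
::1             localhost
# dev/test entries of the kind the thread describes: one IP, similar names
127.0.0.1       dev.example.test
127.0.0.1       api.dev.example.test
127.0.0.1       admin.dev.example.test
10.0.0.25       staging.example.test  www.staging.example.test
# ad-blocking style blackhole entry
0.0.0.0         ads.tracker.example
# hijack-style entries: names sent to an address outside the machine and LAN
203.0.113.7     www.bank.example
203.0.113.7     update.antivirus.example  download.antivirus.example
"""

# LAN ranges treated as legitimate staging targets (assumed policy).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]


def parse_hosts(text):
    """Return [(line_no, ip_address, [hostnames])]; comments and blank lines skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                                  # malformed line: ignore
        entries.append((line_no, ip, [h.lower() for h in names]))
    return entries


def classify(ip):
    """Assumed address classes; TEST-NET ranges deliberately count as external."""
    if ip.is_unspecified:
        return "blackhole"        # 0.0.0.0 / :: as used by ad-blocking hosts lists
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LOCAL_NETS):
        return "private"
    return "external"


def summarize(text):
    """Count hostnames per address class, e.g. {'loopback': 5, 'external': 3, ...}."""
    counts = Counter()
    for _, ip, names in parse_hosts(text):
        counts[classify(ip)] += len(names)
    return dict(counts)


def triage(text, fanout=3):
    """Return one finding per hostname that matches the hijack pattern.

    A dev file full of 127.0.0.1 entries produces no findings by design.
    """
    entries = parse_hosts(text)
    names_per_ip = defaultdict(set)
    for _, ip, names in entries:
        names_per_ip[ip].update(names)
    findings = []
    for line_no, ip, names in entries:
        kind = classify(ip)
        reasons = []
        if kind == "external":
            reasons.append("external")
        if kind in ("private", "external") and len(names_per_ip[ip]) >= fanout:
            reasons.append(f"fanout:{len(names_per_ip[ip])}")
        for name in names:
            if reasons:
                findings.append({"line": line_no, "ip": str(ip),
                                 "name": name, "reasons": list(reasons)})
    return findings


if __name__ == "__main__":
    print(summarize(SAMPLE_HOSTS))
    for f in triage(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']}  [{', '.join(f['reasons'])}]")
```

On a Windows box the real file is `%SystemRoot%\System32\drivers\etc\hosts`; read it and pass the contents to `triage`. The point of the design is that the dev entries from the thread (several similar names all on 127.0.0.1) come back clean, while the constructed `203.0.113.7` lines are flagged twice, once for pointing off-box and once for the fan-out.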
lvalnegri, post 5.04.2011 21:31, Post #2 (Newbie; Group: Members; Posts: 2; Joined: 5.04.2011)

Here the same.
And despite the fact that it's plain text, if you just change the name it stops bothering you... what kind of "heuristic" approach is that?!?! I don't like this new version at all, and I'm wondering whether it would be better to make a change after years of KIS...

This post has been edited by lvalnegri: 5.04.2011 21:34

Deakus, post 6.04.2011 01:18, Post #3 (Newbie; Group: Members; Posts: 2; Joined: 5.04.2011)

I agree; it's annoying me so much that I too am thinking about uninstalling the software and installing a more sensible application.

richbuff, post 6.04.2011 04:22, Post #4 (Oldtimer; Group: Moderators; Posts: 48881; Joined: 14.06.2007)

QUOTE
I've discovered that if the same IP is repeated several times and the domain names are similar kaspersky will assume that the file's been infected.
Please inform the Lab, instructions are located in the third important topic located near the top of the Virus section of this forum. And here: http://forum.kaspersky.com/index.php?showtopic=13881


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.

lvalnegri, post 6.04.2011 14:12, Post #5 (Newbie; Group: Members; Posts: 2; Joined: 5.04.2011)

QUOTE(richbuff @ 6.04.2011 01:22) *
Please inform the Lab, instructions are located in the third important topic located near the top of the Virus section of this forum. And here: http://forum.kaspersky.com/index.php?showtopic=13881


This is just ridiculous...

Slavian, post 6.04.2011 14:37, Post #6 (Head of Vulnerability Research Group; Group: KL Russia; Posts: 5; Joined: 24.10.2007)

Hello.

We won't change the detection logic; if you want to use modified 'hosts' files, add them to the 'white list'.

feno, post 7.04.2011 16:01, Post #7 (Newbie; Group: Members; Posts: 5; Joined: 7.04.2011)

QUOTE(Slavian @ 6.04.2011 14:37) *
We won't change the detection logic; if you want to use modified 'hosts' files, add them to the 'white list'.

Hello,
How, then, do I add the hosts file to the "white list"?
Thanks

Yury Parshin, post 8.04.2011 08:13, Post #8 (Lead Malware Analyst; Group: KL Russia; Posts: 744; Joined: 21.10.2008)

For example, for KAV for WKS 6: http://support.kaspersky.com/faq/?qid=208280716

Rene-gad, post 8.04.2011 18:37, Post #9 (Helper; Group: Members; Posts: 2974; Joined: 2.08.2005; From: Linz)

QUOTE(feno @ 7.04.2011 14:01) *
How, then, do I add the hosts file to the "white list"?

I'm not sure it is a good solution: if the hosts file were really changed by some malware application, then we'd have a real problem.


--------------------
Servus
Rene-gad

feno, post 14.04.2011 17:55, Post #10 (Newbie; Group: Members; Posts: 5; Joined: 7.04.2011)

Hello,
I added my hosts file to the exclusions, but it is still being removed by KIS.


dawgg, post 14.04.2011 19:30, Post #11 (Forum Elite; Group: Moderators; Posts: 9300; Joined: 6.04.2006; From: London)

QUOTE(Rene-gad @ 8.04.2011 15:37) *
I'm not sure it is a good solution: if the hosts file were really changed by some malware application, then we'd have a real problem.

Hello, you can define the exclusion to exclude only certain detection names, e.g. "Trojan.Win32.Hosts2.gen", so other detected items in that location will still be detected; so no problems.

QUOTE(feno @ 14.04.2011 14:55) *
Hello,
I added my hosts file to the exclusions, but it is still being removed by KIS.

Hi, in your first screenshot, delete the Hosts entry you added there. It is not needed.
In your second screenshot, select the Host entry, click "Modifier" and post a screenshot of that window. Also make sure the detection name is exactly "Trojan.Win32.Hosts2.gen" if that is what is detected.

This post has been edited by dawgg: 14.04.2011 19:31

Rene-gad, post 14.04.2011 20:47, Post #12 (Helper; Group: Members; Posts: 2974; Joined: 2.08.2005; From: Linz)

QUOTE(dawgg @ 14.04.2011 17:30) *
In your second screenshot, select the Host entry, click "Modifier" and post a screenshot of that window. Also make sure the detection name is exactly "Trojan.Win32.Hosts2.gen" if that is what is detected.

Possibly I'm a complete idiot, but it does not work...
Attached File(s)
Attached File  1.jpg ( 86,42K ) Number of downloads: 39
Attached File  2.jpg ( 123,47K ) Number of downloads: 35

dawgg, post 14.04.2011 22:59, Post #13 (Forum Elite; Group: Moderators; Posts: 9300; Joined: 6.04.2006; From: London)

Rene-gad, when you scan the individual file, the exclusion will not work (by design of Kaspersky).

If in the Exclusion setting you've chosen "Protection Components: Any", Kaspersky should not detect it unless you intentionally scan the file via right-click - Scan.

feno, the exclusion setting should be as shown in the screenshot below (including Protection component "Any"). Again, as I just said above, when you scan the individual file, it will still be detected. Other than that, it should not be detected.
Attached File  Hosts_exclusion.PNG ( 12,93K ) Number of downloads: 56

Rene-gad, post 15.04.2011 00:02, Post #14 (Helper; Group: Members; Posts: 2974; Joined: 2.08.2005; From: Linz)

It's clear what you have explained, thank you.
What is NOT clear:
- if any file IS a virus, it has to be detected ALWAYS and by ANY MODULE of the antivirus program
- if any file IS NOT a virus, it has to be detected NEVER and by NO MODULE of the antivirus program
Otherwise we cannot talk about virus protection AT ALL.

dawgg, post 15.04.2011 00:16, Post #15 (Forum Elite; Group: Moderators; Posts: 9300; Joined: 6.04.2006; From: London)

QUOTE(Rene-gad @ 14.04.2011 21:02) *
It's clear what you have explained, thank you.
What is NOT clear:
- if any file IS a virus, it has to be detected ALWAYS and by ANY MODULE of the antivirus program
- if any file IS NOT a virus, it has to be detected NEVER and by NO MODULE of the antivirus program
Otherwise we cannot talk about virus protection AT ALL.

Sorry, I do not understand about what you are not clear about.
If a file is malicious or related to a malicious/suspicious behavior, then yes, it should be detected - unless the user wishes it to no-longer be detected, whereby they will add it to exclusions.
If a file is not malicious or related to malicious/suspicious behavior, then as you correctly say, it should not be detected.

Rene-gad, post 15.04.2011 10:30, Post #16 (Helper; Group: Members; Posts: 2974; Joined: 2.08.2005; From: Linz)

QUOTE(dawgg @ 14.04.2011 22:16) *
Sorry, I do not understand about what you are not clear about.

If Mr. Smith IS a good guy, he IS a good guy in America, Europe and on the Moon.
If Mr. Smith IS NOT a good guy, he IS NOT a good guy in America, Europe and on the Moon, and should be put in jail.
It cannot depend on the METHOD OF CHECKING his travel pass.

feno, post 15.04.2011 11:26, Post #17 (Newbie; Group: Members; Posts: 5; Joined: 7.04.2011)

dawgg: thanks for your attention.
Here is my screenshot:

Apart from the language, I don't see any difference between yours and mine.

dawgg, post 15.04.2011 12:03, Post #18 (Forum Elite; Group: Moderators; Posts: 9300; Joined: 6.04.2006; From: London)

Rene-gad, I understand now.

Sometimes files are 'greyware', where they can be good or bad depending on the purpose they are used for. For example, a Remote Administrator program is useful for administrators, support staff, or anyone else you want to explicitly allow to use your computer over the internet. This type of software can be very useful.

On other occasions, it is malicious if it was used as a trojan and someone is on your computer without your permission.

Other potentially unwanted programs such as port or network scanners, IRC clients, hard-drive flashing programs etc. can also be classed as malicious or legitimate depending on what they are used for.

Take a knife as an analogy: it can be used to cut food (good), cut other things in construction/manufacturing (good), cut people to save their lives in surgery (good) and cut people to hurt or kill them (bad).
So, it can be good or bad depending on what it's being used for.

This post has been edited by dawgg: 15.04.2011 12:22

dawgg, post 15.04.2011 12:21, Post #19 (Forum Elite; Group: Moderators; Posts: 9300; Joined: 6.04.2006; From: London)

feno, is it being removed only when you scan it via the right-click or also when you do not scan it?

Please open Kaspersky, click Quarantine (at the top) and select All in the drop-down list on the top-left.
Click Save on the top-right and attach that txt file here.

feno, post 15.04.2011 19:57, Post #20 (Newbie; Group: Members; Posts: 5; Joined: 7.04.2011)

It is removed:
- every time I boot up the computer, so every morning I have to create the hosts file before working
- sometimes promptly, without any particular reason

Here is the content of the file saved from Kaspersky

CODE
Detected (7)    
23/12/2010 10:59:04    Detected    legitimate program that could be exploited by a malicious individual to harm the computer or your data PDM.RootShell    Process in memory        C:\USERS\FENO\APPDATA\LOCAL\TEMP\    LBK_20100921150151_MULTILNG.EXE    High    
23/12/2010 10:59:38    Detected    legitimate program that could be exploited by a malicious individual to harm the computer or your data PDM.RootShell    Process in memory        C:\USERS\FENO\APPDATA\LOCAL\TEMP\    LBK_20101117150244_MULTILNG.EXE    High    
04/02/2011 16:22:19    Detected    legitimate program that could be exploited by a malicious individual to harm the computer or your data PDM.RootShell    Process in memory        C:\PROGRAM FILES\MYSQL\MYSQL WORKBENCH 5.2 CE\    MYSQLWORKBENCH.EXE    High    
18/02/2011 15:54:42    Detected    legitimate program that could be exploited by a malicious individual to harm the computer or your data PDM.RootShell    Process in memory        C:\USERS\FENO\DOWNLOADS\    NETBEANS-6.9.1-ML-PHP-WINDOWS.EXE    High    
22/02/2011 11:39:15    Detected    legitimate program that could be exploited by a malicious individual to harm the computer or your data PDM.RootShell    Process in memory        C:\XAMPP\PHP\    PHPUNIT.BAT    High    
13/04/2011 09:12:17    Detected    legitimate program that could be exploited by a malicious individual to harm the computer or your data PDM.RootShell    Process in memory        C:\PHP\    PHPUNIT.BAT    High    
22/02/2011 15:43:37    Detected    legitimate program that could be exploited by a malicious individual to harm the computer or your data PDM.RootShell    Process in memory        C:\PHP\    PHPCS.BAT    High    
Repaired (1)    
07/04/2011 10:56:27    Repaired    Trojan horse Trojan.Win32.Hosts2.gen    File        c:\Windows\System32\drivers\etc\    hosts    High
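As an added example, written for this page and not taken from the thread or from Kaspersky: a parser for an export of the shape feno posted. It checks that each section's declared count matches the rows under it, pulls the dotted detection name out of each verdict so the name-based exclusion dawgg described can be entered exactly ("Trojan.Win32.Hosts2.gen", not the surrounding description text), and lists the events that touched the hosts file. The column layout (`COLUMNS`) and the tab separators are my assumptions about the export format; the rows are the thread's, translated to English.

```python
"""Added example (not from the forum thread): parse a Kaspersky report export
of the shape posted above and extract exact detection names for exclusions.

Assumptions (mine): the export is plain text, section headers look like
"Detected (7)", and each row is tab-separated with the columns in COLUMNS.
"""
import re
from collections import Counter

COLUMNS = ("time", "status", "verdict", "object_type", "folder", "file", "severity")

# Rows reconstructed from the thread's posted export (translated); tabs assumed.
TMP = "C:\\USERS\\FENO\\APPDATA\\LOCAL\\TEMP\\"
PDM = ("legitimate program that could be exploited by a malicious individual "
       "to harm the computer or your data PDM.RootShell")
ROWS = [
    ("23/12/2010 10:59:04", "Detected", PDM, "Process in memory", TMP, "LBK_20100921150151_MULTILNG.EXE", "High"),
    ("23/12/2010 10:59:38", "Detected", PDM, "Process in memory", TMP, "LBK_20101117150244_MULTILNG.EXE", "High"),
    ("04/02/2011 16:22:19", "Detected", PDM, "Process in memory", "C:\\PROGRAM FILES\\MYSQL\\MYSQL WORKBENCH 5.2 CE\\", "MYSQLWORKBENCH.EXE", "High"),
    ("18/02/2011 15:54:42", "Detected", PDM, "Process in memory", "C:\\USERS\\FENO\\DOWNLOADS\\", "NETBEANS-6.9.1-ML-PHP-WINDOWS.EXE", "High"),
    ("22/02/2011 11:39:15", "Detected", PDM, "Process in memory", "C:\\XAMPP\\PHP\\", "PHPUNIT.BAT", "High"),
    ("13/04/2011 09:12:17", "Detected", PDM, "Process in memory", "C:\\PHP\\", "PHPUNIT.BAT", "High"),
    ("22/02/2011 15:43:37", "Detected", PDM, "Process in memory", "C:\\PHP\\", "PHPCS.BAT", "High"),
    ("07/04/2011 10:56:27", "Repaired", "Trojan horse Trojan.Win32.Hosts2.gen", "File", "c:\\Windows\\System32\\drivers\\etc\\", "hosts", "High"),
]
SAMPLE_REPORT = "\n".join(
    ["Detected (7)"] + ["\t".join(r) for r in ROWS[:7]]
    + ["Repaired (1)"] + ["\t".join(r) for r in ROWS[7:]])

HEADER_RE = re.compile(r"^(?P<section>\w+) \((?P<count>\d+)\)\s*$")
# The detection name is the trailing dotted token of the verdict text,
# e.g. "... your data PDM.RootShell" -> "PDM.RootShell".
DETECTION_RE = re.compile(r"(?:[A-Za-z0-9_-]+\.)+[A-Za-z0-9_-]+$")


def parse_report(text):
    """Return (events, mismatches): events as dicts keyed by COLUMNS plus
    'section' and 'detection'; mismatches maps section -> (declared, actual)
    where the header count disagrees with the rows found."""
    events, declared, actual, section = [], {}, Counter(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header["section"]
            declared[section] = int(header["count"])
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected column count in row: {line!r}")
        event = dict(zip(COLUMNS, fields))
        event["section"] = section
        match = DETECTION_RE.search(event["verdict"])
        event["detection"] = match.group(0) if match else None
        events.append(event)
        actual[section] += 1
    mismatches = {s: (declared[s], actual[s]) for s in declared if declared[s] != actual[s]}
    return events, mismatches


def exclusion_names(events):
    """Exact detection names, as they must be typed into a name-based exclusion."""
    return sorted({e["detection"] for e in events if e["detection"]})


def by_detection(events):
    """How many events each detection name accounts for."""
    return Counter(e["detection"] for e in events)


def hosts_events(events):
    """Events whose object is the system hosts file."""
    return [e for e in events
            if e["file"].lower() == "hosts" and e["folder"].lower().endswith("drivers\\etc\\")]


if __name__ == "__main__":
    evs, bad = parse_report(SAMPLE_REPORT)
    print("section count mismatches:", bad or "none")
    print("detections:", dict(by_detection(evs)))
    print("names for exclusion rules:", exclusion_names(evs))
    for e in hosts_events(evs):
        print(f"{e['time']} {e['status']}: {e['folder']}{e['file']} ({e['detection']})")
```

Run against the export as posted, this yields two distinct names: `PDM.RootShell`, which accounts for seven events on running processes (all developer tooling such as phpunit and MySQL Workbench), and `Trojan.Win32.Hosts2.gen`, which accounts for the single "Repaired" event on `c:\Windows\System32\drivers\etc\hosts` dated 07/04/2011. The name-based exclusion dawgg asked for should use that second string verbatim.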