Frequently encountered messages, you will find some hints here
Lucian Bara
post 17.04.2007 19:22
Post #1


True legend
***************

Group: Moderators
Posts: 53523
Joined: 28.01.2006
From: Timisoara, Romania




Win.MSSQL.worm.Helkern

1)What is Helkern?
Helkern is an internet worm, that exploits a vulnerability in Microsoft SQL server 2000.
You can find more about it here or here

2)Who is attacking me and why?
These attacks are made by the malware which tries to infect other vulnerable PCs. They are automated and target random PCs. The so-called attacking PCs are mostly victims of the malware themselves.

3)How can I protect myself?
First of all the Intrusion Detection System (IDS) in KIS blocks it, so you are safe. When the IDS blocks such an attack you will get a notification like this one:



Even without the IDS to block the attack only some PCs are vulnerable to it, PCs running SQL Server 2000 that aren't patched against this vulnerability.
This is why you should keep your PC updated, not only against this form of malware but also others.

4)How can I get rid of this notification?
If you find this notification annoying then you can easily disable it, by clicking on the arrow pointing downwards in the notification and selecting "Disable this notification".



This post has been edited by Lucian Bara: 30.09.2007 00:38
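The post above says which hosts "attack" you are simply infected machines spraying random targets. As an added example (not code from the post or from Kaspersky), here is a small detector for Helkern propagation datagrams run over constructed sample traffic. Helkern is Kaspersky's name for the worm better known as SQL Slammer, and the public facts it matches on are: a single UDP datagram to port 1434 (the SQL Server 2000 Resolution Service) with a 376-byte payload whose first byte is the 0x04 request opcode, followed by a long run of 0x01 bytes that overflows the instance-name buffer (the hole closed by Microsoft bulletin MS02-039). The padding-run threshold and the sample addresses are my own choices; the constructed payload has the worm's shape but carries no exploit code.

```python
"""Added example, not code from the original forum post: a small detector for
Helkern (SQL Slammer) propagation datagrams, run over constructed sample
traffic rather than a real capture.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

SQL_RESOLUTION_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376   # UDP payload length of the worm
MIN_PADDING_RUN = 64        # assumption: how much 0x01 filler counts as suspicious


@dataclass(frozen=True)
class Datagram:
    src: str        # source address (the "attacking PC")
    dst_port: int
    payload: bytes


def leading_padding_run(payload: bytes) -> int:
    """Count the 0x01 bytes that immediately follow the opcode byte."""
    run = 0
    for byte in payload[1:]:
        if byte != 0x01:
            break
        run += 1
    return run


def is_helkern(dg: Datagram) -> bool:
    """True when the datagram fits the Slammer propagation pattern.

    Legitimate Resolution Service traffic is a few bytes long (a 0x02 ping or
    0x04 plus a short instance name), so the fixed 376-byte size and the
    padding run are what separate the worm from normal lookups.
    """
    if dg.dst_port != SQL_RESOLUTION_PORT or not dg.payload:
        return False
    if dg.payload[0] != 0x04 or len(dg.payload) != SLAMMER_PAYLOAD_LEN:
        return False
    return leading_padding_run(dg.payload) >= MIN_PADDING_RUN


def attacking_hosts(traffic: Iterable[Datagram]) -> Counter:
    """Map each source address to the number of worm datagrams it sent."""
    return Counter(dg.src for dg in traffic if is_helkern(dg))


def fake_worm_payload() -> bytes:
    """Constructed stand-in with the worm's shape (opcode, padding, filler);
    it carries no exploit code."""
    head = b"\x04" + b"\x01" * 97
    return head + b"\x90" * (SLAMMER_PAYLOAD_LEN - len(head))


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_TRAFFIC = [
    Datagram("192.0.2.10", 1434, fake_worm_payload()),
    Datagram("192.0.2.10", 1434, fake_worm_payload()),
    Datagram("198.51.100.7", 1434, b"\x02"),                       # SSRS ping
    Datagram("198.51.100.8", 1434, b"\x04" + b"MSSQLSERVER\x00"),  # instance lookup
    Datagram("203.0.113.5", 53, b"\x04" + b"\x01" * 375),          # not port 1434
]

if __name__ == "__main__":
    for src, count in attacking_hosts(SAMPLE_TRAFFIC).items():
        print(f"{src}: {count} Helkern datagram(s) would be blocked")
```

The counter keyed by source address is the list of infected hosts the post talks about; on a real network the two useful follow-ups are blocking UDP/1434 at the perimeter and patching any SQL Server 2000 that shows up as a source.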
Lucian Bara
post 17.04.2007 19:24
Post #2


Keylogger

1)What is this message and why am I getting it?
Beginning with version 6.0.1.411 (also known as MP1) KAV/KIS 6 can detect keyloggers based on the behaviour of an application.
Because of this you can get popups from KIS about certain applications, popups like this one:



These aren't false detections; KAV is detecting the keylogger based on behaviour (capturing certain keys, filtering keys etc.), behaviour that is displayed by genuine keyloggers as well.

2)How can I tell if the program is legitimate?
If you aren't entirely sure about the application you can use an internet search engine (Google, Yahoo, Ask etc.) to search for its name or even search the forum.

When you know that the application is trustworthy (for example ICQ, Skype and so on) you can add it to the trusted zone, there's a link at the bottom of the popup for that.



If you haven't found any conclusive information on it, or if it's actually a genuine keylogger, feel free to post a new subject in the Virus related issues section.

3)Terminate is disabled in some keylogger popups
The programs detected as keyloggers are drivers; since you can't terminate a driver on the fly, only Allow is available.

4)Kernel mode memory patch
If a keylogger popup shows this as the keylogger name and you are using a HIPS (host intrusion prevention system) application like System Safety Monitor or Process Guard, then it is safe to add that to the trusted zone, as this behaviour is common with such tools.

5)Increased "Keylogger" activity after upgrading to v7
Starting with v7 Kaspersky Internet Security and Anti-Virus include additional protection against keyloggers. One of these is detection of programs using DirectX DirectInput methods for keylogging. Unfortunately a lot of legitimate programs use these methods too, mostly games and media players. However these don't actually log keys like a keylogger.
If you know that the program is safe (a normal game from a large Company like EA for example, or a video player like WinDVD or PowerDVD) then you can add it to the trusted zone.

This post has been edited by Lucian Bara: 4.08.2007 23:18


Lucian Bara
post 20.04.2007 17:54
Post #3


Integrity violations

1)Why do I get such a message?
If you enabled the application integrity control, you will certainly get such messages.
Integrity control monitors a list of so-called critical applications. Changes caused by malware that occur to these applications could seriously compromise the system. The component will notify you when changes in these applications occur, or when one of these applications attempts to load a new or modified module file. In this case it will display a popup like this one:



2)So what can I do?
At first such messages will occur frequently since all of the loaded modules are new or modified.
If you click Details you will be presented with another window. Open the Modules tab and you will be shown information about this module, such as path, version, manufacturer and description. If you still don't know if you should trust it you can search for the file name using an online search engine to get more information. After you have decided if the module is clean or not you can allow it or deny it; Allow will let the program load the module and Deny will block it.
If you know that your PC is clean you can save time and check Apply to all; when that option is selected all of the modules loaded by that application this session will be allowed/denied.
Also, if the module is used by more than one program (for example files in the windows\system32 directory are usually used by more than one application) you can add them to the shared DLL list so that you won't get notifications if the module is loaded by another critical application. This is done by clicking the Add to Shared Dll list option at the bottom of the popup wizard. Again you will be presented with the choice to add only this module or all of the modules loaded by the application this session.
After an update of the application, or a windows update you might get a popup for a module you allowed, this is normal since the file has changed since the last time it was loaded.

3)I have accidentally blocked a module
If you have blocked a module, you will get such a popup every time the application tries to load that module. The popup displays the name of the critical application for which the module was blocked (in this case iexplore.exe, Microsoft Internet Explorer).



Go to Settings, click on Proactive defense on the left side and click on Settings next to the Application Integrity control. The window which is now displayed contains the list of the monitored applications; when you have found the one you were looking for, select it and click Details. This next window gives you an overview of the modules which have a predefined action. Look for the blocked module (you can recognize it by the Action next to it), select it, click Edit and change the action from Block to Allow. Then press OK to leave the settings.



4)This is too complicated for me
The integrity control is a component designed for users who have a better understanding of computers. If those popups annoy you or if you can't handle the popups you can disable the integrity control under Settings, Proactive defense; you will not lose much protection by doing so.

This post has been edited by Lucian Bara: 26.12.2007 01:41
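The post describes four situations: a module seen for the first time, a module allowed once and then loaded unchanged by another critical application via the shared DLL list, a module accidentally denied and later set back to Allow, and a known module whose file changed after an update. As an added example (not code from the post or from Kaspersky's product), the model below walks through exactly those situations. Module contents are constructed byte strings hashed in memory; a real check would hash the files on disk. The application names, module paths and verdict strings are my own.

```python
"""Added example, not code from the original forum post: a model of the
application integrity control described above. Each critical application has
its own list of known modules (path plus hash), a shared DLL list covers
modules used by several critical applications, and a denied module stays
blocked until its action is edited back to Allow.
"""
import hashlib
from typing import Dict, List, Set


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class IntegrityControl:
    def __init__(self, critical_apps: List[str]) -> None:
        self.known: Dict[str, Dict[str, str]] = {app: {} for app in critical_apps}
        self.shared: Dict[str, str] = {}                 # shared DLL list
        self.blocked: Dict[str, Set[str]] = {app: set() for app in critical_apps}

    def check_load(self, app: str, module: str, content: bytes) -> str:
        """Verdict for `app` loading `module` with the given contents."""
        if app not in self.known:
            return "unmonitored"
        if module in self.blocked[app]:
            return "blocked"                   # Deny was chosen earlier
        digest = fingerprint(content)
        if self.known[app].get(module) == digest or self.shared.get(module) == digest:
            return "allowed"                   # seen before, unchanged
        if module in self.known[app] or module in self.shared:
            return "prompt: modified module"   # e.g. after a Windows update
        return "prompt: new module"

    def allow(self, app: str, module: str, content: bytes, shared: bool = False) -> None:
        """The user's Allow; with shared=True also "Add to Shared Dll list"."""
        digest = fingerprint(content)
        self.known[app][module] = digest
        self.blocked[app].discard(module)
        if shared:
            self.shared[module] = digest

    def deny(self, app: str, module: str) -> None:
        self.blocked[app].add(module)

    def unblock(self, app: str, module: str) -> None:
        """Settings > Proactive defense > Application Integrity control:
        change the module's action from Block back to Allow."""
        self.blocked[app].discard(module)


def run_scenario() -> List[str]:
    """Walk through the situations the post describes and return the verdicts."""
    ic = IntegrityControl(["iexplore.exe", "explorer.exe"])
    wininet_v1 = b"constructed wininet.dll build 1"
    wininet_v2 = b"constructed wininet.dll build 2"   # after a Windows update
    shell32 = b"constructed shell32.dll"
    wininet = r"C:\Windows\system32\wininet.dll"
    shell = r"C:\Windows\system32\shell32.dll"
    out = []

    out.append(ic.check_load("iexplore.exe", wininet, wininet_v1))   # new module
    ic.allow("iexplore.exe", wininet, wininet_v1, shared=True)
    out.append(ic.check_load("explorer.exe", wininet, wininet_v1))   # via shared list

    out.append(ic.check_load("iexplore.exe", shell, shell32))        # new module
    ic.deny("iexplore.exe", shell)                                   # accidental block
    out.append(ic.check_load("iexplore.exe", shell, shell32))        # blocked
    ic.unblock("iexplore.exe", shell)
    ic.allow("iexplore.exe", shell, shell32)
    out.append(ic.check_load("iexplore.exe", shell, shell32))        # allowed

    out.append(ic.check_load("iexplore.exe", wininet, wininet_v2))   # file changed
    return out


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The last verdict is the case the post flags as normal: the path is known but the hash no longer matches, so the user is asked again after an update rather than the changed file being trusted silently.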
Lucian Bara
post 21.04.2007 14:19
Post #4


Self-Defense

Starting with version 6 Kaspersky Anti-virus and Internet Security include a self-defense feature. This will deny another application's attempts to:
-access the avp processes, or code injections into them
-terminate them
-delete/change the Anti-virus files, folders and registry keys

When a program tries to access one of the running avp.exe processes or terminate them you will be shown a popup like this one:



Like stated in the popup, the action was blocked and you don't have to do anything. A lot of common Windows programs will display such actions, like Task Manager in this case. They are not dangerous and you don't have to panic if you see such a message.

Should the notifications annoy you, you can turn them off by clicking on the arrow in the notification and choosing Disable this notification:



This post has been edited by Lucian Bara: 29.08.2007 22:20
Lucian Bara
post 22.06.2007 12:31
Post #5


Invader & Invader (loader)
1)What is this?
Starting with version 6 both Kaspersky Anti-virus and Kaspersky Internet Security include a Proactive Defense Module (a behaviour blocker) which can detect suspicious activities based on the behaviour of an application. Invader is the verdict given when a process tries to inject code into another process (code injection). This is done to manipulate certain things in it. This corresponds to the option "Intrusion into processes" in the Activity Analyzer settings. Invader (loader), although similar in name to Invader, behaves differently. In this case the process tries to inject a module into another process (DLL injection). This corresponds to the option "Window Hooks" in the Activity Analyzer settings.



When one of these actions is detected you will be presented with a popup similar to this one:
Invader:



The choices you are allowed to make are:
Terminate: Injection will be denied and the process attempting it terminated
Deny: Injection will be denied but the process will still run
Skip: Injection will be allowed
Add to trusted Zone: Detection mask for the application will be placed into the trusted zone so there will be no more Invader detections for that process.

Invader (loader):



The choices you are allowed to make are:
Terminate: Injection will be denied and the process attempting it terminated
Allow: Injection will be allowed
Deny: Injection will be denied but the process will still run
Add to trusted Zone: Detection mask for the application will be placed into the trusted zone so there will be no more Invader (loader) detections for that process.

2)So what should I do?
Invader & Invader (loader) can be restricted to an application, meaning that it's easy to identify the program causing this. In this case you can search around the forum or use a search engine like Google to get details on the process or if this particular detection occurred before. If you decide that the application is safe you can use the Add to trusted zone option.



Should it not be safe you can send it for analysis to newvirus@kaspersky.com or start a topic on that subject.
There are a few applications with which this can be expected like games, or applications which do things like screen capture.

3)I am getting such popups from all my applications
If that should occur then something is not right; it might be a conflict with another application or it could be malware.
There are a few known applications with which this can occur:
Spyware Doctor
Comodo Firewall
Skinning applications like Windows Blinds
In this case you can either disable the option in the Proactive defense settings or uninstall the application. In some cases this won't lower your security (for example Comodo Firewall also monitors injections).

If you can't figure out what is causing it start a new topic

This post has been edited by Lucian Bara: 24.01.2009 18:02
Lucian Bara
post 29.08.2007 22:03
Post #6


Trojan.generic and Trojan.cryptor
Trojan.generic
1)Why do i get this message?
Trojan.generic is one of the common popups that you will experience; you will mostly receive it at installations.
This behavioural detection is very simple. If a program creates a copy of itself somewhere and then registers that copy as an autostart object, then a Trojan.generic popup like this one is issued.



A lot of malware uses this method to "install" itself on your PC. Some applications also exhibit this behaviour, mostly programs where the installer and the executable are the same file. However uninstallation processes can also display this behaviour, as some place a temporary executable in startup to remove parts of the installation on startup.

2)What can i do?
The available options are:
Quarantine: The process will be terminated and the file placed in the quarantine. Afterwards, a Rollback popup will appear. By clicking the Rollback button the changes made by that application are reverted.
Terminate: Process is terminated, but the executable still resides in the same place as before
Allow: Action is allowed
Add to Trusted zone: An Exclusion Mask is created for the corresponding executable.
If you are installing/uninstalling an application or have clicked an option "Load at startup" and see this behaviour, it most likely belongs to it, and the application is safe. Clicking on the Details link and viewing the History tab will reveal other actions of the application so far.
If the program is safe you can add it to the trusted zone, however if this is an installation you will only see the popup once or twice so Skip is a better option.
If you don't recognize the process then try looking at the history panel, it's possible that you will see what files the process created and they will match the installed application. If you think it's malware, or if you are uncertain about it, quarantine the file and send it to analysis as described here


Trojan.cryptor
1)Why do i get this message?
Trojan.cryptor is another common message, but not as easily reproducible as the Trojan.generic popup. It is issued when a program tries to encrypt certain data, the popup looks like this:



There is malware out there which can encrypt documents and then request money for a decryption key, so this detection can prove quite useful.

2)What can i do?
The available options are:
Quarantine: The process will be terminated and the file placed in the quarantine. Afterwards, a Rollback popup will appear. By clicking the Rollback button the changes made by that application are reverted.
Terminate: Process is terminated, but the executable still resides in the same place as before
Allow: Action is allowed
Add to Trusted zone: An Exclusion Mask is created for the corresponding executable.
This behavioural pattern is very complex and its occurrence can't be easily reproduced. Also, because of its complexity, tweaking is possible, so it can happen that some popups don't reoccur as the signature was tweaked to exclude that specific behaviour. As with any proactive defense popup, if you know the application is trustworthy you can choose Add to Trusted zone, creating an exclusion mask. If you are uncertain about it or if you think it's malware you can send it for analysis as described here

This post has been edited by Lucian Bara: 24.01.2009 18:00
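The post gives two behavioural rules in words: Trojan.generic fires when a process copies itself and registers the copy as an autostart object, and Trojan.cryptor when a program starts encrypting data. As an added example (not code from the post or Kaspersky's own heuristics, which are not public), here are both rules applied to a constructed process event trace. The trace also contains the two benign cases the post mentions, an installer that legitimately trips the first rule and a program with "Load at startup" ticked that does not. The Run-key list, document extensions, entropy threshold and file-count threshold are my assumptions.

```python
"""Added example, not code from the original forum post: the two behavioural
rules the post describes, applied to a constructed process event trace.

Trojan.generic: a process copies its own image somewhere and then registers
that copy as an autostart object (here: a value under a Run key).
Trojan.cryptor: a process overwrites several user documents with
high-entropy data, the signature of in-place encryption.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

AUTORUN_KEYS = (                      # assumption: autostart locations modelled
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
DOCUMENT_EXTENSIONS = (".doc", ".xls", ".pdf", ".jpg")   # assumption
ENTROPY_THRESHOLD = 7.0     # bits per byte; assumption
MIN_ENCRYPTED_FILES = 3     # assumption


@dataclass(frozen=True)
class Event:
    pid: int
    image: str          # full path of the process executable
    kind: str           # "copy", "regset" or "write"
    target: str         # copy destination, registry key, or file written
    data: bytes = b""   # regset: value data; write: new file contents
    source: str = ""    # copy: file being copied


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyse(trace: List[Event]) -> Dict[int, List[str]]:
    """Return {pid: [verdicts]} for the processes that tripped a rule."""
    self_copies = defaultdict(set)   # pid -> lowercase paths it copied itself to
    encrypted = defaultdict(set)     # pid -> documents overwritten with high entropy
    verdicts: Dict[int, List[str]] = {}

    def flag(pid: int, verdict: str) -> None:
        if verdict not in verdicts.setdefault(pid, []):
            verdicts[pid].append(verdict)

    for ev in trace:
        if ev.kind == "copy" and ev.source.lower() == ev.image.lower():
            self_copies[ev.pid].add(ev.target.lower())
        elif ev.kind == "regset" and ev.target in AUTORUN_KEYS:
            autostart = ev.data.decode("utf-8", "replace").strip('"').lower()
            if autostart in self_copies[ev.pid]:      # the copy is the autostart object
                flag(ev.pid, "Trojan.generic")
        elif ev.kind == "write" and ev.target.lower().endswith(DOCUMENT_EXTENSIONS):
            if shannon_entropy(ev.data) >= ENTROPY_THRESHOLD:
                encrypted[ev.pid].add(ev.target.lower())
                if len(encrypted[ev.pid]) >= MIN_ENCRYPTED_FILES:
                    flag(ev.pid, "Trojan.cryptor")
    return verdicts


# Constructed trace; paths and process names are illustrative only.
_HIGH_ENTROPY = bytes(range(256)) * 16       # stands in for ciphertext
_PLAIN_TEXT = b"Quarterly report, draft 3. " * 100
_SETUP = r"C:\Users\me\Downloads\setup.exe"
_LOCKER = r"C:\Users\me\AppData\Local\Temp\lock.exe"
_WORD = r"C:\Program Files\Office\winword.exe"

SAMPLE_TRACE = [
    # an installer copying itself into Program Files and registering the copy
    Event(100, _SETUP, "copy", r"C:\Program Files\Tool\tool.exe", source=_SETUP),
    Event(100, _SETUP, "regset", AUTORUN_KEYS[0], data=rb"C:\Program Files\Tool\tool.exe"),
    # a process rewriting documents with ciphertext-looking bytes
    Event(200, _LOCKER, "write", r"C:\Users\me\Documents\a.doc", data=_HIGH_ENTROPY),
    Event(200, _LOCKER, "write", r"C:\Users\me\Documents\b.xls", data=_HIGH_ENTROPY),
    Event(200, _LOCKER, "write", r"C:\Users\me\Documents\c.pdf", data=_HIGH_ENTROPY),
    # a word processor saving normally, then "Load at startup" without a self-copy
    Event(300, _WORD, "write", r"C:\Users\me\Documents\d.doc", data=_PLAIN_TEXT),
    Event(300, _WORD, "regset", AUTORUN_KEYS[0], data=_WORD.encode()),
]

if __name__ == "__main__":
    for pid, names in analyse(SAMPLE_TRACE).items():
        print(pid, names)
```

Process 100 is the installer case the post calls safe: the rule fires exactly as it would for malware, which is why the post recommends checking the History tab before choosing Quarantine or Skip. Process 300 writes a document and registers an autostart entry but neither is suspicious on its own, so it gets no verdict.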