Full Version: Warning: false positive
Kaspersky Lab Forum > English User Forum > Protection for Small and Medium Businesses
aehrlich
19.04.2009 there was published a virus definition update that led to a false positive "Backdoor.Win32.Agent.afqs" in the file wmiprvse.exe (at least on WXP SP3 EN with the latest, i.e. 14.04., updates).
The "falseness" has been confirmed by Kaspersky VirusLab and they have promised to publish a correction to the virus definitions.
Kidbyte
If my system "deletes" the critical file from a client, how can it be restored? My kav 6.0 is detecting it on all my xp boxes and removing it.
QUOTE(aehrlich @ 19.04.2009 11:55) *
19.04.2009 there was published a virus definition update that led to a false positive "Backdoor.Win32.Agent.afqs" in the file wmiprvse.exe (at least on WXP SP3 EN with the latest, i.e. 14.04., updates).
The "falseness" has been confirmed by Kaspersky VirusLab and they have promised to publish a correction to the virus definitions.

aehrlich
No updated virus definitions so far...
Vitaly Belyakov
QUOTE(aehrlich @ 19.04.2009 20:55) *
19.04.2009 there was published a virus definition update that led to a false positive "Backdoor.Win32.Agent.afqs" in the file wmiprvse.exe (at least on WXP SP3 EN with the latest, i.e. 14.04., updates).
The "falseness" has been confirmed by Kaspersky VirusLab and they have promised to publish a correction to the virus definitions.


Did you report this to our virus analysts (newvirus@kaspersky.com), and if so, how long ago?
aehrlich
QUOTE(Vitaly Belyakov @ 20.04.2009 09:00) *
Did you report this to our virus analysts (newvirus@kaspersky.com), and if so, how long ago?

Yes I did. The reply was as follows:

-------- Original Message --------
Subject: RE: [VirLabSRF][False Alarm][M:1][LN:RU][L:0] [KLAN-26845990]
Date: Sun, 19 Apr 2009 20:11:23 +0400
From: <newvirus@kaspersky.com>
To: <removed>
Hello,

This was a false positive.
It will be fixed.
Thank you for your help.

<translation for english-speaking people>
Hello,
It was a false alarm.
It will be fixed.
Thank you for your help.
</translation for english-speaking people>

aehrlich
And please note that deleting the wmiprvse.exe file prevents about 1/4 (in my setup) of the system services from starting...
Vitaly Belyakov
This false positive was fixed yesterday at 20.30 (GMT+03). Don't forget to update your databases.
vlad78
Problem not solved!!
aehrlich
QUOTE(Vitaly Belyakov @ 20.04.2009 09:32) *
This false positive was fixed yesterday at 20.30 (GMT+03). Don't forget to update your databases.

Very interesting behaviour of KAV.
In the 1st attached screenshot one can see two updates: 19.04.2009 21:40:26 and 20.04.2009 08:43:07. The latter of them stated that "update is not required" (the 2nd screenshot). In between, the false positive still occurred.
However, if I make an explicit scan for viruses for the file now it is not reported as infected anymore.
Any comments to this?
ac4362
QUOTE(Kidbyte @ 20.04.2009 02:14) *
If my system "deletes" the critical file from a client, how can it be restored? My kav 6.0 is detecting it on all my xp boxes and removing it.

Up !

Is there any way to restore from the Admin Kit? Because it did it on a lot of computers too.
Tybilly
Hello,

How to restore the file from the Administration Server:

1. Create a policy for Kaspersky network Agent: http://support.kaspersky.com/faq?qid=205057289
2. Enable the option "Transfer information about the objects in Backup to the Administration Server": http://support.kaspersky.com/faq?qid=205057289#set
Do not forget to lock this setting.
3. In the Administration Console, under Storage > Backup menu, you will see all files that have been placed into the backup storage. Right click on each object and restore it to its original location.

ac4362
QUOTE(Tybilly @ 20.04.2009 10:15) *
Hello,

How to restore the file from the Administration Server:

1. Create a policy for Kaspersky network Agent: http://support.kaspersky.com/faq?qid=205057289
2. Enable the option "Transfer information about the objects in Backup to the Administration Server": http://support.kaspersky.com/faq?qid=205057289#set
Do not forget to lock this setting.
3. In the Administration Console, under Storage > Backup menu, you will see all files that have been placed into the backup storage. Right click on each object and restore it to its original location.

(Thank you very much Tybilly)²!

This policy answers all the problems I was trying to solve with Kaspy!!!!

aehrlich
QUOTE(aehrlich @ 20.04.2009 10:30) *
Very interesting behaviour of KAV.
In the 1st attached screenshot one can see two updates: 19.04.2009 21:40:26 and 20.04.2009 08:43:07. The latter of them stated that "update is not required" (the 2nd screenshot). In between, the false positive still occurred.
However, if I make an explicit scan for viruses for the file now it is not reported as infected anymore.
Any comments to this?

OK, the statement about the strange behaviour ("update is not required") was my fault: there were two updates, 08:43 and 08:45, and the "update is not required" message concerned the second one, so no more mystery.
However, the stated fix time 20:30 GMT+3 (Moscow time) is 19:30 GMT+2, am I correct ;-)? And from the screenshots one could see that the false positive was still detected after update at 21:40 GMT+2, i.e. 2 hours later than the "stated fix time".
g3l33m
QUOTE(aehrlich @ 19.04.2009 11:55) *
19.04.2009 there was published a virus definition update that led to a false positive "Backdoor.Win32.Agent.afqs" in the file wmiprvse.exe (at least on WXP SP3 EN with the latest, i.e. 14.04., updates).
The "falseness" has been confirmed by Kaspersky VirusLab and they have promised to publish a correction to the virus definitions.

Does kaspersky even test any of their releases so this crap doesn't happen? Sure doesn't seem so. Also seems that if you are running kas in a business setting you are doing a lot more work fixing its screwups than you would if you actually had REAL viruses instead of false positives. I've said it in the past and I'll say it again, I rue the day I picked kas for our office and will NEVER renew it again. Now I've got to go restore all the wmiprvse.exes that kas deleted. Nice.
svsuser
QUOTE(g3l33m @ 20.04.2009 08:23) *
Does kaspersky even test any of their releases so this crap doesn't happen? Sure doesn't seem so. Also seems that if you are running kas in a business setting you are doing a lot more work fixing its screwups than you would if you actually had REAL viruses instead of false positives. I've said it in the past and I'll say it again, I rue the day I picked kas for our office and will NEVER renew it again. Now I've got to go restore all the wmiprvse.exes that kas deleted. Nice.

Kaspersky smoked wmiprvse.exe off of 30 of my XP boxes. Now I too am wondering about this. In another month I am adding 200 new workstations running new Point-Of-Sale software in our 53 offices. Since they will all be managed through Kaspersky, I am really concerned that this might happen again with much larger and far reaching results.
Tybilly
I already asked this question in the past, and yes, there is a QA process: threat signatures are uploaded to a pre-release server, which is:
ftp://dnl-test.kaspersky-labs.com/beta_updates/pre-release/

After that they are checked for false alarms for some time, and at the end they are finally pushed to the public update servers.

QUOTE(aehrlich @ 20.04.2009 10:39) *
OK, the statement about the strange behaviour ("update is not required") was my fault: there were two updates, 08:43 and 08:45, and the "update is not required" message concerned the second one, so no more mystery.
However, the stated fix time 20:30 GMT+3 (Moscow time) is 19:30 GMT+2, am I correct ;-)? And from the screenshots one could see that the false positive was still detected after update at 21:40 GMT+2, i.e. 2 hours later than the "stated fix time".

This QA process can explain why this false alarm has been fixed at 20:30 GMT+3 whereas the file was still detected later.

QUOTE(svsuser @ 20.04.2009 17:51) *
Kaspersky smoked wmiprvse.exe off of 30 of my XP boxes. Now I too am wondering about this. In another month I am adding 200 new workstations running new Point-Of-Sale software in our 53 offices. Since they will all be managed through Kaspersky, I am really concerned that this might happen again with much larger and far reaching results.

You can add your software to the exclusion list; then you will be sure it cannot be flagged as a threat by Kaspersky Anti-Virus.
Adrian B
QUOTE(g3l33m @ 20.04.2009 13:23) *
Does kaspersky even test any of their releases so this crap doesn't happen?

FYI - false positives occurred with other vendors as well, e.g. F-Secure and ZoneAlarm. The suggestion was that the issue lies with patch KB956572, but I've no set-up where that patch hadn't been applied to test whether it would have generated a false +ve on prior versions.
jlucas
Check the log files and the email notifications (if enabled) for the detection event. I bet you'll find that the notifications that you are getting are from the original detection and not from a false positive that hasn't been corrected.

In my case the original detection of the false positive on wmiprvse.exe keeps getting re-emailed to me, not a continuing false positive report on the affected file. I've run a manual scan on wmiprvse.exe and it came back clean.

So to recap:
KAV had a false positive, this was corrected in a definition update file, and KAV Admin Kit keeps emailing a detection report for the original detection - it is not a continuing false positive.

Hope that helps.