Full Version: Proactive Defense "white list"
Kaspersky Lab Forum > Beta Testing > KIS\KAV 2015
The_BMK
Acrobat Reader

Execution of macro 'API function 'OpenClipboard' from library 'user32'' in document 'C:\Programme\Adobe\Acrobat 6.0\PDFMaker\Office\PDFMaker.ppa' is blocked


PDF Maker (Excel)

Execution of macro 'API function 'GetVersion' from library 'kernel32'' in document '...\Anwendungsdaten\Microsoft\Excel\XLSTART\PDFMaker.xla' is blocked
c4p0ne
BlackICE PC protection:

Temp folder, "blat.exe"
rthrdsmt
These applications are in my exclusion mask list:


MacroExpress:
C:\Program Files\Macro Express3\MacExp.exe Keylogger

Oxford English Dictionary. I think the invader-like behaviour is caused by the CD-Cops protection software that comes with it:
C:\Program Files\OED\OED CD v3.1\Bin\OEDCD_V3.QZ_ Invader
C:\Program Files\OED\OED CD v3.1\Bin\OEDCD_V3.W_X Invader

Favorites Home Page. A script which used to be available for download. It builds an organized HTML document with hyperlinks from your IE favorites (very handy as a personal start page). This is not being maintained anymore, so perhaps too obscure for the whitelist:
C:\Program Files\Favorites Home Page\homepage.js Hidden data sending

An all running applications closer:
C:\Program Files\SmartClose\SmartClose.exe Invader

And two TuneUp utilities components:
C:\Program Files\TuneUp Utilities 2007\WinStyler.exe Invader
C:\Program Files\TuneUp Utilities 2007\ProcessManager.exe Invader
zammy
Hi
Hey, I think you people should take a look at the "Bit Defender" white list...

Object name : C:\Program Files\Digital Asphyxia\Y!TunnelPro 2.5\YTPro.exe
Verdict mask : C:\Program Files\Digital Asphyxia\Y!TunnelPro 2.5\YTSysHk.dl
dah145
Sandboxie:


Start.EXE verdict: Invader

SandboxieRcpSs.EXE verdict: Invader

www.sandboxie.com

dawgg
Suggestion: add all verified Microsoft certified files to the whitelist, providing they have not been modified since being verified... if they have been modified, verify the integrity of the file and add it to the whitelist again if it is genuinely certified?

I don't know if this is safe or not; if it's not, don't bother... don't all complain to me that it's a bad idea, I don't know too much about viruses and vulnerabilities and all that... the ball's in your court, up to you. If the suggestion is not a good idea, disregard this post.
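One way to implement the scheme sketched in the post above (hash-keyed allow-list, re-verified against the file's Authenticode signature when the hash changes), as an added PowerShell example that is not code from the thread or from Kaspersky Lab. The allow-list file location and the trusted-publisher subjects are placeholders chosen for the example; `Get-AuthenticodeSignature` and `Get-FileHash` are the standard Windows PowerShell cmdlets.

```powershell
# Added example, not code from the thread or from Kaspersky Lab.
# A minimal allow-list keyed on SHA-256: a file stays allowed while its hash is
# unchanged; once it changes it is re-verified against its Authenticode signature
# and only re-admitted if that signature is valid and from a publisher we trust.
# Assumptions: the allow-list path and the trusted-publisher list are placeholders
# chosen for this example, not anything the product itself uses.

$AllowListPath = Join-Path $env:ProgramData 'AllowListExample\allowlist.json'

# Publisher subjects we accept. Matching on the CN prefix keeps the example short;
# in practice pin the signing certificate's thumbprint rather than a name.
$TrustedSubjects = @('CN=Microsoft Windows', 'CN=Microsoft Corporation')

function Get-FileTrustInfo {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = (Resolve-Path $Path).Path
        Sha256    = $hash
        SigStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

function Test-TrustedSigner {
    param([string]$Subject)
    foreach ($t in $TrustedSubjects) {
        if ($Subject -like "${t}*") { return $true }
    }
    return $false
}

function Read-AllowList {
    # Stored as a JSON object: { "<full path>": "<sha256>", ... }
    $list = @{}
    if (Test-Path $AllowListPath) {
        $json = Get-Content -Path $AllowListPath -Raw | ConvertFrom-Json
        foreach ($p in $json.PSObject.Properties) { $list[$p.Name] = $p.Value }
    }
    return $list
}

function Save-AllowList {
    param([hashtable]$List)
    New-Item -ItemType Directory -Force -Path (Split-Path $AllowListPath) | Out-Null
    $List | ConvertTo-Json | Set-Content -Path $AllowListPath
}

function Test-AllowedFile {
    param([Parameter(Mandatory)][string]$Path)
    $list = Read-AllowList
    $info = Get-FileTrustInfo -Path $Path

    # Case 1: known file, unchanged since we verified it -> allowed, no prompt needed.
    if ($list.ContainsKey($info.Path) -and $list[$info.Path] -eq $info.Sha256) {
        return "ALLOW  $($info.Path) (hash unchanged since verification)"
    }

    # Case 2: new or modified file -> re-verify. A tampered binary fails with
    # HashMismatch; a legitimately updated, signed binary passes and its new hash is stored.
    if ($info.SigStatus -eq 'Valid' -and (Test-TrustedSigner -Subject $info.Signer)) {
        $list[$info.Path] = $info.Sha256
        Save-AllowList -List $list
        return "ALLOW  $($info.Path) (signature re-verified, new hash recorded)"
    }

    # Case 3: unsigned, broken signature or untrusted publisher -> fall back to the normal prompt.
    return "PROMPT $($info.Path) (status=$($info.SigStatus); signer='$($info.Signer)')"
}

# Usage (Windows PowerShell 4 or later, where Get-FileHash is available):
#   Test-AllowedFile -Path "$env:SystemRoot\System32\notepad.exe"
```

The three branches are the substance of the suggestion: an unchanged hash is cheap to check and needs no re-verification, while a changed hash forces the signature check, which is what separates a patched-in-place binary (signature status HashMismatch) from a genuine update (Valid, new hash recorded). A program that rewrites its own executable without re-signing it lands in the third branch on every launch, so a hash-only whitelist cannot silence that kind of prompt by itself.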
ilev
c:\program files\internet explorer\iexplor.exe
detected modification of riskware - Hidden data sending
AHS0
With KIS MP2 and its default settings, where under malware categories
"Potentially dangerous software (riskware)" is not checked,
I got these proactive defense alerts:



detected: riskware Invader (loader) Running process: C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
detected: riskware Invader (loader) Running process: C:\Program Files\Logitech\SetPoint\KEM.exe

2/17/2007 2:55:25 PM C:\Program Files\Logitech\SetPoint\KEM.exe Process is trying to inject module C:\Program Files\Logitech\SetPoint\HookDll.dll into all processes. This behaviour is typical of some malicious programs.


2/17/2007 2:39:43 PM C:\Program Files\Babylon\Babylon-Pro\Babylon.exe Process is trying to inject module C:\Program Files\Babylon\Babylon-Pro\CAPTLIB.DLL into all processes. This behaviour is typical of some malicious programs.

child processes


C:\Program Files\Logitech\SetPoint\KHALMNPR.exe 2080 KHALMNPR.EXE /API
Big_Dawg
CounterSpy 2.1.917
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

Tried to save the verdicts but now I cannot find them.

Here is one of the alerts.

02/27/2007 5:10:05 PM Process
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe (PID: 2112): suspicious action.
Attempt to create list of system services
(key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SBTEDrv, value ImagePath, data \??\C:\WINDOWS\SYSTEM32\drivers\SBTEDrv.sys).


Thanks
Big_Dawg
charlie__
QUOTE(abuttayeb @ 28.10.2005 03:04)
Can't you guys set the update to "manual" under settings? This way AVP won't connect automatically. And what is the big deal if your security app updates itself automatically to provide the latest protection?

If I know that all my apps are blocked except for one that will get me the latest protection, I would consider it an advantage.

Snap out of it, guys. It is not like there are no apps getting connected without your knowledge. If you use Windows, Microsoft already connects you without you knowing it.

I use K-Lite [khancer.exe, kazaa.core are virus and keyloggers, but I added them to the trusted zone].
Also mIRC: when I click on a link, I had to add it to the trusted zone if I want to open IE by clicking on a link in mIRC; same thing with MSN Messenger.
Mike Mail
sandboxie
Chataro
Acronis True Image 10 (Build 4942)
C:\Program Files\Acronis\TrueImageHome\True Image.exe
Suspicious Driver Installation

Adobe Flash Player 9.0.45
(for Internet Explorer during installing using ActiveX)
(C:\WINDOWS\system32\Macromed\Download\Download.exe)
Hidden Install
Lucian Bara
Winfast PVR Wizard
Object: C:\Program Files\WinFast\W\WFTVFM\WFWIZ.exe
Verdict Mask: Keylogger

Winfast TV
Object: C:\Program Files\WinFast\WFTVFM\WFTV.exe
Verdict Mask: Keylogger

Intervideo WinDVD
Object: C:\Program Files\InterVideo\WinDVD\WinDVD.exe
Verdict Mask: Keylogger
bildos
Microsoft Virtual PC 2007

C:\Program Files\Microsoft Virtual PC\Virtual PC.EXE

Suspicious action: Keylogger.
deleted@#.net
QUOTE(siliconman01 @ 21.09.2006 13:23)
...

Thumbsplus Pro
C:\Program Files\Thumbs7\thumbs.exe      Invader

...


On my machine (OS: Windows 2000, sp4) Kaspersky thinks Thumbsplus Pro is a keylogger.

Nothing else (firewall included) is showing anything anomalous or strange connections to anywhere; everything was OK until I clicked on a .htm file, but the page and site were clean (I have checked both thoroughly), so maybe this is a glitch or something else to be covered if Thumbsplus Pro is added to a whitelist?

Internat.exe + Hypersnap 6 on my machine are also classed as Invaders.
omid750
Ulead photo impact

C:\Program Files\Ulead Systems\Ulead PhotoImpact 11\Iedit_.exe
Invader (loader)
Chataro
Google Desktop Search 5.1 (Japanese)
GoogleDesktopSetiup.exe
Verdict : Hidden Install
Verdict: Invader(loader)

iTunes 7.1.1.5 (Japanese)
C:\Program Files\itunes\itunes.exe
Verdict: Invader(loader) C:\Program Files\itunes\iTunesKeyboardCompatibility.dll

Google Updater (Japanese, compulsorily installed while installing Google Toolbar)
GoogleUpdaterService.exe, and GoogleUpdaterSetup.exe
verdict: invader(loader)

Yahoo! Messenger 7.0.0.7 (Japanese)
C:\Program Files\Yahoo!J\Messenger\YPagerj.exe
verdict: Invader(loader) C:\Program Files\Yahoo!J\Messenger\idle.dll
TsunamiZ
StrokeIt
C:\Program Files\Strokeit\strokeit.exe
invader

Macro Express 3
C:\Program Files\Macro Express3\MacExp.exe
keylogger

pm me if you need any details
bildos
Winamp.exe

Sending hidden data
gderreck
Trusted Applications

Internet Download Manager
C:\Program Files\Internet Download Manager\IDMan.exe
- set up as a trusted application (network access). Had to do this as using the download manager template did not stop the prompts.

MailFrontier Desktop
C:\Program Files\MailFrontier\mantispm.exe
- set up as a trusted application (do not scan encrypted network traffic). This was to stop prompts and also to stop the nagging about invalid security certificates.

Microsoft Office Outlook 2003
C:\Program Files\Office 2003\OFFICE11\OUTLOOK.EXE
- set up as a trusted application (do not scan encrypted network traffic). This was to stop the nagging about invalid security certificates.

Internet Explorer 7
C:\Program Files\Internet Explorer\iexplore.exe
- set up as a trusted application (do not scan encrypted network traffic). This was to stop the nagging about invalid security certificates.

Host Process For Windows Services
%SystemRoot%\system32\svchost.exe
- set up as a trusted application (do not scan encrypted network traffic). Was getting prompted 3 to 4 times on each reboot.

Windows Live Messenger
%ProgramFiles%\MSN Messenger\MsnMsgr.Exe
- set up as a trusted application (do not scan encrypted network traffic). Could not connect while encrypted filtering was enabled.

Winpatrol
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
- set up as a trusted application. Do not restrict application activity or registry access. Security application that monitors startup and other activities. Needs registry access to eliminate startup and other activities.

NOTE: KIS can control startup in the registry, but not in the startup folder. Therefore I have disabled this as I believe the feature is not complete.


Exclusion Masks

Amnesty Generator (setup file)
aginstall.exe (not-a-virus:AdWare.Win32.Dm.l)
-file anti-virus, scan

Sun Java
C:\Users\Graham\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\3c0ee589-7806fe1f/FcPred.class (Trojan-Downloader.Java.Agent.c)
-scan
Lucian Bara
But that's the whole idea, to have KIS scan encrypted webpages for the web browser.

QUOTE
Host Process For Windows Services
%SystemRoot%\system32\svchost.exe
-setup as trusted application (do not scan encrypted network traffic). Was getting prompted 3 to 4 times on each reboot.

Windows Live Messenger
%ProgramFiles%\MSN Messenger\MsnMsgr.Exe
--setup as trusted application (do not scan encrypted network traffic). Could not connect while encrypted filtering was enabled.


those 2 are already there, unless you deleted them manually.
bildos
ImTOO DivX to DVD Converter v3.0

C:\Program Files\ImTOO\DivX to DVD Converter\DivX to DVD Converter.exe

Suspicious action: Keylogger
Chataro
McAfee SiteAdvisor Version 26.3 (Japanese)
C:\Documents and Settings\Owner\Local Settings\Temp\SiteAdv.exe
Verdict : Trojan.Generic

InterVideo WinDVD Gold 8 (Japanese)
Installer: InterVideo WinDVD8 Gold\WinDVD8Gold.exe
Verdict: Trojan.Cryptor

C:\Program Files\InterVideo\DVD8\WinDVD.exe
Verdict: Keylogger
Chataro
Google Desktop Search 5.1.0705 (Japanese)
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
Verdict : Trojan.Cryptor (Red Dialog)

Cyberlink PowerDVD 7.3 Ultra (Japanese)
C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
Verdict: Keylogger

Google Earth 4.1 (Japanese)
Verdict : Hidden Install


P.S. I think this topic should be sticky like before.

Best Regards,
Lucian Bara
wasn't my decision.

The Elder Scrolls IV Oblivion
Object: C:\Program Files\Oblivion\oblivion.exe
Verdict: keylogger

Adobe Flash CS 3
Object:C:\Program Files\Adobe\Adobe Flash CS3\Flash.exe
Verdict: Keylogger

WinFast PVR V2
Object: C:\Program Files\WinFast\WFDTV\WFWIZ.exe
Verdict: Keylogger

WinFast PVR V2
Object: C:\Program Files\WinFast\WFDTV\DVBTAP.exe
Verdict: Keylogger

Autocad 2007
Object: C:\Program Files\AutoCAD 2007\acad.exe
Verdict: Keylogger

VMWare Keyboard driver
Object: \Driver\vmkbd
Verdict: Keylogger \??\C:\WINDOWS\system32\drivers\VMkbd.sys
Chataro
QUOTE(Lucian Bara @ 22.05.2007 23:05)
wasn't my decision.


All right.

Process Explorer 10.21

C:\Program Files\Process Explorer\procexp.exe

verdict: Suspicious Driver Installation
The Driver is C:\WINDOWS\system32\drivers\PROCEXP100.sys.
Chataro
Nero 7 Premium Ver.7.960

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
Verdict: Invader(loader)

C:\Program Files\Common Files\Ahead\Lib\NeroScoutOptions.exe
Verdict: Invader(loader)

Sorry for the continuous posting.
dawgg
Off topic... is the whitelist no longer going to be implemented? Why is it not a sticky anymore?
Chataro
Unlocker 1.85
C:\Program Files\Unlocker\UnlockerAssistant.exe
Verdict: Invader(loader) C:\Program Files\Unlocker\UnlockerHook.dll

ObjectDock 1.9 (launcher)
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
Verdict: Invader(loader) C:\Program Files\Stardock\ObjectDock\DockShellHook.dll

RoboForm 6.92
C:\DOCUME~1\Owner\LOCALS~1\Temp\RFS9651.tmp\rfwipeout.exe
Verdict: Private Data and Password Access

GetASFStream 2.2.0.5 (Japanese Application)
C:\Program Files\GetASFStream\StreamGet.exe
Verdict: Invader(loader)
Chataro
SUPERAntiSpyware Free Edition 3.7.1018
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Verdict: Hidden Data Sending (on execution)

Intended address: res://SUPERAntiSpyware.exe/%2323/%23161

(Protection of Confidential Data Dialog)

P.S. Should I send the applications which cause PDM alarms to KL Labs myself, or not?
(Especially Trojan.***, Hidden Data Sending, Keylogger)

Thanks in advance.
Chataro
SIW (System Information display tool)
C:\Program Files\SIW\siw.exe
Verdict: Invader(loader)


Foxit PDF Reader
V2
C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
Verdict: Hidden Install
fox2
Designing a data entry form in MS Access 2007 (ie clicking on the toolbar to bring up the wizard to insert new controls such as a combo box etc into a database form) can cause all kinds of KAV alerts to pop up repeatedly until disabled.
Lucian Bara
QUOTE(fox2 @ 26.05.2007 23:18)
Designing a data entry form in MS Access 2007 (ie clicking on the toolbar to bring up the wizard to insert a new control such as a combo box into a database form) causes all kinds of KAV alerts to pop up repeatedly.

alerts like?
fox2
QUOTE(Lucian Bara @ 26.05.2007 23:19)
alerts like?


* clicks Access *

It warns over executing API function LoadLibraryA from kernel32.
Clicking OK it warns about FindResourceA from Kernel32
Then "LoadResource", "SizeofResource"... etc.
Lucian Bara
QUOTE(fox2 @ 26.05.2007 23:24)
* clicks Access *

It warns over executing API function LoadLibraryA from kernel32.
Clicking OK it warns about FindResourceA from Kernel32
Then "LoadResource", "SizeofResource"... etc.

That sounds like Office Guard popups. You shouldn't worry about those; Office Guard was discontinued, v7 doesn't have it any more.
shagreb
Please place hl.exe in some white list so I can start up Counter-Strike: Source without having to click the pop-up "hl.exe has been changed"...

It's really irritating to have to click it every single time!
Baz^^
Sorry I do not know if this has been mentioned yet... probably has...


detected: riskware Trojan.cryptor Running process: C:\Program Files\MSN Messenger\msnmsgr.exe


Windows Live Messenger - I think when it stored my password it triggered that alert.
toyo
Fraps:
C:\Program Files\fraps\fraps.exe Invader (loader)
C:\Program Files\fraps\fraps.dll Invader (loader)

Internet Download Manager: (various browsers)
ex: C:\Program Files\Opera\Opera.exe Invader (loader)
C:\Program Files\Internet Download Manager\idmmkb.dll
Baz^^
QUOTE(shagreb @ 27.05.2007 16:05)
please place hl.exe in some white list so i can start up counter strike source without having to click the pop up hl.exe has been changed ...

It s really irritating have to click it every single time!


Kaspersky is just informing you that the HL2 executable has been modified - Steam games seem to modify their executable at every startup.
Chataro
System Safety Monitor 2.0.8.583 Free
Object : Kernel Mode Memory Patch
Verdict: Keylogger (Red Dialog)

Sleipnir 2.5.13 (Browser, popular only in Japan)
C:\Program Files\Fenrir & Co\Sleipnir\bin\Sleipnir.exe
Verdict: Invader C:\WINDOWS\system32\mshtml.dll (Microsoft HTML Viewer)
unrealdude24
PageDefrag, which is a program released by Microsoft, gave me a warning about suspicious driver activity. I don't think it's related to heuristics, but I don't know where else to post it. You can get the program here: http://www.microsoft.com/technet/sysintern...PageDefrag.mspx
TsunamiZ
XnView
C:\Program Files\XnView\xnview.exe
Keylogger
TsunamiZ
can this topic be pinned?
Lucian Bara
hello
there are already a lot of topics pinned, let's not fill the upper part with topics.
Chataro
Hi, All

Sleipnir 2.5.13 (Popular Browser with both IE and Gecko Engines in Japan)
C:\Program Files\Fenrir & Co\Sleipnir\bin\sleipnir.exe
Verdict: Hidden Data Sending (Protecting Confidential Data)

Alert on using the "Search Box".

For example, searching "Kaspersky" on Google from its search box.

"Intended Address" and "Data" seem to have no problem.
(Fenrir is the name of the company that created this browser, and "ja" means "Japanese")


Best Regards,
besonen
QUOTE(max @ 21.09.2006 03:55)
We are planning to implement "white list" of popular applications, that show "suspicious" behaviour and proactive defense detects them.


is this white list functional in 7.0.0.125?
Lucian Bara
it's not implemented yet
saly
QUOTE(Lucian Bara @ 13.07.2007 06:57)
it's not implemented yet


For future implementation sake:

Adobe Captivate 3

Object: C:\Program Files\Adobe\Adobe Captivate 3\AdobeCaptivate.exe
Threat type: Trojan.cryptor (Riskware - process trying to encrypt personal data)
Component: Proactive defense


fp_post
QUOTE(Chataro @ 26.05.2007 20:02)
...

Foxit PDF Reader
V2
C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
Verdict: Hidden Install

An official "portable" (zip) version can be found on the official site,
so, IMHO, there's no need for any "whitelisting".
GrEaTwArRiOr
How about RoboForm? All versions.
Whenever I try to log on to websites it asks for permissions.
I have more than 60 websites.
Do I have to add all the links to the whitelist?
It's very annoying.
Is it possible to add it to the trusted zone, or something like that?

regards,
Gr
Invision Power Board © 2001-2014 Invision Power Services, Inc.