Trusted Zone Exclusion Verdict not working
Mr C
I have an exclusion entered as:

Object: * (Unticked)
Verdict: not-a-virus:URL.IDFrame
Checking Task: any

I've tried lots of different ways of entering this, including putting * at either end, both ends and even removed not-a-virus: and added a *, and tried not-a-virus*. I've even tried unlocking the Trusted Zone option and added it directly from the server which included the full path and filename.

With every change I have synchronised the server, and verified that the exclusion is set from the main window on the server, albeit grayed out.

Nothing I do seems to exclude this from detection.

What am I doing wrong?
Mr C
Forgot to mention the version 6.0.3.837 b
Mr C
Does no one have a suggestion?
Tybilly
Hello,

What about the report of the File Antivirus component? It should contain an event about the detection or exclusions.
Also, I can't find any threat named "not-a-virus:URL.IDFrame" or beginning like that. Are you sure about this? Could you post a screenshot of the detection?
Mr C
Thanks, here is a screen shot. Unsure what you mean by Report of the File Antivirus component?

Gets picked up by Scan and on access to the file.

Tybilly
What if you set your exclusion like this:

Object: * (Unticked)
Verdict: not-a-virus:URL.IDFrame*
Checking Task: any

If I understand you've already tried this, just in case.
Is there any real malicious code in this file? If not, I mean if you have created this file, it can be a false positive. In this case you can send the sample in a password-protected archive to newvirus@kaspersky.com

Anyway, the exclusion should be effective. Could you attach the file "technical details0402.htm" to a new post?
Mr C
Yes I have tried that.

The file is from 2003 and is a saved email, I think from Outlook 2000, in HTML form. This detection started a couple of months ago; I'm afraid I can not remember exactly when.

I can not upload the file, the attachment system says I can not upload files of that type, and the zip file failed as well, so I have cut and pasted it for you to see.

Thanks, again.

CODE
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="MSHTML 5.00.3315.2870" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff><B>From:</B> Gérard NOLAND
[g.noland@mercura.fr]<BR><B>Sent:</B> 01 April 2003 15:28<BR><B>To:</B>
technical@durite.co.uk<BR><B>Subject:</B> technical details<BR>
<DIV><FONT face=Arial size=2>      
Sir</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2> would it be possible to have a technical
notice on a cigarette lighter plug ref: 0-601-16    page 5.17 of
your brochure.</FONT></DIV>
<DIV><FONT face=Arial size=2>can I have a quotation for 2000 pieces, would it be
possible to have a sample for review ?</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>        
Regards </FONT></DIV>
<DIV><FONT face=Arial size=2>  </FONT></DIV>
<DIV><FONT face=Arial size=2>      Noland
Gerard</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>    email    
g.noland@mercura.fr</FONT></DIV>
<DIV><IFRAME frameBorder=0 height=1 marginHeight=0 marginWidth=0 scrolling=no
src="http://www.rawtocash.net/cgi-bin/link.cgi?ref=10068"
width=1> </IFRAME></DIV></BODY></HTML>
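
Added example, not part of the thread and not Kaspersky code: the pasted file ends in a 1x1, borderless IFRAME that loads from an external host, and a reviewer deciding whether an exclusion is appropriate may want to list such frames across saved HTML mail first. The names `scan_html` and `MAX_PX`, the size threshold and the sample markup are assumptions constructed for illustration; that this element is what triggers the verdict is also an assumption.

```python
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_PX = 1  # assumption: a frame this small in either dimension is not meant to be seen

def _px(value):
    """Return an attribute as integer pixels, or None if absent or not a plain number."""
    value = (value or "").strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None

class _IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname            # None for relative/local sources
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        tiny = (w is not None and w <= MAX_PX) or (h is not None and h <= MAX_PX)
        hidden = "display:none" in style or "visibility:hidden" in style
        if host and (tiny or hidden):
            self.findings.append({"line": self.getpos()[0], "host": host,
                                  "src": src, "width": w, "height": h})

def scan_html(text):
    """Return one dict per invisible iframe that loads from an external host."""
    finder = _IframeFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

# Constructed sample: a visible frame, a tiny local frame, and a tiny external frame.
SAMPLE = """<HTML><BODY>
<DIV>Regards</DIV>
<IFRAME src="http://video.example/embed" width=600 height=400></IFRAME>
<IFRAME src="/local/blank.htm" width=1 height=1></IFRAME>
<DIV><IFRAME frameBorder=0 height=1 marginHeight=0 scrolling=no
src="http://tracker.example/cgi-bin/link.cgi?ref=1"
width=1> </IFRAME></DIV></BODY></HTML>
"""

if __name__ == "__main__":
    for path in sys.argv[1:]:        # saved Outlook mail is often iso-8859-1
        with open(path, encoding="latin-1", errors="replace") as fh:
            for f in scan_html(fh.read()):
                print(f"{path}:{f['line']}: hidden iframe -> {f['host']} ({f['src']})")
```

Run it with the saved `.htm` files as arguments; each reported host can then be reviewed before a verdict-wide exclusion is put in place.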
Tybilly
Hello,

I think you found a bug in the product. I managed to reproduce it on KAV WKS 6.0.3.837; the following exclusion is not effective in the product:

QUOTE
Object: * (Unticked)
Verdict: not-a-virus:URL.IDFrame*
Checking Task: any


Even this exclusion which should concern all this category of threat does not work:

QUOTE
Object: * (Unticked)
Verdict: not-a-virus:*
Checking Task: any


The threat is still detected.

Actually I'm testing the product KIS2009 on my personal computer and the same exclusion works in this product...

Mr C
Yes, the only way to prevent detection is to add the filename with no verdict but that is obviously not how it should work.

Thanks for your help, I'll see what I need to do to report it now.
Tybilly
Hello Mr C

I wrote about this topic to Igor, who is Administrator of this board, and he replied to me that a new bug has been created; developers will probably study this case and fix it in a future version.

I hope we will hear from them soon.

Mr C
Thanks very much for that, I haven't had a chance myself as I had to fix a server that went down.
Yury
Hello all. I bring good news.
This bug has been fixed in version KAV 6.0.4.937. Unfortunately, it is an internal test build and cannot be spread out. It will be fixed in the upcoming version of WKS.
brian.mahieu
Having the same trouble with another program. PSEXEC

C:\WINDOWS\psexecsvs.exe
detected Riskware: Rootshell


I have gotten so far as to find trusted zone exclusion type stuff and the verdict but I can't find the exact strings to put in for
Object name:
Verdict type:

Clicking on view on www.viruslist.com gives:
Home / Viruses / Virus Encyclopedia / RootShell
RootShell
Cyber criminals frequently use this type of software to gain remote shell
access to the victim’s system. Root shells bind standard input/output
streams to sockets, allowing access to the system
...I'm not having any luck digging there...

Running Kaspersky Administration Kit 6.0.1710