I believe this is the result of a recently-compromised mailbox belonging to one of our customers. That mailbox has been secured and the webmail server itself has no issues.

Can this server please be unflagged?

www.anypro.it

I am reaching out to request an expert analysis / false positive investigation for the file OmenCore.exe, which Kaspersky is detecting as a Trojan and automatically deleting.

🖥️ System Information

Operating System: Windows 11 Pro 24H2 (Build 26100.8328)

Kaspersky Product: Kaspersky Premium 21.25.7.504 (Latest version, all databases up to date)

🛡️ Kaspersky Detection Details

FieldValue

ResultDeleted

TypeTrojan

Detection NameTrojan-Downloader.MSIL.Krocomain.abp

AccuracyExact

Threat LevelHigh

Object TypeFile

Object NameOmenCore.exe

📋 What is OmenCore?

OmenCore is an open-source, modern, lightweight control center that replaces HP OMEN Gaming Hub. It is built with .NET 8 and WPF, providing professional-grade hardware control without bloat, telemetry, or mandatory sign-ins.

Key features include:

Custom fan curves with temperature breakpoints

WMI BIOS control for HP OMEN laptops

Real-time monitoring with live CPU/GPU temperature history charts

Per-fan telemetry and Embedded Controller (EC) access

Official Links:

🌐 Website: https://omencore.pages.dev/

📂 GitHub Repository (Open Source): https://github.com/theantipopau/omencore

⚠️ The developer's own antivirus note states: "Some AV products flag OmenCore's kernel driver as suspicious — this is a known false positive for hardware utilities that use low-level driver access."

Known detections by other vendors (all considered false positives):

Windows Defender → HackTool:Win64/WinRing0

Bitdefender → Gen:Application.Venus.Cynthia.Winring

These detections are triggered because OmenCore uses WinRing0 (a well-known open-source kernel driver) to access hardware-level features like EC registers and fan control — which is standard practice for hardware monitoring utilities.

🔍 VirusTotal Analysis

I have uploaded the file to VirusTotal for independent verification:

🔗 VirusTotal Link: https://www.virustotal.com/gui/file/cb2b4b95226fd479aad7333c2090b23f35b92b1058d699baf7023752359bd0f7?nocache=1

SHA-256: cb2b4b95226fd479aad7333c2090b23f35b92b1058d699baf7023752359bd0f7

Please review the detection ratio — the majority of engines show the file as clean.

❓ My Request

I believe this is a false positive detection. OmenCore is an open-source, community-trusted application hosted on GitHub with full source code transparency. It uses low-level WMI BIOS and EC (Embedded Controller) access via WinRing0 driver, which may trigger heuristic-based detections.

I kindly request the Kaspersky analysts to:

✅ Review the file and the VirusTotal report

✅ Examine the open-source GitHub repository for full code transparency

✅ Confirm whether this is a false positive

✅ If confirmed, update the Kaspersky signature database to whitelist this application

Thank you very much for your time and support. I look forward to your analysis.

I'm the owner of bargi.app, a legitimate B2B SaaS for pub and bar management, developed by my company Byte Livre (Brazil). The product was launched on May 8, 2026.

Kaspersky Endpoint Security for Windows is blocking tenant-specific login pages with the following message:

- Message: "Evitamos o acesso a um site que pode causar vazamento de dados"
- Reason: "ameaça de perda de dados"
- Detection method: Kaspersky Security Network
- Detection date: 08/05/2026
- Blocked by: Web Threat Protection

Blocked URLs (multi-tenant login pattern bargi.app/{tenant-slug}/login):

- https://bargi.app/teste-pub-starter/login
- https://bargi.app/teste-pub-pro/login
- https://bargi.app/teste-pub-business/login
- https://bargi.app/beer-and-code/login

Important: the root domain (https://bargi.app) and the master login page (https://bargi.app/login) are NOT blocked — only the tenant-specific subpaths.

Context:
This is a standard multi-tenant SaaS architecture (similar pattern used by Slack, Notion, Linear, etc.). Each customer (pub/bar) has their own URL slug to access their administrative panel. These are legitimate login pages for real paying customers — not phishing.

I understand the recent domain registration (May 2026) combined with the /slug/login URL pattern likely triggered heuristic classification by Kaspersky Security Network. However, I confirm:

- bargi.app is legally registered and owned by Byte Livre
- The application is a real B2B SaaS product with valid customers
- Valid SSL/TLS certificate (Let's Encrypt) is in place
- No phishing, credential harvesting, or malicious behavior
- Company information and contact are publicly available

I have already submitted reanalysis requests through OpenTIP for the affected URLs.

Could a moderator please escalate this to the Virus Lab / Data Loss Threats Protection Group, so the domain bargi.app and the URL pattern bargi.app/*/login can be whitelisted?

This false positive is preventing legitimate customers from accessing the service.

Screenshots of the Kaspersky block message are attached below for reference.

Thank you very much for your help.

Best regards,
Marcos Vinicius
Byte Livre — Software Architect & Founder
https://bargi.app

I need help because some of the files that were changed were very old and I don't have a backup.

I've attached a file for analysis. Thank you.

https://drive.google.com/file/d/1P9onLouCZCy7i1ai-_mBZ_zyyPQies6O/view?usp=sharing

Kaspersky is flagging my site as Phishing on VirusTotal, but this is a false positive.

Canonical URL: https://www.tranquilityforge.com/
Note: https://tranquilityforge.com/ permanently redirects (301) to the canonical www host.

This is a legitimate small-business website for mentoring services (Tranquility Forge Mentoring). No credential harvesting, malware, or phishing behavior. All scans indicate the site is clean. The site is publicly reachable over HTTPS.

Please re-check and remove the negative classification.

Thank you,
Micah

I've looked in report page and was checking each component detailed report section when I've noticed 'file antivirus' category. It have displayed two 'processing error' on high alert (colored in red). Went to verify myself each of these files and 0 object could not be scanned.

Object name: WmiPrvSE.exe gives the following error as 'Not processed' and object pathfind is: searchms:display=name=Resultados%20da%20Pesquisa%20em%20wbem&crumb=Qualquertexto%3AWmiPrvSE&crumb=location:C%3A%5CWindows%5CSysyem32%5Cwbem\WmiPrvSE.exe

Object name: smartscreenps.dll gives the following error as 'Processing error'

And the object pathfind is:

C:\Windows\System32

I have looked inside quarantine section and there are no files whatsoever. I have started a series of procedure accordingly to 'KS Standard ender' articles like running a fullscan, to erasing manually these files (which I didn't since they have been normal for Yeats before Tonight)

I hardly think my antivirus is corrupted because it is constantly searching for data bank updates.

What I am doing in my reach is to restart the computer, and run Fullscan. However I have noticed Kaspersky Standard 21.24.8.522(b) did not gave the same alert while I am still running Fullscan. Only happen when I execute 'Selective scan' or 'mouse Quick action scan' to verify these files.

My question is:

These alerts were they false positives? Because these system files have been laying around since 2022-2024 and I don't know If I should be worried.

Every time the notification comes up on accessing the folder the file is in my file manager, I am unable to ignore both the notification or add it to the exclusions list.

Seems to get added but the notification still comes up the next time. How do I stop the false positive notifications?

removed

removed

My code software was claimed to have a virus, and then a pop-up window prompted whether to handle it. After clicking on it, even after reinstalling the software, its functions could no longer be used normally.

The virus alert message is: PDM: Trojan.Win32.Generic

How can I solve this problem?

Should I just add to exclusions, if indeed it allows me to do that.  I'm fairly sure theres nothing on the PC, and emails are regularly deleted anyway

Windows 11 PC, betterbird (Ive just changed to betterbird from mailbird so its a bit of a coincidence that this has happened after never having happened before

Thanks 

The API for our website, api.apexyama.com, has been incorrectly marked as a phishing threat by Kaspersky Internet Security.

I can assure you that we are not involved in any phishing activity. I am entirely willing to share the source code of our website privately if it is needed to remove this false-positive detection.

We are a company based in Turkey, and we process transactions through iyzico, a leading payment provider that is also utilized by Amazon. I am happy to provide any official company documents to verify our identity, if necessary.

Thanks in advance!

We have reported the false positive several times, but got no answer: https://forum.kaspersky.com/topic/kaspersky-how-to-report-false-positive-22328/ 
We do not impersonate other brands and do not request wallet seed phrases or credentials outside our authenticated flow.

Swapped has been running since 2022. We are regulated company, regulated by the Financial authorities in Denmark, Norway, Australia, Canada, and the US.
We are a regulated VASP and Digital Currency Exchange. We are MiCA compliant and have been in the industry for 4+ years at this point.

We have not been involved in any phishing activity, and the block that Kaspersky applies to Swapped materially negatively affects our business operations. Hereby kindly requesting that you remove our domain from the blacklist.

You can find our registrations with financial regulators below.

Denmark: https://virksomhedsregister.finanstilsynet.dk/virksomhed-under-tilsyn-en.html?v=B513844C-D285-EC11-A2D7-005056907186
Norway:  https://www.finanstilsynet.no/en/finanstilsynets-registry/details/?id=248545
Canada: Visit https://fintrac-canafe.canada.ca/msb-esm/reg-eng and look up 'Swapped APS'
Australia: Swapped ApS is a registered Digital Currency Exchange under AUSTRAC in Australia with registration number DCE100879379-001.
US: Visit https://www.fincen.gov/resources/msb-state-selector and look up 'Swapped' as the legal name.

Even when I reinstall it, I'm asked to update, and Kaspersky wants to delete the data again.

I uploaded the files to VirusTotal, since I'm not sure if I'm allowed or should upload them here.

MOZA Updater.exe 989ee1bfdc8cdcc4cab4f69511634f85613442ed10d012863dc4b43849f373d9

MaintenanceTool.exe 5026591e471cd9367ceb13765c6c95448b723f3039fe461136d6ab3cfc22de91

Context: Seems to be a trojan I got from running a bad .exe

Full process:

First running yesterday (Windows security detected and removed the supposed trojan right away)but haven't started until the first startup of today, powershell ran weird commands, my discord account was the first to get infected. Has already changed password, so far other account hasn't been infected yet. powershell hasn't started up ever since even if I were to try to restart my pc.

 A ScreenImage.png was created in temp folder, seems to be updated regularly, first generated the same time I started up my pc, I haven't restarted the pc since started doing a full scan with kaspersky, not sure whether it's stopped because of the scan or screenshots only taken after startup.

It seems that a registry key was removed related to powershell? I did find a suspicous powershell registry key manually but wasn't sure whether it's geniune, no longer find it, (kaspersky may had removed the very same registry.)

I'm not sure how should I proceed next, any help would be appreciated, can provide more information if needed.

It only asked me to block it, then navigate me to the app setting. You CANT block Samsung Internet if you want to browse internet. Right? Then the report says no threats found.

I tried Avast and Bitdefender, none of them detected anything.

Another false positive?

O/S = Windows 11

ARV = Kaspersky Standard v21.24.8.422(a)

I use Workona Tab Manager every day.  Today, when I rebooted my laptop I was bit startled to see that rather than load my tabs, Kaspersky decided to block this action.   Is this a an Edge Chromium or Kaspersky issue?

All seemed well until in the Notification Centre Status, Recommendations 2, and Protection 39 Objects.

The Recommendations are fixed and vanish but the 39 Objects remain, I’ve tried all the Resolve all options but nothing removes them.

My previous Kaspersky, KIS, version worked perfectly but this one is very confusing.

HELP!

Depois que realizei as varreduras e permiti que o antivírus removesse ou colocasse em quarentena os arquivos detectados, o sistema operacional acabou sendo corrompido e passou a apresentar falhas graves.

Consegui analisar o primeiro arquivo que foi detectado como vírus no VirusTotal através do link abaixo:

https://www.virustotal.com/gui/file/f7a6eb1d9e42c7b678fcd4ec457b352a0ea5baf18a608742acb24863f70fb9ea/detection

Minha dúvida é: esse arquivo poderia ter sido responsável por infectar milhares de outros arquivos no sistema, ou há possibilidade de ter ocorrido um falso positivo após a atualização do antivírus?

We hope to hear from you soon. Thanks!

However, https://www.virustotal.com/gui/url/65758c5365c663134ad1f7fa0af657096a4a8924f3d6ff5e5cce7f1a3c3c6abf only two showed positive while this report on Kaspersky showed as good website, https://opentip.kaspersky.com/https%3A%2F%2Fnswpedia.com%2Fnintendo-switch-roms/?tab=web . Is it a false positive?

1. Google Search Console: No security issues found, the site is clean.
2. SOCRadar Cyber Intelligence: Already re-evaluated and cleared the domain
3. Current state: The site is safe, no redirects or phishing.

Fortunately it was possible to unencrypt them.  I no longer have the PC I used to do this but I am pretty sure I used Kaspersky RakhniDecryptor and this would have been in 2020.

I've now discovered I missed unencrypting a folder with about 1500 files.  I think this was because there were too many files on the NAS to unencrypt at once so I needed to divide files into batches and through my own sloppiness, I missed a folder.

I've tried to re-do the unencryption using the latest version of Kaspersky RakhniDecryptor and came across the following:

- the original files were encrypted with the extension ".encrypt". The current version of Kaspersky RakhniDecryptor doesn't seem to recognise this.  It does seem to recognise the suffix ".encrypted".  I can change the file extension to ".encrypted" but would prefer not do have to do this. Can Kaspersky RakhniDecryptor not recognise files with extension "encrypt" because I am pretty sure it could back in 2020.

- I ran Kaspersky RakhniDecryptor on a small batch of files with extension changed to ".encrypted" and eventually it did find the password to decrypt and this is stored in the log file.  However I did this on a PC I borrowed for a short time (I now have a Mac at home, not a PC) and have got another PC to do the rest of the files and needed to reinstall Kaspersky RakhniDecryptor.  I couldn't see a way to provide the decryption password to Kaspersky RakhniDecryptor.  Is this possible? 

-