aehrlich

Warning: false positive

On 19.04.2009 a virus definition update was published that led to a false positive "Backdoor.Win32.Agent.afqs" in the file wmiprvse.exe (at least on WXP SP3 EN with the latest, i.e. 14.04., updates).

The "falseness" has been confirmed by Kaspersky VirusLab and they have promised to publish a correction to the virus definitions.


If my system "deletes" the critical file from a client, how can it be restored? My kav 6.0 is detecting it on all my xp boxes and removing it.
> On 19.04.2009 a virus definition update was published that led to a false positive "Backdoor.Win32.Agent.afqs" in the file wmiprvse.exe (at least on WXP SP3 EN with the latest, i.e. 14.04., updates).
>
> The "falseness" has been confirmed by Kaspersky VirusLab and they have promised to publish a correction to the virus definitions.

Did you report this to our virus analysts (newvirus@kaspersky.com), and if yes, how long ago?

> Did you report this to our virus analysts (newvirus@kaspersky.com), and if yes, how long ago?

Yes I did. The reply was as follows:

-------- Original Message --------
Subject: RE: [VirLabSRF][False Alarm][M:1][LN:RU][L:0] [KLAN-26845990]
Date: Sun, 19 Apr 2009 20:11:23 +0400
From: <newvirus@kaspersky.com>
To: <removed>

(original in Russian; translation for English-speaking people)

Hello,

It was a false alarm.

It will be fixed.

Thank you for your help.


And please note that deleting the wmiprvse.exe file prevents about 1/4 (in my setup) of the system services from starting...

This false positive was fixed yesterday at 20.30 (GMT+03). Don't forget to update your databases ;)

Very interesting behaviour of KAV.

In the 1st attached screenshot one can see two updates: 19.04.2009 21:40:26 and 20.04.2009 08:43:07. The latter of them stated that "update is not required" (the 2nd screenshot). In between the false positive did still occur.

However, if I make an explicit scan for viruses for the file now it is not reported as infected anymore.

Any comments to this?

[two screenshots attached: the update history showing both update runs, and the "update is not required" message]

> If my system "deletes" the critical file from a client, how can it be restored? My kav 6.0 is detecting it on all my xp boxes and removing it.

Up!

Is there any way to restore it from the Admin Kit? Because it did it on a lot of computers too :(


Hello,

How to restore the file from the Administration Server:

1. Create a policy for Kaspersky Network Agent: http://support.kaspersky.com/faq?qid=205057289

2. Enable the option "Transfer information about the objects in Backup to the Administration Server": http://support.kaspersky.com/faq?qid=205057289#set

Do not forget to lock this setting.

3. In the Administration Console, under Storage > Backup, you will see all files that have been placed into the backup storage. Right-click on each object and restore it to its original location.

> Hello,
>
> How to restore the file from the Administration Server:
>
> 1. Create a policy for Kaspersky Network Agent: http://support.kaspersky.com/faq?qid=205057289
>
> 2. Enable the option "Transfer information about the objects in Backup to the Administration Server": http://support.kaspersky.com/faq?qid=205057289#set
>
> Do not forget to lock this setting.
>
> 3. In the Administration Console, under Storage > Backup, you will see all files that have been placed into the backup storage. Right-click on each object and restore it to its original location.

(Thank you very much Tybilly)²!

This policy answers all the problems I was trying to solve with Kaspy!!!!

> Very interesting behaviour of KAV.
>
> In the 1st attached screenshot one can see two updates: 19.04.2009 21:40:26 and 20.04.2009 08:43:07. The latter of them stated that "update is not required" (the 2nd screenshot). In between the false positive did still occur.
>
> However, if I make an explicit scan for viruses for the file now it is not reported as infected anymore.
>
> Any comments to this?

OK, the statement about the strange behaviour ("update is not required") was my fault: there were two updates, 08:43 and 08:45, and the "update is not required" message concerned the second one, so no more mystery.

However, the stated fix time 20:30 GMT+3 (Moscow time) is 19:30 GMT+2, am I correct ;-)? And from the screenshots one can see that the false positive was still detected after the update at 21:40 GMT+2, i.e. 2 hours later than the "stated fix time".

> On 19.04.2009 a virus definition update was published that led to a false positive "Backdoor.Win32.Agent.afqs" in the file wmiprvse.exe (at least on WXP SP3 EN with the latest, i.e. 14.04., updates).
>
> The "falseness" has been confirmed by Kaspersky VirusLab and they have promised to publish a correction to the virus definitions.

Does Kaspersky even test any of their releases so this crap doesn't happen? Sure doesn't seem so. It also seems that if you are running KAS in a business setting you are doing a lot more work fixing its screwups than you would if you actually had REAL viruses instead of false positives. I've said it in the past and I'll say it again: I rue the day I picked KAS for our office and will NEVER renew it again. Now I've got to go restore all the wmiprvse.exes that KAS deleted. Nice.

> Does Kaspersky even test any of their releases so this crap doesn't happen? Sure doesn't seem so. It also seems that if you are running KAS in a business setting you are doing a lot more work fixing its screwups than you would if you actually had REAL viruses instead of false positives. I've said it in the past and I'll say it again: I rue the day I picked KAS for our office and will NEVER renew it again. Now I've got to go restore all the wmiprvse.exes that KAS deleted. Nice.

Kaspersky smoked wmiprvse.exe off of 30 of my XP boxes. Now I too am wondering about this. In another month I am adding 200 new workstations running new Point-Of-Sale software in our 53 offices. Since they will all be managed through Kaspersky, I am really concerned that this might happen again with much larger and far-reaching results.


I already asked this question in the past, and yes, there is a QA process: threat signatures are uploaded to a pre-release server, which is:

ftp://dnl-test.kaspersky-labs.com/beta_updates/pre-release/

After that they are checked for false alarms for some time, and at the end they are finally pushed to the public update servers.

> OK, the statement about the strange behaviour ("update is not required") was my fault: there were two updates, 08:43 and 08:45, and the "update is not required" message concerned the second one, so no more mystery.
>
> However, the stated fix time 20:30 GMT+3 (Moscow time) is 19:30 GMT+2, am I correct ;-)? And from the screenshots one can see that the false positive was still detected after the update at 21:40 GMT+2, i.e. 2 hours later than the "stated fix time".

This QA process can explain why this false alarm was fixed at 20:30 GMT+3 whereas the file was still detected later.

> Kaspersky smoked wmiprvse.exe off of 30 of my XP boxes. Now I too am wondering about this. In another month I am adding 200 new workstations running new Point-Of-Sale software in our 53 offices. Since they will all be managed through Kaspersky, I am really concerned that this might happen again with much larger and far-reaching results.

You can add your software to the exclusion list; then you can be sure it cannot be flagged as a threat by Kaspersky Anti-Virus.

> Does Kaspersky even test any of their releases so this crap doesn't happen?

FYI: false positives occurred with other vendors as well, e.g. F-Secure and ZoneAlarm. The suggestion was that the issue lies with patch KB956572, but I have no set-up where that patch hadn't been applied to test whether it would have generated a false positive on prior versions.


Check the log files and the email notifications (if enabled) for the detection event. I bet you'll find that the notifications you are getting are from the original detection and not from a false positive that hasn't been corrected.

In my case the original detection of the false positive on wmiprvse.exe keeps getting re-emailed to me, not a continuing false positive report on the affected file. I've run a manual scan on wmiprvse.exe and it came back clean.

So, to recap:

KAV had a false positive, this was corrected in a definition update, and KAV Admin Kit keeps emailing a detection report for the original detection; it is not a continuing false positive.

Hope that helps.
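The thread turns on three things that look identical in a notification mailbox: the original pre-fix hit, hits made after the fix was announced by clients whose installed bases still predate it (the pre-release QA lag described above, and aehrlich's 21:40 GMT+2 detection), and re-sent notifications of the original event. The script below is an added example for this thread, not code from the forum or from Kaspersky. It takes the times as stated by the posters (fix published at 20:30 GMT+3 on 19.04.2009, client clocks in GMT+2), normalises everything to UTC, and uses the release stamp of the installed bases rather than the wall-clock time of the update run to decide which detections still need a look. The log line format, host names and events are constructed for illustration; a real Administration Kit export looks different and needs its own parser.

```python
"""Timeline triage for an AV false-positive incident.

Added example for this thread, not code from the forum or from Kaspersky.
Times are taken at face value from the thread (fix published 20:30 GMT+3 on
19.04.2009). The log format, hosts and events below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

TS_FMT = "%Y-%m-%d %H:%M:%S %z"

# Fix time as stated by Kaspersky staff in the thread: 20:30, GMT+3, 19 April 2009.
FIX_PUBLISHED = datetime.strptime("2009-04-19 20:30:00 +0300", TS_FMT)

# Constructed sample events (hypothetical hosts, illustrative line format):
#   <local time> <utc offset> <host> DETECT <verdict> <path>
#   <local time> <utc offset> <host> UPDATE bases=<release stamp of the installed bases>
#   <local time> <utc offset> <host> NOTIFY <verdict> <path> detected_at=<original time>
SAMPLE_LOG = """\
2009-04-19 18:05:11 +0200 HOST01 DETECT Backdoor.Win32.Agent.afqs C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
2009-04-19 21:40:26 +0200 HOST01 UPDATE bases=2009-04-19 19:55:00 +0300
2009-04-19 21:41:02 +0200 HOST01 DETECT Backdoor.Win32.Agent.afqs C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
2009-04-20 08:43:07 +0200 HOST01 UPDATE bases=2009-04-20 08:10:00 +0300
2009-04-20 09:00:00 +0200 HOST01 NOTIFY Backdoor.Win32.Agent.afqs C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe detected_at=2009-04-19 18:05:11 +0200
2009-04-20 10:00:00 +0200 HOST02 DETECT Backdoor.Win32.Agent.afqs C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
2009-04-20 11:00:00 +0200 HOST03 UPDATE bases=2009-04-20 08:10:00 +0300
2009-04-20 11:05:00 +0200 HOST03 DETECT Backdoor.Win32.Agent.afqs C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe
"""

STAMP_RE = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}"
LINE_RE = re.compile(r"^(" + STAMP_RE + r") (\S+) (DETECT|UPDATE|NOTIFY) (.*)$")

VERDICTS = {
    "pre-fix": "detected before the fix was published: the known false positive",
    "stale-bases": "detected after the fix, but the installed bases predate it: update again and rescan",
    "resend": "re-sent notification of a pre-fix detection, not a new hit",
    "investigate": "detected with post-fix bases: not explained by the false positive",
}


def to_utc(stamp: str) -> datetime:
    """Parse '<date> <time> <+hhmm>' and convert to UTC so mixed offsets cannot mislead."""
    return datetime.strptime(stamp, TS_FMT).astimezone(timezone.utc)


def fix_in_utc(fix_published: datetime = FIX_PUBLISHED) -> str:
    """The announced fix time expressed in UTC (20:30 GMT+3 is 17:30 UTC, 19:30 GMT+2)."""
    return fix_published.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M")


@dataclass
class Event:
    when: datetime  # UTC
    host: str
    kind: str
    detail: str


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # lines outside the expected shape are skipped, not guessed at
        events.append(Event(to_utc(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def classify(events: list, fix_published: datetime) -> list:
    """Return (host, utc_time, tag) for every DETECT/NOTIFY event, in chronological order."""
    fix_utc = fix_published.astimezone(timezone.utc)
    installed = {}  # host -> UTC release stamp of the bases installed at that point
    out = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.kind == "UPDATE":
            m = re.search(r"bases=(" + STAMP_RE + ")", ev.detail)
            if m:
                installed[ev.host] = to_utc(m.group(1))
            continue
        if ev.kind == "NOTIFY":
            # A notification carries the time of the event it reports, not of the mail.
            m = re.search(r"detected_at=(" + STAMP_RE + ")", ev.detail)
            original = to_utc(m.group(1)) if m else ev.when
            out.append((ev.host, ev.when, "resend" if original <= fix_utc else "investigate"))
            continue
        # DETECT: wall-clock order alone is not enough; what matters is whether the bases
        # that produced the hit were released after the fix.
        if ev.when <= fix_utc:
            tag = "pre-fix"
        elif installed.get(ev.host) is None or installed[ev.host] < fix_utc:
            tag = "stale-bases"
        else:
            tag = "investigate"
        out.append((ev.host, ev.when, tag))
    return out


def needs_attention(results: list) -> list:
    """Hosts that still flag the file with bases released after the fix."""
    return sorted({host for host, _, tag in results if tag == "investigate"})


if __name__ == "__main__":
    print("fix published:", fix_in_utc(), "UTC")
    results = classify(parse_log(SAMPLE_LOG), FIX_PUBLISHED)
    for host, when, tag in results:
        print(f"{when.strftime('%Y-%m-%d %H:%M')}Z {host:7} {tag:12} {VERDICTS[tag]}")
    print("still needs a look:", needs_attention(results))
```

Run as-is it reports HOST01's first hit as the known false positive, its second hit (after the 21:40 update, but with bases released before the fix) as propagation lag, the re-mailed notification as a resend, and only HOST03, which detected the file with bases released after the fix, as something to investigate. Keying the decision on the bases release stamp instead of the update run time is what resolves the apparent contradiction between "fixed at 20:30" and "still detected at 21:40".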
