bmax1985

KES 10.3.407 ignoring Exclusions [In progress]


Hello,

Beginning today, a custom application that we use is being detected as Trojan.Win32.Generic. The application is and was already in the list of exclusions. It was previously just an exception for c:\program files\ProgramDirectory and was working fine. I've taken it farther at this point and also excluded it using 'Object Name' of 'Executablename.exe'. KES still quarantines the file.

 

I then added it as a 'trusted application' and told KES to essentially ignore everything that it does but it still gets quarantined.

 

I'm currently on the phone waiting for support but had to disable protection on the affected workstations to allow the users to function. Has some bug come down causing KES to all of a sudden ignore exclusions?


Support was able to identify an error in the exceptions. No clue why it just started acting up today but at least it's resolved.


Thank you for your feedback!

Please let us know if you have this issue happen again.


Can we know the solution? Was it a typo in the exception, or something else? I already have the suspicious object in the exception list, but I always get information about the detected object...


Hi,

 

It looks like we'll never receive any feedback from Brian Maxwell.

 

Could you please describe your problem with more details so we can help you?

 

Thank you!


I have this problem too. Problematic file lies in E:\Setups\Microsoft Cracks\Windows XP Cracks\WindowsUpdate.exe. All exclusions tried from this thread:

E:\Setups\

E:\Setups\*

E:\Setups\*.*

E:\Setups\*\*.*

E:\Setups\*\*.exe

\Setups\*

*\Setups\*

None of them worked. Only when I added WindowsUpdate.exe it worked. But I can't allow this due to security reasons.

KSC 10 v4.343, KES v10.3.0.6294, KA v 10.4.343, Windows 10 including September update.

45 minutes ago, technikarc said:

I have this problem too. Problematic file lies in E:\Setups\Microsoft Cracks\Windows XP Cracks\WindowsUpdate.exe

Maybe you should ask Kaspersky to support your building viruses and ransomware also? I mean why stop at supporting your Windows cracks?


This was a sample, I don't even have disk E:\ on this issue.

I think you should remain silent if you have nothing to say on the topic and spam the forum.


As I recall, the root of my issue was no \ at the end of my path.

My exclusions under Anti-Virus protection > General Protection Settings > Exclusions and trusted Zone > Scan Exclusions are like:

File or folder: c:\somepath\

Object Name: *

That excludes everything under c:\somepath\. Note that you need the \ at the end.

 

I've also used the Trusted Applications section with some success.

48 minutes ago, Nikolay Arinchev said:

Hi,

Have you tried to specify just a filename without specifying a path?

I've tried and wrote about that in my post: "Only when I added WindowsUpdate.exe it worked."

35 minutes ago, bmax1985 said:

As I recall, the root of my issue was no \ at the end of my path.

My exclusions under Anti-Virus protection > General Protection Settings > Exclusions and trusted Zone > Scan Exclusions are like:

File or folder: c:\somepath\

Object Name: *

That excludes everything under c:\somepath\. Note that you need the \ at the end.

 

I've also used the Trusted Applications section with some success.

 

I've tried to leave the path with \ but it didn't work. Object name * gives me a "Name not specified" error. Still looking forward to solving this problem. It's very annoying.

3 hours ago, Nikolay Arinchev said:

Could you please provide us with KES configuration file or with an export of active policy?

Thank you!

Yes, of course. I've attached the active policy. The problematic exception is called E:\Setups

Thank you in advance!

Kas_expo.klp


Hi,

I'm a bit confused.

If you specify an exclusion like E:\Setups\WindowsUpdate.exe it works.

If you specify just WindowsUpdate.exe it works as well (in that case all files with the WindowsUpdate.exe name are allowed).

So what is wrong with KES behavior? Would you like to make an exclusion for several programs from one folder?


No, Nikolay. In fact I never wrote that E:\Setups\WindowsUpdate.exe works and that's the point. Only WindowsUpdate.exe works but I can't use that because it would be a security flaw to let any WindowsUpdate.exe work in the system. All of my variations that didn't work are described in this post. Thank you for trying though!


This particular folder can be modified only by an administrator so I have no security concerns about its contents. I'm aware of the article you mentioned and the problem is they are not working. All mask variants I've tried are described in my post above.


Could you please provide the KES policy so we could check it for exclusion issues?


Could you provide detection messages pointing to that particular directory?

Could you upload a full GSI report from a workstation with this issue?

Disk E:\ is that a local drive or a network share attached as a logical disk?


* Detections messages:

[Attached screenshots of the detection messages: Screenshot_1.png, Screenshot_2.png]

* Full GSI Report can't be attached as it's more than 4 MB and I have no rights to upload it so I put it in dropbox here. You don't need to create an account to access this file - it's shared.

* Disk E:\ is a local disk


Hello. 

I have noticed that you have TrueCrypt installed in your system and the Object\Path makes me assume that the data may reside on an encrypted volume.

Could you please check whether specifying the exclusion in one of these ways works?

globalroot\device\truecryptvolumee\soft\

globalroot\device\truecryptvolumee\soft\*.*

globalroot\device\truecryptvolumee\soft\*

*\device\truecryptvolumee\soft\

Could you add files to exclusions in the local Kaspersky Endpoint Security interface using the "Browse..." function?

trust.PNG


Yes, it's a TrueCrypt disk. Simple globalroot\device\truecryptvolumee\soft\ worked. It was a bit confusing that Kaspersky interprets this kind of storage device differently and not as a simple letter like E:\. But now I got the point. Users should look in the Kaspersky log to see exactly where the particular file was deleted from. Thank you Evgeny_E


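An added helper (not from the thread and not Kaspersky's code) that takes an object path the way KES logged it in this thread and produces the folder exclusion in both spellings discussed above: the drive-letter form and the globalroot\device\... form, each with the trailing backslash bmax1985 found necessary. It assumes the path shapes shown in the thread, reads the drive-to-device map with the Win32 QueryDosDeviceW call on Windows, and otherwise falls back to a constructed map; the sample detection entries are constructed.

```python
import ctypes
import sys

# Constructed sample object paths in the shapes seen in this thread (not real log data).
SAMPLE_DETECTIONS = [
    r"globalroot\device\truecryptvolumee\soft\WindowsUpdate.exe",
    r"C:\Program Files\ProgramDirectory\Executablename.exe",
]

# Constructed drive-letter -> NT device map, used off Windows (assumption for offline runs).
FALLBACK_DEVICE_MAP = {"E:": r"\Device\TrueCryptVolumeE", "C:": r"\Device\HarddiskVolume2"}

PREFIX = "globalroot"  # KES logged the encrypted volume as globalroot\device\... in the thread


def drive_to_device_map():
    """Return {'E:': r'\\Device\\...'} via QueryDosDeviceW on Windows, else the fallback map."""
    if sys.platform != "win32":
        return dict(FALLBACK_DEVICE_MAP)
    k32 = ctypes.windll.kernel32
    buf = ctypes.create_unicode_buffer(1024)
    mapping = {}
    for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        if k32.QueryDosDeviceW(letter + ":", buf, 1024):
            mapping[letter + ":"] = buf.value  # first string of the returned MULTI_SZ
    return mapping


def normalize_object_path(obj_path, device_map):
    """Return (drive_letter_form, device_form); a side is None when it cannot be derived."""
    lower = obj_path.lower()
    if lower.startswith(PREFIX + "\\device\\"):
        nt_path = obj_path[len(PREFIX):]  # e.g. \device\truecryptvolumee\soft\...
        for letter, dev in device_map.items():
            if nt_path.lower().startswith(dev.lower() + "\\"):
                return letter + nt_path[len(dev):], obj_path
        return None, obj_path  # logged device is not a mounted drive letter
    for letter, dev in device_map.items():
        if lower.startswith(letter.lower() + "\\"):
            return obj_path, PREFIX + dev + obj_path[len(letter):]
    return obj_path, None


def folder_exclusions(obj_path, device_map):
    """Folder forms (with trailing backslash) of the object's directory in both notations."""
    return [p.rsplit("\\", 1)[0] + "\\" for p in normalize_object_path(obj_path, device_map) if p]


if __name__ == "__main__":
    devices = drive_to_device_map()
    for entry in SAMPLE_DETECTIONS:
        print(entry, "->", folder_exclusions(entry, devices))
```

On a real workstation, feed it the Object\Path from the KES detection log, as technikarc's last post suggests; where the drive-letter form does not match at all, the device form is the one to try.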
technikarc 

Hello. 

This actually looks like a bug, as globalroot\device\truecryptvolumee\ should be presented as a drive letter the way you see it in your file explorer, and the rules you specify for drive E:\ should actually be applied.

On the other hand, the TrueCrypt project was closed in 2014 and hasn't been maintained since; this might be a TrueCrypt driver bug leading to this behaviour or it could be an issue with KES.

Would you like to test this with Kaspersky Endpoint Security 11 RC2 ? You can find installation details in topic below: 

If you have similar issues with the encrypted drive, not being able to add an exclusion based on a drive letter and/or getting notifications where Object\Path is indicated as globalroot\device\truecryptvolumee, would you mind collecting some diagnostic data?