JakeSDS

False Positive - Exclusions Ignored


Hi,

A program has recently been flagged as HEUR:Trojan.Win32.Hesv.gen.

File Protection and On-Demand scans detect this; however, when the file is scanned in quarantine it reports it as a false positive, and when the specific .exe within the .cab is uploaded to VirusDesk it reports the file as safe.

I have excluded this successfully for a KES policy; however, I have not been able to exclude the flagged file for Kaspersky for Server.

The file is - \AppData\Local\Temp\TestExecute1240.exe//TestExecute.msi//Data1.cab/aqnetutils.exe (Automated QA software)

What is the process for having this file recognised as safe by the on-demand scan?

Thanks

Hello!

Please specify the versions of products in use.

Thank you!

1 minute ago, Dmitry Parshutin said:

Hello!

Please specify the versions of products in use.

Thank you!

Hi,

 

Issue remains on machines with Kaspersky Security for Windows Server 10.1.0.622

 

Please provide us with the active policy export with configured exclusion.

Thank you!

1 hour ago, Dmitry Parshutin said:

Please provide us with the active policy export with configured exclusion.

Thank you!

I have attached the .xml generated when exporting under exclusions in the Trusted Zone. Is this what you need?

Active Policy Export - SmartBear.xml

20 hours ago, Nikolay Arinchev said:

Is it possible to create an export in *.klp format?

Thank you!

 

KS10.1.klp


I should add that the file aqnetutils.exe multiple times within different applications.

Probably infected object detected: Trojan HEUR:Trojan.Win32.Hesv.gen. Object name: C:\Documents and Settings\Administrator\AppData\Local\Temp\TestComplete1240.exe//TestComplete.msi//Data1.cab/aqnetutils.exe. User: SYSTEM

Probably infected object detected: Trojan HEUR:Trojan.Win32.Hesv.gen. Object name: C:\Documents and Settings\Administrator\AppData\Local\Temp\TestComplete1240 (2).exe//TestComplete.msi//Data1.cab/aqnetutils.exe. User: SYSTEM

Probably infected object detected: Trojan HEUR:Trojan.Win32.Hesv.gen. Object name: C:\Documents and Settings\administrator.SDSUK\AppData\Local\Temp\TestExecute1240.exe//TestExecute.msi//Data1.cab/aqnetutils.exe. User: SYSTEM

 

 

 

4 minutes ago, Ivan.Ponomarev said:

Hello!

Where exactly have you added the file to the exclusions? 

Thanks!

[Possible SPAM!!!]ary - Trusted Zone - Exclusions.

 

I also added the exclusions to a KES policy and the exclusions worked; however, I am not as familiar with Kaspersky Security for Windows Server.

Trusted Zone is being applied.

 

18 minutes ago, Ivan.Ponomarev said:

Please check what components detect this file and add it to them too. 

Thanks!

They are detected by the Critical Areas Scan/Custom scans; all the exclusions cover Real-Time File Protection and On-Demand Scan.

Hello!

Can you please also try to add this application to trusted processes?

Also, please check the exclusions. You added the exe and MSI files like folders, so they have \ at the end of the string.

Please click add and then select - File and enter the whole path.

Thank you!

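The check described in the reply above, as an added example that is not part of the thread and is not Kaspersky code: it parses the detection lines posted earlier, flags an exclusion entry that names a file but was entered as a folder, and lists detected paths that no exclusion covers. The exclusion entries are constructed plain strings (not the product's export format), the function names are hypothetical, and matching is modelled as a case-insensitive wildcard comparison, which is an assumption rather than documented product behaviour.

```python
import ntpath
import re
from fnmatch import fnmatchcase

# Event text as quoted in the thread: "//" and "/" separate nested container levels.
EVENT_RE = re.compile(
    r"detected: (?P<verdict>.+?)\. Object name: (?P<obj>.+)\. User: (?P<user>\S+)$")
FILE_EXTS = {".exe", ".msi", ".cab"}
ROOT = "C:\\Documents and Settings\\"
TAILS = (
    r"Administrator\AppData\Local\Temp\TestComplete1240.exe//TestComplete.msi//Data1.cab/aqnetutils.exe",
    r"Administrator\AppData\Local\Temp\TestComplete1240 (2).exe//TestComplete.msi//Data1.cab/aqnetutils.exe",
    r"administrator.SDSUK\AppData\Local\Temp\TestExecute1240.exe//TestExecute.msi//Data1.cab/aqnetutils.exe",
)
# The three detections posted in the thread, rebuilt from the paths above.
SAMPLE_EVENTS = [
    "Probably infected object detected: Trojan HEUR:Trojan.Win32.Hesv.gen. "
    "Object name: " + ROOT + tail + ". User: SYSTEM" for tail in TAILS]

# Constructed exclusion entries (assumption: one path or mask per entry).
GOOD = ROOT + r"administrator.SDSUK\AppData\Local\Temp\TestExecute1240.exe"
BAD = GOOD + "\\"  # the same file entered as if it were a folder

def parse_event(line):
    """Split a detection line into verdict, outer file on disk and nested members."""
    m = EVENT_RE.search(line.strip())
    if not m:
        return None
    outer, *members = re.split(r"/+", m["obj"])
    return {"verdict": m["verdict"], "outer": outer, "members": members, "user": m["user"]}

def lint_exclusion(entry):
    """Return a warning when a file path was entered with a trailing backslash."""
    ext = ntpath.splitext(entry.rstrip("\\"))[1].lower()
    if entry.endswith("\\") and ext in FILE_EXTS:
        return f"{entry!r} names a file but ends with a backslash; re-add it as a File object"
    return None

def uncovered(events, exclusions):
    """Outer files from detections that no file-type exclusion matches."""
    # Folder-style entries are skipped: per the thread they did not cover the file.
    masks = [e.lower() for e in exclusions if not e.endswith("\\")]
    return [ev["outer"] for ev in events
            if not any(fnmatchcase(ev["outer"].lower(), m) for m in masks)]

if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    print(lint_exclusion(BAD))
    print(uncovered(events, [GOOD]))  # the two TestComplete paths stay uncovered
```

A full-path exclusion covers only the one location it names, which is why the same nested aqnetutils.exe is still reported under the other installer paths.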
On 2/7/2019 at 4:11 AM, Dmitry Parshutin said:

Hello!

Can you please also try to add this application to trusted processes?

Also, please check the exclusions. You added the exe and MSI files like folders, so they have \ at the end of the string.

Please click add and then select - File and enter the whole path.

Thank you!

Thanks, after a few changes the false positive is no longer detected.

On 2/8/2019 at 12:00 PM, Nikolay Arinchev said:

Thank you for your feedback!

Could you please confirm that we can mark that topic as solved?

It has been solved on the original servers; it is now being detected within other paths on other machines.

Is it possible to have the .exe marked as safe within the Kaspersky databases?
