Disk Defragmenter NTFS Module

guilijan

Hi

Is there any way to avoid this in the self-defense report? I have more than 45,000 of them.

KAV .506, with the update problem solved.

28/11/2008 16:46:11 Denied Disk Defragmenter NTFS Module Open C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

 

guilijan   
Hi, any idea?

Schulte   

Hi guilijan,

'Settings->System Security->Application Filtering->Settings'. Double-click 'Disk Defragmenter NTFS Module', go to 'Exclusions' and check 'Do not monitor application activity'.

guilijan   
Nope, it doesn't have that possibility in System Security.

It's KAV .506.

Today I have 21460 of these:

29/11/2008 10:58:29 Denied Kaspersky Anti-Virus Modification REGISTRY\MACHINE\SOFTWARE\KasperskyLab\protected\AVP8\Trace\Default

29/11/2008 11:37:32 Denied Disk Defragmenter NTFS Module Open C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

There may be some way to avoid that.

I can't believe that KAV makes so much or so many (I don't know which is correct) reports about this. Some must be wrong, but I don't know which.

mbt   
Schulte should have said:

'Settings->System Security->Application Filtering->Settings' > Expand Microsoft Category > Scroll down to Disk Defragmenter NTFS Module > Double-click 'Disk Defragmenter NTFS Module', go to 'Exclusions' and check 'Do not monitor application activity'.

He also should have said to do the same for the "Disk Defragmenter" module too. I tried what he suggested and the log entries are greatly reduced to a couple hundred process start and process exit messages over a 2 minute period.

I don't understand why the Disk Defragmenter and Disk Defragmenter NTFS modules are starting up by themselves at all and can't seem to find an answer.

guilijan   
Well, if you read post #4, I said that following that route I don't find Application Filtering under System Security.

Perhaps I'm doing something wrong.

mbt   
Sorry I misunderstood. If you don't have a "Settings" button next to the checkbox to Enable Application Filtering in the System Security settings section, then something bigger is wrong. Perhaps a reinstall might help.

rudger79   

Same here. I have thousands from yesterday and today. See screenshot.

Version 8.0.0.506

Windows XP Media Center SP3

Also, when I click on the virus activity review, it won't load completely.

guilijan   

Oops, I'm not alone.

Just started my PC today and:

Self-Defense (events: 27840)

30/11/2008 09:20:05 Denied Kaspersky Anti-Virus Modification REGISTRY\MACHINE\SOFTWARE\KasperskyLab\protected\AVP8\Trace\Default

30/11/2008 09:49:56 Denied Disk Defragmenter NTFS Module Open C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe

Is there an explanation for that?

 

 

JanRei   

If you want you can set up the exclusions in the trusted zone (Settings -> Threats and exclusions -> Trusted zone -> tab "Trusted applications"). The way via Application Filtering is equivalent, but works only with KIS (KAV doesn't include this component).

guilijan   
Thank you for your answer.

What are the applications to add to the trusted zone, and where are they located?

Is it like putting the dust under the carpet?

And why did KAV deny a KAV action? See the picture of the report.

It's very, very crazy.

The final question is why KAV/KIS does these actions.

rudger79   

This is what my Vista 64 machine (Home Premium) shows for self-defense.

KAV 8.0.0.506

So should I deal with this via the trusted zone? JanRei states this cannot be done with KAV? Please advise.

Thanks

JanRei   

In version 8.0.0.506 self-defence was made more aggressive, which results in a higher amount of messages / report entries. In particular defragmentation tools and svchost.exe will cause such messages now when they come across the files or processes of KAV/KIS. It should be safe to define exclusions for the defrag tools; regarding svchost.exe I am not completely sure.

You can start with an exclusion for "Disk Defragmenter NTFS Module" (should be C:\WINDOWS\system32\DfrgNtfs.exe); maybe it will already help to reduce the messages.

It's always possible to define the exclusions in the trusted zone. Just the way via Application Filtering is restricted to KIS.

I don't know exactly why KAV/KIS denies itself access to the mentioned registry key. However, since it is not an unusual behaviour I would suggest to simply ignore it.
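The triage this post describes, finding which module produces the bulk of the denied entries, excluding only repeated read-only access, and keeping the "KAV denied KAV" entries visible, as an added Python example that is not from the thread or from Kaspersky. It parses the Self-Defense report line format quoted in this thread from a constructed sample; the sample lines and the threshold of two hits are assumptions for illustration.

```python
import re
from collections import Counter

# One Self-Defense report line as quoted in this thread:
#   "<dd/mm/yyyy hh:mm:ss> Denied <module> <action> <target>"
# The lazy "(.+?)" lets a multi-word module name ("Disk Defragmenter NTFS
# Module") stop right before the action keyword.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Denied "
    r"(?P<module>.+?) (?P<action>Open|Modification) (?P<target>.+)$"
)

# Constructed sample in the thread's format (not a real report export).
SAMPLE_REPORT = """\
28/11/2008 16:46:11 Denied Disk Defragmenter NTFS Module Open C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\avp.exe
28/11/2008 16:46:12 Denied Disk Defragmenter NTFS Module Open C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\avp.exe
29/11/2008 10:58:29 Denied Kaspersky Anti-Virus Modification REGISTRY\\MACHINE\\SOFTWARE\\KasperskyLab\\protected\\AVP8\\Trace\\Default
29/11/2008 11:37:32 Denied Disk Defragmenter NTFS Module Open C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\avp.exe
Self-Defense (events: 4)
"""

def parse_report(text):
    """Parse report lines; return (entries, count of lines that did not match)."""
    entries, skipped = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            skipped += 1  # headers or truncated lines: count them, don't hide them
    return entries, skipped

def rank_noise(entries):
    """(module, action, target) tuples, most frequently denied first."""
    return Counter((e["module"], e["action"], e["target"]) for e in entries).most_common()

def exclusion_candidates(entries, min_count=2):
    """Modules repeatedly denied read-only 'Open' access (e.g. a defrag tool walking
    the disk). Modification attempts never qualify, so they stay visible for review."""
    opens = Counter(e["module"] for e in entries if e["action"] == "Open")
    return sorted(m for m, n in opens.items() if n >= min_count)

def self_denials(entries):
    """The 'KAV denied KAV' case: the product's own component is the denied actor."""
    return [e for e in entries if e["module"] == "Kaspersky Anti-Virus"]
```

Run `rank_noise(parse_report(SAMPLE_REPORT)[0])` against a real report export to see which module dominates before adding any exclusion.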

rudger79   
> You can start with an exclusion for "Disk Defragmenter NTFS Module" (should be C:\WINDOWS\system32\DfrgNtfs.exe) maybe it will already help to reduce the messages.

This did the trick. Thanks.

guilijan   
OK, I did; I will see in the next hours if it works.

But somebody in Moscow must take care of these problems and why they happen. It's very crazy that KAV denies KAV.

Otherwise we are blocking the sun with our hands, but the sun is still shining.

Thank you, JanRei

guilijan   

It works for Disk Defragmenter NTFS Module.

But still KAV vs KAV warnings:

Self-Defense (events: 10)

01/12/2008 09:31:53 Denied Kaspersky Anti-Virus Modification REGISTRY\MACHINE\SOFTWARE\KasperskyLab\protected\AVP8\Trace\Default

JanRei   

I don't think there is much a user can do to avoid these entries, but fortunately the number of entries is not very high. I assume that Kaspersky knows about this issue and I hope they will look into it for one of the next versions. However, it probably doesn't have a high priority since it doesn't seem to be related to malfunctions or things like that.


Today I received the same messages related to DfrgNtfs.exe (thousands of them), both in the KIS reports:

 

Protection/Do not group/All Events:

02-Dec-2008 14:52:51 Self-Defense Denied C:\WINDOWS\system32\ dfrgntfs.exe 3580 DfrgNtfs.exe -Embedding Open Process avp.exe

02-Dec-2008 14:52:51 Self-Defense Denied C:\WINDOWS\system32\ dfrgntfs.exe 3580 DfrgNtfs.exe -Embedding Open Process avp.exe

 

and via E-Mail:

 

Product: Kaspersky Internet Security 2009

Operation system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Computer: DELL2400

Domain: OURHOME

 

Notifications:

Important event: 12/2/2008 2:48:00 PM Self-Defense: Disk Defragmenter NTFS Module: Open of our process. Denied.

 

I just upgraded to 8.0.0.506 from 8.0.0.454 yesterday; never had these messages before. I would like to know why dfrgntfs.exe is even running, since it was not requested manually and it is not a scheduled task. Any insight into this would be appreciated.

 

I would like to get a handle on how I can eliminate the annoying "Keylogger Detected" message at every startup. I'm going to do some experimenting with some of the Logitech tasks, since I think that is what is generating them. If anybody else has found out anything about the keylogger warnings, please pass it on.

 

Protection/Do not group/All Events:

02-Dec-2008 16:09:59 Proactive Defense Not terminated: Keylogger Unknown application Keylogger activity

02-Dec-2008 16:09:59 Proactive Defense Detected: Keylogger Unknown application Keylogger activity

02-Dec-2008 16:09:55 Proactive Defense Detected: Keylogger Unknown application Keylogger activity

 

It would be nice if more information than "Unknown application" was given . . . :rolleyes:

 

Here is the log with what happened before & after the keylogger messages:

 

System Security Report/Do not group/All Events:

02-Dec-2008 16:10:13 C:\WINDOWS\system32\ userinit.exe 4060 C:\WINDOWS\system32\userinit.exe Delete HKEY_USERS\S-1-5-21-4185388653-2980597783-663719902-1006\Software\Microsoft\Windows NT\CurrentVersion\Devices/HPLJ4M (Text Only) Network Printer

02-Dec-2008 16:10:13 C:\Program Files\LOGITECH\SETPOINT\LU\ LULnchr.exe 1388 Process exit C:\Program Files\LOGITECH\SETPOINT\LU\LULnchr.exe

02-Dec-2008 16:10:13 C:\Program Files\LOGITECH\SETPOINT\LU\ LogitechUpdate.exe 1952 Process exit C:\Program Files\LOGITECH\SETPOINT\LU\LogitechUpdate.exe

02-Dec-2008 16:10:13 C:\Program Files\LOGITECH\SETPOINT\LU\ LogitechUpdate.exe 1952 Process start C:\Program Files\LOGITECH\SETPOINT\LU\LogitechUpdate.exe

02-Dec-2008 16:10:13 C:\Program Files\LOGITECH\SETPOINT\LU\ LULnchr.exe 1388 Process start C:\Program Files\LOGITECH\SETPOINT\LU\LULnchr.exe

02-Dec-2008 16:10:00 C:\WINDOWS\system32\ imapi.exe 2696 C:\WINDOWS\system32\imapi.exe Process exit C:\WINDOWS\system32\imapi.exe

02-Dec-2008 16:09:59 Unknown application Keylogger activity Not terminated Riskware Keylogger Medium Heuristic analysis

02-Dec-2008 16:09:59 Unknown application Keylogger activity Detected Riskware Keylogger Medium Heuristic analysis

02-Dec-2008 16:09:59 C:\WINDOWS\ EXPLORER.EXE 688 C:\WINDOWS\Explorer.EXE Modification HKEY_USERS\S-1-5-21-4185388653-2980597783-663719902-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum/Implementing

02-Dec-2008 16:09:58 C:\Program Files\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ AGENT.EXE 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe" -Embedding Process exit C:\Program Files\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\AGENT.EXE

02-Dec-2008 16:09:58 C:\WINDOWS\ EXPLORER.EXE 688 C:\WINDOWS\Explorer.EXE Modification HKEY_USERS\S-1-5-21-4185388653-2980597783-663719902-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum/Implementing

02-Dec-2008 16:09:57 C:\Program Files\LOGITECH\SETPOINT\LU\ LogitechUpdate.exe 2844 Modification HKEY_USERS\S-1-5-21-4185388653-2980597783-663719902-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections/DefaultConnectionSettings

02-Dec-2008 16:09:57 C:\Program Files\LOGITECH\SETPOINT\LU\ LogitechUpdate.exe 2844 Modification HKEY_USERS\S-1-5-21-4185388653-2980597783-663719902-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections/SavedLegacySettings

02-Dec-2008 16:09:56 C:\Program Files\LOGITECH\SETPOINT\LU\ LogitechUpdate.exe 2844 Process start C:\Program Files\LOGITECH\SETPOINT\LU\LogitechUpdate.exe

02-Dec-2008 16:09:56 C:\Program Files\LOGITECH\SETPOINT\LU\ LULnchr.exe 2860 Process start C:\Program Files\LOGITECH\SETPOINT\LU\LULnchr.exe

02-Dec-2008 16:09:55 Unknown application Keylogger activity Detected Riskware Keylogger Medium Heuristic analysis

02-Dec-2008 16:09:54 C:\WINDOWS\system32\DLA\ TFSWCTRL.EXE 1176 "C:\WINDOWS\system32\dla\tfswctrl.exe" Modification C:\WINDOWS\system32\DLA\DLA.INI

 

Sorry if this cut/paste is a little "busy"

 

Tomorrow, I think I'll start with LULnchr.exe and see what that does about the keylogger problem. I'm burnt out right now . . .
