jb_wisemo

  1. The reproduction method is to use the Swedish browser “Pale Moon” with the latest compatible versions of the “uMatrix” and “RequestPolicy” browser extensions to control insecure cross-domain sharing of login information. It might be possible to create a similar permission-prompting configuration with the latest Firefox and compatible plugins. Using these, it becomes very visible that the login process gets redirected and cross-domain loaded back and forth between domains under kaspersky.com and domains under other companies (including algolia.net, insided.com, numbered accounts under cloudfront.net and various javascript CDNs). During the login process, recaptcha.net also appears in the list of domains accessed.
  2. ⚠ KES 11.5 detects HEUR:Trojan.AndroidOS.Boogr.gsh in the Android bytecode (classes.dex) in an apk we have archived on our file server (so not detected on Android, only by file system scanning on a Windows client endpoint). 🤔 As this is a Heuristic detection, the likelihood of a false alarm is higher, so for now, I have simply tried adding the detection to exclusions via the “Active threats” window. However, rescanning the files (using avp.com SCAN) after adding the exclusions keeps redetecting the threat as if it wasn’t excluded. So the questions are: What is HEUR:Trojan.AndroidOS.Boogr.gsh supposed to detect and is there a way to manually examine file contents to check if it is a false alarm? Why doesn’t adding an exclusion prevent redetecting the same exact threat in the same exact file, and adding the threat back into the “Active threats” window? Why does scanning the directory containing the apk report this threat as being in filename.apk instead of filename.apk/classes.dex ?
  3. When logging in to these forums today, I found that the “new” community/forum system run by Algolia and its further integration with Kaspersky Company accounts has a number of problems with “ad blocking” browser plugins, some of these related to the use of Google ReCaptcha on the login page. Basically, any attempt to whitelist the cacophony of javascript domains loaded by the login page causes the login page to error out, requiring the user to go back to the community front page and click the login link again. It should also be noted that the use of Google scripts on login pages may pose a security risk when used on any Russian login page, as it seems that Google will be able to change their javascript code to actively hunt down and extract the usernames and passwords used on the login page, and they might potentially share such sensitive login information with their government, which is obviously not the Russian Government, which should be a concern for Kaspersky, given prior conflicts between Kaspersky Labs and said government.
  4. We are using KES on a number of computers (some running Linux, hence the need to use a KES license for our small business), but not the (somewhat loosely slapped together) KSC. The release of KES 11.4 has caused the standalone KES 11.3 installations to report that the 11.4 update requires acceptance of new license terms, but looking in the release notes in the Kaspersky knowledge base contains no list of what was intentionally changed in the terms and conditions (which are rather long to read) compared to earlier versions such as 11.0 and 11.3. So what are the changes in Kaspersky’s license terms upon installing 11.4?
  5. When going to https://activation.kaspersky.com/en to activate a new license purchase, my web browser tells me the page has an untrusted certificate. In fact the certificate was issued by an internal Kaspersky policy CA, and has a long (5 years) validity period, with even longer validity periods for the intermediary CAs in the cert chain. Additionally, the certificate indicates that information for that Kaspersky PKI is at URLs below pki.kaspersky.com, but the front page of pki.kaspersky.com just gives a “403 Forbidden” error page, so no information to reassure us of the validity of this PKI. Also, there is no https access to pki.kaspersky.com. Please fix your server setup so corporate licenses can be activated. P.S. The page seems to unsafely redirect to https://keyfile.kaspersky.com/en which has a proper certificate, but the order confirmation mail instructs customers to go to https://activation.kaspersky.com/en so that page needs a valid certificate too.
  6. We use KES 11.0.1.90 for Windows with no license for the disk encryption feature. Yet today we are getting a Yellow triangle telling us to install "security fix 1" for the disk encryption feature. The short description tells us to read more at https://support.kaspersky.com/15118 but that page doesn't even exist! What's going on? Should this security fix be installed or ignored on KES without a disk encryption license?