Roothieboi1337
Posted

Hello, I'm a user of Kaspersky Premium (sorry, I couldn't find the right product category). I was using the same tool 3 months ago with Kaspersky without any problem. But now the antivirus blocks the tool and the Ethernet connection. When I checked the logs, a service called "Windivert" causes the issue, so I tried to exclude this service, but it didn't work. I also disabled all of the protection components to find out the issue, but the blockage still stands until I completely close the AV software. This is my exclusion panel; please let me know if you see any mistake in how I set the parameters. In addition, how do I check a detailed log about what's actually going on in the AV?

[screenshot: exclusion panel]

Flood and Flood's wife
Posted (edited)
2 hours ago, Roothieboi1337 said:
  • I'm a user of Kaspersky Premium (sorry, I couldn't find the right product category).
  • I was using the same tool 3 months ago with Kaspersky without any problem.
  • But now the antivirus blocks the tool and the Ethernet connection.
  • When I checked the logs, a service called "Windivert" causes the issue, so I tried to exclude this service, but it didn't work.
  • I also disabled all of the protection components to find out the issue, but the blockage still stands until I completely close the AV software.
  • This is my exclusion panel; please let me know if you see any mistake in how I set the parameters.
  • A. -> In addition, how do I check a detailed log about what's actually going on in the AV?


Hello @Roothieboi1337

Welcome!

  • Don't worry about the topic being in the wrong section; we've put in a request for it to be moved, it's not a problem.
  1. What are the *actual* errors shown when Kaspersky blocks Windivert? -> Post a full-screen screen-print including system date & time please. The *errors* will help *refine* the exclusions -> Hide any personal information before posting.
  2. Which Windows OS & *Build*? In Windows SEARCH, type WINVER, open the WINVER app & post back all of the information shown please.
  3. A. -> In Kaspersky Reports, select the timeframe for when the issue has been happening (either a day OR a week, so the report is not huge); in the search field, search for Windivert.
  4. To apply exclusions - in the first instance - you may have to turn OFF "Perform recommended actions automatically": [screenshot]
  5. Also, in Intrusion Prevention, Manage applications, after adding the exclusions, check the status of the application(s).
  6. Windivert -> Kaspersky shows: not-a-virus:HEUR:RiskTool.Multi.WinDivert.gen. This is a standard Kaspersky warning - to inform in case the users do not know the software is on the computer OR, when downloading, in case the user does not know the potential for the software to do harm; it's saying it's not a virus, it's a Risk-tool. READ: Not-a-Virus: What is it?
  7. The exclusion should look similar to the following, with the actual error in the Object name field: [screenshot]

Thank you🙏
Flood🐳+🐋

Edited by Flood and Flood's wife
added image
  • Like 1
Roothieboi1337
Posted

Hello @Flood and Flood's wife, I've collected some of the information that you requested. I needed to disable all of the exclusions that I manually added.
The first notification is this:

[screenshot: first notification]

  1. Then I clicked "Add to exclusions" at the bottom-right corner.
  2. I checked the Notification Center and I see this (screenshot taken before I clicked "Add to exclusions"): [screenshot]
  3. I reviewed the exclusion that was automatically added: [screenshot]
  4. This is when I adjusted the time period filter to find the actual error, as you asked: [screenshot]
  5. At the bottom it shows detailed information about this highlighted error: [screenshots]
  6. Additionally, I exported the report, but I couldn't upload the .txt file, so I copy-pasted the content below:
    Today, 12/12/2024 12:05:27    C:\Users\ROOT\Documents\sq\x86_64\WinDivert64.sys    WinDivert64.sys    C:\Users\ROOT\Documents\sq\x86_64    
    File    Detected    We found an application that can be used by intruders to damage your computer or personal data.    
    Detected    not-a-virus:HEUR:RiskTool.Multi.WinDivert.gen    Legitimate software that can be used by intruders to damage your computer or personal data    Low    Exactly        avp.exe    
    C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.19\avp.exe    
    C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.19        ROOT-MACHINE\ROOT    Active user    Expert analysis
        Today, 12/12/2024 12:03:06                        Task started                            avp.exe    
    C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.19\avp.exe    
    C:\Program Files (x86)\Kaspersky Lab\Kaspersky 21.19        ROOT-MACHINE\ROOT    Active user  
  7. Lastly, this is my WINVER information: [screenshot]

I don't know why, but these screenshots were not low quality. I can find other ways to upload these screenshots if you need.

  • Thanks 1
Flood and Flood's wife
Posted
3 hours ago, Roothieboi1337 said:

24H2, 26100.2605, Kaspersky Premium 21.19  

I've collected some of the information that you requested. I needed to disable all of the exclusions that I manually added.

C:\Users\ROOT\Documents\sq\x86_64\WinDivert64.sys WinDivert64.sys C:\Users\ROOT\Documents\sq\x86_64 File Detected  We found an application that can be used by intruders to damage your computer or personal data.  Detected  not-a-virus:HEUR:RiskTool.Multi.WinDivert.gen  Legitimate software that can be used by intruders to damage your computer or personal data  Low  Exactly      

Hello @Roothieboi1337

Thank you for the information!

  1. Try adding asterisks before & after the object name -> *Object name* - as shown in this image: [screenshot]

Thank you🙏
Flood🐳+🐋

  • Like 1
Roothieboi1337
Posted

Didn't work 😔; it still blocks the Ethernet while the AV software is running. [screenshot]

  • Thanks 1
harlan4096
Posted

I would just let K. remove it. Do you actually need that suspicious file? I guess nothing will happen if you just remove it.

"WinDivert.sys used for game cheating, and to steal usernames and password. You might want to remove it."

https://forums.tomsguide.com/threads/hacking-program-on-my-pc-windivert-sys.427543/

K.'s exclusions system works differently than in other security products. You can create exclusions in general when the product detects a false positive, but for those files that are actually suspicious or directly malware, and added to the K. signatures, even creating full exclusions, the product will continue warning you; I think it is by design and for security.

  • Like 1
  • Thanks 1
  • Sad 1
Roothieboi1337
Posted (edited)

Okay. My country uses a Deep Packet Inspection system to block DNS servers, and it also blocks Discord. Yes, I can use a VPN (Kaspersky VPN Premium in this case) for that, but the other online client platform that I use simultaneously doesn't allow VPN servers; it blocks 80% of the premium VPN server list, and the remaining 20% come with 200ms+ ping. I make my living by using Discord and the others. I've been using GoodByeDPI for more than a year, and 9 months of it was with Kaspersky. Maybe there is other software, batches etc. using this Windivert.sys for malicious purposes, but it also provides a clean escape route from assaults on freedom. I'm really sorry if Kaspersky doesn't really give the freedom of what we want. I always give Kaspersky the benefit of the doubt.

Edited by Roothieboi1337
  • Thanks 1
Flood and Flood's wife
Posted (edited)
1 hour ago, andrew75 said:

@Roothieboi1337, try clearing the "Object name" field.

Hi @andrew75

Thanks for pitching in, we already have; sadly it's not successful.

[screenshot]

13 hours ago, Roothieboi1337 said:

Okay. My country uses a Deep Packet Inspection system to block DNS servers, and it also blocks Discord. Yes, I can use a VPN (Kaspersky VPN Premium in this case) for that, but the other online client platform that I use simultaneously doesn't allow VPN servers; it blocks 80% of the premium VPN server list, and the remaining 20% come with 200ms+ ping. I make my living by using Discord and the others. I've been using GoodByeDPI for more than a year, and 9 months of it was with Kaspersky. Maybe there is other software, batches etc. using this Windivert.sys for malicious purposes, but it also provides a clean escape route from assaults on freedom. I'm really sorry if Kaspersky doesn't really give the freedom of what we want. I always give Kaspersky the benefit of the doubt.

Hello @Roothieboi1337

Thank you for posting back!

This particular warning is Kaspersky 'advising' their subscribers that the software is installed & has the *potential* to do harm; nothing more, nothing less.

The majority of these can be overridden; for some reason WD is proving to be a PIA. 

You're more than welcome to raise the issue direct with Kaspersky / the Kaspersky Virus Lab, we don't expect them to *reclassify* WD but they may know a trick to circumvent the issue, that those of us who've contributed to this issue have not suggested; for contact & process, follow these steps:

  1. *Zip* the executables that are being blocked by Kaspersky - protect the zip with a password, either *MALICIOUS* or *INFECTED*; add the zip archive to the problem when you submit it & *include the archive password*.
  2. Log a case with Kaspersky Customer Service, https://support.kaspersky.com/b2c#contacts - on the support page, select either Chat or Email, then fill in the template as shown; please include a *detailed history*. Support may request logs, traces & other data; they will guide you.
  3. *Also* -> IF using Chat, ask the operator to email (you) a copy of the chat transcript *before* ending the chat - otherwise (you'll) have no record of the chat.

[screenshot]

Please share the outcome, with the Community, when it's available?

Thank you🙏
Flood🐳+🐋

Edited by Flood and Flood's wife
grammar
  • Thanks 1
AlexeyK
Posted (edited)
1 hour ago, Flood and Flood's wife said:

we already have; sadly it's not successful

Check the path (x86 vs. x64). And files too: WinDivert32.sys vs. WinDivert64.sys. 🙂

Spoiler

[screenshot]


Edited by AlexeyK
  • Like 3
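To check an exclusion entry against what the report actually flagged (the report export posted earlier, the asterisk wildcards suggested above, and the x86 vs. x64 / WinDivert32 vs. WinDivert64 path point), here is an added Python example; it is not code from this thread or from Kaspersky. The report sample is constructed in the shape of the quoted export, the severity set is assumed, and the glob-style matching is an approximation rather than Kaspersky's documented exclusion rules.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the shape of the report export quoted in the thread
# (one event per line, tab-separated columns); it is not a real Kaspersky export.
SAMPLE_REPORT = "\n".join([
    "\t".join(["Today, 12/12/2024 12:05:27",
               r"C:\Users\ROOT\Documents\sq\x86_64\WinDivert64.sys",
               "WinDivert64.sys", r"C:\Users\ROOT\Documents\sq\x86_64",
               "File", "Detected", "We found an application ...", "Detected",
               "not-a-virus:HEUR:RiskTool.Multi.WinDivert.gen",
               "Legitimate software ...", "Low", "Exactly", "avp.exe"]),
    "\t".join(["Today, 12/12/2024 12:03:06", "", "", "", "Task started", "avp.exe"]),
])

# Verdicts look like "HEUR:RiskTool.Multi.WinDivert.gen", optionally prefixed with
# "not-a-virus:"; object paths look like "C:\...\file.ext".
VERDICT_RE = re.compile(r"^(?:not-a-virus:)?[A-Za-z]+:[\w.-]+$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.\w+$")
SEVERITIES = {"Low", "Medium", "High", "Critical"}  # assumed set; the page shows "Low"

def parse_report(text):
    """Return one record per 'Detected' event: time, object path, verdict, severity."""
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if "Detected" not in fields:
            continue  # 'Task started' and similar rows carry no verdict
        events.append({
            "time": fields[0],
            "path": next((f for f in fields if PATH_RE.match(f)), None),
            "verdict": next((f for f in fields if VERDICT_RE.match(f)), None),
            "severity": next((f for f in fields if f in SEVERITIES), None),
        })
    return events

def exclusion_covers(exclusion, path):
    """Glob-style, case-insensitive match of one exclusion entry against a detected
    object path (an approximation; not Kaspersky's documented matching rules).
    An entry with no directory part is compared with the file name only."""
    exclusion, path = exclusion.lower(), path.lower()
    if "\\" not in exclusion:
        return fnmatchcase(path.rsplit("\\", 1)[-1], exclusion)
    return fnmatchcase(path, exclusion)

def uncovered_detections(report_text, exclusions):
    """List the (verdict, path) pairs that none of the given exclusions would match."""
    return [(e["verdict"], e["path"]) for e in parse_report(report_text)
            if e["path"] and not any(exclusion_covers(x, e["path"]) for x in exclusions)]
```

Running `uncovered_detections(SAMPLE_REPORT, [r"C:\Users\ROOT\Documents\sq\x86\WinDivert32.sys"])` still lists the x86_64 WinDivert64.sys detection, while `[r"*WinDivert64.sys"]` returns an empty list.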
Flood and Flood's wife
Posted
11 minutes ago, AlexeyK said:

Check the path (x86 vs. x64). And files too: WinDivert32.sys vs. WinDivert64.sys. 🙂

Hello @AlexeyK

Thanks for your input!

*All* exclusions are there & correct; the *inserted* alert screen-print & the larger image were merged from the other day, to save time.

@Roothieboi1337 can recheck if he wishes; we're confident in our analysis.

Thank you🙏
Flood🐳+🐋

  • Like 2
KarDip
Posted (edited)

@Roothieboi1337

Maybe try this below:

Kaspersky Firewall Configuration

Kaspersky’s Firewall may flag altered or non-standard packets as suspicious.

Also maybe you can explicitly allow GoodByeDPI traffic:

  1. Create a Custom Rule:
    • Open Kaspersky Premium.
    • Go to Settings > Network Settings > Firewall.
    • Click on Configure Application Rules.
    • Find or add GoodByeDPI's executable(s) and the Windivert driver (windivert.sys):
      • Set them to Allow for all network connections.
  2. Allow Specific Ports or Protocols:
    • Under the Firewall settings:
      • Navigate to Packet Rules or Network Rules.
      • Add a rule to explicitly allow all traffic for the ports/protocols used by GoodByeDPI (e.g., TCP/UDP on ports 80, 443).
    • For non-standard packets:
      • Allow ICMP, fragmented packets, or other custom traffic as needed.
  3. Exclude DPI-altered Traffic:
    • If GoodByeDPI uses specific custom packets, add an application exclusion rule for its executables:
      • Go to Settings > Threats and Exclusions > Manage Exclusions.
      • Exclude the executables and processes entirely.
Edited by KarDip
adjusted fonts
  • Thanks 1
Posted
2 hours ago, Flood and Flood's wife said:

Thanks for pitching in, we already have; sadly it's not successful

If a rule is written correctly, it cannot fail to work 🙂

On 13.12.2024 at 13:05, harlan4096 said:

You can create exclusions in general when the product detects a false positive, but for those files that are actually suspicious or directly malware, and added to the K. signatures, even creating full exclusions, the product will continue warning You

This is not true. Correctly created exclusions will work in any case.

In Russia GoodByeDPI is used quite actively. So I know what I'm talking about.

  • Like 2
harlan4096
Posted

Not in my experience; that can be true for some modules, but not when you run a manual specific scan, as I recall 🤔: it would still be detected in spite of the exclusion. Maybe that changed with the latest versions; I haven't checked again...

Posted

Yes, when scanning manually, exclusions do not work.

  • Like 2
Posted (edited)
29 minutes ago, harlan4096 said:

when you run a manual specific scan, as I recall 🤔: it would still be detected in spite of the exclusion

If you scan a separate file (not a folder or drive) via the Windows context menu, the exclusion doesn't work. It's "by design".

[screenshot]

Edited by AlexeyK
  • Like 1
harlan4096
Posted

Agree, as I said in my previous post.

  • Like 1
Posted
On 13.12.2024 at 13:05, harlan4096 said:

K.'s exclusions system works differently than in other security products. You can create exclusions in general when the product detects a false positive, but for those files that are actually suspicious or directly malware, and added to the K. signatures, even creating full exclusions, the product will continue warning you; I think it is by design and for security.

Detections and exceptions for "false positive" or "malicious" files are the same. The product knows nothing about false or correct detections; it's not a malware analyst. And with a correctly configured full exception, the detection will only occur if you scan a separate file via the context menu. If there is a detection in other cases, the full exception was configured incorrectly.

  • Like 1
Posted

@Roothieboi1337

Your Long-term Options

  1. Maybe worthwhile to Report a False Positive to Kaspersky:
    • If Windivert and GoodByeDPI are clean, submit both the executables and windivert.sys to Kaspersky's false positive portal:
      • Kaspersky False Positive Submission
    • Explain that you use GoodByeDPI for legitimate purposes.
  2. Maybe you can try Split Tunneling in Kaspersky VPN:
    • Kaspersky VPN allows split tunneling, meaning you can bypass VPN for specific applications. Configure it so:
      • Discord uses the VPN.
      • Your other online platform connects without the VPN.
    • This way, Discord avoids DPI, and the other client works without VPN interference.
  3. Run GoodByeDPI in a Virtual Machine:
    • Use a lightweight Virtual Machine (e.g., VirtualBox or VMware) to run GoodByeDPI and route traffic only for Discord through it.
    • This keeps your main system unaffected by Kaspersky.
    • Let me know if you need step-by-step guidance on any of these configurations!
  • Like 1
Posted

I already sent the WinDivert file to K. analysts, and they replied that the detection is correct; they won't change the detection.

  • Like 2
  • Thanks 1
