Posted (edited)

Wow, what this little exe put me through with Kaspersky.

So I reinstalled Kaspersky premium, instantly it detects keyboard locker as malware again. Mind you I've been using it every day when gaming or cleaning touchpad and keyboard, with Avira I was testing. And a complete FULL scan with Kaspersky finds only one malware, this little 200kb exe. Once it's deleted, another full, hour long complete system scan is clean.

So again, if it was malware, it would have been infecting system for those last two weeks I used it when Kaspersky wasn't installed. It would have done SOMETHING malicious to my system. But as long as that little exe is not on my system,  a full 1 hour scan finds zero malware anywhere. THAT'S how I always knew it was safe, before I even finally managed to get real proof (below). Remember, this all started over 2 weeks back, so it's been a very ridiculous process.

I have every right to legitimately complain, and I am going to write a letter to Kaspersky support about it and express my disappointment and wasting hours of my time over this. Allow me to explain why. I followed all the instructions here in this forum:

I booted in safe mode and it easily allowed me to access the exe file.

Oh by the way, before I go on, I thought you might be interested in virustotal results:

https://www.virustotal.com/gui/file/d4c104c17449e5eded7520d6c77f4dce1df933bd514ad65b515516aad3fc6829?nocache=1

Let that sink in. Do you know I have never seen any so-called malware before, ever, where only one engine has detected it? If it's a false positive, it's always at least 2 or 3 or 4, but when even McAfee and Norton say it's clean, you really know something is wrong LOL.

So much for Kaspersky having the lowest false positives in recent av comparatives April test. And Avira having so much higher. LOL I ran Avira for 2 weeks straight, 24/7, and not a single false positive whatsoever. But I digress.

I want people to understand what I went through to get this exe to submit it for reanalysis.

OK So I booted in safe mode and copied it. As soon as I rebooted back into normal mode, I right clicked and disabled Kaspersky for 5 hours, of course I was going to manually re enable protection when I had submitted the file, but this is why something like Malwarebytes becomes so useful when you need to disable an AV.

You see, disabling Kaspersky means your system is open to everything, as defender does not come back on, and not even if you right click the icon and exit Kaspersky (more on that later).

I use Malwarebytes VPN and have a 2 year plus subscription for 5 devices because I use it on my Mac and my iPhone, and I have it on the PC for second opinion scans like SO many others do. But because I am a paid user of it, when I need to disable an AV, with one click I can enable all real time protections of Malwarebytes so I am NOT NAKED to the internet, so to speak.

Anyway, K was disabled, yet one minute into it, somehow it detected it and deleted it. Same as always, just two options, disinfect or disinfect without restart.

It NEVER puts it into quarantine so I can restore it and add an exception, and if I reinstall it, Windows gives it a different install folder number which it does every time you uninstall and re install any windows store app.

So this was impossible to make an exception for.

It gets better. I had to go all the way and actually tell Kaspersky NOT to start with windows, and then I went back into safe mode, re copied the exe file to a place I had user access, re started and it was gone when the computer booted back into normal windows. So Kaspersky must have some kind of boot time protection.

So I had no option but to uninstall Kaspersky, leave it uninstalled whilst I submitted the file to virus total and the false detection form and just re installed.

Weeks of hell for one app.

As to why I don't use the one other similar alternative app out there, it's incredibly slow, and has made an error before and locked my entire computer and I had to force shut down with power button. The windows store app is lightning fast and just works and always has. So that's why, before anyone asks.

To me, Kaspersky behaved worse than any malware I have personally encountered. The real problem is the disinfection pop up that gave me no option to add it as an exception, no matter what I tried.

It does make one think, and before anyone thinks I am whining, just remember I've spent about 10 hours of real time on this, submitting reports, testing other AVs, and so on. Kaspersky should not have behaved this way and given me an easy option to exclude it, like every other, I mean EVERY other AV I tested. How did I test the other AV's (I made a complete list of the ones I fully tested, about 17 of them, the ones that had 100% functional trials, but that's another story for another time), well I used Eicar files. All of them bar Kaspersky allow simple restore from quarantine. ALL of them. Kaspersky just deletes.

The thing is, if it's actually something like an info stealer or ransomware, of course I want Kaspersky to delete it, but just for my own info, is there ANY setting, something in Kaspersky that could have saved me from this fresh hell with this innocent little file?

TIA as always and sorry for my rant, now I can chill, K finally has the exe and I am sure before long I'll be able to use the app again.

Cheers

Edited by Bav
harlan4096
Posted

Can You tell me where to find and download that file?

Posted (edited)

Ok it's a paid windows store app

Kaspersky has already deleted it again as soon as I re installed, however since it's so small, I'll try the safe mode tricks and upload it compressed here...

BRB.

Ok, 10 minutes later, here you go. By disabling AND then exiting Kaspersky, and THEN re installing the app from windows store, I was able to do this.

Hope that helps.

Edit, can't upload even zip files, here it is on my google drive. I hope the dev doesn't mind me doing this as it's purely in the interest of stopping the constant removal of it by Kaspersky. Actually I'll PM you with the link.

Edit 2, I had to wait 3 minutes before I sent the PM, I guess there's some anti flooding safe guards here.

But all sent now, let me know if there was any issue with download, I compressed it with winrar and uploaded it as a publicly accessible file to my google drive for anyone who has the link.

Cheers!

Edited by Bav
uploaded file to PM, just letting mod know.
harlan4096
Posted

Got it, thanks!

harlan4096
Posted

Should I follow some additional steps to reproduce the issue, or just run it?

I don't see the file You sent me can be installed, it just executes 🤔

Posted

Hmm, with me, the exe just existing anywhere makes Kaspersky delete it. Maybe try run it? lol. You can see in the virus total that K is the only one saying it's malware, so I am surprised if it hasn't reacted yet with you?

Thanks for this anyway 🙂

Posted

I did submit it so it's probably been fixed, they are very fast with FP's once they have the actual file to test. It's probably been say 2 hours since I submitted it.

Let me check over here. Will try install it again!

Yep, it's fixed! Wow. Finally. It's kind of a shame no one else experienced it LOL however I also wouldn't wish it on anyone, so, small blessings! Everything I went through and wrote in all those posts in that topic was 100% true. As you can see the virustotal has already changed and now it's a negative with Kaspersky. Amazing. I thought the link was a snapshot of how it was at the time, but it's a changing link! I should have taken a pic. Oh well, at least it's over!

Posted

Yeah I noticed that. We know it's safe though as the guys and gals at the K labs would not have ratified the FP so quickly once they actually received the exe. It was getting it to them that was the issue, and I still say that the way K handled it was so wrong, no quarantine, not allowing me to except it and so on. I've really never experienced anything like it with any other AV. But all's well that ends well.

It's late here in OZ, off to sleep. Thanks again for your help.

Cheers

Theo

harlan4096
Posted

It's weird Your K. did not save a copy in Quarantine when removed 🤔 what version of K. product do You have?

Still, I recall not the 1st time a K. user comes telling the same, that K. did not save in Quarantine before removed...


Posted

Kaspersky Premium

21.20.8.505

I can not believe I am still awake at 1am. I have issues LOL.

harlan4096
Posted

Got K. analyst verdict:

Quote

Hello,

Sorry, it was a false detection. It should be already fixed.
Please update your antivirus bases.

Best regards,

Posted

Oh, I thought I sent this long email to a PM, I think I accidentally posted it here, I am too tired to think. Will look again in the morrow. If it's here, please forgive me, it was meant as a PM to Harlan (all this time I thought this entire chat was the PM, that's how much my brain needs to rest, I only just realized now it's the public forum lol).