
False Positive: OmenCore.exe detected as Trojan-Downloader.MSIL.Krocomain.abp and deleted


Solved by harlan4096

Posted

Hello Kaspersky Team and Community,

I am reaching out to request an expert analysis / false positive investigation for the file OmenCore.exe, which Kaspersky is detecting as a Trojan and automatically deleting.

🖥️ System Information

Operating System: Windows 11 Pro 24H2 (Build 26100.8328)

Kaspersky Product: Kaspersky Premium 21.25.7.504 (Latest version, all databases up to date)

🛡️ Kaspersky Detection Details

| Field | Value |
| --- | --- |
| Result | Deleted |
| Type | Trojan |
| Detection Name | Trojan-Downloader.MSIL.Krocomain.abp |
| Accuracy | Exact |
| Threat Level | High |
| Object Type | File |
| Object Name | OmenCore.exe |

📋 What is OmenCore?

OmenCore is an open-source, modern, lightweight control center that replaces HP OMEN Gaming Hub. It is built with .NET 8 and WPF, providing professional-grade hardware control without bloat, telemetry, or mandatory sign-ins.

Key features include:

Custom fan curves with temperature breakpoints

WMI BIOS control for HP OMEN laptops

Real-time monitoring with live CPU/GPU temperature history charts

Per-fan telemetry and Embedded Controller (EC) access

Official Links:

🌐 Website: https://omencore.pages.dev/

📂 GitHub Repository (Open Source): https://github.com/theantipopau/omencore

⚠️ The developer's own antivirus note states: "Some AV products flag OmenCore's kernel driver as suspicious — this is a known false positive for hardware utilities that use low-level driver access."

Known detections by other vendors (all considered false positives):

Windows Defender → HackTool:Win64/WinRing0

Bitdefender → Gen:Application.Venus.Cynthia.Winring

These detections are triggered because OmenCore uses WinRing0 (a well-known open-source kernel driver) to access hardware-level features like EC registers and fan control — which is standard practice for hardware monitoring utilities.

🔍 VirusTotal Analysis

I have uploaded the file to VirusTotal for independent verification:

🔗 VirusTotal Link: https://www.virustotal.com/gui/file/cb2b4b95226fd479aad7333c2090b23f35b92b1058d699baf7023752359bd0f7?nocache=1

SHA-256: cb2b4b95226fd479aad7333c2090b23f35b92b1058d699baf7023752359bd0f7

Please review the detection ratio — the majority of engines show the file as clean.

My Request

I believe this is a false positive detection. OmenCore is an open-source, community-trusted application hosted on GitHub with full source code transparency. It uses low-level WMI BIOS and EC (Embedded Controller) access via WinRing0 driver, which may trigger heuristic-based detections.

I kindly request the Kaspersky analysts to:

 Review the file and the VirusTotal report

 Examine the open-source GitHub repository for full code transparency

 Confirm whether this is a false positive

If confirmed, update the Kaspersky signature database to whitelist this application

Thank you very much for your time and support. I look forward to your analysis.

harlan4096
Posted

Welcome to Kaspersky Community. 

 

I just sent your URL to K. analysts, waiting for final verdict.

  • Solution
harlan4096
Posted
Quote

Hello,

Sorry, it was a false detection. It will be fixed.
Thank you for your help.

Best regards,
Malware Analyst, Kaspersky

For both: exe and .zip

  • Like 2
Posted
4 hours ago, harlan4096 said:

For both: exe and .zip

Hello harlan4096,

Thank you very much for the fast response and for forwarding the file to the analysts.

I'm really glad to hear that it was a false positive and that the detection will be fixed soon for both the .exe and the .zip files.

I appreciate your help and the malware analyst’s work on this!

Best regards,

  • Like 1
