chestfindman
Posted

Hi,

I'm using Kaspersky Free 21.18.5.438(a) and Windows 10.

Kaspersky keeps detecting "malware" and pointing to a registry branch.

However, I created this registry branch myself and know what I'm doing. All I need is to make some form of exclusion for it, but there seems to be no way to add registry branches to exclusions (it offers the option to "add to exclusions" but it's not effective).

I had to disable "Perform recommended actions automatically" because otherwise it would undo the change immediately.

It looks as if Kaspersky finds this "malware" via background scanning, so I tried disabling that feature, yet somehow even when disabled the scan still runs (that might be a bug of its own).

The branch: reg:\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe:Debugger

Classification: HEUR:Trojan.Multi.Ifeodeb.a

I get why it suspects the change, but this is something I'm doing for my own purposes, there should be a way to add an exception.

Flood and Flood's wife
Posted
5 hours ago, chestfindman said:

I'm using Kaspersky Free 21.18.5.438(a) and Windows 10.

Kaspersky keeps detecting "malware" and pointing to a registry branch.

However, I created this registry branch myself and know what I'm doing. All I need is to make some form of exclusion for it, but there seems to be no way to add registry branches to exclusions (it offers the option to "add to exclusions" but it's not effective).

I had to disable "Perform recommended actions automatically" because otherwise it would undo the change immediately.

It looks as if Kaspersky finds this "malware" via background scanning, so I tried disabling that feature, yet somehow even when disabled the scan still runs (that might be a bug of its own).

The branch: reg:\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe:Debugger

Classification: HEUR:Trojan.Multi.Ifeodeb.a

I get why it suspects the change, but this is something I'm doing for my own purposes, there should be a way to add an exception.

Hello @chestfindman

Welcome!

  1. Is the original source of the Narrator from MS?
  2. Using Kaspersky Threat Intelligence Portal & Virus Total to scan Narrator - what results are shown please?
  3. As a user of Kaspersky Free software unfortunately there's no access to Kaspersky support, however, it would be good to have the issue analysed by Kaspersky's Virus Lab & a wonderful Moderator @harlan4096 is a real whiz at that, so we've pinged him for your issue -> please *zip* the Narrator.exe - protect the zip with a password, either *MALICIOUS* or *INFECTED* -> upload the zip to cloud & then wait for further instructions please.

Thank you🙏
Flood🐳+🐋

harlan4096
Posted

@chestfindman can you compress the file with password "infected" (without "), upload it to a cloud service and send me the link to download it via personal message of the forum? Thanks!

  • Like 1
  • Thanks 1
chestfindman
Posted

To clarify, Kaspersky is not pointing to a physical file on disk.

There is no file, infected or otherwise. Files are not involved, that is the problem.

Kaspersky doesn't like the registry branch itself.

I originally posted this issue in a different thread (moved by moderation staff) because this is not about a specific item that can be cleared as a false positive, this is about a feature of Kaspersky itself, that is triggering a "false positive alarm" (for lack of a better term).

The issue is a lack of configuration on Kaspersky's side, i.e. a way to either somehow whitelist this issue to prevent further nagging of the user, or at the very least a way to configure the application so it doesn't automatically bark at registry edits made on the user side.

I don't want to reiterate OS specific features and debugging tools as a whole and I don't know how to make this any clearer.

You can reproduce this issue on your end with ease by creating the registry branch on the OS.

Here is an example (64bit W10):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe]
"Debugger"="dllhost.exe"

 

  • Thanks 1
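An added example, not part of the original thread or of any Kaspersky tooling: since the detection is keyed on an Image File Execution Options `Debugger` value rather than on a file, one way to keep such entries under review is to export the branch and compare every `Debugger` value against a list of entries you created yourself. The `exampleapp.exe` entry and the `APPROVED` allowlist are constructed for illustration.

```python
import re

IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options").lower()

# Constructed sample in .reg export format. The first entry is the one from
# the thread; the second is an invented entry that has been reviewed.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe]
"Debugger"="dllhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exampleapp.exe]
"Debugger"="\"C:\\Tools\\exampledbg.exe\" -g"
"GlobalFlag"=dword:00000000
'''

# Hypothetical allowlist of reviewed (image, debugger command) pairs, lowercase.
APPROVED = {("exampleapp.exe", r'"c:\tools\exampledbg.exe" -g')}
KEY_RE = re.compile(r"^\[(.+)\]$")
SZ_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def ifeo_debuggers(export_text):
    """Return [(image, debugger)] for Debugger strings directly under IFEO image keys."""
    found, image = [], None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            prefix, _, leaf = m.group(1).rpartition("\\")
            image = leaf if prefix.lower() == IFEO else None
            continue
        m = SZ_RE.match(line)
        if m and image and unescape(m.group(1)).lower() == "debugger":
            found.append((image, unescape(m.group(2))))
    return found

def audit(export_text, approved=APPROVED):
    """Split findings into (reviewed, unreviewed) using the allowlist."""
    reviewed, unreviewed = [], []
    for image, dbg in ifeo_debuggers(export_text):
        known = (image.lower(), dbg.lower()) in approved
        (reviewed if known else unreviewed).append((image, dbg))
    return reviewed, unreviewed

for image, dbg in audit(SAMPLE_EXPORT)[1]:
    print(f"UNREVIEWED IFEO debugger: {image} -> {dbg}")
```
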
Flood and Flood's wife
Posted
6 minutes ago, chestfindman said:

I originally posted this issue in a different thread (moved by moderation staff) because this is not about a specific item that can be cleared as a false positive.

Thanks for the clarification. 

Please share the link to that thread @chestfindman?

Thank you🙏
Flood🐳+🐋

chestfindman
Posted
1 minute ago, Flood and Flood's wife said:

Thanks for the clarification. 

Please share the link to that thread @chestfindman?

Thank you🙏
Flood🐳+🐋

What I meant was that this issue ended up in "Virus and Ransomware" because it was moved here.

I opened the issue in the category relating specifically to Kaspersky Free as this is a feature issue.

  • Thanks 1
Posted

@chestfindman

The best option for a ‘feature issue’ is Kaspersky Technical Support (Only for paid users)

chestfindman
Posted

I moved to the "free" version away from the commercial one exactly because of things like these.

This software has been declining in quality progressively over the years. It's riddled with tiny issues like these that were actually introduced by new versions (old ones now out of support didn't have them) and the general policy seems to be focused exclusively on profits over any kind of standard of quality or much less user functionality and/or friendliness. Not to mention that the functionality has been phased out in chunks (by different departments).

This is the final push that I needed to phase it out entirely from my daily use so thank you and you can close this thread.

  • Thanks 1
  • The topic was locked