
How come an unofficial exe was put in the Trusted category of the App Firewall?


Studynx
Posted

I did a test with KTS on a VM where it wasn't in Enhanced Session mode, so no Ctrl+C / Ctrl+V worked, to secure myself.

I downloaded this exe <removed>, ran it via VirusTotal, nothing found, OK. I ran it on the VM, and I looked in the App Firewall; it was put in the Trusted category. Why? It's not the official program, and according to VirusTotal, it doesn't have a valid certificate. Apparently the Trusted category is applied if either it has a valid digital certificate OR it's found in the Kaspersky database... How can a non-official patched program be in the Kaspersky database as safe?

 

Am I misunderstanding something?

harlan4096
Posted

Welcome to Kaspersky Community.

 

[Image: screenshot]

 

This file HitmanPro_x64.exe appears as Trusted in KSN (so probably not modified), but not the other HitmanPro.exe...

Studynx
Posted
13 minutes ago, harlan4096 said:

Welcome to Kaspersky Community.

 

[Image: screenshot]

 

This file HitmanPro_x64.exe appears as Trusted in KSN (so probably not modified), but not the other HitmanPro.exe...

The one I linked to, from the torrent site, was indeed put in the Trusted category, hence my question. 

Which is something I don't understand how it could happen

harlan4096
Posted

I also downloaded the files from that torrent link, and checked both exes with KSN.

 

Every app Trusted in KSN will be put in the Trusted group, so maybe you executed that one...

Studynx
Posted
2 minutes ago, harlan4096 said:

I also downloaded the files from that torrent link, and checked both exes with KSN.

 

Every app Trusted in KSN will be put in the Trusted group, so maybe you executed that one...

No, I ran the one from the torrent site. In fact I'm going to do it again and show you

[Image: screenshot hosted on Imgur]

 

As you can see, somehow this app from the torrent site got put in the Trusted category

harlan4096
Posted

Those 2 captures I posted are from the torrent site I also downloaded... and one of them, the x64, looks legit, seems it is Trusted in KSN, as I showed in one of my captures.

Studynx
Posted
Just now, harlan4096 said:

Those 2 captures I posted are from the torrent site I also downloaded...

Okay so I guess my question is how come that "unofficial" exe is in the KSN database as a safe app if it's not the official application downloaded from Hitmanpro's official website? It's pre-patched, it's not the official app and lacks a valid signature

harlan4096
Posted

I don't know... I will investigate it, trying it in a VM...

KOTIP analysis:

https://opentip.kaspersky.com/E482B49A4FB1A43700C4E23E7C8F0794EF6FC06422644ED75907995A6B7A4187/results?tab=upload

https://www.virustotal.com/gui/file/e482b49a4fb1a43700c4e23e7c8f0794ef6fc06422644ed75907995a6b7a4187/detection

It's weird, because almost no main AV firms detect it as suspicious... 🤔

I've already reported it to K. analyst via KOTIP.

Studynx
Posted
5 minutes ago, harlan4096 said:

So 9 suspicious activities but then the file is clean? How am I supposed to interpret this?

Posted

Don't worry.

I use pre-patched HitmanproA too.

It is safe and there is no scan detection from Kaspersky,

but it will be detected as malicious when you run the pre-patched installer by Kaspersky's System Watcher, a Proactive Defense module.

So do not run the pre-patched installer when Kaspersky is turned on.

After installation, you can re-enable Kaspersky.

There is a possibility that this pre-patched HitmanproA installer was once forwarded to Kaspersky Lab for detailed manual analysis by someone. And after a thorough analysis, KL believes it indeed poses no harm to you. So at last this file was white-listed by KL.

 

harlan4096
Posted

I just got K. analyst verdict:


 

Quote

 

Hello,

No malicious software was found in the attached file.

Best regards, Malware Analyst
39A/3 Leningradskoe Shosse, Moscow, 125212, Russia Tel./Fax: + 7 (495) 797 8700 http://www.kaspersky.com https://securelist.com
https://opentip.kaspersky.com/ - get insights about suspicious files, hashes, URLs, IP addresses or domain names

 

Studynx
Posted
26 minutes ago, harlan4096 said:

I just got K. analyst verdict:


 

Why is it that whenever I submit for a second evaluation, they never reply to me via email?

harlan4096
Posted

🤔 Do you do it while logged in to your My Kaspersky account?

Studynx
Posted
13 minutes ago, harlan4096 said:

🤔 Do you do it while logged in to your My Kaspersky account?

No. Do I have to be?

harlan4096
Posted

Try.
