Information on Trojan.Multi.Accesstr detection [KES for Windows]

By Antipova Anna
October 15, 2023 in Advice and solutions for Kaspersky Endpoint Security for Business

https://forum.kaspersky.com/topic/information-on-trojanmultiaccesstr-detection-kes-for-windows-36582/

Followers 1

Recommended Posts

Antipova Anna

Posted October 15, 2023

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This article is about Kaspersky Endpoint Security for Windows (KES for Windows)

Trojan.Multi.Accesstr detection is triggered when KES detects that one of Windows utilities in %systemroot%\system32 folder is replaced by cmd.exe or powershell.exe. Please see below for a list of affected files with exact detection names. Detection event looks like this:

Trojan.Multi.Accesstr object detected in System Memory

Result:

Untreated: Trojan.Multi.Accesstr.a Reason: Skipped

Trojan.Multi.Accesstr.a.ok
- "%SystemRoot%\\system32\\osk.exe"
- "%SystemRoot%\\syswow64\\osk.exe"
Trojan.Multi.Accesstr.a.mf
- "%SystemRoot%\\system32\\magnify.exe"
- "%SystemRoot%\\syswow64\\magnify.exe"
Trojan.Multi.Accesstr.a.ds
- "%SystemRoot%\\system32\\displayswitch.exe"
- "%SystemRoot%\\syswow64\\displayswitch.exe"
Trojan.Multi.Accesstr.a.ab
- "%SystemRoot%\\system32\\atbroker.exe"
- "%SystemRoot%\\syswow64\\atbroker.exe"
Trojan.Multi.Accesstr.a.um
- "%SystemRoot%\\system32\\utilman.exe"
- "%SystemRoot%\\syswow64\\utilman.exe"
Trojan.Multi.Accesstr.a.sh
- "%SystemRoot%\\system32\\sethc.exe"
- "%SystemRoot%\\syswow64\\sethc.exe"
Trojan.Multi.Accesstr.a.ed
- "%SystemRoot%\\system32\\easeofaccessdialog.exe"
- "%SystemRoot%\\syswow64\\easeofaccessdialog.exe"
Trojan.Multi.Accesstr.a.nr
- "%SystemRoot%\\system32\\narrator.exe"
- "%SystemRoot%\\syswow64\\narrator.exe"

After attack is detected, KES will try to restore the original files by looking for a backup of the file on the endpoint machine. However backup of these files may be missing from the affected PC, so a manual attempt might be in order. Here's the recommended way to proceed with repairing an affected system manually:

Run sfc /scannow
If sfc command fails to repair the files, try these steps:
1. run DISM tool by executing DISM /Online /Cleanup-Image /RestoreHealth
2. run sfc /scannow again after DISM finishes
If all of the above fails to restore original files or these tools are unavailable for some reason, you can replace the files manually using the list above.

Please see relevant Microsoft Docs article for full information on using DISM to repair OS.

Please sign in to comment

You will be able to leave a comment after signing in

https://forum.kaspersky.com/topic/information-on-trojanmultiaccesstr-detection-kes-for-windows-36582/

Followers 1

Go to topic listing

Information on Trojan.Multi.Accesstr detection [KES for Windows]

Recommended Posts

Antipova Anna

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Please sign in to comment

Forum

Products

Support

Personal Account