Kaspersky endpoint security deletes files in User temp folder - exclusions not working [MOVED]

[Yebach]

Hello

I have kaspersky security center 11 on my server and I have 15 machines that use enpoint security.

Clients use a application that runs from server (exe file). It is a legacy documentation system taht stores some outlook emails. 

the temp folder and file are created in User\appdata\temp\EPP folder so a user can see an old email

If I have kaspresky running it prevents the creation of a file in that subfolder, and also it deletes files prevously created by this app.

 

I am loosing my mind over this, I added all exclusions and automatic deletion of any files anywhere but I am still unable to get this trough. If kaspersky is running and I have an app oppend, once I want to look up some old email with this *.msg attachement the app returns an error that the file cannot be found (this is due to the fact Kaspersky has deleted it or prevented its creation).

 

any suggestions? 

thank you

 

//Mod Note: moved to the correct section.

 

[Kavuser10]

Do you see from Kaspersky logs (Reports) which component deleted the file and what the reason was?

[Yebach]

No. Kaspersky logs are useless unfortunately 

[Yebach]

I attached some logs if this helps in any way

[Nikolay Arinchev]

Hi,

Could you please confirm that once Kaspersky is deleted or disabled everything goes back to normal?

Thank you!

[Yebach]

Yes. If I pause Kaspersky all works ok. Once turned on again it also deletes all previous files created in subfolders %USER%\Temp\EPP2\…..

the subfolders stay tough

[Kavuser10]

Have you looked at HIPS > Protected Ressources to check if the temporary location has write access to the program? As this is legacy app it might have been put into Untrusted or High Restricted group in KES. I can’t remember if the temp locations are protected by default or did I make those entries myself, but we have write access to those folders disabled for stuff that is not trusted. 

HIPS

Also could you upgrade one machine to KES v11.2? I see from logs that you are on 11.1.1

[Yebach]

So after some try, catch I figured out that if I disable web threat protection and add .msg as exclusion in mail threat protection it works.

How can i set up my web threat protection to still allow the *.msg files to be opened?

[Nikolay Arinchev]

Hi,

Could you please provide us with an export of active policy?

Thank you!

[Yebach]

I hope this is what you are looking for. 

[Nikolay Arinchev]

Thank you for that info!

Please collect KES traces, while KES deletes files at TEMP folder.

Please also specify file names that were deleted.

Thank you!

[Yebach]

Where can I collect them? there is no sign of that in reports or anywhere. At least I haven’t found them

[Guest #37]

Where can I collect them? there is no sign of that in reports or anywhere. At least I haven’t found them

Hi,

Please review: https://support.kaspersky.com/14364

Regards

[Yebach]

Yeah I checked there. Nothing there. Nothing that would even signify that something happens in the folder.

I added some logs

"\\lzs-srv\EPP\EPP2\Program\EPP2 - Shortcut - Dean.lnk" - this is the app that is started

 

Maybe something in this part

10:14:46.662    0x1330    INF    avs    AVSSession::ProcessObjectEx: ver: 30.0.2437.154-1436bf9e1f uptime: 241562.125000 steady_clock_time: 241562.133283 num_of_cores: 6 thread priorities: (dynamic: 8, base: 0, io: 2, mem: 5, boost: 1) process priority class: 0x20
10:14:46.662    0x1330    INF    avs    AVSSession::ProcessObjectEx: Scan settings: cProtectionSettings[ iC=1 iS=1 uE=1 el=1 sl=1 tp=0 iop=0 absnum=1 SA=2 DM=0xf AA=0xffff TD=0 TDC=0 TDis=1 TCoR=1 SS=0x0000000000010001 AD=0 SU=0 SSU=0x0000000000010001 USA=0 FConSVM=(off) KSNum=3 PMBD=1 DCO=0 DPPO=0 FAD=0 DMtd=0x0 DbyMSO=0x1 IL=(off),<C:\Users\bkristan\AppData\ (recurse)> EL=0]
10:14:46.662    0x1330    INF    avs    AVSSession::ProcessObjectEx: Rescan settings: cProtectionSettings[ iC=0 iS=0 uE=1 el=1 sl=1 tp=0 iop=0 absnum=1 SA=4 DM=0xf AA=0xffff TD=0 TDC=0 TDis=1 TCoR=1 SS=0x0000000000010001 AD=0 SU=1 SSU=<null> USA=0 FConSVM=(off) KSNum=3 PMBD=1 DCO=0 DPPO=0 FAD=0 DMtd=0x0 DbyMSO=0x1 IL=(off),<C:\Users\bkristan\AppData\ (recurse)> EL=0]
10:14:46.662    0x1330    INF    avs    AVSSession::ProcessObjectEx: External services: factory: 0x08f25d28 excl: 0x08f51a58 incl: 0x08f51b48
10:14:46.662    0x1330    INF    avs    AsyncKsnScanScope::AsyncKsnScanScope: [0x1ae76990] , taskId: 0x14de
10:14:46.662    0x1330    INF    avs    PendingRequestsGuard::OnPendingScanBegin: Enter. taskId = 0x14de
10:14:46.662    0x1330    INF    avs    PendingRequestsGuard::OnPendingScanBegin: Leave.
10:14:46.662    0x1330    INF    avs    KsnDetectsCollector::KsnDetectsCollector: [0x08216688] 
10:14:46.662    0x1330    INF    avs    VerdictsUpdaterImpl::VerdictsUpdaterImpl: [0x1ab0f518] 
10:14:46.662    0x1330    INF    amfcd    ThreatsProcessingEventsLogic::OnProcessingStarted: 0x8f8f410
10:14:46.662    0x1330    INF    avs    CScanContext::CScanContext: [0x18123b78] Enter
10:14:46.662    0x1330    INF    avs    VerdictsUpdaterImpl::GetISwiftVerdict: [0x1ab0f518] : 0x1822d5a0
10:14:46.662    0x1330    INF    avs    VerdictsUpdaterImpl::GetFastCheckerVerdict: [0x1ab0f518] : 0x1822d0f0
10:14:46.662    0x1330    INF    aveng    GetScanLevel: [0x0B59C4F8]
10:14:46.662    0x1330    INF    aveng    GetScanLevel (result) : 0x2
10:14:46.662    0x1330    INF    avs    CScanContext::CScanContext: Failed to get antimalware::context_properties::Durable: 0x0x8000004c
10:14:46.662    0x1330    INF    avs    CScanContext::CScanContext: Failed to get antimalware::context_properties::OmitMandatoryPeriodForDurableFiles: 0x0x8000004c
10:14:46.662    0x1330    INF    avs    CScanContext::CScanContext: CScanContext - durable is false, omit mandatory period is false
10:14:46.662    0x1330    INF    avs    CreateFormatRecognizer: no format has been set
10:14:46.662    0x1330    INF    avs    YieldHandlerProxy::YieldHandlerProxy: [0x1822d690] 
10:14:46.662    0x1330    INF    avs    CObjectContext::AssignIoObject: Object instance <0xae9a2c8> with iid: 0xa
10:14:46.662    0x1330    INF    avs    CObjectContext::AssignIoObject: Object size: 2073
10:14:46.662    0x1330    INF    avs    YieldHandler::YieldHandler: [0x09202030] 
10:14:46.662    0x1330    INF    avs    YieldHandlerProxy::SetYieldHandler: [0x1822d690] 0x09202030
10:14:46.662    0x1330    INF    avs    FormObjectInfo: Oo1: 0x0
10:14:46.662    0x1330    INF    avs    FormObjectInfo: Ot:0x0
10:14:46.662    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.662    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.662    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.662    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.662    0x1330    INF    avs    FormObjectInfo: Got strObjectName from property: \\lzs-srv\EPP\EPP2\Program\EPP2 - Shortcut - Dean.lnk
10:14:46.662    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.662    0x1330    INF    avs    Io::Io: yield: 0x1, preload params: a:0x0 re:0x0 rf:0x0 ios:0x819 iohs:0x1 bs:0x10000 ebs:0x100000 mcs:0x2000000
10:14:46.662    0x1330    INF    esm    Can't provide interface requested iface=0xdf241b2f, serviceKey=0x00000000, hostId=0x00000000, accessPointId=0x00000000, requestor=. result=0xa6440003 (Can't find service specifie)
10:14:46.662    0x1330    INF    esm    Can't provide interface requested iface=0xef9425bb, serviceKey=0x00000000, hostId=0x00000000, accessPointId=0x00000000, requestor=. result=0xa6440003 (Can't find service specifie)
10:14:46.662    0x1330    INF    avs    AVSSession::SendMsg: msgclass - 0x51121368, msgid - 0x0, send point - task (0xaf255e0)
10:14:46.662    0x1330    INF    avs    CScanContext::CScanContext: [0x18123b78] Leave
10:14:46.662    0x1330    INF    avs    CScanContext::IsShouldBeScan: serializedScanMode: 0x0
10:14:46.662    0x1330    INF    avs    CScanContext::IsISwiftUsageAllowed: Drive type: 0x4
10:14:46.662    0x1330    INF    avs    CScanContext::IsISwiftUsageAllowed: ISwift does not support this drive type
10:14:46.662    0x1330    INF    avs    CObjectContext::IsShouldBeScan: preProcess: 0x1, serializedScanMode: 0x0
10:14:46.662    0x1330    INF    avs    VerdictsUpdaterImpl::GetICheckerVerdict: [0x1ab0f518] : 0x1822d0a0
10:14:46.662    0x1330    INF    avs    TraceICheckerConditions: IChecker, isISwiftOnAndApplicable = 0x0, useICheckerWithISwift = 0x1
10:14:46.662    0x1330    INF    avs    CObjectContext::SkipByIChecker: ProcessStatusMask: 0x00000100
10:14:46.662    0x1330    INF    avs    CObjectContext::SkipByIChecker: skipUnchanged = 0x1, useVerdictCache = 0x1, shouldCheckIfObjectIsUnchanged = 0x0, needToCheckUnchanged = 0x1
10:14:46.662    0x1330    INF    avs    AVSImpl::IsKsnAvailable: 0x0
10:14:46.662    0x1330    INF    avs    CObjectContext::GetKsnAvailabilityForContext: KSN: 0x0
10:14:46.662    0x1330    INF    avs    CObjectContext::IsCheckByMetaAllowed: 
10:14:46.662    0x1330    INF    avs    CObjectContext::IsCheckByMetaAllowed: Leave - skip top context check
10:14:46.662    0x1330    INF    avs    CObjectContext::SkipByIChecker: P5
10:14:46.662    0x1330    INF    MemoryManager::Alloc: [0x09230938] size:65536
10:14:46.662    0x1330    INF    MemoryManager::AllocStandardBlob: [0x09230938] 
10:14:46.662    0x1330    INF    MemoryManager::AllocNewBlob: [0x09230938] revision:81204
10:14:46.662    0x1330    INF    oas    Pender::Pend: Pend (0x17ba4ca0, 0x8f8f218) for 5000 ms
10:14:46.662    0x1330    IMP    SI    system_interceptors::blocking_event_processor::EventController::Pend Pending seq 861423, time: 5000
10:14:46.662    0x1330    INF    oas    Pender::Pend: Pend finished
10:14:46.662    0x1330    INF    avs    MakeAutoIoIdlePriority: Perform with current priority
10:14:46.678    0x1330    INF    avs    IoImpl::ReadInternal: Incomplete block, probably EOF
10:14:46.678    0x1330    INF    avs    IoDecorator::CheckIoCached: eka::io_property::FullIOCached has been set
10:14:46.678    0x1330    INF    ichecker    ichecker::UseWholeContent: file is small, not PE, calc hash by pattern
10:14:46.678    0x1330    INF    avs    IoImpl::ReadInternal: Incomplete block, probably EOF
10:14:46.678    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.678    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.678    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.678    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.678    0x1330    INF    ichecker    Processor::processFile:  filename: [EPP2 - Shortcut - Dean.lnk]
10:14:46.678    0x1330    INF    ichecker    CalcFileHash::Get: calc file hash by descriptor - 0x27da349eca159ffd, res 0x0
10:14:46.678    0x1330    INF    ichecker    AutoThreadPriority::AutoThreadPriority: priority: 0x1, flags: 0x1
10:14:46.678    0x1330    INF    ichecker    detail::SetThreadPriority: priority: 131072, error: 0x191
10:14:46.678    0x1330    INF    ichecker    AutoThreadPriority::AutoThreadPriority: prev: 0, 0x0
10:14:46.678    0x1330    INF    ichecker    ICheckerDBImpl<class ichecker::ICheckerPersistentStorage>::FindRecordImpl: ICheckCtx { vol: 0x0 hash: 0x27da349eca159ffd first: 0x190d5db last: 0x190d5db params: 0x10161010001 file rev: <empty> }
10:14:46.678    0x1330    INF    ichecker    AutoThreadPriority::~AutoThreadPriority: 
10:14:46.678    0x1330    INF    ichecker    IChecker_impl::GetStatusImpl: success ICheckCtx { vol: 0x0 hash: 0x27da349eca159ffd first: 0x190d5db last: 0x190d5db params: 0x10161010001 file rev: <empty> }
10:14:46.678    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.678    0x1330    INF    ichecker    ICheckerVerdictImpl::ICheckerVerdictImpl: Object is unchanged: 0x1
10:14:46.678    0x1330    INF    ichecker    ICheckerVerdictImpl::CheckScanParams: in CheckScanParams, mandatoryScanPeriod: 2880
10:14:46.678    0x1330    INF    ichecker    ICheckerVerdictImpl::CheckScanParams: first_scan = 0x190d5db, last_scan = 0x190d5db, diff = 0x0, current = 0x190db0a, omit_mandatory_period = 0x0
10:14:46.678    0x1330    INF    ichecker    ICheckerVerdictImpl::CheckScanParams: mandatoryPeriodExpired = 0x0, omit_mandatory_period = 0x0
10:14:46.678    0x1330    INF    ichecker    ICheckerVerdictImpl::CheckScanParams: ICCheckData verdict: rescan - secure period isn't long enough, sp=0x0, mp=0xb40
10:14:46.678    0x1330    INF    avs    CObjectContext::SkipByIChecker: P4<0x0>
10:14:46.678    0x1330    INF    avs    CObjectContext::SkipByIChecker: Object is OK (Unchanged)
10:14:46.678    0x1330    INF    avs    FormObjectInfo: Oo1: 0x0
10:14:46.678    0x1330    INF    avs    FormObjectInfo: Ot:0x0
10:14:46.678    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.678    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.678    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.678    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.678    0x1330    INF    avs    FormObjectInfo: Got strObjectName from property: \\lzs-srv\EPP\EPP2\Program\EPP2 - Shortcut - Dean.lnk
10:14:46.678    0x1330    INF    CEkaIoPrIoProxy    Use m_eka_io
10:14:46.678    0x1330    INF    avs    AVSSession::SendMsg: msgclass - 0xe532519d, msgid - 0x1, send point - task (0xaf255e0)
10:14:46.678    0x1330    IMP    bl    process_notification :: Input :: notification = eNotify_None, severity = 0 (info is ser=pid=0x0000000F:34, StateId = 0, mc=0xE532519D:0x00000001)
10:14:46.678    0x1330    INF    bl    process_notification: cDetectObjectInfo .m_nObjectStatus=1 .m_nDescription=4 .m_nDetectDanger=0 .m_nDetectType=0 .m_nObjectType=0
10:14:46.678    0x1330    INF    esm    Returning existing service name='antimalware.ObjectScannerImpl', serviceKey=0x8520a03d, hostId=0x00000000, accessPointId=0x00000000, object=0x08f0824c. Interface requested iface=0xb44e3135, serviceKey=0x00000000, hostId=0x00000000, accessPointId=0x00000000, requestor=
10:14:46.678    0x1330    INF    esm    Returning existing service name='product.SessionInformationProvider', serviceKey=0x1b0ca888, hostId=0x00000000, accessPointId=0x00000000, object=0x07fcd8a8. Interface requested iface=0x85e82fc6, serviceKey=0x00000000, hostId=0x00000000, accessPointId=0x00000000, requestor=
10:14:46.678    0x1330    INF    bl    native PID = 1360, our AppID = 1360
10:14:46.678    0x1330    INF    bl    process_notification :: Output :: notification = eNotify_AV_ObjectProcessed, severity = 4, taskId = 1; LocalReport: 0; ETW: 0; Balloon: 0; Mail: 0; OnlyBalloon: 0.
10:14:46.678    0x13b0    INF    bl    NotificationPostprocessor::Postprocessor::Run enter. Notification id - 301
10:14:46.678    0x13b0    INF    bl    NotificationPostprocessor::Postprocessor::Run leave. Notification id - 301
10:14:46.678    0x1330    INF    avs    ICheckerVerdictDecorator::ChangeVerdictAction: Current verdict action: 0x0. New verdict action: 0x1
10:14:46.678    0x1330    INF    avs    CScanContext::UpdateISwift: iswift verdict updated
10:14:46.678    0x1330    INF    avs    CScanContext::~CScanContext: [0x18123b78] Enter
10:14:46.678    0x1330    INF    avs    CScanContext::ReleaseYieldHandler: [0x18123b78] 0x09202030
10:14:46.678    0x1330    INF    avs    YieldHandlerProxy::SetYieldHandler: [0x1822d690] 0x08f21270
10:14:46.678    0x1330    INF    avs    YieldHandler::~YieldHandler: [0x09202030] 
10:14:46.678    0x1330    INF    avs    AVSSession::SendMsg: msgclass - 0x96f7df9d, msgid - 0x1, send point - task (0xaf255e0)
10:14:46.678    0x1330    INF    avs    CScanContext::CleanUp: [0x18123b78] 
10:14:46.678    0x1330    INF    MemoryManager::OnReleaseMemoryBlobInternal: [0x09230938] handle:0x00000000 revision:81204 size:4194304
10:14:46.678    0x1330    INF    amfcd    ThreatsProcessingEventsLogic::OnProcessingFinished: 0x8f8f410
10:14:46.678    0x1330    INF    avs    CScanContext::~CScanContext: [0x18123b78] Leave
10:14:46.678    0x1330    INF    avs    YieldHandlerProxy::~YieldHandlerProxy: [0x1822d690] 
10:14:46.678    0x1330    INF    avs    VerdictsUpdaterImpl::~VerdictsUpdaterImpl: [0x1ab0f518] 
10:14:46.678    0x1330    INF    avs    ICheckerVerdictDecorator::~ICheckerVerdictDecorator: 
10:14:46.678    0x1330    INF    avs    ICheckerVerdictDecorator::~ICheckerVerdictDecorator: 
10:14:46.678    0x1330    INF    avs    ICheckerVerdictDecorator::~ICheckerVerdictDecorator: 
10:14:46.678    0x1330    INF    avs    ICheckerVerdictDecorator::~ICheckerVerdictDecorator: 
10:14:46.678    0x1330    INF    avs    AVSSession::ProcessObjectSync: There were 0 async detects during sync phase of the scan
10:14:46.678    0x1330    INF    avs    AVSSession::ProcessObjectSync: out inf: detect - , packer - 
10:14:46.678    0x1330    INF    avs    AVSSession::ProcessObjectSync: Done, process status mask: 0x00000100
10:14:46.678    0x1330    INF    avs    KsnDetectsCollector::~KsnDetectsCollector: [0x08216688] 
10:14:46.678    0x1330    INF    avs    PendingRequestsGuard::OnPendingScanDone: Enter. taskId = 0x14de
10:14:46.678    0x1330    INF    avs    PendingRequestsGuard::OnPendingScanDone: Leave.
10:14:46.678    0x1330    INF    avs    AsyncKsnScanScope::~AsyncKsnScanScope: [0x1ae76990] , taskId: 0x14de
10:14:46.678    0x1330    INF    oas    PostponeContext::~PostponeContext: 
10:14:46.678    0x1330    INF    oas    OASImpl::Process: Have result from AVS on object: \\lzs-srv\EPP\EPP2\Program\EPP2 - Shortcut - Dean.lnk; ProcessStatusMask: 0x100; Danger: 0x0; Type: 0x0
10:14:46.678    0x1330    INF    ksnhlp    [SendChecker.cpp:513] No need to send statistic: 0x7757992c (), reason: Statistics disabled by AgreementManager (GDPR)
10:14:46.678    0x1330    INF    oas    OASImpl::Process: (result: 0x00000000) Mark file as trusted
10:14:46.678    0x1330    INF    oas    CheckedFilesCacheImpl::AddCheckedFile: EPP2 - Shortcut - Dean.lnk 0x819 0x550 0x0 0xe65f215 0x2113f3ac
10:14:46.678    0x1330    INF    oas    FlexibleThreadPoolBase::EnableIdleProcessingIfAllowed: FlexTP[OAS] Going to enable idle processing (if allowed)
10:14:46.678    0x1330    INF    oas    cAvpg::CheckObjectSync:  Completer: success: 0x1 0x1
10:14:46.678    0x1330    INF    oas    cAvpg::ProcessContext: Event: 0xd24ef. Processed with verdict: 0x1; Cachable: 0x1
10:14:46.678    0x1330    INF    SI    system_interceptors::blocking_event_processor::DriverMessageLoop::Receive New sync message:  hook id = 3 major = 0 minor = 0 portLocalDrvMark = c532 size = 344 param count = 18
10:14:46.694    0x1330    INF    SI    system_interceptors::blocking_event_processor::Dispatcher::Select selecting 3
10:14:46.694    0x1330    INF    SI    system_interceptors::blocking_event_processor::Dispatcher::Select select push 3 done, size1
10:14:46.694    0x1330    INF    SI    system_interceptors::blocking_event_processor::EventController::SetHandlers size 1
10:14:46.694    0x1330    INF    SI    system_interceptors::blocking_event_processor::EventController::Dispatch size 1
10:14:46.694    0x1330    INF    oas    cAvpg::OnEvent: Event: 0xd24f0; PID: 0x550 (1360); TID: 0x1e48 (7752); On execute event: 0x0; On create process: 0x0; Function: 0x3, 0x0, 0x0; Flags: 0x6700000; Flags2: 0x10; FsFlags: 0x840000188010020; Placeholder:0x0; Ptr: 0x17ba4f88
10:14:46.694    0x1330    INF    excl    trusted_application::is_trusted_local: PID: 0x550 result: 0x0 found in cache
10:14:46.694    0x1330    IMP    oas    Checked if process PID=1360(0x550) is trusted: 0, result is err=0x00000000
10:14:46.694    0x1330    INF    oas    detail::CreateFileIdentity: Got _PARAM_OBJECT_CONTEXT_FLAGS: 0x06700000

[Nikolay Arinchev]

I`m a bit confused because these logs(attached and posted as a text at your post) are different. The logs that were attached does not contain any events that related to any deletions at  User\appdata\temp\EPP 

But the logs posted as text do.

Could you please clarify how exactly these both logs were collected and were?

Thank you!

[Yebach]

Unfortunatelly i do not have access to the machine atm, but consider the logs posted as text are the correct ones.

[Nikolay Arinchev]

Unfortunately, we need full set of KES traces for further analyses.

Thank you!