Kaspersky System Watcher does not Quarantine detected files anymore since version 20? [Closed]


DarkWav
So, I recently tested Kaspersky 2020 (Security Cloud Free) in a virtual machine and tested its System Watcher capabilities. For doing this, I use my own custom program that is completely harmless by itself, but its installer uses a really... let's say shady way to install the program into the local user autostart directory. The "shady" installer is successfully detected by both version 2019 (19.0.0.X) and 2020 (20.0.0.X). Both flag the installer as PDM:Trojan.Win32.Generic, the typical generic behavior alert. Version 19 then terminates the program, deletes the installer executable and rolls back all actions it did, as intended. Version 20 however also terminates the installer and rolls back all of its actions, but guess what? It just leaves the installer on the disk and doesn't move it to quarantine, even though it clearly identified it as malware! This could have many reasons. It could be a major critical flaw in Kaspersky System Watcher. It could be the fact that SW is now smart enough to detect that my installer is not actually malicious enough to instantly delete it and chooses to just terminate it instead. But it gets worse... When you go to System Watcher settings and set the action to "Delete application" or "Terminate application"... the installer just fully bypasses Kaspersky, like System Watcher was set to "Ignore"! (The tray icon turns red shortly, but then the AV just ignores the threat.) Now my question is... Is this behavior in ANY way normal?! Has anyone else tested System Watcher yet and experienced the same issue? If not, where can I report this bug?

Thanks for the reply. Yes, I tested on both my real machine, which meets all requirements (16GB RAM + 8x4.70GHz CPU Intel 9th gen, NVidia Maxwell GPU (900-series) with driver 436.02), as well as a freshly installed virtual machine inside VirtualBox, both running the latest Windows 10 1903 with no other security solution installed aside from the integrated Windows Defender. The described behavior can be observed on both machines equally.

Hello DarkWav, Thanks for replying. From the "real" machine, please export Kaspersky Security Cloud 2020, Reports, ALL Events, please choose 7day or 30 day period. Please upload the report, using the "upload icon", in your reply. Thank you.

I did, the logs are attached below. Here's what I did:
  1. Run the sample with all settings at default.
  2. Run the sample with System Watcher Application Activity Control set to "Delete application".
  3. Run the sample with System Watcher Application Activity Control set to "Terminate application".
  4. Run the sample with System Watcher Application Activity Control set to "Ignore".
Thanks

3 weeks later...
After providing detailed information and samples, the bug has been forwarded to the product development. From what I can tell it isn't fixed in patch D, yet.
That's nice. Another bug in 2020...
Hello DarkWav & Vitalik93, Patch (d) was confined to fixing a specific issue only, it was not the "planned" (d), that has now become (e), due mid-October. Thank you.

1 month later...

Hello @DarkWav,

Welcome back & thanks for the update 🙏.

  1. Are we still talking about the original issue and has "virtual" been excluded?
  2. May we have a GSI & Windows Logs, upload the folder to cloud & post or PM the link please?
  3. Please clear KSCloud Reports, shutdown/reboot device, download the EICAR test file & perform all tests, using the EICAR test file please.
  4. At the end of the tests, export the ALL Events Report & upload that as well please?

Thank you. 

This topic is now closed to further replies.