Jump to content
Kaspersky Support Forum

KIS making SQL calls to SQL Server

Invent

By Invent
in Kaspersky Internet Security

 Share
Go to solution Solved by Wesly.Zhang,

Recommended Posts

Invent

Invent

Posted
  • Author
Posted

I noticed KIS occasionally makes SQL calls to MS SQL Server. It sends a SELECT for each database on the server looking for rows from sys.assemblies. I’m assuming it’s able to access MSSQL and the databases using the elevated permissions granted to the KIS app. I can understand anti-virus apps checking the CLR assemblies for malware, but this approach via SQL seems unusual to me.

Can anyone provide any insight on this?

Thanks!

Wesly.Zhang

Wesly.Zhang

Posted
Posted

Hello,

As I know, KIS use sqlite to create report database and use sql to write event report in it. How do you know this behavior?

Regards.

Invent

Invent

Posted
  • Author
Posted

If you run a trace on SQL Server to watch the sql commands, then do a KIS scan, KIS sends this SQL...

SELECT name FROM sys.databases

… to get the list of databases. Then for each database it sends...

SELECT assembly_id, name, content FROM mydatabase1.sys.assembly_files

SELECT assembly_id, name, content FROM mydatabase2.sys.assembly_files

etc

This returns the assembly binaries for all the databases on the server. I’m guessing this is the only way to access them to scan for malware?

 

 

Wesly.Zhang

Wesly.Zhang

Posted
Posted

If you run a trace on SQL Server to watch the sql commands, then do a KIS scan, KIS sends this SQL...

SELECT name FROM sys.databases

… to get the list of databases. Then for each database it sends...

SELECT assembly_id, name, content FROM mydatabase1.sys.assembly_files

SELECT assembly_id, name, content FROM mydatabase2.sys.assembly_files

etc

This returns the assembly binaries for all the databases on the server. I’m guessing this is the only way to access them to scan for malware?

 

 

Hello ,

Let me check it. I am not familiar with SQL Server. except for MySQL. I will install check both of them. I will reply back if the research was fruitful. But I think it's possible to search for certain keywords in the system SQL SERVER system database, not sure what the point of this is, the malicious code doesn't get into the system database itself.

Regards.

  • Solution
Wesly.Zhang

Wesly.Zhang

Posted
  • Solution
Posted

Thanks!

Hello, 

From my friend, He said there are the SQL Server Transact-SQL none file attack could be used in SQL sys.assembly_files to store malicious content. ExecCode id point to malicious content in sys.assembly_files table. So avp scan use this way to search threats in sql server. This is correct.

Regards.

Invent

Invent

Posted
  • Author
Posted

 I appreciate your time to confirm this. Thank you.

Guest
This topic is now closed to further replies.
 Share
Go to topic listing


×
×
  • Create New...