Malware in programs I wrote and built



I am using Kaspersky Total Security in Windows 10 build 19045.2075.

I wrote two programs recently and built them using Microsoft Visual Studio 2022. Yesterday Kaspersky found malware in them (the exe files); both the Debug and Release builds and in AppHost files for them. Kaspersky deleted the relevant files. Kaspersky did not find malware anywhere else.

Today I want to build them again and scan them to determine if the malware is there after the build. Kaspersky immediately deletes the files. I could copy the projects to somewhere else just for the purpose of determining if the malware is put in the exe file during the build. Does anyone have any other suggestions? I will try to find the option to remove the files from Kaspersky's list of files to zap, whatever that is called.

If the malware is in the files immediately after the build then I know my development software is compromised. Or the problem is Docker, as I describe in a different thread.


Hello @Sam Hobbs

Welcome!

Only if you trust the object(s), you may wish to try this solution from @Berny:

  1. Open KTS, select Settings -> General -> disable/uncheck Perform recommended actions automatically.
  2. KTS will ask you to decide which action to take on detected objects
  3. Select for “Quarantine”
  4. Restore the quarantined object(s)
  5. Create an exclusion rule for the object(s)
  6. Go back to KTS, select Settings -> General -> enable/check Perform recommended actions automatically.
  7. Reboot the computer.

Thank you
Flood


Thank you but things are not working. For Step 2 when I unchecked Perform recommended actions automatically it did not ask me what to do.

I do not know if you are familiar with Visual Studio and programming; I will assume not. When I tried to build (compile) the program Kaspersky asked me whether to delete or block. I selected block. But the build failed; it was unable to compile the program. For anyone that understands this stuff, VS complained about a NuGet package.

However I think I have accomplished the objective of determining that the program (the one being built/compiled) is infected at the time of the build/compile. When I execute Kaspersky it says that a part of the build (apphost.exe) is infected with Sdum.

It is Sunday night for me. Unless I hear otherwise, I will open a ticket with Kaspersky later, probably Monday afternoon for me.


18 minutes ago, Sam Hobbs said:
  1. Thank you but things are not working. For Step 2 when I unchecked Perform recommended actions automatically it did not ask me what to do. 
  2. Unless I hear otherwise, I will open a ticket with Kaspersky later, probably Monday afternoon for me.

Hello @Sam Hobbs

Thank you for posting back!

  1. Same for us, & when we checked, we could not find that step either.
  2. That was going to be our next recommendation, so please proceed.
  • When it's available, please share the outcome with the Community.

Thank you
Flood

Edited by Flood and Flood's wife

  • 2 weeks later...

I submitted a ticket and they have escalated the issue. So they are working on it. I definitely have malware, my system is doing many suspicious things. I am tempted to uninstall and reinstall everything but I will give them a couple of days to try to find the malware.


32 minutes ago, Sam Hobbs said:

I submitted a ticket and they have escalated the issue. So, they are working on it. (2) I definitely have malware; my system is doing many suspicious things. I am tempted to uninstall and reinstall everything, but (1) I will give them a couple of days to try to find the malware.

Hello @Sam Hobbs

Thank you for the update & (your) proactive actions!

  1. To set realistic expectations, the Kaspersky technical expert team - troubleshooting/analysis/diagnosis - may take longer than "a couple of days".
  2. IF you're convinced the system is infected, have you checked with other AV? IF no, it may be worthwhile to see what results are collected, noting, whichever AV you select, do not install with 'Real-time' active.

Thank you
Flood

Edited by Flood and Flood's wife

On 9/26/2022 at 6:52 AM, Sam Hobbs said:

I do not know if you are familiar with Visual Studio and programming; I will assume not. When I tried to build (compile) the program Kaspersky asked me whether to delete or block. I selected block. But the build failed; it was unable to compile the program.

I use VB in Visual Studio, and when it compiled, Kaspersky blocked it; I inserted VB in trusted applications so Kaspersky does not block VB compiling.

In particular, newly compiled programs can be suspected by Kaspersky because they have no reputation.

Have you tried to insert the folder in exclusions?


6 hours ago, Flood and Flood's wife said:
  1. To set realistic expectations, the Kaspersky technical expert team - troubleshooting/analysis/diagnosis - may take longer than "a couple of days". 

If it will take them more than a couple of days then they will likely lose the opportunity to diagnose the problem. It is foolish for me to allow the malware to remain in my system.

 

1 hour ago, Gionatan said:

inserted VB in trusted applications so Kaspersky does not block VB compiling.

I sure do not want to do that. The problem is not Kaspersky. Kaspersky is blocking the malware and asking me if it should be allowed. The malware is attempting to do a variety of things that the good software would not do.


I get a few of these each time I build a program using Visual Studio. I do not get them from the build; I get them the first time the program is run. Note that I am selecting the option to remember my selection but then it forgets the selection when the exe is built again. I always block the requests. The important thing is that this should not be happening.

 

[Image: SettingsZoneMap.png]

Edited by Sam Hobbs
I added the image and added clarification

31 minutes ago, Sam Hobbs said:

If it will take them more than a couple of days then they will likely lose the opportunity to diagnose the problem. It is foolish for me to allow the malware to remain in my system.

Hello @Sam Hobbs

You're most welcome!

We said it may take more than a couple of days, IF the issue has been there since the last week of September or more, & now you cannot allow time for the experts to assist you, it's your choice. 

  1. IF you're convinced the system is infected, have you checked with another AV?

Thank you
Flood


  • 4 weeks later...

I submitted a ticket. I provided them with the data they requested. They replied by saying I am not infected. They seem to ignore the possibility that they have not yet seen the malware I have. Their solution is to set Kaspersky to allow my program to do everything it is asking for. I know it is not my program doing the asking, it is malware. I replied to them saying I know my system is infected. Instead of replying to that, they closed the ticket. I consider it to be highly irresponsible for them to tell me to allow the malware to have all the privileges it asks for. I am disappointed and highly frustrated.

As for using other vendors, I thought I would begin by using the protection provided by Microsoft, provided by Windows built-in. Relevant to that I asked the question Pause versus exit.

Also, I am getting a new computer soon.

Edited by Sam Hobbs

3 hours ago, Sam Hobbs said:

I submitted a ticket. I provided them with the data they requested. They replied by saying I am not infected. They seem to ignore the possibility that they have not yet seen the malware I have. Their solution is to set Kaspersky to allow my program to do everything it is asking for. I know it is not my program doing the asking, it is malware. I replied to them saying I know my system is infected. Instead of replying to that, they closed the ticket.

Hello @Sam Hobbs

Welcome back!

Thank you for posting back & the information!

Please share the incident reference number? 

Thank you
Flood
