Need more explanations please


Solved by harlan4096

Posted

 

Hello, 

I downloaded a zip file from MalwareBazaar and unzipped it without any execution; I got this detection:

 

Event: Malicious object detected
User: JDOE-DESKTOP\JDoe
User type: Active user
Application name: SearchProtocolHost.exe
Application path: C:\Windows\System32
Component: File Anti-Virus
Result description: Detected
Type: Trojan
Name: VHO:Trojan-Spy.Win32.Stealer.gen
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object name: 3283e60979e2767695506468f28d11aa16817e52182ce35d3aa99c0e02d3e8d3.exe
Object path: D:\Last_screen\Downloads
MD5: F5C6596ED435C7CBB67627752D8B7D01
Reason: Cloud Protection

 

What is "Application path"?

 

I repeat, nothing has been executed; the object was just unzipped to "D:\Last_screen\Downloads" (which is correctly identified in "Object path").

Posted

Welcome to Kaspersky Community.

 

There is nothing weird in that behavior: the File Anti-Virus module monitors in real time many actions taking place in the system, so even if you did not execute that malware and only extracted it, it was identified and removed.

 

Also, the detection is a cloud one, so that file is tagged as untrusted in KSN (Kaspersky Cloud Protection), and to top it off, it's tagged as VHO (Very Harmful Object), so your Kaspersky product did a good job in prevention.

 

https://support.kaspersky.com/help/Kaspersky/Win21.14/en-US/85606.htm

 

Quote

Application name: SearchProtocolHost.exe
Application path: C:\Windows\System32

 

It seems Windows Search Service (SearchProtocolHost.exe, located in C:\Windows\System32) tried to index that newly extracted file, and then it was caught by Kaspersky.

  • Like 2
Posted
1 hour ago, harlan4096 said:

It seems Windows Search Service (SearchProtocolHost.exe, located in C:\Windows\System32) tried to index that newly extracted file, and then it was caught by Kaspersky.

Thank you for your answer!

Would you care to explain how you figured out "It seems Windows Search Service (SearchProtocolHost.exe, located in C:\Windows\System32) tried to index that newly extracted file"?

If I disable "indexing" on my PC, would the detection be different?

 

Thanks!

  • Like 1
Posted
Quote

Would you care to explain how you figured out "It seems Windows Search Service (SearchProtocolHost.exe, located in C:\Windows\System32) tried to index that newly extracted file"?

Because it appears in your Kaspersky detection report: your Kaspersky probably detected the malware when Windows Search Service was accessing that malware to index it.

 

Quote

If I disable "indexing" on my PC, would the detection be different?

In essence it would be the same, but the SearchProtocolHost.exe data probably would not appear.
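The point harlan4096 makes above, that "Application name/path" is the process that touched the file while "Object name/path" is the file that was flagged, is the key to reading these reports. The following is an added example, not code from the thread or from Kaspersky: it parses report text in the same "Key: Value" layout (sample records constructed from the field layout quoted in the thread, with an illustrative file name) and labels the accessing process as a background indexer, an archiver, or a known system binary name running from somewhere other than its expected directory. The expected-directory table and the archiver list are the example's own assumptions, not a Kaspersky list.

```python
import ntpath
from typing import Dict, List

# Constructed sample report text, modelled on the field layout of the
# detection reports quoted in the thread (file name is illustrative).
SAMPLE_REPORT = """\
Event: Malicious object detected
User: JDOE-DESKTOP\\JDoe
Application name: SearchProtocolHost.exe
Application path: C:\\Windows\\System32
Component: File Anti-Virus
Name: VHO:Trojan-Spy.Win32.Stealer.gen
Object name: sample.exe
Object path: D:\\Last_screen\\Downloads
Reason: Cloud Protection

Event: Malicious object detected
User: JDOE-DESKTOP\\JDoe
Application name: WinRAR.exe
Application path: C:\\Program Files\\WinRAR
Component: File Anti-Virus
Name: UDS:DangerousObject.Multi.Generic
Object name: sample.exe
Object path: D:\\Last_screen\\Downloads
Reason: Cloud Protection

Event: Malicious object detected
User: JDOE-DESKTOP\\JDoe
Application name: SearchProtocolHost.exe
Application path: C:\\Users\\JDoe\\AppData\\Local\\Temp
Component: File Anti-Virus
Name: UDS:DangerousObject.Multi.Generic
Object name: sample.exe
Object path: D:\\Last_screen\\Downloads
Reason: Cloud Protection
"""

# Processes that read files in the background as part of normal Windows
# operation, mapped to the directory each is expected to run from.
# Assumption: this table is the example's own, not a vendor-supplied list.
BACKGROUND_READERS = {
    "searchprotocolhost.exe": r"c:\windows\system32",
}
# Archivers whose access to a file is explained by the user extracting it.
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split report text into blank-line separated records of 'Key: Value' pairs."""
    events = []
    for block in text.strip().split("\n\n"):
        record: Dict[str, str] = {}
        for line in block.splitlines():
            # Split on the first ': ' so drive letters like 'C:\' stay intact.
            key, sep, value = line.partition(": ")
            if sep:
                record[key.strip()] = value.strip()
        if record:
            events.append(record)
    return events


def accessor_path(event: Dict[str, str]) -> str:
    """Full path of the process that accessed the flagged file."""
    return ntpath.join(event["Application path"], event["Application name"])


def object_full_path(event: Dict[str, str]) -> str:
    """Full path of the file that was flagged."""
    return ntpath.join(event["Object path"], event["Object name"])


def classify_accessor(event: Dict[str, str]) -> str:
    """Explain why a process touched the file, from its name and directory."""
    name = event["Application name"].lower()
    path = event["Application path"].lower().rstrip("\\")
    if name in BACKGROUND_READERS:
        if path == BACKGROUND_READERS[name]:
            return "background indexer"
        return "known system name outside its expected directory: review"
    if name in ARCHIVERS:
        return "archive extraction"
    return "other process"


def triage(text: str) -> List[Dict[str, str]]:
    """One summary row per event: verdict, accessing process, file, and why it was touched."""
    rows = []
    for ev in parse_events(text):
        rows.append({
            "verdict": ev.get("Name", ""),
            "accessor": accessor_path(ev),
            "object": object_full_path(ev),
            "accessor_kind": classify_accessor(ev),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(f'{row["verdict"]}: {row["object"]} touched by {row["accessor"]} ({row["accessor_kind"]})')
```

Run on the constructed sample, the first record is explained by the indexer reading the new file, the second by the archiver writing it, and the third (a system binary name running from a user's temp directory) is marked for review rather than explained away; in all three the flagged object stays the same file, which is what the thread's reports show.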

Posted
2 hours ago, harlan4096 said:

In essence it would be the same, but the SearchProtocolHost.exe data probably would not appear.

So, I disabled "indexing" on the C: drive and all subfolders. Now I get:

 

Event: Malicious object detected
User: JDOE-DESKTOP\JDoe
User type: Active user
Application name: SearchProtocolHost.exe
Application path: C:\Windows\System32
Component: File Anti-Virus
Result description: Detected
Name: UDS:DangerousObject.Multi.Generic
Precision: Exactly
Threat level: High
Object type: File
Object name: 3283e60979e2767695506468f28d11aa16817e52182ce35d3aa99c0e02d3e8d3.exe
Object path: D:\Last_screen\Downloads\3283e60979e2767695506468f28d11aa16817e52182ce35d3aa99c0e02d3e8d3
MD5: F5C6596ED435C7CBB67627752D8B7D01
Reason: Cloud Protection

 

So, in fact, no change compared with the previous detection; I do not get the "Application path: C:\Windows\System32".

Thanks!

  • Confused 1
Posted
26 minutes ago, harlan4096 said:

Weird, how did you disable the service? Via services.msc?

No, simply in HDD properties; you disable it from there:

[screenshot of the drive properties dialog]

But you were right, I had to reboot the PC after that in order NOT to have indexing.

After that, the detection looks like this:

Event: Malicious object detected
User: JDOE-DESKTOP\JDoe
User type: Active user
Application name: WinRAR.exe
Application path: C:\Program Files\WinRAR
Component: File Anti-Virus
Result description: Detected
Name: UDS:DangerousObject.Multi.Generic
Precision: Exactly
Threat level: High
Object type: File
Object name: 3283e60979e2767695506468f28d11aa16817e52182ce35d3aa99c0e02d3e8d3.exe
Object path: D:\Last_screen\Downloads\3283e60979e2767695506468f28d11aa16817e52182ce35d3aa99c0e02d3e8d3
MD5: F5C6596ED435C7CBB67627752D8B7D01
Reason: Cloud Protection

 

Thanks, all clear now!

  • Like 1
Posted

Great, you are welcome.

  • Thanks 1
