Jump to content

Need more explanations please


Go to solution Solved by harlan4096,

Recommended Posts

 

Hello, 

I downloaded a zip file from MalwareBazaar and I unzip it without any execution; I have this detection:

 

Event: Malicious object detected
User: JDOE-DESKTOP\JDoe
User type: Active user
Application name: SearchProtocolHost.exe
Application path: C:\Windows\System32
Component: File Anti-Virus
Result description: Detected
Type: Trojan
Name: VHO:Trojan-Spy.Win32.Stealer.gen
Precision: Heuristic Analysis
Threat level: High
Object type: File
Object name: 3283e60979e2767695506468f28d11aa16817e52182ce35d3aa99c0e02d3e8d3.exe
Object path: D:\Last_screen\Downloads
MD5: F5C6596ED435C7CBB67627752D8B7D01
Reason: Cloud Protection

 

What is "Application path"????

 

I repeat, nothing has been executed, the object was just unzipped on "D:\Last_screen\Downloads"   ( which is correctly identified on "object Path")

Link to comment
Share on other sites

Welcome to Kaspersky Community.

 

There is nothing weird in that behavior, there is File Anti-Virus module, that monitors in real-time many actions taking in the system, even if you did not execute that malware, and only extracted, it was identified and removed.

 

Also, the detections it's a cloud one, so that file is tagged as untrusted in KSN (Kaspersky Cloud Protection), and to top it off, it's tagged as VHO (Very Harmful Object), so Your Kaspersky product did a good job in prevention.

 

https://support.kaspersky.com/help/Kaspersky/Win21.14/en-US/85606.htm

 

Quote

Application name: SearchProtocolHost.exe
Application path: C:\Windows\System32

 

It seems Windows Search Service (SearchProtocolHost.exe, located in C:\Windows\System32) tried to index that new extracted file, and then it was caught by Kaspersky ?

  • Like 2
Link to comment
Share on other sites

1 hour ago, harlan4096 said:

It seems Windows Search Service (SearchProtocolHost.exe, located in C:\Windows\System32) tried to index that new extracted file, and then it was caught by Kaspersky ?

Thank you for your answer!

Do you care to explain how did you figure out "It seems Windows Search Service (SearchProtocolHost.exe, located in C:\Windows\System32) tried to index that new extracted file" ????

If I disable "indexing" in my PC , the detection would be different?

 

Thanks!

  • Like 1
Link to comment
Share on other sites

Quote

Do you care to explain how did you figure out "It seems Windows Search Service (SearchProtocolHost.exe, located in C:\Windows\System32) tried to index that new extracted file" ????

Because it appears in Your Kaspersky detection report, Your Kaspersky probably detected the malware when Windows Search Service was accessing that malware to index it.

 

Quote

If I disable "indexing" in my PC , the detection would be different?

In essence would be the same, but probably would not appear SarchProtocolHost.exe data ?

Link to comment
Share on other sites

2 hours ago, harlan4096 said:

In essence would be the same, but probably would not appear SarchProtocolHost.exe data ?

So, I disabled "indexing" on C:drive and all subfolders. Now I get:

 

Event: Malicious object detected
User: JDOE-DESKTOP\JDoe
User type: Active user
Application name: SearchProtocolHost.exe
Application path: C:\Windows\System32
Component: File Anti-Virus
Result description: Detected
Name: UDS:DangerousObject.Multi.Generic
Precision: Exactly
Threat level: High
Object type: File
Object name: 3283e60979e2767695506468f28d11aa16817e52182ce35d3aa99c0e02d3e8d3.exe
Object path: D:\Last_screen\Downloads\3283e60979e2767695506468f28d11aa16817e52182ce35d3aa99c0e02d3e8d3
MD5: F5C6596ED435C7CBB67627752D8B7D01
Reason: Cloud Protection

 

So, in fact, no change compared with previous detection; I do not get the "Application path: C:\Windows\System32"

Thanks!

  • Confused 1
Link to comment
Share on other sites

26 minutes ago, harlan4096 said:

Weird, how did You disable the service? Via services.msc?

No , simply in HDD properties, you disadle it from there:

image.thumb.png.009b6d8ae15c29c846d193c9b778d799.png

But you were right, I had to reboot the PC after that in order NOT to have indexing.

After that , the detection looks like this:

Event: Malicious object detected
User: JDOE-DESKTOP\JDoe
User type: Active user
Application name: WinRAR.exe
Application path: C:\Program Files\WinRAR
Component: File Anti-Virus
Result description: Detected
Name: UDS:DangerousObject.Multi.Generic
Precision: Exactly
Threat level: High
Object type: File
Object name: 3283e60979e2767695506468f28d11aa16817e52182ce35d3aa99c0e02d3e8d3.exe
Object path: D:\Last_screen\Downloads\3283e60979e2767695506468f28d11aa16817e52182ce35d3aa99c0e02d3e8d3
MD5: F5C6596ED435C7CBB67627752D8B7D01
Reason: Cloud Protection

 

Thanks, all clear now!

  • Like 1
Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...