Object exclusion question KSC 11

[VM_MPN]

Hello,

Hoping anybody can help me here,

 

I’m running Kaspersky Security Cloud across multiple clients (around 50 licenses) and one client in particular uses proprietary Practice Management Software (NexTech) which requires installation of executable app (details below). Kaspersky recognizes it as a trojan and deletes this file from the download folder automatically. My problem is I can’t whitelist / exclude this file from Kaspersky Security portal by either filename, object name, etc.

 

1. Download itself goes smoothly - file saved under downloads folder.

 

2. File activated (opened) with the following error… Shortly after it disappears!

 

3. Looking at Kaspersky client threat protection log its flagged as Trojan…

 

Adding exceptions under Kaspersky Cloud Web portal does not seem to work… 

 

I’ve tried adding exclusion by direct path to the file: (example: C:\Users\*\NxTSAddinSetu*.exe) 

Possible Object names I have found under Kaspersky log (example: NxTSAddinSetup(1).exe also UDS:Trojan.Win32.Scar or even SHA256 hash   4DF57CAE33AF2E6596A2E366731A3A8D764788F81750A22F32151B5C18C26643

None of these exclusions worked at the end - each time I download and try to execute this file its detected as a threat and quarantined by Kaspersky upon execution. All this has been tried on Windows 2012 server or multiple Windows 10 Pro workstations by the way.

I strongly suspect I’m doing something wrong but can’t figure this out so far… Being licensed business user I also found it difficult to contact Kaspersky support directly (do they even have dedicated email address or phone number for technical issues in USA?) . Any help from this community will be greatly appreciated!

 

VM

[Guest #37]

Hi,

My personal recomendation:

Please send the sample to opentip, and reported as false positive.

Regards

[VM_MPN]

Thank you for your reply Caos, 

Yes, as expected file shows as infected: 

At this point I’m turning off / exiting Kaspersky client on every workstation to be able to run and install this file… I have been dealing with NexTech for years and I can virtually guarantee their files are legitimate and clean. What can I say…

 

Thank you again,

 

VM

P.S. Link to the original file: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fservices.nextech.com%2FClient%2FUpdate%2FNxTSAddin%2FNxTSAddinSetup.exe&data=04%7C01%7Cc.kobil%40nextech.com%7Cd169e44f19624d4ec35d08d9adeebdaf%7Cfc68edfc9b5346948fe4a73270550dd1%7C0%7C0%7C637732064085483626%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=no2efKz2BmmMrNjwyUaSNC4RnVQm21PG%2FiAKWoR%2BTfw%3D&reserved=0

[BlakeThoennes]

Hello,

 

I too am searching for exclusion tips for nicehash on a number of client systems.

Of course Kasp is doing its job and eliminating potential “trojans” from the mining software used by nicehash… I have tried various exclusion paths like C:\users\*\appdata\local\programs\nicehash\*\ with little to no success… I know from looking at examples from existing exclusion rules things like %windir%\blah   works. So i tried %userprofile%\appdata\local\…. and so on.

I have also tried just nbminer.exe and no path, thinking the objectname will be enough. No dice.

 

As for your comment about contacting support… I cant tell you here, but contact your vendor or rep at kaspersky and they have tech support contacts for you in the US. I have a less than 4 hour wait when we reach out. We are reaching out tomorrow about the exclusions we are trying to do, and I will post them here so you have better examples to work with. I can tell you for sure that the cloud rules ARE making it to the client in our case they just are not being recognized properly. Thats on us not knowing how to use the software. 

 

Blake

[DonKid]

As Caos mentioned, did you submit the file for analysis?
If yes, what is the result?