
Posted

Kaspersky Premium 21.25.7.504(a) on Win 11 Pro 25H2, fully patched.

I was working on manually updating my Secure Boot certs, since Microsoft was having problems doing it.
And I needed to copy the newest boot loader to the EFI partition.
The commands were

Quote

mountvol S: /s
copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi S:\EFI\Microsoft\Boot\bootmgfw.efi
mountvol S: /d

So while I could type each command in, I decided to paste them all into a bat file and execute that.
So while it's not something you would expect to do much, I needed to, and it worked.
HOWEVER
Once it completed, Kaspersky stuck its oar in and said it was dangerous and deleted the bat file.

So.
1. Why did it delete it rather than just quarantine it?
2. More importantly... if it's so dangerous that Kaspersky considers it needs to be removed/deleted, why did it allow the script to run? If it was a horribly dangerous thing to do, it should have stopped it BEFORE execution.

Anyway - the command executed fine and solved my problem.
So just reporting it here as the behaviour does not make sense.

harlan4096
Posted

Welcome to Kaspersky Community.

 

If You did not change Intrusion Prevention settings, that .bat probably was placed in the Low Restricted group, which still allows execution with some restrictions, until it finds some suspicious behavior (probably System Watcher), and then removes the file.

 

And yes, it's weird that K. did not save a copy in Quarantine, but it's not the 1st time I've seen the same behavior 🤔

 

Please, can You attach the exact details of the detection?

  • Like 2
Posted (edited)

Here you go... four entries, in the System Watcher area... earliest to latest (sorry... stupid Kaspersky does not make it easy to include all info easily/sensibly... e.g. save the report and attach it).
Oh.. and correction, it DID save a copy in the Quarantine area; it must have taken some time (and a refresh?) to get it to show, as it was definitely not shown when I immediately checked.

Event: Malicious object detected
Application: Windows Command Processor
User: xxxxxxxxxxx
User type: Initiator
Component: System Watcher
Result description: Detected
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\justi\Downloads\SecureBoot-CA-2023-Updates-main\SecureBoot-CA-2023-Updates-main
Object name: Hotfix.bat
Reason: Behavior analysis
Databases release date: Yesterday, 01/06/2026 19:47:00
MD5: C6DEA2838BD12CECC5980A708B4BA718

Event: Process terminated
Application: Windows Command Processor
User: xxxxxxxxxxxxxxx
User type: Initiator
Component: System Watcher
Result description: Terminated
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\justi\Downloads\SecureBoot-CA-2023-Updates-main\SecureBoot-CA-2023-Updates-main
Object name: Hotfix.bat
MD5: C6DEA2838BD12CECC5980A708B4BA718

Event: A backup copy of the object was created
Application: Windows Command Processor
User: xxxxxxxxxxx
User type: Initiator
Component: System Watcher
Result description: Backup copy created
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\justi\Downloads\SecureBoot-CA-2023-Updates-main\SecureBoot-CA-2023-Updates-main
Object name: Hotfix.bat
MD5: C6DEA2838BD12CECC5980A708B4BA718

Event: Object deleted
Application: Windows Command Processor
User: xxxxxxxxxxxxxx
User type: Initiator
Component: System Watcher
Result description: Deleted
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\justi\Downloads\SecureBoot-CA-2023-Updates-main\SecureBoot-CA-2023-Updates-main
Object name: Hotfix.bat
MD5: C6DEA2838BD12CECC5980A708B4BA718

 

Edited by Yoji
  • Like 1
AlexeyK
Posted
11 hours ago, Yoji said:

Why did it delete it rather than just quarantine it?

1 hour ago, Yoji said:

Event: A backup copy of the object was created

Object name: Hotfix.bat

  • Like 1
AlexeyK
Posted
12 hours ago, Yoji said:

More importantly... if it's so dangerous that Kaspersky considers it needs to be removed/deleted, why did it allow the script to run? If it was a horribly dangerous thing to do, it should have stopped it BEFORE execution.

In addition to @harlan4096's post - some more info about System Watcher. It works in real time with real app actions and files.

  • Like 1
Posted
45 minutes ago, AlexeyK said:

 

Yes... I posted a correction where I said
"Oh.. and correction, it DID save a copy in the Quarantine area; it must have taken some time (and a refresh?) to get it to show, as it was definitely not shown when I immediately checked."
So as I said, it was definitely NOT shown in the quarantine section when I went to check immediately after I saw the pop-up saying it had deleted the item. So that's not great from a usability perspective; it should show immediately.

 

13 minutes ago, AlexeyK said:

In addition to @harlan4096's post - some more info about System Watcher. It works in real time with real app actions and files.

But from a security perspective, it's weak. IF what I was doing was genuinely dangerous... it's VERY poor for Kaspersky to allow it to happen, and then only complain AFTER the potentially catastrophic action has been allowed to progress.
And as you say... to me "real time" should mean it checked the hotfix.bat threat as soon as the file was created... and alerted/complained BEFORE I even had a chance to execute it. That seems to be a much safer way for Kaspersky to work.

AlexeyK
Posted
46 minutes ago, Yoji said:

But from a security perspective, it's weak

You can read something more about what behavioral analysis (a part of proactive protection) is. The technology is used not only by KL products.

56 minutes ago, Yoji said:

NOT shown in the quarantine section when I went to check immediately

Perhaps the detection alert was shown at that moment, but the removal and rollback process was not yet completed. All this does not happen instantly, but over a period of time.

  • Like 1
AlexeyK
Posted

Previously, the well-known AV-Comparatives lab performed proactive protection tests. That's what it said:

Quote

As behaviour blockers only come into play after the malware is executed, a certain risk of being compromised remains (even when the security product claims to have blocked/removed the threat). Therefore, it is preferable that malware be detected before it is executed, by e.g. the on-access scanner using heuristics. This is why behaviour blockers should be considered a complement to the other features of a security product (multi-layer protection), and not a replacement.


But KL System Watcher has a unique feature - rollback of completed actions, with removal of unwanted files, recovery of deleted or modified files, registry restoring, etc. This is especially noticeable, e.g., when restoring files encrypted by ransomware, if all other protection modules have failed.

  • Like 2
harlan4096
Posted

I've replicated Your "issue" in a VM with KES Cloud (managed via Web Console):

[screenshot attachment: KES Cloud detection]

[screenshot attachment: KES Cloud detection]

  • Like 2
Posted
3 hours ago, AlexeyK said:

But KL System Watcher has a unique feature - rollback of completed actions, with removal of unwanted files, recovery of deleted or modified files, registry restoring, etc. This is especially noticeable, e.g., when restoring files encrypted by ransomware, if all other protection modules have failed.

But you are making a BIG assumption: you are assuming that whatever executed leaves your PC in a usable state... if I had run something that in effect destroyed my access to my system... I would still be stuffed?
The item you linked seems to recognise this when it says "Therefore, it is preferable that malware be detected before it is executed, by e.g. the on-access scanner using heuristics."

 

AlexeyK
Posted
5 minutes ago, Yoji said:

But you are making a BIG assumption: you are assuming that whatever executed leaves your PC in a usable state... if I had run something that in effect destroyed my access to my system... I would still be stuffed?

If all modules of reactive and proactive protection failed, your PC will be permanently destroyed by malware. Forever and ever.

I really don't understand what exactly the question is. 100%-protection does not exist in nature, if you didn't know. Behavioral block is just one of the protection layers.

2 hours ago, harlan4096 said:

I've replicated Your "issue"

And...? Will you create a support request instead of the user? 🙂

  • Like 2
Posted
11 minutes ago, AlexeyK said:

If all modules of reactive and proactive protection failed, your PC will be permanently destroyed by malware. Forever and ever.

I really don't understand what exactly the question is.

It was not a question; as I said, "So just reporting it here as the behaviour does not make sense."
Sounds like we agree that it's a gap/risk, so it may be an opportunity for Kaspersky to improve.

And yes... I know if all fails my PC may be permanently destroyed; that's why I have backups... so I can always recover from such a misfortune.

  • Like 1
AlexeyK
Posted (edited)
35 minutes ago, Yoji said:

Sounds like we agree that it's a gap/risk, so it may be an opportunity for Kaspersky to improve.

Once again (the last one): behavioral blocking is one of the defence levels, which works according to BSS. It's unclear what you want to improve. The products already have a lot of different protection components. If you want this false positive detection to be everywhere for all components - ask support to add it to all modules. 🙂

It's very strange to draw global conclusions about the work of the product based on one false positive. And to give recommendations about improvements.

Edited by AlexeyK
harlan4096
Posted

In fact, that boot manager update probably behaves similarly to a rootkit; that's why SW triggered on it 😁

  • Haha 1
Posted (edited)
31 minutes ago, AlexeyK said:

It's very strange to draw global conclusions about the work of the product based on one false positive. And to give recommendations about improvements.

It is not as strange as someone who acts as an apologist and stubbornly refuses to recognise an opportunity to improve.
I clearly make no comment on whether it can be improved.. or how it might be improved; I leave that to the experts. I merely point out the obvious, that there is an "opportunity" to improve.

Why not just take what I posted and said at face value... and say something like 
"Yes, interesting, such a false positive may be tricky to resolve, but thanks for posting" and move on?

Edited by Yoji
AlexeyK
Posted
1 hour ago, Yoji said:

I leave that to the experts

Experts live here: https://support.kaspersky.ru/b2c/#contacts

1 hour ago, Yoji said:

say something like "Yes, interesting, such a false positive may be tricky to resolve, but thanks for posting" and move on?

Just a false positive? Nothing interesting indeed. Thanks, now I'm moving out of the thread. 🙂

Turkeytm founder
Posted

The first line means mount the EFI drive, which is normal but not common.

The second is suspicious for an antivirus because it thinks it's loading an unknown EFI file to disk and it might be a UEFI bootkit.

The third one is the end of the operation, so it's normal.

The source probably comes from https://github.com/garlin-cant-code/SecureBoot-CA-2023-Updates/releases

VirusTotal link of the latest one: https://www.virustotal.com/gui/file/2696bdfb9505af2e125c5c6c788f5b44121ff1c930a6e155ba050c93ff671bff

Your one: https://www.virustotal.com/gui/file/91b9a29779574aa7dc2eeb22619089081c17bd2baff073bfd1e375b166270703

So it blocks the loader, but that doesn't mean it's loading malware.

I believe from Kaspersky's side a possible solution is looking at the EFI signature and Secure Boot state, or static analysis, since you can't do dynamic analysis easily (except detecting the loader).

Also, I realized I might have made a mistake by explaining this, because he wants to talk with Kaspersky experts, but anyway I am going to post it.

Posted
1 hour ago, Turkeytm founder said:

The first line means mount the EFI drive, which is normal but not common.

The second is suspicious for an antivirus because it thinks it's loading an unknown EFI file to disk and it might be a UEFI bootkit.

The third one is the end of the operation, so it's normal.

The source probably comes from https://github.com/garlin-cant-code/SecureBoot-CA-2023-Updates/releases

VirusTotal link of the latest one: https://www.virustotal.com/gui/file/2696bdfb9505af2e125c5c6c788f5b44121ff1c930a6e155ba050c93ff671bff

Your one: https://www.virustotal.com/gui/file/91b9a29779574aa7dc2eeb22619089081c17bd2baff073bfd1e375b166270703

So it blocks the loader, but that doesn't mean it's loading malware.

I believe from Kaspersky's side a possible solution is looking at the EFI signature and Secure Boot state, or static analysis, since you can't do dynamic analysis easily (except detecting the loader).

Also, I realized I might have made a mistake by explaining this, because he wants to talk with Kaspersky experts, but anyway I am going to post it.

Thanks... you are right. I was working with Garlin and his tools to help update to the 2023 certificates on my motherboard at the time... but the "hotfix.bat" file was one I created.... under guidance from Garlin. The contents of which were exactly as per my first post in this thread.
So yes.. it was copying a bootloader... from my hard drive to the EFI partition. The version on my hard drive would have been (signed? and) put there by Microsoft, so should have been recognised as safe..

I don't understand the "VirusTotal" links you posted, but hopefully my explanation helps you put into context what was happening.

If you want to see the chain of events... here is the thread on Garlin's thread where he helped me.
https://www.elevenforum.com/t/garlins-powershell-scripts-for-updating-secure-boot-ca-2023.43423/post-745756

This is the link where he told me use the commands... you can scroll up and down from that a bit to see the full context if interested.  

  • Like 1
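The thread ends with two technical points: the three-line Hotfix.bat from the first post, which copies a Microsoft-shipped boot manager onto the EFI system partition, and Turkeytm founder's suggestion that the sensible check is the EFI file's signature and the Secure Boot state. The script below is an added example, not code from the thread, from Garlin's scripts or from Kaspersky: it performs the same copy as the bat file but only after verifying the source file's Authenticode signature and reading the Secure Boot state, keeps a backup of the loader it replaces, and verifies the copy by hash. The paths and drive letter are the ones quoted in the first post; the Microsoft signer check, the `.bak` backup name and the requirement for an elevated session are assumptions of this example.

```powershell
# Added example (not from the thread): a checked version of the three-line
# Hotfix.bat. Run from an elevated PowerShell session on a UEFI system.
$Source      = 'C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi'   # path quoted in the first post
$MountLetter = 'S:'                                       # drive letter used in the first post
$Target      = "$MountLetter\EFI\Microsoft\Boot\bootmgfw.efi"

# 1. The source loader is a PE image, so Authenticode applies. Refuse anything
#    that is not a valid signature, and (assumption) anything not signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $Source
if ($sig.Status -ne 'Valid') {
    throw "Refusing to copy: signature status '$($sig.Status)' for $Source"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to copy: unexpected signer '$($sig.SignerCertificate.Subject)'"
}
Write-Host "Source signed by: $($sig.SignerCertificate.Subject)"

# 2. Read the Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS
#    boots and when not elevated; treat either as a reason to stop.
try {
    $secureBootOn = Confirm-SecureBootUEFI
} catch {
    throw "Secure Boot state could not be read (not UEFI, or not elevated): $_"
}
Write-Host "Secure Boot enabled: $secureBootOn"

# 3. Mount the EFI system partition, back up the current loader, copy, unmount.
#    The finally block guarantees the ESP is unmounted even if a step fails.
mountvol $MountLetter /s
try {
    if (-not (Test-Path $Target)) { throw "Existing loader $Target not found on the ESP" }
    $backup = "$Target.bak"   # assumed backup name; not part of the original bat file
    Copy-Item -Path $Target -Destination $backup -Force
    Copy-Item -Path $Source -Destination $Target -Force

    # 4. Confirm the file on the ESP is byte-identical to the verified source.
    $srcHash = (Get-FileHash -Algorithm SHA256 -Path $Source).Hash
    $dstHash = (Get-FileHash -Algorithm SHA256 -Path $Target).Hash
    if ($srcHash -ne $dstHash) {
        throw "Hash mismatch after copy; restore $Target from $backup before rebooting"
    }
    Write-Host "Boot manager replaced. SHA256: $dstHash (backup at $backup)"
}
finally {
    mountvol $MountLetter /d
}
```

Two caveats on the design. A valid Microsoft signature says the file is genuinely Microsoft's; it does not by itself say it is the loader signed under the 2023 CA that the firmware's updated DB will accept, so this check complements, rather than replaces, the certificate update procedure Garlin's thread describes. And from the detection side, the script does exactly the action the thread says System Watcher flagged (writing a PE file into `\EFI\Microsoft\Boot`), so a behaviour blocker would be expected to react to it in the same way; the checks here protect the user from copying the wrong file, not from the false positive.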