
SIHClient.exe trying to load Kaspersky 21.22\x64\com_antivirus.dll while autostart is turned off



Posted

I'm getting a lot of errors like this (in Event Viewer):

Log Name:      Microsoft-Windows-CodeIntegrity/Operational
Source:        Microsoft-Windows-CodeIntegrity
Event ID:      3033
Task Category: (1)
Level:         Error
User:          SYSTEM
Description:   Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\SIHClient.exe) attempted to load \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky 21.22\x64\com_antivirus.dll that did not meet the Windows signing level requirements.

While the dll signature might have indeed expired as I haven't updated my app in 1-2 weeks, Kaspersky (including AVP21.22 and klvssbridge64_21.22 services) is set to manual start, so why and exactly what is trying to load com_antivirus.dll through SIHClient.exe?

harlan4096
Posted

Welcome to Kaspersky Community.

 

Quote

What is SIHClient.exe?

The SIHClient.exe is an executable file for the Server-Initiated Healing client running in the background in Task Manager on Windows PCs. This executable does the following:

  • Detects and fixes system components needed for automatic Windows updates.
  • Manages Microsoft software installed on your computer.
  • Starts the background Windows updates installation process
  • Connects to Microsoft servers and checks if healing actions are needed on your PC
  • Like 1
Posted
18 hours ago, 000 said:

dll signature might have indeed expired as I haven't updated my app in 1-2 weeks

I think these threads will also be useful: one and two.

  • Like 1
Posted
21 hours ago, 000 said:

Kaspersky (including AVP21.22 and klvssbridge64_21.22 services) is set to manual start, so why and exactly what is trying to load com_antivirus.dll through SIHClient.exe?

Maybe because of the registry settings that were changed by the antivirus. Maybe because of the AV drivers, which continue to work even when the AV is turned off (surprised? check it out 🙂). I have the same with disabled AV autorun - there are many events from svchost, securityhealthservice and so on.


  • Like 1
Posted

If this is a Microsoft issue, then they haven't fixed that in 2+ years, right? Flooding the logs with errors that should be ignored is not helping with system monitoring.

I have found the following references to com_antivirus.dll (or related CLSID) in the registry:

  • HKCR\CLSID\{1B31DEEC-7991-40E3-AAB7-49DF33620200}\InprocServer32
  • HKCR\CLSID\{C6B857FA-88AD-4C19-9146-E6E66F805FC8}\InprocServer32
  • HKCR\WOW6432Node\CLSID\{1B31DEEC-7991-40E3-AAB7-49DF33620200}\InprocServer32
  • HKCR\WOW6432Node\CLSID\{C6B857FA-88AD-4C19-9146-E6E66F805FC8}\InprocServer32
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached / "{C6B857FA-88AD-4C19-9146-E6E66F805FC8} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF"
  • HKLM\SOFTWARE\Classes\CLSID\{1B31DEEC-7991-40E3-AAB7-49DF33620200}\InprocServer32
  • HKLM\SOFTWARE\Classes\CLSID\{C6B857FA-88AD-4C19-9146-E6E66F805FC8}\InprocServer32
  • HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{1B31DEEC-7991-40E3-AAB7-49DF33620200}\InprocServer32
  • HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{C6B857FA-88AD-4C19-9146-E6E66F805FC8}\InprocServer32
  • HKLM\SOFTWARE\Microsoft\AMSI\Providers\{1B31DEEC-7991-40E3-AAB7-49DF33620200}
  • HKLM\SOFTWARE\WOW6432Node\Classes\CLSID\{C6B857FA-88AD-4C19-9146-E6E66F805FC8}\InprocServer32
  • HKLM\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\{1B31DEEC-7991-40E3-AAB7-49DF33620200}
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\286D442E67DCDCD5ABC9A76EB19F6E32

It's probably the last entry that is causing these errors, but I'm reluctant to remove it manually.
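
To see which processes account for the 3033 noise discussed in this thread, the event descriptions can be grouped by rejected module and by loading process. This is an added example, not code from any poster, Kaspersky or Microsoft; the sample descriptions are constructed from the message quoted in the first post, and the function names are hypothetical.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Message layout of Code Integrity event 3033, as quoted in the first post.
# The lazy groups tolerate parentheses inside paths such as "Program Files (x86)".
EVENT_3033 = re.compile(
    r"a process \((?P<process>.+?)\) attempted to load (?P<module>.+?) "
    r"that did not meet the .+? signing level requirements"
)
DEVICE_PREFIX = re.compile(r"^\\Device\\HarddiskVolume\d+", re.IGNORECASE)

def parse_3033(description):
    """Return (process_path, module_path) without the volume prefix, or None."""
    m = EVENT_3033.search(description)
    if m is None:
        return None
    return tuple(DEVICE_PREFIX.sub("", m.group(g)) for g in ("process", "module"))

def summarize(descriptions):
    """Map each rejected module (lower-cased path) to a Counter of loading processes."""
    by_module = defaultdict(Counter)
    for text in descriptions:
        parsed = parse_3033(text)
        if parsed:
            process, module = parsed
            by_module[module.lower()][ntpath.basename(process).lower()] += 1
    return dict(by_module)

def widely_loaded(summary, min_processes=2):
    """Modules rejected in several different processes, not just one."""
    return sorted(m for m, procs in summary.items() if len(procs) >= min_processes)

# Constructed sample descriptions modelled on the event quoted in the thread.
_TEMPLATE = (
    r"Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\{0}) "
    r"attempted to load \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab"
    r"\Kaspersky 21.22\x64\com_antivirus.dll "
    "that did not meet the Windows signing level requirements."
)
SAMPLE = [_TEMPLATE.format(p) for p in
          ("SIHClient.exe", "SIHClient.exe", "svchost.exe", "SecurityHealthService.exe")]
SAMPLE.append("Constructed unrelated event text that must be skipped.")

if __name__ == "__main__":
    for module, procs in summarize(SAMPLE).items():
        print(module, dict(procs))
```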

Posted
25 minutes ago, 000 said:

If this is a Microsoft issue, then they haven't fixed that in 2+ years, right?

Why ask about this on the Kaspersky forum? It's reasonable to ask MS, right?

26 minutes ago, 000 said:

I have found the following references to com_antivirus.dll (or related CLSID) in the registry

What should we do with this super-useful information?
