
Why is psinject in Kaspersky Lab temporary folder?


Solved by Igor Kurzin

Recommended Posts

Posted

I was using the update feature of the Kaspersky Cloud AV to update the software in my computer and found that inside the folder KasperskyLab/Temp/tempio, there exists several PSInject.ps1 scripts (https://github.com/EmpireProject/PSInject). May I know if this is intended and what is the use?

Flood and Flood's wife
Posted

I was using the update feature of the Kaspersky Cloud AV to update the software in my computer and found that inside the folder KasperskyLab/Temp/tempio, there exists several PSInject.ps1 scripts (https://github.com/EmpireProject/PSInject). May I know if this is intended and what is the use?

Hello @whwhwh

Welcome!

  1. Read before you create a new topic! & please provide the information detailed by @Danila T. ?
  2. Is Kaspersky Security Cloud Premium or Free? 

Please let us know?

Thank you🙏

Flood🐳+🐋

Flood and Flood's wife
Posted

Hello @whwhwh

Thank you for the information!

  1. Which Kaspersky Security Cloud version & patch(x) is installed? On the Windows taskbar or hidden icons, right-click the Kaspersky icon and select About.
  2. Neither Kaspersky Security Cloud Premium Trial nor Free has access to Kaspersky Technical Support; we've sought guidance from the Kaspersky experts in this forum, please wait for a response.

Thank you🙏

Flood🐳+🐋

Posted

Hi @whwhwh , 

tempio is a Kaspersky temporary folder, anything can appear in this folder when Kaspersky is doing checks of files/network traffic.

tempio is a well protected Kaspersky folder, there is nothing to worry about. 

This situation seems not to be connected to the Software Updater process.

Posted

Hi Igor,


Thanks for the information. Just wondering if the Kaspersky AV could be using this PowerShell script anywhere else, or if it's because my computer was infected? Because they were detected by AVG after I'd installed and used the Kaspersky Security Cloud.


Posted

Hi @whwhwh , 

It can be a false detection on the side of AVG. If the file is still there, you can submit it via https://opentip.kaspersky.com for analysis. 
Also you can upload it to some cloud in a password protected archive and send me a download link via private messages. 
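
As an added illustration of the workflow Igor describes (find the scripts, get something you can submit for analysis), here is a PowerShell snippet that is not part of the thread and not Kaspersky's own code. It reads each .ps1/.psm1 file under the tempio folder without executing it, records size, timestamps and SHA-256 (the hash is what you would paste into the OpenTIP search box, so the file itself never has to be re-opened or copied), checks whether the file carries a Zone.Identifier stream (present on browser downloads, absent on files extracted from an archive or written by a scanner), and flags files that mention the Invoke-PSInject function named in the thread. The folder location in `$TempioPath` is an assumption; the thread only names "KasperskyLab/Temp/tempio".

```powershell
<#
  Added example, not Kaspersky's code. Inventories PowerShell scripts found in
  the Kaspersky temp folder and writes a CSV of hashes and metadata that can be
  looked up on https://opentip.kaspersky.com without uploading the files.
  The scripts are only read, never dot-sourced or invoked.
#>
param(
    # Assumed location; the forum thread names only "KasperskyLab/Temp/tempio".
    [string]$TempioPath = "$env:ProgramData\Kaspersky Lab\Temp\tempio",
    [string]$ReportPath = "$env:USERPROFILE\Desktop\tempio-report.csv"
)

if (-not (Test-Path -LiteralPath $TempioPath)) {
    Write-Warning "Folder not found: $TempioPath (adjust -TempioPath)"
    return
}

$report = Get-ChildItem -LiteralPath $TempioPath -Recurse -File -Include *.ps1, *.psm1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = $_

        # SHA-256 is the lookup key for OpenTIP; submitting a hash avoids
        # moving a possibly malicious file around.
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash

        # Zone.Identifier is an alternate data stream written by browsers and
        # mail clients on downloaded files. A file that came out of a ZIP or was
        # dropped by a scanner normally has no such stream.
        $zone   = Get-Content -LiteralPath $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = ($zone | Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', ''

        # Flag files that contain the function name the detection in this
        # thread was raised on. Select-String reads the text; it does not run it.
        $mentionsPSInject = [bool](Select-String -LiteralPath $f.FullName -Pattern 'Invoke-PSInject' -SimpleMatch -Quiet)

        [pscustomobject]@{
            Path             = $f.FullName
            SizeBytes        = $f.Length
            CreatedUtc       = $f.CreationTimeUtc
            LastWrittenUtc   = $f.LastWriteTimeUtc
            SHA256           = $hash
            ZoneId           = if ($zoneId) { $zoneId } else { '' }
            MentionsPSInject = $mentionsPSInject
        }
    }

$report | Sort-Object CreatedUtc | Format-Table -AutoSize
$report | Export-Csv -LiteralPath $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $(@($report).Count) entries to $ReportPath"
```

Run it from an elevated PowerShell prompt, since (as the thread notes later) the tempio folder is only writable, and in practice only listable, by an administrator. The creation timestamps let you line the files up against the time of the scan or the Software Updater run, which is the question this thread is really about; the CSV with hashes is also a more useful thing to send to the forum or to OpenTIP than the scripts themselves.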

  • Solution
Posted

hi @whwhwh , 

that’s what I get trying to save the file: 
Component: Web Anti-Virus
Result description: Blocked
Type: Malicious link
Name: https://…./Invoke-PSInject.ps1
Precision: Exactly
Threat level: High
Object type: Web page
Object name: Invoke-PSInject.ps1
Object path: https://….
Reason: Cloud Protection

So far it looks like some script was intercepted by Kaspersky Web Anti-Virus and placed in the tempio folder.


Posted

Hi Flood and Igor,


Thank you for the assistance. The weird thing is that the Kaspersky Security Cloud AV did not flag the malicious script during a scan I did initially with KSC. After the scan, I used KSC to update my software (OpenVPN, iTunes, TeamViewer etc.) and that's when AVG alerted me to the malicious scripts in the Kaspersky Lab tempio folder, so I thought that the KSC AV might have something to do with it.

Also, after removing the malicious scripts, I did multiple rounds of scans with KSC AV, AVG and Windows Defender. So far, no malware has been detected, so I'm not sure where this script came from.

Flood and Flood's wife
Posted

So far it looks like some script was intercepted by Kaspersky Web Anti-Virus and placed in the tempio folder.


Hello @Igor Kurzin

Why tempio?

By rights users should not be manipulating tempio (should they?), which is what @whwhwh has done to clear the files: “I’ve since accessed the tempio directory as administrator and deleted the powershell scripts.”

Thank you🙏

Flood🐳+🐋

Posted

Hi Flood and Igor,


Based on the user controls set, an administrator user is able to manipulate the tempio folder, which is what I did by running cmd as administrator and deleting the files via cmd.


Igor might be right. I've reinstalled the KSC AV and did a scan again. I made sure that the tempio folder was empty before scanning. This time, it found multiple PowerShell scripts in a zipped folder that I forgot existed. After scanning, the PowerShell scripts appeared in the tempio folder, which I'm guessing is stored as a backup.


Thank you all for the help!

Posted

hi @whwhwh , 

You are most welcome, glad you have figured out the mystery.

Have a good day and stay safe! 

This topic is now closed to further replies.
