Advanced cleanup technology can cause problems when there is a timed shutdown
-
<p><strong>Reproduction steps:</strong></p>
<p><span>This time I tested a virus sample. The sample executes the shutdown command, which automatically restarts the computer after 2000 seconds. After Kaspersky detects it, it rolls back the operation and starts Advanced Disinfection, but once Advanced Disinfection completes, Kaspersky does not restart immediately; it does not restart until the time set by the shutdown command.</span></p>
<p><strong>Actual result:</strong></p>
<p><span>The computer waits until the scheduled time to restart.</span></p>
<p><strong>Expected Result:</strong></p>
<p><span>It should restart immediately.</span></p>
<p><span>I tested it: this problem occurs in all versions of Kaspersky. If the shutdown time is set to be long, it will bother users. Users cannot run cmd to cancel the restart command, and during this period the user cannot perform any valid action. Although this problem is very rare, I think it is necessary to study how to prevent such a phenomenon from happening. Spoof samples like this have always existed. If you need me to provide a trace, please leave a comment below. I did not provide a trace because I think this is a functional suggestion.</span></p> -
<p>I am adding some information about this behavior.</p>
<p>The discussion about this behavior is in these topics:</p>
<p><a href="https://bbs.kafan.cn/thread-2156860-1-1.html" target="_blank" rel="noopener">https://bbs.kafan.cn/thread-2156860-1-1.html</a></p>
<p>and</p>
<p><a href="https://bbs.kafan.cn/thread-2157065-6-1.html" target="_blank" rel="noopener">https://bbs.kafan.cn/thread-2157065-6-1.html</a></p>
<p>It seems AVP cannot reboot the system after completing Advanced Disinfection because the malware has already executed the following system command, which <span>schedules a system shutdown that turns off the OS.</span></p>
<pre class="language-clike"><code>shutdown -s -t 2000 -c 0</code></pre>
<p>To avoid this problem, could you execute the following command before the restart command, so that any scheduled shutdown is cancelled at the end of the Advanced Disinfection process?</p>
<pre class="language-clike"><code>shutdown -a</code></pre>
<p>If you need any additional information, please let us know.</p> -
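<p>The cancel-before-reboot sequence proposed in the post above, written out as a PowerShell script. This is an added example, not Kaspersky's code and not from the original post. It assumes the Windows <code>shutdown.exe</code> and treats its exit code 1116 (Win32 <code>ERROR_NO_SHUTDOWN_IN_PROGRESS</code>, the value <code>shutdown /a</code> reports when nothing was pending) as "nothing to cancel" rather than as a failure; the function names <code>Clear-PendingShutdown</code> and <code>Invoke-SafeReboot</code> are hypothetical.</p>

```powershell
# Added example (not from the original post or from Kaspersky): abort any pending
# shutdown.exe timer, re-check, and only then issue the post-disinfection reboot.
# Assumption: Windows shutdown.exe; "shutdown /a" exits 0 when it cancelled a pending
# shutdown and 1116 (ERROR_NO_SHUTDOWN_IN_PROGRESS) when nothing was pending.
$ERROR_NO_SHUTDOWN_IN_PROGRESS = 1116

function Invoke-ShutdownExe([string[]]$Arguments) {
    # Run shutdown.exe hidden and return its raw exit code.
    $p = Start-Process -FilePath 'shutdown.exe' -ArgumentList $Arguments `
                       -Wait -PassThru -WindowStyle Hidden
    return $p.ExitCode
}

function Clear-PendingShutdown {
    # $true  = a pending shutdown/restart was aborted
    # $false = no shutdown was pending
    # throws = any other failure (e.g. missing SeShutdownPrivilege)
    $code = Invoke-ShutdownExe @('/a')
    if ($code -eq 0) { return $true }
    if ($code -eq $ERROR_NO_SHUTDOWN_IN_PROGRESS) { return $false }
    throw "shutdown /a failed with exit code $code"
}

function Invoke-SafeReboot {
    param(
        [int]$Delay = 0,     # seconds before the reboot we issue ourselves
        [switch]$WhatIf      # print what would happen instead of rebooting
    )
    if (Clear-PendingShutdown) {
        Write-Host 'Cancelled a pending shutdown/restart scheduled by another process.'
    }
    # Re-check right before rebooting: a still-running sample (or a scheduled task)
    # could have re-armed the timer between the first abort and our own call.
    if (Clear-PendingShutdown) {
        Write-Warning 'A new shutdown was scheduled after the first abort; something is still re-arming it.'
    }
    $args = @('/r', '/t', "$Delay", '/c', '"post-disinfection reboot"')
    if ($WhatIf) {
        Write-Host "Would run: shutdown.exe $($args -join ' ')"
        return
    }
    $code = Invoke-ShutdownExe $args
    if ($code -ne 0) { throw "shutdown /r failed with exit code $code" }
}

# Reproduce the scenario from this thread, then apply the fix as a dry run:
#   shutdown.exe /r /t 900        # the pre-scheduled restart from the repro steps
#   Invoke-SafeReboot -WhatIf     # aborts the 900 s timer, prints the reboot it would issue
```

<p>Two caveats worth keeping in mind: <code>shutdown /a</code> needs <code>SeShutdownPrivilege</code>, which the disinfection process running as SYSTEM has, and it only clears a timer armed through <code>InitiateSystemShutdown</code> (what <code>shutdown.exe /s /t</code> and <code>/r /t</code> use). A sample that re-arms the timer from a still-running process or a Task Scheduler job must have that process or task removed first, which is why the script checks a second time immediately before issuing its own reboot.</p>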
<p>Please, provide samples, traces and any other valuable logs to ownCloud.</p>
-
<p>@yunpeng-song said in <a href="/post/6144" target="_blank" rel="noopener">Advanced cleanup technology can cause problems when there is a timed shutdown</a>:</p>
<blockquote>
<p>Please, provide samples, traces and any other valuable logs to ownCloud.</p>
</blockquote>
<p>Report download address: <a href="https://cloud.qainfo.ru/s/oyUWyUzsLsVZoJ4" target="_blank" rel="noopener">https://cloud.qainfo.ru/s/oyUWyUzsLsVZoJ4</a></p>
<p>Trace download address: <a href="https://cloud.qainfo.ru/s/NkE9MlKyAUmX9a2" target="_blank" rel="noopener">https://cloud.qainfo.ru/s/NkE9MlKyAUmX9a2</a></p>
<p>Virus sample download address (extract password: infected): <a href="https://cloud.qainfo.ru/s/sDuBWeNwR8Dw5lI" target="_blank" rel="noopener">https://cloud.qainfo.ru/s/sDuBWeNwR8Dw5lI</a></p>
<p>Reproduction steps:</p>
<p>First, to prevent this sample from being detected directly by Kaspersky's monitoring, pause Kaspersky protection, then enter the command "shutdown -r -t 900" on the command line (I set 900 seconds here because the whole process takes no more than 900 seconds; this saves time and keeps redundant information out of the trace). After that, double-click the virus sample I provided (this sample has double verification: you need to enter a test password in the input box at the top and click Execute, and the malicious behavior only occurs after a 30-second countdown, so it can be tried on both real and virtual machines). Then turn Kaspersky protection back on. After a while Kaspersky will detect the malware and ask to disinfect and restart the computer. Click this button and Kaspersky enters Advanced Disinfection mode. When Advanced Disinfection is finished, you will find that Kaspersky does not restart automatically; it only restarts after the scheduled restart command takes effect.</p>