#1476 Advanced cleanup technology can cause problems when there is a timed shutdown
Fixed, last edited by Jarvis
This time I tested a virus sample. This virus sample executes the shutdown command, which will automatically restart the computer after 2000 seconds. After being discovered by Kaspersky, the operation is rolled back and the advanced cleaning technology starts, but once the advanced cleaning technology is completed, Kaspersky did not restart immediately; it did not restart until the time set by the shutdown command.
Wait until the set time to restart
Should restart immediately
I tested it. This problem has occurred in all versions of Kaspersky. If the shutdown time is set to be long, it will bother users. Users cannot run cmd to cancel the restart command. During this period, the user cannot perform any valid action. Although this problem is very rare, I think it is necessary to study how to prevent such phenomena from happening. The sample of spoofs has always existed. If you need me to provide a trace, please leave a comment below. I did not provide a trace because I think this is a functional suggestion.
Operating system: Win 10, x64
System: Intel Core i7 4790k, Western Digital 2T black disk
Product Logs: no need
last edited by Wesly.Zhang
I add some information about this behavior.
The discussions about this behavior are in these topics:
It seems AVP couldn't do a system reboot after completing an Advanced Disinfection because the malware pre-executes the following system command to set up a scheduled system shutdown task for turning off the OS.
shutdown -s -t 2000 -c 0
In order to avoid this problem, can you execute the following command before executing the restart command, to cancel all scheduled shutdown tasks at the end of the advanced disinfection process?
If you need some additional information, please let us know.
Please, provide samples, traces and any other valuable logs to ownCloud.
Report download address: https://cloud.qainfo.ru/s/oyUWyUzsLsVZoJ4
Trace download address: https://cloud.qainfo.ru/s/NkE9MlKyAUmX9a2
Virus sample download address (extract password: infected): https://cloud.qainfo.ru/s/sDuBWeNwR8Dw5lI
First of all, in order to avoid this sample being directly detected by Kaspersky monitoring, you need to suspend Kaspersky protection first, then enter the command "shutdown -r -t 900" in the command line (I set 900 seconds here because the whole process takes no more than 900 seconds, in order to save time and save redundant information in the trace). After the execution is completed, double-click the virus sample I provided (this virus sample has double verification: you need to enter a test password in the input box above and click to execute, and malicious behavior will occur only after a 30-second countdown, so both real and virtual machines can try). Then turn on Kaspersky protection. Kaspersky will detect the malware in a while and request to clear and restart the computer. Click this button and Kaspersky enters advanced clear mode. When the Kaspersky advanced clear is finished, you will find that Kaspersky will not restart automatically. After the scheduled restart command takes effect, Kaspersky will restart.