Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine'

Category: [2020] Traffic checking (AV: web/mail/IM, AS/AB/DNT/PC)
15 Posts, 4 Posters, 11.1k Views
This topic has been deleted. Only users with topic management privileges can see it.
xzz123 wrote:

Reproduction steps:
Visit a virus link; AVP blocks the download.
Actual result:
Web AV gives an incorrect report that a Clean Object was moved to quarantine.
Expected result:
Web AV only reports Object Blocked.

See the screenshot of the incorrect report:
[screenshot: https://forum.kaspersky.com/uploads/monthly_2018_06/screenshot.thumb.jpg.bf5ca1553585399aaddd090e6c3a54b6.jpg]

This is a link that you can use to reproduce it. Actually, any malicious link is OK.
http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D

Uploaded traces and the screenshot:
https://cloud.qainfo.ru/s/LPcLJbautATgiZ5

#6 Ilya.Zadonsky (Kaspersky Lab) wrote:

Are there any changes after following the recommendations from the message above?
#7 xzz123 (Moderators) wrote:

@ilya-zadonsky
Negative, sir.
#8 Wesly.Zhang (Moderators) wrote:

@xzz123

According to the traces, AVP correctly detected "http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe" as "Backdoor.Win32.Androm.qbms", but failed to deal with it. Does this issue only happen in the "360Chrome / 360极速浏览器 (360 Speed Browser)" browser?

```
21:54:34.677 0x8 INF aveng asl_trace: leave DetectReportPost Backdoor.Win32.Androm.qbms
21:54:34.677 0x8 INF aveng asl_trace: enter DetectProcessDone Backdoor.Win32.Androm.qbms
21:54:34.677 0x8 INF aveng asl_link: objId:0190a918
21:54:34.677 0x8 INF aveng asl_trace: leave DetectProcessDone Backdoor.Win32.Androm.qbms
21:54:34.677 0x8 INF aveng AVP !EMU (DT)
21:54:34.677 0x8 INF avs aveng Cancel (req) : 0x80000051
21:54:34.677 0x8 INF aveng USR CANCEL 0x80000051
21:54:34.677 0x8 WRN aveng PROC CANCEL: Usr
21:54:34.677 0x8 WRN aveng PROC EF:0x10000 Cnc
21:54:34.677 0x8 WRN aveng PROC ST:0x80000051
21:54:34.677 0x8 WRN aveng AM PROCESS_FINISH #0 !ERR:0x80000051
21:54:34.677 0x8 WRN aveng AM PROCESS_OBJECT_END #0 !ERR:0x80000051
21:54:34.677 0x8 WRN aveng AVP CANCELED
21:54:34.677 0x8 INF aveng AVP LEAVE http://bbs.huorong.cn/forum.php?mod=attachment&aid=MzIwNDF8YjZiMmFmN2J8MTUzMDI4MDQzMnwyNzA0N3w0NzcyMA%3D%3D//mv_sophia_docs/mv_sophia_docs.exe
```

Do you have some ignored messages set in the KL product settings? Restore all notification messages in the KL settings and use the IE browser to check this issue again.

Go! The world ! 💪 Our CD8/CD4 T lymphocytes are on their way to destroy the new tubular virus.😠
If I don't reply to your post here, please send a PM in the KL Community forum or send an e-mail ( wesly.zhang@qq.com ) to notify me.
#9 xzz123 (Moderators) wrote:

@wesly-zhang
Actually, if you can reproduce it, then you can reproduce it in any browser. I already tried the Edge browser before.
No additional notification is ignored.
And most important, I cannot see any relation between a scan error and a Clean Object moved to Quarantine....
#10 Helios_07 wrote:

It's reproducible for me; I get the same report: Clean object (file) moved to quarantine by user.
Traces: https://cloud.qainfo.ru/s/QCJrqV15nhsYJsy

PC:
Windows 10 64-bit Version 20H2
Build 19042.985
Intel Core i10-10900K @ 3,7GHZ
32,0 GB-RAM
NVIDIA Geforce RTX 2080 TI 11GB
KIS 21.4.8.292
KPM 9.0.2.15298(o)
Forum Signature from 25.May.2021
#11 xzz123 (Moderators) wrote:

This problem also reproduces with the 2019 patch (b).
#12 Wesly.Zhang (Moderators) wrote:

@xzz123

Yeah~ I see now. Sorry for my mistake. This issue happens on "Detected object" in the detailed report. Ya... It seems AVP does not deal with some items and filter them.

ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0

When a threat is located in a zip, rar, 7zip or some other compressed package (parent directory), AVP doesn't process its log to filter/hide or improve the log event about the processing state of the threat in the compressed package listed in the Detected Objects window. Maybe it is a beta version, so they haven't dealt with it yet.

ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Blocked type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0

```
15:08:09.326 0xa50 INF SqliteDataDb sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data" where "key" = x'010000008cb9fed65c02';'
15:08:09.326 0xa50 INF SqliteCache Value not found in cache
15:08:09.326 0xa50 ERR amfcd RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up= detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326 0xa50 INF amfcd RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x3
15:08:09.326 0xa50 INF SqliteDataDb sqlite query processed: 'select "value","expirationTime","insertionTime" from "Data" where "key" = x'010000008cb9fed65c03';'
15:08:09.326 0xa50 INF SqliteCache Value not found in cache
15:08:09.326 0xa50 ERR amfcd RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://development56.baidupan.com/2018063016bb/2018/06/30/a1130b5f1df6829365e96162d69cace9.zip?st=XyfWJl_YHSw8cbaBzqQMnA&q=MEMZ.zip&e=1530349352&ip=124.79.173.114&fi=3943706&up=//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2
15:08:09.326 0xa50 INF amfcd RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x4
```
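As an added example (not code from the thread, and not Kaspersky's own code), here is a small Python check over the amfcd ThreatsManagement lines quoted in the post above. It rebuilds the archive/member relationship from the `parent:` field, flags any entry that is logged as "Clear object" while a detected object is nested inside it (the trace signature behind the "Clean object moved to quarantine" line in the Detected Objects window), and shows what a rolled-up verdict for the downloaded archive would look like. The sample trace is constructed from the quoted lines with the URL shortened to `example.invalid`; the pairing of each "Enter. Threat 0xN" line with the record that follows it, and the roll-up rule in `effective_status`, are assumptions, not documented product behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample trace, modelled on the amfcd lines quoted in the post above
# (URL shortened to example.invalid; field order is as in the original trace).
# The archive itself is logged as "Clear object" while the file inside it
# (parent: 0x2) carries the detection.
SAMPLE_TRACE = """\
15:08:09.326 0xa50 INF amfcd RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x2
15:08:09.326 0xa50 ERR amfcd RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://example.invalid/MEMZ.zip detect: status: Clear object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x0
15:08:09.326 0xa50 INF amfcd RollbackInfoProvider::GetRollbackInfo: Enter. Threat 0x3
15:08:09.326 0xa50 ERR amfcd RollbackInfoManager::GetRollbackInfo: Unable to retrieve object from storage. Error code: 0x8000004c
15:08:09.326 0xa50 INF amfcd ThreatsManagement::GetThreatsByIDs: Threat: https://example.invalid/MEMZ.zip//MEMZ/Geometry dash auto speedhack.bat detect: Trojan.BAT.Memz.b status: Untreatable object type: 0x0 rollback made: 0x0 couldBeRestored: 0x0, object size: 0x0, parent: 0x2
"""

CLEAN = "Clear object"

# Assumption: the "Enter. Threat 0xN" line announces the ID of the next
# GetThreatsByIDs record (the sqlite key suffix in the quoted trace matches it).
ENTER_RE = re.compile(r"GetRollbackInfo: Enter\. Threat (0x[0-9a-fA-F]+)")
THREAT_RE = re.compile(
    r"ThreatsManagement::GetThreatsByIDs: Threat: (?P<path>.*?) detect: "
    r"(?P<detect>.*?) ?status: (?P<status>.+?) type: .* parent: (?P<parent>0x[0-9a-fA-F]+)\s*$"
)


@dataclass
class ThreatRecord:
    threat_id: str
    path: str
    detect: str    # detection name; empty for an entry with no verdict of its own
    status: str    # status text as logged
    parent: str    # parent threat ID, "0x0" for a top-level object


def parse_threats(trace: str) -> Dict[str, ThreatRecord]:
    """Turn the amfcd trace into a map of threat ID -> record."""
    records: Dict[str, ThreatRecord] = {}
    pending_id: Optional[str] = None
    for line in trace.splitlines():
        m = ENTER_RE.search(line)
        if m:
            pending_id = m.group(1).lower()
            continue
        m = THREAT_RE.search(line)
        if not m:
            continue
        # Fall back to a sequential ID if no "Enter. Threat" line preceded the record.
        threat_id = pending_id or f"0x{len(records) + 1:x}"
        records[threat_id] = ThreatRecord(
            threat_id, m["path"], m["detect"].strip(), m["status"].strip(), m["parent"].lower()
        )
        pending_id = None
    return records


def descendants(records: Dict[str, ThreatRecord], threat_id: str) -> List[ThreatRecord]:
    """All records nested (at any depth) inside the given container."""
    out: List[ThreatRecord] = []
    for rec in records.values():
        if rec.parent == threat_id:
            out.append(rec)
            out.extend(descendants(records, rec.threat_id))
    return out


def inconsistent_containers(records: Dict[str, ThreatRecord]) -> List[str]:
    """IDs logged as 'Clear object' although something nested in them was detected.
    This is the trace signature behind the 'Clean object moved to quarantine' line."""
    return [
        rec.threat_id
        for rec in records.values()
        if rec.status == CLEAN and any(d.detect for d in descendants(records, rec.threat_id))
    ]


def effective_status(records: Dict[str, ThreatRecord], threat_id: str) -> Tuple[str, str]:
    """(detect, status) to show for an object: its own verdict if it has one,
    otherwise the first nested detection's. Assumption: this is the roll-up a
    corrected Detected Objects entry would apply to the downloaded archive."""
    rec = records[threat_id]
    if rec.detect or rec.status != CLEAN:
        return rec.detect, rec.status
    for d in descendants(records, threat_id):
        if d.detect:
            return d.detect, d.status
    return rec.detect, rec.status


if __name__ == "__main__":
    recs = parse_threats(SAMPLE_TRACE)
    for bad in inconsistent_containers(recs):
        detect, status = effective_status(recs, bad)
        print(f"{recs[bad].path}: logged as '{CLEAN}', nested verdict {detect} ({status})")
```

Run against the constructed trace it reports the archive URL as the single inconsistent container, with the nested `Trojan.BAT.Memz.b` / "Untreatable object" verdict that the report should have carried instead of "Clear object".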
#13 Wesly.Zhang (Moderators) wrote:

@helios_07

Yes, you are right. Me too, now.
#14 Wesly.Zhang (Moderators) wrote:

@xzz123 said in Web_Antivirus_give_incorrect_report_'Clean Object Move to Quarantine':
> This problem also reproduces with the 2019 patch (b).

Really? Oops...
#15 xzz123 (Moderators) wrote:

Issue not fixed in build 554.
Can be reproduced in the 2018 version.