#2272 Kaspersky cannot start if modified windows dll is placed under Product installation folder
Rejected, last edited by Jarvis last edited by Jarvis
1 disable selfprotect and turn on traces
2 find version.dll under %sys64wow% and use a special tool to modify its MD5, the dll file lost its digital signature but still functional
3 place the modified dll under K's program folder and try run the product
product will not start using any method, starting service or avpui.
product will detect the fact that the modified dll has no digital signature and:
go to %syswow64% to find another dll, than load the dll so that the product start up properly
popup message that telling user that certain file is missing or corrupted. Alert the user that reinstallation is required.
I uploaded traces and video
Operating system: Win 10, x64
System: DELL XPS13 9380
Product Version: 22.214.171.1247
Product Logs: https://cloud.qainfo.ru/s/y46vOZ1aDQfxIXt
As shown below and my test in the topic
cyber criminal may hijack a ARK tool to drop modified windows file into Kaspersky's program folder easily, with self defense still on.
after user's device restarted, kaspersky cannot start up at all.
I have conduct more tests and find that the product still can not load even if the dll file I placed under its program folder never modified.
1. stop selfprotect and place the Unmodified dll file under K's program folder
2. re-enable selfprotect than exit and restart the product
the product will not start up by double click avpui.exe and desktop shortcut;
only avp.exe can be start up by starting the Kaspersky antivirus service manually in computer management console.
It is no different whether you have re enable selfprotect or not. In traces, I tried both situation and found it out.
by double click desktop shortcut, the product should load the unmodified dll in its program folder and successfully start up its GUI and service.