7. Kaspersky cannot start if modified windows dll is placed under Product installation folder

#2272 Kaspersky cannot start if modified windows dll is placed under Product installation folder

  • Rejected

    , last edited by Jarvis

    Reproduction steps:

    1 disable selfprotect and turn on traces

    2 find version.dll under %sys64wow% and use a special tool to modify its MD5, the dll file lost its digital signature but still functional 

    3 place the modified dll under K's program folder and try run the product

    Actual result:

    product will not start using any method, starting service or avpui.

    Expected Result:

    product will detect the fact that the modified dll has no digital signature and:

    go to %syswow64% to find another dll, than load the dll so that the product start up properly

    OR

    popup message that telling user that certain file is missing or corrupted. Alert the user that reinstallation is required.

    I uploaded traces and video

    System Settings

    Operating system: Win 10, x64

    System: DELL XPS13 9380

    Product: KIS

    Product Version: 21.0.44.1537

    Language: zh-CN

    Product Logs: https://cloud.qainfo.ru/s/y46vOZ1aDQfxIXt

  • I have conduct more tests and find that the product still can not load even if the dll file I placed under its program folder never modified.

    Reproduce steps:

    1. stop selfprotect and place the Unmodified dll file under K's program folder

    2. re-enable selfprotect than exit and restart the product

    Actual result:

    the product will not start up by double click avpui.exe and desktop shortcut;

    only avp.exe can be start up by starting the Kaspersky antivirus service manually in computer management console.

    It is no different whether you have re enable selfprotect or not. In traces, I tried both situation and found it out.

    Expected result:

    by double click desktop shortcut, the product should load the unmodified dll in its program folder and successfully start up its GUI and service.

    traces:

    https://cloud.qainfo.ru/s/WynbDMIN0bPt3vd

  • @xzz123

    As shown below and my test in the topic

    https://eap.kaspersky.com/topic/2248/with-self-protection-turned-on-the-use-of-a-software-can-delete-most-of-kaspersky-s-files-on-the-c-drive

    cyber criminal may hijack a ARK tool to drop modified windows file into Kaspersky's program folder easily, with self defense still on.

    after user's device restarted, kaspersky cannot start up at all. 

  • Hi, sir! This is not bug for beta forum. I sent your information to my colleagues who work with our protection system. 1) about your scenario - when you start with "turn off self defense" it is not proper scenario. We don't provide defence for users who switch off main functions. 2) about file shredder - it works through drivers and nothing can block it =(

  • @jarvis

    Hi

    thanks for the info. I got your point.

Looks like your connection to Beta Testing was lost, please wait while we try to reconnect.