Kaspersky cannot start if modified windows dll is placed under Product installation folder

[2021] Other (AVZ/RD/MasterCD/KPC/KSDE)
  • xzz123 (Moderators) wrote, last edited by Jarvis (#1)

    Reproduction steps:
    1 disable selfprotect and turn on traces
    2 find version.dll under %sys64wow% and use a special tool to modify its MD5, the dll file lost its digital signature but is still functional
    3 place the modified dll under K's program folder and try to run the product

    Actual result:
    product will not start using any method, starting service or avpui.

    Expected Result:
    product will detect the fact that the modified dll has no digital signature and:
    go to %syswow64% to find another dll, then load the dll so that the product starts up properly
    OR
    pop up a message telling the user that a certain file is missing or corrupted. Alert the user that reinstallation is required.

    I uploaded traces and video

    • xzz123 (Moderators) wrote (#2)

      I have conducted more tests and found that the product still cannot load even if the dll file I placed under its program folder was never modified.

      Reproduce steps:
      1. stop selfprotect and place the unmodified dll file under K's program folder
      2. re-enable selfprotect, then exit and restart the product

      Actual result:
      the product will not start up by double-clicking avpui.exe or the desktop shortcut;
      only avp.exe can be started, by starting the Kaspersky antivirus service manually in the computer management console.
      It makes no difference whether you have re-enabled selfprotect or not. In traces, I tried both situations and found it out.

      Expected result:
      by double-clicking the desktop shortcut, the product should load the unmodified dll in its program folder and successfully start up its GUI and service.

      traces:
      https://cloud.qainfo.ru/s/WynbDMIN0bPt3vd

        • xzz123 (Moderators) wrote (#3)

        @xzz123
        As shown below and my test in the topic
        https://eap.kaspersky.com/topic/2248/with-self-protection-turned-on-the-use-of-a-software-can-delete-most-of-kaspersky-s-files-on-the-c-drive
        a cyber criminal may hijack an ARK tool to drop a modified windows file into Kaspersky's program folder easily, with self defense still on.
        after the user's device is restarted, kaspersky cannot start up at all.

          • Jarvis wrote (#4)

          Hi, sir! This is not a bug for the beta forum. I sent your information to my colleagues who work with our protection system.

          1. about your scenario - when you start with "turn off self defense" it is not a proper scenario. We don't provide defence for users who switch off main functions.
          2. about file shredder - it works through drivers and nothing can block it =(
            • xzz123 (Moderators) wrote (#5)

            @jarvis
            Hi
            thanks for the info. I got your point.
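
Added example (not part of the original thread, and not Kaspersky code): a defender-side audit for the situation reported in posts #1 and #2. It lists DLLs in a program folder that share a name with a system DLL and says whether their bytes match the system copy. The directory arguments and the sample file names are assumptions; the hash comparison stands in for Authenticode verification, which this code does not perform.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_shadowing_dlls(app_dir, system_dirs):
    """List DLLs in app_dir that share a file name with a DLL in system_dirs.

    Returns sorted (name, system_dir, status) tuples; status is
    'identical-copy' (the case in post #2) or 'differs-from-system' (post #1).
    """
    # Windows file names are case-insensitive, so compare lower-cased names.
    app_dlls = {p.name.lower(): p for p in Path(app_dir).iterdir()
                if p.is_file() and p.suffix.lower() == ".dll"}
    findings = []
    for sys_dir in map(Path, system_dirs):
        if not sys_dir.is_dir():
            continue  # e.g. no SysWOW64 on a 32-bit system
        for sys_dll in sys_dir.iterdir():
            local = app_dlls.get(sys_dll.name.lower())
            if local is None or not sys_dll.is_file():
                continue
            same = sha256(local) == sha256(sys_dll)
            status = "identical-copy" if same else "differs-from-system"
            findings.append((local.name, str(sys_dir), status))
    return sorted(findings)


def demo():
    # Constructed stand-ins for SysWOW64 and a product folder (dummy bytes).
    with tempfile.TemporaryDirectory() as root:
        sys_dir, app_dir = Path(root, "SysWOW64"), Path(root, "Product")
        sys_dir.mkdir()
        app_dir.mkdir()
        (sys_dir / "version.dll").write_bytes(b"system copy")
        (sys_dir / "winhttp.dll").write_bytes(b"other system dll")
        (app_dir / "VERSION.dll").write_bytes(b"system copy\x00")  # altered
        (app_dir / "winhttp.dll").write_bytes(b"other system dll")  # plain copy
        (app_dir / "product_core.dll").write_bytes(b"vendor file")  # no twin
        return [(n, s) for n, _, s in find_shadowing_dlls(app_dir, [sys_dir])]


if __name__ == "__main__":
    for name, status in demo():
        print(f"{name}: {status}")
```

Either status is worth investigating in an install folder that does not normally ship that DLL, since the thread reports a startup failure in both cases.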
