Kaspersky cannot start if modified windows dll is placed under Product installation folder
-
<p><strong>Reproduction steps:</strong></p>
<p><span></span>1 disable selfprotect and turn on traces</p>
<p>2 find version.dll under %sys64wow% and use a special tool to modify its MD5, the dll file lost its digital signature but still functional </p>
<p>3 place the modified dll under K's program folder and try run the product</p>
<p><strong>Actual result:</strong></p>
<p><span></span>product will not start using any method, starting service or avpui.</p>
<p><strong>Expected Result:</strong></p>
<p><span></span>product will detect the fact that the modified dll has no digital signature and:</p>
<p>go to %syswow64% to find another dll, than load the dll so that the product start up properly</p>
<p>OR</p>
<p>popup message that telling user that certain file is missing or corrupted. Alert the user that reinstallation is required.</p>
<p></p>
<p>I uploaded traces and video</p> -
<p>I have conduct more tests and find that the product still can not load even if the dll file I placed under its program folder never modified.</p>
<p><strong>Reproduce steps:</strong></p>
<p>1. stop selfprotect and place the Unmodified dll file under K's program folder</p>
<p>2. re-enable selfprotect than exit and restart the product</p>
<p></p>
<p><strong>Actual result</strong>:</p>
<p>the product will not start up by double click avpui.exe and desktop shortcut;</p>
<p>only avp.exe can be start up by starting the Kaspersky antivirus service manually in computer management console.</p>
<p>It is no different whether you have re enable selfprotect or not. In traces, I tried both situation and found it out.</p>
<p></p>
<p><strong>Expected result</strong>:</p>
<p>by double click desktop shortcut, the product should load the unmodified dll in its program folder and successfully start up its GUI and service.</p>
<p></p>
<p></p>
<p>traces:</p>
<p>https://cloud.qainfo.ru/s/WynbDMIN0bPt3vd</p> -
<p><strong>Reproduction steps:</strong></p>
<p><span></span>1 disable selfprotect and turn on traces</p>
<p>2 find version.dll under %sys64wow% and use a special tool to modify its MD5, the dll file lost its digital signature but still functional </p>
<p>3 place the modified dll under K's program folder and try run the product</p>
<p><strong>Actual result:</strong></p>
<p><span></span>product will not start using any method, starting service or avpui.</p>
<p><strong>Expected Result:</strong></p>
<p><span></span>product will detect the fact that the modified dll has no digital signature and:</p>
<p>go to %syswow64% to find another dll, than load the dll so that the product start up properly</p>
<p>OR</p>
<p>popup message that telling user that certain file is missing or corrupted. Alert the user that reinstallation is required.</p>
<p></p>
<p>I uploaded traces and video</p><p>@xzz123</p>
<p>As shown below and my test in the topic</p>
<p><a href="/topic/2248/with-self-protection-turned-on-the-use-of-a-software-can-delete-most-of-kaspersky-s-files-on-the-c-drive" target="_blank" rel="noopener">https://eap.kaspersky.com/topic/2248/with-self-protection-turned-on-the-use-of-a-software-can-delete-most-of-kaspersky-s-files-on-the-c-drive</a></p>
<p>cyber criminal may hijack a ARK tool to drop modified windows file into Kaspersky's program folder easily, with self defense still on.</p>
<p>after user's device restarted, kaspersky cannot start up at all. </p> -
Hi, sir! This is not bug for beta forum. I sent your information to my colleagues who work with our protection system.
- about your scenario - when you start with "turn off self defense" it is not proper scenario. We don't provide defence for users who switch off main functions.
- about file shredder - it works through drivers and nothing can block it =(
-
Hi, sir! This is not bug for beta forum. I sent your information to my colleagues who work with our protection system.
- about your scenario - when you start with "turn off self defense" it is not proper scenario. We don't provide defence for users who switch off main functions.
- about file shredder - it works through drivers and nothing can block it =(
