Kaspersky product's file monitor and scan (OAS and ODS) cannot trigger detection for some files which have already been blacklisted by KSN. But System Watcher is able to trigger detection correctly once the file is executed.
-
BUG description: Kaspersky product's file monitor and scan modules (OAS and ODS) cannot trigger detection for some files which have already been blacklisted by KSN. But System Watcher is able to trigger detection correctly once the file is executed.
I encountered this problem a long time ago in some old versions of Kaspersky products, but no one discovered it at the time, so I didn't report it. Recently, many friends on the Chinese K fans forum have discovered this problem when testing viruses.
These files cannot be detected as malicious by either scanning or monitoring, but these files are already KSN blacklisted. If you scan them on VirusTotal, the Kaspersky engine will report viruses. However, there is no virus report on the user's computer, and a query of the KSN reputation shows that it has been blacklisted. In this case, only double-clicking to run the file or the script can trigger the detection, which comes from the system monitor component. I have tried methods such as clearing the KSN cache and renaming the file, but none of them worked. You must double-click to run the virus to trigger it.
Reproduction process:
- Start Kaspersky
- Browse to the virus file, right-click the file, check the file properties and check the KSN reputation: the reputation status is blacklisted, and OAS has no detection at this time
- Scan the file: ODS has no detection
- Use a selective scan, and disable iSwift and iChecker to ensure that it is not affected by the scan cache; there is still no detection
- Double-click to run the virus: the system monitor reports the virus and deletes it. HIPS only moves the file to the Low Restricted group and does not process the file. In fact, according to the design, HIPS should trigger detection independently before System Watcher: HIPS should obtain the bad reputation and move the file to the Untrusted group. It should not be the turn of the system monitor component to process the virus. There is a problem here as well.
It should be noted that since the file will eventually be added to signature detection, the problem cannot be reproduced later. Unless KL finds a similar file again and tests it immediately, it cannot be reproduced with the file I uploaded.
In summary, I think this problem will affect users' security, and this behaviour does not conform to the correct design intention of Kaspersky products. I hope the developers will investigate the problem and fix it as soon as possible.
Please see my traces. There is a screen recording with them.
I cannot log in to ownCloud now; can you download from Google Drive?
https://drive.google.com/file/d/172dCEVJTdMx-C0zP1fV9gjQ4k2axrm3x/view?usp=sharing
https://drive.google.com/file/d/1YkHlh5BZDDSHnkUyIBU7bNKZSPJqD0EC/view?usp=sharing
-
@Wesly-Zhang
Knock Knock
My last chance to investigate the problem would be here.
-
any update?
-
I myself made a little investigation of this problem.
I looked deeply into the trace files which were generated while:
1. I right-clicked the file and checked its reputation.
2. I scanned the file.
3. I ran the file and System Watcher detected the file.
I can clearly find that KSN was used when 1 and 3 were performed. There were logs indicating that HTTP communication with the KSN server was made, and an untrusted reputation or a PDM. Bazon.a verdict was distributed from KSN to the client.
But I cannot find evidence that such KSN communication was made when I did 2. When scanning the file, I cannot see traces indicating that the product checked KSN. It looks like there was no communication with the KSN server.
So a file with a bad reputation cannot be detected by OAS and ODS.
-