Kaspersky Internet Security detects Virus and crashes SoundSwitch while updating (false-positive)

[FireEmerald]

I reported it at https://virusdesk.kaspersky.com as false-positive. The file has been sent for analysis to the Antivirus Lab. ...

Virus total:

Kaspersky:

In total i used so far 525 trusted applications, 23 restricted and 1 untrusted (SoundSwitch)...

Software information:

• Kaspersky Internet Security 2017
• kis17.0.0.611abcden_12123.exe (latest from 08.04.2017)
• Download: https://www.kaspersky.com/downloads/thank-you/internet-security (Global, English)

How to reproduce:

• Install SoundSwitch Beta (3.14.0.23618) (no custom certificate from Soundwitch installed).
• Click onto Install inside the update window.
• Application crashes.
• Kaspersky Internet Security tells you that it blocked SoundSwitch.

How to allow SoundSwitch update:

Crashlog:

12:28:16.803 Fatal <null> SoundSwitch+ Exception Occurred Exception type: System.ComponentModel.Win32Exception
Message: Zugriff verweigert
Source: System
StackTrace:
   bei System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
   bei System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
   bei SoundSwitch.Framework.Updater.WebFile.Start(String args) in D:\VS\SoundSwitch\SoundSwitch\Framework\Updater\WebFile.cs:Zeile 111.
   bei SoundSwitch.UI.Forms.UpdateDownloadForm.installButton_Click(Object sender, EventArgs e) in D:\VS\SoundSwitch\SoundSwitch\UI\Forms\UpdateDownloadForm.cs:Zeile 91.
   bei System.Windows.Forms.Control.OnClick(EventArgs e)
   bei System.Windows.Forms.Button.OnClick(EventArgs e)
   bei System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   bei System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   bei System.Windows.Forms.Control.WndProc(Message& m)
   bei System.Windows.Forms.ButtonBase.WndProc(Message& m)
   bei System.Windows.Forms.Button.WndProc(Message& m)
   bei System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
   bei System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
   bei System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr dwComponentID, Int32 reason, Int32 pvLoopData)
   bei System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
   bei System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
   bei System.Windows.Forms.Form.ShowDialog(IWin32Window owner)
   bei SoundSwitch.Util.TrayIcon.OnUpdateClick(Object sender, EventArgs eventArgs) in D:\VS\SoundSwitch\SoundSwitch\Util\TrayIcon.cs:Zeile 169.
   bei System.Windows.Forms.NotifyIcon.OnMouseClick(MouseEventArgs mea)
   bei System.Windows.Forms.NotifyIcon.WmMouseUp(Message& m, MouseButtons button)
   bei System.Windows.Forms.NotifyIcon.WndProc(Message& msg)
   bei System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

[Belphemur]

I've done the same.

Online it tells me it contains:
Trojan.Win32.Reconyc.hwqz

First Norton, now Kaspersky. Well, I can tell I have no issue with Eset.

[Belphemur]

Case number: [KLAN-6077439232]

[linuxgurugamer]

Two things:
I followed the instructions, and when I try to run it, Kaspersky still says: Trojan.Win32.Reconyc.hwqz

The link used to download the file: https://github.com/Belphemur/SoundSwitch/releases/download/v3.14.1/SoundSwitch_v3.14.1.36246_Release_Installer.exe
is blocked by KIS with the following message:

The requested URL cannot be provided

URL:

https://github-cloud.s3.amazonaws.com/re<...>

Blocked by Web Anti-Virus

Reason: dangerous URL 

Click here if you believe that the web page has been blocked by mistake.

Detection method: cloud protection

[FireEmerald]

-> Click here if you believe that the web page has been blocked by mistake.

Hopefully Kaspersky fixes this false-detection...

[linuxgurugamer]

I'm not blind, I saw that.
But I was letting you know so you can follow up with Kaspersky

[Belphemur]

I ran another VirusTotal (using the URL directly, then you know there isn't any tempering into the EXE before it reachs you):

https://www.virustotal.com/en/url/31c0060b34786648bb7df4995d699a28365a43f3200e4dcf2a233f2c03aa3c9f/analysis/

[Belphemur]

Because of the emails/comments I received, I feel the need to state this:
It's not abnormal that Kaspersky detects false positive.

It happened in the past to another open source project, syncthing/syncthing#3329. Also documented in their forum: https://forum.syncthing.net/t/kaspersky-treats-syncthing-as-virus-false-positive/7659/3

Please be patient. I'm keeping this issue open for visibility and to keep you, the users, updated.

[FireEmerald]

Just as note, this is the e-mail which i received after reporting it (different KLAN):

From: newvirus@kaspersky.com
Sent: Saturday, 8. April 2017 13:19
To: ...
Subject: Re: Anti-virus Lab replies to your request [VD3][FILE:2][LN:en] [KLAN-6076899937]

Thank you for contacting Kaspersky Lab

The files have been scanned in automatic mode.

Malicious code detected by Kaspersky Lab products with KSN technology enabled has been found in the following
files:
SoundSwitch_v3.14.1.36246_Release_Installer.exe ‐ UDS:DangerousObject.Multi.Generic

We will thoroughly analyze the files you sent. If the result of the analysis is different from this automatic scan result,
you will be notified via email.

This is an automatically generated message. Please do not reply to it.

Anti‐Virus Lab, Kaspersky Lab HQ

"39A/3 Leningradskoe Shosse, Moscow, 125212, Russia
Tel./Fax: + 7 (495) 797 8700
http://www.kaspersky.com http://www.viruslist.com"

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
From: ...
Sent: 4/8/2017 2:16:00 PM
To: newvirus@kaspersky.com
Subject: Anti‐virus Lab replies to your request [VD3][FILE:2][LN:en]
LANG: [LN:en]
email: [...]

[Belphemur]

I received confirmation from Kaspersky support that the next database update should remove SoundSwitch as a threat.

I'll keep this open until the update is done.

[Belphemur]

Kaspersky has been updated. SoundSwitch is not detected as a Virus anymore:

https://www.virustotal.com/en/file/3aee4e28ff43247c7a7cb9d74c48c73b970fc525038c5cd112e8b14a8651f894/analysis/

For the others, we need to wait for them to follow.