Kaspersky Internet Security detects Virus and crashes SoundSwitch while updating (false-positive) #180

Closed
FireEmerald opened this Issue Apr 8, 2017 · 10 comments

@FireEmerald
Collaborator

FireEmerald commented Apr 8, 2017

I reported it at https://virusdesk.kaspersky.com as false-positive. The file has been sent for analysis to the Antivirus Lab. ...

VirusTotal:
[Screenshot: VirusTotal antivirus scan, 2017-04-08]

Kaspersky:
[Screenshot: Kaspersky detailed reports, 2017-04-08]
In total I have so far used 525 trusted applications, 23 restricted and 1 untrusted (SoundSwitch)...

Software information:

How to reproduce:

  • Install SoundSwitch Beta (3.14.0.23618) (no custom certificate from SoundSwitch installed).
  • Click on Install inside the update window.
  • Application crashes.
  • Kaspersky Internet Security tells you that it blocked SoundSwitch.

How to allow SoundSwitch update:
[Screenshot: allow_update]

Crashlog:

12:28:16.803 Fatal <null> SoundSwitch+ Exception Occurred Exception type: System.ComponentModel.Win32Exception
Message: Zugriff verweigert
Source: System
StackTrace:
   bei System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
   bei System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
   bei SoundSwitch.Framework.Updater.WebFile.Start(String args) in D:\VS\SoundSwitch\SoundSwitch\Framework\Updater\WebFile.cs:Zeile 111.
   bei SoundSwitch.UI.Forms.UpdateDownloadForm.installButton_Click(Object sender, EventArgs e) in D:\VS\SoundSwitch\SoundSwitch\UI\Forms\UpdateDownloadForm.cs:Zeile 91.
   bei System.Windows.Forms.Control.OnClick(EventArgs e)
   bei System.Windows.Forms.Button.OnClick(EventArgs e)
   bei System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   bei System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   bei System.Windows.Forms.Control.WndProc(Message& m)
   bei System.Windows.Forms.ButtonBase.WndProc(Message& m)
   bei System.Windows.Forms.Button.WndProc(Message& m)
   bei System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
   bei System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
   bei System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr dwComponentID, Int32 reason, Int32 pvLoopData)
   bei System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
   bei System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
   bei System.Windows.Forms.Form.ShowDialog(IWin32Window owner)
   bei SoundSwitch.Util.TrayIcon.OnUpdateClick(Object sender, EventArgs eventArgs) in D:\VS\SoundSwitch\SoundSwitch\Util\TrayIcon.cs:Zeile 169.
   bei System.Windows.Forms.NotifyIcon.OnMouseClick(MouseEventArgs mea)
   bei System.Windows.Forms.NotifyIcon.WmMouseUp(Message& m, MouseButtons button)
   bei System.Windows.Forms.NotifyIcon.WndProc(Message& msg)
   bei System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
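
The crash log above shows the `Win32Exception` ("Zugriff verweigert", access denied) escaping from `Process.Start` in `WebFile.Start`. As an added example, not SoundSwitch's own code, this is one way an updater can catch that exception and classify the native error code instead of crashing. The class, enum and method names are hypothetical; `UseShellExecute = true` is inferred from `StartWithShellExecuteEx` in the stack trace.

```csharp
using System.ComponentModel;
using System.Diagnostics;

// Hypothetical helper for illustration; not part of the SoundSwitch code base.
public static class InstallerLauncher
{
    // Win32 error codes (winerror.h).
    private const int ErrorAccessDenied = 5;     // "Zugriff verweigert" in the crash log
    private const int ErrorVirusInfected = 225;  // file flagged as virus / unwanted software
    private const int ErrorVirusDeleted = 226;   // file flagged and already removed
    private const int ErrorCancelled = 1223;     // user declined the elevation prompt

    public enum LaunchResult { Started, AccessDeniedOrBlocked, CancelledByUser, Failed }

    // Map the native error code carried by Win32Exception to an outcome the UI can explain.
    public static LaunchResult Classify(int nativeErrorCode)
    {
        switch (nativeErrorCode)
        {
            case ErrorAccessDenied:
            case ErrorVirusInfected:
            case ErrorVirusDeleted:
                return LaunchResult.AccessDeniedOrBlocked;
            case ErrorCancelled:
                return LaunchResult.CancelledByUser;
            default:
                return LaunchResult.Failed;
        }
    }

    // Start the downloaded installer; never let a Win32Exception reach the message loop.
    public static LaunchResult TryStart(string installerPath, string args, out string detail)
    {
        var info = new ProcessStartInfo(installerPath, args) { UseShellExecute = true };
        try
        {
            // Process.Start may return null; a using statement over null is a no-op.
            using (Process.Start(info)) { }
            detail = null;
            return LaunchResult.Started;
        }
        catch (Win32Exception e)
        {
            // Keep the localized message and the numeric code for the application log.
            detail = $"{e.Message} (Win32 error {e.NativeErrorCode})";
            return Classify(e.NativeErrorCode);
        }
    }
}
```

On `AccessDeniedOrBlocked` the update form can tell the user that the installer was refused by the system or by security software and leave the running application untouched.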

@FireEmerald FireEmerald changed the title from Kaspersky Internet Security 2017 crashes SoundSwitch while updating (false-detection) to Kaspersky Internet Security 2017 crashes SoundSwitch while updating (false-positive) Apr 8, 2017

@FireEmerald FireEmerald changed the title from Kaspersky Internet Security 2017 crashes SoundSwitch while updating (false-positive) to Kaspersky Internet Security crashes SoundSwitch while updating (false-positive) Apr 8, 2017

@Belphemur Belphemur added the Pinned label Apr 8, 2017

@Belphemur

Owner

Belphemur commented Apr 8, 2017

I've done the same.

Online it tells me it contains:
Trojan.Win32.Reconyc.hwqz

First Norton, now Kaspersky. Well, I can tell I have no issue with Eset.

@Belphemur

Owner

Belphemur commented Apr 8, 2017

Case number: [KLAN-6077439232]

@Belphemur Belphemur changed the title from Kaspersky Internet Security crashes SoundSwitch while updating (false-positive) to Kaspersky Internet Security detects Virus and crashes SoundSwitch while updating (false-positive) Apr 8, 2017

@linuxgurugamer

linuxgurugamer commented Apr 9, 2017

Two things:
I followed the instructions, and when I try to run it, Kaspersky still says: Trojan.Win32.Reconyc.hwqz

The link used to download the file: https://github.com/Belphemur/SoundSwitch/releases/download/v3.14.1/SoundSwitch_v3.14.1.36246_Release_Installer.exe
is blocked by KIS with the following message:

The requested URL cannot be provided

URL:

https://github-cloud.s3.amazonaws.com/re<...>

Blocked by Web Anti-Virus

Reason: dangerous URL 

Click here if you believe that the web page has been blocked by mistake.

Detection method: cloud protection
@FireEmerald

Collaborator

FireEmerald commented Apr 9, 2017

-> Click here if you believe that the web page has been blocked by mistake.

Hopefully Kaspersky fixes this false-detection...

@linuxgurugamer

linuxgurugamer commented Apr 9, 2017

I'm not blind, I saw that.
But I was letting you know so you can follow up with Kaspersky

@Belphemur

Owner

Belphemur commented Apr 10, 2017

I ran another VirusTotal (using the URL directly, then you know there isn't any tampering with the EXE before it reaches you):

https://www.virustotal.com/en/url/31c0060b34786648bb7df4995d699a28365a43f3200e4dcf2a233f2c03aa3c9f/analysis/

@Belphemur

Owner

Belphemur commented Apr 11, 2017

Because of the emails/comments I received, I feel the need to state this:
It's not abnormal that Kaspersky detects false positives.

It happened in the past to another open source project, syncthing/syncthing#3329. Also documented in their forum: https://forum.syncthing.net/t/kaspersky-treats-syncthing-as-virus-false-positive/7659/3

Please be patient. I'm keeping this issue open for visibility and to keep you, the users, updated.

@FireEmerald

Collaborator

FireEmerald commented Apr 11, 2017

Just as a note, this is the e-mail which I received after reporting it (different KLAN):

From: newvirus@kaspersky.com
Sent: Saturday, 8. April 2017 13:19
To: ...
Subject: Re: Anti-virus Lab replies to your request [VD3][FILE:2][LN:en] [KLAN-6076899937]

Thank you for contacting Kaspersky Lab

The files have been scanned in automatic mode.

Malicious code detected by Kaspersky Lab products with KSN technology enabled has been found in the following
files:
SoundSwitch_v3.14.1.36246_Release_Installer.exe ‐ UDS:DangerousObject.Multi.Generic

We will thoroughly analyze the files you sent. If the result of the analysis is different from this automatic scan result,
you will be notified via email.

This is an automatically generated message. Please do not reply to it.

Anti‐Virus Lab, Kaspersky Lab HQ

"39A/3 Leningradskoe Shosse, Moscow, 125212, Russia
Tel./Fax: + 7 (495) 797 8700
http://www.kaspersky.com http://www.viruslist.com"

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐
From: ...
Sent: 4/8/2017 2:16:00 PM
To: newvirus@kaspersky.com
Subject: Anti‐virus Lab replies to your request [VD3][FILE:2][LN:en]
LANG: [LN:en]
email: [...]

@Belphemur

Owner

Belphemur commented Apr 12, 2017

I received confirmation from Kaspersky support that the next database update should remove SoundSwitch as a threat.

I'll keep this open until the update is done.

@Belphemur

Owner

Belphemur commented Apr 15, 2017

Kaspersky has been updated. SoundSwitch is not detected as a Virus anymore:

https://www.virustotal.com/en/file/3aee4e28ff43247c7a7cb9d74c48c73b970fc525038c5cd112e8b14a8651f894/analysis/

For the others, we need to wait for them to follow.

@Belphemur Belphemur closed this Apr 15, 2017
