
Kaspersky finds something bad in LegacyUpdate-1.1.exe #7

Closed. atauenis opened this issue Nov 7, 2022 · 5 comments

Comments

atauenis commented Nov 7, 2022

Cannot download the Legacy Update client when Kaspersky Security Cloud is active. When clicking on the "Install Legacy Update" button, I get a virus warning:
[screenshot: Legacy Update XP]

Translated:

Redirection to a dangerous site is prevented
Stopped going to a malicious site designed to infect a computer, reduce its performance, disable it completely, or cause other harm.

Kaspersky Lab has protected you from accessing this site. You can close it without risk.

Kaspersky log:

Event: Transition stopped
User: IvyBridge\AT
User type: Active user
Program name: VirtualBoxVM.exe
Program path: C:\Program Files\Oracle\VirtualBox
Component: Web Anti-Virus
Result Description: Forbidden
Type: Malicious Link
Title: http://content.legacyupdate.net/legacyupdate/LegacyUpdate-1.1.exe
Accuracy: Precise
Threat level: High
Object type: Web page
Object name: LegacyUpdate-1.1.exe
Entity path: http://content.legacyupdate.net/legacyupdate
Reason: Cloud protection

Kaspersky version 21.3.10.391(j).
Bases from 7 nov 2022 01:06.

The same appears when downloading with any other browser while Kaspersky is running. If I download it bypassing the network scanner and then scan it manually, UDS:DangerousObject.Multi.Generic is detected in it.
[screenshot: Legacy Update KAV]

Translated:

Windows Explorer is trying to access a dangerous application, found via Kaspersky Security Network.
Found: UDS:DangerousObject.Multi.Generic
Place: LegacyUpdate-1.1.exe
Can't cure the object.

Going to VirusTotal... https://www.virustotal.com/gui/file/23bedf6cc0fe7cc0cddcc8bd063c55eafab2844f36b5d387a933486255a2a4f9
[screenshot: Legacy Update VT1]

What do 5 antiviruses not like here?

kirb (Collaborator) commented Nov 7, 2022

Unfortunately Legacy Update is in an awkward position because it's not a very commonly downloaded file. That causes AVs to be more vigilant, and use more generic detections. The idea is to err on the side of caution, because the AV vendor doesn't have enough information crowdsourced from its users to decide whether it's safe or not. This is how you can end up with "generic" or AI/ML detections like this.

Some reasons it might wrongly flag as malware could be:

  • It installs an ActiveX control, which is a bit weird to do on modern Windows versions.
  • The installer downloads and executes some .exes, which can feel like malware without further information to go by. It doesn't realise that these are Microsoft-signed .exes being downloaded from microsoft.com.
  • It changes registry keys relating to the Windows Update server URL and the Internet Explorer trusted sites list.
  • It isn't signed currently, so there's no cryptographic proof of who LegacyUpdate-1.1.exe and LegacyUpdate.dll came from (I'm planning to get an Authenticode certificate to solve this)

This was a problem with Microsoft Defender as well, but I was able to report a false-positive to Microsoft and they corrected it. I'll look into doing the same with Kaspersky. Microsoft has probably also seen Legacy Update being downloaded frequently enough by now to start trusting it, while less common AVs like Kaspersky won't have as strong user data to go by.
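As an added illustration of the fourth point (this is example code, not code from the Legacy Update project or from either commenter), the check below walks a PE file's headers to the security data directory and reports whether an embedded Authenticode blob (a WIN_CERTIFICATE of type PKCS_SIGNED_DATA) is attached at all. Presence is not validity: a trust decision still needs full chain verification with the platform's own tooling (for example `signtool verify` or WinVerifyTrust). The minimal PE builder and its certificate bytes are constructed placeholders for demonstration.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode carries PKCS#7 SignedData
SECURITY_DIR_INDEX = 4                   # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_status(pe: bytes) -> str:
    """Return 'unsigned', 'signed' (blob present, NOT validated) or 'invalid'."""
    try:
        if pe[:2] != b"MZ":
            return "invalid"
        (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return "invalid"
        opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", pe, opt)
        if magic == 0x10B:                       # PE32
            count_off, dir_off = 92, 96
        elif magic == 0x20B:                     # PE32+
            count_off, dir_off = 108, 112
        else:
            return "invalid"
        (num_dirs,) = struct.unpack_from("<I", pe, opt + count_off)
        if num_dirs <= SECURITY_DIR_INDEX:       # image declares no security directory
            return "unsigned"
        entry = opt + dir_off + 8 * SECURITY_DIR_INDEX
        cert_off, cert_size = struct.unpack_from("<II", pe, entry)  # file offset, not an RVA
        if cert_off == 0 or cert_size == 0:
            return "unsigned"
        length, _revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
        if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or not 8 <= length <= cert_size \
                or cert_off + length > len(pe):
            return "invalid"                     # malformed or truncated certificate table
        return "signed"
    except struct.error:                         # header cut short
        return "invalid"


def build_sample_pe(with_cert: bool) -> bytes:
    """Constructed minimal PE32 header (no sections), optionally with a WIN_CERTIFICATE appended."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8                       # PE32 optional header with 16 data directories
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, opt_size, 0x0102)
    dirs = [(0, 0)] * 16
    wincert = b""
    if with_cert:
        blob = b"\x30\x06\x02\x01\x01\x05\x00"  # placeholder bytes standing in for PKCS#7 DER
        wincert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        dirs[SECURITY_DIR_INDEX] = (e_lfanew + 24 + opt_size, len(wincert))
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", addr, size) for addr, size in dirs)
    return dos + coff + opt + wincert
```

On a real download, `authenticode_status(open(path, "rb").read())` returning "unsigned" is exactly the state the comment above describes, and "signed" only means the next step (chain verification) is possible.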

atauenis (Author) commented Nov 7, 2022

Thanks. I've reported the false positive to Kaspersky. There are instructions on how to do this: https://support.kaspersky.co.uk/common/error/other/1870 .

kirb (Collaborator) commented Nov 7, 2022

Thanks for doing that, really appreciate it!

atauenis (Author) commented Nov 11, 2022

After the virus database update, it is no longer detected as a malicious link (and the file isn't either).

The service is working great. Even successfully updated MS Office 2003 and some device drivers. 👍 Thanks.

kirb (Collaborator) commented Nov 12, 2022

Great news. Thanks again for reporting here and to Kaspersky!
