Kaspersky
Question

Suspicious file quarantined... An Exclusion seems to be made by the file's location and not by file name across the whole system regardless of its location....

  • 26 January 2021

Suspicious file quarantined... An Exclusion seems to be made by the file's location and not by file name regardless of its future location on the system… Let me explain.

The executable for Winzip 20.5 is seen by many as adware. It is not. It is stored on my external drive for future reference or use. When scanned, Kaspersky sees it as suspicious and quarantines it. I make an exclusion to the location… e.g. e:\programs\winzip20.5.exe and I can store it there without it being re-detected. HOWEVER, even though I can copy it to another drive, when I try to access the copy on that drive or the other drive is scanned, the file will yet again be seen as adware and be deleted to quarantine. So the exclusion is governed by the location of the file and not cleared for use anywhere on the system by its filename. And as a result any false positive or allowed file, rightly or wrongly, must remain in the current location or it will be seen as adware once its location is changed. I was advised to pause the antivirus and then move it. That worked until I turned the antivirus back on and it went to work quarantining the copies. The same thing happens with Bitdefender, whereas Windows Defender and ESET exclude the filename from detection across the whole system regardless of location. This happens with any installation executable stored on that the antivirus considers risky; Winzip, Recuva, Undelete and an older Quicktime file.

Unless and until the exclusion allows the file to be stored or utilized across other drives, then the deletion to quarantine resumes with a suspect file (cleared by exclusion) if it is relocated. Windows Defender and ESET validate the file across the system by name and not location. I called multiple times and support wanted to escalate the case. It seems like a straightforward situation. If exclusions are location based, then the antivirus makes anything it considers adware useless on the system. Any thoughts or workarounds?

Paul



Userlevel 7
Badge +8

@tsoilihoi Welcome. 

⚠️ Only if you trust the object please try this ⚠️

  • Disable option : Settings > General > Perform recommended actions automatically
  • Kaspersky will ask you to decide which action to take on detected objects
  • Choose “Quarantine”
  • Restore the  quarantined object
  • Create an exclusion rule for the object 
  • Enable option : Settings > General > Perform recommended actions automatically !

I have no problem with the above. The issue is that if the excluded file is located say on drive D and then you should copy it to drive E, then when you work with the new copy on E, that new file will be quarantined. The excluded file is not given global permission when it changes location or is duplicated on the system. It seems to be location registered.

Userlevel 7
Badge +8

@tsoilihoi Please contact K-Lab Technical Support https://center.kaspersky.com 

I figure that either a file is excluded by the path and filename or its filename across the system. I asked on this board because I could not get an expedient answer. The screen print requested off the filter in a folder seemed rather unnecessary and it's pretty clear that a file will be seen as adware if its location is changed. It seemed like the problems are screened before an expert will come on board. Regardless. The files I spoke of are not adware and it was impossible to keep them on a drive. Save for that, Kaspersky has a great product, but location based exclusion killed it for me.

Userlevel 7
Badge +9
  1. I figure that either a file is excluded by the path and filename or its filename across the system. 
  2. I asked on this board because I could not get an expedient answer.
  3. The screen print requested off the filter in a folder seemed rather unnecessary and it's pretty clear that a file will be seen as adware if its location is changed. 
  4. It seemed like the problems are screened before an expert will come on board.
  5. The files I spoke of are not adware and it was impossible to keep them on a drive.  

Hello @tsoilihoi.

  1. Exclusions are location specific unless a very generic exclusion is applied, however, that potentially raises other issues. 
  2. This is a Community forum, the best people, in fact, the only people to actually resolve this, are the Kaspersky Technical Team → see below for process & response times. 
  3. What screen print? Are you referring to the Incident template requirements? It’s a guide, not mandatory to provide everything listed, however, the more accurate detail provided, the sooner the incident gets to the correct team, who will try to effectively address your concerns and media is an excellent way to show information that often facilitates clear comprehension of an issue. 
  4. If by that you mean, incidents submitted to Kaspersky Technical Support, are “screened” before getting to the Russian HQ experts; that’s true & standard for all technical support, across the industry.  Of the thousands of tickets raised every single day, if they all went down the pipe, straight to an elevated team, we’d all be waiting many months for a response, that could have been proficiently managed by very experienced Kaspersky staff who are not physically in Russia HQ. 
  5. We think the issue you’ve raised is very valid & requires addressing, you should give the Kaspersky Technical Team the opportunity to do so, the right outcome could benefit many Kaspersky consumers who encounter similar issues. 

Kaspersky Technical Team, provide as much information as possible & include the URL to your Community topic; Support may request: traces, data, logs, they will guide you:

 

 

  • After submitting the case, you’ll receive an automated email with an INC+12digits reference number, then, normally, within 5 business days (it’s often much sooner), a Kaspersky Technical Support human will be in touch, also by email, you may continue to engage with the Kaspersky Technical Team via email or by updating the INC in your MyKaspersky account.

Please share the outcome with the Community when it’s available? 

Thank you

Flood

Userlevel 7
Badge +8

I asked on this board because I could not get an expedient answer. 
 

Please see the post above your post , Kaspersky  Tech Support is your best option.

Userlevel 7
Badge +5

Hi @tsoilihoi , 

Did you try using masks? 
 

 

Tech support responded that they are sending the problem up the chain. The Exclusion is location specific and if the executable(s) are moved to another drive or location then another exception has to be made. I copied an excluded file to 4 different drives having turned off protection and when it went back on the original exclusion held but the scan deleted the others to quarantine…
This is a similar behavior as with Bitdefender… but Windows Defender, ESET and Webroot whitelist the name only, and the file can reside anywhere on the system.

Why is this important? Because I store older program executables on a drive in a folder tree arrangement and when I moved that tree of stored executables to a new drive things got nuts.

These were trusted companies, but older programs, and they were false positives. The companies involved were Winzip 20+, Winzip 18, Quicktime, an Ashampoo Office 2018 file presentation.tbl in the program files folder. The latter file had zero bytes.

I tried to develop a workaround with the techs but nothing prevented detection if the storage folder is moved and it's too much hassle to housekeep false positives.

Kaspersky was receptive to looking into this. I think it's important to white tag by name to give the operator control of one’s computer. Something Kaspersky works hard to allow. At least a global exclusion that is not location specific should be offered and the decision made by the operator.

This was a deal killer for me.  Paul
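
An added illustration, not part of any post above and not any vendor's implementation: a small Python model of the exclusion scopes this thread compares (full path, file name anywhere), plus a content-hash rule that goes beyond what the thread covers. The rule semantics, the `D:` and `F:` paths and the file contents are constructed assumptions; only `e:\programs\winzip20.5.exe` comes from the thread.

```python
import fnmatch
import hashlib
from pathlib import PureWindowsPath

# Constructed sample data: (path, content) pairs standing in for files on several drives.
INSTALLER = b"constructed bytes standing in for the trusted installer"
OTHER = b"constructed bytes of a different program that reuses the file name"
FILES = [
    (r"E:\programs\winzip20.5.exe", INSTALLER),  # original, excluded location
    (r"D:\archive\winzip20.5.exe", INSTALLER),   # identical copy on another drive
    (r"F:\downloads\winzip20.5.exe", OTHER),     # same name, different content
]

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def path_rule(mask):
    """Exclude by full-path mask: location specific unless the mask is broad."""
    mask = mask.lower()
    return lambda path, data: fnmatch.fnmatchcase(path.lower(), mask)

def name_rule(mask):
    """Exclude by file-name mask, wherever the file is stored."""
    mask = mask.lower()
    return lambda path, data: fnmatch.fnmatchcase(
        PureWindowsPath(path).name.lower(), mask)

def hash_rule(digest):
    """Exclude by content hash: follows identical copies, ignores look-alikes."""
    return lambda path, data: sha256(data) == digest

def excluded_paths(rule, files=FILES):
    """Return the paths a scan would skip under the given rule."""
    return [path for path, data in files if rule(path, data)]

RULES = {
    "exact path": path_rule(r"e:\programs\winzip20.5.exe"),
    "path mask":  path_rule(r"?:\*\winzip20.5.exe"),
    "file name":  name_rule("winzip20.5.exe"),
    "sha256":     hash_rule(sha256(INSTALLER)),
}

if __name__ == "__main__":
    for label, rule in RULES.items():
        print(f"{label:10} -> {excluded_paths(rule)}")
```

The exact-path rule reproduces the behaviour described in the thread: only the copy on `E:` is skipped. The name-based rules also skip the unrelated file on `F:`, which is the kind of issue a very generic exclusion raises.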