Kaspersky
Question

KES 11.0.6499 Windows 10 suspect false positive

  • 22 May 2019
  • 4 replies
  • 245 views

Hello, I'm after some advice. We use KES 11.0.6499 pf5101 on our estate of around 800 Windows 10 devices. We also use this alongside Windows Defender Advanced Threat Protection. We have an instance of one device triggering a suspected false positive. This tends to happen without user intervention, i.e. this threat occurred outside of office hours when the user had simply logged off the machine and left it turned on for the day. I'm wondering if someone can confirm or provide clarification on this alert.

Any advice would be appreciated

Event type: A backup copy of the object was created
Application\Name: Windows Defender Advanced Threat Protection Service Executable
Application\Path: C:\Program Files\Windows Defender Advanced Threat Protection\
Application\Process ID: 4348
User: F4\xxxx (Active user)
Component: File Threat Protection
Result\Description: Backup created
Result\Type: Adware
Result\Name: not-a-virus:HEUR:AdWare.Script.SearchExt.gen
Result\Threat level: Medium
Result\Precision: Partially
Object: C:\Users\xxxx\AppData\Local\Temp\7745a4f1-50e3-42fa-a4f0-3cda56888e0c.tmp
Object\Type: File
Object\Path: C:\Users\xxxx\AppData\Local\Temp\
Object\Name: 7745a4f1-50e3-42fa-a4f0-3cda56888e0c.tmp
Hash: 94ba1af36e29fd4775e113a2e75dc3ed9e481695e067d967ad96daa2fb860b1a

4 replies

Userlevel 2
Badge +1
Hello!
First of all, you need to check the target host for advertising applications and browser extensions.
Thank you!
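A worked triage script for the check suggested in the reply above, added here as an example; it is not code from the original thread or from Kaspersky. It assumes the object path and SHA-256 copied from the alert, the standard Chrome profile layout under each user's AppData\Local\Google\Chrome\User Data, and that Chrome's Preferences JSON carries a default_search_provider_data key (that key name is an assumption, so its absence is tolerated). Run it in an elevated PowerShell session on the affected host:

```powershell
# Added example for triaging the KES alert above; not code from the original thread or from Kaspersky.
# Assumptions: the object path and hash are copied from the alert; Chrome keeps per-profile
# extensions under <User Data>\<Profile>\Extensions\<id>\<version>\manifest.json; the
# Preferences JSON key default_search_provider_data is assumed, so a missing key is skipped.
param(
    [string]$SuspectPath    = 'C:\Users\xxxx\AppData\Local\Temp\7745a4f1-50e3-42fa-a4f0-3cda56888e0c.tmp',
    [string]$ExpectedSha256 = '94ba1af36e29fd4775e113a2e75dc3ed9e481695e067d967ad96daa2fb860b1a'
)

# 1. Is the flagged object still on disk, and does it match the hash in the alert?
#    KES logged "Backup created", so the original may already have been moved to Backup.
if (Test-Path -LiteralPath $SuspectPath) {
    $actual = (Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256).Hash
    $status = if ($actual -ieq $ExpectedSha256) { 'hash matches alert' } else { 'HASH DIFFERS from alert' }
    Write-Host "[object] $SuspectPath : $status ($actual)"
} else {
    Write-Host "[object] $SuspectPath not present (backed up/quarantined or already removed)"
}

# 2. Installed programs, newest first. A logged-off user's registry hive is not loaded,
#    so only HKLM and the currently loaded HKEY_USERS hives are visible here.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'Registry::HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 25 DisplayName, Publisher, InstallDate, InstallLocation |
    Format-Table -AutoSize

# 3. Chrome extensions for every local user and profile, with the permissions they request.
#    Extensions pulled in by a personal Google account's sync land in the same folders.
function Resolve-ExtensionName {
    param($Manifest, [string]$VersionDir)
    # Localized names look like __MSG_appName__ and resolve via _locales\<default_locale>\messages.json
    if ($Manifest.name -notmatch '^__MSG_(.+)__$') { return $Manifest.name }
    $key = $Matches[1]
    $loc = Join-Path $VersionDir "_locales\$($Manifest.default_locale)\messages.json"
    if (-not (Test-Path -LiteralPath $loc)) { return $Manifest.name }
    $msgs  = Get-Content -LiteralPath $loc -Raw | ConvertFrom-Json
    $entry = $msgs.$key
    if ($entry -and $entry.message) { $entry.message } else { $Manifest.name }
}

$manifestGlob = 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\manifest.json'
$extensions = Get-ChildItem -Path $manifestGlob -ErrorAction SilentlyContinue | ForEach-Object {
    $m = Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json
    [pscustomobject]@{
        User        = $_.FullName.Split('\')[2]                      # C:\Users\<user>\...
        Profile     = $_.Directory.Parent.Parent.Parent.Name          # <User Data>\<Profile>
        Id          = $_.Directory.Parent.Name                        # Extensions\<id>
        Name        = Resolve-ExtensionName -Manifest $m -VersionDir $_.DirectoryName
        Version     = $m.version
        Permissions = ((@($m.permissions) + @($m.host_permissions)) | Where-Object { $_ }) -join ', '
    }
}
$extensions | Sort-Object User, Profile, Name | Format-Table -AutoSize

# 4. Default search provider per profile. The verdict name contains "SearchExt", so the
#    configured search engine is worth recording alongside the extension list.
Get-ChildItem -Path 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Preferences' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p   = Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json
        $tpl = $p.default_search_provider_data.template_url_data   # assumed key; null if absent
        if ($tpl) {
            Write-Host "[search] $($_.FullName.Split('\')[2])\$($_.Directory.Name): $($tpl.short_name) -> $($tpl.url)"
        }
    }
```

The hash comparison is the first thing to do: if the file is gone, KES Backup still holds a copy, and if the hash differs from the alert the file has changed since detection. The extension inventory covers all profiles on the machine rather than only the current session, which matters here because the detection fired while the user was logged off.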

Hello,

I believe that the most likely culprit was that the user was synchronising their personal Google account with Google Chrome. We're in the process of initiating a full scan after disabling it and will update further if there are any known issues.

Thanks,
Userlevel 4
Badge +2
Hi,

Thank you for that info!
Please keep us updated!
Looks good so far. This can be closed now.
Thanks for the suggestion!
