Kaspersky
Solved

Bug(?) Kaspersky Free finds generic trojan in .reg files when registering with RegEdit in Windows 10


Userlevel 1
Hi!
I always do backups when using CCleaner to "clean" the system registry. This time it had cleaned too much (or I was not awake enough) and Outlook stopped functioning. When I tried to re-register a backup registry file for that day, Kaspersky promptly deleted the file and blocked RegEdit. I scanned RegEdit, all the .reg backup files and even CCleaner. All clean! I then restored the file from Quarantine and scanned it as well. Nothing!

I do not get support with the Free version, so I did all that I could do - I paused protection and registered the backup files anyway. After that I scanned all the Office folders - nothing. I restarted the PC and everything was fine - even Outlook functioned again. (I activated protection again of course)

So I have to ask - is this a bug, a chance occurrence or what? Is there anything else I should/could have done? If you need more information (OS or Free versions) just ask.

🤓

Best answer by harlan4096 9 April 2019, 16:03

@MacDknife: it would be an specific exclusion only for that reg file, not for all reg files in general 😉

15 replies

Userlevel 7
Badge +5
Welcome to the New Kaspersky Community!

Even though it is a bat file with legitimate commands (which may also be used for malicious behaviour), its behaviour probably triggered "System Watcher" (Proactive Defence Module); in these cases you may try to add an exclusion.
Userlevel 6
Badge +1
Hi, welcome to the new Kaspersky forum.
As well as above post.
Get yourself "premium" Kaspersky Internet Security.
Suggestion only.
https://www.kaspersky.com/internet-security
Then we can help you find that "trojan".
Userlevel 1
@harlan4096 : Thanks for your quick reply. I also thought of that, but would this not weaken my defence? There must be a reason why .reg files could be considered a threat, right? Do you know if RegEdit has some sort of built-in defence that could maybe warn against a file it is trying to register? That way I would feel much more at ease doing an exclusion for .reg files.
🤔
Userlevel 4
Do you know if RegEdit has some sort of built-in defence that could maybe warn against a file it is trying to register?
In my opinion: no.
It is a feature that the Antivirus itself offers.
Userlevel 6
Badge +1
Okay so what "security" do you have installed besides Windows Defender?
Userlevel 1
@KarDip : Hi! My son works for Kaspersky (David Jacoby), so I have tried all the latest fancy versions, but I really do not need all those bells and whistles, at least not now that I am retired. All I need is a simple A-V that checks everything and stops an infection from anywhere. I do not mind paying, as I have done in the past, but I think that there could be a version between Free and "standard" at a low cost for people like pensioners. I do not know how Europe and Russia treat their pensioners, but in Sweden we pay more taxes than the employed, so it doesn't leave us with much!

So when Kaspersky came out with the free version, with all the functions it has, there was no choice for me really - it was made for me. I have been, amongst other things, an IT technician, so I don't always need support, but instead a place where I can communicate with like-minded souls and be able to give any feedback or bug reports when necessary - like here! Good one Kaspersky!
😎
Userlevel 1
@KarDip : re "other security"
Windows Defender.
😉
Userlevel 7
Badge +5
@MacDknife: it would be an specific exclusion only for that reg file, not for all reg files in general 😉
Userlevel 6
Badge +1
Okay thank you for that.
The Free version has limited resources; it is usually used when you have other active full defence.
Userlevel 6
Badge +1
Okay the other option for you in particular why not just do a restore point?
If it succeeds your troubles will vanish.
Userlevel 1
@The Shield
Thank you. If only Kaspersky (Free) can prevent an infection through a .reg file (Windows Defender said nothing), should it then not be more accurate in its assessment? There must at least be a better reason to stop RegEdit cold and delete (!) the .reg file, just based on the fact that it may have (or not) a generic trojan.

I feel that if the software senses that a file might be infected or contain dangerous code, it should not just delete and quarantine without first doing a double or even triple check to see if that is so or if the file just contains normal code.

To me it seems as if the A-V was actually trying to prevent ANY registration of the .reg files. Maybe it should do that - BUT it should at least double check first in some sort of isolation/sandbox, before deleting the file. It could then also present a more accurate version of the culprit in question. I do not know if this function exists in the paid versions, but I think it should - in all versions.

Just saying...
🤓
Userlevel 1
@KarDip : re "restore point"
My restore point was the .reg backup files. I have not considered another option as this has not happened to me before. I have re-registered those files before without any commotion. But, everything changes, so I guess I will have to reconsider....

😋
Userlevel 1
@harlan4096 : re: "specific exclusion"
Ahh! I have just tested. Yes it is only for that one file. Then I still feel as though an exclusion would be over the top. I cannot know if a particular file is going to generate a hit with the A-V, so I can only fix this in hindsight. I cannot know if that file contains actual dangerous code, so if I do an exclusion, or just pause protection, it doesn't really matter. I normally only use the file once and pausing the protection is quicker.

😉
Userlevel 1
@All:
Thanks for all the advice. I received more answers than I had bargained for and had a bit of difficulty keeping up, but I think I know what to do in the future. Sorry KarDip, not your first suggestion, but maybe doing a restore point before doing any registration in the system registry is not a bad idea!
Bye all! Have a good one!

😄
Userlevel 6
Badge +1
Okay thank you @MacDknife
Restore point is magic if it works for you.
Please do not clean your Registry, it is all bad news.
