
Kaspersky has false positives by downgrading a virus as PUA

  • 14 September 2021
  • 6 replies
  • 110 views

Kaspersky has false positives by downgrading a virus as PUA (potentially unwanted software).

I have personally been infected with these viruses on my computer, so I know that they are not PUA but instead they are a virus. They made explorer.exe and searchapp.exe (called searchui.exe in earlier Windows versions) crash on my computer nearly every day. It degraded the speed and performance of my computer and caused third-party software to crash much more often.


I have no idea how these viruses got onto my computer. I did not download them and I was the only person within physical proximity of my computer. Maybe a third-party software exploit was used to download them (e.g. an iTunes exploit). What I find mysterious is how they both have a digital signature which allows them to evade antivirus detection.


I uploaded the files to Kaspersky Open TIP (Threat Intelligence Portal) today.


“facebook-messenger-for-windows-7-2-1-4623-en-win_0491186471.exe”

“Flash32-32-0-0-465.ocx_333907.msi”


It should not have the orange caution triangle badge saying “adware and other” but it should instead have the red warning square badge saying “malware”.


6 replies

Userlevel 7
Badge +8

@desbest Welcome. Only Kaspersky Virus Lab can confirm or deny an FP.

Why were my hyperlinks removed from my post?

Does that mean the Open TIP website is outdated, inaccurate or misleading? How can I get Kaspersky Virus Lab to confirm to me personally whether it’s a false positive or not?

I clicked the button on Open TIP to “submit to reanalyse” and wrote in the comment form why I think it should be reanalysed and classified as a virus instead of PUA.

Userlevel 7
Badge +8

@desbest The Moderator Team is disabling (potential) malicious links.

Please wait for the verdict from Kaspersky Virus Lab.

Userlevel 7
Badge +5

Hello, @desbest 

Do you think you have downloaded and are using a fake Facebook Messenger? As I see it, this software has a valid Facebook, Inc. digital certificate. Please check whether the installation file has a digital certificate or not.

Flash32-32-0-0-465.ocx_333907.msi: do you use Flash Player? If you use the Chinese version of the Flash Player browser plugin, you will encounter some bad ads, but it is maintained by a Chinese company authorized by Adobe, so it embeds advertising features in this plug-in. It is commercial software. If it is rashly defined as a malicious program, there will be a lawyer's letter, which will involve judicial proceedings.

My advice is to uninstall the Flash Player plugin; then everything will be OK.

Regards.

That's not what I see.

Notice how the digital certificate doesn’t say Adobe or Facebook,


Userlevel 7
Badge +5

Hello, @desbest 

I don’t know where the Facebook Messenger you provided is from. But the ordinary build is here: https://www.microsoft.com/en-us/p/messenger/9wzdncrf0083. I think you should use the official source. Where did you download the installation file?

BTW, if anyone knows whether this build (digital signature: bronze paradise) is an official installation file, please let us know.

I don’t know whether the Flash build was handled by a local services company in your country. If you don’t use Flash Player, you can uninstall it without any problem.

Regards.
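The thread turns on one check: the installers carry a valid Authenticode signature, but the signer is not the publisher the file name implies. The script below is an added example (not from the thread or from Kaspersky) that reports signature status and signer separately for each file, so a "Valid" status is never mistaken for "signed by the expected vendor". The file-name patterns and expected subject CNs in $ExpectedPublishers are assumptions for illustration; the real certificate subject strings may be formatted differently.

```powershell
# Added example: judge "signature valid" and "signer is who we expect" as two separate questions.
param(
    [Parameter(Mandatory = $true)]
    [string[]] $Path
)

# Assumed mapping of file-name fragments to the publisher CN we expect (illustrative values).
$ExpectedPublishers = @{
    'messenger' = 'CN=Facebook, Inc.'
    'flash'     = 'CN=Adobe Inc.'
}

foreach ($file in $Path) {
    $sig  = Get-AuthenticodeSignature -FilePath $file
    $name = [System.IO.Path]::GetFileName($file).ToLowerInvariant()

    $subject    = '<unsigned>'
    $thumbprint = ''
    if ($sig.SignerCertificate) {
        $subject    = $sig.SignerCertificate.Subject
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }

    # Pick the publisher we would expect from the file name, if any pattern matches.
    $expected = $null
    foreach ($key in $ExpectedPublishers.Keys) {
        if ($name -like "*$key*") { $expected = $ExpectedPublishers[$key] }
    }

    # Status covers chain/hash validity; the subject comparison covers identity.
    if ($sig.Status -ne 'Valid') {
        $verdict = "UNTRUSTED signature ($($sig.Status)): $($sig.StatusMessage)"
    } elseif ($expected -and $subject -notlike "$expected*") {
        $verdict = "VALID signature, but signer does not match expected publisher '$expected'"
    } else {
        $verdict = 'VALID signature and signer matches expectation'
    }

    [pscustomobject]@{
        File       = $name
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = $thumbprint
        Verdict    = $verdict
    }
}
```

A mismatch verdict is the case the thread describes: a cryptographically valid signature from an unrelated signer, which is a reason to treat the file with suspicion rather than a reason to trust it.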
