Kaspersky
Solved

KIS making SQL calls to SQL Server

  • 26 February 2021
  • 6 replies
  • 66 views

I noticed KIS occasionally makes SQL calls to MS SQL Server. It sends a SELECT for each database on the server looking for rows from sys.assemblies. I’m assuming it’s able to access MSSQL and the databases using the elevated permissions granted to the KIS app. I can understand anti-virus apps checking the CLR assemblies for malware, but this approach via SQL seems unusual to me.

Can anyone provide any insight on this?

Thanks!

icon

Best answer by Wesly.Zhang 27 February 2021, 04:44

Thanks!

Hello, 

From my friend, He said there are the SQL Server Transact-SQL none file attack could be used in SQL sys.assembly_files to store malicious content. ExecCode id point to malicious content in sys.assembly_files table. So avp scan use this way to search threats in sql server. This is correct.

Regards.

View original

6 replies

Userlevel 7
Badge +4

Hello,

As I know, KIS use sqlite to create report database and use sql to write event report in it. How do you know this behavior?

Regards.

If you run a trace on SQL Server to watch the sql commands, then do a KIS scan, KIS sends this SQL...

SELECT name FROM sys.databases

… to get the list of databases. Then for each database it sends...

SELECT assembly_id, name, content FROM mydatabase1.sys.assembly_files

SELECT assembly_id, name, content FROM mydatabase2.sys.assembly_files

etc

This returns the assembly binaries for all the databases on the server. I’m guessing this is the only way to access them to scan for malware?

 

 

Userlevel 7
Badge +4

If you run a trace on SQL Server to watch the sql commands, then do a KIS scan, KIS sends this SQL...

SELECT name FROM sys.databases

… to get the list of databases. Then for each database it sends...

SELECT assembly_id, name, content FROM mydatabase1.sys.assembly_files

SELECT assembly_id, name, content FROM mydatabase2.sys.assembly_files

etc

This returns the assembly binaries for all the databases on the server. I’m guessing this is the only way to access them to scan for malware?

 

 

Hello ,

Let me check it. I am not familiar with SQL Server. except for MySQL. I will install check both of them. I will reply back if the research was fruitful. But I think it's possible to search for certain keywords in the system SQL SERVER system database, not sure what the point of this is, the malicious code doesn't get into the system database itself.

Regards.

Thanks!

Userlevel 7
Badge +4

Thanks!

Hello, 

From my friend, He said there are the SQL Server Transact-SQL none file attack could be used in SQL sys.assembly_files to store malicious content. ExecCode id point to malicious content in sys.assembly_files table. So avp scan use this way to search threats in sql server. This is correct.

Regards.

 I appreciate your time to confirm this. Thank you.

Reply