
Kaspersky System Watcher does not Quarantine detected files anymore since version 20?


So, I recently tested Kaspersky 2020 (Security Cloud Free) in a virtual machine, specifically its System Watcher capabilities.
For this, I use my own custom program, which is completely harmless by itself, but its installer uses a really... let's say shady way to install the program into the local user's autostart directory. The "shady" installer is successfully detected by both version 2019 (19.0.0.X) and 2020 (20.0.0.X). Both flag the installer as PDM:Trojan.Win32.Generic, the typical generic behavior alert. Version 19 then terminates the program, deletes the installer executable and rolls back all the actions it did, as intended.
Version 20 also terminates the installer and rolls back all of its actions, but guess what?
It just leaves the installer on the disk and doesn't move it to quarantine, even though it clearly identified it as malware!
This could have many reasons.
It could be a major critical flaw in Kaspersky System Watcher.
It could be that SW is now smart enough to detect that my installer is not actually malicious enough to delete instantly, and chooses to just terminate it instead.
But it gets worse...
When you go to the System Watcher settings and set the action to "Delete application" or "Terminate application"...
The installer just fully bypasses Kaspersky, as if System Watcher were set to "Ignore"! (The tray icon turns red shortly, but then the AV just ignores the threat.)
Now my question is... Is this behavior in ANY way normal?!
Has anyone else tested System Watcher yet and experienced the same issue?
If not, where can I report this bug?

10 replies

Userlevel 7
Badge +5
Hello @DarkWav,
Welcome!
Before installing Kaspersky 2020 (Security Cloud Free), did you check all hardware and software compatibility requirements?
Please let us know?
Thanks.
Thanks for the reply ☺.
Yes, I tested on both my real machine, which meets all requirements (16GB RAM + 8x4.70GHz Intel 9th gen CPU, NVidia Maxwell GPU (900-series) with driver 436.02), as well as a freshly installed virtual machine inside VirtualBox, both running the latest Windows 10 1903 with no other security solution apart from the integrated Windows Defender installed. The described behavior can be observed on both machines equally.
Userlevel 7
Badge +5
Hello @DarkWav,
Thanks for replying.
From the "real" machine, please export Kaspersky Security Cloud 2020, Reports, ALL Events, please choose 7day or 30 day period.
Please upload the report, using the "upload icon", in your reply.
Thank you.
I did, the logs are attached below.
Here's what I did:
  1. Run the sample with all settings at default.
  2. Run the sample with System Watcher Application Activity Control set to "Delete application".
  3. Run the sample with System Watcher Application Activity Control set to "Terminate application".
  4. Run the sample with System Watcher Application Activity Control set to "Ignore".
Thanks
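An added example, not part of the original thread or of any Kaspersky tooling, of how each of the four runs above can be recorded so that "installer left on disk", "quarantined/deleted" and "persistence rolled back" are measured rather than eyeballed. It is PowerShell for the Windows test machine. The sample path, the name of the file the installer drops, and the two persistence locations it checks (the per-user Startup folder and the HKCU Run key) are assumptions; adjust them to your own test program. Run it once per System Watcher setting with a different `-SettingLabel`, then compare the CSV rows.

```powershell
# Added example (not from the original post): snapshot the sample and its autostart
# artifact before and after launching it, and append the outcome to a CSV.
param(
    [string]$SamplePath      = "$env:USERPROFILE\Desktop\shady-installer.exe",  # assumed path to your test installer
    [string]$StartupArtifact = "shady-app.exe",                                 # assumed file name it drops into Startup
    [string]$SettingLabel    = "default",                                       # e.g. default / delete / terminate / ignore
    [string]$ResultLog       = "$env:USERPROFILE\Desktop\sw-test-results.csv",
    [int]$WaitSeconds        = 30                                               # time given to System Watcher to react
)

$startupDir   = [Environment]::GetFolderPath('Startup')   # per-user Startup folder (assumed install target)
$artifactPath = Join-Path $startupDir $StartupArtifact
$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # second common per-user autostart route

function Get-PersistenceState {
    # Snapshot of what System Watcher is expected to undo: the dropped file in Startup
    # and any Run-key value that references it.
    $runEntries = @()
    if (Test-Path $runKey) {
        $runEntries = (Get-ItemProperty -Path $runKey).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like "*$StartupArtifact*" } |
            Select-Object -ExpandProperty Name
    }
    [pscustomobject]@{
        SampleOnDisk      = Test-Path -LiteralPath $SamplePath
        ArtifactInStartup = Test-Path -LiteralPath $artifactPath
        RunKeyEntries     = (@($runEntries) -join ';')
    }
}

function Get-Verdict([pscustomobject]$state) {
    if (-not $state.SampleOnDisk) { return 'sample removed (deleted or quarantined)' }
    if ($state.ArtifactInStartup -or $state.RunKeyEntries) { return 'sample on disk AND persistence survived: no rollback' }
    return 'sample on disk, persistence rolled back'
}

$before = Get-PersistenceState
if (-not $before.SampleOnDisk) { throw "Sample not found at $SamplePath" }
if ($before.ArtifactInStartup -or $before.RunKeyEntries) {
    throw "Persistence artifact already present before the run; clean up first so the result is meaningful"
}

# Launch the sample and give System Watcher time to react.
$proc = Start-Process -FilePath $SamplePath -PassThru -ErrorAction SilentlyContinue
Start-Sleep -Seconds $WaitSeconds
$stillRunning = ($null -ne $proc) -and (-not $proc.HasExited)

$after  = Get-PersistenceState
$record = [pscustomobject]@{
    Timestamp         = (Get-Date).ToString('s')
    Setting           = $SettingLabel
    SampleOnDisk      = $after.SampleOnDisk
    ArtifactInStartup = $after.ArtifactInStartup
    RunKeyEntries     = $after.RunKeyEntries
    InstallerRunning  = $stillRunning
    Verdict           = Get-Verdict $after
}
$record | Export-Csv -Path $ResultLog -Append -NoTypeInformation
$record | Format-List
```

The interesting cases are rows where `SampleOnDisk` is True while `ArtifactInStartup` is False and `RunKeyEntries` is empty (the "terminated and rolled back but not quarantined" behaviour described for version 20) and rows where `InstallerRunning` is True with persistence present (the "behaves like Ignore" case). Check the Startup folder path the script resolves against the one your installer actually writes to; if they differ, the script reports a rollback that never happened.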
Userlevel 3
Badge
I advise the author to ask support about it. If it's a bug, they will fix it.
Thanks for the advice, I'll do that 🙂
Userlevel 3
Badge
What support told you? Just interesting...
After providing detailed information and samples, the bug has been forwarded to product development. From what I can tell, it isn't fixed in patch D yet.
Userlevel 3
Badge
That's nice. Another bug in 2020...
Userlevel 7
Badge +5
Hello @DarkWav & @Vitalik93,
Patch (d) was confined to fixing one specific issue only; it was not the "planned" (d), which has now become (e), due mid-October.
Thank you.
