Kaspersky
Solved

Why is psinject in Kaspersky Lab temporary folder?

  • 10 November 2021
  • 13 replies
  • 100 views

I was using the update feature of the Kaspersky Cloud AV to update the software in my computer and found that inside the folder KasperskyLab/Temp/tempio, there exists several PSInject.ps1 scripts (https://github.com/EmpireProject/PSInject). May I know if this is intended and what is the use?


Best answer by Igor Kurzin 11 November 2021, 11:37


13 replies

Userlevel 7
Badge +11

I was using the update feature of the Kaspersky Cloud AV to update the software in my computer and found that inside the folder KasperskyLab/Temp/tempio, there exists several PSInject.ps1 scripts (https://github.com/EmpireProject/PSInject). May I know if this is intended and what is the use?

Hello @whwhwh

Welcome!

  1. Read before you create a new topic! & please provide the information detailed by @Danila T. ?
  2. Is Kaspersky Security Cloud Premium or Free? 

Please let us know?

Thank you:pray_tone3:

Flood:whale:+:whale2:

Hi Flood,

Here is the info:

OS: Windows 10 21H1 19043.1288

I downloaded Kaspersky Security Cloud Free but upgraded to Premium for a 1 month trial a few hours ago (https://www.kaspersky.com/downloads/thank-you/free-antivirus-download).

Thank you!

Userlevel 7
Badge +11

Hello @whwhwh

Thank you for the information!

  1. Which Kaspersky Security Cloud version & patch(x) is installed? On the Windows taskbar or hidden icons, right-click the Kaspersky icon, select About. 
  2. Neither Kaspersky Security Cloud Premium Trial nor Free have access to Kaspersky Technical Support; we’ve sought guidance from the Kaspersky experts in this forum, please wait for a response.

Thank you:pray_tone3:

Flood:whale:+:whale2:

Userlevel 7
Badge +6

Hi @whwhwh , 

tempio is a Kaspersky temporary folder; anything can appear in this folder while Kaspersky is checking files or network traffic.

tempio is a well protected Kaspersky folder, there is nothing to worry about. 

This situation does not seem to be connected to the Software Updater process. 

Hi Igor,

Thanks for the information. Just wondering if the Kaspersky AV could be using this PowerShell script anywhere else, or if it’s because my computer was infected? They were detected by AVG after I’d installed and used Kaspersky Security Cloud. 

Userlevel 7
Badge +6

Hi @whwhwh , 

It can be a false detection on the side of AVG. If the file is still there, you can submit it via https://opentip.kaspersky.com for analysis. 
You can also upload it to some cloud in a password protected archive and send me a download link via private messages. 

Hi Igor,

I’ve since accessed the tempio directory as administrator and deleted the PowerShell scripts. It looked exactly like the link here - https://…./Invoke-PSInject.ps1.

(Moderator: edited the url)

I’ve scanned the script with virustotal as well - https://www.virustotal.com/gui/file/2c416a3571cf4c98bc430372ff1422803bab89a27527000bc25efb4ac7321509
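Before deleting anything from an AV temp folder like tempio, it is worth recording what is there so the files can still be submitted for analysis by hash. The script below is an added example, not code from the thread or from Kaspersky: the folder path is passed in (the thread only gives it as KasperskyLab/Temp/tempio), and the one known hash is the VirusTotal SHA-256 quoted above.

```powershell
<#
  Added triage example (not from the thread or from Kaspersky's software).
  Inventories every file under a folder such as the tempio folder discussed above,
  records path, size, timestamps and SHA-256 to a CSV, and flags any file whose hash
  matches a known sample. Nothing is executed or deleted.
#>
param(
    # The folder to inventory, e.g. the KasperskyLab\Temp\tempio folder (site-specific path).
    [Parameter(Mandatory)][string]$Folder,
    [string]$Report = (Join-Path $PWD 'tempio-inventory.csv')
)

# Known hashes to flag. The only entry is the SHA-256 quoted in the thread's VirusTotal link.
$KnownHashes = @{
    '2C416A3571CF4C98BC430372FF1422803BAB89A27527000BC25EFB4AC7321509' = 'Invoke-PSInject.ps1 (hash quoted in thread)'
}

$rows = Get-ChildItem -LiteralPath $Folder -File -Recurse -Force -ErrorAction Stop |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash   # uppercase hex
        # For script-like files, keep the first few lines as text so a reviewer can
        # recognise a known tool without running it.
        $head = ''
        if ($_.Extension -in '.ps1', '.psm1', '.bat', '.cmd', '.txt') {
            $head = (Get-Content -LiteralPath $_.FullName -TotalCount 5 -ErrorAction SilentlyContinue) -join ' | '
        }
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Created   = $_.CreationTimeUtc.ToString('o')
            Modified  = $_.LastWriteTimeUtc.ToString('o')
            SHA256    = $hash
            Known     = if ($KnownHashes.ContainsKey($hash)) { $KnownHashes[$hash] } else { '' }
            Head      = $head
        }
    }

# Persist the inventory so it survives any later cleanup of the folder.
$rows | Export-Csv -LiteralPath $Report -NoTypeInformation -Encoding UTF8
$rows | Format-Table Path, SizeBytes, SHA256, Known -AutoSize

$flagged = @($rows | Where-Object { $_.Known })
"Inventoried $($rows.Count) file(s); $($flagged.Count) matched a known hash. Report written to $Report"
```

Run it from an elevated PowerShell prompt, since the thread notes that tempio is only readable as administrator; the CSV is what you would attach when submitting a sample to opentip.kaspersky.com.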

Userlevel 7
Badge +6

Hi @whwhwh , 

That’s what I get trying to save the file: 
Component: Web Anti-Virus
Result description: Blocked
Type: Malicious link
Name: https://…./Invoke-PSInject.ps1
Precision: Exactly
Threat level: High
Object type: Web page
Object name: Invoke-PSInject.ps1
Object path: https://….
Reason: Cloud Protection

So far it looks like some script was intercepted by Kaspersky Web Anti-Virus and placed in the tempio folder.

 

Userlevel 7
Badge +11

Hello @whwhwh & @Igor Kurzin

FYI:

Thank you:pray_tone3:

Flood:whale:+:whale2:

Hi Flood and Igor,

Thank you for the assistance. The weird thing is that the Kaspersky Security Cloud AV did not flag the malicious script during a scan I did initially with KSC. After the scan, I used KSC to update my software (OpenVPN, iTunes, TeamViewer etc.) and that's when AVG alerted me to the malicious scripts in the Kaspersky Lab tempio folder, so I thought that the KSC AV might have something to do with it.

Also, after removing the malicious scripts, I did multiple rounds of scans with KSC AV, AVG and Windows Defender. So far no malware has been detected, so I’m not sure where this script came from.

Userlevel 7
Badge +11

So far it looks like some script was intercepted by Kaspersky Web Anti-Virus and placed in the tempio folder.

 

Hello @Igor Kurzin

Why tempio?

By rights users should not be manipulating tempio (should they?), which is what @whwhwh has done to clear the files: “I’ve since accessed the tempio directory as administrator and deleted the powershell scripts.”

Thank you:pray_tone3:

Flood:whale:+:whale2:

Hi Flood and Igor,

Based on the user controls set, an administrator user is able to manipulate the tempio folder, which is what I did by running cmd as administrator and deleting the files via cmd.

Igor might be right. I’ve reinstalled the KSC AV and did a scan again. I made sure that the tempio folder was empty before scanning. This time, it found multiple PowerShell scripts in a zipped folder that I forgot existed. After scanning, the PowerShell scripts appeared in the tempio folder, which I’m guessing is stored as a backup. 

Thank you all for the help!

Userlevel 7
Badge +6

Hi @whwhwh , 

You are most welcome, glad you have figured out the mystery.

Have a good day and stay safe! 
