Exclusions not working, xmrig miner. [Solved][Closed]

  • 21 February 2020
  • 15 replies
  • 3048 views

I’m trying to use xmrig, a cryptocurrency miner downloaded from this GitHub release. The program is legitimate; however, it gets a false positive detection from Kaspersky as the source code is used in a lot of malware to mine cryptocurrency without the user’s consent. I’ve tried adding the folder and application to my exclusions, and also added it to my trusted applications; however, it still gets stopped and deleted by Kaspersky. I haven’t been able to get it to work without pausing protection entirely. Is there a solution for this? Windows Defender does not have the same problem when adding the folder to my exclusions.

Best answer by andrew75 21 February 2020, 20:04

This topic has been closed for comments

Userlevel 7
Badge +3

Hi, 

Welcome. 

Kaspersky is still detecting because it is in memory.

Pause protection and add folder to EXCLUSIONS then enable protection. 

 

I already paused protection and added it to my exclusions when I downloaded it. When protection is re-enabled and I try to run the program, it still gets detected and deleted by Kaspersky.

Userlevel 7
Badge +3

Paused protection and then download and add to EXCLUSIONS? 

Userlevel 7
Badge +9

@DeliciousStorage, show how you configure exclusions please

A screenshot is in the attachment.

Paused protection and then download and add to EXCLUSIONS? 


Yes, I did this.

Userlevel 7
Badge +9

Turn on the interactive protection mode.
Then you can choose the actions when the protection is triggered.

 

Without running the program, when I enabled protection I got a popup asking me if I wanted to block it or add to exclusions. I added to exclusions; the popup closed but came back a couple of seconds later. This process kept repeating. I checked my exclusions and I had a long list of duplicate exclusions. I deleted it, paused protection again and re-downloaded. Now I’m no longer getting a popup when it’s closed, but when I try to run it I’m getting a totally different popup (see attachment) asking me to Allow now or Block. I clicked on Allow now and remember choice but it still didn’t work; the popup kept closing and reappearing a couple of seconds later. Then I clicked on additional actions and something about a trusted application, and did the same for a couple of similar popups after that, and now finally I have it working.

It was a total pain to get working and the point remains that the exclusions do not work as they should.

Userlevel 7
Badge +9

Everything is working correctly.
Protection was triggered by an attempt by an application with limited rights to start the system process.
It was necessary to add XMRigminer to trusted applications, which you did as a result.

Now you can turn off the interactive protection mode.

When I add a folder or application to my exclusions I expect it to work when I run it, which is what happens with Windows Defender. I don’t expect it to be stopped and automatically deleted as happens with the default settings. If you read my first post in full you will see that I already added it to my trusted applications so this doesn’t work as intended.

Userlevel 7
Badge +9

Then I clicked on additional actions and something about a trusted application, and did the same for a couple of similar popups after that, and now finally I have it working.

So the antivirus reacted to something else that was in the “couple of similar popups”.

You also missed the fact that the program was initially getting deleted when it wasn’t running despite being in my exclusions, and that there was a weird bug with endless popups asking to add to exclusions. Surely you don’t consider this working as intended?

Userlevel 7
Badge +9

I find it difficult to answer this question. At least because I did not see all these pop-ups.
You can always create a request for technical support and ask what they think about this.

I am just the same user as you.

If anyone wants to try and replicate it, the steps are as follows for Windows 10 Pro Build 1909.

1. Pause protection
2. Download XMRig
3. Extract XMRig and move to a folder in a data drive
4. Add folder and application (xmrig.exe) to exclusions
5. Add xmrig.exe to "Specify trusted applications" in threats and exclusions settings
6. Turn off "Perform recommended actions automatically" in Interactive protection
7. Resume protection and open xmrig folder

You should then get a popup asking if you want to delete xmrig.exe or add to exclusions, despite already adding both the folder and application to exclusions. If you select add to exclusions in the popup, it will disappear and come back a couple of seconds later. This will repeat endlessly when you select add to exclusions. If you check your exclusions afterwards, you will find a long list of duplicate exclusions.

Userlevel 7
Badge +9

I did it a little differently.

  1. My antivirus is always in interactive protection mode. Therefore, when the antivirus swore when downloading and unpacking, I simply allowed these actions.
  2. Downloaded xmrig-5.6.0-gcc-win64.zip
  3. Unpacked.
  4. Added a folder to exclusions
  5. Added xmrig.exe and xmrig-notls.exe to trusted (Settings - Protection - Application Control - Manage Applications - Trusted Group - Add application to group)
  6. Start xmrig.exe
  7. Everything works, no pop-ups

But I have Windows 7 x64.