Kaspersky AV is warning about Explorer injecting code in other processes

This is the beginning of my 30 day trial for Kaspersky AV 6.0

I tend to doubt it is a real malware, but everything explorer touches it tries to inject code into (supposedly)

I've recently done full scans with NOD32, Trojan Hunter, and Kaspersky and none of them found any infection. I do have alternative "explorers" on my machine, and could that somehow cause a problem (e.g. Xplorer2, XnView, Bridge, Visere). However none of the other explorer like programs were running at the time.

Kaspersky offers to block the injection, and when it does it seems to be satisfied all is well, so I suppose in the long run everything will get a rule to be blocked...

But there is another thing that struck me as suspicious, and this has gone on for ages. Often when I right click a file in explorer, my firewall will say Explorer is trying to connect to the internet. On those occasions I curse Microsoft for spying, and then block the connection. I have asked about that in the past and the general consensus is that it is a common phenomenon in XP and to ignore it, and the Microsoft would never dream of spying on people.

Well, just in case anyone has any knowledge about these things. It seems to me enough people around here use Kaspersy that maybe someone else has some further info.


-HandsOff

Here is a sample

 

Hmm, this is really tricky. The technology permitting your AV tool to trace injections into various processes is really a good one. But if you have all your trusted software added to the trusted list the efficiency of this technology will be reduced to 0.
For if a malicious code uses the process of Explorer (trusted forever) to do whatever its creator would have planned - the protection tool will stay silent though observing the tragedy going on under its control.

 

Well, in most cases it will never be caught. Thanks to Billy the billionaire....

 

Well the key is IF the file is not infected at the time it is put on the trusted list. In my case I am still going to do some checking before I add it to the list because there are indications that this might be real. Did you get messages that "a new varient of invader has been detected" I think "invader" is there term for dll injecting trojan that invades other processes.

But back to the trusted list...Unless I am mistaken it is only trusted so long as the file has not been changed. So even if it missed the injection, it would discover the file has changed at it will not be trusted unless you add it again.

Did you actually recieve those messages. also....i think this version of KAV is only 1 month old, bound to be some changes.


-HandsOff

 

Well the thing that bothers me is that the processes and things they describe don't seem like they are things that are likely to happen. To hear PDM tell it just about every program on my computer is injecting ever other one. Some are even injecting themselves!

I should have guessed by "new varient" thing. I should have recalled from experience that when they cannot supply a name, it is usually a false positive. I have done just about every test I can think of and everything seems to be okay, so I will have to put a muzzle on PDM.

Since we are on KAV 6, do you use it's registry protection as well as Ghost Reg Defend, or did you mean a different product? I think at the moment I have them both running. but will probably not use them both when I am done testing all the modules.


-HandsOff

 

Handsoff

If you also have RegDefend, then i would probably use this and disable the one in Kav or uninstall RegDefend.

Most of the popups are of a onetime nature i usually only add anything to trusted if it annoy me long enough, i have very few there (3) and yes, it will detect if the file is changed.

Do you have Windows Defender installed?

 

Thanks for the reply. It's probably wasteful to run both, but was thinking I might get two differently worded messages...sometimes its tough to know whether to allow something or not!

 

Nope. I haven't looked into it yet. It sounds like something that would be good to have. I'll have to take a look at it!


-HandsOff!

 

I think the reason he was asking about Windows Defender is because it will give conflicts with KAV/KIS6. You would probably see a ton of alerts with both installed and they never seem to go away

 

It certainly seems key to get programs that can work together. I still think it would be nice if you could do double teaming at times, it would provide useful info!

-HandsOff