Kaspersky AV is warning about Explorer injecting code in other processes

Discussion in 'other anti-virus software' started by HandsOff, May 27, 2006.

Thread Status:
Not open for further replies.
  1. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    This is the beginning of my 30 day trial for Kaspersky AV 6.0

    I tend to doubt it is real malware, but (supposedly) it tries to inject code into everything Explorer touches.

    I've recently done full scans with NOD32, Trojan Hunter, and Kaspersky and none of them found any infection. I do have alternative "explorers" on my machine (e.g. Xplorer2, XnView, Bridge, Visere); could that somehow cause a problem? However, none of the other explorer-like programs were running at the time.

    Kaspersky offers to block the injection, and when it does it seems to be satisfied all is well, so I suppose in the long run everything will get a rule to be blocked...

    But there is another thing that struck me as suspicious, and this has gone on for ages. Often when I right-click a file in Explorer, my firewall will say Explorer is trying to connect to the internet. On those occasions I curse Microsoft for spying, and then block the connection. I have asked about that in the past and the general consensus is that it is a common phenomenon in XP and to ignore it, and that Microsoft would never dream of spying on people.

    Well, just in case anyone has any knowledge about these things. It seems to me enough people around here use Kaspersky that maybe someone else has some further info.


    -HandsOff

    Here is a sample
     

    Last edited by a moderator: May 28, 2006
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    That is not a problem. Explorer.exe is what controls your desktop and starts anything you click on. Just add it to the trusted list and the messages will go away. I agree calling it an invader is lousy terminology, but if you have the advanced level turned on in the Proactive Defense Module, you will see that message quite a bit until you get all the trusted stuff on the trusted list.

    Pete
     
  3. Severyanin

    Severyanin AV Expert

    Joined:
    Mar 19, 2006
    Posts:
    57
    Hmm, this is really tricky. The technology permitting your AV tool to trace injections into various processes is really a good one. But if you have all your trusted software added to the trusted list, the efficiency of this technology will be reduced to 0.
    For if malicious code uses the process of Explorer (trusted forever) to do whatever its creator would have planned, the protection tool will stay silent, though observing the tragedy going on under its control.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Yes, but if you don't put it under trusted, you will go nuts with pop-ups to the point of turning it off. Note though, if everything you trust is listed, before the malicious code can use Explorer it has to inject into Explorer and should be caught.
     
  5. Severyanin

    Severyanin AV Expert

    Joined:
    Mar 19, 2006
    Posts:
    57
    Well, in most cases it will never be caught. Thanks to Billy the billionaire....
     
  6. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Well, the key is IF the file is not infected at the time it is put on the trusted list. In my case I am still going to do some checking before I add it to the list because there are indications that this might be real. Did you get messages that "a new variant of Invader has been detected"? I think "Invader" is their term for a DLL-injecting trojan that invades other processes.

    But back to the trusted list... Unless I am mistaken, it is only trusted so long as the file has not been changed. So even if it missed the injection, it would discover the file has changed and it will not be trusted unless you add it again.

    Did you actually receive those messages? Also, I think this version of KAV is only 1 month old, bound to be some changes.


    -HandsOff
     
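The trusted-list behaviour discussed above (an untrusted source injecting into Explorer is alerted, a trusted source is silent, and trust lapses once the file on disk changes) as an added toy model in Python; this is not Kaspersky's code, and the paths and image bytes are constructed stand-ins:

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class InjectionEvent:
    source_path: str     # process attempting the injection (the "invader")
    source_image: bytes  # constructed stand-in for the source's on-disk executable
    target_path: str     # process being injected into


@dataclass
class TrustedList:
    # path -> SHA-256 of the image at the time the user added it
    entries: dict = field(default_factory=dict)

    def add(self, path: str, image: bytes) -> None:
        self.entries[path] = hashlib.sha256(image).hexdigest()

    def is_trusted(self, path: str, image: bytes) -> bool:
        # Trust survives only while the file on disk is unchanged.
        recorded = self.entries.get(path)
        return recorded is not None and recorded == hashlib.sha256(image).hexdigest()


def evaluate(event: InjectionEvent, trusted: TrustedList) -> str:
    """Decide what the proactive-defense model does with one injection event."""
    if trusted.is_trusted(event.source_path, event.source_image):
        return "allow"   # trusted source: silent, which is also the caveat raised
                         # above, since a subverted-in-memory Explorer stays silent
    return "alert"       # unknown or modified source: "new variant of Invader"


def run_scenario() -> list:
    explorer = b"EXPLORER-IMAGE-v1"  # constructed stand-in for explorer.exe
    trusted = TrustedList()
    trusted.add(r"C:\Windows\explorer.exe", explorer)
    events = [
        # normal desktop activity: Explorer touching a program it launched
        InjectionEvent(r"C:\Windows\explorer.exe", explorer, r"C:\Program Files\app.exe"),
        # unknown program trying to get into Explorer: caught before it can
        # ride on Explorer's trusted status
        InjectionEvent(r"C:\Temp\dropper.exe", b"DROPPER", r"C:\Windows\explorer.exe"),
        # explorer.exe replaced on disk: hash mismatch, trust no longer applies
        InjectionEvent(r"C:\Windows\explorer.exe", b"EXPLORER-PATCHED", r"C:\Program Files\app.exe"),
    ]
    return [evaluate(e, trusted) for e in events]
```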
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    They are using the term Invader for the injection process. When I first started using PDM, I got a bunch of them, but just added the stuff to trusted. That module is acting independently of the AV as far as I know. I've cut way back on what I use in the PDM module because I also run SSM, Ghost, and OA.

    Pete
     
  8. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Well, the thing that bothers me is that the processes and things they describe don't seem like they are things that are likely to happen. To hear PDM tell it, just about every program on my computer is injecting every other one. Some are even injecting themselves!

    I should have guessed by the "new variant" thing. I should have recalled from experience that when they cannot supply a name, it is usually a false positive. I have done just about every test I can think of and everything seems to be okay, so I will have to put a muzzle on PDM.

    Since we are on KAV 6, do you use its registry protection as well as Ghost RegDefend, or did you mean a different product? I think at the moment I have them both running, but will probably not use them both when I am done testing all the modules.


    -HandsOff
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Hi Handsoff

    I left them all on until one of the modules on the latest beta build started conflicting with SSM. Now I have PDM installed but all I have active is the office macros part of it. I also have RegDefend, and use Tony's rules, so I don't need the registry guard in KAV 6.0.

    Pete

    PS Registry Guard didn't appear to conflict with Regdefend.
     
  10. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Handsoff

    If you also have RegDefend, then I would probably use this and disable the one in KAV, or uninstall RegDefend.

    Most of the pop-ups are of a one-time nature; I usually only add anything to trusted if it annoys me long enough. I have very few there (3) and yes, it will detect if the file is changed.

    Do you have Windows Defender installed?
     
  11. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California

    Thanks for the reply. It's probably wasteful to run both, but I was thinking I might get two differently worded messages... sometimes it's tough to know whether to allow something or not!
     
  12. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California

    Nope. I haven't looked into it yet. It sounds like something that would be good to have. I'll have to take a look at it!


    -HandsOff!
     
  13. Mem

    Mem Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    292
    I think the reason he was asking about Windows Defender is because it will give conflicts with KAV/KIS6. You would probably see a ton of alerts with both installed and they never seem to go away :D
     
  14. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    It certainly seems key to get programs that can work together. I still think it would be nice if you could do double teaming at times, it would provide useful info!

    -HandsOff
     