Hi @ Wilders, I am trying out KVRT free, which is a no-install exe, and my principal firewall is TinyWall on Win 10. The problem I am having is that I cannot permanently allow KVRT through TinyWall. Every time I use KVRT I have to set it up again as though it is a first-time setup; also I have to turn on Auto Learn in TinyWall (which doesn't learn). I think it might be to do with the fact that the Cloud scanner uses a Temp folder which is different each time KVRT.exe is used. Can anyone help me to set up KVRT through TinyWall to ensure I don't have to keep repeating setup? Thanks, Terry
My solution has been to disable any Windows FW frontend such as Tinywall in that scenario... you've still got Windows FW running in that case, which will allow the connection. I've got Windows FW hardened with Hard Configurator rules, so it's not a big worry for me to have it running alone for a short time. Admittedly it's a quick and dirty fix, maybe you're looking for a better solution.
Hi drhu22 Thanks for that. I hadn't thought of it the way you put it. Still, there ought to be a solution that permanently enables access for KVRT? Perhaps other members may have a solution? Thanks Terry
any reason to run that tool? doubts about your currently used residential antivirus? then uninstall, but don't let kaspersky do a bad job. the random folder names are against detection. but you can copy out the whole temp folder, remove the random 0815abcd.exe, use kvrt.exe instead (it's the same). and save the cmd file, which currently looks like this:

Code:
@echo off
@echo "KVRT cleanup script"
@echo "Cleanup started..."
cd /
FOR /L %%i IN (1, 1, 1000) DO (
    rmdir /s /q "C:\Users\...\AppData\Local\Temp\{a3130789-ed79-426f-bb2e-a26373d0ddee}"
    if not exist "C:\Users\...\AppData\Local\Temp\{a3130789-ed79-426f-bb2e-a26373d0ddee}" goto RemoveOK
    ping 127.0.0.1 -n 1 > Nul
)
exit
:RemoveOK
cd /D C:\Windows\System32\Drivers
FOR %%i IN ("klupd_e07da9a3a*.sys") DO (
    REG DELETE "HKLM\System\CurrentControlSet\services\%%~ni" /f
    DEL /F /Q "%%i"
)
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 90d5978e-3a01-4725-8ff2-1b1c57ee4f1e /f
@echo "Cleanup completed."
rmdir /s /q "%~dp0"

this is a cleanup command, no more. it may differ in your case, especially the random SYS files (c:\windows\system32\drivers). results go to c:\KVRT2020_Data. kvrt is another only water boiling software.
T- Kaspersky does indeed drop the executable into App Data/Local/temp (where the actual subfolder changes). As TinyWall considers this temp executable as Unknown and it will constantly change (especially as KVRT updates "versions" quite often), you really can't have a universal rule to prevent the block. The easiest (and best) remedy is to quit Tinywall during the few minutes KVRT is running, then restart it. M
Sorry! I should have specified database versions. This updating will change the name of the temp files generated.
Courtesy your endorsement I downloaded KVRT, but as always I would never use it but for testing local and in-the-wild malware on an isolated machine. Still it should prove interesting, since everyone is aware by now a single AV can't possibly sweep up every single potential baddy 100%, but in the 90's is a worthy report. When first engaging WVSX some think it doesn't do anything. But dare say drop or slip in some malware and watch the Tom & Jerry Show go into action. Even better yet, users seat Comodo FW on their system and revel in caged captures, as you well know. Thanks again and always for fine tuning Comodo FW
that sounds plausible. thank you. this reminds me of my latest tries with the KAV boot disc, which was older than the signature files used, which were loaded from the net. seems that it doesn't really make a difference.
Hi Terry, first, I've never used Tinywall, but the question I have about it is: does it handle wildcards for path names? If so, I have run the KVRT.exe tool five consecutive times, and although as expected the path name changed every time, the pattern in the path stayed consistently the same. If wildcards can be used in Tinywall, then try the following path rule:

Code:
\device\harddiskvolume?\users\username\appdata\local\temp\{????????-????-????-????-????????????}\????????.exe

Note that "username" would of course be yours. This is about as granular as you can get, but it should probably work. I was able to find these entries in Windows Event Viewer under: Windows Logs\Security. Then just right-click on Security and select: "Filter current Log..." and in the field: <All Event IDs> type in "5156" (no quotes) then Ok. I would think that Tinywall should have a log viewer of its own to find these entries as well, which is probably easier to use.

Edit: Event ID 5156 is for permitted connection from Windows filtering platform. In the case where you need to find blocked connections, use ID 5157
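
The Event Viewer filter described in the post above can also be run from an elevated PowerShell prompt. This is an added example, not part of the original thread: it pulls event IDs 5156 and 5157 from the Security log and keeps only those whose application path matches the wildcard pattern from the post. The one-hour window, the `$user` variable and the `Get-EventField` helper are assumptions made for illustration.

```powershell
# Added example (not from the thread): list Windows Filtering Platform
# connection events for executables matching the KVRT temp-path pattern.
# Assumes an elevated prompt and that "Audit Filtering Platform Connection"
# is enabled, otherwise no 5156/5157 events are written.

# Assumption: KVRT was run under the current account; change if not.
$user = $env:USERNAME

# Same wildcard pattern as in the post. With -like, '?' matches exactly one
# character and the braces are literal; the comparison is case-insensitive.
$pattern = "\device\harddiskvolume?\users\${user}\appdata\local\temp\" +
           "{????????-????-????-????-????????????}\????????.exe"

# Hypothetical helper: read one named <Data> field from the event XML.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5156, 5157                # 5156 = permitted, 5157 = blocked
    StartTime = (Get-Date).AddHours(-1)   # assumption: KVRT ran in the last hour
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $app = Get-EventField $xml 'Application'
    if ($app -like $pattern) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Verdict = if ($_.Id -eq 5156) { 'Allowed' } else { 'Blocked' }
            App     = $app
            Dest    = '{0}:{1}' -f (Get-EventField $xml 'DestAddress'),
                                   (Get-EventField $xml 'DestPort')
        }
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Running it once with the firewall front end active and once without shows whether the randomly named executable is being blocked and which destinations it needs.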