False positive ransomware?


hcova

I have installed Kaspersky AV, and Immunet says what is shown in the picture below.

Am I infected with Ransomware.Eicar?
How is it possible that I am receiving such a failed quarantine?
Any help is welcome.

Regards

Hernan


Hello Hernan, I would concur that it is an FP, and no, you are not infected with ransomware. Believe me, if you were, you'd already know for sure!

It appears that Immunet was attempting to quarantine Kaspersky's definition update for an EICAR ransomware test string.

EICAR test strings are used to examine an AV's efficacy by using dummy malware signatures that do no harm. Some AV vendors white-list these test strings to avoid unnecessary False Positive reports by users who don't know what they downloaded and opened the test string's compressed folder (usually zip or rar) or don't know how to properly use the strings for testing. That's their logic anyway.

One way to avoid conflicts with Immunet & your companion AV is to open the settings and add an exclusion for "Kaspersky's entire Program Files folder" with Immunet. Also do the same for Kaspersky: exclude Immunet's entire Program Files folder in its settings. Doing this can go a long way to help avoid the situation you just encountered.

Best Wishes, Ritchie...

P. S. - I don't entirely agree with the reasoning behind AV vendors white-listing these test strings. That means a user can't actually test just how good their AV is themselves. Got something to hide maybe?

With Immunet you can't even open & unpack EICAR compressed folders once they're downloaded because they have "already been quarantined" if you have Scan Archive Files & Scan Compressed Files enabled in Settings! Immunet is that good!


  • 2 years later...

I have this same issue.

Multiple sample files for Kaspersky AntiRansomware detected.

I have already listed the Kaspersky program folder in the exclusions.

The files detected are actually in the C:\ProgramData\Kaspersky Lab\AntiRansom4\protected\Bases\Cache

I entered an exclusion of C:\ProgramData\Kaspersky Lab\AntiRansom4\protected\Bases\Cache\*.kmc which does not seem to work.

I am still getting detections.

Any assistance will be appreciated.

LonnieB


Exclusions to do in Immunet's settings:

Exclude the entire folder

C:\ProgramData\Kaspersky Lab\

or if you want to reduce the amount of excluded content, try excluding

C:\ProgramData\Kaspersky Lab\AntiRansom4\protected\Bases\Cache\

instead. There is no need to do both, as you see one is just a subfolder of the other.

Similarly, you should also exclude Kaspersky's folder within "Program Files" or "Program Files (x86)" as necessary.

Exclusions to do within Kaspersky's settings:

I have never had a problem with Kaspersky detecting Immunet's updates, but just in case (and to improve performance), go to Kaspersky's settings and exclude

C:\Program Files\Immunet\

(or the equivalent in "Program Files (x86)" if you are on 32-bit), and

C:\Programdata\Immunet\

 
