False positive ransomware?

I have installed Kaspersky AV, and Immunet says what is shown in the picture below.

Am I infected with Ransomware.Eicar?
How is it possible that I am receiving such a failed quarantine?
Any help is welcome.





Hello Hernan, I would concur that is a FP, and no you are not infected with ransomware. Believe me, if you were, you'd already know for sure!

It appears that Immunet was attempting to quarantine Kaspersky's definition update for an EICAR ransomware test string.

EICAR test strings are used to examine an AV's efficacy by using dummy malware signatures that do no harm. Some AV vendors white-list these test strings to avoid unnecessary False Positive reports by users who don't know what they downloaded and opened the test string's compressed folder (usually zip or rar) or don't know how to properly use the strings for testing. That's their logic anyway.

One way to avoid conflicts with Immunet & your companion AV is to open the settings and add an exclusion for "Kaspersky's entire Program Files folder" with Immunet. Also do the same for Kaspersky, exclude Immunet's entire Program Files folder in its settings. Doing this can go a long way to help avoid the situation you just encountered.

Best Wishes, Ritchie...

P. S. - I don't entirely agree with the reasoning behind AV vendors white-listing these test strings. That means a user can't actually test just how good their AV is themselves. Got something to hide maybe?

With Immunet you can't even open & unpack EICAR compressed folders once they're downloaded because they have "already been quarantined" if you have Scan Archive Files & Scan Compressed Files enabled in Settings! Immunet is that good!


I have this same issue.

Multiple sample files for Kaspersky AntiRansomware detected.

I have already listed the Kaspersky program folder in the exclusions.

The files detected are actually in the C:\ProgramData\Kaspersky Lab\AntiRansom4\protected\Bases\Cache

I entered an exclusion of C:\ProgramData\Kaspersky Lab\AntiRansom4\protected\Bases\Cache\*.kmc which does not seem to work.

I am still getting detections.

Any assistance will be appreciated.



Exclusions to do in Immunet's settings:

Exclude the entire folder

C:\ProgramData\Kaspersky Lab\

or if you want to reduce the amount of excluded content, try excluding

C:\ProgramData\Kaspersky Lab\AntiRansom4\protected\Bases\Cache\

instead. There is no need to do both, as you see one is just a subfolder of the other.

Similarly, you should also exclude Kaspersky's folder within "Program Files" or "Program Files (x86)" as necessary.

Exclusions to do within Kaspersky's settings:

I have never had a problem with Kaspersky detecting Immunet's updates, but just in case (and to improve performance), go to Kaspersky's settings and exclude

C:\Program Files\Immunet\

(or the equivalent in "Program Files (x86)" if you are on 32-bit), and


