Kaspersky: FraudTool.Win32.Spylocked.ds

[Serra]

Kaspersky just zapped ever SageTV client off of all of my computers claiming it was a virus.

Hit my computer and my son's computer at almost the same time, just a few minutes appart. Basically deleted SageTV and made us reboot. I tried to download the client again, but it deleted the download as soon as it was finished with the same virus claim!

Hmmm... not happy.

[OneOfMany]

http://www.securelist.com/en/descrip...2.SpyLocked.cx

Not sure if Kaspersky is actually responsible, sounds more like malware

Grant

[Serra]

That was my first thought that it was malware infection that got sage. But how would malware infect a zip file that has the sage client in it? I didn't know malware could infect unopened zip files.

Also, Sage wasn't running on either of the desktops when Kaspersky flagged it.

Edit: Yea, I can't even download it without it being flagged and deleted before I open it.

[barney B.A.]

When was the last update to Kaspersky?
Maybe a bad DAT file
Did you submit a sample to Kaspersky?
Could be a false positive. I've had those before

Also you might want to set an exception for the SageTV program file folder

[Entz]

Same problem here. SageTV was working fine yesterday and then today (after updates?) it suddenly is flagging SageTV.exe as a virus and deleting it.

You can restore it from the Quarantine window and add an exception =/

[impro]

Highly doubt it is a false positive.
My laptop crashed today when I tried to start client.
I did full restore and kaspersky blocks it even while downloading.
Sage should look in to it.
I do not want to restore again!

[Serra]

I ran a couple of tests and Kaspersky 2010 and 2011 both prevent new downloads of the client. They are fine with the server, but not the client. As noted, the file will not even open on download, both version prevent it from opening at all.

It could be a false positive, but I don't think the file was infected at my end since PCs that are clean will not open the file. I can't find a way to flag it as ignore, since it isn't actually installed... Strange.

Also, the client isn't in my quarantine. Looks like my version 2010 settings delete them rather than quarantine them.

After a lot of looking around, I'm going with the idea I'm not infected. If I were infected and it was spreading across my network, then I'd expect it to show up in places that weren't SageTV Client files and SageTV downloads.

I'm basically without Sage right now until a we can assure that this is a false positive.

[voidpt]

I would give it a 98,999% certainty of false-positive. I have a standard procedure in cases like this. Download the latest versions. Did that now for both SageTV Client & SageTV Server. Installed them on a virtual machine. Copied out the following two files from virtual machine:
» SageTV.exe (from Server installation)
» SageTVClient.exe (from Client installation)

Then upload/ran them through VirusTotal web service:
» SageTV.exe report (1 positive of 43 scanners - ClamAV)
» SageTVClient.exe report (3 positive of 43 scanners - ClamAV, Kaspersky, Panda)
This is a free web service with 43 virus/security products with up-to-date def/dat files. It scans the file you send through them all and gives a report. URL link in lines above.

If I experienced this myself (using ESET Smart Security), I would log a false-positive request against my vendor. At the same time do re-analyzing on VirusTotal service as def/dat files are updated. See if the hit-rate gets larger. If suddenly I got 10, or more, positive hits. I would start to worry, look if hits are identifying common type, and find out what properties the thing identified has.

With all the heuristic scanning going on in AV products, it is not uncommon getting false-positive these days. And boy is it fun when they even manage to make a false-positive on a vital Windows system file and quarantine it (McAfee vs. Intel). Guess McAfee probably downsize'd some QA process to increase margins Talk about return on investment

[Serra]

Quote:

Originally Posted by voidpt

I would give it a 98,999% certainty of false-positive.

Given that, I'd agree... now to figure out how to get Kaspersky to allow me to download it...

[voidpt]

Quote:

Originally Posted by Serra

how to get Kaspersky to allow me to download it...

Not used Kaspersky myself. But isn't there a "temporary-disable" option on it ? Just to get the file downloaded. Install SageTV Client. Enable Kaspersky again. Figure out an exception rule on SageTV directory. And at that point, do a full virus scan on machine, just to see nothing slipped through.

[Serra]

Quote:

Originally Posted by voidpt

Not used Kaspersky myself. But isn't there a "temporary-disable" option on it ? Just to get the file downloaded. Install SageTV Client. Enable Kaspersky again. Figure out an exception rule on SageTV directory. And at that point, do a full virus scan on machine, just to see nothing slipped through.

Yes, I downloaded it with it disabled. Then I set the sage folder as an exception. That seems to have done the trick. As far as I can tell, there is no way to download it without disabling Kaspersky!

[Zone99]

I got the same thing with ZoneAlarm. Then it quarantined it.

I'm surprised there aren't more complaints about it.

[Skirge01]

Quote:

Originally Posted by Zone99

I got the same thing with ZoneAlarm. Then it quarantined it.

I'm surprised there aren't more complaints about it.

We're tech savvy, we don't need to stinking anti-virus. In all seriousness, I usually don't on computers only I use, but on my SageTV client, I moved away from ZoneAlarm many years ago and I never cared for Kaspersky. I used AVG for quite some time, but moved away from that, as well, a number of years ago. At this point in time, I'm using MS Security Essentials and it works fine.

[Serra]

Quote:

Originally Posted by Skirge01

We're tech savvy, we don't need to stinking anti-virus. In all seriousness, I usually don't on computers only I use, but on my SageTV client, I moved away from ZoneAlarm many years ago and I never cared for Kaspersky. I used AVG for quite some time, but moved away from that, as well, a number of years ago. At this point in time, I'm using MS Security Essentials and it works fine.

Yea, I liked ZA back in the day, but it simply became too disruptive and I moved to a hardware firewall.

Your level of virus blocking really depends on what the PC is for. I don't have virus blockers on some of my PCs, don't need them. On my work PC and my son's PC, I use Kaspersky as it is the best I've found.

I can't really take any chances with my work PC, if it goes down, I can't make a living.

[Narflex]

Thanks for the info; we're contacting ZoneAlarm and Kaspersky about this. You can be 100% sure this is a false positive. There are no viruses in the software that we distribute.

[Serra]

Thanks for confirming that for us. For anyone that lost their sagetv.exe file, just do a reinstall and say "Repair" and it will just put the file back without any other changes.

[Taddeusz]

This kind of thing is one reason why signature based A/V is outdated.

[impro]

Quote:

Originally Posted by Narflex

Thanks for the info; we're contacting ZoneAlarm and Kaspersky about this. You can be 100% sure this is a false positive. There are no viruses in the software that we distribute.

I am not saying that sage froze my computer.
I am sure it is Kaspersky while trying to clean it.
The strange thing is sageclient.exe was already setup as a trusted application.

Let us know in here when Kaspersky resolves the issue so I can install sageclient again.

[hedly]

I have Symantec on one computer and Windows Essentials on two others and neither of them have had any issues.

[Fuzzy]

Meh, yet another reason I don't waste my CPU resources with anti-virus software.. I mean, why NOT run every single IO process through 2 or 3 extra checks, that ultimately, will get defeated at some point.