Kerish Doctor is detected as malware by Emsisoft

Divine_Barakah

Level 33
Thread author
Verified
Top Poster
Well-known
May 10, 2019
2,289
Hello,


Yesterday, I was installing Kerish Doctor and Emsisoft did throw a couple of alerts (I have configured Emsisoft behaviour protection to Alert). The alerts I received are listed below.

Behavior Blocker detected suspicious behavior in C:\Users\USER\AppData\Local\Temp\is-TIET8.tmp\Kerish_Doctor_4.90.tmp

Behavior Blocker detected suspicious behavior in C:\Windows\system32\inpout32.dll

Behavior Blocker detected suspicious behavior in C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe

I know sometimes Emsisoft behaviour protection can be aggressive, but it is not the first time Kerish Doctor gets detected. In the past Bullguard detected it as malicious, too. Any ideas?
 

Divine_Barakah

To get it resolved it is best to contact Emsisoft support.
I have contacted Emsisoft support, but I still have not got a reply. They requested that I upload the sample from Quarantine, but that kept failing. I have also contacted Kerish Doctor support and here is their reply.

Your antivirus is reporting a false positive. We provide a 100% guarantee that our software contains no malware or adware, which can be confirmed by the results of an analysis by VirusTotal.com. All executable files of our software are signed with a secure digital signature, which guarantees their safety.

We have already contacted the developers of the antivirus in order to eliminate the false positive as soon as possible.
Until then, you can add the following paths to the antivirus exclusion list:

For Windows 11/10/8 (8.1)/7/Vista:
1) C:\ProgramData\Kerish Products
2) C:\Program Files (x86)\Kerish Doctor
(or another folder where the application is installed)

For Windows XP:
1) C:\Documents and Settings\All Users\Kerish Products
2) C:\Program Files\Kerish Doctor
(or another folder where the application is installed)

--
Sincerely, Kerish Products Technical Support.
support@kerish.org
www.kerish.org

Personally, I would not add it to exclusions and I believe it is the Kerish Doctor developers' responsibility to fix this. Their programme must be behaving in a way that triggers behavioural protection, right?
 
Last edited:
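
A check that can be run before acting on the exclusion advice quoted in the post above (an added example, not from the thread, Emsisoft or Kerish Products): it reports the Authenticode status, signer and SHA-256 of the installed files named in the alerts, so the "signed" claim and any VirusTotal lookup refer to the exact files on disk. The SysWOW64 path is an assumption added here, because on 64-bit Windows a 32-bit installer's writes to system32 are redirected there; `Get-FileTrustReport` is a hypothetical helper name.

```powershell
# Added example. Paths are the ones named in the Emsisoft alerts;
# adjust them if the application is installed elsewhere.
$paths = @(
    'C:\Windows\system32\inpout32.dll',
    'C:\Windows\SysWOW64\inpout32.dll',   # assumption: WOW64 redirection target
    'C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe'
)

function Get-FileTrustReport {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        # Report missing files explicitly instead of failing on them.
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{
                Path = $p; Exists = $false
                SignatureStatus = $null; Signer = $null; SHA256 = $null
            }
            continue
        }

        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $cert   = $sig.SignerCertificate
        $signer = if ($cert) { $cert.Subject } else { $null }

        [pscustomobject]@{
            Path            = $p
            Exists          = $true
            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
            SignatureStatus = $sig.Status
            Signer          = $signer
            # Hash to compare with the one shown on the VirusTotal report
            SHA256          = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

Get-FileTrustReport -Path $paths | Format-List
```

A `Valid` status confirms who published the file and that it has not been modified since signing; it says nothing about what the code does at runtime, which is what a behaviour blocker evaluates.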

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
The detection was not triggered by a signature. It was the behaviour protection module that alerted me, so it makes no sense to check VT for such detection, right?
Yeah that makes sense, never heard that emsi bb was aggressive at all though

Just uploaded the vt for ppl to see VirusTotal

3 rep vendors detect the exe, so yeah waiting for emsi to answer is the way to go
 

Divine_Barakah

I still have not received a reply from Emsisoft, but Kerish Doctor support replied.

C:\Windows\system32\inpout32.dll is one of the components of Kerish Doctor.

Here is a check of the inpout32.dll file, which the game developers say about 69 existing antiviruses in the world: VirusTotal

This library has existed for 8 years since 2010 and is used in a wide variety of software that need access to work with ports. For example, our program uses it to poll devices in order to obtain their temperatures.
 

Divine_Barakah

ESET’s detection is correct. Last time I tried Kerish Doctor and I experienced BSOD.

Also, people should avoid using 3rd party PC "optimization" programs.
I restored a full system image and I am not installing Kerish Doctor. Their support have not answered my question the way I expected them to.

ESET also detected Kerish Doctor, but allowed option to ignore
ESET is detecting it as a PUP. In my case it triggered Emsisoft BB, and that concerned me.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Since it was detected by behavior blocker, it was just a false positive in my opinion. Utility software often interferes deeply into the system with all the scanning, cleaning aka deleting files etc., which some malware also does, so Emsisoft notified you just in case
The fact Emsisoft corrected the mistake proves more than enough that it was, indeed that, a mistake.
 

Divine_Barakah

The reason why KD was flagged as PUA can be found here (AppEsteem - Deceptor List).
Thanks for the link. I read it yesterday and I agree the detection as PUP is justified.
Since it was detected by behavior blocker, it was just a false positive in my opinion. Utility software often interferes deeply into the system with all the scanning, cleaning aka deleting files etc., which some malware also does, so Emsisoft notified you just in case
Yes this is the case, but for me it is no longer needed. In case sth wrong happens to my system, I simply restore a system image rather than fixing issues or depending on a programme to fix that.
The fact Emsisoft corrected the mistake proves more than enough that it was, indeed that, a mistake.
At first, they asked me to add it to exclusions, but it seems they fixed the detection. Honestly, I did not check.
 

Lavamate

Level 1
Sep 2, 2022
18
It looks like it is no longer recognized by F-Secure and Symantec. According to all the information that has become known to us, I think it was all just a false alarm.
Possibly it has also something to do with his Russian origin?

Screenshot 2023-01-22 at 02-37-53 VirusTotal - File - ea862031f0afcc175acc97c34c63cd6560ef49c9...png
 
