Q&A Is "VBS/KillAV.NAI" a real threat or false positive ?

JB007

Hello,
Yesterday I used "KAV Removal Tool" because, after uninstalling Kaspersky Security Cloud 2 months ago, I want to be sure that the uninstallation was complete.
During the run of "KAV Removal Tool" ESET Smart Security Premium detected and quarantined a threat: "VBS/KillAV.NAI"
Do you think that it is a real threat or it is a false positive?


blackice


It looks like it’s detecting the script from the tool as an attempt to kill the AV by malware. Probably a false positive, but worth further investigation.
 

ForgottenSeer 94654

Submit the file to ESET and ask them about it.
 

struppigel


Hello JB007,

KillAV as a detection name means it detects programs that remove, delete, kill or disable antivirus software.
Your removal tool does exactly that. In this case it is nothing to worry about because you actually want to remove your antivirus software with it.

Best regards!
Karsten
 

JB007

Thanks @struppigel, but it is strange that ESET is the only AV to detect this kind of action.
 

cruelsister

Actually Ikarus, which kinda-sorta uses the ESET database, will also flag it (no others do). Curiously the previous versions of unkis script (prior to 2022 which also called up netcfg.exe) were not detected by ESET, but this one has been. One would have thought that they would have been made aware of the FP.
 

struppigel

Well, it is still a false positive. Even though the detected behavior (removal of AV) is exactly what they intended to detect, a legitimate uninstaller must not be detected as malware.
This is a difficulty in general with malware detection, that the very same behaviors can be malicious or benign based on the context.