Advice Request: Is "VBS/KillAV.NAI" a real threat or false positive?


JB007

Hello,
Yesterday I used "KAV Removal Tool" because, after uninstalling Kaspersky Security Cloud 2 months ago, I want to be sure that the uninstallation was complete.
During the run of "KAV Removal Tool" ESET Smart Security Premium detected and quarantined a threat: "VBS/KillAV.NAI"
Do you think that it is a real threat or it is a false positive?

 

blackice

It looks like it’s detecting the script from the tool as an attempt to kill the AV by malware. Probably a false positive, but worth further investigation.
 

ForgottenSeer 94654

Submit the file to ESET and ask them about it.
 

struppigel

Hello JB007,

KillAV as a detection name means it detects programs that remove, delete, kill or disable antivirus software.
Your removal tool does exactly that. In this case it is nothing to worry about because you actually want to remove your antivirus software with it.

Best regards!
Karsten
 

JB007

Thanks @struppigel, but it is strange that ESET is the only AV to detect this kind of action.
 

cruelsister

Actually Ikarus, which kinda=sorta uses the ESET database, will also flag it (no others do). Curiously the previous versions of unkis script (prior to 2022 which also called up netcfg.exe) were not detected by ESET, but this one has been. One would have thought that they would have been made aware of the FP.
 

struppigel

Well, it is still a false positive. Even though the detected behavior (removal of AV) is exactly what they intended to detect, a legitimate uninstaller must not be detected as malware.
This is a difficulty in general with malware detection, that the very same behaviors can be malicious or benign based on the context.
 
