Assigned Kaspersky Marked Zemana as Malware!

[omidomi]

If Kaspersky isn't removing its detection against ZAM, then can it be that it's really a true detection?

today , here is not problem, but yesterday yes!
amazing thing is : today many of MH users (Hitman pro detected zemana as malware for them...) got this issue but for me no
you can see here:
https://malwaretips.com/posts/551730/
I do't think true detection, but Dr.Web also Detected Zemana as malware(its 3 or 4 weeks until now) and my concern is...

 

[Der.Reisende]

I had ZAL mark Emsisoft as malware today.

This seems to been fixed, nice

Spoiler: ZAL scan results deep scan

Since yesterday I'm getting the same issue, I already reported (yesterday) it as False Positive to KL VirusDesk, still waiting for an answer...

Great job, thank you!

 

[Evjl's Rain]

same for avira

 

[XhenEd]

@TwinHeadedEagle
Any thoughts about this?

 

[harlan4096]

This could have a thought, as it seems 1st firm in detected ZAM was Kaspersky, the others which are also detecting now it after 2 days just copied the detection

Just joking I know this is not true, because some detections are generic, others heur and others specific...

 

[DardiM]

I use KIS 2017(b)+ Zemana Anti Malware 2.50.133
Hitman Pro uses Kaspersky engine,today many of MH users got Fp (hitman pro detected Zemana as malware),why you said not problem with Kaspersky and zemana
https://malwaretips.com/threads/8-10-16-4.64264/
see here also:
http://whitelisting.kaspersky.com/advisor#search/6ba102896e1569693188362e50065163

"why you said not problem with Kaspersky and zemana "

=> I said that I haven't got this problem on My PC, not said that nobody has this problem

That is why it looked strange ...

So I tried to understand, and the result is :

ZAM shows me 2.50.2.133 version, but it seems KTS auto put in quarantine the zam update exe prog (update_{DB10CABC-BE6B-4CE1-BB97-91A2C4701577}.exe) and kept the old zam.exe. That is why on my precedent post, on the picture the date seen was from 04/10/2016​

​

 

[omidomi]

"why you said not problem with Kaspersky and zemana "

=> I said that I haven't got this problem on My PC, not said that nobody has this problem

That is why it looked strange ...

So I tried to understand, and the result is :

View attachment 117723

ZAM shows me 2.50.133 version, but it seems KTS auto put in quarantine the zam update exe prog (update_{DB10CABC-BE6B-4CE1-BB97-91A2C4701577}.exe) and kept the old zam.exe. That is why on my precedent post, on the picture the date seen was from 04/10/2016​

View attachment 117722​

oops you are right, yup its my fault, sorry my english is not good
btw:its strange your Kaspersky is different from the other
this is why I suspected to GEO problem

 

[DardiM]

oops you are right, yup its my fault, sorry my english is not good
btw:its strange your Kaspersky is different from the other

In fact, i think only the setting change (not default setting), no "infection" but in this case, it have directly put in quarantine the updater, so Zam kept the good "old" zam.exe (but changes the version number in the gui lol)

 

[uninfected1]

I just have scanned the installation package again and HMP says it is clean.
Issue looks to be solved now.

Not solved for me unfortunately. HitmanPro still detecting ZAL as malware (picking up Kaspersky's findings I guess). So what's the general consensus? FP (malicious or otherwise) or is there a ZAL problem?

 

[mlnevese]

I would say that the most likely explanation is that Zemana has an unencrypted malware pattern in their latest update and THAT is what is being recognized by other security software. It would not be the first time a security program makes a mistake like this.

 

[XhenEd]

What surprises me more right now is not that Zemana is (falsely) detected, but that the AVs detecting it are not removing the detection up to now.

It's my belief that FPs must be addressed as soon as possible because in the first place FPs are not malicious and therefore should not be detected and deleted.

 

[mlnevese]

What surprises me more right now is not that Zemana is (falsely) detected, but that the AVs detecting it are still not removing the detection up to now.

It's my belief that FPs must be addressed as soon as possible because in the first place FPs are not malicious and therefore should not be detected and deleted.

If the other vendors are detecting an unencrypted malware pattern in Zemana, as I believe, then it's Zemana who must fix their software, not the other vendors.

 

[XhenEd]

If the other vendors are detecting an unencrypted malware pattern in Zemana, as I believe, then it's Zemana who must fix their software, not the other vendors.

That's why there's a possibility that the detection is a true detection, which might explain the AVs' refusal to remove the detection.

 

[Ana_Filiz]

If the other vendors are detecting an unencrypted malware pattern in Zemana, as I believe, then it's Zemana who must fix their software, not the other vendors.

What is this unencrypted malware pattern?

 

[harlan4096]

I reclaimed some hours ago the final verdict to Kaspersky and still no answer...

 

[mlnevese]

What is this unencrypted malware pattern?

Antivirus software does not store entire viruses in their databases for recognition as it would make the databases easily go over a terabyte in size. They use patterns long enough to allow the malware to be recognized but not dangerous at all and even those are usually encrypted.

 

[Ink]

Only version 2.50.204.133 of ZAM.exe detected.

Previous version 2.50.2xxx.xxx
http://whitelisting.kaspersky.com/advisor#search/0x4A70D3D04C11948712B0D536AE61E088
https://virustotal.com/en/file/5b50...97bca1eb5e9176af526a6151/analysis/1476020545/ (Definitions may differ per system)

Current version 2.50.204.133
http://whitelisting.kaspersky.com/advisor#search/0x6BA102896E1569693188362E50065163
https://virustotal.com/en/file/6552...daaa1006dfe08358de77fe73/analysis/1476020872/ (Definitions may differ per system)

If you can't beat them, destroy them.

 

[DardiM]

To make some tests :

​

1) I restored my system from a backup created the 14/09/2017 (dd/mm/yy) :

=> ZAM 2.30.2.75

I installed a clean version of KTS 2017 : all setting by default

=> Updating ZAM to 2.50.2.133 version didn't show any report by KTS

- KSN => all ok
- Scan zam.exe => no pb detected
- Kaspersky Application Advisor see : Trojan.Win32.Delf.efbx

So I realy don't understand, lol

Previously, it was directly the updater file that KTS put in quarantine...

Will try with the settings I usually use.

A right click on zam.exe to open the contextual menu makes KTS seems working hard on it, and the contextual menu appears almost up to 25 s after... (it opens immediately on other security exe / files)

=> With Kaspersky deactivated : instant pop of the contextual menu​

2) New Restoration of my system :

=> ZAM 2.30.2.75 : the contextual menu appears immediately (with KTS 2017 protection activated)
​

3) With another tools :

Spoiler: VoodooShield

VoodooShield Pro :
- one prompt for the updater .exe file :



- one prompt for the .tmp file created for installation, but saying it detects it as a safe file :

​

Spoiler: Crystal Security

File: C:\Users\DardiM\AppData\Local\Zemana\Zemana AntiMalware\update_{0A6BE1FB-B623-4C53-B931-6DD80B5BEE3E}.exe
Hash: f2670cb6953793a8ee1ccb3f06c7c903

Detections:
2/56
Kaspersky: UDSangerousObject.Multi.Generic
AegisLab: Uds.Dangerousobject.Multi!c
...
...
Threat score: 3,6%
Overall: Safe​

​

4 ) Personal conclusion :

- False positive
- Don't update it if your are not "sure" and want to wait a Kaspersky / ZAM official answer/correction​

 

[omidomi]

Only version 2.50.204.133 of ZAM.exe detected.

Previous version 2.50.2xxx.xxx
http://whitelisting.kaspersky.com/advisor#search/0x4A70D3D04C11948712B0D536AE61E088
https://virustotal.com/en/file/5b50...97bca1eb5e9176af526a6151/analysis/1476020545/ (Definitions may differ per system)

Current version 2.50.204.133
http://whitelisting.kaspersky.com/advisor#search/0x6BA102896E1569693188362E50065163
https://virustotal.com/en/file/6552...daaa1006dfe08358de77fe73/analysis/1476020872/ (Definitions may differ per system)

If you can't beat them, destroy them.

we never see Kaspersky detected in virus total but...
btw: Dr.Web detected both of them but in second link we never see detection from them

 

[Bergo]

Avira AV Pro detected as malware.....
Wtf!!