Advice Request Kaspersky suddenly detected setup files of legit software


Status
Not open for further replies.

Dhruv2193

Level 10
Thread author
Verified
Well-known
Nov 7, 2016
468
On the laptop of one of my family members, Kaspersky was installed, and today it suddenly started detecting setups of legit programs like Kerish Doctor, IDM, GOM Player as win.32.sality.gen. It disinfected them, but it did not detect them for a week.
Update: Kaspersky was right in detecting the files, as they were infected.
 


Local Host

Could be legit,

Virus:Win32/Sality.gen!Q is a generic detection for a virus that spreads by infecting Windows executable files and by copying itself to removable and remote drives. It also terminates various security products, prevents certain Windows utilities from executing and attempts to download additional files from a predefined remote Web server.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
On the laptop of one of my family members, Kaspersky was installed, and today it suddenly started detecting setups of legit programs like Kerish Doctor, IDM, GOM Player as win.32.sality.gen. It disinfected them, but it did not detect them for 1 week. Your thoughts?

I think you should check/scan your PC with some 3rd party app (like HitmanPro, Norton Power Eraser, Emsisoft Emergency Kit...)
 

Dhruv2193

Level 10
Thread author
Verified
Well-known
Nov 7, 2016
468
Will do the same and reply about the result.

I scanned with Malwarebytes; it did not find any threat, but Zemana did - the same malware. Maybe malware really infected the setup. I also got a reply from Kaspersky that it was not a false detection.
 

CoherentCrayon

Level 4
Verified
Jun 23, 2017
183
I scanned with Malwarebytes; it did not find any threat, but Zemana did - the same malware. Maybe malware really infected the setup. I also got a reply from Kaspersky that it was not a false detection.
I would have scanned with HitmanPro also to make sure you have no virus on your computer (it seems like you have a virus which infects your files?). Also you need to enable rootkit scanning in the Malwarebytes options for it to scan for rootkits.

/steel9
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,400
On the CCleaner infection hype, some antivirus detected the installer as malware right before the news about it went viral. What I mean is: if it happened to CCleaner, there's no reason why more people couldn't go attacking these kinds of companies. It's most likely to be malware that infected those files, but it's a possibility those servers were compromised. Just an opinion.
 

Transhumana

Level 6
Verified
Well-known
Jul 6, 2017
271
If malware infected files, would it change its hash? If so, you could compare the hash of the legit setup file and the infected one on the computer. If it's different, then malware might have infected the file after it was downloaded. If it's the same, could it be that it was already infected when it was downloaded from the server?
I'm not sure if it makes sense, and if it doesn't please correct me.
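
The hash comparison raised in the post above, as an added example that is not part of the original thread: it records SHA-256 hashes of the installers in a folder right after download and later reports which files changed on disk. The function names, file names and sample bytes are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record_baseline(folder, manifest_path):
    """Store name -> SHA-256 for every .exe in folder (run right after download)."""
    baseline = {p.name: sha256_file(p) for p in sorted(Path(folder).glob("*.exe"))}
    Path(manifest_path).write_text(json.dumps(baseline, indent=2))
    return baseline

def check_against_baseline(folder, manifest_path):
    """Return {name: status}; status is unchanged, modified, missing or new."""
    baseline = json.loads(Path(manifest_path).read_text())
    current = {p.name: sha256_file(p) for p in Path(folder).glob("*.exe")}
    report = {}
    for name, old_hash in baseline.items():
        if name not in current:
            report[name] = "missing"
        else:
            report[name] = "unchanged" if current[name] == old_hash else "modified"
    for name in current.keys() - baseline.keys():
        report[name] = "new"
    return report

def demo():
    """Constructed sample: two placeholder installers, one altered after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "player_setup.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (folder / "tool_setup.exe").write_bytes(b"MZ" + b"\x01" * 64)
        manifest = folder / "baseline.json"  # not an .exe, so it is not hashed
        record_baseline(folder, manifest)
        # Simulate any later on-disk change to one installer.
        with open(folder / "tool_setup.exe", "ab") as fh:
            fh.write(b"appended bytes")
        return check_against_baseline(folder, manifest)

if __name__ == "__main__":
    print(demo())
```

A "modified" result only shows that the bytes changed after the baseline was taken; an unchanged hash says nothing about whether the file was clean when it was first recorded, so the baseline is best compared with a hash published by the vendor where one exists.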
 

Local Host

If malware infected files, would it change its hash? If so, you could compare the hash of the legit setup file and the infected one on the computer. If it's different, then malware might have infected the file after it was downloaded. If it's the same, could it be that it was already infected when it was downloaded from the server?
I'm not sure if it makes sense, and if it doesn't please correct me.
It was detected days after it was downloaded according to OP, so it's safe to say the file was infected after and didn't come from the server infected. Not to mention Win32/Sality.gen is a known variant, so it would be detected the moment he tried to download the files.
 

brambedkar59

Level 29
Verified
Top Poster
Well-known
Apr 16, 2017
1,875
On the laptop of one of my family members, Kaspersky was installed, and today it suddenly started detecting setups of legit programs like Kerish Doctor, IDM, GOM Player as win.32.sality.gen. It disinfected them, but it did not detect them for a week.
Update: Kaspersky was right in detecting the files, as they were infected.
Did you insert any USB drive in that device at that time? It's a pretty nasty infection. Even if Kaspersky has removed the malware, I would suggest you open a thread in malware removal too, just to be sure.
 