Kerish Doctor is detected as malware by Emsisoft

Divine_Barakah

Level 29
Thread author
Verified
Top Poster
Well-known
May 10, 2019
1,854
Hello,


Yesterday, I was installing Kerish Doctor and Emsisoft did throw a couple of alerts (I have configured Emsisoft behaviour protection to Alert). The alerts I receieved are listed below.

Behavior Blocker detected suspicious behavior in C:\Users\USER\AppData\Local\Temp\is-TIET8.tmp\Kerish_Doctor_4.90.tmp

Behavior Blocker detected suspicious behavior in C:\Windows\system32\inpout32.dll

Behavior Blocker detected suspicious behavior in C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe

I know sometimes Emsisoft behaviour protection can be aggressive, but it is not the first time Kerish Doctor gets detected. In the past Bullguard detected it as malicious, too. Any ideas?
 

Divine_Barakah

Level 29
Thread author
Verified
Top Poster
Well-known
May 10, 2019
1,854
To get it resolved it is best to contact Emisoft support.
I have contacted Emsisoft support, but I still have not got a reply. They requested that I upload the sample from Quarantine, but that kept failing. I have also contacted Kerish Doctor support and here is their reply.

Your antivirus is reporting a false positive. We provide a 100% guarantee that our software contains no malware or adware, which can be confirmed by the results of an analysis by VirusTotal.com. All executable files of our software are signed with a secure digital signature, which guarantees their safety.

We have already contacted the developers of the antivirus in order to eliminate the false positive as soon as possible.
Until then, you can add the following paths to the antivirus exclusion list:

For Windows 11/10/8 (8.1)/7/Vista:
1) C:\ProgramData\Kerish Products
2) C:\Program Files (x86)\Kerish Doctor
(or another folder where the application is installed)

For Windows XP:
1) C:\Documents and Settings\All Users\Kerish Products
2) C:\Program Files\Kerish Doctor
(or another folder where the application is installed)

--
Sincerely, Kerish Products Technical Support.
support@kerish.org
www.kerish.org

Personally, I would not add it to exclusions and I believe it is Kerish Doctor devlopers responsibility to fix this. Their programme must be behaving in a way that triggers behavioual protection, right?
 
Last edited:

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,602
The detection was not triggered by a signature. It was the behaviour protection module that alerted me, so it makes no sense to check VT for such detection, right?
Yeah that makes sense, never heard that emsi bb was agressive at all though

Just uploaded the vt for ppl to see VirusTotal

3 rep vendors detect the exe, so yeah waiting for emsi to answer is the way to go
 

Divine_Barakah

Level 29
Thread author
Verified
Top Poster
Well-known
May 10, 2019
1,854
I still have not received a reply from Emsisoft, but Kerish Doctor support replied.

C:\Windows\system32\inpout32.dll is one of the components of Kerish Doctor.

Here is a check of the inpout32.dll file, which the game developers say about 69 existing antiviruses in the world: VirusTotal

This library has existed for 8 years since 2010 and is used in a wide variety of software that need access to work with ports. For example, our program uses it to poll devices in order to obtain their temperatures.
 
  • Like
Reactions: franz

Divine_Barakah

Level 29
Thread author
Verified
Top Poster
Well-known
May 10, 2019
1,854
ESET’s detection is correct. Last time I tried Kerish Doctor and I experienced BSOD.

Also, people should avoid using 3rd party PC "optimization" programs.
I restored a full system image and I am not installing Kerish Doctor. Their support have not answered my question the way I expected them to.

ESET also detected kerish doctor ,but allowed option to ignore
Eset is detecting it as a PUP. In my case it triggered Emsisoft BB, and that concerned me.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
Since it was detected by behavior blocker, it was just a false positive in my opinion. Utility software often interfere deeply into the system with all the scanning, cleaning aka deleting files etc., which some malware also do, so Emsisoft notified you just in case
The fact Emsisoft corrected the mistake proofs more than enough that it was, indeed that, a mistake.
 

Divine_Barakah

Level 29
Thread author
Verified
Top Poster
Well-known
May 10, 2019
1,854
The reason why KD was flagged as PUA can be found here (AppEsteem - Deceptor List).
Thanks for the link. I read it yesterday and I agree the detection as PUP is justified.
Since it was detected by behavior blocker, it was just a false positive in my opinion. Utility software often interfere deeply into the system with all the scanning, cleaning aka deleting files etc., which some malware also do, so Emsisoft notified you just in case
Yes this is the case, but for me it is no longer needed. In case sth wrong happens to my system, I simply restore a system image rather than fixing issues or depending on a programme to fix that.
The fact Emsisoft corrected the mistake proofs more than enough that it was, indeed that, a mistake.
At first, they asked me to add it to exclusions, but it seems to fixed the detection. Honestly, I did not check.
 

Lavamate

Level 1
Sep 2, 2022
15
It looks like it is no longer recognized by F-Secure and Symantec. According to all the information that has become known to us, i think it was all just a false alarm.
Possibly it has also something to do with his Russian origin?

Screenshot 2023-01-22 at 02-37-53 VirusTotal - File - ea862031f0afcc175acc97c34c63cd6560ef49c9...png
 
Last edited by a moderator:
  • Applause
  • Like
Reactions: Nevi and dinosaur07

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top