KVRT found not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen

[simmerskool]

had not used kaspersky kvrt in many months, ran a scan tonight and it found not-a-virus:HEUR:RemoteAdmin.Win32.ConnectWise.gen in reference to ScreenConnect.ClientService.exe
"Legal software that can be used by criminals to damage your computer or personal data"
The file is located in
C:\Users\*****\AppData\Local\Apps\2.0\long directory name with numerical characters...\...\ (seeing nothing to help me figure out how it got there)
SHA256: 7324F196699CE2761418AB97CE7C718F3F9EBC0634CB03E71FE6FC2668472969
three(3) av at VT say it's bad, including kaspersky. KVRT offers to quarantine it, but my "concern" I have no idea what other software uses it, could use it, and perhaps it is legit and I end up breaking something. Also wonder if it is part of a tool I use? Also wonder why kvrt is the only scanner to find it or rather warn about it. I don't seem to be infected. I read a little about "not-a-virus" all I get out of it is it could be good, it could be bad. I am not familiar how to undo a kvrt quarantine if this turns out good since kvrt is not installed and updates itself often from what I recall about it.

Edit & update: upon further "research" I ran KVRT again, and let it quarantine the 2 suspicious finds. I now see that KVRT keeps its data (old scan info) in a different c\ location than its .exe

 

[nasdaq]

Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

In order to give your sound advice I need more information.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section in the bottom of the topic Select Click the Attach Files.
Navigate to the location of the File.
Click the file. It will appear in the reply section.
Click the Post Reply button.

Please post the logs for my review.

Let me know what problems persists.

Wait for further instructions

 

[simmerskool]

Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

In order to give your sound advice I need more information.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section in the bottom of the topic Select Click the Attach Files.
Navigate to the location of the File.
Click the file. It will appear in the reply section.
Click the Post Reply button.

Please post the logs for my review.

Let me know what problems persists.

Wait for further instructions

Thanks for your reply. Apologize that I did not read all the pinned posts, ie, the one about using FRST, but I did read some of them...
Meanwhile in MS Edge, the FRST download is blocked by Defender Smart Screen, so I did a work around to download it to desktop as requested. Then I scanned it with Voodooshield, and VS did not like it, so I asked VirusTotal to scan it, and 6 av vendors found it malicious. Since I am "merely" trying to clarify if the Kaspersky KVRT scan finding not-a-virus... should be quarantined, or is a false positive to be ignored, downloading a file, FRST64.exe sha256= 64d020c37c5baffd5e7c395d8cfb8d5f0f77864e26a4591182f19fb0ad201e32 that has more red flags than the file I'm originally suspicious of, further complicates the question (for me), ie, the cure is potentially worse than the not-a-virus disease. I'll research the question another way.

 

[nasdaq]

Hi,

I understand all of it but you must trust it.

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.

 

[simmerskool]

Hi,

I understand all of it but you must trust it.

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.

thanks again, once that I saw that kvrt exe stores its detection info in another directory, I re-ran kvrt and quarantined the 2 related not-a-virus that it detected. I'm not seeing any ill-effect due to quarantine. I'm still working out some minor 'kinks" on my win10 pro. (I have run FRST in the distant past)

 

[nasdaq]

Do you still need assistance?