Q&A Need urgent advice on "Mr.Santa Checker is attempting to establish outgoing TCP"

Rebsat (thread author)
Dears, I hope you are doing very well. I need urgent advice on the following case. Yesterday, I installed Kaspersky Internet Security 2021 and tweaked the settings based on Soulbound's and rndmblk's settings (adaptable). I also made a change and set Application Control to High Restricted, which was suggested by rndmblk. Later, I couldn't wait any longer and tried to test the power of this configuration against phishing URLs and malware. I visited some malicious sites and downloaded a setup file, and KIS didn't show me a pop-up window to block it once I saved it on my desktop. Next, I scanned the setup file via right click --> Scan for viruses, but KIS detected nothing. The last step was to open the file by double-clicking it. Based on the screenshot, I did a reputation check in KSN: first appeared 4 days ago, so it seems to be new/fresh malware, or maybe ransomware.

Solution Needed:
First, no matter how many times I clicked on Block, that pop-up window message keeps coming back...
What steps should I take in order to effectively block the setup file from making any other connection and prevent it from infecting my laptop? Thanks.
1. Create rule based on action --> and then Block
OR
2. Apply always --> and then Block

Fortunately, my files, folders, new text document, pictures and videos are all still safe... Big thanks to @harlan4096, @Soulbound and @rndmblk for your original work and amazing Kaspersky config.

@harlan4096 I would greatly appreciate it if you could assist me on this, bro. Thank you very much for always supporting everyone at MalwareTips :) and in case you need the setup file uploaded for further analysis, just let me know and it will be done.


[Attachment: Mr.Santa.png]

Rebsat (thread author)
My brother... were you live testing malware on your actual system?

Just delete the parent file...
You were right, bro, and I was wrong. It was only once, but I am at a high level of computer knowledge/skills, and I really wanted to test the strength and power of Kaspersky Internet Security with the tweaked settings from MalwareTips.

What do you mean by "Just delete the parent file..."? Deleting the setup file and nothing else?
What about that pop-up window message for establishing an outgoing TCP connection? I need an action.
Btw, thank you a ton, bro. Your feedback is always appreciated.

RoboMan
Rebsat said:
You were right, bro, but I had real trust in the strength of Kaspersky through customized configs.
What do you mean by "Just delete the parent file..."? Deleting the setup file and nothing else?
What about that pop-up window message for establishing an outgoing TCP connection? I need an action.
Btw, thank you a ton, bro. Your feedback is always appreciated.
Never test malware on your live system. If you want to test a product's capabilities, set up a virtual machine and install the product there. Be sure to configure it correctly so that nothing can escape. Search on YouTube for "how to set up a Windows VM".

As for your question, just apply a "block action", then head to the path where the file is located (the Downloads folder, as I can see) and delete it. The firewall's message regarding an outgoing connection is a consequence of the execution of the aforementioned file. As long as it didn't fully execute, no child process should have been created and no system interaction should have started. Deleting the file should do it.

Also, if this is real unsigned malware and you made it this far, it means you haven't correctly configured Kaspersky's Application Control. You might want to check that out; there are several threads on that module.

harlan4096 (Moderator, Malware Hunter)
Also, check in Application Control which group that Setup.exe is in... just manually move it to Untrusted (if it is still in a different trust group); that will imply blocking its execution/network access. If it is still running, manually kill Setup.exe (via Windows Task Manager), then delete it as @RoboMan already commented :)

If there are still issues, THEN: Windows Malware Removal Help & Support
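The two answers above describe one manual procedure: confirm whether the installer is still running and what it spawned, see whether it owns the outgoing TCP connection the firewall prompt complained about, kill it, then delete the parent file. The PowerShell script below is an added example of that triage and containment, not code from the thread or from Kaspersky; the process name `Setup` and the path `$env:USERPROFILE\Downloads\Setup.exe` are assumptions, and it should be run from an elevated prompt. It records the file's SHA256 and Authenticode status first, because RoboMan's point about "real unsigned malware" is cheap to verify before the evidence is deleted.

```powershell
# Added example (not from the thread): triage and contain a suspicious
# installer on a live Windows host, following the steps RoboMan and
# harlan4096 describe. Process name and file path are assumptions.
# Run from an elevated PowerShell prompt.
param(
    [string]$ProcessName = 'Setup',                                 # assumed, without ".exe"
    [string]$FilePath    = "$env:USERPROFILE\Downloads\Setup.exe"   # assumed location
)

# 1. Record what the file is before touching it: a hash for a later KSN/VT
#    lookup and the signature status (an unsigned installer from a random
#    site deserves more suspicion than a signed one).
if (Test-Path $FilePath) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $FilePath).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    Write-Host "SHA256:    $hash"
    Write-Host "Signature: $($sig.Status)  ($($sig.SignerCertificate.Subject))"
}

# 2. Find running instances of the installer.
$procs = Get-CimInstance Win32_Process | Where-Object { $_.Name -ieq "$ProcessName.exe" }
if (-not $procs) {
    Write-Host "No running $ProcessName.exe; nothing to kill."
}

foreach ($p in $procs) {
    Write-Host "PID $($p.ProcessId) (parent $($p.ParentProcessId)): $($p.CommandLine)"

    # 3. Children: Win32_Process.ParentProcessId points back at the installer,
    #    so anything it dropped and launched shows up here.
    $children = Get-CimInstance Win32_Process |
        Where-Object { $_.ParentProcessId -eq $p.ProcessId }
    foreach ($c in $children) {
        Write-Host "  child PID $($c.ProcessId): $($c.Name) $($c.CommandLine)"
    }

    # 4. Outgoing TCP connections owned by this process: this is the activity
    #    the firewall prompt in the screenshot was asking about.
    Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' } |
        ForEach-Object {
            Write-Host "  TCP $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) [$($_.State)]"
        }

    # 5. Kill children first, then the parent, so a child cannot re-launch it.
    foreach ($c in $children) {
        Stop-Process -Id $c.ProcessId -Force -ErrorAction SilentlyContinue
    }
    Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
    Write-Host "Killed PID $($p.ProcessId) and $($children.Count) child process(es)."
}

# 6. Delete the parent file; -Force also removes a read-only attribute.
if (Test-Path $FilePath) {
    Remove-Item -Path $FilePath -Force
    Write-Host "Deleted $FilePath"
}
```

This only cleans up what is visible at the moment it runs. If step 3 shows children, or step 4 shows an established connection, the installer has already done more than "not fully execute", and the thread's fallback (moving it to the Untrusted group in Application Control, then the Malware Removal section) is the right next step rather than assuming the deletion was enough.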

Rebsat (thread author)
harlan4096 said:
As I have already commented many times in different threads in this forum, I never run Full Scans... only Quick Scan tweaked to Deep + All Files and all Compound Files + some system-specific/risky folders where malware is usually placed...
@harlan4096, regarding the Quick Scan settings...

1. Under Security level, should I set to "Extreme"? or "Optimal" is enough?

2. Under Edit scan scope, would you please point out those folders you mentioned here...
"some system-specific/risky folders where malware is usually placed..."

3. Under Scan technologies, should I tick "iSwift Technology"?

Thank you for your great assistance, bro :)

harlan4096 (Moderator, Malware Hunter)
[Attachment: 1641797483663.png]

I'm not sure why, but it is by design: Quick Scan in Kaspersky products always comes disabled by default... probably to force the objects to be scanned.