
I have a C# project in Visual Studio 2015 called "Assembler". Its code looks like this:

```csharp
using System;

namespace Assembler {
    public static class Program {
        // Empty entry point: the program does nothing.
        public static void Main() { }
    }
}
```

There are some other (unused) classes, but their purpose is to store and manage byte-level data types. There is no system call in my whole code and my project has no resources.

When starting Assembler.exe as a Windows application (by setting it under project properties->Application->Output type), the executable gets marked as a Trojan and is deleted instantly. However, when starting it as a console application or simply renaming the output assembly to AssemblerTest.exe for example, the executable starts, runs and terminates normally.

Is there a way to tell Kaspersky to not delete my project executable Assembler.exe? I also tried to add my executable to the exceptions, but it gets deleted anyways. Kaspersky's help says I have to add it to "trusted applications", but I can't add it to trusted applications, because when trying to select the executable with Kaspersky's OpenFileDialog, it says this file is currently used by another process, even when Visual Studio is closed. Adding Visual Studio to trusted applications (with all program controlling activities deactivated) didn't help at all.

I could simply rename my project, but it would be great to not have to rename the project only because Kaspersky thinks I create Trojans.

Some version information: OS: Windows 7 Home Premium 64-bit; Kaspersky 15.0.0.463(b); Visual Studio 2013

Cubi73
  • It sounds like you should restart, then add the application to your trusted application list; either that, or determine which process is using that file (likely a Visual Studio debugger process). – Security Hound Apr 03 '15 at 12:40
  • Ok. I restarted my computer, managed to add Assembler.exe to trusted applications with all program controlling activities deactivated and Kaspersky is still deleting it. (Why is there a trusted programs section, if Kaspersky still doesn't trust them?) – Cubi73 Apr 03 '15 at 12:52
  • When copying an arbitrary executable to the bin folder and renaming it to Assembler.exe, it works, so there has to be something wrong with my executable, but I can't find anything. Should I upload all my code (150 lines of code)? – Cubi73 Apr 03 '15 at 12:56
  • We don't deal with problems with a program's code here at Superuser. If you are rebuilding the application, most security software is designed to treat that new binary file as being different. You should submit the file to Kaspersky as a false positive or disable Kaspersky for the time being or use a different program that will let you add a folder which it won't scan. – Security Hound Apr 03 '15 at 13:18
  • Is this project for your own personal use only? If not, you'll want to avoid workarounds like adding it to whitelists since other users' antiviruses will also quarantine it. Try to figure out what makes it look like a trojan, and change it so it's not seen as one anymore. – Cameron Apr 06 '15 at 17:46
  • My program is primarily written for myself, but the informatics course I'm visiting at school will begin with x86 assembler in a few months so I wanted to write a better assembler simulator than the one we will be using. I think the `_IMAGE_OPTIONAL_HEADER::Subsystem` is within a byte sequence that triggers Kaspersky to alert me, because Kaspersky only alerts me when changing the project to a Windows application, but I don't know if that's the case. – Cubi73 Apr 18 '15 at 16:47
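
The output-type switch discussed in the question and its comments changes the 16-bit Subsystem field of the PE optional header (2 for a Windows application, 3 for a console application). The following is an added example, not code from any poster in this thread: it reads that field and lists any other bytes that differ between two builds, which is useful evidence to attach to a false-positive report. The function names and the header-only sample images are constructed for illustration.

```python
import struct

SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}  # values from the PE format

def subsystem_offset(image):
    """File offset of the 16-bit Subsystem field in the PE optional header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                  # skip signature and COFF header
    if len(image) < opt + 70:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return opt + 68                          # same offset in both layouts

def read_subsystem(image):
    (value,) = struct.unpack_from("<H", image, subsystem_offset(image))
    return value, SUBSYSTEMS.get(value, "OTHER")

def compare_builds(console, windows):
    """Subsystem names of both builds plus differing offsets outside that field."""
    field = subsystem_offset(console)
    other = [i for i, (x, y) in enumerate(zip(console, windows))
             if x != y and i not in (field, field + 1)]
    return read_subsystem(console)[1], read_subsystem(windows)[1], other

def make_sample(subsystem):
    """Constructed header-only PE32 image; not a real build output."""
    e_lfanew = 0x80
    img = bytearray(e_lfanew + 4 + 20 + 96)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 24, 0x10B)
    struct.pack_into("<H", img, e_lfanew + 24 + 68, subsystem)
    return bytes(img)

if __name__ == "__main__":
    print(compare_builds(make_sample(3), make_sample(2)))
```

On real build outputs, pass the bytes of the two executables instead of the samples; two separate compiles normally differ in more than the Subsystem field (the COFF timestamp, for instance), so a non-empty third element is expected.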

1 Answer

Try to follow this guide http://support.kaspersky.com/11146#block2 and add your project folder to the exclusion list of Kaspersky's AV/IS. In order to minimize the side effects of using the exclusion list (e.g. malware can theoretically be stored in the exclusion area and Kaspersky will skip it), select the check boxes for the components to which the exclusion rule will be applied.

Mike
  • This is a great tip. I actually tried this solution before asking this question, but I unchecked all protection components, because I thought that checked components remain activated :D Thank you :) – Cubi73 Jun 30 '15 at 13:10
  • @Cubinator73, not at all. Generally, each warning balloon of KAV/KIS contains the name of the module which raises an alert, at least that way it worked previously. Another option is to check the report module, which should contain all detailed information (if such functionality is enabled). Based on this data, you can decide which component is a source of the issue and should be disabled. – Mike Jun 30 '15 at 22:11