
(Note: update at end of Q)

On a Mac, I am using AVG as the primary AV. In addition to this, I have a few scanners (Bitdefender and Malwarebytes) that I update and use periodically. Recently I decided to add Kaspersky's free scanner (from the App Store) to this list as well.

Oddly enough, when I was updating the recently installed Kaspersky, AVG complained about a couple of items:

  1. /Users/UN/Library/Containers/com.kaspersky.kvs.agent/Data/Library/Application Support/KVS/Data/temp/temporaryFolder/updates/kdb/i386/base008.kdc

  2. /Users/UN/Library/Containers/com.kaspersky.kvs.agent/Data/Library/ApplicationSupport/KVS/Data/temp/temporaryFolder/updates/kdb/i386/base005.kdc

  3. /Users/UN/Library/Containers/com.kaspersky.kvs.agent/Data/Library/Application Support/KVS/Data/temp/temporaryFolder/updates/kdb/i386/base004.kdc

Looking into it quickly, one seems to be a trojan, another an infected iframe, and the third seems to be, as described by Microsoft, malware that attaches itself to other programs.

Not surprisingly I am rather concerned. Is Kaspersky unreliable (keeping in mind recent rumors)? Are these false positives? Is my computer already compromised? And most importantly, what do you knowledgeable folks suggest I do now? The KDC file types that were caught by AVG do not seem amenable to inspection by a non-specialist user.


Update:

So, I uninstalled Kaspersky, just to be sure there's only one resident AV, and avoid these conflicts. And I also replaced AVG with Avast (I'm well aware the former is owned by the latter). A full system scan by the new Avast also popped up a nasty courtesy of Kaspersky. It seems this was somehow missed/skipped by AVG:

  • /Users/yc/Library/Containers/com.kaspersky.kvs.agent/Data/Library/Application Support/KVS/Bases/Cache/kavbase.21d72e24d923846c.kmc

Disregarding the issue of one AV complaining about the other, it seems very odd that there are lingering base files even after uninstalling Kaspersky and rebooting the system.


Even more interesting oddities: the file caught by Avast seems to exist in the Mac Finder (on right-clicking in the AV window and doing "Show in Finder") but not when I try to find it in the Terminal. Doing >file /path/to/directory/of/infected/file/ says there's no such file or directory. But doing "Go to the folder" with the same pathname works just fine.


(I'm also very curious how one can achieve this - get a directory invisible in Terminal even with sudo ls but visible in Finder!! But that's probably a Q for a different site.)

dakini
  • I'm not sure I'd say that it's odd that there are files left around. I'm not very familiar with OS X conventions, but certainly on the other OSes I use, it's very common for installers to not remove everything. Especially stuff that gets created after the initial installation. I wouldn't consider that particularly suspicious. – Kat Jan 02 '18 at 20:37

2 Answers


They are false positives. Usually, it is not a good idea to have two different AV programs installed. One can block the other, as in your case.

In your case, concretely, it seems it's blocking database files. Maybe they contain some known virus pattern. Of course, any AV has itself and its files as an exception to detection, but that is not known to other AV software, and that's the reason why it is detected as malware.

OscarAkaElvis
  • There's only one resident AV. The rest are just scanners without any long running background process. Is that suboptimal also? – dakini Dec 28 '17 at 10:58
  • They still can interfere with each other simply because the signatures that would be stored in the AV's databases are naturally gonna contain information about a variety of types of malware and thus are going to look suspicious to the other AV. Scanning-only AVs aren't generally as interfering as ones with live protections and the like (which have to act in some pretty deep rooted ways to function), but they're still going to trip up other AVs, as you've found out. – Kat Jan 02 '18 at 20:34

It is highly probable that it's a false positive, if you downloaded the antivirus from the legitimate source.

Usually, antivirus software will unpack any signed file, regardless of the file's signing certificate. Most antivirus vendors will selectively store competitors' certificates to prevent false positives. But there are always exceptions.

As a casual user, you can submit the quarantined file to the corresponding AV that reported it, to check for a false positive.

In addition, it is a bad idea to have more than one prominent brand of antivirus installed on your system, as they will compete for resources to do redundant work.

mootmoot
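The triage the two answers describe (check where the flagged file actually lives, hash it, and decide whether it is another vendor's signature database before submitting it for a false-positive check), written out as an added Python example that is not code from either answer. It assumes the container id and the .kdc/.kmc extensions seen in the question's paths identify Kaspersky database files, and it builds a constructed sample file under a temp directory so it runs offline.

```python
import hashlib
import os
import tempfile

# Assumption: the container id in the question's paths belongs to the Kaspersky agent app.
AV_CONTAINERS = {"com.kaspersky.kvs.agent": "Kaspersky"}
# Assumption: the flagged extensions are signature-database blobs, not executables.
DB_EXTENSIONS = {".kdc", ".kmc"}

def owning_vendor(path):
    """Return the AV vendor whose macOS app container holds this path, or None."""
    parts = path.split("/")
    if "Containers" in parts:
        idx = parts.index("Containers") + 1
        if idx < len(parts):
            return AV_CONTAINERS.get(parts[idx])
    return None

def sha256_of(path):
    """Hash the file in chunks; the digest is what you hand to the vendor for a false-positive check."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(path):
    """Classify one flagged path: where it lives, whether it is on disk, and what to do next."""
    exists = os.path.isfile(path)  # os.path sees the space in "Application Support"; no shell splitting
    vendor = owning_vendor(path)
    is_db = os.path.splitext(path)[1].lower() in DB_EXTENSIONS
    if vendor and is_db:
        verdict = "probable false positive: %s signature database; submit the hash to the detecting AV" % vendor
    elif vendor:
        verdict = "inside the %s container but not a database file; have it analysed first" % vendor
    else:
        verdict = "outside any AV container; treat as a real detection until analysed"
    return {"path": path, "exists": exists, "vendor": vendor, "is_db": is_db,
            "sha256": sha256_of(path) if exists else None, "verdict": verdict}

def demo():
    """Constructed sample: rebuild the question's directory layout under a temp dir and triage a file in it."""
    folder = os.path.join(tempfile.mkdtemp(), "Containers", "com.kaspersky.kvs.agent", "Data",
                          "Library", "Application Support", "KVS", "Bases", "Cache")
    os.makedirs(folder)
    sample = os.path.join(folder, "kavbase.constructed.kmc")
    with open(sample, "wb") as f:
        f.write(b"constructed sample bytes, not a real signature database")
    return triage(sample)
```

Run triage() on each path the AV reported; a file that is outside any vendor container, or that is not a database file, is the one worth submitting for analysis before trusting it.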
  • suppose I don't care about the resource usage anymore - they're both CPU/RAM efficient and I have enough CPU/RAM sitting idle most of the time... I just want to double check things. And besides, different AV programs work differently, so it is always possible what's missed by one is caught by the other... – dakini Dec 30 '17 at 03:16
  • @Yogesch I'm not aware of any anti-viruses that play nice with each other. The concept of not running more than one on a computer is extremely widespread and accepted, so there isn't much incentive for AVs to be nice. I would expect that having files that you're so paranoid about is an unusual thing, so perhaps try https://www.virustotal.com, who have put the work into making that process easy. They probably are just running each AV on its own VM (which you could also do as an approach, if you wanted -- it'll be a bit resource heavy, though). – Kat Jan 02 '18 at 20:42
  • That said, you should perhaps consider why you want to do this. I'm assuming you're not studying malware or anything and are just a "regular user". I think the general consensus would be that an AV is more of a last resort that can only do so much and your best line of defense is to be cautious with what you download and to use safe browsing practices. If any file makes you so paranoid that you want to run it through multiple AVs, perhaps you should reconsider if you should open it in the first place? – Kat Jan 02 '18 at 20:44
  • @Kat Virustotal probably licensed individual AV command line scan engine. – mootmoot Jan 03 '18 at 09:07
  • @Kat I generally don't study malware, so I haven't made the time to dig into the suspicious files. But I often need to let others plug their USB sticks (that have very likely been in all sorts of places) into my system. That's where the paranoia originates. In this particular instance, what concerns me is that the other AV's files get detected as a Trojan. Presumably that's because they look similar to how Trojans are generally coded. And besides, most free AV make money off (anonymised?) user data (check e.g. AVG privacy policy). – dakini Jan 04 '18 at 10:37
  • @Kat if the concept of installing only one AV is so widespread, that's a perfect loophole. If no one's policing the policeman, who's to know if the policeman gets up to thieving? – dakini Jan 04 '18 at 11:10
  • The notion of only one AV, to me, made sense when average computers were resource poor and AVs (notably Symantec) resource hogs. Both those situations have dramatically changed since the 90s - early 2000s. Background AV processes take up a very tiny fragment of the resources available on the modern average computer. Running an active scan is a different matter of course. – dakini Jan 04 '18 at 11:14
  • @Yogesch, The "only one AV" rule has nothing to do with resources, though. It's because the mechanisms that AVs use for preventing exploits simply aren't compatible with each other, oftentimes. They require making some deep modifications to the OS, often in ways the OS wasn't directly setup to allow. As for who polices them, a variety of security experts do watch AVs for their functionality and working. Programs can only do so much, anyway. AVs would typically think each other are viruses because of their behaviors, so we need humans for such a question, not multiple AVs. – Kat Jan 04 '18 at 15:16