Kaspersky Anti-Ransomware False Detection: HEUR:Trojan.Multi.Crypren.gen

Issue

  1. You have a server running Kaspersky Anti-Virus, and you have shared several folders on it.

  2. You have installed antivirus or anti-malware software on another system in the network.

  3. When accessing and editing files in the shared server folder, the connection to the share is lost, and Kaspersky Anti-Virus writes the following log entry:

File Threat Protection - HEUR:Trojan.Multi.Crypren.gen - <Path to shared file>.CryptoBackup

This happens in Kaspersky versions that include AntiCryptor modules (for example, Kaspersky Security for Windows Server).

Quick solution

Upgrade your anti-ransomware product.

Although the root cause is Kaspersky’s filename-based detection, the following product versions change the backup file name to work around the Kaspersky error and prevent further false alarms:

  • Padvish Anti-Crypto 1.5.169.1137 and higher

  • Padvish Antivirus 2.9.134.8001 and higher

Cause of the problem

The error originates in Kaspersky’s ransomware detection module, the AntiCryptor module. It classifies the following behaviour as HEUR:Trojan.Multi.Crypren.gen:

  • Creating a new file in a shared folder that has the same name as an existing file but a different extension.

This detection has nothing to do with the file’s content or with any encryption operation; it depends solely on the file name, and it can easily be triggered by repeatedly copying a file into a shared folder under different extensions.

For example, the following simple script triggers a Kaspersky alert and closes the shared folder:

copy SomeFile.png \\192.168.1.1\share\SomeFile.png
copy SomeFile.png \\192.168.1.1\share\SomeFile.png.test

This script only copies a harmless PNG file to a shared folder, but because the second copy adds an extra extension to the file name (here “test”), Kaspersky identifies it as ransomware (“test” is just an example; any other extension behaves the same way). Even manually copying two files with such names, regardless of their content, can lead to this false positive.

Interestingly, this detection mechanism also interferes with well-known software such as SolidWorks, SPSS Statistics, various email clients and others, and produces false positives there too. Kaspersky’s answer to these conflicts is to ship a fixed exclusion list in its products containing the extensions those applications use (such as stt, sldprt, sig, and even exe) and to issue no alert for them.

Since the data protection layer of Padvish Anticrypto creates, under certain circumstances, a temporary backup with the “CryptoBackup” extension, the error is triggered. The new Padvish version avoids the problem by changing this extension so that the detection is no longer hit.

Solution

This workaround applies to earlier product versions; in the following versions there is no need to apply it:

  • Padvish Anticrypto 1.5.169.1137 and higher

  • Padvish Antivirus 2.9.34.8001 and higher

You can also fix the false positive by adding the CryptoBackup extension to the Kaspersky Anti-Virus exclusions:

  1. Open the Anti-Cryptor settings.

  2. Open the Exclusion list section.

  3. Enter the suffix *.CryptoBackup.

  4. Close all windows with OK.

Settings guide link on Kaspersky site: https://support.kaspersky.com/KSWS/11/en-US/193127.htm (Padvish is not responsible for the content of external links).

As mentioned in the linked Kaspersky guide, Kaspersky’s default exclusions include sldprt and exe; excluding these two extensions from the detection method shows that it interferes with other software, including SolidWorks.
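To make the filename-only rule and the effect of the exclusion concrete, here is an added simulation (written for this article, not Kaspersky’s or Padvish’s code). It models the heuristic as described above: a write whose name matches an existing file apart from its last extension is flagged unless that extension is on the exclusion list. The rule, the default list and the log format are assumptions drawn only from this article.

```python
import os

DETECTION_NAME = "HEUR:Trojan.Multi.Crypren.gen"
# Default exceptions named in this article; Kaspersky's real list is longer.
DEFAULT_EXCLUSIONS = ("*.stt", "*.exe", "*.sig", "*.sldprt")


def _ext(name):
    """Last extension of a file name, lower-cased, without the dot."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def _stem(name):
    """File name with its last extension removed, lower-cased."""
    return os.path.splitext(name)[0].lower()


def normalize_exclusions(patterns):
    """'*.CryptoBackup' -> 'cryptobackup'; the list is matched by extension only."""
    return {p.lstrip("*.").lower() for p in patterns}


def would_flag(existing, new_name, excluded):
    """Model of the filename-only rule: True if writing new_name next to the
    names in `existing` would be reported as Crypren.gen (assumed behaviour)."""
    ext = _ext(new_name)
    if not ext or ext in excluded:
        return False
    stem = _stem(new_name)
    for old in existing:
        if old.lower() == new_name.lower():
            continue  # overwriting the same name is not a rename
        # "same name, different extension": SomeFile.png -> SomeFile.png.test
        # (stem equals the old full name) or Doc.txt -> Doc.bak (same stem)
        if stem in (old.lower(), _stem(old)) and _ext(old) != ext:
            return True
    return False


def simulate(writes, exclusions=DEFAULT_EXCLUSIONS):
    """Replay file names written into an initially empty share and return
    the log lines the model would emit, in the article's log format."""
    excluded = normalize_exclusions(exclusions)
    existing, log = set(), []
    for name in writes:
        if would_flag(existing, name, excluded):
            log.append(f"File Threat Protection - {DETECTION_NAME} - {name}")
        existing.add(name)
    return log


if __name__ == "__main__":
    # Constructed samples: the article's copy script, a Padvish temporary
    # backup, and the same backup after adding the *.CryptoBackup exclusion.
    print(simulate(["SomeFile.png", "SomeFile.png.test"]))
    print(simulate(["Report.docx", "Report.docx.CryptoBackup"]))
    print(simulate(["Report.docx", "Report.docx.CryptoBackup"],
                   DEFAULT_EXCLUSIONS + ("*.CryptoBackup",)))
```

The first two calls each return one Crypren.gen log line; the third returns an empty list because the extension is now excluded.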

Complementary explanation

Note that since Kaspersky’s detection method is based solely on the file name, it is prone to a high false-positive rate and to interference with many applications; that is why Kaspersky defines a default exception list in the AntiCryptor module that includes the following (source: https://support.kaspersky.com/KSWS/11/en-US/193127.htm):

  • stt – SPSS Statistics file extension

  • exe – Windows executable files

  • sig – extension used by email software

  • sldprt – SolidWorks file extension

  • and others

The *.CryptoBackup entry you add is simply one more exception on this list.