Kaspersky detects KeyLogger within MP

Can someone help me understand why Kaspersky anti-virus identified and deleted a DLL within a recent Mission Planner update that is defined as a KeyLogger. I had to disable Kaspersky for the update to download; I was getting an update failed due to virus protection error; but my night time virus scan found this DLL with the Mission Planner directory and deleted it. Why is it there? Does it matter that it was deleted?Cheers!Pem

You need to be a member of diydrones to add comments!

Join diydrones

Email me when people reply –

Replies

  • Kaspersky advanced settings cause the malware affected files to be deleted directly without giving an option. Which is good for security measures but risky as it might delete certain program files. K7 Antivirus Customer Support can explain more on this topic. The firewall settings also perform certain access blockage.

  • This file is already present in previous versions of MP, but...

    from version 1.3.15 of Mission Planner : the file is 241152 bytes long, and no malware detected (not a single).

    from version 1.3.31 of Mission Planner : the file is 235008 bytes long, and malware detected by 15 antivirus.

    The weird point is that both file are version 1.0.0.6 so they should be exactly the same.

    It should be noted that this file is not developed by Michael Oborne, but by "Maxim Kartavenkov aka Sonic 2012". Who is probably someone reliable, but it's just to understand that it's a dll imported into the project, not a development from Michael so who knows what's really inside.

    PS : I didn't compare to all versions of MP, but I had version 1.3.15 laying around, it could be interesting to compare with other versions too.

  • I am using MalwareBytes and Avast here and no report of infection have been found coming from the Mission Planner directories. Furthermore, I am using the latest version of the Mission Planner on my PC. As it has been mentioned previously, it must be a false positive. 

    Also, that .DLL file must have a certain line of code that is causing the AV to trigger it as a Trojan or Malware. If I were you, I would just report it to Kaspasky as a false positive.

  • Developer

    Hey Michael
    This must be what is going on with the false alarm :)

    http://www.torontosun.com/2015/08/14/antivirus-firm-kaspersky-faked...

  • Developer

    I have removed this dll from the current release of MP.

    it is no longer part of the MSI, or the zip, and will not be downloaded as part of the update process either.

    • Michael,

      Thanks. I was able to update two Win 7 pro computers to without Norton saying anything. However, on the Win 8.1 tablet it's a different story. I uninstalled MP to get a clean start, then did a new install from planner.ardupilot.com this morning. Norton complained about baseclassesnet.dll again and deleted it but did not complain about ardupilot.com. Is there a delay between you posting it to http://firmware.diydrones.com  and it getting used by the installer on ardupilot.com or perhaps a difference between a new install and an update? The build numbers are the same - 1.3.31 build 1.1.5696.33420

      The drivers also failed to install but I'm still looking at that. I suspect it's because they were already there.

      • Developer

        drivers are failing because of a Linux/windows line ending issue

  • This reply was deleted.
    • The same thing happened to me last night when I tried to update MP to the latest Beta release. It found that baseclassesnet.dll was a “Trojan.Gen.2 with “High” severity. In addition to deleting the dll it marked “http://oborne.me/MissionPlanner/upgrade//MissionPlanner.exe?881085803” as having a “bad” reputation.

      I don’t think you can completely dismiss this as a false positive. There are plenty of individuals, groups, and nation states that might think that it would be amusing or in their national interest to take control of a drone or keep track of drone activity first hand. The perceived threat of a surveillance drone or kamikaze drone violating controlled airspace near an airport or government installation is enough reason for many governments to attempt to put a Trojan into the computers of the pilots. It would enable them to scan flight logs and report back violations or look for specific gps coordinates that match specific incidents.

      It doesn’t really matter if oborne.me is on a server with a secured and updated OS and web server, if a group or nation state really wants to compromise it they will find a way. I think whatever solution is found for this problem should not involve turning off virus and malware checking programs. They may not be perfect but they have prevented lots of infections.

This reply was deleted.

Activity

Neville Rodrigues liked Neville Rodrigues's profile
Jun 30
Santiago Perez liked Santiago Perez's profile
Jun 21
More…