Kaspersky Reporting Trojan in 28.0.0.1 x64 Installer

bobber575
Apollo supporter
Posts: 30
Joined: 2015-10-14, 15:52
Location: New Mexico, USA

Unread post by bobber575 » 2018-08-28, 15:28

Kaspersky Total Security 18-0-0-405(j) will not allow installation of Palemoon 28.0.0.1 x64 downloaded from the U. S. mirror site.
See 18-08-27-Speccy-KOSH.7z for System Specs
See 18-08-28-0900-Palemoon-Trojan-Virus-Report.7z for A/V Report

Moonchild
Pale Moon guru
Posts: 35634
Joined: 2011-08-28, 17:27
Location: Motala, SE

Unread post by Moonchild » 2018-08-28, 15:34

"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

therube
Board Warrior
Posts: 1651
Joined: 2018-06-08, 17:02

Unread post by therube » 2018-08-28, 15:38

Did you check the hash of the downloaded file against that posted on the PM download page?

Unread post by bobber575 » 2018-08-28, 15:48

Yup! Hash checks on downloaded file, problem happens when I run the installer.

Night Wing
Knows the dark side
Posts: 5173
Joined: 2011-10-03, 10:19
Location: Piney Woods of Southeast Texas, USA

Unread post by Night Wing » 2018-08-28, 16:02

bobber575 wrote: Yup! Hash checks on downloaded file, problem happens when I run the installer.
Turn off Kaspersky, then install Pale Moon since it is a false positive. Then tell Kaspersky about the false positive. Free Avast does the same thing to me so I turn off Avast to install Windows Pale Moon. Once Pale Moon is installed, I turn Avast back on by rebooting all of my four computers with a Windows hard drive installed in them.
Linux Mint 21.3 (Virginia) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
MX Linux 23.2 (Libretto) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
Linux Debian 12.5 (Bookworm) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox

Unread post by bobber575 » 2018-08-28, 16:20

Ok. I get the idea of some A/V products throwing false positives. However, Kaspersky is *normally* quite tolerant of Palemoon. This positive for Palemoon is an outlier, and therefore the reason for my reporting the problem.
As the checksum and scan of the downloaded file appear to be safe, why does the installation routine trigger the alert from Kaspersky??

Unread post by Night Wing » 2018-08-28, 16:27

@ bobber575

There have been quite a few changes in Pale Moon from 27.9.4 to (28.0.1). Kaspersky probably hasn't picked up on those changes yet and it is remembering things in the 27.9.4 installer. In other words, something inside the installer for 28.0.1 is "too new" for Kaspersky.

Unread post by bobber575 » 2018-08-28, 16:34

I agree that the changes from 27.x to 28.0.0 were substantial, but Kaspersky passed the installation of 28.0.0 with no problems. I'll wait a couple of days and see if I can install Palemoon 28.0.0.1. Kaspersky is reporting that this latest installer is only 5 hours old.
Thanks for your time.
Last edited by bobber575 on 2018-08-28, 16:34, edited 1 time in total.

Unread post by therube » 2018-08-28, 16:34

Are you using a VPN?
(rubyw.exe is listed & wondering if that is expected?)

Unread post by bobber575 » 2018-08-28, 16:37

I have Private Internet Access installed, but not active.

Unread post by Night Wing » 2018-08-28, 16:42

bobber575 wrote: I agree that the changes from 27.x to 28.0.0 were substantial, but Kaspersky passed the installation of 28.0.0 with no problems. I'll wait a couple of days and see if I can install Palemoon 28.0.0.1. Kaspersky is reporting that this latest installer is only 5 hours old.
Like I said previously, 28.0.1 is too new so Kaspersky is going to "play it safe". Since Kaspersky is a paid AV (as far as I know), Kaspersky is "covering its own a$$".

Unread post by Moonchild » 2018-08-28, 16:44

bobber575 wrote: As the checksum and scan of the downloaded file appear to be safe, why does the installation routine trigger the alert from Kaspersky??
Only Kaspersky can answer that, but my guess is it does a dumb pattern scan whenever new files are written to disk or loaded into memory, and if it happens to hit something in Pale Moon that is a "match" at that stage, it will raise an alarm. Since the installer itself is a compressed 7z SFX archive, it will likely NOT scan inside of it when you scan the installer, and the compressed data will of course not match whatever pattern is tripped up.

AV vendors should really stop using static binary patterns because it will create more and more false positives as both their database grows and applications are getting more optimized resulting in very similar patterns to viruses as a normal part of their compiled state.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
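
The three observations from this thread (hash matches, scan of the downloaded installer is clean, alert at install time) reproduced with a toy static pattern scanner. This is an added example, not code from any poster, Pale Moon or Kaspersky; the signature bytes, the `SFX-STUB` container layout and all function names are constructed for illustration.

```python
import hashlib
import hmac
import lzma

# Constructed 10-byte pattern standing in for one AV signature entry (hypothetical).
SIGNATURE = bytes.fromhex("deadbeef1337cafebabe")
STUB = b"SFX-STUB\x00"  # constructed stand-in for the self-extractor stub


def pattern_scan(data: bytes) -> bool:
    """Static scan: alert when the raw bytes contain the signature."""
    return SIGNATURE in data


def build_installer(program: bytes) -> bytes:
    """Pack a program the way an SFX does: stub + LZMA-compressed payload."""
    return STUB + lzma.compress(program)


def run_installer(installer: bytes) -> bytes:
    """What lands on disk at install time: the decompressed payload."""
    return lzma.decompress(installer[len(STUB):])


def triage(installer: bytes, published_sha256: str) -> dict:
    """Reproduce the three observations made in the thread, in order."""
    digest = hashlib.sha256(installer).hexdigest()
    return {
        "hash_matches": hmac.compare_digest(digest, published_sha256),
        "alert_on_download_scan": pattern_scan(installer),
        "alert_on_install": pattern_scan(run_installer(installer)),
    }


# Benign, compressible program bytes that happen to contain the pattern.
PROGRAM = b"\x90" * 4096 + SIGNATURE + b"\xcc" * 4096
INSTALLER = build_installer(PROGRAM)
PUBLISHED = hashlib.sha256(INSTALLER).hexdigest()  # as listed by the publisher

if __name__ == "__main__":
    for check, result in triage(INSTALLER, PUBLISHED).items():
        print(f"{check}: {result}")
```

A matching hash only shows that the download is byte-identical to what the publisher hashed; it says nothing about which byte patterns a scanner will see once the payload is unpacked.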

Unread post by bobber575 » 2018-08-28, 16:46

You are probably quite correct about Kaspersky having a severe dose of "CYA". And, Yes, this is a "Paid" version of Kaspersky.
Cheers

tenseys

Unread post by tenseys » 2018-08-28, 17:27

Windows Defender (Windows 10) gives an unknown publisher warning after double-clicking the installer for 28.0.0.1 (Americas, 64bit), stopping the installation.

Last edited by tenseys on 2018-08-28, 18:27, edited 23 times in total.

Unread post by bobber575 » 2018-08-28, 17:33

I have "Smartscreen" disabled.

Unread post by therube » 2018-08-28, 17:52

Last edited by therube on 2018-08-28, 17:53, edited 2 times in total.

Unread post by tenseys » 2018-08-28, 17:54

Oh ok, this is the first time I've seen this warning. Doesn't happen with earlier (27.9.4, 28.0.0 etc) installers for me.
I'll probably shut the smartscreen off.
Last edited by tenseys on 2018-08-28, 18:28, edited 8 times in total.

Unread post by bobber575 » 2018-08-28, 20:11

Well, I have a shiny new definition update for Kaspersky (DtD 2018-08-28 10:23) and by using the internal updater in Palemoon, I successfully installed Palemoon 28.0.0.1 x64. However the Palemoon "Restart Now" button results in an instance of Palemoon running with no GUI. Was necessary to kill the phantom instances and manually restart Palemoon to get the GUI to appear. This is the second time the installer has failed in this manner.

Unread post by Moonchild » 2018-08-28, 20:19

That can only happen if something holds the process hostage and prevents it from shutting down normally. AV suites are notorious for doing that.

Unread post by bobber575 » 2018-08-29, 16:34

If anyone is still interested, Kaspersky Total Security (Definition update DtD 2018-08-29 04:30) now loves Palemoon 28.0.0.1.
I downloaded the 28.0.0.1 64Bit installer from the U. S. Mirror, and successfully installed same with no complaints from Kaspersky.
Dealing with Micro$quash Windows, and the necessity to run competent Anti-Virus products can be a huge PITA.
Thanks to everyone for taking the time to respond to my Tempest in a Teapot.
Cheers,
G. R. "Bob" Main
