I created a simple script that parsed all those “.ini” files and compiled the results in a CSV file that will be available in the repository mentioned at the start of this blog. There are 2450 “.ini” files in the “cleaner.cab” file which means we have a method and in some cases “multiple” methods to detect around “2450” different security products (AV, EDR, VPN, Firewalls…). One interesting side effect of this research is the discovery of those “.ini” files that I mentioned above. On the other hand, this could offer an interesting setup for attackers who might stumble upon organizations that are already running Kaspersky, as this could be used to execute commands coming from a Kaspersky process which could be already whitelisted by the security team or it could be used as some kind of backdoor/persistence where each time the KES installation occures this behaviour will occur.
Note that this of course requires admin privileges in order to modify the necessary registry keys (HKLM) and run the KES installer. Brand Representative for Kaspersky Lab North America serrano Dec 7th, 2016 at 7:52 AM two things: if there is an uninstall password set in the Network Agent policy, you'll want to disable/remove that. We now are able to execute arbitrary commands and processes from the context of the signed Kaspersky process as long as we simulate an AV that is “unsupported” by KES in order to trigger the uninstallation process. Merhabalar, bilgisayara indirdiim dosyay taratmak istediimde Kasperskyn kapal olduunu gördüm ne yapsam bir türlü balatamadm, Denetim Masasndan silmeye çalyorum donuyor ve kapanyor, internetten exe dosyasn indirip yeniden kuraym dedim onu da yapamyorum önceki sürüm kaldrlyor.