Kaspersky flagging EmbyServer.exe as PDM:Trojan.Win32.Gen

[api182 2]

All of a sudden this morning, presumably after the update to Emby Server 4.8.1.0 I'm unable to run EmbyServer.exe without Kaspersky kicking off about it being a Trojan and deleting the executable

 

Event: Process terminated
Application: EmbyServer
User: SERVER\Admin
User type: Initiator
Component: System Watcher
Result description: Terminated
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\Admin\AppData\Roaming\Emby-Server\system
Object name: EmbyServer.exe
MD5: 1E806DA4E9E42325C1241EF8931B9520

 

I've downloaded the Portable x64 and manually dropped the EmbyServer.exe over into C:\Users\Admin\AppData\Roaming\Emby-Server\system (after Kaspersky deleted it...), scanned it manually and it seems fine, but upon running it, I get Kaspersky kill the process and class it as a virus again. Is this some sort of false positive??

 

Also, 4.8.0.80 still runs from the system.old directory, albeit wanting to setup from scratch again?

[TeamB 2353]

Its probably an FP but submit your EmbyServer.exe to virus total and see what it says about the file:

https://www.virustotal.com/gui/

Update:
Actually it looks like that file is already been submitted:
https://www.virustotal.com/gui/file/f28e9270f95c5ff3e8537ab936d740155f458364d1e86a36c70c0ffa72c0121f

Edited February 8 by TeamB

[api182 2]

virustotal says it's clean, but so does Kaspersky if I manually scan the executable, it's come runtime that things get flagged...

[api182 2]

 

Strange thing is though, upon running EmbyServer.exe (4.8.1.0) it tries to run this batch file? I assume that some magic happens in there but it's likely after running this that the 'Trojan' is flagged?

Is this batch file an expected part of running EmbyServer.exe 4.8.1.0?

[TeamB 2353]

It is probably a behaviour sig detecting it, if it is no detecting on open and close but on run, from the look of the name it is a generic so it is triggering on something the exe is doing, one of the generic behaviours that it does not like which could be anything, so I would say wack an exclusion on the emby server path in Kas and move forward.

[TeamB 2353]

1 minute ago, api182 said:

 

Strange thing is though, upon running EmbyServer.exe (4.8.1.0) it tries to run this batch file? I assume that some magic happens in there but it's likely after running this that the 'Trojan' is flagged?

Is this batch file an expected part of running EmbyServer.exe 4.8.1.0?

well that would be the behaviour that is triggering it I would guess.

why is there a bat file in your emby cache data dir @Luke?

 

[TeamB 2353]

can you find and open that BAT file with notepad and see what it contains?

perhaps submit that to virus total as well.

[api182 2]

rem 7359 = udp server port
rem 8096 = http server port
rem 8920 = https server port
rem C:\Users\Admin\AppData\Roaming\Emby-Server\system\EmbyServer.exe = exe path

netsh advfirewall firewall delete rule name="Port 7359" protocol=UDP localport=7359
netsh advfirewall firewall add rule name="Port 7359" dir=in action=allow protocol=UDP localport=7359

netsh advfirewall firewall delete rule name="Port 8096" protocol=TCP localport=8096
netsh advfirewall firewall add rule name="Port 8096" dir=in action=allow protocol=TCP localport=8096

netsh advfirewall firewall delete rule name="Port 8920" protocol=TCP localport=8920
netsh advfirewall firewall add rule name="Port 8920" dir=in action=allow protocol=TCP localport=8920

netsh advfirewall firewall delete rule name="mediabrowser.serverapplication.exe"
netsh advfirewall firewall delete rule name="EmbyServer.exe"
netsh advfirewall firewall delete rule name="Emby Server"

netsh advfirewall firewall add rule name="Emby Server" dir=in action=allow protocol=TCP program=C:\Users\Admin\AppData\Roaming\Emby-Server\system\EmbyServer.exe enable=yes
netsh advfirewall firewall add rule name="Emby Server" dir=in action=allow protocol=UDP program=C:\Users\Admin\AppData\Roaming\Emby-Server\system\EmbyServer.exe enable=yes

:DONE
Exit

 

That's the contents of the temporary bat file it opens, but I don't think that is to blame, even if I deny it running through the UAC dialog by clicking No, Kaspersky still ends up kicking off about EmbyServer.exe, terminates and deletes it.

 

I'm a little hesitant to add an exception for the minute, I'll maybe wait and see what @Lukecomes back with, if anything?

 

Thanks for responding @TeamBthough 

[TeamB 2353]

it looks like that file is part of the Emby setup, it is adding firewall rules to allow emby to listen on ports.

I still think this is what the generic detection is, its the sort of generic I would write, not many things should be adding to the firewall so it is a common attack behaviour that av can look for.

@Lukecan comment on the correctness of the above bat file though.

[thefad3done 2]

I am also having this, and unfortunately this flagging as a trojan has wiped a chunk of my emby files out, and am struggling to get it to reinstall.

 

Edit: Managed to get a bit further in re-installing, but it's literally lost all my settings then it gets blocked again and re-deleted by KIS

Edited February 8 by thefad3done
updated info

[TimBer2 6]

Bitdefender and Clam Antivirus report it clean

[jaycedk 384]

Guess false positive !

Known issue with AV.

[Luke 37099]

We use that to add windows firewall rules.

[BoomerGamer62 18]

The same thing has happened to me.  Kaspersky not only deleted embyserver.exe, but also the server tray.

Trying to figure out if I can get an exception into the Kaspersky list.....

[BoomerGamer62 18]

If it helps, these are the files Kaspersky is putting in quaratine.

[BoomerGamer62 18]

I was able to get it to stop deleting the files by putting in an exclusion in Kaspersky here:

settings --> secuirty settings --> Excusions and actions on object detection --> manage exclusions

So Emby now runs without Kaspersky doing its quarantine.  The problem is that since I did a couple of restarts, the system.xml file that I was able to roll back was a copy of when I had tried to re-install.  All my configuration now seems GONE.  While it looks like system was backed up to system.old, I dont see a backup on the config ANYWHERE.

Yes, I KNOW I should have backups, but I dont. 

I hate to think I have to rebuild my users, my hundreds of live tv channels, etc.

@TeamB, @Luke, PLEASE tell me there is a way to get this back the way it was without totally having to rebuild this!

[Luke 37099]

Did it wipe out the program data directory as well? 

if it only wiped system.xml, does it offer a way to get the original file back?

If not then just step through the wizard and I think you'll be fine. You'll need to review server settings, but there is not as much stored in system.xml as you might think.

[yafethk 0]

i am having the same issue as well with my kaspersky. I can't access to any of my folders in the emby server. does that mean all my hard work of arranging the folders and files are wiped out? Administrators please roll out a new update soon as possible for now i can't use the server at all.

[api182 2]

I managed to get mine back up and running by adding the exception in Kaspersky, then luckily, I've been using the Backup & Restore feature in Emby for years and I had a backup from last week with the system.xml file in, so managed to bring that back and up and running once more.

 

My concerns going forward though are simply why should we have to add an exception effectively telling Kaspersky AV to ignore the application behaviour? I've been running Kaspersky on the same server with Emby for years, no problems whatsoever.

 

The way I see it, there likely 3 possible issues (or a combination of): -

1. Kaspersky itself has updated recently and is now flagging too aggressively? -Unlikely as I was able to temporarily run 4.8.0.80 without Kaspersky kicking off about it, and I'd expect, certainly as it's not a major release that the actual core behaviour of Emby remains the same as the previous version?

2. Emby has changed so much so that it's all of a sudden behaving (according to Kaspersky) like a Trojan? -Possible I guess as it does do all sorts of Network interactivity etc, but looking at the changelog it doesn't seem to have anything fundamentally changed that might trigger this?

3. A 3rd party library is indeed infected and is being used in the Emby Server project, and Kaspersky being as good as it is has caught this before all other AVs? -Possible? I've seen Kaspersky pick-up things in the past that others haven't so I can't simply ride on the "My #INSERT AV NAME HERE# isn't having an issue and is letting Emby run fine, so it must be fine?" idea...

How do things move forward from here as this could be a continuous issue if left 'unsolved'?

[TeamB 2353]

10 minutes ago, api182 said:

My concerns going forward though are simply why should we have to add an exception effectively telling Kaspersky AV to ignore the application behaviour? I've been running Kaspersky on the same server with Emby for years, no problems whatsoever.

This is a Kaspersky FP, it happens, it is an issue with Kaspersky not with Emby.

10 minutes ago, api182 said:

Kaspersky being as good as it is

Hahahahhahahahahahahah ... oh your serious...

Edited February 9 by TeamB

[yafethk 0]

@TeamBso suddenly its a kaspersky issue? why this didn't happen all these years while using kaspersky? clearly i am not the only one facing this...be aware that in this way you are throwing away active users and new potential users with kaspersky will not open a emby account when they read this discussion.

for now as i mentioned all my hard work of arranging the folders, users and live tv channels is gone. thanks for nothing...

 

[TeamB 2353]

39 minutes ago, yafethk said:

so suddenly its a kaspersky issue?

It's up to you how you move forward, I am never going to tell anyone to disregard what they believe in, if you believe this is an Emby issue then ok.

To me this looks like it is an FP, no other AV tool in the virus total list (not even kaspersky) are picking this up in a static scan, it looks like a kaspersky FP on a behaviour, the behaviour being the launching of a BAT file (regardless of what is in the bat file) and that possibly with the age of this new version (the file being very new) kaspersky triggers a detection, probably incorrectly thus causing this potential FP.

If you feel this is something you need to stick with and kaspersky is correct, then you need to act accordingly.

Having said all this, Emby can not fix this, it is what it is.
You have the facts, put your big boy pants on and move forward, either delete Emby because kaspersky thinks it is malware or add an exclusion to allow Emby to run.

[created1ders 0]

You are definitely not the only one facing this. My Emby went down yesterday afternoon with the exact same issues you are facing.

Kaspersky keeps quarantining and deleting files even when I made exceptions to anything it listed. I've only had Emby for a couple months and it always worked flawlessly up til now. If this is indeed a Kas issue how are we supposed to fix it if Kas keeps ignoring our request to ignore it?

[jaycedk 384]

Guess you could ask them why ?

Products for Home - Kaspersky Support Forum

[BoomerGamer62 18]

For those affected, you can do the following in Kaspersky:

1.  Add exceptions to the Exception list.  From the home screen, you can find it at:

Settings (little gear at the bottom left)--> Security settings --> Excusions and actions on object detection --> Manage exclusions.   

You want the add two exclusions for the following folders (The "xxx" below will vary depending on your windows user name):

C:\Users\xxx\AppData\Roaming\Emby-Server\programdata\

C:\Users\xxx\AppData\Roaming\Emby-Server\system\

Leave "Object" field and "FIle Hash" field blank.  Select "All components" for Protection Components

2.   To get the removed files back, from the home screeen go to Security --> Quarantine.  You should see a list of files that were deleted from the Emby-Server folder.  Check off all those files and press the "RESTORE" button.

3.  Reboot your system.

CAUTION:  By doing this, you are creating a vunerability where anything that would get put in these two folders would be exempt from scanning for viruses.  Im not thrilled with this either, but this does work until I can think of something better -- or Emby reverses whatever they did.

Edited February 9 by BoomerGamer62