Kaspersky flagging EmbyServer.exe as PDM:Trojan.Win32.Gen


Posted

All of a sudden this morning, presumably after the update to Emby Server 4.8.1.0, I'm unable to run EmbyServer.exe without Kaspersky kicking off about it being a Trojan and deleting the executable.

Event: Process terminated
Application: EmbyServer
User: SERVER\Admin
User type: Initiator
Component: System Watcher
Result description: Terminated
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Users\Admin\AppData\Roaming\Emby-Server\system
Object name: EmbyServer.exe
MD5: 1E806DA4E9E42325C1241EF8931B9520

I've downloaded the Portable x64 and manually dropped the EmbyServer.exe over into C:\Users\Admin\AppData\Roaming\Emby-Server\system (after Kaspersky deleted it...), scanned it manually and it seems fine, but upon running it, I get Kaspersky killing the process and classing it as a virus again. Is this some sort of false positive?

Also, 4.8.0.80 still runs from the system.old directory, albeit wanting to set up from scratch again?

Posted

VirusTotal says it's clean, but so does Kaspersky if I manually scan the executable; it's at runtime that things get flagged...

Posted

[image]

Strange thing is though, upon running EmbyServer.exe (4.8.1.0) it tries to run this batch file? I assume that some magic happens in there but it's likely after running this that the 'Trojan' is flagged?

Is this batch file an expected part of running EmbyServer.exe 4.8.1.0?

Posted

It is probably a behaviour signature detecting it, if it is not detecting on open and close but on run. From the look of the name it is a generic, so it is triggering on something the exe is doing, one of the generic behaviours that it does not like, which could be anything, so I would whack an exclusion on the Emby server path in Kaspersky and move forward.

Posted
1 minute ago, api182 said:

[image]

Strange thing is though, upon running EmbyServer.exe (4.8.1.0) it tries to run this batch file? I assume that some magic happens in there but it's likely after running this that the 'Trojan' is flagged?

Is this batch file an expected part of running EmbyServer.exe 4.8.1.0?

Well, that would be the behaviour that is triggering it, I would guess.

Why is there a bat file in your Emby cache data dir @Luke?

Posted

Can you find and open that BAT file with Notepad and see what it contains?

Perhaps submit that to VirusTotal as well.

Posted

rem 7359 = udp server port
rem 8096 = http server port
rem 8920 = https server port
rem C:\Users\Admin\AppData\Roaming\Emby-Server\system\EmbyServer.exe = exe path

netsh advfirewall firewall delete rule name="Port 7359" protocol=UDP localport=7359
netsh advfirewall firewall add rule name="Port 7359" dir=in action=allow protocol=UDP localport=7359

netsh advfirewall firewall delete rule name="Port 8096" protocol=TCP localport=8096
netsh advfirewall firewall add rule name="Port 8096" dir=in action=allow protocol=TCP localport=8096

netsh advfirewall firewall delete rule name="Port 8920" protocol=TCP localport=8920
netsh advfirewall firewall add rule name="Port 8920" dir=in action=allow protocol=TCP localport=8920

netsh advfirewall firewall delete rule name="mediabrowser.serverapplication.exe"
netsh advfirewall firewall delete rule name="EmbyServer.exe"
netsh advfirewall firewall delete rule name="Emby Server"

netsh advfirewall firewall add rule name="Emby Server" dir=in action=allow protocol=TCP program=C:\Users\Admin\AppData\Roaming\Emby-Server\system\EmbyServer.exe enable=yes
netsh advfirewall firewall add rule name="Emby Server" dir=in action=allow protocol=UDP program=C:\Users\Admin\AppData\Roaming\Emby-Server\system\EmbyServer.exe enable=yes

:DONE
Exit

That's the contents of the temporary bat file it opens, but I don't think that is to blame; even if I deny it running through the UAC dialog by clicking No, Kaspersky still ends up kicking off about EmbyServer.exe, terminating and deleting it.

I'm a little hesitant to add an exception for the minute; I'll maybe wait and see what @Luke comes back with, if anything?

Thanks for responding @TeamB though 🙂

Posted

It looks like that file is part of the Emby setup; it is adding firewall rules to allow Emby to listen on ports.

I still think this is what the generic detection is; it's the sort of generic I would write. Not many things should be adding to the firewall, so it is a common attack behaviour that AV can look for.

@Luke can comment on the correctness of the above bat file though.
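
As a defender-side aid for reviewing a dropped file like the one quoted above, here is an added example (not Emby's code and not from any poster in this thread) that parses the netsh lines of such a batch file and reports which inbound allows it creates, which program paths it whitelists, and any command line that is not a firewall rule. The embedded sample is a constructed, trimmed copy of the quoted file; the expected executable path is an assumption taken from that file.

```python
import re

# Constructed sample: a trimmed copy of the temporary batch file quoted above (not the full file)
SAMPLE_BAT = r"""rem 8096 = http server port
netsh advfirewall firewall delete rule name="Port 7359" protocol=UDP localport=7359
netsh advfirewall firewall add rule name="Port 7359" dir=in action=allow protocol=UDP localport=7359
netsh advfirewall firewall add rule name="Port 8096" dir=in action=allow protocol=TCP localport=8096
netsh advfirewall firewall delete rule name="EmbyServer.exe"
netsh advfirewall firewall add rule name="Emby Server" dir=in action=allow protocol=TCP program=C:\Users\Admin\AppData\Roaming\Emby-Server\system\EmbyServer.exe enable=yes
:DONE
Exit
"""

# netsh arguments are key=value pairs; values containing spaces are double-quoted
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
NETSH_PREFIX = ("netsh", "advfirewall", "firewall")


def parse_batch(text):
    """Split a batch file into firewall rule operations and everything else.

    Returns (rules, other): each rule is a dict with 'op' ('add' or 'delete') plus the
    lowercased netsh keys; 'other' collects every command line that is not a netsh
    firewall rule, since those are what a reviewer of a dropped .bat wants surfaced.
    """
    rules, other = [], []
    for raw in text.splitlines():
        line = raw.strip()
        # comments, labels, blank lines and a bare Exit change nothing on the host
        if not line or line.lower().startswith("rem ") or line.startswith(":") or line.lower() == "exit":
            continue
        words = line.split()
        is_rule = (tuple(w.lower() for w in words[:3]) == NETSH_PREFIX
                   and len(words) > 4 and words[4].lower() == "rule")
        if not is_rule:
            other.append(line)
            continue
        rule = {"op": words[3].lower()}
        for key, val in KV_RE.findall(line):
            rule[key.lower()] = val.strip('"')
        rules.append(rule)
    return rules, other


def inbound_allows(rules):
    """Set of (protocol, local port or program path) that the script ends up allowing inbound."""
    return {(r.get("protocol", "?").upper(), r.get("localport") or r.get("program", "?"))
            for r in rules if r["op"] == "add" and r.get("dir") == "in" and r.get("action") == "allow"}


def unexpected_programs(rules, expected_exe):
    """Program-scoped allow rules that point somewhere other than the executable you expect."""
    return [r["program"] for r in rules
            if r["op"] == "add" and "program" in r and r["program"].lower() != expected_exe.lower()]
```

Run it over the real file before deciding on an exclusion: an empty `other` list and no unexpected program paths means the script does nothing beyond the port and program rules the thread describes.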

thefad3done
Posted (edited)

I am also having this, and unfortunately this flagging as a trojan has wiped a chunk of my Emby files out, and I am struggling to get it to reinstall.

Edit: Managed to get a bit further in re-installing, but it's literally lost all my settings; then it gets blocked again and re-deleted by KIS.

Edited by thefad3done
updated info
Posted

Bitdefender and Clam Antivirus report it clean

Posted

Guess false positive!

Known issue with AV.

Posted

We use that to add windows firewall rules.

BoomerGamer62
Posted

The same thing has happened to me. Kaspersky not only deleted embyserver.exe, but also the server tray.

Trying to figure out if I can get an exception into the Kaspersky list.....

[image]

BoomerGamer62
Posted

[image]

If it helps, these are the files Kaspersky is putting in quarantine.

BoomerGamer62
Posted

I was able to get it to stop deleting the files by putting in an exclusion in Kaspersky here:

Settings --> Security settings --> Exclusions and actions on object detection --> Manage exclusions

So Emby now runs without Kaspersky doing its quarantine. The problem is that since I did a couple of restarts, the system.xml file that I was able to roll back was a copy from when I had tried to re-install. All my configuration now seems GONE. While it looks like system was backed up to system.old, I don't see a backup of the config ANYWHERE.

Yes, I KNOW I should have backups, but I don't.

I hate to think I have to rebuild my users, my hundreds of live tv channels, etc.

@TeamB, @Luke, PLEASE tell me there is a way to get this back the way it was without totally having to rebuild this!

Posted

Did it wipe out the program data directory as well?

If it only wiped system.xml, does it offer a way to get the original file back?

If not then just step through the wizard and I think you'll be fine. You'll need to review server settings, but there is not as much stored in system.xml as you might think.

Posted

I am having the same issue as well with my Kaspersky. I can't access any of my folders in the Emby server. Does that mean all my hard work of arranging the folders and files is wiped out? Administrators, please roll out a new update as soon as possible; for now I can't use the server at all.

Posted

I managed to get mine back up and running by adding the exception in Kaspersky; then, luckily, I've been using the Backup & Restore feature in Emby for years and I had a backup from last week with the system.xml file in, so I managed to bring that back and am up and running once more.

My concerns going forward, though, are simply: why should we have to add an exception, effectively telling Kaspersky AV to ignore the application behaviour? I've been running Kaspersky on the same server with Emby for years, no problems whatsoever.

The way I see it, there are likely 3 possible issues (or a combination of them):

1. Kaspersky itself has updated recently and is now flagging too aggressively? Unlikely, as I was able to temporarily run 4.8.0.80 without Kaspersky kicking off about it, and I'd expect, certainly as it's not a major release, that the actual core behaviour of Emby remains the same as the previous version.

2. Emby has changed so much that it's all of a sudden behaving (according to Kaspersky) like a Trojan? Possible, I guess, as it does do all sorts of network interactivity etc., but looking at the changelog it doesn't seem that anything fundamental has changed that might trigger this.

3. A 3rd-party library is indeed infected and is being used in the Emby Server project, and Kaspersky, being as good as it is, has caught this before all other AVs? Possible? I've seen Kaspersky pick up things in the past that others haven't, so I can't simply ride on the "My #INSERT AV NAME HERE# isn't having an issue and is letting Emby run fine, so it must be fine" idea...

How do things move forward from here as this could be a continuous issue if left 'unsolved'?

Posted (edited)
10 minutes ago, api182 said:

My concerns going forward though are simply why should we have to add an exception effectively telling Kaspersky AV to ignore the application behaviour? I've been running Kaspersky on the same server with Emby for years, no problems whatsoever.

This is a Kaspersky FP, it happens, it is an issue with Kaspersky not with Emby.

10 minutes ago, api182 said:

Kaspersky being as good as it is

Hahahahhahahahahahahah 🙂 ... oh, you're serious...

Edited by TeamB
Posted

@TeamB so suddenly it's a Kaspersky issue? Why didn't this happen all these years while using Kaspersky? Clearly I am not the only one facing this... Be aware that in this way you are throwing away active users, and new potential users with Kaspersky will not open an Emby account when they read this discussion.

For now, as I mentioned, all my hard work of arranging the folders, users and live TV channels is gone. Thanks for nothing...

Posted
39 minutes ago, yafethk said:

so suddenly its a kaspersky issue?

It's up to you how you move forward, I am never going to tell anyone to disregard what they believe in, if you believe this is an Emby issue then ok.

To me this looks like it is an FP; no other AV tool in the VirusTotal list (not even Kaspersky) is picking this up in a static scan. It looks like a Kaspersky FP on a behaviour, the behaviour being the launching of a BAT file (regardless of what is in the bat file), and possibly, with the age of this new version (the file being very new), Kaspersky triggers a detection, probably incorrectly, thus causing this potential FP.

If you feel this is something you need to stick with and Kaspersky is correct, then you need to act accordingly.

Having said all this, Emby cannot fix this; it is what it is.
You have the facts, put your big boy pants on and move forward, either delete Emby because kaspersky thinks it is malware or add an exclusion to allow Emby to run.

created1ders
Posted

You are definitely not the only one facing this. My Emby went down yesterday afternoon with the exact same issues you are facing.

Kaspersky keeps quarantining and deleting files even when I made exceptions to anything it listed. I've only had Emby for a couple months and it always worked flawlessly up til now. If this is indeed a Kas issue how are we supposed to fix it if Kas keeps ignoring our request to ignore it?

BoomerGamer62
Posted (edited)

For those affected, you can do the following in Kaspersky:

1. Add exceptions to the Exception list. From the home screen, you can find it at:

Settings (little gear at the bottom left) --> Security settings --> Exclusions and actions on object detection --> Manage exclusions.

You want to add two exclusions for the following folders (the "xxx" below will vary depending on your Windows user name):

C:\Users\xxx\AppData\Roaming\Emby-Server\programdata\

C:\Users\xxx\AppData\Roaming\Emby-Server\system\

Leave the "Object" field and "File Hash" field blank. Select "All components" for Protection Components.

2. To get the removed files back, from the home screen go to Security --> Quarantine. You should see a list of files that were deleted from the Emby-Server folder. Check off all those files and press the "RESTORE" button.

3. Reboot your system.

CAUTION: By doing this, you are creating a vulnerability where anything that would get put in these two folders would be exempt from scanning for viruses. I'm not thrilled with this either, but this does work until I can think of something better -- or Emby reverses whatever they did.

Edited by BoomerGamer62
