Kaspersky Reporting Malware Detected on Roon Installer [Answered False Positive - Whitelist Roon]

I tried to update my clients to the latest version. Both of them have Kaspersky Antivirus Free installed.
On both clients the install fails and KAF reports a ransom trojan in the Roon installer:

This is a false positive detection. Please see Roon Installer for Windows - Infected with a trojan.

2 Likes

This comes up often.
https://community.roonlabs.com/t/roon-installer-for-windows-infected-with-a-trojan/47867/2?u=ged_hickman1

1 Like

I use Kaspersky and I’m getting a message that Roon “Application performing dangerous activity characteristic of malware”

Detected: PDM:Trojan.Win32.Bazon.a

Should I be concerned? If not, anyone know how to tell Kaspersky that all is ok?

Thanks in advance!

You’re the 2nd one this week. It’s fine.

Hey @James_Austin,

This is a false positive, which can happen from time to time as mentioned by our COO Danny here:

https://community.roonlabs.com/t/trojan-in-roonbridgeinstaller64-exe-false-positives/40557/11

The best solution is to whitelist Roon with Kaspersky and you shouldn’t have any issues.

Thanks!
Dylan

Hi all, this is my first post on here.

After using Roon for some months now Kaspersky Internet Security (Version 18) today decided that Uninstall.exe in file location - C:\Users\Name\AppData\local\Roon\Application\100400310\ was a virus which contained the above and has quarantined it. I don’t know why it has suddenly decided this and am unsure if it’s a false Positive? I am obviously reluctant to restore the file to its original location just in case it has been infected.

I am running Windows 10 64bit and this is the first time since installing it that any virus has been flagged. My Core/Library is installed on my QNAP. The Roon interface still runs okay on my laptop which is not surprising as it’s the Uninstall.exe that’s been quarantined.

Any help with this would be greatly appreciated. Hope I’ve posted this in the right place. @support

It’s not the first time this has been asked. It’s a false positive.

https://community.roonlabs.com/t/trojan-in-roonbridgeinstaller64-exe-false-positives/40557/11?u=martin_webster

My Win 10 with Kaspersky also decided the Uninstall.exe was a virus and removed it. Now you say it is a false positive, so I tried to restore the file, but as soon as it is restored Kaspersky removes it again. How do I stop Kaspersky from removing it again?

Try this: How to create an exclusion rule in Kaspersky Internet Security 2016

https://support.kaspersky.co.uk/12160

Hi Martin, thanks for your response, it’s a bit more reassuring but a pity that we have to basically carry out a work around. I appreciate that the issue is likely to be a false positive by Kaspersky but it would be better if it could be resolved.

It can be difficult to find answers on the forums as they obviously grow longer by the day but it’s great to know so many people are contributing.

Your response and assistance is much appreciated!

Antivirus programs look for a virus signature, not the whole virus program. Sometimes antivirus software will find a signature in legitimate programs–this is a false positive. Moreover, because viruses are getting more elaborate (polymorphic and metamorphic), heuristic (self-learning) techniques are used to identify viruses. This tends to have more false positives.

So, there’s very little Roon Labs can do other than ensure their code is clean and safe at the point of download. You may find Windows Defender is more effective and less resource hungry than add-on antivirus packages.

I had a lot of trouble with Kaspersky. I changed to Norton; all problems solved.

May be a silly question but, DO you even need to worry about the Uninstall.exe being deleted? Would you even need the program?

I’m personally wary of Kaspersky in view of its Russian connections. I have been very happy with WebRoot, which probably just means my data gets routed through the NSA before getting to the FSB. WebRoot gets excited every time I upgrade to a new build in Roon, but hasn’t identified anything in Roon as a virus.

2 Likes

bearFNF, as a lifetime member I agree that I am extremely unlikely to leave Roon and therefore need to use the uninstall facility. However, there are times that a program needs to be uninstalled then reinstalled due to software conflicts with other programs etc. For this reason I would prefer that the file is not removed from the program.

Thanks andybob for your suggestion, I may look at WebRoot in the future.

I’d like to add that “Gen.hry” at the end of the “virus” name means Generic Heuristic, that is, Kaspersky didn’t even find any virus signature in this file but its heuristic engine thought that this file had some functions or was constructed like other Trojan Ransom viruses. This heuristic engine was designed to catch new viruses before the virus signature is available. So, on the assumption that we trust Roon, it’s a false positive. My Kaspersky also quarantined this file.

Or maybe this file is responsible for the membership fees we pay to Roon. :grin:
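The two mechanisms described in the posts above (a partial byte signature turning up in a legitimate program, and a generic heuristic flagging a file with no signature at all) can be shown with a toy scanner. This is an added example, not part of any post and not Kaspersky's or Roon's code; the byte pattern, behaviour names, weights and sample files are all constructed for illustration.

```python
import hashlib

# Constructed stand-in for a vendor byte signature (not a real detection pattern).
SIGNATURE = bytes.fromhex("deadbeef0badf00d")

# Constructed behaviour weights; real engines use far richer, undisclosed models.
WEIGHTS = {
    "deletes_many_files": 3,
    "edits_registry": 2,
    "terminates_processes": 2,
    "encrypts_user_documents": 5,
}
THRESHOLD = 6  # a score at or above this is reported as a generic heuristic hit


def scan(data: bytes, traits: set, known_bad_sha256: set) -> list:
    """Return the names of the checks that flag this file."""
    hits = []
    # Whole-file hash: no practical false positives, but any change to the file evades it.
    if hashlib.sha256(data).hexdigest() in known_bad_sha256:
        hits.append("full-hash")
    # Partial signature: a short byte run found anywhere in the file.
    if SIGNATURE in data:
        hits.append("signature")
    # Heuristic: score what the file does; no signature is needed.
    if sum(WEIGHTS.get(t, 0) for t in traits) >= THRESHOLD:
        hits.append("heuristic")
    return hits


# Constructed samples (arbitrary bytes, not real executables).
MALWARE = b"MZ" + b"\x00" * 16 + SIGNATURE + b"payload"
# Benign file that happens to embed the same byte run, e.g. via a shared library.
BENIGN_INSTALLER = b"MZ" + b"setup-data" + SIGNATURE + b"more-setup-data"
# Benign uninstaller: no signature bytes, but its normal job looks destructive.
BENIGN_UNINSTALLER = b"MZ" + b"remove-app-files"
KNOWN_BAD = {hashlib.sha256(MALWARE).hexdigest()}


def demo() -> dict:
    uninstall_traits = {"deletes_many_files", "edits_registry", "terminates_processes"}
    return {
        "malware": scan(MALWARE, {"encrypts_user_documents", "deletes_many_files"}, KNOWN_BAD),
        "installer": scan(BENIGN_INSTALLER, {"edits_registry"}, KNOWN_BAD),
        "uninstaller": scan(BENIGN_UNINSTALLER, uninstall_traits, KNOWN_BAD),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:12} flagged by: {hits or 'nothing'}")
```

Only the whole-file hash separates the real sample from the two benign files; the partial signature and the heuristic each produce one false positive.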

Thanks to everyone for their help with this. I decided to run the RoonInstaller64 program through the Kaspersky online VirusDesk & as expected Kaspersky considered it to be a virus. I then submitted the RoonInstaller64 file to Kaspersky confirming that I considered detection to be a False Positive. Since that time I have tried restoring the quarantined file daily but it immediately quarantined it again. I am pleased to say that today I have had complete success restoring the file and it no longer treats it as a virus. I have also scanned both the RoonInstaller64 file and the AppData Roon install directory many times and Kaspersky no longer finds the False Positive virus within these locations. Hopefully the problem does not return.

@Par_Linden would you perhaps try restoring your quarantined file again to see if you get the same results?

Thanks

2 Likes

I know this is both an old/current topic but I thought it best to give a final update on the situation.

Unfortunately it is no longer possible to scan the RoonInstaller and submit a false Positive on the Kaspersky website as the file is > 50 Mb. I therefore contacted Kaspersky through my account and they quickly replied with the following:-

Thus, it should be possible for anyone using Kaspersky with issues to resolve this when the update is applied to their database.

5 Likes