Kaspersky flags TCPIP.SYS as Malware

Published: 2013-10-25
Last Updated: 2013-10-25 17:41:34 UTC
by Rob VandenBrink (Version: 1)
5 comment(s)

One of our readers has alerted us that Kaspersky AV is identifying tcpip.sys as malware on his Windows 7 32-bit hosts; the file is flagged as "HEUR:Trojan.Win32.Generic".

Fortunately, Microsoft's Windows File Protection feature ( http://support.microsoft.com/kb/222193 ) prevented it from quarantining this critical file, but his end users were all treated to the error message (from both the AV and the OS, I'm guessing).

His version of Kaspersky is the OEM Check Point version, but it appears to be a Kaspersky issue, not something specific to Check Point.

Kaspersky has verified ( https://twitter.com/kaspersky/status/393777843341393920 ) that this is resolved in their latest update. If you're seeing this issue, have your AV "phone home" for the fix!


Rob VandenBrink



I don't have time to research it at the moment, but didn't tcpip.sys get flagged as malware a few years ago by an AV?
You would think that by now antivirus vendors would have signatures of "known safe files": SHA1 message digests of known system files, both from the original media and the updated hashes of the file on clean systems before and after every valid combination of Windows updates/patches to the file.

There's really no reason in the world it ought to be possible to have a false positive on TCPIP.SYS; the crypto hash of the legitimate versions of the file should be well-known by now.
Happens here too.

Temporary solution:

1. Do not restart the computer.
2. Restore tcpip.sys from quarantine folder.
3. Create an exclusion rule for "C:\Windows\System32\drivers\tcpip.sys"

Kaspersky Lab has released anti-virus databases in which detection of the system file tcpip.sys was mistakenly added.
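Before restoring a quarantined tcpip.sys or adding the exclusion rule from the steps above, it is worth confirming that the file on disk is the genuine Microsoft-signed driver and matches a hash you have approved, which is the "known safe files" check the earlier comment asks for. The following is an added example, not code from the diary or its commenters; it assumes PowerShell 4.0 or later run as administrator, and the SHA1 allowlist value is a placeholder you replace with hashes of the tcpip.sys builds deployed in your environment.

```powershell
# Added example: verify a system driver before trusting it (not from the diary).
# Assumes PowerShell 4.0+ (Get-FileHash, catalog-aware Get-AuthenticodeSignature).
param(
    [string]$Path = "$env:SystemRoot\System32\drivers\tcpip.sys",
    # Operator-supplied allowlist of SHA1 hashes; the value below is a
    # placeholder, not a real hash of any tcpip.sys build.
    [string[]]$KnownGoodSha1 = @("<sha1-of-approved-tcpip.sys-build>")
)

function Test-SystemDriverIntegrity {
    param([string]$FilePath, [string[]]$AllowedSha1)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Exists = $false; Verdict = "MISSING" }
    }

    # Authenticode/catalog signature check: the driver must chain to a valid
    # signature whose signer is Microsoft, not merely carry any signature.
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA1).Hash
    $signedByMs = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Subject -like '*Microsoft*')
    $hashKnown  = $AllowedSha1 -contains $hash

    # Verdicts: OK = signed and on your allowlist, safe to restore/exclude;
    # SIGNED-BUT-UNLISTED = genuine Microsoft build you have not yet recorded;
    # INVESTIGATE = unsigned or invalid signature, do not exclude it from scanning.
    $verdict = "INVESTIGATE"
    if ($signedByMs) { $verdict = "SIGNED-BUT-UNLISTED" }
    if ($signedByMs -and $hashKnown) { $verdict = "OK" }

    [pscustomobject]@{
        Path      = $FilePath
        Exists    = $true
        Version   = (Get-Item -LiteralPath $FilePath).VersionInfo.FileVersion
        Signed    = $signedByMs
        Signer    = $sig.SignerCertificate.Subject
        SHA1      = $hash
        HashKnown = $hashKnown
        Verdict   = $verdict
    }
}

Test-SystemDriverIntegrity -FilePath $Path -AllowedSha1 $KnownGoodSha1 | Format-List
```

The built-in `sfc /verifyfile=C:\Windows\System32\drivers\tcpip.sys` performs the same kind of integrity check against Windows' own protected-file store and is a useful second opinion when the signature check is inconclusive on older PowerShell versions.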
