sk3tch
This is all very preliminary...but I've now had two incidents where my Kaspersky Personal 5.0 (actually Defender Pro 2005 which is just a re-brand) honeypot has been infected by malware that the app knows about, i.e. it slips right through the realtime scanning engine. So once I notice the infection (usually due to a lot of network traffic coming from the infected honeypot) I check the box and all the malware processes are in memory and running and kavsvc.exe is utilizing 100% CPU (or as much as it can get as it fights with the malware for CPU time). As you guys probably know, kavsvc.exe is their realtime scanning engine, and the process cannot be killed (at least with Task Manager and kill.exe). I also was not able to stop the service...only a power off or reboot stops it.

The first incident happened on 11/26 and now one just happened today (11/28). In both cases, when I discovered the system the definitions were up-to-date within a few hours (the honeypot AV is set to default KAV values, so every three hours it checks for new stuff).

I've submitted both cases to Kaspersky and I'm working on resolving what happened. The nice thing is that I'm using VMware for my honeypots so I can compress them and FTP them around. Only problem was that last time I had issues getting it to Russia and ended up just giving them my personal FTP... but they haven't picked up the 700MB zip of the VMware files yet. Now I've got a second one to send them.

Has anyone seen anything like this? I'm just really concerned because in the time I've used KAV in my honeypot I have begun to worry more and more that their application is crap (but, as we all know, their definitions are excellent)!

I'm going to begin testing Kaspersky Personal Pro 5.0 tonight.
strohunter
I know this problem too; there seems to be a correlation between VMware and KAV.

It happens to me when my VMware crashes: when I reboot them, KAV eats up 100% of my CPU. After a while everything returns to normal, except that I have lost some gigabytes on the hard drive that has VMware installed (KAV seems to dump the whole VMware image on the hard drive in order to scan it).
sk3tch
Thanks for the response.

OK - so you're talking about your host system running VMware systems running KAV and causing issues?

I think my case may be slightly different, as it is VMware GSX running on Red Hat Enterprise Linux 3...there is no AV scanner on my Linux box.

However, the VMware direction is an interesting one. May have to set up a physical system to test this.

Thanks!