Jump to content

WPS Office 2016 false positive

ptcman

By ptcman
in Malware Finding and Cleaning

 Share

Recommended Posts

ptcman

ptcman 1

Posted
Posted (edited)

Hi.

Here is a video during WPS Office 2016 installation where there's a potentially unwanted application (KingSoft.D) warning.

I cleaned it several times during installation.
When I opened each WPS application a URL addess is contantly blocked.

If on the other hand I do not clean the KingSoft.D file during the installation, everytime I open of of WPS application I get multiple pop up windows referring to the potentially unwanted application.

I contacted WPS support which they replied saying that this should be fixed by ESET since ESET is the only antivirus that create false positives with WPS. 

How to solve these warnings?

Regards

Edited by ptcman
Link to comment
Share on other sites
Carl S

Carl S 1

Posted
Posted

Since it's called Kingsoft.D, I suspect that's not a false positive, but a PUP that was specifically found in WPS Office. If you don't like it, turn off PUP detection.

Link to comment
Share on other sites
ptcman

ptcman 1

Posted
  • Author
Posted

Turning off PUP detection doesn't sound a safe thing to do.

A friend of mine has an antivirus from another company and he had not any problem while installing WPS Offic on his computer.
On one hand this might be a warning sign because the antivirus he's using might not be all that good in detecting possible threats but on the other hand ESET might be too cautions and warning about files that are harmless.

Instead of switching off detection modes from ESET, I rather ESET could check this behavior with WPS Office.

Regards

Link to comment
Share on other sites
Carl S

Carl S 1

Posted
Posted (edited)

Well, it's doing exactly what it's supposed to be doing.  ESET is warning about files that may be "harmless" because you have PUP detection turned on.  If you don't want it to be so aggressive and that ESET's being too cautious, you can turn PUP detection off.  Or, you can temporarily turn off ESET's detection while you install the software, and turn it back on later.

It is clear that software from Kingsoft has been determined to be a Potentially Unwanted Program by ESET and/or some of its users.  Otherwise, they wouldn't have named the detection after the software publisher itself. This doesn't mean it is a virus or trojan.  It means that it does something else that many users don't like.

It doesn't make sense for ESET to ignore this software for everyone, when you're the one who has determined this particular PUP is OK for you. I understand that. In the past, I have installed software that included adware, but I thought it was worth it to get the free software.  I ignored ESET's PUP warning and still used the software.  I do not expect ESET to remove that particular PUP detection for that item for everyone else, because for many it is indeed an unwanted program.

Edited by Carl S
Link to comment
Share on other sites
ptcman

ptcman 1

Posted
  • Author
Posted

Thank you for your reply.

When you say "is an unwanted program", are you reffering to the KingSoft.D file which seems to be the file that is generating all the issues?

Regards

Link to comment
Share on other sites
Carl S

Carl S 1

Posted
Posted (edited)

KingSoft.D is the signature name by which ESET labels the unwanted program.  It is the unique identifier that goes along with the definition in the ESET database that is used to name the PUP.  The file in question is either the WPS Office installer or one of the files inside it or that it retrieves from the web during the installation process.  Without further details, it's hard to tell exactly what file that is, and it may not be important. If the software is not working correctly, you might try installing and clicking Ignore instead of Clean if you're sure you really want WPS Office.

You can probably see why it is considered a PUP at 1:18 in your video.  At that point it is going out to a possibly shady ad-server on the web when you start the Office program.  You can see this WPS Office is advertising supported (see the ad in the spreadsheet for WebStorm).  That's why it's considered a PUP.  It is getting advertising from the web, probably without fully warning the user before installation that it would be doing that.  If you're OK with that type of behavior, just ignore the Win32/KingSoft.D PUP warnings during the installation.  

The URL warnings near the end of your video are a bit more problematic.  It appears it is getting javascript from 1-1ads.com to load up ads in the software.  Either that javascript is malicious or URL/domain have been identified as a problem. You can ignore them by whitelisting, but without further details, that would be a tough call for the user.  My thought is if WPS Office works as expected, would be to let ESET block the URLs.  You might want to turn off the notifications, though as that might get annoying.  There is an option in the settings called "Display only notifications requiring user interaction."  That would let ESET silently block those URLs.  If, however, WPS Office stops working as expected, then you may need to whitelist things so the software can work correctly, but I would not recommend that unless you're absolutely clear as to why ESET is blocking the ad URLs.  You can ignore PUPs if you're personally OK with that.  Ignore other ESET warnings at your own peril.

Edited by Carl S
Link to comment
Share on other sites
  • 5 months later...
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...