
SANS ISC: Kaspersky flags TCPIP.SYS as Malware SANS ISC InfoSec Forums

Kaspersky flags TCPIP.SYS as Malware

One of our readers has alerted us to the fact that Kaspersky AV has identified tcpip.sys as malware on his Windows 7 32-bit hosts; the file is flagged as "HEUR:Trojan.Win32.Generic".

Fortunately, Microsoft's Windows File Protection feature prevented it from quarantining this critical file, but his end users were all treated to the error message (both from the AV and from the OS, I'm guessing).

His version of Kaspersky is the OEM Checkpoint version, but it appears to be a Kaspersky issue, not Checkpoint specific.

Kaspersky has verified that this is resolved in their latest update. If you're seeing this issue, get your AV to "phone home" for the fix!


Rob VandenBrink

571 Posts
ISC Handler
Oct 25th 2013
I don't have time to research it at the moment, but didn't tcpip.sys get flagged as malware a few years ago by an AV?

24 Posts
You would think that by now antivirus vendors would have signatures of "known safe files": SHA1 message digests of known system files, both from the original media and the updated hashes of files on clean systems before and after every valid combination of Windows updates/patches to the file.

There's really no reason in the world it ought to be possible to have a false positive on TCPIP.SYS; the crypto hash of the legitimate versions of the file should be well-known by now.

146 Posts
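The check the comment above is asking for, written out as an added example (not code from the ISC diary or from any AV vendor): before acting on a detection of a Windows system file, confirm its Microsoft Authenticode signature and compare its SHA-256 against a reference allowlist built from clean hosts. It assumes an administrator PowerShell session with `Get-FileHash` available (PowerShell 4.0 or later), and the hash in `$KnownGood` is a constructed placeholder, not a real tcpip.sys hash.

```powershell
# Added example: triage an AV hit on a system driver before trusting the verdict.
# $KnownGood maps a reference-system label to a SHA-256 taken from a clean host.
# The value below is a CONSTRUCTED placeholder; replace it with hashes from your
# own patched reference systems (one entry per build/patch level you run).
$KnownGood = @{
    'win7-x86-reference-placeholder' = ('0' * 64)
}

function Test-SystemDriver {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Allowlist
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING'
                                  Reason = 'file absent (already quarantined?)' }
    }

    # 1. Authenticode: a genuine tcpip.sys carries a valid Microsoft signature.
    #    Caveat: on Windows 7 this cmdlet does not consult catalog signatures, so
    #    a catalog-signed file can report NotSigned; cross-check with
    #    "sfc /verifyfile=<path>" when Status is not Valid.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $msSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')

    # 2. Hash allowlist: does this exact binary match a known-clean reference?
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $match = $Allowlist.GetEnumerator() | Where-Object { $_.Value -eq $hash } |
             Select-Object -First 1

    $verdict = if ($msSigned -and $match) { 'KNOWN-GOOD' }        # safe to treat as FP
               elseif ($msSigned)         { 'SIGNED-UNLISTED' }   # add hash after review
               else                       { 'INVESTIGATE' }       # do not assume FP

    [pscustomobject]@{
        Path      = $Path
        SHA256    = $hash
        SigStatus = $sig.Status
        Signer    = $signer
        Verdict   = $verdict
        Reason    = if ($match) { "matches $($match.Key)" } else { 'hash not in allowlist' }
    }
}

Test-SystemDriver -Path 'C:\Windows\System32\drivers\tcpip.sys' -Allowlist $KnownGood |
    Format-List
```

A SIGNED-UNLISTED result on a patched host usually means the allowlist is stale; an INVESTIGATE result means the file should be handled as a real incident, not restored from quarantine on the strength of the vendor's later retraction.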
Happens here too.
1 Posts

Temporary solution:

1. Do not restart the computer.
2. Restore tcpip.sys from the quarantine folder.
3. Create an exclusion rule for "C:\Windows\System32\drivers\tcpip.sys"
1 Posts
Kaspersky Lab has released anti-virus databases to which a detection for the system file tcpip.sys was mistakenly added.
1 Posts
