[Kaspersky/w11] OpenHuman.exe flagged as PDM:Trojan.Win32.Generic + IFEO Debugger entries

[DouglasOttoDavila]

I’m opening this as a possible false positive report. I am not claiming this is malicious behavior, but I wanted to share the details because Kaspersky triggered a high-severity behavioral detection shortly after installing/running OpenHuman on Windows.

Environment

• OS: Windows 11 Pro
• AV: Kaspersky
• OpenHuman install path detected by AV:
  • C:\Program Files\OpenHuman\OpenHuman.exe
• Ollama was also installed on the machine, but the installed Ollama binary appears to be in the normal location:
  • C:\Users\<user>\AppData\Local\Programs\Ollama\ollama.exe

Kaspersky detections
Kaspersky reported the following detection for OpenHuman:

• Object: OpenHuman.exe
• Path: C:\Program Files\OpenHuman
• Detection: PDM:Trojan.Win32.Generic
• Type: Trojan
• Severity: High
• Detection method: Behavioral analysis

Kaspersky then reported actions such as:

• OpenHuman.exe terminated
• backup copy created
• OpenHuman.lnk deleted
• OpenHuman.exe deleted
• OllamaSetup.exe scheduled for deletion after reboot
• application action rollback completed

In another report, Kaspersky detected and disinfected multiple registry entries under:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\...\Debugger

Detection name:
HEUR:Trojan.Multi.Misslink.a

Affected IFEO/Debugger targets included entries related to:

• nordvpn.exe
• nordvpn.diagnosticstool.exe
• nordsecurity.nordvpn.diagnosticstool.application.exe
• nvidia app.exe
• setup.exe
• wondershare filmora launcher.exe

Cleanup performed

After uninstalling/removing OpenHuman and rebooting, I ran the following checks:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger

Both returned:
End of search: 0 match(es) found.

I also removed:

Remove-Item "C:\Program Files\OpenHuman" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item "$env:USERPROFILE\.openhuman" -Recurse -Force -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\OllamaSetup.exe" -Force -ErrorAction SilentlyContinue

Ollama appears to remain installed in the expected user-local path:
C:\Users\<user>\AppData\Local\Programs\Ollama\ollama.exe

SHA256 of ollama.exe:
A820ECBC8A4B8654064E89EFDEB4340EF29E40EFBCBECBBC704019739F0286F3

Questions

1. Could the maintainers please clarify whether OpenHuman intentionally creates, modifies, or interacts with any Image File Execution Options...\Debugger registry entries on Windows?

2. Also, could you confirm whether the app or installer performs any behavior that might trigger Kaspersky’s behavioral detection, such as:

• process injection/debugger registration
• persistence hooks
• system-wide registry modification
• installer rollback behavior
• downloading/running OllamaSetup.exe from %TEMP%
• modifying shortcuts or startup entries

If this is expected behavior or a known false positive, it would be helpful to document it, ideally with:

• expected Windows registry changes
• official binary hashes/checksums
• code-signing status
• VirusTotal/Kaspersky OpenTIP results for the official release
• explanation of how Ollama is downloaded/installed by OpenHuman

I’m happy to provide the Kaspersky CSV reports privately if needed.

Thanks.