Kaspersky Internet Security 2012


With Kaspersky Internet Security 2012 installed on my computer the dialog window that informs about suspicious activity: "Unknown application is trying to intercept keyboard input: Keylogger. Driver file: kernel mode memory patch" periodically appears. What should I do?

Back to "Proactive Defense"
2012 Aug 15 ID: 6446


What is Keylogger

If the interactive mode is enabled in the Kaspersky Internet Security 2012 settings and in the Proactive Defense component settings the Prompt for action option is selected, then in some cases the Kaspersky Internet Security 2012 dialog window that will inform you about suspicious activity may appear. The process will be detected as Driver file: kernel mode memory patch.

Keyloggers may send your personal information (logins, passwords, credit card numbers) you enter using your keyboard to a cyber criminal. However, similar actions can be performed not only by malicious programs, but also by some other not malicious applications installed on your computer. Very often these actions are performed by means of hotkeys to access some functions of an application installed on your computer.

In most cases, the process kernel mode memory patch is not malicious. You can add this process to the exclusions list by clicking Add to exclusions.

In the Exclusion rule window you can find the information that the object kernel mode memory patch which is defined as PDM.Keylogger kernel mode memory patch will not be scanned by Proactive Defense. To add the rule click the OK button.

When the object is added to the list of exclusions the notification window that will inform you that Behaviour similar to PDM.Keylogger. Allowed will appear.

Back to the contents

How to manually add the kernel mode memory patch object to the list of exclusions

You can also manually add the object kernel mode memory patch to the list of exclusions. For this, perform the following actions:
  1. Open the main application window.
  2. In the top right corner of the window click the Settings link.
  3. In the Settings window go to the Additional tab.
  4. In the left part of the window select Threats and Exclusions.
  5. In the right part of the window in the Exclusions section click the Settings button.
  6. In the Trusted zone window on the Exclusion rules tab click the Add button.


  1. In the Exclusion rule window in the Properties section check the Threats type box.
  2. In the Rule description section perform the following actions:
    • In the Object string click the select object link.
    • In the Object name window in the empty field enter kernel mode memory patch and click the OK button.
    • In the Treats type string click the enter threat name link.
    • In the Threat type window in the empty field enter PDM.Keylogger and click the OK button.
    • In the Protection components string click the any link, then click the select component link.
    • In the Protection component window check the Proactive defense box and click the OK button.
  3. In the Exclusion rule window click the OK button.
  4. In the Trusted zone window click the OK button.
  5. In the Settings window click the OK button.
  6. Close the main application window.


Back to the contents

What should I do if I suspect that the kernel mode memory patch process is malicious 

If you suspect the process is malicious, perform the following actions:

  1. Once the scan is complete, export scan report to a file.
  2. Create a request to Kaspersky Lab Technical Support via the My Kaspersky Account service. Describe your issue in all details and attach the created report file to the request.

Back to the contents

Was this information helpful?
Yes No

Applies To:

  • Kaspersky Internet Security 2012
  • Windows