Hey, this is a known false positive from Kaspersky. Its PDM Proactive Defense Module is behavior-based heuristic analysis, not signature detection. cursor-agent is a Node.js CLI that does what any dev tool does, like outbound API calls, running terminal commands, spawning child processes, and talking to MCP servers. For PDM that can look suspicious, so you get the generic detection PDM:Trojan.Win32.Generic.
A few similar threads with the same detection:
- Kaspersky Flagged Cursor IDE as ClipBanker Trojan on Windows
- Kaspersky accusing Cursor of being a trojan
- Trojan in Cursor
Workaround: add the full path C:\Users\upupu\AppData\Local\cursor-agent\ to Kaspersky exclusions, including the versions subfolder. It also helps to submit a false positive report directly to Kaspersky so they can update their detections faster: https://opentip.kaspersky.com/
If something still gets triggered after the exclusion, tell me and we’ll take a look.