Process Hacker 3.0.3813 false positive



Hey,

 

The latest Process Hacker nightly is showing Malware.AI.1270165517 by Malwarebytes, but is also showing 36 other detections... Are these false positives?

 

Specifically the ZIP file downloaded from here:

https://processhacker.sourceforge.io/nightly.php

 

Can also be downloaded directly from the build servers here:

https://ci.appveyor.com/project/processhacker/processhacker/builds/37681352/artifacts

 

Showing Malwarebytes detections and others here:

https://www.virustotal.com/gui/file/6104dca0af58911a9d0835c15b849754bbbe23f1c9eaf01c7ea41d50afd007a1/detection

 

That's a lot of detections... Are they false positives?

 

Edited by AdvancedSetup
disabled live hyperlinks
  • Root Admin

I went ahead and downloaded the zip file and scanned it. Below is the output from the scan.

VirusTotal also shows that 36/63 vendors detect it as malware.

https://www.virustotal.com/gui/file/6104dca0af58911a9d0835c15b849754bbbe23f1c9eaf01c7ea41d50afd007a1/detection

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/10/21
Scan Time: 7:07 PM
Log File: 4bf400e6-6c16-11eb-82d9-00d8617a9654.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1173
Update Package Version: 1.0.36945
License: Premium

-System Information-
OS: Windows 10 (Build 19042.804)
CPU: x64
File System: NTFS
User: computer\pc

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 1
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 0 min, 8 sec

-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Malware.AI.1270165517, D:\DOWNLOADS\PROCESSHACKER-3.0.3813-BIN.ZIP, No Action By User, 1000000, 0, 1.0.36945, C85CC967AB90339A4BB5300D, dds, 01111765, EECD9D4496282F5D48B34764CD839936, 6104DCA0AF58911A9D0835C15B849754BBBE23F1C9EAF01C7EA41D50AFD007A1

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 


VirusTotal also shows that 36/63 vendors detect it as malware.

 

Is it actually malware or a false positive?

 

I'm the lead developer/owner of these binaries, so some clarification is required... These binaries are compiled automatically by GitHub and AppVeyor (third-party companies)... So if the binaries contain malware, that implies the GitHub repository is also infected with malware?

 

It would also require reviewing this previous statement by Malwarebytes:

"Malwarebytes does not detect Process Hacker as malicious or potentially unwanted."

 

 

 

2 hours ago, miekiemoes said:

Hi,

While this isn't malware, it's unfortunately being used (abused) by a lot of malware, hence why most AVs detect it.

We will remove the Malware.AI. detection for this and adjust the detection name.


 

"it's unfortunately being used (abused) by a lot of malware" 

 

Can you give some examples? Is that a current campaign or a new attack? 

 

Malwarebytes is currently detecting our x86 executable, not the x64 executable and also not the driver... It's also not including detections for the last stable release v2.39 from 2016... So what you've said makes zero sense because otherwise you would blacklist the stable version and the driver, not the x86 nightly build.

 

If you know about attacks using our software, then you should share that information so I can fix the issue; otherwise it'll keep happening.

 

  • Staff

Process Hacker is especially being used by some ransomware variants, such as Dharma/Crysis. It mainly uses the x86 executable, hence why most detect it.

 

Edited to add, as you probably have noticed, we are no longer detecting it as Malware.AI anymore.

Edited by miekiemoes
3 minutes ago, miekiemoes said:

Process Hacker is especially being used by some ransomware variants, such as Dharma/Crysis. It mainly uses the x86 executable, hence why most detect it.

The analysis of this published by Malwarebytes states this is an RDP attack?

https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/

 

So is there an actual security issue with our software, or are they installing it manually and just using it like anyone else would over Remote Desktop? Is that correct?

 

  • Staff

There is no security issue with your software; it's just that it's abused by malware, so that's why most AVs alert on that.

But as I said already, we are no longer detecting this, also since Dharma/Crysis isn't prevalent these days either.

34 minutes ago, miekiemoes said:

There is no security issue with your software; it's just that it's abused by malware, so that's why most AVs alert on that.

But as I said already, we are no longer detecting this, also since Dharma/Crysis isn't prevalent these days either.

 

1) You've detected/blocked our binaries, not the actual malware binaries.

2) You've blamed us for an RDP exploit and attack - RDP is owned/operated by Microsoft and not us.

3) You've refused to disclose the attack to the development team per our security policy: https://github.com/processhacker/processhacker/security/policy

4) You've prevented us from investigating the attack and thus prevented fixing any possible security issues, effectively prolonging these attacks.

5) You've only blocked the x86/ProcessHacker.exe and not the x64 version which - if true - would also be vulnerable, as would our kernel driver but neither of those are blocked.

 

There is no security issue with your software; it's just that it's abused by malware, so that's why most AVs alert on that.

A few months ago you were saying it was a false positive:

 

Why did you block our binaries instead of the actual malware?


At any time you could have contacted us and reported a problem but chose not to, and instead attacked/blocked our project binaries, which goes against everything that was written by Malwarebytes about our project: https://blog.malwarebytes.com/101/how-tos/2018/11/advanced-tools-process-hacker/


Our security policy clearly states you can report issues privately and even includes our personal email addresses... You can't go around saying our project is malware, then saying the project has security issues, then saying no security issues but that it's abused by malware when it's an actual human operator using RDP - then refusing to report issues to the development team... this is highly unethical to say the least.

 

If our project is being abused by malware then there's a security issue and you should be doing the right thing and reporting it to us... If it's simply being used over remote desktop then that's a human operator using the project, not actual malware which is a major difference between the two - misconstruing the issues does nothing to help anyone and just makes the issue worse.

 

You need to re-evaluate your policies and procedures and do the right thing by actually reporting issues to us so they can be investigated and fixed.

  • miekiemoes locked and unlocked this topic
  • 2 weeks later...
On 2/11/2021 at 9:05 PM, miekiemoes said:

Thanks for your feedback.

Just as an FYI, this was a machine-learning detection.

I was referring to Dharma/Crysis... What good does mentioning it more than 3 years later achieve? You should have brought it up years ago, something could be done about the issue but instead you've kept quiet about it and prolonged the attack so it would cause more damage and justify targeting our project.... We could have done something if you bothered to reach out and let us know earlier! 

 

There are also more detections from your ratio calculator or "machine learning" targeting our binaries: 

Malware.AI.1270165517 - c72e05dfbc0174f3b1fa983bf762b2c96d6266d357fdb17ffefcffb62dfb4476

Malware.AI.1270165517 - d7ca3e108125007b5b1333e79f1861a4d2b8402f0a23946fc38ae9e99483c58d

Malware.AI.1270165517 - 0e190f3ea95e7b3fc64bf55bb91798398f963247278b7902134bf2a21d29e227

 

 

17 minutes ago, miekiemoes said:

We are only detecting this since recently because of our machine-learning engine that we have implemented. A plethora of other antivirus products have been detecting this for years already (and still do).

"A plethora of other antivirus products have been detecting"

What does that even mean exactly? You already stated "Malwarebytes does not detect Process Hacker as malicious or potentially unwanted."? I will gladly share the conversations with other vendors such as Avast, who demanded a backdoor in our kernel driver - which we refused, so we remain blocked by Avast - and Sophos, who blame me for every Windows RDP attack, for which we demanded evidence despite the company never responding... I also have emails from Microsoft employees committing fraud which you're guaranteed to know about within the next few weeks.

You need to stop deflecting the issue and start being honest otherwise you'll be included in our antitrust complaint similar to the existing case with Enigma Software.

 

"We are only detecting this since recently because of our machinelearning engine that we have implemented."

There are currently 967 nightly builds - more than enough samples to train your ratio calculator or "machine learning"... There really aren't any excuses here for constantly declaring our binaries as malicious when no such thing exists. Stop with the deflections about ML and mentioning other vendors, which have no bearing on issues with false positives by Malwarebytes... It should be a simple issue to resolve.

  • 4 weeks later...

Hello,

Multiple false positives for Process Hacker:

2021-02-28 - Malware.AI.3287349589 - 6e78b4352c742b17a4e4b5c2fd6f3677617e26b2af48ac0f727ecbe668ea2734

2021-02-28 - Malware.AI.3287349589 - 1e050dc254921a92d10008056e39b67dd00568169ce0d0cd24df28d7aeadef46 

2021-02-28 - Malware.AI.3287349589 - 0dea8a0764a4dc5ae1c9ebea33fa477ed50110bc3d1e4ff64c4557aca6b16cce

2021-03-01 - Malware.AI.3287349589 - 2a9e40335bbe292d69670903f2f3efe2f82fa6391c7a00756bb33c0f350c7554

2021-03-01 - Malware.AI.3287349589 - 73f0bb6c234cc9a0dbb7fefdbccf196f170ef2b96de70e184dbf3378ba90401a

2021-03-15 - Malware.AI.3287349589 - 06d6f0ba5d949d29f556cee8819482ce53b0e7857f4d2a262db11d73e96697ab

2021-03-16 - Malware.AI.3287349589 - a02380d37c29045a73c0dd2274a9b4954b75138441ccdf62519c09961dcfd0d7

2021-03-20 - Malware.AI.3287349589 - 0460457767e5577dbf1d828cdf8f5e54f55c7628f8604073ce6488745b1a65f7

 

Whitelisting is being ignored and overridden... This is also breaking CTRL+ALT+DEL for users, since the IFEO keys are being left behind but the executable is deleted by Malwarebytes. The kernel driver, plugins and \x86\processhacker.exe are also being left behind, but since the uninstaller is deleted users have to manually remove these files and/or reinstall then uninstall, which is not optimal and is leaving users confused... I've already had users complain about this in GH #822 where they thought we hadn't provided an uninstaller but it was in fact deleted.


 

Labelling binaries "Malware" which contain no actual malware is misleading and "unconscionable conduct" per the ACL regulation... I'm going to file a complaint with the regulator if this continues. Breaking CTRL+ALT+DEL for users is another major issue that Malwarebytes needs to resolve as well.

Please improve this behaviour, messaging and labelling.

  • Staff

I have whitelisted all the files in the install itself, 32-bit and 64-bit. I also marked the files as good in our AI subsystem.

Some tips to help us prevent this: digitally signing the files goes a long way. Also, filling out the version info tab of files. I could do more predictive whitelisting for future versions if either was in place on the files.

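The two properties mentioned in the reply above, the Authenticode signature and the version info resource, are what a vendor's whitelisting can key on, so it is worth being able to audit a build for them before publishing. The script below is an added example written for this thread; it is not Process Hacker's or Malwarebytes' code, the folder path in the usage line is a placeholder, and the list of version fields it treats as required is an assumption rather than any vendor's documented requirement. It also records the SHA-256 of each file so a row can be matched against the hashes quoted in this thread and on VirusTotal.

```powershell
# Added example (not Malwarebytes' or Process Hacker's code): summarise, for every
# PE file under a folder, the Authenticode signature status and the VERSIONINFO
# resource, plus the SHA-256 for cross-referencing with VirusTotal.
function Get-BinaryTrustSummary {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Version fields to check for; an assumed list, not a vendor requirement.
        [string[]]$RequiredVersionFields = @('CompanyName', 'ProductName', 'FileDescription', 'FileVersion')
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            $file = $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            $vi   = $file.VersionInfo
            # Any required field that is empty in the resource is reported by name.
            $missing = $RequiredVersionFields | Where-Object { [string]::IsNullOrWhiteSpace($vi.$_) }

            [pscustomobject]@{
                File                 = $file.FullName
                Sha256               = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                SignatureStatus      = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer               = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                MissingVersionFields = @($missing) -join ','
            }
        }
}

# Usage: point it at an extracted build (placeholder path) and show only the files
# that are unsigned, have a broken signature, or lack version metadata.
Get-BinaryTrustSummary -Path 'C:\path\to\processhacker-bin' |
    Where-Object { $_.SignatureStatus -ne 'Valid' -or $_.MissingVersionFields } |
    Format-Table File, SignatureStatus, MissingVersionFields -AutoSize
```

Plugin DLLs that deliberately ship without a version resource, as described later in this thread, will show up in the MissingVersionFields column; that is the expected output for them, not an error in the script.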
  • Staff

Do you have an example of the IFEO keys? I am trying to investigate why we broke it, but I can't seem to get the keys to be created here. I also whitelisted the main executables from Malware.AI detections in a broader way that should help prevent future FPs.

 

On 3/21/2021 at 4:13 AM, shadowwar said:

Digitally signing the files goes a long way. Also, filling out the version info tab of files. I could do more predictive whitelisting for future versions if either was in place on the files.

 

Digital signing would be ideal, but we're currently blocked/banned from the developer dashboard by Microsoft after they changed the attestation signing policy excluding individuals from code signing... I did set up a company, but I still can't validate the certificates with Microsoft for code signing, for some reason they refuse to explain:

https://abr.business.gov.au/ABN/View?abn=44125908339

 

I've been trying to sign the binaries for years:

6/26/2015

10/11/2017

12/22/2017

1/14/2018

5/14/2018

10/25/2018

5/17/2019

10/21/2020

 

The Microsoft support team just says "This issue surpasses our support" and immediately closes the tickets, so we haven't been able to sign our code, and I've wasted a fair amount of time and money on that already... I'm going to be filing some cases against Microsoft for this because we need to sign our code and their policy is anticompetitive.

 

On 3/21/2021 at 4:13 AM, shadowwar said:

Also filling out the version info tab of files.

The versioninfo is configured for the executables but was removed from the plugin DLLs after an anticheat product released a debug driver hard-coding the versioninfo strings and blocking PH from loading plugins... Malwarebytes hasn't deleted the plugins only the executables. The plugins should be ok for now without versioninfo? I will be adding updated versioninfo for the plugins later this year when it's more likely users have an updated anticheat driver.

 

On 3/23/2021 at 1:42 AM, shadowwar said:

Do you have an example of the IFEO keys? I am trying to investigate why we broke it, but I can't seem to get the keys to be created here.

The nightly builds have a button on the Options window for configuring the default Task Manager:

https://processhacker.sourceforge.io/nightly.php

Microsoft should honestly provide a mechanism for users to change the default. They've already been fined $1.3bn for preventing users from changing the default web browser and not having options to change the default task manager should have been included a long time ago.

 

On 3/23/2021 at 1:42 AM, shadowwar said:

I am trying to investigate why we broke it

Malwarebytes deleted the main executable (processhacker.exe); however, it never removed the IFEO key for taskmgr.exe used to override the default task manager and launch processhacker.exe. If that key still exists when the executable is deleted, you can't launch the task manager via CTRL+ALT+DEL, via right-clicking the taskbar, or via anything else that attempts to launch taskmgr.exe while that key still exists.

It's a super rare case that everyone forgets about because of how task managers are currently forced to change the default task manager... I would argue Malwarebytes should delete any IFEO key that is linked to any executable that is removed so there are no residual artefacts left over after the binary gets deleted.

 

On 3/23/2021 at 1:42 AM, shadowwar said:

I also whitelisted the main executables from Malware.AI detections in a broader way that should help prevent future FPs.

 

This is very much appreciated. Thank you! <3

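The failure mode described in the post above (the Debugger redirect under Image File Execution Options outlives the executable it points at, so every attempt to start taskmgr.exe fails) is easy to check for from an administrative PowerShell session. The script below is an added example written for this thread, not code from Process Hacker or Malwarebytes; it assumes only the standard IFEO key location and the documented REG_SZ "Debugger" value, and it reports every redirect whose target is missing, with an opt-in switch to remove the dangling value that honours -WhatIf.

```powershell
# Added example (not code from Process Hacker or Malwarebytes): list every IFEO
# "Debugger" redirect whose target program no longer exists. A dangling entry is
# what leaves taskmgr.exe unlaunchable after the redirect target has been deleted
# but the registry key left behind.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerTarget {
    # The Debugger value is a command line. Take the quoted program token if the
    # value starts with a quote, otherwise the first whitespace-delimited token.
    param([Parameter(Mandatory)][string]$Debugger)
    $d = $Debugger.Trim()
    if ($d.StartsWith('"')) {
        $end = $d.IndexOf('"', 1)
        if ($end -gt 1) { return $d.Substring(1, $end - 1) }
        return $d.Trim('"')
    }
    return ($d -split '\s+', 2)[0]
}

function Test-IfeoTargetExists {
    # Rooted paths are checked on disk; bare names (the classic "ntsd -d" style
    # value) are resolved through PATH so they are not misreported as dangling.
    param([Parameter(Mandatory)][string]$Target)
    if ([System.IO.Path]::IsPathRooted($Target)) {
        return (Test-Path -LiteralPath $Target -PathType Leaf)
    }
    return [bool](Get-Command -Name $Target -CommandType Application -ErrorAction SilentlyContinue)
}

function Find-DanglingIfeoDebugger {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # When set, the Debugger value of each dangling entry is deleted; this
        # honours -WhatIf/-Confirm. Writing under HKLM requires an elevated shell.
        [switch]$Remove
    )

    foreach ($key in Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue) {
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        $target = Get-IfeoDebuggerTarget -Debugger $debugger
        $exists = Test-IfeoTargetExists -Target $target

        # One row per redirect, whether or not the target is present.
        [pscustomobject]@{
            Image        = $key.PSChildName   # e.g. taskmgr.exe
            Debugger     = $debugger
            Target       = $target
            TargetExists = $exists
        }

        if ($Remove -and -not $exists -and
            $PSCmdlet.ShouldProcess($key.PSChildName, 'Remove dangling IFEO Debugger value')) {
            Remove-ItemProperty -Path $key.PSPath -Name Debugger
        }
    }
}

# Usage: report all redirects, then dry-run removal of the ones whose target is gone.
Find-DanglingIfeoDebugger | Format-Table -AutoSize
Find-DanglingIfeoDebugger -Remove -WhatIf
```

Only the Debugger value is removed, not the whole subkey, because other IFEO values under the same image name (for example GlobalFlag settings) may be legitimate and unrelated to the deleted program. Running the report without -Remove is safe from a non-elevated shell.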
  • Root Admin
34 minutes ago, dmex said:

I'm going to be filing some cases against Microsoft for this because we need to sign our code and their policy is anticompetitive.

 

👍👏👏👏

I feel for you and empathize with your journey.

On a personal level, I think you make a good program.

 

  • Staff

I understand about being a target for malware and version info. We had it multiple times with the rootkit product.

We tested the IFEO keys here and they all got removed when detected. Do you have the mbamservice.log from the detection, as we are unable to duplicate it here?

