
Process Hacker 2.39 False Positive


RandomRecursion


  • Staff

This is a valid detection. We've decided to start detecting Process Hacker because it's abused by malware and especially by ransomware. If you added Process Hacker yourself and do not wish to see the detection, please add it to your allow list.

Please read Exclude detections in Malwarebytes for Windows if you need assistance on how to add programs to the allow list.

Thanks for reporting.


Thank you, I will do so.

For the benefit of anyone else who runs into this detection, you may want to update the blog article on Process Hacker, as it currently indicates that Malwarebytes does not detect it (the first note at the very end of the article). The link is https://blog.malwarebytes.com/101/how-tos/2018/11/advanced-tools-process-hacker/.


  • Root Admin

It's a blog post from three years ago. I'm sorry, but no one goes back and edits documents that are ancient. It becomes rather obvious to most users that something posted three years ago is highly unlikely to be relevant today, but thank you for your feedback.

Cheers


8 hours ago, cli said:

This is a valid detection. We've decided to start detecting Process Hacker because it's abused by malware and especially by ransomware. If you added Process Hacker yourself and do not wish to see the detection, please add it to your allow list.

Please read Exclude detections in Malwarebytes for Windows if you need assistance on how to add programs to the allow list.

Thanks for reporting.

How is 'Process Hacker' more dangerous than Sysinternals' Process Explorer, or Task Manager, or any of the hundreds of other process management tools out there? When is it abused by ransomware? Just because something perfectly legit is being abused by malware doesn't mean it should be outright blocked (and deleted). I often use Malwarebytes on VMs, which are reset every time, so adding it to the allowlist doesn't really work.

At least provide some explanation in the prompt that it isn't malware, just abused. I know what riskware is, but a lot of people don't (though they probably aren't downloading Process Hacker).


7 hours ago, AdvancedSetup said:

It's a blog post from three years ago. I'm sorry, but no one goes back and edits documents that are ancient. It becomes rather obvious to most users that something posted three years ago is highly unlikely to be relevant today, but thank you for your feedback.

Cheers

Howdy,

You said the opposite a few months ago. What's changed?

11 hours ago, cli said:

This is a valid detection. We've decided to start detecting Process Hacker because it's abused by malware and especially by ransomware. If you added Process Hacker yourself and do not wish to see the detection, please add it to your allow list.

Please read Exclude detections in Malwarebytes for Windows if you need assistance on how to add programs to the allow list.

Thanks for reporting.

How is Process Hacker being abused and why haven't you shared that information with the project developers?

https://github.com/processhacker/processhacker/security/policy

AV companies should be working with the industry. How are we going to fix security issues when you keep them a secret?

Steven

PH developer


  • Staff

ProcessHacker is used in targeted attacks on companies more lately, used manually, not packaged with mass-malware. It's true it's not malicious, but when abused by malware it becomes riskware. Based on shifts in the threat landscape we sometimes have to change our minds to protect our users against shifts in the threat landscape. If attackers switch to using alternatives to ProcessHacker, we might have to evaluate adding some form of detection for those as well. Likewise, if they stop using it, we can also remove the detection in the future.

For those of you who use it, which I understand completely as I've used it extensively myself in the past, adding an exclusion for the path where ProcessHacker resides should be fairly straightforward.


  • Root Admin

3 hours ago, dmex said:

Howdy,

You said the opposite a few months ago. What's changed?

No, nothing has changed for me. I said the following:

Quote:

I feel for you and empathize with your journey.

On a personal level, I think you make a good program.

I do like your program. Above I simply said/meant that no one on any website or business site I've seen goes back and edits ancient documents.


8 minutes ago, sp123 said:

I understand, it just means that malware can hide in that location.

Malwarebytes is not just hide in your folder that was created for process hacker. But if it uses the installed version, it can take advantage of it.


  • Root Admin

Download the Portable version. Extract the files to a new folder of your choosing. In my example I created a C:\ProcessHacker folder.
Then right-click and select to have Malwarebytes scan the folder.

It should detect the two executable files as shown below.

[screenshot: scan results showing the two detections]

Simply uncheck both detections and click Next.

[screenshot: both detections unchecked]

Set to Always ignore.

[screenshot: Always ignore selected]

Those two files will be put into the Allow List and not be detected again on future scans.

[screenshot: Allow List entries]

A new scan shows the files are no longer detected.

[screenshot: clean scan result]

And there is the program running without issue now.

[screenshot: Process Hacker running]

The complaint that ProcessHacker is riskware, inasmuch as malware can use it to do naughty things, strikes me as disingenuous bordering on a dissembling lie. By that simple definition almost anything on the computer that can shut down a program is riskware. Singling out ProcessHacker, as well as not working with the PH authors to mitigate trouble, suggests something more nefarious is afoot and directed specifically at ProcessHacker. Bad form leading to distrust.


Idea: What if MBAM didn't block Process Hacker when it is named something like ProcessHacker.exe but blocked it otherwise? It's simple to use a RegExp to test.

Legit users are unlikely to rename it to something totally random, while attackers aren't just going to leave it as ProcessHacker.exe. Win, win!

It would be very simple.
