winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

Symantec Protection identifies Process Hacker as a risk #388

Closed nephewtom closed 5 years ago

nephewtom commented 5 years ago

Well, I know Process Hacker can not do anything with this... But I wanted to inform about this issue. Unfortunately the laptop where it is happening is from my company. So for the moment I can not prevent Symantec from removing Process Hacker, which is a hassle.

symantec-ph1 symantec-ph2

I also found this online: https://www.symantec.com/security-center/writeup/2019-010717-0848-99?om_rssid=sr-mixed30days

stdedos commented 5 years ago

Can you somehow (ask to) update its signatures?

You can also see related things at https://github.com/processhacker/processhacker/issues/356, but the virustotal signatures I have (just) checked show that Symantec "Update 20190311" does not mark it as harmful.

nephewtom commented 5 years ago

This is what the supporting team is telling me:

This detection is not false and the same will not be excluded as this is a risk for the environment.

Such tools like this mentioned by the user can be used for Injecting, Hooking to legit processes and this is a risk. Please advise the user to use another process tool.

please refer to the KB from Symantec.

https://www.symantec.com/security-center/writeup/2019-010717-0848-99

How can I prove to them that Symantec "Update 20190311" does not mark Process Hacker as harmful?

stdedos commented 5 years ago

This is what the supporting team is telling me

Support team of your "company environment"? Tell them that Task Manager is also a potential security risk (sorry, couldn't resist the sarcasm).

How can I prove to them that Symantec "Update 20190311" does not mark Process Hacker as harmful?

  • Show them the link? .. and
  • Can you somehow (ask to) update its signatures?

nephewtom commented 5 years ago

Support team of your "company environment"? Tell them that Task Manager is also a potential security risk (sorry, couldn't resist the sarcasm).

Ha, ha, ha, nice joke! Yes, my company environment, indeed!

How can I prove to them that Symantec "Update 20190311" does not mark Process Hacker as harmful?

  • Show them the link? .. and
  • Can you somehow (ask to) update its signatures?

Which link? The virustotal one found on #356 ? I am confused...

nephewtom commented 5 years ago

Ok, I provided virustotal link. Let's see what they say...

zzColin commented 5 years ago

TrendMicro OfficeScan that is required to be installed on my office computer reported the installer of PH as PUA.Win32.ProcHack.A about 6 days ago, and it reported the KProcessHacker driver as PUA.Win32.ProcHack.B today. This information might help.

(Sadly, OfficeScan in my corporate environment is technically prevented from being turned off or being uninstalled, and it is set to remove everything it suspects and this behaviour cannot be changed.)

stdedos commented 5 years ago

@zzColin I assume same as everyone else. If you, also, check the link above, the setup is being treated as trojan installer.

Hopefully @dmex can work his magic here too 😄. Hopefully not on a one-to-one basis.

stdedos commented 5 years ago

@zzColin I assume, the same as the OP. If you check the VirusTotal link, however, TrendMicro is treating the installer as TROJ_GEN.R03FC0OC419 i.e. (IMHO) Heuristically Trojan. It is a rather more explicit classification than #356's (i.e. malware on the installer, clear executable); we don't know if the OP's Symantec is catching the installer - VirusTotal is saying no.

However, if you check TrendMicro's definition for PH, it is "really dedicated and explicit": PUA.Win32.ProcHack.A:

I also just noted that Symantec is also explicitly marking PH as a hacking tool. Maybe Symantec (like Avast!) could agree that PH, without Terminator and the Kernel Driver, is "harmless", but there's no saying how or why PH was marked as a PUA on TrendMicro. PH is a HackTool as "enough other programs", but PUA? It is a much more generic term.


@dmex this might "somehow" interest you: On the latest PH executable, someone (some-bot?) marked something regarding its detection status: https://www.virustotal.com/#/file/4ff1194547430bf84ea7bb9cec896e8bce1ab3dfdb0138e4942fa80ec91e2165/community

nephewtom commented 5 years ago

Hi there! This is the response I got from the support team:

Hello Team,

User can manually update SEP client by clicking on LiveUpdate button on the left on main SEP window. But this will not be necessary because client checks (by policy) for new updates once per 2 or 4 hours - depends on location - office/internet. Although his machine is already running with latest definitions. We can't trust information provided by third party products such as virustotal. Official statement from Symantec as vendor of SEP products was already provided by my colleague in previous update. This info was updated on 7th of Jan this year. At this stage we can't whitelist this product.

Thanks.

Which is unfortunate...

Dobatymo commented 5 years ago

I was told by trend micro that processhacker was recently bundled with some malware. That's why it's detected now.

stdedos commented 5 years ago

Define recently and some malware.

Terminator and kernel driver have had bad mojo from multiple companies (e.g. anti-cheat, anti-virus), but it is not "malicious" per se (a metaphor would be that Terminator is like a really sharp knife - you can cook with it, or kill people).

Things also related to the security of the program: https://github.com/processhacker/processhacker/issues/268, https://github.com/processhacker/processhacker/issues/356#issuecomment-454740479

Dobatymo commented 5 years ago

@stdedos sorry, that's all the information I got. They didn't elaborate.

nephewtom commented 5 years ago

Hi again! The IT team is pointing me to this link:

https://www.symantec.com/security-center/writeup/2019-010717-0848-99

Do you know if there is an update of that in Symatec web site?

stdedos commented 5 years ago

@tomasorti: such as injecting [...] processes: that could be a fair assessment; however, @dmex could answer authoritatively on this.

such as [...] ending processes: So can Task Manager (hence my tantrum above https://github.com/processhacker/processhacker/issues/388#issuecomment-472324529). AFAIK, I don't think that PH can do "more" than Task Manager, on a given privilege level, without the Terminator / Kernel Driver --> I don't think PH is worth the notoriety at this time.

Good luck convincing others though.

zzColin commented 5 years ago

New reports from TrendMicro OfficeScan today (definition version 14.909.71):

PE Viewer (peview.exe) -> PUA.Win64.ProcHack.B.component
main executable (ProcessHacker.exe) -> PUA.Win64.ProcHack.C and PUA.Win32.ProcHack.C

This effectively rendered PH totally unusable now, as our IT department sets OfficeScan to remove everything it detects without confirmation and deliberately locked its settings.

Sigh.

stdedos commented 5 years ago

It's my turn now :smiley:

BitDefender Endpoint Security Tools (Product version: 6.69.134, Engines Version: 7.80239 [12798612]):

On-Access scanning has detected a threat. Access to the file has been denied.
C:\Users\user\AppData\Local\Temp\2\947422a5-7a9a-4a37-8223-716e2872301a.tmp is malware of type Application.ProcessHacker.1

However, I think in my case, it just wipes the kernel driver (which, I would say, it's not a bad silver lining). It still blocks automatic updates though :confused:

nephewtom commented 5 years ago

With definitions on Symantec updated to the following dates:

image

Process Hacker is still considered a risk...

image

:disappointed:

dmex commented 5 years ago

such as injecting [...] processes: that could be a fair assessment; however, @dmex could answer authoritatively on this.

That feature is blocked by the ObRegisterCallbacks kernel API.

such as [...] ending processes: So can Task Manager.

Termination is also blocked by the ObRegisterCallbacks kernel API at low and medium (user) integrity.

The one and only exception is when the user is running with high integrity (System/Administrator) and calling ZwTerminateProcess from kernel mode.

Good luck convincing others though.

Stupid is as stupid does. Anyone can review the Process Hacker source-code here on Github and it's clearly not malicious.

I talked with the MSRC (Microsoft Security Response Center) and they were not able to find any security issues with our source-code so why are these other companies claiming Process Hacker is malicious?

image

New reports from TrendMicro OfficeScan today (definition version 14.909.71):

TrendMicro? They were sending thousands of malformed requests to wj32.org between 2016-02-02 and 2018-05-23: https://i.imgur.com/pgsQSNo.png

PE Viewer (peview.exe) -> PUA.Win64.ProcHack.B.component

How can anyone seriously consider peview.exe malicious? notepad.exe has more functionality than peview.exe does 😦

stdedos commented 5 years ago

I talked with the MSRC (Microsoft Security Response Center) and they were not able to find any security issues with our source-code so why are these other companies claiming Process Hacker is malicious?

If only there was some standard way of "pleading your case" against the vendors and/or use that as some leverage at some point.

I am not familiar with any other vendor, but Avast! for the last x years doesn't give you a way to "ignore" a detection. Neither does it bother to explicitly detect PH, so that wouldn't be feasible at any level.

nanoant commented 5 years ago

Same thing happened to me today. I use PH to monitor what is happening on my computer everyday. I fire up my machine today, and poof Symantec swallows my PH claiming it is Hacktool.ProcHack!g1.

This is really both hilarious and sad - It is like removing all knives from the cook's kitchen so the cook cannot hurt him/herself.

nanoant commented 5 years ago

FYI I have just built PH from sources, and it is working fine without alerting "the beast" 😉

Coruscate5 commented 5 years ago

I'm basically in the same boat - our Sec team is a bit more knowledgeable so they are fine with me recompiling from source, but I can't seem to get the kernel driver to load properly.

Whenever I run as admin (which is, of course, a separate account than the local user), PH complains that the kernel mode signature couldn't load (either the production kprocesshacker.sys, or one I signed myself) with:

"Unable to verify the kernel driver signature."

Then either a detailed message saying "Object Name not Found" or "The cryptographic signature is invalid"

Any ideas/luck for anyone else?

I've tried all sorts of signatures but I'm not a driver dev unfortunately, so I'm sure I'm missing something simple. I can open a new issue I just figured this group might've gotten through this already

nephewtom commented 5 years ago

FYI I have just built PH from sources, and it is working fine without alerting "the beast" 😉

Really? If that is the case, I can consider building it. I am currently pretty busy, but Easter is coming, so I will have time to do it. I hope it is not as time consuming as building ccls, which builds Clang+LLVM, and takes too loooong...

Coruscate5 commented 5 years ago

I'm not smart enough to quickly figure out why KPHVerifyClient fails the signature check, so I just disabled the check (since kprocesshacker.sys seems to be properly signed anyway by certs that I made, for both SHA1 and SHA256).

Seems to be working fine for my purposes

stdedos commented 5 years ago

Well, probably the reason you fail detection is because you have a different build environment and you probably cannot sign it as "official" (as PH is not doing anything wrong, https://github.com/processhacker/processhacker/issues/388#issuecomment-480463694)

Not an expert in AV detection, but I guess PUPs are detected "hard-coded", not signature/heuristically-based

nanoant commented 5 years ago

@stdedos That is my impression too, and happily thanks to that I am still able to use PH to monitor my system, e.g. to see if there is something really suspicious going on or whatever garbage useless software is sucking my resources.

I am really amazed by the fact that PH is considered as a threat by different "authorities". Maybe because it has "hacker" in the name 🤦‍♂️

nephewtom commented 5 years ago

I am really amazed by the fact that PH is considered as a threat by different "authorities". Maybe because it has "hacker" in the name 🤦‍♂️

That is what a friend of mine pointed out... that Symantec could identify it as a risk because of that... If that is the case... It is terribly hilarious and stupid!

stdedos commented 5 years ago

^^ see also https://github.com/processhacker/processhacker/issues/388#issuecomment-477989752

dmex commented 5 years ago

It is terribly hilarious and stupid!

You won't get reliable answers from those companies about why they're targeting Process Hacker - I've tried and not one vendor has given the development team any sort of actual answer.... The hilarious thing about this is that literally nobody is buying their bullshit... Here's a graph based on Windows telemetry:

image

The red text shows when vendors have started targeting Process Hacker... I don't think anyone is buying into the bullshit from so called 'security' vendors claiming Process Hacker is malicious.

The project is open source and anyone can verify the source code and not one person has been able to show how Process Hacker is malicious... I've tried talking to a dozen security companies in the last year about Process Hacker and not even one company has been able to give me even the slightest information showing how Process Hacker could be abused or was malicious.

The MSRC (Microsoft Security Response Center) says there are no issues (https://i.imgur.com/TJnGws6.png) so I don't really care what some 3rd party vendor says (without at least some evidence which not one vendor has provided to date)...

The security industry is a complete joke and the things they're doing just prove they're a joke.

Biswa96 commented 5 years ago

Just curious, where did you get the first graph?

dmex commented 5 years ago

where did you get the first graph?

Windows telemetry for weekly execution statistics.

nephewtom commented 5 years ago

FYI I have just built PH from sources, and it is working fine without alerting "the beast" 😉

By the way, about a month ago I tried to build from master and from tag v2.39 and it did not work well. If I recall well, master did crash, and in v2.39 I do not see the Search text box.

Where should I build it from for a stable release with Search text box?

dmex commented 5 years ago

Where should I build it from for a stable release with Search text box?

You need to build Plugins.sln

dmex commented 5 years ago

@stdedos

Well, probably the reason you fail detection is because you have a different build environment and you probably cannot sign it as "official" Not an expert in AV detection, but I guess PUPs are detected "hard-coded", not signature/heuristically-based

You can use vmprotect (https://vmpsoft.com/) and integrate it into the build process as a post-build event invoking the vmprotect commandline to build binaries that are extremely hard for vendors to create signatures for.

JakeSays commented 5 years ago

Just thought I'd mention that Windows Defender now flags the nightly installer and zip file as trojans.

Here's what I'm seeing from the installer after downloading:

image

And from the zip file: image

WiliTest commented 4 years ago

The MSRC (Microsoft Security Response Center) says there are no issues

actually windows 10 (1909) just flagged it as a threat (maybe because I used today the feature "I/O priority" & "priority" to set an app on "high" to speed it ― though, I've no idea of the difference between both).

dmex commented 4 years ago

@WiliTest

Its flagging the driver included with v2.39 but not the exact same driver included with the nightly builds: https://wj32.org/processhacker/nightly.php

WiliTest commented 4 years ago

@dmex windows (edge chromium) still doesn't like it (even after retrying)

Edit:

Tell me something I don't know (like what the security issue actually is so I fix the code).

Sorry, I understand how frustrating that should be. If you tell me how to do, I'll do it.

dmex commented 4 years ago

@WiliTest

Tell me something I don't know (like what the security issue actually is so I fix the code).

nanoant commented 4 years ago

@WiliTest Tell me something I don't know (like what the security issue actually is so I fix the code).

@dmex Security issue is in the application title. Being both unserious and serious. No point to get upset or fight the ppl that judge the app on its name. And honestly, what do you expect if you name the app Process Hacker? It’s like calling the company Kid Kidnappers and being surprised that police shows up at your door at some point. I’d rename the app to something like Process Analyzer and put also a clear statement on the website that the app is not malicious, which can be easily verified by reading its sources. If after that the app remains blacklisted, I’d send a polite notice to blacklisters to include also SysInternals ProcExplorer since it poses the same threat to the users. Also, why is this issue closed if the issue still exists?

stdedos commented 4 years ago

@dmex Security issue is in the application title. Being both unserious and serious. No point to get upset or fight the ppl that judge the app on its name. And honestly, what do you expect if you name the app Process Hacker? It’s like calling the company Kid Kidnappers and being surprised that police shows up at your door at some point.

If "a serious security application's" heuristics are based on a dictionary of bad words .... Well.

If after that the app remains blacklisted, I’d send polite notice to blacklisters to include also SysInternals ProcExplorer since it poses same threat to the users.

He has already, and he is being one way or another ignored. Or, more explicitly, he claims he has done so and he is not given a clear response (https://github.com/processhacker/processhacker/issues/388#issuecomment-509000372), and I don't see much reason "not to believe him". YMMV

At the very least, Microsoft has responded https://github.com/processhacker/processhacker/issues/388#issuecomment-480463694 and I would guess we will try to escalate it again for Edge Chromium.

Also, why is this issue closed if the issue still exists?

Well ... there is always the debate: What to do with an issue that somebody cannot possibly solve, and depends on external factors that "don't come around".

I don't think that he wouldn't try to fix a known issue, if the issue has a somehow specific root cause and not vaguely defined (https://github.com/processhacker/processhacker/issues/388#issuecomment-558563256). He has also removed some functionality (Terminator and something else) to not be hated by someone's anti-cheating mechanisms (Steam, Valve, ... someone else? I don't remember exactly)

antoinebj commented 4 years ago

IMHO, the reasons not to close the issue are:

  1. The issue still exists.
  2. To make it visible so as to avoid other people opening a similar issue.
  3. To not give the initial impression to people who find this issue that there might be a workaround or solution and have to read through the replies hoping to find it.

I think this is a huge issue that can destroy the user base of this tool. I would think that if you want to make it live, you would try everything, including renaming the tool to avert bias from employees of antivirus editors. Don't think they're all geniuses. I also had apprehensions running something called Process Hacker, and recommending it to others.

mrsshr commented 4 years ago

I think it was flagged because the attacker killed the antivirus suite using the ProcessHacker command line + KProcessHacker. like volatility, nc.exe, etc

Powerful signed kernel driver tools can be exploited by attackers.

Process Hacker can kill any process (even protected) with:

ProcessHacker.exe -c -ctype process -cobject <PID> -caction terminate

It will not be excluded from the security threat until Process Hacker removes the feature.
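The command line quoted above is the kind of artefact a detection engineer would key on. As an added example (not code from the thread or from the Process Hacker project), the following scans constructed process-creation and driver-load events for the Process Hacker CLI terminate action and for a KProcessHacker driver load, and escalates when both appear together. Event field names and all sample values are assumptions, loosely modelled on Sysmon, not its exact schema.

```python
"""Toy detection logic for the two Process Hacker behaviours discussed in the thread:
   1. ProcessHacker.exe -c -ctype process -cobject <PID> -caction terminate
   2. loading of the kprocesshacker.sys kernel driver
Added example; event schema and sample data are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events. EventID 1 ~ process create, EventID 6 ~ driver load.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "Image": r"C:\Tools\ProcessHacker.exe", "User": "CORP\\jdoe",
     "CommandLine": "ProcessHacker.exe -c -ctype process -cobject 4312 -caction terminate"},
    {"EventID": 1, "Image": r"C:\Tools\ProcessHacker.exe", "User": "CORP\\jdoe",
     "CommandLine": "ProcessHacker.exe -v"},
    {"EventID": 6, "ImageLoaded": r"C:\Tools\kprocesshacker.sys",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskmgr.exe", "User": "CORP\\jdoe",
     "CommandLine": "taskmgr.exe /0"},
]

# Matches the CLI form quoted in the thread; the object argument is captured.
TERMINATE_RE = re.compile(
    r"-ctype\s+process\s+-cobject\s+(\S+)\s+-caction\s+terminate", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict) -> List[Finding]:
    """Return the findings raised by one event (empty list if benign)."""
    findings: List[Finding] = []
    if ev.get("EventID") == 1:
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        match = TERMINATE_RE.search(cmd)
        if image == "processhacker.exe" and match:
            findings.append(Finding(
                "ph_cli_terminate", "high",
                f"{ev.get('User')} used the Process Hacker CLI to terminate {match.group(1)}"))
        elif image == "processhacker.exe":
            # Plain launches are noteworthy in an enterprise but not alarming on their own.
            findings.append(Finding("ph_launch", "info", f"{ev.get('User')} started {image}"))
    elif ev.get("EventID") == 6:
        if _basename(ev.get("ImageLoaded", "")) == "kprocesshacker.sys":
            findings.append(Finding(
                "kph_driver_load", "medium",
                f"KProcessHacker driver loaded from {ev.get('ImageLoaded')}"))
    return findings


def scan(events: List[Dict]) -> List[Finding]:
    """Run check_event over every event, preserving order."""
    return [f for ev in events for f in check_event(ev)]


def summarize(events: List[Dict]) -> Dict:
    """Count findings per rule and escalate when the driver and a CLI kill both appear,
    which is the combination the thread describes as killing security software."""
    findings = scan(events)
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    escalate = "kph_driver_load" in counts and "ph_cli_terminate" in counts
    return {"counts": counts, "escalate": escalate, "findings": findings}


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] {finding.rule}: {finding.detail}")
    print("escalate:", summarize(SAMPLE_EVENTS)["escalate"])
```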

mrsshr commented 4 years ago

Most enterprise users do not use Process Hacker. It can also be seen as a risk in an enterprise environment.

If you don't need the functionality of KProcessHacker, use Process Explorer instead. Most of the functionality is similar, except KProcessHacker functionality.

speedwaystar commented 4 years ago

Windows Virus & Threat Protection seem to have recently escalated their stance against Process Hacker. Today it quarantined Process Hacker out of the blue, which has been running on my machine for several years without complaint:

SecurityAura commented 4 years ago

Regarding Windows Defender, I can confirm this behavior here as well. Out of nowhere, on November 25th, it started quarantining Process Hacker 2 files and Registry items on my systems. And the HackTool:Win64/ProcHack page was last updated on November 25th on Microsoft's website.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win64/ProcHack&threatId=-2147221926

dmex commented 4 years ago

@nanoant

A big part of being an adult is putting together information and discussing the facts but too often these days people are not using the facts to form an opinion and instead use their opinion as fact. It's hard to have an adult conversation with other people who have all the facts when you just contribute your uninformed opinion.

He has already, and he is being one way or another ignored. Or, more explicitly, he claims he has done so and he is not given a clear response

You or anyone else can ask them for information and you won't get a clear answer either just buzz words with zero steps/instructions/source or other facts.

what do you expect if you name the app Process Hacker? It’s like calling the company Kid Kidnappers and being surprised that police shows up at your door at some point.

The same legal protection as anyone else? https://abr.business.gov.au/ABN/View?abn=44125908339

Process Hacker is the biggest competitor to Microsofts Process Explorer and the Windows Task Manager.

Microsoft Defender is automatically removing a competitors product from Windows as "Malware" based on the information published here: image

The entire page is complete nonsense. Microsoft provided this response via the WDSI portal:

image

Case closed. You can't reply to these tickets. Process Hacker is officially malware and will be automatically removed from Windows indefinitely as a high risk threat.

Microsoft have also never allowed third party task manager applications on Windows with changes to the Windows API hard-coding taskmgr.exe as the default Task Manager with more recent changes blocking third party task manager applications on Win10 from calling those same API functions.

Microsoft refuse to provide the development team with any information. So I can't make changes to the project that resolve the problem.

You will have to ask Microsoft why the project is malware and publish their response somewhere.

dmex commented 4 years ago

Duplicate https://github.com/processhacker/processhacker/issues/454

nanoant commented 4 years ago

@dmex Take my apologies if I sounded offensive or something. You have my greatest respect for creating PH and for the actions you take to defend and keep it alive.

You are absolutely right that my comment was not based on the facts, but just on subjective experience. But the decisions taken in corporations are not always based on facts, and are made often by people that have their prejudices. My point there (which is not objective) was that "Process Hacker" name can serve them as an argument good enough (for them, and their executives) to put the app on the black-list. The reality might be more complicated though, e.g. if this is true that PH can kill Symantec relatively easily (or other AV engine), then this is something you don't want in corporate world.

Microsoft refuse to provide the development team with any information. So I can't make changes to the project that resolve the problem.

Looking at the snapshots above, wow 🙄 Looks like a great example of discriminative activities - blocking legit software without providing a reasonable explanation. And "Hacktools can be use to patch or run software so it can run without valid license." this is utter bul..it not an explanation. 😞 Maybe having an open petition to stop Microsoft from unjustified discrimination and misusing their privileged position would help? I would sign that.

Just being me, I'd step back a bit, and maybe remove the intrusive features from the driver and ... yes, rename the app. Just to take all the arguments (even most ridiculous) from them. Unless there's some better idea what to do in such situation.

I still sustain my statement that the issue should remain open as long as the problem exists, even if there is no viable solution at all. Even just to limit the amount of duplicate issues, which will be opened anyway as long as there are some people that use PH and care about PH.

stdedos commented 4 years ago

The reality might be more complicated though, e.g. if this is true that PH can kill Symantec relatively easily (or other AV engine), then this is something you don't want in corporate world.

For a fact, I cannot kill my antivirus engine (Avast!). That being said, maybe this is a cat-and-mouse game - i.e I need to "dismantle" the protection, I cannot just go full force at it.

All that being said, I'll paraphrase points raised here: Process Hacker is a collection of tools, code, and orchestration, in order to do "more than just" cute taskmgr.exe.

  1. Knife is a "legal" tool too. That doesn't mean it is a good idea to throw it to people. Nor can you block people cutting their steak
  2. A lot of what it does is based on having Administrative Privileges. e.g., to run a prompt as NT AUTHORITY\SYSTEM, you should have [...] permissions to install services (if the escalation happens comparably to psexec). If you run as normal user and/or block loading the driver, then PH is far from the powerhouse it can be. Note that being an Admin and running as an admin are two separate things since Win7.
  3. Disclaimer, I haven't read the source code, nor do I claim to have any knowledge of Windows APIs. I don't think that PH is abusing the APIs. Even if it did, IMHO it's Microsoft's issue to patch vulnerabilities. If that would be the issue, then they can freely study and patch their code.

Even though [3] would be "worth" blocking, I think it's bad behavior on their end regardless.

I still sustain my statement that the issue should remain open as long as the problem exists, even if there is no viable solution at all. Even just to limit the amount of duplicate issues, which will be opened anyway as long as there are some people that use PH and care about PH.

It's called "pinning the issue", not "keeping the issue open" (unless only open issues can be pinned)