winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

Symantec Protection identifies Process Hacker as a risk #388

Closed nephewtom closed 5 years ago

nephewtom commented 5 years ago

Well, I know Process Hacker can not do anything with this... But I wanted to inform about this issue. Unfortunately the laptop where it is happening is from my company, so for the moment I cannot stop Symantec from removing Process Hacker, which is a hassle.


I also found this online: https://www.symantec.com/security-center/writeup/2019-010717-0848-99?om_rssid=sr-mixed30days

dmex commented 4 years ago

For a fact, I cannot kill my antivirus engine (Avast!).

Avast does this by installing a hypervisor and hooking the SYSENTER/SYSEXIT syscalls for ntdll.dll exports. You could just as easily restart the process considering the antimalware driver doesn't stop executing when the usermode process terminates.

My point there (which is not objective) was that "Process Hacker" name can serve them as an argument good enough (for them, and their executives) to put the app on the black-list.

You can setup policies with your own equipment.

PH can kill Symantec relatively easily (or other AV engine)

You can't disable and terminate an antivirus product by calling the process terminate function for a process and wrongly assuming that termination actually terminates an antivirus product.

The anti-malware driver and anti-malware services continue running and they restart the process after termination by registering for recovery using the Windows API or by using their own service and driver.

Microsoft uses the same documented API for system components. Try terminating winlogon.exe and the process restarts, while terminating wininit.exe bluescreens and restarts the machine; antivirus products have similar functionality.

Just being me, I'd step back a bit, and maybe remove the intrusive features from the driver

This is not supported by facts. Process Hacker is a task manager for Windows using the process manager API for task managers with the exact same API functions as Microsoft's own software and tools since 2008 (11 years).

You can go through every file and all functions are documented on MSDN and used by other task manager software and Microsoft's own software. If the driver or something else was a problem then why not create an issue here? https://github.com/processhacker/processhacker/issues https://github.com/processhacker/processhacker/blob/master/SECURITY.md

nanoant commented 4 years ago

@dmex Okay then, you have valid arguments why PH cannot be used to dismantle AV and I will not try to argue with them. All I have written were just speculations about why anyone would want to tear down PH. I think all that you wrote deserves to be put on the front page and README of this project. I think PH users, including new potential ones that download it and find out that it is marked as a "virus", deserve to know.

I tried to follow the reasoning of HackTool:Win64/ProcHack "Hacktools can be used to patch or "crack" some software so it will run without a valid license or genuine product key.", which can be attributed to any primitive debugger app, not to mention "sophisticated" tools like WinDbg. And this is the only statement of why this is harmful. The rest is complete babble.

Process Hacker is the biggest competitor to Microsofts Process Explorer and the Windows Task Manager. Microsoft Defender is automatically removing a competitors product from Windows as "Malware" based on the information published here: (...)

Competitors? In what sense? I had the impression that you don't need to pay for SysInternals or TaskMan, hence I don't see a clear financial benefit of MS' actions.

If I can, last time (I promise), speculate (not based on facts, but on subjective experience) that PH exposes much more information about the internals of Windows than any other tool, that may be sort of against the corporate trend to sell hardware to consumers so they don't really own it and have absolutely no control and/or knowledge of what's happening on that hardware. And this is advertised as a means of protection, but I'm not sure who is protected in this game.

Btw. FYI if this wasn't already reported - wj32.org is also blocked by corporate firewalls as malicious site 😞


WiliTest commented 4 years ago

Just in case it could help:

(screenshot: 2019-12-05_11-34-06)

(screenshot: 2019-12-05_11-49-08)

EDIT (2019_12_13): Windows has uninstalled Process Hacker (and its shortcuts)

speedwaystar commented 4 years ago

I have no objection (in principle) to Windows Antivirus or Symantec or whoever flagging powerful kernel-level tools which allow advanced users to bypass system security as "potentially unwanted/dangerous," because for the average user, they arguably are. Many game trainers and cracks are so-identified, which is fine, so long as the algorithm doesn't overstep the bounds of reality and claim the software is actively malicious. Falsely identifying PH2 as a trojan, or a rootkit dropper, is quite another thing. I completely understand that virus fingerprinting is a difficult and arcane art that's hard to get reliably right, with polymorphically evolving viruses making it even more difficult, but Microsoft really should have a robust mechanism in place to reverse false positives in cases like this.

On Thu, Dec 5, 2019 at 6:35 PM Miliia notifications@github.com wrote:

Just in case it could help: [image: 2019-12-05_11-34-06] https://user-images.githubusercontent.com/24194840/70227682-4a083e00-1753-11ea-8c03-627a10e35fc4.png


LiamKarlMitchell commented 4 years ago

Well it's not just Microsoft, Bitdefender has been flagging it at work for several weeks... Chrome too now...

To restore it and allow it in the future, at least with Windows Antivirus (Windows 10):

  1. Go to Windows Defender Security Center (can be found in the system tray).
  2. Click Virus & threat protection.
  3. Allowed Threats, see full history.
  4. Select Process Hacker and Allow.
  5. Check Quarantined threats and Restore as needed.

WiliTest commented 4 years ago

@LiamKarlMitchell

"Check Quarantine threats and Restore as needed"

Thanks, it works (the app wasn't uninstalled after all, but "just" quarantined) but, I guess I have already done that a week ago, and it has been quarantined again. (I'll confirm that if it happens again).

dmex commented 4 years ago

Please use the correct topic: https://github.com/processhacker/processhacker/issues/454

Competitors? In what sense?

Task Manager, Process Explorer?

I had the impression that you don't need to pay for SysInternals or TaskMan, hence I don't see a clear financial benefit of MS' actions.

There are many financial and other benefits from eliminating your competition.

One example would be if you consider how there have only been 4 or 5 updates to Task Manager in the last 19 years and how Process Hacker has been in constant development since 2009 with hundreds of updates (and includes so many features and statistics) that it will take significant funding and resources for Microsoft to include similar features in Task Manager. Microsoft probably determined it's a lot cheaper to just publish a webpage with false and misleading information and block anyone from being able to use Process Hacker than innovate and compete fairly by devoting money and resources to Task Manager development.

PH exposes much more information about the internals of Windows than any other tool

Microsoft could easily innovate and include that same information in their own products if they wanted.

Everything you see included with Process Hacker is only possible because Microsoft makes that information or feature available for administrators and developers via the built-in Windows API and Process Hacker literally cannot show or do anything without those APIs.

You need as much information as possible these days to make informed decisions and determine when something is not secure, not setup correctly, malicious etc... More than a few companies have emailed us demands over the years that we remove XYZ features but then refuse to provide any facts that support their case.

that may be sort of against the corporate trend to sell hardware to consumers so they don't really own it and have absolutely no control and/or knowledge of what's happening on that hardware.

This is how the entire antivirus industry operates. Antivirus products give zero control and/or knowledge about your machine and what anything on the machine is doing - these products are also not able to detect and terminate malicious software without regular ($$) updates.

Microsoft and other companies have spent millions on their products and they earn millions more from those constant updates - Process Hacker does not require constant updates for you to detect and terminate malicious software making those investments and their products practically meaningless so there is a huge incentive for Microsoft to try protect that investment by labeling Process Hacker malicious and preventing users from being able to use third party products.

LiamKarlMitchell commented 4 years ago

It's actually used alongside some trojans/viruses though. So it probably got caught up in that, as it would make it a PUP for some? https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/

speedwaystar commented 4 years ago

okay, this starts to make more sense.

In order to terminate some of these processes and services, DopplePaymer uses an interesting technique that leverages ProcessHacker https://processhacker.sourceforge.io/, a legitimate open-source administrative utility. This application is bundled with a kernel driver that can be used to terminate processes and services. DoppelPaymer is bundled with six portable executable (PE) files that are encrypted and compressed in the malware’s sdata section. These PE files contain 32-bit and 64-bit versions of the following:

On Sat, Dec 14, 2019 at 8:47 PM Liam Mitchell notifications@github.com wrote:

It's actually used alongside some trojans/viruses though. So it probably got caught up in that, as it would make it a PUP for some? https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/

dmex commented 4 years ago

@LiamKarlMitchell @speedwaystar

It's actually used alongside some trojans/viruses though

I asked CrowdStrike months ago for copies of the samples but never heard back from them and I haven't been able to verify any information they've posted on that blog.

1) The hashes for the "custom stager DLL that is used to exploit ProcessHacker" don't seem to exist anywhere?

I haven't been able to locate these samples so do they actually exist? Did they expect nobody would check and verify?

2) The blog states "Once loaded, ProcessHacker’s kernel driver is leveraged to kill the blacklisted processes"

Windows does not allow processes to load kernel drivers unless you're running with elevated administrative privileges. This would indicate the malware already had complete unrestricted access to the entire machine and was able to patch files/registry keys/literally do whatever without limitation and disable/overwrite/remove the KPH driver security checks.

CrowdStrike might have accidentally omitted or missed important details (or deliberately just to sex-up the blog and drive internet traffic) and there is a major difference between an attacker exploiting a security issue in Process Hacker and an attacker (with administrative access) patching windows to bypass the KPH security checks but since CrowdStrike hasn't provided the samples (or anything else to the development team) there's little information to go on.

The kernel drivers are also still whitelisted by CrowdStrike: https://www.hybrid-analysis.com/sample/70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4?environmentId=110


I can't make any sense of it... If it's true then why don't they share information with the development team so we can fix the issue instead of allowing attackers to keep exploiting it?

Then there are some other questions like where did they find the samples (on Clinton's email server? 😄 ) and how did the attackers breach the network and gain unrestricted administrative access, but who knows.

What I do know is there are lots of accusations (by big companies) but scant substance backing them up.

antoinebj commented 4 years ago

One example would be if you consider how there have only been 4 or 5 updates to Task Manager in the last 19 years and how Process Hacker has been in constant development since 2009 with hundreds of updates (and includes so many features and statistics) that it will take significant funding and resources for Microsoft to include similar features in Task Manager. Microsoft probably determined it's a lot cheaper to just publish a webpage with false and misleading information and block anyone from being able to use Process Hacker than innovate and compete fairly by devoting money and resources to Task Manager development.

Microsoft and other companies have spent millions on their products and they earn millions more from those constant updates - Process Hacker does not require constant updates for you to detect and terminate malicious software making those investments and their products practically meaningless so there is a huge incentive for Microsoft to try protect that investment by labeling Process Hacker malicious and preventing users from being able to use third party products.

Ok, I'll be the devil's advocate. There are several reasons why I think nobody needs to go down that line of reasoning here.

  1. This is not the Microsoft of the 90s, they have a different philosophy whereby they accept that not everything needs to be made or controlled by Microsoft: Linux is integrated into Windows, Edge uses Chromium, Microsoft apps on Android & iOS, 3rd-party open-source libraries in the development (.NET, VS, etc.) ecosystem, etc.
  2. When they do try to crush competitors, it's by either buying them, competing on quality (don't laugh!), marketing, or by pre-installing in Windows, not by preventing the binaries from running. If they did, it would AFAIK be unprecedented.
  3. This would be like a city trying to block a private but free recreational park for fear that its own public ones be abandoned when they're still well crowded.
  4. I don't see how anybody at Microsoft would ever feel challenged by PH2, because even if nobody used Task Manager or Process Explorer anymore, and everybody used PH2 instead, then it would not change a single cent to their bottom line. Nothing that innovates on their ecosystem (Windows) without being a direct competitor to a product that they sell separately can hurt them. On the contrary, it's positive for them.
  5. They're not the only ones blocking PH2.
  6. They would have too much to lose in terms of public image if they were caught doing that. The risk is just not worth it.
  7. Last but not least, the simplest explanation is almost always the most likely. Malicious software used PH2 (as described above) and the antivirus maintainers found it cheaper to simply use PH2's binaries as the signature, not caring at all about whether it's the right thing to do, or about the legitimate user-base that PH2 has. Simple as that.

stdedos commented 4 years ago
  1. When they do try to crush competitors, [...] not by preventing the binaries from running. If they did, it would AFAIK be unprecedented.

What do you mean, exactly? Have you read (I don't remember where it is exactly written) that "Microsoft is allowed to remove programs without confirmation"?

https://www.howtogeek.com/243581/windows-10-may-delete-your-programs-without-asking/

Even though there are legit reasons, ... It is already "unprecedented" enough in my books

  1. This would be like a city trying to block a private but free recreational park for fear that its own public ones be abandoned when they're still well crowded.

Yes, for the same reason EU decided to fine Microsoft for "forcefully" bundling IE and WMP.

  1. They're not the only ones blocking PH2.

So, if "10 of us" would suddenly decide to bully someone, would that be different, because we have "legit reasons" and "market share" and "we are not nobodies in our field"? 😕


I just picked some points to comment on. There could be much more.

The point that makes more sense, 7, while it does make sense ... Wut?

So, if I would write a malware, that utilizes the del /f command ... does that mean that MS will treat del as a virus now?


I can't make any sense of it... If it's true then why don't they share information with the development team so we can fix the issue instead of allowing attackers to keep exploiting it?

If [1] is true, then the above statement should have been preposterous. Sadly, it seems that this is how everyone treats PH

More than a few companies have emailed us demands over the years that we remove XYZ features but then refuse to provide any facts that support their case.


Windows does not allow processes to load kernel drivers unless you're running with elevated administrative privileges. This would indicate the malware already had complete unrestricted access to the entire machine and was able to patch files/registry keys/literally do whatever without limitation and disable/overwrite/remove the KPH driver security checks.

I am surprised that the story does not end at "the attacker was given administrative privileges". Even though UAC seems to treat some situations more leniently (I would think "non-important configuration options or 'secure' executables"?), it is the end of the story in my books if a malicious threat is escalated "not by its doing" (i.e. exploiting bugs).

@dmex I am slightly surprised that the KPH driver needs to have some security checks. Does that mean security against exploitation, or e.g. that non-escalated user X cannot process owned by Y? (even though I don't understand why X would be able to load the KPH driver then)

oldmud0 commented 4 years ago

I had a small thought: What if PH were a commercial product - would MS treat PH differently? One could argue that the competitor in this case (Process Hacker) is suffering economic loss from being "wrongfully" detected as malware, whereas some other similar product is not, and that Microsoft is intentionally marking it as malware to gain a competitive advantage in software debugging and power user tools. But as long as PH is FOSS, economic loss cannot be proven, so MS can safely win a case.

So I wonder if Microsoft's attitude would suddenly change if money started moving - like if there existed a commercial support license for PH's kernel driver. Then a party representing PH could claim economic loss.

At any rate, this sounds like a legal issue, and it doesn't sound like anything else but large-scale petitioning would stop MS from blocking open-source tools that just happen to be robust enough to have malicious uses.

WiliTest commented 4 years ago

robust enough to have malicious uses.

This one looks weird.

dmex commented 4 years ago

This is not the Microsoft of the 90s, they have a different philosophy whereby they accept that not everything needs to be made or controlled by Microsoft: Linux is integrated into Windows, Edge uses Chromium, Microsoft apps on Android & iOS, 3rd-party open-source libraries in the development

Yes, this is true for Linux and markets like browsers but not at all when it comes to the task manager market.

It's a fact that Microsoft does not document the API required by competitors to compete fairly with Microsoft's Task Manager or Process Explorer and has changed other API functions to block third party software including having hard-coded taskmgr.exe throughout the entire Windows operating system.

Task Manager and Process Explorer have features that we still can't implement in Process Hacker because they're not documented and we haven't been able to figure out how it was done.

Microsoft has also never provided any information or documentation to the development team or followed up on any issues we've reported including major issues such as LTSB versions of Windows blue screening under some scenarios when running Process Hacker (caused by changes to the Windows API that only affect Process Hacker) or literally any other issue we've found or encountered on Windows.

When they do try to crush competitors, it's by either buying them, competing on quality (don't laugh!), marketing, or by pre-installing in Windows, not by preventing the binaries from running. If they did, it would AFAIK be unprecedented.

How would you describe the reasoning and actions by Microsoft to classify Process Hacker as malicious software, block downloads from our website and automatically remove the product from users machines?

https://i.imgur.com/wRAeASJ.png https://i.imgur.com/mO1DdRE.png

They're not the only ones blocking PH2.

There is a major legal difference between Microsoft and third party companies.

They would have too much to lose in terms of public image if they were caught doing that.

I don't understand it either.

Malicious software used PH2 (as described above) and the antivirus maintainers found it cheaper to simply use PH2's binaries as the signature, not caring at all about whether it's the right thing to do, or about the legitimate user-base that PH2 has. Simple as that.

That might be true but it's not legal (except maybe in China). I've read just about everything published online and the only thing that I have seen is:

  1. attacker exploits or bruteforces the Remote Desktop Protocol (RDP) owned by Microsoft.
  2. attacker logs into the administrative desktop via RDP.
  3. attacker executes programs on the desktop with administrative privileges - Chrome, Command Prompt, Powershell, Process Hacker...

So why are companies blaming Process Hacker when attackers have administrative access and can uninstall, disable, remove, change anything on the machine? It's because they're not covered by insurance for their own incompetence.

The staff won't admit to making a massive mistake by allowing RDP connections from the internet and not configuring any local security policies needed to make it secure (lockout, complexity etc) so it's more convenient to blame the programs the attacker executed.

I am surprised that the story does not end at "the attacker was given administrative privileges".

Microsoft and others won't do anything when an attack requires administrative privileges so they're determined to leave out that fact.

https://devblogs.microsoft.com/oldnewthing/?p=15273 https://devblogs.microsoft.com/oldnewthing/?p=94505 https://devblogs.microsoft.com/oldnewthing/?p=3883

as long as PH is FOSS, economic loss cannot be proven, so MS can safely win a case.

No. Competition laws are not based on monetary losses and include anything that causes any sort of harm to consumers and/or competitors - the laws are especially severe and restrictive when the company is a declared monopoly.

I would think it's obvious how consumers (users of Process Hacker) have been harmed by Microsoft's actions. I've personally had a contract with Electronic Arts practically cancelled by Microsoft's actions. The project has also been harmed by Microsoft refusing to share interoperability information, by incompatible design changes to Windows excluding task manager products, and by hard-coding taskmgr.exe throughout Windows. Process Hacker is also not the only company affected: the SANS Institute and Winsider Seminars & Solutions both have training courses with Process Hacker and face increased costs from helping students reconfigure their machines etc... and we're not even getting into libel and other conduct.

I am slightly surprised that the KPH driver needs to have some security checks. Does that mean security against exploitation, or e.g. that non-escalated user X cannot process owned by Y? (even though I don't understand why X would be able to load the KPH driver then)

Multiple users can be logged onto the machine simultaneously, so our kernel driver enforces a privilege check to prevent non-administrators from performing administrative actions they're not authorized to perform (such as terminating processes owned by other users).

oldmud0 commented 4 years ago

No. Competition laws are not based on monetary losses and include anything that causes any sort of harm to consumers and/or competitors - the laws are especially severe and restrictive when the company is a declared monopoly.

Sure, not per se, but it's much easier to prove the case if you can claim economic loss. A FOSS project can't do that by itself - in this case, PH users did not transact for any promise to be able to use the software (and even if there was a transaction, the GPL explicitly waives the warranty of merchantability), and PH does not materially benefit regardless of how many users are able to run the software. Heck, the project doesn't even take donations, so the maintainers cannot claim that a loss of users caused a decrease in donations.

The bottom line is that the PH project by itself can't make the case - another party who has materially lost something as a result of Microsoft's reckless actions (such as the ones you mentioned) would have to make the case.

dmex commented 4 years ago

Heck, the project doesn't even take donations

There is a donation link in the main menu > About > Donate.

There's also a donation link on download page on the project website? https://processhacker.sourceforge.io/downloads.php

The bottom line is that the PH project by itself can't make the case - another party who has materially lost something

This is not how it works (especially outside the USA like we are).

oldmud0 commented 4 years ago

Whoops, didn't see those.

I will admit that I am not familiar with law outside of the US - specifically how to establish grounds for a case. In the US, generally a party has to prove that they were harmed by someone's wrongful actions.

So, let me summarize. PH's argument is "our users can't run our software because Microsoft is blocking it, and this violates an anticompetitive law because Microsoft has a software just like it that it allows. Therefore, we demand Microsoft to allow our software to run, so long as Microsoft has a similar product." Is this correct? I'm not sure what action you wish to take, but I don't think a legal case would be easy to argue from PH's side.

AndrewDP23 commented 4 years ago

TrendMicro just picked this up on my enterprise workstation. Process Monitor has been there for a long time, but my workstation just received a TrendMicro update that identifies PUA.Win64.ProcHack.B.component and PUA.Win32.ProcHack.C from Process Monitor.

I wouldn't be surprised if our security team ask me (with a concerned look) why I have something called Process Hacker on my workstation, which their authoritative source of threat detection picks up as a hacking tool.

What a disappointment from Trend. Process Monitor does well, and I hope this interference can be overcome - it is a valuable tool, and your great work is much appreciated.

LiamKarlMitchell commented 4 years ago

A strange question, but has anyone started a fork for a Lite build of Process Hacker with things removed and strings changed as to not arouse suspicion by w/e these anti viruses are complaining about?

It's a great tool even with reduced functionality, just to use as a task manager and resource monitor. Maybe released under a new name such as "Better Process Manager", removing the "hacker" functionalities as well.

One that would work in business environments where we are unable/unwilling to flag it as allowed.

I guess I can try Process Explorer thanks :) (I've used that one in the past heh)

dmex commented 4 years ago

if our security team ask me (with a concerned look) why

If they have to ask then you'll know they're incompetent and can't do anything on their own ;P

What a disappointment from Trend.

Trend Micro has been sending thousands of malformed HTTP requests to our updater server @ wj32.org for more than two years, always from the same static IP address registered to their office in Japan.

I hope this interference can be overcome

They've never once replied to support tickets or emails. I don't know what their problem would be.

has anyone started a fork for a Lite build

There are 576 forks on github that I can see from the Github forks page and even they're being targeted regardless of what parts they're using. For example: https://github.com/lucasg/Dependencies/issues/26

not arouse suspicion by w/e these anti viruses are complaining about?

I'm considering integrating VMProtect from https://vmpsoft.com/ since it encrypts the binary and dynamically changes code execution rendering anti-virus signatures obsolete - anyone can use it themselves too since it only requires the binary and not the source-code.

Maybe released as a new name such as "Better Process Manager" removing the "hacker" functionalities as well.

There is no "hacker functionality"? We use the exact same API functions Microsoft does in their own products and the name was based on the dictionary definition - having to reverse engineer Windows to compete with Task Manager and Process Explorer.

I guess I can try Process Explorer thanks :) (I've used that one in the past heh)

This is the entire point isn't it? Force everyone away to competing products so they're not able to protect themselves without an antivirus product?

stdedos commented 4 years ago

not arouse suspicion by w/e these anti viruses are complaining about?

I'm considering integrating VMProtect from vmpsoft.com since it encrypts the binary and dynamically changes code execution rendering anti-virus signatures obsolete - anyone can use it themselves too since it only requires the binary and not the source-code.

Can I has it? Can I has it? Can I has it? Can I has it? Can I has it? :smile:

dmex commented 4 years ago

@stdedos

VMProtect can be used right now. You just need to install it and select the executable then it'll produce a protected executable that can be distributed anywhere.

stdedos commented 4 years ago

What a disappointment from Trend.

Trend Micro has been sending thousands of malformed HTTP requests to our updater server @ wj32.org for more than two years, always from the same static IP address registered to their office in Japan.

I've been wondering though, why do you bother with their traffic and not block them (especially with these patterns)?

dmex commented 4 years ago

I've been wondering though, why do you bother with their traffic and not block them (especially with these patterns)?

It would be easily twisted into justifying their actions towards the project.

mickae1 commented 4 years ago

same problem with kaspersky !

bitraid commented 4 years ago

it is amusing to see that some antivirus detect a threat in a program that just calls ExitProcess (compile with fasm):

format PE GUI
entry start

section '.text' code readable executable

  start:
    push    0                 ; exit code: ExitProcess is stdcall with one argument
    call    [ExitProcess]

section '.idata' import data readable writeable

  ; import directory: one descriptor for KERNEL32.DLL followed by a null terminator
  dd 0,0,0,RVA kernel_name,RVA kernel_table
  dd 0,0,0,0,0

  kernel_table:
    ExitProcess dd RVA _ExitProcess   ; import address table entry, patched by the loader
    dd 0

  kernel_name db 'KERNEL32.DLL',0

  _ExitProcess dw 0                   ; hint
    db 'ExitProcess',0                ; imported function name

dmex commented 4 years ago

same problem with kaspersky !

Kaspersky was the company caught using their antivirus to steal documents... why does anyone continue using it?

Try something like Malwarebytes instead since they don't block tools like Process Hacker for showing system activity: https://www.malwarebytes.com/premium/

it is amusing to see that some antivirus detect a threat in a program that just calls ExitProcess

It's not the code but rather the binary hash and timestamp. Some companies just consider all binaries with recent timestamps malicious to fool unsuspecting customers into thinking those products protected them from threats which don't exist.

Most antivirus products should be sued for their behaviour but section 230 of the Communications Decency Act (CDA) gives antivirus software immunity for otherwise illegal behaviour.
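The hash-and-timestamp heuristic dmex describes, as an added example that is not from this thread or the Process Hacker project: a Python script that reads the COFF TimeDateStamp out of a PE image, hashes the file, and judges it by build age alone, showing how two builds of identical code differ only in that one field yet get different hashes and different verdicts. The PE images are constructed inline (a DOS header plus a PE signature and IMAGE_FILE_HEADER, not runnable executables) and the 7-day "recent build" threshold is an assumed value.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Assumed threshold for the naive heuristic: anything built within the last
# 7 days is treated as "never seen before" and therefore suspicious.
RECENT_BUILD_SECONDS = 7 * 24 * 3600


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stand-in for a PE file: a DOS header whose e_lfanew points at
    the 'PE\\0\\0' signature, followed by an IMAGE_FILE_HEADER. It is not a runnable
    executable; it carries just enough structure for the parser below."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER fields: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x0022)
    return dos_header + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    # TimeDateStamp is 4 bytes into IMAGE_FILE_HEADER (after Machine and
    # NumberOfSections), i.e. 8 bytes past the 4-byte signature.
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def classify(data: bytes, now: int) -> dict:
    """Verdict in the style the thread criticises: hash plus build time, nothing
    about what the code does. 'now' is passed in so results are reproducible."""
    ts = pe_timestamp(data)
    sha256 = hashlib.sha256(data).hexdigest()
    if ts == 0:
        verdict, reason = "suspicious", "TimeDateStamp is zero (stripped or unset)"
    elif ts > now:
        verdict, reason = "suspicious", "TimeDateStamp lies in the future"
    elif now - ts < RECENT_BUILD_SECONDS:
        verdict, reason = "suspicious", "built within the last 7 days"
    else:
        verdict, reason = "clean", "old enough to have been seen before"
    return {
        "sha256": sha256,
        "timestamp": ts,
        "built": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "verdict": verdict,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed "current time" (December 2019, around when the thread was active).
    now = 1_576_000_000
    # Identical code and headers; only the build timestamp differs.
    samples = {
        "old build": build_minimal_pe(now - 400 * 24 * 3600),
        "fresh build": build_minimal_pe(now - 3600),
    }
    for name, image in samples.items():
        r = classify(image, now)
        print(f"{name:12} {r['verdict']:10} {r['reason']}  "
              f"sha256={r['sha256'][:16]}...  built={r['built']}")
```

The two images are byte-identical apart from the timestamp field, which is enough to change the file hash and flip the verdict, the situation a freshly compiled stub like the fasm program above runs into.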

mickae1 commented 3 years ago

same problem with kaspersky !

Kaspersky was the company caught using their antivirus to steal documents... why does anyone continue using it?

Try something like Malwarebytes instead since they don't block tools like Process Hacker for showing system activity: https://www.malwarebytes.com/premium/

it is amusing to see that some antivirus detect a threat in a program that just calls ExitProcess

It's not the code but rather the binary hash and timestamp. Some companies just consider all binaries with recent timestamps malicious to fool unsuspecting customers into thinking those products protected them from threats which don't exist.

Most antivirus products should be sued for their behaviour but section 230 of the Communications Decency Act (CDA) gives antivirus software immunity for otherwise illegal behaviour.

I don't know, but my company is using kaspersky :( and I can't use processhacker :'(