winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License
10.81k stars 1.38k forks

windows 10 reports trojan in process hacker #454

Closed martinlindhe closed 2 years ago

martinlindhe commented 5 years ago

Just checked for an update on Process Hacker and Windows told me this:


ExE-Boss commented 5 years ago

For me, it says: Trojan:Win32/Occamy.C

ExE-Boss commented 5 years ago

I’ve submitted the file to Microsoft using: https://www.microsoft.com/en-us/wdsi/filesubmission.

Hopefully, it will get resolved soon.

martinlindhe commented 5 years ago

So can someone confirm this is a false positive?

ExE-Boss commented 5 years ago

Microsoft have now confirmed that it indeed isn’t a virus, and it will be whitelisted in the next Windows Defender update.

dmex commented 5 years ago

5th of Aug - Sehyioa.A!cl
12th of Aug - Wacatac.B!ml
12th of Aug - Occamy.C

Bartolomeus-649 commented 5 years ago

Perhaps one could submit checksums to VirusTotal; they seem to have a program to eliminate false positives from AV tools. https://blog.virustotal.com/2015/02/a-first-shot-at-false-positives.html

Or at least, submit any new executables released to their online service, which uses 67 anti-virus engines to check for malware.

One could (probably) use a URL like this to submit a file:

https://www.virustotal.com/ui/search?relationships%5Bcomment%5D=author%2Citem&relationships%5Burl%5D=network_location%2Clast_serving_ip_address&limit=20&query=<UrlEncodedUrlToFileToSubmit>

This results in a result page looking something like this: https://www.virustotal.com/gui/url/988e8bbea82cc2caa92267ba560c8b25cfacebdb2fe642e087027329c2e4c324/detection

VirusTotal also has an API: https://developers.virustotal.com/reference, which is probably the preferred way of interacting with them.

ralvarador commented 4 years ago

Well, Windows 10 AV (Defender?) is again claiming Process Hacker is a virus, a TROJAN VIRUS; this time one of its DLLs.

letrec commented 4 years ago

Trojan:Win32/Casdet!rfn. I have submitted it as a false positive.

letrec commented 4 years ago

Microsoft confirmed it to be a false positive. This is for Process Hacker version 3.0.2780.

Trojaner commented 4 years ago

[two screenshots of the Defender warning]

dmex commented 4 years ago

I've asked Microsoft for more information.

ExE-Boss commented 4 years ago

@Trojaner Above error when translated roughly means:

HackTool: Win64/ProcHack
Warning Level: High
Status: Active
Date: 25.11.2019 15:56
Category: Tool
Details: The behaviour of this program is potentially undesirable.

[Related Information]

Affected Items:
- file: E:\Program Files\Process Hacker 2\kprocesshacker.sys

This is probably to be expected, since kprocesshacker.sys is a kernel driver that allows Process Hacker to provide some extra features that require kernel access, which Windows places extra protection on.

If you press Related Information, there should be a button to whitelist it. If not, then you can do that through the Windows Security center under Virus & threat protection settings.


@dmex Does kprocesshacker.sys allow Process Hacker to do stuff that normally requires elevation without being itself elevated?

Because if so, then that might be why: “the behaviour of this program is potentially undesirable”.

dmex commented 4 years ago

Does kprocesshacker.sys allow Process Hacker to do stuff that normally requires elevation without being itself elevated?

You can't load the driver without (elevated) administrative access and the driver does not allow connections or requests from non-elevated processes. An administrator can deliberately disable those protections (patching files/registry keys etc...) and make the current Windows configuration insecure but every one of those cases requires administrative access.

cliffordx commented 4 years ago

Whitelisting did the trick.

TNTUP commented 4 years ago

Mine says TrojanDownloader:O97M/Emotet.RO!MTB (Windows Server 2016). Not sure if it's really safe; I've been using Process Hacker for 2-3 years... I'm a paranoid guy, so I could whitelist it, but I think it is a false positive.

Trojaner commented 4 years ago

@TNTUP Emotet is a very dangerous virus, maybe it is indeed a real Trojan hiding as Process Hacker. I suggest downloading process hacker again, from an official download link.

TNTUP commented 4 years ago

@TNTUP Emotet is a very dangerous virus, maybe it is indeed a real Trojan hiding as Process Hacker. I suggest downloading process hacker again, from an official download link.

I downloaded it off processhacker.sourceforge.io; probably that's shady, but that's the same file I have on my storage server o_o

sabihoshi commented 4 years ago

@TNTUP Emotet is a very dangerous virus, maybe it is indeed a real Trojan hiding as Process Hacker. I suggest downloading process hacker again, from an official download link.

I downloaded it off processhacker.sourceforge.io; probably that's shady, but that's the same file I have on my storage server o_o

Check the hash of the .exe file on VirusTotal; it should be the one with a +300 community score. Also, I got this error in Windows 10 Version 2004 Build 19033.1.

Same error as @cliffordx.
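The check suggested above by sabihoshi (compare the download's hash against the VirusTotal entry with the high community score) and earlier by Bartolomeus-649 (use the VirusTotal API), written out as an added example; it is not code from the Process Hacker project or from anyone in this thread. The endpoint and `x-apikey` header are VirusTotal's real v3 file API; the engine names, counts and reputation in `SAMPLE_REPORT` are constructed so the summary runs offline.

```python
# Added example (not Process Hacker project code): hash a download locally, then look it up on VirusTotal.
import hashlib
import json
import os
import sys
import urllib.request

# Real VirusTotal v3 endpoint; the lookup needs an API key sent in the x-apikey header.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream in 1 MiB chunks so a large installer need not fit in memory
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def fetch_report(sha256: str, api_key: str) -> dict:
    req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize_report(report: dict) -> dict:
    """Reduce a VT v3 file object to engine counts, community reputation and the named verdicts."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    flagged = sorted(f"{engine}: {r.get('result')}"
                     for engine, r in attrs.get("last_analysis_results", {}).items()
                     if r.get("category") in ("malicious", "suspicious"))
    return {"malicious": stats.get("malicious", 0),
            "suspicious": stats.get("suspicious", 0),
            "harmless_or_undetected": stats.get("harmless", 0) + stats.get("undetected", 0),
            "reputation": attrs.get("reputation", 0),  # the community score the thread refers to
            "flagged_by": flagged}

# Constructed sample in the shape of a v3 response (result list abbreviated): 2 of 67 engines flag.
SAMPLE_REPORT = {"data": {"attributes": {
    "reputation": 312,
    "last_analysis_stats": {"malicious": 2, "suspicious": 0, "harmless": 0, "undetected": 65},
    "last_analysis_results": {
        "ExampleAV-1": {"category": "malicious", "result": "Trojan:Win32/Occamy.C"},
        "ExampleAV-2": {"category": "malicious", "result": "HackTool:Win64/ProcHack"},
        "ExampleAV-3": {"category": "undetected", "result": None}}}}}
if __name__ == "__main__":  # usage: VT_API_KEY=... python vt_check.py <file>; without a key the sample is shown
    digest = sha256_of_file(sys.argv[1])
    report = fetch_report(digest, os.environ["VT_API_KEY"]) if "VT_API_KEY" in os.environ else SAMPLE_REPORT
    print(digest, json.dumps(summarize_report(report), indent=2))
```

A low malicious count next to a high reputation is the pattern this thread's false positives show; a fresh hash with no entry at all is the case where the download itself deserves suspicion.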

ygoe commented 4 years ago

This certainly isn't an issue of manipulated files. I've downloaded the setup package on 2016-06-04 and reinstalled it after Windows Defender ate it. Then it ate it again right away. I hope my exclusion works now. Otherwise I'll have to consider disabling Windows Defender completely. Antivirus software never found something here, just deleted or blocked needed files. I don't need that.

ddbb2017 commented 4 years ago

It's not resolved yet. Someone at Microsoft needs to get their $h*t together, I could run Process Hacker just fine, but when I navigated to its installation folder in Windows Explorer it showed this:

[screenshot]

and deleted the .sys file. The version of the driver is 3.0.0.0, signed by Wen Jia Liu on Monday, March 28, 2016 10:21:05 AM. The serial # for the cert is 040cb41e4fb370c45c4344765162582f

Then on my other computer, I was getting this message for ProcessHacker.exe v.2.39.0.124:

[screenshot]

which was also deleted by Windows Defender, for being a "tool"? :)

zmni commented 4 years ago

Also same issue on Windows 8.1 x64:

[screenshot]

krokofant commented 4 years ago

Cool stuff. Suddenly Process Hacker was missing because Windows Defender removed the exe 😆 I didn't even notice it.

hl2guide commented 4 years ago

For me as of today it is showing as:

[screenshot]

ygoe commented 4 years ago

After I had configured Process Hacker as an exception in Defender Antivirus, it was now deleted for the second time. I consequently have to consider Defender AV as malware and deactivated it entirely. Never did anything for me anyway. I have reported this twice as a severe problem of an important feature through Windows Feedback and would advise anybody to do the same.

speedwaystar commented 4 years ago

Windows Defender now seems to be generating a new quarantine for Process Hacker every other day, despite being told the previous day to allow it. It's possible that this (re)occurs whenever it downloads a new threat list from Windows Update.

It's doubly annoying because when Windows Defender is told to "allow" Process Hacker, it says "This threat has been allowed and will not be remediated in the future." Sadly this is an outright lie, since it has now remediated it for three days running.

Someone at Microsoft really doesn't like Process Hacker.

ygoe commented 4 years ago

Update: Disabling Windows Defender is not effective. After restarting Windows, it is automatically enabled again – and does its thing. Also, stopping, disabling or deleting the service is not possible. The action itself is prohibited for Administrators (when done with Process Hacker) and Windows Updates are likely to restore it anyway. A work-around that I found is adding all of your hard drives as exclusions. Add C:\, D:\ and whatever drives you have as excluded folders. I'll report if this also doesn't help to keep Process Hacker on the computer.

And, please keep reporting this as negative feedback (severe problem) in the Defender app. Microsoft has to read the feedback eventually.

Trojaner commented 4 years ago

@ygoe you can disable Windows Defender permanently by setting DisableAntiSpyware to 1 in your registry (I don't know the exact path, Google it)

ExE-Boss commented 4 years ago

I’d just whitelist the entire ProcessHacker directory.

VimalShekar commented 4 years ago

Defender may be blocking for a valid reason. The owners of this project have to submit an issue to Microsoft using https://www.microsoft.com/en-us/wdsi/filesubmission

MS would analyse and respond back. If they say the detection is intended, you should then raise a "dispute". At this point, they would reveal their reasons and help you fix the code that's causing them to flag it.

If you have just submitted an issue and haven't gone through the "dispute" process, you will never know the reason why it was flagged.

dylmye commented 4 years ago

@VimalShekar this has been done before :( https://github.com/processhacker/processhacker/issues/454#issuecomment-520428285

dmex commented 4 years ago

@VimalShekar

The owners of this project have to submit an issue to Microsoft

I've done this about 8 times this year.

If you have just submitted an issue and haven't gone through the "dispute" process, you will never know the reason why it was flagged.

My account was banned by Microsoft the same day they pushed the detection and I can't dispute it.

There was an email conversation with Microsoft about that issue (and also Process Hacker) but they haven't fixed the issue with my account or provided any information about Process Hacker and it's been over 3 weeks now.

ddbb2017 commented 4 years ago

@dmex yeah, sounds like a typical MSFT. (Basically when the right hand doesn't know what the left one is doing.)

Try to create another Microsoft account and see if you can find out why they banned it. My guess is that Process Hacker interferes with the functionality of one of their products, i.e. Process Explorer. In that case they won't let you know. But if it's just a false-positive, say, for calling too many native functions, then it's another matter.

ddbb2017 commented 4 years ago

Maybe tweet at them too.

ygoe commented 4 years ago

@ddbb2017 Retweeted. Our little community is probably too small to create a shitstorm.

dylmye commented 4 years ago

Reply from John Lambert from Microsoft Threat Intelligence Center:

We are aware of this and last I heard the Defender team was going to reach out to Process Hacker folks. If you hear this hasn't happened, please have someone ping us!

(source)

dmex commented 4 years ago

@dylmye

I can confirm Microsoft has contacted the development team.

luckydonald commented 4 years ago

Now I'm curious why they deleted your account.

ddbb2017 commented 4 years ago

@dmex ok, so what's the rub? What did they not like in there?

dmex commented 4 years ago

@ddbb2017

It's an active conversation and would not be appropriate to share that information right now. I'll post an update after the discussion with Microsoft has concluded.

ddbb2017 commented 4 years ago

@dmex ok, fair enough, please do.

dmex commented 4 years ago

"conversation" is the wrong word to describe whats happening at Microsoft right now.

dylmye commented 4 years ago

We can loop in John and Tanmay from MDATP if that helps at all.

ddbb2017 commented 4 years ago

@dylmye before anything can be done, can someone please explain what they want from this project? @dmex I'm lost af.

dmex commented 4 years ago

@dylmye

If you think it would help, feel free to ask them.

@dmex I'm lost af.

A riddle wrapped in an enigma... Microsoft hasn't provided any actual details, only some vague claims without the details and a request we change something that was changed a long time ago and they haven't replied since.

Now I'm curious why they deleted your account.

My account is still banned.

ddbb2017 commented 4 years ago

I bet they want you to re-sign the driver and pass it through their WHQL.

poizan42 commented 4 years ago

Are they unhappy about it being able to inspect and manipulate protected processes? But then they should flag kprocesshacker.sys and not processhacker.exe.

gchq-zz commented 4 years ago

As of right now it is being passed by the MS engine at VirusTotal - took some thumping on the door, but it looks like someone finally opened it and listened :-)

TNTUP commented 4 years ago

Windows Defender does not flag Process Hacker anymore. Was able to download 2.39 and install and running as normal. Works on WS 2016 :)

dmex commented 4 years ago

Microsoft declared the PE Viewer utility included with Process Hacker a Trojan and silently removed the binary and start-menu shortcuts from users' machines.

The only way to restore the peview utility is to completely reinstall. #544


The telemetry reports at minimum 1.7 million installations of Process Hacker have been corrupted and/or removed by Microsoft to date... Netscape 2.0 - bill gates would be impressed.


ddbb2017 commented 4 years ago

@dmex what? they're at it again.

As a developer don't you "love" those AV companies?