windows 10 reports trojan in process hacker

[martinlindhe]

Just checked for update on process hacker and windows told me this:

[luckydonald]

This is very lovely. #system_you_own

[letrec]

@dmex, Actually there's a way to restore it without reinstalling the application. One needs to go to Windows Security -> Virus & treat protection -> Protection history, identify the right "Threat blocked item" and click the button to unblock it.

[dmex]

Microsoft has released 3 additional detections for Process Hacker:

"We have determined that the files meet our criteria for detection. At this time detection will remain in place. "

• OnlineChecks.dll - Trojan/Win32/Detplock
• ProcessHacker.exe - Trojan/Win32/Casdet!rfn
• ProcessHacker-setup.exe - Trojan/Win32/Wacatac.C!ml

https://www.microsoft.com/en-us/wdsi/submission/645d8857-7058-4e89-b329-8b358f1fdccc

[namazso]

I also had the Detplock / Wacatac detections on my software, seems like Microsoft just detects absolutely everything that is unsigned now

[RossWang]

Isn't the original author work at Microsoft? Oh no, he left one year ago!

As I said in issue #408, hackers login to RDP and use PH to turn off security software. What interested me is a recent release of Kaspersky Endpoint Security blocks PH in a clever way—only detects PH in RDP sessions.

[dmex]

Isn't the original author work at Microsoft?

Yes. The project author and founder was a senior engineer for the Microsoft Hyper-V team.

Oh no, he left one year ago!

He has left yes. I don't know the details but it's unfortunate and I hope it wasn't because other employees at Microsoft have been attacking his projects and labeling everything as "trojans" or sending him threats,,. It's probably not appropriate to speculate since its unrelated to this issue and I'm biased as to the reasons after employees at Microsoft (Karen Burger) emailed me a few years ago with threats and the more recent actions by Microsoft towards the project.

As I said in issue #408, hackers login to RDP and use PH to turn off security software.

This is not what Microsoft or anyone else has been claiming with their descriptions and signatures?

You also can't disable security software using Process Hacker... Terminating a process does not stop the process from restarting and does not uninstall the product and also does not even disable kernel drivers, remove kernel object callbacks or remove disk minifilter callbacks or alter/disable group security policies - all of these and other security related callbacks, functionality and policies cannot be changed or disabled with Process Hacker.

You're probably confusing Process Hacker with how attackers are actually exploiting RDP flaws and the access level provided by RDP (which isn't available for home users) and how it bypasses literally every security policy and mitigation on Windows - I can't fix the security issues with RDP because its a Microsoft product and can only recommend you don't ever use it over the internet (which it does not provide any protection and was never designed for).

For example; If you execute this powershell script over RDP then it'll permanently destroy all security software (and the entire operating system) with a single built-in Windows command: https://gist.github.com/dmex/5885ec528b8231fb75d5a591845b96e6

RDP security issues can only be fixed and addressed by Microsoft and employees trying to shift the blame to Process Hacker is idiotic when its a Microsoft product and not something we created or maintain.

[dmex]

Microsoft has released 5 new signatures for Process Hacker today:

Trojan:Win32/Wacatac.D!ml
Trojan:Win32/Wacatac.C!ml
Trojan:Win32/Wacatac.B!ml
Trojan:Win32/Fuery.C!cl
Trojan:Win32/Detplock

These are additional to the 3 signatures from yesterday:

OnlineChecks.dll - Trojan/Win32/Detplock
ProcessHacker.exe - Trojan/Win32/Casdet!rfn
ProcessHacker-setup.exe - Trojan/Win32/Wacatac.C!ml

[dylmye]

Contacted MDATP again, they're looking into it:

https://twitter.com/dylmye/status/1232594687090941953

[ddbb2017]

@dmex wtf, dude? why tf would you post a scrambled PowerShell script here to delete someone's boot partition? It really doesn't help your case.

@dylmye Did anyone actually look into the source code that MSFT are flagging?

[dmex]

@ddbb2017

why tf would you post a scrambled PowerShell script here to delete someone's boot partition? It really doesn't help your case

The truth dies in darkness when you dismiss legitimate discussion like that. That's not my code. I found it while investigating an attack and it should be discussed instead of hidden away.

A simple script that bypasses all security software and causes considerable damage is I would think highly relevant to our case since people have been accusing Process Hacker of RDP attacks and damage oblivious to the RDP vulnerabilities causing the security issues and resulting damage in the first place.

Process Hacker is not some magical unicorn that is able to bypass security privileges and security policies or exploit Windows - It calls the exact same functions used by Microsofts own products and can only do something when you have privileges to preform that action just like Microsofts products.

If you do something you think is 'bad' with Process Hacker it's because you have the privileges and the right defined by group policy to use those functions - if you don't want Process Hacker doing something then change your group policies and account privileges it's that simple - something else can come along and do exactly what Process Hacker does unless you configure your polices - singling out and targeting Process Hacker won't help anyone and just demonstrates incompetence and anti-competitive behavior.

Microsoft is the only one that can stop RDP attacks by improving the security and authentication support of RDP... There is nothing else that we can do that I know about. I've already added every last security mitigation and security feature available on Windows into Process Hacker - I literally can't add anything more unless Microsoft changes their policies allowing open-source projects to use PPL and CI (which they already use with the Windows store for Games and Calculator apps)...

Maybe one day when Microsoft stops attacking the project and changes their policies...

hackers login to RDP and use PH to turn off security software

In addition to my last comment about that...

What happens when you terminate dwm.exe? It restarts. What happens when you terminate winlogon.exe? It restarts. What happens when you terminate explorer.exe? It'll restart when you use status 0. What happens when you terminate lsass.exe? It shows a message for 60s before rebooting (you can cancel the reboot using shutdown.exe /a) What happens when you terminate csrss.exe? It fails a handle check and ntoskrnl.exe bug-checks the machine with an error code.

What happens when you terminate security processes? Nothing. Just blame Process Hacker.

Why doesn't security software shutdown the machine or restart the process like everything else? Lazy idiots and a convenient excuse to target Process Hacker which they see as a competitor after we integrated 71 antivirus products and the ability to terminate threats without requiring constant daily updates and monthly subscriptions.

Security software is implemented in the kernel and even after terminating the process it'll continue running. You can check using Windows-Kernel-Explorer and viewing the various callbacks: https://github.com/AxtMueller/Windows-Kernel-Explorer

Microsoft and other companies are deliberately choosing the worst possible way at handing this issue and the only thing I can summarize is they would rather destroy the project than do anything constructive and let open-source projects to use PPL and CI.

[namazso]

meanwhile it seems like detections were cleared once again

[dylmye]

Can confirm @namazso - https://www.microsoft.com/en-us/wdsi/submission/645d8857-7058-4e89-b329-8b358f1fdccc

[ygoe]

May I ask what is "PPL and CI"? Google doesn't know it.

[ddbb2017]

@ygoe PPL = Protected Process Light, CI = Code Integrity.

At this stage, both are available for Microsoft products only (or, through a kernel hack.) CI, or special code signatures, are enabled by default for Windows Store apps, but as a developer you won't be able to do much with it afterwards.

@dmex my point was not about worthiness of PH. (I agree with you on that.) What I was trying to tell you is that linking to an obfuscated malware sample that can wipe out someone's boot drive (if they run your power shell script) is not the best of options to prove what we're trying to prove here. That's it.

As a developer myself I totally hear you. I hate most AVPs and their false detections. But that's the world we have to live in since consumers seem to rely on them.

[Bartolomeus-649]

Interested reading that might be of some help...

• Rick Strahl: Dealing with Anti-Virus False Positives https://weblog.west-wind.com/posts/2016/oct/05/dealing-with-antivirus-false-positives

• Microsoft docs: How Microsoft identifies malware and potentially unwanted applications https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/criteria

• Microsoft Defender ATP Research Team: Partnering with the industry to minimize false positives https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/

• Windows -> Security -> Threat protection: Information for developers https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/developer-info

[Bartolomeus-649]

Also, it seem like the certificate used has expired...

[gchq-zz]

@Bartolomeus-649

What age is the file? It's not like an SSL Cert, the valid date is only relevant during publishing! According to your screenshot it was signed on 09 April 2016, but was valid at the time until Jan 2017

[ddbb2017]

@Bartolomeus-649 that's why that signature has a timestamp that makes it valid, even today, when the certificate itself has expired. That's the whole point of timestamps.

As for re-signing it, then they can't. For that they will need a special certificate to sign a 64-bit kernel driver. That is done with an EV code signing certificate. I'm not sure about the further steps. It may also require passing it through the WHQL.

[namazso]

@Bartolomeus-649 as you can see it is countersigned by the DigiCert time server, with a date of 2016. As far as I'm aware 2016 is between 2013 and 2017

[mbalous]

Windows Security just quarantied two of the plugins of ProcessHacker as Trojan:Win32/Detplock.

• plugins\ExtendedNotifications.dll
• plugins\OnlineChecks.dll

[dmex]

Isn't this the 9th "false positive" from Microsoft so far this year? and it's only March...

They did the same thing last Friday because they know nobody would be in the office over the weekend and it would prolong/maximize damage to the project.

Also not surprised they would target the OnlineChecks plugin and automatically remove it from Windows (second time this week) when its required for integrating Process Hacker with 72 antivirus engines via the cloud....

...

[ygoe]

Looks like a targeted offence. Sounds to me like Microsoft is now officially evil. This is the kind of game that little children play. Windows Defender might no longer be a serious security solution but simply a tool to suppress undesired developer productivity apps. Have they learnt too much from Chinese politicians? Process Hacker should explain this offensive behaviour to their users prominently and strongly suggest not using Windows Defender if they seek for reliable and responsible protection.

[Laibalion]

And we're there again:

This is for version 3.0.2993

[ExtremeGTX]

Just Downloaded the latest portable version from release page, and Windows defender didn't detect anything. Also after scanning the whole directory, everything is clean!. Windows 10 1903 Build 18362.720

[poizan42]

This time it's the ExtendedTools plugin that's being detected:

[h-h-h-h]

Can somebody please explain why, on VirusTotal, the nightly downloads get assigned the tags downloads-pe and downloads-zip?

VirusTotal links:

• Setup .exe (downloads-pe)
• Portable .zip (downloads-zip)

[dmex]

the nightly downloads get assigned the tags downloads-pe and downloads-zip

Those tags are assigned based on the HTTP headers returned by the URL rather than the actual file content because you're actually scanning the URL itself and not the downloaded file. If you want to scan the file downloaded by the URL you have to first download it then submit to VirusTotal rather than passing the URL.

[poizan42]

This is a whole new level of heuristics fail. A Linux/Android exploit in a Win32 DLL...

[Biswa96]

A Linux/Android exploit in a Win32 DLL...

Well done! ProcessHacker is now officially a cross platform 100% free and open-source malware! 🥳

[dmex]

[garoto]

I guess at this point, this should be an issue only for people who use PH (or try to) on some sort of restrictive environment, like a corporate network, because otherwise issues dealing with AV snake-oil vendors are just noise.

[dmex]

The detection is still active: https://user-images.githubusercontent.com/1306177/98056549-45cd2f00-1e94-11eb-83c9-402cd9582e09.png

some sort of restrictive environment, like a corporate network,

Defender is built-in and technically cannot be disabled so that's an issue for everyone. How are you going to use Process Hacker when Microsoft keeps deleting the binaries claiming they're malware?

[ralvarador]

I worked in two companies that its AV were set to block Process Hacker. The AV software: Kaspersky and Sophos...

[ygoe]

Wow, that AV thing doesn't seem to be about "viruses" and malware anymore but rather opinionated. Like so many sad things these days.

This is my standard Process Hacker installation procedure:

1. Install Process Hacker
2. Add the installation directory to Defender's exclusion list (like Thunderbird's mail storage to prevent total mail corruption, theoretically)
3. Install Process Hacker

Maybe the website and/or setup package could promote or even automate that, too.

[HealsCodes]

I'd be okay if it was a Windows Defender only false positive.. but this is a joke:

[luckydonald]

"Riskware.Processhacker" Wow.

[Dwarden]

Windows Defender reports those processhacker-3.0.3585-setup.exe = Trojan:Win32/CryptInject!ml ProcessHacker.exe , ProcessHacker.lnk = Trojan:Win32/Zpevdo.B processhacker-3.0.3585-bin.zip = Trojan:Win32/Detplock replace .zip files with .7z please sign installer and processs binary with same certificate as the driver (or w/e trustable)

[Dwarden]

Windows Defender changed the detection and reports those processhacker-3.0.3593-setup.exe = Trojan:Win32/Woreflint.A!cl processhacker-3.0.3593-bin.zip = Trojan:Win32/CryptInject!ml

[dmex]

@luckydonald

Wen Jia (wj32) was an employee for Webroot and worked in their US offices for a few years - they issued the "Riskware.Processhacker" signature the same day he left the company.

They're exploiting the legal immunity given by Section 230 in the USA to attack former employees and others without justification.

@Dwarden

please sign installer and processs binary with same certificate as the driver

The binaries are already signed. The problem is Microsoft has added signature checks to a dozen Windows API functions that are explicitly targeting/blocking Process Hacker (separate from Defender) and have refused to fix other highly critical Windows issues.... Signing won't fix anything until Microsoft changes its illegal policies.

The browser wars have ended but the task manager wars are still going strong... taskmgr.exe has been hard-coded throughout multiple components to prevent users from changing the system defaults to third party programs just like Microsoft did with Internet Explorer - the signature checks included with API functions used by taskmgr.exe designed to block competitors is much worse than attacks by Microsoft on Netscape in the 90's and other APIs have been changed to report incorrect information when used by third parties but not their own products.

The malware detections by Microsoft are part of this and are being used as a pre-emptive attack aimed at diminishing our legitimate claims against the company for anti-trust violations.

2008-2018 - 0 false positives by Defender over those 10 years. 2019 - 10 or so false positives 2020 - well over 35 'false positives'.

The first "false positive" by defender was just a few days after wj32 quit working at Microsoft. Mark Russinovich sent both of us job offers but I turned it down because of work on critical issues at Electronic Arts. David Hepkin from the Azure/hyperv/vsm team was wj32's team leader.

Microsoft targeting former employees is one thing but targeting competitors products is well established as anti-competitive by the courts and regulators so the defender team are including our binary signatures in random detections in an attempt to conceal the purpose of the attacks and there are also potentially cases with employees "stat padding" to obtain contract KPI bonuses.

"stat padding" is a reason behind random defender signatures (e.g. Linux/Lotoor.A) containing signatures for Process Hacker despite there being zero relationship - security vendors have contract bonuses for the number of detections and employees are using competitors binaries to increase the # of detections and obtain those bonuses. This is also why the same signature was used against 6 separate open source projects over 6 months without any shared source code which is statistically impossible for an accidental 'false positive'.

Microsoft still hasn't provided the team with any evidence to support their claims... The best we've received is a regurgitated report from another Microsoft employee here in Melbourne, Australia which made no sense.

MSRC also hasn't responded to emails about these and other issues... These attacks by Microsoft are likely going to get worse until the courts/regulators are more involved so I recommend users switch to Malwarebytes: https://www.malwarebytes.com/

Malwarebytes has been supportive of Process Hacker and they resolve issues extremely quickly in less than two hours - a stark contrast to the actions by Microsoft.

[namazso]

@dmex

About those "!cl" and "!ml" ending detections on Defender, my softwares get that all the time too. They're probably machine learning or some other dumb heuristic. For me it always resolves after submitting, but it's a bit tiresome to do that every single version. (I'd also recommend only caring about it when it's release time, not for random builds, that's just not worth the time.)

However I'm not entirely sure about that Malwarebytes recommendation. They have no way to submit false positives without registering to their forum and stuff (eg. via a form or email). Clearly, they don't really care about software developers trying to get their one of a dozen AV's detection cleared, only about those who use (and often pay) for their software.

Also, do you have any source for the taskmgr signature checks? (source as in what binary has this? I have legitimate interest, not just accusing you or something)

[Dwarden]

@dmex

unfortunately there are some factual errors on your side inbetween the binaries delivered with nightly installer and .zip file processhacker-<%buildnumber%>-setup.exe IS NOT signed processhacker.exe IS NOT signed peid.exe IS NOT signed any <%plugins%>.dll ARE NOT signed the ONLY signed file IS the kprocesshacker.sys with certificate from 2016 including the long deprecated SHA1 and SHA256 (dual sign certificate) (some AV companies seems to auto-flag binaries with dual sha-1 and sha-256 cert since last year)

certificates and intermediates signed in SHA1 won't be recognized anymore and will provoke security alerts https://docs.microsoft.com/en-us/sysinternals/announce/sha1deprecation

my suggestion phase out the dual signature and replace it with fresh new certificate, using just SHA256 then sign all .exe , .dll , .sys files , no exceptions nor leftovers, with this new certificate note: legacy OSses like XP SP3, Vista, Windows 7 and Server 2008 support SHA256 signed binaries with correct KB installed

after this is done we can continue argument about how AV/security or Microsoft handles detection under W10/WS2016/WS2019 if this isn't done all they can do, is point to what i just posted as excuse argument

[Dwarden]

Windows Defender changed the detection and reports those processhacker-3.0.3612-setup.exe = Trojan:Win32/Spursint.F!cl processhacker-3.0.3612-bin.zip = Trojan:Win32/Spursint.F!cl 32bit ProcessHacker.exe = Trojan:Win32/CryptInject!ml

[VictorVG]

People "earn honestly" for bread and butter and girls, and therefore do not be surprised - they will find something else.:)

[dmex]

@Dwarden

Windows Defender changed the detection and reports those

I need screenshots of these detections so they can be used as evidence. WinDefThreatsView from Nirsoft shows all the relevant detection information that we need: http://www.nirsoft.net/utils/windows_defender_threats_view.html

unfortunately there are some factual errors on your side processhacker-<%buildnumber%>-setup.exe IS NOT signed processhacker.exe IS NOT signed

Thanks captain obvious.

If you haven't been paying attention... Microsoft changed the signing requirements for Windows back in 2015 requiring developers to submit binaries to Microsoft and receive 'attestation signed' copies of those binaries: https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/attestation-signing-a-kernel-driver-for-public-release

Attestation signing is another policy Microsoft uses against competitors in the Task Manager wars... To be specific:

Microsoft does not sign our binaries with the correct certificate attributes in order to block and/or severely limit competitors from calling most API functions used by Task Manager and Process Explorer.

The same is true for the following products and not only Process Hacker: (no specific order)

• AnVir Task Manager
• MiTeC Task Manager
• System Explorer
• Daphne
• WinUtilities Process Security
• Process Lasso
• TaskInfo
• DTaskManager
• Auslogics Task Manager
• Also every other competitor.

All of these products are affected and also incorrectly signed blocking them from using dozens of new Windows features and API functions (ntdll/user32) by Microsoft that are being used by Task Manager and Process Explorer.

I'm not sure why those other competitors support that Microsoft policy or why they've been silent about it... I personally refuse to pay $1500 a year for an illegal anticompetitive certificate until it includes the attributes required for features used by Task Manager and Process Explorer.

Even If I wanted to submit the binaries; the submission fails with an unknown error and Microsoft have never corrected either issues with two seperate supports going nowhere. That is effectively banning my account from ever signing a Process Hacker release.

The signing submissions are still in limbo even now:

David Plummer, the former Microsoft developer who wrote Windows Task Manager has also been made statements in the media earlier this year about "secret code" he embedded into Windows giving Microsoft an unfair competitive advantage... I've been discussing Microsoft's actions and policies with our competition regulator here in Australia but its a slow process and I'll have more to share soon™

[Dwarden]

@dmex primary i wasn't writing about driver but binaries and libraries in the nightly

i.e. you mention Process Lasso yet that one has ALL binaries and libraries signed for years Process Lasso works fine, no WindowsDefender detection on any installer, download or install itself nor execution of binaries ... several of the other software from the list aren't detected by Windows Defender either but I've got no time to test each e.g. fire are TaskInfo, Daphne etc.

anyway because you decided to aggressively respond to simple request and comments mainly about unsigned binaries i will not continue in this discussion further

[dmex]

anyway because you decided to aggressively respond

I'm Australian 🤷‍♂️

It wasn't an intention to be aggressive but these are serious issues. Microsoft and other vendors requested Github delete the project for Terms of Service violation earlier this year and there was an attempt to seize our website domain so I've decided to speak out more about the issues we deal with managing this project and the problems we're having going forward and the things we're told by people at those companies.

The webpages published by vendors (i.e. ProcHack!MTB) are used as reference material by other organisations as is this thread on the tracker discussing the issue and the comments weren't aimed at you and I apologise for not making that more clear.

you mention Process Lasso yet that one has ALL binaries and libraries signed for years

The Process Lasso executable certificate hasn't been signed with the correct attributes for over a decade. Microsoft hasn't documented these restrictions so they either don't know or don't care.

They're blocked from calling Windows APIs used by Task Manager like CreateWindowInBand, classes found in NtQuerySystemInformation/NtSetSystemInformation and from using the "secret code" mentioned by Plummer in csrss/winlogon to name a few of the restricted features,

If they're serious about competing with Task Manager and Process Explorer then these are some of the Windows features they would probably want to include but can't because of Microsoft's ongoing anti-competitive behaviour towards competitors.

several of the other software from the list aren't detected by Windows Defender either

Microsoft added a new detection "ProcHack!MTB can be used to patch or "crack" some software so it will run without a valid license or genuine product key." https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win32/ProcHack!MTB&ThreatID=2147755297

The development team does not and has never supported piracy. No such feature or functionality for cracking Microsoft software or activations has ever existed in Process Hacker.

[Marvin-Brouwer]

I also get a report on this using Sophos: https://search.sophos.com/#q=processhacker&t=Support&sort=relevancy

[dmex]

I also get a report on this using Sophos

Sophos are irrelevant considering they're also targeting and blocking Microsoft software such as Process Explorer:

https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications/Process%20Explorer.aspx https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications/Sysinternals%20Desktop.aspx https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/PsExec.aspx

Sophos designed those pages to trick unsuspecting customers into believing Sophos protected them from threats which don't exist.

You can't justify this behaviour:

[VictorVG]

This is how Sophos solves its private commercial problem - to increase sales of its software.

In 1993, I had a conversation with Eugene Kaspersky on a similar occasion - then there was a "antivirus" AidsTest by Mr. Lozinsky that was updated as soon as a new virus appeared. And then Eugene said - “It's strange, it takes several days to analyze a new virus and find a way to eliminate it, and a new version of AidsTest comes out a few minutes after the appearance of a new infection, and a significant part of its database is the first programs that came across. the remedies for his treatment are written by the same person to increase the sales of his program, and for the same purpose, random harmless programs are added to the AidsTest database ... ". And after that, similar questions arose about a number of other antiviruses, but there was no direct connection "virus - antivirus creation", although there were plenty of facts of adding random harmless programs to the AV database.

Now other antivirus manufacturers use a similar method to increase their sales - they add randomly selected popular programs to their AV databases, and they also do not hesitate to publish deliberately false messages about the detection of "viruses" in the media. Naturally, anonymous "experts of antivirus companies" or "experienced users" who check numerous user complaints about the malware's harmfulness become the source of information.

So recently a campaign was organized to discredit WinRAR v5.91, and now it is being repeated in relation to v6.00 - there are already messages on forum.ru-board.com about the deletion of RAR 6.00 archives with text files under the pretext "a virus, trojan, malware "a number of antiviruses.

The same strategy is used with respect to RN - why invent something new if the statistics of the number of installations of their product is increasing, and it does not matter that the authors of the declared malicious programs are forced to spend time and money on proving the absurdity of the accusations made on behalf of anonymous users and reworking their software in order to Eliminating false positives from antivirus software is just business and nothing personal.

And the reasons for this behavior back in the 18th century were explained by the British publicist Thomas Joseph Dunning:

"Capital," says the Quarterly Review, "avoids noise and abuse and has a fearful nature." It's true, but it's not the whole truth. Capital is afraid of lack of profit or too little profit, as nature is afraid of emptiness. But once there is sufficient profit, capital becomes bold. Provide 10 percent, and capital agrees to any use, at 20 percent it becomes animated, at 50 percent it is positively ready to break its head, at 100 percent it tramples on all human laws, at 300 percent there is no crime that it would not risk, even on pain of the gallows. Proof: smuggling and slave trade.

[dmex]

Process Hacker was targeted by SolarWinds/Sunburst/Teardrop: 2032008861530788751:processhacker

Russian anti-virus company Doctor Web has today classified Process Hacker as malicious malware: Tool.ProcessHacker.2(7), Tool.ProcessHacker.3, Tool.ProcessHacker.4(2), Tool.ProcessHacker.5

Attacked by vendors (Microsoft/Sophos/Avast) on one side and attacked by malicious software on the other side... plus covid-19 and lockdowns... 2020 has been the absolute worst 😕