winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

Virus Total 20 engines detected processhacker-2.39-setup.exe #633

Closed markusd1984 closed 4 years ago

markusd1984 commented 4 years ago

https://www.virustotal.com/gui/file/28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063/detection

process hacker 2 39 virus total detected by 20 engines

Why is the windows version 2.39 executable now being triggered by 20 engines? Should we be concerned?
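Before worrying about a VirusTotal report, it is worth confirming that the file on disk is actually the one the report describes. A VirusTotal "gui/file/<hash>" link carries the SHA-256 of the scanned sample, so the check is to hash the local file and compare. The helper below is an added example for this thread, not code from the Process Hacker or System Informer projects; the sample bytes it hashes are constructed here, and the URL format it parses is the one used in the link above.

```python
import hashlib
import re
from urllib.parse import urlparse

# VirusTotal file reports are addressed as /gui/file/<sha256>[/detection|/details...]
VT_FILE_PATH = re.compile(r"^/gui/file/([0-9a-fA-F]{64})(?:/|$)")


def sha256_from_vt_url(url: str) -> str:
    """Return the lowercase SHA-256 embedded in a VirusTotal file-report URL.

    Raises ValueError for URLs that do not point at a file report by hash.
    """
    path = urlparse(url).path
    match = VT_FILE_PATH.match(path)
    if match is None:
        raise ValueError(f"not a VirusTotal file-report URL with a SHA-256: {url}")
    return match.group(1).lower()


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file, read in chunks so large installers fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_report(local_hash: str, vt_url: str) -> bool:
    """True when the local file's SHA-256 equals the hash the VT report is about.

    A mismatch means the report is for a different build (or a tampered copy),
    so its detections say nothing about the file you actually have.
    """
    return local_hash.lower() == sha256_from_vt_url(vt_url)


if __name__ == "__main__":
    # Constructed stand-in for a downloaded installer; replace with sha256_of_file(path).
    sample = b"constructed sample bytes standing in for processhacker-2.39-setup.exe"
    local = sha256_of_bytes(sample)
    report = "https://www.virustotal.com/gui/file/" + local + "/detection"
    print("local file SHA-256:", local)
    print("report is about this file:", matches_report(local, report))
```

In practice you would call `sha256_of_file` on the downloaded installer and pass the URL from the issue; if `matches_report` returns False, the detections in that report belong to some other binary and the first step is to find out why the download differs.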

Biswa96 commented 4 years ago

It's way too old. Try the nightly release from here https://processhacker.sourceforge.io/nightly.php. See README file for further details. Also there is a mega thread about this false virus detection.

markusd1984 commented 4 years ago

> It's way too old. Try the nightly release from here https://processhacker.sourceforge.io/nightly.php. See README file for further details. Also there is a mega thread about this false virus detection.

Got it February this year. I suppose one can be concerned about what they downloaded/are using and want to be on the safe side.

Is there any good track record of whether these issues have been acknowledged or rectified so they don't appear as false positives? (or just for new versions?)

Chaython commented 4 years ago

It's a PUP/Riskware, because it has such low-level access, it can be used to take over your system. There's no way to resolve this besides removing functionality. Unless you download another virus that knows to exploit Process Hacker, you're fine, downloading from the official repo. It's another vulnerability to consider. But if you're truly worried you should only run Windows in a VM under Linux and never install packages to the host OS. Even the nightly has 21 engines reporting it as bad. If you're nervous and want a similar tool, then use Sysinternals Process Explorer. Sysinternals is a subsidiary of Microsoft. https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer Of course you can also learn to code, then read through everything, and build it yourself instead of prebuilt binaries. But that would be a lot of effort :P

dmex commented 4 years ago

> because it has such low level access

There is zero difference between 'low-level' access and high-level access... They both have the exact same privilege and security checks.

> can be used to take over your system

Process Hacker is not some magical unicorn capable of bypassing the Windows API and privilege checks... It literally uses the exact same Windows API as its competitors.

> Why is the windows version 2.39 executable now being triggered by 20 engines?

"RiskWare" "RiskTool" "Hacking tool" "Potentially unwanted program" "Not-a-virus"

These definitions and dialogs shown to users are intentionally ambiguous to dupe unsuspecting customers.

> Should we be concerned?

Yes. Antivirus companies are running the asylum. They block whatever the hell they want for whatever reason they like. They use their software to block anything they disagree with and have either flat out ignored emails from the team trying to find out why or have responded with demands to make various changes - I've posted screenshots of email conversations with some of the companies a while back (the best to date was Avast asking us to implement a backdoor in our driver..).

It's getting ridiculous and I think it does a lot more damage to their own products than ours. The entire project is open-source and anyone can review the code and confirm that there is nothing malicious - yet not one of those anti-virus companies has been able to show what source code is an issue.

Chaython commented 4 years ago

Firefox now blocks it as a PUP too. Yes, it doesn't have anything more than Sysinternals Process Explorer [PE], but that is a MS subsidiary. Unlike PE, this has a kernel-mode driver [?] "KProcessHacker"; I do believe it's the main issue. An antivirus has no more permission than it, therefore to the AV it's PUP/Riskware. Users can harm their own system. "Hackers/Call center support scammers" may have used it maliciously [frequently reported]. FOSS, so there probably have been copies compiled with malicious intent. With Kaspersky's new beta there's "improved" driver security, that just causes a BSOD with WinBTRFS on shutdown. Little Registry Cleaner is also a PUP; I don't scour the source code, but I think it just doesn't like the fact that it touches the registry. Some really dumb engines probably flag things with "cleaner", "hacker", "remote desktop", "support"...

ree!

dmex commented 4 years ago

> Firefox now blocks it as a PUP too.

Firefox doesn't have a built-in scanner. Firefox is just reporting the error returned by your anti-virus blocking the download.

> Unlike PE, this has a kernel-mode driver

PE uses a kernel driver named PROCEXP152.SYS which can be seen in the System process Modules tab.

> probably has been copies compiled with malicious intent.

Microsoft claims as such "This malware is a modified version of the Process Hacker tool" https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool:Win64/ProcHack

How does an open source project stop someone from taking our source code and using it illegally? Those people violated the law and our licence, but we are blamed and targeted instead of the perpetrators? It is the definition of victim blaming and emboldens the perpetrators to continue their attacks knowing there won't be consequences for them.

If you go down this road you can blame Linux, Android and Google Chrome for almost everything illegal on the internet. Open-source Linux used to host servers and distribute illegal content and containing exploits responsible for almost every major security breach in the last decade, and open-source Android and Chrome used to upload videos from attacks or view illegal content and provide platforms for Twitter and Facebook.

Blaming an open-source project for illegal use of their source code is illogical and cannot be justified.

> With Kaspersky's new beta there's "improved" driver security, that just causes a BSOD with WinBTRFS on shutdown.

They're hooking the import address table (IAT) and the DRIVER_DISPATCH table for every kernel driver, since these objects are not protected by PatchGuard, adopting a technique used by malicious software against anti-cheat. These hooks are used to redirect execution and obfuscate handles and other system objects, which does nothing to improve security and everything to reduce performance and reliability.