
False positive for Process Hacker 3.0


https://wj32.org/processhacker/forums/viewforum.php?f=5 

A legitimate program that has been used by different people for many years to accurately remove processes and rootkits and to track processes and their actions in the system. Absolutely safe. ESET Endpoint Security 7.0.2053.0 deletes the file kprocesshacker.sys and removes it from the program folder in Program Files.


  • Administrators

The detection is correct. Process Hacker is not detected as malware but as a potentially unsafe application. This detection covers legitimate tools that can be misused in the wrong hands for malicious purposes. It is disabled by default and users enable it at their discretion. Tools like this have been seen to be misused by hackers for killing security solutions after breaching into networks which enabled them to run ransomware and subsequently extort money from the victim.

If you want to use the tool while keeping detection of pot. unsafe application enabled, exclude it from detection.


37 minutes ago, Marcos said:

The detection is correct. Process Hacker is not detected as malware but as a potentially unsafe application. This detection covers legitimate tools that can be misused in the wrong hands for malicious purposes. It is disabled by default and users enable it at their discretion. Tools like this have been seen to be misused by hackers for killing security solutions after breaching into networks which enabled them to run ransomware and subsequently extort money from the victim.

If you want to use the tool while keeping detection of pot. unsafe application enabled, exclude it from detection.

In that case, you need to make the module as it is implemented in Comodo. The program writes that it considers this application potentially dangerous. And this application has helped me many times and has never harmed the system. The problem is that if you have a detection, then there is no choice. The file is immediately quarantined. It would be useful to isolate the file and write Win32/ProcessHacker.A, then give the user a choice like in the screenshot in the attachment. But only for potentially unwanted or dangerous programs. This does not apply to viruses. A virus must be deleted. I do not have time to unzip and install the program. You immediately delete it. I return it from quarantine, but again I do not have time to add it to the exceptions. It is simply necessary to turn off the antivirus.

[Attachment: index.png]

Edited by Descloix

  • ESET Staff

Showing the interactive window to the end-user is not a very good idea, because users often click "allow" and then get "infected". The decision should be in the hands of the administrator (e.g. through the ERA console), who should add exclusions for the potentially harmful tools he wants to use. Additionally, when users clicked "allow" without adding an exclusion, the tool was detected again and again (by the on-demand or on-access scanners). More information here:

https://forum.eset.com/topic/14743-request-for-feedback-on-a-plan-to-change-handling-of-potentially-unwanted-unsafe-applications/


2 minutes ago, J.D. said:

Showing the interactive window to the end-user is not a very good idea, because users often click "allow" and then get "infected". The decision should be in the hands of the administrator (e.g. through the ERA console), who should add exclusions for the potentially harmful tools he wants to use. Additionally, when users clicked "allow" without adding an exclusion, the tool was detected again and again (by the on-demand or on-access scanners). More information here:

https://forum.eset.com/topic/14743-request-for-feedback-on-a-plan-to-change-handling-of-potentially-unwanted-unsafe-applications/


It's just incredible. My 11-year-old sister knows that ask.com is rare muck. One must be an idiot to allow this toolbar to be installed.

By the way, VirusTotal...

[Attachment: 2018-05-24_9-04-23.jpg]


  • Administrators

It's the PH driver which needs to be excluded. That doesn't matter if you create an exclusion by detection name, which we prefer to excluding a particular file completely.
