FALSE ALERTS of System Informer

Israeli · May 3, 2023

PLEASE stop false alerts of System Informer and also their plugins asap.

Website: https://www.systeminformer.com

Marcos · May 3, 2023

We'll unblock the app, however, there are still many other AVs that detect it:

https://www.virustotal.com/gui/file/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287

itman · May 3, 2023

3 hours ago, Marcos said:

We'll unblock the app, however, there are still many other AVs that detect it:

https://www.virustotal.com/gui/file/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287

Eset should still detect as most of these others do; a PUA/PUP;

Quote

YARA Signature Match - THOR APT Scanner

RULE: HKTL_PUA_SystemInformer_Nov22_1
RULE_SET: Livehunt - Hacktools58 Indicators 🛠
RULE_TYPE: VALHALLA rule feed only ⚡
RULE_LINK: https://valhalla.nextron-systems.com/info/rule/HKTL_PUA_SystemInformer_Nov22_1
DESCRIPTION: Detects SystemInformer components (former Process Hacker), a legitimate tool often used by malicious actors
REFERENCE: https://systeminformer.sourceforge.io/nightly.php
RULE_AUTHOR: Florian Roth

Marcos · May 3, 2023

Quote

DESCRIPTION: Detects SystemInformer components (former Process Hacker), a legitimate tool often used by malicious actors

As far as I know, we have no evidence that System Informer was misused in attacks, e.g. to kill antivirus before malware was run by the attacker.

itman · May 3, 2023

11 minutes ago, Marcos said:

As far as I know, we have no evidence that System Informer was misused in attacks, e.g. to kill antivirus before malware was run by the attacker.

https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021

itman · May 3, 2023

Another "tidbit" in regards to Process Hacker use:

Quote

Process Hacker

Another example of such a driver is the process hacker driver. This driver exposes an IOCTL interface that looks very promising.

Process hacker can be used to open a handle to a process from kernel mode or call ZwTerminateProcess. Another cool functionality is: Process hacker has an IOCTL for reading the memory of other processes. This can be abused to read the memory of processes like lsass.exe to dump credentials. This of course, can be used to bypass protections like NtReadVirtualMemory hooks and the threat intelligence ETW…

Just take an interesting product that has a driver and try to hack with it - I’m sure you start collecting them (like me;))

https://repnz.github.io/posts/abusing-signed-drivers/

Add to this I assume Process Hacker, like Process Explorer, can load their kernel mode driver "on-the-fly" thereby bypassing Win Secure Boot protection.

Edited May 3, 2023 by itman

Marcos · May 3, 2023

The article talks about Process Hacker, System Informer is different in this regard.

itman · May 3, 2023

Based on what I read in this thread: https://github.com/winsiderss/systeminformer/issues/1668 , I still say it should be flagged as a PUA.

itman · May 3, 2023

3 hours ago, Marcos said:

The article talks about Process Hacker, System Informer is different in this regard.

Is it? Thor considers the driver's equivalent: https://valhalla.nextron-systems.com/info/sigma-rule/67add051-9ee7-4ad3-93ba-42935615ae8d

Marcos · May 3, 2023

Unlike Process Hacker, the System Informer driver was fixed to prevent exploitation. Also it's signed by Microsoft to allow loading on latest OS:

Process Hacker:

System Informer:

itman · May 3, 2023

48 minutes ago, Marcos said:

Also it's signed by Microsoft to allow loading on latest OS:

The driver is attestation signed; not WHQL certified. Should I launch into another posting on what I think of attestation signed drivers?

-EDIT- Of note is Process Explorer's driver is WHQL certified:

PE_Cert.png.358cd7a21e99b76d70aea9d258af4cff.png

Lest one has doubt's that attestation signed drivers are safe, review again this posting: https://forum.eset.com/topic/34454-new-whql-rootkits/ where a Chinese poster dropped a hoard of 20 rootkit drivers that were attestation signed.

Edited May 3, 2023 by itman

Israeli · May 4, 2023

21 hours ago, Marcos said:

We'll unblock the app, however, there are still many other AVs that detect it:

https://www.virustotal.com/gui/file/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287

Thanks a lot!!

Israeli · May 4, 2023

12 hours ago, itman said:

The driver is attestation signed; not WHQL certified. Should I launch into another posting on what I think of attestation signed drivers?

-EDIT- Of note is Process Explorer's driver is WHQL certified:

Lest one has doubt's that attestation signed drivers are safe, review again this posting: https://forum.eset.com/topic/34454-new-whql-rootkits/ where a Chinese poster dropped a hoard of 20 rootkit drivers that were attestation signed.

Point is: Professionals need badly a good Task Manager, tho too buggy from MS. Sure, there is also the alternative Process Explorer (SysInternals) but on the other side System Informer is much better and has more options etc.
We also know that almost every deeper tool might be abused, even a simple DELETE or FORMAT. But come on...

5Z4 · May 4, 2023

1 hour ago, Israeli said:

Point is: Professionals need badly a good Task Manager, tho too buggy from MS. Sure, there is also the alternative Process Explorer (SysInternals) but on the other side System Informer is much better and has more options etc.
We also know that almost every deeper tool might be abused, even a simple DELETE or FORMAT. But come on...

This.

I too am in favor of completely unblocking the app, but also have a proposal, if I may, in case the app has to be flagged suspicious/dangerous: how about categorizing it as "potentially unsafe", for which, if I'm not mistaken, both the detection and reporting are by default disabled, at least in NOD32?

Edited May 4, 2023 by 5Z4

Marcos · May 4, 2023

41 minutes ago, 5Z4 said:

how about categorizing it as "potentially unsafe", for which, if I'm not mistaken, both the detection and reporting are by default disabled, at least in NOD32?

Process Hacker is indeed detected as a potentially unsafe application. System Informer cannot be misused in attacks, at least we have no information about a vulnerability that would allow it.

Israeli · May 4, 2023

23 minutes ago, Marcos said:

Process Hacker is indeed detected as a potentially unsafe application. System Informer cannot be misused in attacks, at least we have no information about a vulnerability that would allow it.

And because of that is ESET still the best and avoid per default false alerts & weird theories. 😎
Thanks a lot again!!

itman · May 4, 2023

2 hours ago, Marcos said:

System Informer cannot be misused in attacks, at least we have no information about a vulnerability that would allow it.

Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it.

I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.

Israeli · May 4, 2023

1 hour ago, itman said:

Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it.

I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.

Luckily I never ever use McAfee, not as AV and also not 'em as person. 🤣

SeriousHoax · May 4, 2023

1 hour ago, itman said:

Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it.

I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.

Looks like it got 100% only because of detection from other vendors. Everything else is Suspicious Indicators only. So the score would have been much lower without these AV detections.

I'm also a fan of System Informer. It has some nice features not present in others. I would just use Process Explorer if MS had made it equivalent to it. Both have some unique features, so I use both.

5Z4 · May 4, 2023

1 hour ago, itman said:

Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it.

I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.

I think it's called CrowdStrike Falcon. Worth checking out its false positive statistics, e.g. in AV-Comparatives' tests.

Israeli · May 4, 2023

9 minutes ago, 5Z4 said:

I think it's called CrowdStrike Falcon. Worth checking out its false positive statistics, e.g. in AV-Comparatives' tests.

Some people still believe Earth is flat if just often enough mark & write it... 😄

Edited May 4, 2023 by Israeli

5Z4 · May 4, 2023

9 minutes ago, SeriousHoax said:

Everything else is Suspicious Indicators only.

Yeah, those "may be used", "possibly checks" etc. in assessment obviusly give a realistic end result of "100% malicious". I mean, a fork also "may be used" to attack, instead of, for example, lifting food, but let's not ban its use just yet, right?

Israeli · May 4, 2023

1 minute ago, 5Z4 said:

Yeah, those "may be used", "possibly checks" etc. in assessment obviusly give a realistic end result of "100% malicious". I mean, a fork also "may be used" to attack, instead of, for example, lifting food, but let's not ban its use just yet, right?

... and MS of course wants his own AV and Task Manager become as bible.

5Z4 · May 4, 2023

Just now, Israeli said:

... and MS of course wants his own AV and Task Manager become as bible

...along with their other cr*p. Just look at the "progress" of the ability to set default apps in Windows.

Dude, I think we should stop, before we get banned on our first day on the forum.😁

Israeli · May 4, 2023

12 minutes ago, 5Z4 said:

...along with their other cr*p. Just look at the "progress" of the ability to set default apps in Windows.

Dude, I think we should stop, before we get banned on our first day on the forum.😁

Btw... Also this week and updated HWiNFO kicked the Task Manager parts, since then for example CPU usage displays correct again. 😎

But also true, enough about this problem here. Enjoy my friend!

Edited May 4, 2023 by Israeli

Sign In

FALSE ALERTS of System Informer

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics