Israeli, posted May 3, 2023:

PLEASE stop false alerts of System Informer and also their plugins asap. Website: https://www.systeminformer.com
Marcos (Administrators), posted May 3, 2023 (marked as solution):

We'll unblock the app, however, there are still many other AVs that detect it: https://www.virustotal.com/gui/file/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287
itman, posted May 3, 2023:

> 3 hours ago, Marcos said: We'll unblock the app, however, there are still many other AVs that detect it: https://www.virustotal.com/gui/file/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287

Eset should still detect it, as most of these others do, as a PUA/PUP:

> YARA Signature Match - THOR APT Scanner
> RULE: HKTL_PUA_SystemInformer_Nov22_1
> RULE_SET: Livehunt - Hacktools58 Indicators 🛠
> RULE_TYPE: VALHALLA rule feed only ⚡
> RULE_LINK: https://valhalla.nextron-systems.com/info/rule/HKTL_PUA_SystemInformer_Nov22_1
> DESCRIPTION: Detects SystemInformer components (former Process Hacker), a legitimate tool often used by malicious actors
> REFERENCE: https://systeminformer.sourceforge.io/nightly.php
> RULE_AUTHOR: Florian Roth
Marcos (Administrators), posted May 3, 2023:

> DESCRIPTION: Detects SystemInformer components (former Process Hacker), a legitimate tool often used by malicious actors

As far as I know, we have no evidence that System Informer was misused in attacks, e.g. to kill antivirus before malware was run by the attacker.
itman, posted May 3, 2023:

> 11 minutes ago, Marcos said: As far as I know, we have no evidence that System Informer was misused in attacks, e.g. to kill antivirus before malware was run by the attacker.

https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021
itman, posted May 3, 2023 (edited):

Another "tidbit" in regards to Process Hacker use:

> Process Hacker
> Another example of such a driver is the process hacker driver. This driver exposes an IOCTL interface that looks very promising. Process hacker can be used to open a handle to a process from kernel mode or call ZwTerminateProcess. Another cool functionality is: Process hacker has an IOCTL for reading the memory of other processes. This can be abused to read the memory of processes like lsass.exe to dump credentials. This of course, can be used to bypass protections like NtReadVirtualMemory hooks and the threat intelligence ETW… Just take an interesting product that has a driver and try to hack with it - I'm sure you start collecting them (like me;))

https://repnz.github.io/posts/abusing-signed-drivers/

Add to this, I assume Process Hacker, like Process Explorer, can load its kernel mode driver "on-the-fly", thereby bypassing Win Secure Boot protection.

Edited May 3, 2023 by itman
Marcos (Administrators), posted May 3, 2023:

The article talks about Process Hacker; System Informer is different in this regard.
itman, posted May 3, 2023:

Based on what I read in this thread: https://github.com/winsiderss/systeminformer/issues/1668 , I still say it should be flagged as a PUA.
itman, posted May 3, 2023:

> 3 hours ago, Marcos said: The article talks about Process Hacker, System Informer is different in this regard.

Is it? Thor considers the drivers equivalent: https://valhalla.nextron-systems.com/info/sigma-rule/67add051-9ee7-4ad3-93ba-42935615ae8d
Marcos (Administrators), posted May 3, 2023:

Unlike Process Hacker, the System Informer driver was fixed to prevent exploitation. Also it's signed by Microsoft to allow loading on the latest OS:

Process Hacker: (signature screenshot)
System Informer: (signature screenshot)
itman, posted May 3, 2023 (edited):

> 48 minutes ago, Marcos said: Also it's signed by Microsoft to allow loading on latest OS:

The driver is attestation signed, not WHQL certified. Should I launch into another posting on what I think of attestation signed drivers?

-EDIT- Of note is that Process Explorer's driver is WHQL certified: (signature screenshot)

Lest one has doubts that attestation signed drivers are safe, review again this posting: https://forum.eset.com/topic/34454-new-whql-rootkits/ where a Chinese poster dropped a hoard of 20 rootkit drivers that were attestation signed.

Edited May 3, 2023 by itman
Israeli (thread author), posted May 4, 2023:

> 21 hours ago, Marcos said: We'll unblock the app, however, there are still many other AVs that detect it: https://www.virustotal.com/gui/file/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287

Thanks a lot!!
Israeli (thread author), posted May 4, 2023:

> 12 hours ago, itman said: The driver is attestation signed, not WHQL certified. Should I launch into another posting on what I think of attestation signed drivers? -EDIT- Of note is that Process Explorer's driver is WHQL certified. Lest one has doubts that attestation signed drivers are safe, review again this posting: https://forum.eset.com/topic/34454-new-whql-rootkits/ where a Chinese poster dropped a hoard of 20 rootkit drivers that were attestation signed.

Point is: professionals badly need a good Task Manager, as the one from MS is too buggy. Sure, there is also the alternative Process Explorer (SysInternals), but on the other side System Informer is much better and has more options etc. We also know that almost every deeper tool might be abused, even a simple DELETE or FORMAT. But come on...
5Z4, posted May 4, 2023 (edited):

> 1 hour ago, Israeli said: Point is: professionals badly need a good Task Manager, as the one from MS is too buggy. Sure, there is also the alternative Process Explorer (SysInternals), but on the other side System Informer is much better and has more options etc. We also know that almost every deeper tool might be abused, even a simple DELETE or FORMAT. But come on...

This. I too am in favor of completely unblocking the app, but also have a proposal, if I may, in case the app has to be flagged suspicious/dangerous: how about categorizing it as "potentially unsafe", for which, if I'm not mistaken, both the detection and reporting are by default disabled, at least in NOD32?

Edited May 4, 2023 by 5Z4
Marcos (Administrators), posted May 4, 2023:

> 41 minutes ago, 5Z4 said: how about categorizing it as "potentially unsafe", for which, if I'm not mistaken, both the detection and reporting are by default disabled, at least in NOD32?

Process Hacker is indeed detected as a potentially unsafe application. System Informer cannot be misused in attacks, at least we have no information about a vulnerability that would allow it.
Israeli (thread author), posted May 4, 2023:

> 23 minutes ago, Marcos said: Process Hacker is indeed detected as a potentially unsafe application. System Informer cannot be misused in attacks, at least we have no information about a vulnerability that would allow it.

And because of that, ESET is still the best and by default avoids false alerts & weird theories. 😎 Thanks a lot again!!
itman, posted May 4, 2023:

> 2 hours ago, Marcos said: System Informer cannot be misused in attacks, at least we have no information about a vulnerability that would allow it.

Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it.

I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.
Israeli (thread author), posted May 4, 2023:

> 1 hour ago, itman said: Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it. I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.

Luckily I never ever use McAfee, not as AV and also not 'em as person. 🤣
SeriousHoax, posted May 4, 2023:

> 1 hour ago, itman said: Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it. I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.

Looks like it got 100% only because of detection from other vendors. Everything else is Suspicious Indicators only. So the score would have been much lower without these AV detections.

I'm also a fan of System Informer. It has some nice features not present in others. I would just use Process Explorer if MS had made it equivalent to it. Both have some unique features, so I use both.
5Z4, posted May 4, 2023:

> 1 hour ago, itman said: Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it. I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.

I think it's called CrowdStrike Falcon. Worth checking out its false positive statistics, e.g. in AV-Comparatives' tests.
Israeli (thread author), posted May 4, 2023 (edited):

> 9 minutes ago, 5Z4 said: I think it's called CrowdStrike Falcon. Worth checking out its false positive statistics, e.g. in AV-Comparatives' tests.

Some people still believe the Earth is flat if it's just marked & written often enough... 😄

Edited May 4, 2023 by Israeli
5Z4, posted May 4, 2023:

> 9 minutes ago, SeriousHoax said: Everything else is Suspicious Indicators only.

Yeah, those "may be used", "possibly checks" etc. in the assessment obviously give a realistic end result of "100% malicious". I mean, a fork also "may be used" to attack, instead of, for example, lifting food, but let's not ban its use just yet, right?
Israeli (thread author), posted May 4, 2023:

> 1 minute ago, 5Z4 said: Yeah, those "may be used", "possibly checks" etc. in the assessment obviously give a realistic end result of "100% malicious". I mean, a fork also "may be used" to attack, instead of, for example, lifting food, but let's not ban its use just yet, right?

... and MS of course wants its own AV and Task Manager to become the bible.
5Z4, posted May 4, 2023:

> Just now, Israeli said: ... and MS of course wants its own AV and Task Manager to become the bible

...along with their other cr*p. Just look at the "progress" of the ability to set default apps in Windows. Dude, I think we should stop, before we get banned on our first day on the forum. 😁
Israeli (thread author), posted May 4, 2023 (edited):

> 12 minutes ago, 5Z4 said: ...along with their other cr*p. Just look at the "progress" of the ability to set default apps in Windows. Dude, I think we should stop, before we get banned on our first day on the forum. 😁

Btw... Also this week an updated HWiNFO kicked the Task Manager parts; since then, for example, CPU usage displays correctly again. 😎 But also true, enough about this problem here. Enjoy my friend!

Edited May 4, 2023 by Israeli