
FALSE ALERTS of System Informer


Solved by Marcos


PLEASE stop the false alerts on System Informer and its plugins asap.

Website: https://www.systeminformer.com


3 hours ago, Marcos said:

We'll unblock the app, however, there are still many other AVs that detect it:

https://www.virustotal.com/gui/file/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287

ESET should still detect it, as most of these others do, as a PUA/PUP:

Quote

YARA Signature Match - THOR APT Scanner

RULE: HKTL_PUA_SystemInformer_Nov22_1
RULE_SET: Livehunt - Hacktools58 Indicators 🛠
RULE_TYPE: VALHALLA rule feed only
RULE_LINK: https://valhalla.nextron-systems.com/info/rule/HKTL_PUA_SystemInformer_Nov22_1
DESCRIPTION: Detects SystemInformer components (former Process Hacker), a legitimate tool often used by malicious actors
REFERENCE: https://systeminformer.sourceforge.io/nightly.php
RULE_AUTHOR: Florian Roth



  • Administrators
Quote

DESCRIPTION: Detects SystemInformer components (former Process Hacker), a legitimate tool often used by malicious actors

As far as I know, we have no evidence that System Informer was misused in attacks, e.g. to kill antivirus before malware was run by the attacker.


11 minutes ago, Marcos said:

As far as I know, we have no evidence that System Informer was misused in attacks, e.g. to kill antivirus before malware was run by the attacker.

https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021


Another "tidbit" in regard to Process Hacker use:

Quote

Process Hacker

Another example of such a driver is the process hacker driver. This driver exposes an IOCTL interface that looks very promising.

Process Hacker can be used to open a handle to a process from kernel mode or call ZwTerminateProcess. Another cool functionality is: Process Hacker has an IOCTL for reading the memory of other processes. This can be abused to read the memory of processes like lsass.exe to dump credentials. This, of course, can be used to bypass protections like NtReadVirtualMemory hooks and the threat intelligence ETW…

Just take an interesting product that has a driver and try to hack with it - I’m sure you start collecting them (like me;))

https://repnz.github.io/posts/abusing-signed-drivers/

Add to this that I assume Process Hacker, like Process Explorer, can load its kernel mode driver "on-the-fly", thereby bypassing Win Secure Boot protection.

Edited by itman

  • Administrators

The article talks about Process Hacker; System Informer is different in this regard.


  • Administrators

Unlike Process Hacker, the System Informer driver was fixed to prevent exploitation. Also, it's signed by Microsoft to allow loading on the latest OS:

Process Hacker: [screenshot]

System Informer: [screenshot]


48 minutes ago, Marcos said:

Also it's signed by Microsoft to allow loading on latest OS:

The driver is attestation signed; not WHQL certified. Should I launch into another posting on what I think of attestation signed drivers?

-EDIT- Of note, Process Explorer's driver is WHQL certified:

[image: PE_Cert.png]

Lest one has doubts that attestation signed drivers are safe, review again this posting: https://forum.eset.com/topic/34454-new-whql-rootkits/ where a Chinese poster dropped a hoard of 20 rootkit drivers that were attestation signed.

Edited by itman
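A practical way to check the point raised in this post and in Marcos's earlier one (attestation signed vs. WHQL certified) is to look at the Extended Key Usage OIDs on the driver's signing certificate. This is an added example, not code from the thread or from any of the projects discussed; it assumes the documented Microsoft EKU OIDs for WHQL (1.3.6.1.4.1.311.10.3.5) and attested (1.3.6.1.4.1.311.10.3.5.1) signing, and the driver path is a placeholder.

```powershell
# Added example: classify a driver's signature as WHQL, attestation-signed or other
# by inspecting the EKU OIDs on the signer certificate. Not part of the thread.
# Assumed OIDs (from Microsoft's driver-signing documentation):
#   1.3.6.1.4.1.311.10.3.5   = Windows Hardware Driver Verification (WHQL)
#   1.3.6.1.4.1.311.10.3.5.1 = Windows Hardware Driver Attested Verification
param(
    [string]$DriverPath = "C:\path\to\driver.sys"   # placeholder, replace with the .sys to inspect
)

function Get-DriverSigningKind {
    param([Parameter(Mandatory)][string]$Path)

    # Only the primary Authenticode signature is returned; dual-signed files
    # would need a separate check of the secondary signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; Kind = 'Unsigned/Invalid'; Signer = $null; Ekus = @()
        }
    }

    # Collect every EKU OID present on the signing certificate.
    $ekus = @()
    foreach ($ext in $sig.SignerCertificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # The attested OID is a distinct string, so exact matching keeps the two apart.
    $kind = 'Other'
    if ($ekus -contains '1.3.6.1.4.1.311.10.3.5.1') { $kind = 'Attestation-signed' }
    elseif ($ekus -contains '1.3.6.1.4.1.311.10.3.5') { $kind = 'WHQL' }

    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Kind   = $kind
        Signer = $sig.SignerCertificate.Subject
        Ekus   = $ekus
    }
}

Get-DriverSigningKind -Path $DriverPath | Format-List
```

WHQL signatures are often carried in a .cat catalog rather than embedded in the .sys, so a Status of NotSigned on the binary is not conclusive; run the same function against the driver package's .cat file in that case.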

12 hours ago, itman said:

The driver is attestation signed; not WHQL certified. Should I launch into another posting on what I think of attestation signed drivers?

-EDIT- Of note, Process Explorer's driver is WHQL certified:

[image: PE_Cert.png]

Lest one has doubts that attestation signed drivers are safe, review again this posting: https://forum.eset.com/topic/34454-new-whql-rootkits/ where a Chinese poster dropped a hoard of 20 rootkit drivers that were attestation signed.

Point is: professionals badly need a good Task Manager, though the one from MS is too buggy. Sure, there is also the alternative Process Explorer (SysInternals), but on the other side System Informer is much better and has more options etc.
We also know that almost every deeper tool might be abused, even a simple DELETE or FORMAT. But come on...


1 hour ago, Israeli said:

Point is: professionals badly need a good Task Manager, though the one from MS is too buggy. Sure, there is also the alternative Process Explorer (SysInternals), but on the other side System Informer is much better and has more options etc.
We also know that almost every deeper tool might be abused, even a simple DELETE or FORMAT. But come on...

This.

I too am in favor of completely unblocking the app, but also have a proposal, if I may, in case the app has to be flagged suspicious/dangerous: how about categorizing it as "potentially unsafe", for which, if I'm not mistaken, both the detection and reporting are by default disabled, at least in NOD32?

Edited by 5Z4

  • Administrators
41 minutes ago, 5Z4 said:

how about categorizing it as "potentially unsafe", for which, if I'm not mistaken, both the detection and reporting are by default disabled, at least in NOD32?

Process Hacker is indeed detected as a potentially unsafe application. System Informer cannot be misused in attacks, at least we have no information about a vulnerability that would allow it.


23 minutes ago, Marcos said:

Process Hacker is indeed detected as a potentially unsafe application. System Informer cannot be misused in attacks, at least we have no information about a vulnerability that would allow it.

And because of that, ESET is still the best and avoids false alerts & weird theories by default. 😎
Thanks a lot again!!


2 hours ago, Marcos said:

System Informer cannot be misused in attacks, at least we have no information about a vulnerability that would allow it.

Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it.

I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.


1 hour ago, itman said:

Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it.

I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.

Luckily I never ever use McAfee, not as AV and also not 'em as person. 🤣


1 hour ago, itman said:

Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it.

I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.

Looks like it got 100% only because of detections from other vendors. Everything else is Suspicious Indicators only. So the score would have been much lower without these AV detections.

I'm also a fan of System Informer. It has some nice features not present in others. I would just use Process Explorer if MS had made it equivalent to it. Both have some unique features, so I use both.


1 hour ago, itman said:

Hybrid-Analysis rates it 100% malicious: https://www.hybrid-analysis.com/sample/8ee9d84de50803545937a63c686822388a3338497cddb660d5d69cf68b68f287/6453b71c9465b3b8990c7e20 . That's good enough for me to never use it.

I will also add CloudStrike Falcon was the only AV that initially detected those 20 attestation signed rootkit drivers I posted about previously.

I think it's called CrowdStrike Falcon. Worth checking out its false positive statistics, e.g. in AV-Comparatives' tests.


9 minutes ago, 5Z4 said:

I think it's called CrowdStrike Falcon. Worth checking out its false positive statistics, e.g. in AV-Comparatives' tests.

Some people still believe the Earth is flat if it is just marked & written often enough... 😄

Edited by Israeli

9 minutes ago, SeriousHoax said:

Everything else is Suspicious Indicators only.

Yeah, those "may be used", "possibly checks" etc. in the assessment obviously give a realistic end result of "100% malicious". I mean, a fork also "may be used" to attack, instead of, for example, lifting food, but let's not ban its use just yet, right?


1 minute ago, 5Z4 said:

Yeah, those "may be used", "possibly checks" etc. in the assessment obviously give a realistic end result of "100% malicious". I mean, a fork also "may be used" to attack, instead of, for example, lifting food, but let's not ban its use just yet, right?

... and MS of course wants its own AV and Task Manager to become the bible.


Just now, Israeli said:

... and MS of course wants its own AV and Task Manager to become the bible

...along with their other cr*p. Just look at the "progress" of the ability to set default apps in Windows.

Dude, I think we should stop, before we get banned on our first day on the forum.😁


12 minutes ago, 5Z4 said:

...along with their other cr*p. Just look at the "progress" of the ability to set default apps in Windows.

Dude, I think we should stop, before we get banned on our first day on the forum.😁

Btw... Also this week an updated HWiNFO kicked out the Task Manager parts; since then, for example, CPU usage displays correctly again. 😎

But also true, enough about this problem here. Enjoy my friend!

Edited by Israeli
This topic is now closed to further replies.