Solved

It seems I am getting FALSE positive for HITMAN PRO 3.7 as a rootkit.

  • 6 December 2013
  • 38 replies
  • 194 views

Scan Started: Fri 2013-12-06 00:43:08
[r] System\CurrentControlSet\Services\hitmanpro37
[u] c:\program files (x86)\stardock\start8\start8_64.dll [MD5: 41A8BD7904C00AC9FE86A38C36982F80] [Flags: 00011001.7040]
[u] c:\windows\temp\crf000\audiosetup.exe [MD5: 28E857302E01FFBEDD53E67B8A6848EE] [Flags: 00001

Best answer by RetiredTripleHelix 7 December 2013, 22:14


Userlevel 7
That is rather interesting, but not entirely unexpected either.  The way HITMAN works may very well display behaviors similar to malware.
 
I would suggest you submit a Trouble Ticket, which is the suggested method of reporting for potential False Positives.
Userlevel 7
Badge +13
I usually run Hitman Pro a few times a week and haven't received that detection yet. I am assuming you downloaded your Hitman Pro from www.surfright.nl rather than from another site. Definitely sounds like a false positive if that's the case. Webroot has always been great about responding to tickets quickly, especially false positives. I have found that every time I have submitted an FP, it was fixed within a few hours at the latest. Please keep us informed as things go along.
Ticket Created yesterday.
 
Yes I downloaded from Surfright, however this is what happened.
I downloaded the Hitman Pro Alert 2.5 beta with CryptoGuard (link to it).
I already have Hitman Pro Alert 2.0 installed, so I updated the 2.0 to 2.5 and it prompted me to reboot the PC, but I told it to wait. So I did not reboot the PC (I had been working on stuff).
Then after an hour or so I did the manual Webroot scan (I do that before I hit the sack) and that's when it found the rootkit.
 
So I assume the rootkit ID false positive is based on the fact that Webroot is detecting the path to the file and the version but it sees that the file is not "visible" or "running".  So it assumes the file is hidden and unseen by the OS...so it thinks it's a rootkit.
 
I don't know, it's a wild guess.
 
I have created a ticket and will check on the detectability once I get home this evening.
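The guess above (a registry key pointing at a component that is not currently visible or running, for example after an update that is waiting for a reboot) is something a user can check for themselves before or alongside filing a ticket. The following is an added triage script; it is not from this thread, from Webroot or from SurfRight. It takes a service name as printed in a `[r] System\CurrentControlSet\Services\<name>` scan-log line (the default is the name from the OP's log) and reports whether the key, the binary it points to and a running service or driver actually exist, and computes the file's MD5 so it can be compared with the `[MD5: ...]` value the scan log prints. The `Resolve-ImagePath` and `Get-ServiceKeyTriage` function names are the example's own.

```powershell
# Added triage example, not from the thread or from Webroot/SurfRight.
# Given a service name from a "[r] ...\Services\<name>" scan-log line, report whether the
# registry key, its binary on disk, and a running service/driver actually exist, so an
# orphaned or pending-reboot key can be told apart from a genuinely hidden component.
param([string]$ServiceName = 'hitmanpro37')   # name taken from the scan log in this thread

function Resolve-ImagePath {
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = $Raw.Trim()
    # Strip NT object-manager prefixes that driver ImagePath values often carry.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    # Drop surrounding quotes and any command-line arguments after the executable.
    if ($p.StartsWith('"')) { $p = ($p -split '"')[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    # Driver entries are often relative ("system32\drivers\foo.sys") or a bare file name.
    if ($p -notmatch '^[A-Za-z]:\\') {
        $p = if ($p -match '\\') { Join-Path $env:SystemRoot $p }
             else { Join-Path "$env:SystemRoot\System32\drivers" $p }
    }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-ServiceKeyTriage {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $result = [ordered]@{ Service = $Name; KeyExists = (Test-Path $key) }
    if (-not $result.KeyExists) { return [pscustomobject]$result }

    $props = Get-ItemProperty -Path $key
    $result.StartType   = $props.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    $result.ImagePath   = $props.ImagePath
    $file               = Resolve-ImagePath $props.ImagePath
    $result.ResolvedPath = $file
    $result.FileExists  = [bool]($file -and (Test-Path -LiteralPath $file))
    # MD5 is what the scan log prints, so the value can be compared with the [MD5: ...] field.
    $result.MD5 = if ($result.FileExists) { (Get-FileHash -LiteralPath $file -Algorithm MD5).Hash } else { $null }

    # User-mode services appear in Get-Service; kernel drivers only in Win32_SystemDriver.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $result.Status = [string]$svc.Status }
    else {
        $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$Name'" -ErrorAction SilentlyContinue
        $result.Status = if ($drv) { $drv.State } else { 'not registered with SCM' }
    }

    # Key present but no file and nothing running is the orphaned/pending-reboot pattern,
    # which is worth a false-positive ticket rather than a rootkit cleanup.
    $result.Assessment = if (-not $result.FileExists) { 'orphaned key: file missing' }
                         elseif ($result.Status -notin 'Running', 'Started') { 'binary present, not running' }
                         else { 'binary present and running' }
    return [pscustomobject]$result
}

Get-ServiceKeyTriage -Name $ServiceName | Format-List
```

Run it from an elevated PowerShell prompt (reading some service keys and hashing files under Program Files needs administrator rights); the `Assessment` field, together with whether the computed MD5 matches the one in the scan log, is what to paste into the support ticket alongside the log lines.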
Userlevel 7
Hi tempnexus
 
Intrigued by your issue (and by the CryptoLocker malware) I have tried to reproduce what you have highlighted.  The only difference is that I did not have HitmanPro Alert 2.0 installed already when I installed v2.5 beta, and as such I did not get a prompt to reboot after installation (in fact installation was very, very snappy).
 
Ran a full scan just after installation and...nothing...so I can only assume that either the issue was specific to your system or (more likely) the Support Ticket has resulted in the review & whitelisting of HitmanPro Alert v2.5 beta components.
 
Looks like an interesting piece of functionality so I am going to keep it installed and see how it plays with WSA & KIS.
 
Please post back with your experiences as it will be useful for other Forum users...including me! ;)
 
Cheers
 
 
Baldrick
 
 
Userlevel 7
I am also getting a false positive but not for Hitman Pro, for Norton Internet Security. Webroot is giving me the same results as you marking the registry entries as rootkits and I've sent a support ticket. I'm sure they can get it sorted out for both of us :D
 
 
Shran
Userlevel 7
Badge +56
Do you both have Heuristics above Standard? That could be why, as I have HMP x64 and it's not being detected, and I have mine on Max.
 
Daniel
 

Userlevel 7
Hi Daniel,

Yes, I have my heuristics (had, past tense; I'm now back onto a system image that was made before I put Webroot on). I can't speak regarding Hitman Pro as I don't use it though.

Shran
Userlevel 7
Badge +56
@CommanderShran wrote:
Hi Daniel,

Yes, I have my heuristics (had, past tense; I'm now back onto a system image that was made before I put Webroot on). I can't speak regarding Hitman Pro as I don't use it though.

Shran
When you go back to the other image can you put heuristics back to standard and run a scan to see if it still detects?
 
But in any case contact support and they will whitelist the files or in the case of the OP the Registry Entry.
 
Thanks,
 
Daniel 😉
Userlevel 7
Okay, I'll go ahead and restore my system to the image with Norton and Webroot and tell you what happens. That will take about 20 to 30 minutes, so I'll log into the forums on my tablet while that's running.

Talk again soon!

Shran
Userlevel 7
Hi Daniel
 
If it is of any help, my heuristics are set to "Enhanced..." and I am not experiencing an issue with the software. I will try changing the setting to 'Maximum' and see what that gives.
 
Regards
 
 
Baldrick
 
UPDATE:  Nothing detected with heuristics set to 'Maximum'. 😠
Userlevel 7
Badge +56
Hi Solly,
 
Same here, no detection, and for the OP it's a Registry Key being detected, which could have been whitelisted on its own in the Cloud.
 
Daniel
Userlevel 7
Hi Daniel,
After restoring to the image with Webroot on it and scanning with max heuristics again it detects the registry keys, but when I lower the heuristics to enhanced based on age, origin, etc. it doesn't detect the registry keys anymore so I gave kudos to both of your posts about the heuristics. Still though I would like to be able to have the higher heuristics enabled.

Thanks for the help :D

Shran
Userlevel 7
Badge +56
@CommanderShran wrote:
Hi Daniel,
After restoring to the image with Webroot on it and scanning with max heuristics again it detects the registry keys, but when I lower the heuristics to enhanced based on age, origin, etc. it doesn't detect the registry keys anymore so I gave kudos to both of your posts about the heuristics. Still though I would like to be able to have the higher heuristics enabled.

Thanks for the help :D

Shran
Thanks, just contact support with the lines in the scan log that show the detections and they will correct it for you!
 
Cheers,
 
Daniel 😉
Userlevel 7
Already sent a ticket in!

Shran
Userlevel 7
Hi Shran
 
I understand what you mean re. "...would like to be able to have the higher heuristics enabled".  Those were my thoughts when I first started using WSA but as far as I understand it one is perfectly safe/protected with the setting at 'Standard'.  Pushing it to 'Enhanced' or even 'Maximum' is what I would recommend only if there is a suspicion of infection...for the very reason that these higher settings are more likely to give what is generally termed False Positive...but what I call, in WSA's case, Overly Sensitive...;)
 
Regards
 
 
Solly
Userlevel 7
Badge +56
@ wrote:
Pushing it to 'Enhanced' or even 'Maximum' is what I would recommend only if there is a suspicion of infection...for the very reason that these higher settings are more likely to give what is generally termed False Positive...but what I call, in WSA's case, Overly Sensitive...;) 
Regards
 
 
Solly
Correct buddy right on the nose!

And I always run at Max and never seen a (FP) Overly Sensitive because of it!
 
Daniel
Userlevel 7
Hi Baldrick and Daniel,

Thank you both for your responses. I always like to have all my settings on the most aggressive levels. Also I read from someone else on these forums who said it's best to have them set to highest, so now I'm not sure :@

A glass of Romulan ale for all of us! (I can't post a picture of it though)!

Shran
 
I did it for you Cheers Daniel!

Userlevel 7
Hi Shran
 
Completely understand your confusion at the conflicting advice.  The default setting is, I believe, "Standard" (Daniel, please correct me if I am incorrect here) and I trust Webroot to know what the normal settings should be.  But there is nothing wrong with maxing out the functionality...other than the risk of 'Overly Sensitives'...as previously stated.  If you can live with that then no problem. ;)
 
Regards
 
 
Solly
Userlevel 7
Hi Baldrick,

I went into the advanced settings > heuristics and clicked "reset to defaults" and it set it to "Enhanced based on age, origin, etc.". No over sensitive detections with that :D

Shran
Userlevel 7
Awesome thanks Daniel!!

I raise my glass to you all! :D

Shran
Userlevel 7
Badge +56
Yes Virtual Pints for everyone of age that is!
 
Daniel 😃
Userlevel 7
Badge +56
@ wrote:
Hi Shran
 
Completely understand your confusion at the conflicting advice.  The default setting is, I believe, "Standard" (Daniel, please correct me if I am incorrect here) and I trust Webroot to know what the normal settings should be.  But there is nothing wrong with maxing out the functionality...other than the risk of 'Overly Sensitives'...as previously stated.  If you can live with that then no problem. ;)
 
Regards
 
 
Solly
In some cases yes, but I assume the install scan sets it to Standard; however, the Online Help file shows it the way Shran's "reset to defaults" set it: http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C13_Settings/CH13d_AdjustingHeuristics.htm
 
Daniel 😠
Userlevel 7
Yes have to be old enough lol! What is the legal drinking age where you live if you don't mind my asking?
:D

Shran
Userlevel 7
Hi Shran
 
Thanks for the feedback.  I stand corrected on the default setting...good to have that confirmed (as I do not want to change my configuration at present). ;)
 
Anyway, glad the issue is sorted for you. :D 
 
Now, down to the important stuff...as all this Foruming is thirsty stuff...Daniel, where do you get the ale from...is that your personal stash? ;)
 
Regards...to you both!
 
 
 
Solly
Userlevel 7
You're welcome Baldrick, and thanks to you and Daniel both!

No, the Andorian Ale is my personal stash; the Captain of an Andorian Imperial Guard ship always keeps a stash hidden away for celebrations like these! (But I had to send some of my stash to Daniel so that he could post it! 😉 )

Cheers! :D
Shran
