Solved

It seems I am getting FALSE positive for HITMAN PRO 3.7 as a rootkit.

  • 6 December 2013
  • 38 replies
  • 233 views

Scan Started: Fri 2013-12-06 00:43:08
[r] System\CurrentControlSet\Services\hitmanpro37
[u] c:\program files (x86)\stardock\start8\start8_64.dll [MD5: 41A8BD7904C00AC9FE86A38C36982F80] [Flags: 00011001.7040]
[u] c:windows empcrf000audiosetup.exe [MD5: 28E857302E01FFBEDD53E67B8A6848EE] [Flags: 00001

Best answer by RetiredTripleHelix 7 December 2013, 22:14

38 replies

Userlevel 7
Nope...and unlikely to as I most likely do not have your resources...but would be very interested in the results as and when you...PM me rather than post back as otherwise this post will end up going off topic...and the very nice Mods will not like that...;)
I am yet to test the HMP against an MIM attack and see if it's actually worth its salt.
 
Have you tried that yet?
Userlevel 7
Hi tempnexus
 
Completely agree with the sentiment in your last paragraph.  Very wise.
 
Glad to hear that the issue is sorted for you, in whatever way.  I have been running v2.5 beta for a week now and have had no mishaps or points of contention...get the notification on protection with IE but not with Maxthon (secondary browser) despite the site saying it is supported...will have to check into that.
 
Regards
 
 
Baldrick
Typical...get all IT security geeks, throw in Star Trek and end up in drunken debauchery.   :)
 
Anywho, yes my heuristics were set to Maximum.
Yes, I do believe that if I were to restart when it first asked me to then I would have been fine.  However, the fact that I overwrote the 2.0 with 2.5 and didn't restart might have been an issue.
 
I am running it along with Sandboxie on 64-bit Windows.
 
Sorry to say I can't replicate the issue since over the weekend I was fooling around with rootkits and other nice stuff that I found on my honey pot and had to re-image the system.
 
One of the baddies decided to lock my Windows 8 drive so the only answer was re-image and drive firmware reflash (it is an SSD).  Tried everything else that I normally try with Windows 8 locked drive (rebuild the BCD etc) to no avail. 
 
I do like running on MAX heuristics, I don't mind false positives as long as it doesn't FP my System Files then I am ok with it.  (Still shudder from the Malwarebytes system file FP debacle that occurred a few months ago).
 
Number one lesson to have with everything...MAKE sure to keep current images of your system...HD space is cheap nowadays so no excuse not to have a nice fresh backup that is at most a month old.
Userlevel 7
Hey, when did you get Tranya and not share with the rest of us?
;)

Shran 😃
Userlevel 7
As you can read from the article Romulan ale is very strong, combine that with Andorian ale and who knows what kind of crazy things might happen! I found myself hanging upside down off the roof with a chicken hat on my head!

Shran
Userlevel 7
Badge +56
I know what did it! It was the Tranya of the First Federation!
 
Daniel 😃
Userlevel 7
Probably both! :D

Shran
Userlevel 7
Badge +56
I was wondering why I was swinging on the clothes line I wonder which one did it, the Andorian ale or the Romulan ale [img]https://uploads-us-west-2.insided.com/webroot-en/attachment/6197iFDED702D8161645F.gif[/img]
 
Daniel 😃
Userlevel 7
Daniel I see your new avatar being pulled into the toilet and everyone is quiet now, did the ale finally kick in? lol :D

Shran
Userlevel 7
18...here in the UK...but like Daniel...I am well, well past that...;)
Userlevel 7
I live in the United States and here it's 21!

Shran
Userlevel 7
Badge +56
Well I live in Ontario Canada and it's 19 years of age and I'm more than twice that! And you?
 
Daniel 😃
Userlevel 7
You're welcome Baldrick and thanks to you and Daniel both!

No the Andorian Ale is my personal stash, the Captain of an Andorian Imperial Guard ship always keeps a stash hidden away for celebrations like these! (But I had to send some of my stash to Daniel so that he could post it! 😉 )

Cheers! :D
Shran
Userlevel 7
Hi Shran
 
Thanks for the feedback.  I stand corrected on the default setting...good to have that confirmed (as I do not want to change my configuration at present). ;)
 
Anyway, glad the issue is sorted for you. :D 
 
Now, down to the important stuff...as all this Foruming is thirsty stuff...Daniel, where do you get the A ale from...is that your personal stash? ;)
 
Regards...to you both!
 
 
 
Solly
Userlevel 7
Yes have to be old enough lol! What is the legal drinking age where you live if you don't mind my asking?
:D

Shran
Userlevel 7
Badge +56
@ wrote:
Hi Shran
 
Completely understand your confusion at the conflicting advice.  The default setting is, I believe, "Standard" (Daniel, please correct me if I am incorrect here) and I trust Webroot to know what the normal settings should be.  But there is nothing wrong with maxing out the functionality...other than the risk of 'Overly Sensitives'...as previously stated.  If you can live with that then no problem. ;)
 
Regards
 
 
Solly
In some cases yes but I assume the install scan sets it to standard but on the Online Helpfile it shows as how Shran set it to default: http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C13_Settings/CH13d_AdjustingHeuristics.htm
 
Daniel 😠
Userlevel 7
Badge +56
Yes, Virtual Pints for everyone, of age that is!
 
Daniel 😃
Userlevel 7
Awesome thanks Daniel!!

I raise my glass to you all! :D

Shran
Userlevel 7
Hi Baldrick,

I went into the advanced settings > heuristics and clicked "reset to defaults" and it set it to "Enhanced based on age, origin, etc.". No over sensitive detections with that :D

Shran
Userlevel 7
Hi Shran
 
Completely understand your confusion at the conflicting advice.  The default setting is, I believe, "Standard" (Daniel, please correct me if I am incorrect here) and I trust Webroot to know what the normal settings should be.  But there is nothing wrong with maxing out the functionality...other than the risk of 'Overly Sensitives'...as previously stated.  If you can live with that then no problem. ;)
 
Regards
 
 
Solly
Userlevel 7
Hi Baldrick and Daniel,

Thank you both for your responses. I always like to have all my settings on the most aggressive levels. Also I read from someone else on these forums who said it's best to have them set to highest, so now I'm not sure :@

A glass of Romulan ale for all of us! (I can't post a picture of it though)!

Shran
 
I did it for you. Cheers Daniel!

Userlevel 7
Badge +56
@ wrote:
Pushing it to 'Enhanced' or even 'Maximum' is what I would recommend only if there is a suspicion of infection...for the very reason that these higher settings are more likely to give what is generally termed False Positive...but what I call, in WSA's case, Overly Sensitive...;) 
Regards
 
 
Solly
Correct buddy right on the nose!

And I always run at Max and have never seen a (FP) Overly Sensitive because of it!
 
Daniel
Userlevel 7
Hi Shran
 
I understand what you mean re. "...would like to be able to have the higher heuristics enabled".  Those were my thoughts when I first started using WSA but as far as I understand it one is perfectly safe/protected with the setting at 'Standard'.  Pushing it to 'Enhanced' or even 'Maximum' is what I would recommend only if there is a suspicion of infection...for the very reason that these higher settings are more likely to give what is generally termed False Positive...but what I call, in WSA's case, Overly Sensitive...;)
 
Regards
 
 
Solly
Userlevel 7
Already sent a ticket in!

Shran