Solved

It seems I am getting FALSE positive for HITMAN PRO 3.7 as a rootkit.

  • 6 December 2013
  • 38 replies
  • 217 views

Scan Started: Fri 2013-12-06 00:43:08
[r] System\CurrentControlSet\Services\hitmanpro37
[u] c:\program files (x86)\stardock\start8\start8_64.dll [MD5: 41A8BD7904C00AC9FE86A38C36982F80] [Flags: 00011001.7040]
[u] c:\windows\temp\crf000\audiosetup.exe [MD5: 28E857302E01FFBEDD53E67B8A6848EE] [Flags: 00001
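As an added illustration (not code from the original post, from Webroot or from SurfRight), the following Python parses scan-log lines of the shape quoted above and produces the grouped list of detections that later replies recommend sending to support. The thread does not document what the [r] and [u] tags mean, so the kind of each record is derived from the path shape (drive-letter path versus registry path) rather than from the tag; the sample log is a constructed copy of the excerpt above with the backslashes the forum stripped restored, and the truncated last line is kept truncated so the parser has to cope with it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the scan-log excerpt quoted in the original post, with
# backslashes restored; the last line is cut off exactly as it is on the page.
SAMPLE_LOG = r"""Scan Started: Fri 2013-12-06 00:43:08
[r] System\CurrentControlSet\Services\hitmanpro37
[u] c:\program files (x86)\stardock\start8\start8_64.dll [MD5: 41A8BD7904C00AC9FE86A38C36982F80] [Flags: 00011001.7040]
[u] c:\windows\temp\crf000\audiosetup.exe [MD5: 28E857302E01FFBEDD53E67B8A6848EE] [Flags: 00001
"""


@dataclass
class Detection:
    tag: str                # bracketed letter prefixing the line ([r], [u]); meaning assumed unknown
    path: str               # file or registry path the scanner reported
    md5: Optional[str]      # 32-hex digest when the log includes one
    flags: Optional[str]    # scanner flag field, kept verbatim
    kind: str               # "file", "registry" or "unknown", from the path shape
    truncated: bool         # line ended before its closing bracket


DETECTION_RE = re.compile(
    r"^\[(?P<tag>[A-Za-z])\]\s+(?P<path>.+?)"
    r"(?:\s+\[MD5:\s*(?P<md5>[0-9A-Fa-f]{32})\])?"
    r"(?:\s+\[Flags:\s*(?P<flags>[0-9.]+)\]?)?\s*$"   # closing ] optional: handles truncation
)
STARTED_RE = re.compile(r"^Scan Started:\s*(?P<when>.+?)\s*$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
REGISTRY_PREFIXES = ("system\\", "hklm\\", "hkcu\\", "hkey_")


def classify_path(path: str) -> str:
    """Decide whether a reported path names a file on disk or a registry key."""
    if DRIVE_PATH_RE.match(path):
        return "file"
    if path.lower().startswith(REGISTRY_PREFIXES):
        return "registry"
    return "unknown"


def parse_scan_log(text: str) -> Tuple[Optional[str], List[Detection]]:
    """Return (scan start timestamp, detections); unrecognised lines are skipped."""
    started: Optional[str] = None
    hits: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STARTED_RE.match(line)
        if m:
            started = m.group("when")
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        md5 = m.group("md5")
        hits.append(Detection(
            tag=m.group("tag"),
            path=m.group("path"),
            md5=md5.upper() if md5 else None,
            flags=flags,
            kind=classify_path(m.group("path")),
            # a Flags field without the closing bracket means the copied line was cut short
            truncated=flags is not None and not line.endswith("]"),
        ))
    return started, hits


def ticket_summary(started: Optional[str], hits: List[Detection]) -> str:
    """Group detections by kind into the text a false-positive ticket would carry."""
    lines = [f"Scan started: {started or 'unknown'}"]
    for kind in ("registry", "file", "unknown"):
        group = [h for h in hits if h.kind == kind]
        if not group:
            continue
        lines.append(f"{kind} entries ({len(group)}):")
        for h in group:
            detail = f"  [{h.tag}] {h.path}"
            if h.md5:
                detail += f"  md5={h.md5}"
            if h.flags:
                detail += f"  flags={h.flags}"
            if h.truncated:
                detail += "  (log line truncated; re-copy it from the full scan log)"
            lines.append(detail)
    return "\n".join(lines)


if __name__ == "__main__":
    print(ticket_summary(*parse_scan_log(SAMPLE_LOG)))
```

Because the registry entry carries no MD5 or flags, the summary separates it from the two file hits; that separation matches the later advice that support whitelists files for the other posters but a registry entry for the original poster, and the truncation marker tells the reporter which line still has to be re-copied from the complete log before filing.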

Best answer by RetiredTripleHelix 7 December 2013, 22:14



Userlevel 7
Hi Shran
 
Thanks for the feedback.  I stand corrected on the default setting...good to have that confirmed (as I do not want to change my configuration at present). ;)
 
Anyway, glad the issue is sorted for you. :D 
 
Now, down to the important stuff...as all this Foruming is thirsty stuff...Daniel, where do you get the A ale from...is that you personal stash? ;)
 
Regards...to you both!
 
 
 
Solly
Userlevel 7
Badge +56
Do you both have Heuristics above Standard as that could be why as I have HMP x64 and it's not being detected? And I have mine on Max?
 
Daniel
 

Userlevel 7
Badge +56
@CommanderShran wrote:
Hi Daniel,

Yes I have my heuristics (had past tense, I'm now back onto a system image that was made before I put Webroot on). I can't speak regarding to Hitman Pro as I don't use it though.

Shran
When you go back to the other image can you put heuristics back to standard and run a scan to see if it still detects?
 
But in any case contact support and they will whitelist the files or in the case of the OP the Registry Entry.
 
Thanks,
 
Daniel 😉
Userlevel 7
Hi Daniel,
After restoring to the image with Webroot on it and scanning with max heuristics again it detects the registry keys, but when I lower the heuristics to enhanced based on age, origin, etc. it doesn't detect the registry keys anymore so I gave kudos to both of your posts about the heuristics. Still though I would like to be able to have the higher heuristics enabled.

Thanks for the help :D

Shran
Userlevel 7
Badge +56
@CommanderShran wrote:
Hi Daniel,
After restoring to the image with Webroot on it and scanning with max heuristics again it detects the registry keys, but when I lower the heuristics to enhanced based on age, origin, etc. it doesn't detect the registry keys anymore so I gave kudos to both of your posts about the heuristics. Still though I would like to be able to have the higher heuristics enabled.

Thanks for the help :D

Shran
Thanks just contact support with the lines in the scan log that show the detections and they will correct it for you!
 
Cheers,
 
Daniel 😉
Userlevel 7
Already sent a ticket in!

Shran
Userlevel 7
Hi Shran
 
I understand what you mean re. "...would like to be able to have the higher heuristics enabled".  That was my thoughts when I first started using WSA but as far as I understand it one is perfectly safe/protected with the setting at 'Standard'.  Pushing it to 'Enhanced' or even 'Maximum' is what I would recommend only if there is a suspicion of infection...for the very reason that these higher settings are more likely to give what is generally termed False Positive...but what I call, in WSA's case, Overly Sensitive...;)
 
Regards
 
 
Solly
Userlevel 7
Hi Baldrick and Daniel,

Thank you both for your responses. I always like to have all my settings on the most aggressive levels. Also I read from someone else on these forums who said it's best to have them set to highest, so now I'm not sure :@

A glass of Romulan ale for all of us! (I can't post a picture of it though)!

Shran
 
I did it for you. Cheers, Daniel!

Userlevel 7
Hi Shran
 
Completely understand your confusion at the conflicting advice.  The default setting is, I believe, "Standard" (Daniel, please correct me if I am incorrect here) and I trust Webroot to know what the normal settings should be.  But there is nothing wrong with maxing out the functionality...other than the risk of 'Overly Sensitives'...as previously stated.  If you can live with that then no problem. ;)
 
Regards
 
 
Solly
Userlevel 7
Awesome thanks Daniel!!

I raise my glass to you all! :D

Shran
Userlevel 7
Badge +56
Yes Virtual Pints for everyone of age that is!
 
Daniel 😃
Userlevel 7
Badge +56
@ wrote:
Hi Shran
 
Completely understand your confusion at the conflicting advice.  The default setting is, I believe, "Standard" (Daniel, please correct me if I am incorrect here) and I trust Webroot to know what the normal settings should be.  But there is nothing wrong with maxing out the functionality...other than the risk of 'Overly Sensitives'...as previously stated.  If you can live with that then no problem. ;)
 
Regards
 
 
Solly
In some cases yes but I assume the install scan sets it to standard but on the Online Helpfile it shows as how Shran set it to default: http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C13_Settings/CH13d_AdjustingHeuristics.htm
 
Daniel 😠
Userlevel 7
Yes have to be old enough lol! What is the legal drinking age where you live if you don't mind my asking?
:D

Shran
Userlevel 7
You're welcome Baldrick and thanks to you and Daniel both!

No the Andorian Ale is my personal stash, the Captain of an Andorian Imperial Guard ship always keeps a stash hidden away for celebrations like these! (But I had to send some of my stash to Daniel so that he could post it! 😉 )

Cheers! :D
Shran
Userlevel 7
Badge +56
Well I live in Ontario Canada and it's 19 years of age and I'm more than twice that! And you?
 
Daniel 😃
Userlevel 7
Daniel I see your new avatar being pulled into the toilet and everyone is quiet now, did the ale finally kick in? lol :D

Shran
Userlevel 7
Badge +56
I was wondering why I was swinging on the clothes line I wonder which one did it, the Andorian ale or the Romulan ale [img]https://uploads-us-west-2.insided.com/webroot-en/attachment/6197iFDED702D8161645F.gif[/img]
 
Daniel 😃
Userlevel 7
Probably both! :D

Shran
Userlevel 7
Badge +56
I know what did it! It was the Tranya of the First Federation!
 
Daniel 😃
Userlevel 7
As you can read from the article Romulan ale is very strong, combine that with Andorian ale and who knows what kind of crazy things might happen! I found myself hanging upside down off the roof with a chicken hat on my head!

Shran
Typical...get all IT security geeks, throw in Star Trek and end up in drunken debauchery.   :)
 
Anywho,  yes my heuristics were set to Maximum.
Yes I do believe that if I were to restart when it first asked me to then I would have been fine.  However, the fact that I overwrote the 2.0 with 2.5 and didn't restart might have been an issue.
 
I am running it along with SandBoxie on a 64bit Windows.
 
Sorry to say I can't replicate the issue since over the weekend I was fooling around with rootkits and other nice stuff that I found on my honey pot and had to re-image the system.
 
One of the baddies decided to lock my Windows 8 drive so the only answer was re-image and drive firmware reflash (it is an SSD).  Tried everything else that I normally try with Windows 8 locked drive (rebuild the BCD etc) to no avail. 
 
I do like running on MAX heuristics, I don't mind false positives as long as it doesn't FP my System Files then I am ok with it.  (Still shudder from the Malwarebytes system file FP debacle that occurred a few months ago).
 
Number one lesson to have with everything...MAKE sure to keep current images of your system...HD space is cheap nowadays so no excuse not to have a nice fresh at most a month old backup.
Userlevel 7
Nope...and unlikely to as I most likely do not have your resources...but would be very interested in the results as and when you...PM me rather than post back as otherwise this post will end up going off topic...and the very nice Mods will not like that...;)
Userlevel 7
That is rather interesting, but not entirely unexpected either.  The way HITMAN works may very well display behaviors similar to malware.
 
I would suggest you submit a Trouble Ticket, which is the suggested method of reporting for potential False Positives.
Userlevel 7
Badge +13
I usually run Hitman Pro a few times a week and haven't received that detection yet. I am assuming you downloaded your hitmanpro from www.surfright.nl versus downloading from another site. Definitely sounds like a false positive if that's the case. Webroot has always been great about responding to tickets quickly, especially false positives. I have found that every time I have submitted a fp, it was fixed within a few hours at the latest. Please keep us informed as things go along.
Ticket Created yesterday.
 
Yes I downloaded from Surfright, however this is what happened.
I downloaded the Hitman Pro Alert 2.5 beta with Cryptoguard.  link to it
I already have the Hitman Pro Alert 2.0 installed so I updated the 2.0 to 2.5 and it prompted me to reboot the PC but I told it to wait.  So I did not reboot the PC (had been working on stuff). 
Then after an hour or so I did the manual Webroot Scan (I do that before I hit the sack) and that's when it found the rootkit. 
 
So I assume the rootkit ID false positive is based on the fact that Webroot is detecting the path to the file and the version but it sees that the file is not "visible" or "running".  So it assumes the file is hidden and unseen by the OS...so it thinks it's a rootkit.
 
I don't know it's a wild guess.
 
I have created a ticket and will check on the detectability once I get home this evening.
