HitManPro first timer

Yeah i know, it's been out for some time, never got round to trying it until now

Disabled AviraGuard whilst installing HMP v3.5.6 so it wouldn't keep jumping in with endless alerts due to numerous malware files i have. Prevx still active.

During the install i got this ?



After the 30 minute scan i enabled Avira and started a new scan to see what would happen, and got the same warning ? Note, it didn't recognise Prevx either, but this "might" be because i don't have the paid real time version ?



20 FP's out of 25 alerts, i've seen worse before Some could not be selected as Report as FP, just Do Not Delete ? but i would have thought a lot of these would be known to HMP as safe test files and apps etc, obviously not I guess it must be how one or more of the AV's classifies certain things ?

Why it wanted to do this ?

 

that aint good my friend.

 

It also did not detect my PCAV Pro last time I used it.

 

Ive never had any FP's on any client's machines.

 

This should still be merged into the Hitman Pro thread for Erik to respond to.

 

As for the antivirus detection , I think it can't detect all antivirus brands and versions. The false-positives can be reported if you click on the detection and there is an option there (you'll see it).

 

I had about 10 FP when I installed HitmanPro for the first time But hey, it's free ...

 

It's been moved so HMP is classed as other anti-malware software not other anti-virus software ! OK, but ?

Hi guys, thanks for the replies

The FP's i can live with, and most of them are not would many others would see. A few are Genuine apps, but again not many would have them.

But i'm more concerned as to why HMP would want to terminate Explorer.exe ? That's not good

 

Funny how people never complain of FP's with Hitman Pro... this is really Hitman Pro grace period... i also got a bunch of them on XP SP2 and SP3 machines

 

No wonder they have lot's of them with kings of FP's as scanners (A-Squared & Ikarus)

 

You're making assumptions it is a-squared, but in a lot of the drop down boxes, it will show you the engine. Some fps could be relating to prevx, some to a-squared, some could be dr web, etc.

Besides, having multiple scanning engines means more opinions. It's advertised as a second opinion scanner, not the definitive opinion scanner.

I also think saying hitman pro has had a grace period is a little unfair as well. The average user doesn't have half the ton of obscure specialist programs we have, so won't experience a single false positive. Don't be mistaken in thinking 'our machines' are always the norm, because they're not.

AVs and HMP's role is to flag possible files that are out of the ordinary on a regular user's machine. AVs/HMP's role isn't to classify all the out of the ordinary files we tend to download as safe.

I spoke to Joe from prevx awhile back, when I was downloading a ton of portable programs, why various programs were classified as possible malware. I probably got on his nerves but quickly realised, these programs I was downloading, were coded/packed in the same way as malware (so prevx, and HMP for example, are doing their job correctly).

Since I've curbed my downloading of obscure programs, no more FPs. Recently I downloaded a new version of 'aMSN' from portable apps, HMP flags some files as a rootkit. Considering the program isn't popular, is open source, isn't released to many users, or have many users even using it, I'm not going to complain too much that it produced a few FPs. I'm actually glad obscure software is flagged.

For example, If I were to buy a new machine right now, use it for business purposes, install photoshop, illustrator, editing software, I can guarantee not a single FP will be found (and that if some 'junk' software was installed without my knowledge, it'd most likely be flagged).

 

Well for me it was also Prevx engine who flagged FP. But i was not saying HP FP rate = sum of it's parts, but HP is prone to FP's like any other AV and like CR shows above, even if they are less frequent (for me) than other AV; i only whish it provided more info's about the detections, maybe a way to upload to VT... in sum, an easier way to troubleshoot possible FP.

 

I just noticed this thread ...

That is quite a list of very dubious software

That basically means that the file was deemed as malicious by at least three partner vendors.

If you expand the row (by clicking on the arrow in front of the row) then you can see which vendors classified the file as malicious.

 

There is an expression that 2 wrongs dont make a right(or in this case 3 wrongs).

http://research.pandasecurity.com/automated-false-positives/

Not sure if you have seen the following article/related discussions but do you care to give us your insight on this type of F/P creation and whether you feel auto-adding is an acceptable practice since some of your vendors are fully subscribed to that methodology.

 

Sorry to interrupt you gentleman, but i would like to know whether you have the above mentioned samples (fp's in your case) and if not how could you be sure that its indeed a false +ve? No doubt that vendors do mistakes, but in the above mentioned case it would be great if the thread creator handover those so called malicious files to Erik Loman ... He can also send me the samples so that we can able to find out whether it is fp or not...

 

Avinash, I'm not knocking the original poster, as I too have had similar software.

Such as rootkit searching/unhooker software, test security software (beta editions, small vendors, not common), software released say by small developers such as Nirsoft, and so on.

So although the original poster, who I value reading his posts by the way, has 20/25 fps, given the obscure software, I'd bring this down to say a few fps. Now if you told any user/customer a program may remove a couple of safe files/programs, but 5 actual malware would be removed (including a keylogger), I'm pretty sure they'd say to proceed with the removal. I mean, to me that's a good result!

 

CloneRanger, can you click Next and export detection results in XML and post it here? Or click on each arrow next to the file name and take few screenshots and post them as well? I'm curious what engine detected these and suspect a good number of them are legitimate risks in AV's point of view.

 

Your post has come up with a good suggestion. Erik, you able to add a function/button to expand all detections (show all the drop-down arrows)? Be useful when a lot of malware is listed.

 

Do you have almost similar ones which was there at picture posted by Clone Ranger?

 

No, but you can see the filenames, location - icesword, processhacker, rootkit unhooker (few programs for this such as this, this, this, hide toolz, some diamond software, I'm assuming that's system protect installed (spyware terminator developers?). Not that those are the actual ones, but seen most of those programs before.

Regarding my fps with aMSN on portable apps, now removed.

 

Ya, the FP's i reported were also removed. But i haven't seen the "export als XML" option before, this is good enough for me

 

Mainly security/ARK tools etc

Yes, but i agree with Dr who below

Can you explain why neither Avira or Prevx is detected on my comp by HMP ?

Agreed

Thanks

@ AvinashR

I know for a FACT those files flagged as FP's are NOT malicious, as i've been using them for years. They might not be the types of files/apps that everyone would have, but that doesn't make them malicious. And as they have been around for years, ALL vendors should already be aware of them, and know they are safe and NOT flag them. Why they still do after all this time ?

Conformation

Thanks

Not sure if people would be happy with safe files/apps removed. Imagine all the installs/DL's/updates etc and possible licence renewals they might have to do afterwards Naturally they'd be glad to eliminate the nasties though.

I don't have any spyware terminator files, so not sure what you are seeing ?

Scanned again, last time it took 30 minutes. I was going to say "so i'll post the results later" but this time it's just finished in 1 minute 52 seconds

Actually they aren't, please see above reply to AvinashR

*

Find_Dll.exe (by Eric_71) -http://eric71.geekstogo.com/beta/FindDll2.exe- is a legit DLL finder app. It's just one of many extremely useful apps listed in here - http://www.kernelmode.info/forum/viewtopic.php?f=11&t=10

passxoverdesigner5.1.exe is a legit app, not installed there, just that it's zipped/packed with UPX, which some vendors often see as suspicious I uploaded passxoverdesigner5.1.exe here



AVG sees macros ? in passxoverdesigner5.1.exe I presume it's the UPX that fools it ?

On to todays scans. On the first run it detected these



About 5 minutes later on a second scan both Find_Dll.exe & passxoverdesigner5.1.exe were no longer detected I presume some fast analysis, or something ?

Also notice how quite a number of yesterdays detects are no longer detected. On 2 detects there are NO options, or click to expand buttons ?

I tried to do a scrolling screenie of the expanded vendor detects, but it's gone a bit wobbly. Don't know why ? i've included it anyway as i was asked to, but hopefully you should be able to make sense of it



I also saved the XML file and conveted it to .txt

View attachment log.txt

Spyshelter is also listed in there which i do have but havn't installed, but it's not in any of the actual scan screenies ? Anyway it's a FP too

passxoverdesigner5.1.exe is also detected on my installed Prevx, i've marked it as a FP.

When the scan had finished, i selected streamviewer.45132.exe to be deleted, so clicked NEXT, it was NOT ?

*

I've ended up spending a LOT more time on this than i initially evisaged, so i'm beginning to wish i hadn't started playing with it

 

Thanks for the reply, image, and text file. It seems almost all the scan engines identified those files, meaning a user with g-data, eset, prevx, or a-squared should see a similar number of false positives.

Everyone is entitled to their own opinion whether they like a product or not. People just have to ask, if an AV that cruises right past these relatively unknown programs, would you trust it to identify unknown software?

Overall, I think HMP is a valuable backup scanner. YouTube videos aren't a gauge of a program's performance, but if you scan to the end of many videos from languy99 , hitman pro does a solid job in identifying the files missed.

Once vendors start adding new files from say portableapps, portablefreeware, majorgeeks, nirsoft, to name a few, you'll see the FPs will decrease. Either that, or once more people start using the product, more people will do the job for you in reporting FPs.

 

Impact

I ran a couple of queries against the files in question to determine the impact of these alleged false positives among our users. I also included the VT scores (not sure I can post these but I did not include the links in my defense ).

The impact column denotes the actual number of users with the specified file (based on the SHA-256 hash).

Code:

Impact    VT Name
------ ----- -----------------
17      7/42 foldermon.exe
32      4/39 AntiTest.exe
60     18/42 AntiTest2.exe
16      5/42 setupfree_001.exe
17      7/42 foldermon.exe
17      8/42 errordesc.exe
1      26/42 IceSword.exe
1       1/42 kprocesshacker.sys
1       6/42 rkstart.EXE
1      18/42 ioport.sys
1       9/42 UnPrevx.exe
5       7/42 Find_Dll.exe
12     17/42 RkU3.8.342.554.exe
5      25/42 SysProt.exe
1      25/42 streamviewer.45132.exe
9       1/42 passxoverdesigner5.1.exe

How to interpret these results
For example, errordesc.exe was found by Hitman Pro on 17 different computers. Hitman Pro has millions of users so the impact of this alleged false positive is extremely low.

I agree, some of these files are actual FPs (like kprocesshacker.sys). But since we largely rely on our users to report FPs, these FPs will not get resolved due to the low number of users that have these special files.

Judging a product on just these rare files won't do any AV product justice. I am sure AV Comparatives, AV-test or Virus Bulletin do not use these files in their test sets. Most of these files can be used with bad and good intentions.

 

Erik, interesting post. Highlights some of the programs we rely on, and use as 'security enthusiasts/professionals', how uncommon the files/programs may be. More people are using these programs, but using the programs and using Hitman Pro, creates an even lower number.

Given the VT results, most of the programs would appear to be packed as CloneRanger said, with UPX, and have the same qualities as malware, or could be used to a degree, for not everyday normal purposes.

From the results you posted, Hitman Pro shouldn't be producing many more FPs than your typical AV. Maybe a slight more, given the number of scanning engines, but that's a fair trade (for increased security).