Hitman Pro 64 bits detected as malware by IE9

Discussion in 'other anti-malware software' started by moontan, Oct 2, 2011.

Thread Status:
Not open for further replies.
  1. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    wth?

    the SmartScreen filter in IE9 detects Hitman Pro 64 bits as malware?!

    what's happening?
    is it because of PatchGuard?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    what link? Report it maybe
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Are you downloading a beta version? It could be that due to not being so widely seen (the beta installer/file), SmartScreen is flagging it?
     
  4. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    it is the stable release from Surfright:
    -http://dl.surfright.nl/HitmanPro35_x64.exe-

    from this page:
    -http://www.surfright.nl/en/downloads-
     
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    It's not a reputation detection. It seems like dl.surfright.nl itself has been placed on the SmartScreen blacklist, could it have been compromised?

    I clicked the report FP link anyway.
     
  6. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    This happened to me yesterday. I went to SurfRight to download HMP x64 through IE 9 and when I clicked on save file the SmartScreen Filter popped up with....

    Hitman Pro35_x64.exe is unsafe to download and was blocked by SmartScreen Filter.

    An alternate download site works fine but in most cases I try to download from the programs own site, in this case SurfRight, before looking elsewhere.
    I reported it but as of today SmartScreen Filter still blocks the download.
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,031
    Location:
    Hengelo, The Netherlands
    Not so SmartScreen blocks Hitman Pro 64-bit download

    Thank you for reporting the false positive. We've replaced the 64-bit link to an alternate site.

    Here are some screen shots of the false positive:

    NotSoSmartScreen1.png

    I have changed the download location and that helps:

    NotSoSmartScreen2.png

    We've contacted Microsoft by mail and form. Hopefully they will fix the error.

    SmartScreen will be a standard and core part of Windows 8:
    Facepalm.png
    Hopefully it will be off by default.

    Thanks again for posting :thumb:
     
    Last edited: Oct 2, 2011
  8. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Thank you erikloman :thumb:
     
  9. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Looks like fp is resolved. no more alert on download
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,031
    Location:
    Hengelo, The Netherlands
    I changed the download link (see my post above).
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It isn't. Not on the dev at least. And I seriously doubt it will change.
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Again, SmartScreen's app reputation will be part of Windows 8, this is an outright blacklist block, a completely different thing.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Ah, I see. I should really read topics before I post.
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,031
    Location:
    Hengelo, The Netherlands
    Microsoft calls all its filtering stuff SmartScreen. From (1) Outlook spam filtering, to (2) IE8 URL filtering, (3) IE9 binary filtering and (4) Windows 8 binary filtering.

    It's all based on reputation: How many different people (1) received this email, (2) clicked on the URL, (3) downloaded the binary or (4) ran the binary. Microsoft keeps track of it.

    Personally I have turned it off in my IE because of the many false positives. When SmartScreen doesn't know the binary, it's blocked by default. To me that's a white list instead of a black list ;)
     
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    For the third time, that's called AppReputation.

    Your site isn't blocked by AppReputation, someone has added it to the blacklist, or the file was analysed by software and deemed malicious. AppReputation has nothing to do with the contents of the file (other than attached digital signatures), it's completely automated, and is nothing other than a sign of popularity.

    I've never experienced a false positive, sorry to hear you experience "many" of them.
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,031
    Location:
    Hengelo, The Netherlands
    You are correct. The download was blocked by SmartScreen URL reputation. Not by Application Reputation.

    But to clarify things. Application Reputation is PART OF SmartScreen:

    http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Interesting that they write this. I wish we could get some kind of agreement.
     
  18. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    I'm aware AppRep is part of SmartScreen. Many many things are part of SmartScreen including spam filtering. You were complaining about SS being part of Windows 8, and I was stating that it's only AppRep that is in Windows 8.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    @ Hungry Man

    I suppose you're thinking of Google's report mentioning that exploits outcome social engineering?

    end of @ Hungry Man

    Anyway, I hope that AppReputation, etc., all come enabled and not disabled. It would be crazy to be disabled by default. And, false positives... then people should not install or use any antimalware applications either?
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, that's what I'm thinking of.
     
  21. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I never experience a false positive either with smart filter and what it has blocked was real malware tested on it.
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,031
    Location:
    Hengelo, The Netherlands
    If it's good, of course it should be enabled by default. But in my experience, the AppReputation is a PURE whitelist. If something is not known, it is blocked. I've had numerous rare stuff being blocked by IE9 (at AppReputation level).
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Lots of security programs have white lists, if IE has one too, I'm happy about that. I'd rather my browser alert me to things or even stop suspicious files before my other security apps do. General users don't really need "rare" apps anyway, imho, considering they usually consist of tweaking tools and diagnosis programs that most would probably kill their own systems trying to use.

    Regardless, no matter what security you use, there's always going to be FPs. I'd personally rather something good be flagged suspicious than something suspicious or even bad be flagged good or not flagged at all.
     
  24. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    right you are!

    i only use IE9 for banking.
    on Chrome, i like to scan questionable files manually with HMP or VirusTotal.

    but the last few days i was at a friend's, trying to get her on board the 21st Century. :)
    i'd rather have her use IE9 than Chrome.
    i feel IE9 is safer for newbies, with the SmartScreen and easy securities.
    I slapped MSE on her machine, took a few system images of her system, and installed LogMeIn so i could fix her machine remotely.
    i showed her how to boot from the Windows Repair disk in case of MBR infections.
    she should be covered. ;)
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Another reason for me not to use IE9, plenty of false positives. I've seen so many in my virtual machines that I'm glad they're not used often.
     