HitManPro first timer

Discussion in 'other anti-malware software' started by CloneRanger, Aug 11, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yeah I know, it's been out for some time, never got round to trying it until now :D

    Disabled AviraGuard whilst installing HMP v3.5.6 so it wouldn't keep jumping in with endless alerts due to the numerous malware files I have. Prevx still active.

    During the install I got this ?

    no-av.gif

    After the 30 minute scan :p I enabled Avira and started a new scan to see what would happen, and got the same warning ? Note, it didn't recognise Prevx either, but this "might" be because I don't have the paid real-time version ?

    hmp-log.gif

    20 FPs out of 25 alerts, I've seen worse before :D Some could not be selected as Report as FP, just Do Not Delete ? but I would have thought a lot of these would be known to HMP as safe test files and apps etc, obviously not :p I guess it must be how one or more of the AVs classifies certain things ?

    Why did it want to do this ?

    pg.gif
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    That ain't good, my friend.
     
  3. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    It also did not detect my PCAV Pro last time I used it.
     
  4. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I've never had any FPs on any client's machines.
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    This should still be merged into the Hitman Pro thread for Erik to respond to.
     
  6. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    As for the antivirus detection, I think it can't detect all antivirus brands and versions. The false positives can be reported if you click on the detection and there is an option there (you'll see it).
     
  7. progress

    progress Guest

    I had about 10 FPs when I installed HitmanPro for the first time :doubt: But hey, it's free ...
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    It's been moved :p so HMP is classed as other anti-malware software not other anti-virus software ! OK, but ?

    Hi guys, thanks for the replies :thumb:

    The FPs I can live with, and most of them are not what many others would see. A few are genuine apps, but again not many would have them.

    But I'm more concerned as to why HMP would want to terminate Explorer.exe ? That's not good :(
     
  9. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Funny how people never complain of FPs with Hitman Pro... this is really Hitman Pro's grace period... I also got a bunch of them on XP SP2 and SP3 machines.
     
  10. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    No wonder they have lots of them with the kings of FPs as scanners (A-Squared & Ikarus).
     
  11. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    You're making assumptions it is a-squared, but in a lot of the drop down boxes, it will show you the engine. Some fps could be relating to prevx, some to a-squared, some could be dr web, etc.

    Besides, having multiple scanning engines means more opinions. It's advertised as a second opinion scanner, not the definitive opinion scanner.

    I also think saying hitman pro has had a grace period is a little unfair as well. The average user doesn't have half the ton of obscure specialist programs we have, so won't experience a single false positive. Don't be mistaken in thinking 'our machines' are always the norm, because they're not.

    AVs and HMP's role is to flag possible files that are out of the ordinary on a regular user's machine. AVs/HMP's role isn't to classify all the out of the ordinary files we tend to download as safe.

    I spoke to Joe from prevx a while back, when I was downloading a ton of portable programs, about why various programs were classified as possible malware. I probably got on his nerves but quickly realised that these programs I was downloading were coded/packed in the same way as malware (so prevx, and HMP for example, are doing their job correctly).

    Since I've curbed my downloading of obscure programs, no more FPs. Recently I downloaded a new version of 'aMSN' from portable apps, and HMP flagged some files as a rootkit. Considering the program isn't popular, is open source, isn't released to many users, and doesn't even have many users using it, I'm not going to complain too much that it produced a few FPs. I'm actually glad obscure software is flagged.

    For example, if I were to buy a new machine right now, use it for business purposes, install Photoshop, Illustrator, editing software, I can guarantee not a single FP will be found (and that if some 'junk' software was installed without my knowledge, it'd most likely be flagged).
     
  12. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Well for me it was also the Prevx engine that flagged FPs. But I was not saying HP's FP rate = the sum of its parts, but HP is prone to FPs like any other AV, as CR shows above, even if they are less frequent (for me) than with other AVs; I only wish it provided more info about the detections, maybe a way to upload to VT... in sum, an easier way to troubleshoot possible FPs.
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,027
    Location:
    Hengelo, The Netherlands
    I just noticed this thread ...

    That is quite a list of very dubious software :eek:
    That basically means that the file was deemed as malicious by at least three partner vendors.

    If you expand the row (by clicking on the arrow in front of the row) then you can see which vendors classified the file as malicious.
     
  14. Dr who

    Dr who Registered Member

    Joined:
    Jun 6, 2009
    Posts:
    46
    There is an expression that two wrongs don't make a right (or in this case three wrongs).

    http://research.pandasecurity.com/automated-false-positives/

    Not sure if you have seen the following article/related discussions but do you care to give us your insight on this type of F/P creation and whether you feel auto-adding is an acceptable practice since some of your vendors are fully subscribed to that methodology.
     
  15. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Sorry to interrupt you gentlemen, but I would like to know whether you have the above mentioned samples (FPs in your case) and if not how could you be sure that it's indeed a false +ve? No doubt that vendors make mistakes, but in the above mentioned case it would be great if the thread creator handed over those so-called malicious files to Erik Loman ... He can also send me the samples :) so that we can find out whether it is an FP or not...
     
  16. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Avinash, I'm not knocking the original poster, as I too have had similar software.

    Such as rootkit searching/unhooker software, test security software (beta editions, small vendors, not common), software released say by small developers such as Nirsoft, and so on.

    So although the original poster, who I value reading his posts by the way, has 20/25 fps, given the obscure software, I'd bring this down to say a few fps. Now if you told any user/customer a program may remove a couple of safe files/programs, but 5 actual malware would be removed (including a keylogger), I'm pretty sure they'd say to proceed with the removal. I mean, to me that's a good result! ;)
     
  17. dlimanov

    dlimanov Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    204
    CloneRanger, can you click Next and export the detection results in XML and post it here? Or click on each arrow next to the file name and take a few screenshots and post them as well? I'm curious what engine detected these and suspect a good number of them are legitimate risks from an AV's point of view.
     
  18. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Your post has come up with a good suggestion. Erik, are you able to add a function/button to expand all detections (show all the drop-down arrows)? It'd be useful when a lot of malware is listed.
     
  19. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Do you have almost similar ones to those in the picture posted by Clone Ranger?
     
  20. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    No, but you can see the filenames, location - icesword, processhacker, rootkit unhooker (few programs for this such as this, this, this, hide toolz, some diamond software, I'm assuming that's system protect installed (spyware terminator developers?). Not that those are the actual ones, but I've seen most of those programs before.

    Regarding my fps with aMSN on portable apps, now removed. :thumb:
     
  21. fsr

    fsr Registered Member

    Joined:
    Jul 26, 2010
    Posts:
    190
    Ya, the FPs I reported were also removed. But I hadn't seen the "export als XML" option before, this is good enough for me :thumb:
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Mainly security/ARK tools etc ;)

    Yes, but I agree with Dr who :thumb: below

    Can you explain why neither Avira or Prevx is detected on my comp by HMP ?

    Agreed ;)

    Thanks :thumb:

    @ AvinashR

    I know for a FACT those files flagged as FPs are NOT malicious, as I've been using them for years. They might not be the types of files/apps that everyone would have, but that doesn't make them malicious. And as they have been around for years, ALL vendors should already be aware of them, know they are safe and NOT flag them. Why do they still flag them after all this time ?

    Confirmation :thumb:

    Thanks :thumb:

    Not sure if people would be happy with safe files/apps removed. Imagine all the installs/DLs/updates etc and possible licence renewals they might have to do afterwards :D Naturally they'd be glad to eliminate the nasties though.

    I don't have any spyware terminator files, so not sure what you are seeing ?

    Scanned again, last time it took 30 minutes. I was going to say "so I'll post the results later" but this time it just finished in 1 minute 52 seconds :eek:

    Actually they aren't, please see my reply above to AvinashR ;)

    *

    Find_Dll.exe (by Eric_71) -http://eric71.geekstogo.com/beta/FindDll2.exe- is a legit DLL finder app. It's just one of many extremely useful apps listed in here - http://www.kernelmode.info/forum/viewtopic.php?f=11&t=10

    passxoverdesigner5.1.exe is a legit app, not installed there, it's just that it's zipped/packed with UPX, which some vendors often see as suspicious :D I uploaded passxoverdesigner5.1.exe here

    up.gif

    AVG sees macros ? in passxoverdesigner5.1.exe. I presume it's the UPX that fools it ?

    On to today's scans. On the first run it detected these

    hmp2.gif

    About 5 minutes later on a second scan both Find_Dll.exe & passxoverdesigner5.1.exe were no longer detected :eek: I presume some fast analysis, or something ?

    Also notice how quite a number of yesterday's detects are no longer detected. On 2 detects there are NO options or click-to-expand buttons ?

    I tried to do a scrolling screenie of the expanded vendor detects, but it's gone a bit wobbly. Don't know why ? I've included it anyway as I was asked to, but hopefully you should be able to make sense of it ;)

    det.gif

    I also saved the XML file and converted it to .txt

    View attachment log.txt

    Spyshelter is also listed in there :D which I do have but haven't installed, but it's not in any of the actual scan screenies ? Anyway it's a FP too :p

    passxoverdesigner5.1.exe is also detected by my installed Prevx; I've marked it as a FP.

    When the scan had finished, I selected streamviewer.45132.exe to be deleted, so clicked NEXT, but it was NOT ?

    *

    I've ended up spending a LOT more time on this than I initially envisaged, so I'm beginning to wish I hadn't started playing with it :D
     
  23. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Thanks for the reply, image, and text file. :) It seems almost all the scan engines identified those files, meaning a user with g-data, eset, prevx, or a-squared should see a similar number of false positives.

    Everyone is entitled to their own opinion whether they like a product or not. People just have to ask: if an AV cruises right past these relatively unknown programs, would you trust it to identify unknown software?

    Overall, I think HMP is a valuable backup scanner. YouTube videos aren't a gauge of a program's performance, but if you skip to the end of many videos from languy99, hitman pro does a solid job in identifying the files missed.

    Once vendors start adding new files from say portableapps, portablefreeware, majorgeeks, nirsoft, to name a few, you'll see the FPs will decrease. Either that, or once more people start using the product, more people will do the job for you in reporting FPs.
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,027
    Location:
    Hengelo, The Netherlands
    Impact

    I ran a couple of queries against the files in question to determine the impact of these alleged false positives among our users. I also included the VT scores (not sure I can post these but I did not include the links in my defense :doubt:).

    The impact column denotes the actual number of users with the specified file (based on the SHA-256 hash).
    Code:
    Impact    VT Name
    ------ ----- -----------------
    17      7/42 foldermon.exe
    32      4/39 AntiTest.exe
    60     18/42 AntiTest2.exe
    16      5/42 setupfree_001.exe
    17      7/42 foldermon.exe
    17      8/42 errordesc.exe
    1      26/42 IceSword.exe
    1       1/42 kprocesshacker.sys
    1       6/42 rkstart.EXE
    1      18/42 ioport.sys
    1       9/42 UnPrevx.exe
    5       7/42 Find_Dll.exe
    12     17/42 RkU3.8.342.554.exe
    5      25/42 SysProt.exe
    1      25/42 streamviewer.45132.exe
    9       1/42 passxoverdesigner5.1.exe
    How to interpret these results
    For example, errordesc.exe was found by Hitman Pro on 17 different computers. Hitman Pro has millions of users so the impact of this alleged false positive is extremely low.

    I agree, some of these files are actual FPs (like kprocesshacker.sys). But since we largely rely on our users to report FPs, these FPs will not get resolved due to the low number of users that have these special files.

    Judging a product on just these rare files won't do any AV product justice. I am sure AV Comparatives, AV-test or Virus Bulletin do not use these files in their test sets. Most of these files can be used with bad and good intentions.
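    As an added illustration (not code from the post or from Hitman Pro), the following script parses the Impact / VT table above and lists the low-consensus files in order of how many users actually have them, which is the order in which FP reports would matter most given the point made above. The 25% consensus threshold is an assumption for illustration.

```python
import re
from dataclasses import dataclass

# Constructed copy of the table as posted (Impact = users with that SHA-256).
IMPACT_TABLE = """\
Impact    VT Name
------ ----- -----------------
17      7/42 foldermon.exe
32      4/39 AntiTest.exe
60     18/42 AntiTest2.exe
16      5/42 setupfree_001.exe
17      7/42 foldermon.exe
17      8/42 errordesc.exe
1      26/42 IceSword.exe
1       1/42 kprocesshacker.sys
1       6/42 rkstart.EXE
1      18/42 ioport.sys
1       9/42 UnPrevx.exe
5       7/42 Find_Dll.exe
12     17/42 RkU3.8.342.554.exe
5      25/42 SysProt.exe
1      25/42 streamviewer.45132.exe
9       1/42 passxoverdesigner5.1.exe
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)/(\d+)\s+(\S+)\s*$")

@dataclass
class Row:
    impact: int    # users seen with this exact file hash
    hits: int      # VT engines that flagged the file
    engines: int   # VT engines that scanned the file
    name: str

def parse_impact_table(text: str) -> list[Row]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and dashed lines never match and are skipped
            rows.append(Row(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rows

def fp_candidates(rows: list[Row], max_ratio: float = 0.25) -> list[str]:
    """Files flagged by fewer than max_ratio of engines (assumed threshold),
    most-affected users first; duplicate names keep their highest impact."""
    best: dict[str, int] = {}
    for r in rows:
        if r.hits / r.engines < max_ratio:
            best[r.name] = max(best.get(r.name, 0), r.impact)
    return sorted(best, key=best.get, reverse=True)
```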
     
  25. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Erik, interesting post. It highlights how uncommon some of the programs we rely on and use as 'security enthusiasts/professionals' may be. More people are using these programs, but using the programs and using Hitman Pro creates an even lower number.

    Given the VT results, most of the programs would appear to be packed as CloneRanger said, with UPX, and have the same qualities as malware, or could be used to a degree, for not everyday normal purposes.

    From the results you posted, Hitman Pro shouldn't be producing many more FPs than your typical AV. Maybe slightly more, given the number of scanning engines, but that's a fair trade (for increased security).
     