Thread split - Rollback and Hitman issue

Discussion in 'other anti-malware software' started by Bodhitree, Jan 18, 2013.

Thread Status:
Not open for further replies.
  1. Bodhitree

    Bodhitree Registered Member

    Joined:
    Dec 5, 2012
    Posts:
    567
    Re: Trouble with Hitman Pro and WSA complete

    HMP has a LOT of false positives. It picks up RollbackRX as a rootkit and potentially can destroy your Windows installation. Be very very careful with HMP. I quit using it on client PCs due to the FPs causing dangerous issues. This isn't WSA's issue to be honest.
     
  2. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    Re: Trouble with Hitman Pro and WSA complete

    As I mentioned in another thread, it seems a user of HMP needs to set HMP disk access to Compatible Disk Access instead of Direct Disk Access. I've now found the thread where this was originally discussed: www.wilderssecurity.com/showthread.php?t=330839

    As for WSA, I was correct in that earlier versions of WSA did detect Rollback Rx, but some logic has been applied to try to minimise the risks of this happening. (See: https://www.wilderssecurity.com/showthread.php?t=314061)

    It is a difficult task since Rollback Rx does modify the MBR; it's a case of finding the best way to acknowledge this without marking it as malware.
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,032
    Location:
    Hengelo, The Netherlands
    Re: Trouble with Hitman Pro and WSA complete

    That's a bit unfair because RollbackRX -is by definition a rootkit-. It hooks into miniport and hides the MBR (serves a different MBR to Windows). Also TDSSkiller, aswMBR and EAM (or any other AV with a proper antirootkit component) have/had issues with it in the past:
    https://www.wilderssecurity.com/showpost.php?p=2088299&postcount=13

    HitmanPro or any other anti-rootkit tool (ARKs) is reading from physical disk while most regular AVs just ask Windows for files. Rootkits serve Windows fake information and therefore ARKs cannot rely on Windows. RollbackRX serves a fake file system and is therefore a rootkit. It's been said that HitmanPro is an 'aggressive scanner' but honestly, it just reads what's really there, and not faked sectors served by software.

    We've fixed RollbackRX conflicts before (see our release notes) and our advice has been to run HitmanPro in "compatible disk access" mode (in addition). See also:
    https://www.wilderssecurity.com/showpost.php?p=2105349&postcount=6

    In any case, one can contact me directly with HitmanPro issues or FPs. This is the quickest path to get things resolved, as can be confirmed by several Wilders members.

    Hope this helps.
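
Added example, not part of the thread and not HitmanPro's code: the cross-view comparison described in the post above, reduced to sector 0 (the MBR). It assumes the two 512-byte reads were already captured, one as served through the running OS and one taken below it (for example from offline media); the sample buffers are constructed and all function names are hypothetical.

```python
import hashlib
import struct

SECTOR = 512
# Added illustration (hypothetical names): classic MBR regions as byte ranges
REGIONS = {
    "boot_code": (0, 440),
    "disk_signature": (440, 444),
    "partition_table": (446, 510),
    "boot_signature": (510, 512),
}

def parse_partitions(mbr):
    """Decode the four 16-byte partition entries, skipping empty ones."""
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts

def cross_view_diff(os_view, raw_view):
    """Return the names of MBR regions that differ between the two reads."""
    for name, buf in (("os_view", os_view), ("raw_view", raw_view)):
        if len(buf) != SECTOR:
            raise ValueError(f"{name}: expected {SECTOR} bytes, got {len(buf)}")
        if buf[510:512] != b"\x55\xaa":
            raise ValueError(f"{name}: missing 0x55AA boot signature")
    return [n for n, (a, b) in REGIONS.items() if os_view[a:b] != raw_view[a:b]]

def make_mbr(boot_code, lba_start, sectors):
    """Build a constructed sample MBR with one active NTFS (0x07) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, lba_start, sectors)
    mbr = boot_code.ljust(440, b"\x00") + b"\x11\x22\x33\x44" + b"\x00\x00"
    return mbr + entry + b"\x00" * 48 + b"\x55\xaa"

# Constructed sample data: same partition table, different boot code per view.
OS_VIEW = make_mbr(b"\xfa\x33\xc0" + b"A" * 64, 2048, 204800)
RAW_VIEW = make_mbr(b"\xeb\x5e\x90" + b"B" * 64, 2048, 204800)

if __name__ == "__main__":
    changed = cross_view_diff(OS_VIEW, RAW_VIEW)
    print("regions that differ:", changed or "none")
    for label, view in (("os", OS_VIEW), ("raw", RAW_VIEW)):
        print(label, hashlib.sha256(view[:440]).hexdigest()[:16], parse_partitions(view))
```

A reported difference only shows that something in the storage stack answers reads differently from what is on disk; as the thread notes, Rollback Rx does this too, so the result is a discrepancy to investigate rather than a verdict.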
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Re: Trouble with Hitman Pro and WSA complete

    It certainly does. Thank you
     