Solved

It seems I am getting FALSE positive for HITMAN PRO 3.7 as a rootkit.


Scan Started: Fri 2013-12-06 00:43:08
[r] System\CurrentControlSet\Services\hitmanpro37
[u] c:\program files (x86)\stardock\start8\start8_64.dll [MD5: 41A8BD7904C00AC9FE86A38C36982F80] [Flags: 00011001.7040]
[u] c:\windows\temp\crf000\audiosetup.exe [MD5: 28E857302E01FFBEDD53E67B8A6848EE] [Flags: 00001

Best answer by RetiredTripleHelix

@CommanderShran wrote:
Hi Daniel,
After restoring to the image with Webroot on it and scanning with max heuristics again it detects the registry keys, but when I lower the heuristics to enhanced based on age, origin, etc. it doesn't detect the registry keys anymore so I gave kudos to both of your posts about the heuristics. Still though I would like to be able to have the higher heuristics enabled.

Thanks for the help :D

Shran
Thanks, just contact support with the lines in the scan log that show the detections and they will correct it for you!
 
Cheers,
 
Daniel 😉

38 replies

shorTcircuiT
Gold VIP
  • Gold VIP
  • 7721 replies
  • December 6, 2013
That is rather interesting, but not entirely unexpected either.  The way HITMAN works may very well display behaviors similar to malware.
 
I would suggest you submit a Trouble Ticket, which is the suggested method of reporting for potential False Positives.

superssjdan
Community Leader
  • Community Leader
  • 354 replies
  • December 6, 2013
I usually run Hitman Pro a few times a week and haven't received that detection yet. I am assuming you downloaded your hitmanpro from www.surfright.nl versus downloading from another site. Definitely sounds like a false positive if that's the case. Webroot has always been great about responding to tickets quickly, especially false positives. I have found that every time I have submitted a FP, it was fixed within a few hours at the latest. Please keep us informed as things go along.

  • Author
  • Popular Voice
  • 50 replies
  • December 6, 2013
Ticket Created yesterday.
 
Yes I downloaded from Surfright, however this is what happened.
I downloaded the Hitman Pro Alert 2.5 beta with Cryptoguard.  link to it
I already have the Hitman Pro Alert 2.0 installed, so I updated the 2.0 to 2.5 and it prompted me to reboot the PC, but I told it to wait.  So I did not reboot the PC (had been working on stuff). 
Then after an hour or so I did the manual Webroot Scan (I do that before I hit the sack) and that's when it found the rootkit. 
 
So I assume the rootkit ID false positive is based on the fact that Webroot is detecting the path to the file and the version but it sees that the file is not "visible" or "running".  So it assumes the file is hidden and unseen by the OS...so it thinks it's a rootkit.
 
I don't know; it's a wild guess.
 
I have created a ticket and will check on the detectability once I get home this evening.

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • December 7, 2013
Hi tempnexus
 
Intrigued by your issue (and by the CryptoLocker malware) I have tried to reproduce what you have highlighted.  The only difference is that I did not have HitmanPro Alert 2.0 installed already when I installed v2.5 beta, and as such I did not get a prompt to reboot after installation (in fact installation was very, very snappy).
 
Ran a full scan just after installation and...nothing...so I can only assume that either the issue was specific to your system or (more likely) the Support Ticket has resulted in the review & whitelisting of HitmanPro Alert v2.5 beta components.
 
Looks like an interesting piece of functionality so I am going to keep it installed and see how it plays with WSA & KIS.
 
Please post back with your experiences as it will be useful for other Forum users...including me! ;)
 
Cheers
 
 
Baldrick
 
 

Shran
Community Leader
  • Community Leader
  • 314 replies
  • December 7, 2013
I am also getting a false positive but not for Hitman Pro, for Norton Internet Security. Webroot is giving me the same results as you marking the registry entries as rootkits and I've sent a support ticket. I'm sure they can get it sorted out for both of us :D
 
 
Shran

RetiredTripleHelix
Gold VIP
Do you both have Heuristics above Standard? As that could be why, as I have HMP x64 and it's not being detected, and I have mine on Max.
 
Daniel
 


Shran
Community Leader
  • Community Leader
  • 314 replies
  • December 7, 2013
Hi Daniel,

Yes I have my heuristics (had, past tense, I'm now back onto a system image that was made before I put Webroot on). I can't speak regarding Hitman Pro as I don't use it though.

Shran

RetiredTripleHelix
Gold VIP
@CommanderShran wrote:
Hi Daniel,

Yes I have my heuristics (had, past tense, I'm now back onto a system image that was made before I put Webroot on). I can't speak regarding Hitman Pro as I don't use it though.

Shran
When you go back to the other image can you put heuristics back to standard and run a scan to see if it still detects?
 
But in any case contact support and they will whitelist the files or in the case of the OP the Registry Entry.
 
Thanks,
 
Daniel 😉

Shran
Community Leader
  • Community Leader
  • 314 replies
  • December 7, 2013
Okay, I'll go ahead and restore my system to the image with Norton and Webroot and tell you what happens. That will take about 20 to 30 minutes, so I'll log into the forums on my tablet while that's running.

Talk again soon!

Shran

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • December 7, 2013
Hi Daniel
 
If it is of any help my heuristics are set to "Enhanced..." and I am not experiencing an issue with the software.  I will try changing the setting to 'Maximum' and see what that gives.
 
Regards
 
 
Baldrick
 
UPDATE:  Nothing detected with heuristics set to 'Maximum'. 😠

RetiredTripleHelix
Gold VIP
Hi Solly,
 
Same here, no detection, and for the OP it's a Registry Key being detected and could have been whitelisted on its own in the Cloud.
 
Daniel

Shran
Community Leader
  • Community Leader
  • 314 replies
  • December 7, 2013
Hi Daniel,
After restoring to the image with Webroot on it and scanning with max heuristics again it detects the registry keys, but when I lower the heuristics to enhanced based on age, origin, etc. it doesn't detect the registry keys anymore so I gave kudos to both of your posts about the heuristics. Still though I would like to be able to have the higher heuristics enabled.

Thanks for the help :D

Shran

RetiredTripleHelix
Gold VIP
@CommanderShran wrote:
Hi Daniel,
After restoring to the image with Webroot on it and scanning with max heuristics again it detects the registry keys, but when I lower the heuristics to enhanced based on age, origin, etc. it doesn't detect the registry keys anymore so I gave kudos to both of your posts about the heuristics. Still though I would like to be able to have the higher heuristics enabled.

Thanks for the help :D

Shran
Thanks, just contact support with the lines in the scan log that show the detections and they will correct it for you!
 
Cheers,
 
Daniel 😉

Shran
Community Leader
  • Community Leader
  • 314 replies
  • December 7, 2013
Already sent a ticket in!

Shran

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • December 7, 2013
Hi Shran
 
I understand what you mean re. "...would like to be able to have the higher heuristics enabled".  That was my thoughts when I first started using WSA but as far as I understand it one is perfectly safe/protected with the setting at 'Standard'.  Pushing it to 'Enhanced' or even 'Maximum' is what I would recommend only if there is a suspicion of infection...for the very reason that these higher settings are more likely to give what is generally termed False Positive...but what I call, in WSA's case, Overly Sensitive...;)
 
Regards
 
 
Solly

RetiredTripleHelix
Gold VIP
@ wrote:
Pushing it to 'Enhanced' or even 'Maximum' is what I would recommend only if there is a suspicion of infection...for the very reason that these higher settings are more likely to give what is generally termed False Positive...but what I call, in WSA's case, Overly Sensitive...;) 
Regards
 
 
Solly
Correct buddy, right on the nose!
 
And I always run at Max and have never seen a (FP) Overly Sensitive because of it!
 
Daniel

Shran
Community Leader
  • Community Leader
  • 314 replies
  • December 7, 2013
Hi Baldrick and Daniel,

Thank you both for your responses. I always like to have all my settings on the most aggressive levels. Also I read from someone else on these forums who said it's best to have them set to highest, so now I'm not sure :@

A glass of Romulan ale for all of us! (I can't post a picture of it though)!

Shran
 
I did it for you Cheers Daniel!


Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • December 7, 2013
Hi Shran
 
Completely understand your confusion at the conflicting advice.  The default setting is, I believe, "Standard" (Daniel, please correct me if I am incorrect here) and I trust Webroot to know what the normal settings should be.  But there is nothing wrong with maxing out the functionality...other than the risk of 'Overly Sensitives'...as previously stated.  If you can live with that then no problem. ;)
 
Regards
 
 
Solly

Shran
Community Leader
  • Community Leader
  • 314 replies
  • December 7, 2013
Hi Baldrick,

I went into the advanced settings > heuristics and clicked "reset to defaults" and it set it to "Enhanced based on age, origin, etc.". No over sensitive detections with that :D

Shran

Shran
Community Leader
  • Community Leader
  • 314 replies
  • December 7, 2013
Awesome thanks Daniel!!

I raise my glass to you all! :D

Shran

RetiredTripleHelix
Gold VIP
Yes, Virtual Pints for everyone, of age that is!
 
Daniel 😃

RetiredTripleHelix
Gold VIP
@ wrote:
Hi Shran
 
Completely understand your confusion at the conflicting advice.  The default setting is, I believe, "Standard" (Daniel, please correct me if I am incorrect here) and I trust Webroot to know what the normal settings should be.  But there is nothing wrong with maxing out the functionality...other than the risk of 'Overly Sensitives'...as previously stated.  If you can live with that then no problem. ;)
 
Regards
 
 
Solly
In some cases yes but I assume the install scan sets it to standard but on the Online Helpfile it shows as how Shran set it to default: http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C13_Settings/CH13d_AdjustingHeuristics.htm
 
Daniel 😠

Shran
Community Leader
  • Community Leader
  • 314 replies
  • December 7, 2013
Yes have to be old enough lol! What is the legal drinking age where you live if you don't mind my asking?
:D

Shran

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • December 7, 2013
Hi Shran
 
Thanks for the feedback.  I stand corrected on the default setting...good to have that confirmed (as I do not want to change my configuration at present). ;)
 
Anyway, glad the issue is sorted for you. :D 
 
Now, down to the important stuff...as all this Foruming is thirsty stuff...Daniel, where do you get the A ale from...is that your personal stash? ;)
 
Regards...to you both!
 
 
 
Solly

Shran
Community Leader
  • Community Leader
  • 314 replies
  • December 7, 2013
You're welcome Baldrick and thanks to you and Daniel both!

No, the Andorian Ale is my personal stash; the Captain of an Andorian Imperial Guard ship always keeps a stash hidden away for celebrations like these! (But I had to send some of my stash to Daniel so that he could post it! 😉 )

Cheers! :D
Shran
