Process Hacker and Windows discussion

 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

02 Aug 2017, 18:53

Same results as above when going from 846 to 848 without rebooting. However, with 852, I went from 848 to 852 without doing step 4 above except 852 extracted and it seems like Norton Security with Backup keeps autodetecting a bunch of the files in 852 as risky and deleted it, so I had to exclude, restored and then unzipped to overwrite files again, before the only file that was detected was kprocesshacker.sys in x64 and when running 852, both nsbu.exe processes got killed without any issues when Norton Tamper protection was still enabled. The only thing different is Norton File Insight seems to be flagging down every .exe and .dll file in 852 for having a bad reputation and not to be trusted while earlier builds only flagged down x64/kprocesshacker.sys.
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

03 Aug 2017, 14:56

Went from 852 to 855 without rebooting without doing step 4 above. Norton deleted the x86/kprocesshacker.sys like before so I had to exclude, restored and then unzipped to overwrite files again. Ran 855 with Norton Tamper protection enabled and both nsbu.exe processes says Access as denied.
 
User avatar
dmex
Admin
Posts: 1244
Location: Australia

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

03 Aug 2017, 23:37

Almighty1 wrote:
03 Aug 2017, 14:56
Went from 852 to 855 without rebooting without doing step 4 above. Norton deleted the x86/kprocesshacker.sys like before so I had to exclude, restored and then unzipped to overwrite files again. Ran 855 with Norton Tamper protection enabled and both nsbu.exe processes says Access as denied.
I've submitted a whitelist request... It'll take a few days before I get a response.
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

04 Aug 2017, 01:03

Thanks, not sure why it seem to have blacklisted almost everything in 852.
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

04 Aug 2017, 19:14

Saw build 863 was out and basically this is what happened. Was running 855 with Norton Tamper protection enabled and then exited it without rebooting.
When I extracted with WinRAR to the desktop folder, Norton Security basically deleted the x64\kprocesshacker.sys:

Filename: kprocesshacker.sys
Threat name: WS.Reputation.1Full Path: c:\users\vince\desktop\processhacker-3.0.863-bin\x64\kprocesshacker.sys

____________________________

____________________________


On computers as of 
8/4/2017 at 9:40:07 AM

Last Used 
8/4/2017 at 9:43:26 AM

Startup Item 
No

Launched 
No

Threat type: Insight Network Threat. There are many indications that this file is untrustworthy and therefore not safe


____________________________


kprocesshacker.sys Threat name: WS.Reputation.1
Locate


Few Users
Hundreds of users in the Norton Community have used this file.

Mature
This file was released 1 year 4 months ago.

Medium
This file risk is medium.


____________________________


Source: External Media

Source File:
winrar_5.40_x86-x64.exe

File Created:
winrar.exe

File Created:
kprocesshacker.sys

____________________________


File Thumbprint - SHA:
220a2dcf4d597f9208c0e7fd7057a91e88e118d420f20aac8e75ae3e39a7ac22
File Thumbprint - MD5:
963f148316e193b2ae68c6cbf5f7b09a

So I run ProcessHacker.exe by right clicking and run as Admin and when I tried to kill the two nsbu.exe processes, it says Access is denied so I decided to try something else as Norton's File Insight always comes up and asks if I want to allow ProcessHacker.exe to run for each version before the nsbu.exe processes can be killed so I basically WinRAR extract and allowed it to replace all the files again and this time I ran ProcessHacker.exe by right clicking and run as Admin, this time Norton File Insight prompted to allow or deny access of running ProcessHacker.exe for this time only or always allowed or deny and I selected always allowed and with Norton still with Tamper Protection Enabled, I was able to successfully kill the nsbu.exe processes without issues and to test this even further.

With Norton still with tamper protection enabled.
I made a directory called temp in the desktop and then moved the 863's zip file into the temp folder, then right click and extracted the processhacker-3.0.863-bin.zip so Desktop\temp\processhacker-3.0.863-bin and when I run ProcessHacker.exe, Norton File Insight prompted to ask for access with the allow, deny, allow always option and I selected allow always and then I can kill the nsbu.exe successfully. So just to test this further.
I made a Desktop\temp2 folder and copied Desktop\temp\processhacker-3.0.863-bin folder to it so when I go to Desktop\temp2\processhacker-3.0.863-bin and run ProcessHacker.exe as admin, it doesn't have Norton File Insight prompting and just runs PH directly but basically I get the Access is denied when I try to kill the nsbu.exe processes so I exit PH again and run ProcessHacker.exe by right clicking and run as admin, this time, Norton File Insight prompted to ask about allowing/allowing always or denying access for ProcessHacker.exe and I select allow always and this time, I can kill both nsbu.exe processes without issues so basically it seems like unless Norton File Insight runs and adds the full path for ProcessHacker.exe to it's database, nsbu.exe will not allow killing by PH.
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

07 Aug 2017, 18:14

Saw 866 today and this was the results going from 863 to 866 without rebooting and Norton Tamper Protection was enabled the entire time.

1) Extracted processhacker-3.0.866-bin.zip to Desktop so it's under Desktop\processhacker-3.0.866-bin
2) Norton did not complain about the files so seems like everything is in the whitelist.
3) Ran ProcessHacker.exe in Desktop\processhacker-3.0.866-bin with Run Admin as after right clicking, Norton Download Insight came up and prompted to ask for access with the allow, deny, allow always option and I selected allow always but trying to kill nsbu.exe resulted in Access is Denied.
4) Made a Desktop\temp2 folder and extracted processhacker-3.0.866-bin.zip from Desktop\temp2 so it created the files in Desktop\temp2\processhacker-3.0.866-bin
5) Norton did not complain about any of the files so the whitelist works
6) Ran ProcessHacker.exe in Desktop\processhacker-3.0.866-bin with Run Admin as after right clicking, was able to kill both nsbu.exe processes without issues.
7) deleted the Desktop\temp2 folder
8) Extracted processhacker-3.0.866-bin.zip to Desktop so it's under Desktop\processhacker-3.0.866-bin
9) Norton did not complain about the files so seems like everything is in the whitelist.
10) Ran ProcessHacker.exe in Desktop\processhacker-3.0.866-bin with Run Admin as after right clicking, Norton Download Insight came up and prompted to ask for access with the allow, deny, allow always option and I selected allow always and this time it killed both nsbu.exe processes successfully.
 
User avatar
diversenok
Member
Posts: 23
OS: Windows 7 x64
Location: Source Code
Contact:

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

07 Aug 2017, 18:50

Seems like heuristic detection drops some privileges of a process or a driver before asking user and don't return them back on "allow always".
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

09 Aug 2017, 13:47

Went from 860 to 870 without rebooting and Norton Tamper Protection was enabled the entire time. Norton did not complain about any of the files so everything was whitelisted.

1) Extracted processhacker-3.0.870-bin.zip to Desktop so it's under Desktop\processhacker-3.0.870-bin
2) Norton did not complain about the files so seems like everything is in the whitelist.
3) Ran ProcessHacker.exe in Desktop\processhacker-3.0.870-bin with Run Admin as after right clicking, was able to kill both nsbu.exe processes without issues.
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

09 Aug 2017, 13:54

System rebooted last evening as Windows 10 Automatic Updates restarted it after patch tuesday even though I have the reboot disabled which did disable for the past few years except for last night. So ran 870 upon rebooting.

Saw 872 of PH available this AM so basically went from 870 to 872 without rebooting and Norton Tamper Protection was enabled the entire time.

1) Extracted processhacker-3.0.872-bin.zip to Desktop so it's under Desktop\processhacker-3.0.872-bin
2) Norton complained about every .exe and every .dll and deleted it having a bad reputation. I excluded every file but the x64/processhacker.exe kept getting deleted until I extracted processhacker-3.0.872-bin.zip to Desktop and overwrited all files and replaced deleted ones so it's under Desktop\processhacker-3.0.872-bin and then had to manually right click on processhacker-3.0.872-bin\x64\ProcessHacker.exe and selected Norton File Insight under Norton Security with Backup and then manually trusted the file before everything worked.
3) Ran ProcessHacker.exe in Desktop\processhacker-3.0.872-bin with Run Admin as after right clicking, was able to kill both nsbu.exe processes without issues.
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

13 Aug 2017, 14:00

Saw build 897 of PH available this AM so basically went from 872 to 897 without rebooting and Norton Tamper Protection was enabled the entire time.

1) Extracted processhacker-3.0.897-bin.zip to Desktop so it's under Desktop\processhacker-3.0.897-bin
2) Norton did not complain about the files so seems like everything is in the whitelist.
3) Ran ProcessHacker.exe in Desktop\processhacker-3.0.897-bin with Run Admin as after right clicking, Norton Download Insight came up and prompted to ask for access with the allow, deny, allow always option and I selected allow always and was able to kill both nsbu.exe processes without issues.
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

14 Aug 2017, 21:55

Saw build 900 of PH available just a few moments ago so basically went from 897 to 900 without rebooting and Norton Tamper Protection was enabled the entire time.

1) Extracted processhacker-3.0.900-bin.zip to Desktop so it's under Desktop\processhacker-3.0.900-bin
2) Norton did not complain about the files so seems like everything is in the whitelist.
3) Ran ProcessHacker.exe in Desktop\processhacker-3.0.900-bin with Run Admin as after right clicking, Norton Download Insight came up and prompted to ask for access with the allow, deny, allow always option and got the following error even though PH did run. So I closed PH.
Image
4) Ran ProcessHacker.exe in Desktop\processhacker-3.0.900-bin with Run Admin as after right clicking, got the same error as step #3 above even though PH did run. Trying to kill nsbu.exe resulted in Access is Denied.
5) After turning off Norton Tamper Protection, was able to kill both nsbu.exe processes successfully.
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

14 Aug 2017, 23:17

False alarm as I got the same error trying to run 897 again and step #2 below fixed it.

Looks like the driver was somehow still running which was fixed as follows:
1) Open an elevated command prompt - made sure command prompt has 'Administrator' in the window title
2) Execute:
sc stop KProcessHacker3
sc delete KProcessHacker3
8) Didn't see "[SC] DeleteService SUCCESS" as the error is as follows:
C:\WINDOWS\system32>sc delete KProcessHacker3
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

After this:
Ran ProcessHacker.exe in Desktop\processhacker-3.0.900-bin with Run Admin as after right clicking, was able to kill both nsbu.exe processes successfully with Norton Tamper Protection on.
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

15 Aug 2017, 17:01

Saw build 902 of PH available just a few moments ago so basically went from 900 to 902 without rebooting and Norton Tamper Protection was enabled the entire time.

1) Extracted processhacker-3.0.902-bin.zip to Desktop so it's under Desktop\processhacker-3.0.902-bin
2) Norton did not complain about the files so seems like everything is in the whitelist.
3) Ran ProcessHacker.exe in Desktop\processhacker-3.0.902-bin with Run Admin as after right clicking, Norton Download Insight came up and prompted to ask for access with the allow, deny, allow always option. Was able to kill both nsbu.exe processes successfully.
 
User avatar
dmex
Admin
Posts: 1244
Location: Australia

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

16 Aug 2017, 15:46

Almighty1 wrote:
15 Aug 2017, 17:01
Norton did not complain about the files so seems like everything is in the whitelist.
I guess Symantec fixed those issues with Norton. I'll close the ticket :thumbup:
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

16 Aug 2017, 20:06

Yep, looks like they did and great job with the whitelist!

Saw build 910 of PH available just a few moments ago so basically went from 902 to 910 without rebooting and Norton Tamper Protection was enabled the entire time.

1) Extracted processhacker-3.0.910-bin.zip to Desktop so it's under Desktop\processhacker-3.0.910-bin
2) Norton did not complain about the files so seems like everything is in the whitelist.
3) Ran ProcessHacker.exe in Desktop\processhacker-3.0.910-bin with Run Admin as after right clicking, Norton Download Insight came up and prompted to ask for access with the allow, deny, allow always option. Was able to kill both nsbu.exe processes successfully.
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

Yesterday, 13:39

Saw 913 of PH available this AM so basically went from 910 to 913 without rebooting and Norton Tamper Protection was enabled the entire time.

1) Extracted processhacker-3.0.913-bin.zip to Desktop so it's under Desktop\processhacker-3.0.913-bin
2) Norton complained about every ProcessHacker.exe file and deleted it having a bad reputation which is strange as it seems to be picky one day while being file the day before. I excluded every file but the ProcessHacker.exe kept getting deleted until I extracted processhacker-3.0.913-bin.zip to Desktop and overwrited all files and replaced deleted ones so it's under Desktop\processhacker-3.0.913-bin and then had to manually right click on the ProcessHacker.exe's and selected Norton File Insight under Norton Security with Backup and then manually trusted the file before everything worked.
3) Ran ProcessHacker.exe in Desktop\processhacker-3.0.913-bin with Run Admin as after right clicking, was able to kill both nsbu.exe processes without issues.
 
Almighty1
Member
Posts: 29
Location: San Francisco, California USA

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

Today, 05:33

Saw 916 of PH available so basically went from 913 to 916 without rebooting and Norton Tamper Protection was enabled the entire time.

1) Extracted processhacker-3.0.916-bin.zip to Desktop so it's under Desktop\processhacker-3.0.916-bin
2) Norton did not complain about the files so seems like everything is in the whitelist.
3) Ran ProcessHacker.exe in Desktop\processhacker-3.0.916-bin with Run Admin as after right clicking, Norton Smart Firewall came up saying ProcessHacker.exe did not have a valid signature and asked to allow/deny access and I selected allow. Was able to kill both nsbu.exe processes without issues.
 
User avatar
dmex
Admin
Posts: 1244
Location: Australia

Re: Unable to kill nsbu.exe ever since 3.0.797 nightly build

32 minutes ago

Almighty1 wrote:
Yesterday, 13:39
deleted it having a bad reputation which is strange as it seems to be picky one day while being file the day before.
The ws1.reputation 'detection' is based entirely on how many other Norton users have those exact same files and how recently they were compiled. The nightly builds are always going to trigger the 'reputation' detection because they're always compiled less than 48 hours ago and not everyone is going to be using that same nightly version right away (since you can cancel the update prompt and it won't ask again for another week).

The nightly builds are never going to be out long enough to gain a 'reputation' and will always compiled less than a few days ago. The only options are going back to the stable version or changing your Norton settings to make sure w/e setting hasn't been set too 'aggressive'.

The only issue that we care about is the one where Norton decided to ignore the "always allow" option and continue blocking Process Hacker anyway and that's what Symantec have apparently fixed in recent versions.

Who is online

Users browsing this forum: dmex and 1 guest