Process Hacker now seen as malware by Windows Defender.

oafsalot
New User
Posts: 1
Joined: 29 Nov 2019, 21:47
OS: Win 10
Location: UK

Process Hacker now seen as malware by Windows Defender.

Post by oafsalot »

Just had to reinstall Process Hacker, only to be met by a warning upon running it that it was a virus.

Had to allow it in Windows Defender and then reinstall for a third time.

This is not good.

Oafs

wowjustwow
New User
Posts: 1
Joined: 30 Nov 2019, 06:23
OS: 10
Location: United States

Re: Process Hack now seen as malware by Windows Defender.

Post by wowjustwow »

I about had a heart attack. I've been using Process Hacker for 3 years and never had any issue. I originally got it to monitor when windows 10 was doing funky and unwanted things in the background and now suddenly it's malware? Uh huh, Microsoft... sure it is..

orion44
Member
Posts: 3
Joined: 15 Sep 2016, 19:46
OS: Windows 7 64bit

Re: Process Hack now seen as malware by Windows Defender.

Post by orion44 »

Same here, flagged as malware as soon as I opened Process Hacker. Guess those security experts at Microsoft know what's up.

expert_vision
Member
Posts: 6
Joined: 02 Mar 2014, 19:06
OS: Windows 7 64bit

Re: Process Hack now seen as malware by Windows Defender.

Post by expert_vision »

Looks like they made a dedicated thread ID for it https://www.microsoft.com/en-us/wdsi/th ... 2147221926.
Maybe this can be addressed with Microsoft.

HighGuard
Member
Posts: 3
Joined: 04 Dec 2019, 12:12
Location: UK

Re: Process Hack now seen as malware by Windows Defender.

Post by HighGuard »

There are more Process Hacker 2 users on other forums (Malwarebytes) who've run into this new problem. It does not just affect Defender but also MSE (Microsoft Security Essentials) which almost certainly uses the same MS definitions.

No other security software is reporting any problems so why PH2 is suddenly being flagged as a hack tool threat MS need to explain.

That thread linked to by expert_vision is pretty much useless, as are so many MS help pages, but the fact the article is there and published only last week, just before the most recent Defender/MSE definitions updates causing these reports is suspicious. Just look at the primary source of concern cited in the article:-
Hacktools can be used to patch or "crack" some software so it will run without a valid license or genuine product key.
It's not that hack tools can be used to gain remote access to your PC, stuff up your system and steal your money, no, it is MS suddenly being concerned that hack tools can be used for that including Windows OS and other MS products. Can PH2 even be used for that? Has it ever been used in this way? MS probably also do like the fact PH2 can be used as a replacement for Task Manager and is more useful. It is good at highlighting and locating MS snooping software which they've a habit of sneaking onto our computers as "important" updates.

The fact is MSE and I assume Defender have been happy with PH2 for years so this is new behaviour and undoubtedly the result of the MS definitions update - whether deliberate or accidental awaits to be seen.

What is ironic is that if you're using the 64bit version of PH2 the quarantined files do not include the x86 folder which contains the 32bit ProcessHacker.exe. Pretty dumb if this is an intentional change for genuine security reasons.

expert_vision
Member
Posts: 6
Joined: 02 Mar 2014, 19:06
OS: Windows 7 64bit

Re: Process Hack now seen as malware by Windows Defender.

Post by expert_vision »

Good news. It looks like the threat detection was a mismatch.
They've updated the threat ID page:
https://www.microsoft.com/en-us/wdsi/th ... 2147221926
I think they meant to detect a modified version of Process Hacker that was used with malware intention, but the signature also matched the legitimate version.
The page now says:
"NOTE: Previous detections under this name also applied to legitimate, unmodified versions of Process Hacker that have been used for malicious purposes. We have addressed these incorrect detections starting with security intelligence version 1.307.674.0 released December 17, 2019. Detections under this name now apply only to modified versions of Process Hacker. Microsoft, however, continues to maintain behavioral detections that can catch malicious use of the legitimate tool."

I can also confirm that Windows Defender no longer removes the legitimate version. Every time I wanted to start Process Hacker I had to go to Windows Security > Threat History > Quarantined Threats and click Restore files. But for the last 2-3 weeks I no longer had to do that; it is no longer removed. Yay!
