
Daytime506
Posted

Hey, I'll keep this brief: the antivirus is false-flagging System Informer and my hosts file on a new installation of Windows. I can't provide a screenshot because my entire system is being scanned by Tron. Just DIY, remove the false negative, ty.

harlan4096
Posted

Welcome to Kaspersky Community.

This is a topic that has been widely discussed in recent years.

The reason Kaspersky and other AV solutions still detect Process Hacker/System Informer, from a post taken from an ESET forum thread:

Quote

Process Hacker

Another example of such a driver is the Process Hacker driver. This driver exposes an IOCTL interface that looks very promising.

Process Hacker can be used to open a handle to a process from kernel mode or call ZwTerminateProcess. Another cool functionality is: Process Hacker has an IOCTL for reading the memory of other processes. This can be abused to read the memory of processes like lsass.exe to dump credentials. This of course, can be used to bypass protections like NtReadVirtualMemory hooks and the threat intelligence ETW…

Just take an interesting product that has a driver and try to hack with it - I'm sure you'll start collecting them (like me ;))

Quote

"Add to this I assume Process Hacker, like Process Explorer, can load their kernel mode driver "on-the-fly" thereby bypassing Win Secure Boot protection."

https://repnz.github.io/posts/abusing-signed-drivers/

Here is another link from TrendMicro.

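The post above explains why AV products treat the Process Hacker/System Informer driver as dual-use: once loaded, it hands any caller kernel-level process access. From the defender's side, the corresponding control is to notice when such drivers get loaded at all, especially "on-the-fly" from a non-system directory. The script below is an added illustration written for this thread, not code from Kaspersky, System Informer or the quoted ESET post. It parses constructed Sysmon-style DriverLoad (Event ID 6) records and flags loads that hit a watchlist, come from outside the system drivers directory, or are unsigned. The log lines, the watchlist entry `processhacker-driver.sys`, the hashes and the vendor name are all constructed placeholders, not real artifacts.

```python
"""Flag suspicious kernel driver loads in Sysmon-style DriverLoad records.

Added example for the thread above; the records below are constructed and
use the field names of Sysmon Event ID 6 (DriverLoad), with made-up values.
"""

import re
from dataclasses import dataclass

# Constructed sample records (not real captures). Quoted values may contain
# spaces; unquoted values run to the next whitespace.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" '
    'Hashes="SHA256=AAAA" Signed=true Signature="Microsoft Windows"',
    'EventID=6 ImageLoaded="C:\\Program Files\\SomeTool\\processhacker-driver.sys" '
    'Hashes="SHA256=BBBB" Signed=true Signature="Placeholder Vendor"',
    'EventID=6 ImageLoaded="C:\\Users\\alice\\AppData\\Local\\Temp\\loader.sys" '
    'Hashes="SHA256=CCCC" Signed=false Signature="-"',
    'EventID=7 Image="C:\\Windows\\explorer.exe"',  # not a driver load; ignored
]

# Placeholder watchlist of driver image basenames (lower-case). A real
# deployment would key on file hashes published in vendor advisories.
WATCHLIST = {"processhacker-driver.sys"}

# Drivers shipped with Windows live here; a driver loaded from anywhere else
# was brought along by an application and deserves a second look.
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# key=value pairs, where the value is either "double quoted" or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    image: str
    reasons: list


def parse_event(line):
    """Split one key=value record into a dict of field -> value."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD_RE.finditer(line)
    }


def assess_driver_load(event):
    """Return a Finding for a DriverLoad event, or None if nothing stands out."""
    if event.get("EventID") != "6":
        return None
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in WATCHLIST:
        reasons.append("watchlisted dual-use driver")
    if not image.lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append("loaded from outside the system drivers directory")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned image")
    return Finding(image, reasons) if reasons else None


def scan(lines):
    """Run every record through the assessment and collect the findings."""
    findings = []
    for line in lines:
        finding = assess_driver_load(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image}: {', '.join(f.reasons)}")
```

The watchlist alone would miss a renamed copy of the driver, which is why the path and signature checks run independently: a legitimately signed driver loaded from a user-writable directory is exactly the "on-the-fly" case the quoted post describes, and it is surfaced even when the basename is unknown.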
Daytime506
Posted (edited)

It's just a really good open-source tool misused by bad actors. Should cmd and/or PowerShell be flagged by the antivirus as malicious because they can execute RCE?

It also flagged my C:\Windows\System32\drivers\etc\hosts as malware too (it's a new installation of Windows).


Edited by Daytime506 (edit note: context)
