
SAS detecting a Process Explorer key as Security.Hijack


4 replies to this topic

#1 pudelein

pudelein

    Newbie

  • Members
  • 5 posts

Posted 03 July 2010 - 02:56 PM

I use Sysinternals Process Explorer (actually now a Microsoft product!) as a replacement for the normal Windows Task Manager. In my most recent scan, this morning, using database 5152, trace 2964, SAS detects "Security.Hijack [ImageFileExecutionOptions]" as a malicious Registry key (actually two such). The key reported is HKLM\Software\Microsoft\Windows NT\Current Version\ImageFileExtensionOptions\TaskMgr.exe. This key contains the data "Debugger" which contains "C:\Program Files\Sysinternals Tools\ProcessExplorer\procexp.exe". The path is local to my system; I keep a group of Sysinternals tools executables there. It is NOT a hijack and should not be detected as such. It was not detected last week with what is apparently the same database, but with a different Trace (which I did not record, unfortunately).

Further data: I use Windows XP SP3 Home Edition; SAS 4.40.1002; Process Explorer 12.1.0.0 (used since November 2007).

#2 SUPERAntiSpy

SUPERAntiSpy

    Site Admin

  • Administrators
  • 3,809 posts
  • Location: Eugene, OR

Posted 03 July 2010 - 05:20 PM

> I use Sysinternals Process Explorer (actually now a Microsoft product!) as a replacement for the normal Windows Task Manager. In my most recent scan, this morning, using database 5152, trace 2964, SAS detects "Security.Hijack [ImageFileExecutionOptions]" as a malicious Registry key (actually two such). The key reported is HKLM\Software\Microsoft\Windows NT\Current Version\ImageFileExtensionOptions\TaskMgr.exe. This key contains the data "Debugger" which contains "C:\Program Files\Sysinternals Tools\ProcessExplorer\procexp.exe". The path is local to my system; I keep a group of Sysinternals tools executables there. It is NOT a hijack and should not be detected as such. It was not detected last week with what is apparently the same database, but with a different Trace (which I did not record, unfortunately).
>
> Further data: I use Windows XP SP3 Home Edition; SAS 4.40.1002; Process Explorer 12.1.0.0 (used since November 2007).


I would simply trust that detection as many threats do the exact same thing.

#3 paradj

paradj

    Newbie

  • Members
  • 2 posts

Posted 23 September 2010 - 05:12 PM

> I would simply trust that detection as many threats do the exact same thing.

Not if what SAS is looking at is wrong...
Maybe it needs to check and see exactly what is in those keys as opposed to what is assumed.
Any scanner worth its salt should verify the contents of its pointers and not just go by the reg key placement.
One of the aspects of Process Explorer that I value is its ability to verify running components.
Please do more than just suspect the key value. :rolleyes:
...if you saw it on TV stay the @#$% away from it!

#4 LxCi

LxCi

    Member

  • Members
  • 18 posts
  • Location: Here not there . . .

Posted 19 August 2012 - 01:50 PM

Administrator,
I also have this same message with the same SysInternals, now a part of Microsoft, "procexp.exe" with the option to replace the Task Manager of Windows, which I have done. This should NOT be labeled as a threat, much less a CRITICAL one. It is valid Microsoft software created by Mark Russinovich when he had the company SysInternals, now added to Microsoft.
TIA, CU L8R,
LxCi


#5 LxCi

LxCi

    Member

  • Members
  • 18 posts
  • Location: Here not there . . .

Posted 19 August 2012 - 01:55 PM

Administrator,
These are my versions, copied from your website, as I have just done an update this morning:
Core Definitions 9083 08/18/2012 01:10AM PDT 11584KB Download
Installer Trace Definitions 6895

TIA, CU L8R,
LxCi

P.S. The entry "#Debugger" was entered by Process Explorer and added the path to my copy of SysInternals' program as quoted in previous message.

Here is the log created by SuperAntiSpyware FREE Edition below the asterisk (*) line:

*************************************************************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/19/2012 at 07:39 AM

Application Version : 5.5.1012

Core Rules Database Version : 9083
Trace Rules Database Version: 6895

Scan type : Quick Scan
Total Scan Time : 00:04:40

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Limited User

Memory items scanned : 508
Memory threats detected : 0
Registry items scanned : 57490
Registry threats detected : 2
File items scanned : 10313
File threats detected : 0

Security.HiJack[ImageFileExecutionOptions]
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE#Debugger

Edited by LxCi, 19 August 2012 - 02:35 PM.

TIA, CU L8R,
LxCi
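As an added example (not code from this thread or from SUPERAntiSpyware), the kind of check paradj asks for: parse the IFEO detection lines from a SAS log like the one above and judge each hit by what the Debugger value actually points to, rather than by key placement alone. The registry snapshot, the extra sample hit and the benign-name list are constructed assumptions; on a real machine the Debugger values would be read with winreg.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the two IFEO detection lines from the SAS log above.
SAMPLE_LOG = r"""
Security.HiJack[ImageFileExecutionOptions]
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE#Debugger
"""

# Constructed snapshot of IFEO Debugger values (image name -> Debugger data),
# standing in for what a real triage script would read from the registry.
IFEO_SNAPSHOT = {
    "taskmgr.exe": r"C:\Program Files\Sysinternals Tools\ProcessExplorer\procexp.exe",
}

# Debugger targets that are a well-known legitimate use of the IFEO Debugger
# value: Process Explorer's "Replace Task Manager" option writes this entry.
KNOWN_BENIGN_DEBUGGERS = {"procexp.exe", "procexp64.exe"}

# Matches "...Image File Execution Options\<image>" with an optional "#<value>" suffix,
# which is how the SAS log names a registry value under a key.
IFEO_RE = re.compile(
    r"Image File Execution Options\\(?P<image>[^#\\]+?)(?:#(?P<value>\w+))?$",
    re.IGNORECASE,
)

def parse_ifeo_hits(log_text):
    """Return {image_name_lower: set(value_names)} for IFEO lines in a SAS log."""
    hits = {}
    for line in log_text.splitlines():
        m = IFEO_RE.search(line.strip())
        if not m:
            continue
        image = m.group("image").lower()
        hits.setdefault(image, set())
        if m.group("value"):
            hits[image].add(m.group("value"))
    return hits

def triage(hits, snapshot):
    """Classify each hit by the executable the Debugger value names, not by the key alone."""
    verdicts = {}
    for image in hits:
        debugger = snapshot.get(image)
        if debugger is None:
            verdicts[image] = "no Debugger value set"
            continue
        exe = PureWindowsPath(debugger).name.lower()
        if exe in KNOWN_BENIGN_DEBUGGERS:
            verdicts[image] = f"likely benign: {exe} (Process Explorer task manager replacement)"
        else:
            verdicts[image] = f"review: debugger is {debugger}"
    return verdicts

if __name__ == "__main__":
    for image, verdict in triage(parse_ifeo_hits(SAMPLE_LOG), IFEO_SNAPSHOT).items():
        print(f"{image}: {verdict}")
```

A "likely benign" verdict still deserves a signature check on the named executable; the point is that the verdict comes from the Debugger data, not from the key existing.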
