Process Hacker deleted: Microsoft brands competing product as malware

Update: Added Microsoft’s response. Fixed semantic error.

Update 2: Microsoft stops branding competitor as malware (6 January 2020)

An hour ago Windows Defender incorrectly deleted a benign utility app called Process Hacker from my system. Process Hacker is a free and open-source competitor of Microsoft’s own Process Explorer.

Screenshot of Process Hacker

Specifically, Windows Defender has identified Process Hacker as HackTool:Win64/ProcHack, a category of malware that “hacks” or edits processes with malicious intent. Despite the unfortunate coincidence of names, Process Hacker is no such malware. It has the same function as Microsoft’s own Process Explorer.

To claim that Process Hacker is a HackTool is similar to claiming all people whose family names are “Carpenter” are actual carpenters by profession, or all people whose family names are “Green” or “Greene” have green skins.

You can safely exclude Process Hacker from detection. Microsoft’s standing reputation says this is just an unfortunate mistake that they will resolve soon. Hopefully, we don’t have to migrate to other antivirus products.
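As an added example that is not part of the original post, this is the PowerShell sequence an administrator would use to review the detection, restore the quarantined file, verify the binary, and exclude only the installed copy rather than the whole signature. The install path is an assumption; adjust it to the real one.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Assumption: Process Hacker is installed in $phDir; change this to the real path.
$phDir = 'C:\Program Files\Process Hacker 2'
$phExe = Join-Path $phDir 'ProcessHacker.exe'

# 1. List what Defender actually recorded under the ProcHack signature name
#    (the wildcard also matches suffixed variants of the name).
$ids = (Get-MpThreat | Where-Object ThreatName -like 'HackTool:Win64/ProcHack*').ThreatID
Get-MpThreatDetection |
    Where-Object { $_.ThreatID -in $ids } |
    Select-Object ThreatID, InitialDetectionTime, Resources

# 2. If the file was quarantined rather than deleted, restore it by detection
#    name with Defender's own command-line tool.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -Name 'HackTool:Win64/ProcHack'

# 3. Verify what you are about to trust: Authenticode status and SHA-256 hash.
#    Compare the hash with the value published by the project for that release.
Get-AuthenticodeSignature $phExe | Select-Object Status, SignerCertificate
Get-FileHash -Algorithm SHA256 $phExe

# 4. Exclude only that directory, so every other file stays scanned.
#    Undo later with: Remove-MpPreference -ExclusionPath $phDir
Add-MpPreference -ExclusionPath $phDir
(Get-MpPreference).ExclusionPath
```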

Addendum: Microsoft’s response

Today, I submitted Process Hacker for re-evaluation as a false positive. To my surprise, Microsoft responded that they uphold their decision. This means that Microsoft’s anti-virus software is hindering fair competition and disrupting a competing product. (Beware of Hanlon’s razor.)

Analyst comments: We have determined that the files meet our criteria for detection. At this time detection will remain in place. More detailed information about the approach and criteria categories currently used by the Microsoft researchers are available here: https://www.microsoft.com/en-us/wdsi/antimalware-support/malware-and-unwanted-software-evaluation-criteria. Thank you for contacting Microsoft
Microsoft’s response

Posted on 2019-11-29, in Windows Administration. 6 Comments.

  1. Kurt Bachtold

    Yeah, I just ran into this today as well. Only other discussion I’ve seen about it here: https://wj32.org/processhacker/forums/viewtopic.php?f=5&t=3729


  2. Testerhood

    Thanks for posting this. I just googled this topic after Microsoft turned me down too. I got the same response on the submission details page. It’s ridiculous.


  3. It is not just Defender it is MSE (Microsoft Security Essentials) as well.

    Agreed, utterly ridiculous MS response and behaviour.

    Process Hacker (2) has been around for years and even recommended on PC security software web sites as a good alternative to Task Manager. It has three times helped me to identify and locate “telemetry” gathering software foisted onto my PC by MS as Windows updates.


  4. I doubt Hanlon’s Razor applies here since the file has been submitted for re-analysis several times and they have explicitly said they consider it malware. This can only be them trying to remove competition of their default/official tools.


  5. Oh, yes, I forgot to write that. Indeed, all Microsoft anti-malware products use the same engine, called Microsoft Antimalware Engine. (I have even copied virus definitions from MSE to Defender.) So, Defender, MSE, Defender Offline, Endpoint Protection, and Intune are expected to show the same behavior.


  6. Has anyone else noticed that if you scan PH2 64bits’ x86 folder which contains the PH2 32bit .EXE it (MSE) does not see that as a problem?

    Additionally even when running it does not flag PH2 as a problem at all, it only reports and acts on the ‘problem’ when you do a scan.

    This response to a supposedly high security threat highlights MS security software’s inadequacies. They’ve shot themselves in the foot and made their actions look even more ill-considered and badly implemented as a result than they did already.

