Rkill - False Positives


11 replies to this topic

#1 Willqa

Willqa

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 29 July 2018 - 08:05 AM

I have just downloaded each of the 4 versions of Rkill from https://www.bleepingcomputer.com/download/rkill/

 

then, being of a suspicious nature, checked each with virustotal

 

Hence:

 

Sunday 29 July 2018
***WARNING*** Trojans
Every one of these links has a virustotal score of 8 or more,
and a falcon score of 87 or more.

I hope bleepingcomputer will fix the links (tomsguide has removed it)

There ARE versions which do have score zero and are clean.

Someone claiming to be rkill says its a safe false positive. Would you believe them?
Sadly, they are not safe. It suggests the rkill writer has been taken over (or is not competent).

 

 




#2 buddy215

buddy215

  • Moderator
  • 13,199 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:01:16 AM

Posted 29 July 2018 - 09:24 AM

Welcome to BC....

 

Those aren't different "versions". RKill is given different names to get past malware that often blocks security programs by name.

 

If you have reason to think your computer is infected with malware or adware....search misdirects, excessive ads, excessive use of CPU, etc. then follow the instructions below for starting a new topic in the malware removal forum.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,052 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:16 AM

Posted 29 July 2018 - 09:25 AM

Hi,

 

The rkill writer is Lawrence Abrams, aka Grinler, one of the Admins at BleepingComputer.

 

The tool is safe but as most of the security tools that can be found at this site, many of them are wrongly detected as Malware!

 

 

If your computer is infected and that's the reason you use RKill in the first place I recommend that you start a topic on the Malware Removal section of the forum to get specific help, start by following Step 6 of this guide.

 


• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:16 AM

Posted 29 July 2018 - 01:57 PM

As I replied to your comment in the Rkill download page:
  
You are completely mistaken. As the creator of Rkill, I can say with certainty that any detections on Rkill are false positives in the programs detecting it, which will be cleared up soon.
 
And you're wrong about Tomsguide. It's still there. They are just pointing to an expired link.
Unfortunately, tools that kill processes or target specific infections are detected by some AV companies as the infections themselves. While I ultimately get a new version whitelisted by these companies, every time I release a new version I have to deal with the same nonsense all over again.

#5 sscoolyssh

sscoolyssh

  • Members
  • 13 posts
  • OFFLINE
  • Local time:02:16 AM

Posted 01 August 2018 - 07:47 AM

I think that the case here is in different names, not in different versions. Sometimes the software often blocks security programs and for this it gets different names.


#6 Willqa

Willqa
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 01 August 2018 - 10:47 AM

 
@buddy215
Thank you for the welcome.
Naturally if I have an intractable intrusion, I would raise it elsewhere (but you weren't to know that), thanks. Usually I manage OK.
My particular concern here was the existence of positives/false positives and high "vxstream-threatscores (malicious)" on the BC rkill offerings - which reduce my confidence until the matter is resolved. Which I was hoping the author would do rather than cavilling.
As for 'versions', yes they have the same version designation, but are different sizes and have different checksums. One 'version' even has a considerable 6k blank padding at the end (not a good sign in my view). 
Virustotal considers them different - and records them going by a variety of different names - since VT identifies by length & MD5.
Best wishes & thanks.
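The post above turns on how a scanner such as VirusTotal tells two downloads apart (by length and hash) and on the observation that one build carried about 6 KiB of trailing padding. The script below is an added example, not code from this thread or from Rkill, showing the check a defender would actually run: hash each downloaded image, group images that are byte-for-byte identical under different file names, measure trailing NUL padding, and verify a file against a checksum the publisher has stated rather than relying on a detection count. The byte strings are constructed stand-ins for the renamed builds and are not the real files; the file names and the hypothetical published digest are assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample "downloads". These stand in for the renamed Rkill builds
# discussed in the thread; they are made-up bytes, NOT the real executables.
BASE = b"MZ\x90\x00" + b"constructed-sample-program-body" * 40
SAMPLES = {
    "rkill.exe": BASE,                        # reference image
    "iExplore.exe": BASE,                     # identical bytes under another name
    "rkill.com": BASE + b"\x00" * 6144,       # same program plus 6 KiB of trailing NUL padding
    "eXplorer.exe": BASE + b"\x01",           # genuinely different content (one byte changed)
}


def digest(data: bytes) -> dict:
    """Length plus MD5 and SHA-256, the fields a scanner uses to identify a file."""
    return {
        "length": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def trailing_null_padding(data: bytes) -> int:
    """Number of 0x00 bytes at the very end of the image."""
    return len(data) - len(data.rstrip(b"\x00"))


def group_by_identity(samples: dict) -> dict:
    """Group file names by (length, sha256): renamed copies of one image land in one group."""
    groups = defaultdict(list)
    for name, data in samples.items():
        d = digest(data)
        groups[(d["length"], d["sha256"])].append(name)
    return dict(groups)


def padding_siblings(samples: dict) -> dict:
    """Map each padded file to the unpadded file it equals once trailing NULs are removed.

    This separates 'different hash because of padding' from 'different hash because the
    program itself differs'; only the latter deserves suspicion on content grounds.
    """
    unpadded = {data: name for name, data in samples.items() if trailing_null_padding(data) == 0}
    result = {}
    for name, data in samples.items():
        if trailing_null_padding(data) > 0:
            result[name] = unpadded.get(data.rstrip(b"\x00"))
    return result


def verify_against_published(data: bytes, published_sha256: str) -> bool:
    """Compare the file's SHA-256 with a digest the publisher stated (hypothetical here).

    A match against the publisher's own checksum is the integrity check that a scanner's
    detection count cannot substitute for; compare_digest avoids timing leaks.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, published_sha256.strip().lower())


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        d = digest(data)
        print(f"{name:14} len={d['length']:6} md5={d['md5']} pad={trailing_null_padding(data)}")
    print("identical images:", group_by_identity(SAMPLES))
    print("padding siblings:", padding_siblings(SAMPLES))
    # Hypothetical publisher digest: here simply the digest of the reference image.
    print("rkill.exe verifies:", verify_against_published(SAMPLES["rkill.exe"], digest(BASE)["sha256"]))
```

Run against real downloads by replacing the constructed SAMPLES with the bytes of each file; the publisher-stated digest must come from the publisher's own page, never from the download mirror being checked.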


#7 Willqa

Willqa
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:16 AM

Posted 01 August 2018 - 10:57 AM

@Grinler,Lawrence Abrams
Lawrence, I am not your enemy here.
 
I wanted to draw your attention to the VT reports & various other inconsistencies, so that they would be addressed and I (and others) could continue to feel confidence in your utility. I might have hoped you would say "thanks, I'll get onto it" rather than blaming the messenger.
Instead, your attitude has been more like the way I would expect a hijacker to behave. I am genuinely sorry about that.
 
I am not "completely mistaken", are you?
Are you saying you have downloaded each version, just to check, and they are not showing serious VT scores and vxstream/threatscores?
I have certainly seen a version which passed with score zero; the current ones don't.
 
Are you saying that a claim on the internet by the (claimed) provider of something (which could be a trojan?) is better than a measure by VT?
You would be mistaken in that view.
 
I suppose you did check each download for yourself?
I did, and I note some other host sites didn't have it available any more either (croco). I was looking for a clean version. Don't shoot the messenger.
(And did you note the 'unsigned' creeps outside of its little green box? Could I suggest "password= clean" would be less confusing? No matter.)
 
As I have said, it is not unknown for utilities to become corrupted or be hijacked, even mainstays of old, sad though it is. Some just fade away. And I am familiar with type 1 error, especially in utilities of this kind. 
 
~~~~~~~~~~~~~~~~
 
Does BC have a policy regarding dl offerings which become suspect, or a direct way of reporting suspicions (I didn't find one). Do you regularly monitor the suite? (Tom's appears to keep the description for a while, but not permit downloads.)
 
If not, could I suggest you get one?
 
~~~~~~~~~~~~~~~~~
 
Incidentally, in the distant past, before retiring I was, amongst many other things, a software QA. I can be quite direct, but don't swear too much :-) You can appreciate my attitude to evasion ("don't you know who I am?" :)
 
If you regularly have this false-report problem, what have you done about tackling it? It must be a pita, over the years.
 
Would it not be better to get an OK before release? I appreciate some releases may be urgent, but there are fewer than 70 AV companies to deal with. Although I suspect some of them can be a bit difficult (to say the least). Maybe form an allegiance of others with a similar problem.
 
Or you could get a better presence on VT?
 
I look forward to using your utility when you have fixed matters.
 
Good luck and thanks.
 
~~~~~~~~~~~~~~
 
For the sake of record, on the dl site comments:
 
Alphur 29July2018
 
Hallo, Lawrence {if that is you} and thank you for providing this utility over many years.
 
I am not mistaken, but I am sorry. I hope you can clear this up soon. For now, I am warning people it seems unsafe (in my clearly dated post - I wouldn't want it tainted for all time). You may well be a victim here.
 
"As the creator of Rkill, I can say with certainty that 
any detections on Rkill are false positives"
To which I say that, as maker/distributor of Rkill, "you would say that, wouldn't you".
Especially if you were to be a hijacker.
 
I agree that false positives can occur, and you have my sympathies in that respect.
 
However, it has also been known for utilities to be vulnerable, hijacked, altered - and when it comes to a question of my system's safety, I will put my trust with virustotal and equally with the Falcon vxstream-threatscore:100/100 (malicious) in the virustotal comments
 
for example, rkill.exe as portable, here
detection 16/67 (and no slouches), see [file detail], see [comments].
 
I found several different versions from different distributors, all with bad scores, each with same version and different sizes (is that not odd?).
 
[Somewhere I did find a good version 0-0, but lost track of it, sorry]
 
It's very sad when some of these old mainstays hit the blocks, some of them even taken over by dubious customers. I wouldn't be surprised if it hadn't happened before, and it has certainly happened to some of my favourite utilities over the years.
 
"And you're wrong about Tomsguide. It's still there. They are just pointing to an expired link"
Well, no, I'm not wrong. I've seen this before at Tomsguide, when a utility has gone bad they appear to keep the article for a short while but block the download. That may be an incorrect perception of mine, but I still cannot download rkill from there. Blocked.
 
Good luck in repairing it and securing it in future.
Perhaps you could put a constant regular monitor on versions? Or should the distributors do that?

Edited by Willqa, 01 August 2018 - 10:58 AM.


#8 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,163 posts
  • OFFLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:02:16 AM

Posted 01 August 2018 - 12:15 PM

There is something known as flogging a dead horse. We've just witnessed a textbook example.

 

A completely reasonable explanation, and one that has been borne out cyclically, has been offered. If that is not sufficient for any reader, and the reputation of the author is not sterling enough for them, then they have a choice as to whether or not to use any given piece of software.

 

False positives are incredibly common. That doesn't make them any less false.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

      Memory is a crazy woman that hoards rags and throws away food.

                    ~ Austin O'Malley

#9 iMacg3

iMacg3

    Bleepin' 68000


  • Malware Study Hall Senior
  • 1,159 posts
  • OFFLINE
  • Gender:Male
  • Location:Indiana, USA
  • Local time:02:16 AM

Posted 01 August 2018 - 10:35 PM

Rkill is not a malicious program. The VirusTotal report appears to be a false positive.

And I can say with certainty that Rkill is published by Grinler (Lawrence Abrams) and the program has an excellent reputation.

Edited by iMacg3, 01 August 2018 - 10:38 PM.

Regards, iMacg3

"Do, or do not. There is no try." - Yoda

#10 Replicator

Replicator

  • Members
  • 203 posts
  • OFFLINE
  • Gender:Male
  • Location:Dark Basement
  • Local time:04:16 PM

Posted 02 August 2018 - 04:59 AM

I would agree, Rkill is a superb application that was designed to kill malicious processes, not inject them.

 

Kudos to Grinler for allowing all of us to share in his hard work......he is one of the good guys!

 

I had a peek at the source code and see that the program is written in Microsoft Visual Studio, or more accurately C#

A bit of research proves that false positives do not escape this language even, and it's by MS.

 

Here is a snippet from 'CodeContracts Tools' for Microsoft's own .NET framework which gave a false positive until a property was changed.

 

Even though the code below is correct, it still gave a false positive (There is certainly nothing malicious about it)


using System.Diagnostics.Contracts;

namespace ClassLibrary1
{
    public class Class1
    {
        public Class1(string myProperty)
        {
            Contract.Requires(myProperty != null);
            MyProperty = myProperty;
        }

        [ContractInvariantMethod]
        private void ObjectInvariant()
        {
            Contract.Invariant(MyProperty != null);
        }

        public string MyProperty { get; }
    }
}

The false positive was fixed simply by changing the property:

 


public string MyProperty { get; private set; }

 

 

@Willqa.........I just wanted to point out how simple it can be to create a false positive in 'benevolent' code, even when the code is correct!

 

 

Keep up the good work Grinler :thumbup2:


Edited by Replicator, 02 August 2018 - 05:05 AM.

The quieter you become, the more you are able to hear!
CEH, CISSP @ WhiteHat Computers Pty Ltd

 


#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:16 AM

Posted 02 August 2018 - 09:46 AM

Hi Replicator,

Unfortunately, I am not sure what you are looking at. Rkill is coded in Visual Studio C++.

#12 Replicator

Replicator

  • Members
  • 203 posts
  • OFFLINE
  • Gender:Male
  • Location:Dark Basement
  • Local time:04:16 PM

Posted 03 August 2018 - 09:28 AM

Hehe.....Ah well same man, different haircut :)


The quieter you become, the more you are able to hear!
CEH, CISSP @ WhiteHat Computers Pty Ltd
