Sign in to follow this  
sg09

Is this a FP detection from EEK?

Recommended Posts

Everytime I run a scan in my PC with EEK I find the same scan results (some suspicious registry entries). EEK do not find any other malware, nor does the installed security softwares (WSA, MBAM). I also ran scans with several other portable/online scanners and never found anything. Even with newly installed PC+freshly installed security software I find these results. So, I continued to ignore these results, although this time I choose to post this in the forum.

 

As far as I understand from the scan results, the task manger, folder options, CMD, regedit, run etc. are disabled in my system, but this is untrue. Is this a FP detection?

 

Installed Security Softs: Webroot SecureAnywhere AV, Malwarebytes  AM, WinPatrol Plus, Windows Firewall, MCShield. I am running a genuine Windows 10 Pro 64 bit OS.

 

--------------------------

Scan start:    01-06-16 9:19:49 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-2085203064-2389472976-1837661704-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-21-2085203064-2389472976-1837661704-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-2085203064-2389472976-1837661704-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-21-2085203064-2389472976-1837661704-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-21-2085203064-2389472976-1837661704-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)

------------------------------

scan_160601-211949.txt

Share this post


Link to post
Share on other sites

Those are Group Policies that are being detected. They are defined in the registry, and they can have a value of 1 (yes) or 0 (no). These Group Policies don't exist by default, so our scanner will detect them if they exist, and warn about their presence. If your Task Manager is working, then these can be ignored, or they can be deleted/quarantined without causing any issues.

Note that if you delete/quarantine them then it is possible that whatever created them will recreate them. Some software will do this thinking that it fixes problems, rather than simply deleting the Group Policies if they exist.

  • Upvote 1

Share this post


Link to post
Share on other sites

Thank you for your kind reply Arthur.

Yes, the detection come back even if I quarantine it. Which is creating/re-creating those group policies, OS or the Security softwares?

 

I reckon in my case the group policies have the 'safe' registry values, as the ask manger, folder options, CMD, regedit, run etc. are not disabled in my system. Shouldn't EEK understand which registry value is safe and which is not, rather than giving an alert for just its presence?

 

Thank you again.

Share this post


Link to post
Share on other sites

Yes, the detection come back even if I quarantine it. Which is creating/re-creating those group policies, OS or the Security softwares?

Windows does not create these Group Policies on its own. It's more than likely a security software, or a computer "optimization" or "cleaning" software that is doing it (Registry Mechanic used to make changes like this, for instance).

I reckon in my case the group policies have the 'safe' registry values, as the ask manger, folder options, CMD, regedit, run etc. are not disabled in my system.

Yes, you would notice very quickly if these Group Policies were configured to block those tools. ;)

Shouldn't EEK understand which registry value is safe and which is not, rather than giving an alert for just its presence?

Our scanning engine doesn't check the values of the registry entries. It only checks for their presence, and if they exist it lists them in the scan results.

  • Upvote 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.