sg09

Is this a FP detection from EEK?


Every time I run a scan on my PC with EEK I find the same scan results (some suspicious registry entries). EEK does not find any other malware, nor does the installed security software (WSA, MBAM). I also ran scans with several other portable/online scanners and never found anything. Even with a newly installed PC and freshly installed security software I find these results. So I continued to ignore these results, although this time I chose to post this in the forum.

 

As far as I understand from the scan results, Task Manager, Folder Options, CMD, regedit, Run etc. are disabled in my system, but this is untrue. Is this an FP detection?

 

Installed security software: Webroot SecureAnywhere AV, Malwarebytes AM, WinPatrol Plus, Windows Firewall, MCShield. I am running a genuine Windows 10 Pro 64-bit OS.

 

--------------------------

Scan start:    01-06-16 9:19:49 PM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-2085203064-2389472976-1837661704-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-21-2085203064-2389472976-1837661704-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLECMD     detected: Setting.DisableCMD (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-2085203064-2389472976-1837661704-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-21-2085203064-2389472976-1837661704-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN     detected: Setting.NoRun (A)
Value: HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-21-2085203064-2389472976-1837661704-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_USERS\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS     detected: Setting.NoFolderOptions (A)

------------------------------

scan_160601-211949.txt


Those are Group Policies that are being detected. They are defined in the registry, and they can have a value of 1 (yes) or 0 (no). These Group Policies don't exist by default, so our scanner will detect them if they exist, and warn about their presence. If your Task Manager is working, then these can be ignored, or they can be deleted/quarantined without causing any issues.

Note that if you delete/quarantine them then it is possible that whatever created them will recreate them. Some software will do this thinking that it fixes problems, rather than simply deleting the Group Policies if they exist.


Thank you for your kind reply Arthur.

Yes, the detection comes back even if I quarantine it. What is creating/re-creating those Group Policies, the OS or the security software?

 

I reckon in my case the Group Policies have the 'safe' registry values, as Task Manager, Folder Options, CMD, regedit, Run etc. are not disabled in my system. Shouldn't EEK understand which registry value is safe and which is not, rather than giving an alert just for its presence?

 

Thank you again.


Yes, the detection comes back even if I quarantine it. What is creating/re-creating those Group Policies, the OS or the security software?

Windows does not create these Group Policies on its own. It's more than likely a security software, or a computer "optimization" or "cleaning" software that is doing it (Registry Mechanic used to make changes like this, for instance).

I reckon in my case the Group Policies have the 'safe' registry values, as Task Manager, Folder Options, CMD, regedit, Run etc. are not disabled in my system.

Yes, you would notice very quickly if these Group Policies were configured to block those tools. ;)

Shouldn't EEK understand which registry value is safe and which is not, rather than giving an alert just for its presence?

Our scanning engine doesn't check the values of the registry entries. It only checks for their presence, and if they exist it lists them in the scan results.

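The two answers above explain that the scanner reports these policy values on presence alone, while what actually matters is whether each one is set to a non-zero value. The following PowerShell snippet is an added example, not part of the thread and not Emsisoft's tooling: it walks HKLM and every loaded hive under HKEY_USERS (the same roots that appear in the scan log: .DEFAULT, S-1-5-18/19/20 and the logged-on user's SID) and reports, for each of the five values EEK flagged, whether it is absent, present but 0, or set to something non-zero and therefore enforcing. The key paths and value names are taken from the scan log; the script assumes a Windows host and read access to those hives.

```powershell
# Added example (not from the thread or from Emsisoft): classify the policy
# values that EEK lists on presence alone by their actual numeric value.
# Assumes Windows with read access to HKLM and the loaded HKEY_USERS hives.

# Key paths and value names exactly as they appear in the EEK scan log.
$policyValues = @{
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableCMD', 'DisableRegistryTools')
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoRun', 'NoFolderOptions')
}

# HKEY_USERS is not exposed as a PSDrive by default; map it so every loaded
# user hive (.DEFAULT, S-1-5-18, S-1-5-19, S-1-5-20, S-1-5-21-...) can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Roots to inspect: the machine hive plus each loaded user hive.
$roots = @('HKLM:') + (Get-ChildItem -Path 'HKU:' | ForEach-Object { "HKU:\$($_.PSChildName)" })

$report = foreach ($root in $roots) {
    foreach ($subKey in $policyValues.Keys) {
        $keyPath = "$root\$subKey"
        foreach ($name in $policyValues[$subKey]) {
            $value = $null
            if (Test-Path -LiteralPath $keyPath) {
                # Get-ItemProperty errors on a missing value name; treat that as absent.
                $value = (Get-ItemProperty -LiteralPath $keyPath -Name $name -ErrorAction SilentlyContinue).$name
            }
            # Absent and 0 both mean the restriction is not applied; any non-zero
            # value is a live restriction that the user would notice immediately.
            $state = if ($null -eq $value) { 'absent' }
                     elseif ($value -eq 0)  { 'present, not enforcing (0)' }
                     else                   { "ENFORCING ($value)" }
            [pscustomobject]@{ Hive = $root; Key = $subKey; Name = $name; State = $state }
        }
    }
}

# Enforcing entries sort to the top; "present, not enforcing" rows are the ones
# the scanner flags even though they change nothing.
$report | Sort-Object State -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session: a standard user can read HKLM and their own hive, but the S-1-5-18/19/20 subtrees need administrator rights, and without them those rows will show as absent. If every flagged value comes back as 0, the situation matches what the reply above describes and the entries can be removed with Remove-ItemProperty on the same paths; if they reappear after that, a Process Monitor filter on RegSetValue for those key paths will show which process is writing them, which is the quickest way to identify the "optimization" or security tool responsible.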
