
False Positives

Open VirtualAlllocEx opened this issue 2 years ago • 3 comments

Hi, first of all, thank you a lot for your amazing work and thank you for sharing your awesome tools. I have tested Hollows Hunter on 2 Windows machines where I have installed the AV/EDR CrowdStrike and could observe that Hollows Hunter lists 47 suspicious processes, but I am 99,99% sure that the processes are clean and not malicious. Could it be that these are false positives because of the installed EDR and the hooks from the EDR?

VirtualAlllocEx avatar Mar 22 '22 09:03 VirtualAlllocEx
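Added example, not part of this issue or of hollows_hunter/pe-sieve: a small Python triage that diffs a code section as it is on disk against its in-memory copy and labels an EDR-style inline hook (a relative JMP patched over a known function entry) separately from any other modification, which is the kind of difference that turns up as "suspicious" on a machine running an EDR. The byte strings and the export offset are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Set

@dataclass
class Patch:
    offset: int   # offset of the differing run within the code section
    length: int   # number of consecutive differing bytes
    kind: str     # "inline_hook" or "unexplained"

def find_patches(on_disk: bytes, in_memory: bytes, export_offsets: Set[int]) -> List[Patch]:
    """Return contiguous runs of bytes that differ between disk and memory.

    A run that starts at a known function entry, is at most 5 bytes long and
    begins with 0xE9 (JMP rel32) is the classic inline hook an EDR installs;
    everything else is reported as an unexplained code modification.
    """
    if len(on_disk) != len(in_memory):
        raise ValueError("section sizes differ")
    patches: List[Patch] = []
    i = 0
    while i < len(on_disk):
        if on_disk[i] == in_memory[i]:
            i += 1
            continue
        start = i
        while i < len(on_disk) and on_disk[i] != in_memory[i]:
            i += 1
        length = i - start
        is_hook = start in export_offsets and length <= 5 and in_memory[start] == 0xE9
        patches.append(Patch(start, length, "inline_hook" if is_hook else "unexplained"))
    return patches

# Constructed sample: a syscall-stub-like prologue at offset 0, followed by NOP padding.
SAMPLE_ON_DISK = bytes.fromhex("4c8bd1b855000000f604250803fe7f01") + b"\x90" * 16
# In memory the prologue is overwritten with a 5-byte JMP to a trampoline (hook),
# and four bytes of padding at offset 20 are replaced with INT3 (not a hook pattern).
SAMPLE_IN_MEMORY = (bytes.fromhex("e9abcdef01") + SAMPLE_ON_DISK[5:20]
                    + b"\xcc" * 4 + SAMPLE_ON_DISK[24:])
SAMPLE_EXPORTS = {0}  # offset 0 is a known exported function entry (constructed)

def triage_sample() -> List[Patch]:
    """Run the triage over the constructed sample section."""
    return find_patches(SAMPLE_ON_DISK, SAMPLE_IN_MEMORY, SAMPLE_EXPORTS)

if __name__ == "__main__":
    for p in triage_sample():
        print(f"offset {p.offset:#06x} len {p.length}: {p.kind}")
```

The "inline_hook" label only explains the difference; which vendor's hook it is still has to be confirmed against the trampoline target.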

Hi! Thanks for your interest in my tools :) The scenario that you described is covered in the FAQ: https://github.com/hasherezade/pe-sieve/wiki/1.-FAQ#pe-sieve-gives-me-a-lot-of-false-positives-why - I hope it answers your question!

hasherezade avatar Mar 22 '22 22:03 hasherezade

Oh sorry, I didn't see that. Thank you for the information.

VirtualAlllocEx avatar Mar 23 '22 06:03 VirtualAlllocEx

@VirtualAlllocEx - I added the FAQ to the readme, I hope it will make all this information easier to find

hasherezade avatar Mar 23 '22 20:03 hasherezade