Adlice forum

Software feedback => RogueKiller => Topic started by: XiRw on October 16, 2014, 07:14:53 AM

Title: False positive?
Post by: XiRw on October 16, 2014, 07:14:53 AM
Hello, today I ran RK 3 times and the results varied.

The one thing I am 100 percent sure that's a FP is the MEGA for desktop.

The other thing I am not so sure about, and I included it in the log. Supposedly it's a keylogger.
The weird part is that during the 3 scans I did, the driver showed up as malicious only twice and was clean once. Could this be a rootkit hiding the malicious code when the driver is being scanned? Or something to do with RogueKiller itself?

Any help is appreciated :D
Title: Re: False positive?
Post by: Tigzy on October 16, 2014, 08:19:51 AM
Thanks, that will be added.
Title: Re: False positive?
Post by: XiRw on October 16, 2014, 06:20:54 PM
Wait what about the keylogger. Is it legit?
Title: Re: False positive?
Post by: Tigzy on October 16, 2014, 06:49:00 PM
It's what I've added :)
hidclass is a driver that filters mouse/keyboard IRPs, this is why it's tagged (falsely) as possible keylogger.
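Since a scanner tagging hidclass.sys says nothing about whether the file on disk is the real Windows component, here is an added triage script (not RogueKiller's or Adlice's code) that checks every copy of a flagged driver name under the Windows directory for its Authenticode signature, signer, version and hash, and lists any kernel-mode service that references it. It assumes Windows PowerShell 5.1 or later and takes the driver file name as a parameter (default hidclass.sys).

```powershell
# Added example, not RogueKiller's or Adlice's code: triage a driver that a
# scanner has tagged as a "possible keylogger" by confirming it is the signed
# Microsoft inbox file where Windows expects it.
# Assumptions: $DriverName is a file name under System32\drivers (default
# hidclass.sys); Windows PowerShell 5.1+; run from an elevated prompt.
param(
    [string]$DriverName = "hidclass.sys"
)

$expected = Join-Path $env:SystemRoot "System32\drivers\$DriverName"

# 1. Every copy of the file under the Windows directory. Copies in WinSxS are
#    normal; a copy outside System32\drivers or WinSxS, or one that is not
#    signed by Microsoft, is the thing worth a closer look.
$copies = Get-ChildItem -Path $env:SystemRoot -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue

foreach ($file in $copies) {
    # Inbox drivers are catalog-signed; Get-AuthenticodeSignature resolves
    # catalog signatures, so Status should be "Valid" for the real file.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [PSCustomObject]@{
        Path         = $file.FullName
        ExpectedPath = ($file.FullName -eq $expected)
        SigStatus    = $sig.Status                 # Valid / NotSigned / HashMismatch ...
        Signer       = $sig.SignerCertificate.Subject
        FileVersion  = $file.VersionInfo.FileVersion
        Company      = $file.VersionInfo.CompanyName
        Sha256       = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    }
}

# 2. Kernel-mode services whose image path references this file. hidclass.sys
#    is loaded by HID minidrivers (hidusb and friends) as a class driver rather
#    than as its own service, so an empty result here is normal for it.
Get-CimInstance Win32_SystemDriver -Filter "PathName LIKE '%$DriverName%'" |
    Select-Object Name, State, StartMode, PathName
```

For the inbox driver you expect one row with ExpectedPath true, SigStatus Valid and a Microsoft Windows signer (plus WinSxS copies that look the same); a second copy elsewhere, an unsigned file, or a HashMismatch is what would turn a scanner's heuristic tag into something to investigate.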
Title: Re: False positive?
Post by: XiRw on October 16, 2014, 07:13:47 PM
Oh ok, thanks for letting me know and for the quick replies 8)
Title: Re: False positive?
Post by: Tigzy on October 16, 2014, 08:22:54 PM
BTW HID means "Human Interface Device", a keyboard/mouse/joystick/whatever.
Title: Re: False positive?
Post by: XiRw on October 16, 2014, 10:03:29 PM
Yeah, I read everything when RK opened the website for kernel mode rootkit, but I thought it was just something else intercepting my keystrokes. Good to know it's nothing.