Process Explorer 16.21 Submit Unknown Executables to VirusTotal even if it's disabled

  • General discussion

  • Latest version, Process Explorer 16.21, Windows 10 x64, Submit Unknown Executables is disabled. On start scan, when a new executable appears, PE says in the VirusTotal column: Sending, Analyzing ... but wait, it should not send my executable if I have disabled this option! OK, I tried checking and unchecking this setting again (just as a test), made a new exe (new hash), and again PE sent my file to VirusTotal. Why is PE ignoring this setting? Why is PE ignoring privacy?

    Settings: VirusTotal.com > Check VirusTotal.com - ON, Submit Unknown Executables - OFF

    If I check the VirusTotal site for my new executable's hash, the file is already there.

    • Edited by Ask TechNet Friday, September 28, 2018 10:36 AM
    Friday, September 28, 2018 8:31 AM

All replies

  • I tried to reproduce this but I'm not seeing this issue. In my tests, when I start a newly compiled executable, the VirusTotal column shows "unknown", and when I look for the hash on VT I don't see it.

    Am I missing a step here?

    MarkC(MSFT)

     
    Wednesday, October 10, 2018 4:13 PM
  • I tested on more computers, but only one has this behavior. It still sends files no matter what is set (ON/OFF). Only if I disable Check VirusTotal.com does it stop, but then I lose the checking functionality.

    Screenshot of the settings: https://imgur.com/a/YHDKlKj

    I tried to simulate it on another computer but without success (playing with the rights - user/admin, x64 exe, replacing TskMgr, various settings...). It would be better to look at the sources and check the cases in which PE sends files, or maybe something is wrong with the settings visualization (maybe it's set in the background and in some cases displays the wrong state, or something like that).

    The result of the testing was that I found another bug :-) If you use only procexp64.exe (not procexp.exe!) and use Replace Task Manager from the menu, you get this error on the next start:

    Windows cannot find ‘C:\Windows\system32\Taskmgr.exe’. Make sure you typed the name correctly, and then try again.

    It's because it writes to the registry:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE value 

    "path\procexp.exe" and not "path\procexp64.exe"

    So the application should write the correct value based on which type of executable the user is using.

    Thursday, October 11, 2018 6:45 AM
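
An added check for the registry entry described in the post above (not part of the original thread and not Process Explorer's own code). It assumes the redirect is stored in the standard IFEO Debugger value, which the post does not name, and that the stored path is either quoted or contains no spaces.

```powershell
# Added example: inspect the Task Manager replacement entry and report whether
# the executable it points to exists, plus which procexp binaries sit beside it.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'

function Get-DebuggerTarget {
    param([string]$CommandLine)
    # The value is a command line: take the quoted path, or the first token if unquoted.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

# Assumption: the value name is "Debugger" (standard IFEO value, not stated in the post).
$entry = Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue
if (-not $entry) {
    Write-Output 'No Debugger value set: Task Manager is not redirected.'
    return
}

$target = Get-DebuggerTarget -CommandLine $entry.Debugger
$folder = Split-Path -Path $target -Parent

# Binaries actually present next to the configured target, e.g. only procexp64.exe
# when the value names procexp.exe (the mismatch reported in the post).
$present = @()
if ($folder) {
    $present = @(Get-ChildItem -Path $folder -Filter 'procexp*.exe' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)
}

[pscustomobject]@{
    DebuggerValue   = $entry.Debugger
    TargetPath      = $target
    TargetExists    = Test-Path -LiteralPath $target -PathType Leaf
    ProcexpBinaries = $present -join ', '
}
```

TargetExists = False together with a non-empty ProcexpBinaries list matches the situation the post reports.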
  • OK, thank you. I will take a look at the sources and see if I can see anything, and I've added the other bug to the backlog. I will notify you once there has been an update.
    Thursday, October 11, 2018 3:14 PM
  • I would try deleting the Process Explorer Registry entries from the misbehaving system to see if that fixes the problem.
    Thursday, October 11, 2018 8:03 PM
  • I will try; I will also make a backup in case it can be reproduced for testing. I will keep you informed.
    Friday, October 12, 2018 9:53 AM