Hello all,

I hope you’re doing well. I’m new here so apologies if I’ve formatted this post incorrectly or it’s in the wrong section.

I was going to install HitmanPro 64-bit on my fresh PC build today for a second-opinion scan. I’m referring to the on-demand scanner, not the real-time Alert version. I downloaded the installer from the official hitmanpro.com website (which re-directed to a Sophos domain to get the installation file).

As I do with any EXE/installer I download, I uploaded the HitmanPro installation EXE to VirusTotal. What I saw was quite surprising. One of the tags VirusTotal has associated with the installer is invalid-signature. It’s right up there near the other tags around the detection score. But also present in the tag list is another tag: signed. And if you navigate to the Details tab and scroll down to Signature Verification, you’ll see a green check-mark and “Signed file, valid signature.”

Here is the VirusTotal link: VirusTotal

So the program is signed with a valid signature but also is tagged as having an invalid signature. Huh? What gives? That makes no sense.

Also, as a side-note — the installer was detected by three (rather obscure) AVs. This isn’t much of a problem for most programs but it is surprising for HitmanPro. I’ve used it before and this is the first time I’ve seen multiple detections. Usually there are none, or at most, one. So I don’t know what’s going on but it’s pretty odd.

And, it seems like the program checks network adapters, accesses CPU clock (?) and more according to the other tags. I haven’t seen these tags with most other programs including security software — so why does it access these things when other AV/AM vendors don’t?

I’ve uploaded some screenshots to this post below if you don’t want to check out the VirusTotal link above.

I’m not installing HitmanPro until this gets cleared. You’re the experts here so I thought I’d make an MT account and ask. Thoughts?


struppigel

Moderator
Verified
Staff member
Hi, malware analyst here. I don't know why the invalid-signature tag is there but the file is clean and the signature is valid.
It's part of various clean file sources too. Maybe it's not the signature of the vendor this tag is referring to. There are more checksums in the file itself. Either that or they made a mistake with tagging.

The detections on VT are false positives. HitmanPro carries a signature database to detect malware, which in turn is often detected by other AV signatures. If they don't implement proper whitelisting of trusted vendors they detect the file.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
So the program is signed with a valid signature but also is tagged as having an invalid signature. Huh? What gives? That makes no sense.

Also, as a side-note — the installer was detected by three (rather obscure) AVs. This isn’t much of a problem for most programs but it is surprising for HitmanPro.
I agree with @struppigel. It's false positives (fp).

But still, I agree. In general, software from companies like Sophos etc. should not get flagged by other vendors. More than likely just a case of slow communication. One can try contacting Sophos and ask them to fix the fp.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
It's not the fault of Sophos but the other vendors who need to fix their detections.

I found the following contact points:
Jiangmin --> support@jiangmin.com
Zillya --> support@zillya.com
MaxSecure --> Max Secure Software: Submit a sample
I agree, as by "fix" the fp I meant exactly that. A contact with the vendors that flag, so those vendors can remove it, as reaching out (sending an email etc.) from Sophos is the least Sophos can do. It's Sophos's product(s) that get affected and Sophos's brand that risks getting an unnecessary bad reputation. If I worked at Sophos (I don't) I would be very happy to see any customer report this. Even non-customers can report possible issues. (y)
 

bjm_

Level 8
Verified
FWIW ~
> my download from March

File: HitmanPro_x64.exe
File size: 10.9 MB (11,429,976 bytes)
MD5 checksum: AAA7885818066476AB337A1CBBD427D9
SHA1 checksum: 81E4F3285715F74AE4CDA178B9015EC6F495B389
SHA256 checksum: CB1E8B96648330E188C3A2B0F5C599D1B45FD916FAB761244EFAB8E25CE457B0

VirusTotal File Version Information
Copyright © 2006-2020 SurfRight, a Sophos company
Product HitmanPro
Description HitmanPro 3.8
Original Name HitmanPro.exe
Internal Name HitmanPro38
File Version 3, 8, 18, 312
Date signed 9:44 AM 3/23/2020

----------------------------------------------------------------------------------------------
> my download from today

File: HitmanPro_x64.exe
File size: 11.0 MB (11,539,456 bytes)
MD5 checksum: AB6BD28CF973C5A28C00BA8995A5CB24
SHA1 checksum: 6FCC311D5D68E9EC986C90182EDDD8C43F0D48E9
SHA256 checksum: 715168CE423948C6A0B51D930825FDF08E8A1F52059EB4E58E72A7623F6B2F60

VirusTotal File Version Information
Copyright © 2006-2018 SurfRight, a Sophos company
Product HitmanPro
Description HitmanPro 3.8
Original Name HitmanPro.exe
Internal Name HitmanPro38
File Version 3, 8, 15, 306
Date signed 1:46 PM 6/20/2019
 
FWIW ~
> my download from March
File: HitmanPro_x64.exe
File size: 10.9 MB (11,429,976 bytes)
MD5 checksum: AAA7885818066476AB337A1CBBD427D9
SHA1 checksum: 81E4F3285715F74AE4CDA178B9015EC6F495B389
SHA256 checksum: CB1E8B96648330E188C3A2B0F5C599D1B45FD916FAB761244EFAB8E25CE457B0

VirusTotal File Version Information
Copyright © 2006-2020 SurfRight, a Sophos company
Product HitmanPro
Description HitmanPro 3.8
Original Name HitmanPro.exe
Internal Name HitmanPro38
File Version 3, 8, 18, 312
Date signed 9:44 AM 3/23/2020

----------------------------------------------------------------------------------------------
> my download from today
File: HitmanPro_x64.exe
File size: 11.0 MB (11,539,456 bytes)
MD5 checksum: AB6BD28CF973C5A28C00BA8995A5CB24
SHA1 checksum: 6FCC311D5D68E9EC986C90182EDDD8C43F0D48E9
SHA256 checksum: 715168CE423948C6A0B51D930825FDF08E8A1F52059EB4E58E72A7623F6B2F60

VirusTotal File Version Information
Copyright © 2006-2018 SurfRight, a Sophos company
Product HitmanPro
Description HitmanPro 3.8
Original Name HitmanPro.exe
Internal Name HitmanPro38
File Version 3, 8, 15, 306
Date signed 1:46 PM 6/20/2019
I can’t help but notice your download from today (version 3.8.15.306) is an earlier version than your March download (version 3.8.18.312). I can confirm the SHA256 checksum matches on your download from today versus mine yesterday. So it seems Sophos uploaded an older version of HitmanPro to their website since March?

How strange...
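
One way to check the points raised in this thread on the local machine instead of relying on VirusTotal tags (an added example, not part of any post above). The download path is an assumption; the SHA256 and the two version numbers are the ones quoted in bjm_'s post.

```powershell
# Added example: local Authenticode, hash and version checks for a downloaded installer.
param(
    # Assumed download location; adjust to where the file was saved.
    [string]$Path = "$env:USERPROFILE\Downloads\HitmanPro_x64.exe",
    # SHA256 quoted in the thread for the build being served (3.8.15.306).
    [string]$ExpectedSha256 = '715168CE423948C6A0B51D930825FDF08E8A1F52059EB4E58E72A7623F6B2F60',
    # Newest version seen earlier in the thread (the March download).
    [version]$LastSeenVersion = '3.8.18.312'
)

# Windows' own verdict on the embedded signature (Valid, HashMismatch, NotSigned, ...).
$sig = Get-AuthenticodeSignature -FilePath $Path

# Hash of the exact bytes on disk, to compare with a value obtained from another source.
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

# Build a comparable version from the numeric parts of the PE version resource
# (VirusTotal displays the same field as "3, 8, 15, 306").
$vi = (Get-Item -LiteralPath $Path).VersionInfo
$fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)

$report = [pscustomobject]@{
    SignatureStatus   = $sig.Status
    StatusMessage     = $sig.StatusMessage
    Signer            = $sig.SignerCertificate.Subject
    SignerValidUntil  = $sig.SignerCertificate.NotAfter
    Countersigned     = [bool]$sig.TimeStamperCertificate
    Sha256            = $hash
    HashMatches       = ($hash -eq $ExpectedSha256)
    FileVersion       = $fileVersion
    OlderThanLastSeen = ($fileVersion -lt $LastSeenVersion)
}
$report | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "Authenticode check failed: $($sig.StatusMessage)"
}
if ($report.OlderThanLastSeen) {
    Write-Warning "Version $fileVersion is older than previously seen $LastSeenVersion"
}
```

A matching hash only shows that two people received the same bytes; the signature status and signer subject are what tie those bytes to the vendor.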
 