Process Hacker kernel driver detected in memory

Hi all,

On one of my servers the Sophos console is giving the message "Process Hacker kernel driver detected in memory". Even after scanning, it is not able to remove it.

How do I get it cleaned, and how do I get it removed from the Sophos events?


Regards

Bijoy

  • Hi Bijoy,

    Can you please check the alert details if there are any application associated with the alert? If you get the application details, you can choose to:

    • take no action, if you wish to continue blocking the application.
    • remove the software to prevent future alerts.
    • re-authorize a blocked application.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Generally for this sort of thing I would download and run as administrator Process Explorer.

    https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

    Highlight the System process (as this is a driver) and in the bottom panel look at the loaded modules. 

    You should be able to see the paths of each loaded module.

    I assume that kprocesshacker.sys is in the list?

    If so, where is it on disk? 

    Can you navigate to that location and delete the file?  

    I assume that after rebooting the module is not loaded, as I don't believe it installs a service. It requires the user mode process to load the driver.

    Regards,

    Jak


  • I've attempted your steps and I don't see it in processes. I already manually deleted the associated folder and I'm at a loss as to where I can locate the kernel driver.

  • If I run Process Hacker as an administrator, then the kprocesshacker.sys driver is installed, started and therefore can be seen in the System process as shown below.

    The service is created under:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KProcessHacker3\

    I guess this could change based on version.

    If I close Process Hacker then the driver is not unloaded from kernel memory, but the service is marked for deletion, i.e. the service registry entry has the DeleteFlag set:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KProcessHacker3\
    DWORD DeleteFlag = 1

    With this set, on the next startup, services.exe will remove the service.

    If you are getting a memory detection for this driver I would expect it to be just loaded in the system process as shown above.  I can only assume that maybe the driver isn't being marked for deletion or services.exe is not removing it.  Maybe search in the registry under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

    for the string hacker for example.

    Regards,
    Jak
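The registry and driver checks Jak walks through above, as an added PowerShell triage script that is not from any of the posters. It assumes an elevated session; the service name pattern "*hacker*", the file name kprocesshacker.sys and the DeleteFlag value come from the thread, while ImagePath, Type and Start are the standard service registry values.

```powershell
# Added example (not from the thread): triage a lingering KProcessHacker
# driver service. Run in an elevated PowerShell session on the affected server.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. Registry: list services whose name or ImagePath mentions "hacker",
#    showing whether services.exe has been told to remove them at next boot.
$suspect = Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name       = $_.PSChildName
            ImagePath  = $p.ImagePath
            Type       = $p.Type        # 1 = kernel driver
            Start      = $p.Start       # 3 = manual (demand start)
            DeleteFlag = $p.DeleteFlag  # 1 = marked for removal at next startup
        }
    } |
    Where-Object { $_.Name -like '*hacker*' -or $_.ImagePath -like '*hacker*' }

"== Service registry entries matching *hacker* =="
$suspect | Format-Table -AutoSize

# 2. Driver state: is the driver currently loaded (State = Running)?
"== Driver objects matching kprocesshacker =="
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like '*hacker*' -or $_.PathName -like '*kprocesshacker*' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 3. File on disk: resolve the ImagePath (drivers may use the \??\ or
#    \SystemRoot\ prefixes, or a path relative to the Windows directory)
#    and report whether the .sys file still exists.
"== ImagePath resolution =="
foreach ($s in $suspect) {
    if (-not $s.ImagePath) { continue }
    $path = $s.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path -Path $env:SystemRoot -ChildPath $path
    }
    '{0}: {1} (on disk: {2})' -f $s.Name, $path, (Test-Path -LiteralPath $path)
}
```

A service entry with DeleteFlag = 1 and a driver State of Running is the situation Jak describes: the driver stays in kernel memory until the next reboot, after which services.exe removes the entry.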