Malwarebytes Hijack.Securityrun hits explained

When I ran the usual Malwarebytes Anti-Malware Pro scan today I noticed that the program detected a set of threats it called Hijack.Securityrun.

The threats it detected during the scan were rated as high and malware, and pointed all to the Windows Registry. A quick search for the used threat descriptor Hijack.Securityrun would only return one result on a support forum where users of the software reported the same issue in the past couple of days.

First problem that you will experience is that you cannot display the full Registry path in Malwarebytes itself because the interface is not flexible enough to display multiple lines if one line is not enough to display the whole string.

That's a usability issue that you can overcome by selecting save results in the interface to export the data to a text file on your local system.

That text file displays the full string so that you know where you find it in the Registry.

The two strings found on the system were the following ones:

Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{3A25558A-2C26-4E6E-920C-2B64F3314747}, , [76d151fa63275ed8e442a7a722e31de3],
Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{3A25558A-2C26-4E6E-920C-2B64F3314747}, , [e3643615fc8e999dac7a1c32a85d45bb],

Hijack.SecurityRun, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{3a25558a-2c26-4e6e-920c-2b64f3314747}|ItemData, C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe, , [76d151fa63275ed8e442a7a722e31de3]
Hijack.SecurityRun, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS\0\PATHS\{3a25558a-2c26-4e6e-920c-2b64f3314747}|ItemData, C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe, , [e3643615fc8e999dac7a1c32a85d45bb]

The second string lists Avira's avnotify.exe program while the first does not provide any information what it is about.

The program suggests to remove the selected entries and classifies them as malware.

But what are they?

If you worked with software restrictions on Windows before, you may know that it is possible to author software restriction policies using the Group Policy Editor or the Windows Registry directly.

You find detailed information about that on Microsoft's Technet.

The entries that Malwarebytes found are software restrictions that someone or a program have added to the system. They can be malicious in nature as they may prevent security software or other important software from running on the system.

A malicious file could use this for example to prevent the antivirus solution to run properly on the system or notify the user about the threat.

Each rule has a security level associated with it which determines its rights on the system.

• Disallowed blocks the program from execution on the system regardless of the rights of the user account trying to run the application.
• Basic User allows the program to be executed with basic user privileges only but not with elevated privileges.
• Unrestricted will run the program with the same rights as the user executing the program (which can be with administrative privileges)

What you should do

The course of action depends on whether you have set those restrictions or not. If you are not the system administrator, an admin may have set them as well.

If you are the only user on the system and have not set them, you may want to consider removing them from the system.

If you are using Malwarebytes, you could have them quarantined which provides you with an option to restore the rules should the need arise.

You can use the Group Policy Editor or the Registry directly as well to remove those entries.

In the Group Policy Editor, you find them under Local Computer Policy > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules.

To remove an entry select it and hit the delete key on the keyboard. Alternatively, right-click on a rule and select delete from the context menu.