HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,863
    Location:
    the Netherlands
    Is the standalone HitmanPro application installed on your system?
    If not, installing the standalone HitmanPro application may help. Starting a scan in HMPA should then start the HMP scan.
    However, even if the standalone HMP application is not installed, starting a scan in HMPA should start the HMP scan, and it seems it doesn't. This issue is not limited to CTP, but also concerns the other beta series, and the stable, if I'm not mistaken.
    This is something that needs fixing.

    What exactly do you mean?
    Do you mean the "Check for update" context menu item in the System Tray?
    How do you know checking for updates does not work?
    If the behavior is the same as in the other beta series and the stable, HMPA automatically checks for updates. After that, if no update is available, the System Tray context menu item says "No update available". A little later, the "Check for update" option returns, and can be started manually. If no update is available, the System Tray context menu item changes to "No update available" once again.
     
  2. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    @erikloman & @markloman
    Having the HMP scan issue reappear again in v709 CTP3
    Also posted on MalwareTips and tagged you. Thanks Erik
     
  3. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Additional Observations:
    The scheduled scan with HMP is successfully killed by HMP.A CTP3, while a manual scan started from the HMP icon does trigger the HMP.A warning, the scan does complete and is "not" killed:
    Manual scan will get a window showing the scan completed.
    And yes, both trigger the exact same error message with the same code and thumb, it's weird.
    Disabling CredGuard for now to try and resolve the error until a fix can be issued.
     
    Last edited: Jun 6, 2017
  4. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    PM replied to :thumb:
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I noticed that too. In fact if you start the scan from HMPA by clicking the tile and then open a separate HMP scan window by clicking the HMP tray icon the scan will complete in spite of the CredGuard intercept.
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    A traditional AV has a "historic" list of known malware, meaning that it goes back in time, and includes even the old samples that are not popular right now.
    Supplemental antimalware scanners tend to focus on the current, popular samples.
     
  7. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Mitigation PrivGuard

    Platform 10.0.14393/x64 v709 06_4e
    PID 3840
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 58

    Sweep

    Code Injection
    0000000000010000-0000000000016000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1832]
    0000000000020000-0000000000021000 4KB
    00007FF9E8689000-00007FF9E868A000 4KB
    000002A965099000-000002A96509A000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10512]
    00007FF9E86B6000-00007FF9E86B7000 4KB
    00007FF9E86B8000-00007FF9E86B9000 4KB

    Still having issues with SBIE @ random
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I got a credentials shield block, when installing Kaspersky Internet Security 2018 on top of HMPA 3.7.0.709.
    It happened immediately after the actual installation was completed, so it did not mess up the installation.
     
  9. Cch123

    Cch123 Registered Member

    Joined:
    Oct 27, 2013
    Posts:
    15
    Not sure if you got my PM, the Asynchronous Process Call mitigation false positive in svchost from CTP1 has been fixed as of CTP2 :thumb:
     
  10. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Mitigation PrivGuard

    Platform 10.0.14393/x64 v709 06_4e
    PID 12188
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 58

    Sweep

    Code Injection
    0000000000B90000-0000000000B96000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1832]
    0000000000BA0000-0000000000BA1000 4KB
    00007FF9E8689000-00007FF9E868A000 4KB
    000001CF86C27000-000001CF86C28000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10952]
    00007FF9E86B6000-00007FF9E86B7000 4KB

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [12188]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088 --primordial-pipe-token=611D9D2D043A7BFAAB72AFCE396DA019 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visi
    2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10952]



    Again @ random... But with added process trace
     
  11. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Do you have the eventlog details?
     
  13. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Anyone else seen this with CTP3?
     
  15. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Just upgraded to HMPA 3.7.0 709 and I have windows tone at restart (Windows 7).
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Thanks. Maybe it's only Win10.
     
  17. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    131
    Location:
    Australia
    HMP.A CTP3

    Trying to play the game Atlas Reactor from the Glyph Launcher.

    https://www.atlasreactorgame.com/en/
    https://www.trionworlds.com/glyph/download/en/

    Code:
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          8/06/2017 4:00:02 PM
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      DESKTOP-LPQ76IG
    Description:
    Mitigation   CallerCheck
    
    Platform     10.0.15063/x64 v709 7f_00
    PID          9316
    Application  C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe
    Description  Atlas Reactor 5.4.3
    
    Callee Type  LoadLibrary
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  056DEDEC (anonymous; mono.dll)  
                8945d8                   MOV          [EBP-0x28], EAX
                e81c627771               CALL         0x76e55010
                83ec0c                   SUB          ESP, 0xc
                50                       PUSH         EAX
                e8afffffff               CALL         0x56dedac
                83c410                   ADD          ESP, 0x10
                8b45d8                   MOV          EAX, [EBP-0x28]
                8bf8                     MOV          EDI, EAX
                8b0588691f10             MOV          EAX, [0x101f6988]
                85c0                     TEST         EAX, EAX
                750f                     JNZ          0x56dee1e
                8bc7                     MOV          EAX, EDI
                8b55dc                   MOV          EDX, [EBP-0x24]
                8b4de0                   MOV          ECX, [EBP-0x20]
                8911                     MOV          [ECX], EDX
                8b7df0                   MOV          EDI, [EBP-0x10]
    
    2  056DE91F (anonymous; mono.dll)  
    3  056DE843 (anonymous; mono.dll)  
    4  056DE823 (anonymous; mono.dll)  
    5  056C02F3 (anonymous; mono.dll)  
    6  100F1716 mono.dll              
    7  1005D82C mono.dll                 mono_runtime_invoke +0x51
    8  100603FB mono.dll                 mono_array_new +0x232
    9  10060281 mono.dll                 mono_array_new +0xb8
    10 100F12A2 mono.dll              
    
    Process Trace
    1  C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe [9316]
    "C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe" -s wss://208.94.26.102 -t "C:/Users/lukec/AppData/Local/Temp/Glyph.bZ1300" -o EnableLogging=true -l en
    2  C:\Program Files (x86)\Glyph\GlyphClientApp.exe [1300]
    3  C:\Program Files (x86)\Glyph\GlyphCrashHandler.exe [6196]
    "C:\Program Files (x86)\Glyph\GlyphCrashHandler.exe" -launch "C:\Program Files (x86)\Glyph\GlyphClientApp.exe" "C:\Program Files (x86)\Glyph" ""
    4  C:\Program Files (x86)\Glyph\GlyphClientApp.exe [2480]
    GlyphClientApp.exe
    5  C:\Program Files (x86)\Glyph\GlyphClient.exe [7704]
    6  C:\Windows\explorer.exe [5448]
    7  C:\Windows\System32\userinit.exe [5424]
    8  C:\Windows\System32\winlogon.exe [812]
    winlogon.exe
    9  C:\Windows\System32\smss.exe [700]
    \SystemRoot\System32\smss.exe 000000ac 0000006c
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-06-08T06:00:02.293401200Z" />
        <EventRecordID>6337</EventRecordID>
        <Channel>Application</Channel>
        <Computer>DESKTOP-LPQ76IG</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe</Data>
        <Data>CallerCheck</Data>
        <Data>Mitigation   CallerCheck
    
    Platform     10.0.15063/x64 v709 7f_00
    PID          9316
    Application  C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe
    Description  Atlas Reactor 5.4.3
    
    Callee Type  LoadLibrary
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  056DEDEC (anonymous; mono.dll)  
                8945d8                   MOV          [EBP-0x28], EAX
                e81c627771               CALL         0x76e55010
                83ec0c                   SUB          ESP, 0xc
                50                       PUSH         EAX
                e8afffffff               CALL         0x56dedac
                83c410                   ADD          ESP, 0x10
                8b45d8                   MOV          EAX, [EBP-0x28]
                8bf8                     MOV          EDI, EAX
                8b0588691f10             MOV          EAX, [0x101f6988]
                85c0                     TEST         EAX, EAX
                750f                     JNZ          0x56dee1e
                8bc7                     MOV          EAX, EDI
                8b55dc                   MOV          EDX, [EBP-0x24]
                8b4de0                   MOV          ECX, [EBP-0x20]
                8911                     MOV          [ECX], EDX
                8b7df0                   MOV          EDI, [EBP-0x10]
    
    2  056DE91F (anonymous; mono.dll)  
    3  056DE843 (anonymous; mono.dll)  
    4  056DE823 (anonymous; mono.dll)  
    5  056C02F3 (anonymous; mono.dll)  
    6  100F1716 mono.dll              
    7  1005D82C mono.dll                 mono_runtime_invoke +0x51
    8  100603FB mono.dll                 mono_array_new +0x232
    9  10060281 mono.dll                 mono_array_new +0xb8
    10 100F12A2 mono.dll              
    
    Process Trace
    1  C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe [9316]
    "C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe" -s wss://208.94.26.102 -t "C:/Users/lukec/AppData/Local/Temp/Glyph.bZ1300" -o EnableLogging=true -l en
    2  C:\Program Files (x86)\Glyph\GlyphClientApp.exe [1300]
    3  C:\Program Files (x86)\Glyph\GlyphCrashHandler.exe [6196]
    "C:\Program Files (x86)\Glyph\GlyphCrashHandler.exe" -launch "C:\Program Files (x86)\Glyph\GlyphClientApp.exe" "C:\Program Files (x86)\Glyph" ""
    4  C:\Program Files (x86)\Glyph\GlyphClientApp.exe [2480]
    GlyphClientApp.exe
    5  C:\Program Files (x86)\Glyph\GlyphClient.exe [7704]
    6  C:\Windows\explorer.exe [5448]
    7  C:\Windows\System32\userinit.exe [5424]
    8  C:\Windows\System32\winlogon.exe [812]
    winlogon.exe
    9  C:\Windows\System32\smss.exe [700]
    \SystemRoot\System32\smss.exe 000000ac 0000006c
    </Data>
      </EventData>
    </Event>
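    The event 911 description above has a fixed text layout: header fields, a Stack Trace whose frames carry indented disassembly, and a Process Trace with quoted command lines under each entry. As an added example, not code from this thread or from HitmanPro.Alert, here is a Python parser for that layout plus a triage key that groups repeated alerts (same mitigation, application, top-frame module and ancestry), which is how you would spot a recurring false positive such as the Sandboxie or mono.dll reports in this thread. The sample is constructed from the shape of the posted event, with the server address and user path replaced by placeholders.

```python
import re
from os.path import basename
# Constructed sample shaped like the event 911 description posted above (trimmed; placeholder server)
SAMPLE = """Mitigation   CallerCheck
Platform     10.0.15063/x64 v709 7f_00
PID          9316
Application  C:\\Program Files (x86)\\Glyph\\Games\\Atlas Reactor\\Live\\Win32\\AtlasReactor.exe
Description  Atlas Reactor 5.4.3
Callee Type  LoadLibrary
Stack Trace
#  Address  Module                   Location
1  056DEDEC (anonymous; mono.dll)
            8945d8                   MOV          [EBP-0x28], EAX
2  056DE91F (anonymous; mono.dll)
7  1005D82C mono.dll                 mono_runtime_invoke +0x51
Process Trace
1  C:\\Program Files (x86)\\Glyph\\Games\\Atlas Reactor\\Live\\Win32\\AtlasReactor.exe [9316]
"C:\\Program Files (x86)\\Glyph\\Games\\Atlas Reactor\\Live\\Win32\\AtlasReactor.exe" -s wss://<server> -l en
2  C:\\Program Files (x86)\\Glyph\\GlyphClientApp.exe [1300]
6  C:\\Windows\\explorer.exe [5448]
"""
HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Callee Type)\s{2,}(\S.*?)\s*$")
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(\S.*?)\s*$")  # "n  addr module [location]"
PROC_RE = re.compile(r"^(\d+)\s+(\S.*?)\s+\[(\d+)\]\s*$")          # "n  path [pid]"

def parse_event(text):
    """Return header fields, stack frames (index, address, module, location) and process chain (pid, path)."""
    fields, frames, chain, section = {}, [], [], None
    for line in text.splitlines():
        if line.strip() in ("Stack Trace", "Process Trace"):
            section = line.strip()
        elif section is None:
            if m := HEADER_RE.match(line):
                fields[m.group(1)] = m.group(2)
        elif section == "Stack Trace":
            if m := FRAME_RE.match(line):  # the table header and indented disassembly lines do not match
                parts = re.split(r"\s{2,}", m.group(3), maxsplit=1)
                frames.append((int(m.group(1)), m.group(2), parts[0], parts[1] if len(parts) > 1 else ""))
        elif m := PROC_RE.match(line):  # quoted command lines under an entry do not match
            chain.append((int(m.group(3)), m.group(2)))
    return fields, frames, chain

def triage_key(text):
    """Compact key for grouping repeated alerts: mitigation, app, module at the top frame, ancestry."""
    fields, frames, chain = parse_event(text)
    win_base = lambda p: basename(p.replace("\\", "/"))  # os.path.basename splits only on "/" off Windows
    top = frames[0][2] if frames else ""
    return {"mitigation": fields.get("Mitigation"), "callee": fields.get("Callee Type"),
            "app": win_base(fields.get("Application", "")),
            "top_module": top.strip("()").split("; ")[-1],  # "(anonymous; mono.dll)" -> "mono.dll"
            "ancestry": [win_base(p) for _, p in chain]}
```

    Feeding the Description field of each event 911 record through `triage_key` and counting identical keys separates one recurring application/module pair from genuinely new hits.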
    
     
  18. guest

    guest Guest

    This also can be seen with the 3.6-branch of HMP.A.
    Seems to be a compatibility issue with mono.dll:
     
  19. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Been running build 709 for three days now. The multiple crashes (especially on IE11) that plagued my Windows 7 system with earlier builds, have stopped completely. (Knock on wood.) :thumb:
     
  20. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Any way to exclude what was blocked by HMP.A (anti-malware)?
     
  21. guest

    guest Guest

    exploit mitigation > application > scroll to right > add the process/exe to exceptions.
     
  22. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Same process for anti-malware?! Thanks @guest
     
  23. guest

    guest Guest

    At the moment, temporarily disabling the Anti-Malware Protection is the only "solution".
    But would be nice if executables or whole folders could be excluded.
     
  24. plat1098

    plat1098 Guest

    I resolved this, just didn't want to face the facts that it was my machine. :'( I'll stick with 708 for the time being. CredGuard alerts during regedit are infrequent; although HMPA "remembered" not to run a malware scan after re-installation of 708, when I ran one manually, again, I got a CredGuard mitigation. Again, not enough for me to justify disabling it and then risk forgetting about it. :)
     
  25. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    @mood Thanks!
     