HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. guest

    guest Guest

    The job of this mitigation: "Preventing theft of authentication passwords and hash information from memory, registry and disk. Prevents Mimikatz-style attacks."
    ...and IFW was reading the file from hard disk, so HMP.A has prevented it.
    HMP.A should give an alert about it, but in your case it didn't happen.
    Maybe they will fix it in a newer build :cautious:
     
  2. Secure_Guy

    Secure_Guy Registered Member

    Joined:
    May 4, 2016
    Posts:
    49
    I've just tried hmpalert3b710.
    With regards to the real-time malware scanner, if there are lots of malware files in a folder, HMP.A will warn about a couple of files when they are run, but the rest will not show any malware warning. The reason seems to be that if you run the files one after the other, the alerts do NOT show up. However, if you wait 40 sec or so before you run each file, then the alert does show up.
    This has been happening for the past few builds now, and the only reason I didn't post regarding the issue was because I thought something this obvious would be fixed by now. Since it still has NOT been fixed... here is the post.
     
  3. Secure_Guy

    Secure_Guy Registered Member

    Joined:
    May 4, 2016
    Posts:
    49
    Also, running malware files just alerts the user.
    There should be an option to quarantine the files instead of just blocking the run and leaving the malware files in place.
     
  4. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    HitmanPro.Alert 3.7 Build 710 CTP4 running fine here.
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Upgrade from 602 to 603. After reboot 603 loaded with all settings preserved. Ran a malware scan which completed successfully. :thumb:
     
  6. plat1098

    plat1098 Guest

    Will have to wait for definite confirmation; the above issue is not frivolous but appears to be more involved and serious than expected. Today, download proceeds in Firefox, then SmartScreen promptly blocks it. Never did this previously, this was a secure site in all respects. IE just shows "Invalid token5." Dang, I'm liking my security setup right about now--way to go HMPA CTP, VS and SS.
     
  7. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    @erikloman @markloman
    Spoke too soon here ya go:
    Mitigation CredGuard

    Platform 10.0.15063/x64 v710 06_1a
    PID 9232
    Application C:\Program Files\HitmanPro\HitmanPro.exe
    Description HitmanPro 3.7.20

    \REGISTRY\MACHINE\SAM\SAM\

    Process Trace
    1 C:\Program Files\HitmanPro\HitmanPro.exe [9232]
    2 C:\Windows\explorer.exe [4600]
    3 C:\Windows\System32\userinit.exe [4580]
    4 C:\Windows\System32\winlogon.exe [804]
    winlogon.exe
    5 C:\Windows\System32\smss.exe [704]
    \SystemRoot\System32\smss.exe 0000007c 00000080

    Thumbprint
    507525fb897224310157d8ab8d48fb8ccac4dd2de5999cf03973c056753e7f44
    Running 710 CTP4
    On: Win10 x64 v1703 15063.332
     
  8. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    The first time it said Failed because of OpenDNS, the second time the scan ran fine but a UI bug says the scan now completed but it didn't update the upper 'title' text. If you close and reopen the UI the Failed is gone - it's a glitch.
    We hope OpenDNS fixes their stuff soon.
     
  9. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I even went so far as to disable the firewall.

    Both the first and second time I checked that hitmanpro.exe was on the system. In both instances it was not to be found anywhere in the file system.

    I opened and closed the GUI multiple times... actually the first thing that I tried.

    It doesn't matter if I install 604 or 710 CTP4. The results are the same. Hitmanpro.exe is not written anywhere in the file system. I even tried multiple DNS such as Google. Same result.
     
    Last edited: Jun 11, 2017
  10. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Platform 10.0.15063/x64 v709 06_17*
    PID 4260
    Application C:\Windows\System32\dllhost.exe
    Description COM Surrogate 10

    Sweep

    Code Injection
    0000000000A70000-0000000000A76000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [4124]
    0000000000A80000-0000000000A81000 4KB
    00007FFFAA229000-00007FFFAA22A000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [4124]
    2 C:\Windows\System32\services.exe [708]
    3 C:\Windows\System32\wininit.exe [636]
    wininit.exe

    Process Trace
    1 C:\Windows\System32\dllhost.exe [4260]
    C:\WINDOWS\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    2 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [4912]
    3 C:\Program Files\Sandboxie\SandboxieRpcSs.exe [2248]
    4 C:\Program Files\Sandboxie\SbieSvc.exe [4124]
    5 C:\Windows\System32\services.exe [708]
    6 C:\Windows\System32\wininit.exe [636]
    wininit.exe
    </Data>
    </EventData>
    </Event>

    HmP.Alert 709 CTP3/Win10 1703 build 15063.332 x64/Norton Security v22.9.4.8/Sandboxie 5.20.
     
    Last edited: Jun 11, 2017
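The two reports pasted above (the CredGuard alert on HitmanPro.exe opening the SAM hive, and the Code Injection alert on dllhost.exe with Sandboxie's service as the injector) share one plain-text layout: a key/value header, the touched target, an optional list of injected regions, a numbered process trace and a thumbprint. The following is an added example, not HMP.A's own code or anything from the developers: it parses that layout (as inferred from the two posts) into a structured record and runs a small allowlist triage over it, so that alerts from a known scanner or sandbox service can be separated from ones worth a look. The allowlists `EXPECTED_SAM_READERS` and `EXPECTED_INJECTORS` are assumptions for illustration, and the two sample reports are constructed from the posts rather than captured live.

```python
"""Parse the plain-text mitigation reports HitmanPro.Alert writes (the form pasted in
the two posts above) and run an allowlist triage over them. Added example, not HMP.A's
own code: the layout is inferred from those posts; the allowlists are assumptions."""
import re

HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description)\s+(.+)$")
TRACE_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")  # "3 C:\...\userinit.exe [4580]"
REGION_RE = re.compile(r"^([0-9A-Fa-f]{16})-([0-9A-Fa-f]{16})\s+(\d+)KB(?:\s+(.+?)\s+\[(\d+)\])?$")
SHA256_RE = re.compile(r"^[0-9A-Fa-f]{64}$")

def parse_alert(text):
    # trace entries are (depth, path, pid); injections are (start, end, kb, injector, pid)
    alert = dict(mitigation=None, platform=None, pid=None, application=None,
                 description=None, target=None, trace=[], injections=[], thumbprint=None)
    section = "header"
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line in ("Process Trace", "Thumbprint", "Code Injection"):
            section = line
        elif section == "header":
            m = HEADER_RE.match(line)
            if m:
                key, value = m.group(1).lower(), m.group(2).strip()
                alert[key] = int(value) if key == "pid" else value
            else:  # first line that is not key/value names what was touched (hive path, "Sweep")
                alert["target"], section = line, "body"
        elif section == "Process Trace":
            m = TRACE_RE.match(line)  # unnumbered lines (command line, short name) carry no entry
            if m:
                alert["trace"].append((int(m.group(1)), m.group(2), int(m.group(3))))
        elif section == "Code Injection":
            m = REGION_RE.match(line)  # the injector's own numbered trace that follows is skipped
            if m:
                alert["injections"].append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3)),
                                            m.group(4), int(m.group(5)) if m.group(5) else None))
        elif section == "Thumbprint":
            if SHA256_RE.match(line):
                alert["thumbprint"] = line.lower()
            section = "body"
    return alert

def chain_root(alert):
    """Oldest ancestor in the process trace (highest depth), or None."""
    return max(alert["trace"], key=lambda e: e[0], default=None)

# Assumed allowlists for illustration; a real deployment derives them from its own inventory.
EXPECTED_SAM_READERS = {r"c:\program files\hitmanpro\hitmanpro.exe"}
EXPECTED_INJECTORS = {r"c:\program files\sandboxie\sbiesvc.exe"}

def triage(alert):
    """'expected' when the actor is allowlisted for what it did, otherwise 'investigate'."""
    app = (alert["application"] or "").lower()
    if alert["mitigation"] == "CredGuard":
        on_sam = (alert["target"] or "").upper().startswith(r"\REGISTRY\MACHINE\SAM")
        return "expected" if on_sam and app in EXPECTED_SAM_READERS else "investigate"
    if alert["injections"]:  # unattributed regions only ride along with an attributed, known injector
        names = [r[3].lower() for r in alert["injections"] if r[3]]
        return "expected" if names and all(n in EXPECTED_INJECTORS for n in names) else "investigate"
    return "investigate"

# Sample reports constructed from the two posts above; test input, not live alerts.
SAMPLE_CREDGUARD = r"""Mitigation CredGuard
Platform 10.0.15063/x64 v710 06_1a
PID 9232
Application C:\Program Files\HitmanPro\HitmanPro.exe
Description HitmanPro 3.7.20

\REGISTRY\MACHINE\SAM\SAM\

Process Trace
1 C:\Program Files\HitmanPro\HitmanPro.exe [9232]
2 C:\Windows\explorer.exe [4600]
3 C:\Windows\System32\userinit.exe [4580]
4 C:\Windows\System32\winlogon.exe [804]
5 C:\Windows\System32\smss.exe [704]
\SystemRoot\System32\smss.exe 0000007c 00000080

Thumbprint
507525fb897224310157d8ab8d48fb8ccac4dd2de5999cf03973c056753e7f44"""

SAMPLE_INJECTION = r"""Platform 10.0.15063/x64 v709 06_17*
PID 4260
Application C:\Windows\System32\dllhost.exe
Description COM Surrogate 10

Sweep

Code Injection
0000000000A70000-0000000000A76000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [4124]
0000000000A80000-0000000000A81000 4KB
00007FFFAA229000-00007FFFAA22A000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [4124]
2 C:\Windows\System32\services.exe [708]

Process Trace
1 C:\Windows\System32\dllhost.exe [4260]
C:\WINDOWS\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [4912]
3 C:\Program Files\Sandboxie\SbieSvc.exe [4124]
4 C:\Windows\System32\services.exe [708]
5 C:\Windows\System32\wininit.exe [636]"""
```

Running `triage(parse_alert(SAMPLE_CREDGUARD))` yields "expected" only because the vendor's own scanner path is on the assumed allowlist; the same report with any other application path comes back "investigate", which is the behaviour a CredGuard-style alert on the SAM hive should have by default. Note that the parser deliberately ignores the numbered lines that follow the injected regions (the injector's own ancestry) so they are not confused with the victim's process trace.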
  11. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Build 710 CTP4: BADUSB still disabled after upgrade. Scan fails (see earlier post). No clean install btw.
     
    Last edited: Jun 11, 2017
  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    After upgrade to CTP4 from CTP2 one machine was fine and the other would not boot - both running W10 build 15063.
    Error was an IRQL_NOT_LESS_OR_EQUAL, probably caused by hmpalert.sys.
    Renamed the drivers to get the machine to boot again.
     
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    as a security expert you should also know perfectly that without the dump file it is very unlikely that SurfRight can figure out the problem...
     
  14. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    +1 :thumb: gotta love those self imposed titles huh. lol
     
  15. ohgood

    ohgood Registered Member

    Joined:
    Apr 3, 2015
    Posts:
    39
    Location:
    cold upper midwest
    I'm no security expert - but I play one on TV! :cool: lol ...

    Just got CTP4 up on my machine yesterday. Smooth & light so far. Caveat: I have very little on my machine - I just installed W10 - so our lovely HMPA beta doesn't have much to work with. I hope to at least do some power surfing soon!

    Thanks Loman Bros. Erik & Mark , & Surfright/Sophos, for building such outstanding products for us. I continue to be impressed. And it's fun to be participating! Thanks also, the rest of you here for providing a great place for developers to test.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    One way you can troubleshoot is to try to download, install and scan with HitmanPro separately.
     
  17. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Already did that. If you download and install HMP.A betas separately from HMP, they work - but for HMP no real-time, just on-demand scanning.

    I Wiresharked it. There is nothing there to download.
     
  18. tonino

    tonino Registered Member

    Joined:
    Jan 2, 2017
    Posts:
    62
    Location:
    somewhere
    Upgrade over CTP3 version

    There is always a false positive (HelperFor64Bits file of Soft Organizer app) detection.

    For the rest no problems
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I understand. When you click on the tile to start a scan in HMPA what's supposed to happen is it downloads and initiates a scan with HitmanPro. There isn't a separate scanning engine in HMPA. Since you can download, install and scan with HMP the only problem really is being able to start the scan from HMPA (my apologies if this is already obvious).
     
  20. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    If the feature is simply scanning on-demand from the GUI, then that isn't real-time scan engine protection. Maybe I am missing something, but I thought the newest beta had a real-time AV protection.

    Anyway, the HMP part is not downloading no matter what.

    It's not DNS or network related; there is nothing there to download.
     
  21. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    I am doing a clean install of CTP4 every single time. Each time I install it the Scanner does not get downloaded. The only thing that the GUI shows is "Last scan X hours ago." That should not be happening - as it is a complete clean install. The download is not even happening. I Wiresharked it and HMP.A is not even attempting to download hitmanpro_x64.exe. There is no network activity coming from HMP.A to download, so there is nothing there to download.

    Now, when I install any version of HMP.A, during the install launch of HMP.A, the scan fails.

    I am using two test systems - both the same OS, both the same DNS, both with all the same settings.

    I can get it to work properly on one system and not the other.

    It was working fine for days on both systems, but I tested HMP.A really hard on the one system with many installs\uninstalls and eventually this condition started where HMP.A will not even attempt to download the scanner.

    I reset the network, disabled the firewall, reset the firewall, and nothing will fix the failed scan at first launch of HMP.A immediately after installation.

    What is telling is that immediately upon very first launch immediately after installation of any version of HMP.A the GUI is always showing "Last scan X hours ago" and Failure. Something is causing that such that HMP.A is not even attempting to download the scanner.
     
    Last edited: Jun 12, 2017
  22. guest

    guest Guest

    This one is weird indeed...
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It is a strange "corner case."
     
  24. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    How are RT clashes with Windows Defender going to be handled ? It doesn't look like it will be integrated into the Security Center.

    Actually, on the test system that installs the scanner, I am getting zero detections from RT - and it is enabled in the GUI.
     
  25. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I have the same problem. The on-demand scanner is not downloaded. HMPA just shows 'failed'. I have to download and install Hitman Pro separately in order to be able to scan on-demand from within HMPA CTP4.
     