HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

Page 12 of 91
  1. Man van het noorden

    Man van het noorden Registered Member

    Joined:
    Jun 26, 2014
    Posts:
    12
    Location:
    NL
    Getting this FP with CTP4 doing a search in the registry with RegeditX Crawler. Second search performed no problem.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 13-06-17 23:29:47
    Gebeurtenis-id:911
    Taakcategorie: (9)
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: xxxxxxxx
    Beschrijving:
    Mitigation CredGuard

    Platform 6.1.7601/x86 v710 06_25
    PID 1544
    Application C:\Program Files\RegEditX\RxCrawler.exe
    Description RegEditX Crawler 3.0

    \REGISTRY\MACHINE\SAM\SAM

    Process Trace
    1 C:\Program Files\RegEditX\RxCrawler.exe [1544]
    "C:\Program Files\RegEditX\rxcrawler.exe" -SingleInstance
    2 C:\Windows\regedit.exe [4256]
    regedit.exe
    3 C:\Program Files\RegEditX\RegEditX.exe [3424]
    4 C:\Windows\explorer.exe [5164]
    5 C:\Windows\System32\userinit.exe [5576]
    6 C:\Windows\System32\winlogon.exe [5708]
    winlogon.exe
    7 C:\Windows\System32\smss.exe [1424]
    \SystemRoot\System32\smss.exe 00000000 0000004c

    Thumbprint
    eebfee85859808e7c4774d74e7e4095fd8f71735cd7abbf4ab79ce401862e5f2
    Gebeurtenis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-06-13T21:29:47.000000000Z" />
    <EventRecordID>20681</EventRecordID>
    <Channel>Application</Channel>
    <Computer>norbert-m</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files\RegEditX\RxCrawler.exe</Data>
    <Data>CredGuard</Data>
    <Data>Mitigation CredGuard

    Platform 6.1.7601/x86 v710 06_25
    PID 1544
    Application C:\Program Files\RegEditX\RxCrawler.exe
    Description RegEditX Crawler 3.0

    \REGISTRY\MACHINE\SAM\SAM

    Process Trace
    1 C:\Program Files\RegEditX\RxCrawler.exe [1544]
    "C:\Program Files\RegEditX\rxcrawler.exe" -SingleInstance
    2 C:\Windows\regedit.exe [4256]
    regedit.exe
    3 C:\Program Files\RegEditX\RegEditX.exe [3424]
    4 C:\Windows\explorer.exe [5164]
    5 C:\Windows\System32\userinit.exe [5576]
    6 C:\Windows\System32\winlogon.exe [5708]
    winlogon.exe
    7 C:\Windows\System32\smss.exe [1424]
    \SystemRoot\System32\smss.exe 00000000 0000004c

    Thumbprint
    eebfee85859808e7c4774d74e7e4095fd8f71735cd7abbf4ab79ce401862e5f2</Data>
    </EventData>
    </Event>
     
    Man van het noorden, Jun 13, 2017
    #276
  2. guest

    guest Guest

    @Peter2150
    Btw.: Do you get a "Anti-VM" Mitigation after the tray-application (beta) from FIDES has been started? (see below)
     
    guest, Jun 13, 2017
    #277
  3. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Mitigation PrivGuard

    Platform 10.0.14393/x64 v710 06_4e
    PID 9288
    Application C:\Program Files\Sandboxie\SandboxieCrypto.exe
    Description Sandboxie COM Services (CryptSvc) 5.20

    Sweep

    Code Injection
    00000000001E0000-00000000001E6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1980]
    00000000001F0000-00000000001F1000 4KB
    00007FFE60AF9000-00007FFE60AFA000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [1980]
    2 C:\Windows\System32\services.exe [932]
     
    Duotone, Jun 13, 2017
    #278
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sorry, I haven't tried the tray application beta.
     
    Peter2150, Jun 13, 2017
    #279
  5. guest

    guest Guest

    The mitigation "Credential Theft Protection" is responsible for this. It is preventing you from accessing the credentials which are stored in the registry key \REGISTRY\MACHINE\SAM\SAM.
    To get no alert from HMP.A, try to turn the mitigation off before you do a search in the registry.
     
    guest, Jun 13, 2017
    #280
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I've only seen it once (after an image restore to 603 beta), not since ... Also I don't use any VM.
     
    paulderdash, Jun 14, 2017
    #281
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Did anyone on Windows 10 CU have trouble with patch tuesday?
    I needed to manually download and install the updates, and then it failed, with a BSOD.
    I uninstalled it, tried again without security softs, and it worked.
    Not sure if problem was HMPA 710, or Kaspersky Internet Security 2018
     
    shmu26, Jun 14, 2017
    #282
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    No, not here.
     
    Krusty, Jun 14, 2017
    #283
  9. guest

    guest Guest

    no, but i disabled HMPA 710 Process Protections beforehand.
     
    guest, Jun 14, 2017
    #284
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No problems, but I am on build 603 beta.
     
    paulderdash, Jun 14, 2017
    #285
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Change Vaccination from Active to Passive.
     
    erikloman, Jun 14, 2017
    #286
  12. guest

    guest Guest

    Some applications want to find out if they are running in a VM or in a sandbox (="sandbox-aware"). If this happens, the mitigation Vaccination triggers an alert.
    It happened only once so i guess you can leave it that way. Or follow the advice mentioned above: #286
     
    guest, Jun 14, 2017
    #287
  13. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    +1 :thumb:
     
    _CyberGhosT_, Jun 14, 2017
    #288
  14. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I spoke too soon. Yesterday there were four "application errors" within a 60-minute time span, all like the following:
    Code:
    Faulting application name: IEXPLORE.EXE, version: 11.0.9600.18639, time stamp: 0x58d6bb0d
Faulting module name: hmpalert.dll, version: 3.7.0.709, time stamp: 0x59316cee
Exception code: 0xc0000005
Fault offset: 0x0004e26f
Faulting process id: 0x314
Faulting application start time: 0x01d2e52a137b3c6c
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\Windows\SysWOW64\hmpalert.dll
Report Id: 529c5d9c-5150-11e7-b9a9-4c72b91da94f
     
    JEAM, Jun 15, 2017
    #289
  15. guest

    guest Guest

    You are still running CTP3, maybe you can try it again with the newer beta: CTP 4
     
    guest, Jun 15, 2017
    #290
  16. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    +1 yeah he wasn't updated, good catch :thumb:
     
    _CyberGhosT_, Jun 15, 2017
    #291
  17. tonino

    tonino Registered Member

    Joined:
    Jan 2, 2017
    Posts:
    62
    Location:
    somewhere
    Hi Erik!

    Mitigation CredGuard

    Platform 10.0.14393/x64 v710 06_25
    PID 5852
    Application C:\Program Files (x86)\Soft Organizer\HelperFor64Bits.exe
    Description HelperFor64Bits.exe

    \REGISTRY\MACHINE\SAM\SAM

    Process Trace
    1 C:\Program Files (x86)\Soft Organizer\HelperFor64Bits.exe [5852]
    RpcCapture RegSnapShot64CallParamsMmf-5116-74334976-103444527733
    2 C:\Program Files (x86)\Soft Organizer\SoftOrganizer.exe [5116]
    3 C:\Windows\explorer.exe [3680]
    4 C:\Windows\System32\userinit.exe [3412]

    Thumbprint
    6b4190af73c2d017cf3d7aa463df5c565f3cf041397d2b6db246a1cd41d0ee0b
     
    tonino, Jun 15, 2017
    #292
  18. guest

    guest Guest

    Is there a way to white list my keyboard so I don't get a notification of the USB keyboard module with every login? Even if I disable the module I still get the screen alert
    I have a IR USB connected to a USB slot of the keyboard, that is used for the wireless mouse
     
    guest, Jun 15, 2017
    #293
  19. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I am updated now to 710 and the crashes continue. :rolleyes:
    Code:
    Problem signature:
  Problem Event Name:    APPCRASH
  Application Name:    hmpalert.exe
  Application Version:    3.7.0.710
  Application Timestamp:    593adfaa
  Fault Module Name:    hmpalert.exe
  Fault Module Version:    3.7.0.710
  Fault Module Timestamp:    593adfaa
  Exception Code:    40000015
  Exception Offset:    0023c9f1
  OS Version:    6.1.7601.2.1.0.768.3
  Locale ID:    1033
  Additional Information 1:    202e
  Additional Information 2:    202ebd24078c8a8d508d256df40c3e2d
  Additional Information 3:    78ce
  Additional Information 4:    78ce6fce26317a4c02a360aaa8d5d037
    From the Event Viewer:
    Code:
    Faulting application name: hmpalert.exe, version: 3.7.0.710, time stamp: 0x593adfaa
Faulting module name: hmpalert.exe, version: 3.7.0.710, time stamp: 0x593adfaa
Exception code: 0x40000015
Fault offset: 0x0023c9f1
Faulting process id: 0xd74
Faulting application start time: 0x01d2e6609fc2014e
Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
Faulting module path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
Report Id: ea7d12aa-52e3-11e7-854a-4c72b91da94f
     
    JEAM, Jun 16, 2017
    #294
  20. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Anyway to reset the Alert counter?! Its pilling up due to SBIE blocking...
     
    Duotone, Jun 16, 2017
    #295
  21. guest

    guest Guest

    The only way to clean the number of Alerts is to clear the Windows Application Log in Windows Event Viewer.
     
    guest, Jun 16, 2017
    #296
  22. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    I've tried that but it after checking the # alert count is still there... maybe I'm doing it wrong
     
    Duotone, Jun 16, 2017
    #297
  23. guest

    guest Guest

    Strange. Do you have rebooted after clearing of the log?
     
    guest, Jun 17, 2017
    #298
  24. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Alert when visiting flickr.com. F.P.? Using HMPA 3.7.0 710 CTP4.
     

    Attached Files:

    G1111, Jun 17, 2017
    #299
  25. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Only with chrome and SBIE:

    Platform 10.0.14393/x64 v710 06_4e
    PID 12140
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 59

    Sweep

    Code Injection
    00000000008C0000-00000000008C6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1532]
    00000000008D0000-00000000008D1000 4KB
    00007FFAB9A19000-00007FFAB9A1A000 4KB
    000001C5A6940000-000001C5A6941000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7164]
    00007FFAB9A46000-00007FFAB9A47000 4KB
    00007FFAB9A48000-00007FFAB9A49000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [1532]
    2 C:\Windows\System32\services.exe [932]
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7164]
    2 C:\Windows\explorer.exe [5608]
    3 C:\Windows\System32\userinit.exe [5260]

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [12140]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604 --primordial-pipe-token=0D4BA418C5F3C900700B2A1B687DD6EB --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visi
    2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7164]
    3 C:\Windows\explorer.exe [5608]
    4 C:\Windows\System32\userinit.exe [5260]
     
    Duotone, Jun 17, 2017
    #300
Page 12 of 91
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...