If you can't see any HMP.A-related event in the Event Viewer, then I don't know where HMP.A is getting the number of alerts from.
The antivirus in this version of HMP.A is Sophos, I guess, and according to tests Sophos is mediocre. Is anyone testing this AV to see if it is any better?
Multiple Sandboxie COM Services (DCOM) 5.20 alerts when starting Firefox 54.0 sandboxed.
Code:
Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 19-6-2017 12:56:54
Gebeurtenis-id: 911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation PrivGuard
Platform 10.0.15063/x64 v710 06_17*
PID 4696
Application C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
Description Sandboxie COM Services (DCOM) 5.20

Sweep Code Injection
00000000001B0000-00000000001B6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [3612]
00000000001C0000-00000000001C1000 4KB
00007FFB40F49000-00007FFB40F4A000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [3612]
2 C:\Windows\System32\services.exe [692]
3 C:\Windows\System32\wininit.exe [624] wininit.exe

Process Trace
1 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [4696]
2 C:\Program Files\Sandboxie\SandboxieRpcSs.exe [3060]
3 C:\Program Files\Sandboxie\SbieSvc.exe [3612]
4 C:\Windows\System32\services.exe [692]
5 C:\Windows\System32\wininit.exe [624] wininit.exe

Gebeurtenis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-06-19T10:56:54.910282900Z" />
    <EventRecordID>4024</EventRecordID>
    <Channel>Application</Channel>
    <Computer>sjaak2-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe</Data>
    <Data>PrivGuard</Data>
    <Data>Mitigation PrivGuard Platform 10.0.15063/x64 v710 06_17* PID 4696 Application C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe Description Sandboxie COM Services (DCOM) 5.20 Sweep Code Injection 00000000001B0000-00000000001B6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [3612] 00000000001C0000-00000000001C1000 4KB 00007FFB40F49000-00007FFB40F4A000 4KB 1 C:\Program Files\Sandboxie\SbieSvc.exe [3612] 2 C:\Windows\System32\services.exe [692] 3 C:\Windows\System32\wininit.exe [624] wininit.exe Process Trace 1 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [4696] 2 C:\Program Files\Sandboxie\SandboxieRpcSs.exe [3060] 3 C:\Program Files\Sandboxie\SbieSvc.exe [3612] 4 C:\Windows\System32\services.exe [692] 5 C:\Windows\System32\wininit.exe [624] wininit.exe </Data>
  </EventData>
</Event>
And ~50% CPU usage by hmpalert 710 CTP4. Erik, do you want the hmpalert.dmp (via wetransfer)? Win10 1703 build 15063.332 x64 / Norton Security v22.9.4.8
A sandboxed Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe alert with Sandboxie 5.20 and build 710 CTP4.
Code:
Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 19-6-2017 13:23:02
Gebeurtenis-id: 911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation PrivGuard
Platform 10.0.15063/x64 v710 06_17*
PID 6640
Application C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Description Adobe RdrCEF 17.9

Sweep Code Injection
0000000000940000-0000000000946000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [3612]
0000000000950000-0000000000951000 4KB
00007FFB40F49000-00007FFB40F4A000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [3612]
2 C:\Windows\System32\services.exe [692]
3 C:\Windows\System32\wininit.exe [624] wininit.exe

Process Trace
1 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe [6640]
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --primordial-pipe-token=E782BF0AACF5E65C73BC61EF128A3712 --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.lo
2 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe [5500]
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=5066061
3 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe [4472]
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\sjaak2\Desktop\Verlopenreisdocument.pdf"
4 C:\Windows\explorer.exe [7420]
5 C:\Windows\System32\userinit.exe [7412]
6 C:\Windows\System32\winlogon.exe [8004]
  C:\WINDOWS\System32\WinLogon.exe -SpecialSession
7 C:\Windows\System32\smss.exe [7564]
  \SystemRoot\System32\smss.exe 000000d0 00000080 C:\WINDOWS\System32\WinLogon.exe -SpecialSession

Gebeurtenis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-06-19T11:23:02.722103100Z" />
    <EventRecordID>4049</EventRecordID>
    <Channel>Application</Channel>
    <Computer>****</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Data>
    <Data>PrivGuard</Data>
    <Data>Mitigation PrivGuard Platform 10.0.15063/x64 v710 06_17* PID 6640 Application C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Description Adobe RdrCEF 17.9 Sweep Code Injection 0000000000940000-0000000000946000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [3612] 0000000000950000-0000000000951000 4KB 00007FFB40F49000-00007FFB40F4A000 4KB 1 C:\Program Files\Sandboxie\SbieSvc.exe [3612] 2 C:\Windows\System32\services.exe [692] 3 C:\Windows\System32\wininit.exe [624] wininit.exe Process Trace 1 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe [6640] "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --primordial-pipe-token=E782BF0AACF5E65C73BC61EF128A3712 --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.lo 2 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe [5500] "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=5066061 3 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe [4472] "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\sjaak2\Desktop\Verlopenreisdocument.pdf" 4 C:\Windows\explorer.exe [7420] 5 C:\Windows\System32\userinit.exe [7412] 6 C:\Windows\System32\winlogon.exe [8004] C:\WINDOWS\System32\WinLogon.exe -SpecialSession 7 C:\Windows\System32\smss.exe [7564] \SystemRoot\System32\smss.exe 000000d0 00000080 C:\WINDOWS\System32\WinLogon.exe -SpecialSession </Data>
  </EventData>
</Event>
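As an added example (not code from the thread or from HitmanPro.Alert), here is a Python parser for the event 911 description text quoted in the two posts above: it pulls out the mitigation, the target application, the image named as the injection source and the process trace, then counts alerts per source image so repeated hits such as the SbieSvc.exe ones can be reviewed as one group. The field layout is assumed from the two quoted events, and the sample strings are constructed from their paths.

```python
import re
from collections import Counter

# Constructed samples modelled on the two Event ID 911 descriptions quoted above
# (image paths from the thread; traces shortened, PIDs reused from the posts).
SAMPLES = [
    "Mitigation PrivGuard Platform 10.0.15063/x64 v710 06_17* PID 4696 "
    "Application C:\\Program Files\\Sandboxie\\SandboxieDcomLaunch.exe "
    "Description Sandboxie COM Services (DCOM) 5.20 Sweep Code Injection "
    "00000000001B0000-00000000001B6000 24KB C:\\Program Files\\Sandboxie\\SbieSvc.exe [3612] "
    "1 C:\\Program Files\\Sandboxie\\SbieSvc.exe [3612] 2 C:\\Windows\\System32\\services.exe [692] "
    "Process Trace 1 C:\\Program Files\\Sandboxie\\SandboxieDcomLaunch.exe [4696] "
    "2 C:\\Program Files\\Sandboxie\\SbieSvc.exe [3612] 3 C:\\Windows\\System32\\services.exe [692]",
    "Mitigation PrivGuard Platform 10.0.15063/x64 v710 06_17* PID 6640 "
    "Application C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe "
    "Description Adobe RdrCEF 17.9 Sweep Code Injection "
    "0000000000940000-0000000000946000 24KB C:\\Program Files\\Sandboxie\\SbieSvc.exe [3612] "
    "Process Trace 1 C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe [6640] "
    "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" --type=renderer "
    "2 C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe [4472] "
    "3 C:\\Windows\\explorer.exe [7420]",
]

HEAD_RE = re.compile(
    r"^Mitigation (?P<mitigation>\S+) Platform .*? PID (?P<pid>\d+) "
    r"Application (?P<app>.+?) Description (?P<desc>.+?) Sweep (?P<sweep>.+?) "
    r"(?P<regions>[0-9A-F]{16}-[0-9A-F]{16}.*)$", re.S)
# "<image path> [<pid>]": a path starts at a drive letter and holds no quote or
# bracket, so quoted command lines in the trace are not mistaken for images.
IMAGE_RE = re.compile(r"([A-Z]:\\[^\[\]\"]+?) \[(\d+)\]")
TRACE_RE = re.compile(r"(?:^|\s)\d+ ([A-Z]:\\[^\[\]\"]+?) \[(\d+)\]")

def parse_alert(description):
    """Split one HitmanPro.Alert mitigation description into its fields."""
    head, _, trace = description.partition(" Process Trace ")
    m = HEAD_RE.match(head)
    if not m:
        raise ValueError("unrecognised alert description")
    injector = IMAGE_RE.search(m.group("regions"))  # first image named after the sweep
    return {
        "mitigation": m.group("mitigation"),
        "pid": int(m.group("pid")),
        "application": m.group("app"),
        "sweep": m.group("sweep"),
        "injector": injector.group(1) if injector else None,
        "trace": [(path, int(pid)) for path, pid in TRACE_RE.findall(trace)],
    }

def injector_summary(descriptions):
    """Count alerts per (sweep, injecting image): one image behind alerts on many
    unrelated applications points at a host-wide hook worth reviewing as a group."""
    return Counter((a["sweep"], a["injector"]) for a in map(parse_alert, descriptions))
```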
Source on that! That their scanner consists of them is a long-known fact, but that their AV would be the same now that they are owned by Sophos... Well, I don't know.
No, there is no antivirus inside HitmanPro.Alert, it's in the cloud. And the cloud contains Sophos, Kaspersky and Bitdefender. Sophos scores pretty well lately: https://www.av-test.org/en/antivirus/business-windows-client/windows-10/ Details: https://www.av-test.org/en/antiviru...os-endpoint-security-and-control-10.7-171502/
@markloman Any further insights on this issue? https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-10#post-2684302 Others had issues with Terabyte backups too - could be something to do with Credential Theft Protection? Should I try 710 CTP4 again and just disable that?
Thanks for clearing that up. Do you see the boot-up time as an issue to fix? For me it went from 34 sec to 52 when I tried these beta versions.
Hi Paul, indeed it is Credential Theft Protection. Just disable it. What is happening is that it's blocking access to the file system32/config/sam.
I can confirm that Macrium Reflect now works for me on 710 CTP4, with Credential Theft Protection disabled.
Yep, turning it off fixes the issue. There are also some issues after sandboxed applications have been started ("Mitigation PrivGuard"). This should be fixed by turning off the Process Protection: "Local Privilege Mitigation". But we'll see if they implement a fix with the next version, so that the user doesn't have to turn it off/on every time.
That's what I do, and all the issues go away; it would seem most if not all of the CTP4 issues are born of or have something to do with the Cred Guard feature.
Is there a way to whitelist my keyboard so I don't get a notification of the USB keyboard module with every login? Even if I disable the module I still get the screen alert. I have an IR USB connected to a USB slot of the keyboard that is used for the wireless mouse. The beta is about to expire; how are you still testing it?
No, I would not say all Alerts are CredGuard. In fact, the CodeCave mitigation I got a while ago seems to be legit or at least a warning sign, and reminds me that even though this is test software, it's a security layer on my machine. The website whose downloader triggered it is still having issues, with no internet problems on my end. It is not possible to "sign in" on this site.
mood, I have sent you a PM with the requested information and some additional details about the issue.
HMP.A build 603 is showing very high RAM usage on a Vista HP SP2 x64 system. Memory leak? Killing the two processes often (but not always) requires a reboot in order to bring HMP.A back to life. In the present case, they came back on their own, currently using 8,000K and 5,000K of RAM respectively.
Uninstalled CTP4, reinstalled Build 604, and my startup tone, plus other tones, are now working again. Weird that I am the only person who reported this, but I don't know what's special about this machine.