HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Cactus5

    Cactus5 Registered Member

    Joined:
    Jan 17, 2015
    Posts:
    28
    Location:
    Southwest USA
    @paulderdash, I have a VM that has been running Windows 10 since September, 2014. This VM is currently running 64-bit 1703, Build 540. I am using HMP.A in this VM with beta build 712. When build 502 came along the update didn't install the first time. I disabled Credential Theft Protection and then that build installed. On Patch Tuesday when build 540 came out, it installed with no problem. Credential Theft Protection was still disabled.

    It may be some other software on your system? This VM of mine has virtually no other software, just some apps from the store, a couple of browsers and a couple of outside apps. It also runs Windows Defender and HMP.A beta build 712.
     
  2. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    Note that I was talking about Intercept X which is an enterprise solution solely aimed for businesses. The only home-user product of Sophos that I am aware of is "Sophos Home" which has none of the mentioned features.
    Also I am not aware of any comparative tests including the "Endpoint Protection" product of Sophos together with Intercept X.
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks @Cactus5. I guess that blows my theory about it being peculiar to Win 10 x64 and v1703.

It could be some interaction with HMPA and something else. I did try disabling other stuff, but didn't go as far as uninstalling.

All I know is that with HMPA installed (with CTP disabled) I have cumulative update (@shmu26 encountered similar) and DISM / sfc issues, but when uninstalled I don't. I can reproduce the DISM / sfc issues on demand. IIRC, even stopping the service was not enough.

I have also PM'd the Lomans, hoping they could find something, but they have not been around for the last six weeks. I would like to test a new build when it comes. I would be reluctant to give up on HMPA on this machine.
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Mark has reached out re my issue. They should be back soon (his permission given):

And sure, just mention we are busy with Sophos Intercept X 2.0. One of the things we've been working on is a completely new malware scanner, which will debut in Sophos Intercept X 2.0, and maybe sooner on Wilders Security!
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I was also curious about win 10 so I upgraded my VM from win 7 to win 10. Everything I run including HMPA Build 712 was perfect.
     
  6. guest

    guest Guest

    We were not forgotten :)
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not at all surprised.
     
  8. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
While browsing to a link on sandboxed FF 55.0.2 (Sandboxie 5.21.2 beta), this intercept from HMPA 712 beta (Win 10 Pro x64 v1703 15063.540):
    Credential Theft Protection, Process Protection - Local Privilege, Code Cave, DLL Hijacking Mitigations disabled.
    Code:
    Mitigation   ROP
    
    Platform     10.0.15063/x64 v712 06_45
    PID          29660
    Application  C:\Program Files\Mozilla Firefox\firefox.exe
    Description  Firefox 55.0.2
    
    Callee Type  ProtectVirtualMemory
                 0x00000342CC4A2000 (8192 bytes)
    
    Branch Trace                              Opcode  To                                   
    ---------------------------------------- -------- ----------------------------------------
    ReadProcessMemory +0x2b                    ~ RET* +0x22551                             
    0x00007FFA614086CB KernelBase.dll                 0x00007FFA60D72551 hmpalert.dll       
                        33ff                     XOR          EDI, EDI
                        448d6701                 LEA          R12D, [RDI+0x1]
                        48397da8                 CMP          [RBP-0x58], RDI
                        f20f84da000000           JZ           0x7ffa60d7263c
                        488b45a0                 MOV          RAX, [RBP-0x60]
                        4885c0                   TEST         RAX, RAX
                        f20f84cc000000           JZ           0x7ffa60d7263c
                        488b08                   MOV          RCX, [RAX]
                        4883f908                 CMP          RCX, 0x8
                        f20f86b4010000           JBE          0x7ffa60d72732
                        4881f900200000           CMP          RCX, 0x2000
                        f20f87b0000000           JA           0x7ffa60d7263c
                        488b45a8                 MOV          RAX, [RBP-0x58]
                                             ( 9FD0E660F044409)
    
    
    _aligned_free +0xc6                          RET  0x00007FFA14403471 xul.dll           
    0x00007FFA537F5056 mozglue.dll                                                         
    
    RtlLeaveCriticalSection +0x39                RET  _aligned_free +0xb6                   
    0x00007FFA64BFFF89 ntdll.dll                      0x00007FFA537F5046 mozglue.dll       
    
    _aligned_free +0x221                         RET  _aligned_free +0x84                   
    0x00007FFA537F51B1 mozglue.dll                    0x00007FFA537F5014 mozglue.dll       
    
    memset +0x19f                                RET  _aligned_free +0x73                   
    0x00007FFA5147C91F vcruntime140.dll               0x00007FFA537F5003 mozglue.dll       
    
    RtlEnterCriticalSection +0x2a                RET  _aligned_free +0x35                   
    0x00007FFA64BE447A ntdll.dll                      0x00007FFA537F4FC5 mozglue.dll       
    
    0x00007FFA148449C2 xul.dll                   RET  0x00007FFA1440345F xul.dll           
    
    0x00007FFA167F6D79 xul.dll                   RET  0x00007FFA14403453 xul.dll           
    
    0x00007FFA1430AEEC xul.dll                 ~ RET  0x00007FFA14403449 xul.dll           
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFA61411735 KernelBase.dll           VirtualProtect +0x35
    
    2  00007FFA143042C7 xul.dll               
                        85c0                     TEST         EAX, EAX
                        7447                     JZ           0x7ffa14304312
                        488b0d0eddf802           MOV          RCX, [RIP+0x2f8dd0e]
                        483bd9                   CMP          RBX, RCX
                        0f8274bf7f00             JB           0x7ffa14b0024f
                        4881c100000040           ADD          RCX, 0x40000000
                        483bf9                   CMP          RDI, RCX
                        0f8764bf7f00             JA           0x7ffa14b0024f
                        b001                     MOV          AL, 0x1
                        488b5c2438               MOV          RBX, [RSP+0x38]
                        4883c420                 ADD          RSP, 0x20
                        5f                       POP          RDI
                        c3                       RET       
    
    3  00007FFA1440111A xul.dll               
    4  00007FFA14403488 xul.dll               
    5  00007FFA1424D5FA xul.dll               
    6  00007FFA14276753 xul.dll               
    7  00007FFA14AA3829 xul.dll               
    8  00007FFA14217921 xul.dll               
    9  00007FFA14407356 xul.dll               
    10 00000342CC066A2E (anonymous; xul.dll) 
    
    Process Trace
    1  C:\Program Files\Mozilla Firefox\firefox.exe [29660]
    2  C:\Program Files\Mozilla Firefox\firefox.exe [31808]
    3  C:\Windows\explorer.exe [20944]
    explorer.exe
    
    Thumbprint
    24fc80ff0410b56eff613c91e2ca09b7497dfc45d2d96fbfcd9584d801b047ee
    
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @shmu26 Just FYI Mark asked me to try this: Stop HMPA service, rename excalibur.db, then reboot. This solved my DISM and SFC problems. It is too early to say if this will resolve the identification and install of Windows Cumulative updates also, but I suspect it might (if say, DISM is involved in the WU process).

    He asked for my excalibur.db file, and responded that he suspects the issue is likely caused by the DLL Hijack Mitigation (which corresponds to what I also saw in the dism.log). I have unticked this for now.

    Edit: From the horse's mouth ...
    You shouldn't have to uncheck DLL Hijack Mitigation. Actually, the error is not really in the DLL Hijack Mitigation but an incorrect category for one of your browsers (likely Opera or so). You likely downloaded and installed a Windows update manually. Unsure yet though. What is certain is:

    1. Stop the HitmanPro.Alert Service
    2. Rename or delete the excalibur.db in C:\ProgramData\HitmanPro.Alert
    3. Reboot the machine or start the HitmanPro.Alert service again.

    You can post this as a possible solution. People shouldn't en masse delete their excalibur.db though. Only if you ran into the issue with SFC.
     
    Last edited: Aug 25, 2017
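The three-step reset Mark gives in the post above, scripted as an added example; it is not code from the thread, from SurfRight or from Sophos. The only path it relies on is the one named in the post (C:\ProgramData\HitmanPro.Alert\excalibur.db). The service name 'hmpalertsvc' is an assumption, so the script checks that it exists and lists the HitmanPro services if it does not; the timestamped backup name and the sfc /verifyonly check at the end are additions of mine, not part of Mark's instructions. Per the post, only run it on a machine that actually shows the SFC / DISM symptom. Run from an elevated PowerShell prompt; add -WhatIf to preview the actions.

```powershell
# Added example, not from the thread or the vendor. Automates:
#   1. stop the HitmanPro.Alert service
#   2. rename excalibur.db (rename, not delete, so it can be sent to the developers or restored)
#   3. start the service again (the post says a reboot works too)
# ASSUMPTION: the service name 'hmpalertsvc' is a guess; confirm with
#   Get-Service | Where-Object DisplayName -like '*HitmanPro*'
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ServiceName = 'hmpalertsvc',                              # assumed name
    [string]$DbPath      = 'C:\ProgramData\HitmanPro.Alert\excalibur.db' # path named in the post
)

$ErrorActionPreference = 'Stop'

# Stopping a service and renaming a file under ProgramData both need admin rights; fail early if missing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    # The assumed service name was wrong: show the real candidates instead of guessing further.
    Get-Service | Where-Object { $_.DisplayName -like '*HitmanPro*' } |
        Format-Table Name, DisplayName, Status | Out-String | Write-Host
    throw "Service '$ServiceName' not found; re-run with -ServiceName set to the name listed above."
}

if (-not (Test-Path -LiteralPath $DbPath)) {
    throw "No excalibur.db at $DbPath; nothing to reset."
}

# Step 1: stop the HitmanPro.Alert service and wait until it is really down.
if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop service')) {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
}

# Step 2: rename the database to a timestamped backup in the same directory and record its hash,
# so the file can be handed to the developers (as Mark asked for above) or put back if needed.
$backupName = '{0}.{1}.bak' -f (Split-Path -Leaf $DbPath), (Get-Date -Format 'yyyyMMdd-HHmmss')
$backupPath = Join-Path (Split-Path -Parent $DbPath) $backupName
if ($PSCmdlet.ShouldProcess($DbPath, "Rename to $backupName")) {
    Rename-Item -LiteralPath $DbPath -NewName $backupName
    Get-FileHash -LiteralPath $backupPath -Algorithm SHA256 | Format-List Path, Hash | Out-String | Write-Host
}

# Step 3: start the service again; HitmanPro.Alert recreates excalibur.db on its own.
if ($PSCmdlet.ShouldProcess($ServiceName, 'Start service')) {
    Start-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# Check that the symptom is gone: sfc /verifyonly scans without repairing and returns 0 when
# no integrity violations are found. This check is my addition, not part of the posted procedure.
& "$env:SystemRoot\System32\sfc.exe" /verifyonly
Write-Host "sfc /verifyonly exit code: $LASTEXITCODE (0 = no integrity violations)"
```

Rename rather than delete is deliberate: the post says the developer wanted the old excalibur.db to diagnose the bad browser category, and a renamed copy with a recorded hash is what you would attach to such a report.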
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Had mentioned this before, but now that HMPA build 712 is back on my machine, I have noticed memory usage creep up more than normal on my machine, leading me to reboot eventually.

    Don't know if it's possible that HMPA could have some sort of memory leak ... ?
     
  12. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Noticed this too, I have enough memory that it didn't really bother me, but I have Sophos Home
    on one Firecuda HD, same windows os and setup, and I don't get the problem. So it's something
    for sure exclusive to HMPA, which is on my other Firecuda.
    Maybe something in the HMPA elements in Sophos are slightly different ?
    Or the leak was cut out in the Sophos version ?
     
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HMPA elements in Sophos builds are a bit ahead of the beta build here on Wilders Security.
    We plan to post a new build on this forum soon - expect next week!
     
  14. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    Thanks Mark, and nice to see you back here.:)
     
  15. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
I love the Sophos beta, that's why I felt that was the case, you can feel the difference between the HMPA beta and its Sophos cousin. Thanks Mark.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I for one am just thrilled we have access to HMPA here. Thanks to the Loman Bros for this.
     
  17. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    +1
     
  18. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    +2
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Build 712 gives a LoadLib alert on Firefox when browsing 24kitchen.nl as soon as it loads a video.(Win7x64 with Eset Smart Security 10.1.219.0)
    Interestingly the alert log shows "This program cannot be run in DOS mode". Haven't seen that before.
     

Attached file: hmp.txt (2.3 KB)
  20. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I've experienced the same thing on a variety of other sites. For me it happened while using Firefox 43 after installing the Foxit PhantomPDF plug-in, but your report suggests that the age of the FF version may not be related to the problem with HMP.A.

    BTW I tried disabling mitigations for the FF plug-in container, and that didn't help. I also tried adding the Foxit plug-in to the exclusions, and that didn't help either. I even tried starting the browser in FF safe mode (that is, with all extensions disabled), and still it got intercepted by HMP.A (b712) when trying to go to a site where these crashes were occurring.
     
  21. guest

    guest Guest

Because "HMPA elements in Sophos builds are a bit ahead", I assume that LoadLib False Positives will be fixed with a new version of HMP.A ("We plan to post a new build on this forum soon" #463)
    A similar "LoadLib"-issue was mentioned in the Sophos forum:
     
  22. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Sounds like HMP.A elements in Sophos builds are even ahead of HMP.A beta builds!
     
  23. plat1098

    plat1098 Guest

    Re: LoadLib "mitigations": a reason why I uninstalled Firefox (among others). HMP products will remain HMP for the foreseeable future, right?--but not at the expense of being overlooked in favor of Sophos!
     
  24. Rudolf1982

    Rudolf1982 Registered Member

    Joined:
    Jan 30, 2017
    Posts:
    4
    Location:
    Samobor
Does HMPA have these problems as IX 2.0 beta:

    Problem: Any operation on any office 2016 app [Licenced through Office 365 pro plus] fails
    Fix: Only solution is to completely remove Intercept X [including older version], restart, disable the HitmanPro.alert service, uninstall Sophos Endpoint. Then remove computer from the EAP for Intercept X, and reinstall current version.

    Regards
     
  25. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I uninstalled b712 and installed b604, and the problem with Firefox went away even after re-enabling all of 604's mitigations for the Foxit Plug-in Container. Tried it on three web pages where FF had consistently crashed in b712 after installing the Foxit plug-in.

    Will try the beta builds again when there is some assurance that the LoadLib issue has been resolved.

    ADDENDUM: There was an unexpected side benefit of removing 712 and going back to 604. I had been getting frequent, repetitive notices in IE11 for the Foxit PhantomPDF Creator plug-in, to the effect that "A website wants to open web content using this program on your computer." Every single time I opened a new tab or clicked on a link, the notice would pop up and interrupt the workflow. These notices, too, have now stopped appearing with the replacement of 712 with 604.

    Hope this info helps Eric and Mark with future builds.
     
    Last edited: Aug 30, 2017