This is on Windows 10 x64 Pro, Build 16299.19 with Alert beta 720. It occurs when attempting to defrag the system registry using AVG's PC TuneUp. Any way to whitelist?

Provider [Name] HitmanPro.Alert
EventID 911 [Qualifiers] 0
Level 2
Task 9
Keywords 0x80000000000000
TimeCreated [SystemTime] 2017-10-28T09:18:14.632557400Z
EventRecordID 7297
Channel Application
Computer TomsSurfacePro
Security
EventData
C:\Program Files (x86)\AVG\AVG PC TuneUp\RegistryDefrag.exe
CredGuard
Mitigation CredGuard
Platform 10.0.16299/x64 v720 06_3a
PID 7904
Application C:\Program Files (x86)\AVG\AVG PC TuneUp\RegistryDefrag.exe
Description AVG Registry Defrag 16.74.2
\REGISTRY\MACHINE\SAM\
Thumbprint 8529489fa92470b0e5adf9fafb47e74160e1904e4623d9e6d293ea74cdd2a7a71709
Seems to me HMP.Alert is breaking more than it protects. Well done, guys... Well done indeed. I removed HMP.A from my up-to-date Windows 10 systems so at least I can work properly again. What a shame...
The Credential Theft Protection (CredGuard) is protecting a registry key which AVG PC TuneUp wants to access. Disabling the mitigation should solve this issue.
Today I'm getting a red fly-out; it relates to the KMS server I run:

Code:
MalwareBlocked
Mitigation MalwareBlocked
Platform 10.0.16299/x64 v720 06_5e
PID 840
Application C:\ProgramData\KMSAutoS\bin\KMSSS.exe
Description App/Generic- AC
Process Trace
1 C:\Windows\System32\services.exe [840]
2 C:\Windows\System32\wininit.exe [756] wininit.exe

I've added the exe under the exceptions before, but now it's showing up again. I know the file is clean. I've been using it for years. How to solve this?
The file was detected by the "Real-time Anti-Malware" feature, and it currently doesn't provide a way to exclude files, but this is in preparation. The only solution is to disable the Real-time Anti-Malware protection if you want to execute the file.
PrivGuard mitigation, build 720 beta, Firefox 56.0.2 and Sandboxie 5.22.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 31-10-2017 10:02:44
Gebeurtenis-id: 911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation PrivGuard
Platform 10.0.16299/x64 v720 06_17*
PID 5456
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 56.0.2
Sweep
Code Injection
0000000000570000-0000000000576000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [6640]
0000000000580000-0000000000581000 4KB
00007FF9A1719000-00007FF9A171A000 4KB
Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [5456]
2 C:\Program Files\Sandboxie\Start.exe [7020]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.2.lnk"
3 C:\Program Files\Sandboxie\SbieSvc.exe [6640]

Win10 1709 build 16299.19 x64 / Norton Security v22.11.0.41
PrivGuard mitigation, build 720 beta, Firefox 56.0.2 and Sandboxie beta 5.21.7.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 30-10-2017 12:56:05
Gebeurtenis-id: 911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation PrivGuard
Platform 10.0.16299/x64 v720 06_17*
PID 9020
Application C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
Description Sandboxie COM Services (DCOM) 5.21.7
Sweep
Code Injection
0000000000D50000-0000000000D56000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [3296]
0000000000D60000-0000000000D61000 4KB
00007FF9A1719000-00007FF9A171A000 4KB
Process Trace
1 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [9020]
2 C:\Program Files\Sandboxie\SandboxieRpcSs.exe [9788]
3 C:\Program Files\Sandboxie\SbieSvc.exe [3296]

Win10 1709 build 16299.19 x64 / Norton Security v22.11.0.41
CredGuard, build 718 beta.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 30-10-2017 10:43:12
Gebeurtenis-id: 911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation CredGuard
Platform 10.0.16299/x64 v718 06_5e
PID 5476
Application C:\Windows\System32\SrTasks.exe
Description Achtergrondtaken voor Microsoft® Windows Systeembeveiliging. 10
SAM access denied.
Range = LBA 1616856 :224
Read = LBA 1616920 :56

Win10 1709 build 16299.19 x64 / Norton Security v22.11.0.41
Not sure what is going on here; I was trying to install Astah as I need it for my studies.

Mitigation CodeCave
Platform 10.0.16299/x64 v717 8f_01
PID 7836
Application C:\Users\sanya\AppData\Local\Temp\is-0GDP6.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp
Description Setup/Uninstall
Intersectional control flow detected!
Process Trace
1 C:\Users\sanya\AppData\Local\Temp\is-0GDP6.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp [7836]
"C:\Users\sanya\AppData\Local\Temp\is-0GDP6.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp" /SL5="$30A72,92158849,569856,C:\Users\sanya\Downloads\astah-professional-7_2_0-1ff236-jre-64bit-setup.exe"
2 C:\Users\sanya\Downloads\astah-professional-7_2_0-1ff236-jre-64bit-setup.exe [16140]
3 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10500]
4 C:\Windows\explorer.exe [11704]
5 C:\Windows\System32\userinit.exe [13780]
6 C:\Windows\System32\winlogon.exe [7492]
C:\WINDOWS\System32\WinLogon.exe -SpecialSession
7 C:\Windows\System32\smss.exe [7500]
\SystemRoot\System32\smss.exe 000001d8 00000080 C:\WINDOWS\System32\WinLogon.exe -SpecialSession
Thumbprint 37a1c59855a4c83de118d54424ab6cf74b1bf93f6de08b0a37bff1e7659618d2

Is it safe to ignore this (false positive or benign)?

Edit: I just created a new console application (C++) in Visual Studio and tried running a super basic application, and I got another CodeCave alert. I'll just disable this mitigation, considering the headache it's going to cause otherwise.
PrivGuard mitigation, build 720 beta, Acrobat Reader DC and Sandboxie 5.22.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 1-11-2017 15:48:14
Gebeurtenis-id: 911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation PrivGuard
Platform 10.0.16299/x64 v720 06_5e
PID 10176
Application C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Description Adobe RdrCEF 17.12
Sweep
Code Injection
0000000000DF0000-0000000000DF6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2360]
0000000001140000-0000000001141000 4KB
00007FFCD12C9000-00007FFCD12CA000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [2360]
2 C:\Windows\System32\services.exe [884]
3 C:\Windows\System32\wininit.exe [796] wininit.exe

Win10 1709 build 16299.19 x64 / Norton Security v22.11.0.41
Thanks. This evening EAM updated, everything looks to be ok. Although the Event Viewer mentioned:

Code:
Mitigation CredGuard
Platform 10.0.16299/x64 v720 06_5e
PID 1480
Application C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
Description Emsisoft Protection Service 2017.9
SAM access denied.
Range = LBA 12498272 :128
Read = LBA 12498384 :8
Thumbprint c5b6c71bb03e77b3bf36844029caf3a9e17aa21d7cea861a1a34cd3fdc7118bf

Should I report this also to Emsisoft?
No. When I ran Emsisoft, I mutually excluded the other in each interface, specifically also running the Alert beta. Then, they ran very quietly and nicely together.
Usually I exclude EAM etc. as well; this one I missed. Never had any trouble before, so it never caught my attention. I'm going to exclude it.
HitmanPro.Alert 3.7.0 build 721 Release Candidate

Changelog (compared to build 720)

Improved Code Cave Mitigation.
Improved Software Radar so it now also scans 'App path' for browsers. This will put Opera under Browsers instead of Office. It now also detects web browsers that can be installed by less-privileged normal users.
Improved VBScript God Mode protection on Windows 10 Creators Update (Redstone 2) and newer.
Improved Control Flow Integrity (CFI) on Windows 10 64-bit.
Fixed an incompatibility with an Internet Explorer browser plugin from Agricultural Bank of China.
Fixed an incompatibility with Internet Explorer browser plugins from South Korean SoftForum XecureWeb.
Fixed an incompatibility between our APC Mitigation, which thwarts e.g. DoublePulsar and AtomBombing code injection, and Avast / AVG on Windows 10 Fall Creators Update only (Redstone 3). This also only affected specific applications installed by the end user. Note: Requires a secondary update in our cloud before this fix is completely operational. Please allow us until next week to complete this - no further manual update by the end user needed. Most Avast / AVG users wouldn't have noticed this incompatibility issue.
Fixed real-time protection against prevalent malware (anti-malware) on Windows XP.
Fixed a BSOD caused by BadUSB Protection, which could occur on specific hardware coming out of sleep.
Fixed several other minor issues.

Important notices

Before uninstalling the existing 7xx build or upgrading to this build, please disable the Block Untrusted Fonts mitigation (which is disabled by default). This is because we removed the Block Untrusted Fonts mitigation, which is only available on Windows 10. This mitigation relied on a structure in Windows 10 which is no longer supported by Microsoft.
More information: https://blogs.technet.microsoft.com...dropping-the-untrusted-font-blocking-setting/

Furthermore, to start fresh, we recommend that you uninstall the existing version of HitmanPro.Alert and that you remove this folder from your machine before rebooting: C:\ProgramData\HitmanPro.Alert

Credential Theft Protection is now disabled by default. If you'd like to enable it, please do, as it protects against Mimikatz and similar attacks. But remember that if you want to make a full system backup of your Windows, you might need to temporarily disable this protection or your backup software may be unable to back up the Windows SAM database. We'll improve this in a future version.

Download: http://test.hitmanpro.com/hmpalert3b721.exe

This version includes drivers co-signed by Microsoft and thus also runs on systems with Secure Boot enabled. Please let us know how this version runs on your system. Thanks!
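A small triage helper for the CredGuard and PrivGuard events quoted in this thread, added here as an example; it is not part of HitmanPro.Alert or of any post above. It parses the flattened event 911 description text, tallies alerts per (mitigation, application) pair, which is what a defender would review before adding an exclusion, and, assuming that the "Range"/"Read" values are LBA start and sector-count pairs for the protected SAM region and for the blocked read, checks whether the blocked read actually overlapped the protected region. The sample events are constructed in the thread's format, not real captures.

```python
import re
from collections import Counter

# Constructed samples in the flattened form quoted in this thread (not real captures).
EVENTS = [
    "Mitigation CredGuard Platform 10.0.16299/x64 v720 06_5e PID 1480 "
    "Application C:\\Program Files (x86)\\Emsisoft Anti-Malware\\a2service.exe "
    "Description Emsisoft Protection Service 2017.9 SAM access denied. "
    "Range = LBA 12498272 :128 Read = LBA 12498384 :8",
    "Mitigation CredGuard Platform 10.0.16299/x64 v718 06_5e PID 5476 "
    "Application C:\\Windows\\System32\\SrTasks.exe Description System Protection "
    "background tasks. 10 SAM access denied. Range = LBA 1616856 :224 Read = LBA 1616920 :56",
    "Mitigation PrivGuard Platform 10.0.16299/x64 v721 06_17* PID 8168 "
    "Application C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "Description Firefox 56.0.2 Sweep Process Trace 1 ...",
]

# Field order as it appears in the event text: Mitigation, Platform, v<build>,
# a CPU model tag (e.g. 06_5e), PID, Application path, then the free-text Description.
HEADER = re.compile(
    r"Mitigation (?P<mitigation>\S+) Platform (?P<platform>\S+) v(?P<build>\d+) "
    r"\S+ PID (?P<pid>\d+) Application (?P<app>.+?) Description (?P<desc>.+)$"
)
# Assumption: "Range"/"Read" are LBA start and sector count of the protected
# SAM region and of the blocked read, respectively.
SAM_READ = re.compile(
    r"SAM access denied\. Range = LBA (?P<ps>\d+) :(?P<pn>\d+) "
    r"Read = LBA (?P<rs>\d+) :(?P<rn>\d+)"
)

def parse_event(text):
    """Return the event fields as a dict, or None if text is not a 911 event."""
    m = HEADER.search(text)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"], ev["build"] = int(ev["pid"]), int(ev["build"])
    ev["sam_read"] = None
    s = SAM_READ.search(text)
    if s:
        ps, pn, rs, rn = (int(s[k]) for k in ("ps", "pn", "rs", "rn"))
        # Half-open sector intervals overlap iff each starts before the other ends.
        ev["sam_read"] = {"protected": (ps, ps + pn), "read": (rs, rs + rn),
                          "overlaps": rs < ps + pn and ps < rs + rn}
    return ev

def tally(events):
    """Count alerts per (mitigation, application): the candidates for an exclusion."""
    return Counter((ev["mitigation"], ev["app"]) for ev in map(parse_event, events) if ev)
```

Feed it the Description text of each HitmanPro.Alert event 911 exported from the Application log; a pair that recurs for a known backup or security product is the case the vendor describes above, while a one-off from an unexpected path deserves a closer look before any exclusion.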
PrivGuard mitigation, build 721 RC, Firefox 56.0.2 and Sandboxie 5.22.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 3-11-2017 19:51:52
Gebeurtenis-id: 911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation PrivGuard
Platform 10.0.16299/x64 v721 06_17*
PID 8168
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 56.0.2
Sweep
Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [8168]
2 C:\Program Files\Sandboxie\Start.exe [7588]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.2.lnk"
3 C:\Program Files\Sandboxie\SbieSvc.exe [1976]
4 C:\Windows\System32\services.exe [712]
I suppose where it says HitmanPro, it should say HitmanPro.Alert. Does this recommended cleanup apply to the HitmanPro.Alert 3.7.0 beta only, or also to updating/upgrading from 3.6.7.604 stable? If this recommended cleanup also applies to updating/upgrading from 3.6.7.604 stable, the mentioned cleanup should be done automatically when the Release version is later offered by automatic update.
1) Yes, that should read HitmanPro.Alert.
2) Only applies to beta testers (normally it's not advised to stack betas on betas, as internal changes can cause unexpected issues).