HitmanPro.Alert BETA

This is on Windows 10x64 Pro, Build 16299.19 with Alert beta 720. It occurs when attempting to defrag the system registry using AVG's PC TuneUp. Anyway to whitelist ??


- Provider
[ Name] HitmanPro.Alert
- EventID 911
[ Qualifiers] 0
Level 2
Task 9
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2017-10-28T09:18:14.632557400Z
EventRecordID 7297
Channel Application
Computer TomsSurfacePro
Security
- EventData
C:\Program Files (x86)\AVG\AVG PC TuneUp\RegistryDefrag.exe
CredGuard
Mitigation CredGuard Platform 10.0.16299/x64 v720 06_3a PID 7904 Application C:\Program Files (x86)\AVG\AVG PC TuneUp\RegistryDefrag.exe Description AVG Registry Defrag 16.74.2 \REGISTRY\MACHINE\SAM\ Thumbprint 8529489fa92470b0e5adf9fafb47e74160e1904e4623d9e6d293ea74cdd2a7a71709

 

Well done, Hitman

 

Seems to me HMP.Alert is breaking more then it protects.

Well done, guys... Well done indeed.

I removed HMP.A from my up-to-date Windows 10 systems so at least I can work properly again.
What a shame.....

 

The Credential Theft Protection (CredGuard) is protecting a registry key which AVG PC TuneUp wants to access. Disabling of the mitigation should solve this issue.

 

Allmost same problem here in FCU with 3.7.0.720Beta:

 

Today I'm getting a red fly-out, it relates to the KMS server I run:

Code:

MalwareBlocked
Mitigation MalwareBlocked Platform 10.0.16299/x64 v720 06_5e PID 840
Application C:\ProgramData\KMSAutoS\bin\KMSSS.exe Description App/Generic-
AC Process Trace 1 C:\Windows\System32\services.exe [840] 2
C:\Windows\System32\wininit.exe [756] wininit.exe  

I've added the exe under the exceptions before but now it's showing up again. I know the file is clean. I'm using it for years.
How to solve this?

 

The file was detected by the "Real-time Anti-Malware"-feature and it currently doesn't provide a way to exclude files but this is in preparation.
The only solution is to disable the Real-time Antimalware protection if you want to execute the file.

 

Ah, ok. Where is the disable option? Can't find it in the GUI.

 

Click Settings icon, top right.
Select Advanced Interface.
Click Anti-Malware tile.
Select Disabled.

 

PrivGuard-mitigation Build 720 beta, Firefox 56.0.2 and Sandboxie 5.22.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 31-10-2017 10:02:44
Gebeurtenis-id:911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation PrivGuard

Platform 10.0.16299/x64 v720 06_17*
PID 5456
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 56.0.2

Sweep

Code Injection
0000000000570000-0000000000576000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [6640]
0000000000580000-0000000000581000 4KB
00007FF9A1719000-00007FF9A171A000 4KB

Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [5456]
2 C:\Program Files\Sandboxie\Start.exe [7020]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.2.lnk"
3 C:\Program Files\Sandboxie\SbieSvc.exe [6640]

Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41

 

PrivGuard mitigation Build 720 beta, Firefox 56.0.2 and Sandboxie beta 5.21.7.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 30-10-2017 12:56:05
Gebeurtenis-id:911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation PrivGuard

Platform 10.0.16299/x64 v720 06_17*
PID 9020
Application C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
Description Sandboxie COM Services (DCOM) 5.21.7

Sweep

Code Injection
0000000000D50000-0000000000D56000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [3296]
0000000000D60000-0000000000D61000 4KB
00007FF9A1719000-00007FF9A171A000 4KB

Process Trace
1 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [9020]
2 C:\Program Files\Sandboxie\SandboxieRpcSs.exe [9788]
3 C:\Program Files\Sandboxie\SbieSvc.exe [3296]

Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41

 

CredGuard build 718 beta.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 30-10-2017 10:43:12
Gebeurtenis-id:911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation CredGuard

Platform 10.0.16299/x64 v718 06_5e
PID 5476
Application C:\Windows\System32\SrTasks.exe
Description Achtergrondtaken voor Microsoft® Windows Systeembeveiliging. 10

SAM access denied.

Range = LBA 1616856 :224
Read = LBA 1616920 :56

Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41

 

Not sure what is going on here, was trying to install Astah as I need it for my studies.

Spoiler: Mitigation CodeCave

Mitigation CodeCave

Platform 10.0.16299/x64 v717 8f_01
PID 7836
Application C:\Users\sanya\AppData\Local\Temp\is-0GDP6.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp
Description Setup/Uninstall

Intersectional control flow detected!

Process Trace
1 C:\Users\sanya\AppData\Local\Temp\is-0GDP6.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp [7836]
"C:\Users\sanya\AppData\Local\Temp\is-0GDP6.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp" /SL5="$30A72,92158849,569856,C:\Users\sanya\Downloads\astah-professional-7_2_0-1ff236-jre-64bit-setup.exe"
2 C:\Users\sanya\Downloads\astah-professional-7_2_0-1ff236-jre-64bit-setup.exe [16140]
3 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10500]
4 C:\Windows\explorer.exe [11704]
5 C:\Windows\System32\userinit.exe [13780]
6 C:\Windows\System32\winlogon.exe [7492]
C:\WINDOWS\System32\WinLogon.exe -SpecialSession
7 C:\Windows\System32\smss.exe [7500]
\SystemRoot\System32\smss.exe 000001d8 00000080 C:\WINDOWS\System32\WinLogon.exe -SpecialSession

Thumbprint
37a1c59855a4c83de118d54424ab6cf74b1bf93f6de08b0a37bff1e7659618d2

Is it safe to ignore this (false positive or benign)?

Edit: I just created a new console application (c++) in Visual Studio and tried running a super basic application and I got another CodeCave alert. I'll just disable this mitigation considering the headache it's going to cause otherwise.

 

PrivGuard mitigation build 720 beta, Acrobat Reader DC and Sandboxie 5.22.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 1-11-2017 15:48:14
Gebeurtenis-id:911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation PrivGuard

Platform 10.0.16299/x64 v720 06_5e
PID 10176
Application C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Description Adobe RdrCEF 17.12

Sweep

Code Injection
0000000000DF0000-0000000000DF6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2360]
0000000001140000-0000000001141000 4KB
00007FFCD12C9000-00007FFCD12CA000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [2360]
2 C:\Windows\System32\services.exe [884]
3 C:\Windows\System32\wininit.exe [796]
wininit.exe

Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41

 

Thanks.

This evening EAM updated, everything looks to be ok. Although the Event viewer mentioned:

Code:

Mitigation   CredGuard

Platform     10.0.16299/x64 v720 06_5e
PID          1480
Application  C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
Description  Emsisoft Protection Service 2017.9

SAM access denied.

Range = LBA 12498272 :128
Read  = LBA 12498384 :8

Thumbprint
c5b6c71bb03e77b3bf36844029caf3a9e17aa21d7cea861a1a34cd3fdc7118bf

Should I report this also to Emsisoft?

 

No. When I ran Emsisoft, I mutually excluded the other in each interface, specifically also running the Alert beta. Then, they ran very quietly and nicely together.

 

Usually I exclude EAM etc. also, this I missed.
Never had any trouble before so it never caught my attention. I'm going to exclude it

 

HitmanPro.Alert 3.7.0 build 721 Release Candidate

Changelog (compared to build 720)

• Improved Code Cave Mitigation.
• Improved Software Radar so it now also scans 'App path' for browsers. This will put Opera under Browsers instead of Office. It now also detects web browser that allow to be installed by less-privileged normal users.
• Improved VBScript God Mode protection on Windows 10 Creators Update (Redstone 2) and newer.
• Improved Control Flow Integrity (CFI) on Windows 10 64-bit.
• Fixed an incompatibility with an Internet Explorer browser plugin from Agricultural Bank of China.
• Fixed an incompatibility with Internet Explorer browser plugins from South Korean SoftForum XecureWeb.
• Fixed an incompatibility between our APC Mitigation, that thwarts e.g. DoublePulsar and AtomBombing code injection, and Avast / AVG on Windows 10 Fall Creators Update only (Redstone 3). This also only affected specific applications installed by the enduser. Note: Requires a secondary update in our cloud before this fix is completely operational. Please allow us until next week to complete this - no further manual update by enduser needed. Most Avast / AVG user wouldn't have noticed this incompatibility issue.
• Fixed real-time protection against prevalent malware (anti-malware) on Windows XP.
• Fixed a BSOD caused by BadUSB Protection, which could occur on specific hardware coming out of sleep.
• Fixed several other minor issues.

Important notices

1. Before uninstalling the existing 7xx build or upgrading to this build, please disable the Block Untrusted Fonts mitigation (which is default disabled). This because we removed the Block Untrusted Fonts mitigation, which is only available on Windows 10. This mitigation relied on a structure in Windows 10 which is no longer supported by Microsoft. More information: https://blogs.technet.microsoft.com...dropping-the-untrusted-font-blocking-setting/
2. Furthermore, to start fresh, we recommend that you uninstall the existing version of HitmanPro.Alert and that you remove this folder from your machine before rebooting: C:\ProgramData\HitmanPro.Alert
3. Credential Theft Protection is now default disabled. If you'd like to enable it, please do, as it protects against Mimikatz and similar attacks. But remember that if you want to make a full system backup of your Windows, you might need to temporarily disable this protection or your backup software may be unable to backup the Windows SAM database. We'll improve this in a future version.

Download
http://test.hitmanpro.com/hmpalert3b721.exe

This version includes drivers co-signed by Microsoft and thus also runs on systems with Secure Boot enabled.

Please let us know how this version runs on your system. Thanks!

 

Can you retry this with the new build see if it still triggers an alert?

 

No problems upgrading build 721 RC.

Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41

 

PrivGuard mitigation build 721 RC, Firefox 56.0.2 and Sandboxie 5.22.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 3-11-2017 19:51:52
Gebeurtenis-id:911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation PrivGuard

Platform 10.0.16299/x64 v721 06_17*
PID 8168
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 56.0.2

Sweep

Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [8168]
2 C:\Program Files\Sandboxie\Start.exe [7588]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.2.lnk"
3 C:\Program Files\Sandboxie\SbieSvc.exe [1976]
4 C:\Windows\System32\services.exe [712]

 

I suppose where it says HitmanPro, it should say HitmanPro.Alert.

Does this recommended cleanup apply to HitmanPro.Alert 3.7.0 beta only, or also to updating/upgrading 3.6.7.604 stable?
If this recommended cleanup also applies to updating/upgrading 3.6.7.604 stable, the mentioned cleanup should be done automatically when later on the Release version is offered by automatic update.

 

1) Yes that should read HitmanPro.Alert
2) Only applies to beta testers (normally it's not advised to stack beta's on beta's as internal changes can cause unexpected issues).