I finally managed to upgrade to Windows 10 1703 Creators update on Saturday. I upgraded HMPA from 3.7.0 build 720 to 721 RC. I kept on noticing several instances in the HitMan Pro log file showing that a registry read was denied for SrTasks.exe. I turned off Credential Theft Protection & disabled Anti-Malware. I noticed five separate entries for Windows 10 1703 Creators update. I downloaded & ran the Windows update troubleshooter on my computer. I suspect that Credential Theft Protection may be blocking some sort of look up for the Windows update in the registry. I reset the computer a few times to get the Windows 10 1703 Creators update tab. The update took about 30 minutes on my laptop.
HitmanPro.Alert 3.7.0 build 721 RC
Windows 7 Ultimate SP1

Mitigation  CredGuard
Platform    6.1.7601/x64 v721 06_2a
PID         4020
Application D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc\ksc.exe
Description Kaspersky System Checker 1.2

\REGISTRY\MACHINE\SAM\SAM\Domains\Account

Process Trace
1 D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc\ksc.exe [4020]
  "D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc\ksc.exe" --service --flash
2 D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc_launcher.exe [5048]
3 C:\Windows\explorer.exe [4316]
4 C:\Windows\System32\userinit.exe [4252]
5 C:\Windows\System32\winlogon.exe [912]
  winlogon.exe

Thumbprint
789efee4230955347f9fd7163decb5d3928d7339424a374a1d5df2f5b9158dc7

------------------------------------------------------------------------------------------------------------------------

Mitigation  CredGuard
Platform    6.1.7601/x64 v721 06_2a
PID         1696
Application C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\DRWUI.exe
Description EaseUS Data Recovery Wizard 11.5

SAM access denied.
Range = LBA 585016 :512
Read  = LBA 584960 :256

Process Trace
1 C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\DRWUI.exe [1696]
  DRWUI
2 C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\DRW.exe [4716]
3 C:\Windows\explorer.exe [4228]
4 C:\Windows\System32\userinit.exe [2512]

Thumbprint
e9aac23ec2da17b27038dcf4ceaa06f865c3bc3715d0a15d26ab3f0ee8557d1e

-----------------------------------------------------------------------------------------------------------------------

Mitigation  WipeGuard
Platform    6.1.7601/x64 v588 06_2a
PID         5920
Application C:\Program Files (x86)\AOMEI Backupper\MakeDisc.exe
Description MakeDisc.exe

Master Boot Record (MBR)

Process Trace
1 C:\Program Files (x86)\AOMEI Backupper\MakeDisc.exe [5920]
  MakeDisc.exe
2 C:\Program Files (x86)\AOMEI Backupper\Backupper.exe [5996]
3 C:\Windows\explorer.exe [4460]
4 C:\Windows\System32\userinit.exe [4340]
5 C:\Windows\System32\winlogon.exe [980]
  winlogon.exe

Thumbprint
aa2bdacb580d62da15435b17133f905a25289ad600c35cf50765224ad82e6954
Hi Valdez,

Two things.
1. CredGuard needs to be left off. It was defaulted off for a reason, and you just found one of them.
2. Any time you create a boot disk you have to turn off the MBR protection, create the disk, and then turn it back on again.

Pete
I tried installing HMPA first, and then Comodo. This time, I am not seeing any conflicts. Everything works smoothly. Or maybe it's because CFW issued a new build. Or maybe the whole issue was just a fluke.
Do you really feel you will be under attack to have your Windows credentials stolen? If so, enable it, but realize all the things that are broken.
I dunno, that's why I asked nicely. Just seeking information. The description given here is not exactly brimming with details. Which "authentication passwords" -- all (including for websites, banks, etc.), any, only certain types?
Hi Jeam,

Sorry if I sounded harsh. It is all the Windows credential stuff. Personally I don't worry, as malware has to be able to get on the machine first.
As long as you are willing to deal with any issues that may arise -- such as the well-known issue with Macrium Reflect not being able to image a disk -- by all means, go right ahead and enable that protection.
Hi,

Would the real-time malware protection of HMPA (with BD/Kaspersky/Sophos engines) conflict with Emsisoft Anti-Malware (with BD/self engines) real-time protection? Also, I suppose I'll need to disable the Windows default exploit protection if I'm to use HMPA? Thanks
Not that I am aware of. In my case I haven't suffered any issues (yet); the scanner in HMPA seems purely cloud-based, so I guess it may be just redundant. From what I heard from the Loman brothers, HMPA will take over the one offered by Win10.
HitmanPro.Alert build 723 Release Candidate

Screenshot

Changelog (compared to build 721)

Added protection against dropping shellcode straight into memory from VBA macro code. This mitigation is part of Load Library and triggers a Shellcode alert.
Added protection against compilation of arbitrary code straight into memory from an application under exploit mitigations, like Office. Such attacks can bypass whitelisting-based protection like Windows Defender Device Guard.
Improved Credential Theft Protection by separating LSASS (memory) and SAM protection (disk and registry). LSASS memory protection is now enabled by default. SAM protection (disk and registry) is optional, meaning it is disabled by default to allow system backups. We recommend that you enable the protection of the SAM database (Security Account Manager) from the Credential Theft Protection mitigation so its structures in the Windows Registry and local disk are shielded against dumping.
Improved Code Cave mitigation.
Improved Import Address Table Address Filtering (IAF) mitigation.
Improved logging to the Windows Event Log from the Anti-Malware mitigation.
Improved Hollow Process mitigation to block hijacking of a remote main thread to run arbitrary code.
Fixed generation of Thumbprints for the Credential Theft Protection module with regard to catalog-signed files.
Fixed a ROP technique detection on pidgenx.dll when trying to activate Microsoft Office.
Fixed a CallerCheck alert associated with Microsoft Power Query and CLR.DLL.
Fixed a rare BSOD caused by the Anti-Malware mitigation.
Fixed a compatibility issue with Microsoft Hyper-V on Windows 10 version 1709 (Fall Creators Update).
Fixed a minor memory leak originating from the CryptoGuard anti-ransomware mitigation.
Unless mentioned otherwise, from now on all our builds contain drivers co-signed by Microsoft so they also work on machines with Secure Boot enabled.

Download
http://test.hitmanpro.com/hmpalert3b723.exe

Please let us know how this build runs on your machine. All users running a 7xx beta build are currently automatically updated. Users running build 604 are expected to receive an automatic update early next week (no exact date yet).

Thanks everybody!
Yes. Protection of the Security Account Manager (SAM database) on the disk and in the registry is disabled by default to allow system backups. If you enable it, you might run into issues with backup software although we have put effort into making more common backup solutions work, including Macrium Reflect and Acronis True Image. Let us know if you have a backup application that doesn't work in the presence of Credential Theft Protection.
Is this tested only with current Macrium Reflect and Acronis True Image versions, or is it also tested with older versions? (Like, for instance, Acronis True Image 2010 update 3 build 7160, that still works with Windows 7.)
Another popular imaging program, at least here, is TeraByte's Image for Windows, and also Drive Snapshot.
Re CredGuard. I tested Macrium and it's still good. I then tested Acronis True Image Home 2018. Credential Theft Prevention blocks it unless SAM is turned off. Also IFW fails with it. Still, splitting out LSASS is a good improvement.
Just installed this RC and running alongside Norton. No problems so far. @Peter2150, do you have Security Account Manager enabled, or have you tested MR backups with it enabled? Thanks.

Edit: Haha, I see you had posted while I was composing my message.
I haven't really been following this thread closely, but how does the Anti-Malware mitigation (real-time protection) work? Is it likely to interfere with other AVs or security programs? Thanks.
Before a file is executed, HMP.A calculates the hash of the file and checks it in the HitmanPro Cloud. If the file is malware, the execution of this file is denied and you should see a red flyout.
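The pre-execution flow mood describes (hash the file, look the hash up, deny if known-bad) is small enough to model end to end. The script below is an added illustration written for this thread, not HitmanPro.Alert code; the deny-list, the sample files and the `cloud_lookup` function are constructed stand-ins for the real cloud service, and the fail-open/fail-closed switch is an assumption about policy, not a documented HMP.A setting. It also covers the case the thread keeps circling back to: what a hash-lookup scanner does when the verdict is cached, and when the cloud cannot be reached at all.

```python
"""Model of a hash-based pre-execution check (added example, not HMP.A code).

Constructed stand-ins: the deny-list, the sample files, and cloud_lookup().
Assumption: the fail_closed policy knob; HMP.A's real behaviour is not documented here.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed stand-in for the cloud verdict database: SHA-256 of file bytes -> detection name.
CONSTRUCTED_DENYLIST: Dict[str, str] = {
    hashlib.sha256(b"MZ\x90\x00 constructed malicious sample").hexdigest(): "Constructed.Malware.A",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file contents in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def cloud_lookup(digest: str, *, reachable: bool = True) -> Optional[str]:
    """Hypothetical cloud query: a detection name, or None for 'no detection'.
    Raises ConnectionError when the service cannot be reached."""
    if not reachable:
        raise ConnectionError("reputation service unreachable")
    return CONSTRUCTED_DENYLIST.get(digest)


class PreExecutionCheck:
    """Hash -> (cached) verdict lookup that runs before a file is allowed to execute."""

    def __init__(self, fail_closed: bool = False) -> None:
        self.fail_closed = fail_closed             # policy when no verdict can be obtained
        self.cache: Dict[str, Optional[str]] = {}  # digest -> verdict, avoids repeat queries

    def decide(self, path: Path, *, cloud_reachable: bool = True) -> Tuple[str, str]:
        """Return ("allow" | "deny", reason) for the file at `path`."""
        digest = sha256_file(path)
        if digest in self.cache:
            verdict, source = self.cache[digest], "cache"
        else:
            try:
                verdict = cloud_lookup(digest, reachable=cloud_reachable)
            except ConnectionError:
                # No verdict available: policy decides, and nothing is cached.
                if self.fail_closed:
                    return "deny", "lookup failed (fail-closed policy)"
                return "allow", "lookup failed (fail-open policy)"
            self.cache[digest] = verdict
            source = "cloud"
        if verdict is not None:
            return "deny", f"{verdict} via {source}"
        return "allow", f"no detection via {source}"


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the check over constructed files and return each decision."""
    results: Dict[str, Tuple[str, str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        bad = Path(tmp) / "dropper.exe"
        bad.write_bytes(b"MZ\x90\x00 constructed malicious sample")
        good = Path(tmp) / "benign.exe"
        good.write_bytes(b"MZ\x90\x00 constructed benign sample")
        unknown = Path(tmp) / "unknown.exe"
        unknown.write_bytes(b"MZ\x90\x00 constructed unseen sample")

        check = PreExecutionCheck(fail_closed=False)
        results["bad_online"] = check.decide(bad)
        results["good_online"] = check.decide(good)
        # Cloud becomes unreachable: cached verdicts still apply, unseen files follow policy.
        results["bad_offline_cached"] = check.decide(bad, cloud_reachable=False)
        results["unknown_offline_open"] = check.decide(unknown, cloud_reachable=False)
        strict = PreExecutionCheck(fail_closed=True)
        results["unknown_offline_closed"] = strict.decide(unknown, cloud_reachable=False)
    return results


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:24} {action:5} {reason}")
```

The design point worth noticing is the last two results: a purely cloud-backed scanner that has never seen a file has no local opinion about it, so whether it allows or blocks that file while the network is down is entirely a policy choice, and that policy (plus the lookup latency itself) is where a second real-time scanner hooking the same execution event can start to step on it.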
Thanks as always, mood. It sounds like there is potentially an avenue for conflict with other security solutions.