I just got this with Build 723.

Log Name: Application
Source: HitmanPro.Alert
Date: 16/11/2017 4:41:42 PM
Event ID: 911
Task Category: Mitigation
Level: Error
Keywords: Classic
User: N/A
Computer: David-HP
Description:
Mitigation CredGuard
Platform 10.0.16299/x64 v723 06_5e
PID 3416
Application C:\Windows\System32\svchost.exe
Description Host Process for Windows Services
10 SAM access denied.
Range = LBA 1328464 :224
Read = LBA 1328256 :224
Process Trace
1 C:\Windows\System32\svchost.exe [3416]
c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
2 C:\Windows\System32\services.exe [780]
3 C:\Windows\System32\wininit.exe [664]
wininit.exe
Thumbprint bbd5384dfb0088568607a4d6a193393774dc834fad764e38529ca1ad3fd671f8

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="HitmanPro.Alert" />
<EventID Qualifiers="0">911</EventID>
<Level>2</Level>
<Task>9</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-11-16T05:41:42.840554200Z" />
<EventRecordID>2879</EventRecordID>
<Channel>Application</Channel>
<Computer>David-HP</Computer>
<Security />
</System>
<EventData>
<Data>C:\Windows\System32\svchost.exe</Data>
<Data>CredGuard</Data>
<Data>Mitigation CredGuard Platform 10.0.16299/x64 v723 06_5e PID 3416 Application C:\Windows\System32\svchost.exe Description Host Process for Windows Services 10 SAM access denied. Range = LBA 1328464 :224 Read = LBA 1328256 :224 Process Trace 1 C:\Windows\System32\svchost.exe [3416] c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt 2 C:\Windows\System32\services.exe [780] 3 C:\Windows\System32\wininit.exe [664] wininit.exe Thumbprint bbd5384dfb0088568607a4d6a193393774dc834fad764e38529ca1ad3fd671f8</Data>
</EventData>
</Event>

I wasn't doing anything other than reading earlier posts in this thread using Firefox 57. Win10 x64 1709, Norton Security 22.11.2.7, Malwarebytes 3.3.1.
I deleted the HMPA Event Log but the HMPA interface still shows the events? I must have done something incorrectly.
Running smoothly over here. I enabled SAM and I am presently running a Macrium Reflect backup job without hitch.
Sandboxie is actually stealing tokens and elevating privileges with them so our mitigation is not wrong. Disable Local Privilege Mitigation if you insist on using Sandboxie around your browsers. Note that most browsers already run in a sandbox, like Microsoft Edge and Google Chrome, so adding another sandbox might be overkill on top of the native sandbox and all our mitigations.
I got an interception from SAM. It seems to have blocked Windows Defender (Win 10 x64 fall creators):
You may want to reboot your system so HitmanPro.Alert receives a data update which solves the alert you are having.
All users, whatever build they are running, receive silent data updates. A new one went out two hours ago but HMPA only checks it once every 4 hours.
Thanks for that info. The block I saw was immediately preceded by the one pasted below; I am assuming that this one was also covered by the data update:

C:\Windows\System32\SrTasks.exe
CredGuard
Mitigation CredGuard
Platform 10.0.16299/x64 v723 06_5e
PID 8884
Application C:\Windows\System32\SrTasks.exe
Description Microsoft® Windows System Protection background tasks.
10 SAM access denied.
Range = LBA 178212384 :16
Read = LBA 178212384 :16
Process Trace
1 C:\Windows\System32\SrTasks.exe [8884]
C:\WINDOWS\system32\srtasks.exe ExecuteScheduledSPPCreation
2 C:\Windows\System32\svchost.exe [1168]
c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
3 C:\Windows\System32\services.exe [856]
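Both the svchost.exe alert quoted earlier in the thread and the SrTasks.exe alert above share the same Event ID 911 message layout, so here is a small parser for it. This is an added example written for this thread; it is not code from HitmanPro.Alert or its vendor. The field names (`range_lba`, `read_lba`, `code`, `build_tag`, and so on) are my own labels, and the reading that "Range" is the protected SAM extent on disk and "Read" is the read the process attempted is my assumption from the labels, not documented behaviour. The sample inputs are the two alerts as they appear in this thread; the `triage` heuristic only says whether the whole process chain sits in System32 and ends at wininit.exe/services.exe, which is the pattern of the false positives the data update resolved, so it is a first-look aid, not a verdict.

```python
"""Parse HitmanPro.Alert CredGuard (Event ID 911) alerts into structured records.

Added example for this thread; not vendor code. Field names below are my own.
"""
import re
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Sample 1: the Event XML exactly as quoted in the svchost.exe post above.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="HitmanPro.Alert" /><EventID Qualifiers="0">911</EventID><Level>2</Level><Task>9</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime="2017-11-16T05:41:42.840554200Z" /><EventRecordID>2879</EventRecordID><Channel>Application</Channel><Computer>David-HP</Computer><Security /></System><EventData><Data>C:\Windows\System32\svchost.exe</Data><Data>CredGuard</Data><Data>Mitigation CredGuard Platform 10.0.16299/x64 v723 06_5e PID 3416 Application C:\Windows\System32\svchost.exe Description Host Process for Windows Services 10 SAM access denied. Range = LBA 1328464 :224 Read = LBA 1328256 :224 Process Trace 1 C:\Windows\System32\svchost.exe [3416] c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt 2 C:\Windows\System32\services.exe [780] 3 C:\Windows\System32\wininit.exe [664] wininit.exe Thumbprint bbd5384dfb0088568607a4d6a193393774dc834fad764e38529ca1ad3fd671f8</Data></EventData></Event>"""

# Sample 2: the message text of the SrTasks.exe alert quoted in this post (no Event XML was posted).
SAMPLE_SRTASKS_MESSAGE = (
    r"Mitigation CredGuard Platform 10.0.16299/x64 v723 06_5e PID 8884 "
    r"Application C:\Windows\System32\SrTasks.exe "
    r"Description Microsoft® Windows System Protection background tasks. 10 SAM access denied. "
    r"Range = LBA 178212384 :16 Read = LBA 178212384 :16 "
    r"Process Trace 1 C:\Windows\System32\SrTasks.exe [8884] C:\WINDOWS\system32\srtasks.exe ExecuteScheduledSPPCreation "
    r"2 C:\Windows\System32\svchost.exe [1168] c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule "
    r"3 C:\Windows\System32\services.exe [856]"
)

# Header fields of the message. "code" is the bare number before the verdict text; the
# thread does not explain it, so it is just captured. Thumbprint is optional (sample 2 lacks it).
HEADER_RE = re.compile(
    r"Mitigation (?P<mitigation>\S+) Platform (?P<platform>\S+) v(?P<version>\d+) (?P<build_tag>\S+) "
    r"PID (?P<pid>\d+) Application (?P<application>.+?) Description (?P<description>.+?) "
    r"(?P<code>\d+) (?P<verdict>.+?)\. Range = LBA (?P<range_lba>\d+) :(?P<range_len>\d+) "
    r"Read = LBA (?P<read_lba>\d+) :(?P<read_len>\d+) Process Trace (?P<trace>.+?)"
    r"(?: Thumbprint (?P<thumbprint>[0-9a-f]{64}))?$"
)

# One "Process Trace" entry: depth, image path, [pid], optional command line up to the next entry.
TRACE_RE = re.compile(
    r"(?P<depth>\d+) (?P<image>[A-Za-z]:\\\S+) \[(?P<pid>\d+)\](?P<cmdline>.*?)(?= \d+ [A-Za-z]:\\|$)"
)


def parse_message(message):
    """Turn the free-text 911 message into a dict; raises ValueError if it is not one."""
    text = " ".join(message.split())  # the event (and a forum copy of it) may wrap lines
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a CredGuard mitigation message")
    rec = m.groupdict()
    for key in ("version", "pid", "code", "range_lba", "range_len", "read_lba", "read_len"):
        rec[key] = int(rec[key])
    trace_text = rec["trace"]
    rec["trace"] = [
        {"depth": int(t["depth"]), "image": t["image"], "pid": int(t["pid"]),
         "cmdline": t["cmdline"].strip()}
        for t in TRACE_RE.finditer(trace_text)
    ]
    return rec


def parse_event_xml(xml_text):
    """Parse the Event XML (as Get-WinEvent's ToXml() or the Event Viewer XML tab gives it)."""
    root = ET.fromstring(xml_text)
    system = root.find(EVT_NS + "System")
    data = [d.text or "" for d in root.iter(EVT_NS + "Data")]
    # HMPA stores image path, mitigation name and the full message in three Data fields.
    rec = parse_message(data[-1])
    rec.update({
        "event_id": int(system.find(EVT_NS + "EventID").text),
        "time": system.find(EVT_NS + "TimeCreated").get("SystemTime"),
        "image": data[0],
    })
    return rec


def read_overlap_sectors(rec):
    """Sectors the attempted read shares with the protected range (assumption: Range = SAM extent)."""
    r0, r1 = rec["range_lba"], rec["range_lba"] + rec["range_len"]
    s0, s1 = rec["read_lba"], rec["read_lba"] + rec["read_len"]
    return max(0, min(r1, s1) - max(r0, s0))


SYSTEM_DIR = "c:\\windows\\system32\\"


def triage(rec):
    """First look only: 'system-chain' if every image is in System32 and the chain ends at
    wininit.exe/services.exe (the shape of the false positives in this thread), else 'review'."""
    chain = [t["image"].lower() for t in rec["trace"]]
    in_system32 = all(p.startswith(SYSTEM_DIR) for p in chain)
    rooted = bool(chain) and chain[-1].rsplit("\\", 1)[-1] in ("wininit.exe", "services.exe")
    return "system-chain" if in_system32 and rooted else "review"


if __name__ == "__main__":
    for rec in (parse_event_xml(SAMPLE_EVENT_XML), parse_message(SAMPLE_SRTASKS_MESSAGE)):
        chain = " <- ".join(f"{t['image']}[{t['pid']}]" for t in rec["trace"])
        print(f"{rec['mitigation']} pid={rec['pid']} overlap={read_overlap_sectors(rec)} "
              f"{triage(rec)}: {chain}")
```

In the svchost.exe alert the attempted read starts 208 sectors before the protected range and overlaps it by 16 sectors, which is why a 224-sector read tripped a 224-sector range; the SrTasks.exe read is the protected range itself. On a live machine the XML for `parse_event_xml` comes from `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='HitmanPro.Alert'; Id=911}` followed by `.ToXml()` on each event.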
The times that I have tried to combo HMPA with SBIE, I didn't see HMPA blocking anything. I rather saw SBIE complaining that it could not communicate with the sandboxed browser. And I never found a solution, other than to hide the error message. Is this a different issue?
Laptop A: lots of PrivGuard mitigations caused by Sandboxie; laptop B: no problems at all. Example of a PrivGuard mitigation: HitmanPro.Alert BETA. Both laptops: Win10 1709 build 16299.64 x64 / Norton Security v22.11.2.7
No problems installing or using build 723 RC on Win 10 Pro x64 v1709 16299.64. But I have left SAM unticked. One imaging program I use is AOMEI Backupper, not sure if that one is covered (over and above Macrium and Acronis) - would have to test.