HitmanPro.Alert BETA

I just got this with Build 723.

Code:

Log Name:      Application
Source:        HitmanPro.Alert
Date:          16/11/2017 4:41:42 PM
Event ID:      911
Task Category: Mitigation
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      David-HP
Description:
Mitigation   CredGuard

Platform     10.0.16299/x64 v723 06_5e
PID          3416
Application  C:\Windows\System32\svchost.exe
Description  Host Process for Windows Services 10

SAM access denied.

Range = LBA 1328464 :224
Read  = LBA 1328256 :224

Process Trace
1  C:\Windows\System32\svchost.exe [3416]
c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
2  C:\Windows\System32\services.exe [780]
3  C:\Windows\System32\wininit.exe [664]
wininit.exe

Thumbprint
bbd5384dfb0088568607a4d6a193393774dc834fad764e38529ca1ad3fd671f8
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-11-16T05:41:42.840554200Z" />
    <EventRecordID>2879</EventRecordID>
    <Channel>Application</Channel>
    <Computer>David-HP</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Windows\System32\svchost.exe</Data>
    <Data>CredGuard</Data>
    <Data>Mitigation   CredGuard

Platform     10.0.16299/x64 v723 06_5e
PID          3416
Application  C:\Windows\System32\svchost.exe
Description  Host Process for Windows Services 10

SAM access denied.

Range = LBA 1328464 :224
Read  = LBA 1328256 :224

Process Trace
1  C:\Windows\System32\svchost.exe [3416]
c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
2  C:\Windows\System32\services.exe [780]
3  C:\Windows\System32\wininit.exe [664]
wininit.exe

Thumbprint
bbd5384dfb0088568607a4d6a193393774dc834fad764e38529ca1ad3fd671f8</Data>
  </EventData>
</Event>

I wasn't doing anything other than reading ealier posts in this thread using Firefox 57.

Win10 x64 1709
Norton Security 22.11.2.7
Malwarebytes 3.3.1

 

Do you have any alert details about the block? It should be in the Windows Event Log.

 

I'll eat my shoe if that EVER happens. Our Anti-Malware is the lightest on the planet

 

Can I hold you to that, Mark?

 

I deleted the HMPA Event Log but the HMPA interface still shows the events? I must have done something incorrectly.

 

Running smoothly over here.
I enabled SAM and I am presently running a Macrium Reflect backup job without hitch.

 

Do not delete the HMPA Event Log but the Applications log in the Windows Event Log.

 

Does build 723 RC fix the mitigations caused by Sandboxie?

 

I think Sandboxie is the one that needs to fix the issues.

 

Sandboxie is actually stealing tokens and elevating privileges with them so our mitigation is not wrong. Disable Local Privilege Mitigation if you insist on using Sandboxie around your browsers.
Note that most browsers already run in a sandbox, like Microsoft Edge and Google Chrome, so adding another sandbox might be overkill on top of the native sandbox and all our mitigations.

 

I got an interception from SAM. It seems to have blocked Windows Defender (Win 10 x64 fall creators):

 

Did you enable protection of the Security Account Manager (SAM)?

 

Yes

 

You may want to reboot your system so HitmanPro.Alert receives a data update which solves the alert you are having.

 

This happened shortly after installing 723.
Will 723 receive an update?

 

All users, whatever build they are running, receive silent data updates. A new one went out two hours ago but HMPA only checks it once every 4 hours.

 

Thanks for that info.
The block I saw was immediately preceded by the one pasted below, I am assuming that also this was covered by the data update:

C:\Windows\System32\SrTasks.exe
CredGuard
Mitigation CredGuard Platform 10.0.16299/x64 v723 06_5e PID 8884 Application C:\Windows\System32\SrTasks.exe Description Microsoft® Windows System Protection background tasks. 10 SAM access denied. Range = LBA 178212384 :16 Read = LBA 178212384 :16 Process Trace 1 C:\Windows\System32\SrTasks.exe [8884] C:\WINDOWS\system32\srtasks.exe ExecuteScheduledSPPCreation 2 C:\Windows\System32\svchost.exe [1168] c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule 3 C:\Windows\System32\services.exe [856]

 

Hi Mark,

Will that have any affect on my issue too?

Thanks.

 

Yes it should.

 

Nice! Thanks.

 

Ok. And is it possible to EXCLUDE Sandboxie?

 

The times that I have tried to combo HMPA with SBIE, I didn't see HMPA blocking anything. I rather saw SBIE complaining that it could not communicate with sandboxed browser. And I never found a solution, other than to hide the error message.
Is this a different issue?

 

Laptop A lots of PrivGuard mitigations caused by Sandboxie and with laptop B no problems at all.

Example of a PrivGuard mitigation: HitmanPro.Alert BETA

Both laptops: Win10 1709 build 16299.64 x64/Norton Security v22.11.2.7

 

No problems upgrading build 723 (laptop B).

 

No problems installing or using build 723 RC on Win 10 Pro x64 v1709 16299.64.

But I have left SAM unticked. One imaging program I use is AOMEI Backupper, not sure if that one is covered (over and above Macrium and Acronis) - would have to test.