I just got this while running a scan with SUPERAntiSpyware. Yeah, I know, I know.
Code:
Log Name: Application
Source: HitmanPro.Alert
Date: 19/11/2017 8:07:17 AM
Event ID: 911
Task Category: Mitigation
Level: Error
Keywords: Classic
User: N/A
Computer: David-HP
Description:
Mitigation CredGuard
Platform 10.0.16299/x64 v723 06_5e
PID 3468
Application C:\Program Files\SUPERAntiSpyware\SASCore64.exe
Description Core Service 6
SAM access denied.
Range = LBA 1328464 :224
Read = LBA 1328464 :8
Process Trace
1 C:\Program Files\SUPERAntiSpyware\SASCore64.exe [3468]
2 C:\Windows\System32\services.exe [780]
3 C:\Windows\System32\wininit.exe [664] wininit.exe
Thumbprint
57c90e4bc46240f0d225530dd45c3dc5669c6f9b15fce6506e787a251ed1eccd
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-11-18T21:07:17.020639300Z" />
    <EventRecordID>4252</EventRecordID>
    <Channel>Application</Channel>
    <Computer>David-HP</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files\SUPERAntiSpyware\SASCore64.exe</Data>
    <Data>CredGuard</Data>
    <Data>Mitigation CredGuard Platform 10.0.16299/x64 v723 06_5e PID 3468 Application C:\Program Files\SUPERAntiSpyware\SASCore64.exe Description Core Service 6 SAM access denied. Range = LBA 1328464 :224 Read = LBA 1328464 :8 Process Trace 1 C:\Program Files\SUPERAntiSpyware\SASCore64.exe [3468] 2 C:\Windows\System32\services.exe [780] 3 C:\Windows\System32\wininit.exe [664] wininit.exe Thumbprint 57c90e4bc46240f0d225530dd45c3dc5669c6f9b15fce6506e787a251ed1eccd</Data>
  </EventData>
</Event>
SAM is disabled on my other two machines for now.
I even get a CredGuard error when I open the Windows 10 task manager, if SAM is enabled... Am I wrong in thinking that default OS components should be whitelisted out of the box?
The problem with whitelisting OS components is that it doesn't actually help, as most attacks are initiated from whitelisted binaries, including ransomware. Whitelisting is dead.
Oh, bummer. What's the alternative? How can I enable SAM, yet not get any errors when opening the task manager?
Is there any way HMP.A could add mitigations for this? https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/
We are investigating our options but there are not many details available because of the severity of the vulnerability. Stay tuned.
Yeah, it sounds like everyone can just chuck their hardware. But I've also read that one needs physical access to the computer, like via a USB.
Most of the mentioned vulnerabilities are AV:L (Attack Vector: Local), but CVE-2017-5712 is AV:N (Attack Vector: Network), and Intel writes: "allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege."
Yes. I thought I saw the text SAM in the report. Will try to reproduce this and post the exact message.
Code:
Mitigation CredGuard
Platform 10.0.16299/x64 v723 06_17*
PID 7596
Application C:\Windows\System32\Taskmgr.exe
Description Task Manager 10
SAM access denied.
Range = LBA 124392040 :256
Read = LBA 124392168 :8
Process Trace
1 C:\Windows\System32\Taskmgr.exe [7596] "C:\WINDOWS\System32\Taskmgr.exe" /3
2 C:\Windows\System32\LaunchTM.exe [7036] launchtm.exe /3
3 C:\Windows\System32\winlogon.exe [768] winlogon.exe
It does mention SAM. Can you please explain?
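For triaging these events in bulk, here is an added example (my own code, not part of the thread or of HitmanPro.Alert) that parses the two CredGuard descriptions quoted in this thread as the Event Viewer flattens them: it pulls out the mitigation name, PID, application, the protected and the read LBA ranges and the process trace, checks that the blocked read really overlaps the protected SAM region, and marks which images live under the Windows directory. The field labels are those visible in the event text; the regular expressions and the `is_os_binary` heuristic are assumptions of mine.

```python
import re

# Event descriptions quoted in this thread (forum line breaks flattened, thumbprint omitted).
SAMPLE_SAS = (
    "Mitigation CredGuard Platform 10.0.16299/x64 v723 06_5e PID 3468 "
    "Application C:\\Program Files\\SUPERAntiSpyware\\SASCore64.exe Description Core Service 6 "
    "SAM access denied. Range = LBA 1328464 :224 Read = LBA 1328464 :8 Process Trace "
    "1 C:\\Program Files\\SUPERAntiSpyware\\SASCore64.exe [3468] "
    "2 C:\\Windows\\System32\\services.exe [780] 3 C:\\Windows\\System32\\wininit.exe [664] wininit.exe"
)
SAMPLE_TASKMGR = (
    "Mitigation CredGuard Platform 10.0.16299/x64 v723 06_17* PID 7596 "
    "Application C:\\Windows\\System32\\Taskmgr.exe Description Task Manager 10 "
    "SAM access denied. Range = LBA 124392040 :256 Read = LBA 124392168 :8 Process Trace "
    "1 C:\\Windows\\System32\\Taskmgr.exe [7596] \"C:\\WINDOWS\\System32\\Taskmgr.exe\" /3 "
    "2 C:\\Windows\\System32\\LaunchTM.exe [7036] launchtm.exe /3 "
    "3 C:\\Windows\\System32\\winlogon.exe [768] winlogon.exe"
)

# Trace entry "<n> <image path> [<pid>]": the path may contain spaces, and a command
# line may follow the bracket before the next numbered entry (see the Taskmgr trace).
TRACE_RE = re.compile(r"(\d+) ([A-Za-z]:\\[^\[]*?) \[(\d+)\]")
LBA_RE = re.compile(r"Range = LBA (\d+) :(\d+) Read = LBA (\d+) :(\d+)")

def parse_event(text: str) -> dict:
    """Split a flattened HitmanPro.Alert mitigation description into its fields."""
    def grab(pattern, default=None):
        m = re.search(pattern, text)
        return m.group(1) if m else default
    lba = LBA_RE.search(text)
    _, _, trace = text.partition("Process Trace")
    return {
        "mitigation": grab(r"Mitigation (\S+)"),
        "pid": int(grab(r"PID (\d+)", "0")),
        "application": grab(r"Application (.+?) Description "),
        # (first sector, sector count) of the protected SAM region and of the blocked read
        "range": (int(lba.group(1)), int(lba.group(2))) if lba else None,
        "read": (int(lba.group(3)), int(lba.group(4))) if lba else None,
        "trace": [(int(n), path, int(p)) for n, path, p in TRACE_RE.findall(trace)],
    }

def read_hits_range(event: dict) -> bool:
    """True when the blocked read overlaps the protected LBA range (sector arithmetic)."""
    r_start, r_len = event["range"]
    d_start, d_len = event["read"]
    return d_start < r_start + r_len and d_start + d_len > r_start

def is_os_binary(path: str) -> bool:
    """Triage hint (our heuristic, not HMP.A's): does the image live under C:\\Windows?"""
    return path.lower().startswith("c:\\windows\\")
```

Both quoted events parse to reads that fall inside the protected range, which is why CredGuard fires regardless of whether the reader is a third-party service or Task Manager itself.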
Nothing at all... I only pressed Ctrl+Alt+Del to open it. Is it possible that my antivirus software (Emsisoft Anti-Malware) interferes?
Hi Mark, Can you provide a more specific timeframe for the automatic update to build 723 for users running build 604?
Build 723 is offered now, to users running build 604. Offered on my two Windows 7 systems. Also see plat1098's post in the HitmanPro.Alert (non beta) thread.
Hi Stupendous Man, Thanks for your input. I am aware that build 723 is already available to users running build 604. However, since this is the second Release Candidate and the automatic upgrade timeframe was short, I decided to wait for the general rollout.
Oh, OK, sorry for misunderstanding. I attempted a right click "Check for update" and nothing happened, hence my post. However, I just tried it again, and it prompted me for the update. Go figure.
Yes, that is something I've seen before. Perhaps there is some limitation built into the auto-update mechanism, to ease the load on the update servers.
Code:
Mitigation PrivGuard
Platform 10.0.16299/x64 v723 06_45
PID 11332
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 57
Sweep Code Injection
00000000007A0000-00000000007A6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1892]
00000000007B0000-00000000007B1000 4KB
00007FFEDC0C9000-00007FFEDC0CA000 4KB
0000017852816000-0000017852817000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [12604]
00007FFEDC0F0000-00007FFEDC0F1000 4KB
00007FFEDC0F2000-00007FFEDC0F3000 4KB
00007FFEDC0EF000-00007FFEDC0F0000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [1892]
2 C:\Windows\System32\services.exe [904]
3 C:\Windows\System32\wininit.exe [828] wininit.exe
1 C:\Program Files\Mozilla Firefox\firefox.exe [12604] "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://www.kcsoftwares.com/?page=postinstall&sw=SUMo"
2 C:\Sandbox\Marine\DefaultBox\user\current\AppData\Local\Temp\is-6OV9L.tmp\sumo.tmp [9708] "C:\Users\Marine\AppData\Local\Temp\is-6OV9L.tmp\sumo.tmp" /SL5="$1C0BD2,1219898,162816,C:\Users\Marine\Desktop\sumo.exe" /SPAWNWND=$2409D8 /NOTIFYWND=$C0C8E
3 C:\Users\Marine\Desktop\sumo.exe [2032] "C:\Users\Marine\Desktop\sumo.exe" /SPAWNWND=$2409D8 /NOTIFYWND=$C0C8E
4 C:\Program Files\Sandboxie\SbieSvc.exe [9336] "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00000F28_00000000_7FE58384_00000142_
5 C:\Program Files\Sandboxie\Start.exe [12092] "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00000F28_00000000_7FE58384_00000142_
6 C:\Program Files\Sandboxie\SbieSvc.exe [1892]
7 C:\Windows\System32\services.exe [904]
8 C:\Windows\System32\wininit.exe [828] wininit.exe
Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [11332] "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="12604.13.459363129\1140960185" -childID 2 -isForBrowser -intPrefs 5:50|6:-1|28:1000|34:20|35:5|36:10|45:128|46:10000|51:0|53:400|54:1|55:0|56:0|61:0|62:120|63:120|98:2|99:1|114:5000|124
2 C:\Program Files\Mozilla Firefox\firefox.exe [12604] "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://www.kcsoftwares.com/?page=postinstall&sw=SUMo"
3 C:\Sandbox\Marine\DefaultBox\user\current\AppData\Local\Temp\is-6OV9L.tmp\sumo.tmp [9708] "C:\Users\Marine\AppData\Local\Temp\is-6OV9L.tmp\sumo.tmp" /SL5="$1C0BD2,1219898,162816,C:\Users\Marine\Desktop\sumo.exe" /SPAWNWND=$2409D8 /NOTIFYWND=$C0C8E
4 C:\Users\Marine\Desktop\sumo.exe [2032] "C:\Users\Marine\Desktop\sumo.exe" /SPAWNWND=$2409D8 /NOTIFYWND=$C0C8E
5 C:\Program Files\Sandboxie\SbieSvc.exe [9336] "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00000F28_00000000_7FE58384_00000142_
6 C:\Program Files\Sandboxie\Start.exe [12092] "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00000F28_00000000_7FE58384_00000142_
7 C:\Program Files\Sandboxie\SbieSvc.exe [1892]
8 C:\Windows\System32\services.exe [904]
9 C:\Windows\System32\wininit.exe [828] wininit.exe
@markloman, November 15, you wrote, To which I asked, Now that 604 is auto updated to 723 for all users, this is even more relevant to know.