HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    Apparently not. :'( Still crashing on v729. I have another dump and won't be sending it unless someone from Surfright/SOPHOS specifically requests it to show me there is interest. I also still have all the other dumps I sent. If you need more specifics just holler
    HPMACrash.png
    referring to.
     
    Last edited: Jan 24, 2018
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Hi Adric,

    Please send me a DM with links to where I can get them.
     
  3. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
I can create as many dumps as you want, so if you need more, let me know. I have a feeling SOPHOS QA doesn't do much testing on 32-bit systems. Crashes consistently together with Shadow Defender when in shadow mode after shutting down on Win7 32-bit on ThinkPads L460 and T60 and with XP on T60.

    See your PM for the link. This dump is with v729 installed.
     
    Last edited: Jan 26, 2018
  4. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.7.4 Build 734 BETA

    Changelog (compared to build 729)
    • Improved Credential Theft Protection, which now terminates applications that attempt to access LSASS in an offending way.
    • Improved error handling when activating a trial or product key
    • Improved startup time of the HitmanPro.Alert Service
    • Improved mini-filter performance which speeds up CryptoGuard
    • Improved CryptoGuard to handle compressed PDF files more accurately
    • Improved Application Lockdown with detailed thumbprint generation for script-based attacks and to block abuse of Certutil and Python
    • Improved event logging of APC mitigation alerts
    • Added Event ID 800 (malware detected) to the custom HitmanPro.Alert view in the Windows Event Log
    • Added malware detections to the "Number of alerts" counter on the HitmanPro.Alert user interface
    • Added support for Spectre mitigations; i.e. our binaries are now compiled with /Qspectre compiler switch
    • Added offline indicator when the HitmanPro Anti-Malware Cloud is unreachable
    • Fixed the "Scan failed" issue which could occur when pressing the "Scan Computer" or "Scan with HitmanPro" button
    • Fixed unexpected behavior of Safe Browsing to improve detection and prevent false positives
    • Fixed issue that prevented proper disabling of Exploit Mitigations on Java binaries
    • Fixed rare issue that caused a hanging thread (locked a file) when CryptoGuard creates a file backup
    • Fixed an issue with code injection on Windows XP
    • Fixed an issue with the Reflective DLL Injection mitigation (part of Load Library mitigation)
    • Fixed an issue with the Windows 10 Start Menu
    • Fixed an issue when importing previously exported settings
    • Fixed a rare issue that could cause a BSoD mentioning partmgr.sys
    • Several other minor fixes and improvements
    Download (with drivers co-signed by Microsoft)
    http://test.hitmanpro.com/hmpalert3b734.exe

    Please let us know how this version runs on your machine. Thanks! :thumb:
     
  5. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Just finished the reboot after installation and looked over all the settings. Noticed that Anti-Malware: Offline is evident. Is the cloud down, or should I be investigating whether it is only my PC that can't reach it?
     
  6. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    After initiating a complete antivirus scan with Comodo Internet Security, HMP.A generated the following message. Please note I tried it both with and without SAM protection enabled. I also noticed that it popped up at the same time the Comodo scan generated a warning about a suspicious digital certificate.

    UPDATE: I see in the HMP.A changelog the first bullet is "Improved Credential Theft Protection, which now terminates applications that attempt to access LSASS in an offending way." Could a virus scan be accessing the LSASS in an offending way, and if so, what is the best way to remediate?

    Also, it always triggers 3 almost identical messages to the one below. The one obvious difference is the "Reading LSASS (856) process memory" line. Here are the three lines from the 3 separate entries in the Event Viewer:
    Reading LSASS (856) process memory: 00007FFB80C80000 L20480
    Reading LSASS (856) process memory: 00007FFB622100000 L4096
    Reading LSASS (856) process memory: 00007FFB3DCF0000 L65536

    ---------------------------------------------------------------------------------------------

    Mitigation CredGuard

    Platform 10.0.16299/x64 v734 06_2a
    PID 188
    Application C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
    Description COMODO Internet Security 10.1

    Reading LSASS (856) process memory: 00007FFB80C80000 L20480

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFB7DD465A4 KernelBase.dll ReadProcessMemory +0x14

    2 00007FFB6DD23FE7 mem.cav
    48397c2438 CMP [RSP+0x38], RDI
    742c JZ 0x7ffb6dd2401a
    488b542430 MOV RDX, [RSP+0x30]
    4c8bce MOV R9, RSI
    4d8bc4 MOV R8, R12
    488bcd MOV RCX, RBP
    897c2420 MOV [RSP+0x20], EDI
    e87b010000 CALL 0x7ffb6dd24180
    85c0 TEST EAX, EAX
    7411 JZ 0x7ffb6dd2401a
    393e CMP [RSI], EDI
    7408 JZ 0x7ffb6dd24015
    488bce MOV RCX, RSI
    e8bb1b0000 CALL 0x7ffb6dd25bd0
    bf01000000 MOV EDI, 0x1
    488b4c2430 MOV RCX, [RSP+0x30]

    3 00007FFB6DD23C85 mem.cav
    4 00007FFB6DD22D1B mem.cav
    5 00007FFB6DD22AEC mem.cav
    6 00007FF6F655334E cavwp.exe
    7 00007FF6F6554B11 cavwp.exe
    8 00007FF6F65516D9 cavwp.exe
    9 00007FF6F65820C9 cavwp.exe
    10 00007FFB7F941FE4 kernel32.dll BaseThreadInitThunk +0x14

    Process Trace
    1 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe [188]
    "C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvScanner -Embedding
    2 C:\Windows\System32\svchost.exe [764]
    C:\Windows\system32\svchost.exe -k DcomLaunch -p

    Thumbprint
    4748ed32fc6b9cefffbb1bc556d783bf958e298d8a02857c64df6c56f1fea82e
     
    Last edited: Feb 23, 2018
  7. guest

    guest Guest

    Disabling of the SAM protection (it protects the registry+disk) has no effect because the "CredGuard" mitigation is still protecting the memory which Comodo wants to scan ("Reading LSASS (856) process memory")
    For now the only solution would be to disable the "CredGuard" mitigation else further alerts will appear.

    Did it also happen with earlier HMP.A builds, or is it the first time?
     
  8. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    This is the first time. That's why I believe it is related to the first bullet in the changelog.

    I mentioned the SAM protection because antivirus scans usually trigger a HMP.A mitigation alert.
     
    Last edited: Feb 23, 2018
  9. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems (re)installing build 734 BETA.

    Win10 1709 build 16299.214 x64/Norton Security v22.11.0.104
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,
    A similar issue is happening when trying to run a scan with Emsisoft Emergency Kit. The scan will start, run for a bit, and then HMP.A intercepts an attack and EEK is shut down.
    Mitigation CredGuard

    Platform 10.0.16299/x64 v734 06_9e
    PID 12232
    Application C:\Program Files\EEK\BIN64\a2emergencykit.exe
    Description Emsisoft Emergency Kit 2017.12

    Reading LSASS (752) process memory: 0000000000000000 L1128

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFD943165A4 KernelBase.dll ReadProcessMemory +0x14
    2 00007FFD9439BD86 KernelBase.dll GetModuleFileNameExA +0x2a6
    3 00007FFD9439BBD0 KernelBase.dll GetModuleFileNameExA +0xf0
    4 00007FFD9439B954 KernelBase.dll EnumProcessModulesEx +0x84

    5 00007FFD84A0B933 a2engine.dll
    85c0 TEST EAX, EAX
    0f8473020000 JZ 0x7ffd84a0bbae
    448bf7 MOV R14D, EDI
    f74500f8ffffff TEST DWORD [RBP+0x0], 0xfffffff8
    0f8663020000 JBE 0x7ffd84a0bbae
    0f1f440000 NOP DWORD [RAX+RAX+0x0]
    418bd6 MOV EDX, R14D
    41b904010000 MOV R9D, 0x104
    4c8d8550200000 LEA R8, [RBP+0x2050]
    488b54d550 MOV RDX, [RBP+RDX*8+0x50]
    498bcc MOV RCX, R12
    ff15a27d0200 CALL QWORD [RIP+0x27da2]
    85c0 TEST EAX, EAX

    6 00007FFD84A0C15C a2engine.dll
    7 00007FFD84A0C97B a2engine.dll
    8 00007FFD84A0CFCA a2engine.dll
    9 00007FFD84A105CD a2engine.dll
    10 00007FFD84990B40 a2engine.dll

    Process Trace
    1 C:\Program Files\EEK\BIN64\a2emergencykit.exe [12232]
    2 C:\Program Files\EEK\Start Emergency Kit Scanner.exe [2468]
    3 C:\Windows\explorer.exe [6212]
    4 C:\Windows\System32\userinit.exe [5292]

    Thumbprint
    3172805b62144b24359be9a9c93d7e9c9ae094500e2546589d850c1ce167799d
    Note that this happens with SAM disabled but the scan will run normally with CredGuard (Credential Theft Protection) disabled. This may be an issue that will affect several anti-virus and/or anti-malware scanners that scan computer memory.
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Is it still showing offline? It could take some time before it discovers that the connection with the cloud servers is restored.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Looks good here so far.
     
  13. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Right you are! The offline message is gone. Thanks Ronny.
     
  14. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Mark, does build 734 resolve the BSOD and other issues on Windows Vista? I've been reluctant to move from build 604, as I am not eager to repeat the experience. :)

    Thanks!
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    So far no problems to report with my current setup. :thumb:
     
  16. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Sorry, but Build 734 is a no no for me as it is intercepting Kerish Doctor v4.65 as an issue, which clearly it is not, being a well known & reputable application. Running Windows 10 Pro 64bit.

    Baldrick :(:thumbd:

    Mitigation CredGuard

    Platform 10.0.16299/x64 v734 06_1e
    PID 11856
    Application C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe
    Description Kerish Doctor 4.65

    Reading LSASS (732) process memory: 771A7BEC L4

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 771427FB ntdll.dll RtlpQueryProcessDebugInformationRemote +0x1ab
    2 7713BDF8 ntdll.dll
    3 7713B3B5 ntdll.dll LdrQueryModuleServiceTags +0x95
    4 7713B808 ntdll.dll
    5 77142133 ntdll.dll RtlQueryProcessLockInformation +0x223
    6 77141B85 ntdll.dll
    7 73B20B31 kernel32.dll Module32Next +0x221
    8 73B1F932 kernel32.dll CreateToolhelp32Snapshot +0xa2

    9 00A22E00 KerishDoctor.exe
    8b1dd0104000 MOV EBX, [0x4010d0]
    8bf0 MOV ESI, EAX
    ffd3 CALL EBX
    8d85c0fbffff LEA EAX, [EBP-0x440]
    8d8d80f9ffff LEA ECX, [EBP-0x680]
    50 PUSH EAX
    51 PUSH ECX
    68ecff4600 PUSH DWORD 0x46ffec
    8975ec MOV [EBP-0x14], ESI
    c785c0fbffff24020000 MOV DWORD [EBP-0x440], 0x224
    ff1570124000 CALL DWORD [0x401270]
    50 PUSH EAX
    56 PUSH ESI
    e845d5a4ff CALL 0x47037c
    8985a8fbffff MOV [EBP-0x458], EAX
    ffd3 CALL EBX

    10 00A20C29 KerishDoctor.exe

    Process Trace
    1 C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe [11856]
    2 C:\Windows\explorer.exe [4560]
    3 C:\Windows\System32\userinit.exe [3956]
    4 C:\Windows\System32\winlogon.exe [708]
    winlogon.exe
    5 C:\Windows\System32\smss.exe [596]
    \SystemRoot\System32\smss.exe 000000fc 00000080

    Thumbprint
    542aa3f8e8353e25ee849d4e623444edbb43410b54b06143bdf21af757c42393
     
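Added example (my own code, not HitmanPro.Alert's or any of the vendors' code): a Python parser for the CredGuard alert format that HempOil, puff-m-d and Baldrick posted above, plus a triage heuristic of my own that reports whether the LSASS read was reached through documented module-enumeration APIs (as in the EEK and Kerish Doctor stack traces) or directly from the scanner's own module (as in the Comodo trace). The sample reports are abridged copies of the three posts; the verdict labels and the MODULE_ENUM_APIS set are my assumptions, not HMP.A's classification.

```python
"""Parse the HitmanPro.Alert CredGuard alert text posted in this thread and triage each
report by how the LSASS read was reached (added example, not HitmanPro.Alert's own code)."""
from __future__ import annotations
import re

KV_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description) (.+)$")
LSASS_RE = re.compile(r"^Reading LSASS \((\d+)\) process memory: ([0-9A-F]+) L(\d+)$")
FRAME_RE = re.compile(r"^(\d+) ([0-9A-F]{8,16}) (\S+)(?: (\S+) (\+0x[0-9a-f]+))?$")
PROC_RE = re.compile(r"^\d+ (.+?) \[(\d+)\]$")
SECTIONS = ("Stack Trace", "Process Trace", "Thumbprint")

# Heuristic of my own, not HMP.A's logic: a scanner that inventories the modules of a
# process reaches ReadProcessMemory through these documented enumeration APIs.
MODULE_ENUM_APIS = {"EnumProcessModules", "EnumProcessModulesEx", "GetModuleFileNameExA",
                    "GetModuleFileNameExW", "CreateToolhelp32Snapshot", "Module32First",
                    "Module32Next"}

def parse_report(text: str) -> dict:
    """Split one alert into header fields, the LSASS read, symbolised frames and process tree."""
    r = {"fields": {}, "lsass_pid": None, "address": None, "length": None,
         "frames": [], "process_trace": [], "thumbprint": None}
    section = "header"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line in SECTIONS:
            section = line
        elif section == "header":
            if m := KV_RE.match(line):
                r["fields"][m[1]] = m[2]
            elif m := LSASS_RE.match(line):
                r["lsass_pid"], r["address"], r["length"] = int(m[1]), m[2], int(m[3])
        elif section == "Stack Trace":
            # Disassembly lines such as "742c JZ ..." and the column header never match FRAME_RE
            if m := FRAME_RE.match(line):
                r["frames"].append({"index": int(m[1]), "address": m[2], "module": m[3],
                                    "function": m[4], "offset": m[5]})
        elif section == "Process Trace":
            # The command-line line that follows each entry never matches PROC_RE
            if m := PROC_RE.match(line):
                r["process_trace"].append((m[1], int(m[2])))
        elif section == "Thumbprint" and re.fullmatch(r"[0-9a-f]{64}", line):
            r["thumbprint"] = line
    return r

def triage(report: dict) -> str:
    """'module-enumeration' when a documented module-listing API is on the stack, else
    'direct-read', which is the case to review before adding any CredGuard exclusion."""
    functions = {f["function"] for f in report["frames"]}
    return "module-enumeration" if functions & MODULE_ENUM_APIS else "direct-read"

def summarize(reports: list[str]) -> list[tuple]:
    """One (description, LSASS pid, bytes read, verdict) row per report."""
    rows = []
    for text in reports:
        r = parse_report(text)
        rows.append((r["fields"].get("Description"), r["lsass_pid"], r["length"], triage(r)))
    return rows

# Sample reports: abridged copies of the three alerts posted in this thread.
COMODO = r"""Mitigation CredGuard
Platform 10.0.16299/x64 v734 06_2a
PID 188
Application C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
Description COMODO Internet Security 10.1
Reading LSASS (856) process memory: 00007FFB80C80000 L20480
Stack Trace
1 00007FFB7DD465A4 KernelBase.dll ReadProcessMemory +0x14
2 00007FFB6DD23FE7 mem.cav
742c JZ 0x7ffb6dd2401a
10 00007FFB7F941FE4 kernel32.dll BaseThreadInitThunk +0x14
Process Trace
1 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe [188]
"C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvScanner -Embedding
Thumbprint
4748ed32fc6b9cefffbb1bc556d783bf958e298d8a02857c64df6c56f1fea82e"""
EEK = r"""Mitigation CredGuard
Platform 10.0.16299/x64 v734 06_9e
PID 12232
Application C:\Program Files\EEK\BIN64\a2emergencykit.exe
Description Emsisoft Emergency Kit 2017.12
Reading LSASS (752) process memory: 0000000000000000 L1128
Stack Trace
1 00007FFD943165A4 KernelBase.dll ReadProcessMemory +0x14
4 00007FFD9439B954 KernelBase.dll EnumProcessModulesEx +0x84
5 00007FFD84A0B933 a2engine.dll
85c0 TEST EAX, EAX
Process Trace
1 C:\Program Files\EEK\BIN64\a2emergencykit.exe [12232]
2 C:\Program Files\EEK\Start Emergency Kit Scanner.exe [2468]
Thumbprint
3172805b62144b24359be9a9c93d7e9c9ae094500e2546589d850c1ce167799d"""
KERISH = r"""Mitigation CredGuard
Platform 10.0.16299/x64 v734 06_1e
PID 11856
Application C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe
Description Kerish Doctor 4.65
Reading LSASS (732) process memory: 771A7BEC L4
Stack Trace
1 771427FB ntdll.dll RtlpQueryProcessDebugInformationRemote +0x1ab
8 73B1F932 kernel32.dll CreateToolhelp32Snapshot +0xa2
9 00A22E00 KerishDoctor.exe
50 PUSH EAX
Process Trace
1 C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe [11856]
Thumbprint
542aa3f8e8353e25ee849d4e623444edbb43410b54b06143bdf21af757c42393"""

if __name__ == "__main__":
    for row in summarize([COMODO, EEK, KERISH]):
        print(row)
```

Running the file prints one row per report. The row marked direct-read is the one worth raising with the vendor (or checking against the application's documented scan behaviour) before disabling CredGuard or excluding the application, since that is the same call path HMP.A's Credential Theft Protection is designed to stop.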
  17. guest

    guest Guest

    Now we already have two of them which are triggering the CredGuard Mitigation (memory access):
     
  18. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    W7-x64, Installed build 734 Beta over build 729. So far NO issues
     
  19. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    No problems here so far (Windows 7 Pro x64). Credential theft protection turned off.
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    There is an incompatibility with Media Player Classic-HC. It was crashing with build 723 so it's not specific to 734. I have already added MPC-HC to HMPA's exclusion list (all mitigations are disabled).

    Here is a crash report from MPC-HC:

    WARNING: Following frames may be wrong.
    hmpalert!A3+0x41a54
    hmpalert!A3+0x41859
    hmpalert!A3+0x43fd0
    hmpalert!A3+0x1f468
    hmpalert!CVCCP+0x5493
    hmpalert!CVCCP+0x3cff
    kernelbase!ReadProcessMemory+0x1c
    mpc_hc!Mine_NtQueryInformationProcess+0x5b
    kernelbase!GetProcessId+0x1b
    hmpalert!CVCCP+0x1f43

    Repeated 661 times:
    hmpalert!CVCCP+0x1dbd
    hmpalert!CVCCP+0x78b9
    hmpalert!CVCCP+0x3d8e
    kernelbase!ReadProcessMemory+0x1c
    mpc_hc!Mine_NtQueryInformationProcess+0x5b
    kernelbase!GetProcessId+0x1b
    hmpalert!CVCCP+0x1f43

    hmpalert!CVCCP+0x1dbd
    hmpalert!CVCCP+0x78b9
    hmpalert!CVCCP+0x3d8e
    kernelbase!ReadProcessMemory+0x1c
    mpc_hc!Mine_NtQueryInformationProcess+0x5b
    kernelbase!GetExitCodeProcess+0x1b
    kernel32!GetExitCodeProcessImplementation+0x12
    quartz!CResourceManager::CheckProcessExists+0x3a
    quartz!CResourceManager::CheckProcessTable+0x36
    quartz!CResourceManager::OnThreadInit+0x3d
    quartz!CFGControl::CGraphWindow::OnReceiveMessage+0x38
    quartz!WndProc+0xb6
    user32!_InternalCallWinProc+0x2b
    user32!InternalCallWinProc+0x20
    user32!UserCallWinProcCheckWow+0x1be
    user32!DispatchClientMessage+0x1b3
    user32!__fnINLPCREATESTRUCT+0xa5
    ntdll!KiUserCallbackDispatcher+0x4d
    user32!VerNtUserCreateWindowEx+0x244
    user32!CreateWindowInternal+0x2ce
    user32!CreateWindowExW+0x38
    quartz!CBaseWindow::DoCreateWindow+0xc9
    quartz!CBaseWindow::prepareWindow+0xa4
    quartz!CFGControl::CFGControl+0x242
    quartz!CFilterGraph::CFilterGraph+0x426
    quartz!CFilterGraph::CreateInstanceInternal+0x27
    quartz!ObjectThread+0x66
    kernel32!BaseThreadInitThunk+0x24
    ntdll!__RtlUserThreadStart+0x2f
    ntdll!_RtlUserThreadStart+0x1b
     
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    Do you mean MPC-HC still crashes even if MPC-HC is added to HMPA's exclusion list?
    Do you mean with both HMPA build 723 and 734?
    I don't know about beta 734, but on my system with HMPA 723 stable, MPC-HC does not crash if it is added to HMPA's exclusion list.
    I don't know what is different. For specs, see my signature.
    Is it with specific file types that MPC-HC crashes?
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Yes, MPC-HC crashes instantly when trying to play an MP4 video with builds 723 and 734 after adding it to the HMPA exclusions list. For security I'm using Windows Defender, MBAM and HMPA, which over time has proven to be very stable and compatible with all of my applications. This is the first time I've had an app completely fail with this setup.
     
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    Thanks, Victek.
    As I said, I don't know about beta 734, but on my system with HMPA 723 stable, MPC-HC does not crash if it is added to HMPA's exclusion list.
    I wonder what the differentiating factor or factors may be. Your Windows 10, Windows Defender and MBAM are different from my system specs.

    Are there other HMPA + MPC-HC users that see MPC-HC crashing, even if it is added to HMPA's exclusion list?
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Do older versions of Windows also take advantage of this or is it limited to w10?
     
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Good question. I like MPC-HC but for now I've switched to VideoLAN which has the same features I need and works without issue on my system (well, so far :) )

    It would be interesting to hear from others. Also, since the MPC-HC crash logs are uploaded to their site there may be a fix eventually.
     