Is the standalone HitmanPro application installed on your system? If not, installing the standalone HitmanPro application may help. Starting a scan in HMPA should then start the HMP scan. However, even if the standalone HMP application is not installed, starting a scan in HMPA should start the HMP scan, and it seems it doesn't. This issue is not limited to CTP, but also concerns the other beta series, and the stable, if I'm not mistaken. This is something that needs fixing. What exactly do you mean? Do you mean the "Check for update" context menu item in the System Tray? How do you know checking for updates does not work? If the behavior is the same as in the other beta series and the stable, HMPA automatically checks for updates. After that, if no update is available, the System Tray context menu item says "No update available". A little later, the "Check for update" option returns, and can be started manually. If no update is available, the System Tray context menu item changes to "No update available" once again.
@erikloman & @markloman Having the HMP scan issue reappear again in v709 CTP3. Also posted on MalwareTips and tagged you. Thanks, Erik
Additional Observations: The scheduled scan with HMP is successfully killed by HMP.A CTP3, while a manual scan started from the HMP Icon does trigger the HMP.A warning, the scan does complete and is "not" killed: Manual scan will get a window showing the scan completed. And yes, both trigger the exact same error message with the same code and thumb, it's weird. Disabling CredGuard for now to try and resolve the error until a fix can be issued.
I noticed that too. In fact if you start the scan from HMPA by clicking the tile and then open a separate HMP scan window by clicking the HMP tray icon the scan will complete in spite of the CredGuard intercept.
A traditional AV has a "historic" list of known malware, meaning that it goes back in time, and includes even the old samples that are not popular right now. Supplemental antimalware scanners tend to focus on the current, popular samples.
Mitigation   PrivGuard
Platform     10.0.14393/x64 v709 06_4e
PID          3840
Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Description  Google Chrome 58

Sweep        Code Injection
0000000000010000-0000000000016000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1832]
0000000000020000-0000000000021000 4KB
00007FF9E8689000-00007FF9E868A000 4KB
000002A965099000-000002A96509A000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10512]
00007FF9E86B6000-00007FF9E86B7000 4KB
00007FF9E86B8000-00007FF9E86B9000 4KB

Still having issues with SBIE @ random
I got a credentials shield block, when installing Kaspersky Internet Security 2018 on top of HMPA 3.7.0.709. It happened immediately after the actual installation was completed, so it did not mess up the installation.
Not sure if you got my PM, the Asynchronous Process Call mitigation false positive in svchost from CTP1 has been fixed as of CTP2
Mitigation   PrivGuard
Platform     10.0.14393/x64 v709 06_4e
PID          12188
Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Description  Google Chrome 58

Sweep        Code Injection
0000000000B90000-0000000000B96000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1832]
0000000000BA0000-0000000000BA1000 4KB
00007FF9E8689000-00007FF9E868A000 4KB
000001CF86C27000-000001CF86C28000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10952]
00007FF9E86B6000-00007FF9E86B7000 4KB

Process Trace
1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [12188]
   "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088 --primordial-pipe-token=611D9D2D043A7BFAAB72AFCE396DA019 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visi
2  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10952]

Again @ random... But with added process trace
@Duotone: SandBoxie 5.20 is out: https://www.sandboxie.com/index.php?DownloadSandboxie Give it a try, it should fix your issue...
HMP.A CTP3
Trying to play the game Atlas Reactor from the Glyph Launcher.
https://www.atlasreactorgame.com/en/
https://www.trionworlds.com/glyph/download/en/

Code:
Log Name:      Application
Source:        HitmanPro.Alert
Date:          8/06/2017 4:00:02 PM
Event ID:      911
Task Category: Mitigation
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DESKTOP-LPQ76IG
Description:
Mitigation   CallerCheck
Platform     10.0.15063/x64 v709 7f_00
PID          9316
Application  C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe
Description  Atlas Reactor 5.4.3
Callee Type  LoadLibrary

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  056DEDEC (anonymous; mono.dll)
              8945d8        MOV [EBP-0x28], EAX
              e81c627771    CALL 0x76e55010
              83ec0c        SUB ESP, 0xc
              50            PUSH EAX
              e8afffffff    CALL 0x56dedac
              83c410        ADD ESP, 0x10
              8b45d8        MOV EAX, [EBP-0x28]
              8bf8          MOV EDI, EAX
              8b0588691f10  MOV EAX, [0x101f6988]
              85c0          TEST EAX, EAX
              750f          JNZ 0x56dee1e
              8bc7          MOV EAX, EDI
              8b55dc        MOV EDX, [EBP-0x24]
              8b4de0        MOV ECX, [EBP-0x20]
              8911          MOV [ECX], EDX
              8b7df0        MOV EDI, [EBP-0x10]
2  056DE91F (anonymous; mono.dll)
3  056DE843 (anonymous; mono.dll)
4  056DE823 (anonymous; mono.dll)
5  056C02F3 (anonymous; mono.dll)
6  100F1716 mono.dll
7  1005D82C mono.dll                 mono_runtime_invoke +0x51
8  100603FB mono.dll                 mono_array_new +0x232
9  10060281 mono.dll                 mono_array_new +0xb8
10 100F12A2 mono.dll

Process Trace
1  C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe [9316]
   "C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe" -s wss://208.94.26.102 -t "C:/Users/lukec/AppData/Local/Temp/Glyph.bZ1300" -o EnableLogging=true -l en
2  C:\Program Files (x86)\Glyph\GlyphClientApp.exe [1300]
3  C:\Program Files (x86)\Glyph\GlyphCrashHandler.exe [6196]
   "C:\Program Files (x86)\Glyph\GlyphCrashHandler.exe" -launch "C:\Program Files (x86)\Glyph\GlyphClientApp.exe" "C:\Program Files (x86)\Glyph" ""
4  C:\Program Files (x86)\Glyph\GlyphClientApp.exe [2480]
   GlyphClientApp.exe
5  C:\Program Files (x86)\Glyph\GlyphClient.exe [7704]
6  C:\Windows\explorer.exe [5448]
7  C:\Windows\System32\userinit.exe [5424]
8  C:\Windows\System32\winlogon.exe [812]
   winlogon.exe
9  C:\Windows\System32\smss.exe [700]
   \SystemRoot\System32\smss.exe 000000ac 0000006c

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-06-08T06:00:02.293401200Z" />
    <EventRecordID>6337</EventRecordID>
    <Channel>Application</Channel>
    <Computer>DESKTOP-LPQ76IG</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe</Data>
    <Data>CallerCheck</Data>
    <Data>Mitigation   CallerCheck
Platform     10.0.15063/x64 v709 7f_00
PID          9316
Application  C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe
Description  Atlas Reactor 5.4.3
Callee Type  LoadLibrary

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  056DEDEC (anonymous; mono.dll)
              8945d8        MOV [EBP-0x28], EAX
              e81c627771    CALL 0x76e55010
              83ec0c        SUB ESP, 0xc
              50            PUSH EAX
              e8afffffff    CALL 0x56dedac
              83c410        ADD ESP, 0x10
              8b45d8        MOV EAX, [EBP-0x28]
              8bf8          MOV EDI, EAX
              8b0588691f10  MOV EAX, [0x101f6988]
              85c0          TEST EAX, EAX
              750f          JNZ 0x56dee1e
              8bc7          MOV EAX, EDI
              8b55dc        MOV EDX, [EBP-0x24]
              8b4de0        MOV ECX, [EBP-0x20]
              8911          MOV [ECX], EDX
              8b7df0        MOV EDI, [EBP-0x10]
2  056DE91F (anonymous; mono.dll)
3  056DE843 (anonymous; mono.dll)
4  056DE823 (anonymous; mono.dll)
5  056C02F3 (anonymous; mono.dll)
6  100F1716 mono.dll
7  1005D82C mono.dll                 mono_runtime_invoke +0x51
8  100603FB mono.dll                 mono_array_new +0x232
9  10060281 mono.dll                 mono_array_new +0xb8
10 100F12A2 mono.dll

Process Trace
1  C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe [9316]
   "C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe" -s wss://208.94.26.102 -t "C:/Users/lukec/AppData/Local/Temp/Glyph.bZ1300" -o EnableLogging=true -l en
2  C:\Program Files (x86)\Glyph\GlyphClientApp.exe [1300]
3  C:\Program Files (x86)\Glyph\GlyphCrashHandler.exe [6196]
   "C:\Program Files (x86)\Glyph\GlyphCrashHandler.exe" -launch "C:\Program Files (x86)\Glyph\GlyphClientApp.exe" "C:\Program Files (x86)\Glyph" ""
4  C:\Program Files (x86)\Glyph\GlyphClientApp.exe [2480]
   GlyphClientApp.exe
5  C:\Program Files (x86)\Glyph\GlyphClient.exe [7704]
6  C:\Windows\explorer.exe [5448]
7  C:\Windows\System32\userinit.exe [5424]
8  C:\Windows\System32\winlogon.exe [812]
   winlogon.exe
9  C:\Windows\System32\smss.exe [700]
   \SystemRoot\System32\smss.exe 000000ac 0000006c
</Data>
  </EventData>
</Event>
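The mitigation descriptions pasted in this thread (the CallerCheck event above and the PrivGuard / Sandboxie sweeps earlier) all share one layout: a header with the mitigation name, platform, build, PID and application path, a free-text part, and a "Process Trace" listing the parent chain. As an added example (not HitmanPro.Alert's or Sophos's own tooling), the Python below pulls those fields out of an Event ID 911 record so that a defender can sort such alerts by mitigation, process and parent chain rather than reading each one by hand. The sample event and description are constructed from the values in this thread, with the stack trace and most command-line arguments left out; the field layout the regular expressions assume is inferred from the posts, so treat it as an assumption about the format rather than a documented schema.

```python
"""Parse HitmanPro.Alert mitigation events (Event ID 911) from the Windows
Application log. Added example: these helpers are not HitmanPro.Alert's own
tooling, and the field layout they assume is inferred from the descriptions
posted in this thread. Sample inputs are constructed from those posts, with
stack traces and most command-line arguments omitted."""
import re
import xml.etree.ElementTree as ET

# Namespace of the Event XML shown in Event Viewer's Details pane.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed header layout: "Mitigation <name> Platform <os/arch> v<build> <tag>
# PID <n> Application <path> Description <free text ...> [Process Trace ...]".
HEADER_RE = re.compile(
    r"^Mitigation (?P<mitigation>\S+) Platform (?P<platform>\S+) (?P<version>v\S+) "
    r"\S+ PID (?P<pid>\d+) Application (?P<application>.+?) Description (?P<rest>.*)$",
    re.S,
)
# One "Process Trace" entry: ordinal, image path, [pid]; a command line may follow.
TRACE_RE = re.compile(r"(?P<n>\d+) (?P<image>[A-Za-z]:\\[^\[]+?) \[(?P<pid>\d+)\]")
# One PrivGuard sweep region: start-end, size, optional attributed image [pid].
SWEEP_RE = re.compile(
    r"([0-9A-Fa-f]{16})-([0-9A-Fa-f]{16}) (\d+)KB(?: ([A-Za-z]:\\[^\[]+?) \[(\d+)\])?"
)

# Constructed from the CallerCheck event pasted above (abridged).
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="HitmanPro.Alert" />
<EventID Qualifiers="0">911</EventID>
<Level>2</Level>
<Task>9</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-06-08T06:00:02.293401200Z" />
<EventRecordID>6337</EventRecordID>
<Channel>Application</Channel>
<Computer>DESKTOP-LPQ76IG</Computer>
<Security />
</System>
<EventData>
<Data>C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe</Data>
<Data>CallerCheck</Data>
<Data>Mitigation CallerCheck Platform 10.0.15063/x64 v709 7f_00 PID 9316 Application C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe Description Atlas Reactor 5.4.3 Callee Type LoadLibrary Process Trace 1 C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe [9316] "C:\Program Files (x86)\Glyph\Games\Atlas Reactor\Live\Win32\AtlasReactor.exe" -o EnableLogging=true -l en 2 C:\Program Files (x86)\Glyph\GlyphClientApp.exe [1300] 3 C:\Program Files (x86)\Glyph\GlyphCrashHandler.exe [6196] 4 C:\Windows\explorer.exe [5448]</Data>
</EventData>
</Event>"""

# Constructed from the PrivGuard / Sandboxie description posted earlier (abridged).
SAMPLE_PRIVGUARD = (
    r"Mitigation PrivGuard Platform 10.0.14393/x64 v709 06_4e PID 12188 "
    r"Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "
    r"Description Google Chrome 58 Sweep Code Injection "
    r"0000000000B90000-0000000000B96000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1832] "
    r"0000000000BA0000-0000000000BA1000 4KB 00007FF9E8689000-00007FF9E868A000 4KB "
    r"Process Trace 1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [12188] "
    r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer '
    r"2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10952]"
)


def parse_description(text):
    """Split a mitigation description into header fields, free-text details
    and the process trace (child first)."""
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError("not a HitmanPro.Alert mitigation description")
    info = m.groupdict()
    info["pid"] = int(info["pid"])
    details, _, trace_text = info.pop("rest").partition("Process Trace")
    info["details"] = details.strip()
    info["process_trace"] = [
        {"n": int(t.group("n")), "image": t.group("image"), "pid": int(t.group("pid"))}
        for t in TRACE_RE.finditer(trace_text)
    ]
    return info


def parse_event(xml_text):
    """Parse one Event XML record; refuse anything but HitmanPro.Alert event 911."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    if provider != "HitmanPro.Alert" or event_id != 911:
        raise ValueError(f"unexpected event {provider}/{event_id}")
    data = [d.text or "" for d in root.find("e:EventData", NS).findall("e:Data", NS)]
    # Observed layout: Data[0] = application path, Data[1] = mitigation,
    # Data[2] = the full description text (assumption drawn from the paste above).
    info = parse_description(data[2])
    info["time_created"] = system.find("e:TimeCreated", NS).get("SystemTime")
    info["computer"] = system.findtext("e:Computer", namespaces=NS)
    info["record_id"] = int(system.findtext("e:EventRecordID", namespaces=NS))
    return info


def parent_chain(info):
    """Image file names along the process trace, child first. A game started by
    its own launcher is expected; an unfamiliar parent is what to look at."""
    return [e["image"].rsplit("\\", 1)[-1] for e in info["process_trace"]]


def sweep_regions(info):
    """For PrivGuard 'Sweep' descriptions: the flagged memory regions and, where
    reported, the image/pid the region was attributed to (None if unattributed)."""
    return [
        {"start": int(s, 16), "end": int(e, 16), "size_kb": int(kb),
         "owner": owner or None, "owner_pid": int(opid) if opid else None}
        for s, e, kb, owner, opid in SWEEP_RE.findall(info["details"])
    ]


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT_XML)
    print(ev["mitigation"], ev["pid"], ev["application"])
    print(" <- ".join(parent_chain(ev)))
    pg = parse_description(SAMPLE_PRIVGUARD)
    for r in sweep_regions(pg):
        print(f"{r['start']:016X}-{r['end']:016X} {r['size_kb']}KB {r['owner'] or '(unattributed)'}")
```

For the PrivGuard sweeps in this thread, `sweep_regions` makes the attribution explicit: the 24KB region is attributed to SbieSvc.exe, which is the Sandboxie service the later reply points at, while the 4KB regions carry no owner. Feeding real records in is a matter of exporting the Application log (Event Viewer or `wevtutil`) and passing each `<Event>` element to `parse_event`.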
Been running build 709 for three days now. The multiple crashes (especially on IE11) that plagued my Windows 7 system with earlier builds have stopped completely. (Knock on wood.)
At the moment, temporarily disabling the Anti-Malware Protection is the only "solution". But it would be nice if executables or whole folders could be excluded.
I resolved this, just didn't want to face the facts that it was my machine. I'll stick with 708 for the time being. CredGuard alerts during regedit are infrequent; although HMPA "remembered" not to run a malware scan after re-installation of 708, when I ran one manually, again, I got a CredGuard mitigation. Again, not enough for me to justify disabling it and then risk forgetting about it.