HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. guest

    guest Guest

    Same here.
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Does the new beta contain a fix for the failed Windows updates issue?
     
  3. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Curious here too. +1 :thumb:
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    +1. No explicit mention of it in the 717b release notes. Guess we'll find out with the Fall Creators Update, unless there is another cumulative update before Oct 17?

    Just checked: dism /online /cleanup-image /checkhealth and sfc /scannow are working with HMPA active (service running) in 717b. Which wasn't the case with 712b.
    So if this is in any way related to the WU issue (which it appeared to be for me), maybe it's fixed.

    @_CyberGhosT_ Did you also personally experience this issue?
     
  5. lyzanxia

    lyzanxia Registered Member

    Joined:
    Jun 12, 2016
    Posts:
    5
    Location:
    Belgium
    Just installed this new beta (3.7.0 build 717) and on reboot of the PC, Kaspersky Anti-Virus 17 got shut down by CredGuard.

    Mitigation CredGuard

    Platform 10.0.15063/x64 v717 06_9e
    PID 11400
    Application C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 17.0.0\avp.exe
    Description Kaspersky Anti-Virus 17

    \REGISTRY\MACHINE\SAM\SAM\Domains\Account

    Thumbprint
    a606cfc5b2f09b5a49e8ea0f95716efc326f6709c3dc91fcaafdd7457e05afec


     
  6. alawyer

    alawyer Registered Member

    Joined:
    May 17, 2017
    Posts:
    35
    Location:
    the final frontier
    Is there a need for an AV with this beta HMP Alert?
     
  7. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    No (unless for testing purposes).
    At the same time, there is no need for an additional AE, period.

    You have to choose what's best for you, but if you can, avoid duplicating functions (even though this behaviour is quite usual).
    Moreover, Alert (at least as a pure AE) is way better than any other solution out there (except maybe the new EG embedded in FCU, who knows: Erik?)...
     
  8. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    No, I haven't, not this bug. A couple of folks I speak with daily have, though.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    HMPA doesn't do all the things that a regular AV does. It is recommended to run a simple AV alongside HMPA, unless you are one of those people who is against signature-based protection, on principle.
    If you are running Windows 10, Windows Defender is a perfectly adequate complement to HMPA.
     
  10. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Nice post shmu26. The best combo I have found for HMPA on Win10 Pro x64 is
    Emsisoft with HMPA; for me it just works very well with low resource usage.
    For those with a "sig-free" bug like me, try DeepArmor & HMPA, an "Ultra-Lite"
    config that is for the brave of heart :)
     
  11. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    PrivGuard sandboxed IE11.

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 25-9-2017 9:14:04
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: ******
    Description:
    Mitigation PrivGuard

    Platform 10.0.15063/x64 v717 06_17*
    PID 4284
    Application C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description Internet Explorer 11

    Sweep

    Code Injection
    0000000000920000-0000000000926000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [3412]
    0000000000930000-0000000000931000 4KB
    00007FFFB8E89000-00007FFFB8E8A000 4KB

    Process Trace
    1 C:\Program Files (x86)\Internet Explorer\iexplore.exe [4284]
    2 C:\Program Files\Sandboxie\Start.exe [8780]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Users\******" /env:=Refresh "C:\Users\******\Desktop\Internet Explorer 11.lnk"
    3 C:\Program Files\Sandboxie\SbieSvc.exe [3412]

    Win10 1703 build 15063.608 x64/Norton Security v22.10.1.10/Sandboxie 5.20/HmP.Alert 717 beta
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    HMPA silent interference with WU Cumulative Updates, as reported by some, is not fixed here. Win 10 Pro x64 v1703 15063.608, HMPA build 717b.

    Run WU, nothing found.
    Stop and disable HMPA service.
    Run WU, Cumulative Update KB4040724 found.

    Now downloading.
     
  13. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    For all that have issues with Windows Updates failing

    Can you please stop the hmpalert service and rename c:\programdata\hitmanpro.alert\excalibur.db -> excalibur.db.old.
    Then restart the machine and check for Windows Updates; in addition, try sfc to see if that works as expected.
    Open an admin command box and execute "sfc /scannow" and see if that works as expected.
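    Scripted version of the steps above (RonnyT's excalibur.db rename, plus the comparison paulderdash ran earlier in the thread: check WU, stop and disable the HMP.A service, check WU again, and the sfc/dism health checks). This is an added example, not code from this thread or from the HitmanPro.Alert developers. It assumes the service is named hmpalert and the database lives at C:\ProgramData\HitmanPro.Alert\excalibur.db, exactly as written in the post, and that the service's normal startup type is Automatic; run it from an elevated PowerShell.

```powershell
# Added example, not from the thread or from the HitmanPro.Alert vendor.
# Assumptions: service name "hmpalert", database path as given by RonnyT,
# and the service normally starts Automatically (restored by Enable-Hmpa).
#Requires -RunAsAdministrator

$ServiceName = 'hmpalert'
$DbPath      = 'C:\ProgramData\HitmanPro.Alert\excalibur.db'

function Disable-HmpaAndRenameDb {
    # Stop the service and keep it from coming back on the reboot that follows;
    # paulderdash disabled (not just stopped) it for the same reason.
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    Set-Service -Name $ServiceName -StartupType Disabled

    # Rename by full, literal path: with "Hide extensions for known file types"
    # on, Explorer shows several "excalibur" entries and it is easy to pick the wrong one.
    if (Test-Path -LiteralPath $DbPath) {
        $old = "$DbPath.old"
        if (Test-Path -LiteralPath $old) { Remove-Item -LiteralPath $old -Force }
        Rename-Item -LiteralPath $DbPath -NewName 'excalibur.db.old' -ErrorAction Stop
    }
    # Show what is left so the rename can be verified (extensions included).
    Get-ChildItem -LiteralPath (Split-Path $DbPath) -Filter 'excalibur*' -Force |
        Select-Object Name, Length, LastWriteTime
}

function Test-AfterReboot {
    # Run after the reboot, once with the service stopped and once with it running,
    # and compare: this separates "sfc fails" from "WU does not offer the cumulative update".
    $results = [ordered]@{}

    sfc.exe /scannow | Out-Null                      # 0 = completed without error
    $results['sfc_exit'] = $LASTEXITCODE

    dism.exe /online /cleanup-image /checkhealth | Out-Null
    $results['dism_exit'] = $LASTEXITCODE

    # Ask the Windows Update agent what it would offer right now (built-in COM API;
    # this can take a few minutes).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $found    = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $results['pending_updates'] = @($found.Updates | ForEach-Object { $_.Title })

    [pscustomobject]$results
}

function Enable-Hmpa {
    # Put the service back once WU behaves again.
    Set-Service -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
}

# Usage:
#   Disable-HmpaAndRenameDb ; Restart-Computer
#   ...after the reboot...
#   Test-AfterReboot          # service still disabled
#   Enable-Hmpa ; Test-AfterReboot   # service running: does the pending list shrink?
```

If the cumulative update appears in `pending_updates` only while the service is disabled, that reproduces the "silent interference" paulderdash saw; if `sfc_exit` is non-zero only with the service running, that is the older sfc symptom the database rename was meant to clear.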
     
  14. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Dumped MBAE (don't ask); added HMPA. Is this action dumb, wise, or neither?
     
  15. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    I have used both and have been using HMPA now for awhile. It has more 'stuff' than MBAE and works well with AppGuard and Emsisoft. I don't have the HMPA Anti-Malware module activated and also have turned off some of the unnecessary (to me) risk reductions.
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks Ronny. The issue for me is not so much Windows Updates failing, but Cumulative Updates not being detected (well, I suppose you could call that a failure :) ...).

    The above solution was previously offered by Mark, but it's too late for me to test whether it solves the WU issue, as I have updated now (#562) with the HMP.A service disabled.
    That solution did previously solve my 'sfc /scannow' not running, though.

    But, in my case, 'sfc /scannow' now was / is working fine with the HMP.A service running, but WU was not detecting the Cumulative Update KB4040724 (until I stopped the HMP.A service, and also disabled it because I did not want it to restart on reboot during the update).

    Maybe @mood or @shmu26 can still test this, if they haven't upgraded KB4040724 yet, and are also still experiencing the WU detection issue.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Just noticed, my browsers are protected, and I get the green flyout, but no green border. Settings are correct.

    Not sure when this started, whether it was with 717b. Just updated to Sandboxie 5.21.4 beta, dunno if that has something to do with it, but I only sandbox Firefox. Other browsers show no green border.

    Win 10 Pro x64 v1703 15063.632, HMP.A build 717 beta.

    Edit: Also no keystroke encryption indicator.
     
    Last edited: Sep 27, 2017
  18. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Sandboxed Firefox 55.0.3 and IE11 (Sandboxie 5.21.4 beta/Hmp.Alert build 717 beta): no problems.
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks. Rebooted now, and it seems to have resolved itself. o_O
     
  20. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Just installed the beta (for some reason I had been using the stable release for quite some time when I thought I was using the beta >_<) and came across the issue of not being able to make images with Macrium Reflect. Disabled Credential Theft Protection and it started working again, though I noticed that the Credential Theft Protection icon didn't get marked like other disabled protections: still grey as opposed to black, guessing it's a GUI issue.

    Speaking of which, what actually is this "SAM" thing?
     
  21. plat1098

    plat1098 Guest

    This didn't work for me, with sfc at least. There are several excalibur files; maybe I got the wrong one. Regardless, when I restarted, another excalibur file loaded and, naturally, sfc didn't complete. No problem with 604.

    hmpa exc old sfc.PNG

    Windows 10 Pro 15063.632, VoodooShield release 3.59, Windows Defender with heuristics, behavior monitoring and Application Guard enabled. Strange issue with Defender's updates showing as updated when the defs were created and the machine wasn't even on, yet updates were received properly and it is current.

    def up.png
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    It's a file named SAM, located in Windows\System32\config.
     
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Based on your screen capture, I suppose you don't have "File name extensions" checked, or "Hide extensions for known file types" un-checked.
    If you check "File name extensions", or un-check "Hide extensions for known file types", excalibur.db is shown with the .db extension.
    excalibur.db was the file you wanted to rename.
    Based on your screen capture, I think you successfully renamed the correct excalibur(.db) file.
    If you want to be sure, check "File name extensions", or un-check "Hide extensions for known file types", to see if the excalibur file is the correct excalibur.db
     
  24. guest

    guest Guest

    HMP.A is preventing access to it (file/registry/memory).
     
  25. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    This used to only happen occasionally, but I just upgraded to the latest version of Opera and now I cannot launch Opera at all. I am running HMP.A 3.6.7 build 604. Please assist.

    Here is the output from the Event Viewer for when I try to launch Opera within a Comodo sandbox:

    Mitigation Lockdown

    Platform 10.0.14393/x64 v604 06_2a
    PID 12636
    Application C:\Users\xxx\AppData\Local\Programs\opera x64\launcher.exe
    Description Opera Internet Browser 48

    Filename C:\Users\xxx\appdata\local\programs\opera x64\48.0.2685.32\opera.exe
    Created By D:\TMP\opera autoupdate\CUsersxxxAppDataLocalProgramsOpera x64\installing\installer.exe

    Command line:
    "C:\Users\xxx\appdata\local\programs\opera x64\48.0.2685.32\opera.exe" --ran-launcher

    Process Trace
    1 C:\Users\xxx\AppData\Local\Programs\Opera x64\launcher.exe [12636]
    2 C:\Program Files\COMODO\COMODO Internet Security\virtkiosk.exe [5600]
    "C:\Program Files\COMODO\COMODO Internet Security\virtkiosk.exe" -v "c:\users\xxx\appdata\local\programs\opera x64\launcher.exe"
    3 C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [3748]
    4 C:\Windows\System32\svchost.exe [1396]
    C:\Windows\system32\svchost.exe -k netsvcs
    5 C:\Windows\System32\services.exe [896]
    6 C:\Windows\System32\wininit.exe [768]
    wininit.exe

    Thumbprint
    403913a0983db0854bdd1ac6e89a3cf72306e887d661e940766c214bec03dc69


    And here is the output when I launch Opera outside of the sandbox:

    Mitigation Lockdown

    Platform 10.0.14393/x64 v604 06_2a
    PID 16352
    Application C:\Users\xxx\AppData\Local\Programs\Opera x64\48.0.2685.32\opera.exe
    Description Opera Internet Browser 48

    Filename C:\Users\xxx\AppData\Local\Programs\Opera x64\48.0.2685.32\opera.exe
    Created By D:\TMP\opera autoupdate\CUsersxxxAppDataLocalProgramsOpera x64\installing\installer.exe


    Process Trace
    1 C:\Users\xxx\AppData\Local\Programs\Opera x64\48.0.2685.32\opera.exe [16352]
    "C:\Users\xxx\AppData\Local\Programs\Opera x64\48.0.2685.32\opera.exe" --ran-launcher --started-from-shortcut
    2 C:\Users\xxx\AppData\Local\Programs\Opera x64\launcher.exe [10884]
    3 C:\Windows\explorer.exe [4208]
    4 C:\Windows\System32\userinit.exe [4112]
    5 C:\Windows\System32\winlogon.exe [852]
    winlogon.exe
    6 C:\Windows\System32\smss.exe [760]
    \SystemRoot\System32\smss.exe 000000c0 0000007c

    Thumbprint
    f43248ef2ee3ae2da9c134939256c97f1aabff421ccfa3a4204d9411bbab978f
     