First little run-in w/Sandboxie. I run a bad browser (Internet Explorer) due to very limited C space (80 gb). I've excluded some of Sbie stuff in HMP Alert's interface. After scan was complete, Alert unfortunately froze and had to be force-closed. Only browser was open. This is Alert beta 719; I see an updated Alert beta is coming out in a few days. OK.
PrivGuard-mitigation build 718 beta, Firefox 56.0 and Sandboxie beta 5.21.6.

Logboeknaam: Application
Bron: HitmanPro.Alert
Datum: 22-10-2017 13:22:30
Gebeurtenis-id: 911
Taakcategorie: Mitigation
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Mitigation PrivGuard
Platform 10.0.16299/x64 v718 06_17*
PID 1912
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 56

Sweep Code Injection
0000000000460000-0000000000466000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [10932]
0000000000470000-0000000000471000 4KB
00007FFF78F79000-00007FFF78F7A000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [10932]
2 C:\Windows\System32\services.exe [772]

Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [1912]
2 C:\Program Files\Sandboxie\Start.exe [5444]
  "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.lnk"
3 C:\Program Files\Sandboxie\SbieSvc.exe [10932]
4 C:\Windows\System32\services.exe [772]

Gebeurtenis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-10-22T11:22:30.237691700Z" />
    <EventRecordID>369</EventRecordID>
    <Channel>Application</Channel>
    <Computer>****</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files\Mozilla Firefox\firefox.exe</Data>
    <Data>PrivGuard</Data>
    <Data>Mitigation PrivGuard Platform 10.0.16299/x64 v718 06_17* PID 1912 Application C:\Program Files\Mozilla Firefox\firefox.exe Description Firefox 56 Sweep Code Injection 0000000000460000-0000000000466000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [10932] 0000000000470000-0000000000471000 4KB 00007FFF78F79000-00007FFF78F7A000 4KB 1 C:\Program Files\Sandboxie\SbieSvc.exe [10932] 2 C:\Windows\System32\services.exe [772] Process Trace 1 C:\Program Files\Mozilla Firefox\firefox.exe [1912] 2 C:\Program Files\Sandboxie\Start.exe [5444] "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.lnk" 3 C:\Program Files\Sandboxie\SbieSvc.exe [10932] 4 C:\Windows\System32\services.exe [772]</Data>
  </EventData>
</Event>

Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41
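An added example, not code from the post or from HitmanPro.Alert: it parses the Event ID 911 description text above into structured fields (mitigation, build, PID, flagged regions with the module they were attributed to, and the parent-process chain), so a defender can separate Sandboxie-attributed regions from unattributed ones when triaging such alerts. The field layout is assumed from the post; the sample is re-typed from it and trimmed to two regions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the Event ID 911 description from the post above, re-typed as one line
# and trimmed to two regions; the Process Trace part keeps Start.exe's command line.
SAMPLE = (
    "Mitigation PrivGuard Platform 10.0.16299/x64 v718 06_17* PID 1912 "
    "Application C:\\Program Files\\Mozilla Firefox\\firefox.exe Description Firefox 56 "
    "Sweep Code Injection 0000000000460000-0000000000466000 24KB "
    "C:\\Program Files\\Sandboxie\\SbieSvc.exe [10932] "
    "0000000000470000-0000000000471000 4KB "
    "Process Trace 1 C:\\Program Files\\Mozilla Firefox\\firefox.exe [1912] "
    "2 C:\\Program Files\\Sandboxie\\Start.exe [5444] \"C:\\Program Files\\Sandboxie\\Start.exe\" "
    "/env:=Refresh \"C:\\Users\\Public\\Desktop\\Firefox 56.0.lnk\" "
    "3 C:\\Program Files\\Sandboxie\\SbieSvc.exe [10932] 4 C:\\Windows\\System32\\services.exe [772]"
)

@dataclass
class MitigationEvent:
    mitigation: str   # e.g. PrivGuard, APCViolation
    build: int        # HitmanPro.Alert build ("v718")
    pid: int
    application: str
    regions: List[Tuple[int, int, int, str]] = field(default_factory=list)  # start, end, KB, owner module
    trace: List[Tuple[str, int]] = field(default_factory=list)              # parent chain: path, pid

HEAD = re.compile(r"^Mitigation (\S+) Platform \S+ v(\d+) \S+ PID (\d+) Application (.+?) Description ")
REGION = re.compile(r"([0-9A-F]{16})-([0-9A-F]{16}) (\d+)KB(?: (\S.*?) \[\d+\])?")
TRACE = re.compile(r"(?<!\S)\d+ (\S.*?) \[(\d+)\]")  # "N path [pid]", skips any command line

def parse_event(desc: str) -> MitigationEvent:
    """Parse the description text of a HitmanPro.Alert mitigation event (assumed layout)."""
    head = HEAD.match(desc)
    if not head:
        raise ValueError("not a HitmanPro.Alert mitigation description")
    ev = MitigationEvent(head.group(1), int(head.group(2)), int(head.group(3)), head.group(4))
    body, _, trace = desc.partition(" Process Trace ")
    for start, end, kb, owner in REGION.findall(body):
        ev.regions.append((int(start, 16), int(end, 16), int(kb), owner))
    ev.trace = [(path, int(pid)) for path, pid in TRACE.findall(trace)]
    return ev

def injecting_modules(ev: MitigationEvent) -> List[str]:
    """Paths HitmanPro attributed the flagged regions to; an empty owner means unattributed."""
    return sorted({owner for *_, owner in ev.regions if owner})

if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    print(ev.mitigation, ev.pid, injecting_modules(ev), [pid for _, pid in ev.trace])
```

On the sample this attributes the 24KB region to SbieSvc.exe and leaves the 4KB region unattributed, which is the distinction that matters when deciding whether an exclusion for the Sandboxie service is the right fix.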
HitmanPro.Alert 3.7.0 build 720 BETA

Changelog (compared to build 718)
- Added automatic protection of Microsoft Outlook (under the Office category) to defend against e.g. DDE attacks embedded in the body of malicious emails or calendar invites. More info here: https://nakedsecurity.sophos.com/2017/10/22/office-dde-attack-works-in-outlook-too-heres-what-to-do/
- Fixed compatibility issue with certain .NET applications (incl. AdGuard and SimpleDNSCrypt).
- Fixed Application Lockdown which accidentally no longer blocked e.g. malicious PowerShell scripts launched from e.g. Microsoft Word or Internet Explorer. It was broken since beta build 714.

Download http://test.hitmanpro.com/hmpalert3b720.exe

This build includes Microsoft co-signed drivers and runs on Secure Boot as well. Please let us know how this build runs on your machine. Thanks
Cuckoo Build 720: https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-26#post-2714274
Upgraded to the new beta: Guess not fixed yet.

When opening "Device Manager":
Mitigation APCViolation
Platform 10.0.16299/x64 v720 06_3f
PID 11180
Application C:\Windows\SysWOW64\dllhost.exe
Description COM Surrogate 10

APC intercepted:
003F0080 55 PUSH EBP
003F0081 8bec MOV EBP, ESP
003F0083 8b4d08 MOV ECX, [EBP+0x8]
003F0086 83ec08 SUB ESP, 0x8
003F0089 85c9 TEST ECX, ECX
003F008B 7439 JZ 0x3f00c6
003F008D 0fb711 MOVZX EDX, WORD [ECX]
003F0090 6685d2 TEST DX, DX
003F0093 7431 JZ 0x3f00c6
003F0095 56 PUSH ESI
003F0096 8b7104 MOV ESI, [ECX+0x4]
003F0099 83fe18 CMP ESI, 0x18
003F009C 7227 JB 0x3f00c5
003F009E 8b4108 MOV EAX, [ECX+0x8]
003F00A1 0b410c OR EAX, [ECX+0xc]
003F00A4 741f JZ 0x3f00c5

Thumbprint efc68f679465dc215fe731acb0a43efff0760166631a49fee7cdf039f07ae0d0

When starting "Windows Device Recovery Tool":
Mitigation APCViolation
Platform 10.0.16299/x64 v720 06_3f
PID 12196
Application C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool\WindowsDeviceRecoveryTool.exe
Description Windows Device Recovery Tool 3.12

APC intercepted:
00D10080 55 PUSH EBP
00D10081 8bec MOV EBP, ESP
00D10083 8b4d08 MOV ECX, [EBP+0x8]
00D10086 83ec08 SUB ESP, 0x8
00D10089 85c9 TEST ECX, ECX
00D1008B 7439 JZ 0xd100c6
00D1008D 0fb711 MOVZX EDX, WORD [ECX]
00D10090 6685d2 TEST DX, DX
00D10093 7431 JZ 0xd100c6
00D10095 56 PUSH ESI
00D10096 8b7104 MOV ESI, [ECX+0x4]
00D10099 83fe18 CMP ESI, 0x18
00D1009C 7227 JB 0xd100c5
00D1009E 8b4108 MOV EAX, [ECX+0x8]
00D100A1 0b410c OR EAX, [ECX+0xc]
00D100A4 741f JZ 0xd100c5

Process Trace
1 C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool\WindowsDeviceRecoveryTool.exe [12196]
2 C:\Windows\explorer.exe [7904]
3 C:\Windows\System32\userinit.exe [7612]

Thumbprint 1d904e3163b2645b8f5aa2bb1225d0a3b02bdf4d72ce039ebde062340a206c8d

The .NET I mentioned usually would pop up after a certain time when the PC was not in active use so no idea if that is fixed. Wonders if these are EMT64/AMD64 related issues.
Just to add: all my systems run 64bits versions of the OS.
In order to start Cyberghost VPN Service or Zemana AM Service, it is needed to add CG6Service.exe and zam.exe to Mitigation Exploit Exclusions.
Can anyone try to use the Windows Backup & Restore with it, and tell me if the backup is blocked during its course or not?
I've just released a new data update for HitmanPro.Alert. You should get it automatically within the next 4 hours. The issues you mentioned should automatically get fixed. You could also restart the machine to force an update of the data file.
No issue opening device manager, on my notebook. Maybe WIN8.1 is not affected, or I already got the data update. Version number does not change, right?
Build 720 installs without issue on Win 10 Pro x64 v1709 16299.19. +1 I am not using that, but it opens OK ...
Just requesting some clarification here w/Alert 720: Sandboxie.exe was excluded; however, the Sbie icon is showing up under "exploit mitigations." Why is it displayed there with the protected apps?
Can you please explain what the issue is? Did you add these applications to Exploit mitigations and/or which alerts/behavior do they cause that you need to exclude them? Please post including thumbprint.
Not just opened, I need you to run it and see if the backup is not interrupted. Thanks, by the way, for testing.
If I turn it on, 'Backing up your data ...' so it seems to be working (?), but I have cancelled it now because I don't want the Windows backup.
I am betting Windows backup will also fail, but if you are going to test it you have to run it ALL the way through. Most of the imaging failures I have seen happen at the very end.