Apparently not. Still crashing on v729. I have another dump and won't be sending it unless someone from Surfright/SOPHOS specifically requests it, to show me there is interest. I also still have all the other dumps I sent. If you need more specifics, just holler.
I can create as many dumps as you want, so if you need more, let me know. I have a feeling SOPHOS QA doesn't do much testing on 32-bit systems. Crashes consistently together with Shadow Defender when in shadow mode after shutting down on Win7 32-bit on ThinkPads L460 and T60, and with XP on T60. See your PM for the link. This dump is with v729 installed.
HitmanPro.Alert 3.7.4 Build 734 BETA
Changelog (compared to build 729)

Improved Credential Theft Protection, which now terminates applications that attempt to access LSASS in an offending way
Improved error handling when activating a trial or product key
Improved startup time of the HitmanPro.Alert Service
Improved mini-filter performance which speeds-up CryptoGuard
Improved CryptoGuard to handle compressed PDF files more accurately
Improved Application Lockdown with detailed thumbprint generation for script-based attacks and to block abuse of Certutil and Python
Improved event logging of APC mitigation alerts
Added Event ID 800 (malware detected) to the custom HitmanPro.Alert view in the Windows Event Log
Added malware detections to the "Number of alerts" counter on the HitmanPro.Alert user interface
Added support for Spectre mitigations; i.e. our binaries are now compiled with /Qspectre compiler switch
Added offline indicator when the HitmanPro Anti-Malware Cloud is unreachable
Fixed the "Scan failed" issue which could occur when pressing the "Scan Computer" or "Scan with HitmanPro" button
Fixed unexpected behavior of Safe Browsing to improve detection and prevent false positives
Fixed issue that prevented proper disabling of Exploit Mitigations on Java binaries
Fixed rare issue that caused a hanging thread (locked a file) when CryptoGuard creates a file backup
Fixed an issue with code injection on Windows XP
Fixed an issue with the Reflective DLL Injection mitigation (part of Load Library mitigation)
Fixed an issue with the Windows 10 Start Menu
Fixed an issue when importing previously exported settings
Fixed a rare issue that could cause a BSoD mentioning partmgr.sys
Several other minor fixes and improvements

Download (with drivers co-signed by Microsoft)
http://test.hitmanpro.com/hmpalert3b734.exe

Please let us know how this version runs on your machine. Thanks!
Just finished the reboot after installation and looked over all the settings. Noticed that Anti-Malware: Offline is evident. Is the cloud down, or should I be investigating whether it is only my PC that can't reach it?
After initiating a complete antivirus scan with Comodo Internet Security, HMP.A generated the following message. Please note I tried it both with and without SAM protection enabled. I also noticed that it popped up at the same time the Comodo scan generated a warning about a suspicious digital certificate.

UPDATE: I see in the HMP.A changelog the first bullet is "Improved Credential Theft Protection, which now terminates applications that attempt to access LSASS in an offending way." Could a virus scan be accessing the LSASS in an offending way, and if so, what is the best way to remediate? Also, it always triggers 3 almost identical messages to the one below. The one obvious difference is the "Reading LSASS (856) process memory" line. Here are the three lines from the 3 separate entries in the Event Viewer:

Reading LSASS (856) process memory: 00007FFB80C80000 L20480
Reading LSASS (856) process memory: 00007FFB622100000 L4096
Reading LSASS (856) process memory: 00007FFB3DCF0000 L65536

---------------------------------------------------------------------------------------------
Mitigation CredGuard
Platform 10.0.16299/x64 v734 06_2a
PID 188
Application C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
Description COMODO Internet Security 10.1

Reading LSASS (856) process memory: 00007FFB80C80000 L20480

Stack Trace
# Address Module Location
-- ---------------- ------------------------ ----------------------------------------
1 00007FFB7DD465A4 KernelBase.dll ReadProcessMemory +0x14
2 00007FFB6DD23FE7 mem.cav
48397c2438 CMP [RSP+0x38], RDI
742c JZ 0x7ffb6dd2401a
488b542430 MOV RDX, [RSP+0x30]
4c8bce MOV R9, RSI
4d8bc4 MOV R8, R12
488bcd MOV RCX, RBP
897c2420 MOV [RSP+0x20], EDI
e87b010000 CALL 0x7ffb6dd24180
85c0 TEST EAX, EAX
7411 JZ 0x7ffb6dd2401a
393e CMP [RSI], EDI
7408 JZ 0x7ffb6dd24015
488bce MOV RCX, RSI
e8bb1b0000 CALL 0x7ffb6dd25bd0
bf01000000 MOV EDI, 0x1
488b4c2430 MOV RCX, [RSP+0x30]
3 00007FFB6DD23C85 mem.cav
4 00007FFB6DD22D1B mem.cav
5 00007FFB6DD22AEC mem.cav
6 00007FF6F655334E cavwp.exe
7 00007FF6F6554B11 cavwp.exe
8 00007FF6F65516D9 cavwp.exe
9 00007FF6F65820C9 cavwp.exe
10 00007FFB7F941FE4 kernel32.dll BaseThreadInitThunk +0x14

Process Trace
1 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe [188]
"C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe" /ModeAvScanner -Embedding
2 C:\Windows\System32\svchost.exe [764]
C:\Windows\system32\svchost.exe -k DcomLaunch -p

Thumbprint 4748ed32fc6b9cefffbb1bc556d783bf958e298d8a02857c64df6c56f1fea82e
Disabling the SAM protection (it protects the registry + disk) has no effect, because the "CredGuard" mitigation is still protecting the memory which Comodo wants to scan ("Reading LSASS (856) process memory"). For now the only solution would be to disable the "CredGuard" mitigation, else further alerts will appear. Did it also happen with earlier HMP.A builds, or is it the first time?
This is the first time. That's why I believe it is related to the first bullet in the changelog. I mentioned the SAM protection because antivirus scans usually trigger a HMP.A mitigation alert.
No problems (re)installing build 734 BETA. Win10 1709 build 16299.214 x64/Norton Security v22.11.0.104
Hello, A similar issue is happening when trying to run a scan with Emsisoft Emergency Kit. The scan will start, run for a bit, and then HMP.A intercepts an attack and EEK is shut down.

Mitigation CredGuard
Platform 10.0.16299/x64 v734 06_9e
PID 12232
Application C:\Program Files\EEK\BIN64\a2emergencykit.exe
Description Emsisoft Emergency Kit 2017.12

Reading LSASS (752) process memory: 0000000000000000 L1128

Stack Trace
# Address Module Location
-- ---------------- ------------------------ ----------------------------------------
1 00007FFD943165A4 KernelBase.dll ReadProcessMemory +0x14
2 00007FFD9439BD86 KernelBase.dll GetModuleFileNameExA +0x2a6
3 00007FFD9439BBD0 KernelBase.dll GetModuleFileNameExA +0xf0
4 00007FFD9439B954 KernelBase.dll EnumProcessModulesEx +0x84
5 00007FFD84A0B933 a2engine.dll
85c0 TEST EAX, EAX
0f8473020000 JZ 0x7ffd84a0bbae
448bf7 MOV R14D, EDI
f74500f8ffffff TEST DWORD [RBP+0x0], 0xfffffff8
0f8663020000 JBE 0x7ffd84a0bbae
0f1f440000 NOP DWORD [RAX+RAX+0x0]
418bd6 MOV EDX, R14D
41b904010000 MOV R9D, 0x104
4c8d8550200000 LEA R8, [RBP+0x2050]
488b54d550 MOV RDX, [RBP+RDX*8+0x50]
498bcc MOV RCX, R12
ff15a27d0200 CALL QWORD [RIP+0x27da2]
85c0 TEST EAX, EAX
6 00007FFD84A0C15C a2engine.dll
7 00007FFD84A0C97B a2engine.dll
8 00007FFD84A0CFCA a2engine.dll
9 00007FFD84A105CD a2engine.dll
10 00007FFD84990B40 a2engine.dll

Process Trace
1 C:\Program Files\EEK\BIN64\a2emergencykit.exe [12232]
2 C:\Program Files\EEK\Start Emergency Kit Scanner.exe [2468]
3 C:\Windows\explorer.exe [6212]
4 C:\Windows\System32\userinit.exe [5292]

Thumbprint 3172805b62144b24359be9a9c93d7e9c9ae094500e2546589d850c1ce167799d

Note that this happens with SAM disabled, but the scan will run normally with CredGuard (Credential Theft Protection) disabled. This may be an issue that will affect several anti-virus and/or anti-malware scanners that scan computer memory.
Is it still showing offline? It could take some time before it discovers that the connection with the cloud servers is restored.
Mark, does build 734 resolve the BSOD and other issues on Windows Vista? I've been reluctant to move from build 604, as I am not eager to repeat the experience. Thanks!
Sorry, but Build 734 is a no-no for me, as it is intercepting Kerish Doctor v4.65 as an issue, which it clearly is not, being a well known & reputable application. Running Windows 10 Pro 64bit.

Baldrick

Mitigation CredGuard
Platform 10.0.16299/x64 v734 06_1e
PID 11856
Application C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe
Description Kerish Doctor 4.65

Reading LSASS (732) process memory: 771A7BEC L4

Stack Trace
# Address Module Location
-- -------- ------------------------ ----------------------------------------
1 771427FB ntdll.dll RtlpQueryProcessDebugInformationRemote +0x1ab
2 7713BDF8 ntdll.dll
3 7713B3B5 ntdll.dll LdrQueryModuleServiceTags +0x95
4 7713B808 ntdll.dll
5 77142133 ntdll.dll RtlQueryProcessLockInformation +0x223
6 77141B85 ntdll.dll
7 73B20B31 kernel32.dll Module32Next +0x221
8 73B1F932 kernel32.dll CreateToolhelp32Snapshot +0xa2
9 00A22E00 KerishDoctor.exe
8b1dd0104000 MOV EBX, [0x4010d0]
8bf0 MOV ESI, EAX
ffd3 CALL EBX
8d85c0fbffff LEA EAX, [EBP-0x440]
8d8d80f9ffff LEA ECX, [EBP-0x680]
50 PUSH EAX
51 PUSH ECX
68ecff4600 PUSH DWORD 0x46ffec
8975ec MOV [EBP-0x14], ESI
c785c0fbffff24020000 MOV DWORD [EBP-0x440], 0x224
ff1570124000 CALL DWORD [0x401270]
50 PUSH EAX
56 PUSH ESI
e845d5a4ff CALL 0x47037c
8985a8fbffff MOV [EBP-0x458], EAX
ffd3 CALL EBX
10 00A20C29 KerishDoctor.exe

Process Trace
1 C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe [11856]
2 C:\Windows\explorer.exe [4560]
3 C:\Windows\System32\userinit.exe [3956]
4 C:\Windows\System32\winlogon.exe [708]
winlogon.exe
5 C:\Windows\System32\smss.exe [596]
\SystemRoot\System32\smss.exe 000000fc 00000080

Thumbprint 542aa3f8e8353e25ee849d4e623444edbb43410b54b06143bdf21af757c42393
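The three CredGuard reports quoted above (Comodo, Emsisoft Emergency Kit and Kerish Doctor) share one layout: header fields, a "Reading LSASS (pid) process memory: address Lsize" line, a stack trace interleaved with disassembly, a process trace and a thumbprint. The script below is an added example, not HitmanPro.Alert's own code or anything posted in this thread. It parses that layout and applies a triage rule that is purely this example's assumption: an LSASS read whose stack passes through a documented module-enumeration API (EnumProcessModulesEx, GetModuleFileNameEx, Module32Next/CreateToolhelp32Snapshot and the ntdll routines behind them, which read the target's loader data) is labelled incidental, while a ReadProcessMemory called straight from the application's own module is labelled direct. The two embedded reports are constructed, trimmed copies of the Comodo and Kerish alerts from this thread.

```python
"""Parse HitmanPro.Alert CredGuard reports and triage how the LSASS read was reached.

Added example, not HitmanPro.Alert code. The report layout and field names come
from the alerts quoted in this thread; the dataclass, ENUMERATION_APIS and the
triage rule are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# APIs that read a target process's loader data as part of module enumeration.
# Assumption: a read reached through one of these is incidental to enumeration.
ENUMERATION_APIS = {
    "EnumProcessModulesEx", "GetModuleFileNameExA", "GetModuleFileNameExW",
    "Module32First", "Module32Next", "CreateToolhelp32Snapshot",
    "RtlQueryProcessDebugInformation", "RtlpQueryProcessDebugInformationRemote",
}

FIELD_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Thumbprint)\s+(.+?)\s*$")
READ_RE = re.compile(r"^Reading LSASS \((\d+)\) process memory:\s*([0-9A-Fa-f]+)\s+L(\d+)")
# A frame is "<index> <8 or 16 hex digits> <module> [symbol +offset]"; the
# disassembly lines in the report never start with a bare decimal index.
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16})\s+(\S+)(?:\s+(.*?))?\s*$")

# Constructed samples, trimmed from the Comodo and Kerish reports in this thread.
COMODO_ALERT = r"""
Mitigation CredGuard
Platform 10.0.16299/x64 v734 06_2a
PID 188
Application C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
Description COMODO Internet Security 10.1
Reading LSASS (856) process memory: 00007FFB80C80000 L20480
Stack Trace
# Address Module Location
1 00007FFB7DD465A4 KernelBase.dll ReadProcessMemory +0x14
2 00007FFB6DD23FE7 mem.cav
48397c2438 CMP [RSP+0x38], RDI
742c JZ 0x7ffb6dd2401a
3 00007FFB6DD23C85 mem.cav
6 00007FF6F655334E cavwp.exe
10 00007FFB7F941FE4 kernel32.dll BaseThreadInitThunk +0x14
Process Trace
1 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe [188] "..." /ModeAvScanner -Embedding
Thumbprint 4748ed32fc6b9cefffbb1bc556d783bf958e298d8a02857c64df6c56f1fea82e
"""

KERISH_ALERT = r"""
Mitigation CredGuard
Platform 10.0.16299/x64 v734 06_1e
PID 11856
Application C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe
Description Kerish Doctor 4.65
Reading LSASS (732) process memory: 771A7BEC L4
Stack Trace
1 771427FB ntdll.dll RtlpQueryProcessDebugInformationRemote +0x1ab
2 7713BDF8 ntdll.dll
7 73B20B31 kernel32.dll Module32Next +0x221
8 73B1F932 kernel32.dll CreateToolhelp32Snapshot +0xa2
9 00A22E00 KerishDoctor.exe
8b1dd0104000 MOV EBX, [0x4010d0]
50 PUSH EAX
Process Trace
1 C:\Program Files (x86)\Kerish Doctor\KerishDoctor.exe [11856]
Thumbprint 542aa3f8e8353e25ee849d4e623444edbb43410b54b06143bdf21af757c42393
"""


@dataclass
class CredGuardAlert:
    fields: dict = field(default_factory=dict)
    lsass_pid: int = 0
    address: int = 0
    length: int = 0
    frames: list = field(default_factory=list)  # (module, location) per stack frame


def parse_alert(text: str) -> CredGuardAlert:
    """Pull header fields, the LSASS read and the stack frames out of one report."""
    alert = CredGuardAlert()
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Stack Trace"):
            in_stack = True
            continue
        if line.startswith("Process Trace"):
            in_stack = False
            continue
        m = FIELD_RE.match(line)
        if m:
            alert.fields[m.group(1)] = m.group(2)
            continue
        m = READ_RE.match(line)
        if m:
            alert.lsass_pid, alert.address, alert.length = int(m.group(1)), int(m.group(2), 16), int(m.group(3))
            continue
        if in_stack:
            m = FRAME_RE.match(line)
            if m:
                alert.frames.append((m.group(3), (m.group(4) or "").strip()))
    return alert


def triage(alert: CredGuardAlert) -> str:
    """Heuristic (this example's own): was the read incidental to module enumeration or direct?"""
    symbols = {loc.split(" +")[0] for _, loc in alert.frames if loc}
    modules = [mod for mod, _ in alert.frames]
    if symbols & ENUMERATION_APIS:
        return "incidental: read performed by a module-enumeration API"
    if "ReadProcessMemory" in symbols:
        caller = next((m for m in modules if m.lower() != "kernelbase.dll"), "?")
        return f"direct: {caller} called ReadProcessMemory on LSASS ({alert.length} bytes)"
    return "unknown: no recognised read path in the stack"


def summarize(text: str) -> str:
    a = parse_alert(text)
    return (f"{a.fields.get('Application', '?')} (PID {a.fields.get('PID', '?')}) read "
            f"{a.length} bytes of LSASS ({a.lsass_pid}) at {a.address:#x}: {triage(a)}")


if __name__ == "__main__":
    for sample in (COMODO_ALERT, KERISH_ALERT):
        print(summarize(sample))
```

The point of the split is practical: the Kerish and Emsisoft stacks show the read coming out of Toolhelp and psapi module enumeration, which any process-listing tool triggers, whereas the Comodo stack shows the scanner's own engine module calling ReadProcessMemory on LSASS, which is the pattern CredGuard is designed to stop. The heuristic is a starting point for sorting alerts, not a verdict on any product.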
There is an incompatibility with Media Player Classic-HC. It was crashing with build 723, so it's not specific to 734. I have already added MPC-HC to HMPA's exclusion list (all mitigations are disabled). Here is a crash report from MPC-HC:

WARNING: Following frames may be wrong.
hmpalert!A3+0x41a54
hmpalert!A3+0x41859
hmpalert!A3+0x43fd0
hmpalert!A3+0x1f468
hmpalert!CVCCP+0x5493
hmpalert!CVCCP+0x3cff
kernelbase!ReadProcessMemory+0x1c
mpc_hc!Mine_NtQueryInformationProcess+0x5b
kernelbase!GetProcessId+0x1b
hmpalert!CVCCP+0x1f43
Repeated 661 times:
hmpalert!CVCCP+0x1dbd
hmpalert!CVCCP+0x78b9
hmpalert!CVCCP+0x3d8e
kernelbase!ReadProcessMemory+0x1c
mpc_hc!Mine_NtQueryInformationProcess+0x5b
kernelbase!GetProcessId+0x1b
hmpalert!CVCCP+0x1f43
hmpalert!CVCCP+0x1dbd
hmpalert!CVCCP+0x78b9
hmpalert!CVCCP+0x3d8e
kernelbase!ReadProcessMemory+0x1c
mpc_hc!Mine_NtQueryInformationProcess+0x5b
kernelbase!GetExitCodeProcess+0x1b
kernel32!GetExitCodeProcessImplementation+0x12
quartz!CResourceManager::CheckProcessExists+0x3a
quartz!CResourceManager::CheckProcessTable+0x36
quartz!CResourceManager::OnThreadInit+0x3d
quartz!CFGControl::CGraphWindow::OnReceiveMessage+0x38
quartz!WndProc+0xb6
user32!_InternalCallWinProc+0x2b
user32!InternalCallWinProc+0x20
user32!UserCallWinProcCheckWow+0x1be
user32!DispatchClientMessage+0x1b3
user32!__fnINLPCREATESTRUCT+0xa5
ntdll!KiUserCallbackDispatcher+0x4d
user32!VerNtUserCreateWindowEx+0x244
user32!CreateWindowInternal+0x2ce
user32!CreateWindowExW+0x38
quartz!CBaseWindow::DoCreateWindow+0xc9
quartz!CBaseWindow::PrepareWindow+0xa4
quartz!CFGControl::CFGControl+0x242
quartz!CFilterGraph::CFilterGraph+0x426
quartz!CFilterGraph::CreateInstanceInternal+0x27
quartz!ObjectThread+0x66
kernel32!BaseThreadInitThunk+0x24
ntdll!__RtlUserThreadStart+0x2f
ntdll!_RtlUserThreadStart+0x1b
Do you mean MPC-HC still crashes even if MPC-HC is added to HMPA's exclusion list? Do you mean with both HMPA build 723 and 734? I don't know about beta 734, but on my system with HMPA 723 stable, MPC-HC does not crash if it is added to HMPA's exclusion list. I don't know what is different. For specs, see my signature. Is it with specific file types that MPC-HC crashes?
Yes, MPC-HC crashes instantly when trying to play an MP4 video with builds 723 and 734 after adding it to the HMPA exclusions list. For security I'm using Windows Defender, MBAM and HMPA, which over time has proven to be very stable and compatible with all of my applications. This is the first time I've had an app completely fail with this setup.
Thanks, Victek. As I said, I don't know about beta 734, but on my system with HMPA 723 stable, MPC-HC does not crash if it is added to HMPA's exclusion list. I wonder what the differentiating factor or factors may be. Your Windows 10, Windows Defender and MBAM are different from my system specs. Are there other HMPA + MPC-HC users that see MPC-HC crashing, even if it is added to HMPA's exclusion list?
Good question. I like MPC-HC, but for now I've switched to VideoLAN, which has the same features I need and works without issue on my system (well, so far). It would be interesting to hear from others. Also, since the MPC-HC crash logs are uploaded to their site, there may be a fix eventually.