HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    If all is well this should no longer occur.
     
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Is this reproducible?
     
  3. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.17 Build 915

    Changelog (compared to build 907):

    Added LockdownLoadImage mitigation to applications under the Office protection category; mitigates e.g. CVE-2021-40444
    Added Extended information in alert when CookieGuard detects cookie grab by untrusted code in a web browser, e.g., hashes of remote owner process and owner module
    Fixed Compatibility of Enforce DEP with Norton Security
    Fixed Small memory leak that occurred when switching CryptoGuard modes
    Fixed Compatibility with Windows CET (Shadow Stack)
    Fixed Benefits Info button now lands on the correct page
    Improved HollowProcess (Main Thread Hijack; MTH) mitigation to detect Cobalt Strike Beacon installing over SMB
    Improved CookieGuard, fixed some small issues
    Improved Compatibility with Visual Studio triggering alerts

    Changed Re-enabled global Syscall mitigation. You can find it in the Advanced interface, under Risk reductions > Process Protection > Unexpected system calls (Stop evasion of security hooks).

    (attached screenshot: Syscall.OnOff.jpg)

    Download
    https://dl.surfright.nl/hmpalert3b915.exe

    We'll be auto-updating 911 users, and a subset of stable users also today.
    Please let us know how this version runs on your machine :thumb:
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    It doesn't happen often, Ronny.
     
  5. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Has anyone ever figured out how to get HMP.A to work with Sandboxie without getting any Firefox false positives?
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Are you talking about PrivGuard alerts (sweep)?
    That's not an FP; Sandboxie really does that. It's up to the user to whitelist/suppress it.
     
  7. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Automatic update, no problem.
     
  8. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    Ditto here.

    And a whoo-hoo! for re-enabling unexpected system calls.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Did manual upgrade yesterday on Win10 x64 21H1, no problems so far.
     
  10. abbs

    abbs Registered Member

    Joined:
    Sep 14, 2018
    Posts:
    43
    Location:
    Nederlands
    After the notification that HitmanPro.Alert was updated after reboot, I restarted the PC and HitmanPro.Alert had been updated to Version 3.8.17 Build 915.
    No problems encountered.

    Windows 11 Pro version 21H2 Build 22000.282
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Cool that the Syscall mitigation is back. Can you perhaps give an example of malware that makes use of attacking security hooks, and are specific anti-malware tools protected, or is this a global protection? And is CookieGuard now clearly mentioned in the GUI? But I will check it out; hopefully the problem with the "GUI not loading when clicking on the tray icon" has been fixed.
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Double clicking the tray icon works here. Not for you? I kind of remember that I may have asked this once before... or maybe not.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, there's something weird going on, on my Win 10 system. It started after I used Windows Update, so never again. However, HMPA is the only third party app that can't launch from the tray. The other tray-icons that don't work are all related to Windows itself, think of the network, battery and volume icons. Luckily the Windows Security icon still works, although I don't use it that much anymore since I started using DefenderUI.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    New to Sandboxie+ so I don't know if I need to tweak it, or how to if needed. I just opened MSEdge sandboxed and got this.
    Mitigation PrivGuard
    Timestamp 2021-10-27T11:21:01

    Platform 10.0.19043/x64 v915 06_5e
    PID 102648
    Application C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Created 2021-05-22T21:58:37
    Description Microsoft Edge 95

    Sweep

    Code Injection
    0000000000B20000-0000000000B26000 24KB C:\Program Files\Sandboxie-Plus\SbieSvc.exe [98108]
    0000000000B30000-0000000000B32000 8KB
    00007FF967224000-00007FF967225000 4KB
    000001BACCBAB000-000001BACCBAC000 4KB C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [100888]
    00007FF96724D000-00007FF96724E000 4KB
    00007FF96724F000-00007FF967250000 4KB
    00007FF96724C000-00007FF96724D000 4KB
    1 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [98108]
    2 C:\Windows\System32\services.exe [816]
    3 C:\Windows\System32\wininit.exe [472]
    wininit.exe
    1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [100888]
    2 C:\Program Files\Sandboxie-Plus\Start.exe [100792]
    "C:\Program Files\Sandboxie-Plus\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\WINDOWS\system32" /env:=Refresh "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [98108]
    4 C:\Windows\System32\services.exe [816]
    5 C:\Windows\System32\wininit.exe [472]
    wininit.exe

    Process Trace
    1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [102648]
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --display-capture-permissions-policy-allowed --field-trial-handle=2512,4126397004671540256,10552882301610586721,131072 --enable-features=V8VmFuture,msHttpsUpgr
    2 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [100888]
    3 C:\Program Files\Sandboxie-Plus\Start.exe [100792]
    "C:\Program Files\Sandboxie-Plus\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\WINDOWS\system32" /env:=Refresh "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    4 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [98108]
    5 C:\Windows\System32\services.exe [816]
    6 C:\Windows\System32\wininit.exe [472]
    wininit.exe

    Services
    98108 SbieSvc


    Thumbprints
    18817d9faf4974c97d2a9e7b81175619c5314b6437d9c20102e76abe3a2db4bc
    Any and all help will be greatly appreciated.
     
  15. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,933
    Location:
    UK
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
  17. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    I replaced Windows 10 with Windows 11. Hitmanpro.Alert and HitmanPro work perfectly.
     
  18. Kakanisa

    Kakanisa Registered Member

    Joined:
    Nov 1, 2021
    Posts:
    1
    Location:
    SWE
    Mitigation SysCall
    Timestamp 2021-11-01T15:22:00

    Platform 10.0.19043/x64 v915 06_5e
    PID 8356
    WoW x86
    Feature 007D0A30000001A6
    Application C:\Riot Games\League of Legends\Game\League of Legends.exe
    Created 2021-10-31T06:34:18
    Description League of Legends (TM) Client 11.21

    Reason NTDLL32 Bypass

    0x2029AB7A
    Loaded Modules (20)
    -----------------------------------------------------------------------------
    001A0000-0344A000 League of Legends.exe (Riot Games, Inc.),
    version: 11.21.403.3002
    76FC0000-77163000 ntdll.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    75200000-752F0000 KERNEL32.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    632E0000-633F2000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.17.915
    757D0000-759E4000 KERNELBASE.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    517A0000-52D3A000 stub.dll (),
    version:
    76AB0000-76C46000 USER32.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    75410000-75428000 win32u.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    751D0000-751F3000 GDI32.dll (Microsoft Corporation),
    version: 10.0.19041.746 (WinBuild.160101.0800)
    75540000-7561C000 gdi32full.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    76460000-764DB000 msvcp_win.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    759F0000-75B10000 ucrtbase.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    756E0000-757C3000 ole32.dll (Microsoft Corporation),
    version: 10.0.19041.746 (WinBuild.160101.0800)
    752F0000-753B0000 RPCRT4.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    74F20000-751A2000 combase.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    60C80000-60E08000 dbghelp.dll (Microsoft Corporation),
    version: 10.0.19041.867 (WinBuild.160101.0800)
    6F7A0000-6F7AF000 WTSAPI32.dll (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    75620000-756DF000 msvcrt.dll (Microsoft Corporation),
    version: 7.0.19041.546 (WinBuild.160101.0800)
    63A20000-63A46000 dbgcore.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    76C50000-76C75000 IMM32.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)

    Process Trace
    1 C:\Riot Games\League of Legends\Game\League of Legends.exe [8356]
    "C:/Riot Games/League of Legends/Game/League of Legends.exe" "162.249.73.170 5158 3uxNIMt5bEAika8JI3iMaw== 19600509" "-PlayerID=19600509" "-GameID=5531318478" "-GameBaseDir=C:\Riot Games\League of Legends" "-Region=EUW" "-PlatformID=EUW1" "-Locale=en_GB" "
    2 C:\Riot Games\League of Legends\LeagueClient.exe [6544]
    "C:/Riot Games/League of Legends/LeagueClient.exe" --riotclient-auth-token=4REVywsi_RZkKmPk66tfgw --riotclient-app-port=49897 --no-rads --disable-self-update --region=EUW --locale=en_GB
    3 C:\Riot Games\Riot Client\RiotClientServices.exe [9928]
    "C:\Riot Games\Riot Client\RiotClientServices.exe" --launch-product=league_of_legends --launch-patchline=live
    4 C:\Windows\explorer.exe [5576]


    Thumbprints
    97e83cd763f1c96addbbd996f097474f87d24277651f19161c18891745ce3b19


    Mitigation SysCall
    Timestamp 2021-11-01T15:34:54

    Platform 10.0.19043/x64 v915 06_5e
    PID 11236
    WoW x86
    Feature 007D0A30000001A6
    Application C:\Riot Games\League of Legends\Game\League of Legends.exe
    Created 2021-10-31T06:34:18
    Description League of Legends (TM) Client 11.21

    Reason NTDLL32 Bypass

    0xD897274A
    Loaded Modules (20)
    -----------------------------------------------------------------------------
    001A0000-0344A000 League of Legends.exe (Riot Games, Inc.),
    version: 11.21.403.3002
    76FC0000-77163000 ntdll.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    75200000-752F0000 KERNEL32.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    632E0000-633F2000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.17.915
    757D0000-759E4000 KERNELBASE.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    508A0000-51E3A000 stub.dll (),
    version:
    76AB0000-76C46000 USER32.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    75410000-75428000 win32u.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    751D0000-751F3000 GDI32.dll (Microsoft Corporation),
    version: 10.0.19041.746 (WinBuild.160101.0800)
    75540000-7561C000 gdi32full.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    76460000-764DB000 msvcp_win.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    759F0000-75B10000 ucrtbase.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    756E0000-757C3000 ole32.dll (Microsoft Corporation),
    version: 10.0.19041.746 (WinBuild.160101.0800)
    752F0000-753B0000 RPCRT4.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    74F20000-751A2000 combase.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    60C80000-60E08000 dbghelp.dll (Microsoft Corporation),
    version: 10.0.19041.867 (WinBuild.160101.0800)
    6F7A0000-6F7AF000 WTSAPI32.dll (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    75620000-756DF000 msvcrt.dll (Microsoft Corporation),
    version: 7.0.19041.546 (WinBuild.160101.0800)
    63A20000-63A46000 dbgcore.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    76C50000-76C75000 IMM32.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)

    Process Trace
    1 C:\Riot Games\League of Legends\Game\League of Legends.exe [11236]
    "C:/Riot Games/League of Legends/Game/League of Legends.exe" "185.40.67.11 5131 BqK0nv+dlj5yalFpQIP7sg== 19600509" "-PlayerID=19600509" "-GameID=5533265304" "-GameBaseDir=C:\Riot Games\League of Legends" "-Region=EUW" "-PlatformID=EUW1" "-Locale=en_GB" "-S
    2 C:\Riot Games\League of Legends\LeagueClient.exe [6544]
    "C:/Riot Games/League of Legends/LeagueClient.exe" --riotclient-auth-token=4REVywsi_RZkKmPk66tfgw --riotclient-app-port=49897 --no-rads --disable-self-update --region=EUW --locale=en_GB
    3 C:\Riot Games\Riot Client\RiotClientServices.exe [9928]
    "C:\Riot Games\Riot Client\RiotClientServices.exe" --launch-product=league_of_legends --launch-patchline=live
    4 C:\Windows\explorer.exe [5576]


    Thumbprints
    97e83cd763f1c96addbbd996f097474f87d24277651f19161c18891745ce3b19

    Always occurs when loading from champion select to active match
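The PrivGuard and SysCall reports pasted in the two posts above share one fixed layout (a Mitigation header block, then Sweep > Code Injection or Loaded Modules, Process Trace and Thumbprints). As an added example that is not part of the thread and not HMP.A's own code, the Python below parses that layout and pulls out what an analyst would triage first: which process owns code found inside the protected application, which loaded modules carry no publisher string, what launched the process, and how many alerts share one Thumbprint (the field Krusty's suppress advice keys on). The function names, the publisher-string heuristic and the shortened sample reports are the example's own, built from the format shown above.

```python
# Added example (not HMP.A's own code): parse the alert reports pasted in this thread
# (Mitigation header, Sweep > Code Injection, Loaded Modules, Process Trace, Thumbprints)
# and pull out what an analyst triages first.
import re
from collections import Counter

HEADER_KEYS = {"Mitigation", "Timestamp", "Platform", "PID", "WoW", "Feature",
               "Application", "Created", "Description", "Reason"}
SECTION_RE = re.compile(r"^(Sweep|Code Injection|Process Trace|Loaded Modules"
                        r"(?: \(\d+\))?|Services|Dropped Files|Thumbprints)$")
REGION_RE = re.compile(r"^([0-9A-F]{8,16})-([0-9A-F]{8,16}) (\d+)KB(?: (.+?) \[(\d+)\])?$")
MODULE_RE = re.compile(r"^[0-9A-F]{8,16}-[0-9A-F]{8,16} (.+?) \((.*)\),$")
TRACE_RE = re.compile(r"^\d+ (.+?) \[(\d+)\]$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def parse_report(text):
    """Header fields, injected regions, (module, publisher) pairs, (path, pid) trace, thumbprints."""
    rep = {"fields": {}, "injections": [], "modules": [], "trace": [], "thumbprints": []}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1).split(" (")[0]
        elif section == "header":
            key, _, value = line.partition(" ")
            if key in HEADER_KEYS:               # stray lines such as "0x2029AB7A" are dropped
                rep["fields"][key] = value
        elif section == "Code Injection" and (m := REGION_RE.match(line)):
            start, end, kb, owner, opid = m.groups()   # owner is absent for anonymous regions
            rep["injections"].append({"start": int(start, 16), "end": int(end, 16),
                                      "size_kb": int(kb), "owner": owner,
                                      "owner_pid": int(opid) if opid else None})
        elif section == "Loaded Modules" and (m := MODULE_RE.match(line)):
            rep["modules"].append((m.group(1), m.group(2)))   # "version:" lines fall through
        elif section == "Process Trace" and (m := TRACE_RE.match(line)):
            rep["trace"].append((m.group(1), int(m.group(2))))  # quoted command lines fall through
        elif section == "Thumbprints" and SHA256_RE.match(line):
            rep["thumbprints"].append(line)
    return rep

def triage(rep):
    """Who owns code injected into the app, which modules carry no publisher, who launched it."""
    app = rep["fields"].get("Application", "").lower()
    out = [f"foreign code: {i['size_kb']}KB owned by {i['owner']} [{i['owner_pid']}]"
           for i in rep["injections"] if i["owner"] and i["owner"].lower() != app]
    out += [f"module without publisher info: {name}" for name, pub in rep["modules"] if not pub]
    if len(rep["trace"]) > 1:
        out.append("launched by %s [%d]" % rep["trace"][1])
    return out

def count_by_thumbprint(reports):
    """Repeated alerts share a Thumbprint; the count shows which one is worth suppressing."""
    return Counter(t for r in reports for t in r["thumbprints"])

# Constructed, shortened samples in the format of the reports pasted in this thread.
PRIVGUARD = r"""Mitigation PrivGuard
PID 102648
Application C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Sweep
Code Injection
0000000000B20000-0000000000B26000 24KB C:\Program Files\Sandboxie-Plus\SbieSvc.exe [98108]
0000000000B30000-0000000000B32000 8KB
000001BACCBAB000-000001BACCBAC000 4KB C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [100888]
1 C:\Program Files\Sandboxie-Plus\SbieSvc.exe [98108]
Process Trace
1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [102648]
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer
2 C:\Program Files\Sandboxie-Plus\Start.exe [100792]
Thumbprints
18817d9faf4974c97d2a9e7b81175619c5314b6437d9c20102e76abe3a2db4bc"""
SYSCALL = r"""Mitigation SysCall
PID 8356
Application C:\Riot Games\League of Legends\Game\League of Legends.exe
Reason NTDLL32 Bypass
0x2029AB7A
Loaded Modules (3)
001A0000-0344A000 League of Legends.exe (Riot Games, Inc.),
76FC0000-77163000 ntdll.dll (Microsoft Corporation),
517A0000-52D3A000 stub.dll (),
version:
Process Trace
1 C:\Riot Games\League of Legends\Game\League of Legends.exe [8356]
2 C:\Riot Games\League of Legends\LeagueClient.exe [6544]
Thumbprints
97e83cd763f1c96addbbd996f097474f87d24277651f19161c18891745ce3b19"""
SYSCALL_AGAIN = SYSCALL.replace("PID 8356", "PID 11236")   # second alert, same Thumbprint
```

On the Edge report this flags the 24KB region owned by SbieSvc.exe and the launch through Sandboxie's Start.exe, which is exactly the "Sandboxie really does that" case RonnyT describes; on the League report it surfaces the one module with an empty publisher string and counts the two alerts as one Thumbprint.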
     
  19. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Is build 915 a beta version? Because the HitmanPro.Alert site still distributes build 907.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    If you open Alert and on the left hand side click on "Last event" under "Action" you should be able to "Suppress" those alerts.
     
  21. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    We'll be releasing 917 soon which will mitigate this
     
  22. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Nope, it's stable, but we halted roll-out, and will be bringing 917 soon as we would like to iron out a few things that showed up.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Hi @markloman and @RonnyT ,

    I think I've asked this before but I don't recall getting a definitive answer, so if you don't mind me asking again: should or should not a VPN client be protected by HMP.A? And if so, under which template?

    Your feedback as always, will be greatly appreciated.

    Thanks.
     
  24. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    If you like you can add it; I'd suggest adding it to Other and seeing what happens. If nothing breaks, it's extra protection for the VPN software against exploitation.
    I don't think it's a matter of should/should not. It's not a regular avenue of attack to exploit something in the VPN client from 'remote'; for VPNs, weak passwords and MiTM attacks are more likely an attack route, if that fits your risk profile.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Thank you @RonnyT .

    I wasn't sure if it was a possible weak spot and an avenue of attack or not but I have successfully added Kaspersky VPN to Other template and so far nothing has broken. :)

    Cheers,
    Dave
     