Those are 923 alerts. Do you have Winrar on protection? This is collateral of Application lockdown; in this case, the extracted AND executed application dropped by WinRar is attempting to abuse a LOLBin. If you start HD Sentinel via the start menu (and it's not on protection) this should not happen.
Strange. I've reproduced the crash, and we've fixed the reproduction. Can you send me the SHA256 hashes of the files you excluded and your setup + vbox version in a DM?
This was suppressed centrally, hence the first machine should no longer trigger regardless of the suspend alert state.
HitmanPro.Alert 3.8.20 Build 937 Release Candidate 2
Changelog (compared to build 935)
- Fixed crash in Spyware blaster caused by RemoteThreadGuard
- Fixed crash in VirtualBox caused by Syscall64
- Some small changes under the hood
Download
https://dl.surfright.nl/hmpalert3b937.exe
Please let us know how this build runs on your machine
*Beware some sites are leeching this build and posting it on their downloads pages as Stable release, so no 923 is still the Stable.
I just opened TOR on my other machine and got the same Alert. I suspect it is 0Patch injecting its .DLL. I have suppressed for now.
HitmanPro.Alert 8.20 Build 937 Yes.
Spoiler: Mitigation SysCall
Mitigation SysCall
Timestamp 2022-03-19T16:05:25
Platform 10.0.22000/x64 v937 06_9e
PID 10820
Feature 007D0A30000001A2
Application C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe
Created 2022-03-17T17:41:58
Description C++ Application Development Framework 5.15.2
SecLvl: 1
Direct Syscall originating from: 0000025279751734
*** RemoteAllocator ***
remoteOwnerProcessName: C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe
remoteOwnerModuleName: C:\Program Files\AMD\CNext\CNext\Qt5WebEngineCore.dll
remoteOwnerPID: 8476
remoteOwnerProcess is signed
remoteOwnerModule is not signed
0x0000025279751734 c3 RET
Loaded Modules (72)
-----------------------------------------------------------------------------
00007FF7C4850000-00007FF7C48EB000 QtWebEngineProcess.exe (The Qt Company Ltd.), version: 5.15.2.0
00007FFB26CA0000-00007FFB26DBA000 hmpalert.dll (SurfRight B.V.), version: 3.8.20.937
00007FFAFEBC0000-00007FFAFF1C6000 Qt5Core.dll (The Qt Company Ltd.), version: 5.15.2.0
00007FFADFB00000-00007FFAE5F24000 Qt5WebEngineCore.dll (The Qt Company Ltd.), version: 5.15.2.0
00007FFAEFC10000-00007FFAF002A000 Qt5Quick.dll (The Qt Company Ltd.), version: 5.15.2.0
00007FFAEEF30000-00007FFAEF5E2000 Qt5Gui.dll (The Qt Company Ltd.), version: 5.15.2.0
00007FFB05900000-00007FFB05925000 Qt5WebChannel.dll (The Qt Company Ltd.), version: 5.15.2.0
00007FFAEEB70000-00007FFAEEF29000 Qt5Qml.dll (The Qt Company Ltd.), version: 5.15.2.0
00007FFAEE0A0000-00007FFAEE1B5000 Qt5Network.dll (The Qt Company Ltd.), version: 5.15.2.0
00007FFAF4860000-00007FFAF48B4000 Qt5Positioning.dll (The Qt Company Ltd.), version: 5.15.2.0
00007FFAF4770000-00007FFAF47E1000 Qt5QmlModels.dll (The Qt Company Ltd.), version: 5.15.2.0
- MS skipped (61) -
Code Injection
0000025279751000-0000025279752000 4KB C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]
00007FFB29CA4000-00007FFB29CA5000 4KB
00007FFB29CA3000-00007FFB29CA4000 4KB
00007FFB29CA6000-00007FFB29CA7000 4KB
00007FFB29CA5000-00007FFB29CA6000 4KB
Process Trace
1 C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe [10820]
"C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMo
2 C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]
"C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe" atlogon
Dropped Files
1 C:\Users\Asrock\AppData\Local\AMD\CN\restreamserverlist.json
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]
2 C:\Users\Asrock\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Platform Notifications\LOG.old~RF625ab.TMP
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]
3 C:\Users\Asrock\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Platform Notifications\LOG
Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]
Thumbprints
810af5e5b485b6aece639827e26999389ee9125ea60cc65e554a0da29cf75939 (pfn)
"Do you have Winrar on protection?" Yes. HD Sentinel starts via Task Scheduler (and it is not on protection). It's really the older (923) alert; it was just today and I thought it was the 935. I installed 935 today. Sorry.
Browser protection does not work with ESET Banking & Payment protection in 937. It worked on the older 923, if I turned off ESET's keyboard protection within Banking & Payment protection. Now it doesn't work even if it's turned off. See at 923: Firefox 98.0.1 (64 bit)
https://dl.surfright.nl/hmpalert3b937.exe only displays the Hitmanpro.alert UI on the screen. It does not appear to install anything.
I just got this False Positive:
Spoiler: NVT FP
Mitigation MalwareBlocked
Timestamp 2022-03-20T00:56:42
Platform 10.0.19044/x64 v937 06_5e
PID 968
Application C:\Program Files (x86)\NoVirusThanks\NVT License Manager\NVTLicenseManager.exe
Created 2022-03-20T00:56:38
Description Generic ML PUA
Process Trace
1 C:\Windows\System32\services.exe [968]
2 C:\Windows\System32\wininit.exe [824]
wininit.exe
Dropped Files
Thumbprints
3dde7f92c3b3acb1e591e978c04fd34216b713825d2647246acdbf6168ea2d18
I really need more details; see the previous post. I have a Win7x86 machine running inside VBox without crashes or exclusions. On the old build the VBox service would terminate the moment you started a "machine"; I didn't even have a Guest OS installed. This works fine, and I have a default next, next, finish Guest OS running now without crashes.
This is a known issue on our end, and in general a thing because you can't have two products protecting your browser in that banking/secure mode; they'll fight and lessen security. I'd advise activating one or the other for now.
Doesn't really matter; this works as designed and would have triggered also on 937. WinRar introduces new executable code and tries to execute it; because application lockdown is active on WinRar and inherit is forced, this is not allowed.
What extra Details do you need? I am running Windows 11 with the latest update available via the regular update service. I have not signed up for the Windows Insider program.
See here please: https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-81#post-3073821
Looks like ESET blacklisted us for their Banking & Payment protection settings, so there is not a lot we can do. On the other hand, you don't want to have two products fighting over this anyway. If I only protect the default browser with ESET, the others seem to work fine with Safebrowsing.
HitmanPro.Alert 3.8.20 Build 939 Release Candidate 3
Changelog (compared to build 937)
- Fixed crash in VirtualBox caused by Syscall on Win11
- Improved Syscall on certain applications e.g. WhatsApp / Mullvad VPN / Torbrowser
- Improved RemoteThreadGuard
Download
https://dl.surfright.nl/hmpalert3b939.exe
*Auto-update enabled for 935 and higher.
Please let us know how this build runs on your machine
*Beware some sites are leeching this build and posting it on their downloads pages as Stable release, so no 923 is still the Stable.