HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Man van het noorden

    Man van het noorden Registered Member

    Joined:
    Jun 26, 2014
    Posts:
    12
    Location:
    NL
    Getting this FP with CTP4 doing a search in the registry with RegEditX Crawler. A second search performed with no problem.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 13-06-17 23:29:47
    Gebeurtenis-id:911
    Taakcategorie: (9)
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: xxxxxxxx
    Beschrijving:
    Mitigation CredGuard

    Platform 6.1.7601/x86 v710 06_25
    PID 1544
    Application C:\Program Files\RegEditX\RxCrawler.exe
    Description RegEditX Crawler 3.0

    \REGISTRY\MACHINE\SAM\SAM

    Process Trace
    1 C:\Program Files\RegEditX\RxCrawler.exe [1544]
    "C:\Program Files\RegEditX\rxcrawler.exe" -SingleInstance
    2 C:\Windows\regedit.exe [4256]
    regedit.exe
    3 C:\Program Files\RegEditX\RegEditX.exe [3424]
    4 C:\Windows\explorer.exe [5164]
    5 C:\Windows\System32\userinit.exe [5576]
    6 C:\Windows\System32\winlogon.exe [5708]
    winlogon.exe
    7 C:\Windows\System32\smss.exe [1424]
    \SystemRoot\System32\smss.exe 00000000 0000004c

    Thumbprint
    eebfee85859808e7c4774d74e7e4095fd8f71735cd7abbf4ab79ce401862e5f2
    Gebeurtenis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-06-13T21:29:47.000000000Z" />
    <EventRecordID>20681</EventRecordID>
    <Channel>Application</Channel>
    <Computer>norbert-m</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files\RegEditX\RxCrawler.exe</Data>
    <Data>CredGuard</Data>
    <Data>Mitigation CredGuard

    Platform 6.1.7601/x86 v710 06_25
    PID 1544
    Application C:\Program Files\RegEditX\RxCrawler.exe
    Description RegEditX Crawler 3.0

    \REGISTRY\MACHINE\SAM\SAM

    Process Trace
    1 C:\Program Files\RegEditX\RxCrawler.exe [1544]
    "C:\Program Files\RegEditX\rxcrawler.exe" -SingleInstance
    2 C:\Windows\regedit.exe [4256]
    regedit.exe
    3 C:\Program Files\RegEditX\RegEditX.exe [3424]
    4 C:\Windows\explorer.exe [5164]
    5 C:\Windows\System32\userinit.exe [5576]
    6 C:\Windows\System32\winlogon.exe [5708]
    winlogon.exe
    7 C:\Windows\System32\smss.exe [1424]
    \SystemRoot\System32\smss.exe 00000000 0000004c

    Thumbprint
    eebfee85859808e7c4774d74e7e4095fd8f71735cd7abbf4ab79ce401862e5f2</Data>
    </EventData>
    </Event>
     
  2. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    @Peter2150
    Btw.: Do you get an "Anti-VM" Mitigation after the tray-application (beta) from FIDES has been started? (see below)
     
  3. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    136
    Location:
    Philippines
    Mitigation PrivGuard

    Platform 10.0.14393/x64 v710 06_4e
    PID 9288
    Application C:\Program Files\Sandboxie\SandboxieCrypto.exe
    Description Sandboxie COM Services (CryptSvc) 5.20

    Sweep

    Code Injection
    00000000001E0000-00000000001E6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1980]
    00000000001F0000-00000000001F1000 4KB
    00007FFE60AF9000-00007FFE60AFA000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [1980]
    2 C:\Windows\System32\services.exe [932]
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,203
    Sorry, I haven't tried the tray application beta.
     
  5. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    The mitigation "Credential Theft Protection" is responsible for this. It is preventing you from accessing the credentials which are stored in the registry key \REGISTRY\MACHINE\SAM\SAM.
    To get no alert from HMP.A, try to turn the mitigation off before you do a search in the registry.
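An added example, not code from HitmanPro.Alert, Sophos or anyone in this thread: a small Python 3 helper (standard library only) that parses the Event Viewer XML of an ID 911 record like the one in post 1 into fields, so the mitigation, the protected object (here \REGISTRY\MACHINE\SAM\SAM) and the full process chain can be read off, and repeated alerts from the same application counted, before deciding as suggested above whether to switch the mitigation off for that program. The sample record is the RegEditX one quoted above; the layout of the alert body (header lines, `Process Trace`, `Thumbprint`) is inferred from the alerts posted in this thread, not taken from any HMP.A documentation.

```python
# Added example (not HitmanPro.Alert code): parse Event ID 911 records from the Application log.
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

# Namespace of the Windows event schema used by Event Viewer's XML view.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The CredGuard record posted above in this thread (RegEditX Crawler touching the SAM hive).
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="HitmanPro.Alert" />
<EventID Qualifiers="0">911</EventID>
<Level>2</Level>
<Task>9</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-06-13T21:29:47.000000000Z" />
<EventRecordID>20681</EventRecordID>
<Channel>Application</Channel>
<Computer>norbert-m</Computer>
<Security />
</System>
<EventData>
<Data>C:\Program Files\RegEditX\RxCrawler.exe</Data>
<Data>CredGuard</Data>
<Data>Mitigation CredGuard

Platform 6.1.7601/x86 v710 06_25
PID 1544
Application C:\Program Files\RegEditX\RxCrawler.exe
Description RegEditX Crawler 3.0

\REGISTRY\MACHINE\SAM\SAM

Process Trace
1 C:\Program Files\RegEditX\RxCrawler.exe [1544]
"C:\Program Files\RegEditX\rxcrawler.exe" -SingleInstance
2 C:\Windows\regedit.exe [4256]
regedit.exe
3 C:\Program Files\RegEditX\RegEditX.exe [3424]
4 C:\Windows\explorer.exe [5164]
5 C:\Windows\System32\userinit.exe [5576]
6 C:\Windows\System32\winlogon.exe [5708]
winlogon.exe
7 C:\Windows\System32\smss.exe [1424]
\SystemRoot\System32\smss.exe 00000000 0000004c

Thumbprint
eebfee85859808e7c4774d74e7e4095fd8f71735cd7abbf4ab79ce401862e5f2</Data>
</EventData>
</Event>"""

FIELD_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description) (.*)$")  # header fields
TRACE_RE = re.compile(r"^(\d+) (.+) \[(\d+)\]$")  # "1 C:\path\app.exe [1544]" trace entries

def parse_detail(detail):
    """Turn the free-text alert body (third <Data> element) into a dict."""
    rec = {"target": None, "thumbprint": None, "process_trace": []}
    section = None
    for line in (l.strip() for l in detail.splitlines()):
        m = FIELD_RE.match(line)
        if m and section is None:
            rec[m.group(1).lower()] = m.group(2)
        elif line in ("Process Trace", "Thumbprint"):
            section = line
        elif not line:
            section = None  # a blank line closes a section
        elif section == "Process Trace":
            t = TRACE_RE.match(line)  # command lines between entries have no trailing [pid]
            if t:
                rec["process_trace"].append((int(t.group(1)), t.group(2), int(t.group(3))))
        elif section == "Thumbprint":
            rec["thumbprint"] = line
        elif line.startswith("\\REGISTRY\\"):
            rec["target"] = line  # protected object, here the SAM hive
    rec["pid"] = int(rec.get("pid", 0))
    return rec

def parse_event(xml_text):
    """Parse one Event Viewer XML record, rejecting anything that is not an HMP.A ID 911 event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if system is None or system.findtext("e:EventID", namespaces=NS) != "911" or len(data) < 3:
        raise ValueError("not a HitmanPro.Alert mitigation event")
    rec = parse_detail(data[2])
    rec["record_id"] = int(system.findtext("e:EventRecordID", namespaces=NS))
    rec["computer"] = system.findtext("e:Computer", namespaces=NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")  # UTC; Event Viewer displays local time
    rec["time_utc"] = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return rec

def summarise(records):  # alerts per (mitigation, application); a repeating false positive stands out
    return Counter((r.get("mitigation"), r.get("application")) for r in records)

if __name__ == "__main__":
    rec = parse_event(SAMPLE_EVENT_XML)
    print(rec["mitigation"], rec["application"], rec["target"], rec["process_trace"])
```

Run as-is it parses the RegEditX record; to use it on your own alerts, paste the XML view of each event from Event Viewer into `parse_event` and feed the results to `summarise`, which tells you how often the same program trips the same mitigation. The timestamp in the XML is UTC, which is why it reads 21:29 while the Dutch Event Viewer text above shows 23:29 local time.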
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,533
    Location:
    The etherlands
    I've only seen it once (after an image restore to 603 beta), not since ... Also I don't use any VM.
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    495
    Did anyone on Windows 10 CU have trouble with patch tuesday?
    I needed to manually download and install the updates, and then it failed, with a BSOD.
    I uninstalled it, tried again without security softs, and it worked.
    Not sure if the problem was HMPA 710 or Kaspersky Internet Security 2018.
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,729
    Location:
    Among the gum trees
    No, not here.
     
  9. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,005
    Location:
    Europe then Asia
    No, but I disabled HMPA 710 Process Protections beforehand.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,533
    Location:
    The etherlands
    No problems, but I am on build 603 beta.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Change Vaccination from Active to Passive.
     
  12. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    Some applications want to find out if they are running in a VM or in a sandbox (="sandbox-aware"). If this happens, the mitigation Vaccination triggers an alert.
    It happened only once, so I guess you can leave it that way. Or follow the advice mentioned above: #286
     
  13. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    451
    Location:
    MalwareTips "Your Security Advisor"
    +1 :thumb:
     
  14. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    311
    I spoke too soon. Yesterday there were four "application errors" within a 60-minute time span, all like the following:
    Code:
    Faulting application name: IEXPLORE.EXE, version: 11.0.9600.18639, time stamp: 0x58d6bb0d
    Faulting module name: hmpalert.dll, version: 3.7.0.709, time stamp: 0x59316cee
    Exception code: 0xc0000005
    Fault offset: 0x0004e26f
    Faulting process id: 0x314
    Faulting application start time: 0x01d2e52a137b3c6c
    Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Faulting module path: C:\Windows\SysWOW64\hmpalert.dll
    Report Id: 529c5d9c-5150-11e7-b9a9-4c72b91da94f
     
  15. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    You are still running CTP3, maybe you can try it again with the newer beta: CTP 4
     
  16. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    451
    Location:
    MalwareTips "Your Security Advisor"
    +1 yeah he wasn't updated, good catch :thumb:
     
  17. tonino

    tonino Registered Member

    Joined:
    Jan 2, 2017
    Posts:
    58
    Location:
    somewhere
    Hi Erik!

    Mitigation CredGuard

    Platform 10.0.14393/x64 v710 06_25
    PID 5852
    Application C:\Program Files (x86)\Soft Organizer\HelperFor64Bits.exe
    Description HelperFor64Bits.exe

    \REGISTRY\MACHINE\SAM\SAM

    Process Trace
    1 C:\Program Files (x86)\Soft Organizer\HelperFor64Bits.exe [5852]
    RpcCapture RegSnapShot64CallParamsMmf-5116-74334976-103444527733
    2 C:\Program Files (x86)\Soft Organizer\SoftOrganizer.exe [5116]
    3 C:\Windows\explorer.exe [3680]
    4 C:\Windows\System32\userinit.exe [3412]

    Thumbprint
    6b4190af73c2d017cf3d7aa463df5c565f3cf041397d2b6db246a1cd41d0ee0b
     
  18. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,473
    Is there a way to whitelist my keyboard so I don't get a notification from the USB keyboard module with every login? Even if I disable the module, I still get the screen alert.
    I have an IR USB connected to a USB slot of the keyboard, which is used for the wireless mouse.
     
  19. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    311
    I am updated now to 710 and the crashes continue. :rolleyes:
    Code:
    Problem signature:
      Problem Event Name:    APPCRASH
      Application Name:    hmpalert.exe
      Application Version:    3.7.0.710
      Application Timestamp:    593adfaa
      Fault Module Name:    hmpalert.exe
      Fault Module Version:    3.7.0.710
      Fault Module Timestamp:    593adfaa
      Exception Code:    40000015
      Exception Offset:    0023c9f1
      OS Version:    6.1.7601.2.1.0.768.3
      Locale ID:    1033
      Additional Information 1:    202e
      Additional Information 2:    202ebd24078c8a8d508d256df40c3e2d
      Additional Information 3:    78ce
      Additional Information 4:    78ce6fce26317a4c02a360aaa8d5d037
    
    From the Event Viewer:
    Code:
    Faulting application name: hmpalert.exe, version: 3.7.0.710, time stamp: 0x593adfaa
    Faulting module name: hmpalert.exe, version: 3.7.0.710, time stamp: 0x593adfaa
    Exception code: 0x40000015
    Fault offset: 0x0023c9f1
    Faulting process id: 0xd74
    Faulting application start time: 0x01d2e6609fc2014e
    Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Faulting module path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Report Id: ea7d12aa-52e3-11e7-854a-4c72b91da94f
     
  20. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    136
    Location:
    Philippines
    Any way to reset the Alert counter?! It's piling up due to SBIE blocking...
     
  21. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    The only way to clean the number of Alerts is to clear the Windows Application Log in Windows Event Viewer.
     
  22. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    136
    Location:
    Philippines
    I've tried that, but after checking, the # alert count is still there... maybe I'm doing it wrong.
     
  23. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    Strange. Did you reboot after clearing the log?
     
  24. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,198
    Location:
    USA
    Alert when visiting flickr.com. F.P.? Using HMPA 3.7.0 710 CTP4.
     

  25. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    136
    Location:
    Philippines
    Only with Chrome and SBIE:

    Platform 10.0.14393/x64 v710 06_4e
    PID 12140
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 59

    Sweep

    Code Injection
    00000000008C0000-00000000008C6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1532]
    00000000008D0000-00000000008D1000 4KB
    00007FFAB9A19000-00007FFAB9A1A000 4KB
    000001C5A6940000-000001C5A6941000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7164]
    00007FFAB9A46000-00007FFAB9A47000 4KB
    00007FFAB9A48000-00007FFAB9A49000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [1532]
    2 C:\Windows\System32\services.exe [932]
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7164]
    2 C:\Windows\explorer.exe [5608]
    3 C:\Windows\System32\userinit.exe [5260]

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [12140]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604 --primordial-pipe-token=0D4BA418C5F3C900700B2A1B687DD6EB --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visi
    2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7164]
    3 C:\Windows\explorer.exe [5608]
    4 C:\Windows\System32\userinit.exe [5260]
     