HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    119
    Location:
    Philippines
    After deleting, I restarted the HMP.A service...
     
  2. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,285
    If you can't see any HMP.A-related event in the Event Viewer, then I don't know where HMP.A is getting the number of alerts from :cautious:
     
  3. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    389
    Location:
    sweden
    The antivirus in this version of HMP.A is Sophos, I guess, and according to tests Sophos is mediocre. Anyone testing this AV to see if it is any better?
     
  4. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    684
    Location:
    Baden Germany
    Nope, in CTP4 it's still Bitdefender, Kaspersky and HitmanPro.
     
  5. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    634
    Multiple Sandboxie COM Services (DCOM) 5.20-alerts when starting Firefox 54.0 sandboxed.

    Code:
    Logboeknaam:   Application
    Bron:          HitmanPro.Alert
    Datum:         19-6-2017 12:56:54
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau:        Fout
    Trefwoorden:   Klassiek
    Gebruiker:     n.v.t.
    Computer:      ****
    Beschrijving:
    Mitigation   PrivGuard
    
    Platform     10.0.15063/x64 v710 06_17*
    PID          4696
    Application  C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
    Description  Sandboxie COM Services (DCOM) 5.20
    
    Sweep
    
    Code Injection
    00000000001B0000-00000000001B6000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [3612]
    00000000001C0000-00000000001C1000    4KB
    00007FFB40F49000-00007FFB40F4A000    4KB
    1  C:\Program Files\Sandboxie\SbieSvc.exe [3612]
    2  C:\Windows\System32\services.exe [692]
    3  C:\Windows\System32\wininit.exe [624]
    wininit.exe
    
    Process Trace
    1  C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [4696]
    2  C:\Program Files\Sandboxie\SandboxieRpcSs.exe [3060]
    3  C:\Program Files\Sandboxie\SbieSvc.exe [3612]
    4  C:\Windows\System32\services.exe [692]
    5  C:\Windows\System32\wininit.exe [624]
    wininit.exe
    
    Gebeurtenis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-06-19T10:56:54.910282900Z" />
        <EventRecordID>4024</EventRecordID>
        <Channel>Application</Channel>
        <Computer>sjaak2-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe</Data>
        <Data>PrivGuard</Data>
        <Data>Mitigation   PrivGuard
    
    Platform     10.0.15063/x64 v710 06_17*
    PID          4696
    Application  C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
    Description  Sandboxie COM Services (DCOM) 5.20
    
    Sweep
    
    Code Injection
    00000000001B0000-00000000001B6000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [3612]
    00000000001C0000-00000000001C1000    4KB
    00007FFB40F49000-00007FFB40F4A000    4KB
    1  C:\Program Files\Sandboxie\SbieSvc.exe [3612]
    2  C:\Windows\System32\services.exe [692]
    3  C:\Windows\System32\wininit.exe [624]
    wininit.exe
    
    Process Trace
    1  C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [4696]
    2  C:\Program Files\Sandboxie\SandboxieRpcSs.exe [3060]
    3  C:\Program Files\Sandboxie\SbieSvc.exe [3612]
    4  C:\Windows\System32\services.exe [692]
    5  C:\Windows\System32\wininit.exe [624]
    wininit.exe
    </Data>
      </EventData>
    </Event>
    
    And ~50% CPU usage with hmpalert 710 CTP4. Erik, do you want the hmpalert.dmp (via WeTransfer)?
    
    
    Win10 1703 build 15063.332 x64/Norton Security v22.9.4.8
     
    Last edited by a moderator: Jun 19, 2017
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    634
    A sandboxed Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe-alert with Sandboxie 5.20 and build 710 CTP4.

    Code:
    Logboeknaam:   Application
    Bron:          HitmanPro.Alert
    Datum:         19-6-2017 13:23:02
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau:        Fout
    Trefwoorden:   Klassiek
    Gebruiker:     n.v.t.
    Computer:      ****
    Beschrijving:
    Mitigation   PrivGuard
    
    Platform     10.0.15063/x64 v710 06_17*
    PID          6640
    Application  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Description  Adobe RdrCEF 17.9
    
    Sweep
    
    Code Injection
    0000000000940000-0000000000946000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [3612]
    0000000000950000-0000000000951000    4KB
    00007FFB40F49000-00007FFB40F4A000    4KB
    1  C:\Program Files\Sandboxie\SbieSvc.exe [3612]
    2  C:\Windows\System32\services.exe [692]
    3  C:\Windows\System32\wininit.exe [624]
    wininit.exe
    
    Process Trace
    1  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe [6640]
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --primordial-pipe-token=E782BF0AACF5E65C73BC61EF128A3712 --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.lo
    2  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe [5500]
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=5066061
    3  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe [4472]
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\sjaak2\Desktop\Verlopenreisdocument.pdf"
    4  C:\Windows\explorer.exe [7420]
    5  C:\Windows\System32\userinit.exe [7412]
    6  C:\Windows\System32\winlogon.exe [8004]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    7  C:\Windows\System32\smss.exe [7564]
    \SystemRoot\System32\smss.exe 000000d0 00000080 C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    
    Gebeurtenis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-06-19T11:23:02.722103100Z" />
        <EventRecordID>4049</EventRecordID>
        <Channel>Application</Channel>
        <Computer>****</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe</Data>
        <Data>PrivGuard</Data>
        <Data>Mitigation   PrivGuard
    
    Platform     10.0.15063/x64 v710 06_17*
    PID          6640
    Application  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Description  Adobe RdrCEF 17.9
    
    Sweep
    
    Code Injection
    0000000000940000-0000000000946000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [3612]
    0000000000950000-0000000000951000    4KB
    00007FFB40F49000-00007FFB40F4A000    4KB
    1  C:\Program Files\Sandboxie\SbieSvc.exe [3612]
    2  C:\Windows\System32\services.exe [692]
    3  C:\Windows\System32\wininit.exe [624]
    wininit.exe
    
    Process Trace
    1  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe [6640]
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --primordial-pipe-token=E782BF0AACF5E65C73BC61EF128A3712 --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.lo
    2  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe [5500]
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=5066061
    3  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe [4472]
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\sjaak2\Desktop\Verlopenreisdocument.pdf"
    4  C:\Windows\explorer.exe [7420]
    5  C:\Windows\System32\userinit.exe [7412]
    6  C:\Windows\System32\winlogon.exe [8004]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    7  C:\Windows\System32\smss.exe [7564]
    \SystemRoot\System32\smss.exe 000000d0 00000080 C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    </Data>
      </EventData>
    </Event>
     
    Last edited by a moderator: Jun 19, 2017
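    The two Event Viewer entries posted above share one layout: provider HitmanPro.Alert, Event ID 911, and three Data fields (the application path, the mitigation name, and the free-text details with the Code Injection regions and the Process Trace). The parser below is an added example written for this thread, not code from HitmanPro.Alert or Sophos. It pulls those fields out of the event XML and, as a defender-side triage step, checks whether the module that injected the flagged regions belongs to Sandboxie's service (SbieSvc.exe), which is what both posted alerts show. The sample XML is trimmed from the SandboxieDcomLaunch.exe event above with the computer name replaced; the returned field names and the KNOWN_SANDBOX_INJECTORS allow-list are my own assumptions.

```python
"""HitmanPro.Alert Mitigation event (ID 911) parser. Added example for this thread, not
HMP.A's own code: field names and KNOWN_SANDBOX_INJECTORS are assumptions; the XML and
details layout follow the events posted above."""
import ntpath  # Windows path handling, even when this runs on a non-Windows host
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HMPA_MITIGATION_EVENT_ID = 911               # Event ID of the posted mitigation events
KNOWN_SANDBOX_INJECTORS = {"sbiesvc.exe"}    # assumed: Sandboxie's service injects its hooks

# Constructed sample: trimmed from the SandboxieDcomLaunch.exe event above, computer name replaced.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <TimeCreated SystemTime="2017-06-19T10:56:54.910282900Z" />
    <Computer>example-PC</Computer>
  </System>
  <EventData>
    <Data>C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe</Data>
    <Data>PrivGuard</Data>
    <Data>Mitigation   PrivGuard

PID          4696
Application  C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
Description  Sandboxie COM Services (DCOM) 5.20

Code Injection
00000000001B0000-00000000001B6000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [3612]
00000000001C0000-00000000001C1000    4KB
1  C:\Program Files\Sandboxie\SbieSvc.exe [3612]
2  C:\Windows\System32\services.exe [692]
3  C:\Windows\System32\wininit.exe [624]
wininit.exe

Process Trace
1  C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [4696]
2  C:\Program Files\Sandboxie\SandboxieRpcSs.exe [3060]
3  C:\Program Files\Sandboxie\SbieSvc.exe [3612]
4  C:\Windows\System32\services.exe [692]
5  C:\Windows\System32\wininit.exe [624]
wininit.exe
</Data>
  </EventData>
</Event>"""

HEADER_RE = re.compile(r"^(\w+)\s{2,}(.*)$")       # "PID          4696"
REGION_RE = re.compile(r"^([0-9A-Fa-f]{16})-([0-9A-Fa-f]{16})\s+(\d+)KB(?:\s+(.+?) \[(\d+)\])?$")
PROC_RE = re.compile(r"^(\d+)\s+(.+?) \[(\d+)\]$")  # "3  C:\Windows\System32\wininit.exe [624]"


def _sections(text):
    """Blank-line separated blocks of the details text, as lists of non-empty lines."""
    blocks = [[ln.rstrip() for ln in c.splitlines() if ln.strip()] for c in re.split(r"\n\s*\n", text)]
    return [b for b in blocks if b]


def _region(line):
    """One injected region; only the first region line names the owning module and PID."""
    start, end, kb, src, pid = REGION_RE.match(line).groups()
    return {"start": int(start, 16), "end": int(end, 16), "size_kb": int(kb),
            "source": src, "source_pid": int(pid) if pid else None}


def _processes(lines):
    """'index  path [pid]' entries; an unnumbered line is the previous entry's command line."""
    procs = []
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            procs.append({"path": m.group(2), "pid": int(m.group(3)), "cmdline": None})
        elif procs and procs[-1]["cmdline"] is None:
            procs[-1]["cmdline"] = line
    return procs


def parse_hmpa_event(xml_text):
    """System fields plus the three Data fields (application, mitigation, free-text details)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = [d.text or "" for d in root.find("e:EventData", NS).findall("e:Data", NS)]
    event = {"provider": system.find("e:Provider", NS).get("Name"),
             "event_id": int(system.findtext("e:EventID", namespaces=NS)),
             "time": system.find("e:TimeCreated", NS).get("SystemTime"),
             "application": data[0] if data else None,
             "mitigation": data[1] if len(data) > 1 else None,
             "header": {}, "code_injection": [], "injector_chain": [], "process_trace": []}
    for lines in _sections(data[2] if len(data) > 2 else ""):
        if lines[0] == "Code Injection":       # injected regions, then the injector's ancestry
            event["code_injection"] = [_region(ln) for ln in lines[1:] if REGION_RE.match(ln)]
            event["injector_chain"] = _processes([ln for ln in lines[1:] if not REGION_RE.match(ln)])
        elif lines[0] == "Process Trace":      # ancestry of the mitigated process itself
            event["process_trace"] = _processes(lines[1:])
        else:                                  # two-column header lines (Mitigation, PID, ...)
            for m in filter(None, map(HEADER_RE.match, lines)):
                event["header"][m.group(1)] = m.group(2).strip()
    return event


def triage(event):
    """Defender-side first pass: is the injecting module a known sandbox component?"""
    if event["provider"] != "HitmanPro.Alert" or event["event_id"] != HMPA_MITIGATION_EVENT_ID:
        return "not-a-mitigation-event"
    names = {ntpath.basename(r["source"]).lower() for r in event["code_injection"] if r["source"]}
    if not names:
        return "no-attributed-injector"
    return "expected-sandbox" if names <= KNOWN_SANDBOX_INJECTORS else "unknown-injector"
```

The RdrCEF.exe alert in the post above has the same shape; its Process Trace just carries an extra command-line line under some entries, which the parser attaches to the preceding process. The allow-list is a triage aid, not a verdict: an event whose injecting module is not on it is what deserves a closer look, while the Sandboxie case explains why these alerts appear only for sandboxed programs.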
  7. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    389
    Location:
    sweden

    Source on that!

    That their scanner consists of them is a long-known fact, but that their AV would be the same now when they are owned by Sophos? Well, I don't know ;).
     
  8. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    398
    Location:
    Earth
    That's a very good point.
     
  9. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    448
    Location:
    Hengelo
    No, there is no antivirus inside HitmanPro.Alert, it's in the cloud. And the cloud contains Sophos, Kaspersky and Bitdefender.
    Sophos scores pretty good lately: https://www.av-test.org/en/antivirus/business-windows-client/windows-10/
    Details: https://www.av-test.org/en/antiviru...os-endpoint-security-and-control-10.7-171502/
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,913
    Location:
    Cape Town, South Africa
  11. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    389
    Location:
    sweden
    Thanks for clearing that up.

    Do you see the boot-up time as an issue to fix? For me it went from 34 sec to 52 when I tried these beta versions.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,659
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,913
    Location:
    Cape Town, South Africa
    I was wondering if they will issue a CTP5 fix soon. If so, I may stay on 603 till then.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,659
    Why? You don't have that protection in 603, so just turn it off.
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    1,913
    Location:
    Cape Town, South Africa
    I can confirm that Macrium Reflect now works for me on 710 CTP4, with Credential Theft Protection disabled.
     
  16. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,285
    Yep, turning it off fixes the issue. :)

    There are also some issues after sandboxed applications have been started ("Mitigation PrivGuard"). This should be fixed with turning off the Process Protection: "Local Privilege Mitigation".
    But we'll see if they implement a fix with the next version, so that the user doesn't have to turn it off/on every time.
     
  17. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    398
    Location:
    Earth
  18. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,434
    Is there a way to whitelist my keyboard so I don't get a notification from the USB keyboard module with every login? Even if I disable the module I still get the screen alert. I have an IR USB connected to a USB slot of the keyboard that is used for the wireless mouse.

    The beta is about to expire; how are you still testing it?
     
  19. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    805
    Location:
    Da mean streets of Brooklyn
    No, I would not say all Alerts are CredGuard. In fact, the CodeCave mitigation I got a while ago seems to be legit or at least a warning sign, and reminds me that even though this is test software, it's a security layer on my machine. The website whose downloader triggered it is still having issues, with no internet problems on my end. It is not possible to "sign in" on this site.

     
  20. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,285
    The website of the game developer?
     
  21. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    805
    Location:
    Da mean streets of Brooklyn
    mood, I have sent you a PM with the requested information and some additional details about the issue.
     
  22. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,434
    I had to uninstall
     
  23. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    254
    HMP.A build 603 is showing very high RAM usage on a Vista HP SP2 x64 system (two screenshots attached: HMPA more high RAM.jpg and HMPA more high RAM 2.jpg).

    Memory leak? Killing the two processes often (but not always) requires a reboot in order to bring HMP.A back to life. In the present case, they came back on their own, currently using 8,000K and 5,000K of RAM respectively.
     
  24. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    398
    Location:
    Earth
    Wow, that's insane usage for HMP.A. Mem leak is what would come to mind for sure.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,121
    Location:
    Among the gum trees
    Uninstalled CTP 4, reinstalled Build 604, and my start-up tone, plus other tones, are now working again.

    Weird that I am the only person who reported this but I don't know what's special about this machine.