HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    451
    Location:
    MalwareTips "Your Security Advisor"
    Don't feel alone, mine is mute too, I just haven't noticed it till now.
    I am ok with it not playing, but this is interesting that HMP.A would have that effect on the start or boot tone.
    Did you have to re-load them or did switching to 604 just remedy the issue?
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,729
    Location:
    Among the gum trees
    As soon as I uninstalled CTP4 it asked for a restart and the tone worked straight away after that.

    I had also noticed my daily scheduled HMP scan didn't produce a tone and my scheduled weekly backup with Macrium Reflect was the same.
     
  3. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    311
    Yep.

    And now, some hours later, HMP.A has crashed again, this time to the point where the "SYSTEM" process didn't respawn (the one associated with my PC's name is still listed in Task Manager):

    Code:
    - System
      - Provider
        [ Name]  Application Error
      - EventID 1000
        [ Qualifiers]  0
        Level 2
        Task 100
        Keywords 0x80000000000000
      - TimeCreated
        [ SystemTime]  2017-06-26T03:30:30.000Z
        EventRecordID 151780
        Channel Application
        Computer         -PC
        Security
    - EventData
        hmpalert.exe
        3.6.7.603
        593adfa1
        hmpalert.exe
        3.6.7.603
        593adfa1
        c0000005
        001fd8c0
        880
        01d2ed74376d4170
     
  4. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    451
    Location:
    MalwareTips "Your Security Advisor"
    Ok, thanks Krusty for the info.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,533
    Location:
    The etherlands
    Two recent PrivGuard alerts, both while opening Sandboxied Firefox:
    Code:
    Mitigation   PrivGuard
    
    Platform     10.0.15063/x64 v710 06_45
    PID          16820
    Application  C:\Windows\SysWOW64\dllhost.exe
    Description  COM Surrogate 10
    
    Sweep
    
    Code Injection
    0000000000760000-0000000000766000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [3512]
    0000000000770000-0000000000771000    4KB
    00007FFA4DD89000-00007FFA4DD8A000    4KB
    
    Process Trace
    1  C:\Windows\SysWOW64\dllhost.exe [16820]
    C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{1EF75F33-893B-4E8F-9655-C3D602BA4897}
    2  C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [18004]
    3  C:\Program Files\Sandboxie\SandboxieRpcSs.exe [13992]
    4  C:\Program Files\Sandboxie\SbieSvc.exe [3512]
    
    Code:
    Mitigation   PrivGuard
    
    Platform     10.0.15063/x64 v710 06_45
    PID          22844
    Application  C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome-nm-host.exe
    Description  rf-chrome-nm-host 8
    
    Sweep
    
    Code Injection
    00000000009F0000-00000000009F6000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [3656]
    0000000000D00000-0000000000D01000    4KB
    00007FFB8ECA9000-00007FFB8ECAA000    4KB
    
    Should I untick Local Privilege Mitigation? It only happens occasionally.

    Edit: Btw this is CTP4. And @mood I reread your post #316 now, so I'll switch that off for now.
     
    Last edited: Jun 26, 2017
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,533
    Location:
    The etherlands
  7. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    136
    Location:
    Philippines
    Every time with Chrome:

    Mitigation PrivGuard

    Platform 10.0.14393/x64 v710 06_4e
    PID 22304
    Application C:\Program Files\Sandboxie\SandboxieCrypto.exe
    Description Sandboxie COM Services (CryptSvc) 5.20

    Sweep

    Code Injection
    00000000001F0000-00000000001F6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [1908]
    0000000000520000-0000000000521000 4KB
    00007FFBE7159000-00007FFBE715A000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [1908]
    2 C:\Windows\System32\services.exe [940]
     
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,005
    Location:
    Europe then Asia
    Add it to HMPA exceptions
     
  9. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    136
    Location:
    Philippines
    @Umbra Thanks... Already added it after I got the warning; hopefully it will be fixed in the next update.
     
  10. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    746
     
  11. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    @subhrobhandari
    #335
    Do you have protected Windows Firewall Control with HMP.A?
    WFC was prevented from executing a dropped file in the temporary folder. If it is protected, this could explain the Lockdown Mitigation.
    The Credential Theft Protection is preventing the application from accessing \REGISTRY\MACHINE\SAM\SAM
    This is expected if the Mitigation is enabled.
    Is PrivaZer or any other application in the Process Trace a protected application?
     
  12. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    746
    Nope, WFC isn't protected there. In Privazer trace, only explorer is a protected application.
     
  13. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    I assume that the protection of Explorer.exe is leading to these kinds of Mitigations.
    You don't need to add explorer.exe to the list of Protected Applications:
     
  14. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    451
    Location:
    MalwareTips "Your Security Advisor"
    +1 I missed this one, very good to know :thumb:
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,533
    Location:
    The etherlands
    I use a utility WSCC (Windows System Control Center) to download and maintain Sysinternals and Nirsoft utilities.

    But now with CTP4, some Nirsoft utilities fail to install or update. I get a red 'Malware Blocked' fly-out top-right for about 9 utilities. Didn't happen with build 603. Is HMPA now doing a cloud scan?

    How can I bypass this check, or exclude these utilities (preferably at folder level)? I have tried unticking all Process Protection mitigations.

    Edit: Found it. Temporarily disabled Anti-Malware Protection. Doh.
     
    Last edited: Jul 1, 2017
  16. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    Yes this feature has been added with CTP 1.
    Excluding isn't possible but it will be added:
     
  17. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    451
    Location:
    MalwareTips "Your Security Advisor"
    HMP.A is now detecting WFC (Windows Firewall Control) as Razzy infection and borking its service.
    I added it to exclusion and rebooted and it grabbed it again and trashed the service for WFC so needless
    to say I had to kill HMP.A to get my internet connectivity back working.
    Easy to replicate just install WFC with HMP.A 710 CTP 4 and watch the detection.
    For now, even though I am a paid subscriber I am uninstalling HMP.A and patiently
    await a solution. Keep up the awesome work guys :thumb:
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,568
    Location:
    USA
    No doubt this will be worked out in the new v3.7 build, but for now if you run the stable release (3.6.7 build 604) you will not have this problem. :thumb:
     
  19. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    451
    Location:
    MalwareTips "Your Security Advisor"
    I didn't know 604 is minus this issue. I will try it, thanks brother.
     
  20. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,895
    Is the Realtime Protection of HMP.A detecting it? I think you have seen something like this: "Gen:Variant.Razy" :doubt:
    If yes, this is caused by the Realtime Protection of HMP.A. You can't make exclusions for it but it will be soon possible.
    Switch to Build 604 (which doesn't have the Realtime Protection), or you can install CTP 4 and try to disable the Realtime Protection.
    After they have released a new build you will be able to exclude the file or even the whole folder.
     
  21. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    451
    Location:
    MalwareTips "Your Security Advisor"
    Ok will do, thanks for that valuable heads up mood :thumb:
    I will switch to 604 till the update, then I will switch back to the CTP builds. PeAcE
     
  22. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    252
    Location:
    united kingdom
    Hey bro, I'm using WFC with CTP4 and not getting this issue.

    Update: My mistake, not running latest ver. of WFC, 4.9.9.1. Updated and immediately got the same problem as @CyberGhosT.
    As per @mood advice I disabled Anti-Malware in CTP4 and _wfc service could be started.
     
    Last edited: Jul 2, 2017
  23. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    49
    I rebooted into Build 604 a couple of days ago and have not experienced any issues.
     
  24. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    451
    Location:
    MalwareTips "Your Security Advisor"
    +1 :thumb:
     
  25. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    660
    Back to build 604 (from 710). Getting into a(n) (infinite?) loop with Sandboxie COM Services (DCOM) 5.20 PrivGuard alerts. Alert > Close > Alert > Close > Alert > Close...

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 8-7-2017 8:38:56
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation PrivGuard

    Platform 10.0.15063/x64 v710 06_17*
    PID 5696
    Application C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
    Description Sandboxie COM Services (DCOM) 5.20

    Sweep

    Code Injection
    0000000000710000-0000000000716000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2984]
    0000000000720000-0000000000721000 4KB
    00007FF80E889000-00007FF80E88A000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [2984]
    2 C:\Windows\System32\services.exe [688]
    3 C:\Windows\System32\wininit.exe [620]
    wininit.exe

    Process Trace
    1 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [5696]
    2 C:\Program Files\Sandboxie\SandboxieRpcSs.exe [5172]
    3 C:\Program Files\Sandboxie\SbieSvc.exe [2984]
    4 C:\Windows\System32\services.exe [688]
    5 C:\Windows\System32\wininit.exe [620]
    wininit.exe

    Gebeurtenis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-07-08T06:38:56.729886200Z" />
    <EventRecordID>4289</EventRecordID>
    <Channel>Application</Channel>
    <Computer>****</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe</Data>
    <Data>PrivGuard</Data>
    <Data>Mitigation PrivGuard

    Platform 10.0.15063/x64 v710 06_17*
    PID 5696
    Application C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
    Description Sandboxie COM Services (DCOM) 5.20

    Sweep

    Code Injection
    0000000000710000-0000000000716000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2984]
    0000000000720000-0000000000721000 4KB
    00007FF80E889000-00007FF80E88A000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [2984]
    2 C:\Windows\System32\services.exe [688]
    3 C:\Windows\System32\wininit.exe [620]
    wininit.exe

    Process Trace
    1 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [5696]
    2 C:\Program Files\Sandboxie\SandboxieRpcSs.exe [5172]
    3 C:\Program Files\Sandboxie\SbieSvc.exe [2984]
    4 C:\Windows\System32\services.exe [688]
    5 C:\Windows\System32\wininit.exe [620]
    wininit.exe
    </Data>
    </EventData>
    </Event>
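The PrivGuard event above is written to the Application log as HitmanPro.Alert EventID 911, with the full mitigation report carried as the third <Data> element. The following is an added example (not code from the thread, from HitmanPro.Alert or from Sophos/SurfRight) showing how a defender can pull that report out of the Event XML into structured fields (mitigation, application, PID, injected regions and their source process, process trace) and then spot a repeating alert like the Alert > Close > Alert loop deugniet describes. It assumes the <Data> layout seen in the quoted XML (path, mitigation name, report text) and the section headers "Sweep", "Code Injection" and "Process Trace"; the sample event is constructed from the quoted XML with the machine name left redacted.

```python
"""Parse HitmanPro.Alert mitigation events (EventID 911) from Windows Event XML.

Added example, not part of the forum thread or of HitmanPro.Alert itself.
Assumption: EventData holds three <Data> elements in the order seen in the
thread: application path, mitigation name, free-text mitigation report.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SECTION_HEADERS = ("Sweep", "Code Injection", "Process Trace")
KEY_LINE = re.compile(r"^(Mitigation|Platform|PID|Application|Description)\s+(.*)$")
TRACE_LINE = re.compile(r"^\d+\s+(.+?)\s+\[(\d+)\]$")
RANGE_LINE = re.compile(
    r"^([0-9A-Fa-f]{16})-([0-9A-Fa-f]{16})\s+(\d+)KB(?:\s+(.+?)\s+\[(\d+)\])?$")

# Constructed sample: a trimmed copy of the PrivGuard event quoted in the thread.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="HitmanPro.Alert" />
<EventID Qualifiers="0">911</EventID>
<Level>2</Level>
<TimeCreated SystemTime="2017-07-08T06:38:56.729886200Z" />
<EventRecordID>4289</EventRecordID>
<Channel>Application</Channel>
<Computer>****</Computer>
</System>
<EventData>
<Data>C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe</Data>
<Data>PrivGuard</Data>
<Data>Mitigation PrivGuard

Platform 10.0.15063/x64 v710 06_17*
PID 5696
Application C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
Description Sandboxie COM Services (DCOM) 5.20

Sweep

Code Injection
0000000000710000-0000000000716000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2984]
0000000000720000-0000000000721000 4KB
00007FF80E889000-00007FF80E88A000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [2984]
2 C:\Windows\System32\services.exe [688]
3 C:\Windows\System32\wininit.exe [620]
wininit.exe

Process Trace
1 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [5696]
2 C:\Program Files\Sandboxie\SandboxieRpcSs.exe [5172]
3 C:\Program Files\Sandboxie\SbieSvc.exe [2984]
4 C:\Windows\System32\services.exe [688]
5 C:\Windows\System32\wininit.exe [620]
wininit.exe
</Data>
</EventData>
</Event>"""


def parse_report(report):
    """Split the free-text report into header fields and named sections."""
    fields, sections, current = {}, {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = line
            sections[current] = []
            continue
        m = KEY_LINE.match(line)
        if current is None and m:
            fields[m.group(1)] = m.group(2)
        elif current is not None:
            sections[current].append(line)
    return fields, sections


def parse_event(xml_text):
    """Return a dict with the system fields and the parsed mitigation report."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    fields, sections = parse_report(data[2] if len(data) > 2 else "")
    # Injected regions: range, size, and (when known) the process that wrote them.
    injections = []
    for line in sections.get("Code Injection", []):
        m = RANGE_LINE.match(line)
        if m:
            start, _end, kb, src, src_pid = m.groups()
            injections.append({"start": int(start, 16), "size_kb": int(kb),
                               "source": src,
                               "source_pid": int(src_pid) if src_pid else None})
    # Process trace: only the numbered "path [pid]" lines; stray names are skipped.
    trace = [(m.group(1), int(m.group(2)))
             for m in map(TRACE_LINE.match, sections.get("Process Trace", [])) if m]
    return {
        "provider": sysnode.find("e:Provider", NS).get("Name"),
        "event_id": int(sysnode.find("e:EventID", NS).text),
        "record_id": int(sysnode.find("e:EventRecordID", NS).text),
        "time": sysnode.find("e:TimeCreated", NS).get("SystemTime"),
        "mitigation": fields.get("Mitigation"),
        "application": fields.get("Application"),
        "pid": int(fields["PID"]) if "PID" in fields else None,
        "injections": injections,
        "process_trace": trace,
    }


def find_alert_loops(events, threshold=3):
    """Flag (mitigation, application) pairs that repeat at least `threshold` times."""
    counts = Counter((e["mitigation"], e["application"]) for e in events)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(ev["mitigation"], ev["application"], ev["pid"])
    for inj in ev["injections"]:
        print(hex(inj["start"]), inj["size_kb"], "KB from", inj["source"])
    print("loops:", find_alert_loops([ev] * 4))
```

Run against a real export, read events from Get-WinEvent or the saved .evtx as XML and feed each to parse_event; a (mitigation, application) pair that keeps coming back from the same source process is the signal that an exclusion (or a vendor fix) is needed rather than another click on Close.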
     