HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    W7x64: Installed build 718 Beta over build 604, no issues whatsoever!
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @markloman - with 719 beta pulled, is it OK to go back to 718 beta? Or is a fixed beta imminent?
     
  3. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Build 720 will be out on Monday.
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    :thumb:
     
  5. plat1098

    plat1098 Guest

    First little run-in w/Sandboxie. I run a bad browser (Internet Explorer) due to very limited C space (80 GB). I've excluded some of the Sbie stuff in HMP Alert's interface. :) After the scan was complete, Alert unfortunately froze and had to be force-closed. Only the browser was open.

    [attachment: mitigation PrivGuard.PNG]

    [attachment: hmpa hang.PNG]

    This is Alert beta 719; I see an updated Alert beta is coming out in a few days. OK.
     
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    PrivGuard-mitigation build 718 beta, Firefox 56.0 and Sandboxie beta 5.21.6.

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 22-10-2017 13:22:30
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: ****
    Description:
    Mitigation PrivGuard

    Platform 10.0.16299/x64 v718 06_17*
    PID 1912
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 56

    Sweep

    Code Injection
    0000000000460000-0000000000466000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [10932]
    0000000000470000-0000000000471000 4KB
    00007FFF78F79000-00007FFF78F7A000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [10932]
    2 C:\Windows\System32\services.exe [772]

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [1912]
    2 C:\Program Files\Sandboxie\Start.exe [5444]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.lnk"
    3 C:\Program Files\Sandboxie\SbieSvc.exe [10932]
    4 C:\Windows\System32\services.exe [772]

    Event XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-10-22T11:22:30.237691700Z" />
    <EventRecordID>369</EventRecordID>
    <Channel>Application</Channel>
    <Computer>****</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files\Mozilla Firefox\firefox.exe</Data>
    <Data>PrivGuard</Data>
    <Data>Mitigation PrivGuard

    Platform 10.0.16299/x64 v718 06_17*
    PID 1912
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 56

    Sweep

    Code Injection
    0000000000460000-0000000000466000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [10932]
    0000000000470000-0000000000471000 4KB
    00007FFF78F79000-00007FFF78F7A000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [10932]
    2 C:\Windows\System32\services.exe [772]

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [1912]
    2 C:\Program Files\Sandboxie\Start.exe [5444]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.lnk"
    3 C:\Program Files\Sandboxie\SbieSvc.exe [10932]
    4 C:\Windows\System32\services.exe [772]
    </Data>
    </EventData>
    </Event>

    Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41
     
  7. CaptainLeonidasHMPA

    CaptainLeonidasHMPA Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    42
    Location:
    The Netherlands
    Hmm, wonder which Monday ....

    No "http://test.hitmanpro.com/hmpalert3b720.exe" so far.
     
    Last edited by a moderator: Oct 23, 2017
  8. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.7.0 build 720 BETA

    Changelog (compared to build 718)
    • Added automatic protection of Microsoft Outlook (under the Office category) to defend against e.g. DDE attacks embedded in the body of malicious emails or calendar invites. More info here: https://nakedsecurity.sophos.com/2017/10/22/office-dde-attack-works-in-outlook-too-heres-what-to-do/
    • Fixed compatibility issue with certain .NET applications (incl. AdGuard and SimpleDNSCrypt).
    • Fixed Application Lockdown, which accidentally no longer blocked e.g. malicious PowerShell scripts launched from Microsoft Word or Internet Explorer. It was broken since beta build 714.
    Download
    This build includes Microsoft co-signed drivers and runs on Secure Boot as well.

    Please let us know how this build runs on your machine. Thanks :thumb:
     
  9. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
  10. CaptainLeonidasHMPA

    CaptainLeonidasHMPA Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    42
    Location:
    The Netherlands
    Upgraded to the new beta:
    Guess not fixed yet.

    When opening "Device Manager":
    Mitigation APCViolation

    Platform 10.0.16299/x64 v720 06_3f
    PID 11180
    Application C:\Windows\SysWOW64\dllhost.exe
    Description COM Surrogate 10

    APC intercepted:
    003F0080 55 PUSH EBP
    003F0081 8bec MOV EBP, ESP
    003F0083 8b4d08 MOV ECX, [EBP+0x8]
    003F0086 83ec08 SUB ESP, 0x8
    003F0089 85c9 TEST ECX, ECX
    003F008B 7439 JZ 0x3f00c6
    003F008D 0fb711 MOVZX EDX, WORD [ECX]
    003F0090 6685d2 TEST DX, DX
    003F0093 7431 JZ 0x3f00c6
    003F0095 56 PUSH ESI
    003F0096 8b7104 MOV ESI, [ECX+0x4]
    003F0099 83fe18 CMP ESI, 0x18
    003F009C 7227 JB 0x3f00c5
    003F009E 8b4108 MOV EAX, [ECX+0x8]
    003F00A1 0b410c OR EAX, [ECX+0xc]
    003F00A4 741f JZ 0x3f00c5

    Thumbprint
    efc68f679465dc215fe731acb0a43efff0760166631a49fee7cdf039f07ae0d0


    When starting "Windows Device Recovery Tool":
    Mitigation APCViolation

    Platform 10.0.16299/x64 v720 06_3f
    PID 12196
    Application C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool\WindowsDeviceRecoveryTool.exe
    Description Windows Device Recovery Tool 3.12

    APC intercepted:
    00D10080 55 PUSH EBP
    00D10081 8bec MOV EBP, ESP
    00D10083 8b4d08 MOV ECX, [EBP+0x8]
    00D10086 83ec08 SUB ESP, 0x8
    00D10089 85c9 TEST ECX, ECX
    00D1008B 7439 JZ 0xd100c6
    00D1008D 0fb711 MOVZX EDX, WORD [ECX]
    00D10090 6685d2 TEST DX, DX
    00D10093 7431 JZ 0xd100c6
    00D10095 56 PUSH ESI
    00D10096 8b7104 MOV ESI, [ECX+0x4]
    00D10099 83fe18 CMP ESI, 0x18
    00D1009C 7227 JB 0xd100c5
    00D1009E 8b4108 MOV EAX, [ECX+0x8]
    00D100A1 0b410c OR EAX, [ECX+0xc]
    00D100A4 741f JZ 0xd100c5

    Process Trace
    1 C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool\WindowsDeviceRecoveryTool.exe [12196]
    2 C:\Windows\explorer.exe [7904]
    3 C:\Windows\System32\userinit.exe [7612]

    Thumbprint
    1d904e3163b2645b8f5aa2bb1225d0a3b02bdf4d72ce039ebde062340a206c8d


    The .NET issue I mentioned usually would pop up after a certain time when the PC was not in active use, so no idea if that is fixed.

    Wondering if these are EM64T/AMD64 related issues.
    Just to add: all my systems run 64-bit versions of the OS.
     
    Last edited: Oct 23, 2017
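The PrivGuard event posted earlier in this thread and the two APCViolation reports in this post share one text layout: a "Mitigation <name>" line, a Platform/PID/Application/Description header, then blank-line-separated sections (Code Injection, APC intercepted, Process Trace, Thumbprint). The Python below is an added example, not code from HitmanPro.Alert or Sophos. It parses that payload (the event Message, which is also the third <Data> element of the Event XML shown above) into the fields worth comparing before deciding on an exclusion. The sample strings are constructed from the reports in this thread, with the disassembly cut to its first four instructions and the second report's process trace omitted. The fingerprint helper hashes the instruction bytes and ignores the addresses: in the two listings posted here the bytes are identical although the routine sits at 0x3F0080 in dllhost.exe and at 0xD10080 in WindowsDeviceRecoveryTool.exe, which says the same code was queued into both processes even though the HMPA thumbprints differ.

```python
# Parse the text payload of a HitmanPro.Alert mitigation event (Application log,
# provider "HitmanPro.Alert", Event ID 911).  Added example, not HMPA code.
# Samples are constructed from the PrivGuard/APCViolation reports in this thread.
import hashlib
import re

PROC_LINE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")              # N image [pid]
REGION_LINE = re.compile(r"^([0-9A-Fa-f]+)-([0-9A-Fa-f]+)\s+(\d+)KB(?:\s+(.+?)\s+\[(\d+)\])?$")
ASM_LINE = re.compile(r"^([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(.+)$")  # addr bytes mnemonic

PRIVGUARD = r"""Mitigation PrivGuard

Platform 10.0.16299/x64 v718 06_17*
PID 1912
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 56

Code Injection
0000000000460000-0000000000466000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [10932]
0000000000470000-0000000000471000 4KB
1 C:\Program Files\Sandboxie\SbieSvc.exe [10932]
2 C:\Windows\System32\services.exe [772]

Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [1912]
2 C:\Program Files\Sandboxie\Start.exe [5444]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.lnk"
3 C:\Program Files\Sandboxie\SbieSvc.exe [10932]
4 C:\Windows\System32\services.exe [772]"""

APC_DLLHOST = r"""Mitigation APCViolation

Platform 10.0.16299/x64 v720 06_3f
PID 11180
Application C:\Windows\SysWOW64\dllhost.exe
Description COM Surrogate 10

APC intercepted:
003F0080 55 PUSH EBP
003F0081 8bec MOV EBP, ESP
003F0083 8b4d08 MOV ECX, [EBP+0x8]
003F0086 83ec08 SUB ESP, 0x8

Thumbprint
efc68f679465dc215fe731acb0a43efff0760166631a49fee7cdf039f07ae0d0"""

APC_WDRT = r"""Mitigation APCViolation

Platform 10.0.16299/x64 v720 06_3f
PID 12196
Application C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool\WindowsDeviceRecoveryTool.exe
Description Windows Device Recovery Tool 3.12

APC intercepted:
00D10080 55 PUSH EBP
00D10081 8bec MOV EBP, ESP
00D10083 8b4d08 MOV ECX, [EBP+0x8]
00D10086 83ec08 SUB ESP, 0x8

Thumbprint
1d904e3163b2645b8f5aa2bb1225d0a3b02bdf4d72ce039ebde062340a206c8d"""


def parse_event(text):
    # Blank-line-separated blocks: "Mitigation <name>", header key/values, titled sections.
    blocks = [b.splitlines() for b in re.split(r"\n[ \t]*\n", text.strip())]
    return {"mitigation": blocks[0][0].split(None, 1)[1],
            "header": dict(line.split(None, 1) for line in blocks[1]),
            "sections": {b[0].rstrip(":"): b[1:] for b in blocks[2:]}}


def process_trace(event):
    # Creator chain, innermost first.  A line that is not "N image [pid]" is the
    # command line HMPA prints on its own line under the preceding entry.
    trace = []
    for line in event["sections"].get("Process Trace", []):
        m = PROC_LINE.match(line)
        if m:
            trace.append({"image": m.group(2), "pid": int(m.group(3)), "cmdline": None})
        elif trace:
            trace[-1]["cmdline"] = line
    return trace


def injectors(event):
    # (image, pid, size_kb) for each foreign region whose owner HMPA could name.
    hits = [REGION_LINE.match(l) for l in event["sections"].get("Code Injection", [])]
    return [(m.group(4), int(m.group(5)), int(m.group(3))) for m in hits if m and m.group(4)]


def apc_fingerprint(event):
    # SHA-256 of the intercepted routine's instruction bytes, addresses ignored,
    # so one stub seen at different bases in different processes hashes the same.
    asm = [ASM_LINE.match(l) for l in event["sections"].get("APC intercepted", [])]
    code = b"".join(bytes.fromhex(m.group(2)) for m in asm if m)
    return hashlib.sha256(code).hexdigest() if code else None


def summarize(event):
    # The fields to compare across reports before deciding on an exclusion.
    return {"mitigation": event["mitigation"], "target": event["header"]["Application"],
            "injected_by": sorted({img for img, _, _ in injectors(event)}),
            "parents": [e["image"] for e in process_trace(event)][1:],
            "thumbprint": (event["sections"].get("Thumbprint") or [None])[0],
            "apc_code_sha256": apc_fingerprint(event)}
```

On a live machine the same text is the Message of each 911 event, e.g. from `Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='HitmanPro.Alert'; Id=911}` in PowerShell; feed each Message to `parse_event` and group the results by `injected_by` or `apc_code_sha256` rather than by thumbprint to see how many distinct components are actually tripping a mitigation.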
  11. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    In order to start Cyberghost VPN Service or Zemana AM Service, it is necessary to add CG6Service.exe and zam.exe to the Mitigation Exploit Exclusions.
     
  12. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    W7x64 Prof.: Installed build 720 Beta over build 718 Beta, no issues whatsoever!
     
  13. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    Upgraded build 720 Beta over 718. All working well.

    Win 10 64 F-secure Appguard.
     
  14. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems upgrading build 720 beta.

    Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41
     
  15. guest

    guest Guest

    Can anyone try to use Windows Backup & Restore with it, and tell me if the backup is blocked during its course or not?
     
  16. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    I've just released a new data update for HitmanPro.Alert. You should get it automatically within the next 4 hours. The issues you mentioned should automatically get fixed. You could also restart the machine to force an update of the data file.
     
  17. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    No issue opening device manager, on my notebook.
    Maybe WIN8.1 is not affected, or I already got the data update.

    Version number does not change, right?
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Build 720 installs without issue on Win 10 Pro x64 v1709 16299.19.
    +1
    I am not using that, but it opens OK ...
     
  19. plat1098

    plat1098 Guest

    Just requesting some clarification here w/Alert 720: Sandboxie.exe was excluded; however, the Sbie icon is showing up under "exploit mitigations." Why is it displayed there with the protected apps?

    [attachment: hmpa applications.PNG]

    [attachment: sbie exclude.PNG]
     
  20. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Currently that is a known 'feature' ;)
     
  21. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Can you please explain what the issue is?

    Did you add these applications to Exploit mitigations and/or which alerts/behavior do they cause that you need to exclude them? Please post including thumbprint.
     
  22. guest

    guest Guest

    Not just opened, I need you to run it and see if the backup is not interrupted. Thanks, by the way, for testing ;)
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    If I turn it on, 'Backing up your data ...' so it seems to be working (?), but I have cancelled it now because I don't want the Windows backup.
     
  24. guest

    guest Guest

    @paulderdash you can cancel anytime, I just need to know if "backing up C" is proceeding. :)
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am betting Windows Backup will also fail, but if you are going to test it you have to run it ALL the way through. Most of the imaging failures I have seen happen at the very end.
     