HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    786
    Location:
    West Virginia (USA)
This is on Windows 10 x64 Pro, Build 16299.19 with Alert beta 720. It occurs when attempting to defrag the system registry using AVG's PC TuneUp. Any way to whitelist?


    - Provider
    [ Name] HitmanPro.Alert
    - EventID 911
    [ Qualifiers] 0
    Level 2
    Task 9
    Keywords 0x80000000000000
    - TimeCreated
    [ SystemTime] 2017-10-28T09:18:14.632557400Z
    EventRecordID 7297
    Channel Application
    Computer TomsSurfacePro
    Security
    -
    EventData
    C:\Program Files (x86)\AVG\AVG PC TuneUp\RegistryDefrag.exe
    CredGuard
    Mitigation CredGuard Platform 10.0.16299/x64 v720 06_3a PID 7904 Application C:\Program Files (x86)\AVG\AVG PC TuneUp\RegistryDefrag.exe Description AVG Registry Defrag 16.74.2 \REGISTRY\MACHINE\SAM\ Thumbprint 8529489fa92470b0e5adf9fafb47e74160e1904e4623d9e6d293ea74cdd2a7a71709
     
  2. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,044
    Location:
    Baden Germany
    Well done, Hitman :)
     
  3. CaptainLeonidasHMPA

    CaptainLeonidasHMPA Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    42
    Location:
    The Netherlands
Seems to me HMP.Alert is breaking more than it protects.

    Well done, guys... Well done indeed.

    I removed HMP.A from my up-to-date Windows 10 systems so at least I can work properly again.
    What a shame.....
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,863
    The Credential Theft Protection (CredGuard) is protecting a registry key which AVG PC TuneUp wants to access. Disabling of the mitigation should solve this issue.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
It will solve the issues. Guys, just turn off CredGuard. Candidly, I think they need to remove it.
     
  6. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
Almost the same problem here in FCU with 3.7.0.720 Beta:
     


  7. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    115
    Location:
    Netherlands
    Today I'm getting a red fly-out, it relates to the KMS server I run:
    Code:
    MalwareBlocked
    Mitigation MalwareBlocked Platform 10.0.16299/x64 v720 06_5e PID 840
    Application C:\ProgramData\KMSAutoS\bin\KMSSS.exe Description App/Generic-
    AC Process Trace 1 C:\Windows\System32\services.exe [840] 2
    C:\Windows\System32\wininit.exe [756] wininit.exe  
I've added the exe under the exceptions before but now it's showing up again. I know the file is clean; I've been using it for years.
    How to solve this?
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,863
The file was detected by the "Real-time Anti-Malware" feature, which currently doesn't provide a way to exclude files, but this is in preparation.
    The only solution is to disable the Real-time Antimalware protection if you want to execute the file.
     
  9. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    115
    Location:
    Netherlands
    Ah, ok. Where is the disable option? Can't find it in the GUI. :geek:
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
    Click Settings icon, top right.
    Select Advanced Interface.
    Click Anti-Malware tile.
    Select Disabled.
     
  11. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,033
PrivGuard mitigation, build 720 beta, Firefox 56.0.2 and Sandboxie 5.22.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 31-10-2017 10:02:44
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation PrivGuard

    Platform 10.0.16299/x64 v720 06_17*
    PID 5456
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 56.0.2

    Sweep

    Code Injection
    0000000000570000-0000000000576000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [6640]
    0000000000580000-0000000000581000 4KB
    00007FF9A1719000-00007FF9A171A000 4KB

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [5456]
    2 C:\Program Files\Sandboxie\Start.exe [7020]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.2.lnk"
    3 C:\Program Files\Sandboxie\SbieSvc.exe [6640]

    Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41
     
    Last edited: Oct 31, 2017
  12. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,033
    PrivGuard mitigation Build 720 beta, Firefox 56.0.2 and Sandboxie beta 5.21.7.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 30-10-2017 12:56:05
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation PrivGuard

    Platform 10.0.16299/x64 v720 06_17*
    PID 9020
    Application C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
    Description Sandboxie COM Services (DCOM) 5.21.7

    Sweep

    Code Injection
    0000000000D50000-0000000000D56000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [3296]
    0000000000D60000-0000000000D61000 4KB
    00007FF9A1719000-00007FF9A171A000 4KB

    Process Trace
    1 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [9020]
    2 C:\Program Files\Sandboxie\SandboxieRpcSs.exe [9788]
    3 C:\Program Files\Sandboxie\SbieSvc.exe [3296]

    Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41
     
    Last edited: Oct 31, 2017
  13. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,033
    CredGuard build 718 beta.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 30-10-2017 10:43:12
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation CredGuard

    Platform 10.0.16299/x64 v718 06_5e
    PID 5476
    Application C:\Windows\System32\SrTasks.exe
    Description Achtergrondtaken voor Microsoft® Windows Systeembeveiliging. 10

    SAM access denied.

    Range = LBA 1616856 :224
    Read = LBA 1616920 :56

    Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41
     
  14. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Not sure what is going on here, was trying to install Astah as I need it for my studies.

    Mitigation CodeCave

    Platform 10.0.16299/x64 v717 8f_01
    PID 7836
    Application C:\Users\sanya\AppData\Local\Temp\is-0GDP6.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp
    Description Setup/Uninstall

    Intersectional control flow detected!

    Process Trace
    1 C:\Users\sanya\AppData\Local\Temp\is-0GDP6.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp [7836]
    "C:\Users\sanya\AppData\Local\Temp\is-0GDP6.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp" /SL5="$30A72,92158849,569856,C:\Users\sanya\Downloads\astah-professional-7_2_0-1ff236-jre-64bit-setup.exe"
    2 C:\Users\sanya\Downloads\astah-professional-7_2_0-1ff236-jre-64bit-setup.exe [16140]
    3 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [10500]
    4 C:\Windows\explorer.exe [11704]
    5 C:\Windows\System32\userinit.exe [13780]
    6 C:\Windows\System32\winlogon.exe [7492]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    7 C:\Windows\System32\smss.exe [7500]
    \SystemRoot\System32\smss.exe 000001d8 00000080 C:\WINDOWS\System32\WinLogon.exe -SpecialSession

    Thumbprint
    37a1c59855a4c83de118d54424ab6cf74b1bf93f6de08b0a37bff1e7659618d2

    Is it safe to ignore this (false positive or benign)?

    Edit: I just created a new console application (c++) in Visual Studio and tried running a super basic application and I got another CodeCave alert. I'll just disable this mitigation considering the headache it's going to cause otherwise.
     
    Last edited: Nov 1, 2017
  15. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,033
    PrivGuard mitigation build 720 beta, Acrobat Reader DC and Sandboxie 5.22.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 1-11-2017 15:48:14
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation PrivGuard

    Platform 10.0.16299/x64 v720 06_5e
    PID 10176
    Application C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Description Adobe RdrCEF 17.12

    Sweep

    Code Injection
    0000000000DF0000-0000000000DF6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2360]
    0000000001140000-0000000001141000 4KB
    00007FFCD12C9000-00007FFCD12CA000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [2360]
    2 C:\Windows\System32\services.exe [884]
    3 C:\Windows\System32\wininit.exe [796]
    wininit.exe

    Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41
     
  16. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    115
    Location:
    Netherlands
    Thanks.

This evening EAM updated and everything looks to be OK, although the Event Viewer mentioned:
    Code:
    Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v720 06_5e
    PID          1480
    Application  C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
    Description  Emsisoft Protection Service 2017.9
    
    SAM access denied.
    
    Range = LBA 12498272 :128
    Read  = LBA 12498384 :8
    
    Thumbprint
    c5b6c71bb03e77b3bf36844029caf3a9e17aa21d7cea861a1a34cd3fdc7118bf
    Should I report this also to Emsisoft?
     
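The mitigation descriptions quoted throughout this thread (the CredGuard "SAM access denied" records, the PrivGuard "Code Injection" sweeps with their Process Trace, the MalwareBlocked fly-out) all share one text layout, and triaging a batch of them by hand is tedious. The parser below is an added example written for this thread, not HitmanPro.Alert's own code; the field layout is inferred only from the records posted here, and the two sample inputs are constructed from the CredGuard record in the post above and the PrivGuard/Sandboxie record earlier in the thread. The `trusted_injectors` list in `triage()` is an assumption: it stands for images the operator has deliberately installed and expects to inject (a sandbox or AV service), and is maintained by the operator, not the product.

```python
"""Parse HitmanPro.Alert mitigation event descriptions (Event ID 911) into records.

Added example for this thread, not HitmanPro.Alert's own code. Field layout is
inferred from the records quoted in the thread; samples are constructed from them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MitigationEvent:
    mitigation: str = ""
    platform: str = ""
    pid: Optional[int] = None
    application: str = ""
    description: str = ""
    thumbprint: str = ""
    # (start, end, size_kb, injecting_image or "") per "Code Injection" line
    injections: List[Tuple[int, int, int, str]] = field(default_factory=list)
    # [depth, image, pid, command_line] per "Process Trace" line
    process_trace: List[list] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)  # e.g. "SAM access denied."


FIELD_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description)\s+(.+?)$")
TRACE_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")
INJECT_RE = re.compile(r"^([0-9A-Fa-f]{16})-([0-9A-Fa-f]{16})\s+(\d+)KB(?:\s+(.+?)\s+\[\d+\])?$")
HEX64_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_event(text: str) -> MitigationEvent:
    """Turn one event description (as pasted from Event Viewer) into a record."""
    ev = MitigationEvent()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "pid":
                ev.pid = int(value)
            else:
                setattr(ev, key, value)
            continue
        if line in ("Code Injection", "Process Trace", "Thumbprint"):
            section = line
            continue
        m = INJECT_RE.match(line)
        if m:
            start, end, size_kb, image = m.groups()
            ev.injections.append((int(start, 16), int(end, 16), int(size_kb), image or ""))
            continue
        m = TRACE_RE.match(line)
        if m:  # trace entries sometimes appear without a "Process Trace" header
            depth, image, pid = m.groups()
            ev.process_trace.append([int(depth), image, int(pid), ""])
            section = "Process Trace"
            continue
        if section == "Process Trace" and ev.process_trace:
            ev.process_trace[-1][3] = line  # command line of the preceding entry
        elif section == "Thumbprint" and HEX64_RE.match(line):
            ev.thumbprint = line
        else:
            ev.notes.append(line)  # "Sweep", "SAM access denied.", LBA ranges, ...
    return ev


def injecting_images(ev: MitigationEvent) -> List[str]:
    """Distinct images the sweep attributed injected regions to."""
    return sorted({img for *_, img in ev.injections if img})


def triage(ev: MitigationEvent, trusted_injectors=()) -> str:
    """Defender-side first pass. trusted_injectors (assumed, operator-maintained):
    lower-cased image paths that are expected to inject, e.g. a sandbox or AV service."""
    if ev.mitigation == "CredGuard" and "SAM access denied." in ev.notes:
        return ("blocked read of the SAM hive by %s; in this thread seen from backup, "
                "registry-maintenance and AV tools, review the application" % ev.application)
    if ev.mitigation == "PrivGuard":
        images = injecting_images(ev)
        if images and all(i.lower() in trusted_injectors for i in images):
            return "code injected into %s by trusted image(s): %s" % (ev.application, ", ".join(images))
        return "unattributed or untrusted code injection into %s" % ev.application
    return "%s on %s: review manually" % (ev.mitigation, ev.application)


# Constructed sample: the CredGuard record from the post above.
CRED_SAMPLE = r"""
Mitigation   CredGuard

Platform     10.0.16299/x64 v720 06_5e
PID          1480
Application  C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
Description  Emsisoft Protection Service 2017.9

SAM access denied.

Range = LBA 12498272 :128
Read  = LBA 12498384 :8

Thumbprint
c5b6c71bb03e77b3bf36844029caf3a9e17aa21d7cea861a1a34cd3fdc7118bf
"""

# Constructed sample: the PrivGuard/Sandboxie record quoted earlier in the thread.
PRIV_SAMPLE = r"""
Mitigation PrivGuard

Platform 10.0.16299/x64 v720 06_17*
PID 5456
Application C:\Program Files\Mozilla Firefox\firefox.exe
Description Firefox 56.0.2

Sweep

Code Injection
0000000000570000-0000000000576000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [6640]
0000000000580000-0000000000581000 4KB
00007FF9A1719000-00007FF9A171A000 4KB

Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [5456]
2 C:\Program Files\Sandboxie\Start.exe [7020]
"C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.2.lnk"
3 C:\Program Files\Sandboxie\SbieSvc.exe [6640]
"""

if __name__ == "__main__":
    for sample in (CRED_SAMPLE, PRIV_SAMPLE):
        ev = parse_event(sample)
        print(ev.mitigation, ev.pid, ev.application)
        print("  ", triage(ev, trusted_injectors={r"c:\program files\sandboxie\sbiesvc.exe"}))
```

Paste the "Description" text of a 911 event into `parse_event()`; the thumbprint, injecting image and process trace come back as fields you can group on, so a dozen alerts from the same sandbox or AV service collapse into one line of triage instead of a dozen forum posts.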
  17. plat1098

    plat1098 Guest

    No. When I ran Emsisoft, I mutually excluded the other in each interface, specifically also running the Alert beta. Then, they ran very quietly and nicely together.
     
  18. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    115
    Location:
    Netherlands
Usually I exclude EAM etc. as well; this one I missed.
Never had any trouble before, so it never caught my attention. I'm going to exclude it :thumb:
     
  19. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    HitmanPro.Alert 3.7.0 build 721 Release Candidate

    Changelog (compared to build 720)
    • Improved Code Cave Mitigation.
• Improved Software Radar so it now also scans 'App path' for browsers. This will put Opera under Browsers instead of Office. It now also detects web browsers that can be installed by less-privileged normal users.
    • Improved VBScript God Mode protection on Windows 10 Creators Update (Redstone 2) and newer.
    • Improved Control Flow Integrity (CFI) on Windows 10 64-bit.
    • Fixed an incompatibility with an Internet Explorer browser plugin from Agricultural Bank of China.
    • Fixed an incompatibility with Internet Explorer browser plugins from South Korean SoftForum XecureWeb.
• Fixed an incompatibility between our APC Mitigation, that thwarts e.g. DoublePulsar and AtomBombing code injection, and Avast / AVG on Windows 10 Fall Creators Update only (Redstone 3). This also only affected specific applications installed by the end user. Note: Requires a secondary update in our cloud before this fix is completely operational. Please allow us until next week to complete this - no further manual update by the end user needed. Most Avast / AVG users wouldn't have noticed this incompatibility issue.
    • Fixed real-time protection against prevalent malware (anti-malware) on Windows XP.
    • Fixed a BSOD caused by BadUSB Protection, which could occur on specific hardware coming out of sleep.
    • Fixed several other minor issues.
    Important notices
1. Before uninstalling the existing 7xx build or upgrading to this build, please disable the Block Untrusted Fonts mitigation (which is disabled by default). This is because we removed the Block Untrusted Fonts mitigation, which is only available on Windows 10. This mitigation relied on a structure in Windows 10 which is no longer supported by Microsoft. More information: https://blogs.technet.microsoft.com...dropping-the-untrusted-font-blocking-setting/
    2. Furthermore, to start fresh, we recommend that you uninstall the existing version of HitmanPro.Alert and that you remove this folder from your machine before rebooting: C:\ProgramData\HitmanPro.Alert
    3. Credential Theft Protection is now default disabled. If you'd like to enable it, please do, as it protects against Mimikatz and similar attacks. But remember that if you want to make a full system backup of your Windows, you might need to temporarily disable this protection or your backup software may be unable to backup the Windows SAM database. We'll improve this in a future version.
    Download
    http://test.hitmanpro.com/hmpalert3b721.exe

    This version includes drivers co-signed by Microsoft and thus also runs on systems with Secure Boot enabled.

    Please let us know how this version runs on your system. Thanks! :thumb:
     
    Last edited: Nov 4, 2017
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Couple of excellent changes.


    Pete
     
  21. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    376
    Location:
    Planet Earth
    Can you retry this with the new build see if it still triggers an alert?
     
  22. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,033
    No problems upgrading build 721 RC.

    Win10 1709 build 16299.19 x64/Norton Security v22.11.0.41
     
  23. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,033
    PrivGuard mitigation build 721 RC, Firefox 56.0.2 and Sandboxie 5.22.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 3-11-2017 19:51:52
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation PrivGuard

    Platform 10.0.16299/x64 v721 06_17*
    PID 8168
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 56.0.2

    Sweep

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [8168]
    2 C:\Program Files\Sandboxie\Start.exe [7588]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\Public\Desktop\Firefox 56.0.2.lnk"
    3 C:\Program Files\Sandboxie\SbieSvc.exe [1976]
    4 C:\Windows\System32\services.exe [712]
     
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,335
    Location:
    the Netherlands
    I suppose where it says HitmanPro, it should say HitmanPro.Alert.
    Does this recommended cleanup apply to HitmanPro.Alert 3.7.0 beta only, or also to updating/upgrading 3.6.7.604 stable?
    If this recommended cleanup also applies to updating/upgrading 3.6.7.604 stable, the mentioned cleanup should be done automatically when later on the Release version is offered by automatic update.
     
  25. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    376
    Location:
    Planet Earth
    1) Yes that should read HitmanPro.Alert
2) Only applies to beta testers (normally it's not advised to stack betas on betas as internal changes can cause unexpected issues).
     