HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    The user interface showing that one or more mitigations are disabled for a certain application, or that certain system protections are partly disabled, that would be welcome, indeed.
    However, if mitigations are disabled with good reason for a certain application by default, that should be clear, so that the user knows it is not recommended to enable those mitigations.
     
  2. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
That is another argument, since not even the first one is ever taken into account :mad:...
     
  3. guest

    guest Guest

    The Realtime Anti-Malware Protection is calculating the hash of executables and is checking it with the cloud. There can be a small delay.
For example, after switching to my Downloads directory with my file manager, there is a delay while executables are displayed in the window.
    After turning the Protection off, the delay is gone.
     
  4. plat1098

    plat1098 Guest

    Running regedit:

[Attachment: regedit mitigation.PNG]
     
  5. guest

    guest Guest

    This is expected, you have accessed the registry tree: "HKEY_LOCAL_MACHINE\SAM\SAM"
    If you want to access the registry tree, disable the Credential Theft Protection temporarily.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    So it's possible to turn only this component off? I'm not into real-time scanning no matter if it's cloud based or not.
     
  7. plat1098

    plat1098 Guest

    mood, I just closed the Alert screen and continued editing registry without disruption. Are we supposed to report false alerts like this in here? If not, I'll stop posting these things.
     
  8. guest

    guest Guest

    After malware was detected, there is a flyout and the file can't be executed.
    But the feature can be turned off.
    Don't stop posting :eek::'(
    I also had this mitigation, it prevents you from accessing the registry keys. But editing other registry keys is still possible after the alert.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Why would you want to do that? It detects and blocks a high percentage of malware, and I've yet to see a false positive. All the exploit protection is also essentially real-time scanning.
     
  10. newone

    newone Registered Member

    Joined:
    Oct 14, 2006
    Posts:
    71
    Location:
    UK
Hi, installed CTP2, everything went well, no problems so far thankfully, thank you.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Can this 708 CTP2 just be installed over 602 beta?
     
  12. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    I reset the settings before reporting, did again. Same results. I will uninstall/reinstall to see if that fixes.

    Edit: Uninstall/reinstall fixed it.

    About MPC-BE, it was already in my exclusion list. Did check all mitigations and found it can be opened only when both "Hollow Process Mitigation" and "Credential Theft Protection" are disabled. Also under protected applications, all other mitigations except null page can be enabled. No need to exclude.
     
    Last edited: May 31, 2017
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Where is the option for doing that in HMPA?
     
  15. guest

    guest Guest

Some tools are identified as malware, but the user needs to execute them. Or some installers are identified as malware, for example Process Hacker.
    In this case the feature must be turned off temporarily.
     
  16. guest

    guest Guest

    Exploit Mitigations - Applications - Your applications, now scroll to the right, there you can see "Add exclusion":
[Attachment: HMPA - exclusion.png]
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you! They may want to put that somewhere easier to find, like on the Window you receive when you first click on Exploit Mitigation, or in the settings at the top right corner.
     
  18. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
Had this suddenly while only Gmail was open in incognito in FF.

    Mitigation ROP

    Platform 6.1.7601/x64 v708 06_2a
    PID 7260
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 53.0.3

    Callee Type ProtectVirtualMemory
    0x0000025E884EE000 (4096 bytes)

    Branch Trace Opcode To
    ---------------------------------------- -------- ----------------------------------------
    0x000007FED907E7F9 xul.dll RET 0x000007FED9005562 xul.dll

    0x000007FED96D1B26 xul.dll RET 0x000007FED907E7E4 xul.dll

    0x000007FED9166259 xul.dll RET 0x000007FED90053B6 xul.dll

    0x000007FED96D1B26 xul.dll RET 0x000007FED916624C xul.dll

    0x000007FED9003B39 xul.dll RET 0x000007FED9005348 xul.dll

    0x000007FED90F528A xul.dll RET 0x000007FED9005334 xul.dll

    0x000007FED90F5951 xul.dll RET 0x000007FED90F523F xul.dll

    memcpy +0x104 RET 0x000007FED90F599A xul.dll
    0x000007FEE71CC434 vcruntime140.dll

    memcpy +0x12f RET 0x000007FED90F58FD xul.dll
    0x000007FEE71CC45F vcruntime140.dll

    0x000007FED90F5A7E xul.dll RET 0x000007FED90F5875 xul.dll

    PeekMessageW +0xa7 RET* 0x000000013FF64664 firefox.exe
    0x000000007777907B user32.dll
    498b5b10 MOV RBX, [R11+0x10]
    498b6b18 MOV RBP, [R11+0x18]
    498b7320 MOV RSI, [R11+0x20]
    498be3 MOV RSP, R11
    5f POP RDI
    c3 RET


    SleepEx +0xfb ~ RET* 0x000000013FF64689 firefox.exe
    0x000007FEFD93124B KernelBase.dll
    57 PUSH RDI
    488d6c24f9 LEA RBP, [RSP-0x7]
    4881ece0000000 SUB RSP, 0xe0
    488b0573b90100 MOV RAX, [RIP+0x1b973]
    4833c4 XOR RAX, RSP
    488945f7 MOV [RBP-0x9], RAX
    4c8b7d6f MOV R15, [RBP+0x6f]
    418bf1 MOV ESI, R9D
    488b5d77 MOV RBX, [RBP+0x77]
    498bf8 MOV RDI, R8
    4c8b657f MOV R12, [RBP+0x7f]
    4c8bf2 MOV R14, RDX
    83f903 CMP ECX, 0x3
    740b JZ 0x13ff646c9
    c703220000c0 MOV DWORD [RBX], 0xc0000022
    e9ba000000 JMP 0x13ff64783
    ( 493BE98F1B77559)


    NtDelayExecution +0xa ~ RET SleepEx +0xb3
    0x00000000779CC07A ntdll.dll 0x000007FEFD931203 KernelBase.dll

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 000007FEFD941413 KernelBase.dll VirtualProtectEx +0x33
    2 000007FEFD9413CB KernelBase.dll VirtualProtect +0x1b

    3 000007FED93D2981 xul.dll
    85c0 TEST EAX, EAX
    743d JZ 0x7fed93d29c2
    488b0d64fb8c02 MOV RCX, [RIP+0x28cfb64]
    483bd9 CMP RBX, RCX
    0f822a984d00 JB 0x7fed98ac1bf
    4881c100000040 ADD RCX, 0x40000000
    483bf9 CMP RDI, RCX
    0f871a984d00 JA 0x7fed98ac1bf
    b001 MOV AL, 0x1
    488b5c2438 MOV RBX, [RSP+0x38]
    4883c420 ADD RSP, 0x20
    5f POP RDI
    c3 RET

    4 000007FED8EF06DA xul.dll
    5 000007FED900544F xul.dll
    6 000007FED90013AA xul.dll
    7 000007FED908EB04 xul.dll
    8 0000025E87B37583 (anonymous; xul.dll)

    Code Injection
    00030000-00031000 4KB n/a [7268]
    00990000-00991000 4KB

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [7260]
    2 C:\Windows\explorer.exe [2576]

    Thumbprint
    33ed0b010ee8a49431cfbc1392c0971b5045db7221b0fae432079737d9e0cdfd
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Just installed CTP2 over CTP1 and rebooted; all good. I ran a malware scan from the HMPA Scan tile and toward the end HMPA intercepted - CredGuard Mitigation. Rebooted the PC and ran another scan from HMPA; it was again intercepted at the end with a CredGuard mitigation.
     
    Last edited: May 31, 2017
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    See first page of this thread:
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Ah, I see Erik is already aware of the CredGuard FP on HMP, thanks :)
     
  22. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Was wondering about the same thing, except in my case from CTP1. A few posts downthread from yours, Victek reported doing exactly that, but I haven't heard what the recommended method is ("install over" or "uninstall then install").
     
  23. plat1098

    plat1098 Guest

    Well, a plus with CTP2 is as if by magic I got the HitmanPro Antimalware to show the right-click scan for folders. I used the new desktop icon to open it, the box to enable the Shell Integration was clickable, and there you are.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Okay, where did you find that?
     
  25. plat1098

    plat1098 Guest

    The only way I could enable Shell Integration was to use this new icon which mysteriously appeared on my desktop. I don't know how it got there, it's probably something very simple that I don't know about. lol. But now you can scan folders with HMP and this was bugging me and some others on the HMP thread previously.

[Attachment: Screenshot (26).png]

    Edit: I have the other HMP shortcut pinned to taskbar and via that, you still can't enable Shell Integration. I could only do it with the new desktop shortcut.
     
    Last edited by a moderator: May 31, 2017