A user interface indication that one or more mitigations are disabled for a certain application, or that certain system protections are partly disabled, would be welcome indeed. However, if mitigations are disabled by default for a certain application for good reason, that should be clear, so that the user knows it is not recommended to enable those mitigations.
The Realtime Anti-Malware Protection calculates the hash of executables and checks it with the cloud. There can be a small delay. For example, after switching to my Downloads directory with my file manager, there is a delay while executables are displayed in the window. After turning the Protection off, the delay is gone.
This is expected: you have accessed the registry tree "HKEY_LOCAL_MACHINE\SAM\SAM". If you want to access that registry tree, disable the Credential Theft Protection temporarily.
So it's possible to turn only this component off? I'm not into real-time scanning no matter if it's cloud based or not.
mood, I just closed the Alert screen and continued editing registry without disruption. Are we supposed to report false alerts like this in here? If not, I'll stop posting these things.
After malware was detected, there is a flyout and the file can't be executed. But the feature can be turned off. Don't stop posting. I also had this mitigation; it prevents you from accessing the registry keys. But editing other registry keys is still possible after the alert.
Why would you want to do that? It detects and blocks a high percentage of malware, and I've yet to see a false positive. All the exploit protection is also essentially real-time scanning.
I reset the settings before reporting, did again. Same results. I will uninstall/reinstall to see if that fixes. Edit: Uninstall/reinstall fixed it. About MPC-BE, it was already in my exclusion list. Did check all mitigations and found it can be opened only when both "Hollow Process Mitigation" and "Credential Theft Protection" are disabled. Also under protected applications, all other mitigations except null page can be enabled. No need to exclude.
Some tools are identified as malware, but the user needs to execute them. Or some installers are identified as malware, for example Process Hacker. In this case the feature must be turned off temporarily.
Exploit Mitigations - Applications - Your applications, now scroll to the right, there you can see "Add exclusion":
Thank you! They may want to put that somewhere easier to find, like on the window you receive when you first click on Exploit Mitigation, or in the settings at the top right corner.
Had this suddenly while only Gmail was opened in incognito in FF.

Firefox Crash

Mitigation    ROP
Platform      6.1.7601/x64 v708 06_2a
PID           7260
Application   C:\Program Files\Mozilla Firefox\firefox.exe
Description   Firefox 53.0.3

Callee Type   ProtectVirtualMemory
              0x0000025E884EE000 (4096 bytes)

Branch Trace                               Opcode   To
---------------------------------------- -------- ----------------------------------------
0x000007FED907E7F9 xul.dll                 RET      0x000007FED9005562 xul.dll
0x000007FED96D1B26 xul.dll                 RET      0x000007FED907E7E4 xul.dll
0x000007FED9166259 xul.dll                 RET      0x000007FED90053B6 xul.dll
0x000007FED96D1B26 xul.dll                 RET      0x000007FED916624C xul.dll
0x000007FED9003B39 xul.dll                 RET      0x000007FED9005348 xul.dll
0x000007FED90F528A xul.dll                 RET      0x000007FED9005334 xul.dll
0x000007FED90F5951 xul.dll                 RET      0x000007FED90F523F xul.dll
memcpy +0x104                              RET      0x000007FED90F599A xul.dll
0x000007FEE71CC434 vcruntime140.dll
memcpy +0x12f                              RET      0x000007FED90F58FD xul.dll
0x000007FEE71CC45F vcruntime140.dll
0x000007FED90F5A7E xul.dll                 RET      0x000007FED90F5875 xul.dll
PeekMessageW +0xa7                         RET*     0x000000013FF64664 firefox.exe
0x000000007777907B user32.dll
                  498b5b10        MOV RBX, [R11+0x10]
                  498b6b18        MOV RBP, [R11+0x18]
                  498b7320        MOV RSI, [R11+0x20]
                  498be3          MOV RSP, R11
                  5f              POP RDI
                  c3              RET
SleepEx +0xfb ~                            RET*     0x000000013FF64689 firefox.exe
0x000007FEFD93124B KernelBase.dll
                  57              PUSH RDI
                  488d6c24f9      LEA RBP, [RSP-0x7]
                  4881ece0000000  SUB RSP, 0xe0
                  488b0573b90100  MOV RAX, [RIP+0x1b973]
                  4833c4          XOR RAX, RSP
                  488945f7        MOV [RBP-0x9], RAX
                  4c8b7d6f        MOV R15, [RBP+0x6f]
                  418bf1          MOV ESI, R9D
                  488b5d77        MOV RBX, [RBP+0x77]
                  498bf8          MOV RDI, R8
                  4c8b657f        MOV R12, [RBP+0x7f]
                  4c8bf2          MOV R14, RDX
                  83f903          CMP ECX, 0x3
                  740b            JZ 0x13ff646c9
                  c703220000c0    MOV DWORD [RBX], 0xc0000022
                  e9ba000000      JMP 0x13ff64783
                  ( 493BE98F1B77559)
NtDelayExecution +0xa ~                    RET      SleepEx +0xb3
0x00000000779CC07A ntdll.dll                        0x000007FEFD931203 KernelBase.dll

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  000007FEFD941413 KernelBase.dll           VirtualProtectEx +0x33
2  000007FEFD9413CB KernelBase.dll           VirtualProtect +0x1b
3  000007FED93D2981 xul.dll
                  85c0            TEST EAX, EAX
                  743d            JZ 0x7fed93d29c2
                  488b0d64fb8c02  MOV RCX, [RIP+0x28cfb64]
                  483bd9          CMP RBX, RCX
                  0f822a984d00    JB 0x7fed98ac1bf
                  4881c100000040  ADD RCX, 0x40000000
                  483bf9          CMP RDI, RCX
                  0f871a984d00    JA 0x7fed98ac1bf
                  b001            MOV AL, 0x1
                  488b5c2438      MOV RBX, [RSP+0x38]
                  4883c420        ADD RSP, 0x20
                  5f              POP RDI
                  c3              RET
4  000007FED8EF06DA xul.dll
5  000007FED900544F xul.dll
6  000007FED90013AA xul.dll
7  000007FED908EB04 xul.dll
8  0000025E87B37583 (anonymous; xul.dll)

Code Injection
00030000-00031000 4KB n/a [7268] 00990000-00991000 4KB

Process Trace
1  C:\Program Files\Mozilla Firefox\firefox.exe [7260]
2  C:\Windows\explorer.exe [2576]

Thumbprint
33ed0b010ee8a49431cfbc1392c0971b5045db7221b0fae432079737d9e0cdfd
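When triaging an alert like the one above (genuine exploit or false positive?), the Branch Trace section is the part worth reading: it lists the last indirect transfers before the protected call, and in a ROP report they are almost all RETs. The script below is an added example, not part of this thread and not HitmanPro.Alert's own code: it parses branch-trace lines laid out the way the alert prints them and tallies the opcodes, the target modules and the entries marked RET*. My reading is that the asterisk marks a return whose target is not preceded by a CALL instruction (the call-preceded check); that interpretation, the "return-only chain" heuristic at the end and the sample trace (constructed to mirror the Firefox alert, not copied from a live system) are all assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Branch Trace layout of a HitmanPro.Alert report
# (addresses and modules modelled on the Firefox alert above; not live data).
SAMPLE_TRACE = """\
Branch Trace                               Opcode   To
---------------------------------------- -------- ----------------------------------------
0x000007FED907E7F9 xul.dll                 RET      0x000007FED9005562 xul.dll
memcpy +0x104                              RET      0x000007FED90F599A xul.dll
0x000007FEE71CC434 vcruntime140.dll
PeekMessageW +0xa7                         RET*     0x000000013FF64664 firefox.exe
0x000000007777907B user32.dll
                  498b5b10        MOV RBX, [R11+0x10]
                  c3              RET
SleepEx +0xfb ~                            RET*     0x000000013FF64689 firefox.exe
0x000007FEFD93124B KernelBase.dll
NtDelayExecution +0xa ~                    RET      SleepEx +0xb3
0x00000000779CC07A ntdll.dll                        0x000007FEFD931203 KernelBase.dll
"""

# A transfer line: <source>  <OPCODE[*]>  <target>; columns are separated by 2+ spaces.
_BRANCH_RE = re.compile(r"^(?P<src>\S.*?)\s{2,}(?P<op>[A-Z]{2,4}\*?)\s+(?P<dst>\S.*?)\s*$")
# A continuation line carrying the raw address/module behind a symbolised entry
# (optionally a second pair for the target column).
_CONT_RE = re.compile(
    r"^(?P<addr>0x[0-9A-Fa-f]+)\s+(?P<mod>\S+)"
    r"(?:\s{2,}(?P<daddr>0x[0-9A-Fa-f]+)\s+(?P<dmod>\S+))?$"
)


@dataclass
class Branch:
    opcode: str
    src_sym: Optional[str] = None
    src_addr: Optional[str] = None
    src_module: Optional[str] = None
    dst_sym: Optional[str] = None
    dst_addr: Optional[str] = None
    dst_module: Optional[str] = None

    @property
    def not_call_preceded(self) -> bool:
        # Assumption: the trailing asterisk flags a return to a non-call-preceded address.
        return self.opcode.endswith("*")

    def source(self) -> str:
        return self.src_sym or f"{self.src_addr} {self.src_module}"

    def target(self) -> str:
        return self.dst_sym or f"{self.dst_addr} {self.dst_module}"


def _split_addr_module(text: str) -> Tuple[Optional[str], Optional[str]]:
    m = re.match(r"^(0x[0-9A-Fa-f]+)\s+(\S+)$", text)
    return (m.group(1), m.group(2)) if m else (None, None)


def parse_branch_trace(text: str) -> List[Branch]:
    """Turn the Branch Trace block into Branch records; indented disassembly is skipped."""
    branches: List[Branch] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line[0].isspace():  # blank line or disassembly of a target
            continue
        m = _BRANCH_RE.match(line)
        if m:
            b = Branch(opcode=m["op"])
            b.src_addr, b.src_module = _split_addr_module(m["src"])
            if b.src_addr is None:
                b.src_sym = m["src"]
            b.dst_addr, b.dst_module = _split_addr_module(m["dst"])
            if b.dst_addr is None:
                b.dst_sym = m["dst"]
            branches.append(b)
            continue
        m = _CONT_RE.match(line)
        if m and branches:  # attach raw addresses to the symbolised entry just parsed
            b = branches[-1]
            if b.src_addr is None:
                b.src_addr, b.src_module = m["addr"], m["mod"]
            if m["daddr"] and b.dst_addr is None:
                b.dst_addr, b.dst_module = m["daddr"], m["dmod"]
    return branches


def summarize(branches: List[Branch]) -> Dict[str, object]:
    """Opcode tally, target-module tally and the entries flagged as not call-preceded."""
    return {
        "opcodes": dict(Counter(b.opcode for b in branches)),
        "target_modules": dict(Counter(b.dst_module for b in branches if b.dst_module)),
        "flagged": [f"{b.source()} -> {b.target()}" for b in branches if b.not_call_preceded],
    }


def is_return_only_chain(branches: List[Branch], min_rets: int = 4) -> bool:
    """Heuristic (mine, not the product's): a trace of nothing but returns, at least one of
    them not call-preceded, is the shape of a ROP chain; normal code interleaves CALLs."""
    return (
        len(branches) >= min_rets
        and all(b.opcode.startswith("RET") for b in branches)
        and any(b.not_call_preceded for b in branches)
    )


if __name__ == "__main__":
    parsed = parse_branch_trace(SAMPLE_TRACE)
    print(summarize(parsed))
    print("return-only chain:", is_return_only_chain(parsed))
```

Run against a real report, the useful signals for deciding whether a case like the Firefox one is a false positive are the two flagged entries (both land in firefox.exe from user32.dll and KernelBase.dll returns) and the fact that every transfer is a RET; a JIT or an unusual but legitimate calling convention can produce the same shape, which is why the tool lets you exclude the application rather than treating every report as an exploit.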
Just installed CTP2 over CTP1 and rebooted; all good. I ran a malware scan from the HMPA Scan tile and toward the end HMPA intercepted - CredGuard Mitigation. Rebooted the PC and ran another scan from HMPA; it was again intercepted at the end with a CredGuard mitigation.
Was wondering about the same thing, except in my case from CTP1. A few posts downthread from yours, Victek reported doing exactly that, but I haven't heard what the recommended method is ("install over" or "uninstall then install").
Well, a plus with CTP2 is as if by magic I got the HitmanPro Antimalware to show the right-click scan for folders. I used the new desktop icon to open it, the box to enable the Shell Integration was clickable, and there you are.
The only way I could enable Shell Integration was to use this new icon which mysteriously appeared on my desktop. I don't know how it got there; it's probably something very simple that I don't know about. lol. But now you can scan folders with HMP, and this was bugging me and some others on the HMP thread previously. Edit: I have the other HMP shortcut pinned to the taskbar and via that, you still can't enable Shell Integration. I could only do it with the new desktop shortcut.