HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Ah I see... The first time I think I did, but still somehow update didn't go as smoothly for FCU.
     
  2. mrhex1

    mrhex1 Registered Member

    Joined:
    Jul 2, 2016
    Posts:
    19
    Location:
    Timbuktu
    I finally managed to upgrade to Windows 10 1703 Creators update on Saturday. I upgraded HMPA from 3.7.0 build 720 to 721 RC. I kept on noticing several instances in the HitMan Pro log file showing that a registry read was denied for SrTasks.exe. I turned off Credential Theft Protection & disabled Anti-Malware.
    I noticed five separate entries for Windows 10 1703 Creators update. I downloaded & ran the Windows update troubleshooter on my computer. I suspect that Credential Theft Protection may be blocking some sort of look up for the Windows update in the registry. I reset the computer a few times to get the Windows 10 1703 Creators update tab. The update took about 30 minutes on my laptop.
     
  3. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    30
    Location:
    ITALIA
    HitmanPro.Alert 3.7.0 build 721 RC
    Windows 7 Ultimate SP1

    Mitigation CredGuard

    Platform 6.1.7601/x64 v721 06_2a
    PID 4020
    Application D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc\ksc.exe
    Description Kaspersky System Checker 1.2

    \REGISTRY\MACHINE\SAM\SAM\Domains\Account

    Process Trace
    1 D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc\ksc.exe [4020]
    "D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc\ksc.exe" --service --flash
    2 D:\DATI\Programmi\Standalone\Kaspersky\Kaspersky System Checker v1.2.0.290\ksc_launcher.exe [5048]
    3 C:\Windows\explorer.exe [4316]
    4 C:\Windows\System32\userinit.exe [4252]
    5 C:\Windows\System32\winlogon.exe [912]
    winlogon.exe

    Thumbprint
    789efee4230955347f9fd7163decb5d3928d7339424a374a1d5df2f5b9158dc7
    ------------------------------------------------------------------------------------------------------------------------
    Mitigation CredGuard

    Platform 6.1.7601/x64 v721 06_2a
    PID 1696
    Application C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\DRWUI.exe
    Description EaseUS Data Recovery Wizard 11.5

    SAM access denied.

    Range = LBA 585016 :512
    Read = LBA 584960 :256

    Process Trace
    1 C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\DRWUI.exe [1696]
    DRWUI
    2 C:\Program Files\EaseUS\EaseUS Data Recovery Wizard\DRW.exe [4716]
    3 C:\Windows\explorer.exe [4228]
    4 C:\Windows\System32\userinit.exe [2512]

    Thumbprint
    e9aac23ec2da17b27038dcf4ceaa06f865c3bc3715d0a15d26ab3f0ee8557d1e
    -----------------------------------------------------------------------------------------------------------------------
    Mitigation WipeGuard

    Platform 6.1.7601/x64 v588 06_2a
    PID 5920
    Application C:\Program Files (x86)\AOMEI Backupper\MakeDisc.exe
    Description MakeDisc.exe

    Master Boot Record (MBR)

    Process Trace
    1 C:\Program Files (x86)\AOMEI Backupper\MakeDisc.exe [5920]
    MakeDisc.exe
    2 C:\Program Files (x86)\AOMEI Backupper\Backupper.exe [5996]
    3 C:\Windows\explorer.exe [4460]
    4 C:\Windows\System32\userinit.exe [4340]
    5 C:\Windows\System32\winlogon.exe [980]
    winlogon.exe

    Thumbprint
    aa2bdacb580d62da15435b17133f905a25289ad600c35cf50765224ad82e6954
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Valdez

    Two things. 1. CredGuard needs to be left off. It was defaulted off for a reason, and you just found one of them

    2. Anytime you create a boot disk you have to turn off the mbr protection create the disk and then turn it back on again.

    Pete
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    I tried installing HMPA first, and then Comodo. This time, I am not seeing any conflicts. Everything works smoothly. Or maybe it's because CFW issued a new build. Or maybe the whole issue was just a fluke.
     
  6. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    Quick question: under what circumstances/conditions is it advisable to enable CredGuard?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Do you really feel you will be under attack to have your windows credentials stolen. If so enable it, but realize all the things that are broken.
     
  8. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    I dunno, that's why I asked nicely. Just seeking information. The description given here is not exactly brimming with details. Which "authentication passwords" -- all (including for websites, banks, etc.), any, only certain types?? :doubt:
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Jeam

    Sorry if I sounded harsh. It is all the windows credential stuff. Personally I don't worry as malware has to be able to get on the machine first.
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,422
    As long as you are willing to deal with any issues that may arise -- such as the well-known issue with macrium reflect not being able to image a disk -- by all means, go right ahead and enable that protection.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Actually from my test for them, I think they whitelisted Macrium so that might actually work.
     
  12. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    Thanks @Peter2150 and @shmu26. I'll go back and review the CredGuard discussion.
     
  13. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    598
    Location:
    Far East
    Hi

    Would the real-time malware protection of HMPA (with BD/Kaspersky/Sophos engines) conflict with Emsisoft Antimalware (with BD/self engines) real-time protection?

    Also, I supposed I'll need to disable the Windows default exploit protection if I'll to use HMPA?

    Thanks
     
  14. guest

    guest Guest

    Not i am aware of any, in my case i didn't suffered any issues (yet), the scanner on in HMPA seems purely cloud-based, so i guess it may be just redundant.

    From what i heard from the Loman brothers, HMPA will take over the one offered by Win10.
     
  15. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
    HitmanPro.Alert build 723 Release Candidate

    Screenshot
    Credential Theft Protection.PNG

    Changelog (compared to build 721)
    • Added protection against dropping shellcode straight into memory from VBA macro code. This mitigation is part of Load Library and triggers a Shellcode alert.
    • Added protection against compilation of arbitrary code straight into memory from an application under exploit mitigations, like Office. Such attacks can bypass whitelisting based protection like Windows Defender Device Guard.
    • Improved Credential Theft Protection by separating LSASS (memory) and SAM protection (disk and registry).
      LSASS memory protection is now enabled by default. SAM protection (disk and registry) is optional, meaning it is disabled by default to allow system backups. We recommend you to enable the protection of the SAM database (Security Account Manager) from the Credential Theft Protection mitigation so its structures in the Windows Registry and local disk are shielded against dumping.
    • Improved Code Cave mitigation.
    • Improved Import Address Table Address Filtering (IAF) mitigation.
    • Improved logging to the Windows Event Log from the Anti-Malware mitigation.
    • Improved Hollow Process mitigation to block hijacking of a remote main thread to run arbitrary code.
    • Fixed generation of Thumbprints for the Credential Theft Protection module with regard to catalog signed files.
    • Fixed a ROP technique detection on pidgenx.dll when trying to activate Microsoft Office.
    • Fixed a CallerCheck alert associated with Microsoft Power Query and CLR.DLL.
    • Fixed a rare BSOD caused by the Anti-Malware mitigation.
    • Fixed a compatibility issue with Microsoft Hyper-V on Windows 10 version 1709 (Fall Creators Update).
    • Fixed a minor memory leak originating from the CryptoGuard anti-ransomware mitigation.
    Unless mentioned otherwise, from now on all our builds contain drivers co-signed by Microsoft so they also works on machines with Secure Boot enabled.

    Download

    http://test.hitmanpro.com/hmpalert3b723.exe

    Please let us know how this build runs on your machine. All users running a 7xx beta build are currently automatically updated. Users running build 604 are expected to receive an automatic update early next week (no exact date yet).

    Thanks everybody! :thumb:
     
    Last edited: Nov 15, 2017
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Mark

    I am assuming if we check the disk par it will still block backups, correct?

    Pete
     
  17. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
    Yes. Protection of the Security Account Manager (SAM database) on the disk and in the registry is disabled by default to allow system backups. If you enable it, you might run into issues with backup software although we have put effort into making more common backup solutions work, including Macrium Reflect and Acronis True Image. Let us know if you have a backup application that doesn't work in the presence of Credential Theft Protection.
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    Is this tested only with current Macrium Reflect and Acronis True Image versions, or is it also tested with older versions?
    (Like, for instance, Acronis True Image 2010 update 3 build 7160, that still works with Windows 7.)
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Another popular imaging program at least here is Terabytes Image for Windows and also Drive Snapshot.
     
  20. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,267
    Location:
    USA
    So far no problems here, Windows 7 SP1 Pro x64.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Re credguard. I tested Macrium and it's still good. I then tested Acronis Trueimagehome 2018. Credit Theft Prevention blocks it unless SAM is turned off. Also IFW fails with it. Still splitting out LSASS is a good improvement.
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,658
    Location:
    Among the gum trees
    Just installed this RC and running along side Norton. No problems so far.

    @Peter2150 , do you have Security Account Manager enabled, or have you test MR backups with it enabled?

    Thanks.

    Edit: Haha, I see you had posted while I was composing my message.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,658
    Location:
    Among the gum trees
    I haven't really been following this thread closely, but how does the Anti-Malware mitigation (real-time protection) work? Is it likely to interfere with other AVs or security programs?

    Thanks.
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,635
    Before a file is executed, HMP.A calculates the hash of the file and checks it in the HitmanPro Cloud. If the file is malware, the execution of this file is denied and you should see a red flyout.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,658
    Location:
    Among the gum trees
    Thanks as always, mood. It sounds like there is potentially an avenue for conflict with other security solutions.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.