HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,881
    Location:
    Among the gum trees
    I just got this with Build 723.
    Code:
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          16/11/2017 4:41:42 PM
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      David-HP
    Description:
    Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v723 06_5e
    PID          3416
    Application  C:\Windows\System32\svchost.exe
    Description  Host Process for Windows Services 10
    
    SAM access denied.
    
    Range = LBA 1328464 :224
    Read  = LBA 1328256 :224
    
    Process Trace
    1  C:\Windows\System32\svchost.exe [3416]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    2  C:\Windows\System32\services.exe [780]
    3  C:\Windows\System32\wininit.exe [664]
    wininit.exe
    
    Thumbprint
    bbd5384dfb0088568607a4d6a193393774dc834fad764e38529ca1ad3fd671f8
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-11-16T05:41:42.840554200Z" />
        <EventRecordID>2879</EventRecordID>
        <Channel>Application</Channel>
        <Computer>David-HP</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Windows\System32\svchost.exe</Data>
        <Data>CredGuard</Data>
        <Data>Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v723 06_5e
    PID          3416
    Application  C:\Windows\System32\svchost.exe
    Description  Host Process for Windows Services 10
    
    SAM access denied.
    
    Range = LBA 1328464 :224
    Read  = LBA 1328256 :224
    
    Process Trace
    1  C:\Windows\System32\svchost.exe [3416]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    2  C:\Windows\System32\services.exe [780]
    3  C:\Windows\System32\wininit.exe [664]
    wininit.exe
    
    Thumbprint
    bbd5384dfb0088568607a4d6a193393774dc834fad764e38529ca1ad3fd671f8</Data>
      </EventData>
    </Event>
    I wasn't doing anything other than reading earlier posts in this thread using Firefox 57.

    Win10 x64 1709
    Norton Security 22.11.2.7
    Malwarebytes 3.3.1
     
  2. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
    Do you have any alert details about the block? It should be in the Windows Event Log.
     
  3. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
    I'll eat my shoe if that EVER happens. Our Anti-Malware is the lightest on the planet ;)
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,881
    Location:
    Among the gum trees
    :argh: Can I hold you to that, Mark? :D
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,572
    Location:
    The etherlands
    I deleted the HMPA Event Log but the HMPA interface still shows the events? I must have done something incorrectly.
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    Running smoothly over here.
    I enabled SAM and I am presently running a Macrium Reflect backup job without hitch.:)
     
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
    Do not delete the HMPA Event Log but the Applications log in the Windows Event Log.
     
  8. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    666
    Does build 723 RC fix the mitigations caused by Sandboxie?
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    I think Sandboxie is the one that needs to fix the issues.
     
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
    Sandboxie is actually stealing tokens and elevating privileges with them so our mitigation is not wrong. Disable Local Privilege Mitigation if you insist on using Sandboxie around your browsers.
    Note that most browsers already run in a sandbox, like Microsoft Edge and Google Chrome, so adding another sandbox might be overkill on top of the native sandbox and all our mitigations.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    I got an interception from SAM. It seems to have blocked Windows Defender (Win 10 x64 fall creators):

    [attached screenshot: Capture.PNG]
     
  12. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
    Did you enable protection of the Security Account Manager (SAM)?
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    Yes
     
  14. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
    You may want to reboot your system so HitmanPro.Alert receives a data update which solves the alert you are having.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    This happened shortly after installing 723.
    Will 723 receive an update?
     
  16. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
    All users, whatever build they are running, receive silent data updates. A new one went out two hours ago but HMPA only checks it once every 4 hours.
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    Thanks for that info.
    The block I saw was immediately preceded by the one pasted below, I am assuming that also this was covered by the data update:

    C:\Windows\System32\SrTasks.exe
    CredGuard
    Mitigation   CredGuard

    Platform     10.0.16299/x64 v723 06_5e
    PID          8884
    Application  C:\Windows\System32\SrTasks.exe
    Description  Microsoft® Windows System Protection background tasks. 10

    SAM access denied.

    Range = LBA 178212384 :16
    Read  = LBA 178212384 :16

    Process Trace
    1  C:\Windows\System32\SrTasks.exe [8884]
    C:\WINDOWS\system32\srtasks.exe ExecuteScheduledSPPCreation
    2  C:\Windows\System32\svchost.exe [1168]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
    3  C:\Windows\System32\services.exe [856]
     
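Both CredGuard events quoted in this thread (post 1, svchost.exe/Winmgmt, and post 17, SrTasks.exe) carry the same three things a responder needs: the LBA range HMPA is guarding for the SAM hive, the LBA range the process actually read, and the parent process chain. The block below is an added triage helper written for this page; it is not HitmanPro.Alert code and was not posted by anyone in the thread. It parses that event description text, computes how many sectors of the read fall inside the guarded range, and extracts the process chain. Two assumptions not stated in the thread: the "LBA start :count" fields are a first sector plus a sector count, and sectors are 512 bytes. The two sample inputs are reconstructed from the posts above (post 17's flattened text re-split into lines).

```python
# Added example: triage HitmanPro.Alert CredGuard "SAM access denied" events
# (Windows Application log, event ID 911) from their description text.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors

# Sample input reconstructed from post 1 (svchost.exe hosting Winmgmt).
SAMPLE_SVCHOST = r"""Mitigation   CredGuard

Platform     10.0.16299/x64 v723 06_5e
PID          3416
Application  C:\Windows\System32\svchost.exe
Description  Host Process for Windows Services 10

SAM access denied.

Range = LBA 1328464 :224
Read  = LBA 1328256 :224

Process Trace
1  C:\Windows\System32\svchost.exe [3416]
c:\windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
2  C:\Windows\System32\services.exe [780]
3  C:\Windows\System32\wininit.exe [664]
wininit.exe

Thumbprint
bbd5384dfb0088568607a4d6a193393774dc834fad764e38529ca1ad3fd671f8
"""

# Sample input from post 17 (SrTasks.exe), re-split into lines from the flattened post.
SAMPLE_SRTASKS = r"""Mitigation   CredGuard
PID          8884
Application  C:\Windows\System32\SrTasks.exe
SAM access denied.
Range = LBA 178212384 :16
Read  = LBA 178212384 :16
Process Trace
1  C:\Windows\System32\SrTasks.exe [8884]
C:\WINDOWS\system32\srtasks.exe ExecuteScheduledSPPCreation
2  C:\Windows\System32\svchost.exe [1168]
c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
3  C:\Windows\System32\services.exe [856]
"""


@dataclass
class TraceEntry:
    depth: int
    image: str
    pid: int
    cmdline: str = ""  # the line following an image line, when present


@dataclass
class CredGuardEvent:
    mitigation: str
    pid: int
    application: str
    protected: Tuple[int, int]  # (first LBA, sector count) of the guarded SAM range
    read: Tuple[int, int]       # (first LBA, sector count) the process tried to read
    trace: List[TraceEntry] = field(default_factory=list)

    def overlap_sectors(self) -> int:
        """Sectors shared by the read and the guarded range (0 means no overlap)."""
        (a0, an), (b0, bn) = self.protected, self.read
        return max(0, min(a0 + an, b0 + bn) - max(a0, b0))

    def is_exact_hit(self) -> bool:
        return self.protected == self.read

    def chain(self) -> str:
        """Process chain as image names, child first: 'a.exe <- parent.exe <- ...'."""
        return " <- ".join(e.image.rsplit("\\", 1)[-1] for e in self.trace)


_FIELD = re.compile(r"^(Mitigation|PID|Application)\s+(.+?)\s*$", re.M)
_LBA = re.compile(r"^(Range|Read)\s*=\s*LBA\s+(\d+)\s*:(\d+)\s*$", re.M)
_TRACE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")


def parse_event(text: str) -> CredGuardEvent:
    fields: Dict[str, str] = dict(_FIELD.findall(text))
    lba = {k: (int(s), int(n)) for k, s, n in _LBA.findall(text)}
    if "Range" not in lba or "Read" not in lba:
        raise ValueError("event text has no Range/Read LBA fields")
    trace: List[TraceEntry] = []
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_trace:
            in_trace = line == "Process Trace"
            continue
        if not line:
            break  # a blank line ends the trace block (Thumbprint follows it)
        m = _TRACE.match(line)
        if m:
            trace.append(TraceEntry(int(m[1]), m[2], int(m[3])))
        elif trace:
            trace[-1].cmdline = line  # command line belongs to the preceding image line
    return CredGuardEvent(fields.get("Mitigation", ""), int(fields["PID"]),
                          fields.get("Application", ""), lba["Range"], lba["Read"], trace)


def summarize(text: str) -> Dict[str, object]:
    """One-line triage verdict plus the numbers behind it."""
    ev = parse_event(text)
    n = ev.overlap_sectors()
    verdict = ("read did not touch the guarded range" if n == 0 else
               "read covers the guarded range exactly" if ev.is_exact_hit() else
               "read partially overlaps the guarded range")
    return {"pid": ev.pid, "image": ev.application, "chain": ev.chain(),
            "overlap_sectors": n, "overlap_bytes": n * SECTOR_BYTES,
            "exact_hit": ev.is_exact_hit(), "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_SVCHOST, SAMPLE_SRTASKS):
        print(summarize(sample))
```

On post 1's event the read (1328256, 224 sectors) only clips the first 16 sectors of the guarded range, while on post 17's event the read covers the guarded range exactly; the summary makes that distinction and shows the chain (svchost.exe <- services.exe <- wininit.exe) so a reader can judge whether the reader is a normal service process before deciding to keep or disable the SAM option.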
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,881
    Location:
    Among the gum trees
    Hi Mark,

    Will that have any effect on my issue too?

    Thanks.
     
  19. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
    Yes it should.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,881
    Location:
    Among the gum trees
    :thumb: Nice! Thanks.
     
  21. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    666
    Ok. And is it possible to EXCLUDE Sandboxie?
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    The times that I have tried to combo HMPA with SBIE, I didn't see HMPA blocking anything. I rather saw SBIE complaining that it could not communicate with sandboxed browser. And I never found a solution, other than to hide the error message.
    Is this a different issue?
     
  23. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    666
    Laptop A lots of PrivGuard mitigations caused by Sandboxie and with laptop B no problems at all.

    Example of a PrivGuard mitigation: HitmanPro.Alert BETA

    Both laptops: Win10 1709 build 16299.64 x64/Norton Security v22.11.2.7
     
  24. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    666
    No problems upgrading build 723 (laptop B).
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,572
    Location:
    The etherlands
    No problems installing or using build 723 RC on Win 10 Pro x64 v1709 16299.64.

    But I have left SAM unticked. One imaging program I use is AOMEI Backupper, not sure if that one is covered (over and above Macrium and Acronis) - would have to test.
     