HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    312
    Location:
    USA
    I cannot seem to find this setting to disable.
     
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    502
    It is under "process protection", the icon that looks like a carved-out pumpkin
     
  3. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    312
    Location:
    USA
    Thank you.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    Been doing some testing of the SAM protection. Terabytes Image for Windows is fine. Drive Snapshot failed. Event Viewer just said it couldn't access the SAM file. I'll retest Acronis for you. Nothing in Event Viewer from last time as I did a Macrium "uninstall".
     
  5. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    321
    I'm still on build 720. To install the new 723 RC, do I still have to jump through the above hoops (and which ones), or can I simply install 723 over 720?

    Thanks.
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,102
    (1) Before the uninstallation of Build 720, disable "Block Untrusted Fonts"
    (2) then deinstall Build 720 and before rebooting remove the folder C:\ProgramData\HitmanPro.Alert
    (3) reboot
    (4) install Build 723
     
  7. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    1,113
    Location:
    Da mean streets of Brooklyn
    Yes, @mood, I followed your guide to install the 723RC--Block Untrusted Fonts tile was gone from the interface altogether. The Credential Theft Protection was enabled, so enabled the SAM as well. It's Halloween every day at HMPA, it seems.

    [attachment: hmpa interface.PNG.jpg] :)
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    More testing on the SAM file. Acronis True Image Home 2018 is good. Full and incremental are fine. So far Drive Snapshot is my only failure. If you're curious about AOMEI, just test it. Worst that can happen is a failed backup. No other harm.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    What do you use for imaging?
     
  10. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    1,113
    Location:
    Da mean streets of Brooklyn
    On the secondary machine with the beta? Nothing, no imaging.

    On primary machine, I use no betas but have an SSD that doesn't have full compatibility with Creators Update. So, no imaging there either, and I really need it there. I'm looking at your review of Terabytes, I think I'll try that instead of Macrium, which had multiple errors in event viewer the two times I tried to use it. :)
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,634
    Location:
    the Netherlands
    Do you have an idea why with the first test Acronis True Image Home 2018 was blocked, but not with the second test? What was different? Was SAM enabled with the first series of tests, but not with the second series of tests?
    And also, did IFW not fail the second test?
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    If you are happy with it you can use it on both machines, and be sure to check out Pandlouk's scripts. They are beyond awesome.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    I think they did some silent update on 721 4 hours after I tested.
     
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,634
    Location:
    the Netherlands
    Ah, thanks.
    I forgot about that.
     
  15. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    321
    Good summary, thanks. I'll make my way through the open windows and tabs and then follow the updating procedure.
     
  16. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    524
    Location:
    USA
    Haven't been testing the HMPA betas, but thinking about trying out the RC. Still running HMPA 3.6.7 b604. Are there any known issues running HMPA RC 723 with VoodooShield 3.59?
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,573
    Location:
    The etherlands
    Tested AOMEI Backupper and it failed with SAM ticked.

    @RonnyT Can you add Drive Snapshot and AOMEI Backupper to the exclusions?

    AOMEI Backupper mitigation result:

    Mitigation CredGuard

    Platform 10.0.16299/x64 v723 06_45
    PID 24240
    Application C:\Program Files (x86)\AOMEI Backupper\ABCore.exe
    Description AOMEI ABCore 4.0.4

    SAM access denied.

    Range = LBA 7264368 :272
    Read = LBA 7264256 :256

    Process Trace
    1 C:\Program Files (x86)\AOMEI Backupper\ABCore.exe [24240]
    2 C:\Program Files (x86)\AOMEI Backupper\ABService.exe [5376]

    Thumbprint
    139455c7ea5db93f4fbffc1571e18f6d717fecfa7def24dbfec34735e114207f
     
    Last edited: Nov 17, 2017
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,950
    Location:
    Outer space
    No problems so far with build 723 on Win7x64 :)
     
  19. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    463
    Location:
    italy
    The only issue I've encountered so far is clearing event logs in Event Viewer via command prompt*, since it is so sloooow now :(

    10 RS3 (1709 build 16299.64)

    *
    for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"


     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    Hi Paul

    If you only image once a day or week, then you can just untick the one box, image and then retick. The reason it's so important to me is I image with Macrium hourly and with IFW, not hourly but several times a day on my work machine, so it has to be transparent. I may also go back to adding Acronis to the frequent list. You might note, all three of these programs have fast incremental imaging.

    Pete
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,573
    Location:
    The etherlands
    I get that. I generally image nightly, and before significant changes.

    I am happy to leave SAM unticked, but maybe they can add DS and AOMEI as they are used a lot.
     
    Last edited: Nov 17, 2017
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    Up until yesterday I always left it unticked. Since they have Macrium, Acronis, and IFW, I'll bet they will add the others.
     
  23. saenta

    saenta Registered Member

    Joined:
    Mar 29, 2016
    Posts:
    4
    Location:
    Germany
    Hello,
    I'm on build 723, Windows 10 Insider Preview 17035. When trying to update to 17040 via Windows Update I get the following message:

    Mitigation CredGuard

    Platform 10.0.17035/x64 v723 06_4e
    PID 2688
    Application C:\Windows\System32\wuauclt.exe
    Description Windows Update 10

    SAM access denied.

    Range = LBA 131635960 :136
    Read = LBA 131636088 :7

    Process Trace
    1 C:\Windows\System32\wuauclt.exe [2688]
    "C:\WINDOWS\system32\wuauclt.exe" /RunHandlerComServer
    2 C:\Windows\System32\svchost.exe [3636]
    c:\windows\system32\svchost.exe -k netsvcs

    After that Windows Update will initialize again and try to install the update till it gets killed again.

    Also, trying to update Visual Studio Enterprise 2017, I get:

    Mitigation Lockdown

    Platform 10.0.17035/x64 v723 06_4e
    PID 10684
    Application C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Hosts\Microsoft.ServiceHub.Host.CLR\vs_installerservice.exe
    Description 1.1.31

    Filename c:\windows\syswow64\\windowspowershell\v1.0\powershell.exe

    Command line:
    "c:\windows\syswow64\\windowspowershell\v1.0\powershell.exe" -NonInteractive -NoLogo -NoProfile -ExecutionPolicy Bypass -InputFormat None "$ErrorActionPreference="""Stop"""; $VerbosePreference="""Continue"""; $CeipSetting="""on"""; $ScriptPath="""C:\ProgramData\Microsoft\VisualStudio\Packages\Win10SDK_10.0.16299.Desktop,version=10.0.16299.0\WinSdkInstall.ps1"""; $SetupExe="""winsdksetup.exe"""; $SetupLogFolder="""windowssdk"""; $PackageId="""Win10SDK_10.0.RS3.Desktop"""; $LogFile="""C:\Users\marku\AppData\Local\Temp\dd_setup_20171117133109_001_Win10SDK_10.0.16299.Desktop.log"""; $SetupParameters="""/features OptionId.DesktopCPPx64 OptionId.DesktopCPPx86 OptionId.MSIInstallTools /quiet /norestart /uninstall"""; (gc $ScriptPath | out-string) | Invoke-Expression; if (!$?) { exit 1603 } elseif ($LastExitCode) { exit $LastExitCode }"

    Process Trace
    1 C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Hosts\Microsoft.ServiceHub.Host.CLR\vs_installerservice.exe [10684]
    "C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Hosts\Microsoft.ServiceHub.Host.CLR\vs_installerservice.exe" desktopClr$C94B8CFE-E3FD-4BAF-A941-2866DBB566FE 1b16677f6367f916c0dbb40c42df1b8f
    2 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe [11920]
    "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe" ./node_modules/microsoft-servicehub/host/HubController.js 6d789abbbd89ce2759078e46506ec4bc22605ad12b5507a276d9fa170de022ea
    3 C:\Windows\SysWOW64\cmd.exe [13524]
    C:\WINDOWS\system32\cmd.exe /s /d /c call "C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\node_modules\microsoft-servicehub\launchController.cmd" "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe" ./nod
    4 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe [17376]
    vs_installershell.exe --in "C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_201711171328345163.json" update --installPath "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise" --activityId 8493574a-2583-4ece
    5 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.exe [19080]
    "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.exe" --in "C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_201711171328345163.json" update --installPath "C:\Program Files (x86)\Microsoft Visual Stu
    6 C:\Users\marku\AppData\Local\Temp\b859cd64881610083f\vs_bootstrapper_d15\vs_setup_bootstrapper.exe [17220]
    "C:\Users\marku\AppData\Local\Temp\b859cd64881610083f\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --update update --installPath "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise" --activityId 8493574a-2583-4ece-ba7d-43470a21fb64 /final
    7 C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_bootstrapper.exe [18280]
    "C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_bootstrapper.exe" --update update --installPath "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise" --activityId 8493574a-2583-4ece-ba7d-43470a21fb64 /finalizeinstall
    8 C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Hosts\Microsoft.ServiceHub.Host.CLR\vs_installerservice.exe [14088]
    "C:\program files (x86)\microsoft visual studio\installer\resources\app\ServiceHub\Hosts\Microsoft.ServiceHub.Host.CLR\vs_installerservice.exe" desktopClr$C94B8CFE-E3FD-4BAF-A941-2866DBB566FE 1be7f90b277c671aaf7a0c692b081652
    9 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe [3936]
    "C:\program files (x86)\microsoft visual studio\installer\vs_installershell.exe" ./node_modules/microsoft-servicehub/host/HubController.js 7e254e4bbaec911d4aacac9455a21df0eda4d3a6a3948caab4f1c971933ff1f5
    10 C:\Windows\SysWOW64\cmd.exe [9964]
    C:\WINDOWS\system32\cmd.exe /s /d /c call "C:\program files (x86)\microsoft visual studio\installer\resources\app\node_modules\microsoft-servicehub\launchController.cmd" "C:\program files (x86)\microsoft visual studio\installer\vs_installershell.exe" ./nod
    11 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installershell.exe [7224]
    vs_installershell.exe update --installPath "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise" --activityId 8493574a-2583-4ece-ba7d-43470a21fb64
    12 C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.exe [10808]
    "C:\program files (x86)\microsoft visual studio\installer\vs_installer.exe" update --installPath "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise" --activityId 8493574a-2583-4ece-ba7d-43470a21fb64
    13 C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise\Common7\IDE\devenv.exe [15808]
    "C:\Program Files (x86)\Microsoft Visual Studio\Preview\Enterprise\Common7\IDE\devenv.exe" "C:\Users\marku\OneDrive\Documents\Techniker\Priv_Sonstiges\TINF\C\171117_Zinsen\EmptyProject\EmptyProject.sln"
    14 C:\Windows\explorer.exe [7304]
    C:\WINDOWS\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding

    Thumbprint
    8d29374bb423f24d25e9872a2bb18637ea386987f431b540651c5b8792ced26a

    Third, I get from time to time:

    Mitigation CredGuard

    Platform 10.0.17035/x64 v723 06_4e
    PID 4624
    Application C:\Program Files\Windows Defender\MsMpEng.exe
    Description Antimalware Service Executable 4.12

    SAM access denied.

    Range = LBA 131635960 :136
    Read = LBA 131636088 :7

    Thumbprint
    46d27ce21097ef2efd740f09eec4868478ec9b94740c0671138d5a29fef09820

    regards,
    saenta
     
    Last edited: Nov 17, 2017
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,314
    Hi Saenta

    Go to the yellow box, and then to Credential protection. Untick the SAM box and you will be fine.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,882
    Location:
    Among the gum trees
    I've had these:
    Code:
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          18/11/2017 11:28:49 AM
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Dave-PC
    Description:
    Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v723 06_25
    PID          3488
    Application  C:\Program Files\Windows Defender\MsMpEng.exe
    Description  Antimalware Service Executable 4.12
    
    SAM access denied.
    
    Range = LBA 2413824 :256
    Read  = LBA 2413824 :64
    
    Process Trace
    1  C:\Program Files\Windows Defender\MsMpEng.exe [3488]
    2  C:\Windows\System32\services.exe [632]
    
    Thumbprint
    9da789ccc11105df09903bbc7a0afad3c6ff71bbe77d993d239fefdae48fbaa8
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-11-18T00:28:49.088407200Z" />
        <EventRecordID>7530</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Dave-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files\Windows Defender\MsMpEng.exe</Data>
        <Data>CredGuard</Data>
        <Data>Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v723 06_25
    PID          3488
    Application  C:\Program Files\Windows Defender\MsMpEng.exe
    Description  Antimalware Service Executable 4.12
    
    SAM access denied.
    
    Range = LBA 2413824 :256
    Read  = LBA 2413824 :64
    
    Process Trace
    1  C:\Program Files\Windows Defender\MsMpEng.exe [3488]
    2  C:\Windows\System32\services.exe [632]
    
    Thumbprint
    9da789ccc11105df09903bbc7a0afad3c6ff71bbe77d993d239fefdae48fbaa8</Data>
      </EventData>
    </Event>
    Code:
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          18/11/2017 11:28:49 AM
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Dave-PC
    Description:
    Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v723 06_25
    PID          9308
    Application  C:\Windows\System32\SrTasks.exe
    Description  Microsoft® Windows System Protection background tasks. 10
    
    SAM access denied.
    
    Range = LBA 2413824 :256
    Read  = LBA 2413824 :144
    
    Process Trace
    1  C:\Windows\System32\SrTasks.exe [9308]
    C:\Windows\system32\srtasks.exe ExecuteScheduledSPPCreation
    2  C:\Windows\System32\svchost.exe [1104]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
    3  C:\Windows\System32\services.exe [632]
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-11-18T00:28:49.283578900Z" />
        <EventRecordID>7531</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Dave-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Windows\System32\SrTasks.exe</Data>
        <Data>CredGuard</Data>
        <Data>Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v723 06_25
    PID          9308
    Application  C:\Windows\System32\SrTasks.exe
    Description  Microsoft® Windows System Protection background tasks. 10
    
    SAM access denied.
    
    Range = LBA 2413824 :256
    Read  = LBA 2413824 :144
    
    Process Trace
    1  C:\Windows\System32\SrTasks.exe [9308]
    C:\Windows\system32\srtasks.exe ExecuteScheduledSPPCreation
    2  C:\Windows\System32\svchost.exe [1104]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
    3  C:\Windows\System32\services.exe [632]
    </Data>
      </EventData>
    </Event>
    Disabling SAM on this machine for now.
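    The reports quoted in this thread (posts 17, 23 and 25) all share one layout: the protected SAM range on disk, the raw read that was blocked, and the process trace. The parser below is an added example, not HitmanPro.Alert's own code: it pulls those fields out of the alert text or the Event ID 911 XML, computes how many sectors the read actually overlaps, and labels the event so a known imaging tool (an exclusion candidate) can be told apart from an unexpected process. The field layout, the `expected_backup_exes` allowlist and the sample values are assumptions taken from the posts above.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Field layout assumed from the reports posted in this thread (not HMPA's own code).
KV_RE = re.compile(r"^(Mitigation|PID|Application|Description)\s+(.+?)\s*$", re.M)
LBA_RE = re.compile(r"^(Range|Read)\s*=\s*LBA\s+(\d+)\s*:(\d+)", re.M)
TRACE_RE = re.compile(r"^\d+\s+(\S.*?\.exe)\s+\[(\d+)\]", re.M | re.I)
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

@dataclass
class Report:
    mitigation: str
    application: str
    pid: int
    protected: tuple  # (first LBA, sector count) of the SAM hive on disk
    read: tuple       # (first LBA, sector count) the process tried to read
    trace: list       # [(exe path, pid), ...]; index 0 is the blocked process

    def overlap_sectors(self) -> int:
        """Sectors the raw read shares with the protected SAM range (0 = none)."""
        (a0, an), (b0, bn) = self.protected, self.read
        return max(0, min(a0 + an, b0 + bn) - max(a0, b0))

def parse_report(text: str) -> Report:
    """Parse the plain-text block HMPA shows in its alert and logs as Event ID 911."""
    kv = dict(KV_RE.findall(text))
    lba = {k: (int(s), int(n)) for k, s, n in LBA_RE.findall(text)}
    trace = [(p, int(pid)) for p, pid in TRACE_RE.findall(text)]
    return Report(kv["Mitigation"], kv["Application"], int(kv["PID"]),
                  lba["Range"], lba["Read"], trace)

def parse_event_xml(xml_text: str) -> Report:
    """In the Event 911 XML the third <Data> element carries the same report text."""
    data = ET.fromstring(xml_text).find(EVT_NS + "EventData").findall(EVT_NS + "Data")
    return parse_report(data[2].text)

def triage(report: Report, expected_backup_exes) -> str:
    """Known imaging tool on the SAM sectors: expected noise (exclusion candidate); else look."""
    if report.overlap_sectors() == 0:
        return "no-overlap"
    exe = report.application.rsplit("\\", 1)[-1].lower()
    return "expected-backup" if exe in expected_backup_exes else "investigate"

# Constructed sample, values copied from the AOMEI Backupper report in this thread.
SAMPLE = """Mitigation CredGuard
PID 24240
Application C:\\Program Files (x86)\\AOMEI Backupper\\ABCore.exe
SAM access denied.
Range = LBA 7264368 :272
Read = LBA 7264256 :256
Process Trace
1 C:\\Program Files (x86)\\AOMEI Backupper\\ABCore.exe [24240]
2 C:\\Program Files (x86)\\AOMEI Backupper\\ABService.exe [5376]
"""
```

Running `triage(parse_report(SAMPLE), {"abcore.exe"})` labels the AOMEI event as expected backup noise, while the same read from a process outside the allowlist comes back as "investigate".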
     