HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,891
    Location:
    Among the gum trees
    I just got this while running a scan with SUPERAntiSpyware. Yeah, I know, I know. :isay:
    Code:
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          19/11/2017 8:07:17 AM
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      David-HP
    Description:
    Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v723 06_5e
    PID          3468
    Application  C:\Program Files\SUPERAntiSpyware\SASCore64.exe
    Description  Core Service 6
    
    SAM access denied.
    
    Range = LBA 1328464 :224
    Read  = LBA 1328464 :8
    
    Process Trace
    1  C:\Program Files\SUPERAntiSpyware\SASCore64.exe [3468]
    2  C:\Windows\System32\services.exe [780]
    3  C:\Windows\System32\wininit.exe [664]
    wininit.exe
    
    Thumbprint
    57c90e4bc46240f0d225530dd45c3dc5669c6f9b15fce6506e787a251ed1eccd
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-11-18T21:07:17.020639300Z" />
        <EventRecordID>4252</EventRecordID>
        <Channel>Application</Channel>
        <Computer>David-HP</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files\SUPERAntiSpyware\SASCore64.exe</Data>
        <Data>CredGuard</Data>
        <Data>Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v723 06_5e
    PID          3468
    Application  C:\Program Files\SUPERAntiSpyware\SASCore64.exe
    Description  Core Service 6
    
    SAM access denied.
    
    Range = LBA 1328464 :224
    Read  = LBA 1328464 :8
    
    Process Trace
    1  C:\Program Files\SUPERAntiSpyware\SASCore64.exe [3468]
    2  C:\Windows\System32\services.exe [780]
    3  C:\Windows\System32\wininit.exe [664]
    wininit.exe
    
    Thumbprint
    57c90e4bc46240f0d225530dd45c3dc5669c6f9b15fce6506e787a251ed1eccd</Data>
      </EventData>
    </Event>
    SAM is disabled on my other two machines for now.
     
  2. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    579
    I even get a CredGuard error when I open the Windows 10 task manager, if SAM is enabled...

    Am I wrong in thinking that default OS components should be whitelisted out of the box?
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,321
Yep. CredGuard blocks that SAM file from everything.
     
  4. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
The problem with whitelisting OS components is that it doesn't actually help, as most attacks are initiated from whitelisted binaries, including ransomware. Whitelisting is dead.
     
  5. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    579
    Oh, bummer. What's the alternative?

How can I enable SAM, yet not get any errors when opening the task manager?
     
  6. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
    Is the Task Manager throwing errors when you open it? That's not SAM related.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,950
    Location:
    Outer space
  8. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,577
    Location:
    The etherlands
Yeah, it sounds like everyone can just chuck their hardware :eek:.

    But I've also read that one needs physical access to the computer, like via a USB.
     
  10. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,637
    Location:
    the Netherlands
    Most of the mentioned vulnerabilities are AV:L (Attack Vector: Local),
    but CVE-2017-5712 is AV:N (Attack Vector: Network), and Intel writes: "allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege."
     
  11. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    579
    Yes. I thought I saw the text SAM in the report.

    Will try to reproduce this and post the exact message.
     
  12. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    579
    Code:
    Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v723 06_17*
    PID          7596
    Application  C:\Windows\System32\Taskmgr.exe
    Description  Task Manager 10
    
    SAM access denied.
    
    Range = LBA 124392040 :256
    Read  = LBA 124392168 :8
    
    Process Trace
    1  C:\Windows\System32\Taskmgr.exe [7596]
    "C:\WINDOWS\System32\Taskmgr.exe" /3
    2  C:\Windows\System32\LaunchTM.exe [7036]
    launchtm.exe /3
    3  C:\Windows\System32\winlogon.exe [768]
    winlogon.exe
    It does mention SAM. Can you please explain?
     
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
What are you doing specifically with the Task Manager before this alert appears? I can't reproduce.
     
  14. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    579
    Nothing at all... I only pressed Ctrl+Alt+Del to open it.

    Is it possible that my antivirus software (Emsisoft Anti-Malware) interferes?
     
  15. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    53
    Hi Mark,

    Can you provide a more specific timeframe for the automatic update to build 723 for users running build 604?
     
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,637
    Location:
    the Netherlands
    Build 723 is offered now, to users running build 604.
    Offered on my two Windows 7 systems.
    Also see plat1098's post in the HitmanPro.Alert (non beta) thread.
     
  17. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    53
    Hi Stupendous Man,

    Thanks for your input. I am aware that build 723 is already available to users running build 604. However, since this is the second Release Candidate and the automatic upgrade timeframe was short, I decided to wait for the general rollout.
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,637
    Location:
    the Netherlands
    What I meant was that the general rollout with automatically updating build 604 to 723 has started.
     
  19. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    53
Oh, OK, sorry for the misunderstanding. I attempted a right click "Check for update" and nothing happened, hence my post. However, I just tried it again, and it prompted me for the update. Go figure.
     
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,637
    Location:
    the Netherlands
    Yes, that is something I've seen before.
Perhaps there is some limitation built into the auto update mechanism, to ease the update servers.
     
  21. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    9
    Code:
    Mitigation   PrivGuard
    
    Platform     10.0.16299/x64 v723 06_45
    PID          11332
    Application  C:\Program Files\Mozilla Firefox\firefox.exe
    Description  Firefox 57
    
    Sweep
    
    Code Injection
    00000000007A0000-00000000007A6000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [1892]
    00000000007B0000-00000000007B1000    4KB
    00007FFEDC0C9000-00007FFEDC0CA000    4KB
    0000017852816000-0000017852817000    4KB C:\Program Files\Mozilla Firefox\firefox.exe [12604]
    00007FFEDC0F0000-00007FFEDC0F1000    4KB
    00007FFEDC0F2000-00007FFEDC0F3000    4KB
    00007FFEDC0EF000-00007FFEDC0F0000    4KB
    1  C:\Program Files\Sandboxie\SbieSvc.exe [1892]
    2  C:\Windows\System32\services.exe [904]
    3  C:\Windows\System32\wininit.exe [828]
    wininit.exe
    1  C:\Program Files\Mozilla Firefox\firefox.exe [12604]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://www.kcsoftwares.com/?page=postinstall&sw=SUMo"
    2  C:\Sandbox\Marine\DefaultBox\user\current\AppData\Local\Temp\is-6OV9L.tmp\sumo.tmp [9708]
    "C:\Users\Marine\AppData\Local\Temp\is-6OV9L.tmp\sumo.tmp" /SL5="$1C0BD2,1219898,162816,C:\Users\Marine\Desktop\sumo.exe" /SPAWNWND=$2409D8 /NOTIFYWND=$C0C8E
    3  C:\Users\Marine\Desktop\sumo.exe [2032]
    "C:\Users\Marine\Desktop\sumo.exe" /SPAWNWND=$2409D8 /NOTIFYWND=$C0C8E
    4  C:\Program Files\Sandboxie\SbieSvc.exe [9336]
    "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00000F28_00000000_7FE58384_00000142_
    5  C:\Program Files\Sandboxie\Start.exe [12092]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00000F28_00000000_7FE58384_00000142_
    6  C:\Program Files\Sandboxie\SbieSvc.exe [1892]
    7  C:\Windows\System32\services.exe [904]
    8  C:\Windows\System32\wininit.exe [828]
    wininit.exe
    
    Process Trace
    1  C:\Program Files\Mozilla Firefox\firefox.exe [11332]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="12604.13.459363129\1140960185" -childID 2 -isForBrowser -intPrefs 5:50|6:-1|28:1000|34:20|35:5|36:10|45:128|46:10000|51:0|53:400|54:1|55:0|56:0|61:0|62:120|63:120|98:2|99:1|114:5000|124
    2  C:\Program Files\Mozilla Firefox\firefox.exe [12604]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://www.kcsoftwares.com/?page=postinstall&sw=SUMo"
    3  C:\Sandbox\Marine\DefaultBox\user\current\AppData\Local\Temp\is-6OV9L.tmp\sumo.tmp [9708]
    "C:\Users\Marine\AppData\Local\Temp\is-6OV9L.tmp\sumo.tmp" /SL5="$1C0BD2,1219898,162816,C:\Users\Marine\Desktop\sumo.exe" /SPAWNWND=$2409D8 /NOTIFYWND=$C0C8E
    4  C:\Users\Marine\Desktop\sumo.exe [2032]
    "C:\Users\Marine\Desktop\sumo.exe" /SPAWNWND=$2409D8 /NOTIFYWND=$C0C8E
    5  C:\Program Files\Sandboxie\SbieSvc.exe [9336]
    "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00000F28_00000000_7FE58384_00000142_
    6  C:\Program Files\Sandboxie\Start.exe [12092]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Windows\system32" /env:=Refresh "C:\Program Files\Sandboxie\SbieSvc.exe" Sandboxie_UacProxy:00000F28_00000000_7FE58384_00000142_
    7  C:\Program Files\Sandboxie\SbieSvc.exe [1892]
    8  C:\Windows\System32\services.exe [904]
    9  C:\Windows\System32\wininit.exe [828]
    wininit.exe
     
  22. Kyle_Katarn

    Kyle_Katarn Registered Member

    Joined:
    Dec 20, 2007
    Posts:
    1,853
Excuse me, what's the error / alert you get?
     
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,637
    Location:
    the Netherlands
    @markloman,
    November 15, you wrote,
    To which I asked,
    Now that 604 is auto updated to 723 for all users, this is even more relevant to know.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,321
    Just test it. No harm done if it fails.
     
  25. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,054
    Location:
    Europe then Asia
For once I don't have (yet) any "FPs" with this version :D
     