HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    My keyboard keys got scrambled again in Chrome straight after using Samsung SSD magician even when the Exploit Test tool was not running:( Closing and restarting Chrome fixed the problem.
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,223
    Location:
    Italy
    1.JPG

    1.JPG



    I tested MBAE on Windows XP:

    Stack Pivot - Passed
    Stack Exec - Passed
    SEHOP - Passed
    URL Mon - Passed


    EMET 4.1 Update 1:

    Stack Pivot - Passed
    Stack Exec - Passed
    Rop Win Exec - Passed
    SEHOP - Passed
    Heap Spray 1 - Passed
    Heap Spray 2 - Passed
    URL Mon 2 - Passed
    URL Mon 3 - Passed
    ROP Virtual Protect (No Pop-Up) Block
    ROP Nt Protect Virtual Memory (No Pop-Up) Block


    MBAE block the test "URL Mon" failed with EMET.
     
    Last edited: Jul 13, 2014
  3. wojtek

    wojtek Registered Member

    Joined:
    Jan 5, 2014
    Posts:
    33
    'Passed' means that the program failed? thank you!
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,223
    Location:
    Italy
    "Passed" means that the programs have blocked the exploit.
     
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,318
    Location:
    the Netherlands
    Is that the same issue that deugniet reported?
    Did you also see the "Please wait" screen for a prolonged period as Windows was starting up, like deugniet reported?
     
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,024
    I noticed this. Maybe it has nothing to do with above...

    Trefwoorden:
    Gebruiker: SYSTEM
    Computer: ****
    Beschrijving:
    Uw registerbestand is nog steeds in gebruik door andere toepassingen of services. Het bestand wordt nu verwijderd. De toepassingen en services die het registerbestand nu gebruiken, werken achteraf mogelijk niet meer goed.

    DETAIL -
    1 user registry handles leaked from \Registry\User\S-1-5-21-1139147123-4150390050-2674437762-1000_Classes:
    Process 440 (\Device\HarddiskVolume3\Program Files (x86)\HitmanPro.Alert\hmpalert.exe) has opened key \REGISTRY\USER\S-1-5-21-1139147123-4150390050-2674437762-1000_CLASSES

    Gebeurtenis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1530</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-07-13T09:39:01.171473500Z" />
    <EventRecordID>140926</EventRecordID>
    <Correlation />
    <Execution ProcessID="108" ThreadID="4016" />
    <Channel>Application</Channel>
    <Computer>****</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData Name="EVENT_HIVE_LEAK">
    <Data Name="Detail">1 user registry handles leaked from \Registry\User\S-1-5-21-1139147123-4150390050-2674437762-1000_Classes:
    Process 440 (\Device\HarddiskVolume3\Program Files (x86)\HitmanPro.Alert\hmpalert.exe) has opened key \REGISTRY\USER\S-1-5-21-1139147123-4150390050-2674437762-1000_CLASSES
    </Data>
    </EventData>
    </Event>
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Alert has a Software Radar to detect newly installed software. I see that it keeps a handle open to the registry keys it is monitoring.
    I'll see that it gets fixed in CTP2.
    Thanks for reporting :thumb:
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    As you noticed, simply switching window focus fixes the issue, but it is annoying and should not happen. We have this under investigation. Thanks for reporting :thumb:
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The hmpalert.exe is the Alert installer, service and GUI. It is 32-bit so that we have one single binary (in contrast to our on-demand scanner which comes in separate 32-bit and 64-bit files).

    The core of Alert is in hmpalert.dll which resides in System32 and SysWOW64 (64-bit and 32-bit respectively).

    Hope this helps.
     
  10. caiusilus

    caiusilus Registered Member

    Joined:
    Feb 14, 2013
    Posts:
    35
    Location:
    France
    Hi Stupendous Man,

    Yes, exactly same problems...
    Hope a new build will solve this trouble ;-)
     
  11. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,024
    Logfile (Ntbtlog.txt) of startup Windows 7 64 bits.

    Service Pack 1 7 13 2014 12:22:54.375
    Loaded driver \SystemRoot\system32\ntoskrnl.exe
    Loaded driver \SystemRoot\system32\hal.dll
    Loaded driver \SystemRoot\system32\kdcom.dll
    Loaded driver \SystemRoot\system32\mcupdate_GenuineIntel.dll
    Loaded driver \SystemRoot\system32\PSHED.dll
    Loaded driver \SystemRoot\system32\CLFS.SYS
    Loaded driver \SystemRoot\system32\CI.dll
    Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys
    Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS
    Loaded driver \SystemRoot\system32\drivers\ACPI.sys
    Loaded driver \SystemRoot\system32\drivers\WMILIB.SYS
    Loaded driver \SystemRoot\system32\drivers\msisadrv.sys
    Loaded driver \SystemRoot\system32\drivers\pci.sys
    Loaded driver \SystemRoot\system32\drivers\vdrvroot.sys
    Loaded driver \SystemRoot\System32\drivers\partmgr.sys
    Loaded driver \SystemRoot\system32\DRIVERS\compbatt.sys
    Loaded driver \SystemRoot\system32\DRIVERS\BATTC.SYS
    Loaded driver \SystemRoot\system32\drivers\volmgr.sys
    Loaded driver \SystemRoot\System32\drivers\volmgrx.sys
    Loaded driver \SystemRoot\System32\drivers\mountmgr.sys
    Loaded driver \SystemRoot\system32\DRIVERS\iaStor.sys
    Loaded driver \SystemRoot\system32\drivers\atapi.sys
    Loaded driver \SystemRoot\system32\drivers\ataport.SYS
    Loaded driver \SystemRoot\system32\drivers\msahci.sys
    Loaded driver \SystemRoot\system32\drivers\PCIIDEX.SYS
    Loaded driver \SystemRoot\system32\drivers\amdxata.sys
    Loaded driver \SystemRoot\system32\drivers\fltmgr.sys
    Loaded driver \SystemRoot\system32\drivers\NISx64\1504000.00D\SYMDS64.SYS
    Loaded driver \SystemRoot\system32\drivers\fileinfo.sys
    Loaded driver \SystemRoot\system32\drivers\NISx64\1504000.00D\SYMEFA64.SYS
    Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
    Loaded driver \SystemRoot\System32\Drivers\msrpc.sys
    Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys
    Loaded driver \SystemRoot\System32\Drivers\cng.sys
    Loaded driver \SystemRoot\System32\drivers\pcw.sys
    Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.sys
    Loaded driver \SystemRoot\system32\drivers\ndis.sys
    Loaded driver \SystemRoot\system32\drivers\NETIO.SYS
    Loaded driver \SystemRoot\System32\Drivers\ksecpkg.sys
    Loaded driver \SystemRoot\System32\drivers\tcpip.sys
    Loaded driver \SystemRoot\System32\drivers\fwpkclnt.sys
    Loaded driver \SystemRoot\system32\drivers\volsnap.sys
    Loaded driver \SystemRoot\System32\Drivers\spldr.sys
    Loaded driver \SystemRoot\System32\drivers\rdyboost.sys
    Loaded driver \SystemRoot\System32\Drivers\mup.sys
    Loaded driver \SystemRoot\System32\drivers\hwpolicy.sys
    Loaded driver \SystemRoot\System32\DRIVERS\fvevol.sys
    Loaded driver \SystemRoot\system32\DRIVERS\disk.sys
    Loaded driver \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    Loaded driver \SystemRoot\system32\DRIVERS\spvdbus.sys
    Loaded driver \??\C:\Windows\system32\Drivers\spvve.sys
    Loaded driver \SystemRoot\system32\drivers\cdrom.sys
    Loaded driver \SystemRoot\system32\drivers\NISx64\1504000.00D\ccSetx64.sys
    Loaded driver \SystemRoot\system32\drivers\NISx64\1504000.00D\SRTSPX64.SYS
    Loaded driver \SystemRoot\system32\drivers\NISx64\1504000.00D\Ironx64.SYS
    Loaded driver \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
    Loaded driver
    Loaded driver
    Loaded driver \SystemRoot\System32\Drivers\NISx64\1504000.00D\SRTSP64.SYS
    Loaded driver \SystemRoot\System32\Drivers\Null.SYS
    Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
    Loaded driver \SystemRoot\System32\drivers\vga.sys
    Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
    Loaded driver \SystemRoot\system32\drivers\rdpencdd.sys
    Loaded driver \SystemRoot\system32\drivers\rdprefmp.sys
    Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
    Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
    Loaded driver \SystemRoot\system32\DRIVERS\tdx.sys
    Loaded driver \SystemRoot\system32\drivers\afd.sys
    Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
    Loaded driver \SystemRoot\system32\DRIVERS\wfplwf.sys
    Loaded driver \SystemRoot\system32\DRIVERS\pacer.sys
    Loaded driver \SystemRoot\system32\DRIVERS\vwififlt.sys
    Loaded driver \SystemRoot\system32\DRIVERS\SymIMv.sys
    Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
    Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
    Loaded driver \SystemRoot\system32\drivers\termdd.sys
    Loaded driver \SystemRoot\System32\Drivers\NISx64\1504000.00D\SYMNETS.SYS
    Did not load driver \??\C:\Users\****\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS
    Did not load driver \??\C:\Users\****\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS
    Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
    Loaded driver \SystemRoot\system32\drivers\nsiproxy.sys
    Loaded driver \SystemRoot\system32\drivers\mssmbios.sys
    Loaded driver
    Loaded driver \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    Loaded driver \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
    Loaded driver \SystemRoot\System32\drivers\discache.sys
    Loaded driver \SystemRoot\System32\Drivers\dfsc.sys
    Loaded driver \SystemRoot\system32\DRIVERS\blbdrive.sys
    Loaded driver
    Loaded driver \SystemRoot\system32\DRIVERS\tunnel.sys
    Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
    Loaded driver \SystemRoot\System32\drivers\dxgkrnl.sys
    Loaded driver \SystemRoot\system32\DRIVERS\igdkmd64.sys
    Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
    Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
    Loaded driver \SystemRoot\system32\drivers\HDAudBus.sys
    Loaded driver \SystemRoot\system32\DRIVERS\L1C62x64.sys
    Loaded driver \SystemRoot\system32\DRIVERS\Netwsw00.sys
    Loaded driver \SystemRoot\system32\DRIVERS\vwifibus.sys
    Loaded driver \SystemRoot\system32\drivers\i8042prt.sys
    Loaded driver \SystemRoot\SysWOW64\Drivers\DKbFltr.sys
    Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
    Loaded driver \SystemRoot\system32\DRIVERS\SynTP.sys
    Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
    Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys
    Loaded driver \??\C:\Windows\system32\drivers\UBHelper.sys
    Loaded driver \??\C:\Windows\system32\drivers\NTIDrvr.sys
    Loaded driver \SystemRoot\system32\drivers\wmiacpi.sys
    Loaded driver \SystemRoot\system32\drivers\CompositeBus.sys
    Loaded driver \SystemRoot\system32\DRIVERS\AgileVpn.sys
    Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
    Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
    Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
    Loaded driver \SystemRoot\system32\DRIVERS\rassstp.sys
    Loaded driver \SystemRoot\system32\drivers\swenum.sys
    Loaded driver \SystemRoot\system32\DRIVERS\circlass.sys
    Loaded driver \SystemRoot\system32\drivers\umbus.sys
    Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
    Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
    Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
    Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
    Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
    Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
    Loaded driver \SystemRoot\system32\drivers\RTKVHD64.sys
    Loaded driver \SystemRoot\system32\drivers\ksthunk.sys
    Loaded driver \SystemRoot\system32\drivers\IntcHdmi.sys
    Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
    Loaded driver \SystemRoot\system32\drivers\hidusb.sys
    Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys
    Loaded driver \SystemRoot\system32\DRIVERS\monitor.sys
    Loaded driver \SystemRoot\system32\drivers\luafv.sys
    Loaded driver \??\C:\Windows\system32\drivers\hmpalert.sys
    Loaded driver \SystemRoot\system32\DRIVERS\lltdio.sys
    Loaded driver \SystemRoot\system32\DRIVERS\nwifi.sys
    Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
    Loaded driver \SystemRoot\system32\DRIVERS\rspndr.sys
    Loaded driver \SystemRoot\system32\drivers\HTTP.sys
    Loaded driver \SystemRoot\System32\DRIVERS\srvnet.sys
    Loaded driver \SystemRoot\system32\DRIVERS\bowser.sys
    Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
    Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    Loaded driver \SystemRoot\System32\DRIVERS\srv2.sys
    Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
    Did not load driver \SystemRoot\System32\DRIVERS\srv.sys
    Loaded driver \SystemRoot\system32\drivers\peauth.sys
    Loaded driver \SystemRoot\System32\Drivers\secdrv.SYS
    Loaded driver \??\C:\Program Files\Sandboxie\SbieDrv.sys
    Loaded driver \SystemRoot\System32\drivers\tcpipreg.sys
     
  12. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,318
    Location:
    the Netherlands
    @ caiusilus,
    You reported "sometimes it became impossible to log on my LUA."
    Did you get a "Windows could not connect to the System Event Notification Service" error notification when trying to login to your LUA (Least-privilege User Account, Standard User Account)?
    Login to your Administrator account would succeed, I suppose, but did you see an "Windows could not connect to the System Event Notification Service" error notification after login?
    (I'm curious, as I had such an issue earlier on, with HMP.A 2.6.5.77.)

    @ deugniet,
    Related to the issue that you reported,
    did you have any issue logging in to a Standard User Account (Least-privilege User Account, LUA)?
    Did you get a "Windows could not connect to the System Event Notification Service" error notification when trying to login to a Standard User Account, or after login to an Administrator account?

    Anyway,
    if the issue was the same as what deugniet reported next, than I guess that Erik found the cause of the issue and it will be fixed in CTP2, as Erik said.
     
  13. caiusilus

    caiusilus Registered Member

    Joined:
    Feb 14, 2013
    Posts:
    35
    Location:
    France
    I see the notification before login on my Least-privilege User Account but not after.
    HMP 3 makes my pc freeze but I am quite sure it's not a serious bug and I hope to be able to add HMP.
    HMP should replace EMET in my config, as I have a hitman pro licence active ;-)
     
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,318
    Location:
    the Netherlands
    That is correct.
    Regarding this type of issue, the "Windows could not connect to the System Event Notification Service" notification occurs when trying to login to a Standard User Account (Least-privilege User Account, LUA), and login fails, and a hang occurs.
    In case someone does not try to login to a Standard User Account (Least-privilege User Account, LUA) but instead to an Administrator Account, then login succeeds, but in that case a "Windows could not connect to the System Event Notification Service" error notification is show after login.
    That was also my experience with that type of issue, earlier on, with HMP.A 2.6.5.77, of which I wasn't sure if it was or was not related to HMP.A.

    As you mention you get that type of "Windows could not connect to the System Event Notification Service" notification with the HMP.A 3 CTP1 issue, perhaps it might be useful if SurfRight takes another look at what I reported earlier on regarding HMP.A 2.6.5.77 (again: of which I wasn't sure if it was or was not related to HMP.A).

    But as I said, if your issue was the same as what deugniet reported, then I guess that Erik found the cause of the issue and it will be fixed in CTP2, as Erik said.
     
    Last edited: Jul 13, 2014
  15. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,024
    You refer to this Stupendous Man?

    Logboeknaam: Security
    Bron: Microsoft-Windows-Security-Auditing
    Datum: 13-7-2014 16:23:48
    Gebeurtenis-id:4625
    Taakcategorie: Aanmelden
    Niveau: Informatie
    Trefwoorden: Controle mislukt
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Het aanmelden van een account is mislukt.

    Onderwerp:
    Beveiligings-id: ****\****
    Accountnaam: ****
    Accountdomein: ****
    Aanmeldings-id: 0x38030

    Aanmeldingstype: 4

    Account waarvoor het aanmelden is mislukt:
    Beveiligings-id: NULL SID
    Accountnaam: ****
    Accountdomein:

    Gegevens over mislukte bewerking:
    Reden van mislukken: Onbekende gebruikersnaam of ongeldig wachtwoord.
    Status: 0xc000006d
    Substatus: 0xc000006a

    Procesgegevens:
    Proces-id van aanroeper: 0xb34
    Procesnaam van aanroeper: C:\Windows\System32\taskhost.exe

    Netwerkgegevens:
    Naam van werkstation: ****
    Netwerkadres van bron: -
    Poort van bron: -

    Gedetailleerde verificatiegegevens:
    Aanmeldingsproces: Advapi
    Verificatiepakket: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Doorgezette services: -
    Pakketnaam (alleen NTLM): -
    Sleutellengte: 0

    Deze gebeurtenis wordt gegenereerd wanneer een aanmeldingsaanvraag mislukt. De gebeurtenis wordt gegenereerd op de computer waartoe wordt geprobeerd toegang te verkrijgen.

    De velden Onderwerp bevatten de account op het lokale systeem waardoor de aanmelding is aangevraagd. Dit is meestal een service zoals de Server-service, of een lokaal proces zoals Winlogon.exe of Services.exe.

    In het veld Aanmeldingstype ziet u het type aanmelding. De meest algemene typen zijn 2 (interactief) en 3 (netwerk).

    In de velden met procesgegevens ziet u door welke account en door welk proces de aanmelding is aangevraagd.

    In de netwerkvelden ziet u de bron van een externe aanmeldingsaanvraag. Naam van werkstation is niet altijd beschikbaar en kan in sommige gevallen leeg zijn.

    De velden met verificatiegegevens bevatten gedetailleerde informatie over die aanmeldingsaanvraag.
    - In Doorgezette services ziet u welke tussentijdse services voor deze aanmeldingsaanvraag zijn gebruikt.
    - Pakketnaam geeft aan welk subprotocol van de NTLM-protocollen is gebruikt.
    - Sleutellengte geeft de lengte van de gegenereerde sessiesleutel aan. Dit veld is 0 als er geen sessiesleutel is aangevraagd.
    Gebeurtenis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-07-13T14:23:48.728509300Z" />
    <EventRecordID>198058</EventRecordID>
    <Correlation />
    <Execution ProcessID="580" ThreadID="944" />
    <Channel>Security</Channel>
    <Computer>****</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1139147123-4150390050-2674437762-1000</Data>
    <Data Name="SubjectUserName">****</Data>
    <Data Name="SubjectDomainName">****</Data>
    <Data Name="SubjectLogonId">0x38030</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">****</Data>
    <Data Name="TargetDomainName">
    </Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">4</Data>
    <Data Name="LogonProcessName">Advapi </Data>
    <Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="WorkstationName">****</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0xb34</Data>
    <Data Name="ProcessName">C:\Windows\System32\taskhost.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
    </EventData>
    </Event>
     
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,318
    Location:
    the Netherlands
    Er.. no, I never found such Event Log entry in relation to the issue that I mentioned before. The Event ID that I found in relation to the issue that I mentioned before were 6003 and 6005.
    Did you get a "Windows could not connect to the System Event Notification Service" notification in connection with Windows login?
    If not, the issue you experienced may have been different to caiusilus', and may probably have been completely different to the issue that I mentioned before.
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,101
    Location:
    USA
    By the way, is the recommendation to uninstall before updating to a new v3 build? (just as it was with v2 :) )
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    EMET does not block the heap spray but the ROP attack that comes directly after the heap spray. So only one layer there instead of 2.

    As you noticed, MBAE does not have a ROP blocking layer.
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Upgrade from v2 to v3 should work.
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,101
    Location:
    USA
    Thanks! I upgraded from v3 build 59 to CTP1 without incident. By the way, where in the Alert UI can the build be determined? I can't find an "about" item.
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,223
    Location:
    Italy
    TH for the clarification.:thumb:
    Yes,no ROP blocking.


    ___________________________________

    EMET (Deselected SimExecFlow) + MBAE

    *** Test HPA3 ***

    Stack Pivot - MBAE
    StackExec - EMET
    ROP WinExec - Failed *
    ROP VirtualProtect - EMET
    ROP NtProtectVirtualMemory -Failed *
    ROP Virtual Protect via CALL Gadget - Failed
    SEHOP - EMET
    HEAP Spray 1 - Failed *
    HEAP Spray 2 - EMET
    HEAP Spray 3 - Failed
    HEAP Spray 4 - Failed
    URL Mon - MBAE
    URL Mon 2 - Failed *
    URL Mon 3 - EMET


    * No good EMET + MBAE
     
    Last edited: Jul 14, 2014
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,223
    Location:
    Italy
    @erikloman

    Why in some tests there is a single intervention?

    EMET + MBAE

    Test "Stack Pivot" is active MBAE

    EMET + HPA3:

    test:

    "StackExec"
    "SEHOP"

    is active EMET.
     
    Last edited: Jul 14, 2014
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    I wanted to use the tests against my other security software, & system in general. The tests wouldn't run on my XP/SP2 without installing the Beta, so i tried to.

    The initial install phase advised me to upgrade from v2, which wasn't working but installed, & after clicking, it needed to reboot. This resulted in my comp reaching the log in, then rebooting before the desktop appeared. After about 5 attempts i realised something had gone wrong, so i used System Restore to go back to before it happened.

    Don't know what the problem/s were, but not a good experience !
     
  24. Antimalware18

    Antimalware18 Registered Member

    Joined:
    Dec 12, 2008
    Posts:
    417
    Maybe there's something wrong with my setup, because when I throw all the test exploits at my machine with EMET 4.1 they all run fine with no blocks whatsoever o_O
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,223
    Location:
    Italy
    You must enter the HPA3-test.exe in the applications list of EMET.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.