08-02-2022 10:44 PM #1
Latest Armoury (5.2.12.0) causing malware alert (Hitman Pro)
I don't usually upgrade Armoury as I've had issues doing that before. But unfortunately Armoury decided to upgrade itself. The install of course failed, so I had to use uninstall tool and reinstall. The reinstall worked, however upon launching Armoury I get a pop-up from Hitman Pro (anti-malware) with the following info:
Mitigation CookieGuard
Timestamp 2022-08-02T22:38:57
Platform 10.0.19044/x64 v945 06_a5
PID 4324
Feature 037D1A30000011B6
Application C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Created 2021-04-01T19:18:23
Description Microsoft Edge 103
Remote debugging port enabled for this browser
Loaded Modules (12)
-----------------------------------------------------------------------------
00007FF7228A0000-00007FF722C20000 msedge.exe (Microsoft Corporation),
version: 103.0.1264.77
00007FF8AA4F0000-00007FF8AA6E8000 ntdll.dll (Microsoft Corporation),
version: 10.0.19041.1806 (WinBuild.160101.0800)
00007FF8AA240000-00007FF8AA2FD000 KERNEL32.dll (Microsoft Corporation),
version: 10.0.19041.1806 (WinBuild.160101.0800)
00007FF8A78A0000-00007FF8A79BB000 hmpalert.dll (SurfRight B.V.),
version: 3.8.21.945
00007FF8A7D40000-00007FF8A800E000 KERNELBASE.dll (Microsoft Corporation),
version: 10.0.19041.1826 (WinBuild.160101.0800)
00007FF85EAC0000-00007FF85EC15000 msedge_elf.dll (Microsoft Corporation),
version: 103.0.1264.77
00007FF8A9F40000-00007FF8A9FEE000 ADVAPI32.dll (Microsoft Corporation),
version: 10.0.19041.1682 (WinBuild.160101.0800)
00007FF8A9240000-00007FF8A92DE000 msvcrt.dll (Microsoft Corporation),
version: 7.0.19041.546 (WinBuild.160101.0800)
00007FF8A9E90000-00007FF8A9F2C000 sechost.dll (Microsoft Corporation),
version: 10.0.19041.1586 (WinBuild.160101.0800)
00007FF8A9D50000-00007FF8A9E75000 RPCRT4.dll (Microsoft Corporation),
version: 10.0.19041.1806 (WinBuild.160101.0800)
00007FF8A74C0000-00007FF8A74CC000 CRYPTBASE.DLL (Microsoft Corporation),
version: 10.0.19041.546 (WinBuild.160101.0800)
00007FF8A8310000-00007FF8A8392000 bcryptPrimitives.dll (Microsoft Corporation),
version: 10.0.19041.1415 (WinBuild.160101.0800)
Process Trace
1 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [4324]
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe http://127.0.0.1:1042/6318?cmd=alert --headless --disable-gpu --remote-debugging-port=0
2 C:\Program Files (x86)\ASUS\ArmouryDevice\asus_framework.exe [15204]
3 C:\Windows\System32\svchost.exe [1788]
C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule
4 C:\Windows\System32\services.exe [1172]
5 C:\Windows\System32\wininit.exe [1100]
wininit.exe
Services
1788 Schedule
Dropped Files
Thumbprints
538d38646d7dab691c8a58fdca5ee27ee1610c76f73f451396cb953790cf1354 (pfn-rd -> asus_framework.exe)
815d5b79944a3162126afe6e135ce1b37b93a7324c890509234cf448ac593f32 (pfn-rd -> svchost.exe)
____________________________
Armoury still loads, but when I try going to the Ryujin device, I get the same issue and hence can't access the device.
Here are my software levels:
Item Version
---- -------
Armoury Crate UWP App 5.2.12.0
ROG Live Service 1.5.10.0
Aura Service (Lighting Service) 3.05.66
Armoury Crate lite service 5.2.10
Aura Wallpaper Service Not installed
ASUS AIOFan HAL 1.1.47.0
ASUS AURA Extension Card HAL 1.1.0.18
ASUS AURA Motherboard HAL 1.3.4.0
AacVGA 0.0.5.2
KingstonDram 1.1.12
AURA DRAM Component 1.1.18
ENE RGB HAL 1.1.39.18
ENE_EHD_M2_HAL 1.0.9.12
PHISON HAL 1.0.9.0
Patriot Viper DRAM RGB 1.0.9.4
Patriot Viper M2 SSD RGB 1.1.0.2
Universal Holtek RGB DRAM 1.0.0.3
WD_BLACK AN1500 1.0.14.0
Please let me know if you need any further info. System is Windows 10. I have also contacted Hitman Pro support about this.
Thanks.
08-04-2022 10:06 AM #2
+1, I have this too: Hitman Pro Alert pops up when using this version of Armoury, 5.2.12.0.
It is like a backdoor: Edge activates when launching Armoury and the alert stops it from running. Not sure why Asus implemented Edge in the installation.
08-07-2022 11:00 PM #3
08-08-2022 06:57 AM #4
We'll look into it, thanks for letting us know.
08-10-2022 02:23 AM #5
08-15-2022 11:36 PM #6
This is Hitman's response:
"It seems ARMOURY CRATE Lite Service is starting the browser with a so-called Remote debugging option; this makes it possible for this application to read your authentication cookies and passwords for the Edge browser."
That's not ideal. I believe Armoury should remove this functionality. I certainly won't be adding it to the Allow list as I use Edge for work.
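The command line recorded in the process trace in post #1 (msedge.exe started by asus_framework.exe with --headless and --remote-debugging-port=0, and no --user-data-dir, so it runs against the user's default Edge profile) together with Hitman's explanation above is exactly what a detection rule keys on. The following is an added example, not code from this thread, from ASUS or from HitmanPro: it scans constructed process-creation records (modelled on the trace in post #1, with Sysmon-style field names) and flags any Chromium-based browser that exposes the DevTools protocol, rating the launch highest when the parent is not the browser itself and no separate profile was given. The sample records, the browser list and the severity thresholds are assumptions for illustration.

```python
"""Flag Chromium-based browsers launched with the DevTools remote-debugging interface.

Added example: not code from the forum thread, ASUS, or HitmanPro. The records
below are constructed to mirror the process trace in post #1; field names and
severity thresholds are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Chromium-based browsers that honour --remote-debugging-port / --remote-debugging-pipe.
BROWSERS = {"msedge.exe", "chrome.exe", "chromium.exe", "brave.exe", "vivaldi.exe", "opera.exe"}

_PORT_RE = re.compile(r"--remote-debugging-port(?:=(\d+))?(?=\s|$)")
_PIPE_RE = re.compile(r"--remote-debugging-pipe(?=\s|$)")
_PROFILE_RE = re.compile(r"--user-data-dir(?:=|\s)")
_HEADLESS_RE = re.compile(r"--headless(?:=\w+)?(?=\s|$)")


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style fields, assumed)."""
    pid: int
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev: ProcEvent) -> Optional[dict]:
    """Return a finding when ev is a browser exposing the DevTools protocol, else None."""
    if _basename(ev.image) not in BROWSERS:
        return None
    port_match = _PORT_RE.search(ev.command_line)
    pipe = bool(_PIPE_RE.search(ev.command_line))
    if not port_match and not pipe:
        return None
    port = int(port_match.group(1)) if port_match and port_match.group(1) else None
    # No --user-data-dir means the debug session is attached to the user's real
    # profile, i.e. the cookies and saved sessions HitmanPro warns about.
    default_profile = not _PROFILE_RE.search(ev.command_line)
    parent_is_browser = _basename(ev.parent_image) in BROWSERS
    if default_profile and not parent_is_browser:
        severity = "high"     # a foreign process can drive the user's real profile
    elif default_profile:
        severity = "medium"
    else:
        severity = "low"      # isolated profile: no access to the user's cookies
    return {
        "pid": ev.pid,
        "image": _basename(ev.image),
        "parent": _basename(ev.parent_image),
        "transport": "pipe" if pipe else "port",
        # Port 0 = OS-assigned; Chromium publishes it in the profile's DevToolsActivePort file.
        "port": port,
        "headless": bool(_HEADLESS_RE.search(ev.command_line)),
        "default_profile": default_profile,
        "severity": severity,
    }


def scan(events: List[ProcEvent]) -> List[dict]:
    """Run analyze() over a batch of records and keep only the findings."""
    return [f for f in (analyze(ev) for ev in events) if f is not None]


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample telemetry (not real logs); record 1 mirrors the post #1 trace.
SAMPLE_EVENTS = [
    ProcEvent(4324, EDGE,
              EDGE + " http://127.0.0.1:1042/6318?cmd=alert --headless --disable-gpu --remote-debugging-port=0",
              r"C:\Program Files (x86)\ASUS\ArmouryDevice\asus_framework.exe"),
    # Ordinary launch from the desktop shell: no debugging flag.
    ProcEvent(5100, EDGE, EDGE + " https://example.com", r"C:\Windows\explorer.exe"),
    # Edge's own renderer child: browser parent, no debugging flag.
    ProcEvent(5112, EDGE, EDGE + " --type=renderer --lang=en-US", EDGE),
    # Developer-style launch: fixed port but an isolated profile.
    ProcEvent(6000, CHROME,
              CHROME + r" --remote-debugging-port=9222 --user-data-dir=C:\tmp\devprofile",
              r"C:\Windows\System32\cmd.exe"),
    # Non-browser with a look-alike flag: out of scope.
    ProcEvent(6100, r"C:\Tools\node.exe", r"C:\Tools\node.exe --remote-debugging-port=1 app.js",
              r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity'].upper()}] pid={finding['pid']} {finding['image']} "
              f"launched by {finding['parent']} ({finding['transport']}={finding['port']}, "
              f"headless={finding['headless']}, default_profile={finding['default_profile']})")
```

Run against the sample batch, only the Armoury-style launch comes out as high: the parent is not a browser and the session is bound to the user's real profile. A fixed port with its own --user-data-dir (a developer running automation) is kept as a low finding rather than dropped, since the flag still opens a local control channel; the thresholds are a starting point to tune against your own telemetry.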
08-24-2022 11:13 AM #7
Update: The latest version of Armoury Crate has a different architecture for viewing HTML pages, we can assure you that your working environment is safe. We are reaching out to Hitman Pro as well to work this out.
08-26-2022 02:27 AM #8
08-29-2022 10:38 PM #9
Hi MasterC@ROG.
Rick from Hitman hasn't been contacted by anyone at Asus; can you make sure they are using support@hitmanpro.com? Thanks.
08-30-2022 03:47 AM #10
Update: We will be updating the Armoury Crate architecture in the next major update to address some of the recent install and security concerns. The team will focus on releasing the new update as soon as possible rather than releasing patches for the current architecture.