HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Yes, normal. Have a look in Services to see if the HMPAlert is starting automatically.
     
  2. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    I have hmpalert.exe process and hmpalertsvc service running.

     
  3. brunos

    brunos Registered Member

    Joined:
    Jan 5, 2008
    Posts:
    23


    Well, users from this great Forum say that this is "strange", that they also have Microsoft Office or Word 2010 running pretty OK with HitmanPro Alert.
    - Do not get me wrong, I am completely sure that you are telling the truth and that you are right! :)

    But, unfortunately, it is not so in my case, as I perfectly described the procedure I took to find the culprit problemo here - HitmanPro Alert: immediately after I installed it, I got these Office 2010 crashing errors, and they completely vanished immediately after I completely uninstalled the HitmanPro Alert software from this PC.
    And again, when I installed it back, the Office 2010 crashing errors immediately started again, and... these Office crashing problemos completely vanished again, just immediately after I completely uninstalled the HitmanPro Alert software from this PC.
    So, I do not know how to explain it more vividly than this. :)

    Of course, I do not know why this is happening, but I also know that I am certainly not the only one having maybe a similar problemo:

    https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-196#post-2478518
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    What other security software do you have installed?
     
  5. brunos

    brunos Registered Member

    Joined:
    Jan 5, 2008
    Posts:
    23
    Thank You for your kindest Reply! :)
    In this PC's case, it is ESS v8.0.312.0.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am running EIS, Appguard, and SBIE, along with HMPA 187, and I have no issues with any MS Office 2010 Professional programs at all.
     
  7. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Peter2150,
    I knew you ran Sandboxie, and Appguard, but what is EIS? Excuse my ignorance. I'm on the Linux side of the line and am unfamiliar with these abbreviations. Also, I thought you used Execute Radar Pro?

    Later...

    Bob
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Bob

    You are correct, I do run ERP. EIS is Emsisoft Internet Security.

    Pete
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Now it intercepts the "malicious attack" of the latest version of Dolphin Emulator... Seriously, there needs to be an option to disable everything w/o uninstalling it completely. Or at least whitelist this "Lockdown" mitigation.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It's not really an option as such, but you can shut it down without uninstalling. Just stop the service.
     
  11. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Well I may actually have to do that. Found another Lockdown FP, this time it's Atomic Bomberman which I was going to try out.
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you copy/paste the technical details here?

    Note: If you get a Lockdown then the issue is frequently a configuration error. If an application has Application Lockdown, then no file the application outputs is allowed to start. So if you mitigate for example WinRAR with Application Lockdown, then none of the executables it extracts are allowed to run. This is not a false positive, but a configuration error.
     
    Last edited: May 7, 2015
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    The Dolphin Emulator is not automatically protected by HitmanPro.Alert, so I assume you added it manually?
    You should never need to disable the HitmanPro.Alert Service. We deliberately added detailed per-application controls, just for you guys who like to add custom software and make individual tweaks to the mitigation settings.
    As mentioned by @erikloman, you can easily correct the problem by changing the configuration. Simply disable the Application Lockdown mitigation on the Dolphin Emulator:
    1. Open HitmanPro.Alert
    2. Go to the Advanced interface by clicking on the gear icon in the top right corner of the window
    3. Click on the Dolphin Emulator icon beneath the blue tile called Exploit mitigation
    4. Uncheck Application Lockdown
    [attached screenshot: Dolphin.PNG]

    Done.
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    I've poked and prodded at 187
    Whatever happened to Firefox encrypting is being stubborn....
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Interesting, this appears to have been fixed after a reboot. Before then, it always locked down even if I disabled Exploit Mitigation altogether...

    This wasn't the first time it happened (and isn't Dolphin-specific), but next time I'll remember to copy the details.
     
  16. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    This changes the situation a bit. To me, it now looks like the Dolphin Emulator itself is not in the mitigation list of HitmanPro.Alert at all, and I think the Application Lockdown was caused by a program that is _NOT_ allowed to create & run new executables. With what program did you unpack the zip archive that contained the Dolphin Emulator? Did you e.g. add WinRAR, WinZIP or another archiver to HitmanPro.Alert?

    Explanation: When you e.g. add WinRAR to HitmanPro.Alert and use (let's say) the Office template for the mitigations, any executable that you extract with WinRAR will trigger an Application Lockdown when you try to run it. This lockdown is system-wide: even applications that are not protected by HitmanPro.Alert cannot run these files (to limit the abilities of creative attackers that e.g. hijack or abuse trusted legitimate software to achieve their objectives). So it is very important to use the correct template when you manually add applications to HitmanPro.Alert. When you need to protect e.g. WinRAR or another archiver, select the Browser template.
     
    Last edited: May 8, 2015
  17. toad258

    toad258 Registered Member

    Joined:
    Jul 24, 2005
    Posts:
    12
    Location:
    The Netherlands
    I noticed that HmP Alert showed an update available in the program and it would install after a reboot. From 183 to 187.

    Normally I shut down my PC and expected that HmP Alert would be updated after the shutdown and startup, but it didn't.
    Only after rebooting my PC did HmP Alert update to the latest version.

    Can you make HmP Alert update on shutdown/restart as well?
     
  18. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Probably due to my lack of knowledge, I do not understand the above (very interesting) Explanation.
    Now it looks to me that executable files resulting from the WinRAR extraction process are not executable anymore, and why is this so different for the Browser template?

    Is there any documentation I can read to get a better understanding?
     
    Last edited: May 8, 2015
  19. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    It is important to understand that WinRAR and other archivers are not protected by HitmanPro.Alert by default, so normally users do not need to do anything to prevent inadvertent lockdowns.

    If you do want to protect an archiver like WinRAR, put it in the Browser template. The Browser template behaves differently because a browser is designed to download (create) and run new executables (installation/setup files) on your computer.

    The philosophy behind our Application Lockdown is that it aims to limit applications to what they are designed for, which in turn limits an attacker's abilities when they bypass all other mitigations and do succeed at hoisting in threats onto your computer. This means that e.g. an Office application, like Adobe Acrobat or Microsoft Word (which are designed to only create, print, view or edit documents), cannot create and run new programs on your computer. An attacker cannot even use macros or hijack and abuse other file or memory objects to install or run malware on your computer, which is a huge advantage. Alert doesn't have any threat signatures and does not need any prior knowledge of vulnerabilities, exploits or malware to prevent attacks. It doesn't matter what attackers come up with, Alert simply doesn't allow productivity applications to run files created by the application, or associate registry objects to these files (which e.g. prevents attackers from simply dropping a file on the machine and starting it automatically on next reboot by creating an autorun registry entry for it). Compared to other solutions, Alert's Application Lockdown is a bit tougher to bypass, but you do need to put your own applications in the right category.

    A manual is coming but it's still a few weeks away.
     
    Last edited: May 8, 2015
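    The template behaviour Mark describes in his two explanations above, modelled as an added example (this is not HitmanPro.Alert code): a file written by an application under a locking template is refused execution by every process and refused an autorun association, while the Browser template exempts the creator. The template names, the tainted-file bookkeeping and the method names are assumptions made for illustration.

```python
# Added model of the Application Lockdown rule described in the thread.
# Not HitmanPro.Alert code: the template table, the "tainted file" bookkeeping
# and the method names are assumptions made for illustration.
from dataclasses import dataclass, field

# Assumed template behaviour: Office-style templates lock the application down,
# the Browser template does not (a browser is expected to download and run setup files).
TEMPLATES = {"Office": {"lockdown": True}, "Browser": {"lockdown": False}}


@dataclass
class LockdownPolicy:
    protected: dict                              # app executable name -> template name
    tainted: set = field(default_factory=set)    # files written by locked-down apps
    events: list = field(default_factory=list)   # what the user would see intercepted

    def _locked_down(self, app):
        tpl = self.protected.get(app)
        return tpl is not None and TEMPLATES[tpl]["lockdown"]

    def file_created(self, app, path):
        """Remember every file a locked-down application writes to disk."""
        if self._locked_down(app):
            self.tainted.add(path.lower())

    def exec_attempt(self, launcher, path):
        """System-wide check: no process, protected or not, may run a tainted file."""
        if path.lower() in self.tainted:
            self.events.append(f"Application Lockdown: {launcher} tried to run {path}")
            return False
        return True

    def autorun_association(self, app, path):
        """A tainted file may not be registered to start on next boot either."""
        if path.lower() in self.tainted:
            self.events.append(f"Application Lockdown: autorun entry for {path} refused")
            return False
        return True


def winrar_scenario(template):
    """WinRAR added manually under `template`; Explorer then launches an extracted file."""
    policy = LockdownPolicy(protected={"winrar.exe": template})
    policy.file_created("winrar.exe", r"C:\Games\Dolphin\Dolphin.exe")   # constructed path
    return policy.exec_attempt("explorer.exe", r"C:\Games\Dolphin\Dolphin.exe")


def office_macro_scenario():
    """Word (Office template) drops an executable; the drop may neither run nor autorun."""
    policy = LockdownPolicy(protected={"winword.exe": "Office"})
    dropped = r"C:\Users\user\AppData\Roaming\update.exe"                  # constructed path
    policy.file_created("winword.exe", dropped)
    run_ok = policy.exec_attempt("winword.exe", dropped)
    autorun_ok = policy.autorun_association("winword.exe", dropped)
    return run_ok, autorun_ok, policy.events


if __name__ == "__main__":
    print("WinRAR under Office template, run extracted file:", winrar_scenario("Office"))    # False
    print("WinRAR under Browser template, run extracted file:", winrar_scenario("Browser"))  # True
    print(office_macro_scenario())
```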
  20. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    @markloman,
    Thank you very much for your fast and clear response.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I use a template that does enable application lockdown for winrar. A nuisance to some extent, as it requires me to turn off application lockdown to unpack a legit application. BUT with so much bad stuff coming in zip files as disguised executables, I consider the application lockdown on winrar an extra level of protection against surprises.

    I consider this a valuable feature.

    Pete
     
  22. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Excellent Pete! Awesome use of the available features! :thumb:
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Excellent Software!!!
     
  24. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    Got this message when trying to print a Steam receipt via DoPDF and then open it in Foxit Reader.
    Code:
    Mitigation   ROP
    
    Platform     6.3.9600/x64 06_3c
    PID          300
    Application  C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FOXITREADER.EXE
    Description  Foxit Reader 7.0
    
    Branch Trace                      Opcode  To                             
    -------------------------------- -------- --------------------------------
    +0x5545f                              RET 0x00DE0BC3 FoxitReader.exe     
    0x74C3545F hmpalert.dll                                                  
    
    +0xf207                               RET +0x5545c                       
    0x74BEF207 hmpalert.dll                   0x74C3545C hmpalert.dll        
    
    +0x227f5                              RET +0xf1e5                        
    0x74C027F5 hmpalert.dll                   0x74BEF1E5 hmpalert.dll        
    
    RtlLeaveCriticalSection +0x37         RET +0x227dd                       
    0x77551017 ntdll.dll                      0x74C027DD hmpalert.dll        
    
    SetEvent +0x1c                        RET +0x227d2                       
    0x7511126C KernelBase.dll                 0x74C027D2 hmpalert.dll        
    
    RtlLeaveCriticalSection +0x37       * RET 0x00C64C09 FoxitReader.exe     
    0x77551017 ntdll.dll                                                     
                55                       PUSH         EBP
                cc                       INT 3      
    
    
    RtlEnterCriticalSection +0x2d       * RET 0x00C64B24 FoxitReader.exe     
    0x77550FCD ntdll.dll                                                     
                0000                     ADD          [EAX], AL
                2b48fc                   SUB          ECX, [EAX-0x4]
                2bd7                     SUB          EDX, EDI
                0bca                     OR           ECX, EDX
                7d08                     JGE          0xc64b37
                57                       PUSH         EDI
                8bce                     MOV          ECX, ESI
                e889ead4ff               CALL         0x9b35c0
                660fbe4508               MOVSX        AX, [EBP+0x8]
                8b0e                     MOV          ECX, [ESI]
                66890459                 MOV          [ECX+EBX*2], AX
                8b06                     MOV          EAX, [ESI]
                3b78f8                   CMP          EDI, [EAX-0x8]
                7fcb                     JG           0xc64b14
                8978f4                   MOV          [EAX-0xc], EDI
                8b16                     MOV          EDX, [ESI]
                                     (D30DA1095D319EC9)
    
    
    WaitForMultipleObjects +0x1a        * RET 0x00C63A6B FoxitReader.exe     
    0x772C7B8A kernel32.dll                                                  
                bfe0000000               MOV          EDI, 0xe0
                00751f                   ADD          [EBP+0x1f], DH
                dd87d8000000             FLD          QWORD [EDI+0xd8]
                8d55ec                   LEA          EDX, [EBP-0x14]
                52                       PUSH         EDX
                83ec08                   SUB          ESP, 0x8
                dd1c24                   FSTP         QWORD [ESP]
                ffd3                     CALL         EBX
                85c0                     TEST         EAX, EAX
                7409                     JZ           0xc63a92
                0fb745ee                 MOVZX        EAX, WORD [EBP-0x12]
                8945d4                   MOV          [EBP-0x2c], EAX
                eb07                     JMP          0xc63a99
                                     ( F868EE007231DDA)
    
    
    GetModuleHandleExW                    RET WaitForMultipleObjects +0x19   
    0x75111167 KernelBase.dll                 0x772C7B89 kernel32.dll        
    
    GetModuleHandleExW                    RET GetModuleHandleExW             
    0x75111177 KernelBase.dll                 0x7511114C KernelBase.dll      
    
    NtWaitForMultipleObjects +0xc         RET GetModuleHandleExW +0x2ef      
    0x7754CA2C ntdll.dll                      0x7511112F KernelBase.dll      
    
    TurboDispatchJumpAddressEnd           RET TurboDispatchJumpAddressEnd +0xac
    0x74CA2352 wow64cpu.dll                   0x74CA1E66 wow64cpu.dll        
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  00DE0BD1 FoxitReader.exe        
                8b4e54                   MOV          ECX, [ESI+0x54]
                687cae1902               PUSH         DWORD 0x219ae7c
                51                       PUSH         ECX
                894660                   MOV          [ESI+0x60], EAX
                ffd7                     CALL         EDI
                8b5654                   MOV          EDX, [ESI+0x54]
                6868ae1902               PUSH         DWORD 0x219ae68
                52                       PUSH         EDX
                894664                   MOV          [ESI+0x64], EAX
                ffd7                     CALL         EDI
                894668                   MOV          [ESI+0x68], EAX
                8b4654                   MOV          EAX, [ESI+0x54]
                6854ae1902               PUSH         DWORD 0x219ae54
                50                       PUSH         EAX
                ffd7                     CALL         EDI
                8b4e54                   MOV          ECX, [ESI+0x54]
    
    2  00DE0F62 FoxitReader.exe        
    3  00E12A43 FoxitReader.exe        
    4  00DE5C24 FoxitReader.exe        
    5  00C0ADEB FoxitReader.exe        
    6  00C0CF55 FoxitReader.exe        
    7  00E9C25B FoxitReader.exe        
    8  009EDC13 FoxitReader.exe        
    9  00D2AD82 FoxitReader.exe        
    10 00D3CE68 FoxitReader.exe        
    
    Process Trace
    1  C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe [300]
       "C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FOXITREADER.EXE" "C:\Users\Richard\Desktop\STEAM - receipt for your key subscription.pdf"
    
    2  C:\Windows\System32\spool\drivers\x64\3\dopdfcl7.exe [2568]
       C:\Windows\system32\spool\DRIVERS\x64\3\dopdfcl7.exe 2460 1492 1904 "doPDF v7" 3 "C:\Users\Richard\Desktop\STEAM - receipt for your key subscription.pdf" "Default Profile" 0 0 0
    
    3  C:\Windows\splwow64.exe [2460]
       C:\Windows\splwow64.exe 8192
    
    4  D:\Games\Steam\bin\steamwebhelper.exe [1492]
       "D:\Games\Steam\bin\steamwebhelper.exe" -cefhost -cachedir "C:\Users\Richard\AppData\Local\Steam\htmlcache" -steampid 1904 -buildid 1428965940 -steamid "0"  --blacklist-accelerated-compositing --process-per-tab --disable-accelerated-video-decode --enable-direct-write
    
    5  D:\Games\Steam\Steam.exe [1904]
    6  C:\Windows\explorer.exe [1992]
    7  C:\Windows\System32\userinit.exe [1972]
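    An added triage helper, not part of HitmanPro.Alert, that pulls the header fields, the module names walked by the branch trace and the parent-process chain out of a report in the format pasted above; the embedded sample is a shortened copy of this post's Foxit/DoPDF report. Reading the chain root-first makes the print-driver path (Steam's web helper to splwow64 to the doPDF client to Foxit) visible at a glance.

```python
import ntpath
import re

# Constructed sample: a shortened copy of the report posted above.
SAMPLE_REPORT = r"""Mitigation   ROP

Platform     6.3.9600/x64 06_3c
PID          300
Application  C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FOXITREADER.EXE
Description  Foxit Reader 7.0

Branch Trace                      Opcode  To
-------------------------------- -------- --------------------------------
+0x5545f                              RET 0x00DE0BC3 FoxitReader.exe
0x74C3545F hmpalert.dll

RtlLeaveCriticalSection +0x37         RET +0x227dd
0x77551017 ntdll.dll                      0x74C027DD hmpalert.dll

Process Trace
1  C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe [300]
   "C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FOXITREADER.EXE" "C:\Users\Richard\Desktop\STEAM - receipt for your key subscription.pdf"

2  C:\Windows\System32\spool\drivers\x64\3\dopdfcl7.exe [2568]
3  C:\Windows\splwow64.exe [2460]
4  D:\Games\Steam\bin\steamwebhelper.exe [1492]
5  D:\Games\Steam\Steam.exe [1904]
6  C:\Windows\explorer.exe [1992]
7  C:\Windows\System32\userinit.exe [1972]
"""

HEADER_FIELDS = ("Mitigation", "Platform", "PID", "Application", "Description")
# A process-trace entry: index, full path, "[pid]". Continuation lines carrying the
# command line start with a quote or a drive letter, so they do not match.
PROC_LINE = re.compile(r"^\s*\d+\s+(.+?\.exe) \[(\d+)\]\s*$", re.IGNORECASE | re.MULTILINE)
BRANCH_MODULE = re.compile(r"0x[0-9A-Fa-f]{8} (\S+\.dll)")


def parse_report(text):
    """Return header fields, the launch chain (root first) and branch-trace modules."""
    info = {}
    for key in HEADER_FIELDS:
        m = re.search(rf"^{key}\s+(.+?)\s*$", text, re.MULTILINE)
        if m:
            info[key] = m.group(1)
    # The report lists the intercepted process first and its ancestors after it;
    # reverse so the chain reads from userinit down to the intercepted program.
    procs = text.split("Process Trace", 1)[1] if "Process Trace" in text else ""
    chain = [(ntpath.basename(p), int(pid)) for p, pid in PROC_LINE.findall(procs)]
    info["launch_chain"] = list(reversed(chain))
    # Frames in hmpalert.dll belong to the mitigation's own hooks, not to the
    # application; knowing which modules the branch trace walks helps judge the report.
    branch = text.split("Branch Trace", 1)[1].split("Process Trace", 1)[0] if "Branch Trace" in text else ""
    info["branch_modules"] = sorted(set(BRANCH_MODULE.findall(branch)))
    return info


def summarize(text):
    """One-line triage summary, e.g. for a ticket or a SIEM note."""
    info = parse_report(text)
    chain = " -> ".join(name for name, _ in info["launch_chain"])
    return f"{info['Mitigation']} in {info['Description']} (PID {info['PID']}): {chain}"
```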
     
  25. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    81
    Location:
    Kissimmee, FL
    HMPA build 187 blocks Internet Explorer 11 and Chrome 42 immediately when you open the browser:
    Attack Intercepted, Mitigation IAF

    If I kill his nielsenonline.exe process beforehand, the browsers work.
    The customer has to use the Nielsen program, so in the meantime I turned off IAT Filtering for the two browsers.
    Nielsen NetRatings
    "C:\Program Files (x86)\NetRatingsNetSight\NetSight\nielsenonline.exe"

    Adding the nielsenonline.exe process to the exceptions did not work.

    Windows 7 64 bit - MSE antivirus, MBAM Premium,

    Code:
    Mitigation   IAF
    
    Platform     6.1.7601/x64 3f_01
    PID          1288
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 42
    
    Violation    03CC8D72 is calling ole32.dll IAT funcptr KernelBase.dll!GetProcAddress
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  03CC8D72 nphooks.dll              ?UserActivityTrkConstructor@@YGIAAPAUIMProcessor@@@Z
                ffd0                     CALL         EAX
                8985e8feffff             MOV          [EBP-0x118], EAX
                85c0                     TEST         EAX, EAX
                0f846a010000             JZ           0x3cc8eec
                3d0040d203               CMP          EAX, 0x3d24000
                720b                     JB           0x3cc8d94
                3d0050d203               CMP          EAX, 0x3d25000
                0f8258010000             JB           0x3cc8eec
                6a00                     PUSH         0x0
                685cccd103               PUSH         DWORD 0x3d1cc5c
                ff153490d003             CALL         DWORD [0x3d09034]
                85c0                     TEST         EAX, EAX
                0f8543010000             JNZ          0x3cc8eec
                ff15ac90d003             CALL         DWORD [0x3d090ac]
    
    2  75DB1504 ole32.dll                IsValidPtrIn
    3  75DB6005 ole32.dll                CoGetComCatalog +0x2a0
    4  75DB5C87 ole32.dll                PropVariantClear
    5  75DB5D77 ole32.dll                CoGetComCatalog +0x12
    6  75DB5CFF ole32.dll                PropVariantClear
    7  75DBAB70 ole32.dll                CoCreateInstanceEx
    8  75DB9F1E ole32.dll                CoCreateInstanceEx +0x1d0
    9  75DB9E25 ole32.dll                CoCreateInstanceEx +0xd7
    10 75DB9D86 ole32.dll                CoCreateInstanceEx +0x38
    
    Process Trace
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1288]
    2  C:\Windows\explorer.exe [3740]
    3  C:\Windows\System32\userinit.exe [3428]
     
    Last edited: May 8, 2015