HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    @erikloman
    @markloman

    Probably false positive:
    Code:
    Mitigation   DEP
    
    Platform     6.0.6002/x86 06_17*
    PID          5464
    Application  C:\Program Files\Internet Explorer\iexplore.exe
    Description  Internet Explorer 9
    
    IP = 04A55E82, State = 0x1000, Type = 0x20000, Protect = 0x4 
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  76EC84DE user32.dll               EnumDisplayMonitors +0x92
                8945e4                   MOV          [EBP-0x1c], EAX
                8d45d8                   LEA          EAX, [EBP-0x28]
                50                       PUSH         EAX
                8d45e4                   LEA          EAX, [EBP-0x1c]
                50                       PUSH         EAX
                57                       PUSH         EDI
                53                       PUSH         EBX
                56                       PUSH         ESI
                ff7510                   PUSH         DWORD [EBP+0x10]
                ff150498f176             CALL         DWORD [0x76f19804]
                33db                     XOR          EBX, EBX
                e951790000               JMP          0x76ecfe4d
    
    2  76EC9D6A user32.dll               ReleaseDC +0x7d
    3  76EC119C user32.dll               CharNextW +0x2f5
    4  771A5A7E ntdll.dll               
    5  76EC12D5 user32.dll               CharNextW
    6  76EC1338 user32.dll               CreateWindowExW +0x33
    7  695C005F ieframe.dll              CreateExtensionGuidEnumerator
    8  0585A4ED WOT.dll                  DllCanUnloadNow
    9  058582C2 WOT.dll                  DllCanUnloadNow
    10 05854AC2 WOT.dll                  DllCanUnloadNow
    
    Process Trace
    1  C:\Program Files\Internet Explorer\iexplore.exe [5464]
       "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4712 CREDAT:137560
    
    2  C:\Program Files\Internet Explorer\iexplore.exe [4712]
    3  C:\Windows\explorer.exe [1624]
    4  C:\Windows\System32\userinit.exe [5796]
    
    
    Provider Name  HitmanPro.Alert
    EventID        911
    Qualifiers     0
    Level          2 [= Error]
    Task           9
    Keywords       0x80000000000000
    EventRecordID  202145
    
    

    Edit
    Changed info in uploaded image to info in code
     
    Last edited: May 27, 2015
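An added example, not code from the thread or from HitmanPro.Alert: a small Python triage helper that parses the report format posted above, decodes the State/Type/Protect values on the IP line as the standard Windows VirtualQuery (MEMORY_BASIC_INFORMATION) flags, and returns the first stack frame outside an assumed allow-list of OS and Internet Explorer modules. The sample report is constructed from this post, trimmed to three frames, and the allow-list is an assumption.

```python
import re

# Constructed sample: the DEP report from the post above, trimmed to three frames (the indented disassembly line is kept on purpose).
DEP_REPORT = r"""Mitigation   DEP
Platform     6.0.6002/x86 06_17*
PID          5464
Application  C:\Program Files\Internet Explorer\iexplore.exe
IP = 04A55E82, State = 0x1000, Type = 0x20000, Protect = 0x4
1  76EC84DE user32.dll               EnumDisplayMonitors +0x92
            8945e4                   MOV          [EBP-0x1c], EAX
2  695C005F ieframe.dll              CreateExtensionGuidEnumerator
3  0585A4ED WOT.dll                  DllCanUnloadNow
"""

# MEMORY_BASIC_INFORMATION constants (as returned by VirtualQuery) used on the IP line.
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# Assumed allow-list: modules belonging to Windows or to Internet Explorer itself.
KNOWN_MODULES = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "ieframe.dll"}

HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description)\s{2,}(.+)$")
IP_RE = re.compile(r"^IP = ([0-9A-Fa-f]+), State = (0x[0-9A-Fa-f]+), Type = (0x[0-9A-Fa-f]+), Protect = (0x[0-9A-Fa-f]+)")
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s*(.*)$")

def parse_report(text):
    """Return header fields, the raw IP-line values and stack frames as (no, addr, module, location)."""
    rep = {"frames": []}
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            rep[m.group(1).lower()] = m.group(2).strip()
        elif m := IP_RE.match(line):
            rep["ip"], rep["state"], rep["type"], rep["protect"] = (int(g, 16) for g in m.groups())
        elif m := FRAME_RE.match(line):  # indented disassembly lines do not start with a digit
            rep["frames"].append((int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4).strip()))
    return rep

def describe_dep(rep):
    """DEP fires when code runs from a page with no EXECUTE bit; decode what was seen at IP."""
    prot = rep["protect"] & 0xFF  # drop PAGE_GUARD / PAGE_NOCACHE modifier bits
    return {"state": MEM_STATE.get(rep["state"], hex(rep["state"])),
            "type": MEM_TYPE.get(rep["type"], hex(rep["type"])),
            "protect": PAGE_PROTECT.get(prot, hex(prot)), "executable": bool(prot & 0xF0)}

def first_unknown_module(rep):
    """Nearest frame outside the OS/browser allow-list: the usual place to start false-positive triage."""
    return next((mod for _, _, mod, _ in rep["frames"] if mod.lower() not in KNOWN_MODULES), None)
```

For the posted report this decodes the faulting page as a committed, private, read-write (non-executable) region and points at WOT.dll as the first add-on module on the stack.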
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Your transfer has not been downloaded yet...

    This is a friendly reminder that your transfer will expire within 2 days and it has not been downloaded yet. If you want to keep your transfer available for longer, you can upgrade to a WeTransfer Plus account.

    (Report.wer.txt, to supportathitmanpro.com, sent on 20 May)
     
  3. gaslad

    gaslad Registered Member

    Joined:
    Feb 18, 2007
    Posts:
    117
    Location:
    Toronto, Ontario
    1) My real-time protection includes Panda Free AV, MBAM Premium, Outpost Firewall Pro, Zemana AntiLogger Free, and WinPatrol Plus.

    2) I did reboot, and the problem does recur if I re-enable the "Enforce DEP".
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
  5. gaslad

    gaslad Registered Member

    Joined:
    Feb 18, 2007
    Posts:
    117
    Location:
    Toronto, Ontario
    Thanks for that link. I didn't know FF had its own Safe Mode.

    But I cannot open FF to put it into Safe Mode with "Enforce DEP" enabled. Not even if I press the Shift key while I start FF. I can put FF into Safe Mode with "Enforce DEP" disabled, but when I re-enable it I am told to re-start FF, which takes me back to square one.
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Sorry that didn't help. I suggested it to eliminate the possibility that an extension was causing the problem, but apparently not.

    Edit: Build 188 has been released.
     
    Last edited: May 27, 2015
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.0.42 build 188 BETA

    Changelog
    • Improved Stack Pivot exploit mitigation (kudos to @ropchain for reporting).
    • Improved VBScript God Mode exploit mitigation now honors security zone settings.
    • Improved rendering of icon strip on computers with Display on Larger DPI setting.
    • Fixed memory leak in HitmanPro.Alert service.
    • Added Turkish language (thanks to Bekir Ucarci).
    Download
    http://test.hitmanpro.com/hmpalert3b188.exe

    You can upgrade an existing installation by just running this build. No need to uninstall first.

    Please let me know how this version runs on your computer :thumb:
     
    Last edited: May 28, 2015
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Regarding keystroke encryption issue, I am looking for people who are willing to test a specific version that provides feedback to find the culprit. Please PM me if you are frequently experiencing the issue and are willing to run a version of Alert 3 that outputs information in DebugView.
     
  9. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
It is probably silly, but can someone please tell me how to send a PM (= Personal Mail?); the PM option is not linked to the member's avatar.
     
    Last edited: May 27, 2015
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Click on the avatar and then on "Start a conversation".
     
  11. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    Thanks Erik...and you forgot the ".Alert" bit in your title, lol...easily done! :)

    Anyway, upgraded smoothly here (from build .187), with all settings, and running great on 3 browsers here (Pale Moon, FF, IE11) with all fly-outs etc. on W7 32-bit.
    Running a little lighter than previous build perhaps, and showing about 6.7MB RAM consumption for the two processes presently.
     
    Last edited: May 27, 2015
  12. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Thank you Victek, I saw that option but misinterpreted it as an option for group discussions.
     
    Last edited: May 27, 2015
  13. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    Not only that, also it's not 3.0.41 build 188, it's 3.0.42 build 188
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Actually it can be used for group discussions as well. The new forum software doesn't have a separate private messaging system.
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    HMPA version 3.0.42.188 beta
    probably false positive detection
    (in YouTube, selecting another clip to open in a new browser tab)
    Code:
    Mitigation   Lockdown
     
    Platform     6.0.6002/x86 06_17*
    PID          4768
    Application  C:\Program Files\Internet Explorer\iexplore.exe
    Description  Internet Explorer 9
     
    VBScript God Mode
    res://ieframe.dll/imageppg.ppg
     
    Process Trace
    1  C:\Program Files\Internet Explorer\iexplore.exe [4768]
       "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2016 CREDAT:137530
     
    2  C:\Program Files\Internet Explorer\iexplore.exe [2016]
    3  C:\Windows\explorer.exe [2600]
    4  C:\Windows\System32\userinit.exe [4244]
     
     
    Provider Name  HitmanPro.Alert
    EventID        911
    Qualifiers     0
    Level          2 [= Error]
    Task           9
    Keywords       0x80000000000000
    EventRecordID  202253
     
    

    P.S.
    In yesterday's HMPA 3.0.41.187 false positive report, I changed info in uploaded image to info in code, as I think that may be more convenient.
     
    Last edited: May 27, 2015
  16. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    That one was fixed pretty quickly :)

    For the people who are interested: I will publish a blog post about this mitigation bypass in the following weeks.
     
  17. Cactus5

    Cactus5 Registered Member

    Joined:
    Jan 17, 2015
    Posts:
    28
    Location:
    Southwest USA
    No issues with update to build 188. No issues with IE11, Firefox 38 or Chrome 43. Everything works great and has for many, many builds for me.

    @ropchain I am definitely interested in the mitigation bypass info.
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Version 3.0.42 build 188 :)
     
  19. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    565
    Strange. After upgrade and restart, CTRL + TAB is not switching windows properly. Is it only me?
    W8.1 x64
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    W8.1 x64 ~~ ctrl + tab working for me w 188
     
  21. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    I have what appears to be a new bug with the new 188 beta...
    First off, here is how I understand the keystroke encryption. It is only applied to the "browser" and "other" templates, and if HMP.A detects keystroke encryption already on your system then it is automatically disabled. Since HMP.A only does keystroke encryption to these two templates (if you have the app added to the protection list), I have disabled keystroke encryption in HMP.A as I have SpyShelter Premium and use its global keystroke encryption. Also note that I have not seen the issue below in any prior HMP.A versions until the 188 beta.
With the settings as described above (HMP.A 188 beta keystroke encryption disabled and SpyShelter Premium keystroke encryption enabled), I now get an encryption fly-out with LibreOffice showing HMP.A is encrypting the keystrokes. This should not be occurring as I have keystroke encryption disabled in HMP.A and, as I understand it, it should not be encrypting keystrokes in the "office" template anyway...
    Two observations on the above issue:
First, the HMP.A encryption fly-out shows the actual text that I am typing, and
    Second, the HMP.A test tool shows the text is encrypted by SpyShelter Premium...
    All seems to be working but it is alarming to see HMP.A is encrypting when it should not be and displaying the actual text being typed in, even if the test tool shows encryption is being done by SpyShelter Premium...
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    I don't use SpyShelter, so I can't confirm anything regarding HMPA and SpyShelter, but I can confirm the strange HMPA Keystroke Encryption behavior.
    When I enable "Show colored window border around protected applications" and "Show live Keystroke Encryption in colored window border" in HMPA 3.0.42.188 beta, in LibreOffice I get a HMPA "Encrypting" flyout, showing the unencrypted keystrokes.
    When I disable HMPA's Keystroke Encryption module, nothing changes, in LibreOffice I still get a HMPA "Encrypting" flyout, showing unencrypted keystrokes.
    So, yes, definitely some bug, I suppose.
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Yep, don't know if related. I've lost encrypting to 'Other' w 188
    Update: I've lost all encrypting. Oh bother...
    I had encrypting in all except Firefox w 187
    Now, no Browser encrypt no Other encrypt.
    Reset n' Reboot = No encrypting.
    No encrypting flyout. No encrypting. Test Tool no encrypting.
    Browser has green border. Other no green border.
    Notification at recommended n' Colored border three checks.
    Oh bother... W8.1 x64
     
    Last edited: May 27, 2015
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    I tested with Windows Vista x86 IE9 and Windows 7 x64 IE11 and I see no HMPA "Encrypting" flyout (that's with "Show colored window border around protected applications" and "Show live Keystroke Encryption in colored window border" enabled).
    However, I see the bogus HMPA "Encrypting" flyout in LibreOffice, as mentioned before.
    Moreover, disabling "Auto-hide colored windows border" doesn't seem to work for IE9 and IE11, the border auto-hides even with that setting disabled.
    Another reboot did not change anything for Windows 7 x64. I haven't tried it for the Vista x86 system.
     
    Last edited: May 27, 2015
  25. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    With W7-x64 Prof. and hmp.alert b188 I still have correct encryption in 'Other' BUT unexpectedly also encryption flyouts for 'Office'
    (Wordpad, Office 2003 Word, Excel ..) all showing clear text in the flyouts and no actual encryption done!

    The 'Browsers' IE11 and FF 38.0.5 both show proper encryption flyouts and actual encryption is done (hmp.alert testtool).

    EDIT: I uninstalled build 188 and reinstalled build 187, everything is again working as expected.
     
    Last edited: May 27, 2015