HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks, but I already answered this.
     
  2. F4lc0

    F4lc0 Registered Member

    Joined:
    Nov 30, 2015
    Posts:
    5
    Hi Guys,

    I'm having some trouble with Chrome and HMPA. I had this issue on my Win 7 and did a clean install of Win10 and the issue is still there. HMPA often says there is an intrusion (even just after boot) but there is not. I'm guessing it has something to do with Bitdefender Antivirus Plus that was on both my OSes. Any known issues that I've missed?

    Grtz
     
  3. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Seeing this thread has over 7,800 posts to date, it's not that surprising some comments may get missed. One solution to this is to tag the username which I think you almost did in your post here. Consequently Eric or Mark may have missed it. Tagging like this - @Rasheed187 - may draw their attention directly to your question. Alternatively, you could send them a private message.
     
  4. TaranScorp

    TaranScorp Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    57
    Location:
    USA
    Why no support for CyberFox?
     
  5. ParallelTwin

    ParallelTwin Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    7
    Location:
    Sydney
    Exactly the same issue reported by myself earlier. Win 10, HMPA, Bitdefender. Chrome intrusion.

    I can now add that clicking download links in Firefox crashes Firefox while HMPA safe browsing is on for Firefox.

    For now I'm running without chrome and firefox safe browsing...
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I should think that CyberFox can be added manually.
    1. Start Cyberfox
    2. Change HMPA to the Advanced UI
    3. Click in the blue Exploit Mitigation tile
    4. Click running applications
    5. Select Cyberfox
    6. Select the Browser template.
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Indeed. I have added Cyberfox this way.
     
  8. BillR

    BillR Registered Member

    Joined:
    Nov 3, 2015
    Posts:
    11
    Location:
    USA
    Has anyone else encountered conflicts between:
    Screenshot Captor and HitmanPro.Alert?
    LastPass and Encryption?

    Issue 1: Screenshot Captor (just snipping via scrolling window feature) by DonationCoder and HitmanPro.Alert conflict. I have to stop Screenshot Captor in order to cancel the .Alert warning (canceling many more times might work eventually). Excluding the main process via Exploit Mitigation was not sufficient. (Win7, multiple browsers, .Alert all features except encryption)

    To reproduce, install SC trial and show Quick Capture Bar; with browser open to a page that scrolls, click on scrolling window button; loop the error message a few times; cancel snipping request via the tray icon.

    Issue 2: LastPass browser plugin eventually fails when encryption is enabled in HitmanPro.Alert. The combination may work for a while but eventually I just get the encrypted string when typing in LP. This behavior is most easily seen in the note field. Using the note field may even be necessary to initiate the behavior but once the problem occurs other fields are affected. Just disabling encryption resolves the problem immediately without reopening the browser or other tricks. (I do immediately close the open LP account details before disabling encryption.)

    Ancillary Question: Generally, how does one exclude applications from Risk Reduction and, very specifically, LastPass from Encryption?
     
  9. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    228
    Location:
    UK
    Just tried Screenshot Captor here. Works flawlessly, as it has done in the past. Don't know about LastPass though - don't use it.
    Good luck.
     
  10. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    210
    Both work fine together for me, not seeing the issue you describe and have tested playing with note field first. Using Chrome with HMPA paid alongside Emsisoft.
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    That is unproven...My system is OK, and I run several snapshots. I only have a problem with this one snapshot which has HMP.A installed on it.
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I believe if you turn off keystroke encryption it's off everywhere.
     
  13. Phil_S

    Phil_S Registered Member

    Joined:
    Nov 13, 2003
    Posts:
    155
    Location:
    UK
    Yes, I have the same issue with LastPass. I can't edit any entries unless I disable Keyboard Encryption as everything I type is garbled. I just disable encryption whilst I edit the entry and enable it again as soon as I've finished, but it would be nice to have a fix.

    I don't have any similar problems with KeyPass.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Good point, but I thought that quoting a person will normally also attract their attention. It's a bit hard to believe that they didn't read my posts about this subject. And yes they are quite busy, but like I said, it doesn't take that much time to give some feedback about this idea.

    I'm just saying that because HMPA integrates quite deeply into the system, you shouldn't be surprised to get problems, especially with all your tools installed. On top of that, Win XP doesn't have "PatchGuard", so your kernel is probably also modified.
     
  15. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    We use Estos CtiClient ProCall 4.1.9 on several office machines, that are running HMP.A 3.1 build340.

    With ProCall you can mark a phone number, press F9 and it dials.

    Unfortunately HMP.A blocks this function within Chrome Browser, when Keystroke Encryption is enabled.

    Is there a way to whitelist ProCall, without disabling keystroke encryption at all?
     
  16. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Regardless that XP does not have PatchGuard, HMP.A does support my version according to SurfRight's website, so I don't see the relevance. Perhaps a lack of support from the developer is more the issue?
     
  17. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    No, I'd guess that issues which arise from comedy section bloated security setups cannot take a top priority. I'm wondering whether they regret making this available to home users. It must be nice for corporate competitors not to deal with this stuff and charge more on top of it.
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I asked about IE6 because I thought it might be why you were getting an error. In order to troubleshoot it would make sense to try again using a fully current version of a different browser.
     
  19. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Thank you for that unsolicited advice... What, you are saying to me it is blame the user, i.e. me, and never the software... I have been beta testing for years, and if you looked, here at Wilders, that would be evident to you from my posting history. And some developers have appreciated my efforts!
     
  20. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296

    Hi, I have just the other day tried to make Opera my default browser, but it won't accept it. IE6 is stubbornly entrenched. I even followed a step-by-step guide from 'Bleeping Computer', if I remember correctly, on how to do that.
     
  21. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    @Rasheed187: We do not endorse the use of multiple security solutions as it potentially impedes the ability of these solutions to detect exploits, or adversely affect the capabilities of other installed security products. This is one of the reasons why we created our Exploit Test Tool, to determine if all detection features still work when e.g. HMPA, MBAE or EMET is installed in the presence of another security solution.

    Obviously, we currently have no plans to downgrade our solution or remove a major feature. HMPA already offers the ability to disable individual modules or even exclude a particular process or program.

    I would also like to mention that from the hundreds of thousands of systems that HMPA is currently protecting, the vast majority of protection events were made thanks to our Exploit Mitigation technologies. Not Safe Browsing, not CryptoGuard. When one of the Exploit Mitigations is triggered, e.g. crypto-ransomware is not even delivered - in most of today's ransomware attacks, Exploit Mitigations cut the ground away for CryptoGuard, which is a good thing.

    When HMPA detects an attack (e.g. a Stack Pivot) it also means that these third-party security services have failed:
    1. Network-based Web Filter (URL)
    2. Network-based Web Filter (Content Scanning)
    3. Host-based Antivirus Software (URL)
    4. Host-based Browser Filter (URL)
    5. Host-based Antivirus Software (Content Scanning)
    And in case of a spam or spear-phishing e-mail with a malicious attachment (e.g. a weaponised Word document with macro that downloads the payload from the web), HMPA had to step in because even more security services failed:
    1. Network-based Spam Filter (Content Scanning)
    2. Host-based Email Client Junk Mail Filter (Content Scanning)
    3. Network-based Web Filter (URL)
    4. Network-based Web Filter (Content Scanning)
    5. Host-based Antivirus Software (URL)
    6. Host-based Browser Web Filter (URL)
    7. Host-based Antivirus Software (Content Scanning)
    Remember that attackers have infinite possibilities to hide their attacks (e.g. on trusted services) and obfuscate their malware to bypass Web Filters and Antivirus Software. This is evidenced by the many victims that the hundreds of thousands of new malware samples make every day. But did you know that attackers must always use the exact same techniques to deliver their malware? And that there are only two dozen of them and only (maybe) 1 new technique (like the recent Wow64 exploit) is discovered every year?
    These core techniques are mandatory and attackers must and will use these techniques to exploit any known and future vulnerability, yes even the vulnerabilities that do not exist or haven't been discovered yet! The core techniques to exploit a vulnerability are called e.g. Stack Pivot, Return-Oriented Programming (ROP) and Heap Spray, but could also be a logic-flaw technique like a VBA script. And especially in case of a memory corruption vulnerability, two, three or more techniques must be used in sequence in order for the attack to be successful and deliver malware.
    When a security application, like HMPA, is capable of detecting and blocking the core techniques, attacks are successfully stopped, even if you are singled-out in a spear-phishing attack, are served a unique URL, script, or are attacked with targeted plain or obfuscated malware.
    Since these core techniques are essential for any exploit-based attacker, HMPA seriously raises the bar as attackers can no longer employ any of these techniques. Of course, there is also a big difference how anti-exploit solutions detect these techniques and hands down, our HMPA has by far the most comprehensive technique prevention. In order to bypass HMPA, attackers basically have to be insanely good and come up with a completely new attack method that doesn't use ANY of the known core techniques!

    I would like to mention that the exploit prevention features in AV solutions are not nearly of the same quality or level as EMET or MBAE, let alone HMPA's. Current exploit prevention in AV does not revolve around exploit technique prevention at all (although I have seen some AVs that do detect a straightforward Stack Pivot, ROP or buffer overflow). This is also one of the reasons why we created the Exploit Test Tool, to illustrate that AV is hardly capable in this field. You can check it yourself.

    So don't dismiss Exploit Mitigations so fast. It's the rain on every remote attacker's parade.

    (Note that network-oriented security solutions, like Web Filter / UTM appliances, are losing visibility now the web goes more and more to HTTPS/SPDY. To inspect secure communication, network appliances have to break the secure link. But in the presence of certificate pinning on the endpoint, network-oriented appliances are becoming more and more useless even though big companies and even governments are currently endorsing them. Remember that from an attacker's perspective, the endpoint was always and still is the target; a user's PC or a server that holds the documents. The endpoint is where it all happens and where data is decrypted, readable for the end user and for attackers to potentially access).

    Anyway, hope this helps.
     
    Last edited: Dec 1, 2015
  22. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    @erikloman: Check your PM, please. Thanks in advance
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Excellent Mark.
     
  24. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Thank you for this educational post as a reply to Rasheed187!
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    me too +1 :thumb:
     