HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    Did you miss my PM?

    Pete
     
  2. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
  3. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118

    Any comments on this?

    Here is VirusTotal report: https://www.virustotal.com/en/file/...3a33c69e11c1e085a5d70252/analysis/1449035142/

    File can be downloaded from here: https://support.rockstargames.com/h...nual-Link-to-Social-Club-Application-Download
     
  4. F4lc0

    F4lc0 Registered Member

    Joined:
    Nov 30, 2015
    Posts:
    5
    Already provided @markloman.
    Did @markloman and @erikloman have a look into it? I have some logs extracted if you want...
     
  5. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    From the looks of the evidence provided by the intruder alert thrown by HitmanPro.Alert (HMPA), the Steam application (steam.exe) is protected by HMPA.
    I am assuming you added Steam manually to HMPA? Because, normally, Steam is not automatically shielded by HMPA.
    If you would like to protect Steam, remove it from HMPA and add it again but now select the Browsers category. Steam is a software downloader, like a web browser. Do not put it in a different category.
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Mark,

    Would the same be true for Secunia PSI?
     
  7. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    1,277
    Location:
    sweden
    Hi

    How do I manually add programs to be protected by HMP.A?
     
  8. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Thanks to the built-in Software Radar, registered web browsers (and their plug-ins), Java, productivity applications (incl. Office and PDF tools) and media players are automatically protected by HitmanPro.Alert. This is visualised by the Colored Windows Border around these applications.
    To manually add a program to HitmanPro.Alert, follow these steps:
    1. First, open the application that you want to protect and leave its window open. Rule of thumb: only protect an internet-facing application.
    2. Now open HitmanPro.Alert, e.g. from its tray icon or from the Start menu.
    3. Click on the gear icon in the top right corner of HitmanPro.Alert's window.
    4. Select Advanced interface.
    5. Click on the blue tile called Exploit mitigation.
    6. From the menu, select Running applications.
    7. The application you want to protect is listed under Not protected. Select it.
    8. From the template menu, select the appropriate category. For example, if the application is a downloader or software installer, select Browsers. For productivity applications, select Office. Note that the Browsers and Other categories also receive Keystroke Encryption.
    That's it.
     
  9. Armadax

    Armadax Registered Member

    Joined:
    Sep 13, 2015
    Posts:
    19
    Location:
    Zuid-Holland
    Thanks for the explanation! One thing though: maybe I missed it, but where can we find the Exploit Test Tool?
     
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    You can find the latest Exploit Test Tool on our Downloads page on our website. Direct download (32-bit): http://dl.surfright.nl/hmpalert-test.exe
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Tried the HMPA 64-bit Exploit Test Tool with all my security active, and HMPA passed all tests except 3.24 URLMon: 'Exploit Test Tool (64-bit) has stopped working'. Same with IE when launching test from IE 11.
    Would that be due to some other security soft? No other notification popped up.
    In any case, I guess the dummy.dll was not downloaded, and calc.exe not executed ...
    Edit: Screenshot attached.
     


    Last edited: Dec 2, 2015
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Some compatibility stuff to report, not sure how much Surfright can do about it, but still useful to report I think.
    Oh, and a suggestion that Surfright can do something about: make the Test tool window larger so you don't have to scroll down as much every time (because you have to do it a lot :p).

    (System is Win7x64 with hardware supported Intel CPU, Alert 3.1 b140, WSA 9.0.6.18 and MBAM Pro 2.2.0)

    The ROP Alert I reported some time ago with Youtube videos in Firefox combined with WSA's Identity Shield is still there:
    And I don't think this has been mentioned here before, but there also seem to be compatibility problems with WSA's Identity Shield and Alert's Exploit protection. Using the 32-bit test tool on itself, HMPA blocks everything. But when I set the test tool to use Firefox 42 it doesn't block everything anymore. Some techniques that successfully launched Calculator: Stack Exec, ROP - NtProtectVirtualMemory(), ROP - system() in msvcrt, Heap Spray 1, Heap Spray 3. Heap Spray 2 just freezes Firefox, doesn't launch calc. Doing these again with Identity Shield disabled, HMPA successfully blocks them all. Note that I didn't do all tests, because of all the termination and crashing Firefox regularly comes up with the Safe Mode/Refresh Firefox prompt, which stops the test from happening, and you need even more patience to test it all :p
     
  13. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    1,277
    Location:
    sweden

    Got it, thank you!
     
  14. BillR

    BillR Registered Member

    Joined:
    Nov 3, 2015
    Posts:
    11
    Location:
    USA
    Thanks for checking, @faircot. OS? Browser(s), HMPA(paid)? I hope this isn't one of those hidden indirect effects caused by still another product.
     
  15. BillR

    BillR Registered Member

    Joined:
    Nov 3, 2015
    Posts:
    11
    Location:
    USA
    Another of those pesky problems that plague some of us (Phil_S) but not others (800ster). Perhaps others who weigh in would include OS, browser(s), and HMPA free/paid to help define the problem. Thanks, @Phil_S, @800ster, and @Victek.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Very educational, thank you :thumb:
     
  17. BillR

    BillR Registered Member

    Joined:
    Nov 3, 2015
    Posts:
    11
    Location:
    USA
    Perhaps this thread should be a subforum instead? The crisscross threads make it hard to follow. While I see advantages to one large thread, I think they are outweighed by the disadvantages.
     
  18. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Is there a document that explains every exploit mitigation in detail? I'm most interested in knowing what "Application lockdown" is and how it works. I had it enabled for Spotify, which resulted in it not being able to install updates, so I then removed Spotify from being protected at all, but the update still got blocked even though Spotify wasn't running (i.e. it didn't retain the protections because it was still running... because it wasn't running). Had to reboot my computer to finally get Spotify to update and launch again.

    So I'm not sure what "Application lockdown" is and what it does and how it works, any information on this?
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I have WSA and am aware of HMPA Keystroke Encryption indicator not working with WSA Identity Shield On, so I tried to replicate your test above to confirm your findings. I set the 32-bit test tool to Firefox 42 (32-bit) and tried Stack Exec, Heap Spray 2, also ROP - WinExec() and Stack Pivot 1 ... OK, so only four, but in each case the tool launched a new instance of FF (protected by HMPA), no Calculator launch as expected for ROP and Heap Spray 2, and produced no 'Attack Intercepted' with WSA running, either with Identity Shield On or Off! So I am bemused ...
    Edit: Had no such issues with the 64-bit tool - see post #7836 above. And testing 32-bit tool on itself also works.
     
    Last edited: Dec 2, 2015
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
  21. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    But that doesn't make sense to me considering my web browsers also seem to have "Application Lockdown" on and yet I can still download and execute applications with them. Also, Spotify was protected in the same way for maybe one or two months and previous updates have worked just fine; it was just this one that triggered "Application Lockdown". So it must be something more than just downloading and launching an application? I'd personally be interested in something like a help file for HMPA that explains what each setting does and how it works in more detail than what I can currently find.
     
    Last edited: Dec 2, 2015
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, let me take a shot. I have Power Archiver protected under Other. So if I extract an exe from the archive, I can't run it. Application lockdown shuts it down. So with a browser, it is protected under browser settings. This way you can download programs and they will execute. If you want to test this, try changing your browser protection to Other, download some utility exe and see what happens.

    Pete
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Hmm, strange. I also checked the 64-bit tool, works fine on itself, though I only have 32-bit Firefox installed so I can't test the 64-bit tool with Firefox.

    EDIT: Note that hmpalert.exe and hmpalert-test.exe were still set as Monitor under WSA's Control Active Processes so I set them to Allow in case any activity was being blocked.
    They were not listed under Application Control from ID Shield and I didn't add them.
     
  24. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    I just tried this:

    1. Launched Vivaldi while protected as "Browsers" (Checking settings reveals "Application Lockdown" is enabled)
    2. Went to download ccleaner installer and chose "Open" when asked what to do.
    3. ccleaner installer opened.
    4. Switched Vivaldi from "Browsers" to "Other" and then launched it again.
    5. Went to download ccleaner installer and chose "Open" when asked what to do.
    6. ccleaner installer opened.
     
  25. Phil_S

    Phil_S Registered Member

    Joined:
    Nov 13, 2003
    Posts:
    155
    Location:
    UK
    Win 8.1 x64, IE11 and HMPA licensed for me.
     