HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
You seem to be an advocate of the cat-and-mouse game, where something should only be protected if there are first known exploits?
     
  2. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Bye, bye...
Seems like you do not understand the game...
     
  3. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,983
    http://www.surfright.nl/en/whatsnewalert
     
  4. guest

    guest Guest

    "Other"
     
  5. gattacadna

    gattacadna Registered Member

    Joined:
    Feb 13, 2016
    Posts:
    2
    Could you please elaborate how "tightly" my HMPA license is tied to my pHW? Why? I'm concerned HMPA will now cause me problems during my catastrophic failure backup routines for my Windows 10 laptop. See below for the routine.

    1) FULL shutdown of the W10 system (none of this partial sleep stuff)
    2) Full cold boot with Paragon's drive imaging utilities on USB key
3) Image the current drive (0) to another physical drive (+1) (both are SSD)
    4) Power down, swap in the newly imaged drive (+1) for the old (0)
    5) Store that image (0) in another safe location which is a rotating stack of drives (0, -1, -2, -3, ..)
    6) Boot and run w/ the newly imaged drive (+1) 30 - 60 days
    7) Repeat monthly.

    Drives are cheap, my time and recovery of a full system are not.

I just installed and licensed HMPA. Will it now freak when I swap in the new drive after imaging and booting?

    Thanks.
     
  6. gattacadna

    gattacadna Registered Member

    Joined:
    Feb 13, 2016
    Posts:
    2
    On a related note.. I need some guidance on how to get an exception setup for this scenario. I would love for "Add exception" to be an option on the HMPA alerts / popups. This is on my home machine for which sometimes I need to login to work.

    1) My company provides access to their network via a Juniper setup. So when I'm working at home, I need to connect in. Until I installed HMPA, I did not have an issue with their setup. I also run several other layers of anti-bug ware, none of which seem to have issues with this arrangement.. (good or bad depending on your PoV)
    2) From what I can tell, when I browse to the access site, then login and hit connect, this web page then launches jp2launcher.exe to connect to a control point and then download an executable into c:\..\tmp+randomnumbers+JuniperExt.exe into the browser's \tmp\ folder. From there I assume it uses Java to run that Juniper.exe to provide my connection.
3) Of course, now that I installed and licensed HMPA, it immediately blocks this as an exploit, and I agree, it sure would be, but it is not. (While using Free it did not seem to care.)

    Because I must access work from home at times, I need this work and I would prefer using FF (latest) rather than resorting to IE.

    Any advice on how to exception this,... hoping that the "Add exception" to the HMPA popup surfaces sooner than later.

    Thanks.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    LOL, he still doesn't understand how to use HMPA, even after that other discussion.
     
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    what are the rules?
     
  9. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
Now I don't know how to use HMPA? Wow, what's this, a trash campaign?

    Seems some of my posts have upset some people in regards to the narrow focus just on web browsers.

Piece of advice: my question had nothing to do with the merits of assuming something isn't a security risk because I have never heard of it being exploited before. It was simply a technical question regarding instability when typing in a symbol as data. You do realise, right, that the cause of the crash could affect all sorts of software combinations, including web browsers, and as such finding the cause can benefit everyone? My advice is, if someone says something you don't like, ignore them, don't attack them. Treat people with respect.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
People have already explained to you numerous times that it doesn't make any sense to protect certain processes like cmd.exe and svchost.exe, and the reason they warned you is that it can trigger unexpected behavior. It's also not a smart thing to protect other security tools, for example. Yet you dismissed this, and now you even start to post about this unexpected behavior as if it's some kind of bug in HMPA. So it's a bit annoying and also a bit amusing at the same time.
     
  11. hjlbx

    hjlbx Guest

    @chrcol

    I know you just want to know why it happens.

    No one can explain why - and it is probable that the developers are not going to put forth the effort to determine the cause(s).

    Of course, any process shipped with Windows can potentially be exploited. So your wish to protect cmd.exe is not without merit.

    However, even though your concerns regarding exploitation of cmd.exe are valid, protecting it with HMP.A isn't recommended practice since problems can occur - obviously. It is precisely because of this that the developers did not intend users to protect cmd.exe with HMP.A.

    If a cmd.exe exploit does resurface, then I am sure the developers will do something about it.

    Until then, sometimes that is just how it goes...
     
  12. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
Acrobat updater failing.

Acrobat Reader protection I haven't manually touched, in case someone says anything in that regard.

    Mitigation Lockdown

    Platform 6.3.9600/x64 06_3c
    PID 6364
    Application C:\ProgramData\Adobe\ARM\Reader_11.0.00\19728\AcrobatUpdater.exe
    Description Adobe Reader and Acrobat Manager Helper 1.802.11

    Filename C:\ProgramData\Adobe\ARM\Reader_11.0.00\19728\AcrobatUpdater.exe
    Created By C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe


    Process Trace
    1 C:\ProgramData\Adobe\ARM\Reader_11.0.00\19728\AcrobatUpdater.exe [6364]
    2 C:\Windows\explorer.exe [2040]
    C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
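The alert pasted above has a fixed shape (a "Mitigation <name>" header, a set of key/value lines, then a numbered "Process Trace" whose entries can carry a following command-line continuation). Below is an added example, not code from the original post or from SurfRight, that parses that text into fields and a process chain so it can be triaged or fed into a SIEM. The sample input is the alert text from the post above, embedded as a constructed string; the `TRUSTED_ROOTS` list and the "launched from a writable location" heuristic are assumptions made for the example, not anything HitmanPro.Alert itself reports.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the "Mitigation Lockdown" alert text pasted in the post above.
SAMPLE_ALERT = """\
Mitigation Lockdown

Platform 6.3.9600/x64 06_3c
PID 6364
Application C:\\ProgramData\\Adobe\\ARM\\Reader_11.0.00\\19728\\AcrobatUpdater.exe
Description Adobe Reader and Acrobat Manager Helper 1.802.11

Filename C:\\ProgramData\\Adobe\\ARM\\Reader_11.0.00\\19728\\AcrobatUpdater.exe
Created By C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe


Process Trace
1 C:\\ProgramData\\Adobe\\ARM\\Reader_11.0.00\\19728\\AcrobatUpdater.exe [6364]
2 C:\\Windows\\explorer.exe [2040]
C:\\Windows\\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
"""

# Key/value labels that appear in the alert body; "Created By" contains a space,
# so matching is done by prefix rather than by splitting on whitespace.
KNOWN_KEYS = ("Platform", "PID", "Application", "Description", "Filename", "Created By")

# "<depth> <image path> [<pid>]" trace lines; the path is matched lazily so the
# trailing " [pid]" is not swallowed.
TRACE_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")

# Assumption for this example: executables under these roots are treated as living in
# admin-only directories; anything else (ProgramData, user profile, temp) is user-writable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class TraceEntry:
    depth: int                        # 1 = the flagged process, 2 = its parent, ...
    image: str                        # full path of the executable
    pid: int
    command_line: Optional[str] = None  # continuation line following the entry, if any


@dataclass
class Alert:
    mitigation: str
    fields: Dict[str, str] = field(default_factory=dict)
    trace: List[TraceEntry] = field(default_factory=list)


def parse_alert(text: str) -> Alert:
    """Parse one HitmanPro.Alert alert block as pasted in plain text."""
    mitigation: Optional[str] = None
    fields: Dict[str, str] = {}
    trace: List[TraceEntry] = []
    in_trace = False

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if mitigation is None and line.startswith("Mitigation "):
            mitigation = line[len("Mitigation "):].strip()
            continue
        if line == "Process Trace":
            in_trace = True
            continue
        if in_trace:
            m = TRACE_RE.match(line)
            if m:
                trace.append(TraceEntry(int(m.group(1)), m.group(2), int(m.group(3))))
            elif trace:
                # A line without the "[pid]" suffix is the command line of the previous entry.
                trace[-1].command_line = line
            continue
        for key in KNOWN_KEYS:
            if line.startswith(key + " "):
                fields[key] = line[len(key) + 1:].strip()
                break

    if mitigation is None:
        raise ValueError("no 'Mitigation <name>' header found")
    return Alert(mitigation, fields, trace)


def in_writable_location(path: str) -> bool:
    """True when the image is outside the admin-only roots listed above (example heuristic)."""
    return not path.lower().startswith(TRUSTED_ROOTS)


def summarize(alert: Alert) -> Dict[str, object]:
    """Flatten the parsed alert into the handful of facts a triage queue would key on."""
    pid = int(alert.fields["PID"])
    app = alert.fields.get("Application", "")
    root = alert.trace[-1] if alert.trace else None
    return {
        "mitigation": alert.mitigation,
        "pid": pid,
        "pid_matches_trace": bool(alert.trace) and alert.trace[0].pid == pid,
        "launched_from_writable_path": in_writable_location(app),
        "created_by": alert.fields.get("Created By"),
        "root_process": root.image if root else None,
        "root_command_line": root.command_line if root else None,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_alert(SAMPLE_ALERT)).items():
        print(f"{k}: {v}")
```

For the sample above the summary shows the flagged updater sitting under C:\ProgramData (a user-writable tree, which is why the heuristic flags it) while its "Created By" parent is the legitimate AdobeARM.exe under Program Files (x86); that pairing is exactly the kind of context that helps decide whether an alert like this is a real payload drop or a self-updating product that should not have been under mitigation in the first place.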
     
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
Well, obviously, after the issue was discovered I have had cmd.exe mitigation disabled; whilst it would be nice to have, I don't insist on it. The issue got blown up when people started mocking me for just asking the question.
For instance, what is the difference between having mitigation enabled with everything unticked and having it disabled? (I thought HMPA hooked onto everything anyway.)
     
  14. hjlbx

    hjlbx Guest

    I am not sure if there is a difference between unticking all the mitigations and disabling mitigations for an app.

By the way, getting lambasted on a security forum is not unusual - even if it is just an innocent question... LOL.

    It is part of the territory... LOL.

    I get it all the time.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
What Acrobat stuff have you protected? If you have the updater protected, then that is the problem. It doesn't need to be.
     
  16. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

Does HMP.A protect against shellcode exploits?

Apologies. Probably not correctly phrased - my knowledge in this area is limited.

More specifically, I need protection against shellcode execution to cover a weakness of white-listing.

White-listing should handle anything dropped to the system, but what of the case in which shellcode doesn't drop an executable? I know, I know... someone will mention it is rare. It is rare only because it is easier for the attacker to implement this way - but still it remains viable for user session attack.

Does HMP.A protect in such a case?
     
    Last edited by a moderator: Feb 14, 2016
  17. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
  18. hjlbx

    hjlbx Guest

  19. hjlbx

    hjlbx Guest

  20. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
Build 357 stops me loading VirtualBox virtual machines; uninstalling HMPA allows VMs to be started again.

Error returned when starting:
Error -104 in supR3HardenedWinReSpawn! (enmWhat=5)

In the VBoxHardening.log file (for any VM I attempt to start):

    65c4.55d8: supR3HardenedScreenImage/LdrLoadDll: cache hit (VINF_SUCCESS) on \Device\HarddiskVolume4\Windows\System32\kernel32.dll [lacks WinVerifyTrust]
     
  21. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    I want to investigate this but before I do I'd like to know if HitmanPro.Alert is protecting VirtualBox; i.e. have you manually added VirtualBox to HMPA?
    Looking forward getting to the bottom of this! Thank you!

    Update: I am encountering similar problems but they are not related to HMPA:
    VirtualBox-Error.png
    This is on a Windows 10 (64-bit) build 14251 Redstone machine without HMPA. What version of Windows are you running?
     
    Last edited: Feb 15, 2016
  22. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
    Hi,
I have not manually added VirtualBox, so it is a standard install.
The machine I first encountered the error on was/is running with no license for HMPA.
This one has Sophos Enterprise AV.

I tested on my desktop also (that has a license) and got the same error.
My desktop has ESET Endpoint Security.

Both PCs are running Windows 10 build 10240.
     
  23. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    I have been able to reproduce it on build 10586 of Windows 10:
    VirtualBox-Error.PNG
    Looking into it!
     
    Last edited: Feb 15, 2016
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Hi Mark

    I had all kinds of strange things with build 14251. It killed EIS for example. Upgrade to 14257 and see what happens. Fixed all my weird stuff.

    Pete
     
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Are you referring to the latest version of Virtual Box or the latest Windows 10 insider build (which is 14257)?
     