HitmanPro.Alert Support and Discussion Thread

[Scoobs72]

Thanks Erik, here's the content of the log. I use SRP as well - could that be having an impact? HMPA works fine in my UAC protected Admin account:

OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
Flyout in session 2
CreateProcessAsUser() failed with error 740
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5
OpenProcess 1872 failed with error 5

[erikloman]

Quote:

Originally Posted by Scoobs72

Thanks Erik, here's the content of the log. I use SRP as well - could that be having an impact? HMPA works fine in my UAC protected Admin account:

OpenProcess 1872 failed with error 5
...
CreateProcessAsUser() failed with error 740

Process 1872 is audiodg.exe which is normal error,

The error 740 is indeed an elevation problem. Nice find! Will address this in the next Beta.

Thanks

[Scoobs72]

Quote:

Originally Posted by erikloman

Process 1872 is audiodg.exe which is normal error,

The error 740 is indeed an elevation problem. Nice find! Will address this in the next Beta.

Thanks

Excellent. Thanks Erik

[erikloman]

Quote:

Originally Posted by Scoobs72

Excellent. Thanks Erik

What SRP policies have you applied on hmpalert.exe? Maybe they are related.

[Scoobs72]

Quote:

Originally Posted by erikloman

What SRP policies have you applied on hmpalert.exe? Maybe they are related.

Quite a few additional rules aside from the default deny in user space:

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
C:\Windows\debug\WIA\*
C:\Windows\regedit.exe
C:\Windows\Registration\CRMLog\*
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*
C:\Windows\System32\cmd.exe
C:\Windows\System32\com\dmp\*
C:\Windows\System32\COMMAND.COM
C:\Windows\System32\cscript.exe
C:\Windows\System32\debug.exe
C:\Windows\System32\format.com
C:\Windows\System32\FxsTmp\*
C:\Windows\System32\regedt32.exe
C:\Windows\System32\scrobj.dll
C:\Windows\System32\spool\drivers\color\*
C:\Windows\System32\spool\PRINTERS\*
C:\Windows\System32\Tasks\*
C:\Windows\System32\vbscript.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
C:\Windows\System32\wscript.exe
C:\Windows\Tasks\*
C:\Windows\Temp\*
C:\Windows\tracing\*
C:\Windows\winsxs\x86_microsoft-windows-gpowershell-exe_31bf3856ad364e35_6.1.7600.16385_none_386775c60308b366\powershell_ise.exe
C:\Windows\winsxs\x86_microsoft-windows-powershell-exe_31bf3856ad364e35_6.1.7600.16385_none_68ec54d7638638f5\powershell.exe
C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_483ea93961ad86ec\cscript.exe
C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_483ea93961ad86ec\scrobj.dll
C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_483ea93961ad86ec\wscript.exe
C:\Windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.16385_none_483059728f3a98ba\vbscript.dll
C:\Windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.16546_none_485c9d388f193c9b\vbscript.dll
C:\Windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.20662_none_48cc9903a84aaeeb\vbscript.dll

[Cyrano2]

Quote:

Originally Posted by erikloman

First time I heard of this browser. Since its based on Chrome it should be supported. We'll have a look why the flyout is not showing.

Thanks .

[Brandonn2010]

Quote:

Originally Posted by erikloman

Wow. That browser is heavily modified. Will discuss with the team whether this configuration is supported. I assume its caused by AppGuard?

I'm not sure but it's probably AppGuard. Except even with protection level set to off, the alert still happens.

[Kees1958]

A signed beta

Only incident I noticed (Win7 x32 Ultimate)

After installation the EMET 3 notifier icon disappears. Windows says icon is not active, while process explorer shows EMET 3 Notifier is running. No other security programs installed other than EMET3 and HMP notifier.

After reboot icon is back again, everything functioning ok.

[Kees1958]

Quote:

Originally Posted by erikloman

Please let us know. What do you like. What needs improvement. Stuff like UI (text), performance, memory consumption, etc. Do you experience problems using HitmanPro.Alert. Let us know!

UI suggestion (not a high priority)

What about applying the corporate identity of hitmanpro. With your background it is a bit disappointing you launched a program in a different corporate identity. or better with no "house style". Maybe graphics are a problem, but even with a text fly out message, you could try to use the same color scheme as the opening panel of HitmanPro (white on green), or the scan progress panel (white on blue).

When something is found
Offer to run a HMP cloud scan on the changed dll's this has the advantage that your whitelist is filled automatically and increases cross selling opportunities.

Database update
Make it specific for the browsers found on the system, this will decrease delay on non-standard configurations. Maybe introduce a "default" policy (only allow default = naked browser configurations with known AV modules/extensions of your HitManPro supported engines only: Ikarus, Emsisoft, Gdata, Avast, Bitdefender, drWeb*) and a whitelist policy (check whether dll changes are known good/bad guys). Run a first scan in the installation process and offer the "default" policy only when there are no omissions. Report found changes and safe changes panel, just as with HitManPro (only for installation process, where you have program based control, not service based control). When someone uses a tight policy and a change is found, change setting automatically to whitelist policy. It would off course be nice to know whether Alert is operating in default or whitelist policy mode (startup flyout display).

* Because HitManPro cloud is based on these engines, all their browser extensions should be known and whitelisted, even in the default policy mode.

[Adric]

Quote:

Originally Posted by erikloman

The 2 hmpalert.exe processes are normal. One is the service, the other with the /flyout runs in user session. But this should close after a few seconds. If it is lingering then you've found a bug? When no flyout is visible you should only see one hmpalert.exe process.

Thanks

I'm able to create multiple hmpalert processes by selecting the flyout each time it shows on startup and selecting more info. Started new five times and have 5 processes that linger and don't go away. Also, the info web page does not get focus after selecting more information.

[Scoobs72]

I'm seeing constant CPU usage of about 7% with Chrome. CPU is about 2% constant with other browsers (which is still too high for my liking). If I remove/disable some chrome extensions the CPU usage drops back, but there doesn't seem to be one specific extension causing the problem. Extensions I have include Adblock and Ghostery.

[BoerenkoolMetWorst]

Nice software Is this specific for MitB attacks or does it also check for more traditional methods like keylogging etc?

[erikloman]

Quote:

Originally Posted by BoerenkoolMetWorst

Nice software Is this specific for MitB attacks or does it also check for more traditional methods like keylogging etc?

Currently only MitB attacks. But we might add detection for other malware techniques in next versions like keylogging, clipboard stealers, and I/O hook detection. Depends on how many people use HitmanPro.Alert. Its free so that should help a bit

[erikloman]

Quote:

Originally Posted by Scoobs72

I'm seeing constant CPU usage of about 7% with Chrome. CPU is about 2% constant with other browsers (which is still too high for my liking). If I remove/disable some chrome extensions the CPU usage drops back, but there doesn't seem to be one specific extension causing the problem. Extensions I have include Adblock and Ghostery.

We'll have a look if we can reproduce. Extensions run in their own process in Chrome. Next Beta will likely be using less CPU due to improved scanning (we have a few ideas how to do this).

[erikloman]

Quote:

Originally Posted by Adric

I'm able to create multiple hmpalert processes by selecting the flyout each time it shows on startup and selecting more info. Started new five times and have 5 processes that linger and don't go away. Also, the info web page does not get focus after selecting more information.

Very valuable info. Which OS do you run?

[jmonge]

HitmanPro.Alert is looking good here

[Amit]

Is HitmanPro.Alert really needed in presence of wsa since both claim to have protection against the so-called man-in-the-middle attacks? Or maybe even if HitmanPro.alert does a very specific, different and extra job than wsa's browser protection feature in identity shield, will there not be any overlapping?

[BoerenkoolMetWorst]

Quote:

Originally Posted by erikloman

Currently only MitB attacks. But we might add detection for other malware techniques in next versions like keylogging, clipboard stealers, and I/O hook detection. Depends on how many people use HitmanPro.Alert. Its free so that should help a bit

Thanks

Quote:

Originally Posted by ams963

Is HitmanPro.Alert really needed in presence of wsa since both claim to have protection against the so-called man-in-the-middle attacks?

HitmanPro.Alert is free software, WSA is not and the standalone free Identity Shield probably won't arrive in the near future.

[Amit]

Quote:

Originally Posted by BoerenkoolMetWorst

HitmanPro.Alert is free software, WSA is not and the standalone free Identity Shield probably won't arrive in the near future.

So you think the answer to my first question is no.

We use HitmanPro antimalware scanner free with our already existent av and am right? So I was asking what would users of wsa do if they wanted to use HitmanPro.alert just like the way they use HitmanPro antimalware free with wsa. Both HitmanPro scanner and alert are free and wsa is not. But I think we wanna use both of them. And as alert will be implemented into the scanner in the future I think most who used scanner would accept alert.

[erikloman]

Quote:

Originally Posted by ams963

Is HitmanPro.Alert really needed in presence of wsa since both claim to have protection against the so-called man-in-the-middle attacks? Or maybe even if HitmanPro.alert does a very specific, different and extra job than wsa's browser protection feature in identity shield, will there not be any overlapping?

HitmanPro.Alert detects man-in-the-browser attacks and not man-in-the-middle attacks. The difference between MITB and MITM is that MITM is generally geared towards stealing information further down the line (foiled SSL, phishing site, IP/name mismatch, etc.) wheras MITB specifically concentrates on the browser that is altered by malware so that it can modify webpages or add/alter transactions to steal information and money. Currently only a few tools exist to detect MITB attacks, like Trusteer Rapport, G Data BankGuard and Kaspersky 2013 Safe Money (part of KAV/KIS).

See also: http://en.wikipedia.org/wiki/Man-in-the-browser

[Amit]

Quote:

Originally Posted by erikloman

HitmanPro.Alert detects man-in-the-browser attacks and not man-in-the-middle attacks. The difference between MITB and MITM is that MITM is generally geared towards stealing information further down the line (foiled SSL, phishing site, IP/name mismatch, etc.) wheras MITB specifically concentrates on the browser that is altered by malware so that it can modify webpages or add/alter transactions to steal information and money. Currently only a few tools exist to detect MITB attacks, like Trusteer Rapport, G Data BankGuard and Kaspersky 2013 Safe Money (part of KAV/KIS).

See also: http://en.wikipedia.org/wiki/Man-in-the-browser

But the problem is WSA also protects against MITB.

Website protection options

Block phishing and known malicious websites : Alerts you to phishing sites and other malicious sites listed in our Webroot database. Phishing is a fraudulent method used by criminals to steal personal information. Typical scams might include websites designed to resemble legitimate sites, such as PayPal or a banking organization, which trick you into entering your credit card number.

Protect cookies and saved website data : Alerts you if a malicious program attempts to gather personal data from cookies installed on your computer. Cookies are small bits of text generated by a web server and then stored on your computer for future use. Cookies can contain everything from tracking information to your personal preferences.

Detect and prevent man-in-the middle attacks : Alerts you if a server is redirecting you to a malicious website (man-inthe-middle attack). This is a method of intercepting communications between two systems and stealing data.

Protect against keyloggers: Stops keyloggers from recording keystrokes on your computer. Keyloggers may monitor emails, chat room dialogue, instant message dialogue, websites visited, usernames, passwords, programs run, and any other typed entries. They have the ability to run in the background, hiding their presence.

Protect sensitive clipboard data : Stops malware programs from capturing clipboard data. The clipboard is a utility that allows you to cut and paste stored data between documents or applications.

Protect against URL grabbing attacks : Hides your web browsing activity from malware that attempts to log the websites you visit.

Protect browser components from external access : Hides your web browsing activity from malware that attempts to modify your browser with memory injection and other behind-the-scenes attacks.

Protect against Manin-the-Browser attacks : Blocks a malicious toolbar from stealing data. A man-in-the-browser attack is a Trojan that infects a web browser. It can modify pages and the content of your transactions without being detected.

Isolate untrusted browser add-ons from data : Blocks a browser add-on (browser helper object) from stealing data. While most browser add-ons are legitimate, some can display ads, track your Internet activity, or hijack your home page.

Block browser process modification attempts : Analyzes browser memory to see if code injection is taking place.

Protect against screen grabbing attacks : Blocks a malicious program from viewing and capturing your screen content.

Block suspicious access to browser windows Blocks a malicious program from viewing and capturing data in Windows components.

[BoerenkoolMetWorst]

Quote:

Originally Posted by ams963

So you think the answer to my first question is no.

We use HitmanPro antimalware scanner free with our already existent av and am right? So I was asking what would users of wsa do if they wanted to use HitmanPro.alert just like the way they use HitmanPro antimalware free with wsa. Both HitmanPro scanner and alert are free and wsa is not. But I think we wanna use both of them. And as alert will be implemented into the scanner in the future I think most who used scanner would accept alert.

Ah I didn't read it right, WSA Identity Shield does indeed protect from Man in the Browser attacks, so then you don't need HMP.Alert, though they seem to work together fine in my VM. If I'm correct Identity Shield tries to block every method to log the browsers keystrokes, screenshots, MitB etc whereas HitmanPro.Alert detects if the browser is being tampered with and then gives a warning, so they shouldn't conflict as their methods are different.

[G1111]

Getting this message in the log, but everything seems normal:
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
Flyout in session 1
C:\Program Files\HitmanPro.Alert\hmpalert.exe started with PID 19312
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OnFlyoutExit exit code 0
OpenProcess 9424 failed with error 5

[erikloman]

Quote:

Originally Posted by G1111

Getting this message in the log, but everything seems normal:
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
Flyout in session 1
C:\Program Files\HitmanPro.Alert\hmpalert.exe started with PID 19312
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OpenProcess 9424 failed with error 5
OnFlyoutExit exit code 0
OpenProcess 9424 failed with error 5

This is a normal log. 9424 is audiodg.exe, a protected process that can only be made by Microsoft.

[Amit]

Quote:

Originally Posted by BoerenkoolMetWorst

Ah I didn't read it right, WSA Identity Shield does indeed protect from Man in the Browser attacks, so then you don't need HMP.Alert, though they seem to work together fine in my VM. If I'm correct Identity Shield tries to block every method to log the browsers keystrokes, screenshots, MitB etc whereas HitmanPro.Alert detects if the browser is being tampered with and then gives a warning, so they shouldn't conflict as their methods are different.

Thank you for the reply. I don't use WSA. I was just curious. I use EAM and OA. Do you think I need HitmanPro.alert with them? I could not find feature in either OA or EAM that would protect me from MITB.