HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Thanks Erik, here's the content of the log. I use SRP as well - could that be having an impact? HMPA works fine in my UAC protected Admin account:

    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    Flyout in session 2
    CreateProcessAsUser() failed with error 740
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
    OpenProcess 1872 failed with error 5
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Process 1872 is audiodg.exe, which is a normal error.

    The error 740 is indeed an elevation problem. Nice find! Will address this in the next Beta.

    Thanks :thumb:
     
  3. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Excellent. Thanks Erik :)
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What SRP policies have you applied on hmpalert.exe? Maybe they are related.
     
  5. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Quite a few additional rules aside from the default deny in user space:

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    C:\Windows\debug\WIA\*
    C:\Windows\regedit.exe
    C:\Windows\Registration\CRMLog\*
    C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*
    C:\Windows\System32\cmd.exe
    C:\Windows\System32\com\dmp\*
    C:\Windows\System32\COMMAND.COM
    C:\Windows\System32\cscript.exe
    C:\Windows\System32\debug.exe
    C:\Windows\System32\format.com
    C:\Windows\System32\FxsTmp\*
    C:\Windows\System32\regedt32.exe
    C:\Windows\System32\scrobj.dll
    C:\Windows\System32\spool\drivers\color\*
    C:\Windows\System32\spool\PRINTERS\*
    C:\Windows\System32\Tasks\*
    C:\Windows\System32\vbscript.dll
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
    C:\Windows\System32\wscript.exe
    C:\Windows\Tasks\*
    C:\Windows\Temp\*
    C:\Windows\tracing\*
    C:\Windows\winsxs\x86_microsoft-windows-gpowershell-exe_31bf3856ad364e35_6.1.7600.16385_none_386775c60308b366\powershell_ise.exe
    C:\Windows\winsxs\x86_microsoft-windows-powershell-exe_31bf3856ad364e35_6.1.7600.16385_none_68ec54d7638638f5\powershell.exe
    C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_483ea93961ad86ec\cscript.exe
    C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_483ea93961ad86ec\scrobj.dll
    C:\Windows\winsxs\x86_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_483ea93961ad86ec\wscript.exe
    C:\Windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.16385_none_483059728f3a98ba\vbscript.dll
    C:\Windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.16546_none_485c9d388f193c9b\vbscript.dll
    C:\Windows\winsxs\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_6.1.7600.20662_none_48cc9903a84aaeeb\vbscript.dll
     
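The rule list above is easier to reason about if you can ask "which rule would win for hmpalert.exe?" directly. The following is an added example, not code from the post or from HitmanPro.Alert: a small model of how SRP resolves *path* rules (hash, certificate and zone rules are not modeled). It assumes, because the post lists paths without their security levels, that the default level is Disallowed, that the two `%HKEY_LOCAL_MACHINE\...%` rules are Unrestricted, and that the remaining rules are Disallowed; the registry values are a constructed stand-in for what SRP reads on the real host, and only a subset of the posted rules is included. The "most specific matching path rule wins" precedence is SRP's documented behaviour; the Disallowed-beats-Unrestricted tie-break is this example's own conservative assumption.

```python
import fnmatch
from dataclasses import dataclass

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Constructed stand-in for the two registry values SRP expands at evaluation
# time on a real host (assumed values).
REGISTRY_PATHS = {
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%": r"C:\Windows",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%": r"C:\Program Files",
}


@dataclass(frozen=True)
class PathRule:
    pattern: str   # the rule exactly as typed into the policy
    level: str     # DISALLOWED or UNRESTRICTED (assumed; the post gives paths only)

    def expanded(self) -> str:
        """Resolve a leading %registry path% token; SRP compares case-insensitively."""
        p = self.pattern
        for token, value in REGISTRY_PATHS.items():
            if p.upper().startswith(token.upper()):
                p = value + p[len(token):]
        return p.lower()

    def matches(self, path: str) -> bool:
        rule, path = self.expanded(), path.lower()
        if rule.endswith("\\*"):                 # folder rule: everything beneath it
            return path.startswith(rule[:-1])
        if "*" in rule or "?" in rule:           # any other wildcard rule
            return fnmatch.fnmatchcase(path, rule)
        # A plain rule names one file, or a folder whose whole subtree it covers.
        return path == rule or path.startswith(rule + "\\")

    def specificity(self) -> int:
        """Longer (more specific) rules take precedence over shorter ones."""
        return len(self.expanded().rstrip("*\\"))


def evaluate(path: str, rules: list, default: str = DISALLOWED):
    """Return (level, winning_rule) for an image path, or (default, None)."""
    hits = [r for r in rules if r.matches(path)]
    if not hits:
        return default, None
    # Most specific rule wins; on equal specificity prefer Disallowed
    # (assumption: conservative tie-break, not taken from the post).
    best = max(hits, key=lambda r: (r.specificity(), r.level == DISALLOWED))
    return best.level, best


# Subset of the rules from the post, with assumed security levels.
POLICY = [
    PathRule(r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%", UNRESTRICTED),
    PathRule(r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%", UNRESTRICTED),
] + [PathRule(p, DISALLOWED) for p in (
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32\Tasks\*",
    r"C:\Windows\System32\spool\PRINTERS\*",
    r"C:\Windows\Temp\*",
    r"C:\Windows\tracing\*",
)]


def explain(path: str, rules: list = POLICY) -> str:
    level, rule = evaluate(path, rules)
    why = rule.pattern if rule else "no matching rule, default level applies"
    return f"{path}: {level} ({why})"


if __name__ == "__main__":
    for p in (r"C:\Program Files\HitmanPro.Alert\hmpalert.exe",
              r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\Temp\dropper.exe",
              r"C:\Windows\System32\cmd.exe",
              r"C:\Users\bob\Downloads\setup.exe"):
        print(explain(p))
```

Under these assumptions hmpalert.exe is Unrestricted via the ProgramFilesDir rule, so the listed path rules alone would not block it; the model is useful precisely for checking that a new Disallowed rule for a writable folder does not accidentally cover a trusted install location.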
  6. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    131
    Location:
    Spain
    Thanks :) .
     
  7. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I'm not sure but it's probably AppGuard. Except even with protection level set to off, the alert still happens.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    A signed beta :thumb:

    Only incident I noticed (Win7 x32 Ultimate)

    After installation the EMET 3 notifier icon disappears. Windows says the icon is not active, while Process Explorer shows EMET 3 Notifier is running. No other security programs installed other than EMET3 and HMP notifier.

    After reboot icon is back again, everything functioning ok.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    UI suggestion (not a high priority)

    What about applying the corporate identity of hitmanpro. With your background it is a bit disappointing you launched a program in a different corporate identity. ;) or better with no "house style". Maybe graphics are a problem, but even with a text fly out message, you could try to use the same color scheme as the opening panel of HitmanPro (white on green), or the scan progress panel (white on blue).

    When something is found
    Offer to run a HMP cloud scan on the changed DLLs; this has the advantage that your whitelist is filled automatically and increases cross-selling opportunities.

    Database update
    Make it specific for the browsers found on the system; this will decrease delay on non-standard configurations. Maybe introduce a "default" policy (only allow default = naked browser configurations with known AV modules/extensions of your HitManPro supported engines only: Ikarus, Emsisoft, Gdata, Avast, Bitdefender, drWeb*) and a whitelist policy (check whether dll changes are known good/bad guys). Run a first scan in the installation process and offer the "default" policy only when there are no omissions. Report found changes and safe changes panel, just as with HitManPro (only for installation process, where you have program based control, not service based control). When someone uses a tight policy and a change is found, change setting automatically to whitelist policy. It would of course be nice to know whether Alert is operating in default or whitelist policy mode (startup flyout display).

    * Because HitManPro cloud is based on these engines, all their browser extensions should be known and whitelisted, even in the default policy mode.
     
    Last edited: May 26, 2012
  10. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    I'm able to create multiple hmpalert processes by selecting the flyout each time it shows on startup and selecting more info. Started new five times and have 5 processes that linger and don't go away. Also, the info web page does not get focus after selecting more information.
     
  11. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I'm seeing constant CPU usage of about 7% with Chrome. CPU is about 2% constant with other browsers (which is still too high for my liking). If I remove/disable some chrome extensions the CPU usage drops back, but there doesn't seem to be one specific extension causing the problem. Extensions I have include Adblock and Ghostery.
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Nice software :) Is this specific for MitB attacks or does it also check for more traditional methods like keylogging etc?
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Currently only MitB attacks. But we might add detection for other malware techniques in next versions like keylogging, clipboard stealers, and I/O hook detection. Depends on how many people use HitmanPro.Alert. It's free so that should help a bit ;)
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We'll have a look if we can reproduce. Extensions run in their own process in Chrome. Next Beta will likely be using less CPU due to improved scanning (we have a few ideas how to do this).
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Very valuable info. Which OS do you run?
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    HitmanPro.Alert is looking good here:thumb: :thumb:
     
  17. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Is HitmanPro.Alert really needed in presence of wsa since both claim to have protection against the so-called man-in-the-middle attacks? Or maybe even if HitmanPro.alert does a very specific, different and extra job than wsa's browser protection feature in identity shield, will there not be any overlapping?
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Thanks :)

    HitmanPro.Alert is free software, WSA is not and the standalone free Identity Shield probably won't arrive in the near future.
     
  19. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    So you think the answer to my first question is no.

    We use HitmanPro antimalware scanner free with our already existing AV and AM, right? So I was asking what would users of wsa do if they wanted to use HitmanPro.alert just like the way they use HitmanPro antimalware free with wsa. Both HitmanPro scanner and alert are free and wsa is not. But I think we wanna use both of them. And as alert will be implemented into the scanner in the future I think most who used scanner would accept alert.
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert detects man-in-the-browser attacks and not man-in-the-middle attacks. The difference between MITB and MITM is that MITM is generally geared towards stealing information further down the line (foiled SSL, phishing site, IP/name mismatch, etc.) whereas MITB specifically concentrates on the browser that is altered by malware so that it can modify webpages or add/alter transactions to steal information and money. Currently only a few tools exist to detect MITB attacks, like Trusteer Rapport, G Data BankGuard and Kaspersky 2013 Safe Money (part of KAV/KIS).

    See also: http://en.wikipedia.org/wiki/Man-in-the-browser
     
  21. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    But the problem is WSA also protects against MITB.

    Website protection options

    Block phishing and known malicious websites : Alerts you to phishing sites and other malicious sites listed in our Webroot database. Phishing is a fraudulent method used by criminals to steal personal information. Typical scams might include websites designed to resemble legitimate sites, such as PayPal or a banking organization, which trick you into entering your credit card number.

    Protect cookies and saved website data : Alerts you if a malicious program attempts to gather personal data from cookies installed on your computer. Cookies are small bits of text generated by a web server and then stored on your computer for future use. Cookies can contain everything from tracking information to your personal preferences.

    Detect and prevent man-in-the-middle attacks : Alerts you if a server is redirecting you to a malicious website (man-in-the-middle attack). This is a method of intercepting communications between two systems and stealing data.

    Protect against keyloggers: Stops keyloggers from recording keystrokes on your computer. Keyloggers may monitor emails, chat room dialogue, instant message dialogue, websites visited, usernames, passwords, programs run, and any other typed entries. They have the ability to run in the background, hiding their presence.

    Protect sensitive clipboard data : Stops malware programs from capturing clipboard data. The clipboard is a utility that allows you to cut and paste stored data between documents or applications.

    Protect against URL grabbing attacks : Hides your web browsing activity from malware that attempts to log the websites you visit.

    Protect browser components from external access : Hides your web browsing activity from malware that attempts to modify your browser with memory injection and other behind-the-scenes attacks.

    Protect against Man-in-the-Browser attacks : Blocks a malicious toolbar from stealing data. A man-in-the-browser attack is a Trojan that infects a web browser. It can modify pages and the content of your transactions without being detected.

    Isolate untrusted browser add-ons from data : Blocks a browser add-on (browser helper object) from stealing data. While most browser add-ons are legitimate, some can display ads, track your Internet activity, or hijack your home page.

    Block browser process modification attempts : Analyzes browser memory to see if code injection is taking place.

    Protect against screen grabbing attacks : Blocks a malicious program from viewing and capturing your screen content.

    Block suspicious access to browser windows : Blocks a malicious program from viewing and capturing data in Windows components.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Ah I didn't read it right, WSA Identity Shield does indeed protect from Man in the Browser attacks, so then you don't need HMP.Alert, though they seem to work together fine in my VM. If I'm correct Identity Shield tries to block every method to log the browsers keystrokes, screenshots, MitB etc whereas HitmanPro.Alert detects if the browser is being tampered with and then gives a warning, so they shouldn't conflict as their methods are different.
     
  23. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Getting this message in the log, but everything seems normal:
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    Flyout in session 1
    C:\Program Files\HitmanPro.Alert\hmpalert.exe started with PID 19312
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OpenProcess 9424 failed with error 5
    OnFlyoutExit exit code 0
    OpenProcess 9424 failed with error 5
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This is a normal log. 9424 is audiodg.exe, a protected process that can only be made by Microsoft.
     
  25. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Thank you for the reply. I don't use WSA. I was just curious. I use EAM and OA. Do you think I need HitmanPro.alert with them? I could not find a feature in either OA or EAM that would protect me from MITB.
     