Wilders Security Forums  

#1 erikloman (Developer), May 25th, 2012, 06:31 PM
HitmanPro.Alert Support and Discussion Thread

Hello all,

Last month we announced HitmanPro.Alert, and today we release the first BETA version of HitmanPro.Alert.

HitmanPro.Alert is a free tool that mitigates Man-in-the-Browser attacks by informing you when a known or unknown Trojan has infiltrated your browser. Keep your money and personal data safe during online banking, shopping, social networking, blogging, gaming and more.

HitmanPro.Alert is designed to run alongside installed antivirus products. It is not a browser plug-in but a small Windows service that checks the web browser's integrity.

Supported Web Browsers
  • Google Chrome
  • Internet Explorer
  • Firefox
  • Safari
  • Opera
  • Most browsers based on the above list, like Maxthon, Pale Moon, TorBrowser, etc.
More information here.

HitmanPro.Alert shows a so-called Flyout window to notify the computer user that the browser integrity has been checked and that no anomalies have been found. When the Flyout window disappears HitmanPro.Alert keeps monitoring the browser in the background.

Note: You can click on the grey Flyout window to get additional options (like suppressing the Flyout).

[Attached images: FirefoxFlyout.png, FirefoxFlyoutOptions.png]

If HitmanPro.Alert finds an anomaly in the web browser then an Alert Dialog is shown with an option to view the anomaly details. In addition there is a button to scan the computer with HitmanPro to remove the threat.

[Attached images: FirefoxCompromised.PNG, FirefoxCompromisedDetails.PNG]


You can uninstall HitmanPro.Alert using the standard Add/Remove Software control panel.

Known Issues
  • Beta version is English only
  • Beta version is incompatible with Trusteer Rapport
  • HitmanPro.Alert icon
  • Some focus issues during an Alert
  • Limited support for Terminal Server environments (need more testing)

32-bit: http://dl.surfright.nl/beta/hmpalert.exe (482KB)
64-bit: http://dl.surfright.nl/beta/hmpalert_x64.exe (544KB)

For Windows XP, Vista, 2003, 2008 and Windows 7.

NOTE: This is a beta release so it is not recommended for use in production environments.

Please let us know: What do you like? What needs improvement? Stuff like UI (text), performance, memory consumption, etc. Do you experience problems using HitmanPro.Alert? Let us know!

If HitmanPro.Alert does not show a Flyout for your browser, then please let us know so we can add support for it.
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support

Last edited by erikloman : May 25th, 2012 at 07:13 PM.
#2 Nizarawi, May 25th, 2012, 06:35 PM

thank you :p
#3 Blues7, May 25th, 2012, 06:52 PM

This is exciting news, Erik. Congrats.
__________________
Blues

Real-Time: ★ Emsisoft Internet Security ★ Sandboxie ★

On-Demand: ★ Drive Snapshot / Macrium Reflect ★ Shadow Defender ★
#4 LoneWolf, May 25th, 2012, 07:13 PM

While taking HMP Alert for a quick spin I get this message if AdMuncher is shut down.........
[Attached image: 0.png]

While I get this if AdMuncher v4.92 is active...........
[Attached images: 1.png, 2.png]

Scanning with HMP comes up clean.......FP maybe
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness
#5 erikloman (Developer), May 25th, 2012, 07:18 PM

Quote:
Originally Posted by LoneWolf
While taking HMP Alert for a quick spin I get this message if AdMuncher is shut down.........
Attachment 233016

While I get this if AdMuncher v4.92 is active...........
Attachment 233017
Attachment 233018

Scanning with HMP comes up clean.......FP maybe
Confirmed. We will address this in the next beta (end of next week). HitmanPro.Alert has an updater so you should be automatically updated when we release a fix.

Please keep the reports coming in
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
#6 LoneWolf, May 25th, 2012, 07:21 PM

Quote:
Originally Posted by erikloman
Confirmed. We will address this in the next beta (end of next week). HitmanPro.Alert has an updater so you should be automatically updated when we release a fix.

Please keep the reports coming in

Thanks for the quick response and confirmation.
__________________
May you fly straight to heaven - but if you go to Hades - may Lethe run with Guinness
#7 G1111, May 25th, 2012, 07:28 PM

No problems with installation. Running 01 CPU and 1.8 K RAM on Windows 7 HP SP1 x86. No icon or way to close program. If integrated with HMP there should be ability to close this portion if user desires. Running scan with HMP from HMA works with no problem. Flyout works with Firefox 12.0. Uninstall shows up in control panel under "Uninstall HitmanAlert.beta". Flyout does not open if opening a second FF application. Not sure if this is a problem or not.
#8 erikloman (Developer), May 25th, 2012, 07:35 PM

Quote:
Originally Posted by G1111
Flyout does not open if opening a second FF application. Not sure if this is a problem or not.
Good eye (aka good tester to notice this)!

The Flyout is only shown once per browsing session so that the Flyout is not shown too often.

If the second Firefox application (window) is opened then Firefox ties it to the first browsing session. If you close all Firefox processes (close their windows and check in Task Manager) and then open Firefox again, you should see the Flyout again.
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
#9 Adric, May 25th, 2012, 07:43 PM

On XP/SP3 with FF 12, flyout shows briefly and then disappears. It seems to be minimizing to the start button on the left. No way to get to the options if you don't catch it at startup. Also the flyout shows up when starting Thunderbird.

Edit:
I'm also seeing 2 hmpalert.exe processes below the main service process that were started with the /flyout option. Is this normal?

Al

Last edited by Adric : May 25th, 2012 at 08:12 PM.
#10 G1111, May 25th, 2012, 07:44 PM

Forgot to mention working well with my other security software. Does HMA detect redirects?
#11 dlimanov, May 25th, 2012, 07:44 PM

This may be just the most useful browser protection ever invented. Great job Erik and Hitman!
#12 Adric, May 25th, 2012, 08:11 PM

Has anyone found any tests that will trigger an Alert?
#13 G1111, May 25th, 2012, 08:32 PM

Tested with Tor (FF portable opened through Vidalia control panel) and no flyout screen. Does it protect while using Firefox portable?

Also had one FP detected I believe it was related to EMET 2.1. I didn't do screen capture. It would be nice to have a log so you don't have to make an immediate decision and do further testing and have a log with the dll's listed to work with.

Edit: Happened again. See below possible FP
Attached Images
 

Last edited by G1111 : May 25th, 2012 at 10:11 PM.
#14 Brandonn2010, May 25th, 2012, 09:13 PM

Got alerts as soon as I opened IE and Chrome:


Google Chrome
Process ID 600
C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

user32.dll
SetWinEventHook 000d01f8
SetWindowsHookExA 000d0600
SetWindowsHookExW 000d0804
UnhookWinEvent 000d03fc
UnhookWindowsHookEx 000d0a08

ntdll.dll
LdrLoadDll 000c01f8
LdrUnloadDll 000c03fc
NtAllocateVirtualMemory 000c0600
NtFreeVirtualMemory 000c0804
NtProtectVirtualMemory 000c0a08
NtTerminateProcess 000c0c0c
ZwAllocateVirtualMemory 000c0600
ZwFreeVirtualMemory 000c0804
ZwProtectVirtualMemory 000c0a08
ZwTerminateProcess 000c0c0c

Google Chrome
Process ID 2424
C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

user32.dll
SetWinEventHook 004401f8
SetWindowsHookExA 00440600
SetWindowsHookExW 00440804
UnhookWinEvent 004403fc
UnhookWindowsHookEx 00440a08

ntdll.dll
LdrLoadDll 004201f8
LdrUnloadDll 004203fc
NtAllocateVirtualMemory 00420600
NtFreeVirtualMemory 00420804
NtProtectVirtualMemory 00420a08
NtTerminateProcess 00420c0c
ZwAllocateVirtualMemory 00420600
ZwFreeVirtualMemory 00420804
ZwProtectVirtualMemory 00420a08
ZwTerminateProcess 00420c0c

Google Chrome
Process ID 2864
C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

user32.dll
SetWinEventHook 003001f8
SetWindowsHookExA 00300600
SetWindowsHookExW 00300804
UnhookWinEvent 003003fc
UnhookWindowsHookEx 00300a08

ntdll.dll
LdrLoadDll 002e01f8
LdrUnloadDll 002e03fc
NtAllocateVirtualMemory 002e0600
NtFreeVirtualMemory 002e0804
NtProtectVirtualMemory 002e0a08
NtTerminateProcess 002e0c0c
ZwAllocateVirtualMemory 002e0600
ZwFreeVirtualMemory 002e0804
ZwProtectVirtualMemory 002e0a08
ZwTerminateProcess 002e0c0c



Also the scan doesn't work. It gets about a 1/3 of the way and just stops. I have to hit Ignore to finish it. Also would be nice to have an icon in the browser showing it's running.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
#15 subhrobhandari, May 25th, 2012, 11:39 PM

Here's my quick feedback:

1. ZScaler SES addon does not work when hmpalert is running.

http://research.zscaler.com/2010/07/...t-against.html

2. If hmpalert.exe is closed while the browser is running, then it does not reopen automatically next time a browser session is started.

3. I don't know if this is actually an issue, but looks like hmpalert.exe is reading the browser and writing a file \Device\HarddiskVolume1\log\mitb.log continuously but I can't seem to find the log file (I tried search Everything).

Let me know when you need Bengali translations, I will be happy to help.
__________________
Realtime: Webroot SecureAnywhere Private Beta + Zemana Antilogger + HitmanPro Alert
On-Demand: Hitman Pro
Others: Router + EMET (Custom Conf.) + Fully Updated Windows 7 SP1 64Bit + Other Security Measures
#16 KelvinW4, May 26th, 2012, 02:07 AM

Mighty nice
__________________
Windows Firewall-Shadow Defender-MBAM PRO (OD)
#17 kupo, May 26th, 2012, 02:27 AM

Anyone tested it if it works if the browser is sandboxed by Sandboxie?
  #18  
Old May 26th, 2012, 02:39 AM
erikloman's Avatar
erikloman erikloman is offline
Developer
 
Join Date: Jun 2009
Location: Hengelo, The Netherlands
Posts: 1,128
Default Re: HitmanPro.Alert Support and Discussion Thread

Quote:
Originally Posted by Brandonn2010
Got alerts as soon as I opened IE and Chrome:


Google Chrome
Process ID 600
C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

user32.dll
SetWinEventHook 000d01f8
SetWindowsHookExA 000d0600
SetWindowsHookExW 000d0804
UnhookWinEvent 000d03fc
UnhookWindowsHookEx 000d0a08

ntdll.dll
LdrLoadDll 000c01f8
LdrUnloadDll 000c03fc
NtAllocateVirtualMemory 000c0600
NtFreeVirtualMemory 000c0804
NtProtectVirtualMemory 000c0a08
NtTerminateProcess 000c0c0c
ZwAllocateVirtualMemory 000c0600
ZwFreeVirtualMemory 000c0804
ZwProtectVirtualMemory 000c0a08
ZwTerminateProcess 000c0c0c

Google Chrome
Process ID 2424
C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

user32.dll
SetWinEventHook 004401f8
SetWindowsHookExA 00440600
SetWindowsHookExW 00440804
UnhookWinEvent 004403fc
UnhookWindowsHookEx 00440a08

ntdll.dll
LdrLoadDll 004201f8
LdrUnloadDll 004203fc
NtAllocateVirtualMemory 00420600
NtFreeVirtualMemory 00420804
NtProtectVirtualMemory 00420a08
NtTerminateProcess 00420c0c
ZwAllocateVirtualMemory 00420600
ZwFreeVirtualMemory 00420804
ZwProtectVirtualMemory 00420a08
ZwTerminateProcess 00420c0c

Google Chrome
Process ID 2864
C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

user32.dll
SetWinEventHook 003001f8
SetWindowsHookExA 00300600
SetWindowsHookExW 00300804
UnhookWinEvent 003003fc
UnhookWindowsHookEx 00300a08

ntdll.dll
LdrLoadDll 002e01f8
LdrUnloadDll 002e03fc
NtAllocateVirtualMemory 002e0600
NtFreeVirtualMemory 002e0804
NtProtectVirtualMemory 002e0a08
NtTerminateProcess 002e0c0c
ZwAllocateVirtualMemory 002e0600
ZwFreeVirtualMemory 002e0804
ZwProtectVirtualMemory 002e0a08
ZwTerminateProcess 002e0c0c



Also the scan doesn't work. It gets about a 1/3 of the way and just stops. I have to hit Ignore to finish it. Also would be nice to have an icon in the browser showing it's running.
Wow. That browser is heavily modified. Will discuss with the team whether this configuration is supported. I assume it's caused by AppGuard?
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
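A way to triage an alert-details dump like the one quoted above, added here as an example and not HitmanPro.Alert's own code: it groups the listed exports per process and module, collapses the Nt*/Zw* aliases, and reports which memory region the hex values fall in. It assumes the hex column is the address each export is redirected to, which the thread does not state; the function names are hypothetical.

```python
import re
from collections import defaultdict

# First process block of the alert details quoted in post #14 of this thread.
SAMPLE = r"""
Google Chrome
Process ID 600
C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

user32.dll
SetWinEventHook 000d01f8
SetWindowsHookExA 000d0600
SetWindowsHookExW 000d0804
UnhookWinEvent 000d03fc
UnhookWindowsHookEx 000d0a08

ntdll.dll
LdrLoadDll 000c01f8
LdrUnloadDll 000c03fc
NtAllocateVirtualMemory 000c0600
NtFreeVirtualMemory 000c0804
NtProtectVirtualMemory 000c0a08
NtTerminateProcess 000c0c0c
ZwAllocateVirtualMemory 000c0600
ZwFreeVirtualMemory 000c0804
ZwProtectVirtualMemory 000c0a08
ZwTerminateProcess 000c0c0c
"""

PID_RE = re.compile(r"^Process ID (\d+)$")
MODULE_RE = re.compile(r"^([\w.-]+\.dll)$", re.IGNORECASE)
# Assumption: "<export> <8 hex digits>" means the export is redirected to that address.
HOOK_RE = re.compile(r"^(\w+) ([0-9a-fA-F]{8})$")

def parse_alert_details(text):
    """Return {(pid, module): {export_name: address}} from an alert-details dump."""
    hooks = defaultdict(dict)
    pid = module = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PID_RE.match(line):
            pid, module = int(m.group(1)), None
        elif m := MODULE_RE.match(line):
            module = m.group(1).lower()
        elif (m := HOOK_RE.match(line)) and pid is not None and module:
            hooks[(pid, module)][m.group(1)] = int(m.group(2), 16)
    return dict(hooks)

def summarize(text):
    """Per process and module: export count, distinct targets, regions, slot stride."""
    report = {}
    for key, exports in parse_alert_details(text).items():
        targets = sorted(set(exports.values()))  # Nt*/Zw* aliases collapse here
        report[key] = {
            "exports": len(exports),
            "unique_targets": len(targets),
            # 64 KB is the Windows allocation granularity, so this buckets by allocation.
            "regions": sorted({hex(t & ~0xFFFF) for t in targets}),
            "strides": sorted({hex(b - a) for a, b in zip(targets, targets[1:])}),
        }
    return report

if __name__ == "__main__":
    for (pid, module), info in summarize(SAMPLE).items():
        print(pid, module, info)
```

On the quoted data each module's targets sit in a single region at a fixed 0x204 stride and the Nt*/Zw* pairs share targets, which is what one hooking engine installing a block of stubs per DLL would produce. Treat that as a triage aid for deciding what to inspect next, not as a verdict on whether the hooks are benign.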
#19 erikloman (Developer), May 26th, 2012, 02:43 AM

Quote:
Originally Posted by subhrobhandari
Here's my quick feedback:

1. ZScaler SES addon does not work when hmpalert is running.

http://research.zscaler.com/2010/07/...t-against.html

2. If hmpalert.exe is closed while the browser is running, then it does not reopen automatically next time a browser session is started.

3. I don't know if this is actually an issue, but looks like hmpalert.exe is reading the browser and writing a file \Device\HarddiskVolume1\log\mitb.log continuously but I can't seem to find the log file (I tried search Everything).

Let me know when you need Bengali translations, I will be happy to help.
1. That is weird because HitmanPro.Alert is a passive scan. Does not alter anything.

2. Browser processes tend to linger in memory for a few seconds so if you open another then it belongs to the still lingering process.

3. If you create C:\Log\ folder then the log file will be written. The Beta has this feature so we can request a log file in case of issues.

Thank you for testing
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
#20 erikloman (Developer), May 26th, 2012, 02:49 AM

Quote:
Originally Posted by G1111
Tested with Tor (FF portable opened through Vidalia control panel) and no flyout screen. Does it protect while using Firefox portable?

Also had one FP detected I believe it was related to EMET 2.1. I didn't do screen capture. It would be nice to have a log so you don't have to make an immediate decision and do further testing and have a log with the dll's listed to work with.

Edit: Happened again. See below possible FP
I think Portable Apps are currently not supported. TorBrowser is supported though.

About the FP, it's confirmed that while closing a browser the alert is triggered due to some sort of race condition (scanning the browser process while it is closing). Bit hard to reproduce. It's not related to EMET as EMET is supported.

Will be fixed in next Beta.
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
#21 erikloman (Developer), May 26th, 2012, 02:59 AM

Quote:
Originally Posted by Adric
On XP/SP3 with FF 12, flyout shows briefly and then disappears. It seems to be minimizing to the start button on the left. No way to get to the options if you don't catch it at startup. Also the flyout shows up when starting Thunderbird.

Edit:
I'm also seeing 2 hmpalert.exe processes below the main service process that were started with the /flyout option. Is this normal?

Al
The minimizing effect should not happen, will address this in next Beta. Also we'll add more ways to get to options.

Thunderbird has a browser to display the HTML email. Also iTunes will trigger the flyout as you can login/make purchases in iTunes (webkit based).

The 2 hmpalert.exe processes are normal. One is the service, the other with the /flyout runs in user session. But this should close after a few seconds. If it is lingering then you've found a bug? When no flyout is visible you should only see one hmpalert.exe process.

Thanks
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
#22 Scoobs72, May 26th, 2012, 03:05 AM

Great application Erik. A couple of initial comments:

1. HMPA doesn't appear to work in a standard user account/limited user account. Correct?

2. The flyout window appears for browsers running under Sandboxie but does HMPA have full functionality in this instance?

Thanks
#23 Cyrano2, May 26th, 2012, 03:07 AM

No Comodo Dragon support?
__________________
Real-Time: EMET 4 (Beta) / Comodo Firewall 6.1.x
Browser: Chrome (Adblock Plus, HTTPS Everywhere and TrafficLight)
On-demand: Norton ConnectSafe (Router) / Macrium Reflect Free / Malwarebytes Anti-Malware (Weekly) / Hitman Pro (Monthly)
#24 erikloman (Developer), May 26th, 2012, 03:09 AM

Quote:
Originally Posted by Scoobs72
Great application Erik. A couple of initial comments:

1. HMPA doesn't appear to work in a standard user account/limited user account. Correct?

2. The flyout window appears for browsers running under Sandboxie but does HMPA have full functionality in this instance?

Thanks
1. Should work. Can you send me the log file? A log file is created when you create the folder C:\Log\ .

2. Yes fully functional. HitmanPro.Alert is a passive scanner so should work fine under Sandboxie.
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
#25 erikloman (Developer), May 26th, 2012, 03:13 AM

Quote:
Originally Posted by Cyrano2
No Comodo Dragon support?
First time I heard of this browser. Since it's based on Chrome it should be supported. We'll have a look why the flyout is not showing.
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
 
