HitmanPro.Alert Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman
    erikloman Developer

    Hello all,

    Last month we announced HitmanPro.Alert and today we release the first BETA version of HitmanPro.Alert.

    HitmanPro.Alert is a free tool that mitigates Man-in-the-Browser attacks by informing you when a known or unknown Trojan has infiltrated your browser. Keep your money and personal data safe during online banking, shopping, social networking, blogging, gaming and more.

    HitmanPro.Alert is designed to run alongside installed antivirus products. It is not a browser plug-in but a small Windows service that checks the web browser's integrity.

    Supported Web Browsers
    • Google Chrome
    • Internet Explorer
    • Firefox
    • Safari
    • Opera
    • Most browsers based on the above list, like Maxthon, Pale Moon, TorBrowser, etc.
    More information here.

    HitmanPro.Alert shows a so-called Flyout window to notify the computer user that the browser integrity has been checked and that no anomalies have been found. When the Flyout window disappears HitmanPro.Alert keeps monitoring the browser in the background.

    Note: You can click on the grey Flyout window to get additional options (like suppressing the Flyout).

    FirefoxFlyout.png FirefoxFlyoutOptions.png

    If HitmanPro.Alert finds an anomaly in the web browser then an Alert Dialog is shown with an option to view the anomaly details. In addition there is a button to scan the computer with HitmanPro to remove the threat.

    FirefoxCompromised.PNG FirefoxCompromisedDetails.PNG


    You can uninstall HitmanPro.Alert using the standard Add/Remove Software control panel.

    Known Issues
    • Beta version is English only
    • Beta version is incompatible with Trusteer Rapport
    • HitmanPro.Alert icon
    • Some focus issues during an Alert
    • Limited support for Terminal Server environments (need more testing)

    32-bit: http://dl.surfright.nl/beta/hmpalert.exe (482KB)
    64-bit: http://dl.surfright.nl/beta/hmpalert_x64.exe (544KB)

    For Windows XP, Vista, 2003, 2008 and Windows 7.

    NOTE: This is a beta release so it is not recommended for use in production environments.

    Please let us know: What do you like? What needs improvement? Stuff like UI (text), performance, memory consumption, etc. Do you experience problems using HitmanPro.Alert? Let us know! :thumb:

    If HitmanPro.Alert does not show a Flyout for your browser, then please let us know so we can add support for it.
    Last edited: May 25, 2012
  2. Nizarawi
    Nizarawi Registered Member

    thank you :p
  3. Blues7
    Blues7 Registered Member

    This is exciting news, Erik. Congrats. :cool: :thumb:
  4. LoneWolf
    LoneWolf Registered Member

    While taking HMP Alert for a quick spin I get this message if AdMuncher is shut down.........
    0.png

    While I get this if AdMuncher v4.92 is active...........
    1.png
    2.png

    Scanning with HMP comes up clean.......FP maybe o_O
  5. erikloman
    erikloman Developer

    Confirmed. We will address this in the next beta (end of next week). HitmanPro.Alert has an updater so you should be automatically updated when we release a fix.

    Please keep the reports coming in :thumb:
  6. LoneWolf
    LoneWolf Registered Member

    Thanks for the quick response and confirmation. :D :thumb:
  7. G1111
    G1111 Registered Member

    No problems with installation. Running 01 CPU and 1.8 K RAM on Windows 7 HP SP1 x86. No icon or way to close program. If integrated with HMP there should be ability to close this portion if user desires. Running scan with HMP from HMA works with no problem. Flyout works with Firefox 12.0. Uninstall shows up in control panel under "Uninstall HitmanAlert.beta". Flyout does not open if opening a second FF application. Not sure if this is a problem or not.
  8. erikloman
    erikloman Developer

    Good eye (aka good tester to notice this)!

    The Flyout is only shown once per browsing session so that the Flyout is not shown too often.

    If the second Firefox application (window) is opened then Firefox ties it to the first browsing session. If you close all Firefox processes (close their windows and check in Task Manager) and then open Firefox again, you should see the Flyout again.
  9. Adric
    Adric Registered Member

    On XP/SP3 with FF 12, flyout shows briefly and then disappears. It seems to be minimizing to the start button on the left. No way to get to the options if you don't catch it at startup. Also the flyout shows up when starting Thunderbird.

    Edit:
    I'm also seeing 2 hmpalert.exe processes below the main service process that were started with the /flyout option. Is this normal?

    Al
    Last edited: May 25, 2012
  10. G1111
    G1111 Registered Member

    Forgot to mention working well with my other security software. Does HMA detect redirects?
  11. dlimanov
    dlimanov Registered Member

    This may be just the most useful browser protection ever invented. Great job Erik and Hitman!
  12. Adric
    Adric Registered Member

    Has anyone found any tests that will trigger an Alert?
  13. G1111
    G1111 Registered Member

    Tested with Tor (FF portable opened through Vidalia control panel) and no flyout screen. Does it protect while using Firefox portable?

    Also had one FP detected; I believe it was related to EMET 2.1. I didn't do screen capture. It would be nice to have a log so you don't have to make an immediate decision and do further testing and have a log with the DLLs listed to work with.

    Edit: Happened again. See below possible FP

    Attached Files:

    Last edited: May 25, 2012
  14. Brandonn2010
    Brandonn2010 Registered Member

    Got alerts as soon as I opened IE and Chrome:


    Google Chrome
    Process ID 600
    C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

    user32.dll
    SetWinEventHook 000d01f8
    SetWindowsHookExA 000d0600
    SetWindowsHookExW 000d0804
    UnhookWinEvent 000d03fc
    UnhookWindowsHookEx 000d0a08

    ntdll.dll
    LdrLoadDll 000c01f8
    LdrUnloadDll 000c03fc
    NtAllocateVirtualMemory 000c0600
    NtFreeVirtualMemory 000c0804
    NtProtectVirtualMemory 000c0a08
    NtTerminateProcess 000c0c0c
    ZwAllocateVirtualMemory 000c0600
    ZwFreeVirtualMemory 000c0804
    ZwProtectVirtualMemory 000c0a08
    ZwTerminateProcess 000c0c0c

    Google Chrome
    Process ID 2424
    C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

    user32.dll
    SetWinEventHook 004401f8
    SetWindowsHookExA 00440600
    SetWindowsHookExW 00440804
    UnhookWinEvent 004403fc
    UnhookWindowsHookEx 00440a08

    ntdll.dll
    LdrLoadDll 004201f8
    LdrUnloadDll 004203fc
    NtAllocateVirtualMemory 00420600
    NtFreeVirtualMemory 00420804
    NtProtectVirtualMemory 00420a08
    NtTerminateProcess 00420c0c
    ZwAllocateVirtualMemory 00420600
    ZwFreeVirtualMemory 00420804
    ZwProtectVirtualMemory 00420a08
    ZwTerminateProcess 00420c0c

    Google Chrome
    Process ID 2864
    C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

    user32.dll
    SetWinEventHook 003001f8
    SetWindowsHookExA 00300600
    SetWindowsHookExW 00300804
    UnhookWinEvent 003003fc
    UnhookWindowsHookEx 00300a08

    ntdll.dll
    LdrLoadDll 002e01f8
    LdrUnloadDll 002e03fc
    NtAllocateVirtualMemory 002e0600
    NtFreeVirtualMemory 002e0804
    NtProtectVirtualMemory 002e0a08
    NtTerminateProcess 002e0c0c
    ZwAllocateVirtualMemory 002e0600
    ZwFreeVirtualMemory 002e0804
    ZwProtectVirtualMemory 002e0a08
    ZwTerminateProcess 002e0c0c



    Also the scan doesn't work. It gets about 1/3 of the way and just stops. I have to hit Ignore to finish it. Also would be nice to have an icon in the browser showing it's running.
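A triage aid for alert details like the ones posted above, added here as an example (not code from HitmanPro.Alert or from anyone in this thread). It assumes the hex value after each export is the address the hook redirects to, which the post does not state, and reports which 64 KiB region each module's hooks land in and whether every process shows the same layout; an identical layout across processes suggests a single component hooking each browser process the same way.

```python
import re
from collections import defaultdict

# Excerpt of the details posted above (two processes, lists shortened).
REPORT = """\
Google Chrome
Process ID 600
C:\\Users\\Brandon\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe
user32.dll
SetWinEventHook 000d01f8
SetWindowsHookExA 000d0600
ntdll.dll
LdrLoadDll 000c01f8
NtAllocateVirtualMemory 000c0600
ZwAllocateVirtualMemory 000c0600
Google Chrome
Process ID 2424
C:\\Users\\Brandon\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe
user32.dll
SetWinEventHook 004401f8
SetWindowsHookExA 00440600
ntdll.dll
LdrLoadDll 004201f8
NtAllocateVirtualMemory 00420600
ZwAllocateVirtualMemory 00420600
"""

def parse_report(text):
    """Return {pid: {module: {export: address}}}; name and path lines are skipped."""
    procs, pid, module = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"Process ID (\d+)", line):
            pid, module = int(m.group(1)), None
            procs[pid] = defaultdict(dict)
        elif re.fullmatch(r"[\w.]+\.dll", line, re.I):
            module = line.lower()
        elif module and pid in procs and (m := re.fullmatch(r"(\w+) ([0-9a-fA-F]{8})", line)):
            procs[pid][module][m.group(1)] = int(m.group(2), 16)
    return procs

def fingerprint(mods):
    """Layout independent of the region base: (module, export, offset in 64 KiB)."""
    return frozenset((m, f, a & 0xFFFF) for m, fs in mods.items() for f, a in fs.items())

def triage(procs):
    """Return (64 KiB region bases per pid and module, True if all layouts match)."""
    regions = {pid: {m: sorted({a & ~0xFFFF for a in fs.values()}) for m, fs in mods.items()}
               for pid, mods in procs.items()}
    same_layout = len({fingerprint(mods) for mods in procs.values()}) == 1
    return regions, same_layout
```

The Nt*/Zw* pairs carry the same address because both names are exports of the same ntdll.dll stub, so each pair is one hook, not two.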
  15. subhrobhandari
    subhrobhandari Registered Member

    Here's my quick feedback:

    1. ZScaler SES addon does not work when hmpalert is running.

    http://research.zscaler.com/2010/07/new-firefox-add-on-to-protect-against.html

    2. If hmpalert.exe is closed while the browser is running, then it does not reopen automatically next time a browser session is started.

    3. I don't know if this is actually an issue, but looks like hmpalert.exe is reading the browser and writing a file \Device\HarddiskVolume1\log\mitb.log continuously but I can't seem to find the log file (I tried search Everything).

    Let me know when you need Bengali translations, I will be happy to help.
  16. KelvinW4
    KelvinW4 Registered Member

    Mighty nice :thumb:
  17. kupo
    kupo Registered Member

    Has anyone tested if it works when the browser is sandboxed by Sandboxie?
  18. erikloman
    erikloman Developer

    Wow. That browser is heavily modified. Will discuss with the team whether this configuration is supported. I assume it's caused by AppGuard?
  19. erikloman
    erikloman Developer

    1. That is weird because HitmanPro.Alert is a passive scan. Does not alter anything.

    2. Browser processes tend to linger in memory for a few seconds so if you open another then it belongs to the still lingering process.

    3. If you create C:\Log\ folder then the log file will be written. The Beta has this feature so we can request a log file in case of issues.

    Thank you for testing :thumb:
  20. erikloman
    erikloman Developer

    I think Portable Apps are currently not supported. TorBrowser is supported though.

    About the FP, it's confirmed that while closing a browser the alert is triggered due to some sort of race condition (scanning the browser process while it is closing). Bit hard to reproduce. It's not related to EMET as EMET is supported.

    Will be fixed in next Beta.
  21. erikloman
    erikloman Developer

    The minimizing effect should not happen, will address this in next Beta. Also we'll add more ways to get to options.

    Thunderbird has a browser to display the HTML email. Also iTunes will trigger the flyout as you can login/make purchases in iTunes (webkit based).

    The 2 hmpalert.exe processes are normal. One is the service, the other with the /flyout runs in user session. But this should close after a few seconds. If it is lingering then you've found a bug? When no flyout is visible you should only see one hmpalert.exe process.

    Thanks :thumb:
  22. Scoobs72
    Scoobs72 Registered Member

    Great application Erik. A couple of initial comments:

    1. HMPA doesn't appear to work in a standard user account/limited user account. Correct?

    2. The flyout window appears for browsers running under Sandboxie but does HMPA have full functionality in this instance?

    Thanks
  23. Cyrano2
    Cyrano2 Registered Member

    No Comodo Dragon support? :(
  24. erikloman
    erikloman Developer

    1. Should work. Can you send me the log file? A log file is created when you create the folder C:\Log\ .

    2. Yes fully functional. HitmanPro.Alert is a passive scanner so should work fine under Sandboxie.
  25. erikloman
    erikloman Developer

    First time I heard of this browser. Since it's based on Chrome it should be supported. We'll have a look why the flyout is not showing.