HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined: Jun 4, 2009 | Posts: 2,382 | Location: Hengelo, The Netherlands
    Hello all,

    Last month we announced HitmanPro.Alert and today we release the first BETA version of HitmanPro.Alert.

    HitmanPro.Alert is a free tool that mitigates Man-in-the-Browser attacks by informing you when a known or unknown Trojan has infiltrated your browser. Keep your money and personal data safe during online banking, shopping, social networking, blogging, gaming and more.

    HitmanPro.Alert is designed to run alongside installed antivirus products. It is not a browser plug-in but a small Windows service that checks the web browser's integrity.

    Supported Web Browsers
    • Google Chrome
    • Internet Explorer
    • Firefox
    • Safari
    • Opera
    • Most browsers based on the above list, like Maxthon, Pale Moon, TorBrowser, etc.
    More information here.

    HitmanPro.Alert shows a so-called Flyout window to notify the computer user that the browser integrity has been checked and that no anomalies have been found. When the Flyout window disappears HitmanPro.Alert keeps monitoring the browser in the background.

    Note: You can click on the grey Flyout window to get additional options (like suppressing the Flyout).

    [Screenshots: FirefoxFlyout.png, FirefoxFlyoutOptions.png]

    If HitmanPro.Alert finds an anomaly in the web browser then an Alert Dialog is shown with an option to view the anomaly details. In addition there is a button to scan the computer with HitmanPro to remove the threat.

    [Screenshots: FirefoxCompromised.PNG, FirefoxCompromisedDetails.PNG]


    You can uninstall HitmanPro.Alert using the standard Add/Remove Software control panel.

    Known Issues
    • Beta version is English only
    • Beta version is incompatible with Trusteer Rapport
    • HitmanPro.Alert icon
    • Some focus issues during an Alert
    • Limited support for Terminal Server environments (need more testing)

    32-bit: http://dl.surfright.nl/beta/hmpalert.exe (482KB)
    64-bit: http://dl.surfright.nl/beta/hmpalert_x64.exe (544KB)

    For Windows XP, Vista, 2003, 2008 and Windows 7.

    NOTE: This is a beta release so it is not recommended for use in production environments.

    Please let us know: What do you like? What needs improvement? Stuff like UI (text), performance, memory consumption, etc. Do you experience problems using HitmanPro.Alert? Let us know! :thumb:

    If HitmanPro.Alert does not show a Flyout for your browser, then please let us know so we can add support for it.
     
    Last edited: May 25, 2012
  2. Nizarawi

    Nizarawi Registered Member

    Joined: May 26, 2008 | Posts: 125
    thank you :p
     
  3. Blues7

    Blues7 Registered Member

    Joined: May 11, 2009 | Posts: 854 | Location: Blue Ridge Mountains
    This is exciting news, Erik. Congrats. :cool: :thumb:
     
  4. LoneWolf

    LoneWolf Registered Member

    Joined: Jan 2, 2006 | Posts: 3,367
    While taking HMP Alert for a quick spin I get this message if AdMuncher is shut down.........
    [Screenshot: 0.png]

    While I get this if AdMuncher v4.92 is active...........
    [Screenshots: 1.png, 2.png]

    Scanning with HMP comes up clean.......FP maybe o_O
     
  5. erikloman

    erikloman Developer

    Joined: Jun 4, 2009 | Posts: 2,382 | Location: Hengelo, The Netherlands
    Confirmed. We will address this in the next beta (end of next week). HitmanPro.Alert has an updater so you should be automatically updated when we release a fix.

    Please keep the reports coming in :thumb:
     
  6. LoneWolf

    LoneWolf Registered Member

    Joined: Jan 2, 2006 | Posts: 3,367
    Thanks for the quick response and confirmation. :D :thumb:
     
  7. G1111

    G1111 Registered Member

    Joined: May 11, 2005 | Posts: 2,034 | Location: USA
    No problems with installation. Running 01 CPU and 1.8 K RAM on Windows 7 HP SP1 x86. No icon or way to close program. If integrated with HMP there should be ability to close this portion if user desires. Running scan with HMP from HMA works with no problem. Flyout works with Firefox 12.0. Uninstall shows up in control panel under "Uninstall HitmanAlert.beta". Flyout does not open if opening a second FF application. Not sure if this is problem or not.
     
  8. erikloman

    erikloman Developer

    Joined: Jun 4, 2009 | Posts: 2,382 | Location: Hengelo, The Netherlands
    Good eye (aka good tester to notice this)!

    The Flyout is only shown once per browsing session so that the Flyout is not shown too often.

    If the second Firefox application (window) is opened then Firefox ties it to the first browsing session. If you close all Firefox processes (close their windows and check in Task Manager) and then open Firefox again, you should see the Flyout again.
     
  9. Adric

    Adric Registered Member

    Joined: Feb 1, 2006 | Posts: 674
    On XP/SP3 with FF 12, flyout shows briefly and then disappears. It seems to be minimizing to the start button on the left. No way to get to the options if you don't catch it at startup. Also the flyout shows up when starting Thunderbird.

    Edit:
    I'm also seeing 2 hmpalert.exe processes below the main service process that were started with the /flyout option. Is this normal?

    Al
     
    Last edited: May 25, 2012
  10. G1111

    G1111 Registered Member

    Joined: May 11, 2005 | Posts: 2,034 | Location: USA
    Forgot to mention working well with my other security software. Does HMA detect redirects?
     
  11. dlimanov

    dlimanov Registered Member

    Joined: Jun 10, 2009 | Posts: 204
    This may be just the most useful browser protection ever invented. Great job Erik and Hitman!
     
  12. Adric

    Adric Registered Member

    Joined: Feb 1, 2006 | Posts: 674
    Has anyone found any tests that will trigger an Alert?
     
  13. G1111

    G1111 Registered Member

    Joined: May 11, 2005 | Posts: 2,034 | Location: USA
    Tested with Tor (FF portable opened through Vidalia control panel) and no flyout screen. Does it protect while using Firefox portable?

    Also had one FP detected; I believe it was related to EMET 2.1. I didn't do screen capture. It would be nice to have a log so you don't have to make an immediate decision and do further testing and have a log with the DLLs listed to work with.

    Edit: Happened again. See below possible FP
     


    Last edited: May 25, 2012
  14. Brandonn2010

    Brandonn2010 Registered Member

    Joined: Jan 10, 2011 | Posts: 1,820
    Got alerts as soon as I opened IE and Chrome:


    Google Chrome
    Process ID 600
    C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

    user32.dll
    SetWinEventHook 000d01f8
    SetWindowsHookExA 000d0600
    SetWindowsHookExW 000d0804
    UnhookWinEvent 000d03fc
    UnhookWindowsHookEx 000d0a08

    ntdll.dll
    LdrLoadDll 000c01f8
    LdrUnloadDll 000c03fc
    NtAllocateVirtualMemory 000c0600
    NtFreeVirtualMemory 000c0804
    NtProtectVirtualMemory 000c0a08
    NtTerminateProcess 000c0c0c
    ZwAllocateVirtualMemory 000c0600
    ZwFreeVirtualMemory 000c0804
    ZwProtectVirtualMemory 000c0a08
    ZwTerminateProcess 000c0c0c

    Google Chrome
    Process ID 2424
    C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

    user32.dll
    SetWinEventHook 004401f8
    SetWindowsHookExA 00440600
    SetWindowsHookExW 00440804
    UnhookWinEvent 004403fc
    UnhookWindowsHookEx 00440a08

    ntdll.dll
    LdrLoadDll 004201f8
    LdrUnloadDll 004203fc
    NtAllocateVirtualMemory 00420600
    NtFreeVirtualMemory 00420804
    NtProtectVirtualMemory 00420a08
    NtTerminateProcess 00420c0c
    ZwAllocateVirtualMemory 00420600
    ZwFreeVirtualMemory 00420804
    ZwProtectVirtualMemory 00420a08
    ZwTerminateProcess 00420c0c

    Google Chrome
    Process ID 2864
    C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe

    user32.dll
    SetWinEventHook 003001f8
    SetWindowsHookExA 00300600
    SetWindowsHookExW 00300804
    UnhookWinEvent 003003fc
    UnhookWindowsHookEx 00300a08

    ntdll.dll
    LdrLoadDll 002e01f8
    LdrUnloadDll 002e03fc
    NtAllocateVirtualMemory 002e0600
    NtFreeVirtualMemory 002e0804
    NtProtectVirtualMemory 002e0a08
    NtTerminateProcess 002e0c0c
    ZwAllocateVirtualMemory 002e0600
    ZwFreeVirtualMemory 002e0804
    ZwProtectVirtualMemory 002e0a08
    ZwTerminateProcess 002e0c0c



    Also the scan doesn't work. It gets about a 1/3 of the way and just stops. I have to hit Ignore to finish it. Also would be nice to have an icon in the browser showing it's running.
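
Added example (not part of the original thread and not the vendor's code): a small parser for the alert details format shown in the post above. It checks whether every listed process shows the same exports at the same offsets and counts distinct addresses. It assumes the hex column is an address associated with each export (the thread does not say what it denotes); all function names are hypothetical.

```python
import re
# Input: excerpt of the alert details posted above (two processes, shortened).
SAMPLE = r"""Google Chrome
Process ID 600
C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe
user32.dll
SetWindowsHookExW 000d0804
ntdll.dll
LdrLoadDll 000c01f8
NtProtectVirtualMemory 000c0a08
ZwProtectVirtualMemory 000c0a08
Google Chrome
Process ID 2424
C:\Users\Brandon\AppData\Local\Google\Chrome\Application\chrome.exe
user32.dll
SetWindowsHookExW 00440804
ntdll.dll
LdrLoadDll 004201f8
NtProtectVirtualMemory 00420a08
ZwProtectVirtualMemory 00420a08"""

PID_RE = re.compile(r"^Process ID (\d+)$")
HOOK_RE = re.compile(r"^(\w+)\s+([0-9a-fA-F]{8})$")

def parse_alert(text):
    """Return {pid: {module: {export: address}}} from the alert details text."""
    procs, pid, module = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PID_RE.match(line):
            pid, module = int(m.group(1)), None
            procs[pid] = {}
        elif pid is not None and re.fullmatch(r"[\w.-]+\.dll", line, re.I):
            module = line.lower()
        elif module and (m := HOOK_RE.match(line)):
            procs[pid].setdefault(module, {})[m.group(1)] = int(m.group(2), 16)
    return procs

def layout(proc):
    """Low 16 bits of each address (assumed: offset inside a 64 KB region)."""
    return {(mod, fn): a & 0xFFFF for mod, fns in proc.items() for fn, a in fns.items()}

def same_layout(procs):
    """True when every process lists the same exports at the same offsets."""
    layouts = [layout(p) for p in procs.values()]
    return all(l == layouts[0] for l in layouts)

def distinct_targets(proc):
    """Count unique addresses; Nt*/Zw* pairs share one address in the report."""
    return len({a for fns in proc.values() for a in fns.values()})
```

An identical layout across processes points at one component modifying every browser process the same way, which is useful when deciding whether an alert is a compatibility report to send to the vendor.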
     
  15. subhrobhandari

    subhrobhandari Registered Member

    Joined: Nov 6, 2009 | Posts: 570
    Here's my quick feedback:

    1. ZScaler SES addon does not work when hmpalert is running.

    http://research.zscaler.com/2010/07/new-firefox-add-on-to-protect-against.html

    2. If hmpalert.exe is closed while the browser is running, then it does not reopen automatically next time a browser session is started.

    3. I don't know if this is actually an issue, but looks like hmpalert.exe is reading the browser and writing a file \Device\HarddiskVolume1\log\mitb.log continuously but I can't seem to find the log file (I tried search Everything).

    Let me know when you need Bengali translations, I will be happy to help.
     
  16. KelvinW4

    KelvinW4 Registered Member

    Joined: Oct 11, 2011 | Posts: 1,198 | Location: Los Angeles, California
    Mighty nice :thumb:
     
  17. kupo

    kupo Registered Member

    Joined: Jan 25, 2011 | Posts: 1,122
    Anyone tested it if it works if the browser is sandboxed by Sandboxie?
     
  18. erikloman

    erikloman Developer

    Joined: Jun 4, 2009 | Posts: 2,382 | Location: Hengelo, The Netherlands
    Wow. That browser is heavily modified. Will discuss with the team whether this configuration is supported. I assume it's caused by AppGuard?
     
  19. erikloman

    erikloman Developer

    Joined: Jun 4, 2009 | Posts: 2,382 | Location: Hengelo, The Netherlands
    1. That is weird because HitmanPro.Alert is a passive scan. Does not alter anything.

    2. Browser processes tend to linger in memory for a few seconds so if you open another then it belongs to the still lingering process.

    3. If you create C:\Log\ folder then the log file will be written. The Beta has this feature so we can request a log file in case of issues.

    Thank you for testing :thumb:
     
  20. erikloman

    erikloman Developer

    Joined: Jun 4, 2009 | Posts: 2,382 | Location: Hengelo, The Netherlands
    I think Portable Apps are currently not supported. TorBrowser is supported though.

    About the FP, it's confirmed that while closing a browser the alert is triggered due to some sort of race condition (scanning the browser process while it is closing). Bit hard to reproduce. It's not related to EMET as EMET is supported.

    Will be fixed in next Beta.
     
  21. erikloman

    erikloman Developer

    Joined: Jun 4, 2009 | Posts: 2,382 | Location: Hengelo, The Netherlands
    The minimizing effect should not happen, will address this in next Beta. Also we'll add more ways to get to options.

    Thunderbird has a browser to display the HTML email. Also iTunes will trigger the flyout as you can login/make purchases in iTunes (webkit based).

    The 2 hmpalert.exe processes are normal. One is the service, the other with the /flyout runs in user session. But this should close after a few seconds. If it is lingering then you've found a bug? When no flyout is visible you should only see one hmpalert.exe process.

    Thanks :thumb:
     
  22. Scoobs72

    Scoobs72 Registered Member

    Joined: Jul 16, 2007 | Posts: 1,104 | Location: Sofa (left side)
    Great application Erik. A couple of initial comments:

    1. HMPA doesn't appear to work in a standard user account/limited user account. Correct?

    2. The flyout window appears for browsers running under Sandboxie but does HMPA have full functionality in this instance?

    Thanks
     
  23. Cyrano2

    Cyrano2 Registered Member

    Joined: Mar 19, 2010 | Posts: 120 | Location: Spain
    No Comodo Dragon support? :(
     
  24. erikloman

    erikloman Developer

    Joined: Jun 4, 2009 | Posts: 2,382 | Location: Hengelo, The Netherlands
    1. Should work. Can you send me the log file? A log file is created when you create the folder C:\Log\ .

    2. Yes fully functional. HitmanPro.Alert is a passive scanner so should work fine under Sandboxie.
     
  25. erikloman

    erikloman Developer

    Joined: Jun 4, 2009 | Posts: 2,382 | Location: Hengelo, The Netherlands
    First time I heard of this browser. Since it's based on Chrome it should be supported. We'll have a look why the flyout is not showing.