HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    No worries, this attack is intercepted on many layers. The Angler EK & TeslaCrypt / Alpha Crypt ransomware in the pcaps provided on the references on the link are blocked by Alert's Exploit Mitigations on Stack Pivot and ROP. When the ransomware becomes active it will be intercepted by CryptoGuard.

    Update: To illustrate the layered approach of HitmanPro.Alert, I just created a short video (less than 2 minutes) with the above-mentioned Angler exploit kit and its ransomware payload. In the video you can see that even when the attacker would bypass individual mitigations, the next layer would still disrupt the attack: https://www.youtube.com/watch?v=yBta0cflhIE
     
    Last edited: May 13, 2015
  2. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Is HitmanPro.Alert Free also free for commercial use?
     
  3. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Thank you, very impressive!
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree. HMPA has upped my comfort level quite a bit. Thanks, Erik and Mark.
     
  5. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    630
    Location:
    Terre Haute, IN
    I downloaded and installed HitmanPro.Alert, the build before 187. It did not appear to be working, so I uninstalled it with REVO Uninstaller Pro. Today I downloaded build 187 and it appears to work, but I can't activate it; it says I already did activate it. What do I do now? I thought the program was free; am I mistaken? All replies will be appreciated and I thank you in advance.

    John
     
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Hi John,

    Some of HitmanPro.Alert's features are free, some features are licensed.
    See this specification of HitmanPro.Alert free and paid features. [source]

    HitmanPro.Alert (and HitmanPro) come with a 30 day trial license.
    30 days after you activated the trial license, you'll need a commercial license if you want the licensed features.

    If you activated the 30 day trial license the first time you tried the program, and that is longer than 30 days ago, you'll need a commercial license to use the licensed features.
     
  7. jd97

    jd97 Registered Member

    Joined:
    Apr 27, 2015
    Posts:
    28
    That is quite impressive. Thank you for the demonstration. The YouTube video may gain you extra users.
    I did respond to your DM
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    You mean what I said earlier? Unfortunately it's not Norton related as it turns out.
     
  9. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Laptop: W7-x64 Professional, Spybot S&D 2.4, Microsoft Security Essentials, licensed HP241, HPA187, IE32, IE64, FF38.0.5,..
    Desktop: W7-x64 Home Premium, Spybot S&D 2.4, Microsoft Security Essentials, trial license HP241, HPA187, IE32, IE64, FF38.0.5,..

    On both machines IE32 (consistently) does not show 'Green window border' and does not show the 'Keystroke Encryption flyout'.
    HOWEVER IE32 actually performs keystroke encryption (as validated with the hmpalert testtool)
    IE64 and FF38.0.5 are working fine.

    Can I provide useful debug info?
     
    Last edited: May 14, 2015
  10. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Hi L10090,

    What do you mean, regarding W7-x64 IE32 and IE64?
    Previous versions had both IE 32 bit and IE 64 bit, but if you're talking about IE11 on Windows 7 64 bit, there should only be one IE installation, that uses iexplore.exe (64 bit) as well as iexplore.exe *32 (32 bit) processes.
    I don't understand how you are able to test HMPA in separate IE 32 bit and IE 64 bit, unless you're not using IE11 but a previous IE version.
     
  11. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Hi Stupendous Man, Thank you for your reply.

    I see two executable versions of IE11, one located in C:\Program Files (I have called IE64) and the other in C:\Program Files (x86) (I have called IE32).
    HMPAlert 187 sees two versions of IE11 too.

    Perhaps I totally misunderstand the IE11 concept; I have been a Firefox user for many years!

    Please see the attachments.
     


  12. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    That is correct.
    IE11 has components in both C:\Program Files and C:\Program Files (x86), and both 32 bit and 64 bit processes, and HMPA offers protection for both IE11 32 bit and 64 bit processes.

    But there are no separate 32 bit and 64 bit IE11 browser versions.
    That is why I don't understand how you can differentiate IE11 32 bit and 64 bit browser versions, where you said "IE32 (consistently) does not show 'Green window border' and does not show the 'Keystroke Encryption flyout'."
    That seems to imply that 'IE64' does show green window border and Keystroke Encryption flyout.
    But to me that seems impossible to determine, as there is no single 'IE32' or 'IE64' browser, but there's IE11 ('32+64 in one') with its iexplore.exe (64 bit) and iexplore.exe *32 (32 bit) processes.

    Can you explain how you could make that IE32 and IE64 differentiation regarding green window border and Keystroke Encryption flyout?
     
  13. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    On my W7-x64 Prof. taskbar there is an IE11 icon; the properties point to C:\Program Files (x86).
    If I click that icon, IE11 starts, no green border, no encryption flyout (consistently).

    If I click 'Start' -> 'All programs' there is an Internet Explorer icon with properties C:\Program Files.
    If I click this icon, IE11 starts, with green border and encryption flyout (consistently).

    I have this situation (default?) after reinstalling W7-x64 Prof. a couple of weeks ago on my laptop.

    On my desktop, running W7-x64 Home Premium, I see the same IE11 situation:
    The taskbar icon points to C:\Program Files (x86) and 'Start' -> 'All programs' icon points to C:\Program Files.
     
    Last edited: May 14, 2015
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Ah, that's interesting, thanks very much.

    On my Windows 7 x64 system, in both the task bar IE shortcut and the 'Start', 'All programs' IE shortcut the target in Properties is C:\Program Files\Internet Explorer\iexplore.exe
    I don't know why in your task bar IE shortcut the target in Properties is C:\Program Files\Internet Explorer (x86)\iexplore.exe

    Did you do a clean re-install from an original Windows 7 installation medium, or did you re-install from an image of an installation that may have had modified settings?

    Nevertheless, regardless of the above, and regardless of how IE is started, I would think HMPA's green border and encryption flyout should be working. If they don't, that's a bug, I suppose, and something for SurfRight to look at.

    The same applies to what I reported earlier (April 11 and May 4), the fact that colored borders do not show with IE9 and IE11 InPrivate Browsing.
    There are quite a few reported bugs still pending. As I said before, I really hope that SurfRight has all reported bugs listed, also the reports that neither Erik nor Mark responded to (like J_L's 9 May report, for instance), and I hope all important stuff will be fixed in the next build(s).
     
  15. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    SSPremium encryption was disabled. This issue was not present with HMPro Alert v183.

     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Yes, I was referring to your post. How did you determine that NS wasn't a factor?
     
  17. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    I reinstalled W7-x64 over the existing W7-x64, using the original/genuine W7 installation DVD. So a number of settings are most likely reused!
    However, what should the default be after a clean W7-x64 install:
    both the taskbar IE11 icon and the 'Start' -> 'All programs' IE11 icon pointing to C:\Program Files\Internet Explorer\iexplore.exe?
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    To my knowledge - yes.
    In x64 Windows, IE11 '32+64 in one' is default, so I would think C:\Program Files\Internet Explorer\iexplore.exe would be default. (It's the shortcut that you find in 'Start', 'All programs'.)
    I don't know why on your task bar you find a shortcut to C:\Program Files (x86)\Internet Explorer\iexplore.exe. Could this be a remnant of an earlier IE installation? Earlier IE versions had separate x86 and x64 browsers. If I'm not mistaken, IE11 was the first with '32+64 in one' as default. (Or was it IE10? IE9 had separate x86 and x64 browsers for sure.) The earlier IE versions that had separate x86 and x64 browsers had IE x86 as default, and the default shortcut was the x86 version. That's why I think your x86 task bar shortcut may be a remnant from an earlier IE version.

    My Windows 7 x64 is a recent installation (installed November 2014), installed from Windows 7 SP1 installation medium.
    And now I'm wondering - was there a default task bar IE shortcut? If so - what did I do with that? Did I keep the default task bar IE shortcut, or did I remove it, and create a new task bar shortcut from 'Start', 'All programs'?
    I'm not sure, I don't remember. So I can't tell for sure if there was a default task bar shortcut for C:\Program Files\Internet Explorer\iexplore.exe, or if perhaps there was a default task bar shortcut for C:\Program Files (x86)\Internet Explorer\iexplore.exe that I removed.

    But anyhow, as I said before, regardless of how IE is started, x86 or x64, I would think HMPA's green border and encryption flyout should be working, and if it doesn't, it's something for SurfRight to look at.
     
  19. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Stupendous Man,

    Thank you very much for your replies; I agree with your 'remnant' thought.
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    I'm sure NS isn't a factor. Works fine on my laptop with NS. Does not work on my desktop, which also had NS. I suspected the same thing when I had the problem on the desktop, but when the laptop worked I had to rule it out.
     
  21. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    630
    Location:
    Terre Haute, IN
    After I installed HitmanPro.Alert my Skype program will no longer load. It will not load when the computer starts, as it always did, nor will it load when I click on its icon. Has anyone experienced problems with Skype loading while using HitmanPro.Alert? If so, were you able to correct it? And, if you could explain what steps you took to correct this problem I would very much appreciate it. As always I appreciate all replies and would thank you in advance.

    John
     
  22. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    No, I never encountered Skype (currently v7.4) problems while using HMPalert187 and previous (beta) versions. By default, Skype is a hmpalert-protected application.

    Did you try 'disable mitigations' for Skype, just to see if Skype starts?

    skype mitigations.jpg
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No Skype problems here either.

    Pete
     
  24. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    630
    Location:
    Terre Haute, IN
    Not sure if this will make a difference or not, but I am still using Windows XP Pro SP3. And I have not activated HitmanPro.Alert; I am using it in the free mode. Maybe it is something with my system, as I didn't have any success with Malwarebytes Anti-Exploit either; could never get it to load after installation. So at least for now I believe I will remove HitmanPro.Alert. Anyway, thanks for the replies, I do appreciate it.

    John
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    This was a clue.

     