HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you run AppCrashView?

    What version of Windows and which AV are you running?
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3 Build 139 Release Candidate

    Changelog
    • Fixed Windows XP support
    • Improved IAF mitigation (reduced false positives)
    • Improved ROP mitigation
    • Added support for Intel Broadwell processors (hardware-assisted Exploit Mitigations)
    • Added Window Border auto-hide option
    • Added Window Border keystroke encryption indicator option
    Download
    http://test.hitmanpro.com/hmpalert3b139.exe

    Please let me know how this version runs on your computer :thumb:
     
  3. guest

    guest Guest

    @erikloman

    Very nice, could you shed some light on the improvements of the ROP mitigation?
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Mostly solved some false positives.
     
  5. Cactus5

    Cactus5 Registered Member

    Joined:
    Jan 17, 2015
    Posts:
    28
    Location:
    Southwest USA
    Erik, I'm still getting ROP mitigation in Windows Media Player with build 139. I also get encrypted keystrokes in the address/URL bar in both IE11 and Chrome 39 but not Firefox 35. I am using Enhanced Protected Mode in IE11 and 64-bit Chrome 39. Running Windows 7 x64 SP1 with Emsisoft Internet Security, AppGuard and HitmanPro Alert. Willing to provide any data needed.

    This is occurring on 2 different laptops with same security configuration and Windows/browser versions.
     
  6. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Really coming together now... Good to have an option for a permanent border.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Erik,

    The issues with Windows Live Mail and Adobe Reader have been resolved with this build. :thumb:

    I too received a ROP alert when opening Windows Media Player. Please see below.


    Code:
    Log Name:  Application
    Source:  HitmanPro.Alert
    Date:  21/01/2015 9:42:41 AM
    Event ID:  911
    Task Category: (9)
    Level:  Error
    Keywords:  Classic
    User:  N/A
    Computer:  David-HP
    Description:
    Mitigation  ROP
    
    Platform  6.1.7601/x64 06_3a
    PID  4000
    Application  C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    Description  Windows Media Player 12
    
    Branch Trace  Opcode  To  
    -------------------------------- -------- --------------------------------
    Sysprep +0x4f857  * RET MakeEscapedURL +0x16ef  
    0x597E3062 drmv2clt.dll  0x597F9338 drmv2clt.dll  
      838dc8fbffffff  OR  DWORD [EBP-0x438], -0x1
      83c40c  ADD  ESP, 0xc
      68f07d7459  PUSH  DWORD 0x59747df0
      ff157c127459  CALL  DWORD [0x5974127c]
      e88484feff  CALL  0x597e17d6
      90  NOP  
      0000  ADD  [EAX], AL
      a028050e90  MOV  AL, [0x900e0528]
      2c05  SUB  AL, 0x5
      0e  PUSH  CS
      90  NOP  
      6599  CDQ  
      0270e8  ADD  DH, [EAX-0x18]
      84cf  TEST  BH, CL
      (B68A20973F29C574)
    
    
    0x5975E9CA drmv2clt.dll  RET MakeEscapedURL +0x16da  
      0x597F9323 drmv2clt.dll  
    
    Stack Trace
    #  Address  Module  Location
    -- -------- ------------------------ ----------------------------------------
    
    1  597F934D drmv2clt.dll  MakeEscapedURL +0x1704
      e88484feff  CALL  0x597e17d6
      90  NOP  
      0000  ADD  [EAX], AL
      a028050e90  MOV  AL, [0x900e0528]
      2c05  SUB  AL, 0x5
      0e  PUSH  CS
      90  NOP  
      6599  CDQ  
      0270e8  ADD  DH, [EAX-0x18]
      84cf  TEST  BH, CL
    
    2  5976016E drmv2clt.dll  CreateDRMRightsManager +0x2af
    3  59993D5B msscp.dll  DllUnregisterServer +0x4012d
    4  599A93C0 msscp.dll  DllUnregisterServer +0x55792
    5  5995F35B msscp.dll  DllUnregisterServer +0xb72d
    6  5995800D msscp.dll  DllUnregisterServer +0x43df
    7  599582C3 msscp.dll  DllUnregisterServer +0x4695
    8  5995A25D msscp.dll  DllUnregisterServer +0x662f
    9  599546F7 msscp.dll  DllUnregisterServer +0xac9
    10 5769FF5B wmp.dll  
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="HitmanPro.Alert" />
      <EventID Qualifiers="0">911</EventID>
      <Level>2</Level>
      <Task>9</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2015-01-20T22:42:41.000000000Z" />
      <EventRecordID>11594</EventRecordID>
      <Channel>Application</Channel>
      <Computer>David-HP</Computer>
      <Security />
      </System>
      <EventData>
      <Data>C:\Program Files (x86)\Windows Media Player\wmplayer.exe</Data>
      <Data>ROP</Data>
      <Data>Mitigation  ROP
    
    Platform  6.1.7601/x64 06_3a
    PID  4000
    Application  C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    Description  Windows Media Player 12
    
    Branch Trace  Opcode  To  
    -------------------------------- -------- --------------------------------
    Sysprep +0x4f857  * RET MakeEscapedURL +0x16ef  
    0x597E3062 drmv2clt.dll  0x597F9338 drmv2clt.dll  
      838dc8fbffffff  OR  DWORD [EBP-0x438], -0x1
      83c40c  ADD  ESP, 0xc
      68f07d7459  PUSH  DWORD 0x59747df0
      ff157c127459  CALL  DWORD [0x5974127c]
      e88484feff  CALL  0x597e17d6
      90  NOP  
      0000  ADD  [EAX], AL
      a028050e90  MOV  AL, [0x900e0528]
      2c05  SUB  AL, 0x5
      0e  PUSH  CS
      90  NOP  
      6599  CDQ  
      0270e8  ADD  DH, [EAX-0x18]
      84cf  TEST  BH, CL
      (B68A20973F29C574)
    
    
    0x5975E9CA drmv2clt.dll  RET MakeEscapedURL +0x16da  
      0x597F9323 drmv2clt.dll  
    
    Stack Trace
    #  Address  Module  Location
    -- -------- ------------------------ ----------------------------------------
    
    1  597F934D drmv2clt.dll  MakeEscapedURL +0x1704
      e88484feff  CALL  0x597e17d6
      90  NOP  
      0000  ADD  [EAX], AL
      a028050e90  MOV  AL, [0x900e0528]
      2c05  SUB  AL, 0x5
      0e  PUSH  CS
      90  NOP  
      6599  CDQ  
      0270e8  ADD  DH, [EAX-0x18]
      84cf  TEST  BH, CL
    
    2  5976016E drmv2clt.dll  CreateDRMRightsManager +0x2af
    3  59993D5B msscp.dll  DllUnregisterServer +0x4012d
    4  599A93C0 msscp.dll  DllUnregisterServer +0x55792
    5  5995F35B msscp.dll  DllUnregisterServer +0xb72d
    6  5995800D msscp.dll  DllUnregisterServer +0x43df
    7  599582C3 msscp.dll  DllUnregisterServer +0x4695
    8  5995A25D msscp.dll  DllUnregisterServer +0x662f
    9  599546F7 msscp.dll  DllUnregisterServer +0xac9
    10 5769FF5B wmp.dll  
    </Data>
      </EventData>
    </Event>
    
     
  8. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Nothing is crashing I think. Is AppCrashView still helpful in this case?

    I run Windows 7 SP1 x64 English and I use Emsisoft Internet Security 9.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes thanks, this makes sense.

    Perhaps because of auto-update? Maybe an idea to give an option to turn this off.
     
  10. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Updated to build 139.

    Currently no gibberish (KeePass, Firefox).
     
  11. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    No such issues seen with the upgrade this time, and running fine here :)
     
  12. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,414
    Testing HMPA 3 build 139RC and no issues to report. Everything so far looking good. Thanks for the fix.
     
  13. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,444
    Location:
    "An Apple a Day, Keeps Microsoft Away"
    Thank you. :thumb:
     
  14. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Just installed http://test.hitmanpro.com/hmpalert3b139.exe . At first I thought the hidden Fx 35 window was fixed, but it's not. Since installing HMP.Alert, I've been having issues with Fx hanging when closed. I get that annoying "Firefox is running but not responding" dialog when I try running it after having closed it recently. Then, I can see multiple instances of plugin-container.exe and firefox.exe running (all under my user context and the same Fx profile).

    I'm also having an issue with HMP.Alert and EMET, as shown below. The workarounds are obvious (reconfigure/remove EMET or disable ROP for Fx in HMP.Alert), but those are all less appealing than being able to exclude EMET.dll from the ROP detection for Fx. I suppose if all goes well with HMP.Alert, I will be removing EMET anyway.

    rop.png

    Win8.1 Pro x64
    HMP.Alert 3.0.23.build 139 RC
    Qihoo 360 Total Security 6.0.0.1108
    Firefox 35.0
     
    Last edited: Jan 20, 2015
  15. FOXP2

    FOXP2 Guest

    Pseudo bump. :isay: Thank you.
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Sent you a PM.
     
  17. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Looks like the TrackMeNot 0.8.13 extension was at least partially at fault for the Firefox behavior I mentioned. What I don't get is why it was never an issue until I installed HMP.Alert, and then remained a problem afterward, until I disabled that extension.
     
  18. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    32(!) alerts during the Java update 8u31 with build 137. Despite CLOSE, again and again the same alert. Will update to the latest build 139.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 21-1-2015 8:22:33
    Gebeurtenis-id:911
    Taakcategorie: (9)
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation Lockdown
    Platform 6.1.7601/x64 06_17*
    PID 3276
    Application C:\Users\****\AppData\Local\Temp\jre-8u31-windows-au.exe
    Description Java Platform SE binary 8
    Filename C:\Users\****\AppData\LocalLow\Sun\Java\AU\LZMA_EXE
    Command line:
    "C:\Users\****\AppData\LocalLow\Sun\Java\AU\\LZMA_EXE" d "C:\Users\****\AppData\LocalLow\Sun\Java\AU\au.msi" "C:\Users\****\AppData\LocalLow\Sun\Java\AU\\msi.tmp"
    Gebeurtenis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-21T07:22:33.000000000Z" />
    <EventRecordID>158928</EventRecordID>
    <Channel>Application</Channel>
    <Computer>*****</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Users\****\AppData\Local\Temp\jre-8u31-windows-au.exe</Data>
    <Data>Lockdown</Data>
    <Data>Mitigation Lockdown
    Platform 6.1.7601/x64 06_17*
    PID 3276
    Application C:\Users\****\AppData\Local\Temp\jre-8u31-windows-au.exe
    Description Java Platform SE binary 8
    Filename C:\Users\****\AppData\LocalLow\Sun\Java\AU\LZMA_EXE
    Command line:
    "C:\Users\*****\AppData\LocalLow\Sun\Java\AU\\LZMA_EXE" d "C:\Users\*****\AppData\LocalLow\Sun\Java\AU\au.msi" "C:\Users\*****\AppData\LocalLow\Sun\Java\AU\\msi.tmp"
    </Data>
    </EventData>
    </Event>
     

    Last edited: Jan 21, 2015
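The two Event ID 911 descriptions posted above (the ROP alert in wmplayer.exe and the Lockdown alert on the Java updater) share one plain-text layout: a block of key/value header lines, optionally a "Command line:" line whose value sits on the next line, and for ROP alerts a "Stack Trace" table interleaved with disassembly. When the same alert fires dozens of times, it helps to reduce each event to a small signature (mitigation, process, and the top stack frame or locked-down file) so repeats can be grouped and compared against a known-benign list. The parser below is an added example written for this thread; it is not HitmanPro.Alert's own code, and the field layout is inferred only from the two logs quoted above. The embedded samples are abridged copies of those logs (user names kept as the poster's `****` redaction), and the helper names `parse_alert`, `stack_modules` and `alert_signature` are this example's own.

```python
"""Parse HitmanPro.Alert Event ID 911 descriptions into a triage signature."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples, abridged from the two 911 events quoted in this thread.
SAMPLE_ROP = r"""Mitigation  ROP

Platform  6.1.7601/x64 06_3a
PID  4000
Application  C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Description  Windows Media Player 12

Branch Trace  Opcode  To
-------------------------------- -------- --------------------------------
Sysprep +0x4f857  * RET MakeEscapedURL +0x16ef
0x597E3062 drmv2clt.dll  0x597F9338 drmv2clt.dll
  838dc8fbffffff  OR  DWORD [EBP-0x438], -0x1
  0000  ADD  [EAX], AL

Stack Trace
#  Address  Module  Location
-- -------- ------------------------ ----------------------------------------

1  597F934D drmv2clt.dll  MakeEscapedURL +0x1704
  e88484feff  CALL  0x597e17d6
  90  NOP
2  5976016E drmv2clt.dll  CreateDRMRightsManager +0x2af
3  59993D5B msscp.dll  DllUnregisterServer +0x4012d
10 5769FF5B wmp.dll
"""

SAMPLE_LOCKDOWN = r"""Mitigation Lockdown
Platform 6.1.7601/x64 06_17*
PID 3276
Application C:\Users\****\AppData\Local\Temp\jre-8u31-windows-au.exe
Description Java Platform SE binary 8
Filename C:\Users\****\AppData\LocalLow\Sun\Java\AU\LZMA_EXE
Command line:
"C:\Users\****\AppData\LocalLow\Sun\Java\AU\\LZMA_EXE" d "C:\Users\****\AppData\LocalLow\Sun\Java\AU\au.msi"
"""

# Header lines: keyword, one or more spaces, value (values may contain spaces).
KEY_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description|Filename)\s+(.+?)\s*$")
# Stack frames: index, 8-hex-digit address, module, optional symbolic location.
# Disassembly lines under a frame start with raw opcode bytes and never match.
FRAME_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)(?:\s+(.*?))?\s*$")
FIELD_MAP = {"Mitigation": "mitigation", "Platform": "platform", "PID": "pid",
             "Application": "application", "Description": "description",
             "Filename": "filename"}


@dataclass
class Frame:
    index: int
    address: str
    module: str
    location: str


@dataclass
class Alert:
    mitigation: str = ""
    platform: str = ""
    pid: int = 0
    application: str = ""
    description: str = ""
    filename: str = ""
    command_line: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)


def parse_alert(text: str) -> Alert:
    """Parse the <Data> description text of one 911 event."""
    alert = Alert()
    lines = text.splitlines()
    in_stack = False
    i = 0
    while i < len(lines):
        line = lines[i]
        stripped = line.strip()
        if stripped == "Stack Trace":
            in_stack = True          # everything after this is frame/disassembly lines
        elif stripped == "Command line:":
            if i + 1 < len(lines):   # the value lives on the following line
                alert.command_line = lines[i + 1].strip()
                i += 1
        elif in_stack:
            m = FRAME_RE.match(line)
            if m:
                alert.frames.append(Frame(int(m.group(1)), m.group(2).upper(),
                                          m.group(3), m.group(4) or ""))
        else:
            m = KEY_RE.match(line)
            if m:
                attr, value = FIELD_MAP[m.group(1)], m.group(2)
                setattr(alert, attr, int(value) if attr == "pid" else value)
        i += 1
    return alert


def stack_modules(alert: Alert) -> List[str]:
    """Modules on the stack, innermost first, without repeats."""
    seen: List[str] = []
    for f in alert.frames:
        if f.module not in seen:
            seen.append(f.module)
    return seen


def alert_signature(alert: Alert) -> Tuple[str, str, str]:
    """(mitigation, process, top frame or locked-down file): key for grouping repeats."""
    if alert.frames:
        top = alert.frames[0]
        where = f"{top.module}!{top.location}" if top.location else top.module
    elif alert.filename:
        where = ntpath.basename(alert.filename)
    else:
        where = ""
    return (alert.mitigation, ntpath.basename(alert.application), where)


if __name__ == "__main__":
    for sample in (SAMPLE_ROP, SAMPLE_LOCKDOWN):
        a = parse_alert(sample)
        print(alert_signature(a), "pid", a.pid, "modules", stack_modules(a))
```

Feeding the ROP sample through `alert_signature` yields `("ROP", "wmplayer.exe", "drmv2clt.dll!MakeEscapedURL +0x1704")`, which is exactly the tuple a support engineer would want to match when deciding whether a repeated alert is the same already-known false positive in the DRM client; the Lockdown sample reduces to `("Lockdown", "jre-8u31-windows-au.exe", "LZMA_EXE")`, the updater's embedded decompressor.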
  19. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    With build 139, again an alert (2x) with the Java update 8u31 JRE.
     
  20. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    Last edited: Jan 21, 2015
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    How did you initiate the update?
     
  22. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    See jpg.
     

  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Is that process mitigated? (Lockdown)
     
  24. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    Yes. Despite CLOSE, again and again an alert. With the downloaded file, no problem.
     
  25. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383