HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Try disabling the encryption under the orange tab
     
  2. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex, UK
    Can you please be more specific?

    I've already disabled Keystroke Encryption as I found this was slowing my general browsing down.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay then you've already done it. I am sorry I don't have any further ideas.
     
  4. Cactus5

    Cactus5 Registered Member

    Joined:
    Jan 17, 2015
    Posts:
    28
    Location:
    Southwest USA
    Outlook 2013 works fine for me. When you added Outlook to Alert did you choose the Office template? Not sure how it would work under another one.
     
  5. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex, UK
    Yes, it was the Office template. My provider uses SSL (port 465) for outgoing SMTP mail and it seems to be something to do with the encryption that is clashing with HMPA.
     
  6. Cactus5

    Cactus5 Registered Member

    Joined:
    Jan 17, 2015
    Posts:
    28
    Location:
    Southwest USA
    I typically use port 587 for TLS vs 465 for SSL but I just changed it back to SSL and port 465 and it worked fine. No errors and successfully sent email to another email address on different ISP. Not sure what to tell you. Has to be some other difference for mine to work fine and not yours. I even removed Outlook from Alert and added Outlook back to Alert and restarted Outlook and still no problem. If I think of something will post here but nothing in there at the moment.
     
  7. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This has been addressed by a newer build (not yet out). I will send a private build to you to see if it was fixed.
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The file was downloaded from an application with Application Lockdown enabled. If you then try to start it, it is blocked because of the Application Lockdown. Via what application did you download FAB? That application should NOT have Application Lockdown enabled.
     
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Try disabling Network Lockdown to see if that has an effect.
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    :thumb: Cool! Thanks Erik.

    Waiting patiently.
     
  13. giftok

    giftok Registered Member

    Joined:
    Feb 8, 2015
    Posts:
    2
    I don't have a USB keyboard, only a PS/2 keyboard.
    HitmanPro.Alert found a USB handwriting device in the USB keyboard device list.
    I do not have a handwriting tablet connected.


    http://i.imgur.com/P9xEzjS.jpg
     
  14. giftok

    giftok Registered Member

    Joined:
    Feb 8, 2015
    Posts:
    2
    Keystroke encryption can't work with Chinese input, such as Google Pinyin IME \ Sogou Pinyin IME.
     
    Last edited: Feb 8, 2015
  15. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I downloaded FAB with Chrome. Directory Opus was under "Other". The problem with all of these settings is that it's not clear how they work.

    After having this issue, I noticed Alert crashing (and silently restarting itself) again. Then I saw several applications with mitigations enabled showing as "not protected" and that was enough for me. I decided to remove HMPA. Thanks for the replies.
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    These issues can occur because Alert is still in beta. We are still working with the testers here at Wilders to resolve issues. Thanks for reporting.
     
  17. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex, UK
    I just tried, adding Outlook 2013 under the Office template, which initially failed as previously mentioned, then I disabled Network Lockdown, restarted Outlook 2013 & it worked perfectly.

    I don't really want to leave Network Lockdown disabled by default, so can this be somehow included under the office template etc...?
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    PUBLIC APOLOGY TO THE STAFF OF WILDERS SECURITY FORUM.

    Hello to all :)

    After having further reviewed, in a totally conscious and aware state of mind, the posts I previously made in this thread about the issues I experienced on my system after having used Hit Man Pro Licensed Version to attempt to remove Riskware, I have concluded that I MUST offer a formal apology to the Moderators and to The Administrator of Wilders Security Forum and to erikloman, the developer of Hit Man Pro. Contrary to an earlier mistaken and unfortunate comment I included in one of my posts, NONE OF MY POSTS IN THIS THREAD THAT I HAD PREVIOUSLY POSTED, OR REPLIES MADE TO THEM BY OTHER MEMBERS WHO HAD OFFERED TO ASSIST ME, HAD BEEN DELETED EITHER BY A MODERATOR OR BY AN ADMINISTRATOR OF Wilders Security Forum. Most likely, due to the very late/early AM hour, the hours I had to stay up to restore my system, and my fatigue and high level of stress at the time, the posts that I believed I was no longer able to see had not been deleted at all.

    I have also sent erikloman an extensive private communication describing my experience. I lack the technological knowledge to determine for certain if the critical problem I encountered on my PC's system was caused by HitMan Pro or the "Riskware" that HitMan Pro had detected, quarantined, and had attempted to completely remove on a reboot. Those items were a FireFox 35.0.0.1 browser home-page and search engine hi-jacker named Tapika, and some likely scam PC cleaner program that would on its own frequently start up, scan my system, and find hundreds of issues that it claimed needed to be fixed. The cost of purchasing the licensed version of that software that supposedly had the ability to repair my system software was $79/yr on an auto-renewal basis. LOL. As far as I could tell, the program, if it did anything at all, did little, if anything, more than the free version of CC Cleaner.

    I am looking forward to elkemon's reply to my private message to hear his/her opinion on the most likely cause of my critical system failure issue.

    Sincerely,

    hawki

    "The weak can never forgive. Forgiveness is the attribute of the strong."

    Mahatma Gandhi


    >----------->

    "There's a crack in everything
    That's how the light gets in"

    "Anthem", Leonard Cohen, poet/singer/script-writer/novelist, Nov, 2010,
    Hanging Rock Recreation Reserve,Victoria, Australia

    >>>------------------>
     
    Last edited: Feb 8, 2015
  19. Scyna

    Scyna Registered Member

    Joined:
    Jan 30, 2015
    Posts:
    17
  20. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    484
    Will HMPA block this new banking malware ?
    hxxp://securityaffairs.co/wordpress/33250/malware/new-dyre-banking-malware-wild.html
     
  21. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    Wow, hawki, that is an extensive apology and a nicely written one too. But I just keep staring at the line "elkemon's reply to my private message to hear his/her opinion". :argh: Is that a typo for erikloman?
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We have this FP solved in the next build. Should be out this week.
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes it does block this malware.
     
  24. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I manually had to add Thunderbird as a protected file (I added it to browsers without problems).

    I then tried to add "SyncbackPro" to "other" but it then gets blocked by HMPA RC143:

    Code:
    Mitigation   ROP
    
    Platform     6.3.9600/x64 06_3c
    PID          6544
    Application  C:\Program Files (x86)\2BrightSparks\SyncBackPro\SyncBackPro.exe
    Description  SyncBackPro 7.0.32
    
    Callee Type  LoadLibrary
    
    Branch Trace                      Opcode  To                             
    -------------------------------- -------- --------------------------------
    RtlInitUnicodeStringEx +0x4a          RET LoadLibraryExW +0x48           
    0x76FE9FDA ntdll.dll                      0x749B30F8 KernelBase.dll     
    
    TMethodImplementationIntercept +0x3384a3    * RET LoadLibraryW()                 
    0x0081781F SyncBackPro.exe                0x7686A820 kernel32.dll       
                8bff                     MOV          EDI, EDI
                55                       PUSH         EBP
                8bec                     MOV          EBP, ESP
                6a00                     PUSH         0x0
                6a00                     PUSH         0x0
                ff7508                   PUSH         DWORD [EBP+0x8]
                ff1510058d76             CALL         DWORD [0x768d0510]
                5d                       POP          EBP
                c20400                   RET          0x4
                                     (D1CEE03E7402A2CD)
    
    
    0x00410E9A SyncBackPro.exe            RET TMethodImplementationIntercept +0x33849e
                                              0x0081781A SyncBackPro.exe     
    
    +0x4e5bf                             RET 0x00410E21 SyncBackPro.exe     
    0x746BE5BF hmpalert.dll                                                 
    
    +0xd117                              RET  +0x4e5bc                     
    0x7467D117 hmpalert.dll                   0x746BE5BC hmpalert.dll       
    
    +0x1c665                             RET  +0xd0f5                       
    0x7468C665 hmpalert.dll                   0x7467D0F5 hmpalert.dll       
    
    RtlLeaveCriticalSection +0x37         RET  +0x1c64d                     
    0x76FE1517 ntdll.dll                      0x7468C64D hmpalert.dll       
    
    SetEvent +0x1c                        RET  +0x1c642                     
    0x749B126C KernelBase.dll                 0x7468C642 hmpalert.dll       
    
    NtSetEvent +0xc                       RET SetEvent +0x10                 
    0x76FDCA1C ntdll.dll                      0x749B1260 KernelBase.dll     
    
    TurboDispatchJumpAddressEnd +0x598      RET TurboDispatchJumpAddressEnd +0x55e
    0x76F22352 wow64cpu.dll                   0x76F22318 wow64cpu.dll       
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  749B3176 KernelBase.dll           LoadLibraryExW +0xc6
    2  7686A832 kernel32.dll             LoadLibraryW +0x12
    
    3  008276B1 SyncBackPro.exe          TMethodImplementationIntercept +0x348335
                e8f6e9ffff               CALL         0x8260ac
                8945f8                   MOV          [EBP-0x8], EAX
                68a07b8200               PUSH         DWORD 0x827ba0
                8b45f8                   MOV          EAX, [EBP-0x8]
                50                       PUSH         EAX
                e82d02ffff               CALL         0x8178f4
                e8f0e9ffff               CALL         0x8260bc
                8bd8                     MOV          EBX, EAX
                85db                     TEST         EBX, EBX
                0f844e040000             JZ           0x827b24
                8d45f4                   LEA          EAX, [EBP-0xc]
                50                       PUSH         EAX
                6a00                     PUSH         0x0
                6a00                     PUSH         0x0
                a1d09e3901               MOV          EAX, [0x1399ed0]
                8b00                     MOV          EAX, [EAX]
                50                       PUSH         EAX
                a16c8b3901               MOV          EAX, [0x1398b6c]
                8b00                     MOV          EAX, [EAX]
                50                       PUSH         EAX
                ffd3                     CALL         EBX
    
    4  011D0C88 SyncBackPro.exe          TMethodImplementationIntercept +0xcf190c
    5  011CEA90 SyncBackPro.exe          TMethodImplementationIntercept +0xcef714
    6  006CCDB7 SyncBackPro.exe          TMethodImplementationIntercept +0x1eda3b
    7  006CC9BB SyncBackPro.exe          TMethodImplementationIntercept +0x1ed63f
    8  00409794 SyncBackPro.exe       
    9  006CC96C SyncBackPro.exe          TMethodImplementationIntercept +0x1ed5f0
    10 006D7825 SyncBackPro.exe          TMethodImplementationIntercept +0x1f84a9
    
    
    Disabling "ROP" makes SyncbackPro work again.


    Also: how can I change an app from "Safe browsing" to just "media" or "other"? E.g. I added mIRC to "browsers" and it works, but it should be "media" or "office" I guess?
     
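    The mitigation report zakazak pasted above has a fixed layout (a key/value header, a two-line-per-entry "Branch Trace" table whose second line carries the addresses for whichever fields were printed as symbols, optional disassembly and a block hash under an entry, then a "Stack Trace" table). The parser below is an added example for triaging such reports; it is not part of this thread, of HitmanPro.Alert, or of SyncBackPro. It reads a trimmed copy of the report from the post, pulls out the entry carrying the `* RET` marker, lists the modules the branch trace passes through, and separates returns that land on a function's first instruction from ordinary call/return pairs. Two assumptions are read off the layout rather than any documentation: that `* RET` marks the branch the mitigation tripped on, and that a target written as `Name()` with no `+offset` is the entry point of that export.

```python
import re
from dataclasses import dataclass

# Excerpt of the HMPA report quoted in the post above, trimmed but keeping HMPA's layout.
SAMPLE_REPORT = r"""
Mitigation   ROP
PID          6544
Application  C:\Program Files (x86)\2BrightSparks\SyncBackPro\SyncBackPro.exe
Callee Type  LoadLibrary

Branch Trace                      Opcode  To
-------------------------------- -------- --------------------------------
RtlInitUnicodeStringEx +0x4a          RET LoadLibraryExW +0x48
0x76FE9FDA ntdll.dll                      0x749B30F8 KernelBase.dll

TMethodImplementationIntercept +0x3384a3    * RET LoadLibraryW()
0x0081781F SyncBackPro.exe                0x7686A820 kernel32.dll
            c20400                   RET          0x4
                                 (D1CEE03E7402A2CD)
0x00410E9A SyncBackPro.exe            RET TMethodImplementationIntercept +0x33849e
                                          0x0081781A SyncBackPro.exe
+0x4e5bf                             RET 0x00410E21 SyncBackPro.exe
0x746BE5BF hmpalert.dll

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  749B3176 KernelBase.dll           LoadLibraryExW +0xc6
2  7686A832 kernel32.dll             LoadLibraryW +0x12
"""

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s{2,}(\S.*?)\s*$")
BRANCH_RE = re.compile(r"^(?P<src>\S.*?)\s+(?P<star>\*\s+)?(?P<op>RET|CALL|JMP)\s+(?P<dst>\S.*?)\s*$")
ADDR_PAIR_RE = re.compile(r"(0x[0-9A-Fa-f]+)\s+(\S+)")
ADDR_LINE_RE = re.compile(r"(?:0x[0-9A-Fa-f]+\s+\S+\s*)+")
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s*(.*?)\s*$")


@dataclass
class Location:
    symbol: str = ""   # "LoadLibraryW()", "+0x4e5bf", or "" when only an address was printed
    address: str = ""  # "0x7686A820"
    module: str = ""   # "kernel32.dll"

    def at_function_entry(self) -> bool:
        # Assumption about the format: "Name()" with no +offset is the first instruction of an export.
        return self.symbol.endswith("()")


@dataclass
class Branch:
    src: Location
    dst: Location
    opcode: str
    flagged: bool  # the "* RET" marker; assumed to mark the branch the mitigation tripped on


def _location(text: str) -> Location:
    m = ADDR_PAIR_RE.fullmatch(text.strip())  # a field is either "0xADDR module" or a symbol
    return Location("", m[1], m[2]) if m else Location(text.strip())


def _parse_branches(lines) -> list:
    branches, pending = [], []  # pending: locations whose address/module is printed on the next line
    for raw in lines:
        line = raw.rstrip()
        if not line.strip():
            continue
        m = None if line[0].isspace() else BRANCH_RE.match(line)  # entry lines start in column 0
        if m:
            src, dst = _location(m["src"]), _location(m["dst"])
            branches.append(Branch(src, dst, m["op"], m["star"] is not None))
            pending = [loc for loc in (src, dst) if not loc.address]
        elif pending and ADDR_LINE_RE.fullmatch(line.strip()):
            for loc, (addr, mod) in zip(pending, ADDR_PAIR_RE.findall(line)):
                loc.address, loc.module = addr, mod
            pending = []  # any other indented line is disassembly or the block-hash line
    return branches


def parse_report(text: str) -> dict:
    lines = text.strip("\n").splitlines()
    bt = next(i for i, l in enumerate(lines) if l.startswith("Branch Trace"))
    st = next(i for i, l in enumerate(lines) if l.startswith("Stack Trace"))
    header = {m[1]: m[2] for m in map(HEADER_RE.match, lines[:bt]) if m}
    # +2 / +3 skip the column header and the dashed rule under each section title
    frames = [(int(m[1]), m[2], m[3], m[4]) for m in map(FRAME_RE.match, lines[st + 3:]) if m]
    return {"header": header, "branches": _parse_branches(lines[bt + 2:st]), "frames": frames}


def flagged_branches(report: dict) -> list:
    return [b for b in report["branches"] if b.flagged]


def returns_to_function_entry(report: dict) -> list:
    # A RET normally lands just after a CALL, never on a function's first instruction; a RET into
    # an API entry point is what the ROP mitigation is reporting here (Callee Type LoadLibrary).
    return [b for b in report["branches"] if b.opcode == "RET" and b.dst.at_function_entry()]


def modules_touched(report: dict) -> list:
    mods = [loc.module for b in report["branches"] for loc in (b.src, b.dst) if loc.module]
    return list(dict.fromkeys(mods))  # first-seen order, duplicates dropped


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(r["header"]["Mitigation"], "alert, PID", r["header"]["PID"], "modules:", modules_touched(r))
    for b in flagged_branches(r):
        print("flagged:", b.src.module, b.src.address, "->", b.dst.module, b.dst.symbol)
```

    On the report above this shows that the flagged return starts inside SyncBackPro.exe itself (0x0081781F) and lands on the entry point of LoadLibraryW in kernel32.dll, with hmpalert.dll, ntdll.dll and KernelBase.dll also appearing in the trace. Those are the facts worth attaching to a false-positive report alongside the observation that disabling the ROP mitigation makes the application work again.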
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    To change the template of a program you need to remove mitigations from that program, open the program, then go to Running Applications and re-add the program under whatever template you need, then restart the program.

    Cheers.
     