HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Is this new? Do you have a firewall?
    The scan runs HitmanPro. The binary for HitmanPro is downloaded and then started from the temp (if HitmanPro is not installed).
     
  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I have an extensive NGFW on the network, and that includes dual AV scanning and a deep packet inspection Layer 8 firewall. Why would it be blocking? Right now I have outbound originations from the LAN on mostly a pass-through, and unless it's malware or advertisements, it won't be blocked.

    Suggestions?
     
  3. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,540
    Hi,

    Will the free version of HitmanPro.Alert alert us when the browser is being exploited, with the "Safe Browsing" feature enabled?

    Thanks
     
  4. guest

    guest Guest

    No,

    Safe browsing will only indicate whether a MITB is being performed. You have to get a license in order to enable the exploit mitigations.
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It appears HMPA isn't compatible with Sophos Endpoint Security (managed by UTM 9x) in the slightest. I had to uninstall HMPA after installing SES. Totally locked up most processes, Chrome crashed and was locked into processes, etc.
     
  6. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,540
    Thanks.

    I thought the free version only alerts us about an exploit, and the paid also mitigates the exploit...
     
  7. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,540
    I'm also interested to know this...

    Thanks
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We will have a look. Thanks for reporting.
     
  9. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    597
    I'm delighted to report that the same program recording was NOT blocked this week. In fact, the Hauppauge TV tuner is no longer listed under webcams in the Risk Reduction category.

    Thanks very much for the fix! :thumb:
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,943
    Location:
    Outer space
    Trying to add Plex Home Theater (1.3.5) to Exploit protection, but it isn't listed under running applications :S
    (Latest Alert build 155 of course)
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    The developers will release more info when the final version is released, if I understood correctly. I'm not sure why this has never been explained clearly.

    Have you already looked at the "IE 11 getting terminated" problem when running sandboxed?
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    No, exploits are always mitigated and exploit protection is not offered in the Free version at all. In the free version you get "safe browsing" and some other features. So as soon as your browser is infected with a banking trojan, HMPA will alert you not to use the browser, and will offer to remove the malware with the HitmanPro 3 scanner.
     
  13. guest

    guest Guest

    Protecting against and mitigating can still be seen as the same thing. (sort of)
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Does this look right? Will Firefox be allowed to write to cryptoguard now?
    cryptoguard read write.JPG
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    Since Firefox has to write to cryptoguard, how do I get sandbox'd FF data to the cryptoguard folder?
    cryptoguard read write.JPG
     
    Last edited: Mar 8, 2015
  16. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,529
    Location:
    .
    OK... added c:\windows\cryptoguard\ to Direct File Access.

    * Now, what about the drive-by hole I made by adding c:\windows\cryptoguard -- read write exception?

    I think I connected the dots enough to understand that cryptoguard holds backups if a roll back is required due to cryptolock ransomware. What still confuses me is what Firefox writing to cryptoguard has to do with Documents. c:\users\bjms\documents\myprivatefolder is still Private Deny Access by default in AG.

    * EDIT: Cryptoguard folder has 28 files. Does that mean I have 28 files that HMPA protects from crypto type ransomware? Any way to know what the cryptoguard files relate to...?
     
    Last edited: Mar 9, 2015
  18. guest

    guest Guest

  19. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,791
    I just noticed that when you install HMPA, it disables various tunneling interfaces used for connectivity using IPv6 transition technologies. I understand there is a security risk with this kind of tunneling, but I just hate it when apps decide it's better to disable stuff on your system without telling you about it. On top of that, it leaves an error in Device Manager that a certain interface is not working (error 10). I went on a wild goose chase trying to fix that. I normally just disable the IPHelper service, which I understand needs to run for IPv6 transition technologies such as ISATAP, Teredo, and 6to4 to function on the computer, but it does not break anything in Device Manager. Adding the DisabledComponents to the registry if a tunneling adapter is already enabled gives the error below.

    tunnel.jpg
     
  20. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    @Adric Yes, thanks very much for that info :thumb: which seems to explain what I had a lot of trouble trying to figure out about a month back.
     
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Alert indeed disables Teredo. It has to be disabled because it can cause BSODs. Teredo is somewhat buggy. Google 'teredo bsod'.
    I will see if we can fix the error 10.
     
  22. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    @Adric,
    Thanks for your 'Teredo post'. Now I finally know what caused me so much trouble last February and I finally had to give up!
     
    Last edited: Mar 9, 2015
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,444
    Location:
    Among the gum trees
    Ditto!

    I was thinking it was probably Norton.

    :thumb:
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Adric made a good point. HMPA should still inform the user what services it is disabling. It could cause problems for the user if they are using something that requires the services being disabled. HMPA should give a prompt informing the user what is being disabled.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Not the point; it seems like rdsu was a bit confused about the difference between safe browsing and anti-exploit, and of course it would not make sense to only alert about an exploit attack; that would be quite silly.
     