HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. bjm_

    bjm_ Registered Member

    Yes, thank you. I have come to that understanding... that the files are rollbacks. I'd like to know how to test that CryptoGuard temp files are updated as a real document file is updated. I've made changes to my Document files, but the CryptoGuard files' Date modified does not change. How may I invoke a change to CryptoGuard temp files? Are CryptoGuard temp / rollback files under a maintenance protocol? I have 36 files that don't appear to change / update.

    I've made suggested CryptoGuard Exception in AppGuard and Direct Access in SBoxie.
    I'd like to test if my AG and SBoxie setup satisfy CryptoGuard temp files.

    How may I invoke creation / update of CryptoGuard temp files?
     
    Last edited: Mar 17, 2015
  2. Adric

    Adric Registered Member

    Trying to run Microsoft Update from XP. Disabled DEP Mitigation to get it to work.
    2015-03-17_224603.jpg
     
    Last edited: Mar 17, 2015
  3. erikloman

    erikloman Developer

  4. Adric

    Adric Registered Member

    Yes, 167. I edited my post above. I thought disabling only DEP did not work. I tried disabling it again after rebooting and that worked.
     
  5. markloman

    markloman Developer

    I can't reproduce it in any of my Windows XP SP3 environments. What other security software is installed on this machine?
     
  6. Adric

    Adric Registered Member

    Winpatrol, HMP, Mbam and SAS on demand. I just had another DEP alert with FF out of the blue just starting it. I also have Shadow Defender on demand.
    2015-03-17_234616.jpg
     
    Last edited: Mar 17, 2015
  7. Ashanta

    Ashanta Registered Member

    :thumb:

     
  8. Adric

    Adric Registered Member

    My system is running with the POSReady 2009 Updates for XP. IE8 fixes are as follows:
    Windows XP Hotfix Validation Report for \\2082-52G
    Report Date: 3/14/2015 9:46pm

    Current Service Pack Level: Service Pack 3

    Hotfixes Identified:
    KB2598845-IE8: Current on system.
    KB2632503-IE8: Current on system.
    KB3032359-IE8: Current on system.

    I get the same alert for the Microsoft Update Catalog as I did previously with Microsoft Update. Disabling only DEP causes IE to open and then immediately close again with no alert. If I disable both DEP and Mandatory ASLR, IE stays open and displays the Microsoft Update Catalog website without problems.
     
    Last edited: Mar 17, 2015
  9. Rasheed187

    Rasheed187 Registered Member

    @ markloman

    Did you check out the Sandboxie + HMPA combo on Win 8.1, to see if there are any problems? Like I said before, IE 11 running inside the sandbox gets terminated immediately. And I also experienced other weird things that I reported earlier in this thread.
     
  10. Victek

    Victek Registered Member

    Sorry about giving you incorrect information. I wasn't aware of the rollback feature.
     
  11. deugniet

    deugniet Registered Member

    Appcrash build 167 (W7 64-bit/Norton Security 2015).

    Logboeknaam: Application
    Bron: Windows Error Reporting
    Datum: 18-3-2015 8:03:31
    Gebeurtenis-id:1001
    Taakcategorie: Geen
    Niveau: Informatie
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Foutbucket 916070808, type 17
    Naam van gebeurtenis: APPCRASH
    Antwoord: Niet beschikbaar
    Id van CAB-bestand: 0

    Handtekening van probleem:
    P1: hmpalert.exe
    P2: 3.0.32.167
    P3: 55005fb5
    P4: ntdll.dll
    P5: 6.1.7601.18247
    P6: 521ea8e7
    P7: c0000005
    P8: 00038e19
    P9:
    P10:

    Bijgevoegde bestanden:
    C:\Windows\Temp\WER3403.tmp.appcompat.txt
    C:\Windows\Temp\WER3FC7.tmp.WERInternalMetadata.xml
    C:\Windows\Temp\WER58C5.tmp.WERDataCollectionFailure.txt

    Deze bestanden zijn mogelijk hier beschikbaar:
    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hmpalert.exe_d8c0c4f36127485268266ac5fec37f5ad41ca26_017cf4d9

    Analysesymbool:
    Opnieuw zoeken naar oplossing: 0
    Rapport-id: 7d2c0db7-ccc8-11e4-8c13-001f16aa0c13
    Rapportstatus: 0
    Gebeurtenis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Windows Error Reporting" />
    <EventID Qualifiers="0">1001</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-03-18T07:03:31.000000000Z" />
    <EventRecordID>163986</EventRecordID>
    <Channel>Application</Channel>
    <Computer>****</Computer>
    <Security />
    </System>
    <EventData>
    <Data>916070808</Data>
    <Data>17</Data>
    <Data>APPCRASH</Data>
    <Data>Niet beschikbaar</Data>
    <Data>0</Data>
    <Data>hmpalert.exe</Data>
    <Data>3.0.32.167</Data>
    <Data>55005fb5</Data>
    <Data>ntdll.dll</Data>
    <Data>6.1.7601.18247</Data>
    <Data>521ea8e7</Data>
    <Data>c0000005</Data>
    <Data>00038e19</Data>
    <Data>
    </Data>
    <Data>
    </Data>
    <Data>
    C:\Windows\Temp\WER3403.tmp.appcompat.txt
    C:\Windows\Temp\WER3FC7.tmp.WERInternalMetadata.xml
    C:\Windows\Temp\WER58C5.tmp.WERDataCollectionFailure.txt</Data>
    <Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hmpalert.exe_d8c0c4f36127485268266ac5fec37f5ad41ca26_017cf4d9</Data>
    <Data>
    </Data>
    <Data>0</Data>
    <Data>7d2c0db7-ccc8-11e4-8c13-001f16aa0c13</Data>
    <Data>0</Data>
    </EventData>
    </Event>
     
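    The event record quoted above is a standard Windows Error Reporting event 1001 (APPCRASH); the crash signature lives in the P1..P10 fields of its EventData. The following added example (not code from the thread or from HitmanPro.Alert) parses such a record and pulls out the faulting module, exception code and offset so reports like this one can be triaged and deduplicated. The sample XML is a constructed, trimmed copy of the event in the post; the NTSTATUS name table is a short hand-picked list.

```python
# Added example: extract the APPCRASH signature from a WER event-1001 record.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# In a WER 1001 record the first five Data elements are bucket id, bucket
# type, event name, response and CAB id; the signature fields P1..P10 follow.
SIGNATURE_FIELDS = (
    "app_name", "app_version", "app_timestamp",
    "module_name", "module_version", "module_timestamp",
    "exception_code", "fault_offset", "p9", "p10",
)
FIRST_SIGNATURE_INDEX = 5

# A few NTSTATUS exception codes a crash triager meets most often.
EXCEPTION_NAMES = {
    "c0000005": "STATUS_ACCESS_VIOLATION",
    "c0000374": "STATUS_HEAP_CORRUPTION",
    "c0000409": "STATUS_STACK_BUFFER_OVERRUN",
    "c000001d": "STATUS_ILLEGAL_INSTRUCTION",
}


def parse_wer_event(xml_text: str) -> dict:
    """Return the APPCRASH signature of a WER event-1001 XML record."""
    root = ET.fromstring(xml_text)
    data = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    if len(data) < FIRST_SIGNATURE_INDEX + len(SIGNATURE_FIELDS):
        raise ValueError("not a complete WER 1001 record")
    sig = dict(zip(SIGNATURE_FIELDS, data[FIRST_SIGNATURE_INDEX:]))
    sig["event_name"] = data[2]
    sig["exception_name"] = EXCEPTION_NAMES.get(sig["exception_code"].lower(), "unknown")
    return sig


# Constructed sample: the hmpalert.exe crash from the post, trimmed to the
# fields this parser needs.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Windows Error Reporting" /><EventID Qualifiers="0">1001</EventID>
<Level>4</Level><Task>0</Task><Channel>Application</Channel></System>
<EventData><Data>916070808</Data><Data>17</Data><Data>APPCRASH</Data>
<Data>Niet beschikbaar</Data><Data>0</Data><Data>hmpalert.exe</Data>
<Data>3.0.32.167</Data><Data>55005fb5</Data><Data>ntdll.dll</Data>
<Data>6.1.7601.18247</Data><Data>521ea8e7</Data><Data>c0000005</Data>
<Data>00038e19</Data><Data></Data><Data></Data></EventData></Event>"""

if __name__ == "__main__":
    for key, value in parse_wer_event(SAMPLE_EVENT).items():
        print(f"{key:18} {value}")
```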
  12. bjm_

    bjm_ Registered Member

    I know. I had to pick at the bones to learn about the files. Now I'm trying to learn how I can invoke the creation / update of CryptoGuard temp files. Cheers
     
  13. markloman

    markloman Developer

    In my attempt to reproduce this, I do sometimes get a DEP message too, but only after restoring my virtual machine from a snapshot and running IE within a few seconds after restoring the snapshot. I think this might be caused by my VMware.
    Is yours a virtual environment too? Do you get the DEP message immediately after starting the machine or do you get it every single time?
     
  14. Adric

    Adric Registered Member

    No VM running, although I have VMware installed. I can reproduce the alert every time I launch Microsoft Update or Microsoft Update Catalog from the XP Start Menu.
     
  15. Peter2150

    Peter2150 Global Moderator

    Hmm. I have VMware Workstation v11 installed here, and no issues.

    Pete
     
  16. bjm_

    bjm_ Registered Member

    Attack Intercepted build 167 + NIS 21.7 + W8.1 64bit + scan clean
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    ROP
    Mitigation   ROP

    Platform     6.3.9600/x64 06_45
    PID          10604
    Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description  Internet Explorer 11

    Branch Trace                     Opcode   To
    -------------------------------- -------- --------------------------------
    strspn                           RET      0x012C1E46 iexplore.exe
    0x7719AA5D ntdll.dll
    GetStartupInfoW +0x86            RET      0x012C1F5E iexplore.exe
    0x749D0FE6 KernelBase.dll
    0x012C1EE5 iexplore.exe          RET      0x012C1F4C iexplore.exe
    0x012C24FC iexplore.exe          RET      0x012C24B5 iexplore.exe
    0x6EAE1076 SbieDll.dll *         RET      0x012C24B0 iexplore.exe
                                              e80a000000   CALL 0x12c24bf
                                              e986faffff   JMP 0x12c1f40
    SbieDll_RegisterDllCallback      RET      0x6EAE1065 SbieDll.dll
    0x6EB0DFCB SbieDll.dll
    SbieDll_Hook +0x23e              RET      SbieDll_RegisterDllCallback
    0x6EAE8B3E SbieDll.dll                    0x6EB0DFCA SbieDll.dll
    SbieDll_StartCOM +0x4b           RET      SbieDll_Hook +0x23e
    0x6EB0407B SbieDll.dll                    0x6EAE8B3E SbieDll.dll
    SbieDll_IsOpenCOM                RET      SbieDll_StartCOM +0x48
    0x6EB03F0E SbieDll.dll                    0x6EB04078 SbieDll.dll
    CloseHandle +0x2b                RET      SbieDll_IsOpenCOM
    0x7499EF9B KernelBase.dll                 0x6EB03F06 SbieDll.dll
    SbieDll_GetHandlePath            RET      CloseHandle +0x1a
    0x6EAF67F6 SbieDll.dll                    0x7499EF8A KernelBase.dll
    SbieDll_Hook                     RET      SbieDll_GetHandlePath
    0x6EAED957 SbieDll.dll                    0x6EAF67E6 SbieDll.dll

    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  012C23E1 iexplore.exe             85c0         TEST EAX, EAX
                                         741c         JZ 0x12c2401
                                         50           PUSH EAX
                                         e820000000   CALL 0x12c240b
                                         85c0         TEST EAX, EAX
                                         7412         JZ 0x12c2401
                                         0fb7485c     MOVZX ECX, WORD [EAX+0x5c]
                                         6a02         PUSH 0x2
                                         58           POP EAX
                                         663bc8       CMP CX, AX
                                         0f8554080000 JNZ 0x12c2c53
                                         5d           POP EBP
                                         c3           RET
    2  012C2366 iexplore.exe
    3  012C1FB9 iexplore.exe
    4  75EF7C04 kernel32.dll             BaseThreadInitThunk +0x24
    5  771CB54F ntdll.dll                RtlInitializeExceptionChain +0x8f
    6  771CB51A ntdll.dll                RtlInitializeExceptionChain +0x5a
    EDIT: SBoxie 4.16
     
    Last edited: Mar 18, 2015
  17. erikloman

    erikloman Developer

    Can you disable LoadLib on the browser and try again?
     
  18. erikloman

    erikloman Developer

    You forgot to mention you are running Sandboxie. Does the ROP trigger every time or only at random?
     
  19. Rasheed187

    Rasheed187 Registered Member

    That's what I reported weeks ago, but for some reason I am being ignored, not cool guys. It happened constantly on my system. If you run IE 11 outside the sandbox there is no problem. So HMPA definitely interferes with SBIE's hooks.
     
  20. Stupendous Man

    Stupendous Man Registered Member

    I wouldn't think you are being ignored.
    It seems to me that quite a few reports are not being replied to by Erik or Mark.
    It may be that they are just too busy and need to prioritize, or it may be oversight, Erik and Mark not noticing some of the reported issues here.
     
  21. erikloman

    erikloman Developer

    You were running a new beta version of Sandboxie. I deliberately chose not to pursue the issue because of this. We already have enough work on our hands with published software. If we also have to include beta software, then we can never release.

    What version are you running now?
     
  22. PallMall

    PallMall Guest

    The problem with security software can also be the one of its users when they add, add, and add one defense to another. Not to mention tests held on old OSs such as Windows prior to Seven, which should not be eligible for pertinent results: XP is out, finished.
    A clean system with a minimum of security, but the right one, non-redundant, basic and well thought out and organized, leads to no problem for a swiftly running HitmanPro.Alert.
    Nowadays 20% of users don't care, and among the 80% left, half choose the wrong apps and the other half choose too many, bundling one security with another. Too much is the enemy of good.
     
  23. bjm_

    bjm_ Registered Member

    I have this ... SBoxie 4.16 + HMPA 167 + W8.1 + IE11 ~ terminated immediately with Attack Intercepted
     
  24. erikloman

    erikloman Developer

    32-bit or 64-bit version of Windows 8.1?

    Can you send me the contents of the alert via PM? (just copy/paste from the Windows Event Log).
     
    Last edited: Mar 18, 2015
  25. Hiltihome

    Hiltihome Registered Member

    Good point.
    I second this.

    Although I'm running sandboxie, I do not expect to use it without conflicts. It's only for testing purpose.

    HMP.Alert should run together with commonly used AV and antimalware solutions; then it's fine to be released.
     
    Last edited: Mar 18, 2015