HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I have it. Thanks!
     
  2. Sven Keizer

    Sven Keizer Registered Member

    Joined:
    Oct 13, 2015
    Posts:
    2
    Location:
    The Netherlands
    Not sure if this fits in here, but has anybody got experience with running HMP Alert on W2K8 R2 or, more specifically, Terminal Server? At the moment we are testing a beta version (3.1 build 318) with only CryptoGuard running. But we would like to run HMP Alert with all the options.
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Try running build 206. First uninstall the Beta build.
    http://test.hitmanpro.com/hmpalert3b206.exe
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I'm pretty sure this is a false positive as I was using Windows Defender without issue but I have just installed Norton Security 22.5.4 and now every time I open IE 11 I get this:
    Capture.PNG
    There is no entry in Event Viewer and even HMP.A UI shows no Alerts:

    Capture 1.PNG

    I have scanned with HMP + NS and nothing is found.

    Win10 x64
    IE 11
    NSwB22.5.4
    HMP.A Beta Build 318

    Thanks.
     
  5. Giannis121

    Giannis121 Registered Member

    Joined:
    Oct 14, 2015
    Posts:
    1
    Can build 318 be used for Windows 7 as well or only Windows 10?
     
  6. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Yes. You can use version 3.1 on Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10.
    We update the older 3.0 branch only with bug fixes while we introduce new features only in 3.1. I'd recommend using the 3.1 branch if you want the latest and greatest (build 322 is coming up). If you do not want to test new features, use the 3.0 branch (build 207 is coming up).
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Out-of-band update!

    Norton released update 22.5.4.x causing an Intruder Alert with (unknown) listed at various wininet and urlmon APIs (see here). Norton now hooks these APIs (new in 22.5.4).

    Norton 22.5.4 is bypassing the memory monitoring functions of Alert. Due to this bypass, Alert can no longer attribute the wininet and urlmon API hooks to Norton. Hence, the reason for the Intruder Alert.

    Norton 22.5.4 is copying various NTDLL APIs like ntdll.NtAllocateVirtualMemory, ntdll.NtProtectVirtualMemory, ntdll.NtFreeVirtualMemory, etc. With these copies Norton skips the NTDLL API (and potential 3rd party hooks) to dive straight into kernel space.

    This poses a problem for many security products, including anti-exploit solutions, as there are now two ways to dive into the kernel: (1) ntdll.NtProtectVirtualMemory and (2) norton.NtProtectVirtualMemory.

    If an exploit can find Norton's copy (e.g. via array length overwrite) no security solution is able to block it. I was able to find Norton's stub in a few seconds:
    Code:
    0:037> s 00000000 L7700000 b8 c6 00 00 00 e8 03 00 00 00 c2 14 00
    003f01ea  b8 c6 00 00 00 e8 03 00-00 00 c2 14 00 8b d4 0f  ................
    0:037> u 003f01ea
    003f01ea b8c6000000      mov     eax,0C6h  <-- NtProtectVirtualMemory (syscall index)
    003f01ef e803000000      call    003f01f7
    003f01f4 c21400          ret     14h
    003f01f7 8bd4            mov     edx,esp
    003f01f9 0f34            sysenter
    003f01fb c3              ret
    
    Special thanks to Krusty13 for helping us unravel the situation.

    If you use Norton and HitmanPro.Alert, please update to the below version of HitmanPro.Alert.

    Version 3.0 - install this if you run build 196
    http://test.hitmanpro.com/hmpalert3b207.exe

    Version 3.1 BETA - install this if you already run existing 3.1
    http://test.hitmanpro.com/hmpalert3b323.exe

    Please let me know how this build runs on your computer :thumb:
     
    Last edited: Oct 14, 2015
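
The stub layout shown in the post above can be checked for defensively when auditing a memory dump: any `mov eax, imm32 / call +3 / ret imm16 / mov edx, esp / sysenter / ret` sequence outside ntdll's image is a second route into the kernel that user-mode hooks will not see. The following is an added example, not code from HitmanPro.Alert or Norton; the region contents, the second stub and the ntdll address range are constructed for illustration, and only the first stub's bytes and address come from the post.

```python
import re
import struct

# x86 sysenter stub layout from the WinDbg listing in the post:
#   b8 <imm32>      mov eax, syscall index
#   e8 03 00 00 00  call +3
#   c2 <imm16>      ret n
#   8b d4 0f 34 c3  mov edx, esp / sysenter / ret
STUB_RE = re.compile(
    rb"\xb8(.{4})\xe8\x03\x00\x00\x00\xc2(.{2})\x8b\xd4\x0f\x34\xc3",
    re.DOTALL,
)


def find_syscall_stubs(regions, trusted_ranges):
    """Report syscall stubs located outside the trusted module ranges.

    regions:        list of (base_address, bytes) for executable memory
    trusted_ranges: list of (start, end) ranges where stubs are expected
    """
    findings = []
    for base, data in regions:
        for m in STUB_RE.finditer(data):
            addr = base + m.start()
            if any(lo <= addr < hi for lo, hi in trusted_ranges):
                continue  # stub is inside the expected module image
            (index,) = struct.unpack("<I", m.group(1))
            (ret_bytes,) = struct.unpack("<H", m.group(2))
            findings.append(
                {"address": addr, "syscall_index": index, "ret_bytes": ret_bytes}
            )
    return findings


# Bytes of the stub quoted in the post, placed at the address it was found at.
PAGE_STUB = bytes.fromhex("b8c6000000e803000000c214008bd40f34c3")
# Constructed second stub (index and ret size are made up) inside "ntdll".
OTHER_STUB = bytes.fromhex("b813000000e803000000c218008bd40f34c3")
SAMPLE_REGIONS = [
    (0x003F0000, b"\x00" * 0x1EA + PAGE_STUB + b"\xcc" * 16),
    (0x77000000, b"\x90" * 0x40 + OTHER_STUB),
]
NTDLL_RANGE = [(0x77000000, 0x77100000)]  # hypothetical image range

if __name__ == "__main__":
    for f in find_syscall_stubs(SAMPLE_REGIONS, NTDLL_RANGE):
        print(f"{f['address']:#010x} index={f['syscall_index']:#x} ret={f['ret_bytes']}")
```
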
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Installed 3b322 on test machine. So far so good.
     
  9. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Installed hmpa 3.0 build 207 over build 206, so far no issues.
     
  10. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Ditto.

    App-crash WER build 318. No dmp.

    (W10 build 10240 64 bits/Norton Security with Backup v22.5.4.24)
     

  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    318 beta gave me a warning that an update was available and would be installed on next boot. In spite of setting AG in Install mode, as well as ERP, the update message seemed to reoccur on reboot i.e. a loop.
    Maybe just a peculiarity to my Win 8.1 setup.
    Downloaded 322 beta manually and installed, rebooted. Working without problems now.
     
  12. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    I am not sure if I understand the bottom line in this HMPA/Norton 22.5.4 issue:
    1. Users of Norton 22.5.4 are now exposed to exploits that cannot be stopped by security software?
    2. Hmpa 3.0 build 207 and 3.1 build 322 are updated to avoid/suppress the 'Intruder Alert' message (Krusty13)?
     
    Last edited: Oct 14, 2015
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    It could be that the auto-updater in the 3.1 branch is not yet fully operational. A manual install is the remediation. We have it in investigation. The 3.0 branch should update hassle-free.
     
  14. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    I am also running 318 beta and received the update notification. I tried rebooting, but the program did not automatically update and the message reappeared after the reboot. I never noticed this before, but there is a hmpalert_update.exe process running. I will manually upgrade.
     
  15. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    Oh, and to put paulderdash's mind to rest, I am running W7-64bit.
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    3.1.0 build 322 :) via manual install.
    thanks Krusty13
     
    Last edited: Oct 14, 2015
  17. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Got the notification that a new build was available and would be installed on a reboot. Rebooted 4 times but no install and so have resorted to doing it manually re. Version 3.1 BETA.

    Regards, Baldrick
     
  18. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    After boot this morning HMPA message that a new update was available after restart. So I restarted and was updated from 196 to 207. Everything went bad after that. Everything was hung up and could not get to the internet. After another restart nothing was better so uninstalled 207. Installed 196 again which wanted a restart to update to 207 again. After restart everything seems to be normal. I thought I might have to call and pay for computer help to fix this..lmao
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Same scenario for me. After rebooting didn't install the update I just downloaded and ran the installer which worked fine.
     
  20. DouweG

    DouweG Registered Member

    Joined:
    Jan 30, 2013
    Posts:
    13
    Location:
    Netherlands
    Same problem and solution here (W10 64 bit pc).
     
  21. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    Is HMPA 207 the new Stable? Because that is what I have now.
     
  22. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    :thumb: (3.0.48.196→3.0.57.207 via automatic update)

    No problem to report so far (10Pro X64)

    :)
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes the 207 is the new stable. Will post release notes shortly. We had to move quickly due to the Norton issue above.
     
  24. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    Got a BSOD following manual upgrade (318 to 322), and found HMP.A install consequently corrupted. Haven't done a re-install yet but can provide dump if wanted. Thanks.

    HMPAbsodB.PNG
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    BETA users: update 322 is now replaced by 323. This version should be able to upgrade smoothly.

    NOTE: 322 are also updated to 323. Please let me know whether upgrade goes smoothly.
     