HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. malware1

    malware1 Registered Member

  2. Dark Star 72

    Dark Star 72 Registered Member

    Yes, that is what I'm seeing. I knew it would happen holding down a letter key, I was just surprised to see it happens with the SHIFT-key.
    What really surprises me is that the encrypted digits shown continue on from the previously shown digits. For example: I opened Wilders from a bookmark in Firefox, logged in and the last sequence of the encrypted digits was Y631M - I then signed out and opened Amazon from amazi7p0rk. <that rubbish there just came up as I tried to type 'a bookmark'! To continue: started to sign in to Amazon and the first encrypted digit was an 'N' which followed the Y631M from the Wilders login. I then closed Firefox and opened Chrome. Opened the Think Broadband site from a bookmark and when I started to type to sign in the first encrypted digit was "0", which followed on from the Y631MN shown when I logged in to Amazon in the Firefox browser. Are the encrypted digits stored on the computer somewhere? How else would what you type follow exactly where you finished previously? How does it carry across from one browser to another?
     
  3. erikloman

    erikloman Developer

    The UI shows the visible windows, not the running tasks. So I think this is correct.
     
  4. SanyaIV

    SanyaIV Registered Member

    It still protects the other processes though, right? Perhaps it would be beneficial to list the number of processes rather than windows protected? Just my personal opinion.
     
  5. erikloman

    erikloman Developer

    That number only indicates the number of applications (= process with dialog) it is going to close and restart. Not the amount of processes it is protecting. But I can see why it is confusing. Expect it to change in an upcoming build.
     
  6. malware1

    malware1 Registered Member

    Shouldn't it be changed to "active windows" then? I think it's really confusing.

    Edit: Missed the message above. Then what are you going to do? Rename it to "windows" (this would mean that I need to update the translation once more) or start to calculate the number of processes?
     
  7. Ashanta

    Ashanta Registered Member

    @erikloman :

    I sent you 2 PM, please check it, thank you !
     
  8. XhenEd

    XhenEd Registered Member

    Question: Will the Active Vaccination not conflict with Kaspersky products?
    Active vaccination fools all processes by letting them believe that they are in a sandbox. And so, sandbox-aware malware will auto-stop.
    However, Kaspersky has a technology that does the opposite of active vaccination of HMP.A. Kaspersky wants the files to run in an emulated environment to be tested and let them believe that they are in a "real" environment.

    Source: http://www.kaspersky.com/about/news...-lab-patents-emulation-enhancement-technology


    Also, a good read: http://allcompanies.website/2015/09...combating-drugs-bypass-anti-virus-protection/
    And, http://webcache.googleusercontent.c...-counter-anti-malware-evasion-techniques.aspx



    Do I misunderstand both? Will they coexist peacefully without conflicts? I really hope so. :)
     
    Last edited: Oct 20, 2015
  9. DouweG

    DouweG Registered Member

    I gave up on using Bitdefender 2016 on my Windows 10 64-bit PC. I had many BSODs.
    By using Verifier I found that the blue screens may have been caused by AVC3.sys, which is a main part of Bitdefender.
    Installing the free month of the new ESET 9.0 might give more answers. So I hope that this software doesn't crash. But it is still too early to tell.
    Firstly I noticed that ESET Safe Banking doesn't work now. The ESET Safe Banking browser will not open.

    HMPA and ESET Safe Banking don't work together:
    https://forum.eset.com/topic/5480-cannot-use-banking-protection-in-ess-v9/
    In HMPA I excluded all .exe files from ESET with no result.
    In HMPA I disabled keystroke encryption with no result.
    The ESET Safe Banking browser doesn't react at all (in a viewable way).
    Only uninstalling HMPA makes that browser work.

    Marcos from ESET says:
    It's not clear yet if it will be possible to make B&PP compatible with all the mentioned antikeyloggers in future versions.

    So is there anything that can be done to keep HMPA and still use the ESET Safe Banking browser?
    Or is using such a browser completely unnecessary or foolish when using HMPA (I could use Safepay from Bitdefender together with HMPA)?
     
    Last edited: Oct 21, 2015
  10. Adric

    Adric Registered Member

    Unexpected alert while reading an MS KB article. Other than reading the text, I did a copy of the KB title to the clipboard. I could not reproduce the error.
    Code:
    Mitigation  DEP
    
    Platform  6.3.9600/x86 06_17*
    PID  3696
    Application  C:\Toolbx\Firefox\firefox.exe
    Description  Firefox 41.0.1
    
    EIP = 0C9E0010, State = 0x1000, Type = 0x20000, Protect = 0x4
    
    Stack Trace
    #  Address  Module  Location
    -- -------- ------------------------ ----------------------------------------
    1  0FED04BC xul.dll  ??0JSAutoStructuredCloneBuffer@@QAE@XZ
      8b442434  MOV  EAX, [ESP+0x34]
      83c420  ADD  ESP, 0x20
      85c0  TEST  EAX, EAX
      0f8543474e00  JNZ  0x103b4c0e
      8d8c24b8000000  LEA  ECX, [ESP+0xb8]
      e806030000  CALL  0xfed07dd
      8d4c2438  LEA  ECX, [ESP+0x38]
      e8b4000000  CALL  0xfed0594
      84c0  TEST  AL, AL
      7506  JNZ  0xfed04ea
      38442448  CMP  [ESP+0x48], AL
      7571  JNZ  0xfed055b
      8b0e  MOV  ECX, [ESI]
      56  PUSH  ESI
      e817dee4ff  CALL  0xfd1e309
      8bc8  MOV  ECX, EAX
    
    2  0FF35C0F xul.dll  ?proxy_GetProperty@js@@YA_NPAUJSContext@@V?$Handle@PAVJSObject@@@JS@@1V?$Handle@Ujsid@@@4@V?$MutableHandle@VValue@JS@@@4@@Z
    3  1031A7C6 xul.dll  ??4ContextOptions@JS@@QAEAAV01@ABV01@@Z
    4  0FD2C43C xul.dll  ??1ElementAdder@js@@QAE@XZ
    5  101D7E73 xul.dll  ?JS_BasicObjectToString@@YAPAVJSString@@PAUJSContext@@V?$Handle@PAVJSObject@@@JS@@@Z
    6  0FD2C3F3 xul.dll  ??1ElementAdder@js@@QAE@XZ
    7  0FF34835 xul.dll  ?proxy_GetProperty@js@@YA_NPAUJSContext@@V?$Handle@PAVJSObject@@@JS@@1V?$Handle@Ujsid@@@4@V?$MutableHandle@VValue@JS@@@4@@Z
    8  1031A7C6 xul.dll  ??4ContextOptions@JS@@QAEAAV01@ABV01@@Z
    9  0FD2C43C xul.dll  ??1ElementAdder@js@@QAE@XZ
    10 0FE4A94C xul.dll  ?GetFunctionNativeReserved@js@@YAABVValue@JS@@PAVJSObject@@I@Z
    
    Process Trace
    1  C:\Toolbx\Firefox\firefox.exe [3696]
    "C:\Toolbx\Firefox\firefox.exe" -osint -url "http://support.microsoft.com/kb/3034348"
    
    2  C:\Windows\explorer.exe [1740]
    3  C:\Windows\System32\userinit.exe [1664]
    
     
  11. denniz

    denniz Registered Member

    Not sure why, because Spotify Desktop v1.0.16 isn't even in the protected list of HMPA, but since today I'm getting the following alert, even though I've been running this version of Spotify for a couple of days now:

    Code:
    Mitigation   Anti-VM
    
    Platform     10.0.10240/x64 6f_13
    PID          8700
    Application  C:\Users\useraccount\AppData\Roaming\Spotify\Spotify.exe
    Description  Spotify 1.0.16
    
    VMware
    Process Trace
    1  C:\Users\useraccount\AppData\Roaming\Spotify\Spotify.exe [8700]
    2  C:\Windows\explorer.exe [4320]
    3  C:\Windows\System32\userinit.exe [4272]
    
    I'm running HMPA v3.0.57 build 207 on Windows 10 Pro x64 without a virtual machine.
    Here's the download for Spotify: http://upgrade.spotify.com/upgrade/client/win32-x86/spotify_installer-1.0.16.104.g3b776c9e-267.exe
     
    Last edited: Oct 20, 2015
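The two reports pasted in the posts above (the DEP alert from Firefox and the Anti-VM alert from Spotify) share one text layout: a header of `Mitigation`/`Platform`/`PID`/`Application`/`Description` fields, an optional `EIP = ..., State = ..., Type = ..., Protect = ...` line, an optional `Stack Trace` table with indented disassembly under each frame, and a `Process Trace` whose entries may be followed by a quoted command line. As an added example (it is not code from this thread, from the HitmanPro.Alert product or from SurfRight), here is a small Python parser for that layout, plus a decoder for the `State`/`Type`/`Protect` values. The regular expressions are inferred from just these two samples and are therefore an assumption about the format; the `MEM_*` and `PAGE_*` constants are the standard Win32 `MEMORY_BASIC_INFORMATION` values.

```python
"""Parse HitmanPro.Alert report text (format inferred from the two posts above). Added example."""
import re
import textwrap
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional

# Standard Win32 MEMORY_BASIC_INFORMATION values reported on the "EIP = ..., State = ..." line.
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

# Assumed layout, derived from the two sample reports only.
HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description)\s{2,}(.+)$")
MEMORY_RE = re.compile(r"\b(EIP|RIP|State|Type|Protect)\s*=\s*(?:0x)?([0-9A-Fa-f]+)")
FRAME_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8,16})\s+(\S+)\s+(.*)$")  # "1  0FED04BC xul.dll  symbol"
PROC_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")                       # "2  C:\Windows\explorer.exe [1740]"

Frame = NamedTuple("Frame", [("index", int), ("address", int), ("module", str), ("location", str)])

@dataclass
class ProcessEntry:
    index: int
    path: str
    pid: int
    command_line: Optional[str] = None  # the quoted command line that may follow an entry

@dataclass
class Alert:
    fields: Dict[str, str] = field(default_factory=dict)  # Mitigation, Platform, PID, Application, Description
    memory: Dict[str, int] = field(default_factory=dict)  # EIP/State/Type/Protect (DEP alerts only)
    detail: Optional[str] = None                          # free-text line such as "VMware"
    stack: List[Frame] = field(default_factory=list)
    process_trace: List[ProcessEntry] = field(default_factory=list)

def parse_alert(text: str) -> Alert:
    """Walk the report line by line; 'Stack Trace' and 'Process Trace' switch sections."""
    alert, section = Alert(), "header"
    for raw in textwrap.dedent(text).splitlines():
        key = raw.strip()
        if not key:
            continue
        if key in ("Stack Trace", "Process Trace"):
            section = key.split()[0].lower()
        elif section == "header":
            if (m := HEADER_RE.match(key)):
                alert.fields[m.group(1)] = m.group(2).strip()
            elif MEMORY_RE.search(key):
                alert.memory.update({k: int(v, 16) for k, v in MEMORY_RE.findall(key)})
            else:
                alert.detail = key
        elif section == "stack":
            # Frame rows start at column 0; indented disassembly rows and the '#'/'--' header rows do not match.
            if (m := FRAME_RE.match(raw.rstrip())):
                alert.stack.append(Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4).strip()))
        elif (m := PROC_RE.match(key)):
            alert.process_trace.append(ProcessEntry(int(m.group(1)), m.group(2), int(m.group(3))))
        elif alert.process_trace:
            alert.process_trace[-1].command_line = key
    return alert

def describe_memory(alert: Alert) -> Optional[str]:
    """Decode State/Type/Protect of the page EIP pointed into; None if the alert has no such line."""
    mem = alert.memory
    if "Protect" not in mem:
        return None
    return ", ".join([MEM_STATE.get(mem.get("State"), "unknown state"), MEM_TYPE.get(mem.get("Type"), "unknown type"),
                      PAGE_PROTECT.get(mem["Protect"] & 0xFF, "unknown protection")])

# Report text copied from the two posts above (DEP stack trace abridged to its first frame).
DEP_ALERT = r"""
    Mitigation  DEP
    Platform  6.3.9600/x86 06_17*
    PID  3696
    Application  C:\Toolbx\Firefox\firefox.exe
    Description  Firefox 41.0.1
    EIP = 0C9E0010, State = 0x1000, Type = 0x20000, Protect = 0x4
    Stack Trace
    #  Address  Module  Location
    1  0FED04BC xul.dll  ??0JSAutoStructuredCloneBuffer@@QAE@XZ
      8b442434  MOV  EAX, [ESP+0x34]
    Process Trace
    1  C:\Toolbx\Firefox\firefox.exe [3696]
    "C:\Toolbx\Firefox\firefox.exe" -osint -url "http://support.microsoft.com/kb/3034348"
    2  C:\Windows\explorer.exe [1740]
    3  C:\Windows\System32\userinit.exe [1664]
"""
ANTIVM_ALERT = r"""
    Mitigation   Anti-VM
    Platform     10.0.10240/x64 6f_13
    PID          8700
    Application  C:\Users\useraccount\AppData\Roaming\Spotify\Spotify.exe
    Description  Spotify 1.0.16
    VMware
    Process Trace
    1  C:\Users\useraccount\AppData\Roaming\Spotify\Spotify.exe [8700]
    2  C:\Windows\explorer.exe [4320]
"""
```

Calling `describe_memory(parse_alert(DEP_ALERT))` gives `MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE`: the faulting EIP sat in a committed, private page that was writable but not marked executable, which is exactly the condition the DEP mitigation reports on. The Anti-VM report has no memory line at all; for it `describe_memory` returns `None` and the only extra information is the free-text `VMware` line, which the parser keeps in `Alert.detail`. Splitting the two alert kinds this way is what makes a triage script able to treat "code ran from a non-executable page in xul.dll" and "a media player asked whether it is in a VM" as the different events they are.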
  12. L10090

    L10090 Registered Member

  13. erikloman

    erikloman Developer

    HitmanPro.Alert 3.0 Build 208

    Changelog
    • Fixed compatibility with Spotify 1.0.16.
    Existing users are automatically updated.
     
  14. erikloman

    erikloman Developer

    HitmanPro.Alert 3.1 Build 324 BETA

    Changelog
    • Improved keystroke encryption modifier key handling
    • Fixed compatibility with Spotify 1.0.16
    • Added Danish language
    • Updated Polish language
    Existing 3.1 beta users are automatically updated to this beta.
     
  15. Krusty

    Krusty Registered Member

    Updated on my Win7 x64 machine without issue.
    Successfully updated on my Win10 x64 machine.

    Nice!
     
  16. XhenEd

    XhenEd Registered Member

  17. denniz

    denniz Registered Member

  18. erikloman

    erikloman Developer

    The vaccination feature in Alert is entirely different and will not conflict with Kaspersky.
    We took a similar, though more advanced, approach to this:
    https://community.rapid7.com/commun.../vaccinating-systems-against-vm-aware-malware

    Hope this helps.
     
  19. L10090

    L10090 Registered Member

    W7-x64:
    The auto update from 3.0 build 207 to 208 and the update from 3.1 build 323 to 324 both went fine, no issues so far.

    Note: The "shift key encryption issue" is now 'solved'
     
  20. XhenEd

    XhenEd Registered Member

  21. Peter2150

    Peter2150 Global Moderator

    Both the released and beta versions updated here with no issues. Looking really good.
     
  22. SanyaIV

    SanyaIV Registered Member

    Feature request: Good old "Check for updates" button to manually search for new updates instead of waiting for it to automatically do it. :) (Unless there is one and I'm missing it)
     
  23. Stupendous Man

    Stupendous Man Registered Member

    It's in the HMPA system tray icon.
    If you right-click it, there's the option "Check for update".
     
    Last edited: Oct 21, 2015
  24. SanyaIV

    SanyaIV Registered Member

    Thanks, although it seems like that is set to "No updates available" if no updates are found (Had no internet on system start which means it didn't find the update) so then a new feature request: Make that clickable to check again, so have it say something like "No updates available (Check again)" :)
     
  25. erikloman

    erikloman Developer

    Wait 5 minutes for it to re-enable.
     