HitmanPro.ALERT Support and Discussion Thread

If I turn OFF Identity Shield then the live encryption indicator displays consistently when typing in the browser. When I turn Identity Shield back ON the encryption indicator stops showing.

 

With the border set to "auto hide" if I move the window the border will briefly appear but there is no activity in the encryption indicator when typing. The only way to get the live encryption indicator to respond to keystrokes is to turn off Identity Shield in Webroot SecureAnywhere.

 

YES it does!

 

And by my observe... lack of indicator correlates to lack of encrypting. YMMV

 

Yes,.....at least I'm not hallucinating.

 

Nah, sorry..
It's still happening.
Idk; Does HMP.A log events?
I can get a screen capture of most, but not all, details. It crashed FB again.

 

But see @bjm_ post above. Hmm - maybe I didn't check thoroughly enough ... will try again.

 

Not when I tested 3.1 again now. Yet after typing some text here the Test Tool does show as attached, so I guess encryption is working? But no orange keystroke indicator.
Unless I turn off Identity Shield in WSA, then it immediately shows again. As it does when using HMP.A 3.0.

 

Oh no, My stupidity. I thought the special expired ON November 11th 2015 CST, not November 10th at 11:59 PM. Dang it.

 

Don't blame you, SurfRight deserves full price for Alert 3!

 

@ erikloman:

if you have spare time, don't forget to fix this before the finale release of 3.1 branch:

Txs in adv

 

I kindly ask the developer to add a "stop/suspend protection" feature to the menu that appear on right clicking the HMP.A icon on the tray bar.
This to temporary disable the protection.

Also adding Thunderbird email client in the exploit mitigation and/or keyboard encryption list could be interesting.

 

Feature request:
Password protection for settings and uninstalling.

 

+ 1

 

Yes, my mistake too. I thought the sale would be active through today. Perhaps they will run it again on Black Friday/Cyber Monday (hint, hint).

 

Yes, I get random evidence by Test Tool with 3.1. Operative word is random. And random for me is accompanied in approx. order with random orange bar.
I'll observe random character presentation/orange bar that is not evident when Shield is Off.
I've observed a similar number of test tool characters as displayed in your image, stopped typing, then continued typing to find no added characters. Like now I have orange bar perhaps because I have Protect set to Allow and I started session at Allow. Now, back to Protect and once again random orange.
With Identity Shield Off when I type a message like this message, test tool character presentation/orange bar offers strong convincing evidence that encryption occurred.
Type a real message, don't just bang characters. With Identity Shield On there is such a difference by test tool character presentation/orange bar character presentation. That I remain convinced 3.1 Alert steps aside for Webroot. Type more than one message with 3.0, 3.1, Identity Shield On, Off, Protect, Allow.
Alert provides man-in-the-browser protection and Webroot offers man-in-the-browser prevention.
My question as an Alert user/tester remains... is step aside solely for Keylogger Protection.
I'm simply offering my user/tester observations with 3.1.0 build 332.
Respectfully submitted,
Ran new WoW64 exploit test w Chrome 32bit

 

Question1: How may I clean install Alert. CP uninstall along with clearing out left files. New install offers pre-loaded Alert control panel. Applications, number of Alerts, Settings are as pre-uninstall.
Where does Alert config reside.

Question2: I did clean install 3.0 after moving C:\Windows\CryptoGuard folder to recycle bin. 20 or so files with different Date modified.
I've been told Alert saves backup of certain files for future "what if".
When/How does this backup occur. CryptoGuard folder is empty after install.

 

Hi @erikloman,
Another ROP, got this one opening a PDF file from my desktop (Windows 10 Pro x64, Foxit Reader 7.2.2.929).
Disabling ROP for Foxit did the trick for now.

Code:

Mitigation   ROP

Platform     10.0.10240/x64 06_5e
PID          2752
Application  C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FOXITREADER.EXE
Description  Foxit Reader 7.2

Branch Trace                      Opcode  To                             
-------------------------------- -------- --------------------------------
GetHotPatchInfo                       RET GetHotPatchInfo                
0x6C866DE9 SS2OSD.dll                     0x6C85326C SS2OSD.dll          

GetHotPatchInfo                       RET GetHotPatchInfo                
0x6C86717C SS2OSD.dll                     0x6C866DE6 SS2OSD.dll          

InterlockedIncrement +0x11            RET GetHotPatchInfo                
0x77647531 kernel32.dll                   0x6C853202 SS2OSD.dll          

LoadLibraryA +0x5                   * RET GetHotPatchInfo                
0x7764D8D5 kernel32.dll                   0x6C852BB0 SS2OSD.dll          
            55                       PUSH         EBP
            8bec                     MOV          EBP, ESP
            83e4f8                   AND          ESP, -0x8
            6aff                     PUSH         -0x1
            686eda876c               PUSH         DWORD 0x6c87da6e
            64a100000000             MOV          EAX, [FS:0x0]
            50                       PUSH         EAX
            64892500000000           MOV          [FS:0x0], ESP
            51                       PUSH         ECX
            a1742e896c               MOV          EAX, [0x6c892e74]
            a801                     TEST         AL, 0x1
            752c                     JNZ          0x6c852c01
            83c801                   OR           EAX, 0x1
            a3742e896c               MOV          [0x6c892e74], EAX
            6a00                     PUSH         0x0
            c744241000000000         MOV          DWORD [ESP+0x10], 0x0
                                 (54CFC3DFAD8EE718)


0x008F501C FoxitReader.exe            RET 0x009373C4 FoxitReader.exe     

0x008F4E6F FoxitReader.exe            RET 0x008F5018 FoxitReader.exe     

0x008F3B8E FoxitReader.exe            RET 0x008F4E6B FoxitReader.exe     

0x008F8FD1 FoxitReader.exe            RET 0x008F3B8C FoxitReader.exe     

0x008F8D66 FoxitReader.exe            RET 0x008F8FD0 FoxitReader.exe     

0x008F8DC4 FoxitReader.exe            RET 0x008F8D61 FoxitReader.exe     

0x006AF21A FoxitReader.exe            RET 0x008F8DC2 FoxitReader.exe     

RtlFreeHeap +0x2f                     RET 0x006AF1FD FoxitReader.exe     
0x7790C72F ntdll.dll                                                     

wcstok_s                              RET RtlFreeHeap +0x2c              
0x7794C65B ntdll.dll                      0x7790C72C ntdll.dll           

RtlFreeHeap +0x135                    RET wcstok_s                       
0x7790C835 ntdll.dll                      0x7794C63A ntdll.dll           

RtlFreeHeap                           RET RtlFreeHeap +0xe1              
0x7790CBCD ntdll.dll                      0x7790C7E1 ntdll.dll           

0x008F3FA5 FoxitReader.exe            RET 0x008F4E64 FoxitReader.exe     

0x008FB2A2 FoxitReader.exe            RET 0x008F3F9E FoxitReader.exe     

0x008FB2A2 FoxitReader.exe            RET 0x008F3F8C FoxitReader.exe     

0x008F3B78 FoxitReader.exe            RET 0x008F3F79 FoxitReader.exe     

0x008F8E62 FoxitReader.exe            RET 0x008F3B60 FoxitReader.exe     

0x008F8BEE FoxitReader.exe            RET 0x008F8E60 FoxitReader.exe     

0x008F8D84 FoxitReader.exe            RET 0x008F8BAE FoxitReader.exe     

0x006B28DC FoxitReader.exe            RET 0x008F8D82 FoxitReader.exe     

RtlAllocateHeap +0x2b                 RET 0x006B2894 FoxitReader.exe     
0x7790DABB ntdll.dll                                                     

RtlAllocateHeap +0x147                RET RtlAllocateHeap +0x28          
0x7790DBD7 ntdll.dll                      0x7790DAB8 ntdll.dll           

RtlAllocateHeap                       RET RtlAllocateHeap +0x118         
0x7790DEF7 ntdll.dll                      0x7790DBA8 ntdll.dll           

0x008F8DF0 FoxitReader.exe            RET 0x008F8E42 FoxitReader.exe     

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  6C855217 SS2OSD.dll               GetHotPatchInfo
            85c0                     TEST         EAX, EAX
            7461                     JZ           0x6c85527c
            0fb64608                 MOVZX        EAX, BYTE [ESI+0x8]
            8b4e04                   MOV          ECX, [ESI+0x4]
            8801                     MOV          [ECX], AL
            0fb64609                 MOVZX        EAX, BYTE [ESI+0x9]
            8b4e04                   MOV          ECX, [ESI+0x4]
            884101                   MOV          [ECX+0x1], AL
            0fb6460a                 MOVZX        EAX, BYTE [ESI+0xa]
            8b4e04                   MOV          ECX, [ESI+0x4]
            884102                   MOV          [ECX+0x2], AL
            0fb6460b                 MOVZX        EAX, BYTE [ESI+0xb]
            8b4e04                   MOV          ECX, [ESI+0x4]
            884103                   MOV          [ECX+0x3], AL
            0fb6460c                 MOVZX        EAX, BYTE [ESI+0xc]
            8b4e04                   MOV          ECX, [ESI+0x4]


Process Trace
1  C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe [2752]
"C:\PROGRAM FILES (X86)\FOXIT SOFTWARE\FOXIT READER\FOXITREADER.EXE" "C:\Users\Richard\Desktop\1DF_Invoice_1418964.pdf"
2  C:\Windows\explorer.exe [3800]
3  C:\Windows\System32\userinit.exe [8144]
4  C:\Windows\System32\winlogon.exe [4396]
C:\Windows\System32\WinLogon.exe -SpecialSession
5  C:\Windows\System32\smss.exe [2728]
\SystemRoot\System32\smss.exe 000000f8 00000074 C:\Windows\System32\WinLogon.exe -SpecialSession

 

I think this MAY not be helped due to how the Identity Shield works. We are still investigating.

Your ROPs are all caused by one single component: SS2OSD.dll
That component is performing a ROP. Maybe you can update it?
As stated above, we will whitelist this ROP in the next build.

 

Ah, again. Sorry I didn't read and just dumped it here.
Asus released a beta of the new suite yesterday. I'll test to see if it solves it.

 

Hello!

I´m using the latest stable version of HitmanPro.Alert (3.0.59 build 209) and I wonder why the new Exploit-Test-Tool says that I´m already protected against the new Wow64-Exploit?

I was assuming that only the new betaversions are able to protect against these new attacks. Any ideas?

Kind regards

 

Being in business for a long time, my recommendation is not to install any of the bundled software, that comes with mainboards.
ASUS AI-suite 3 is another example for causing issues, that you do not expect.
Just install the latest drivers, and you should be fine.

Issues with bundled software are present across all brands, especially on notebooks.

 

Alert might catch it still on the WinExec("calc.exe"), but not on the original memory allocation;

 

I, too, got burned by this detail. I had it on my Outlook to remind me to make the purchase on November 10 (to beat the November 11 deadline) and I went to do it around 7PM Eastern Time. But the link was already dead (led to an error message).

In future, it might help to indicate both the hour and the time zone when an offer expires. To minimize the potential for confusion, some vendors will even say that it expires at "11:59 PM" on such-and-such a date in such-and-such a time zone.

 

@JEAM:
Don't blame Surfright, for not having a countdown timer.
Blame yourself, for not getting the deal, while you can.