HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    The exploit technique performed using system() in msvcrt requires an older version of msvcrt.dll than 7.0.9600.17415. If your system is up-to-date, you currently cannot perform this exploit test. We'll update the tester to be a bit more informative about this. Thanks!
     
  2. Cch123

    Cch123 Registered Member

    Joined:
    Oct 27, 2013
    Posts:
    15
    Next time try encrypting it in a password protected zip file :)
     
  3. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Hi All

    Am having a problem when trying to use AxCrypt (by Axantum). When I try encrypting some miscellaneous files, i.e., Word docs, Excel, doc, .eml docs, etc. I get HMP.A popping up and intercepting the encryption process (I assume) as a malicious attack. Is there anything that I can do to get HMP.A to either accept that AxCrypt and what it is trying to do is legitimate or have it excluded from the protection.

    I appreciate that HMP.A is most probably reacting in terms of what may be construed as a ransomeware attack hence my question as to how I could indicate that it is not such an attack.

    Many thanks in anticipation.

    Regards, Baldrick
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    My understanding is that HMPA's CryptoGuard works by recognizing and blocking the encryption process, and does not take into account what application is initiating the encrypting. The answer is to just turn it off temporarily. Perhaps others can say more?
     
  5. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    This exact same issue has been mentioned in the past, disabling CryptoGuard is the only solution.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Just go to Risk Reduction (orange box) and temporarily turn of cryptoguard. Encrypt your files and then turn it back on. Also you might try doing the files one at a time(assuming you are trying multiple files) That might work.
     
  7. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Thanks Guys

    Perfect...I thought that there must be a simple answer...not sure why I did not think of it myself...doh! :confused:

    Cheers, Baldrick
     
  8. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Anyone mind explaining this one?

    Mitigation Lockdown

    Platform 10.0.10586/x64 06_3c
    PID 11580
    Application C:\Program Files (x86)\Steam\Steam.exe
    Description Steam Client Bootstrapper 1.0

    Filename C:\Program Files (x86)\Steam\steamapps\common\The Binding of Isaac Rebirth\isaac-ng.exe
    Created By C:\Program Files (x86)\Steam\Steam.exe

    Command line:
    "C:\Program Files (x86)\Steam\steamapps\common\The Binding of Isaac Rebirth\isaac-ng.exe"

    Process Trace
    1 C:\Program Files (x86)\Steam\Steam.exe [11580]
    2 C:\Windows\explorer.exe [4368]
    3 C:\Windows\System32\userinit.exe [4216]

    Thing is.. [See file: Untitled 2.png] ... and it's not even listed in "Applications" ... And I've started that game several times, even earlier today!

    Edit: Reboot solved it, probably because it cleared some cache or something that HMPA didn't know the application was downloaded.. I don't know, either way I decided to add Steam as "Browser" hoping it won't happen again... Additionally, if "Browsers" aren't affected by the "Application Lockdown" then why is it shown as enabled for browser profiles? Finding it hard to get a clear answer about these things, mostly because this feature seems awfully inconsistent in practice... Also, the fact you need to reboot to be able to launch the downloaded executable in question is kind of very infuriating, especially when it seems to be active for applications that aren't even specified to be protected...
    Wish: Proper documentation of features.
     

    Attached Files:

    Last edited: Dec 6, 2015
  9. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    130
    Location:
    Australia
    After a auto update of Daum Potplayer i got the "Attack Intercepted" below :

    Code:
    - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    - <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-12-07T02:46:55.000000000Z" />
    <EventRecordID>90781</EventRecordID>
    <Channel>Application</Channel>
    <Computer>ronald739-PC</Computer>
    <Security />
    </System>
    - <EventData>
    <Data>C:\Users\ronald739\AppData\Local\Temp\PotUpdate\PotPlayerSetup64_48.exe</Data>
    <Data>Lockdown</Data>
    <Data>Mitigation Lockdown Platform 6.1.7601/x64 06_17* PID 10716 Application C:\Users\ronald739\AppData\Local\Temp\PotUpdate\PotPlayerSetup64_48.exe Description PotPlayer Setup File Filename C:\Program Files\DAUM\PotPlayer\SetTime.exe Created By C:\Users\ronald739\AppData\Local\Temp\PotUpdate\PotPlayerSetup64_48.exe Command line: C:\Program Files\DAUM\PotPlayer\SetTime.exe C:\Program Files\DAUM\PotPlayer\ Process Trace 1 C:\Users\ronald739\AppData\Local\Temp\PotUpdate\PotPlayerSetup64_48.exe [10716] "C:\Users\RONALD~1\AppData\Local\Temp\PotUpdate\PotPlayerSetup64_48.exe" /UAC:60488 /NCRC /S /NoFLink /NoCleaner /NoHomePage /DefRun 2 C:\Users\ronald739\AppData\Local\Temp\PotUpdate\PotPlayerSetup64_48.exe [7336] "C:\Users\RONALD~1\AppData\Local\Temp\PotUpdate\PotPlayerSetup64_48.exe" /S /NoFLink /NoCleaner /NoHomePage /DefRun 3 C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe [4120] 4 C:\Windows\explorer.exe [1728] 5 C:\Windows\System32\userinit.exe [2136]</Data>
    </EventData>
    </Event>
    

    Potplayer did update.
     

    Attached Files:

  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Just as a matter of interest, is HMPA compatible with BitLocker?
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes it is. Bitlocker works at the disk level. HMPA works at the file system level.
     
  12. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Stick with the default configuration and you're fine.
    Don't add every random executable you can find to HMPA if you don't know what you're doing.
     
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    if i'm not wrong, it is already several times that you repeat that 'concept' but the 'challenge' seems to prevail :D...
     
  14. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    out-of-the-box, infact, Alert 3 (thanks to its Software Radar technology) is ready to go!...but it's useless, many fall on it...:rolleyes:
     
  15. malware1

    malware1 Registered Member

    Joined:
    May 26, 2014
    Posts:
    133
  16. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    130
    Location:
    Australia
    I have not added this myself, and do not add any random exe. This is under "Exploit Mitigation" as "Media" which is protected by HMP.A by default ?
     
    Last edited: Dec 7, 2015
  17. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    I am totally missing the purpose of this post. Please explain!
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Because I know a thing or two about this subject. Anti-exploit is quite aggressive, also depending on how it's implemented. The reason why MBAE is causing less problems, is because it injects code only into protected apps. But Mark Loman has already explained that they chose this method, because it's also used for the "risk reduction" features, but I still doubt if this is really necessary.

    No answer on this, means that it will not be offered, I assume?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I believe they inject info a bunch of the processes, so they know what is normal for the system and therefore can detect when something is injected into the browser. I like it


    I think the comments Mark did make pretty answered. It will not be offered.
     
  20. haakon

    haakon Guest

    It would seem to be a demonstration of the member's skills at formatting text.
     
  21. hitman_user

    hitman_user Registered Member

    Joined:
    Nov 25, 2015
    Posts:
    18
    his username is "test"...:D :isay:
     
  22. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    No!
    right...;)
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I was responding to your own comment, ie "I don't know the details, but I'm assuming this incompatibility is caused by the anti-exploit component".

    I get that you're unhappy with the direction of the product, but why trouble yourself?
     
  24. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    No problems with Flash 20.0.0.235 (Firefox only atm) and build 342.

    Win10 1511 build 10586.17 x64/Norton Security with Backup v22.5.5.15
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    :thumb: Thanks for the heads up about the new Flash Player.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.