HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
  2. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    HMPA should have protection against this anti-ROP bypass since v3.1, as it was one of the anti-ROP bypass techniques that I shared privately with SurfRight back in June 2015.

    The sample that @r41p41 analyzed in his blog looks to use the same anti-ROP bypass technique described earlier in a blog post of FireEye [link].
    FireEye noticed the first use of that exploit - which used that syscall anti-ROP bypass technique - on 11/26/2015 [link]. As a "coincidence", SurfRight burned (published) the exact same technique on their blog on 11/10/2015 [link] (the technique is mentioned under "Attack #1").

    This might just be a coincidence, but I am only aware of 1 instance (from 2012) in which a researcher published about bypassing EMET using the ZwProtectVirtualMemory syscall, and up to the FireEye EPS blog post I had not seen any documented cases of it being used in the wild. So I hope that SurfRight's blog post was not a source of inspiration for the developer of that CVE-2015-2545 exploit.
     
    Last edited: Feb 6, 2016
  3. rs11

    rs11 Registered Member

    Joined:
    Jun 23, 2009
    Posts:
    52
    I have HMP.A and SpyShelter Firewall; both have keystroke encryption. Will they conflict, or is it okay to run both?
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Have you turned on the colored border and live keystroke encryption indicator in HMPA? You should be able to observe if HMPA is encrypting keystrokes.
     
  5. PeZzy

    PeZzy Registered Member

    Joined:
    Apr 2, 2011
    Posts:
    56
    Since installing this version, update checks are always failing - "Check for update has failed. Trying again in 120 minutes."
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    That is normal behavior. Maybe we should make it an informational message.
     
  7. BeltandSuspenders

    BeltandSuspenders Registered Member

    Joined:
    Feb 4, 2016
    Posts:
    3
    That is why I posted to the HMP.A thread, who better than HMP.A testing experts to root out security weaknesses, vulnerabilities and incompatibilities. MBARW is an early beta product and currently offered at no cost.

    If HMP.A protections can be targeted and bypassed then MBARW may be valued as a potential backup, provided the two do not conflict. Given that crypto ransomware has become such a menace all possible protections should be welcome.
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Fair enough. There may be users who are willing to give that configuration a try. I'm not setup for it at the moment (virtual machine, etc), but I'm interested in what you learn.
     
  9. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Looks like this is breaking Lightning Returns, a PC Steam game.

    The reason I believe so is the following.

    1 - the game has a blue border round it if I play in windowed mode.
    2 - when I launch it I see the blue notifier appear, but it's very brief; it disappears very quickly so I cannot read what it says.

    I tried excluding lrff13.exe but to no success.

    OK, it seems unchecking the application lockdown for the Steam client stops games being interfered with, but now it no longer protects the steamwebhelper client (which is a web browser). Any tips on how to get steamwebhelper protected without application lockdown on the Steam client?
     
  10. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    @erikloman - any chance this might be addressed in a future release? It's super annoying, and still occurs with build *.357.

     
  11. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Can't confirm ALT+TAB issue.
    ALT+TAB is working like it should and always did.

    But I'm using WIN8.1, not WIN10
     
  12. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    Strange. I decided to upgrade to "HitmanPro.Alert 3.1.7 Build 357" today as others have said it seems to be a decent build, but my "licence expires in..." count suddenly changed for no reason during the upgrade from 12 days to 120 days and then back to 12 days after 3 reboots just to make sure I wasn't going mad!!!

    I cannot think of a reason why this may have happened?? Everything else seems to be working fine and I've done as much testing with this build as I can think of on W8.1 Pro x64.

    Has anyone else experienced this weird behaviour with this build?
     
  13. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    HMP.A 3.1.7 build 357
    Windows 8.1 Home 64-bit - Clean Install
    • AppGuard 4.3.9.1
    • Sandboxie 5.07.6
    • NoVirusThanks Exe Radar Pro 3.1.0.0
    • Adguard 6.0.188.974
    • Windows Firewall Control 4.6.0.0
    No conflicts with any of the above after weeks of running the various HMP.A beta builds.

    The Safety Notification > Colored Window Border can misbehave with various softs; a GUI issue and not a protection issue.

    Other than that, I have experienced no major problems on my specific system.
     
  14. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    Someone else already confirmed it earlier in the thread (they're also on Win10). I just wanted to make sure @erikloman was aware because it's still occurring.

    *EDIT* It appears *.357 also breaks VirtualBox 5.0.14. I have no problems at all with the current stable release (*.351) or the previous beta, but with *.357 I can't start a VM. The issue occurs regardless of whether or not the PC has been rebooted after install.

    To reproduce:
    install HMP.Alert beta *.357
    try to start a VM in VirtualBox
    uninstall HMP.Alert and reboot to get VMs working again
     
    Last edited: Feb 9, 2016
  15. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Out of curiosity, does HMP.A protect against this?
     
  16. max2

    max2 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    374
    Are you supposed to run and install HitmanPro and HitmanPro.Alert together?
     
  17. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Having some issues with crashes in multimedia apps and games; will do some testing with HMPA uninstalled to see if it is related.

    I think the crashes are unrelated. I have confirmed this in regards to the game, but not Windows Media Player yet.
     
    Last edited: Feb 9, 2016
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    In the HitmanPro.Alert UI if you click the "Scan" button it will download and install HitmanPro.
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Are you running other security products? Or just Alert?
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Media Player Classic is notoriously incompatible with mitigations. It could also be a specific DRM codec causing an issue (we covered most, but we could have missed one). Looking forward to seeing your investigation.
     
  21. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    Alert + ESS 9
     
  22. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    MPC doesn't crash, but the OS-shipped WMP has had some memory-address-related crashes.

    Given I don't normally use the shipped WMP I may never do a full investigation; I have already changed the assigned media program to either VLC or MPC-HC depending on the media type. Neither of those two has been crashing.

    For the game in question I was double-hooking DLLs, which isn't usual practice. I initially thought it was HMPA as it was a memory read error, but the same issue occurs with HMPA uninstalled, and doesn't occur with only single hooking regardless of whether HMPA is installed or not. So HMPA is fine on that.

    Any solution to get steamwebhelper mitigated without mitigating games launched by Steam?
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Is this an executable with a GUI? If yes, then add it via Running Applications. If not, then you could add a registry key. It's pretty straightforward.
    There will likely be a manual add option in v3.5 (point to executable).
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That doesn't seem to be a true exploit, so it's out of HMPA's scope.
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I will need to do the registry key route as it doesn't have its own GUI. Do you have some steps to do this, please?

    Good news regarding 3.5 :)
     