HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Is the crash reproducible if you re-enable the mitigations on the Office apps?

    Regarding Outlook you can add it manually. Run Outlook, click on the Exploit Mitigation tile in HMPA advanced interface, select "Running applications", and you should see Outlook.exe in the list under "Not Protected". Use the Office template.
     
    Last edited: Mar 6, 2016
  2. cavehomme

    cavehomme Registered Member

    Joined:
    May 19, 2010
    Posts:
    137
    Location:
    Alps
    I have since both reset then re-installed .alert and today re-enabled full protection, I will let you know if there are any more problems.

    For Outlook 2010, I guessed that it was omitted deliberately because there may be some stability issues or fine-tuning of settings required? Even after re-install it does not auto-detect Outlook. I will enable it but would like to be aware of why it does not auto-detect and if you have any suggestions for a stable existence, or is Office default setting fine, as you suggest?
     
  3. cavehomme

    cavehomme Registered Member

    Joined:
    May 19, 2010
    Posts:
    137
    Location:
    Alps
    I have a question regarding .alert and the claim to provide "safe browsing". In simple terms, does it offer some isolation of the browser session from malware that might already be residing undetected on the PC, for example through detection of keyloggers which I know is a function of .alert? Or does it mainly focus like Sandboxie in some ways in helping keep the bad stuff out?

    The reason for my question is that I'm trying to get more of an understanding of whether .alert can be a replacement for a standalone tool such as Safepay from Bitdefender which although it creates a kind of virtual container, still uses a version of Chrome in the free version that's nearly 2 years old! I know I'm not comparing like with like exactly, but how much protection does .alert offer against intercepting / watching say an online banking session, other than encrypting keystrokes?
     
  4. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    yes...even if 'isolation' isn't the proper term (definition?).
    Safe Browser should be interpreted as a kind of alarm that alerts you about compromised surfing (it's a sort of defence ex-post)...

    no, absolutely

    I don't know Safepay but anyway I'll rely solely on Surfright software...
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    .... and presume, Windows Defender + Windows Firewall ....
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I don't know why HMPA didn't pick up Outlook automatically in your case; it did on my two systems. I'm not aware of the need for special settings. If I needed to add it manually I would just use the Office template. Individual mitigations, etc., can be toggled manually afterward if necessary.

    Regarding Bitdefender Safepay, when I last tried it, it did not allow browser plugins. Of course that is part of its protection philosophy, but I find that too restrictive.
     
  7. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    HitmanPro.Alert alerted me of webcam access that came from a legitimate anti-theft software. I hope there's a way for HMP.A not to interfere because that alert might just cause my laptop to be in danger more.
    What happened was that I tried to test (simulate) Prey to see if it was operational. Then, when it activated, HMP.A alerted me that Prey wants to access the webcam. The problem is when my laptop would really be stolen. If the thief would be aware of Prey because of HMP.A's alert, then finding my laptop might get more difficult.

    Is there anything I can do?
     
    Last edited: Mar 8, 2016
  8. Cibb

    Cibb Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    1
    Problems with HitmanPro.Alert 3.0 Build 360 + Tom Clancy's The Division (Ubisoft)
    (Sorry, my English is bad)

    Hi, ...

    I'm using HitmanPro.Alert 3.0 Build 360 on 3 PCs (Windows 10 Pro X64)

    If I have HitmanPro.Alert 3.0 Build 360 installed, I could not play Tom Clancy's The Division on all 3 PCs.

    Starting the game, logging in, .... and in-game I can't do anything. If I use my keyboard: no moving by pressing WASD, no interactions, ... nothing happens by pressing a key.

    I have tried to disable all possible features ... (incl. "Keystroke Encryption") really ALL features are disabled
    I have tried to set all executables from Tom Clancy's The Division (incl. Ubisoft-Launcher) on the exceptions list

    Nothing happens! Further (Ingame) no moving by pressing WASD, no interactions, ... nothing happens by pressing a key.

    The only working solution was uninstalling HitmanPro.Alert 3.0 Build 360

    The error is repeatable
     
  9. Fingol

    Fingol Registered Member

    Joined:
    Jun 10, 2013
    Posts:
    55
    Location:
    UK
    HMPA is blocking the latest version of Keepass that was released today. Install was fine but can't run the program.
    Have gone back to the previous version of Keepass.
    HMPA 3.1.8 build 360
    Keepass version being blocked 2.32
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What is the message?
     
  11. Fingol

    Fingol Registered Member

    Joined:
    Jun 10, 2013
    Posts:
    55
    Location:
    UK
    Sorry. Is this too much? I'll delete if so.
    Attack intercepted. Keepass 2.32 has been terminated to prevent execution of malicious code.
    Mitigation Caller Check
    Platform 10.0.10586/x64 06_25
    PID 6276
    Application C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
    Description KeePass 2.32

    Callee Type CreateProcess
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFD94ECC9E6 KernelBase.dll CreateProcessW +0x66
    2 00007FFD974C3B53 kernel32.dll CreateProcessW +0x53

    3 00007FFD14BBA916 (anonymous; clr.dll)
    488b9588000000 MOV RDX, [RBP+0x88]
    c6420c01 MOV BYTE [RDX+0xc], 0x1
    48bae4051574fd7f0000 MOV RDX, 0x7ffd741505e4
    833a00 CMP DWORD [RDX], 0x0
    7406 JZ 0x7ffd14bba936
    ff154262595f CALL QWORD [RIP+0x5f596242]
    8bf0 MOV ESI, EAX
    e8e391ca5e CALL 0x7ffd73863b20
    85f6 TEST ESI, ESI
    0f95c1 SETNZ CL
    0fb6c9 MOVZX ECX, CL
    898d94000000 MOV [RBP+0x94], ECX
    488b8dd8000000 MOV RCX, [RBP+0xd8]
    4885c9 TEST RCX, RCX

    4 00007FFD14BB5CD8 (anonymous; clr.dll)
    5 00007FFD14BB5928 (anonymous; clr.dll)
    6 00007FFD14BB537F (anonymous; clr.dll)
    7 00007FFD14BB4DEE (anonymous; clr.dll)
    8 00007FFD14BB1095 (anonymous; clr.dll)
    9 00007FFD14BB0C30 (anonymous; clr.dll)
    10 00007FFD1499A507 (anonymous; clr.dll)

    Process Trace
    1 C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [1884]
    2 C:\Windows\explorer.exe [3504]
    3 C:\Windows\System32\userinit.exe [3344]
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    BTW, I have another question. Isn't it true that it doesn't matter if reflective code injection is used to inject code into the browser, HMPA should always be able to detect API hooking, correct?

    https://github.com/stephenfewer/ReflectiveDLLInjection
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Did you add KeePass to the exploit protection list? If so, you need to remove it, it doesn't need exploit protection.
     
  14. Fingol

    Fingol Registered Member

    Joined:
    Jun 10, 2013
    Posts:
    55
    Location:
    UK
    I didn't add it. It was already there as far as I can remember. Never caused a problem until now.
     
  15. hitman_user

    hitman_user Registered Member

    Joined:
    Nov 25, 2015
    Posts:
    18
    I can not confirm this behaviour, keepass 2.32 works fine with hmpA!
     
  16. Fingol

    Fingol Registered Member

    Joined:
    Jun 10, 2013
    Posts:
    55
    Location:
    UK
    Hmm don't know why it dislikes mine then. Is yours guarded under exploit mitigation?
     
  17. FLX

    FLX Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    2
    Hey,

    I can not confirm this kind of problem.
    I was running the trial for a few days and everything worked fine.
    Today I bought HMPA and the game is still running fine. I have all features enabled.
    I am running Win10 Pro X64 also. HMPA is Version 3.1.8 build 360.

    However, I had a big issue with MSI Afterburner and RivaTuner on this game. The game was freezing when I pressed a key on the keyboard; after I stopped pressing the key the game continued. Maybe you are using these programs also to watch your GPU temperature in-game?
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    OK, so has the problem been fixed when you removed it?
     
  19. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    KeePass is added by Alert to Other. Why wouldn't I want master password encryption? Why wouldn't I want KeePass in Other? Enpass is also added by Alert to Other. Why don't KeePass and Enpass need exploit protection..? Each has a desktop client with a browser extension.
     
    Last edited: Mar 10, 2016
  21. PeZzy

    PeZzy Registered Member

    Joined:
    Apr 2, 2011
    Posts:
    56
    I am able to play "The Division", but I have been crashing a considerable amount today. Only one error in event viewer related to the game...

    Faulting application name: TheDivision.exe, version: 1.0.0.0, time stamp: 0x56d052b7
    Faulting module name: hmpalert.dll, version: 3.1.8.360, time stamp: 0x56cdc923
    Exception code: 0xc00000fd
    Fault offset: 0x000000000000c6a3
    Faulting process id: 0x89c
    Faulting application start time: 0x01d17a9c64fd70ca
    Faulting application path: C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\games\Tom Clancy's The Division\TheDivision.exe
    Faulting module path: C:\Windows\system32\hmpalert.dll
    Report Id: 4f8cf9fa-8c39-44de-b190-f42176d4de8b
    Faulting package full name:
    Faulting package-relative application ID:
     
  22. dios

    dios Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    14
    I can't even get The Division to launch with hmpa installed, even with exploit mitigation turned off globally and all the other preventions turned off. Every time I get something like the error log below, the fault module and exception code are the same each time. This is on Win 8.1. After uninstalling hmpa, the game launches without issues. Perhaps the Denuvo anti-tamper is acting up with this game. I don't have any other games that use Denuvo so maybe others can try whether those games also don't work with hmpa.

    Code:
    Faulting application name: TheDivision.exe, version: 1.0.0.0, time stamp: 0x56d052b7
    Faulting module name: ntdll.dll, version: 6.3.9600.18202, time stamp: 0x569e7d02
    Exception code: 0xc0000005
    Fault offset: 0x00000000000546fb
    Faulting process id: 0x21e0
    Faulting application start time: 0x01d179f554f54342
    Faulting application path: F:\Ubisoft\Tom Clancy's The Division\TheDivision.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: 97b96153-e5e8-11e5-84eb-e82aea034ea8
    Faulting package full name:
    Faulting package-relative application ID: 
    As to the Keepass not launching with the mitigation Caller Check, I have had this too. It seems if you disable hmpa mitigations for Keepass and let Keepass run once without it, you can then re-enable the mitigations and it will continue to work fine.
     
    Last edited by a moderator: Mar 10, 2016
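
Added example, not part of any post in this thread: a small Python triage of the two Windows Application Error records quoted in posts 21 and 22. It shows that the first fault is a stack overflow (0xc00000fd) inside hmpalert.dll, while the second is an access violation (0xc0000005) in ntdll.dll. The record text is copied from those posts and trimmed; the function names are this example's own.

```python
import re

NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC00000FD: "STATUS_STACK_OVERFLOW"}

# Records from posts 21 and 22, trimmed to the four fields used here
SAMPLE = """
Faulting application name: TheDivision.exe, version: 1.0.0.0, time stamp: 0x56d052b7
Faulting module name: hmpalert.dll, version: 3.1.8.360, time stamp: 0x56cdc923
Exception code: 0xc00000fd
Fault offset: 0x000000000000c6a3
Faulting application name: TheDivision.exe, version: 1.0.0.0, time stamp: 0x56d052b7
Faulting module name: ntdll.dll, version: 6.3.9600.18202, time stamp: 0x569e7d02
Exception code: 0xc0000005
Fault offset: 0x00000000000546fb
"""

FIELD = re.compile(r"^\s*(Faulting application name|Faulting module name|"
                   r"Exception code|Fault offset):\s*(\S.*)$")

def parse_crashes(text):
    """Return one dict per Application Error record found in text."""
    crashes = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                      # other fields (paths, report id) are ignored
        key, value = m.group(1), m.group(2).strip()
        if key == "Faulting application name":
            crashes.append({"app": value.split(",")[0]})   # a new record starts here
        elif not crashes:
            continue                      # stray field before any record header
        elif key == "Faulting module name":
            name, _, rest = value.partition(", version: ")
            crashes[-1].update(module=name, module_version=rest.split(",")[0])
        elif key == "Exception code":
            code = int(value, 16)
            crashes[-1].update(code=code, status=NTSTATUS.get(code, "unknown"))
        else:
            crashes[-1]["offset"] = int(value, 16)
    return crashes

def triage(crashes, product_dll="hmpalert.dll"):
    """One summary line per crash, flagging faults inside the product's DLL."""
    lines = []
    for c in crashes:
        where = "inside" if c["module"].lower() == product_dll else "outside"
        lines.append(f'{c["app"]}: {c["status"]} in {c["module"]} '
                     f'{c["module_version"]}+{c["offset"]:#x} ({where} {product_dll})')
    return lines
```

Calling `triage(parse_crashes(SAMPLE))` returns one line per record, which makes it easy to see whether reports from different machines share a faulting module and offset.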
  23. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    time to play videogame for Surfright :D...
     
  24. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    I just bought The Division because of this issue :D Happy times!
     
  25. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    KeePass should be in Other because this profile includes Keystroke Encryption which is important to protect the master password against keyloggers.
    I am investigating this issue. Stay tuned.
     