HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    I contacted support yesterday concerning a licensing issue I was having. I understand about it being the weekend, but how long does it usually take for support to get back with a customer? I supplied the information support asked for and I am now waiting for a response.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    24 hours and they will respond.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That already has been addressed. It fails as there are no files being encrypted. However there was a hint they are looking at it.
     
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    Changelog on 364 not much new, so maybe won't auto update to people.
     
  5. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    So basically I gotta keep watching the thread to keep up to date with new builds? I was running 363 and this build gives the same no update available message in the tray icon. Maybe the "no updates available" should be changed into "check for updates"? I manually upgraded now.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yep, this is where you will hear it first.
     
  7. guest

    guest Guest

  8. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118
    I've just found a pretty good PowerShell script which lists possible SMB shares which might be targeted by ransomware:
    https://www.youtube.com/watch?v=fx_vHfTbQM0

    Maybe in the future HitmanPro.ALERT could have a possibility to list all visible shares by the current user in case you want to remove some you don't need?
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Ransomware does not need a mapped share to encrypt it. If the user can access the remote share with the same credentials, ransomware will encrypt it.
    In any case, Alert protects the encryption. Even if a remote computer encrypts your local share. This feature has been there since November 2013.
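
Added example, not part of the post above and not HitmanPro.ALERT code: since access rather than drive mapping is what exposes a share, this PowerShell audit lists the local machine's SMB shares whose share-level permissions allow modification. It assumes Windows 8 / Server 2012 or later (the SmbShare module), an elevated prompt, and English account names in the constructed `$broad` list.

```powershell
# Added example: find local SMB shares that any remote account may write to.
# Run elevated; Get-SmbShare / Get-SmbShareAccess ship with the SmbShare module.

# Constructed list of wide-reaching principals to flag first.
# Account names are localized, so adjust this list on non-English systems.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

$report = foreach ($share in Get-SmbShare -Special $false) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        # Cast the enum values to strings so the comparisons are unambiguous.
        $type  = [string]$ace.AccessControlType
        $right = [string]$ace.AccessRight

        # Only Allow entries that permit modifying files are of interest.
        if ($type -ne 'Allow') { continue }
        if ($right -notin 'Full', 'Change') { continue }

        [pscustomobject]@{
            Share   = $share.Name
            Path    = $share.Path
            Account = $ace.AccountName
            Right   = $right
            Broad   = $ace.AccountName -in $broad
        }
    }
}

# Shares writable by broad principals are listed first.
$report |
    Sort-Object -Property @{ Expression = 'Broad'; Descending = $true }, Share |
    Format-Table -AutoSize
```

Share permissions are only half of the picture: effective access is the more restrictive of the share permission and the NTFS ACL on the shared path, so review both before tightening or removing a share.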
     
  10. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    69
    Nice job debugging that problem. Yes, the Sports page you linked briefly freezes in Chrome. Running HMPA 364 & EIS.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    Did you see last PM?

    Pete
     
  12. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    My computer froze during boot today. I did a forced power off and then power on again. Then WSA said a new HMPA was running and if I wanted to allow it. When I saw the WSA message it explained why it froze during the morning boot to me based on recent HMPA updates. Now running build 363.
     
  13. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118

    Didn't know about protection from remote computer encryption. Thanks for clarification!
     
  14. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    210
    Good to know a few others are seeing this, it is annoying when browsing, I'd like to know if it is a problem or just the way HMPA has to work.
     
  15. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    I've got a fully paid license, and I've found that HMPA doesn't seem to be offering any protection to Opera.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    If you're not seeing the Opera icon in the HMPA Advanced Interface do the following:

    1. Start Opera
    2. Click the HMPA Exploit Mitigation tile.
    3. Click Running applications

    You should see a list of protected and unprotected applications. If Opera is in the unprotected list select to add it using the Browsers Mitigation Template.
     
  17. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    Thanks Victek, I've now been able to add Opera as a protected item.
     
  18. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,638
    Hi Erik and Mark,

    About the very recent malvertising campaign in Holland:
    If (just if, as Fox-IT says they saw no infections) people's computers got infected, would HMP be able to disinfect? I think that I read at nu.nl (one of the sites being hit by this) that HMP would be able to disinfect.
    And would HMP.A have been able to prevent infection?

    Thread: https://www.wilderssecurity.com/thre...-campaign-hits-popular-dutch-websites.385121/
     
  19. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    81
    Location:
    Kissimmee, FL
    Office 2013 Word and Excel do this, why?
    Win 8.1 64 bit

    Mitigation ROP

    Platform 6.3.9600/x64 06_3a
    PID 7228
    Application C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE
    Description Microsoft Excel 15

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    0x56291FCC MSO.DLL RET 0x56291EDD MSO.DLL

    0x578B115B MSO.DLL ~ RET 0x02F59BF1 (anonymous; EXCEL.EXE)

    0x5782B1F4 MSO.DLL RET 0x578B1145 MSO.DLL

    0x562826BC MSO.DLL RET 0x5782B1F3 MSO.DLL

    0x571E4790 MSO.DLL ~ RET 0x02F590E1 (anonymous; EXCEL.EXE)

    0x56C53BC5 MSO.DLL RET 0x571E477A MSO.DLL

    0x562826BC MSO.DLL RET 0x56C53BC4 MSO.DLL

    ?AuthHandlerSupportAutoLogonBasedOnURL@Http@Mso@@YAXXZ() RET 0x02F59550 (anonymous; EXCEL.EXE)
    0x5628A469 MSO.DLL

    0x57278773 MSO.DLL ~ RET 0x02F59540 (anonymous; EXCEL.EXE)

    0x57658D8E MSO.DLL ~ RET* 0x562E1B10 MSO.DLL
    837d0800 CMP DWORD [EBP+0x8], 0x0
    8907 MOV [EDI], EAX
    7549 JNZ 0x562e1b61
    57 PUSH EDI
    8bce MOV ECX, ESI
    e8ed62f900 CALL 0x57277e0d
    a21e8ac044 MOV [0x44c08a1e], AL
    0000 ADD [EAX], AL
    d084c074358bce ROL BYTE [EAX+EAX*8-0x3174ca8c], 0x1
    e805d0d400 CALL 0x5702eb38
    8bc8 MOV ECX, EAX
    e81c4fd500 CALL 0x57036a56
    85c0 TEST EAX, EAX
    7813 JS 0x562e1b51
    6a00 PUSH 0x0
    8bce MOV ECX, ESI
    (87D23257ABEF258B)


    0x579110FC MSO.DLL ~ RET* 0x57658D8E MSO.DLL
    c20400 RET 0x4


    _MsoRegOpenKeyExW@16 +0x13a RET 0x02F50AE6 (anonymous; EXCEL.EXE)
    0x56282973 MSO.DLL

    0x562826BC MSO.DLL RET _MsoFreePv@4 +0xc0
    0x562881DA MSO.DLL

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 56291EE8 MSO.DLL
    8bce MOV ECX, ESI
    8986ac000000 MOV [ESI+0xac], EAX
    e8d8000000 CALL 0x56291fcd
    8bc6 MOV EAX, ESI
    5e POP ESI
    c3 RET

    2 02F59BF6 (anonymous; EXCEL.EXE)
    3 562E1B28 MSO.DLL
    4 564A2F1A MSO.DLL
    5 02F51859 (anonymous; EXCEL.EXE)
    6 564CF1E9 MSO.DLL
    7 564CD534 MSO.DLL
    8 562AEB95 MSO.DLL
    9 5629EBB9 MSO.DLL
    10 5629C929 MSO.DLL

    Process Trace
    1 C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE [7228]
    2 C:\Windows\explorer.exe [7044]
    3 C:\Windows\System32\userinit.exe [3792]
    4 C:\Windows\System32\winlogon.exe [3708]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    5 C:\Windows\System32\smss.exe [2960]
    \SystemRoot\System32\smss.exe 00000000 00000050 C:\WINDOWS\System32\WinLogon.exe -SpecialSession
     
  20. __simon__

    __simon__ Registered Member

    Joined:
    Apr 28, 2013
    Posts:
    14
    Location:
    UK
    I also see this problem on Win 8.1 64 bit. PowerPoint also triggers the same mitigation.
     
  21. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    81
    Location:
    Kissimmee, FL
    Yep, I have already had two customers call with ROP alerts in Office 2013 Word, PowerPoint, and Excel on Win 8.1 64 bit on alert 3.1.9 363.
     
  22. Faizal

    Faizal Registered Member

    Joined:
    Apr 12, 2016
    Posts:
    1
    Just like Peter and Mike, I also have the same problem trying to enter Word 2013. I'm running Win 10 Pro.
     
  23. Cory Windsor

    Cory Windsor Registered Member

    Joined:
    Apr 12, 2016
    Posts:
    3
    We had HitmanPro.Alert 2.6.77 and 3.1.9 Build 363 across a couple hundred computers. Yesterday we got a few reports of this issue with .Alert blocking Office programs via Exploit Mitigation. This morning we got tons of reports, to the point where we had to uninstall HitmanPro.Alert 2 and 3 across our entire client base. What's strange is it affected both versions, we were initially thinking it was just a 3.x thing. This was on a bunch of versions of Windows as well, 7, 8, 8.1.
     
  24. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    778
    Location:
    Oklahoma City
    Just a basic question. Does HMP Alert update automatically, or should I manually update it? I now have Build 363 and I notice Build 364 has been available several days now. I guess my question is should I WAIT for it to update, or should I manually update it myself when a new update is posted in here? I don't see an option for updating on the installed app. Appreciate any advice on this.
     
  25. Andra

    Andra Registered Member

    Joined:
    Jul 17, 2015
    Posts:
    13
    Just use an adblocker like uBlock or uBlock Origin, I never turn it off.
     