HitmanPro.ALERT Support and Discussion Thread

@adamgibbo
Please ignore really positive and helpful reactions like the one below.

These are fine examples of what one could qualify as a False Post.

 

There is a false positive uninstalling Opera from the Windows "Programs and Features" dialog.

Code:

Mitigation   Lockdown

Platform     10.0.10586/x64 06_2a
PID          27396
Application  C:\Program Files (x86)\Opera\37.0.2178.32\installer.exe
Description  Opera Installer 37

Filename     C:\Program Files (x86)\Opera\37.0.2178.32\installer.exe
Created By   C:\Windows\Temp\opera autoupdate\CProgram Files (x86)Opera\installing\installer.exe


Process Trace
1  C:\Program Files (x86)\Opera\37.0.2178.32\installer.exe [27396]
"C:\Program Files (x86)\Opera\37.0.2178.32\installer.exe" /uninstall
2  C:\Program Files (x86)\Opera\launcher.exe [26388]
"C:\Program Files (x86)\Opera\Launcher.exe" /uninstall
3  C:\Windows\SysWOW64\dllhost.exe [21164]
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}

 

my laptop with HMPA installed looks like it has been owned today :/

https://www.wilderssecurity.com/threads/weird-behaviour-from-cmd-exe-on-startup.385643/

Also remember the debate about how everyone was telling me intrusions are done via browsers? windows was only clean installed on the laptop about 5 days ago and I have done zero browsing on it yet.

My guess is it has happened via skype since that fetches data over http.

Also observed the HMPA icon is missing from the system tray, but it is still installed as I can load it from the start menu.

 

You write, "windows was only clean installed on the laptop about 5 days ago and I have done zero browsing on it yet."
But you also mention it has HMPA and Skype installed, and in your other post you mention Comodo.
And perhaps you have more software installed and did some configuration?
I guess you know what you've installed and what configurations you made after the clean install, but we do not.
I guess one of the things you installed or one of your configurations is the reason for what you described.
Hard for us to tell what you have done and what can be the cause for what you're seeing.

Regarding the HMPA icon that is missing from the system tray -
What is your OS?
In Windows 7 certain system tray icons are hidden by default, I don't know about HMPA.
You can change the system tray behavior and show the system tray icons you want to have in the system tray.
See: Change how icons appear in the notification area
This may be different for Windows 8.1 and Windows 10, I don't know about that.

 

There is some other software installed but nothing that I havent been using for a while.

What information do you want?

Interestingly if I protect cmd.exe in HMPA the network attempts stop on boot.

 

I do not know. I can only say that for me it is hard to say anything based on the information you provided.
By the way, I edited my previous post, as you edited your previous post.

 

I already have set to have no icons hidden, thats a very basic setting I have on all my machines.

I will disable cmd.exe protection again in HMPA to see if network access attempts reappear.

All scans are coming clean as well, I will just reinstall windows later today. Further investigation seems to point to adware, this time around I wont install lenova utilities (that is the one new thing on this laptop).

 

As far as I can tell the Ccleaner "uninstaller" only shows the list of installed applications; it's just a front end and has no additional functionality. If you click an entry it just calls the application's own uninstall routine.

 

Lenovo utilities call home before booting. Well known issue.

 

@Hiltihome ok thanks

@Victek Yes, you're right. The problem is with the k.bat which is part of the uninstall process for Opera. Even if it is ran manually the false positive occurs.

 

You have to reboot to lift the lockdown on a file. Or restarting the Alert Service.

 

Reverted back to Firefox 45.0.2 (32 bits), hmpa cpu-usage is 0-0.5%. With Firefox 46.0.1 (32 bits) the hmpa cpu-usage sometimes up to 15%.

 

Is there any benefit to using CryptoPrevent in addition to HMP.A ?

I've been running both for years, but if it's redundant when using HMP.A I'd rather know and then I'll remove it from my system.

 

Personally I don't feel they're redundant; CyptoPrevent 7.X blocks access to folders where ransomware typically executes while HMP.A provides real-time behavior monitoring. Since CryptoPrevent creates zero overhead I don't see any benefit in removing it. There is supposedly going to be a version 8 of CryptoPrevent though (someday RSN), which may have new features, so we'll see.

 

The fact that everything has to go through a very long list of blocking rules that CryptoPrevent creates is surely going to be even a slight slowdown?

Why doesn't everyone on here use this in addition to HMP.A then as it's free & portable & there isn't any negative & adds to your protection?

 

Is this real or false positive? I had Chrome open, three tabs, one empty, one facebook, one youtube. Facebook tab was killed after this message so some junk tried to come trough Facebook? HitmanPro found only few tracking cookies.

Spoiler: HitmanPro.Alert alert

Mitigation DEP

Platform 10.0.10586/x64 06_3d
PID 13240
Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Description Google Chrome 50

EIP = 11D1E2E0, State = 0x1000, Type = 0x20000, Protect = 0x4

Stack Trace
# Address Module Location
-- -------- ------------------------ ----------------------------------------
1 77DDB652 ntdll.dll RtlConvertUlongToLargeInteger +0xc2
2 77DDB624 ntdll.dll RtlConvertUlongToLargeInteger +0x94
3 77DC8E7F ntdll.dll KiUserExceptionDispatcher +0xf

4 6DA52EFC chrome_child.dll
83c418 ADD ESP, 0x18
8bc3 MOV EAX, EBX
5f POP EDI
5e POP ESI
5b POP EBX
8be5 MOV ESP, EBP
5d POP EBP
c3 RET

5 6DA2E81B chrome_child.dll
6 6DA2E1C8 chrome_child.dll
7 6DA2DF12 chrome_child.dll
8 6DA195D1 chrome_child.dll
9 6DA1925D chrome_child.dll
10 6DA191B4 chrome_child.dll

Code Injection
0109E000-0109F000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [3312]
77DC7000-77DC8000 4KB
77DC6000-77DC7000 4KB
1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [3312]
2 C:\Windows\explorer.exe [4508]
3 C:\Windows\System32\userinit.exe [4440]

Process Trace
1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [13240]
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-features=AutomaticTabDiscarding<AutomaticTabDiscarding,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,UpdateRendererPriorityOnStartup<U
2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [3312]
3 C:\Windows\explorer.exe [4508]
4 C:\Windows\System32\userinit.exe [4440]

 

Looks like a crash of Chrome.

 

I should have been more specific; when I said zero overhead I meant that CryptoPrevent does not have a real-time component which uses CPU cycles and would be easy to monitor. I guess it's possible that the changes it implements require some additional processing, but it is not apparent. Perhaps someone can figure out a way to benchmark it?

I have no idea who is or isn't using CryptoPrevent along with HMPA. If others are intentionally not using it perhaps they will chime in and say why...

 

I'm using CryptoPrevent along with HMP.A.
I believe what @Victek said.
It should be noted, however, that CryptoPrevent has other protections other than the classic blacklisting of system locations.

 

Both Firefox (x86) and Cyberfox (x86) 46.02 keep randomly crashing every time HMPA is active on my Win10x64 system. This was never and issue with version 45. Anyone have an ideas at all how to fix this? I know I can add it to the exclusions, but honestly what would be the doing in running HMPA at all if that needs to be done? Windows crash log below:

 

I use both also for the same reasons. No issues.

 

simply because i'm not used to run every piece of code i find on my way (i bought infact an Alert3 key to take basically advantage of its antiexploit talent)*...


*CryptoGuard, then, is just another layer i can leverage using Alert as my primary line of defence (in SUA with UAC maxed and full awareness about every consent-prompt i receive)...but again, i'm not used to open e-mail messily/haphazardly/scrappily (in Italy we say ''ALLA CAZZO DI CANE''...or dick of dog )...

 

I also have the same Firefox 46.0.1 + HPA 368 problem, at home and at work. I hope you guys can figure it out.

Thanks BTW for HPA, it's such a great product!

 

by first part > do you mean General Tab...? Hi-lite, CtrlC/P works on General Tab.