HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Did a test: no ROP with IE11, Horizon.tv, hmpa build 369 and Win10 1511 build 10586.218 x64/Norton Security with Backup v22.6.0.142.
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Did you login at Horizon.tv, as I think loekverhees did or tried to do?
    I visited the Horizon.tv page that loekverhees mentioned (https://www.horizon.tv/nl_nl/tv-gids.html), and I selected NPO1 and the current tv program, but lacking a Ziggo account, I cannot login, as I think loekverhees did or tried to do.
    No HMP.A alert mitigation ROP.
    For what it's worth, I used Windows 7 x64, HMP.A 3.1.9.360, IE11, no Silverlight.
     
  3. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Affirmative. No ROP and also no stream.

    Both IE11 and FF 46.0.1 show the same error message:

    The video has been interrupted. We apologise for the inconvenience.

    Press the play button to restart the video.
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Question regarding adding programs through registry:
    I'm assuming that you have to add a corresponding string to the Data section of the value, in the XXXX-XXXX format, but when I look at those registry keys in the Profile key I find that multiple have the same Template value. For example, I see 7 keys which all have the Office template, and looking at the other values, all of the enabled mitigations are the same. So does it matter which of those 7 I use, and why are there multiple anyway when they're the same?
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The XXXX-XXXX is something we use internally for consistency. You are absolutely free to use your own names, for example you may use "Andijvie" or "Hutspot" for names.
     
  6. loekverhees

    loekverhees Registered Member

    Joined:
    Jan 14, 2008
    Posts:
    25
    Location:
    The Netherlands
    I tried again, this time after an update that HMPA offered (now I am on 3.1.9 build 368). Everything is working fine now; the video starts to play without HMPA giving any message. So it seems the update resolved the issue. By the way, I indeed had to login, otherwise the video does not start playing. With the previous HMPA version, the false positive came up just before the video started playing.

    Update: I see now the trial version is over, so that may explain why I did not see the issue anymore today.
     
  7. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Any news about the cpu-usage? Not again Norton?
     
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    By the way, I am not so fussed about the %temp% issue now, since adding your signed certificate to SRP the issue is no longer annoying, as well as also installing HMP permanently on the system.

    I suggest, if you cannot add a variable temp folder setting, making a proper install of HMP the first time Scan is clicked instead of a temporary binary in %temp%.
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This is Firefox W^X logging to our service. This will be addressed in either the next build or the one after that.
     
  10. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    @markloman
    @erikloman
    As I mentioned a week ago, Tuesday, May 3, there were some reports that KB3146706 is offered by Microsoft for automatic install, again. See Woody Leonhard's report and see emmjay's report.
    Since then, no (other?) new version of KB3146706 has been issued.
    The KB3146706 knowledge base article still mentions the 05/03/2016 19:53:00 version, revision 2.0.
    I hope SurfRight is still looking into the issue concerning HMP.A and Windows 7 x64 with KB3146706 installed, taking the good things that HMP.A build 369 did to fix the KB3146706 issue, but fixing the issue with build 369 that Peter2150 reported.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Expect a new build tomorrow.
     
  12. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Great, thanks very much. I'm looking forward to testing that one.
     
  13. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Thanks Erik for info.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Also, esp. to see if resolving Firefox W^X issue has an impact on FF speed, if it's in this release.
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.1.10 Build 370 PreRelease

    Changelog
    • Improved compatibility with Windows 7 KB3146706
    • Improved compatibility with Firefox 46
    Download
    http://test.hitmanpro.com/hmpalert3b370.exe

    Please let me know how this version runs on your computer :thumb:
     
  16. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Upgraded to build 370. Much smoother. Firefox 46.0.1 (32-bit) shows normal hmpa cpu-usage of 0-0.5%. With plugin-container (flash 21.0.0.213) hmpa cpu-usage is 1-3%. Sometimes higher.
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No issues, Win 8.1 x64.
    Can't say for sure as my FF46 x64 tends to degrade over time, but it does seem faster at the outset, based on perception only :)
    Hope you've cracked it :thumb:
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Not my imagination.
    I think my FF46 speed and memory issue is solved.
    Well done guys!
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Build 370 solves the "Peter2150" issue. Well done guys.
     
  20. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Ah ah, TOP! :D
     
  21. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Working good here.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Haha thanks, working great here :)
     
  23. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    false positive on flashfxp

    Code:
    Mitigation   Shellcode
    
    Platform     6.3.9600/x64 06_3c
    PID          5136
    Application  C:\Program Files (x86)\FlashFXP 5\FlashFXP.exe
    Description  FlashFXP 5.3
    
    08149211    60                       PUSHA     
                e800000000               CALL         0x8149217
                58                       POP          EAX
                055a0b0000               ADD          EAX, 0xb5a
                8b30                     MOV          ESI, [EAX]
                03f0                     ADD          ESI, EAX
                2bc0                     SUB          EAX, EAX
                8bfe                     MOV          EDI, ESI
                66ad                     LODSW     
                c1e00c                   SHL          EAX, 0xc
                8bc8                     MOV          ECX, EAX
                50                       PUSH         EAX
                ad                       LODSD     
                2bc8                     SUB          ECX, EAX
                03f1                     ADD          ESI, ECX
                8bc8                     MOV          ECX, EAX
    
    Process Trace
    1  C:\Program Files (x86)\FlashFXP 5\FlashFXP.exe [5136]
    2  C:\Windows\explorer.exe [7128]
    3  C:\Windows\System32\userinit.exe [3232]
    4  C:\Windows\System32\winlogon.exe [4444]
    winlogon.exe
    5  C:\Windows\System32\smss.exe [1540]
    \SystemRoot\System32\smss.exe 00000000 00000050
    
    Also where is the shellcode detection on/off in application options?

    Testing mitigations one at a time. Network library detection is the culprit; I can confirm FlashFXP is not trying to load modules over a network. It happens when trying to access the Explorer right-click menu in the app.
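    To show what a detector can pick out of a dump like the one above, here is a small Python example, added here and not part of the thread or of HitmanPro.Alert's own code. The second and third instructions in the listing, `CALL 0x8149217` (bytes `e8 00 00 00 00`, a call to the very next instruction) followed by `POP EAX`, are the classic "GetPC" idiom: position-independent code uses the pushed return address to learn where it is in memory, and the following `ADD EAX, 0xb5a` then points at data carried alongside the code. Ordinary compiler output does not emit a call with a zero displacement, so the pair is a cheap, high-signal heuristic. The scanner below is my own illustration of that heuristic; it is an assumption that HMP.A's Shellcode mitigation looks for anything like it, and the input bytes are transcribed from the listing as constructed sample data.

```python
"""Locate the `call $+5; pop reg` (GetPC) idiom in a raw byte sequence.

Added illustration only: this is not how HitmanPro.Alert detects shellcode,
it is one heuristic a detector could use, applied to the bytes shown in the
forum post above.
"""
from typing import Dict, List, Optional

# Constructed sample input: the bytes transcribed from the listing above.
# The listing starts at address 0x08149211 inside FlashFXP.exe.
SAMPLE_BASE = 0x08149211
SAMPLE = bytes.fromhex(
    "60"            # PUSHA
    "e800000000"    # CALL $+5  (target is the next instruction)
    "58"            # POP EAX   <- receives the CALL's return address
    "055a0b0000"    # ADD EAX, 0xb5a  (EAX now points at embedded data)
    "8b30"          # MOV ESI, [EAX]
    "03f0"          # ADD ESI, EAX
    "2bc0"          # SUB EAX, EAX
    "8bfe"          # MOV EDI, ESI
    "66ad"          # LODSW
    "c1e00c"        # SHL EAX, 0xc
    "8bc8"          # MOV ECX, EAX
    "50"            # PUSH EAX
    "ad"            # LODSD
    "2bc8"          # SUB ECX, EAX
    "03f1"          # ADD ESI, ECX
    "8bc8"          # MOV ECX, EAX
)

GETPC_CALL = b"\xe8\x00\x00\x00\x00"          # CALL rel32 with displacement 0
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # 0x58..0x5f


def find_getpc(buf: bytes, base: int = 0) -> List[Dict[str, object]]:
    """Return every `call $+5` immediately followed by a one-byte `pop reg`.

    Each hit records where the CALL sits, which register receives the
    address, and the value that register holds at run time: the address of
    the POP itself (base + offset), which is the CALL's return address.
    """
    hits: List[Dict[str, object]] = []
    for i in range(len(buf) - 5):
        if buf[i:i + 5] == GETPC_CALL and 0x58 <= buf[i + 5] <= 0x5F:
            hits.append({
                "call_at": base + i,
                "register": POP_REGS[buf[i + 5] - 0x58],
                "pc_value": base + i + 5,
            })
    return hits


def data_pointer(buf: bytes, base: int = 0) -> Optional[int]:
    """For the first GetPC hit that lands in EAX, resolve an immediately
    following `ADD EAX, imm32` (opcode 05) and return the address it
    computes, i.e. where the code expects its embedded data to live.
    Returns None when that follow-up pattern is absent.
    """
    for hit in find_getpc(buf, base):
        off = int(hit["call_at"]) - base + 6        # first byte after the POP
        if hit["register"] == "eax" and len(buf) >= off + 5 and buf[off] == 0x05:
            imm = int.from_bytes(buf[off + 1:off + 5], "little")
            return (int(hit["pc_value"]) + imm) & 0xFFFFFFFF
    return None


if __name__ == "__main__":
    for hit in find_getpc(SAMPLE, SAMPLE_BASE):
        print("GetPC at 0x%08x -> %s = 0x%08x"
              % (hit["call_at"], hit["register"], hit["pc_value"]))
    ptr = data_pointer(SAMPLE, SAMPLE_BASE)
    if ptr is not None:
        print("data table expected at 0x%08x" % ptr)
```

    Run against the transcribed bytes, the scanner reports the CALL at 0x08149212 loading 0x08149217 into EAX, matching the `CALL 0x8149217` target in the listing, and resolves the data table to 0x08149d71. A buffer of plain NOPs or ordinary compiled code yields no hits, which is the point of the heuristic.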
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    No FP, definitely shellcode! You can disable this by unchecking LoadLibrary mitigation.
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    where is the shellcode in the output?

    This worked fine a few days ago with loadlibrary ticked.
     