HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    Mitigation Lockdown Teamviewer. HmpA build 369 or 370.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 4-5-2016 8:26:19
    Gebeurtenis-id:911
    Taakcategorie: (9)
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation Lockdown

    Platform 10.0.10586/x64 06_17*
    PID 1184
    Application C:\Users\****\AppData\Local\Temp\TeamViewer\update.exe
    Description TeamViewer Remote Control Application Installer 11

    Filename C:\Users\****\AppData\Local\Temp\TeamViewer\update.exe
    Created By C:\Program Files (x86)\TeamViewer\TeamViewer.exe


    Process Trace
    1 C:\Users\****\AppData\Local\Temp\TeamViewer\update.exe [1184]
    "C:\Users\****\AppData\Local\Temp\TeamViewer\update.exe" --RemoveOld
    2 C:\Program Files (x86)\TeamViewer\TeamViewer.exe [440]
    "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" --dre
    3 C:\Program Files (x86)\TeamViewer\TeamViewer.exe [5092]
    4 C:\Windows\explorer.exe [1180]
    5 C:\Windows\System32\userinit.exe [6912]
    6 C:\Windows\System32\winlogon.exe [5920]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    7 C:\Windows\System32\smss.exe [5352]
    \SystemRoot\System32\smss.exe 000000a8 00000074 C:\WINDOWS\System32\WinLogon.exe -SpecialSession

    Btw no Hmpa-alert screen when the mitigation lockdown occurred.
     
    Last edited: May 13, 2016
  2. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Did you add Teamviewer manually to exploit mitigations? I don't think Alert protects it by default. The solution in your case would be to disable lockdown for Teamviewer. Further, if you intend to add applications to Alert's mitigations, it's too important to understand how they work, especially lockdown. I mean, I see people here all the time enabling lockdown for applications whose sole purpose is to do stuff that lockdown prohibits. And then they wonder why lockdown pops up.
     
  3. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    Could be. Added Teamviewer like a year ago, maybe longer. First time a mitigation lockdown. Using Teamviewer very often.
     
  4. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    I have just installed Hitmanpro.alert and my banking users get a false positive when starting Internet Explorer.

    It is IBM Security Trusteer Rapport and they do need to have it installed so uninstalling is not an option! It isn't a simple case of adding an exe to the exceptions list either.

    Any workaround for Rapport?
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Why do they "have" to have it installed. I bank at one site that uses Rapport, but I don't have it installed.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    There are actually some banks that mandate TR be installed to do online banking with them .....................
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Can you post the details of the false positive?
     
  8. @Peter2150, @itman

    Due to the relatively large increase of banking fraud in 2009 - 2010 (93%), some banks tried to make a case that for online banking the same responsibility applied to consumers as for online shopping and door-to-door sales. They made this because the EU (and probably also the US) higher courts had decided that security was so cloudy or "non-transparent" (don't know the correct English word) that consumers could not be held responsible and most (nearly all) of the risk was put at the banking corporations.

    With online sales, a consumer has the responsibility to verify the webshop which he/she is doing business with "looks" credible. So a company offering prices only 10% of the prices of goods compared to brick and mortar outlets, would not be credible. Using the same line of thought some banks obliged their customers to use software which reduced the risk of online fraud. They reasoned that the same loss defense precautions of other high risk areas would be applicable to online bank fraud also (e.g. mopeds/scooters are stolen a lot in the Netherlands, when your moped/scooter is stolen and you can't hand over a key of a certified extra lock, the insurance company is not liable to pay the loss). In the Netherlands a consumer has to guard/check his goods/purchases as a "good parent".

    So they added rules that when you were hit by bank fraud and did not have bank supplied software installed (Trusteer), the risk would be at the customer and not the bank corporation.

    From 2011 to 2011 the bank fraud increase/growth rate dropped to below 30 percent and in (I believe) 2013 the EU court determined that the banks could not hold their customers responsible when they had not installed bank supplied software (e.g. Trusteer), since online banking from home could not be treated differently from any other place (like for instance an internet cafe).

    Since this news fact did not hit the front page, many banking corporations still have this in their conditions (but when you fight this and would go to court they would eventually lose, you just have to have enough cash and time to initiate a court trial).

    Don't know what the situation is outside the EU. I quit doing business with Postbank (now ING bank) in the Netherlands (they had the worst online banking system with security codes sent by text message on your phone anyway). Since the rebrand to ING bank the Postbank now also uses the dual token verification system. The postbank concept was introduced as ING Direct in North America (NN, Postbank and ING were in the same holding) that is probably the reason one can still download Trusteer for free from ING Netherlands.
     
    Last edited by a moderator: May 13, 2016
  9. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    How do I capture what you'd like to see?

    Cheers.
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Perhaps get a screenshot of the message or copy/paste the text into notepad; then upload here.
     
  11. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    The alert message detail isn't something that can be selected, copy and paste won't work. It's a long list of dlls that spills off the screen so a screen shot would not capture it either. It really needs a copy-to-clipboard option added!

    I was assuming that it was logged somewhere and that you were going to tell me how to capture the detail. :)
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Try this?
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ah. Got it.


    @Kees Funny part is Citibank uses a token for business accounts, but not personal. I asked why, and they said most personal account customers found it too complicated. Duh.
     
  14. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Hi, thanks I will on return to work Monday.
     
  15. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    That's a known bug already. And according to @erikloman they have it in investigation.

    As a work-around you can disable "Keystroke Encryption".

    My assumption what happens in the background:
    Keyboard sends keystrokes. --> HMPA catches and encrypts them. --> Encrypted keystrokes get sent to the browser. --> HMPA decrypts them inside the protected browser.
    Either during encryption or decryption something goes wrong. I could imagine that accidentally the [CTRL]-key also got included into the [ALT]+[TAB] combination which would create this behaviour.
     
  16. Theblackstar

    Theblackstar Registered Member

    Joined:
    Mar 27, 2016
    Posts:
    36
    Location:
    Italia
    Erik, what is this problem o_O?
     

    Attached Files: uno.jpg, due.jpg, tre.jpg
  17. guest

    guest Guest

    I think this new added mitigation is causing some false positives.
    regsvr32.exe jscript.dll /s
    #9918
    #9777
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Will be fixed in next build.
     
  19. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    I upgraded to Build 370, and Firefox 46.0.1 64-bit is, once again, a pleasure to use. Thanks for the quick fix!
     
  20. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    It feels like others concerns get addressed and I now get ignored :(

    no comment on my failed ASR test in word.
     
  21. jd97

    jd97 Registered Member

    Joined:
    Apr 27, 2015
    Posts:
    28
    Firefox 46.0.1 crashed and most modules are highlighted in red.

    Signature: Firefox 46.0.1 Crash Report [@ shutdownhang | ntdll.dll@0xa5164 ]

    ntdll, kernelbase, user32, hmpalert.dll, iphlpapi.dll, etc. PM'd you the reports.

    [@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::jit::ICStubCompiler::newStub<T> ]

    These are new: PM'd you the reports

    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Also, out of sole curiosity, is this legit or false? (PC name replaced with 'Username')

    Mitigation ROP

    Platform 10.0.10586/x64 06_4e
    PID 8584
    Application C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
    Description Microsoft Word 15

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    0x60A121DC MSO.DLL RET 0x60A120ED MSO.DLL ^00EE

    0x60C2ABE9 MSO.DLL ~ RET 0x60C2C55A MSO.DLL

    ?AuthHandlerSupportAutoLogonBasedOnURL@Http@Mso@@YAXXZ() RET 0x60C2C553 MSO.DLL ^0108
    0x60A0B4B9 MSO.DLL

    0x60A627E0 MSO.DLL ~ RET 0x60C251D7 MSO.DLL ^0001

    _MsoRegOpenKeyExW@16 +0x13a RET 0x60A627E0 MSO.DLL ^01DD
    0x60A02963 MSO.DLL

    0x60FCDB6E MSO.DLL ~ RET* 0x60A6277E MSO.DLL ^01D9
    84c0 TEST AL, AL
    7435 JZ 0x60a627b7
    8bce MOV ECX, ESI
    e83b87d400 CALL 0x617aaec4
    8bc8 MOV ECX, EAX
    e8e907d500 CALL 0x617b2f79
    85c0 TEST EAX, EAX
    7813 JS 0x60a627a7
    6a00 PUSH 0x0
    8bce MOV ECX, ESI
    e893f6f800 CALL 0x619f1e30
    e327 JECXZ 0x60a627c6
    06 PUSH ES
    f0a90000d089 TEST EAX, 0x89d00000
    07 POP ES
    57 PUSH EDI
    (28A2DAC93E03C905)


    0x619B9BFB MSO.DLL ~ RET* 0x60FCDB6E MSO.DLL ^06C7
    c20400 RET 0x4


    0x61CAC516 MSO.DLL ~ RET 0x02C40FAE (anonymous; WWLIB.DLL) ^0017

    0x61F1DEFF MSO.DLL RET 0x61CAC500 MSO.DLL ^0001

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 60A120F8 MSO.DLL
    8bce MOV ECX, ESI
    8986ac000000 MOV [ESI+0xac], EAX
    e8d8000000 CALL 0x60a121dd
    8bc6 MOV EAX, ESI
    5e POP ESI
    c3 RET

    2 60C2C67E MSO.DLL
    3 60C2C55F MSO.DLL
    4 60C251E9 MSO.DLL
    5 02C44D60 (anonymous; WWLIB.DLL)
    6 60C549E4 MSO.DLL
    7 60C53652 MSO.DLL
    8 60A2D464 MSO.DLL
    9 60A1EF1E MSO.DLL
    10 60A1B45C MSO.DLL

    Process Trace
    1 C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE [8584]
    "C:\Program Files\Microsoft Office 15\Root\Office15\WINWORD.EXE" /n "C:\Users\Username\Desktop\Spring 15\Username Resume.docx" /o ""
    2 C:\Windows\explorer.exe [4604]
    3 C:\Windows\System32\userinit.exe [4112]
    4 C:\Windows\System32\winlogon.exe [9856]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    5 C:\Windows\System32\smss.exe [1036]
    \SystemRoot\System32\smss.exe 000000e0 00000078 C:\WINDOWS\System32\WinLogon.exe -SpecialSession

     
    Last edited by a moderator: May 14, 2016
  22. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    Hi.
    The latest version working fine in Windows 10 x64 and FF 46.0.1
    Greetings.
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    erikloman

    Are you going to do anything about HitmanPro Alert's blocking System Mechanic and its shutting down Microsoft Register Server as an additional response? There has been no response from Sophos/SurfRight respecting this reported issue.

    System Mechanic is PC Mag's Utility Editor's Choice and while many Wilders folks frown about it, lots of peeps use it.


    http://www.pcmag.com/article2/0,2817,2371043,00.asp

    I have had to uninstall it, preferring the security of HMPA over the convenience and performance enhancements of System Mechanic, but I would like to use both.

    "Microsoft(c) Register Server has been terminated to prevent execution of malicious code.
    Mitigation Lockdown
    Platform 6.3.9600/x64 06_3c
    PID 4412
    Application C:\Windows\SysWOW64\regsvr32.exe
    Description Microsoft(C) Register Server 6.3
    Filename C:\WINDOWS\SYSTEM32\jscript.dll
    Process Trace
    1 C:\Windows\SysWOW64\regsvr32.exe [4412]
    /s "C:\WINDOWS\SysWOW64\jscript.dll"
    2 C:\Windows\System32\regsvr32.exe [5404]
    "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\SysWOW64\jscript.dll"
    3 C:\Program Files (x86)\iolo\System Mechanic\SysMech.exe [3400]
    "C:\Program Files (x86)\iolo\System Mechanic\SysMech.exe" /Launch
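The Mitigation Lockdown blocks quoted in this thread (the TeamViewer one in post 1 and the regsvr32/System Mechanic one above) share one plain-text layout: a "Mitigation" line, a handful of "Key value" fields, and a numbered "Process Trace" where a process line may be followed by its command line. Post 1 also shows that the same text is written to the Windows Application event log under source HitmanPro.Alert, event ID 911, so it can be collected without a copy button. The following parser is an added example, not code from this thread or from HitmanPro.Alert; the sample alert is constructed after the post 1 text with the user name replaced by the placeholder USER, and the triage checks (Temp-folder execution, file created by its own parent) are a defender's reading of that trace, not HitmanPro.Alert's own logic.

```python
"""Parse a HitmanPro.Alert Mitigation Lockdown text block and summarise
the process ancestry for triage. Added example; sample data is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the alert quoted in post 1 (USER is a placeholder).
SAMPLE_ALERT = r"""Mitigation Lockdown

Platform 10.0.10586/x64 06_17*
PID 1184
Application C:\Users\USER\AppData\Local\Temp\TeamViewer\update.exe
Description TeamViewer Remote Control Application Installer 11

Filename C:\Users\USER\AppData\Local\Temp\TeamViewer\update.exe
Created By C:\Program Files (x86)\TeamViewer\TeamViewer.exe

Process Trace
1 C:\Users\USER\AppData\Local\Temp\TeamViewer\update.exe [1184]
"C:\Users\USER\AppData\Local\Temp\TeamViewer\update.exe" --RemoveOld
2 C:\Program Files (x86)\TeamViewer\TeamViewer.exe [440]
"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" --dre
3 C:\Program Files (x86)\TeamViewer\TeamViewer.exe [5092]
4 C:\Windows\explorer.exe [1180]
5 C:\Windows\System32\userinit.exe [6912]
6 C:\Windows\System32\winlogon.exe [5920]
C:\WINDOWS\System32\WinLogon.exe -SpecialSession
7 C:\Windows\System32\smss.exe [5352]
\SystemRoot\System32\smss.exe 000000a8 00000074 C:\WINDOWS\System32\WinLogon.exe -SpecialSession
"""

FIELD_KEYS = ("Platform", "PID", "Application", "Description", "Filename", "Created By")
# "<index> <path> [<pid>]" as printed in the Process Trace section.
TRACE_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)


@dataclass
class ProcessEntry:
    index: int
    path: str
    pid: int
    cmdline: Optional[str] = None  # the line after the process line, if any


@dataclass
class LockdownAlert:
    mitigation: str
    fields: Dict[str, str] = field(default_factory=dict)
    process_trace: List[ProcessEntry] = field(default_factory=list)


def parse_alert(text: str) -> LockdownAlert:
    """Turn the alert text into a LockdownAlert; raises on unexpected input."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("Mitigation "):
        raise ValueError("not a HitmanPro.Alert mitigation block")
    alert = LockdownAlert(mitigation=lines[0].split(" ", 1)[1])
    in_trace = False
    for ln in lines[1:]:
        if not ln:
            continue
        if ln == "Process Trace":
            in_trace = True
            continue
        if in_trace:
            m = TRACE_RE.match(ln)
            if m:
                alert.process_trace.append(
                    ProcessEntry(int(m.group(1)), m.group(2), int(m.group(3))))
            elif alert.process_trace and alert.process_trace[-1].cmdline is None:
                # A non-numbered line directly under a process is its command line.
                alert.process_trace[-1].cmdline = ln
            continue
        for key in FIELD_KEYS:
            if ln.startswith(key + " "):
                alert.fields[key] = ln[len(key) + 1:].strip()
                break
    return alert


def triage(alert: LockdownAlert) -> List[str]:
    """Defender-side observations about where the blocked file came from."""
    findings: List[str] = []
    app = alert.fields.get("Application", "")
    creator = alert.fields.get("Created By", "")
    if TEMP_RE.search(app):
        findings.append("application runs from the user's Temp folder")
    if creator and PROGRAM_FILES_RE.match(creator):
        findings.append("file was written by an installed application: " + creator)
    parent = next((p for p in alert.process_trace if p.index == 2), None)
    if parent and creator and parent.path.lower() == creator.lower():
        findings.append("parent process is the same program that created the file (self-update pattern)")
    chain = " <- ".join(p.path.rsplit("\\", 1)[-1] for p in alert.process_trace)
    findings.append("ancestry: " + chain)
    return findings


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    print(parsed.mitigation, parsed.fields.get("Application"))
    for line in triage(parsed):
        print(" -", line)
```

On the post 1 trace the output says the blocked binary lives in Temp, was dropped by TeamViewer.exe and was launched by TeamViewer.exe, i.e. a self-updater doing exactly what Lockdown forbids, which matches the advice in post 2 to exempt that program rather than wonder about the alert. Feed it the regsvr32 block above and the ancestry line instead ends at SysMech.exe, which is the fact the maintainer needs to decide on an exclusion.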
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    See my reply https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-397#post-2588232
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area