HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. mryoda

    mryoda Registered Member

    Joined:
    Jun 8, 2016
    Posts:
    7
    Location:
    Oldenzaal
    Hello Erik and Mark

When do you expect to release Beta 3.5? (Or are you too busy with the 4-daagse? :))
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
Perhaps tomorrow. Every day we are evaluating whether the build is good enough for beta release.

But I am indeed also busy with the 4-daagse (10 km), so the working days are a bit shorter this week. Also a lot of consultation with Sophos every week. But we are getting close to 3.5.
     
  3. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
Hmm, I have some odd behaviour. I am not sure if HMPA is the cause, but let me explain what is happening. I may also email you, Erik, as I am not sure if you will reply here.

So earlier I loaded battle.net and, as I haven't run it for ages, all the games on it needed updating.

Whilst they were being updated HMPA was using high CPU, no idea why unless it scans network traffic, since Blizzard makes many connections for updating, and then I observed the HMPA service was restarting every minute or so, which I was alerted to by NOD32 HIPS. On every restart all network connections were terminated, so I lost all my SSH sessions and battle.net had to re-login. In addition, when I checked the running processes in HMPA all processes were listed as unprotected, and this includes web browsers. I don't know if it was misinformation or they were genuinely not protected. Relaunching the web browsers, they were protected again.

Let me know if you need more information.

Battle.net has no specific configuration in HMPA, so it was not manually added and it also wasn't manually excluded.
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Mitigation SysCall while testing the (sandboxed) portable browser SRWare Iron 51 x64. HmpA build 373, Sandboxie beta 5.11.10, Win10 1511 build 10586.318 x64.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 8-6-2016 21:33:47
    Gebeurtenis-id:911
    Taakcategorie: (9)
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation SysCall

    Platform 10.0.10586/x64 06_17*
    PID 5164
    Application C:\Users\****\Desktop\IronPortable\IronPortable\Iron\chrome.exe
    Description SRWare Iron 51

    Reason NTDLL32 Bypass
    Callee Type ProtectVirtualMemory

    0x005C01F6 c21400 RET 0x14

    Code Injection
    00000000001A0000-00000000001A6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2164]
    00000000001B0000-00000000001B1000 4KB
    00007FFC8C916000-00007FFC8C917000 4KB
    00000000005AA000-00000000005AB000 4KB C:\Users\****\Desktop\IronPortable\IronPortable\Iron\chrome.exe [5524]
    0000000076F97000-0000000076F98000 4KB
    0000000076F96000-0000000076F97000 4KB
    1 C:\Users\****\Desktop\IronPortable\IronPortable\Iron\chrome.exe [5524]
    "C:\Users\****\Desktop\IronPortable\IronPortable\Iron\chrome.exe" -user-data-dir="C:\Users\****\Desktop\IronPortable\IronPortable\Profile"
    2 C:\Users\****\Desktop\IronPortable\IronPortable\IronPortable.exe [2656]
    3 C:\Program Files\Sandboxie\Start.exe [4236]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Users\****\Desktop\IronPortable\IronPortable" /env:=Refresh "C:\Users\****\Desktop\IronPortable\IronPortable\IronPortable.exe"
    4 C:\Program Files\Sandboxie\SbieSvc.exe [2164]

    Process Trace
    1 C:\Users\****\Desktop\IronPortable\IronPortable\Iron\chrome.exe [5164]
    "C:\Users\****\Desktop\IronPortable\IronPortable\Iron\chrome.exe" --type=renderer --enable-features=AutomaticTabDiscarding<AutomaticTabDiscarding,DocumentWriteEvaluator<DocumentWriteEvaluator,RenderingPipelineThrottling<RenderingPipelineThrottling,V8_Ser
    2 C:\Users\****\Desktop\IronPortable\IronPortable\Iron\chrome.exe [5524]
    "C:\Users\****\Desktop\IronPortable\IronPortable\Iron\chrome.exe" -user-data-dir="C:\Users\****\Desktop\IronPortable\IronPortable\Profile"
    3 C:\Users\****\Desktop\IronPortable\IronPortable\IronPortable.exe [2656]
    4 C:\Program Files\Sandboxie\Start.exe [4236]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Users\****\Desktop\IronPortable\IronPortable" /env:=Refresh "C:\Users\****\Desktop\IronPortable\IronPortable\IronPortable.exe"
    5 C:\Program Files\Sandboxie\SbieSvc.exe [2164]
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Do you see crash info in the Windows Event Log? Service should never crash.
     
    Last edited: Jun 9, 2016
  6. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    605
    Location:
    Australia
HMPA 3.1.10 b373 has been running fine for me on Win10 Preview build 14342 for a little while now, and is also running without issue on Win 8.1 Pro x64.
     
  7. Blutarsky

    Blutarsky Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    148
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,867
    Location:
    the Netherlands
    Is/was there a HMP.A alert when ACDSee is/was blocked?
If so, open the HMP.A user interface and click "Number of alerts". In a moment HMP.A adds a module to Windows Event Viewer (that takes some time), and then Windows Event Viewer opens, showing the relevant event. In Event Viewer you can select all text, copy it using Ctrl+C, and then paste that text in a new post in this thread, so that Erik or Mark can have a look at it.
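As an added example (not from this thread and not SurfRight's code), the same alert data can be pulled straight from the Application log with PowerShell instead of copying it out of Event Viewer. It assumes the provider name HitmanPro.Alert and Event ID 911, and the message layout visible in the logs posted here ("Mitigation", "PID", "Application", "Callee Type" lines); the field names in the output are my own.

```powershell
# Added example: summarise HitmanPro.Alert mitigation events (Event ID 911,
# source HitmanPro.Alert) from the Application log. Assumes the message
# layout shown in this thread: "Mitigation <name>", "PID <n>",
# "Application <path>", and optional "Reason"/"Callee Type" lines.

function Get-HmpaMitigationEvent {
    param(
        [int]$MaxEvents = 50,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'HitmanPro.Alert'
        Id           = 911
        StartTime    = $Since
    }
    # Get-WinEvent throws when nothing matches; treat that as "no alerts".
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg = $_.Message
            # Each field sits on its own line; take the first line starting with the label.
            $get = {
                param($label)
                if ($msg -match "(?m)^\s*$label\s+(.+?)\s*$") { $Matches[1] } else { $null }
            }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Mitigation  = & $get 'Mitigation'
                Reason      = & $get 'Reason'
                CalleeType  = & $get 'Callee Type'
                PID         = & $get 'PID'
                Application = & $get 'Application'
                Description = & $get 'Description'
            }
        }
}

# Group repeated alerts so a noisy but benign application (like the ACDSee
# or Sandboxie/Iron cases in this thread) stands out from a one-off hit.
Get-HmpaMitigationEvent |
    Group-Object Mitigation, Application |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Paste the output of `Get-HmpaMitigationEvent | Format-List` for a single event to get the same fields the Event Viewer copy shows, minus the XML block.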
     
  9. Blutarsky

    Blutarsky Registered Member

    Joined:
    Oct 17, 2006
    Posts:
    148
    Here

    Nome registro: Application
    Origine: HitmanPro.Alert
    Data: 09/06/2016 13:15:28
    ID evento: 911
    Categoria attività:(9)
    Livello: Errore
    Parole chiave: Classico
    Utente: N/D
    Computer: Dafne
    Descrizione:
    Mitigation LoadLib

    Platform 6.1.7601/x86 06_17*
    PID 1404
    Application C:\Program Files\ACD Systems\ACDSee Pro\3.0\ACDSeeQVPro3.exe
    Description ACDSee Pro 3

    Callee Type ProtectVirtualMemory
    0x03A10000 (327680 bytes)

    Allocated by (unknown)

    Process Trace
    1 C:\Program Files\ACD Systems\ACDSee Pro\3.0\ACDSeeQVPro3.exe [1404]
    "C:\Program Files\ACD Systems\ACDSee Pro\3.0\ACDSeeQVPro3.exe" "C:\Users\Babs\Desktop\maritozzo.JPG"
    2 C:\Windows\explorer.exe [340]
    3 C:\Windows\System32\userinit.exe [1828]

    XML evento:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-06-09T11:15:28.000000000Z" />
    <EventRecordID>50190</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Dafne</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files\ACD Systems\ACDSee Pro\3.0\ACDSeeQVPro3.exe</Data>
    <Data>LoadLib</Data>
    <Data>Mitigation LoadLib

    Platform 6.1.7601/x86 06_17*
    PID 1404
    Application C:\Program Files\ACD Systems\ACDSee Pro\3.0\ACDSeeQVPro3.exe
    Description ACDSee Pro 3

    Callee Type ProtectVirtualMemory
    0x03A10000 (327680 bytes)

    Allocated by (unknown)

    Process Trace
    1 C:\Program Files\ACD Systems\ACDSee Pro\3.0\ACDSeeQVPro3.exe [1404]
    "C:\Program Files\ACD Systems\ACDSee Pro\3.0\ACDSeeQVPro3.exe" "C:\Users\Babs\Desktop\maritozzo.JPG"
    2 C:\Windows\explorer.exe [340]
    3 C:\Windows\System32\userinit.exe [1828]
    </Data>
    </EventData>
    </Event>
     
  10. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
No, but around the same time there are errors related to Windows running out of resources, so it looks like if HMPA did restart it was because Windows had a problem. I don't know why the resource saturation happened; it wasn't due to RAM, the machine has 16 GB + an 8 GB swap file and Process Explorer showed the utilisation around 40%. So I am guessing it might be GDI handles, system pages or paged pool memory related.

I will leave it be for now and next time there is a battle.net update I will see what happens.
     
  11. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    210
This is from a few weeks ago. Is b373 supposed to fix this? I've just installed Rapport and HMPA throws an alert when I start Chrome. Disabling Control-Flow Integrity, as before, fixes this, but should that be necessary now?
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    373 should have fixed this, I think.
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    If you reboot, does ACDSee then still throw the alert?
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,246
    Location:
    Among the gum trees
    Erik,

It looks like HMP.A was involved in IE11 crashing.
    Code:
    Source
    Internet Explorer
    
    Summary
    Stopped working
    
    Date
    ‎10/‎06/‎2016 10:41 AM
    
    Status
    Report sent
    
    Description
    Faulting Application Path:    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    
    Problem signature
    Problem Event Name:    APPCRASH
    Application Name:    IEXPLORE.EXE
    Application Version:    11.0.10586.20
    Application Timestamp:    56541caa
    Fault Module Name:    StackHash_a72d
    Fault Module Version:    0.0.0.0
    Fault Module Timestamp:    00000000
    Exception Code:    c000041d
    Exception Offset:    PCH_D5_FROM_hmpalert+0x00052F86
    OS Version:    10.0.10586.2.0.0.768.101
    Locale ID:    3081
    Additional Information 1:    a72d
    Additional Information 2:    a72d1765b56ebdedae156d672bb4854b
    Additional Information 3:    8204
    Additional Information 4:    820407ed387c242668cd018b5f09341d
    
    Extra information about the problem
    Bucket ID:    392b723a56d73db034d4c8b567a89f36 (107814735807)
    
    Win10 x64
    HMP.A Build 373

    This happened at the same time.
    Code:
    Source
    Internet Explorer
    
    Summary
    Stopped working
    
    Date
    ‎10/‎06/‎2016 10:41 AM
    
    Status
    Report sent
    
    Description
    Faulting Application Path:    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    
    Problem signature
    Problem Event Name:    BEX
    Application Name:    IEXPLORE.EXE
    Application Version:    11.0.10586.20
    Application Timestamp:    56541caa
    Fault Module Name:    StackHash_bd71
    Fault Module Version:    0.0.0.0
    Fault Module Timestamp:    00000000
    Exception Offset:    PCH_79_FROM_ntdll+0x0007718C
    Exception Code:    c0000005
    Exception Data:    00000008
    OS Version:    10.0.10586.2.0.0.768.101
    Locale ID:    3081
    Additional Information 1:    bd71
    Additional Information 2:    bd71e8e8260a3d3e74ff6f7206915760
    Additional Information 3:    2757
    Additional Information 4:    275777679e642b3b1066033ce15f597e
    
    Extra information about the problem
    Bucket ID:    42f210a39cebe870ec21760dcc2dad62 (116175278014)
    
    Thanks.
     
  15. miguelgrado

    miguelgrado Registered Member

    Joined:
    May 25, 2014
    Posts:
    35
    Location:
    Asturias-España
I have a problem and I don't know since when it has been happening.

I've noticed that HitmanPro does not work well.

It only protects Internet Explorer and Edge, but other applications appear as unprotected.

I have uninstalled it, deleted folders and records, and at that point everything works fine, but after restarting the PC the same thing happens again.

I have tried it several times and it is always the same.

I have not made any change of software or anything on the PC.

Windows 10 Pro 64-bit, HitmanPro latest version

Any idea?
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
Have you tried Reset Settings from the gear icon in the top right corner of the GUI?

    Make sure you run build 373.
     
  17. 800ster

    800ster Registered Member

    Joined:
    Dec 1, 2006
    Posts:
    210
Just tested again; with 373 I get this alert with Chrome:
    Code:
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          10/06/2016 08:29:14
    Event ID:      911
    Task Category: (9)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      BLACK
    Description:
    Mitigation   ROP
    
    Platform     10.0.10586/x64 06_5e
    PID          3384
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 51
    
    Callee Type  CreateProcess
                 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FF9B331C873 KernelBase.dll           CreateProcessAsUserW +0x63
    2  00007FF9B40C7F6F advapi32.dll             CreateProcessAsUserW +0x5f
    
    3  000007FEFFC00000 (anonymous; rooksdol_x64.dll)
                        ff350a000000             PUSH         QWORD [RIP+0xa]
                        f04883250100000000       LOCK AND     QWORD [RIP+0x1], 0x0
                        c3                       RET         
    
    4  00000253169BDF50 (anonymous)             
    5  000000CB2CFFD4B0 (anonymous)             
    6  000000000008040C (unknown)               
    7  000000CB2CFFD4A0 (anonymous)             
    
    Process Trace
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [3384]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://rapport.trusteer.com/installer/post_install?ak=19E6E379F2E4C982F93940E05428211689A91709E0183069009E738AD5BC3486&ubv=3.5.1609.65-standard-release&iz=0&o=trusteer
    2  C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe [668]
    "C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe" -servicelaunch=true
    3  C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe [5864]
    "C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe" -start -servicelaunch
    4  C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [5628]
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2016-06-10T07:29:14.179902800Z" />
        <EventRecordID>5747</EventRecordID>
        <Channel>Application</Channel>
        <Computer>BLACK</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
        <Data>ROP</Data>
        <Data>Mitigation   ROP
    
    Platform     10.0.10586/x64 06_5e
    PID          3384
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 51
    
    Callee Type  CreateProcess
                 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FF9B331C873 KernelBase.dll           CreateProcessAsUserW +0x63
    2  00007FF9B40C7F6F advapi32.dll             CreateProcessAsUserW +0x5f
    
    3  000007FEFFC00000 (anonymous; rooksdol_x64.dll)
                        ff350a000000             PUSH         QWORD [RIP+0xa]
                        f04883250100000000       LOCK AND     QWORD [RIP+0x1], 0x0
                        c3                       RET         
    
    4  00000253169BDF50 (anonymous)             
    5  000000CB2CFFD4B0 (anonymous)             
    6  000000000008040C (unknown)               
    7  000000CB2CFFD4A0 (anonymous)             
    
    Process Trace
    1  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [3384]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://rapport.trusteer.com/installer/post_install?ak=19E6E379F2E4C982F93940E05428211689A91709E0183069009E738AD5BC3486&amp;ubv=3.5.1609.65-standard-release&amp;iz=0&amp;o=trusteer
    2  C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe [668]
    "C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe" -servicelaunch=true
    3  C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe [5864]
    "C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe" -start -servicelaunch
    4  C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [5628]
    </Data>
      </EventData>
    </Event>
     
  18. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Is the 3.5 beta going to be open to everyone?
     
  19. miguelgrado

    miguelgrado Registered Member

    Joined:
    May 25, 2014
    Posts:
    35
    Location:
    Asturias-España

Yes, all of it, and nothing :thumbd:

Uninstalled with Revo and nothing either.

Just a detail: after a clean install, the interface shows the number of alerts that I had.

It only protects Internet Explorer and Edge....
     

  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
Can you verify whether the injection succeeded? Run Process Explorer and look for hmpalert.dll in e.g. firefox.exe.
     
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.5 Private Beta Invite

    Before we release to a wider audience I would like to invite some of you who are willing and able to test HitmanPro.Alert 3.5. I will post a changelog shortly.

    Please send me a PM if you want to be included in the private beta round!
     
    Last edited: Jun 10, 2016
  22. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    a very gooood news :thumb:
     
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,867
    Location:
    the Netherlands
@miguelgrado
To do so, open all applications for which you want to check whether HMP.A protection is active, and run Process Explorer. Then use the keyboard shortcut Ctrl+F (the shortcut for Find, Find Handle or DLL), type or paste hmpalert.dll and click Search; this gives you an overview of all active processes into which hmpalert.dll is injected.

If applications are open and should be protected according to HMP.A user interface \ Advanced interface \ Exploit mitigation \ Applications, but the Process Explorer search finds no hmpalert.dll injection in the corresponding processes, then there may be something wrong.
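The Process Explorer check described in this post, done from PowerShell as an added example (not code from the thread or from SurfRight). The list of process names is an assumption standing in for whatever your HMP.A Applications list shows; adjust it to your own set.

```powershell
# Added example: report which running instances of the applications HMP.A is
# expected to protect have hmpalert.dll loaded, and which do not. The default
# process list is an assumption; replace it with the entries from
# HMP.A > Advanced interface > Exploit mitigation > Applications.

function Test-HmpaInjection {
    param(
        [string[]]$ExpectedProcess = @('firefox', 'chrome', 'iexplore',
                                       'MicrosoftEdge', 'wmplayer', 'FoxitReader')
    )
    foreach ($name in $ExpectedProcess) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) {
            [pscustomobject]@{ Process = $name; PID = $null; State = 'not running' }
            continue
        }
        foreach ($p in $procs) {
            # Reading .Modules can fail (access denied, bitness mismatch);
            # report that rather than a misleading "unprotected".
            try {
                $loaded = $p.Modules | Where-Object { $_.ModuleName -ieq 'hmpalert.dll' }
                $state = if ($loaded) { 'protected (hmpalert.dll loaded)' } else { 'UNPROTECTED' }
            } catch {
                $state = "unknown (cannot read modules: $($_.Exception.Message))"
            }
            [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id; State = $state }
        }
    }
}

# Run from an elevated prompt so module lists of all processes are readable.
Test-HmpaInjection | Format-Table -AutoSize
```

Run it once right after installing and again after a reboot; a process that flips from "protected" to "UNPROTECTED" between the two runs reproduces the symptom described in this thread.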
     
  24. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    pm sent :)
     
  25. miguelgrado

    miguelgrado Registered Member

    Joined:
    May 25, 2014
    Posts:
    35
    Location:
    Asturias-España

In Internet Explorer and Edge, hmpalert.dll is present; in Firefox, Media Player, Foxit Reader, etc., hmpalert.dll is not.

When I reinstall it works perfectly, but after rebooting the PC the problem arises.

I don't know since when it happens, but it has been a long time; I am not clear on that... I don't know if it is from the latest version :(
     