HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
  2. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
  3. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    a very good reading!

    Luckily 'HA-CFI' was implemented long time ago by Alert (https://www.wilderssecurity.com/thr...discussion-thread.324841/page-71#post-2389909)...

    :)
     
  4. mrhex1

    mrhex1 Registered Member

    Joined:
    Jul 2, 2016
    Posts:
    19
    Location:
    Timbuktu
    @erikloman
    @markloman

    Hi gentleman,

    I am have found that I will get the following while playing the Sega Classics game emulator. The emulator is available through Steam. If I set up an exception on HitmanPro.Alert then the emulator will run properly. I can consistently get this error until an exception is set manually.



    Code:
    Mitigation   CallerCheck
    
    Platform     10.0.10586/x64 06_45
    PID          216
    Application  C:\Program Files (x86)\Steam\steamapps\common\Sega Classics\SEGAGameRoom.exe
    
    Callee Type  LoadLibrary
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  73C41D1A hmpalert.dll             +0x31d1a
    
    2  06C295E4 (anonymous; mono.dll)   
                8bf8                     MOV          EDI, EAX
                8b0570591f10             MOV          EAX, [0x101f5970]
                85c0                     TEST         EAX, EAX
                750f                     JNZ          0x6c295ff
                8bc7                     MOV          EAX, EDI
                8b55dc                   MOV          EDX, [EBP-0x24]
                8b4de0                   MOV          ECX, [EBP-0x20]
                8911                     MOV          [ECX], EDX
                8b7df0                   MOV          EDI, [EBP-0x10]
                c9                       LEAVE       
                c3                       RET         
    
    3  06C2952E (anonymous; mono.dll)   
    4  06C29386 (anonymous; mono.dll)   
    5  06C28D18 (anonymous; mono.dll)   
    6  06C191D2 (anonymous; mono.dll)   
    7  06C18CF7 (anonymous; mono.dll)   
    8  06C1667F (anonymous; mono.dll)   
    9  06C00654 (anonymous; mono.dll)   
    10 06BFFE15 (anonymous; mono.dll)   
    
    Process Trace
    1  C:\Program Files (x86)\Steam\steamapps\common\Sega Classics\SEGAGameRoom.exe [216]
    2  C:\Program Files (x86)\Steam\Steam.exe [7368]
    "C:\Program Files (x86)\Steam\Steam.exe" -silent
    3  C:\Windows\explorer.exe [5560]
    4  C:\Windows\System32\userinit.exe [5528]
    
     
  5. Bowhunter26

    Bowhunter26 Registered Member

    Joined:
    Jun 22, 2016
    Posts:
    39
    Location:
    Arkansas, USA
    Does anyone know how to temporarily disable |HitmanPro.Alert ? I'm trying to make a bootable Windows 10 USB recovery tool, and it keeps blocking the creation of the tool to the usb drive.

    Code:
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          7/15/2016 12:10:29 PM
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Brian-PC
    Description:
    Mitigation   WipeGuard
    
    Platform     10.0.10586/x64 06_25
    PID          960
    Application  C:\Windows\System32\vds.exe
    Description  Virtual Disk Service 10
    
    Master Boot Record (MBR)
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2016-07-15T17:10:29.777637400Z" />
        <EventRecordID>16969</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Brian-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Windows\System32\vds.exe</Data>
        <Data>WipeGuard</Data>
        <Data>Mitigation   WipeGuard
    
    Platform     10.0.10586/x64 06_25
    PID          960
    Application  C:\Windows\System32\vds.exe
    Description  Virtual Disk Service 10
    
    Master Boot Record (MBR)
    </Data>
      </EventData>
    </Event>
     
  6. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    try in first place to disable MBR mitigation (Risk reduction→ Cryptoguard→ ...).

    Anyway you should avoid to speak about 3.5 since it's a private beta...
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Perhaps I should read it again, but I didn't understand all of it. If ROP is dying, then what other techniques are being used? AFAIK, both MBAE and HMPA are mostly focused on blocking exploits that are using ROP. The difference is that HMPA is using "Hardware Assisted CFI", to make it harder for exploits to bypass anti-exploit tools.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I've watched the video, and it seems that HMPA could spot the injection into explorer.exe and Firefox. So I assume that InfoStealer can only steal passwords after code injection. But what about the ransomware that bypassed HMPA? What type of technique was it using, and have you already shared this info with the developers?
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    They are aware of it.
     
  10. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    yeah I forgot to pm erik about it.

    I posted about it on steam and futuremark forums but their dev's are been a bit anal about it.

    Their reply is more or less " we will only support clean pc's with no other software installed".

    Also as a warning to those who lock down programdata ,the new 3dmark generates random named dll's in a subfolder everytime it starts up. I had to whitelist the folder in SRP.
     
  11. Anguel

    Anguel Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    75
    Just wondering if this looks like a real attack or a false alarm:

    Code:
    Mitigation   ROP
    
    Platform     10.0.10586/x64 06_2a
    PID          6948
    Application  C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Description  Firefox 47.0.1
    
    Branch Trace                      Opcode To
    -------------------------------- -------- --------------------------------
    +0x1bf7d                             RET +0x1c18b
    0x73BFBF7D hmpalert.dll                   0x73BFC18B hmpalert.dll
    
    +0x6ed3f                           ~ RET  0x67674968 dxgi.dll
    0x73C4ED3F hmpalert.dll
    
    +0x1c149                           ~ RET* 0x73E0EA4F user32.dll
    0x73BFC149 hmpalert.dll
                41                       INC          ECX
                ffa7f8000000             JMP          DWORD [EDI+0xf8]
    
    
    MsgWaitForMultipleObjectsEx +0x1ab   ~ RET  0x00E562D2 firefox.exe
    0x73DEC4AB user32.dll
    
    SetManipulationInputTarget +0xd6     RET MsgWaitForMultipleObjectsEx +0x1a8
    0x73E08576 user32.dll                     0x73DEC4A8 user32.dll
    
    InvalidateRect +0x1c               ~ RET MsgWaitForMultipleObjectsEx +0x184
    0x73E0895C user32.dll                     0x73DEC484 user32.dll
    
    Wow64SystemServiceEx +0x257        ~ RET TurboDispatchJumpAddressEnd +0xb
    0x5FF06347 wow64.dll                      0x5FE71C87 wow64cpu.dll
    
    0x5FF18404 wow64.dll                 RET  Wow64SystemServiceEx +0x244
                                              0x5FF06334 wow64.dll
    
    0x5FE88610 wow64win.dll            ~ RET  Wow64SystemServiceEx +0x155
                                              0x5FF06245 wow64.dll
    
    0x5FE93804 wow64win.dll            ~ RET  0x5FE8860B wow64win.dll
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  67674977 dxgi.dll
                6894296667               PUSH         DWORD 0x67662994
                57                       PUSH         EDI
                894670                   MOV          [ESI+0x70], EAX
                ff1524316c67             CALL         DWORD [0x676c3124]
                68b4296667               PUSH         DWORD 0x676629b4
                57                       PUSH         EDI
                894674                   MOV          [ESI+0x74], EAX
                ff1524316c67             CALL         DWORD [0x676c3124]
                68d4296667               PUSH         DWORD 0x676629d4
                57                       PUSH         EDI
                894678                   MOV          [ESI+0x78], EAX
                ff1524316c67             CALL         DWORD [0x676c3124]
                68ec296667               PUSH         DWORD 0x676629ec
                57                       PUSH         EDI
                898680000000             MOV          [ESI+0x80], EAX
                ff1524316c67             CALL         DWORD [0x676c3124]
    
    2  67673334 dxgi.dll
    3  6767D298 dxgi.dll
    4  5D0AE284 xul.dll
    5  5CC19936 xul.dll
    6  5C8117DA xul.dll
    7  5C811ECB xul.dll
    
    Process Trace
    1  C:\Program Files (x86)\Mozilla Firefox\firefox.exe [6948]
    2  C:\Windows\explorer.exe [6856]
    3  C:\Windows\System32\userinit.exe [4300] 
     
  12. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
  13. Jacob Woodruff

    Jacob Woodruff Registered Member

    Joined:
    Jul 21, 2016
    Posts:
    3
    Location:
    Earth
    Hello,

    New to the forum and require assistance in fixing the following issue:

    HitmanPro.Alert 3.1.11 (HPA) was installed as a second security layer along Sandboxie running IceDragon. However, installing HPA on Sandboxie prompts the msgbox "Failed to install program . Error 0.".

    Because of the error occurring, should HPA be executed separately to Sandboxie? Or for maximum protection is HPA required to be installed in Sandboxie and if so how?
     
    Last edited: Jul 22, 2016
  14. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Why would you want HMP.A be installed in a sandbox environment?
    HMP.A, other security software and some other software, must be installed in a real-user environment.
    The error is very much understandable. :)
     
  15. Jacob Woodruff

    Jacob Woodruff Registered Member

    Joined:
    Jul 21, 2016
    Posts:
    3
    Location:
    Earth
    Because I'm exploring the methodology of implementing Hitman.Pro.Alert for a sandboxed web browser as discussed here:

    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=21573&start=15
    https://malwaretips.com/threads/how-to-run-chrome-in-sandboxie.57770/
    https://www.wilderssecurity.com/thr...o-alert-chrome-and-sandboxie-together.378725/

    Second forum expresses that a Sandbox protects you from malware, while hitman.pro.alert prevents information leaks.

    Currently, I've added SandBoxie to Hitman.Pro.Alert as an application under exploit mitigation and is working. However, Hitman.Pro.Alert is not protecting IceDragon when Sandboxed.
     
  16. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Your problem indicates a compatibility issue with HMP.A and Sandboxie.
    And that compatibility issue cannot be solved by sandboxing HMP.A. :)
    Worse, you'll get an unstable computer system.

    Supposing that there is no compatibility issue, both HMP.A and Sandboxie, installed normally, should work together to protect a browser (e.g. Chrome). But since that is not the case, then either that's a known issue or that should be reported to the devs. :)
     
  17. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I run cyberfox sandboxed and HMPA protects it. Sandbox is not a virtual machine so the processes are still windows processes.

    Install HMPA outside of sandboxie.
     
  18. Jacob Woodruff

    Jacob Woodruff Registered Member

    Joined:
    Jul 21, 2016
    Posts:
    3
    Location:
    Earth
    HMP.A and Sandboxie misconfiguration was suspected. However, for confirmation second opinions were required.

    So for those that posted thank you.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    A good rule of thumb: Never install security software in Sandboxie.
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.5 Build 546 Released

    After a (too long) private beta period we now release HitmanPro.Alert version 3.5. I want to take to opportunity to thank everybody who participated in the private beta. Thank you!
    If you are still running a 3.5 beta you are encouraged to upgrade to this release.

    CryptoGuard 4th generation
    Major new feature is the addition of the 4th generation of CryptoGuard (est. 2013). It is now capable of detecting "imperfect" crypto-ransomware families. These types of crypto-ransomware simply create encrypted copies of your files and then delete the originals. If you use an undelete tool like Recuva you can get much of your data back. Hence why we call these families imperfect. Getting hit by these types is still highly annoying so we added support for protecting against these families.

    CryptoGuard v4 also improves the rollback mechanism that restores encrypted files to their original state. And we have vastly improved the cleanup of the temp files in the CryptoGuard rollback folder.

    Since 2013, CryptoGuard not only protects against locally running crypto-ransomware, but also provides protection against infected endpoints trying to encrypt your locally shared data from remote.

    WipeGuard

    With the advent of Master Boot Record based ransomware (Petya and Mischa), we have added a new mitigation called WipeGuard (currently part of CryptoGuard). This mitigation protects your critical disk sectors from being overwritten. This is the first release of WipeGuard, future releases will enhance this mitigation. Stay tuned.

    WipeGuard.png

    Improvements
    Next to new features we have also improved performance across the board. Mitigations are now faster and alerts provide more information.

    You can read the full changelog below.

    Changelog (compared to build 374)
    • Added CryptoGuard 4th generation
    • Added WipeGuard mitigation
    • Added DLL hijack mitigation on browser downloaded binaries
    • Added Hardware-Assisted IAT filtering
    • Added Import and Export of settings
    • Improved Hardware-Assisted Control-Flow Integrity (CFI) mitigation
    • Improved ROP mitigation
    • Improved CallerCheck mitigation
    • Improved Heap Spray mitigation
    • Improved Hollow Process mitigation
    • Improved Application Lockdown
    • Improved Colored Window Border
    • Improved overall mitigation performance
    • Improved reporting details
    • Improved compatibility hooks
    • Improved 3rd party trampoline handling
    • Improved support for binaries with Intel® MPX instructions
    • Fixed Software Radar incorrectly detecting 64-bit applications
    • Various minor improvements
    Download
    http://dl.surfright.nl/hmpalert3.exe

    Please let us know how this version runs on your computer :thumb:

    NOTE: The automatic update will go online next week.
     
    Last edited: Jul 22, 2016
  21. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    Erik, congratulations on this milestone release. Do you recommend a clean install of 3.5, or is it just as good to install on top of build .374? Thanks.
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Upgrade should go smooth.
     
  23. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    Thank you Erik...I'm off to sample the new version :)
     
  24. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    697
    Location:
    EU
    Thank you for this new release, running smooth on my 7_x64.:thumb:

    Rules.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Upgraded release 3.5 build 546 over private beta 535.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.