HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    I would try to temporarily disable Crypto-Guard.
    In case this works, it will not be a good solution in the long run, because you will get tired of doing it,
    and possibly forget to turn Crypto-Guard back on.

    I guess @erikloman will kick in and suggest a solution soon.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I see something similar and disabling Crypto Guard didn't work. I've had to go back to 536
     
  3. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Figured as much. Your problem is because of RollBack Rx. It was only recently that I reported that kind of issue to Erik, and he said that it's because of that recovery/backup software.

    What you should do is set HitmanPro (the scanning software) to "Compatible Disk Access". Scanning will be fine afterwards. :)
     
  4. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    Thanks, XhenEd. That was exactly the problem. Also, if you choose to allow RollbackRX to disable System Restore, you should uncheck "create a restore point before deleting files" in HitmanPro settings or HMP will hang when it tries to delete files.
     
    Last edited: Jul 27, 2016
  5. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I already unchecked it because I don't want it to create a restore point. But it's good to know that enabling it while RollBack Rx has disabled System Restore will have an adverse effect on the OS. Thanks for that info! @erikloman should check that. :)
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The fact that the item has an icon tells me that all those Firefoxes are on the computer. If you enable exploit mitigation you can see where these are located and there is also an option to open an explorer to that location.
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I am able to reproduce this! :eek: Please expect a fix very soon.
     
  8. 142395

    142395 Guest

    Forgive me for my laziness about searching, but to use this with SBIE, do I still need to add an exception rule?
    Thx in advance.
    And happy to see old friends here being fine. ;)
     
  9. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    Okay, except for 47.0.0, the rest are portable apps that I've used for building my Win7 Boot PE. I normally don't use these apps on my active system and did not think about them also being protected by HMPA. I guess it's time to do some house cleaning. :)
     
    Last edited: Jul 28, 2016
  10. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    Anyone know why I occasionally get this HMPA alert?

    Is it anything to worry about?

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 7/28/2016 3:37:52 PM
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: me15
    Description:
    Mitigation CryptoGuard

    Platform 10.0.10586/x64 06_3f
    PID 6816
    Application C:\Windows\System32\dasHost.exe
    Description Device Association Framework Provider Host 10

    Filename C:\Windows\System32\dasHost.exe

    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_5.jpg
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_4.jpg
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_0.png


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-07-28T22:37:52.337978500Z" />
    <EventRecordID>35016</EventRecordID>
    <Channel>Application</Channel>
    <Computer>me15</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Windows\System32\dasHost.exe</Data>
    <Data>CryptoGuard</Data>
    <Data>Mitigation CryptoGuard

    Platform 10.0.10586/x64 06_3f
    PID 6816
    Application C:\Windows\System32\dasHost.exe
    Description Device Association Framework Provider Host 10

    Filename C:\Windows\System32\dasHost.exe

    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_5.jpg
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_4.jpg
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_0.png

    </Data>
    </EventData>
    </Event>
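As an added example (not part of the thread and not HitmanPro.Alert's own code): a small Python triage script that parses a HitmanPro.Alert Event ID 911 record like the one above into structured fields (mitigation, process, PID, touched files) and applies a simple queueing rule. The record layout is inferred only from this one event; the queueing rule is the example's own heuristic, not an HMPA verdict; and the dasHost.exe event is embedded as constructed test input copied from the post.

```python
# Triage helper for HitmanPro.Alert mitigation events (Event ID 911).
# Added example, not HitmanPro.Alert's own code: the layout (three <Data>
# elements: application path, mitigation name, multi-line detail block) is
# inferred only from the event pasted in the thread, embedded below as input.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="HitmanPro.Alert" />
<EventID Qualifiers="0">911</EventID>
<Level>2</Level>
<Task>9</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-07-28T22:37:52.337978500Z" />
<EventRecordID>35016</EventRecordID>
<Channel>Application</Channel>
<Computer>me15</Computer>
<Security />
</System>
<EventData>
<Data>C:\Windows\System32\dasHost.exe</Data>
<Data>CryptoGuard</Data>
<Data>Mitigation CryptoGuard

Platform 10.0.10586/x64 06_3f
PID 6816
Application C:\Windows\System32\dasHost.exe
Description Device Association Framework Provider Host 10

Filename C:\Windows\System32\dasHost.exe

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_5.jpg
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_4.jpg
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_0.png

</Data>
</EventData>
</Event>"""

@dataclass
class MitigationEvent:
    record_id: int
    time_created: str
    mitigation: str
    application: str
    pid: Optional[int]
    description: str
    files: List[str] = field(default_factory=list)

_KV_LINE = re.compile(r"^(Platform|PID|Application|Description|Filename)\s+(.*)$")
_PATH_LINE = re.compile(r"^[A-Za-z]:\\")

def parse_event(xml_text: str) -> MitigationEvent:
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    if system is None or len(data) < 3:
        raise ValueError("not a HitmanPro.Alert mitigation record")
    fields, files = {}, []
    for line in data[2].splitlines():   # the multi-line detail block
        line = line.strip()
        m = _KV_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
        elif _PATH_LINE.match(line):
            files.append(line)          # files the mitigation saw being written
    tc = system.find("e:TimeCreated", NS)
    pid = fields.get("PID", "")
    return MitigationEvent(
        record_id=int(system.findtext("e:EventRecordID", "0", NS)),
        time_created=tc.get("SystemTime", "") if tc is not None else "",
        mitigation=data[1].strip(),
        application=fields.get("Application", data[0]).strip(),
        pid=int(pid) if pid.isdigit() else None,
        description=fields.get("Description", ""),
        files=files,
    )

def triage(ev: MitigationEvent, system_root: str = r"C:\Windows") -> str:
    """Queue label for an analyst. This rule is the example's own heuristic,
    not an HMPA verdict: a Windows component rewriting files under its own
    %SystemRoot% (the dasHost.exe case in the thread, reproduced by the
    developer as a bug) is queued as a false-positive candidate to confirm."""
    root = system_root.lower().rstrip("\\") + "\\"
    app_in_root = ev.application.lower().startswith(root)
    files_in_root = bool(ev.files) and all(f.lower().startswith(root) for f in ev.files)
    if ev.mitigation == "CryptoGuard" and app_in_root and files_in_root:
        return "fp-candidate: OS component writing inside %SystemRoot%"
    return "investigate"

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT_XML)
    print(ev.time_created, ev.mitigation, ev.application, ev.pid, len(ev.files), "files")
    print(triage(ev))
```

On a live system the same XML comes from the Application log (Source HitmanPro.Alert, Event ID 911); the parser only needs the record's XML text, so it can be fed from an export or a SIEM forwarder equally well.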
     
  11. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    I tried searching and browsing through this thread but did not find an answer for a few newbie questions. My apologies if these are already discussed somewhere...
    1. What is the difference between the various mitigation templates in practice (e.g. "Media" vs. "Office" vs. "Other"). At first glance it seems to me that whatever mitigation template I choose for a new application, it always gets all the 7 code mitigations and 5 memory mitigations enabled...
    2. What does the "Safe Browsing" do in addition to "Exploit mitigation" (and on the other hand - why should I NOT introduce all new applications as "Browsers" to HMPA when configuring new applications for protection)?
    3. Active vaccination is the recommended setting but IIRC Passive vaccination was on by default when I first started the software after installation. Why so (or do I just memorize it erroneously)? As a matter of fact I think that there was also at least one other recommended setting which was not enabled by default...
    4. HitmanPro has some settings that can be changed via its user interface. Is HMPA aware of these settings so that it uses them, or does HMPA download another copy of HitmanPro and use it with the default settings when I click "Scan computer" in HMPA?
    5. When playing around with the HMPA test tools (32-bit and 64-bit) I made some observations:
      1. In a Windows 7 (64-bit) workstation HMPA seems to prevent the exploits targeted to the 64-bit test application itself by default (i.e. without it being listed in the protected applications list), but the 32-bit test tool is vulnerable to the exploits when running it the same way - unless I explicitly introduce the 32-bit test tool to HMPA for protection. Is this the expected behavior and if so, why?
      2. In another workstation running Windows 10 LTSB without installing HMPA but running some other security software I was able to exploit the 64-bit test tool but was unable to exploit e.g. Firefox or VLC media player. Is there a straightforward explanation for this difference ("I was able to shoot myself but unable to shoot another process")?
    Generally speaking this looks like a very promising piece of software; I'm seriously considering to purchase a whole bunch of licenses... :thumb:
     
  12. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    Some very good questions there mike83 and as a newbie to HMPA, I would also be very interested in the answers.
    I can confirm that passive vaccination is on by default and I believe that BadUSB is disabled by default although Enabled is recommended. EDIT: Just realised that BadUSB is disabled on my laptop because I use a USB keyboard. Clever..

    I have just added Thunderbird manually as a "Browser" but am not sure if "Browser" is the correct category. Also I cannot see why this was not added automatically like most of my other applications . Perhaps it was not running when I set up HMPA?
     
    Last edited: Jul 30, 2016
  13. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    456
    Location:
    England
    Email clients should be added under the "Office" template.

    I don't know why this is the case but it was mentioned somewhere in this megathread, so that's what I did. Edit: HERE

    Portable Thunderbird here, I had to add it manually.
     
  14. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    Thanks Fad - I've now corrected to Office.
     
  15. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    456
    Location:
    England
    I used the browser template at first as well, it seemed the obvious choice to me at the time.

    (I thought "office" was for office suites and similar programs that had internet access)
     
  16. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    It's definitely not clear where email clients should go and it looks as though they are not added automatically for some reason. Also, as mike83 mentions above in his Q1, "whatever mitigation template I choose for a new application, it always gets all the 7 code mitigations and 5 memory mitigations enabled...", so it would be interesting to hear the expert view as to why we need to differentiate.
     
  17. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I only recently discovered that if you click the big green safe browsing button, then click web browsers, then click on any of the browsers, you will see two boxes on the right which should be ticked. These may give an idea what that protection does.

    One box says intruder monitor and says it detects browser malware. My guess is it scans plugins and extensions loaded by the browser.
    The second box says keyboard encryption, this one is odd because HMPA does encrypt my typing when safe browsing is disabled, so I guess it's a duplicated function that's also available in the exploit mitigation (not redundant when someone only has the free version of HMPA).

    I have the bad usb devices option disabled, but interestingly enough when I swapped my keyboard HMPA detected this and asked me to approve the change, so there is still some USB type protection in existence with that option unticked.

    I am also interested in the 64bit vs 32bit question.
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Keystroke Encryption can also be toggled under "Risk Reduction". Whether or not it's implemented on a specific program may depend on which template is used though (not sure about this).

    Can you say more about this? I couldn't find an earlier reference in the thread.
     
    Last edited: Jul 30, 2016
  19. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    And on the other hand HMPA seems to automatically recognize e.g. KeePass which it puts into category "Other" but without displaying its icon below the big blue "Exploit Mitigation" button. However, when you click the blue icon and then "Applications", you will find KeePass under the title "OTHER". If you then go further and click KeePass's icon you will find the standard 12 mitigations.

    BUT when you start and open KeePass, you will find also the "Keyboard Encryption" notification visible at the lower right corner of KeePass window...

    So I wonder why Firefox Keyboard encryption can be switched on and off under the big green button, but this is not so for KeePass (is it only a matter of implementing some of the missing features in the HMPA user interface or is there something else behind this difference...)

    I hope that Erik will have the time to shed some light into this and the other questions I presented a few messages ago...
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes I know, but the reason I asked is because in the past HMPA has sometimes failed to block ransomware. If I understood it correctly, the CryptoDrop developers managed to block them all. The only difference is that they can't stop encryption of all files, but I'd rather lose a couple of files than lose them all. So I wonder if HMPA works about the same or is CryptoDrop using a different method.
     
  21. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Not sure if this has been reported before (it is new for me and a long thread to comb through) but Cryptoguard on 3.5.0 546 terminates Privazer when using Empty recycle bin without a trace option. Understandable I suppose as the deletion routine is overwriting data but.........

    Thanks
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    It's been mentioned before that secure deleting, i.e. writing ones and zeros over deleted files, looks like active file encryption and so CryptoGuard jumps in to stop it. IIRC the advice has been to temporarily disable CryptoGuard, do the secure deleting and then re-enable CryptoGuard.
     
  23. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Thanks! It's what I've been doing. Will keep that going.

    Cheers
     
  24. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    Yet one more observation that I do not fully understand: TeamViewer (a remote desktop session application) is not protected in HMPA by default. If I add TeamViewer into the web browsers, it will get a green border - and respectively a blue one should I add it in another mitigation category.

    However, there will be no "Keystroke Encryption" label or "Safe Browsing" label or "Exploit Mitigation" label at the TeamViewer application window's lower right corner regardless of how I configure it. On the other hand KeePass displays a "Keystroke encryption" label without any user configuration... why the difference?

    I also do not understand the meaning of "Add exclusion" in the Exploit mitigation settings... or is it meant only for the applications that are "built-in" in the HMPA like Firefox, VLC media player etc.? (If not, what is the difference between not configuring TeamViewer at all in HMPA and configuring it in the exclusion list?)

    Sorry for asking so many basic questions... somehow I feel that I'd like to see a similar kind of a user manual for HMPA that exists for the HMPA test applications.

    I actually wonder if that document already exists somewhere but I just have not found it yet - if so, please tell me where to search for it ...
     
  25. guest

    guest Guest

    @mike83
    "Browsers" and the template "Other" have an additional keystroke encryption.
    If you look in the registry you'll see that "KbdGuard" is enabled for only these profiles:
    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_templates_\Other]
    "KbdGuard"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_templates_\Browsers]
    "KbdGuard"=dword:00000001
    As you already mentioned, for "Browsers" it can be changed in the GUI, but not for "Other".
    There can be problems with specific programs, even if you have not added them to HMPA.
    Good example: MPC-HC (Media Player Classic Home Cinema) (It was mentioned earlier in this thread)
    If you have one of these "problematic" applications you have to add it to the Exclusion list.
    Better don't add all new applications to the category "Browsers".
    Put Media Players to "Media", Office Applications to "Office", Browsers to "Browsers", and so on ...
    Even if the templates "look the same" ;)
    If you don't know where to put a specific application, just use "Other" first.
    I think because of more false positives with active vaccination. But I'm not sure.
    Changelog 3.1.3 Build 353 PreRelease: Changed Vaccination default from Active to Passive on fresh installs
    If you have HitmanPro installed and configured, Alert is launching it and therefore is using "your" already configured settings.
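As an added example (not part of the thread and not the vendor's code): a Python script that parses a .reg export of the _templates_ key quoted above and reports which mitigation templates have "KbdGuard" set, so the per-template difference can be audited instead of guessed from the GUI. The Other and Browsers entries in the embedded sample mirror the post; the Media entry with KbdGuard off, and the convention that a missing value counts as off, are this example's own assumptions.

```python
# Audit HitmanPro.Alert mitigation templates from a registry export.
# Added example, not HitmanPro.Alert's own code. Parses a .reg export of
# HKLM\SOFTWARE\HitmanPro.Alert\_templates_ (the key quoted in the post) and
# reports the "KbdGuard" (keystroke encryption) flag per template.
import re
from typing import Dict, List

TEMPLATES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_templates_"

# Constructed sample: Other and Browsers mirror the post; the Media entry with
# KbdGuard=0 is an assumption made for the example, not taken from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_templates_\Other]
"KbdGuard"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_templates_\Browsers]
"KbdGuard"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_templates_\Media]
"KbdGuard"=dword:00000000
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Return {template_name: {value_name: int}} for dword values that sit
    directly under TEMPLATES_KEY; keys outside that subtree are ignored."""
    prefix = (TEMPLATES_KEY + "\\").lower()
    templates: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            if current:
                templates.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current:
            templates[current][m.group(1)] = int(m.group(2), 16)
    return templates

def keystroke_encryption_report(templates: Dict[str, Dict[str, int]]) -> Dict[str, bool]:
    """True where KbdGuard is non-zero; an absent value is treated as off (assumption)."""
    return {name: bool(values.get("KbdGuard", 0)) for name, values in templates.items()}

def templates_without_keystroke_encryption(templates: Dict[str, Dict[str, int]]) -> List[str]:
    return sorted(n for n, on in keystroke_encryption_report(templates).items() if not on)

def load_reg(path: str) -> str:
    """regedit writes .reg exports as UTF-16LE with a BOM; hand-written files are UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8-sig")

if __name__ == "__main__":
    for name, on in keystroke_encryption_report(parse_reg(SAMPLE_REG)).items():
        print(f"{name:10s} KbdGuard={'on' if on else 'off'}")
```

To audit a real machine, export the _templates_ key with regedit and pass the file through load_reg before parse_reg; the report then shows exactly which templates add keystroke encryption on that install.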
     