HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I just tried it and confirmed what you're seeing. My guess is it works in KeePass and not in TeamViewer because KP has a standard window and TV does not, but we will need Erik to say for certain.

    My understanding is HMPA injects the HMPA.dll into all processes, not just those it's actively protecting. This caused issues for a few apps and so the exclusion option was added.
     
  2. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    HMP.A 3.5.0 b546. I've just upgraded to W10 x64 & noticed that "Block Untrusted Fonts" & "BadUSB" are set to Disabled.
    Is this setting a carry-over from when I had W8.1, as it specifies it's only for W10?

    VLC is not listed under "Media"
    Is it advisable to add it to this template?
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Can't you manually enable them? You will need to restart your machine after enabling Untrusted Fonts.
     
  4. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    I can, but should I?
    It may be set to disabled for a reason?
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    After a clean Win10 install very recently and on first installing HMP.A they were disabled for me too along with Vaccination set to Passive. I've enabled all without any problems, but with Untrusted Fonts enabled a few sites look a little odd [including this one] if you visit with IE.
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Block Untrusted Fonts is a Windows 10 only feature and it basically toggles a Windows 10 setting that blocks fonts that are not installed in the %windir%/Fonts folder. As you might know, fonts are rendered by the kernel and a known or unknown vulnerability, triggered by a malicious font from the web, can lead to escalation of privilege (EoP). More here: https://support.microsoft.com/en-us/kb/3053676. After you turn this feature on, users might experience reduced functionality in the following situations:
    • Sending a print job to a shared printer server that uses this feature (Block Untrusted Fonts) and where the spooler process has not been specifically excluded. In this situation, any fonts that are not already available in the server's %windir%/Fonts folder will not be used.
    • Printing using fonts provided by the installed printer's graphics .dll file, outside the %windir%/Fonts folder. For more information, see Introduction to Printer Graphics DLLs.
    • Using first or third-party apps that use memory-based fonts.
    • Using Internet Explorer to view websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all the characters, so the website might render differently.
    • Using desktop Office to view documents that have embedded fonts. In this situation, content is displayed by using a default font picked by Office.
    BadUSB is nowadays disabled by default because the threat is minimal while it might cause problems with legitimate keyboards that were not manufactured according to the proper guidelines (and thus BadUSB may lock your keyboard). Users who do enable the protection are more conscious about it when their keyboard does lock up, as they now know where they can reverse the setting.

    Regarding VLC, yes, if you watch content from the internet with VLC, you should add it to the Media category.
     
    Last edited: Jul 31, 2016
  8. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    TeamViewer is not protected by HMPA, but you can practically add any application that a user can interact with (has a window). If you add TeamViewer to HMPA under the Browsers category, it also receives Safe browsing, which is the green tile in HMPA, and therefore receives a green Colored Window Border. Safe browsing's green border shows you that it is safe to use the browser, that critical functions have not been redirected to processes or memory areas that do not belong to the web browser. If the border turns red, HMPA will show an Intruder alert and the border of the web browser will be painted red and shown continuously; normally, when the browser is safe it automatically fades, and only returns when you hover the mouse pointer above the window title. When the green border is shown, in the lower right corner it shows the security features that are actively protecting the browser. Normally, it should also show Exploit mitigation (blue) and Keystroke encryption (orange).
    If you add TeamViewer to a category other than Browsers, the Colored Window Border will be blue (no Safe browsing). The blue color represents Exploit mitigations, just like the blue tile.

    For more information, see page 5 (chapter 3.1) of our Getting Started manual: http://dl.surfright.nl/HitmanPro Alert Getting Started.pdf

    Password managers like KeePass should be protected by Keystroke encryption and are therefore automatically protected by HMPA. If e.g. a keylogger gets hold of your master password, all your passwords are in the hands of the attacker. Not every application is protected by Keystroke encryption as some tools 'legitimately' sniff your keystrokes for the purpose of changing what you type. E.g. when you type "fyi" a tool might turn that on-the-fly into "for your information". By default only applications in the Browsers and Other categories receive Keystroke encryption.

    Add exclusion is for applications that do not work when HMPA is on the machine. These applications/games actively prevent security software from doing its job. E.g. the game Overwatch doesn't run when you have antivirus software on your machine, like Trend Micro, or other security software like HMPA; it probably does this to stop cheaters from manipulating the game, but it cannot determine good from bad injections. With normal software, you do not need to add exclusions. Add exclusion is just there for the rare event an application or game won't start.
     
    Last edited: Jul 31, 2016
  9. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    An e-mail application is a productivity application that can be used for both home and work related communication, and should therefore be added under the Office category.
    But for example Microsoft Outlook or Mozilla Thunderbird are not protected by HMPA by default because of the Application Lockdown mitigation. This mitigation prevents you from running new code or programs that you've received by e-mail in an attachment (e.g. in a ZIP-archive). In a business environment, this is probably a wanted side effect, but since Application Lockdown also affects legitimate use cases we decided not to protect e-mail clients by default.

    The reason for categories in HMPA is actually not because of the many individual mitigations. It is mainly because of the Application Lockdown mitigation (an important mitigation that e.g. Microsoft EMET does not have). For every category, this mitigation behaves differently. E.g. Microsoft Word, an Office application, is designed to view, create and edit documents. So MS Word is not meant to introduce new software on your PC, while Internet Explorer, Chrome or Firefox are typically used to download and run new software. So Browsers should still allow this. But Firefox Plugins, like Adobe Flash Player, should again not be allowed to introduce new binaries on your PC.

    Hope this helps.
     
    Last edited: Jul 31, 2016
  10. numen

    numen Registered Member

    Joined:
    Jul 31, 2016
    Posts:
    10
    Location:
    Europe
    Recently updated to HMP.A 3.5.0 b546 and noticed I have issues with corrupted downloads. I narrowed down the issue to Avira AV Pro Web Protection, but interestingly it all works fine on my other machine with older HMP.A 3.1. Once I uninstalled HMP.A 3.5, all gets back to normal on my PC again (I can leave HMP.A and turn Avira Web Protection too). Reinstalled HMP.A 3.5 and file corruption is back (though, interestingly, now the file sizes are different yet again).

    Below the details I sent to Avira Support (so again, file sizes are different today, but the files are still corrupted):
    http://www.foobar2000.org/files/6e0b8b2a7c242905a043f677c97ae0dc/foobar2000_v1.3.11_beta_4.exe (if the link expires, find a new one from: http://www.foobar2000.org/download)

    Size and SHA-256 hash when downloaded with Web Protection on
    3 912 220 (won't install - the installer's integrity check has failed; Avira would also scan it with its cloud technology)
    D80C718AACCD77A4D4D76433732471CF186D292DE55ADC66732735740AE3D029

    Size and SHA-256 hash when downloaded with Web Protection off
    3 918 215 (installs fine, Avira does not run its cloud scan)
    70706A7C9E1C07B2B3D6724AF48A60D7A49CBF9F7B1F046375DE44E4593997C4


    http://swupdl.adobe.com/updates/oobe/aam20/win/AdobeLightroom-6.0/6.6.1/setup.zip

    Size and SHA-256 hash when downloaded with Web Protection on
    255 889 086 (CRC error when unpacking the ZIP; after the download has completed it takes well over a minute for the file to appear as if it was being repacked or scanned)
    9119F9E3CE7183AA02E4C7A6474030264F38332D3ADB59CF842BEB2859FEF6C1

    Size and SHA-256 hash when downloaded with Web Protection off
    255 982 302 (unzips and installs fine)
    D0A8AFAD18475C083A018F0960532A65A6BFE7FA59735BE057761921EA7B4D38


    http://download.documentfoundation.org/libreoffice/stable/5.1.4/win/x86_64/LibreOffice_5.1.4_Win_x64.msi

    Size and SHA-256 hash when downloaded with Web Protection on
    249 427 784 (installer would run, but at one point it will complain *.cab file is corrupted and advise to redownload the file)
    1927ED87093B542E152AD16A74A0DBA3B4B85EAC4EB4EA423DCA6046D3948D6F

    Size and SHA-256 hash when downloaded with Web Protection off
    249 442 304 (completes the installation just fine)
    1E5E5EC355AC2F64A7937E7C9859CA59E428302591DDAC7E48E484D4E00D4E4D

    Anyone else noticed this? As it was a non-issue with 3.1, I guess 3.5 must have introduced the bug, but maybe there is something else at play here.
     
    Last edited by a moderator: Jul 31, 2016
  11. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    Thank you mark, those are very helpful replies explaining many of the detailed settings of HMPA.

    I found the explanations of the different mitigations in the various categories particularly useful, especially the Application Lockdown mitigations and how they differ between categories.

    Thank you for taking the time to answer our queries. I think someone requested a User Guide and it would be a great help if the "Getting Started" guide could be extended to include these and other detailed settings, that is if time allows!
     
    Last edited: Jul 31, 2016
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Mark, I will send you a PM.
     
  15. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    It appears Avira Web Protection doesn't work nicely with HMPA's network filter. Thanks for letting us know, we'll look into it.
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    @Krusty13 Um, re > "few sites look a little odd".....by "a little odd" do you mean perhaps #10413 (with Firefox).
     
    Last edited: Jul 31, 2016
  17. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    Thank you for your explanation, Mark! It sheds light on the subject very well at the general level.

    However I still feel that I'd need more information to be able to categorize various applications (that HMP.A does not protect by default) in the best way...
    1. Would it be possible for you to give a list of the current differences between all the mitigation templates (Like some of the mentioned examples of the Application lockdown: "Browser: Downloads are allowed"; "Office: Downloads are prevented"; "Email client: Use the Office template"; "If you want keyboard encryption, use template X"...)?
    2. Do I understand correctly that the only difference between the two "categories" in the main window ("Safe browsing" and "Exploit mitigation") is that the applications in Safe browsing use the "Browsers" mitigation template and the applications under "Exploit mitigation" belong in one of mitigation templates Java/Media/Office/Other/Plugins/Test?
    3. How should I understand the fact that after configuring protection for TeamViewer, I get blue borders but none of the three "HMP.A labels" in the lower right corner of the TeamViewer user interface? (And how can I see afterwards which mitigation template I had selected for it?)
    4. Was the reason to change to Passive vaccination by default due to false alarms or is there some other reason (it's still the "Recommended" setting in the user interface)?
    5. What is the reason that mitigation template "Other" has keyboard encryption always on but with "Browsers" it can be manually disabled?
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Yeah similar to that but I do not see it with FF, only IE.
     
  19. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    With Windows 7 x64, HMP.A 3.5.0.546, G Data IS 25.1.0.12 (and a few security settings as shown in signature),
    using IE11,
    visiting http://www.infoworld.com/blog/woody-on-windows/,
    clicking the Woody Leonhard link,
    and then clicking the AskWoody.com link,
    I get a HMP.A alert, Mitigation HeapSpray.
    I can't reproduce this alert each time, but I got one a few days ago, July 26, and I got an alert today, July 31.

    Here's the Windows Event Viewer details.
    Is there some (new?) HMP.A - G Data incompatibility? (See Code Injection details.)
    Code:
    Mitigation   HeapSpray
    
    Platform     6.1.7601/x64 06_17*
    PID          4288
    Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description  Internet Explorer 11
    
    #00 19F60000 L00020000; Javascript array
    70 F7 4E 70 00 28 C1 17 ..00(*9).. B0 DF C6 27 64 75 42 ..00(*80).. 10 3C 35 0F 00 00 00 
    #01 19F40000 L00020000; Javascript array
    70 F7 4E 70 00 28 C1 17 ..00(*9).. A0 DF C6 27 64 75 42 ..00(*80).. 10 3C 35 0F 00 00 00 
    #03 19F00000 L00020000; Javascript array
    70 F7 4E 70 00 28 C1 17 ..00(*9).. A0 DF C6 27 64 75 42 ..00(*80).. 10 3C 35 0F 00 00 00 
    #04 19EE0000 L00020000; Javascript array
    70 F7 4E 70 00 28 C1 17 ..00(*9).. 90 DF C6 27 64 75 42 ..00(*80).. 10 3C 35 0F 00 00 00 
    #05 19EC0000 L00020000; Javascript array
    70 F7 4E 70 00 28 C1 17 ..00(*9).. 90 DF C6 27 64 75 42 ..00(*80).. 10 3C 35 0F 00 00 00 
    #07 19E80000 L00020000; Javascript array
    70 F7 4E 70 00 28 C1 17 ..00(*9).. 80 DF C6 27 64 75 42 ..00(*80).. 10 3C 35 0F 00 00 00 
    #08 19E60000 L00020000; Javascript array
    70 F7 4E 70 00 28 C1 17 ..00(*9).. 80 DF C6 27 64 75 42 ..00(*80).. 10 3C 35 0F 00 00 00 
    
    Code Injection
    03F30000-03F31000    4KB C:\Program Files (x86)\G DATA\InternetSecurity\AVKTray\AVKTray.exe [3828]
    1  C:\Program Files (x86)\G DATA\InternetSecurity\AVKTray\AVKTray.exe [3828]
    2  C:\Program Files (x86)\G DATA\InternetSecurity\AVK\AVKWCtlx64.exe [1212]
    
    Process Trace
    1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [4288]
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5092 CREDAT:267521 /prefetch:2
    2  C:\Program Files\Internet Explorer\iexplore.exe [5092]
    3  C:\Windows\explorer.exe [3844]
    4  C:\Windows\System32\userinit.exe [3488]
    
    
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Thanks, I was head scratching over what's a "font".
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees

  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Yes, strange characters from Firefox too. Was not thinking buttons #10413. Was thinking "font" only as alpha-numeric characters. Thanks
     
    Last edited: Jul 31, 2016
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    With Windows 7 x64, HMP.A 3.5.0.546 and other security softs as per signature (primary) below, while browsing Infoworld article:

    Mitigation HeapSpray

    Platform 10.0.10586/x64 06_45
    PID 374604
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 47.0.1

    #01 000002045FA02000 L00010000; CycleLen=404; NumDetections=159
    44 6F 63 75 6D 65 6E 74 50 72 6F 74 6F 2F 3C 2E 76 61 6C 75 65 40 68 74 74 70 3A 2F 2F 77 77 77 2E 69 6E 66 6F 77 6F 72 6C 64 2E 63 6F 6D 2F 61 72 74 69 63 6C 65 2F 32 39 37 32 32 39 38 2F 6D 69 63 72
    #02 0000020488163000 L00010000; CycleLen=404; NumDetections=159
    6E 66 6F 77 6F 72 6C 64 2E 63 6F 6D 2F 61 72 74 69 63 6C 65 2F 32 39 37 32 32 39 38 2F 6D 69 63 72 6F 73 6F 66 74 2D 77 69 6E 64 6F 77 73 2F 31 30 2D 72 65 61 73 6F 6E 73 2D 79 6F 75 2D 73 68 6F 75 6C

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [374604]
    2 C:\Program Files\Mozilla Firefox\firefox.exe [374340]
    3 C:\Windows\explorer.exe [6188]
    4 C:\Windows\System32\userinit.exe [5984]

    .
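    Working through the two HeapSpray dumps quoted above (the IE report with the "..00(*9).." run notation and the Firefox report with CycleLen/NumDetections), as an added example that is not part of this thread or of HitmanPro.Alert: it expands the dump notation into bytes and renders them as ASCII, so a triager can see that the Firefox regions hold a repeated URL string from the infoworld page rather than pointer-like data. The "..XX(*N).." notation is assumed to mean byte XX repeated N times; the page does not document the format.

```python
"""Decode the hex dumps that HitmanPro.Alert attaches to a HeapSpray alert.

Added example, not code from HitmanPro.Alert or its developers. It assumes
the dump notation seen in the thread: a region header such as
"#01 19F40000 L00020000; Javascript array" followed by one line of hex
bytes, where "..00(*9).." is taken to mean "0x00 repeated 9 times"
(an assumption about the format, not documented on the page).
"""
import re
import string

# Constructed sample: the first IE region from the July 31 report and the
# first Firefox region from the later report, copied in the thread's notation.
IE_DUMP = """#00 19F60000 L00020000; Javascript array
70 F7 4E 70 00 28 C1 17 ..00(*9).. B0 DF C6 27 64 75 42 ..00(*80).. 10 3C 35 0F 00 00 00"""

FF_DUMP = """#01 000002045FA02000 L00010000; CycleLen=404; NumDetections=159
44 6F 63 75 6D 65 6E 74 50 72 6F 74 6F 2F 3C 2E 76 61 6C 75 65 40 68 74 74 70 3A 2F 2F 77 77 77 2E 69 6E 66 6F 77 6F 72 6C 64 2E 63 6F 6D 2F 61 72 74 69 63 6C 65 2F 32 39 37 32 32 39 38 2F 6D 69 63 72"""

HEADER_RE = re.compile(r"^#(\d+)\s+([0-9A-Fa-f]+)\s+L([0-9A-Fa-f]+);\s*(.*)$")
TOKEN_RE = re.compile(r"\.\.([0-9A-Fa-f]{2})\(\*(\d+)\)\.\.|([0-9A-Fa-f]{2})")

def expand_bytes(line):
    """Turn one dump line into bytes, expanding the ..XX(*N).. run notation."""
    out = bytearray()
    for run_val, run_len, single in TOKEN_RE.findall(line):
        if single:
            out.append(int(single, 16))
        else:
            out.extend([int(run_val, 16)] * int(run_len))
    return bytes(out)

def parse_region(text):
    """Parse a two-line region into index, base address, length, note and data."""
    header, body = text.strip().splitlines()
    m = HEADER_RE.match(header)
    if not m:
        raise ValueError("not a HeapSpray region header: " + header)
    idx, base, length, note = m.groups()
    return {"index": int(idx), "base": int(base, 16), "length": int(length, 16),
            "note": note, "data": expand_bytes(body)}

def printable_ratio(data):
    """Fraction of printable ASCII bytes; high means repeated text, not pointers."""
    return sum(chr(b) in string.printable for b in data) / len(data) if data else 0.0

def as_text(data):
    """Render bytes as ASCII with '.' for anything non-printable."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

if __name__ == "__main__":
    for dump in (IE_DUMP, FF_DUMP):
        r = parse_region(dump)
        print(f"#{r['index']:02d} base={r['base']:#x} len={r['length']:#x} {r['note']}")
        print(f"  printable {printable_ratio(r['data']):.0%}: {as_text(r['data'])}")
```

    The IE region decodes to mostly non-printable, pointer-like bytes, while the Firefox region reads as the start of an infoworld article URL, which is what the CycleLen/NumDetections header is reporting as a repeating pattern.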
     
  24. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    445
    Location:
    Mercia
    I have a question about KeePass. I have keystroke encryption enabled in HMPA and when I use it to login via Firefox, I see the orange notification indicating that my inputs are encrypted. This is as expected.

    However, when I initially start KeePass and input my master password, I get no indication at all that this most important password of all is encrypted.

    Is this normal behaviour and can anyone confirm whether or not my master password in fact gets encrypted?

    If it's relevant, I am using Webroot and have Identity Shield on. However I tried turning it off, and still get no indication from HMPA when inputting the Master pass.
     
    Last edited: Aug 2, 2016
  25. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Thanks, paulderdash.
    I wonder if this may be related to my report from yesterday, July 31, that described a HeapSpray alert that I got navigating on/from InfoWorld.
     