HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Yes this is indeed the part where "someone claims that there are too many configuration types and this and that for all to be tested". I have 130 users of HMP.A across several versions and variants of Windows, browsers and applications. It is a right mixed bag of users and hardware too. Out of 130 users I have had three issues with HMP.A, two reported and fixed by a new release a week later and the other is an obscure Java application that is badly coded.

    Do you really expect SurfRight to test every single possible combination of Windows, hardware, driver and application with all the varying combinations of versions? Add to that all the combinations of settings a user may change and all the differing applications and drivers being installed together or not. Then do you expect them to do that for every new release of HMP.A as well as new versions of Windows, applications, drivers and hardware? Plus add all the various combinations of security products and browser add-ons that people insist on running together when they really shouldn't.

    For me what matters is how responsive the developers are and for a tiny team with ONE part-time support person I find them to be very responsive. There will be occasions where the team are on holiday, or working on a major release. I am not entirely sure what it is you expect a small development team to do about that without vastly increasing costs of support and therefore licenses.
     
  2. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Hi eddie, don't waste your time, 'he got a refund, he is done' :rolleyes: (in Italy we add 'and they lived happily ever after')
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Erik, as someone who has an issue with AU, can you shed a little light on what compatibility fix has been implemented?
     
  4. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Hi paul, could you check EDGE to see if it triggers 'loadlibrary mitigation'?

    I don't know in fact if it is due to the fact that my CPU has hardware-assisted CFI (so it could be more 'sensitive')...

    Sorry for my poor English.
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    No issue here on my Windows Defender protected machine.
     
  6. Assiste.com

    Assiste.com Registered Member

    Joined:
    Dec 21, 2003
    Posts:
    18
    Location:
    Here and now
    Hello,
    I'm looking for the means by which the average Joe can submit a file or URL to Hitman Pro, or report a false positive or a false negative.
    Online form
    Mail address
    I haven't found anything.
    Regards
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Never used Edge before, but no issue here either with 556 - but I am not on AU on this machine, still 1511.
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The whole chain looks invalid (notice the * behind the RET).
    Do you get this ROP over and over?
     
  9. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    CPU with HW-CFI??
    idem
    ok
     
  10. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Yes (but I haven't rebooted again, wait a minute)
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Child processes have never produced flyouts. For instance, when a browser starts it starts a lot of child processes. Showing a flyout for each of these would be overkill/annoying to the end user. Instead a flyout will only be shown once the process starts (e.g. iexplore.exe) and it will only be shown again when all other iexplore.exe processes have ended and THEN you start iexplore.exe again.

    But perhaps you mean something else?
     
  12. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    I've just rebooted and now EDGE works as expected :confused:
     
    Last edited: Sep 6, 2016
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    As I told you some time ago, I'm sure that before build 3.5, as soon as I ran Gimp (or Sony MovieStudio, just to give another little example), child processes were also shielded even if they did not have an active window (in fact I remember perfectly the flyout notifying about it).

    Now, with 3.5+, no more flyout, so it's impossible to check if they are shielded or not...
     
    Last edited: Sep 6, 2016
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We are able to reproduce. Pulling the pre-release. It is related to hardware-assisted ROP mitigations.
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Should we rather go back to 553 beta?
     
  16. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    :thumb:

    So, for me??
    Shall I revert to the previous build or can I safely remain with 556 since I don't use EDGE??


    * Ok, I'll wait for the next build (EDGE in fact is NOT my browser so I can live calm even if it should trigger an alert ;) )

    ----
    Erik, I know it's not a priority but Alert 3.5+ triggers an alert [FP!] every time AIMP 4 is launched: could it be solved remotely ASAP?? (I'm sure in fact that hardware-assisted CFI is guilty also in this scenario)
    Txs (reference: 1 , 2)
     
    Last edited: Sep 6, 2016
  17. guest

    guest Guest

    Build 556 installed, and no issues with Edge.
     
  18. guest

    guest Guest

    It's been officially pulled and if I had a CPU from Intel (and therefore support for "Hardware-assisted Control-Flow Integrity (CFI)") I would go back (just to be sure) and wait for a newer release :cautious:
     
  19. guest

    guest Guest

    I have an Intel CPU and no issues at all here.
     
  20. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Perhaps it is truly the best policy because I believe I have identified other anomalies concerning it (although I would have preferred a quick statement by erik), e.g. testing Alert with its own tool I can easily observe that some branches have vanished from the attack description...

    ROP - Call preceded VirtualProtect()/ROP - VirtualProtect() via Call gadgets → now stack trace alone (mitigation triggered: CallerCheck), before Stack+branch trace (mitigation triggered: ROP)

    Unpivot Stack → ROP (same as before 556, so Stack+Branch trace)
     
    Last edited: Sep 6, 2016
  21. CaptainLeonidasHMPA

    CaptainLeonidasHMPA Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    42
    Location:
    The Netherlands
    If the beta 556 is officially pulled why can we still access it?
    Why 3.5.2 if a stable version for those with Windows 10 Pro AU (with secure boot enabled) is still not available?

    Last time I looked the betas still downloaded an older version of Hitman Pro.
    Perhaps an idea to update the website to reflect this issue for others?
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    1) Please clarify/confirm with HitmanPro.Alert service Stopped. Exploits are blocked / Alert is functional and just Attack Intercepted dialog is suppressed.

    2) Please clarify Improved compatibility with Norton Security.

    3) 3.5.2 build 556 > KeePass master password window = no orange encryption bar.
     
    Last edited: Sep 6, 2016
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,840
    Location:
    the Netherlands
    The SurfRight website doesn't offer HitmanPro.Alert betas.
    The SurfRight website offers HitmanPro.Alert 3.5.0.546.
    The betas that were offered through the links in this thread offered the correct HitmanPro.Alert betas.

    Or are you referring to HitmanPro, not HitmanPro.Alert?
    This is the HitmanPro.Alert thread, so referring to HitmanPro betas would be confusing.
     
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,840
    Location:
    the Netherlands
    What post or posts is it to which you are referring?
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    1) If service is stopped, exploits are NOT blocked.

    If service is stopped Ransomware IS blocked (it works at driver level).

    2) Norton could cause FP in ZoomPlayer triggering SysCall alert. This is fixed.

    3) Will have a look at it for next build.
     