HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    It does have a tray icon if that is what you mean.
     
  2. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    There was a RCE vulnerability in the "Cisco WebEx" Chrome extension, also in Firefox (the version for IE apparently was not exploitable since it's implemented via ActiveX).
    https://bugs.chromium.org/p/project-zero/issues/detail?id=1096

    @erikloman & @markloman:
    Would HMPA have helped against this? By for example blocking the spawned processes with Application Lockdown? Or would it allow all spawned processes of "ciscowebexstart.exe" since it's considered "trusted"/signed?
    ...maybe also through Safe Browsing?

    (If you want to test it: You can download a copy of the still vulnerable v1.0.1: https://crx.dam.io/ext/jlhmfgmfgeifomenelglieieghnjghma.html. Manually install it in Chrome like it says here https://dede.help.webex.com/docs/DOC-8177, a PoC is on the bug-report page.)
     
  3. guest

    guest Guest

If you see the application as a tray icon but not in the taskbar, then it isn't shown in HMP.A and can't be added.
If it's possible, unminimize the application from the tray (right-click: "Show Window" or "Show"), and if you can see it now in the taskbar, it can be added in HMP.A.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    Thanks, I understand now. No it does not have an icon on the Task Bar. Anyway, Erik has a copy of the installer so if it can be added I'm sure he'll get it to work, but it is an uncommon program that not many people would be using so it may not be worth his time. We'll see.

    Thanks.
     
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    @erikloman,
    @markloman,

    Have you noticed my yesterday report regarding CryptoGuard blocking LibreOffice soffice.bin?
    (Plus seven more observations regarding HMPA 3.6.3.580 beta.)

    Today, I made two edits in that report.
    First, I described more clearly what I did that led to CryptoGuard blocking LibreOffice soffice.bin.
    Secondly, I tested again, this time first disabling G Data's anti-ransomware module (with which there was no conflict before), but there was no difference with G Data's anti-ransomware module disabled.

    See my yesterday report for full details.

    If you have any suggestions for me for things to test, I will do so.
    Otherwise, I will revert to HMPA 3.6.1.574 stable.


    P.S.
    @other forum members,
    Are you able to reproduce what I described in my yesterday report?
    (See details to see what I did that led to CryptoGuard blocking LibreOffice soffice.bin)
     
    Last edited: Jan 25, 2017
  6. guest

    guest Guest

The last time I used LibreOffice was some weeks ago, so I decided to give it a try.
I don't have Win7, but maybe I was affected too...
But I couldn't reproduce it, so the CryptoGuard problem with LibreOffice seems to be OS-specific. :cautious:

We'll surely know once more people see the same problem with LibreOffice+CryptoGuard on Windows 7.
    Edit: LibreOffice 5.4.2 x64
     
    Last edited by a moderator: Jan 25, 2017
  7. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    no (specs in my signature)
     
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Thanks, mood,
    thanks, test.

    To be certain, did you use the same LibreOffice version that I use?
    LibreOffice 5.2.4 x86 (on Windows x64),
    or did you use another LibreOffice version, or the LibreOffice x64 version?

    I don't know if those details are relevant, but I could imagine they can be.
     
    Last edited: Jan 25, 2017
  9. guest

    guest Guest

    LibreOffice 5.2.4 x64 on Windows x64.
    Edit: Typo
     
    Last edited by a moderator: Jan 25, 2017
  10. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Idem (5.2.4 64bit)
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Thanks, mood,
    thanks, test.

    So that's different from my LibreOffice 5.2.4 x86 on Windows x64.
    As I said, I don't know if that is relevant, but I can imagine it could be.
    I'm looking forward to Erik's or Mark's analysis.

    (By the way, mood, where you wrote "5.4.2", I suppose you mean 5.2.4, as there is no LibreOffice version 5.4.2)
     
  12. guest

    guest Guest

    Typo :oops:
When I have some time later, I can try it again with the 32-bit version. If I can reproduce it, I'll report it here.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    FWIW I don't have any LibreOffice issues using the latest PortableApps.com version: 5.2.4.2 Build ID: 3d5603e1122f0f102b62521720ab13a38a4e0eb0 on Win 10 Pro x64 v1607 14393.693.
    I do not know if the PortableApps.com version is x86 or x64.
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We have currently _one_ detection record of LibreOffice triggering CryptoGuard.

    Is anyone else seeing this issue with LibreOffice?
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
I haven't installed HMPA on my Surface Book yet. I still have HMPA on my XP desktop, but that hasn't had a version update for quite a while.
     
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Thanks, Erik.
    That one detection record of LibreOffice triggering CryptoGuard, is that my Tuesday January 24 report, or was there another detection reported? I guess you refer to my report only.

    Have you or your colleagues tried to reproduce the issue, using HMPA 3.6.3.580 beta, LibreOffice 5.2.4 x86 on Windows 7 x64, in the way that I described in my Tuesday January 24 report?
    Perhaps even in combination with G Data 25.3.0.1?

If no one else has tested with LibreOffice 5.2.4 x86 on Windows 7 x64, but only LibreOffice x64 on Windows x64, and no one was able to reproduce the issue, one might say, "why not upgrade to LibreOffice x64?"
    I could do that, but there should be no issue with LibreOffice x86, of course.
    Many users use LibreOffice x86 on Windows x64, as LibreOffice x86 is the default download.
    And even more, not long ago, LibreOffice x86 was still more stable than x64, so x86 on Win x64 was the preferred choice because of that.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    @erikloman,
    @markloman,

    I edited my Tuesday January 24 report some more:

    I changed the previous X,Y,Z notation to A,B,C, to differentiate from the XXXXX.
    And I corrected the notation in Process Trace, where file A is the file mentioned in Process Trace (not C, nor Z, as I erroneously noted, before).

    I updated LibreOffice to version 5.2.5 x86 and tested again,
    also I tested in another user account (in case the first account might have a corrupted LibreOffice user profile),
    and also I tested with three other .odt files (in case the first files were corrupted somehow),
    but the outcome was the same, every time,
    CryptoGuard blocked C:\Program Files (x86)\LibreOffice 5\program\soffice.bin
     
  18. guest

    guest Guest

    I was experiencing a lot of CryptoGuard triggers late 2016 on in-app software updaters, but haven't had any issues at all this past month. So far, so good.
     
  19. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
  20. guest

    guest Guest

    Code:
    Intruder
    
    PID          2464
    Application  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
    Description  Microsoft Edge Content Process 11
    
    Detour Report
    #  Address             Owner                    Disassembly
    -- ------------------  ------------------------ ------------------------
    EncryptMessage *
     1 0x00007FFBE18A5880  SspiCli.dll              JMP 0x7ffbe2120688
     2 0x00007FFBE2120688  (anonymous)              
    
    FilterConnectCommunicationPort
     1 0x00007FFBE1B420A0  fltlib.dll               JMP 0x7ffbe2120180
     2 0x00007FFBE2120180  (anonymous)              
    
    FilterSendMessage
     1 0x00007FFBE1B422D0  fltlib.dll               JMP 0x7ffbe21201b8
     2 0x00007FFBE21201B8  (anonymous)              
    
    CreateDCA
     1 0x00007FFBE2F038A0  GDI32.dll                JMP 0x7ffbe2120228
     2 0x00007FFBE2120228  (anonymous)              
    
    CreateDCW
     1 0x00007FFBE2F04190  GDI32.dll                JMP 0x7ffbe2120260
     2 0x00007FFBE2120260  (anonymous)              
    
    DeleteDC
     1 0x00007FFBE2F02080  GDI32.dll                JMP 0x7ffbe2120340
     2 0x00007FFBE2120340  (anonymous)              
    
    GdiAlphaBlend
     1 0x00007FFBE2F05450  GDI32.dll                JMP 0x7ffbe2120308
     2 0x00007FFBE2120308  (anonymous)              
    
    GdiTransparentBlt
     1 0x00007FFBE2F054E0  GDI32.dll                JMP 0x7ffbe21202d0
     2 0x00007FFBE21202D0  (anonymous)              
    
    GetPixel
     1 0x00007FFBE2F04660  GDI32.dll                JMP 0x7ffbe2120298
     2 0x00007FFBE2120298  (anonymous)              
    
    EndTask
     1 0x00007FFBE2FA3370  USER32.dll               JMP 0x7ffbe21201f0
     2 0x00007FFBE21201F0  (anonymous)              
    
    GetMessageA
     1 0x00007FFBE2F5E8B0  USER32.dll               JMP 0x7ffbcd020d0e
     2 0x00007FFBCD020D0E  (unknown)                
    
    GetMessageW
     1 0x00007FFBE2F64840  USER32.dll               JMP 0x7ffbcd020cce
     2 0x00007FFBCD020CCE  (unknown)                
    
    IsDialogMessage
     1 0x00007FFBE2FA61F0  USER32.dll               JMP 0x7ffbe2120538
     2 0x00007FFBE2120538  (anonymous)              
    
    IsDialogMessageW
     1 0x00007FFBE2F541F0  USER32.dll               JMP 0x7ffbe2120570
     2 0x00007FFBE2120570  (anonymous)              
    
    PeekMessageA
     1 0x00007FFBE2F5E300  USER32.dll               JMP 0x7ffbcd020c8e
     2 0x00007FFBCD020C8E  (unknown)                
    
    PeekMessageW
     1 0x00007FFBE2F5E430  USER32.dll               JMP 0x7ffbcd020c4e
     2 0x00007FFBCD020C4E  (unknown)                
    
    SetWindowsHookExA
     1 0x00007FFBE2F42730  USER32.dll               JMP 0x7ffbe21205a8
     2 0x00007FFBE21205A8  (anonymous)              
    
    SetWindowsHookExW
     1 0x00007FFBE2F67490  USER32.dll               JMP 0x7ffbe21205e0
     2 0x00007FFBE21205E0  (anonymous)              
    
    SetWinEventHook
     1 0x00007FFBE2F67D70  USER32.dll               JMP 0x7ffbe2120618
     2 0x00007FFBE2120618  (anonymous)              
    
    TranslateMessage
     1 0x00007FFBE2F55330  USER32.dll               JMP 0x7ffbe2120500
     2 0x00007FFBE2120500  (anonymous)              
    
    
    Thumbprint
    8a8bebeaa4abb76d5f77f0be47af2da9fcf42ba701c5344f46a964e401514f12
    Just had an "Intruder Alert" by opening up Microsoft Edge.
     
  21. Rudolf1982

    Rudolf1982 Registered Member

    Joined:
    Jan 30, 2017
    Posts:
    4
    Location:
    Samobor
Hello, I am new to this forum and I want to ask how HMPA deals with Wallet ransomware.

    Regards
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I can confirm that this ransomware family is blocked by HitmanPro.Alert.
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You have a hook on the cryptography API in Edge. Specifically EncryptMessage().
     
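The report in post 20 is what an inline detour looks like from user mode: the first instruction of an exported function (EncryptMessage in SspiCli.dll, GetMessageW in USER32.dll, and so on) has been overwritten with a JMP into memory that no module on disk owns, which the report prints as "(anonymous)" or "(unknown)". Since EncryptMessage is the SSPI call that Schannel-based clients use to protect outbound TLS data, a hook there sees plaintext before it is encrypted. The script below is an added example, not HitmanPro.Alert code: it parses a report in the format posted above and ranks each hooked API by whether its chain ends in unbacked memory and by what kind of API it is. The sample input is an excerpt of the posted report (addresses copied verbatim); the category table, the severity ranking and the interpretation of the trailing "*" as the report's own highlight are assumptions of this example.

```python
import re
import textwrap
from collections import Counter

# Sample input: an excerpt of the detour report posted above (addresses verbatim).
SAMPLE_REPORT = r"""Intruder

PID          2464
Application  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
Description  Microsoft Edge Content Process 11

Detour Report
#  Address             Owner                    Disassembly
-- ------------------  ------------------------ ------------------------
EncryptMessage *
 1 0x00007FFBE18A5880  SspiCli.dll              JMP 0x7ffbe2120688
 2 0x00007FFBE2120688  (anonymous)

GetMessageW
 1 0x00007FFBE2F64840  USER32.dll               JMP 0x7ffbcd020cce
 2 0x00007FFBCD020CCE  (unknown)

SetWindowsHookExW
 1 0x00007FFBE2F67490  USER32.dll               JMP 0x7ffbe21205e0
 2 0x00007FFBE21205E0  (anonymous)
"""

HEADER_RE = re.compile(r"^(PID|Application|Description)\s+(.+?)\s*$")
HOP_RE = re.compile(r"^\s*(\d+)\s+(0x[0-9A-Fa-f]+)\s+(\S+)\s*(.*?)\s*$")

# Owners the report uses for memory that is not backed by a module on disk.
UNBACKED_OWNERS = {"(anonymous)", "(unknown)"}

# Category table and severities are this example's assumption, not HitmanPro.Alert's.
# EncryptMessage/DecryptMessage are the SSPI calls Schannel clients use for TLS
# record protection, so a detour there sees plaintext before encryption.
CATEGORIES = {
    "crypto": {"EncryptMessage", "DecryptMessage", "CryptEncrypt", "CryptDecrypt"},
    "filter-manager": {"FilterConnectCommunicationPort", "FilterSendMessage"},
    "input": {"GetMessageA", "GetMessageW", "PeekMessageA", "PeekMessageW",
              "TranslateMessage", "SetWindowsHookExA", "SetWindowsHookExW",
              "SetWinEventHook", "IsDialogMessage", "IsDialogMessageW"},
}
SEVERITY = {"crypto": "high", "input": "medium", "filter-manager": "medium", "other": "low"}
RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def parse_detour_report(text):
    """Return (header, hooks); hooks maps API name -> {"flagged": bool, "hops": [...]},
    each hop being (index, address, owner, disassembly)."""
    lines = textwrap.dedent(text).splitlines()
    header, hooks, current = {}, {}, None
    starts = [i for i, l in enumerate(lines) if l.strip() == "Detour Report"]
    if not starts:
        raise ValueError("no 'Detour Report' section")
    for line in lines[:starts[0]]:
        m = HEADER_RE.match(line.strip())
        if m:
            header[m.group(1)] = m.group(2)
    for line in lines[starts[0] + 1:]:
        if not line.strip() or line.startswith(("#", "--")):
            continue  # blank line or column header
        if line[0].isspace():  # hop line: "<n> <address> <owner> [disassembly]"
            m = HOP_RE.match(line)
            if not m or current is None:
                raise ValueError(f"unparseable hop line: {line!r}")
            idx, addr, owner, disasm = m.groups()
            hooks[current]["hops"].append((int(idx), int(addr, 16), owner, disasm))
        else:  # API name line, optionally tagged with a trailing "*"
            name = line.strip()
            current = name.rstrip("* ").strip()
            hooks[current] = {"flagged": name.endswith("*"), "hops": []}
    return header, hooks


def category_of(api):
    return next((c for c, apis in CATEGORIES.items() if api in apis), "other")


def triage(text):
    """Rank hooked APIs: a chain whose last hop lands in unbacked memory is the
    classic inline-detour signature; a chain that ends inside a module is only info."""
    header, hooks = parse_detour_report(text)
    findings = []
    for api, info in hooks.items():
        if not info["hops"]:
            continue
        first, last = info["hops"][0], info["hops"][-1]
        unbacked = last[2] in UNBACKED_OWNERS
        cat = category_of(api)
        findings.append({
            "api": api, "module": first[2], "target": f"0x{last[1]:016X}",
            "target_owner": last[2], "unbacked": unbacked, "category": cat,
            "severity": SEVERITY[cat] if unbacked else "info", "flagged": info["flagged"],
        })
    findings.sort(key=lambda f: (RANK[f["severity"]], f["api"]))
    return header, findings


def summarize(findings):
    """Counts per severity plus the DLLs whose exports were patched."""
    return {"by_severity": dict(Counter(f["severity"] for f in findings)),
            "patched_modules": sorted({f["module"] for f in findings})}
```

Calling `triage(SAMPLE_REPORT)` puts EncryptMessage first at severity high and the two USER32 hooks at medium. Treat the output as triage, not a verdict: endpoint-security products, accessibility tools and some third-party software legitimately detour GetMessage/PeekMessage and SetWindowsHookEx, so the next step is to find out which process wrote the "(anonymous)" region, not to assume it is malicious.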
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We are investigating. Stay tuned.
     
  25. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Great, thanks. :thumb:
     