HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Running 2 keystroke encrypters does not make sense. I'll see if we can detect Zemana and disable the keystroke encryption in HMPA for that process.
     
  2. guest

    guest Guest

    Thanks for wanting to help :thumb: but I only wanted to know some information about the status of the feature.
    Thanks, good to know.
     
  3. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    Just got a (false) alert when starting a (replay) broadcast from Ziggo Go:

    Code:
    Mitigation   ROP
    
    Platform     10.0.14393/x64 v574 06_5e
    PID          4524
    Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description  Internet Explorer 11
    
    Branch Trace                      Opcode  To                             
    -------------------------------- -------- --------------------------------
    RtlEnterCriticalSection +0x2b        RET  0x624772E0 SLMSPRBootstrap.dll ^022B
    0x776DFF4B ntdll.dll                                                     
    
    0x6240125A SLMSPRBootstrap.dll     ~ RET* 0x6247721E SLMSPRBootstrap.dll ^0019
                8d0440                   LEA          EAX, [EAX+EAX*2]
                8d0485a8c44762           LEA          EAX, [EAX*4+0x6247c4a8]
                8945d0                   MOV          [EBP-0x30], EAX
                8b30                     MOV          ESI, [EAX]
                8b78fc                   MOV          EDI, [EAX-0x4]
                83c0fc                   ADD          EAX, -0x4
                81e6ffffff0f             AND          ESI, 0xfffffff
                81c600003f62             ADD          ESI, 0x623f0000
                8975b8                   MOV          [EBP-0x48], ESI
                81e7ffffff0f             AND          EDI, 0xfffffff
                897da8                   MOV          [EBP-0x58], EDI
                b8fb132641               MOV          EAX, 0x412613fb
                8b855cffffff             MOV          EAX, [EBP-0xa4]
                3bf0                     CMP          ESI, EAX
                8b8d60ffffff             MOV          ECX, [EBP-0xa0]
                                     (A45C3A33FA8A8213)
    
    
    0x62403106 SLMSPRBootstrap.dll       RET  0x62401244 SLMSPRBootstrap.dll ^0001
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  62477308 SLMSPRBootstrap.dll     
                3bc3                     CMP          EAX, EBX
                7511                     JNZ          0x6247731d
                e83838feff               CALL         0x6245ab49
                1800                     SBB          [EAX], AL
                00f0                     ADD          AL, DH
                0000                     ADD          [EAX], AL
                0020                     ADD          [EAX], AH
                29a9034089bd             SUB          [ECX-0x4276bffd], EBP
                6c                       INS          BYTE [ES:EDI], DX
    
    2  6247607E SLMSPRBootstrap.dll     
    3  62479298 SLMSPRBootstrap.dll     
    4  624731C6 SLMSPRBootstrap.dll     
    5  62404822 SLMSPRBootstrap.dll     
    6  5A64F891 agcore.dll             
    7  5A650CB7 agcore.dll             
    8  5A575237 agcore.dll             
    9  5A582866 agcore.dll             
    10 5A582232 agcore.dll             
    
    Process Trace
    1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [4524]
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:908 CREDAT:75009 /prefetch:2
    2  C:\Program Files\Internet Explorer\iexplore.exe [908]
    3  C:\Windows\explorer.exe [11416]
    4  C:\Windows\System32\userinit.exe [9992]
    5  C:\Windows\System32\winlogon.exe [252]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    6  C:\Windows\System32\smss.exe [6880]
    \SystemRoot\System32\smss.exe 000000e4 0000007c C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    7  C:\Windows\System32\smss.exe [424]
    \SystemRoot\System32\smss.exe
    8   [4]
    
    Thumbprint
    e470d2bb0a3a9409438daa70b3118004c4ab46af384033f2ab7635b681b00ca8
     
  4. PeZzy

    PeZzy Registered Member

    Joined:
    Apr 2, 2011
    Posts:
    56
    For some reason, Sophos emailed me a discount to renew only Hitman Pro. The only reason I have that license is because of HitmanPro Alert.
     
  5. guest

    guest Guest

    Now it is running well together with MBAE.
     
  6. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    I had the same snafu; Erik fixed mine A-OK.
     
  7. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Absolutely, since it is a core component (e.g. it should handle which app must be shielded at runtime, and so on).

    I think it is the only reasonable solution.

    Erik?
     
    Last edited: Feb 6, 2017
  8. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    778
    Location:
    Oklahoma City
    HitmanPro.Alert 3.6.3 Build 582 RC1. Mine still shows 3.63.Build 582 BETA. Is that a problem?

     
  9. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    yes, a serious issue :ninja:
     
  10. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    I see the same.
    Strictly speaking, a release candidate is not the same as a beta, but it is not a final release, of course.
    I wouldn't worry about that release candidate vs. beta inconsistency.

    (What I would worry about, is if it was released as final, when the LibreOffice x86 on Win x64 issue wasn't fixed, as that could cause too many support requests.)
     
  11. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada

    No issues since upgrading to Build 582 RC1.
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    You have the correct build. They just didn't change the name from beta to RC1 in the UI.
     
  13. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Why?
    Why would you run 2 anti-loggers at a time? Are you serious?
     
  14. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    778
    Location:
    Oklahoma City
    Thanks, Victek.
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Does everyone here who is running Build 582 RC1 have Secure Boot disabled?
    I am waiting for the build which will have the Microsoft co-signed drivers.
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Paul,

    Yep. One machine doesn't have Secure Boot so no problem. On another I disabled Secure Boot in the BIOS and installed 582. I'm also waiting for the next version to install on machine #3.
     
  17. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Secure boot disabled here too.
     
  18. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    Switching keyboards with the PC on, I get a BSOD.
     
  19. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    Which HMPA build?
    Which Windows version?
    Which other security software is on your PC?
    Which keyboard(s)?
     
  20. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    1-581
    2-8.1
    3-ZAL, App check
    4-generics
     
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    1 - Where did you get build 581? Do you mean 580, or 582?
    2 - Windows 8.1 x64, I suppose?

    I'll try to test later (build 582), I don't need a potential BSOD right now.
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    HMPA 3.6.3.582
    Windows 7 x64
    (other details, see my signature)
    I unplugged my Logitech Deluxe 250 keyboard (Y-UT76), waited a few seconds, and plugged it back in again. No issues.
     
  23. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    I believe I just got a false positive running HitmanPro.Alert 3.6.3 Build 582 RC1:

    Mitigation Lockdown

    Platform 10.0.14393/x64 v582 06_2a
    PID 5652
    Application C:\Windows\System32\config\systemprofile\Downloads\opera autoupdate\installer.exe
    Description Opera Installer 43

    Filename C:\Windows\System32\config\systemprofile\Downloads\opera autoupdate\installer.exe
    Created By C:\Users\XXX\AppData\Local\Programs\Opera x64\launcher.exe


    Process Trace
    1 C:\Windows\System32\config\systemprofile\Downloads\opera autoupdate\installer.exe [5652]
    "C:\Windows\system32\config\systemprofile\Downloads\opera autoupdate\installer.exe" --version
    2 C:\Users\XXX\AppData\Local\Programs\Opera x64\launcher.exe [8680]
    "C:\Users\XXX\AppData\Local\Programs\Opera x64\launcher.exe" --scheduledautoupdate $(Arg0)

    Thumbprint
    9073f3da213bc1ff5109e312542db243c064d5059c8e078049834a49a28e74a3
     
  24. guest

    guest Guest

    "Mitigation Lockdown"
    A protected program has dropped "C:\Windows\System32\config\systemprofile\Downloads\opera autoupdate\installer.exe" and its execution was prevented by HMP.A.
    Try to disable Application Lockdown temporarily for Opera.

    See also here: #12740
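As an added example (my own code, not from the thread or from HitmanPro.Alert itself), a small Python parser for alert reports in the layout pasted in this thread: it pulls out the header fields, the process trace and the thumbprint, and for a Lockdown alert checks whether the "Created By" program is also the parent in the process trace, which is the self-updater pattern described in the reply above. The field names and the "N path [pid]" trace layout are assumed from the two reports posted here.

```python
import re

# Lockdown report as posted above (user name already masked as XXX), trimmed to the lines used here
SAMPLE = r"""Mitigation Lockdown
PID 5652
Filename C:\Windows\System32\config\systemprofile\Downloads\opera autoupdate\installer.exe
Created By C:\Users\XXX\AppData\Local\Programs\Opera x64\launcher.exe

Process Trace
1 C:\Windows\System32\config\systemprofile\Downloads\opera autoupdate\installer.exe [5652]
"C:\Windows\system32\config\systemprofile\Downloads\opera autoupdate\installer.exe" --version
2 C:\Users\XXX\AppData\Local\Programs\Opera x64\launcher.exe [8680]
"C:\Users\XXX\AppData\Local\Programs\Opera x64\launcher.exe" --scheduledautoupdate $(Arg0)
Thumbprint
9073f3da213bc1ff5109e312542db243c064d5059c8e078049834a49a28e74a3
"""

# Header keys seen in the reports in this thread (assumed to be a fixed set)
KEYS = ("Mitigation", "Platform", "PID", "Application", "Description", "Filename", "Created By")
TRACE_RE = re.compile(r"^(\d+)\s+(.*?)\s+\[(\d+)\]$")  # "N path [pid]" rows of the process trace


def parse_report(text):
    """Split an HMP.A alert into header fields, process trace and thumbprint."""
    fields, trace, section = {}, [], None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line in ("Process Trace", "Thumbprint"):
            section = line
        elif section == "Process Trace":
            m = TRACE_RE.match(line)  # command-line rows (quoted path) do not match and are skipped
            if m:
                trace.append({"path": m.group(2), "pid": int(m.group(3))})
        elif section == "Thumbprint" and re.fullmatch(r"[0-9a-f]{64}", line):
            fields["Thumbprint"] = line
        else:
            key = next((k for k in KEYS if line.startswith(k + " ")), None)
            if key:
                fields[key] = line[len(key) + 1:]
    return {"fields": fields, "trace": trace}


def triage_lockdown(report):
    """Lockdown check: was the dropped file launched by the same program that wrote it?"""
    f, trace = report["fields"], report["trace"]
    if f.get("Mitigation") != "Lockdown" or len(trace) < 2:
        return None
    creator, parent = f.get("Created By", ""), trace[1]["path"]  # trace[0] is the blocked file
    return {"dropped": f.get("Filename"), "creator": creator, "parent": parent,
            # same binary wrote and launched the file: the self-updater pattern from the thread
            "creator_is_parent": creator.lower() == parent.lower()}
```

A report where the creator and the launching parent differ is the one worth looking at more closely before whitelisting anything.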
     
  25. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    Thanks for your input. Despite the fact that I received the notification from HMP.A, Opera was still able to automatically update to the latest version 43.0.2442.806 (PGO). As a matter of fact, the notification popped up after Opera updated, so it didn't adversely affect Opera, but I wanted to report that I received the message.
     