HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I've been using the clock and cpu/ram gadget ever since I've been using Windows 10 and I am constantly suffering malware and hacker attacks... Oh wait, no I haven't - ever!
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You forgot to post the thumbprint.

    I did whitelist a few IAF alerts a few moments ago. Why these tools steal memory pointers from other the modules for use in their own libraries is beyond me.
     
    Last edited: Mar 4, 2017
  3. mrhex1

    mrhex1 Registered Member

    Joined:
    Jul 2, 2016
    Posts:
    19
    Location:
    Timbuktu
    I have received one or two detections on a few browsers about the IAT table. I will post the error message in the next day or so for Erik's perusal(as work & school take up a lot of my time). I have to disable IAT filtering on both firefox & IE.
     
  4. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    HI Eric

    Just to let you know. For the same MS WORD file

    Sometimes it happens and I need to restart the laptop then it becomes ok. Sometimes I just ran a HMP scan and then it becomes ok

    Look like an intermittent problem or it may clash with some other programs.
     
  5. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Here is what the error from Mailwasher Pro shows. If you could add it to the whitelist that would be great.


    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_3c
    PID 6552
    Application C:\Program Files (x86)\Firetrust\MailWasher\MailWasherPro.exe
    Description MailWasher 2017.7.9

    Violation 671D3661 is calling usbperf.dll IAT funcptr kernel32.dll!GetProcAddress


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 671D3661 msvcr90.dll _decode_pointer +0x5a
    ff1510101b67 CALL DWORD [0x671b1010]
    85c0 TEST EAX, EAX
    7408 JZ 0x671d3673
    ff7508 PUSH DWORD [EBP+0x8]
    ffd0 CALL EAX
    894508 MOV [EBP+0x8], EAX
    8b4508 MOV EAX, [EBP+0x8]
    5e POP ESI
    5d POP EBP
    c3 RET

    2 671D36D6 msvcr90.dll __set_flsgetvalue +0x20
    3 671D2D5E msvcr90.dll __p__tzname +0x1d4
    4 76F4E58E ntdll.dll RtlDecompressBuffer +0xee
    5 76F20E46 ntdll.dll
    6 76F210F0 ntdll.dll
    7 76F47636 ntdll.dll LdrInitializeThunk +0xb6
    8 76F47590 ntdll.dll LdrInitializeThunk +0x10

    Process Trace
    1 C:\Program Files (x86)\Firetrust\MailWasher\MailWasherPro.exe [6552]
    2 C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [8376]
    "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /restart:6190A6636A115BAD
    3 C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1420]
    "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /service

    Thumbprint
    04698ba932c5e9e0045a328c885c1bda05c5a45a7d667a3df6f3d954966d8e24
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    If you have some time, perhaps you can check this out, I would like to know why HMPA didn't pass.

    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-524#post-2656848

    Yes, and this shouldn't be the case, so this is definitely something that should be fixed.
     
  7. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    Media Player Classic (installer: MPC-HC.1.7.10.x86.exe) crashes under build 586 running on W7-32. Had to remove it from mitigation and add the program (mpc-hc.exe) to the exclusion list. Any suggestions?
     
    Last edited: Mar 5, 2017
  8. guest

    guest Guest

    With v3.1 and older releases of HMP.A it was possible to protect Media Player Classic, but not with newer releases.
    There is no workaround, it must be excluded from protection:
     
  9. CeeBee

    CeeBee Registered Member

    Joined:
    Nov 20, 2015
    Posts:
    60
    So it seems! Of course, if I also run MBAE .. that program would protect MPC instead. But, as I'm trying to reduce the footprint, that makes no sense either.

    For an average user like myself (not having the latest/greatest hardware), I think HPMA is a bit too aggressive at default. The way I see it, default should be a 'set and forget' setting suitable to most situations and users. As I said before: as little as possible, but as much as necessary. Maybe an oxymoron of sorts.

    Frankly, I'm reluctant to install the current HMPA on, for example, my wife's laptop, as she would be lost if something like the MPC situation happened. For her, HMPA 2.6.5.77 and MBAE remain a fair compromise (plus frequent image backups)!

    Thanks for the clarification.
     
  10. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
    I have been getting this alert with Microsoft Word since the autoupdate, I could not type more than a few minutes before HMPA would shut down Word. I had to change HMPA to log the event only to finish my work;


    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_3f
    PID 928
    Application C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    Description Microsoft Word 16

    Violation 0F275800 is calling msconv97.dll IAT funcptr kernel32.dll!GetProcAddress


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 0F275800 WPFT632.CNV
    ff1550b0270f CALL DWORD [0xf27b050]
    8bf0 MOV ESI, EAX
    85f6 TEST ESI, ESI
    754e JNZ 0xf27585a
    ff155cb0270f CALL DWORD [0xf27b05c]
    8b3578b1270f MOV ESI, [0xf27b178]
    8945f0 MOV [EBP-0x10], EAX
    85f6 TEST ESI, ESI
    7416 JZ 0xf275835
    8d45d0 LEA EAX, [EBP-0x30]
    8bce MOV ECX, ESI
    50 PUSH EAX
    6a04 PUSH 0x4
    ff1504b1270f CALL DWORD [0xf27b104]
    ffd6 CALL ESI
    8bf0 MOV ESI, EAX

    2 0F27458B WPFT632.CNV
    3 0F2514C0 WPFT632.CNV GetReadNames +0x1a
    4 0FD9E05C WWLIB.DLL
    5 0FD9D61D WWLIB.DLL
    6 0FD9E0FD WWLIB.DLL
    7 0FD9DD7B WWLIB.DLL
    8 0FD9DC7A WWLIB.DLL
    9 0FDEAAAC WWLIB.DLL
    10 0FDECA31 WWLIB.DLL

    Process Trace
    1 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [928]
    2 C:\Windows\explorer.exe [6336]
    3 C:\Windows\System32\userinit.exe [5892]
    4 C:\Windows\System32\winlogon.exe [1140]
    winlogon.exe

    Thumbprint
    ef48aae6ae2bee51b07c060941bd5b4fb0f09912d747c5885cb356f096011fed</Data>
    </EventData>
    </Event>
     
  11. mrhex1

    mrhex1 Registered Member

    Joined:
    Jul 2, 2016
    Posts:
    19
    Location:
    Timbuktu
    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_5e
    PID 6016
    Application C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    Description Microsoft Word 16

    Violation 1D4ADCA4 is calling FunDisc.dll IAT funcptr KernelBase.dll!GetProcAddress


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 1D4ADCA4 msftedit.dll
    ff15b8106d1d CALL DWORD [0x1d6d10b8]
    8903 MOV [EBX], EAX
    33c9 XOR ECX, ECX
    e8ec810000 CALL 0x1d4b5e9f
    8b08 MOV ECX, [EAX]
    85c9 TEST ECX, ECX
    7f37 JG 0x1d4adcf0
    33c9 XOR ECX, ECX
    893d10f36c1d MOV [0x1d6cf310], EDI
    e8ba810000 CALL 0x1d4b5e80
    50 PUSH EAX
    ff15dc116d1d CALL DWORD [0x1d6d11dc]
    5f POP EDI
    5e POP ESI
    5b POP EBX
    5d POP EBP

    2 1D4ADB8B msftedit.dll
    3 1D4D947B msftedit.dll
    4 1D4DD261 msftedit.dll
    5 1D4DBC2E msftedit.dll
    6 1D500620 msftedit.dll
    7 1D4FAFA9 msftedit.dll
    8 1D500D65 msftedit.dll
    9 5BF84BCA ExplorerFrame.dll
    10 5BF84EAE ExplorerFrame.dll

    Process Trace
    1 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [6016]
    2 C:\Windows\explorer.exe [5624]
    3 C:\Windows\System32\userinit.exe [5548]
    4 C:\Windows\System32\winlogon.exe [916]
    winlogon.exe

    Thumbprint
    993900250846c2d2aa0c44018f4698535b155edcc783fb2567a9f315b5791701


    Here is the next one:

    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_5e
    PID 14976
    Application C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Description Firefox 51.0.1

    Violation 6AE24C1F is calling pwrshsip.dll IAT funcptr KernelBase.dll!GetProcAddress


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 6AE24C1F dui70.dll ?_MarkElementForLayout@Element@DirectUI@@SGHPAV12@I@Z +0x1bf
    ff157c63f16a CALL DWORD [0x6af1637c]
    8bf0 MOV ESI, EAX
    85f6 TEST ESI, ESI
    741e JZ 0x6ae24c49
    8935984bf16a MOV [0x6af14b98], ESI
    ebbe JMP 0x6ae24bf1

    2 6AE24DD7 dui70.dll
    3 6AE24C79 dui70.dll ?_MarkElementForLayout@Element@DirectUI@@SGHPAV12@I@Z +0x219
    4 6AE1EF29 dui70.dll ??0ElementProvider@DirectUI@@QAE@XZ +0x2c9
    5 6AE2A5EC dui70.dll InitProcessPriv +0x5c
    6 6AE2A5A9 dui70.dll InitProcessPriv +0x19
    7 5C4BCB65 ExplorerFrame.dll
    8 5C4810DD ExplorerFrame.dll
    9 73BED722 comdlg32.dll
    10 73BF3322 comdlg32.dll

    Process Trace
    1 C:\Program Files (x86)\Mozilla Firefox\firefox.exe [14976]
    2 C:\Windows\explorer.exe [5652]
    3 C:\Windows\System32\userinit.exe [5536]
    4 C:\Windows\System32\winlogon.exe [916]
    winlogon.exe

    Thumbprint
    8f3d4d795e7894c345eec8c24d815dd4eebb27fca436576611142975b1ff482f


    Here is the 3rd one:

    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_5e
    PID 15680
    Application C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description Internet Explorer 11

    Violation 04A3405A is calling resourcepolicyclient.dll IAT funcptr IEShims.dll!IEShims_SetRedirectRegistryForThread


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 04A3405A nvinit.dll
    ff153cc4a304 CALL DWORD [0x4a3c43c]
    8bf0 MOV ESI, EAX
    85f6 TEST ESI, ESI
    7413 JZ 0x4a34079
    56 PUSH ESI
    e8216affff CALL 0x4a2aa8d
    59 POP ECX
    8703 XCHG [EBX], EAX
    ebb9 JMP 0x4a3402a

    2 04A34202 nvinit.dll
    3 04A325B8 nvinit.dll
    4 04A2ABE5 nvinit.dll
    5 04A2B135 nvinit.dll
    6 04A2B378 nvinit.dll
    7 04A2B40B nvinit.dll
    8 0F08F8B0 IEShims.dll
    9 7710E58E ntdll.dll RtlDecompressBuffer +0xee
    10 770E0E46 ntdll.dll

    Process Trace
    1 C:\Program Files (x86)\Internet Explorer\iexplore.exe [15680]
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:14256 CREDAT:82945 /prefetch:2
    2 C:\Program Files\Internet Explorer\iexplore.exe [14256]
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging -suspended -debug http://localhost:54192/
    3 C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe [6184]
    "C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe" "C:\Users\mrhex1\Desktop\CIS233N\Week8\Demo 8\Demo 8\demo8.sln"
    4 C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\VSLauncher.exe [16284]
    "C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\VSLauncher.exe" "C:\Users\mrhex1\Desktop\CIS233N\Week8\Demo 8\Demo 8\demo8.sln"
    5 C:\Windows\explorer.exe [5652]
    6 C:\Windows\System32\userinit.exe [5536]
    7 C:\Windows\System32\winlogon.exe [916]
    winlogon.exe

    Thumbprint
    bee8bd4597be3a1275b67fc7249695c5368ce5f48321723f2d7b824e95b92841
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Afaik the discontinuation of gadgets is based on 2 things.
    -People will likely search for and install new gadgets for handy functionality, and there may have been the assumption that adding new gadgets is harmless. But gadgets should be treated as standard programs because they have the same rights as the user, so untrusted gadgets can compromise your PC. Also, I think gadgets are auto-updated, so an attacker can spread a normal, good behaving gadget and add malicious functionality in a later version.
    -Gadgets like any software can contain vulnerabilities, and it seems to me exploitation is unlikely unless you're using a gadget that connects to the internet or needs to open/parse files for it's functionality.

    So if you don't add new gadgets and just use simple default ones like the CPU meter, clock etc you should be fine.

    You can actually run MPC-HC protected with all migitations enabled, but you have to disable Process Hollowing protection in the systemwide settings. Of course then you're without that protection, so it would be nice to have a way to exclude individual applications from Process Hollowing Protection.
     
  13. Bobbin85

    Bobbin85 Registered Member

    Joined:
    Mar 6, 2017
    Posts:
    1
    Location:
    Finland
    Hi I'm having trouble watching videos on facebook, and I have narrowed it down to HitmanPro.Alert. The videos starts playing just fine, but in a random amount of time, usually just a few seconds, the video stops and you cannot continue to play without reloading the page. This is not browser specific since it doesn't work in either chrome (64bit) or firefox, however strangely in edge browser it works. I have also encountered problems with other sites videos too, but not youtube, that works fine. The problem occured in version 574 (my first version of HitmanPro.Alert since I'm a new user) and also in this new one 586. Another problem I have encountered is that when downloading nvidia drivers for my graphics card, the download sometimes get corrupted, but when I kill HitmanPro processes the download works just fine, this issue is occuring in the same browsers as above. Other info about my system: I run Windows 10 Pro, F-Secure Internet Security, Hardware: Intel i7 980X, 12gb ram, 2x Nvidia GTX 580 in SLI, SSD boot disk (for all programs and os), These same problems occured also on my laptop in a similar or exactly the same way. (Laptop: Intel i5 6300HQ, 8gb ram, SSD, Nvidia GTX 950, with Windows 10 Home and F-Secure Internet Security) All problems disapear when I kill the HitmanPro.Alert processes in task manager. Otherwise great software, hope this bug is straitened out soon.
     
  14. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    50
    Location:
    Italien
    Test: http://www.cpcheckme.com/checkme/

    Windows 7 SP1 x64 Ultimate
    Mozilla Firefox x64 v51.0.1
    Kaspersky Internet Security 2017 v17.0.0.611 patch c
    HitmanPro.Alert v3.6.3 build 586

    Test.png

    :(:(:(
     
    Last edited: Mar 6, 2017
  15. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
  16. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Seems to be a (yet another) worthless cosmetic page with the interest of selling/pitching this specific vendor's appliance product.
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Indeed - bogus test :ninja:
     
  18. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Look at how the ransomware test works:

    Ransomware
    This test downloads a test infected file (EICAR virus) through your network.
    https://www.cpcheckme.com/check/testsAssets/e.txt
    http://www.cpcheckme.com/check/testsAssets/e.bz2
    http://www.cpcheckme.com/check/testsAssets/e.zip

    Note: This test is not supported for SMB appliances running Gaia Embedded OS (600 / 700 / 1100 / 1200R / 1400).
    EICAR is designed to test the response of computer antivirus (AV) programs. It is a text file. It has nothing to do with ransomware.
    And so are each of the other tests. Total BS. I'm having a good laugh because of this, thanks ^_^
     
  19. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Yeah, the RanSim test is vendor-agnostic except with the end result of trying to sell you their training SaaS from KnowBe4.
     
  20. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    50
    Location:
    Italien
    Thanks Mark! :):):):thumb::thumb::thumb:
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Oh why do I even waster my time on such foolishness. My reward for trying that link BSOD
     
  22. guest

    guest Guest

    Yes, it would be better if it can be disabled for specific applications.
    In the end it's better to exclude MPC-HC instead of disabling Process-Protection which is affecting all applications.
     
  23. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Your not the only one :p roflmao
     
  24. tonino

    tonino Registered Member

    Joined:
    Jan 2, 2017
    Posts:
    62
    Location:
    somewhere
    No way!

    HMP.A rules!:thumb:
     
  25. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    HMP.A 3.6.3 build 586 working great on Windows Vista HP x64 SP2 and Windows 7 HP x64 SP1. All is well. :thumb:
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.