HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    There is another way to get the alert details. That is to copy the alert details from Event Viewer.
    Next time, to get alert details from Event Viewer:
    Open the HMPA user interface, and click "Number of alerts", or "Last alert"; that will open Windows Event Viewer.
    This takes a moment as a HMPA module is added to Event Viewer.
    In Event Viewer, in the HitmanPro.Alert Events section, information can be seen regarding HMPA events.
    Take the entry regarding the specific alert.
    Select all text, use Ctrl+C to copy the selected text, and then you can paste the copied details in your reply in the thread.
     
  2. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    That screenshot shows "Firefox 43.0.4". The current version is "Firefox 55.0.2". Maybe try updating it?

    Firefox is also now available in 64-bit, in addition to 32-bit, if you download the installer directly. The new installer will install the correct version for your platform.

    Mozilla's plan is to get all users with 64-bit Windows onto 64-bit Firefox by version 57 this fall.
     
    Last edited: Aug 21, 2017
  3. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Cool, I didn't know I could open Event Viewer directly this way. :thumb:

    Here's the full entry (after removing some extra blank lines for readability):

     
  4. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I knew somebody would hone in on that. :)

    IIRC, FF 43 was the last version that allowed me to enable valuable add-ons/plug-ins. After that, FF began to act like malware, unceremoniously disabling extensions such as the Adobe Convert Webpage to PDF function that I use, and taking away the option to re-enable it.
     
  5. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    Don't want to go off-topic here but just that we are on the same page: You really care about "FF acting like malware" while using a browser with hundreds of known vulnerabilities? Literally hundreds.

    FF44 was released in Jan 2016. Between 2016-01-01 and 2016-10-01 alone there were 133 vulnerabilities in Firefox: https://www.cvedetails.com/cvss-sco...=3264&startdate=2016-01-01&enddate=2016-10-01
    (After this the newer CVEs unfortunately have not yet been catalogued since MITRE is swamped with vulnerabilities: https://www.cso.com.au/article/621650/closing-cve-gap-mitre-up-it/)

    Simply go here and scroll up. You are vulnerable to all of this: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox43.0.2
     
  6. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Actually, I haven't used Firefox very much lately, precisely because Mozilla has been limiting the user's ability to customize it. And the situation is about to get worse. So, from my perspective, that is a 100% chance of unwanted results, vs. the unknown probability of being affected by any of those hundreds of vulnerabilities.

    In any case, I use FF for very limited, specific purposes; IE11 and Pale Moon are my main browsers, and I could just as easily uninstall FF completely and consign them to the dustbin. What you saw above was merely the result of my testing whether and how the Foxit Reader plugin works in FF. Then HMP.A got in the way and I reported it here for investigation. Can we focus on that, please.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Some injection issues to iron out before RS3 (Fall Creators Update) releases in the next month or two with regard to the Code Integrity Guard mitigation (blocks injection of non-Microsoft-signed DLLs). Just FYI for any users updating to RS3. Looks as though the Loman brothers will smooth this out soon.

    Source: https://twitter.com/markwo/status/899698090063536129

    Source: https://twitter.com/mattifestation/status/899699968268619776
     
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Hope Erik comes back soon. Want to test, but it says my license has run out. Anyone know of any discounts by chance?
     
  9. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I haven't heard of any special offers recently, sorry.
    Do you have another computer that you might test on with a new download?
     
    Last edited: Aug 21, 2017
  10. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    No worries.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    So this could be problematic not just for HMPA. May be wise to delay RS3 ...
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Previously Erik has been kind enough to issue licenses to Wilders members, if you PM him.

    But he is not responding right now, though it does look like he is around (see first tweet in WBD's post above).
     
    Last edited: Aug 25, 2017
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  14. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    The issue that I'd reported here does not seem to be occurring with the same Foxit PhantomPDF on FF 43 (yes ;)) in Vista HP x64 SP2.

    Just realized I forgot to specify in my first report: that earlier one was with HMP.A build 712, whereas now I'm reporting on build 604.

    Maybe I'll link to these posts over on the beta thread.
     
  15. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I noticed that they are giving away a free 3 PC/1 Year license key for HMPA over at MT.
     
  16. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Saw that. Signed up for the contest as well.
     
  17. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Software devs are going to be limited in their time and resources to ensure that their products are tested and fully compatible with current "supported" OS and applications. I believe that one can run obsolete software if they choose to (I still run a Win XP system), but it's not reasonable to expect new security software to remain compatible with old OS and browser configurations forever. It will never be tested on old platforms, so you use at your own risk.
     
  18. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Curiously, the HMP.A + FF43 + Foxit PDF combo is working fine in my Vista PC, but not in my Windows 7 PC. FWIW, the Vista system is running Norton 360 and HMP.A b604, while the 7 system is running NIS (current versions in both cases) and HMP.A b712.

    FF43 is little used in either computer, but ironically it may survive longer in the Vista box because the Foxit PDF Creator extension works there without objection from HMP.A.

    Hoping that Erik or Mark will see this and offer up a quick hypothesis as to why it might be working in one case but not in the other, and hopefully a recommendation for adjusting the settings. Who knows, the differential outcome might even provide some useful further insight into the workings of 712 vs. 604. But don't worry, I'm not expecting them to spend time getting deep into this situation. :)
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @Trooper Mark graciously extended mine, which was due to expire.

    They do value their Wilders members, but have priorities to clear:
    Sorry for the delay. We are very much caught up in work for Sophos (upcoming release of Intercept X 2.0). This work comes to an end soon so we're going to focus HitmanPro.Alert again - thus also our Wilder Security friends (Yay! At last!)
     
  20. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Thanks. I am ok with waiting for Erik to return. :)
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  22. Damnatus

    Damnatus Registered Member

    Joined:
    Dec 29, 2015
    Posts:
    16
    Short info: Got a ROP Mitigation after updating Skype to 7.40. It didn't happen after the installer re-started Skype, but after closing the program and re-opening it. Interestingly, this only happened once. The scan with HMP showed nothing. The second attempt was successful. Probably a FP?

    Mitigation ROP

    Platform 10.0.15063/x64 v604 06_3a
    PID 10104
    Application C:\Program Files (x86)\Skype\Phone\Skype.exe
    Description Skype 7.40

    Callee Type LoadLibrary

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    RtlInitUnicodeStringEx +0x46 RET LoadLibraryExW +0x4c
    0x773020F6 ntdll.dll 0x7553755C KernelBase.dll

    InterlockedIncrement +0x11 RET 0x57F8C109 nhAsusPhoebusDevProps.dll
    0x752A7431 kernel32.dll

    InterlockedIncrement +0x11 RET 0x57F8C100 nhAsusPhoebusDevProps.dll
    0x752A7431 kernel32.dll

    0x57F8CD70 nhAsusPhoebusDevProps.dll RET 0x57F8C02B nhAsusPhoebusDevProps.dll

    RtlInterlockedCompareExchange64 +0x3d RET* 0x00F5C5FE Skype.exe
    0x7733605D ntdll.dll
    20746965 AND [ECX+EBP*2+0x65], DH
    6d INS DWORD [ES:EDI], DX
    706f JO 0xf5c674
    20636f AND [EBX+0x6f], AH
    6e OUTS DX, BYTE [ESI]
    20746172 AND [ECX+0x72], DH
    6a65 PUSH 0x65
    7461 JZ 0xf5c672
    7320 JAE 0xf5c633
    6465206372 AND [EBX+0x72], AH
    c3 RET
    (B4BC072C34611825)


    WaitForMultipleObjects +0x19 ~ RET* 0x00F5C63F Skype.exe
    0x75542AD9 KernelBase.dll
    637561 ARPL [EBP+0x61], SI
    6e OUTS DX, BYTE [ESI]
    646f OUTS DX, DWORD [FS:ESI]
    206573 AND [EBP+0x73], AH
    74c3 JZ 0xf5c60d
    a973206c65 TEST EAX, 0x656c2073
    6a6f PUSH 0x6f
    7320 JAE 0xf5c673
    6465206361 AND [EBX+0x61], AH
    7361 JAE 0xf5c6bb
    3b20 CMP ESP, [EAX]
    7369 JAE 0xf5c6c7
    6d INS DWORD [ES:EDI], DX
    706c JO 0xf5c6cd
    656d INS DWORD [ES:EDI], DX
    656e OUTS DX, BYTE [GS:ESI]
    (3C2E18B0A540C803)


    WaitForMultipleObjectsEx +0x144 ~ RET WaitForMultipleObjects +0x18
    0x75542C34 KernelBase.dll 0x75542AD8 KernelBase.dll

    PerfIncrementULongLongCounterValue +0x138 RET WaitForMultipleObjectsEx +0x141
    0x75552248 KernelBase.dll 0x75542C31 KernelBase.dll

    WaitForMultipleObjectsEx +0x1a6 RET WaitForMultipleObjectsEx +0x11f
    0x75542C96 KernelBase.dll 0x75542C0F KernelBase.dll

    NtWaitForMultipleObjects +0xc ~ RET WaitForMultipleObjectsEx +0x103
    0x773222CC ntdll.dll 0x75542BF3 KernelBase.dll

    0x626B21CC wow64cpu.dll ~ RET TurboDispatchJumpAddressEnd +0x9e
    0x626B1D26 wow64cpu.dll

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 75537654 KernelBase.dll LoadLibraryExW +0x144

    2 57F8C1A5 nhAsusPhoebusDevProps.dll
    89442410 MOV [ESP+0x10], EAX
    ff159000fa57 CALL DWORD [0x57fa0090]
    8b0b MOV ECX, [EBX]
    89442414 MOV [ESP+0x14], EAX
    8b4904 MOV ECX, [ECX+0x4]
    c1e906 SHR ECX, 0x6
    f6c101 TEST CL, 0x1
    7552 JNZ 0x57f8c212
    8b93e8000000 MOV EDX, [EBX+0xe8]
    f7c200100000 TEST EDX, 0x1000
    7544 JNZ 0x57f8c212
    85ff TEST EDI, EDI
    7440 JZ 0x57f8c212
    b8948dfa57 MOV EAX, 0x57fa8d94
    668b0f MOV CX, [EDI]
    663b08 CMP CX, [EAX]

    3 57F8B394 nhAsusPhoebusDevProps.dll
    4 6F613C8B dxgi.dll
    5 6F61468C dxgi.dll
    6 6F6188C2 dxgi.dll
    7 635AA58D mshtml.dll
    8 635AA506 mshtml.dll
    9 632BAE40 mshtml.dll
    10 632B9891 mshtml.dll

    Process Trace
    1 C:\Program Files (x86)\Skype\Phone\Skype.exe [10104]
    2 C:\Windows\explorer.exe [9444]
    3 C:\Windows\System32\userinit.exe [9628]
    4 C:\Windows\System32\winlogon.exe [6584]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    5 C:\Windows\System32\smss.exe [14648]
    \SystemRoot\System32\smss.exe 00000100 00000080 C:\WINDOWS\System32\WinLogon.exe -SpecialSession

    Thumbprint
     
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    I notice the "Thumbprint" info is blank.
    If there was thumbprint info available, it would probably be welcome if you could add that thumbprint info.
    The thumbprint info is used by Erik/Mark/the HMPA team to diagnose and fix false positives or other issues.
     
    Last edited: Aug 30, 2017
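As an added example (not code from the thread or from the HMPA team), the PowerShell below does what the Event Viewer tip in post 1 and the thumbprint reminder above ask for by hand: it reads recent HitmanPro.Alert events with Get-WinEvent, optionally copies them to the clipboard for pasting into a report, and pulls out the header fields, flagging a blank Thumbprint. The event log name is an assumption and must be checked against the HitmanPro.Alert Events section in Event Viewer; the sample alert text is constructed from the layout of the Skype alert posted above.

```powershell
# Added example, not HMPA's own code. Log name below is an ASSUMPTION:
# verify it in Event Viewer under "HitmanPro.Alert Events".

function ConvertFrom-HmpaAlert {
    param([Parameter(Mandatory)][string]$Text)
    # The alert body starts with "Key Value" header lines, then trace tables.
    # Only the header keys are extracted; "Thumbprint" may carry no value at all.
    $fields = [ordered]@{}
    foreach ($key in 'Mitigation','Platform','PID','Application','Description','Callee Type','Thumbprint') {
        $pattern = '(?m)^[ \t]*' + [regex]::Escape($key) + '[ \t]+(\S[^\r\n]*)'
        $m = [regex]::Match($Text, $pattern)
        $fields[$key] = if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
    }
    # Reporters are asked to include the thumbprint; make its absence obvious.
    $fields['ThumbprintMissing'] = [string]::IsNullOrWhiteSpace($fields['Thumbprint'])
    [pscustomobject]$fields
}

function Get-HmpaAlert {
    param(
        [string]$LogName = 'HitmanPro.Alert',   # ASSUMED log name, confirm in Event Viewer
        [int]$Count = 1,
        [switch]$ToClipboard                     # copy raw text for pasting into a forum post
    )
    $events = Get-WinEvent -LogName $LogName -MaxEvents $Count -ErrorAction Stop
    if ($ToClipboard) { ($events | ForEach-Object Message) -join "`n`n" | Set-Clipboard }
    $events | ForEach-Object { ConvertFrom-HmpaAlert -Text $_.Message }
}

# Constructed sample in the layout of the Skype alert above (offline self-check).
$sample = @"
Mitigation ROP

Platform 10.0.15063/x64 v604 06_3a
PID 10104
Application C:\Program Files (x86)\Skype\Phone\Skype.exe
Description Skype 7.40

Callee Type LoadLibrary

Thumbprint
"@
$summary = ConvertFrom-HmpaAlert -Text $sample
$summary | Format-List
if ($summary.ThumbprintMissing) {
    Write-Warning 'Thumbprint is blank; the HMPA team needs it to diagnose the alert.'
}
```

On a machine with HMPA installed, `Get-HmpaAlert -Count 3 -ToClipboard` copies the last three alerts and prints their summaries.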
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Is this why Foxit Reader is not automatically added to protected apps?
    If so, then I guess the workaround would be to manually download and install Foxit Reader when a new version is issued.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    That is screwy. I have no problem updating either Acrobat reader or Acrobat Pro
     