HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
Why is SAM disabled, and should I enable it?
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    See Mark's November 15 post in the beta thread:
    If you want, you can enable SAM, and see if you run into any issues, or if it works without issues for your system and for your needs.
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Within 10 minutes of upgrading today from 3.6.7 build 604 to 3.7.1 build 723, I began to get PrivGuard mitigation alerts (Attack Intercepted).
    I have encountered two of these alerts so far.
These alerts were never present previously with the older version, and happened right after upgrading.
    “Google Chrome 62 has been terminated to prevent execution of malicious code”
    I ran HMP scans as instructed and nothing found.
    I think it might have something to do with Sandboxie.
    Who do I see about this?
    TY!
     
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    If you could add the full alert details, then Erik, Mark, or RonnyT can have a look at it.
    You can get alert details from Event Viewer:
    Open the HMPA user interface.
    If the HMPA user interface shows 1 or more alerts, clicking "Number of alerts" or "Last alert" in the HMPA user interface will open Windows Event Viewer and a "HitmanPro.Alert Events" module will be added to Windows Event Viewer. Be patient, as this takes a moment.
    As soon as the "HitmanPro.Alert Events" module is added to Event Viewer, opening that entry should show HMPA events.
    Take the entry regarding the specific alert.
    Select all text, use Ctrl+C to copy the selected text, and then you can paste the copied details in a reply in the thread.
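The same export can be done without the Event Viewer GUI. This is an added example, not code from the thread or from HitmanPro; the log name `HitmanPro.Alert` is an assumption (the script lists the real candidates if it is wrong), and the output path and event count are constructed defaults.

```powershell
# Added example (not from the thread): dump the newest HitmanPro.Alert events
# as plain text for pasting into a support reply.
param(
    [string]$LogName   = 'HitmanPro.Alert',   # ASSUMED name; verify with -ListLog below
    [int]$MaxEvents    = 5,
    [string]$OutFile   = "$env:USERPROFILE\Desktop\hmpa-alerts.txt"
)

# Confirm the log exists before querying; otherwise show what is actually registered.
$log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Warning "Log '$LogName' not found. Logs matching *HitmanPro*:"
    Get-WinEvent -ListLog '*HitmanPro*' | Select-Object LogName, RecordCount
    return
}

# Newest first. Each entry's Message holds the alert details (mitigation name,
# process, module) that the thread asks posters to copy from Event Viewer.
$events = Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop

$text = foreach ($e in $events) {
    "=== {0:u}  EventID {1}  {2} ===" -f $e.TimeCreated, $e.Id, $e.LevelDisplayName
    $e.Message
    ''
}

# Save to a file and put the same text on the clipboard (Set-Clipboard: PowerShell 5+).
$text | Set-Content -Path $OutFile -Encoding UTF8
$text | Set-Clipboard
Write-Host "Wrote $($events.Count) event(s) to $OutFile and copied them to the clipboard."
```

Run it from an elevated PowerShell prompt if the log is not readable by a standard user.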
     
  5. guest

    guest Guest

    If you are using a browser with Sandboxie, it is better to disable Local Privilege Mitigation. Or run it unsandboxed.
     
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    @mood,
    Thanks very much for that information regarding Sandboxie and Local Privilege Mitigation.
    I should have remembered, but I was too much focused on how to get and add alert details. ;)
     
  7. guest

    guest Guest

  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Go to the orange box and click on Risk Reduction, then select Process Protection. Then untick Local Privilege Mitigation. That should solve the problem. It's because of the Chrome sandbox.
     
  9. Armadax

    Armadax Registered Member

    Joined:
    Sep 13, 2015
    Posts:
    19
    Location:
    Zuid-Holland
    Not happy with the new update...
    I have Nicehash miner running on my win 10 computer (standard Win Defender and Hitman Pro Alert 3.7.1 723) and it blocks the application. It did not with the previous version and it does now with the update. I've excluded both the NiceHash Miner 2.exe in the program files folder and the actual miner exe in the appdata/roaming folder (excavator.exe), but the excavator keeps being blocked with a pop-up that the malware is blocked. I've also tried to change/remove the rules for the applications, but the strange thing is that with the 'mini icons' beneath the exploit protection it only shows the nicehash miner icon, not one for excavator. And if you click on the excluded Excavator, it only gives you the option to remove the exclusion...
Also, is it correct that there is no mention of the blocking event? Neither in the HMPA screen nor in the Event Viewer...
     

  10. guest

    guest Guest

    The Real-time Antimalware protection is blocking it. To be able to run the executable you have to disable the Real-time Antimalware protection, because there is no option yet to exclude the executable.
     
  11. plat1098

    plat1098 Guest

    For the heck of it, I put Chrome (first time EVER) and Firefox 57 on here with Sbie and Alert, both release versions. I'm aware Chrome has its sandbox but I'm able to use Chrome just fine without disabling any mitigations in Alert for over one hour now. I do have to launch Chrome from "Run any program" in Sbie's context menu to avoid Sbie launch errors but otherwise, no problems. Dumb beginner's luck maybe? By the way, in terms of speed running both Alert and Sbie, Chrome is the fastest and most efficient on here, hands down. No contest re:Firefox Quantum.

    Chrome version on here is 62.0.3202.94.

    Screenshot (17).png

    Edit: Here, but with launching Internet Explorer, never happened before:

    hmpalert privguard.PNG

    Even with exclusions in HMP Alert, looks like I left out an exclusion.

    hmp exclude.PNG
     
    Last edited by a moderator: Nov 22, 2017
  12. guest

    guest Guest

@plat1098 you have to add every Sbie process, especially SandboxieDcomLaunch.exe and SandboxieRpcSs.exe.
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Okay, I've followed the advice given here to disable LPM. TY, mood and Peter, for that. Please advise, what might be the downside of disabling that mitigation?

    Also, would adding full SBIE exclusions accomplish the same end?

    And thanks, StupendousMan, for your suggestion. I did include that info with my email to tech support, which so far has gone unanswered. :thumb:
     
  14. plat1098

    plat1098 Guest

    OK @guest, Sandboxie COM Services RpcSs was added to Alert exclusions. No mitigations disabled yet, might be a little premature but Chrome is running well so far. Thank you. :)

    Edit: Despite exclusions, still getting PrivGuard mitigations, this time clicking on a bookmark. Sbie Start exe was named and it's supposed to be excluded in Alert--? Bummer! Adding all the services to exclusions, as instructed.

    alert prviguard.PNG
     
    Last edited by a moderator: Nov 23, 2017
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
You'd be better off taking out all the exclusions, using Sandboxie, and just unchecking the Local Privilege Mitigation in HMPA.
     
  16. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Or leave LPM enabled and run Chrome unsandboxed with Sandboxie.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You may get the alerts with Sandboxie.
     
  18. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    But if Sandboxie isn't being used to sandbox any browser such as Chrome, it isn't doing anything so no HMP alerts, right?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You can't always make that assumption. Drivers installed, services running etc.
     
  20. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Okay, fair enough. I was going by the comment from @markloman that @mood quoted in post #14352. Mark had said (bold part my emphasis): "Sandboxie is actually stealing tokens and elevating privileges with them so our mitigation is not wrong. Disable Local Privilege Mitigation if you insist on using Sandboxie around your browsers." I just thought if you didn't use Sandboxie with said browser, you shouldn't get the LPM alerts.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Tony

May be true, but I am not sure what LPM does for me exactly. I do know from long-time usage what SBIE does for me, so that is the basis of my comment.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Changelog is published:
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
In Fall CU you don't need the font protection, because Windows handles fonts in a much more secure way. So it is overkill and a possible issue to block untrusted fonts.
     
    Last edited: Nov 23, 2017
  24. guest

    guest Guest

Excluding a process will only circumvent the exploit mitigations. Secure-deleting a file will still be prevented by CryptoGuard, writing to the MBR isn't possible for the excluded application, and excluding also doesn't affect the new mitigations ("CredGuard", "PrivGuard", etc.).
    These mitigations are still active, system-wide.
     
  25. guest

    guest Guest

Yes, it is now done by a user-mode process (fontdrvhost.exe), which runs in an AppContainer with no capabilities and also runs under a virtual account.
    The AppContainer mitigation has been there since the first release of Windows 10:
     