HitmanPro.ALERT Support and Discussion Thread

Yeah I noticed that

 

No worries guys, we are still developing HitmanPro.Alert. We're working on a few new novel mitigations and are planning a release soon. Stay tuned!

 

Thanks for that reassurance Mark!

 

In the meantime, if you have 10 minutes, here's a good read on HitmanPro.Alert's Heap Heap Protect mitigation, called Dynamic Shellcode Protection in Sophos Intercept X:
Covert code faces a Heap of trouble in memory – Sophos News

 

Hey mark thank you good reading .say hello to Eric

 

Great news!

 

I have W10 ASLR and DEP enabled. Should i disable them in HMPA.

 

Probably not a real false positive but I'll report it to the developers for evaluation.

Spoiler: Alert

Mitigation ROP
Timestamp 2021-03-14T16:18:51

Platform 10.0.19042/x64 v889 06_25
PID 9776
Feature 003D1A345FBFB0B6
Application C:\Program Files\Mozilla Firefox\firefox.exe
Created 2021-03-11T22:28:35
Description Firefox 86.0.1

Callee Type LoadLibrary
C:\Program Files (x86)\0patch\Agent\0PatchLoaderX64.dll
0x00007FF88BDF0000 (8192 bytes)

Stack Trace
# Address Module Location
-- ---------------- ------------------------ ----------------------------------------
1 00007FF88BD904B6 (anonymous)

2 00007FF88BCAC1E8 ntdll.dll
a0c5b98bf87f000020 MOV AL, [0x2000007ff88bb9c5]
c3 RET


Loaded Modules (31)
-----------------------------------------------------------------------------
00007FF76C6B0000-00007FF76C748000 firefox.exe (Mozilla Corporation),
version: 86.0.1
00007FF88BB90000-00007FF88BD85000 ntdll.dll (Microsoft Corporation),
version: 10.0.19041.844 (WinBuild.160101.0800)
00007FF88B140000-00007FF88B1FD000 KERNEL32.dll (Microsoft Corporation),
version: 10.0.19041.804 (WinBuild.160101.0800)
00007FF889110000-00007FF889210000 hmpalert.dll (SurfRight B.V.),
version: 3.8.8.889
00007FF8894F0000-00007FF8897B9000 KERNELBASE.dll (Microsoft Corporation),
version: 10.0.19041.804 (WinBuild.160101.0800)
0000000050060000-0000000050389000 IPSEng64.dll (Broadcom),
version: 17.2.4.24
00007FF88A100000-00007FF88A1AC000 ADVAPI32.dll (Microsoft Corporation),
version: 10.0.19041.610 (WinBuild.160101.0800)
00007FF88A1B0000-00007FF88A24E000 msvcrt.dll (Microsoft Corporation),
version: 7.0.19041.546 (WinBuild.160101.0800)
00007FF88AC30000-00007FF88ACCC000 sechost.dll (Microsoft Corporation),
version: 10.0.19041.789 (WinBuild.160101.0800)
00007FF88AA50000-00007FF88AB7B000 RPCRT4.dll (Microsoft Corporation),
version: 10.0.19041.746 (WinBuild.160101.0800)
00007FF88A250000-00007FF88A258000 PSAPI.DLL (Microsoft Corporation),
version: 10.0.19041.546 (WinBuild.160101.0800)
00007FF8893F0000-00007FF8894F0000 ucrtbase.dll (Microsoft Corporation),
version: 10.0.19041.789 (WinBuild.160101.0800)
00007FF875180000-00007FF875210000 mozglue.dll (Mozilla Foundation),
version: 86.0.1
00007FF8897C0000-00007FF88991F000 CRYPT32.dll (Microsoft Corporation),
version: 10.0.19041.844 (WinBuild.160101.0800)
00007FF889B60000-00007FF889BC0000 WINTRUST.dll (Microsoft Corporation),
version: 10.0.19041.804 (WinBuild.160101.0800)
00007FF86C190000-00007FF86C221000 MSVCP140.dll (Microsoft Corporation),
version: 14.27.29112.0 built by: vcwrkspc
00007FF86C170000-00007FF86C189000 VCRUNTIME140.dll (Microsoft Corporation),
version: 14.27.29112.0 built by: vcwrkspc
00007FF888F10000-00007FF888F1A000 VERSION.dll (Microsoft Corporation),
version: 10.0.19041.546 (WinBuild.160101.0800)
00007FF888CE0000-00007FF888EC4000 dbghelp.dll (Microsoft Corporation),
version: 10.0.19041.867 (WinBuild.160101.0800)
00007FF86C160000-00007FF86C16C000 VCRUNTIME140_1.dll (Microsoft Corporation),
version: 14.27.29112.0 built by: vcwrkspc
00007FF888930000-00007FF88893C000 CRYPTBASE.DLL (Microsoft Corporation),
version: 10.0.19041.546 (WinBuild.160101.0800)
00007FF888A20000-00007FF888A32000 MSASN1.dll (Microsoft Corporation),
version: 10.0.19041.546 (WinBuild.160101.0800)
00007FF888FE0000-00007FF88909E000 0PatchLoaderX64.dll (Acros Security),
version: 20.06.18.10800
00007FF88B7A0000-00007FF88B940000 USER32.dll (Microsoft Corporation),
version: 10.0.19041.746 (WinBuild.160101.0800)
00007FF889BC0000-00007FF889BE2000 win32u.dll (Microsoft Corporation),
version: 10.0.19041.867 (WinBuild.160101.0800)
00007FF88A2C0000-00007FF88A2EA000 GDI32.dll (Microsoft Corporation),
version: 10.0.19041.746 (WinBuild.160101.0800)
00007FF889920000-00007FF889A2B000 gdi32full.dll (Microsoft Corporation),
version: 10.0.19041.746 (WinBuild.160101.0800)
00007FF889300000-00007FF88939D000 msvcp_win.dll (Microsoft Corporation),
version: 10.0.19041.789 (WinBuild.160101.0800)
00007FF888C80000-00007FF888CAC000 dbgcore.DLL (Microsoft Corporation),
version: 10.0.19041.789 (WinBuild.160101.0800)
00007FF889C60000-00007FF889C90000 IMM32.DLL (Microsoft Corporation),
version: 10.0.19041.546 (WinBuild.160101.0800)
00007FF888C40000-00007FF888C73000 ntmarta.dll (Microsoft Corporation),
version: 10.0.19041.546 (WinBuild.160101.0800)

Code Injection
00000177E6668000-00000177E6669000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [2472]
00007FF88BC2D000-00007FF88BC2E000 4KB
00007FF88BC2F000-00007FF88BC30000 4KB
00007FF88BC2C000-00007FF88BC2D000 4KB
00000000005F0000-00000000005F1000 4KB
1 C:\Program Files\Mozilla Firefox\firefox.exe [2472] 2021-03-14T16:15:30
2 C:\Program Files\Mozilla Firefox\firefox.exe [2976] 2021-03-14T16:15:30 2.5s
3 C:\Windows\explorer.exe [7188] 2021-03-14T03:34:53
4 C:\Windows\System32\userinit.exe [7044] 2021-03-14T03:34:52 29.3s
5 C:\Windows\System32\winlogon.exe [748] 2021-03-14T03:33:57
winlogon.exe
6 C:\Windows\System32\smss.exe [664] 2021-03-14T03:33:57 193ms
\SystemRoot\System32\smss.exe 000000c4 00000084
7 C:\Windows\System32\smss.exe [372] 2021-03-14T03:33:51
\SystemRoot\System32\smss.exe

Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [9776] 2021-03-14T16:18:49
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2472.122.100061356\1938641499" -childID 17 -isForBrowser -prefsHandle 9416 -prefMapHandle 10216 -prefsLen 9402 -prefMapSize 258803 -parentBuildID 20210310152336 -appdir "C:\Program File
2 C:\Program Files\Mozilla Firefox\firefox.exe [2472] 2021-03-14T16:15:30
3 C:\Program Files\Mozilla Firefox\firefox.exe [2976] 2021-03-14T16:15:30 2.5s
4 C:\Windows\explorer.exe [7188] 2021-03-14T03:34:53
5 C:\Windows\System32\userinit.exe [7044] 2021-03-14T03:34:52 29.3s
6 C:\Windows\System32\winlogon.exe [748] 2021-03-14T03:33:57
winlogon.exe
7 C:\Windows\System32\smss.exe [664] 2021-03-14T03:33:57 193ms
\SystemRoot\System32\smss.exe 000000c4 00000084
8 C:\Windows\System32\smss.exe [372] 2021-03-14T03:33:51
\SystemRoot\System32\smss.exe

Dropped Files
1 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\F871DBE4233D940C2DC3A4B9C6765BEDAF9F2F9B
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
2 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\A6A1A7A5C110892C3057EABAEB5DB2CF96ABA255
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
3 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\8C92DD0873444A54B80C12C79487ECBBC5DD16C7
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
4 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\0F56DF54EC2C8FF96A10CA74BEFD6D470C7FBF81
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
5 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\1D1E925D0C56AB8BC90B88E2CF674397E2F7B7B8
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
6 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\F1A62B43C981012A58CB597C2F101CEEEE9A2D7F
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
7 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\DCF9245B0B0A62FEDFE7912E6669CA6B77A02A0B
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
8 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\D06751DD239E60466791C2697AF7C569EF8BB706
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
9 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\D252D3ECABAE82B31E570A65DB449F9F92DB1D00
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
10 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\DB70FED8F4CAC941DF942723BFEE56913BB11500
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
11 C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\335r9c8v.default\addonStartup.json.lz4.tmp
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
12 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\C734FBC065CECA394B00EAB4EEF7E4D92B0B8169
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
13 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\2495CB6C1E6E02B4E004A4B9BE34D3704408E21F
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
14 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\533592FE04497A613CD084672F1B9CC01E1CB4B0
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
15 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\906F274E040F5FED77EBA2F873C9210501B8905F
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
16 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\9584C50E5DEFB24DFEC840471A1E7DB3F4A6E5C2
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
17 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\02015648FCB1E078D1169756860343655D9D93C7
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
18 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\7861A4D98490D41C15A6923E50F396F71D72FC1B
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
19 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\9E4B6E4DE78163895948DA1ED04E2F09B672D903
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
20 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\98ADA06CE66084B34664DF16BE0BEDE1B253742C
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
21 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\497522EE4FC0F8563204632CA09A0276BFDB7D7A
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
22 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\CA59C73A08E7249D939E4B43C54ABB80D79A0ECE
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
23 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\CE0B57BADCE2260EB83D501B49D883E2896B225D
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
24 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\F7D1BEBA1D14FD685B5F3E0DDF22A91FEEF43325
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
25 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\F150E3EFE82BF7F745643FF006FF9A59F5AAD356
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
26 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\1992DCC4D492520B558CBF031A095B2C22FA882B
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
27 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\15E939F6FE89AD065BCD4F8B7E584F2707554091
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
28 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\27C2FAB4317FF53C6459D0C27DE6D8E10C7A8E1F
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
29 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\E0452CB5C064E25BA8C8000918D2ECE6F61730A5
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
30 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\9B30713E9A17799610139811FBFF5C0986AF7A49
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
31 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\C0D01D2237ECED7397B156FF2572F305E1F3111C
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
32 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\67339E0570A415437CD22DD70A10CFB6EA964038
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
33 C:\Users\Dave\AppData\Local\Mozilla\Firefox\Profiles\335r9c8v.default\cache2\entries\CB92A427B86C3DA1176831AA8A262E29A5E4D1B2
Dropped by \Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe [2472]
1 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
2 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
3 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
4 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
5 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
6 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
7 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
8 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
9 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
10 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
11 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
12 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
13 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
14 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
15 C:\Users\Dave\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
16 C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1366_768_POS4.jpg
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
17 C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Themes\Transcoded_000
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
18 C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
19 C:\Users\Dave\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
20 C:\$RECYCLE.BIN\S-1-5-21-3520406671-1429368665-1498003777-1001\desktop.ini
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
21 C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]
22 C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [7188]

Thumbprints
N/A

I have since uninstalled 0Patch from my machines.

 

Hi, how many days in advance can you put the new license?
It expires in 29 days.
Thank you!

 

I have 11 days left for my license. I think i will lose those 11 days if i activate a new license today.

 

That is indeed the case, Dragon. The advice from SurfRight is to only activate the new license on the last day before expiry.

 

You will lose any days remaining on the previous license if you activate a new one. I waited till the last day for mine.

 

I got it.
Thank you guys!

 

Yes, when I bought a new license, the email also said to wait with activating it, as the time left will not combine with the new license.

 

I would like to see password protection of the UI and un-installation as well. The current tamper protection doesn't cover a guest user acting maliciously.

Also the notification about a blocked threat is very annoying. I'd like to see the notification pop up in the top right corner like other notifications it gives to the user.

 

We "inherited" a Windows 7 PC and I am whipping it into shape. Among the first things I did was to install HMP.A on it.

I happened to install an older version of HMP.A that I had on a flash drive, then I ran a manual scan. To judge from the scan results, it looks like HMP.A suffers from some self-hatred (see the topmost result):

 

Maybe I'm seeing this wrong but if not is this for real? A Security App Leaving BaseNamedObjects Security Open for anyone to grab? Tested using 3.8.8 build889

https://ibb.co/YWHyQWT
https://ibb.co/tLBC28Q
https://ibb.co/d5nyTFs

All have the same lack of permissions set and result in the same warning:

 

As such I've decided to reply, yet again, so that I can add a document which helps support why I think this is such a horrible practice for HMP.A. Granted I can't, yet, be sure what checks or controls you use via the driver or service but at first glance this is not a good look!

https://techcommunity.microsoft.com...of-the-insecure-security-software/ba-p/723569

 

That article was first published 14 years ago.

 

If keystroke encryption is enabled for Brave, CTLR+W(close current tab) doesn't work half the time. No problems when keystroke encryption is disabled for Brave.

 

Do you have the same with Chrome? and with CTRL+F for 'find'

 

@RonnyT

I sent you the links for the requested files via PM since they were a bit big to send via e-Mail. Hope they help.

 

Sorry I don't have Chrome installed. CTRL+F also seems to fail sometimes, but not as much as CTRL+W. The strange thing is that when CTRL+W fails repeatedly, and I try CTLR+F, then CTRL+W is working again.

 

I use ScreenConnect Client every day in my profession to manage Remote Support sessions with my customers. I also use HMPA on their computers too. It looks bad that HMPA is flagging my professional support tool as Malware. I have lost a client over this (an accountant that did not like alerts coming up for my support tools!), I can suppress the alert on a client's machine if I see it in history, but when the new version of ScreenConnect client tries to install, it gets blocked in the temp folder again. Can this be permanently whitelisted, or should I stop using HMPA? I also get the malware block on ConnectWiseControl.ClientSetup.exe



Mitigation MalwareBlocked
Timestamp 2021-03-24T11:56:27

Platform 10.0.19042/x64 v889 06_9e
PID 3932
Service ScreenConnect Client (d285fbbafdb4d833)
Application C:\Windows\Temp\ScreenConnect\21.2.2159.7699\ScreenConnect.ClientSetup.exe
Created 2021-03-22T15:31:40
Description Generic ML PUA


Process Trace
1 C:\Program Files (x86)\ScreenConnect Client (d285fbbafdb4d833)\ScreenConnect.ClientService.exe [3932] 2021-03-23T15:20:03
"C:\Program Files (x86)\ScreenConnect Client (d285fbbafdb4d833)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-vaxh2v-relay.screenconnect.com&p=443&s=dde2b1fc-ad0a-451e-88dc-32311c2d9dfd&k=BgIAAACkAABSU0ExAAgAAAEAAQBdKtCd5XIncf0TXyO%2bT01wB
2 C:\Windows\System32\services.exe [868] 2021-03-23T15:20:00
3 C:\Windows\System32\wininit.exe [764] 2021-03-23T15:20:00
wininit.exe
4 C:\Windows\System32\smss.exe [664] 2021-03-23T15:19:59 1.3s
\SystemRoot\System32\smss.exe 00000170 00000084
5 C:\Windows\System32\smss.exe [592] 2021-03-23T15:19:58
\SystemRoot\System32\smss.exe

Services
3932 ScreenConnect Client (d285fbbafdb4d833)

Dropped Files
1 C:\ProgramData\ScreenConnect Client (d285fbbafdb4d833)\4vmk3yu1.tmp
Dropped by \Device\HarddiskVolume4\Program Files (x86)\ScreenConnect Client (d285fbbafdb4d833)\ScreenConnect.ClientService.exe [3932]
2 C:\ProgramData\ScreenConnect Client (d285fbbafdb4d833)\4vmk3yu1.newcfg
Dropped by \Device\HarddiskVolume4\Program Files (x86)\ScreenConnect Client (d285fbbafdb4d833)\ScreenConnect.ClientService.exe [3932]
3 C:\WINDOWS\TEMP\ScreenConnect\21.2.2159.7699\ScreenConnect.ClientSetup.exe
Dropped by \Device\HarddiskVolume4\Program Files (x86)\ScreenConnect Client (d285fbbafdb4d833)\ScreenConnect.ClientService.exe [3932]
Read by \Device\HarddiskVolume4\ProgramData\Microsoft\Windows Defender\Platform\4.18.2102.4-0\MsMpEng.exe [4972]

Thumbprints
8dcef8cd708dd449614f30c3ae147d023bdb3b60a15ccf6699edb09cf8d00ba5

 

I just wanted to say again. The new tamper protection doesn't cover a guest user acting maliciously. HMPA needs password protection.

Make it so that once the password is set, you can't open the UI and can't uninstall it either.