HitmanPro.Alert BETA

I just manually updated from 3.8.9 Build 891 Release Candidate. No issues!

 

Hello @RonnyT ,

I am getting a ROP alert on LibreOffice due to a false positive with ESET Internet Security.

Spoiler: HMP.A ROP Alert

Mitigation ROP
Timestamp 2021-04-13T20:53:27

Platform 10.0.19042/x64 v893 06_9e
PID 11328
Feature 003D0A361FBF01B6
Application C:\Program Files\LibreOffice\program\soffice.exe
Created 2021-04-01T16:01:43
Description LibreOffice 7.1.2

Callee Type MapViewOfSection

Branch Trace Opcode To
---------------------------------------- -------- ----------------------------------------
0x00007FF8BCA7DE6E ebehmoni.dll ~ RET* +0x20330 ^0037
0x00007FF8E3980330 hmpalert.dll
4055 PUSH RBP
53 PUSH RBX
56 PUSH RSI
57 PUSH RDI
4156 PUSH R14
488dac24b0fdffff LEA RBP, [RSP-0x250]
4881ec50030000 SUB RSP, 0x350
488b05f36c0b00 MOV RAX, [RIP+0xb6cf3]
4833c4 XOR RAX, RSP
48898530020000 MOV [RBP+0x230], RAX
488b85a8020000 MOV RAX, [RBP+0x2a8]
4889442478 MOV [RSP+0x78], RAX
488b85b0020000 MOV RAX, [RBP+0x2b0]
48894d80 MOV [RBP-0x80], RCX
(E10A15ED3EF31E83)


0x00007FF8BCA6095D ebehmoni.dll RET 0x00007FF8BCA7E09F ebehmoni.dll ^0276

0x00007FF8BCA4832B ebehmoni.dll RET 0x00007FF8BCA4D0BF ebehmoni.dll ^0B0B

0x00007FF8BCA440A9 ebehmoni.dll RET 0x00007FF8BCA43A74 ebehmoni.dll ^0006

memset +0xe8 RET 0x00007FF8BCA4409C ebehmoni.dll ^0044
0x00007FF8E6513EA8 ntdll.dll

Stack Trace
# Address Module Location
-- ---------------- ------------------------ ----------------------------------------
1 00007FF8BCA7E0BA ebehmoni.dll
488da42458000000 LEA RSP, [RSP+0x58]
c3 RET

2 00007FF8BCA4D0DA ebehmoni.dll
3 00007FF8BCA4411C ebehmoni.dll
4 00007FF8BCA43AA8 ebehmoni.dll
5 00007FF8BCA42B93 ebehmoni.dll
6 00007FF8BCA7DDE8 ebehmoni.dll
7 00007FF8E6484D42 ntdll.dll
8 00007FF8E6484AAA ntdll.dll RtlIsCriticalSectionLockedByThread +0x21a
9 00007FF8E6484479 ntdll.dll
10 00007FF8E64DB1DD ntdll.dll

Loaded Modules (17)
-----------------------------------------------------------------------------
00007FF609C10000-00007FF609C44000 soffice.exe (The Document Foundation),
version: 7.1.2.2
00007FF8E6470000-00007FF8E6665000 ntdll.dll (Microsoft Corporation),
version: 10.0.19041.928 (WinBuild.160101.0800)
00007FF8E58A0000-00007FF8E595D000 KERNEL32.dll (Microsoft Corporation),
version: 10.0.19041.928 (WinBuild.160101.0800)
00007FF8E3960000-00007FF8E3A6D000 hmpalert.dll (SurfRight B.V.),
version: 3.8.10.893
00007FF8E3CB0000-00007FF8E3F78000 KERNELBASE.dll (Microsoft Corporation),
version: 10.0.19041.906 (WinBuild.160101.0800)
00007FF8E4880000-00007FF8E4FC2000 SHELL32.dll (Microsoft Corporation),
version: 10.0.19041.906 (WinBuild.160101.0800)
00007FF8E4400000-00007FF8E449D000 msvcp_win.dll (Microsoft Corporation),
version: 10.0.19041.789 (WinBuild.160101.0800)
00007FF8E4300000-00007FF8E4400000 ucrtbase.dll (Microsoft Corporation),
version: 10.0.19041.789 (WinBuild.160101.0800)
00007FF8E46D0000-00007FF8E4870000 USER32.dll (Microsoft Corporation),
version: 10.0.19041.906 (WinBuild.160101.0800)
00007FF8E44A0000-00007FF8E44C2000 win32u.dll (Microsoft Corporation),
version: 10.0.19041.906 (WinBuild.160101.0800)
00007FF8E5740000-00007FF8E576A000 GDI32.dll (Microsoft Corporation),
version: 10.0.19041.746 (WinBuild.160101.0800)
00007FF8E40E0000-00007FF8E41EB000 gdi32full.dll (Microsoft Corporation),
version: 10.0.19041.928 (WinBuild.160101.0800)
00007FF8DC620000-00007FF8DC6B2000 MSVCP140.dll (Microsoft Corporation),
version: 14.28.29334.0 built by: vcwrkspc
00007FF8DE7B0000-00007FF8DE7C9000 VCRUNTIME140.dll (Microsoft Corporation),
version: 14.28.29334.0 built by: vcwrkspc
00007FF8DE7D0000-00007FF8DE7DC000 VCRUNTIME140_1.dll (Microsoft Corporation),
version: 14.28.29334.0 built by: vcwrkspc
00007FF8E56B0000-00007FF8E56E0000 IMM32.DLL (Microsoft Corporation),
version: 10.0.19041.546 (WinBuild.160101.0800)
00007FF8BCA40000-00007FF8BCACD000 ebehmoni.dll (ESET),
version: 1.0.42.0

Process Trace
1 C:\Program Files\LibreOffice\program\soffice.exe [11328] 2021-04-13T20:53:17
"C:\Program Files\LibreOffice\program\soffice.exe" -o "D:\WinRAR Files\Extractions\Documents\Images.ods"
2 C:\Program Files\Biniware Run\brun.exe [7616] 2021-04-13T20:11:30
3 C:\Windows\explorer.exe [5592] 2021-04-13T20:11:11
4 C:\Windows\System32\userinit.exe [5488] 2021-04-13T20:11:11 23.2s
5 C:\Windows\System32\winlogon.exe [916] 2021-04-13T20:10:56
winlogon.exe
6 C:\Windows\System32\smss.exe [808] 2021-04-13T20:10:56 174ms
\SystemRoot\System32\smss.exe 00000144 00000084
7 C:\Windows\System32\smss.exe [452] 2021-04-13T20:10:51
\SystemRoot\System32\smss.exe

Dropped Files

Thumbprints
c31d5663d13c3c8876b5d671654fedf1fced9bb764f1f8861a58eeb857f62f91

 

Is that structural or incidental?

 

OK cool, I figured that since most browsers are based on Chromium it shouldn't be this hard?

 

Hello @RonnyT ,

I am not quite sure what you mean by this question, so maybe this will help.
I have a LibreOffice Calc file that I use often. Every time that it is launched, I get the same ROP alert along with the opening of the file being blocked. (Note that I use a program called Biniware Run to launch the file.)
If that does not answer your question, please explain it in a simpler way for this feeble mind to understand ...
Thanks in advance .

 

Build 983 running fine now for a few days on Windows 1909 x64. (Apart from the Brave keystroke encryption issue reported in the other thread, but that is not specific to this new version.)

 

Sorry what I meant was does it trigger the ROP everytime you open 'a' document, or just sometimes e.g. once a couple of days?
Does it also ROP why you open Calc and then open the sheet? (so not using Biniware).
Does it also ROP on any other Calc file?

In general, you could allow this alert if it's a FP:
To be able to allow this please open HitmanPro.Alert -> Click on "Last event" find the offending alert(s) -> Action -> Suppress Alert
Make sure all offending alerts for the detected application now have the "Suppressed" message behind them and you should be good to go!
(In case of CryptoGuard alerts also make sure to Unblock the application before trying again, on the main windows click Blocked Items and unblock).

 

Hello @RonnyT ,

Yes, the ROP is triggered every time.

Yes, it does. It happens whether using Biniware Run or not. It happens any way that I try to open the sheet.
I can not open Calc as this triggers the ROP every time. No chance to try to open the sheet.
I can not open LibreOffice as this triggers the ROP every time. No chance to open the sheet.
If I try to open the sheet directly, this triggers the ROP every time.
In fact, the ROP is triggered with anything that I try to do with LibreOffice.

The ROP is triggered on every Calc file that I try to open.
The ROP is triggered with any of the apps in the LibreOffice Suite that I try to open.
The ROP is triggered with any type file that I try to open in LibreOffice.
Basically, any thing that I try to do with LibreOffice triggers the ROP.

The problem with this is I have to create an allow (suppressed) rule for every app in LibreOffice Suite and also for every different file that I try to open. The only easy way to get by this issue is to disable ROP for LibreOffice entirely.
I hope that this helps...

 

That was just as a workaround, we'll be looking in to this combo and see why it triggers, probably ESET changed some magic.

 

Hello @RonnyT ,

I pretty much thought this was the case. It has been a while but I have had this issue before with ESET and HMP.A, and your team did something on your end to fix the issue with ESET.
Thank you for your help and for looking into this...

 

Did you tweak any settings on ESET, by default the deep behavior inspection dll is not loaded on my setups (ebehmoni.dll) in LibreOffice processes

 

Hello @RonnyT ,

Sorry for the delayed response. Since your results were different then mine, I decided to do a complete uninstall of ESET and start new with a fresh install to verify all settings would be at default.

Unfortunately, I still have the same ROP alerts being triggered in LibreOffice and am at a loss as to why we are seeing two different scenarios/situations...

Note: In the ESET GUI, if you go to "Help and Support > About ESET Internet Security > Installed components", I have:
Deep behavioral inspection support module: 1111 (20210407)
as the current installed module.

 

At the new version (driverbooster v. 8.4.0.432) the false alarm will reappear. Please correct. Thanks! HitmanPro.Alert v. 3.8.10 build 893.

 

I've fixed this, you can also allow this locally (As the sophos engine will flag it again with the next update);

To be able to allow this please open HitmanPro.Alert -> Click on "Last event" find the offending alert(s) -> Action -> Suppress Alert
Make sure all offending alerts for the detected application now have the "Suppressed" message behind them and you should be good to go!
(In case of CryptoGuard alerts also make sure to Unblock the application before trying again, on the main windows click Blocked Items and unblock).

 

Thanks! I'm going to do this.

 

HitmanPro.Alert 3.8.11 Build 897 Release Candidate

Changelog (compared to build 893):

• Fixed a rare crash in BackgroundTaskHost.exe caused by our new CookieGuard mitigation (part of Credential Theft Protection)
• Added support for more Chromium based web browsers to CookieGuard, including Brave, Opera, Vivaldi, Comodo Dragon, Edge Canary, Beta and Dev channel.
• Improved compatibility with games that perform tricks that trigger our main thread hijacking protection (part of Hollow Process Mitigation).

Download:
https://dl.surfright.nl/hmpalert3b897.exe

Please let us know how this version runs on your machine. Thanks

 

Besides a Microsoft SmartScreen-alert no further problems upgrading build 897.

Win10 21H1 build 19043.985

 

a note on 897, should your browser throw a CookieGuard alert at startup it's probably on the wrong protection profile.

• Check Exploit Mitigations to see if it's under something else then Browsers, and if so click and 'Remove mitigations'
• Disable Credential Theft Protection
• Start browser
• Click Exploit Mitigations -> Running applications -> click browser and add to Template "Browsers"
• Enable Credential Theft Protection
• Done

 

Manually uninstalled and waited for a few days and no problems.

Windows 10 Pro Versie 21H1 Build 190453.985

 

Yesterday, I manually upgraded from 3.8.10 Build 893 Release Candidate to 3.8.11 Build 897 Release Candidate. No issues to report and no CookieGuard alerts.

 

HitmanPro.Alert 3.8.12 Build 899 Release Candidate

Changelog (compared to build 897)

• Fixed another crash that could occur in BackgroundTaskHost caused by CookieGuard
• Improved compatibility of Hollow Process mitigation with Rockstar games

Download
https://dl.surfright.nl/hmpalert3b899.exe

Let us know if how this version runs on your machine. Thanks

Update: As mentioned by colleague @RonnyT, we're now auto-updating users on build 897 to build 899.

 

Manual install, no problem.

 

All good here, Mark (still on Win 19042.985).

 

Yet another Microsoft SmartScreen-alert. No further problems upgrading.

 

For those still on 897 I have just turned on the automatic update to 899 so if you could sit this one out and wait for the update, we have changed the fly-out -> notification to update so any feedback on that would be nice.