HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    @ erikloman
    @ markloman
    and also @ everyone else

    In addition to my post earlier today,
    stopping and restarting the hmpalertsvc service to fix the flyout issue seemed to work, for a while,
    but after some time the issue was back, unrelated to sleep mode or anything else that I can think of.
    Looks like stopping and restarting the hmpalertsvc service to fix the flyout issue was not enough, or the issue came back for some other reason.
    Pity.
    So I'll reboot.

    Good luck fixing this darndest issue.


    Best regards
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    @ erikloman
    @ markloman

    Here's another addition to the information regarding the HitmanPro.Alert flyout issue.

    July 7th, I wrote, regarding the flyout issue:
    I can add to that:
    - Also, as the flyout issue occurs, opening multiple new browser tabs by clicking multiple URLs is notably sluggish. Opening multiple new browser tabs by clicking multiple URLs is slowed down considerably, and I need to wait to open some more tabs until the first bunch have completed opening. This happens only in connection with the flyout issue.
    I think this symptom wasn't mentioned yet.

    And as the flyout issue was back for the second or third time today (this time there could've been a connection with sleep mode),
    and as especially the slowing down of opening new browser tabs was annoying me highly,
    and as I was getting quite fed up with rebooting,
    for now, I uninstalled HitmanPro.Alert.
    I will try again later, when the version fixing the flyout issues is ready.


    System information:
    Windows Vista SP2 x86
    IE9
    G Data IS 2014
    SpywareBlaster 5.0
    EMET 4.0 with all EMET mitigations for iexplore.exe and also "Deep Hooks" enabled in EMET\ Apps\ Application Configuration.


    Best regards
     
  3. imperium

    imperium Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    73
    Location:
    England
    Noob question. This sounds like a good program to have, but is Hitman Pro Alert compatible with Kaspersky Internet Security 2013/2014? I use Safe Pay but don't want a program that might interfere with Safe Pay's ability to protect me. Thank you.
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes, this is also caused by the same issue. Will make priority of this issue.
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes it is fully compatible as of version 2.0.9.
     
  6. shogun_r

    shogun_r Registered Member

    Joined:
    Aug 17, 2013
    Posts:
    22
    Location:
    Sweden
    Have some small questions.

    Is the signatures/database of potential threats in the cloud? Is the signatures/database updated to new threats?

    Are there any tests or something on the program? It claims that: "HitmanPro.Alert will instantly detect over 99% of all known and new banking Trojans." Is it something that has been investigated or is it just a taken number?

    Have installed on a Win7 64-bit with Qihoo 360, HitmanPro and Malwarebytes Anti-Malware Pro, and no problem so far.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It doesn't use any signatures, it just checks for certain changes in critical functions of the browser.

    Most banking Trojans use the same technique to hijack browsers, that's why these claims are made I suppose.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Just installed this. Nice light app with zip performance hit using IE9.

    Since I use Emsisoft Anti-Malware, which gives equal to better protection, and EMET 4.0 certificate pinning, is this software redundant?
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The app in the image filters the WriteProcessMemory API. That's not sufficient by a long shot. TDL3/4, ZeroAccess, Cridex (bootkits, rootkits) have free play on systems with those kinds of protections.

    When you have one of the above infections on a Trusteer system, the computer becomes unresponsive while Trusteer is battling the attack. Trusteer in most cases doesn't prevent the attack but tries to abort the attack. Trusteer is also incompatible with a lot of security software. And some AVs don't like other AVs on the same system either.

    Some AVs like Kaspersky are indeed able to block, but they work on the standard browsers, not the derived browsers like Pale Moon, Comodo Dragon, Maxthon, etc.

    And x64 systems have fewer capabilities to counter attacks due to PatchGuard; 32-bit systems can modify kernel code and structures while 64-bit cannot. This means that software X won't work as well on 64-bit systems. I guess that is why MRG chose to do tests on 32-bit systems?

    So in order to work on all browsers and all systems, with all AVs (no conflicts), we chose to just alert the user when the browser is compromised. Compatibility is key.

    But hang around this thread for future announcements ;)

    Hope this helps.
     
    Last edited: Aug 18, 2013
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Maybe I spoke too soon about this software. Anyone want to explain what these invalid hashes are about? I just downloaded and installed from the HMP web site this morning.
     

    Attached Files:

  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The DLL uses Page Hashes for integrity.
    http://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx

    Can you right-click the DLL and go to Properties, then Digital Signature tab?
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Sorry. Cannot do. Already uninstalled from my PC.
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I just checked mine out of curiosity and saw I have the same entries in Event Viewer. Digital Signature is OK though, here's the SHA-256 of the file:
    9B8FDA2AAD871D3AFFD03463CA7A1756CB1395ABF507701F1053913B642EBCDF
    v2.0.10.45 (x64)
    EDIT: Almost all Audit Failures in Event Viewer are about hmpalert.dll and always the one in \System32, never the one in \SysWOW64
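    A way to do the check erikloman and BoerenkoolMetWorst describe from a script, as an added example that is not from this thread or from the HitmanPro developers: it reports the Authenticode status, SHA-256 and file version of both hmpalert.dll copies, then pulls the Security-log code-integrity audit failures that name the DLL (event ID 5038 is Windows' "image hash not valid", 6281 its "page hashes not valid"). The two paths are assumed from post 14; run it from an elevated PowerShell, since reading the Security log needs administrator rights.

```powershell
# Added example: verify hmpalert.dll integrity and list Code Integrity audit failures.
# Paths assumed from post 14 (System32 and SysWOW64 copies on x64 Windows).
$dlls = @("$env:SystemRoot\System32\hmpalert.dll",
          "$env:SystemRoot\SysWOW64\hmpalert.dll")

foreach ($path in $dlls) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path : not present"
        continue
    }
    # Authenticode check: Status 'Valid' means signature and file content agree.
    $sig = Get-AuthenticodeSignature -FilePath $path
    # SHA-256 via .NET so this also runs on PowerShell 2.0 (Vista/Win7), which has no Get-FileHash.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { $digest = $sha.ComputeHash($stream) } finally { $stream.Close() }
    $hex = ([System.BitConverter]::ToString($digest)) -replace '-', ''
    $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion

    Write-Output ("{0}`n  version : {1}`n  signer  : {2}`n  status  : {3}`n  sha256  : {4}" -f
        $path, $ver, $sig.SignerCertificate.Subject, $sig.Status, $hex)
}

# Security-log audit failures raised by Code Integrity that mention the DLL.
# 5038 = image hash of a file not valid, 6281 = page hashes of an image not valid.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038, 6281 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'hmpalert\.dll' }

if (-not $events) {
    Write-Output 'No Code Integrity audit failures naming hmpalert.dll'
} else {
    # Show which copy each event refers to (post 14 reports only the System32 one).
    $events | Select-Object TimeCreated, Id,
        @{ Name = 'Copy'; Expression = {
            if ($_.Message -match '(System32|SysWOW64)\\hmpalert\.dll') { $matches[1] } else { 'unknown' } } } |
        Format-Table -AutoSize
}
```

    A 'Valid' signature together with repeated 6281 events points at a page-hash problem in how the file was signed rather than at tampering, which is the distinction erikloman's Page Hashes link is about.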
     
  15. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Where can I find which version of HMP.Alert I have installed?
     
  16. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I've started using this since it is out of beta. It appears to work, but I was wondering if it is necessary since I use AppGuard. Can my browser even be compromised since I use AppGuard?
     
  17. SpeedyPC

    SpeedyPC Registered Member

    Joined:
    Dec 27, 2010
    Posts:
    105
    Location:
    The Land of OZ (Australia)
    @ erikloman welcome back from your enjoyable holiday, and I hope it was long enough for you to relax. Just asking if you remember the bug you found during remote access from my laptop, just making sure you haven't forgotten. Take your time doing the complete bug investigation before releasing the new version.

    Cheers.
     
    Last edited: Aug 19, 2013
  18. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I've been using this a few days, and I think there is some sort of conflict with Malwarebytes Anti-Exploit Beta. The day I installed it, I would occasionally get a popup from MBAE saying it had blocked an exploit, right after opening Chrome. However, checking MBAE shows no information on any exploit blocked. I think it has to be something to do with HMPA since it didn't happen until I installed it.
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  20. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    How can I tell which version/build of HMP.Alert I'm using?

    Apparently, HMP.Alert auto updates just like HMP. However, because I use NVT ERP in lockdown mode, all of the updates are blocked. What do you suggest as a workaround for this?

    If there were a way to track the versions, I could probably manually update as necessary.
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Open "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe", and look at title bar. Or right-click > properties > details on "hmpalert.exe".

    You have to whitelist the path "C:\Users\TomAZ\AppData\Local\Temp\hmpalert_update.exe". Unfortunately, it's a temporary file (disappears right after update), so hash rules are extremely hard.

    SUMo (download lite or portable version) supports this software, like any other with detectable version in file properties and active users.
     
  22. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Thanks for the info. Because it's a temporary file, does this mean that each subsequent update will be blocked?
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Not if NVT ERP allows file path rules (like the format I used) where the file doesn't have to exist or be a specific hash. You can try a dummy file if it just doesn't need the same hash.

    Otherwise, you could try Recuva or training mode, but both require luck or at least a day's effort, and the file may change in future updates. This update only occurs on some browser startups, so I don't know when to expect it.
     
  24. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    I also noticed the multiple popup issue when the service is running properly. It is after I enabled "Enhanced Protected Mode" in Internet Explorer 10. I'm using Internet Explorer 10 in Windows 8 x64.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Wait a minute, so basically you're saying that just about all HIPS on WinXP 32-bit can't stop these banking trojans?
    And what about HIPS on Win7/8 64-bit?

    Just to clarify, I'm not talking about systems that are already infected, I can imagine it's quite hard for HIPS to protect a heavily infected machine. But HIPS should be able to stop banking trojans from infecting the system in the first place.

    It's clear to me that all these banking trojans make use of code injection, trying to hijack (or "hook") the browser, but sadly enough, in all these technical papers it's never explained how (and if) HIPS can stop this kinda stuff.

    Which areas should HIPS be monitoring? That's what I wonder about.

    http://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf
    http://www.autosectools.com/IAT-Hooking-Revisited.pdf
     