HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  3. oceanclub

    oceanclub Registered Member

    Joined:
    Aug 24, 2013
    Posts:
    4
    Location:
    Ireland
    Hi there,

    Hope this is the right forum; I recently installed HitmanPro.Alert. However, it keeps thinking Dropbox.exe is a virus:

    Is there a way to configure it to ignore Dropbox?

    P.
     

    Attached Files:

  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Hi and welcome to the forum. What kind of files are you synchronizing? In our testing we tested Dropbox and did not find issues. What kind of files are in the C:\Windows\CryptoGuard\ folder? Can you send one of the files to erik(at]surfright.com?
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ erikloman

    I have been reading about ransomware, and I recall that the "Enumerate files" feature in Online Armor could stop certain ransomware trojans proactively. Could you perhaps test it against the newest CryptoLocker versions? And would it make sense to add such a feature to HitmanPro.Alert, or is it already robust enough? :)
     
  6. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Any ETA on HitmanPro.Alert, version 3.0?
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    2Q2014
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Alert detects and prevents mass encryption of files. That already includes detecting "enumeration" of files by a malicious process.

    Or do you mean something different? Maybe you can provide more details about what is meant by "enumerate files" feature (I have no knowledge of Online Armor).
     
  9. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Thanks erikloman :thumb:
     
  10. oceanclub

    oceanclub Registered Member

    Joined:
    Aug 24, 2013
    Posts:
    4
    Location:
    Ireland
    Hi Erik,

    Checking that folder, there are approximately 200 files in there, all with names of 8 random alphanumerics. Sizes from a few bytes to 13MB.

    There's also a few folders with names like reverted_20140421_1804_7104. Looking in these folders, I see JPGs with zero bytes (aka 2014-04-20 19.06.08.jpg). The naming looks like the photo naming scheme used with iPhone, which Dropbox syncs to my desktop. I note with relief the original "2014-04-20 19.06.08.jpg" file is still in C:\Users\{account}\Dropbox\Camera Uploads and still looks OK. I'm going to uninstall HitmanPro for now. Is there a particular file I should send?

    EDIT: I note that once I deleted HitmanPro, Dropbox has stopped continually updating and is now in sync.
    P.
     
    Last edited: May 10, 2014
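The mechanism discussed above (erikloman: detect mass modification of files by one process; oceanclub: a cache of pre-write copies under C:\Windows\CryptoGuard\ and reverted_... folders, plus a sync client that got caught in the net) can be modelled in a few dozen lines. The following is an added example written for this page, not HitmanPro.Alert's or SurfRight's code, and everything in it (the entropy cutoff, the burst threshold and window, the magic-byte table, the paths and process IDs, the constructed JPEG-like sample data) is an assumption chosen for illustration. It shows why a per-process burst of high-entropy overwrites is a usable ransomware signal, why an entropy-only version of that heuristic trips on a sync client rewriting already-compressed photos, and how keeping a pre-write copy lets the guard roll the damage back once it decides to act.

```python
"""Toy CryptoGuard-style mass-encryption detector (added example, not HitmanPro.Alert code).

Every threshold, path, pid and sample file below is an assumption made for the demo.
"""
import math
import os
import random
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.0   # bits/byte; ciphertext and compressed data sit near 8.0 (assumed cutoff)
BURST_COUNT = 5           # suspicious overwrites by one process before we intervene (assumed)
WINDOW_SECONDS = 10.0     # sliding window for the per-process burst counter (assumed)

# Magic-byte prefixes for the types mentioned in the thread (JPEG, DOCX); assumed table.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".docx": b"PK\x03\x04"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def header_matches(path: str, data: bytes) -> bool:
    """True if the extension is unknown to us or the file still starts with its magic bytes."""
    sig = MAGIC.get(os.path.splitext(path)[1].lower())
    return sig is None or data.startswith(sig)


class CryptoGuardSim:
    """In-memory 'disk' plus a pre-write cache, mirroring the CryptoGuard folder idea."""

    def __init__(self, check_magic: bool = True):
        self.check_magic = check_magic      # False = naive entropy-only heuristic
        self.disk = {}                      # path -> current content
        self.cache = {}                     # path -> copy taken before the first overwrite
        self.touched = defaultdict(set)     # pid -> paths that pid overwrote
        self.bursts = defaultdict(deque)    # pid -> timestamps of suspicious writes
        self.blocked = set()                # pids whose writes are now refused
        self.reverted = {}                  # "reverted_<ts>_<pid>" -> {path: restored bytes}

    def seed(self, path: str, data: bytes) -> None:
        self.disk[path] = data

    def is_suspicious(self, path: str, new: bytes) -> bool:
        if shannon_entropy(new) < ENTROPY_THRESHOLD:
            return False                    # plain text, small files, zero-filled writes: ignore
        if self.check_magic:
            return not header_matches(path, new)   # a JPEG that is still a JPEG is fine
        return True                         # entropy-only: every dense overwrite counts

    def write(self, pid: int, path: str, data: bytes, ts: float) -> str:
        if pid in self.blocked:
            return "blocked"
        old = self.disk.get(path)
        if old is None:
            self.disk[path] = data
            return "created"                # new files carry no data to lose
        self.cache.setdefault(path, old)    # keep the pre-write copy once per path
        self.disk[path] = data
        self.touched[pid].add(path)
        if not self.is_suspicious(path, data):
            return "ok"
        q = self.bursts[pid]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= BURST_COUNT:
            self._revert(pid, ts)
            return "reverted"
        return "suspicious"

    def _revert(self, pid: int, ts: float) -> None:
        """Block the offender and restore every file it touched from the pre-write cache."""
        self.blocked.add(pid)
        restored = {p: self.cache[p] for p in self.touched[pid] if p in self.cache}
        self.disk.update(restored)
        self.reverted[f"reverted_{int(ts)}_{pid}"] = restored


def simulate(check_magic: bool, writer_keeps_header: bool, n_files: int = 8):
    """Seed n_files constructed JPEG-like photos, then let one process overwrite each.

    writer_keeps_header=True models a sync client writing valid (re-encoded) JPEGs;
    False models ransomware writing ciphertext. Returns (per-write statuses, files intact).
    """
    rng = random.Random(7)                  # constructed sample data, deterministic
    blob = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    guard = CryptoGuardSim(check_magic=check_magic)
    originals = {}
    for i in range(n_files):
        path = f"C:/Users/me/Dropbox/Camera Uploads/2014-04-20 19.06.{i:02d}.jpg"
        originals[path] = b"\xff\xd8\xff" + blob(2048)
        guard.seed(path, originals[path])
    statuses = []
    for i, path in enumerate(originals):
        payload = (b"\xff\xd8\xff" if writer_keeps_header else b"") + blob(2048)
        statuses.append(guard.write(pid=4242, path=path, data=payload, ts=i * 0.5))
    intact = sum(guard.disk[p] == d for p, d in originals.items())
    return statuses, intact


if __name__ == "__main__":
    print("ransomware, magic check :", simulate(True, False))
    print("sync client, magic check:", simulate(True, True))
    print("sync client, entropy only:", simulate(False, True))
```

With the magic-byte check on, the ransomware run is flagged on its first four writes, reverted on the fifth and refused thereafter, and all eight photos end up with their original bytes; the sync client's writes pass as "ok". With the entropy-only heuristic the sync client is treated exactly like the ransomware: its valid JPEGs are rolled back into a reverted_ bucket and the process is blocked, which is the kind of loop a client would then try to re-sync its way out of. The practitioner's takeaway is that "high entropy" alone is not a ransomware signal on a folder of photos or archives; the detector needs a second feature (type-preservation here, in real products more than that) before it acts.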
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you send one JPG file FROM the reverted_nnn folder? (A non-zero file).
     
  12. oceanclub

    oceanclub Registered Member

    Joined:
    Aug 24, 2013
    Posts:
    4
    Location:
    Ireland
    Will do. I've also been analysing the 8-character files without an extension using TRID (http://mark0.net/soft-tridnet-e.html). The biggest is a DOCX file, others look like JPGs too.

    EDIT: So looking at those files, the vast majority are JPGs - and all are from my SkyDrive (OneDrive) folder which is even stranger.

    P.
     
    Last edited: May 10, 2014
  13. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Hi,

    Can I use HMPA with Sandboxie? Will HMPA work fully in a sandboxed Firefox? Will it compromise any of the Sbie's functions?
     
  14. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    No problems with Sandboxie. Only when you want to securely delete a sandbox using, for example, SDelete.exe could you get an alert from HmP.Alert.

    Edit: read this if you encounter a problem with HmP.Alert and Sandboxie: https://www.wilderssecurity.com/thre...discussion-thread.324841/page-50#post-2341351
     
    Last edited: May 11, 2014
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I was just wondering if you were using the same technique, apparently you do. :)

    I read about it in this old thread:

    https://www.wilderssecurity.com/threads/gpcode-trojan-versus-hips.298048/
     
  17. BlackHawk1

    BlackHawk1 Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    33
    Can someone please explain the differences between HitmanPro Alert, Malwarebytes Anti-Exploit, and CryptoPrevent? Should/can all 3 of these be used together or is one duplicating protection in some instances? Are all 3 effective against Cryptolocker? Thank you.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ BlackHawk1

    They all use different methods trying to stop ransomware. If I'm correct all 3 can be used together. :)

    HitmanPro.Alert monitors all processes for suspicious behavior, so if ransomware tries to modify files, it tries to stop it. The question is how robust this method is, so far I haven't found any extensive anti-ransomware tests.

    Malwarebytes Anti-Exploit tries to stop your browser (and some other vulnerable apps) from being hijacked, because if your browser gets compromised, it might be able to launch ransomware. However, if you launch ransomware yourself, it can't stop it, it's not designed to do this.

    CryptoPrevent tries to do the same as MBAE, but in a different way. It can't stop your browser from being hijacked, but it can probably still stop ransomware from loading. I'm not a fan of this method.
     
    Last edited: May 24, 2014
  19. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    @ erikloman
    @ markloman

    Dear Erik and Mark Loman, SurfRight,

    March 23, I reported a HitmanPro.Alert Windows Vista logoff issue.
    March 28, the same issue was reported by pimjoosten.
    April 8, SurfRight fixed that HMP.A Vista logoff issue.

    And now I wonder, can the way that Vista logoff issue was fixed in HMP.A be linked to a new login/logoff issue that I have been experiencing since then and that only occurs with the (first and/or second?) reboot after Windows Updates?
    That issue occurred after the May 1 and after the May 13 Windows Updates.
    The issue is the "Windows could not connect to the System Event Notification Service" issue.

    Symptoms:
    Windows login fails and results in a "Windows could not connect to the System Event Notification Service" message. A forced reboot is required.
    Or Windows login succeeds, but the Windows Aero environment is missing, and a "Windows could not connect to the System Event Notification Service" message pops up from the Windows System Tray, and logoff results in a long hang.

    What I did to try to correct this "Windows could not connect to the System Event Notification Service" issue:
    1.
    Boot with Vista DVD and run Startup Repair.
    (No issues were found.)
    Reboot.
    2.
    netsh winsock reset
    netsh winsock reset catalog
    netsh int ip reset reset.log hit
    Reboot.
    3.
    C:\Windows\ServiceProfiles\LocalService\AppData\Local
    Rename FontCache-System.dat --> FontCache-System.old
    Reboot.
    4.
    sfc /scannow
    (No issues were found.)

    With some luck, step 2 or 3 resolved the issue.
    However, for now, I cannot be sure the issue won't be back after the June 10 Windows Updates.

    If the issue is somehow related to the HMP.A Vista fix of April 8, the issue may be back again June 10.

    Another possible cause may be G Data 2015's new "Exploit Protection".
    For now, I can't rule out that possibility, either.

    I must see whether the "Windows could not connect to the System Event Notification Service" issue will reoccur after the June 10 Windows Update.
    If so, then I can disable HMP.A for the July 8 Windows Update and see if the issue does or does not reoccur.
    If the issue would reoccur with HMP.A disabled, then I can disable G Data 2015's Exploit Protection for the August 12 Windows Update and see if the issue does or does not reoccur.
    But you can imagine that if by any chance there might be a relation with HMP.A, I would like to know sooner, without the need to wait till July 8 to be sure.

    It would be nice if SurfRight could see if the April 8 HitmanPro.Alert fix for the earlier Vista logoff issue could be the cause of this new "Windows could not connect to the System Event Notification Service" issue that I have been experiencing.


    Thank you very much
    and best regards.


    ---------
    System:

    Windows Vista Ultimate SP2 x86

    HitmanPro.Alert 2.6.5.77

    G Data Internet Security 2015, with its new "Exploit Protection"

    EMET 4.1 Update 1:
    --
    DEP: Application Opt Out (though without any applications opted out from DEP)
    SEHOP: Always On
    ASLR: Application Opt In
    Pinning: Enabled
    --
    Protection Profile: Popular Software
    --
    Application Configuration\ Mitigation Settings: Deep Hooks, Anti Detours, Banned Functions
     
    Last edited: May 25, 2014
  20. Homer712

    Homer712 Registered Member

    Joined:
    Jun 7, 2013
    Posts:
    33
    Location:
    USA
    I purchased HitmanPro little over a year ago and just renewed. I also have HitmanPro Alert installed. When I went up on the HitmanPro web site I read that HitmanPro Alert now includes CryptoPrevent. I had installed CryptoPrevent well before I ever installed HitmanPro or HitmanPro Alert and just plain forgot about it. Should I uninstall it seeing how HitmanPro Alert now includes this feature? Is there any possible interaction?
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    HitmanPro Alert includes CryptoGuard not CryptoPrevent - different software, similar goal.
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    HitmanPro.Alert includes CryptoGuard, that is not the same as CryptoPrevent.

    I'm not sure.
    I think Erik or Mark can best answer that.
     
  24. pimjoosten

    pimjoosten Registered Member

    Joined:
    Mar 28, 2014
    Posts:
    36
    Location:
    Amsterdam, The Netherlands
    Hello Stupendous Man,

    I have Vista Ultimate 32-bit, HMPA 2.6.5 and have experienced no issue at all with the Windows Updates you mention. Everything works and went fine. I have even applied the Windows Updates twice, as at a certain moment I had to rollback my computer using an image from before the May 13 Windows Updates. In my case HMPA does not seem to cause any issues.

    Best regards.
     
  25. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Thanks very much for your reply, pimjoosten.

    That doesn't rule out the possibility that on my Vista system the April 8 HMP.A fix for the earlier Vista logoff issue could be a factor in the recent login/logoff issue that I mentioned, but it certainly makes it less likely.
    If the issue would be back, G Data 2015's new "Exploit Protection" may potentially be the cause and would need further investigation.

    Thanks again for your reply.
     