HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    See message #3755 from Erik in this thread:

    "A secure erase first overwrites the files with random data before it deletes the file (random and encrypted data look pretty much the same).
    This triggers CryptoGuard as it protected your files against malicious overwrite.

    Best is to disable CryptoGuard before performing a secure erase of your images and documents files."


    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-151#post-2452945
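Why a secure erase trips CryptoGuard, as an added illustration that is not the product's own logic (the quoted post does not describe how CryptoGuard decides): a simple byte-entropy measurement cannot tell a ransomware's ciphertext from a wipe tool's random overwrite, so both look like a "malicious overwrite". The sample document, the 7.0-bit threshold, the entropy-jump rule and the SHA-256 counter-mode keystream used as a stand-in cipher are all constructed assumptions.

```python
import hashlib, math, os

# Constructed sample document: repetitive text, roughly what an office file's bytes look like.
DOCUMENT = b"Quarterly report: revenue grew 4% while costs fell 2%. " * 40

def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for one repeated value, close to 8.0 for uniform random."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def keystream_encrypt(data, key):
    """Stand-in stream cipher (SHA-256 in counter mode); a real cipher gives the same picture."""
    stream, i = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def secure_erase_pass(data):
    """What a secure-erase tool writes over the file contents before deleting the file."""
    return os.urandom(len(data))

def looks_encrypted(before, after, threshold=7.0, jump=2.0):
    """Constructed guard heuristic: the rewritten bytes are high-entropy AND far above the original."""
    e0, e1 = shannon_entropy(before), shannon_entropy(after)
    return e1 >= threshold and e1 - e0 >= jump

def demo():
    """Same document rewritten three ways; only the unchanged copy passes the guard."""
    key = b"constructed-demo-key"
    return {
        "unchanged": looks_encrypted(DOCUMENT, DOCUMENT),
        "ransomware": looks_encrypted(DOCUMENT, keystream_encrypt(DOCUMENT, key)),
        "secure_erase": looks_encrypted(DOCUMENT, secure_erase_pass(DOCUMENT)),
    }
```

The two flagged cases are indistinguishable to the heuristic, which is exactly why the post advises disabling CryptoGuard for the duration of a deliberate wipe rather than expecting the guard to tell them apart.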
     
  2. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Thanks Victek. That was the exact post I was looking for too ;)
     
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Finally, I am trying HMP.A 3 (build 181).
    I installed it on my Windows 7 x64 notebook.
    My desktop still has Vista on it, which will be changed to Windows 7 in some weeks, after which I will install HMP.A 3 to that system as well.

    Back to the Windows 7 x64 notebook. A couple of observations:
    1.
    The installed HMP.A mentions "Exploit protection Assisted by hardware". I think that's odd.
    That notebook has an Intel Pentium P6200 processor.
    I understood the hardware assisted exploit protection was only for modern Intel processors, the Intel Core i3, i5 and i7 Processors.
    That would mean "Exploit protection Assisted by hardware" is not correct for this P6200 processor, so that would be a bug. Or did I misunderstand?
    2.
    I notice that the colored borders don't show with all maximized windows. Is that correct? (The flyouts show as expected.)
    For instance, the colored borders do show with maximized IE11 and WordPad, but don't show with maximized LibreOffice Writer, PDF-XChange Viewer and Windows Media Player.
    To me it's fine that the colored borders don't show with certain maximized windows, but I wonder if it's a bug.

    Oh, and one more observation:
    It is great to see how HMP.A doesn't slow the browser, as EMET does. Nice!
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    P6200 is an Arrandale CPU. This CPU is supported:
    http://en.m.wikipedia.org/wiki/Arrandale

    I will check out the maximized border issue.
     
  5. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    PLS help,
    to sort out a problem with an older computer, running WIN7-32-home, Pentium dual-core cpu.
    Windows was setup several years ago and running fine, until I upgraded from build178 to 181.
    Since that I lost my keyboard and can't logon.
    Uninstalling and reinstalling didn't help, nor did the uninstall tool that is buried in this thread somewhere.
    Disabling keystroke encryption and bad-usb protection didn't help either.

    What to do?
     
  6. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    Done, see what happens, thanks.
     
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Hey, that's nice.
    I think that in some earlier post you or Mark mentioned Arrandale support, but in other posts i3, i5 and i7 were mentioned and I forgot about Arrandale and just thought P6200 wasn't supported. Nice that it is supported!
    No hope for my Core2 Duo E8600, though. ;)

    Great, thanks very much.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Congrats on the release, looks very exciting. :thumb:

    I would still like to have more technical info about "Network Lockdown": how does it work exactly? Also, if I buy HMPA, I assume I don't have to install HitmanPro? Another thing, I was a bit annoyed by the article about HMPA on tweakers.net, perhaps you can make it clear to them that HMPA is a separate product.

    http://tweakers.net/nieuws/102378/h...e-intel-cpus-om-gebruikers-te-beschermen.html
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I had HMPA say it blocked an exploit attempt last night. Firefox, Java, and Flash are up to date on my machine. The log entry in Windows Event Viewer looked like the exploit was exploiting Firefox directly, or maybe Java Script. They were both up to date. I think I may have found a zero day exploit, but I lost the link to the page. It killed my browser, and I had multiple tabs open. Below is the entry from Windows Event Viewer.

    General View

    Mitigation ROP

    Platform 6.1.7601/x64 06_1a
    PID 31360
    Application C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Description Firefox 37.0.1

    Callee Type AllocateVirtualMemory
    0x07550000 (65536 bytes)

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    ?UnmarkGrayGCThingRecursively@JS@@YA_NVGCCellPtr@1@@Z RET ?UnmarkGrayGCThingRecursively@JS@@YA_NVGCCellPtr@1@@Z
    0x60C327B3 xul.dll 0x60C32A28 xul.dll

    ?UnmarkGrayGCThingRecursively@JS@@YA_NVGCCellPtr@1@@Z RET ?UnmarkGrayGCThingRecursively@JS@@YA_NVGCCellPtr@1@@Z
    0x60C32AE4 xul.dll 0x60C327A1 xul.dll

    ?ProfilingGetPC@js@@YAPAEPAUJSRuntime@@PAVJSScript@@PAX@Z RET ?UnmarkGrayGCThingRecursively@JS@@YA_NVGCCellPtr@1@@Z
    0x60D5735F xul.dll 0x60C32AE1 xul.dll

    ?ProfilingGetPC@js@@YAPAEPAUJSRuntime@@PAVJSScript@@PAX@Z * RET RtlCopyMemory()
    0x60D572D1 xul.dll 0x77A4E6F0 ntdll.dll
    4c DEC ESP
    8bd9 MOV EBX, ECX
    48 DEC EAX
    2bd1 SUB EDX, ECX
    0f829e010000 JB 0x77a4e89a
    49 DEC ECX
    83f808 CMP EAX, 0x8
    7262 JB 0x77a4e764
    f6c107 TEST CL, 0x7
    7437 JZ 0x77a4e73e
    f6c101 TEST CL, 0x1
    740c JZ 0x77a4e718
    8a040a MOV AL, [EDX+ECX]
    49 DEC ECX
    ffc8 DEC EAX
    8801 MOV [ECX], AL
    (E69D515EF37CBB33)


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 75E5EFA9 KernelBase.dll VirtualAllocEx +0x44
    2 75E5F01A KernelBase.dll VirtualAlloc +0x18

    3 60F5FD33 xul.dll ?GetBaseURI@LoadInfo@mozilla@@UAG?AW4tag_nsresult@@PAPAVnsIURI@@@Z
    833dec677a6200 CMP DWORD [0x627a67ec], 0x0
    8bf0 MOV ESI, EAX
    7409 JZ 0x60f5fd47
    f7451000200000 TEST DWORD [EBP+0x10], 0x2000
    7512 JNZ 0x60f5fd59
    833da06e7b6200 CMP DWORD [0x627b6ea0], 0x0
    740e JZ 0x60f5fd5e
    f7451000100000 TEST DWORD [EBP+0x10], 0x1000
    7405 JZ 0x60f5fd5e
    e8c4b4ffff CALL 0x60f5b222
    8bc6 MOV EAX, ESI
    5e POP ESI
    5d POP EBP
    c21000 RET 0x10

    4 60C32A33 xul.dll ?UnmarkGrayGCThingRecursively@JS@@YA_NVGCCellPtr@1@@Z

    Process Trace
    1 C:\Program Files (x86)\Mozilla Firefox\firefox.exe [31360]
    2 C:\Windows\explorer.exe [3724]
    3 C:\Windows\System32\userinit.exe [3468]
    4 C:\Windows\System32\winlogon.exe [1020]
    winlogon.exe

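The Event Viewer entry above follows a fixed layout: header fields, a branch trace in which one branch is marked with `*`, a stack trace with inline disassembly, and a process trace. As an added example that is not part of the original post or of HitmanPro.Alert, here is a small Python parser over an abridged copy of that entry; that `*` marks the branch the mitigation objected to is an assumption, and the sample is reduced to the lines needed to show the format.

```python
import re

# Constructed sample: the key lines of the HitmanPro.Alert "Mitigation ROP"
# event quoted above (symbols and addresses as posted there, abridged).
SAMPLE = r"""Mitigation ROP
PID 31360
Application C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Callee Type AllocateVirtualMemory
Branch Trace Opcode To
?UnmarkGrayGCThingRecursively@JS@@YA_NVGCCellPtr@1@@Z RET ?UnmarkGrayGCThingRecursively@JS@@YA_NVGCCellPtr@1@@Z
0x60C327B3 xul.dll 0x60C32A28 xul.dll
?ProfilingGetPC@js@@YAPAEPAUJSRuntime@@PAVJSScript@@PAX@Z * RET RtlCopyMemory()
0x60D572D1 xul.dll 0x77A4E6F0 ntdll.dll
4c DEC ESP
Stack Trace
1 75E5EFA9 KernelBase.dll VirtualAllocEx +0x44
2 75E5F01A KernelBase.dll VirtualAlloc +0x18"""

ADDR = re.compile(r"^0x([0-9A-Fa-f]+) (\S+) 0x([0-9A-Fa-f]+) (\S+)$")
FRAME = re.compile(r"^(\d+) ([0-9A-Fa-f]{8}) (\S+) (.*)$")
HEADER_KEYS = ("Mitigation", "Platform", "PID", "Application", "Description", "Callee Type")

def parse_hmpa_event(text):
    # Returns header fields plus lists of branch trace entries and stack frames.
    ev = {"branches": [], "stack": []}
    section, pending = "header", []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith(("Branch Trace", "Stack Trace", "Process Trace")):
            section = line.split()[0].lower()
            continue
        if section == "header":
            key = next((k for k in HEADER_KEYS if line.startswith(k + " ")), None)
            if key:
                ev[key] = line[len(key) + 1:]
        elif section == "branch":
            m = ADDR.match(line)
            if not m:              # symbol line (or disassembly): remember it
                pending = line.split()
                continue
            toks = [t for t in pending if t != "*"]   # assumed: '*' marks the offending branch
            if len(toks) == 3:
                ev["branches"].append({"from": toks[0], "opcode": toks[1], "to": toks[2],
                    "from_mod": m.group(2), "to_mod": m.group(4), "flagged": "*" in pending})
        elif section == "stack":
            m = FRAME.match(line)
            if m:                  # skips the inline disassembly under a frame
                ev["stack"].append((m.group(3), m.group(4)))
    return ev

def flagged_branch(ev):
    # The branch marked with '*', or None if the event has none.
    return next((b for b in ev["branches"] if b["flagged"]), None)
```

Run over the full entry, the parser lets you ask the questions that matter for triage: which API was being called (here a memory allocation), which return was flagged, and whether the flagged return landed in a different module than it came from.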
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Well, I found a bug mentioned in Firefox online when I did a search on UnmarkGrayGCThingRecursively. It was 2013 though. I wonder if a similar bug has appeared in the latest build of FF that triggered HMPA, or if maybe a hacker figured out a way to exploit an unknown bug in FF. There's always a chance of a false positive. I did not think so in this case, but maybe I was wrong.
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    You don't have to install HitmanPro....but, why not. HitmanPro UI has access to Settings and Kickstart. One license satisfies both. My experience is that HitmanPro scan is more informative than scan within HitmanPro.Alert. Granted, I haven't had a noteworthy detection....
     
    Last edited: Apr 9, 2015
  12. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Or it is just a false positive ;)
    Trust me, finding a zero-day that is being exploited in the wild is not very good for your heart :/
     
  13. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    How many are multiple? If you have browsing history enabled simply check the latest pages. Considering it really was a wild zero-day it could be hard to find it again though if it has been triggered through some third-party ads.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yeah, that's why I said there's always the chance it's a false positive. I'm not really worried about zero day exploits unless they are kernel level exploits. I think my security software would stop them, but I did just lose Online Armor. I have felt kind of naked without it. I never was able to find anything that could bypass OA. Even though OA did not block the exploit in the memory it always would block it before it was able to drop any binary payload. If the payload only infects the memory of the process it exploits then I'm not sure how much it could do. It would have a hard time spreading with my other security software.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think I had in the neighborhood of 8 tabs open. I was bored, and looking for a malicious site. I have my browser configured to delete all history when it closes so I could not check the history. I think I did recover 4 tabs without any hit on those pages. It could have been just a bug, but I was on sites that were giving me redirects to links to other domains. I had a good feeling I was going to find something. I did not really think of a zero day exploit at the time. It could have been a false positive, but you know sometimes when you have found a site that is going to have something malicious on it by all the redirects it throws at you.
     
  16. javagreen

    javagreen Registered Member

    Joined:
    May 2, 2005
    Posts:
    96
    Any discounted license I can take advantage of, in India? Being a student, funds are tight.
     
  17. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Search this forum thread on 'keyboard', several others had this problem too, me included.
    I did (if I remember well):

    1. Uninstall the old hpa
    2. Reboot
    3. Install new hpa build (b181)
    4. Immediately after install do a RESET settings (on hpa General settings menu)
    5. Reboot again

    That solved my keyboard problem when I went from b155 to I think b172!
     
    Last edited: Apr 10, 2015
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I run licensed HMPA, with MBAE Free and WSA and have this issue as well (as do others - see post #5032). Not everyone seems to have this issue, but in my case the issue is as follows. The issue is not MBAE because uninstalling this makes no difference. The issue is with WSA. One has to go to Identity Protection / Application Protection in WSA and change Chrome.exe from 'Protect' to 'Allow' (this is not necessary for FF and IE though), something I'd rather avoid as I would prefer default WSA 'Protect' status. The incompatibility is between HMPA and WSA Identity Protection. It would be good if Erik / Mark could check it out? (Incidentally hmpalert.exe is set to 'Deny' here also and has to be set to 'Protect' with every update).
     
  19. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Yay, finally out of beta! Installed, and still running fine.
     
  20. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    THX.
    Forgot to mention, that I already did the above procedure.
    Today I used Revo uninstaller, but this didn't help either.

    Using another keyboard works fine, but is not an option.

    Where does HMP.Alert store information, about already allowed keyboards?

    Is there an uninstaller, that removes all of HMP.Alert?
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I run WSA along with HMPA and with every update I go through Identity Protection, PC Security, and Utilities/System Control/Active Processes to "allow" HMPA; WSA will block/deny/protect each new build. FWIW I set HMPA to "allow" not "protect" because I don't want WSA interfering with HMPA (this is something we could discuss more in the WSA thread). Regarding Chrome I don't remember needing to remove WSA protection, but I'll check again.

    Edit: Chrome is protected in WSA on my Windows 7 x64 system and runs without problems.
     
    Last edited: Apr 10, 2015
  22. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    I am also curious about discounts.
     
  23. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Pretty stable build 181. No crashes till now. Older versions used to crash quite often (see jpeg).

    dmp.JPG
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You should be able to uninstall via Add/Remove Software or use hmpalert3.exe /uninstall
     
  25. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Yes, but did not solve the keyboard issue.
    When re-installed, HMP.Alert remembers my licence and leaves my keyboard nonfunctional.

    How to clear the known keyboard?
     