HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    I'm still getting a lot of ROP alerts on Youtube on Firefox with build 193 and WSA ID shield. Btw, I didn't mention before that it's a supported i3 processor.
     
  2. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    As an addition, MBAE and HMPA should offer roughly the same level of protections. Running both tools alongside of each other will probably not result in additional exploit protection.
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    Manually updated to v3.0.45 build 193, and rebooted to complete installation. All seems OK.

    Those two unexpected detections from a HMP scan at boot that I reported here yesterday, are no longer showing.
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems with Flash 18.0.0.194 and Sandboxie beta 4.19.4 (W7 64 bits/build 193).
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The webcam notifier hasn't even whitelisted the Windows 10 Skype app... Once the notification didn't show up and I ended up with an empty screen.
     
  6. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Java Blocked Process False Positive

    Description:
    When downloading a SWF file using a browser and JPEXS Free Flash Decompiler is configured to directly open SWF files when you click one and a downloaded SWF file is opened directly from the browser then an alert will be triggered.

    This issue has been verified using IE11, Chrome and Firefox. (It may be necessary to enable an extra confirmation prompt on download so you can change an extension to .swf)

    How to reproduce:
    1. Make sure that JPEXS Free Flash Decompiler has been installed and that a SWF file will be opened in the decompiler when you double click on it in File Explorer.
    2. Download a SWF file using any web browser. (In my case I was downloading a sample from malwr.com and renamed it from XXX.bin to XXX.swf)
    3. Open the downloaded SWF file directly from the browser.
    4. A 'BlockedProcess' alert will now be shown when JPEXS Free Flash Decompiler tries to start.



    Trace from analysis machine:
    Mitigation BlockedProcess

    Platform 6.3.9600/x64 06_3c
    PID 5332
    Application C:\Program Files\Java\jre1.8.0_45\bin\javaw.exe
    Description Java(TM) Platform SE binary 8.0.45

    Filename of the process blocked:
    C:\Users\<SNIP>\AppData\Local\Temp\javactivex_1435164784704.exe

    Command line:
    "C:\Users\<SNIP>\AppData\Local\Temp\javactivex_1435164784704.exe" 1435164785051

    Process Trace
    1 C:\Program Files\Java\jre1.8.0_45\bin\javaw.exe [5332]
    "C:\Program Files\Java\jre1.8.0_45\bin\javaw.exe" -Xmx4937m -Djava.net.preferIPv4Stack=true -jar "C:\Program Files (x86)\FFDec\ffdec.jar" "C:\Users\<SNIP>\Downloads\<SNIP>.swf"

    2 C:\Program Files (x86)\FFDec\ffdec.exe [7696]
    "C:\Program Files (x86)\FFDec\ffdec.exe" "C:\Users\<SNIP>\Downloads\<SNIP>.swf"

    3 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7272]
    4 C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.130\delegate_execute.exe [7912]
    "C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.130\delegate_execute.exe" -Embedding
     
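A triage helper for the alert trace format shown in the post above, added here as an example; it is not part of the original post and not SurfRight's code. The field layout is taken from the posted trace; the browser name list, the reading of higher-numbered entries as ancestors, and the function names are assumptions.

```python
import re

# Constructed sample: the trace as posted, with unrelated header fields dropped.
SAMPLE = r'''Mitigation BlockedProcess
Application C:\Program Files\Java\jre1.8.0_45\bin\javaw.exe
Filename of the process blocked:
C:\Users\<SNIP>\AppData\Local\Temp\javactivex_1435164784704.exe
Process Trace
1 C:\Program Files\Java\jre1.8.0_45\bin\javaw.exe [5332]
"C:\Program Files\Java\jre1.8.0_45\bin\javaw.exe" -Xmx4937m -Djava.net.preferIPv4Stack=true -jar "C:\Program Files (x86)\FFDec\ffdec.jar" "C:\Users\<SNIP>\Downloads\<SNIP>.swf"
2 C:\Program Files (x86)\FFDec\ffdec.exe [7696]
"C:\Program Files (x86)\FFDec\ffdec.exe" "C:\Users\<SNIP>\Downloads\<SNIP>.swf"
3 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7272]
4 C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.130\delegate_execute.exe [7912]
"C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.130\delegate_execute.exe" -Embedding
'''

ENTRY = re.compile(r'^(\d+)\s+(.+?)\s+\[(\d+)\]$')   # "N <image path> [pid]"
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}  # assumption: names treated as browsers

def parse_alert(text):
    """Return the blocked file and the numbered process chain from an alert trace."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    alert = {"blocked": None, "chain": []}
    in_trace = False
    for i, line in enumerate(lines):
        if line.startswith("Filename of the process blocked") and i + 1 < len(lines):
            alert["blocked"] = lines[i + 1]
        elif line == "Process Trace":
            in_trace = True
        elif in_trace:
            m = ENTRY.match(line)
            if m:   # new chain entry; its command line (if any) is on the next line
                alert["chain"].append({"image": m.group(2), "pid": int(m.group(3)), "cmdline": None})
            elif alert["chain"]:
                alert["chain"][-1]["cmdline"] = line
    return alert

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(alert):
    """Summarise the facts an analyst needs to judge a BlockedProcess alert."""
    names = [basename(e["image"]) for e in alert["chain"]]
    return {
        "blocked_in_temp": "\\appdata\\local\\temp\\" in (alert["blocked"] or "").lower(),
        "launcher": names[0] if names else None,              # entry 1: process that was stopped
        "opened_via": names[1] if len(names) > 1 else None,   # assumed direct parent
        "browser_ancestor": next((n for n in names[1:] if n in BROWSERS), None),
    }
```

For the posted trace this reports javaw.exe starting an executable from the user's Temp folder, opened via ffdec.exe, with chrome.exe further up the chain, which matches the reproduction steps in the post.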
  7. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems with Sandboxie 4.20 (W7 64 bits/build 193).
     
  8. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    81
    Location:
    Kissimmee, FL
    I updated 5 different Windows 7 Pro Dell computers today. All 5 had 2.6.5.77 and I installed 3.0.45.193 on top of the old version. On two of the computers when I rebooted, I could only type one character of the password at the login screen, then the keyboard would no longer respond. On those two I had to restart in safe mode and uninstall HMPA 2.6.5.77, reboot and install HMPA 193 again. They all had Dell wired USB keyboards; one was model kb212-b, the other was KB113.
     
    Last edited: Jun 26, 2015
  9. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    I had exactly the same behavior on one PC that had a Cherry mid-size keyboard, without separate F11 and F12 keys.

    I reported this and it was fixed with build 187.

    Your Dell keyboard seems to have a standard layout, at least model kb212-b.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Erik,
    I've just restored my machines to factory condition and I just heard the alert sound when a device isn't working properly on one so I checked Device Manager and there wasn't any problems, but I did notice that the Teredo Tunneling Pseudo-interface was not included with Network Adapters. I remember HMP.A used to disable the adapter and I'm wondering if newer versions of HMP.A remove the adapter all together?
    Thanks.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The adapter isn't removed, only disabled.
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    After the uninstall of 2.6 and reinstall of 3.0 did the issue resolve?
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Confirmed. We are debating on how we can solve this without punching a hole in the protection.
     
  14. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    81
    Location:
    Kissimmee, FL
    Yes
     
  15. Cactus5

    Cactus5 Registered Member

    Joined:
    Jan 17, 2015
    Posts:
    28
    Location:
    Southwest USA
    Running build 193 and yesterday while on banking/insurance site got warning that Chrome x64 43.0.2357.130 was compromised and not to enter any personal or financial data after I had already logged in. I did not capture the screen (will always do from here forward :(). I did the scan with Hitman Pro and nothing. Then closed Chrome and used Firefox 38.0.5 with no problem or warning on the same site. The HitmanPro.Alert GUI shows no alerts and there is nothing in the event logs about this happening.

    Second thing is my PDF editor, NitroPDF Pro 9, will not show the flyout nor the colored border regardless of the template I use for it, and I tried them all including the test template. I seem to recall some issues with PDF readers/editors mentioned in the past but was unable to find them, only the mentions of the PDFExchange issue. So is this a known issue that I missed seeing?
     
  16. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    Hi Erik, did you receive my PM sent last week?

    Edit: Received, thank you very much!
     
    Last edited: Jun 28, 2015
  17. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    I'm getting errors in the event log regarding HMPA checks for update: "Checks for update has failed try again in 120 min". The problem is regardless of how long my PC is on for, I still get this event, i.e., over 6 hours of PC runtime, 3 errors. Not sure why this is happening. I'm currently using build 190, which is the latest. I reformatted my PC a week ago and I reinstalled build 190, so I'm not sure the update mechanism of HMPA actually works regardless of the error.

    regards.
     
  18. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Is there a chance this feature might be coming soon? I haven't updated from build 187, hoping the auto updater would do its magic. ;)

    In case the auto updater isn't ready to be rolled out yet -- is it better, currently, to manually update over 187, or to uninstall 187 and then install 190?

    Thanks!
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    OK, thanks.

    It's just odd that the adapter isn't listed in Device Manager now on my two machines where before it was there with a yellow exclamation point.
     
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    The update feature is already in HMPA.
    But it's up to SurfRight to decide if and when new builds are offered by auto update.
    I don't know if HMPA 3.0.45.193 was offered for auto update as Erik announced for Friday June 18 or Monday June 22, or that that update was put on hold for some reason.
    If you don't want to wait, you can update by manually installing build 193 over 187 (you will be asked to reboot). There is no need to uninstall 187 first.
     
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    The latest build is HMPA 3.0.45.193.
    However, it's up to SurfRight to decide if and when new builds are offered by auto update.
    If you don't want to wait for auto update, you can update by manually installing build 193 over 190 (you will be asked to reboot).
     
    Last edited: Jun 28, 2015
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Have you tried View -> Show hidden devices?
     
  23. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Ah, thanks for that. I had no idea. erikloman's tag still says 190. I wonder if mine will auto update considering I have issues as mentioned earlier.

    Thanks again. I'll wait and see what it does.

    regards.
     
  24. PallMall

    PallMall Guest

    I'm running HMP.Alert 3.0.41.187 and have had no auto-update since it was released on SurfRight's download page. I installed manually then to find out there was an issue related to the AZERTY keyboard which I mentioned here a week ago.

    I will not manually install updates anymore, even if made available on SurfRight's download page. I'll wait for the auto-update considering that the delay between the official release and that of the auto-update may be valuable for last minute concerns. In my case it would have been better to wait since 193 is problematic.
     
  25. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Thanks very much for the info!
     