HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Victek

    Victek Registered Member

    Because the MS Office apps are actually using ROP. The quick fix is to turn off the "control flow integrity" code mitigation for the Office apps. Hopefully down the road a workaround can be implemented (white list maybe?) so that settings don't have to be changed in HMPA.
     
  2. AdamP

    AdamP Registered Member

    Is there a way to script or change this behavior at installation? What is the best way to make this change across multiple devices short of manually logging in to make the change?
     
  3. Victek

    Victek Registered Member

    Not that I'm aware of, but perhaps others will chime in.
     
  4. erikloman

    erikloman Developer

    We have noticed a ROP being triggered in Office since a recent update of Office. You may retry starting the Office application to resolve (it seems that the ROP is not triggered on some occasions). If it does not help, temporarily disable Control Flow Integrity on Word or Excel. Meanwhile we are looking at the issue. We are trying to resolve from either the cloud or via an update. In Alert 3.5 there are whitelisting options so that in the future this can be resolved automatically. Sorry for the inconvenience.

    Erik
     
  5. CeeBee

    CeeBee Registered Member

    As noted elsewhere, I'm running HitmanPro.Alert 2.6.5.77 for reasons of my choice. I also have a paid 3 PCs license for HMP 3.x (including HMPA), so, please don't suggest to upgrade to that version.

    Question: as of yesterday, when starting Firefox, I'm getting a forced upgrade attempt from the free HPA 2.6.5.77 to HPA 3.1.9.363. This happens both on my legacy XP computer and a laptop running Windows 7. In the case of the XP, the installation fails .. but, that's not the issue here. On my W7 laptop, the setup was messed up and I had to do some re-installs. Thanks guys! o_O

    What is this? A new policy of Sophos-Surfright to force-upgrade (silently) people still using the free version 2 to the paid for version 3? Again, I have a paid license for version 3 however use version 2 for reasons of my choice. Any way to stop/control this behavior? TIA.
     

    Last edited: Apr 13, 2016
  6. guest

    guest Guest

    a nice feature would be to add an "exclude" button on the alert pop-up.
     
  7. erikloman

    erikloman Developer

    This is a mistake! :eek::'(

    The 2.x binary was replaced by the 363 binary on the update server by a colleague. I have personally corrected the problem but already a few people were updated to 3.x build. Sadly the 2.x branch has no way to suppress the updater while the 3.x branch does have the /noupdate command line switch and NoUpdate registry key.

    My sincere apologies.

    Erik
     
  8. CeeBee

    CeeBee Registered Member

    Apology accepted! But, I do hope that the correction is in place next time I fire up my W7 laptop. I'm sure I'll do the upgrade to 3.x later on, but on my whim .. not by force. Thanks.
     
  9. test

    test Registered Member

    CVE-2016-1019 (April 2016) vs HitmanPro.Alert 3.0 (April 2015)

    https://www.youtube.com/watch?v=l270kRf7Iv4

    :thumb:

     
  10. JohnBurns

    JohnBurns Registered Member

    OK - I went ahead and manually updated HitmanPro Alert from 363 to 364. It seems to be running ok except I now am getting Event Viewer Warnings like the attached regularly. Something seems wrong and needs to be corrected. Can anyone tell me how to stop this short of uninstalling HMP Alert?
     

  11. Hiltihome

    Hiltihome Registered Member

    Today HMP.A auto-updated on 12 out of 14 machines, from build 360 to build 363.
    It failed on one machine, where auto-update failed several times before, on previous builds, for an unknown reason.
    HMP.A was still installed, but not running. When manually started, it showed degraded UI, missing all mitigations and licence.
    I installed build 364 over defective build 360, and now it's fine again...
    This particular machine has different software installed and running. For example a Go1984 client, that often caused trouble in the past.

    One machine hasn't updated yet, but shows no signs of failed update.
    I will not force update, nor manually install the latest build (364), maybe this machine wasn't rebooted for a while...
     
    Last edited: Apr 13, 2016
  12. Hiltihome

    Hiltihome Registered Member

    This is normal behavior, and does mean that there is no update available/rolled out yet.

    Build 363 is the latest build that is deployed over auto-update.
     
  13. JohnBurns

    JohnBurns Registered Member

    Thank you for that explanation - that relieves my concerns. I appreciate your post.
     
  14. Adric

    Adric Registered Member

    Under what circumstances does HMPA put files in \Windows\CryptoGuard and when do these files get purged?

    I have about 41 files there right now and some are a few weeks old. One example of files being placed there is when I install Shadow Defender. The eula.rtf ends up there and I'm curious as to why.
    Code:
    (FOLDER) C:\Windows\CryptoGuard
      (+)(FILE) 3F89E6E4 = 3/21/2016 23:45, 10131 bytes, A
    
     
  15. erikloman

    erikloman Developer

    Files are put there when an existing file is being opened for write. They should be deleted automatically.
     
  16. Peter2150

    Peter2150 Global Moderator

    Hmm, I have 181 files in that folder. May delete them and see what happens.
     
  17. JEAM

    JEAM Registered Member

    Just checked -- I have 4,090 items in that folder :eek: and they're all dated 6/6/2015. o_O
     
  18. deugniet

    deugniet Registered Member

    Here 117 items, latest 13-8-2014.
     
  19. XhenEd

    XhenEd Registered Member

    Checked mine. There's nothing else except 3 files in a folder created because of a Cryptoguard action against a shady program which happened almost 2 months ago.
     
  20. Page42

    Page42 Registered Member

    Build 363. Two 7x64 computers. Zero files in the CryptoGuard folder on one PC, four files on the other PC.
    Files are from Feb and April of this year.
     
  21. JEAM

    JEAM Registered Member

    I'm guessing it must be safe to delete such old files.
     
  22. paulderdash

    paulderdash Registered Member

    Yikes. Just checked mine - 90,312 files, 12.3GB all from 2016-01-04!
    Not sure what caused that, not aware that I was possibly hit by ransomware.
    Taking some time to delete :)
     
    Last edited: Apr 15, 2016
  23. hotlips69

    hotlips69 Registered Member

    I've got 429 files in this folder dating back to July 2014 to the present week.

    I've also got about a dozen sub-folders all starting with "reverted_"

    Can I delete them all safely?
     
  24. Dragon1952

    Dragon1952 Registered Member

    I have 12 files all less than 1 mb
     
  25. test

    test Registered Member

    yes, you can (delete it safely)...
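
A read-only way to check how much has accumulated in the folder discussed in posts 14 to 25, as an added example that is not part of any poster's message or of HitmanPro.Alert itself. The folder location and the `reverted_` prefix come from the thread; the parameter names and the 7-day staleness threshold are assumptions.

```powershell
# Read-only inventory of the CryptoGuard folder; nothing is deleted or modified.
# Folder path and "reverted_" prefix are taken from the thread.
# $StaleDays (default 7) is an assumed threshold, not a documented product value.
param(
    [string]$Path = (Join-Path $env:windir 'CryptoGuard'),
    [int]$StaleDays = 7
)

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Output "No CryptoGuard folder found at $Path"
    return
}

$cutoff = (Get-Date).AddDays(-$StaleDays)

# All files, including those inside sub-folders such as reverted_*.
$files = @(Get-ChildItem -LiteralPath $Path -File -Recurse -Force)

# Top-level sub-folders whose name starts with "reverted_" (mentioned in post 23).
$reverted = @(Get-ChildItem -LiteralPath $Path -Directory -Force |
    Where-Object { $_.Name -like 'reverted_*' })

# Files that were not cleaned up within the assumed window.
$stale = @($files | Where-Object { $_.LastWriteTime -lt $cutoff })

# Sum sizes by hand so an empty folder reports 0 instead of $null.
$bytes = 0
foreach ($f in $files) { $bytes += $f.Length }

$sorted = @($files | Sort-Object LastWriteTime)

# One summary object per machine, easy to collect into a CSV across a fleet.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Files           = $files.Count
    TotalMB         = [math]::Round($bytes / 1MB, 1)
    Oldest          = ($sorted | Select-Object -First 1).LastWriteTime
    Newest          = ($sorted | Select-Object -Last 1).LastWriteTime
    StaleFiles      = $stale.Count
    RevertedFolders = $reverted.Count
} | Format-List

# Per-month histogram: a single-day spike (as in posts 17 and 22) stands out here.
$files |
    Group-Object { $_.LastWriteTime.ToString('yyyy-MM') } |
    Sort-Object Name |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

A large count concentrated on one date is worth correlating with what was installed or run on that day before the files are cleared.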
     