HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    124
    Location:
    N/A
    Will it be an optional feature or forced for all?
     
  2. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    uh? :confused:
     
  3. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Build 365 seems to have no problems in my laptop. Will report if an issue arises.
    But, I haven't experienced the "false positives on Office" previously, anyway. :)
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,239
    Location:
    Among the gum trees
    I don't use Office so didn't have the false positive but 365 installed and working fine here.

    Cool to see the cloud update too! :cool:
     
  5. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    So build 365 fixes an issue with Office 365? ;)
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    After installing build 365 and re-enabling CFI on Office 2013 apps HMPA terminated Excel stating ROP mitigation.
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you post the tech details?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    365 is working well on Win 7 x64 here. Still issues with PowerDVD15, but easily handled.
     
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Didn't save them, sorry. I have re-enabled CFI and if I can replicate the crash will post the details.
     
  10. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,629
    Whenever I launch Ability Write 6, HMP terminates it.

    My question again, is there any way to get HMP to prompt for what action to take, rather than terminating processes it sees as being harmful automatically?
     
  11. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    No...
    You can switch (globally) to audit mode via gear icon in advanced interface (not recommended) or disable (in the meantime) the 'interfering' mitigation per-process...
     
  12. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,629
    @test Thanks. I figured that it was not possible, which is a shame.
     
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Erik, don't forget to check the issue that some have encountered with Chrome (freezes of around 5 seconds when loading pages that contain embedded video or widgets, as stated here and confirmed in these sentences: 1, 2, 3).

    Txs in adv
    my pleasure
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I was able to replicate the intercept with Publisher 2013 and HMPA build 365. I'm not certain, but it only seems to happen when opening an Office application for the first time. After that the apps open without incident.

    Here are the technical details:

    Mitigation ROP

    Platform 10.0.10586/x64 06_5e
    PID 9900
    Application C:\Program Files\Microsoft Office 15\root\office15\MSPUB.EXE
    Description Microsoft Publisher 15

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    0x5A891FCC MSO.DLL RET 0x5A891EDD MSO.DLL ^00A3

    0x5AAA7A96 MSO.DLL ~ RET 0x5AAA9035 MSO.DLL

    ?AuthHandlerSupportAutoLogonBasedOnURL@Http@Mso@@YAXXZ() RET 0x5AAA902E MSO.DLL ^038C
    0x5A88A469 MSO.DLL

    0x5A8E1B8A MSO.DLL ~ RET 0x5AAA2F1A MSO.DLL ^0001

    _MsoRegOpenKeyExW@16 +0x13a RET 0x5A8E1B8A MSO.DLL ^01E5
    0x5A882973 MSO.DLL

    0x5BC58D8E MSO.DLL ~ RET* 0x5A8E1B28 MSO.DLL ^0196
    84c0 TEST AL, AL
    7435 JZ 0x5a8e1b61
    8bce MOV ECX, ESI
    e805d0d400 CALL 0x5b62eb38
    8bc8 MOV ECX, EAX
    e81c4fd500 CALL 0x5b636a56
    85c0 TEST EAX, EAX
    7813 JS 0x5a8e1b51
    6a00 PUSH 0x0
    8bce MOV ECX, ESI
    e81f845401 CALL 0x5be29f66
    53 PUSH EBX
    0100 ADD [EAX], EAX
    a0171d0630 MOV AL, [0x30061d17]
    8907 MOV [EDI], EAX
    57 PUSH EDI
    (A6CB9F9717C50949)


    0x5B5B7596 MSO.DLL ~ RET* 0x5BC58D8E MSO.DLL ^07E6
    c20400 RET 0x4


    0x5BEB115B MSO.DLL ~ RET 0x025D92DA (anonymous; MSPUB.EXE) ^001C

    0x5BF8C717 MSO.DLL RET 0x5BEB1145 MSO.DLL ^0001

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 5A891EE8 MSO.DLL
    8bce MOV ECX, ESI
    8986ac000000 MOV [ESI+0xac], EAX
    e8d8000000 CALL 0x5a891fcd
    8bc6 MOV EAX, ESI
    5e POP ESI
    c3 RET

    2 5AAA9146 MSO.DLL
    3 5AAA903A MSO.DLL
    4 5AAA2F2C MSO.DLL
    5 025D11F1 (anonymous; MSPUB.EXE)
    6 5AACF1E9 MSO.DLL
    7 5AACD534 MSO.DLL
    8 5A8AEB95 MSO.DLL
    9 5A89EBB9 MSO.DLL
    10 5A89C929 MSO.DLL

    Process Trace
    1 C:\Program Files\Microsoft Office 15\root\office15\MSPUB.EXE [9900]
    2 C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [5744]
    "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /restart:0389654F46F80671
    3 C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1396]
    "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /service
     
    Last edited: Apr 19, 2016
  15. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    Win 10 64bit. F-Secure. Appguard.
    Upgrade to 365 works flawlessly. No problems with Excel and Word. I didn't have problems with them on 364 either.
     
  16. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    On 3.1.9-363, had to disable ROP mitigation for this app ...

    Mitigation ROP

    Platform 6.1.7601/x86 06_3a
    PID 1184
    Application C:\Program Files\Adobe\Photoshop Elements 14\PhotoshopElementsEditor.exe
    Description Photoshop Elements 14 Editor 14

    Callee Type LoadLibrary

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 75C2B2AE KernelBase.dll
    2 75C0BD2D KernelBase.dll LoadLibraryExA +0x26
    3 7662DE47 kernel32.dll LoadLibraryA +0x32

    4 3936CAD8 (anonymous; PhotoshopElementsEditor.exe)
    8945dc MOV [EBP-0x24], EAX
    837ddc00 CMP DWORD [EBP-0x24], 0x0
    681e5a3639 PUSH DWORD 0x39365a1e
    52 PUSH EDX
    e9cd2cedff JMP 0x3923f7b7

    5 393C9F53 (anonymous; PhotoshopElementsEditor.exe)
    6 0095043A PhotoshopElementsEditor.exe
    7 03C537CB PhotoshopElementsEditor.exe
    8 03C516DD PhotoshopElementsEditor.exe
    9 03C5164B PhotoshopElementsEditor.exe
    10 03E28DBB PhotoshopElementsEditor.exe

    Process Trace
    1 C:\Program Files\Adobe\Photoshop Elements 14\PhotoshopElementsEditor.exe [1184]
    "C:\Program Files\Adobe\Photoshop Elements 14\PhotoshopElementsEditor.exe" -specifier pseeditor-14.0 -nostartupscreen
    2 C:\Program Files\Adobe\Elements 14 Organizer\PhotoshopElementsOrganizer.exe [3464]
    3 C:\Program Files\Adobe\Photoshop Elements 14\WelcomeScreen\Adobe Photoshop Elements 14.0.exe [3248]
    4 C:\Windows\explorer.exe [3700]
    5 C:\Windows\System32\userinit.exe [2176]
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.1.9 Build 366 PreRelease

    It was a bit hard to reproduce yet we found another false positive triggered in Microsoft Office. This build introduces a fix for it. If you had issues starting Microsoft Word or Excel, please update to this build.

    Changelog
    • Fixed ROP false positive in Microsoft Office.
    Download
    http://test.hitmanpro.com/hmpalert3b366.exe
     
  18. mirage22

    mirage22 Registered Member

    Joined:
    Apr 20, 2016
    Posts:
    51
    Are we talking of a feature coming in version 3.5?
     
  19. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    124
    Location:
    N/A
    No issues here when trying Microsoft Office 2016 (Word, Excel) with HMP.A Build 364.
     
  20. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Build 366 doesn't seem to have a noticeable problem right now. Will report if something bad happens.
    I haven't encountered the MS Office FP, anyway. :)
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA


    Cannot reproduce the ROP false positive with Office 2013 apps using build 366; looking good :thumb:
     
  22. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I'm sure this must be a false positive, but a scan of c:\windows\system32\drivers\hmpnet.sys (HitmanPro.Alert TDI Driver) at VirusTotal came back with 8 of 56 positive, including ESET-NOD32 and McAfee. I am used to seeing the occasional 1-offs from obscure AV companies, but this is puzzling ...

    ~ Removed VirusTotal Results as per Policy - PM Developer ~
     
    Last edited by a moderator: Apr 20, 2016
  23. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Installing over the top does not work well for me anymore, so I uninstalled first this time and then installed 366.
     
  24. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Thanks, was not aware of the policy, and understand the reason for such policy. But as a licensed user of HMPA, my post was related to the use of HitmanPro.Alert, not to either praise or bash the anti-virus scanners involved.

    Thought the info could be useful to other users or to the devs, that C:\windows\system32\drivers\hmpnet.sys (HitmanPro.Alert TDI Driver) potentially conflicts with other security software. About 15% of the AV scanners at VirusTotal flagged it, so not pointing at just one AV company.

    If you run any of the affected AV scanners realtime on your PC, it probably would not be a bad idea to check out your exclusion settings ...
     
    Last edited: Apr 20, 2016
  25. saenta

    saenta Registered Member

    Joined:
    Mar 29, 2016
    Posts:
    4
    Location:
    Germany
    Hi, getting a false positive if I try to start Awesomenauts 3.1 Beta (3.0 is working).

    Starting through Steam:
    Mitigation Lockdown

    Platform 10.0.10586/x64 06_4e
    PID 15080
    Application C:\Program Files (x86)\Steam\Steam.exe
    Description Steam Client Bootstrapper 1.0

    Filename C:\Program Files (x86)\Steam\steamapps\common\Awesomenauts\Beta\AwesomenautsLauncher.exe
    Created By C:\Program Files (x86)\Steam\Steam.exe

    Command line:
    "C:\Program Files (x86)\Steam\steamapps\common\Awesomenauts\Beta\AwesomenautsLauncher.exe"

    Process Trace
    1 C:\Program Files (x86)\Steam\Steam.exe [15080]
    "C:\Program Files (x86)\Steam\Steam.exe" -silent
    2 C:\Windows\explorer.exe [15268]
    3 C:\Windows\System32\userinit.exe [11008]
    4 C:\Windows\System32\winlogon.exe [8724]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    5 C:\Windows\System32\smss.exe [9072]
    \SystemRoot\System32\smss.exe 000000fc 00000074 C:\WINDOWS\System32\WinLogon.exe -SpecialSession

    Starting through exe:
    Mitigation Lockdown

    Platform 10.0.10586/x64 06_4e
    PID 14016
    Application C:\Windows\explorer.exe
    Description Windows-Explorer 10

    Filename C:\Program Files (x86)\Steam\steamapps\common\Awesomenauts\Beta\AwesomenautsLauncher.exe
    Created By C:\Program Files (x86)\Steam\Steam.exe

    Command line:
    "C:\Program Files (x86)\Steam\steamapps\common\Awesomenauts\Beta\AwesomenautsLauncher.exe"
     