HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    No problems thus far. W7 x64 and MS Office 2013.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    They're matching. When I select Cyberfox in the Alert GUI through Exploit Protection or Active Processes it also immediately shows a pop-up that the process needs to be restarted even though I didn't change any settings. Pressing Restart successfully restarts Cyberfox but the problem doesn't change and Alert shows the restart pop-up again.
    I also tried uninstalling Alert, rebooting and installing Alert again but that didn't help. Though after install it does pick up settings from before, such as Safety Notification at application startup and BadUSB protection enabled.
     
  3. Cactus5

    Cactus5 Registered Member

    Joined:
    Jan 17, 2015
    Posts:
    28
    Location:
    Southwest USA
    I am having a problem with HMP.A 3.1.9 Build 360, 363, 364 and 366 on one Windows 7 x64 laptop. I am not aware of any changes to this computer lately. HMP.A does not show a flyout for any of my browsers (IE11 x64, Firefox X64 45.0.2 and Chrome x64 50.0.2661.87) and I have no border that shows the protections nor does it show the encryption as I type. I have the flyout set to show every time for now and nothing shows up for browsers and some apps. Office 2013 apps show the flyout and border fine.

    I have uninstalled HMP.A several times via the /uninstall switch and rebooted, then installed different versions (Build 366, 364, 360 and was updated to 363) with no change. I have a Windows 7 x64 VM that works and compared a lot of the registry settings and they are identical.

    I have run scans from a few antimalware products, Emsisoft IS, Hitman Pro and some rootkit and other scanners with nothing found. Also reviewed logs of EIS and Windows, no cause found. I just uninstalled HMP.A and Hitman Pro also then start from scratch after a reboot. No browser flyout or colored border.

    I know this is not a problem with HMP.A as my Windows 10, Windows 8.1 and also my Windows 7 VM all work fine with the latest builds. I am open to suggestions on how to fix this one computer's behavior with HMP.A.

    Edit: also using Process Explorer I don't see the named pipe in any of the browsers and no block events anywhere.
     
  4. guest

    guest Guest

    Start a registry editor and navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert
    and look if you can find cyberfox.exe at the left side.
    Click on it, and at the right side you'll see the whole pathname listed for your cyberfox-executable.

    The pathname in the registry should match the executable you are starting.
     
  5. darkwolf_99

    darkwolf_99 Registered Member

    Joined:
    Oct 28, 2008
    Posts:
    36
    report
    366 works well with office 2016, SSF and SBie in win10 x64 10586
     
  6. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118
    366 in use here. No problems whatsoever. (I'm using Office 2016 64bit too.)
     
  7. Theblackstar

    Theblackstar Registered Member

    Joined:
    Mar 27, 2016
    Posts:
    36
    Location:
    Italia
    Hello Erik.

    I recently installed Nitro Pro 10; the software is automatically under protection of HPA.

    When it is running, Nitro Pro is not protected.

    Screenshot:

    http://postimg.org/image/fg1ioqrgn/

    http://postimg.org/image/hm50aq9on/

    I also report a problem with the components of Office 2010 (Word, Excel, PowerPoint, and WordPad), for which the protection board is not shown.

    HPA version: 319 build 364 | OS: Windows 10 Enterprise 2015 LTSB N - 64 Bit
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The problem is the 8.3 filename (with a ~) in it. We have fixed this in 3.5 (beta will hopefully go out soon). I'll try to port it back to 3.1. Keep an eye on this thread.
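
The registry-path check suggested earlier in the thread, and the 8.3 short-name problem named in the post above, can be combined into one triage step. This is an added example, not code from the thread or from HitmanPro.Alert; the function names and sample paths are constructed, and the alias test is a heuristic (the authoritative expansion is the Windows `GetLongPathNameW` call on the affected host).

```python
import ntpath
import re

# One 8.3 alias component: short base containing "~<digits>", extension of at most 3 chars.
SHORT_RE = re.compile(r"^[^\\/. ]{1,6}~\d{1,5}(\.[^\\/. ]{0,3})?$")

def split_parts(path):
    """Normalise case and separators the way Windows compares paths, then split."""
    norm = ntpath.normcase(ntpath.normpath(path))
    return [p for p in norm.split("\\") if p]

def is_short(component):
    """True if the component looks like an 8.3 alias such as PROGRA~1."""
    return bool(SHORT_RE.match(component))

def may_alias(short, long_name):
    """Heuristic: could `short` be the 8.3 alias of `long_name`?"""
    s_base, _, s_ext = short.partition(".")
    prefix = s_base.split("~")[0]
    l_base, l_ext = ntpath.splitext(long_name)
    squeezed = l_base.replace(" ", "").replace(".", "")
    return squeezed.startswith(prefix) and l_ext.lstrip(".")[:3] == s_ext

def compare_paths(configured, running):
    """Return 'match', 'mismatch', or 'needs-expansion' (differs only by 8.3 aliases)."""
    a, b = split_parts(configured), split_parts(running)
    if a == b:
        return "match"
    if len(a) != len(b):
        return "mismatch"
    for x, y in zip(a, b):
        if x == y:
            continue
        aliased = (is_short(x) and may_alias(x, y)) or (is_short(y) and may_alias(y, x))
        if not aliased:
            return "mismatch"
    return "needs-expansion"

# Constructed sample values: the path stored in the configuration vs. the running image path.
LONG = r"C:\Program Files\ExampleApp\ExampleApp.exe"
SHORT = r"C:\PROGRA~1\ExampleApp\EXAMPL~1.EXE"

if __name__ == "__main__":
    for stored in (LONG.upper(), SHORT, r"C:\Users\Public\ExampleApp.exe"):
        print(f"{stored!r:50} -> {compare_paths(stored, LONG)}")
```

A `needs-expansion` result means a plain string comparison of the two paths fails even though both may name the same file, so the stored path should be expanded to its long form before concluding that the protected application is misconfigured.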
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Yes, it's matching in both the GUI and the registry and Processes in Windows Task Manager.

    It's just the standard path on standard drive letter: C:\Program Files\Cyberfox\Cyberfox.exe

    I also tried Cyberfox in Safe Mode in case of an incompatible addon but that didn't help either.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Erik,

    Will our current Alert licenses activate 3.5 when it is released?

    Thanks.
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Er.. the HMP/HMP.A licenses are good for 1, 2 (last November's Black Friday offer), or 3 years.
    The licenses are not limited to a certain HMP/HMP.A version.
    I cannot imagine why that would be different for HMP.A 3.5.
    Am I missing the point, somehow?
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Thanks "Erik". :rolleyes:

    Not all companies use a licence system that allows for major updates. I was hoping for confirmation from the developers if this is or isn't the case for Alert.
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Have you tried resetting the settings (via the gear icon on the top right of the GUI)?
     
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    I'm sorry. It was not my intention to speak for Erik, of course.
    I was only pointing out what I think we know about HMP/HMP.A licensing.
    And I wondered if I was missing the point in what you were asking. Thanks for elaborating.
    Still, I cannot imagine the HMP/HMP.A license system wouldn't allow for major updates.
    I hope Erik will confirm there's no issue and that HMP/HMP.A licenses are valid for major updates, for the duration of the license.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I would guess and hope you are correct, but as we all know, SurfRight has been bought by Sophos, so it may not be wise to assume anything with regards to licenses. ;)
     
  16. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Come on, Krusty13!
    Your fear, even if right, is simply unlikely (/exaggerated)...

    :)
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    With acquiring SurfRight and its products, Sophos also acquired the commitments that were made by SurfRight before the acquisition. I would think Sophos would not be legally allowed to break the commitments that were made by SurfRight. But well, I'm not a lawyer.
    Perhaps Erik may answer your initial question, so you can be sure.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    That is my only question. I was never suggesting licenses would not be honoured, I just want clarification that 3.5 will be activated with our current licence.

    Is it that unreasonable to ask? Gees!
     
  19. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    No, of course not.
    That's why I said, I hope Erik can answer your question, so you can be sure.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    @test , @Stupendous Man ,

    The point probably is moot anyway as Erik has already posted in this thread since I asked so would have seen my question. By choosing not to answer I guess that IS the answer.

    Question withdrawn, your Honour. :ninja:
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Another ROP false positive in Outlook 2013
    *******************************

    Mitigation ROP

    Platform 10.0.10586/x64 06_5e
    PID 6100
    Application C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE
    Description Microsoft Outlook 15

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    0x6B2321DC MSO.DLL RET 0x6B2320ED MSO.DLL ^0074

    0x6B44ABE9 MSO.DLL ~ RET 0x6B44C55A MSO.DLL

    ?AuthHandlerSupportAutoLogonBasedOnURL@Http@Mso@@YAXXZ() RET 0x6B44C553 MSO.DLL ^0350
    0x6B22B4B9 MSO.DLL

    0x6B2827E0 MSO.DLL ~ RET 0x6B4451D7 MSO.DLL ^0001

    _MsoRegOpenKeyExW@16 +0x13a RET 0x6B2827E0 MSO.DLL ^02BB
    0x6B222963 MSO.DLL

    0x6B7EDB6E MSO.DLL ~ RET* 0x6B28277E MSO.DLL ^017A
    84c0 TEST AL, AL
    7435 JZ 0x6b2827b7
    8bce MOV ECX, ESI
    e83b87d400 CALL 0x6bfcaec4
    8bc8 MOV ECX, EAX
    e8e907d500 CALL 0x6bfd2f79
    85c0 TEST EAX, EAX
    7813 JS 0x6b2827a7
    6a00 PUSH 0x0
    8bce MOV ECX, ESI
    e893f6f800 CALL 0x6c211e30
    e327 JECXZ 0x6b2827c6
    06 PUSH ES
    f0a90000d089 TEST EAX, 0x89d00000
    07 POP ES
    57 PUSH EDI
    (28A2DAC93E03C905)


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 6B2320F8 MSO.DLL
    8bce MOV ECX, ESI
    8986ac000000 MOV [ESI+0xac], EAX
    e8d8000000 CALL 0x6b2321dd
    8bc6 MOV EAX, ESI
    5e POP ESI
    c3 RET

    2 6B44C67E MSO.DLL
    3 6B44C55F MSO.DLL
    4 6B4451E9 MSO.DLL
    5 00493A7C (anonymous; OUTLOOK.EXE)
    6 6B4749E4 MSO.DLL
    7 6B473652 MSO.DLL
    8 6B24D464 MSO.DLL
    9 6B23EF1E MSO.DLL
    10 6B23B45C MSO.DLL

    Process Trace
    1 C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE [6100]
    2 C:\Windows\explorer.exe [5904]
    3 C:\Windows\System32\userinit.exe [5792]
     
  22. Cactus5

    Cactus5 Registered Member

    Joined:
    Jan 17, 2015
    Posts:
    28
    Location:
    Southwest USA
    Erik, I did do the reset earlier today. No change. I think my next step is to restore the system disk to earlier in the week.

    I did restore, back to 9 April. HMP.A was working again. After I installed the April patch Tuesday updates, HMP.A is back to not working for the browsers, even after another reset. The build running is 364.

    Not sure which update is causing this, but it seems something bigger may be messed up. Other Windows 7 computers here are fine, one physical and one virtual. Perhaps it's about that time to reinstall Windows again unless you might have other suggestions Erik.
     
    Last edited: Apr 24, 2016
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    It seems my problem with 64 bit Cyberfox affects all 64 bit programs. LibreOffice and SumatraPDF are also affected. When I installed 32 bit Cyberfox it worked fine. Reinstalling the 64 bit version did not help.
    When I don't see a flyout and colored border, Process Explorer also shows no sign of hmpalert.dll
    IE11 by default has a 64 bit parent process with Medium integrity and a 32 bit child process with Low integrity. hmpalert.dll is only present in the 32 bit child process.
    Since older versions of Alert had compatibility problems with Outpost Firewall, I uninstalled it but it didn't help either.
     
  24. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    "Installing QuickTime Essentials (and deselecting the player) should by-pass the vulnerability" The QuickTime web browser plug-in is no longer installed by default and is removed if you have a previous version of QuickTime on your PC. If you still need this legacy plug-in, you can add it back using the custom setup option in the installer.

    https://feedback.photoshop.com/phot...no-longer-supported-by-apple?topic-reply-list[settings][filter_by]=all
     
  25. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,629
    For the moment, I've uninstalled HMP.Alert. It was regularly using too much CPU time for my liking.

    I've only got a Core 2 Duo processor in my laptop. If I had a fast processor then I'm sure the CPU use would be less and wouldn't be an issue. But, for at least the next few years, I'm going to stick with my aging Core 2 Duo Thinkpad, as it's more than fast enough for everything I need to use it for when security software isn't slowing it down.
     