HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. zagtastic

    zagtastic Registered Member

    thanks. wasn't that i doubt you, just in the habit of asking for sources (a good habit, in my experience). add that to the fact that emsi works with hmpa and doesn't ask me if i want it to decrypt ssl, and i'm sold.

    i actually imagine that'll leave me with a rather common security setup: emsisoft, hmpa, voodooshield. hopefully that'll cover me.
     
  2. guest

    guest Guest

    Voodooshield in your setup is redundant, Emsisoft has a behavior blocker which does what VS does, but if you really like VS, you can still keep it, but make sure to add exclusions properly to minimize any potential conflict.
     
  3. zagtastic

    zagtastic Registered Member

    thought the advantage of voodooshield is that it doesn't let things run (aka whitelist-style), as opposed to watching for specific behaviors. am i wrong there?
     
  4. XhenEd

    XhenEd Registered Member

    I don't think VS is redundant. VS acts as a pre-execution block, while Emsisoft may cover the post-execution. In fact, Dan, himself, would recommend Emsi as a companion of VS. :)

    Edit: we're off-topic, already. :D
     
  5. guest

    guest Guest

    you are correct. note that Emsi BB is also cloud based.

    True, my point was more that both will block the suspicious file at some point.

    clearly lol
     
  6. stapp

    stapp Global Moderator

    Let's get back on track here now.

    HMPAlert discussion.
     
  7. Ashanta

    Ashanta Registered Member

    @erikloman

    HMPro Alert blocks Internet Explorer.
    Reason : Attack intercept

    Check PM.
     
  8. Duotone

    Duotone Registered Member

  9. XhenEd

    XhenEd Registered Member

  10. NiteRanger

    NiteRanger Registered Member

    Hi Erik

    I'm using HMPA 3.6.3 build 586

    2 issues

    1) It always identifies NoBot as a trojan during HMP scanning. NoBot is available as below

    https://toolslib.net/downloads/viewdownload/302-nobot/

    2) Many of my MS WORD documents are now 'Attack Intercepted' by HMPA after I changed and tried to save them. End result is changes not saved. It says

    'Microsoft Word 16' has been terminated to prevent execution of malicious code. Please check your computer for malware and software updates. When I expanded the Technical Details it shows a long page of programming text

    When I scanned with HMP it identifies NoBot as a trojan (see item 1 above)

    Zemana, Emsisoft and MalwareBytes Antimalware do not detect NoBot as malware, nor the presence of any other malware.

    FYI, I have no such problem with the earlier version and my MS Office 365 is of latest update

    Can help?

    Thanks
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Hi NiteRanger,

    Regarding that second issue,
    it may be helpful to Erik if you could indicate
    what your Windows version is, exactly,
    what antivirus program you use,
    if you use any other realtime security applications, and if so, which,
    and the exact alert you get - You can copy alert details from Event Viewer.

    To get Alert details from Event Viewer:
    Open the HMPA user interface, and click "Number of alerts", or "Last alert", that will open Windows Event Viewer.
    This takes a moment as a HMPA module is added to Event Viewer.
    In Event Viewer, in the HitmanPro.Alert Events section, information can be seen regarding HMPA events.
    Are there entries to be found regarding the mentioned issue?
    If so, please select all text, use Ctrl+C to copy the selected text, and paste it in a personal message to @erikloman (or in a next reply in this thread, whatever you prefer).
    That information can be helpful to Erik to find out what exactly is the issue.
    N.B.
    When pasting the copied text from Event Viewer in a personal message to Erik (or in a next reply in this thread), probably best put it between [CODE] [/CODE]
     
  12. NiteRanger

    NiteRanger Registered Member

    Thanks and doing now
     
  13. NiteRanger

    NiteRanger Registered Member

    OK, here's the capture from Event Viewer

    I'm using Windows 10 Pro 64-bit

    Real-time security programs are Comodo Firewall + Emsisoft Anti-Malware (Paid) + Zemana AntiLogger (Paid) + AppGuard (Paid) + VS (Free)

    My Windows OS and ALL my security programs are of the latest updates
     
    Last edited: Feb 21, 2017
  14. Socio

    Socio Registered Member

    Thanks!
     
  15. Influenza

    Influenza Registered Member

    Thanks mood and hamo for your answers.
    Another question: does Safe Money work well with HMP.A?
     
  16. simmersK00L

    simmersK00L Registered Member

    HMP.A and kis_2017 run ok together on my win7x64.
     
  17. simmersK00L

    simmersK00L Registered Member

    Yes on my win7.
     
  18. Rasheed187

    Rasheed187 Registered Member

    BTW, can you perhaps comment on the new ASLR bypass method, will it make it easier to bypass exploit mitigations, or doesn't it really matter?

    https://www.vusec.net/projects/anc/
     
  19. rei

    rei Registered Member

    I'm getting conflicting, contradictory answers from Sophos Support agents who don't seem to know their InterceptX module well on the Sophos Central product so I thought I'd try asking here in hopes of a semi-official answer from Erik.

    We have corporate document scanning/conversion software that is being temporarily flagged by Sophos Central's HMPA-cum-InterceptX product as "ransomware-like" (only for a few hours and then it unflags the executable). I know precisely why it is being flagged as such: the document conversion software is mass-converting scanned images into PDF files. Apparently doing less than 40 pages worth of PDF conversion (over the network) won't set off the InterceptX flagging it as a ransomware risk but doing 40+ will. However, the 40 page threshold at which it triggers is much too low a number to allow our staff to be productive.

    Without disabling anti-ransomware InterceptX entirely, is it possible to whitelist the EXE? We've been told Global Scanning Exclusions whitelisting does NOT apply to InterceptX/anti-ransomware by well-meaning but sort of clueless tier 1 support people, only for virus/malware-scanning.
     
  20. Victek

    Victek Registered Member

    CryptoGuard in HMPA responds to encryption-like behavior. I don't believe it matters what is triggering the behavior which is why white-listing doesn't help. Maybe PM Erik to get a definitive response :thumb:
     
    Last edited: Feb 23, 2017
  21. eddiewood

    eddiewood Registered Member

    What about turning off Network Lockdown? Does that help?
     
  22. rei

    rei Registered Member

    Yeah it's the "converting PDF over the network" behaviour that's being flagged. I'm hoping to get a public answer on if it's possible before having to bother Erik via PM.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Sounds like a good idea, it should be possible to white-list certain apps.
     
  24. rei

    rei Registered Member

    While this is a HMPA option that can be disabled, I don't think the Sophos Central usage of the HMPA engine allows for something this granular to be toggled.
     
  25. askmark

    askmark Registered Member

    I've checked our Sophos installation and the only network related setting which can be controlled is:
    Not sure if this would turn off Lockdown or not :(
     