HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
Obviously, when the AtomBombing attack is targeting an application protected by Exploit Mitigations, like a web browser or productivity application, it is terminated by our HMPA. However, Dridex v4 does not use the AtomBombing trick in internet-facing applications. Instead it spawns svchost.exe, spoolsv.exe or another existing trusted program – one that is a core part of your operating system – to hide itself in. Also, Dridex v4 isn't using a Stack Pivot to take over the flow of code execution :isay:
     
  2. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    txs a lot for your brief analysis :)

    If you have something more to add (maybe a short movie??)...

    Process hollowing does not play any role here?
     
  3. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    news?
    Have you whitelisted these "FPs" or is there something deeper to fix?
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    A fix is currently being tested internally. Stay tuned and sorry for the inconvenience.
     
  5. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    81
    Location:
    Kissimmee, FL
I have three customers getting these on Word and Excel; one is claiming he lost his entire Word document because of this. Windows 10

    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_5e
    PID 15128
    Application C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    Description Microsoft Word 16

    Violation 04F7CBB3 is calling RECOVR32.CNV IAT funcptr kernel32.dll!GetProcAddress


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 04F7CBB3 WPFT532.CNV
    ff1544e0f704 CALL DWORD [0x4f7e044]
    8bf0 MOV ESI, EAX
    85f6 TEST ESI, ESI
    754e JNZ 0x4f7cc0d
    ff155ce0f704 CALL DWORD [0x4f7e05c]
    8b3578e1f704 MOV ESI, [0x4f7e178]
    8945f0 MOV [EBP-0x10], EAX
    85f6 TEST ESI, ESI
    7416 JZ 0x4f7cbe8
    8d45d0 LEA EAX, [EBP-0x30]
    8bce MOV ECX, ESI
    50 PUSH EAX
    6a04 PUSH 0x4
    ff1504e1f704 CALL DWORD [0x4f7e104]
    ffd6 CALL ESI
    8bf0 MOV ESI, EAX

    2 04F7B933 WPFT532.CNV
    3 04F614E4 WPFT532.CNV GetReadNames +0x1a
    4 100BE05C WWLIB.DLL
    5 100BD61D WWLIB.DLL
    6 100BE0FD WWLIB.DLL
    7 100BDD7B WWLIB.DLL
    8 100BDC7A WWLIB.DLL
    9 1010AAAC WWLIB.DLL
    10 1010CA31 WWLIB.DLL

    Process Trace
    1 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [15128]
    "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Commit\commit-shared\rotary\Golf2016\Income-and-Expenditure-Report-for-District-Grant.doc" /o ""
    2 C:\Windows\explorer.exe [6308]
    3 C:\Windows\System32\userinit.exe [7152]
    4 C:\Windows\System32\winlogon.exe [96]
    winlogon.exe

    Thumbprint
    75ac7d763978993127aed515d31787dbd24e2d75ce823c7200365613e7cbd0ed
     
  6. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Weird. Latest desktop version Skype (or second-latest) 7.33.0.105 seems to require me to disable "Control Flow Integrity" (prevents ROP attacks) to open/close.
     
  7. mirage22

    mirage22 Registered Member

    Joined:
    Apr 20, 2016
    Posts:
    51
    Hi, I had one of these Black Screen of Deaths for Outlook. Twice.

    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_3a
    PID 13372
    Application C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    Description Microsoft Outlook 16

    Violation 511BB2E9 is calling BitsProxy.dll IAT funcptr kernel32.dll!GetModuleHandleW


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 511BB2E9 mscss7en.dll
    ff1588801e51 CALL DWORD [0x511e8088]
    a390f81f51 MOV [0x511ff890], EAX
    85c0 TEST EAX, EAX
    7413 JZ 0x511bb30b
    6850c11e51 PUSH DWORD 0x511ec150
    50 PUSH EAX
    ff1534801e51 CALL DWORD [0x511e8034]
    a324f81f51 MOV [0x511ff824], EAX
    eb05 JMP 0x511bb310

    2 511A6D0B mscss7en.dll
    3 5B685C5A msproof7.dll
    4 5B685EFE msproof7.dll
    5 635089B2 Mso98win32client.dll
    6 63508893 Mso98win32client.dll
    7 635084EC Mso98win32client.dll
    8 63508438 Mso98win32client.dll
    9 6980B8A5 WWLIB.DLL
    10 6980AB0C WWLIB.DLL

    Process Trace
    1 C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [13372]
    2 C:\Windows\explorer.exe [7688]
    3 C:\Windows\System32\userinit.exe [7588]
    4 C:\Windows\System32\winlogon.exe [980]
    winlogon.exe

    Thumbprint
    b91e6bccb3009e5c52e62ebad0c04c237afdb15e1da57fba5a69d2133de4f652

    --------------
    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_3a
    PID 11240
    Application C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    Description Microsoft Outlook 16

    Violation 5B796B34 is calling zipfldr.dll IAT funcptr kernel32.dll!GetModuleHandleW


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 5B796B34 mce.dll
    ff1588817e5b CALL DWORD [0x5b7e8188]
    50 PUSH EAX
    ff158c817e5b CALL DWORD [0x5b7e818c]
    85c0 TEST EAX, EAX
    740d JZ 0x5b796b52
    56 PUSH ESI
    8d4dfc LEA ECX, [EBP-0x4]
    51 PUSH ECX
    ffd0 CALL EAX
    83f87a CMP EAX, 0x7a
    7501 JNZ 0x5b796b52
    46 INC ESI
    893518f1835b MOV [0x5b83f118], ESI
    33c0 XOR EAX, EAX
    85f6 TEST ESI, ESI
    0f9fc0 SETG AL

    2 5B7C49B8 mce.dll
    3 5B7C4D7C mce.dll
    4 5B7C4AAF mce.dll
    5 5B7C5296 mce.dll
    6 5B7C31E9 mce.dll
    7 5B7BCBE6 mce.dll
    8 5B7A84BA mce.dll
    9 5B7A8472 mce.dll
    10 5B78F090 mce.dll

    Process Trace
    1 C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE [11240]
    2 C:\Windows\explorer.exe [9940]
    3 C:\Windows\System32\userinit.exe [16616]
    4 C:\Windows\System32\winlogon.exe [15820]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    5 C:\Windows\System32\smss.exe [19888]
    \SystemRoot\System32\smss.exe 00000110 0000007c C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    6 C:\Windows\System32\smss.exe [456]
    \SystemRoot\System32\smss.exe

    Thumbprint
    6b50a24daa4176ece7b227c246b1b963115004f6a9ce3f8b6137eacc54548b01
     
  8. mirage22

    mirage22 Registered Member

    Joined:
    Apr 20, 2016
    Posts:
    51
    I also had a Black Screen of Death when trying to print using Microsoft's PDF Driver inside an Adobe PDF document.

    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_3a
    PID 17052
    Application C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Description Adobe Acrobat Reader DC 15.23

    Violation 7566B51C is calling coml2.dll IAT funcptr KernelBase.dll!GetModuleHandleW


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 7566B51C coml2.dll
    ff152c416a75 CALL DWORD [0x756a412c]
    85c0 TEST EAX, EAX
    7423 JZ 0x7566b549
    8b45fc MOV EAX, [EBP-0x4]
    8b00 MOV EAX, [EAX]
    ff30 PUSH DWORD [EAX]
    ff3594306a75 PUSH DWORD [0x756a3094]
    ff1550606a75 CALL DWORD [0x756a6050]
    8b4dfc MOV ECX, [EBP-0x4]
    85c0 TEST EAX, EAX
    74c6 JZ 0x7566b506
    c60598306a7501 MOV BYTE [0x756a3098], 0x1
    ebbd JMP 0x7566b506

    2 7565ACC2 coml2.dll
    3 7565970C coml2.dll StgOpenStorageOnILockBytes +0x1ac
    4 75E06B7B windows.storage.dll
    5 75E06CF1 windows.storage.dll
    6 75E069A3 windows.storage.dll
    7 75DA5DEA windows.storage.dll
    8 75DA4D3C windows.storage.dll
    9 75D6E2EB windows.storage.dll
    10 75D6E20E windows.storage.dll

    Process Trace
    1 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe [17052]
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\AAAA\BBBB\Good (Interactive).pdf"
    2 C:\Windows\explorer.exe [8364]
    C:\WINDOWS\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
    3 C:\Windows\System32\svchost.exe [544]
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    4 C:\Windows\System32\services.exe [376]

    Thumbprint
    791143e53d9d8286798db0a39472f03c2eaa204ac927ed20ea0f8745e923d3b7

    -----------
    All of this on the latest 586 Build.
     
  9. bigjeff22

    bigjeff22 Registered Member

    Joined:
    Mar 14, 2017
    Posts:
    3
    Location:
    North America
    Hello,

    Mitigation Lockdown

    Platform 6.1.7601/x64 v586 06_2a
    PID 6164
    Application C:\Program Files (x86)\Opera\launcher.exe
    Description Opera Internet Browser 43

    Filename C:\Windows\TEMP\opera autoupdate\installer.exe
    Created By C:\Program Files (x86)\Opera\launcher.exe

    Command line:
    "C:\Windows\TEMP\opera autoupdate\installer.exe" --version

    Process Trace
    1 C:\Program Files (x86)\Opera\launcher.exe [6164]
    "C:\Program Files (x86)\Opera\launcher.exe" --scheduledautoupdate $(Arg0)
    2 C:\Windows\System32\taskeng.exe [5068]
    taskeng.exe {AC38EE92-C750-4AC6-BC11-FAF72C624E1D} S-1-5-18:NT AUTHORITY\System:Service:
    3 C:\Windows\System32\svchost.exe [1120]
    C:\Windows\system32\svchost.exe -k netsvcs

    Thumbprint
    404fdae13ef6be263d6175f6bdbfce27118e178f5ca74c08bf40597d21dc0bdc
     
  10. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
Is there any way to block automatic product updates, if you wish to always update HMPA manually? o_O
     
  11. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    maybe via firewall (if you can, avoid this road)...
    1, 2, 3
Hope this helps :)
     
  12. guest

    guest Guest

    Yes, it is possible. But if you block it with a firewall, HMP.A isn't able to connect to the cloud.
    For example: "false positives like this will be solved from the cloud so that no program update is needed #9399 / #12926"
You can modify the registry to block product updates (see below)
     
  13. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Thanks for the info! I tested the firewall control, and one thing is for sure, HMPA fails to download the HitmanPro scanner if you block the network. If you install HitmanPro locally, it will run OK with HMPA blocked at the firewall.

    But I'm not actually planning to block the upgrades at this time, as I have been installing the RC versions for HMPA anyway. I was just wondering how to do it, so if at some point I felt the need to lock my PC down I could do it.

I have a few other applications where the developers have made this option hard to find. I suppose it's thanks to the dummies who never update o_O
     
  14. guest

    guest Guest

    If needed, upgrades can be blocked for HitmanPro too:
Or it can't be deactivated by the user.
    Sometimes blocking it with a firewall is the only solution.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
There is another way. Opera is terrible about that. It uses a program launcher to fire up an autoupdate (which can't be turned off) and then fires up Opera itself. What I did was first point the shortcut to Opera itself and then renamed all the exe files involved in the auto update process. Works like a charm
     
  16. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
I get it. I have performed my share of hacks to control unruly software. But don't you think it would be great if all developers were to adopt some code of conduct that they would make all auto starts, data collection, and auto upgrades on an opt-in basis only? o_O
     
  17. LW19

    LW19 Registered Member

    Joined:
    Sep 19, 2016
    Posts:
    8
    Location:
    Germany
    "False Positive" Excel under XP-SP3

    Typ: Fehler
    Quelle: HitmanPro.Alert
    Ereignis-ID: 911
    Ereigniszeit: 16.03.2017 10:01:55
    Benutzer: n/z
    Computer: PCVH049
    Beschreibung:
    Mitigation IAF
    Platform 5.1.2600/x86 v586 06_2a
    PID 496
    Application C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE
    Description Microsoft Office Excel 11
    Violation 04D0603F is calling WINSPOOL.DRV IAT funcptr kernel32.dll!WinExec
    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 04D0603F LMACBC4Z.DLL
    ff151811ce04 CALL DWORD [0x4ce1118]
    8b8d08ffffff MOV ECX, [EBP-0xf8]
    51 PUSH ECX
    ff154811ce04 CALL DWORD [0x4ce1148]
    837df800 CMP DWORD [EBP-0x8], 0x0
    740a JZ 0x4d06062
    8b55f8 MOV EDX, [EBP-0x8]
    52 PUSH EDX
    ff154811ce04 CALL DWORD [0x4ce1148]
    83bd04ffffff00 CMP DWORD [EBP-0xfc], 0x0
    740d JZ 0x4d06078
    8b8504ffffff MOV EAX, [EBP-0xfc]
    50 PUSH EAX
    ff154811ce04 CALL DWORD [0x4ce1148]
    837df000 CMP DWORD [EBP-0x10], 0x0
    740a JZ 0x4d06088

    2 04D04C96 LMACBC4Z.DLL
    3 04CF1E0A LMACBC4Z.DLL
    4 7E5A9711 unidrvui.dll
    5 7E5A9786 unidrvui.dll DrvDocumentEvent +0x65
    6 04FA6E4C winspool.drv DeviceCapabilitiesW +0x1a8
    7 04FA6DB2 winspool.drv DeviceCapabilitiesW +0x10e
    8 77F086FD gdi32.dll
    9 77F25FD1 gdi32.dll
    10 303781D4 EXCEL.EXE
    Process Trace
    1 C:\Programme\Microsoft Office\OFFICE11\EXCEL.EXE [496]
    2 C:\WINDOWS\explorer.exe [240]
    3 C:\WINDOWS\system32\userinit.exe [4080]
    4 C:\WINDOWS\system32\winlogon.exe [656]
    winlogon.exe
    Thumbprint
    802d3193e0d5240cd14c0f31c4c30dcb316b685d56ecbfccf999d4ff243840a8
     
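As an added example that is not from any poster here or from the HMPA vendor, a small parser for the IAF report format pasted in posts 5, 7, 8 and 17, pulling out what a responder looks at first: which module made the call, whose IAT entry it went through, which API was reached, and the parent process chain. The sample report is constructed from the shape of those posts; the EXEC_APIS grouping and the chain labels are my own triage heuristics, not HMPA's logic.

```python
import re

# Constructed sample in the format of the HitmanPro.Alert IAF reports posted in this thread.
SAMPLE = r"""Mitigation IAF
PID 15128
Application C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Violation 04F7CBB3 is calling RECOVR32.CNV IAT funcptr kernel32.dll!GetProcAddress
Stack Trace
1 04F7CBB3 WPFT532.CNV
ff1544e0f704 CALL DWORD [0x4f7e044]
Process Trace
1 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [15128]
"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\docs\report.doc"
2 C:\Windows\explorer.exe [6308]
3 C:\Windows\System32\userinit.exe [7152]
4 C:\Windows\System32\winlogon.exe [96]
Thumbprint
75ac7d763978993127aed515d31787dbd24e2d75ce823c7200365613e7cbd0ed
"""

VIOLATION_RE = re.compile(r"^Violation ([0-9A-Fa-f]+) is calling (\S+) IAT funcptr (\S+)", re.M)
FRAME_RE = re.compile(r"^\d+ [0-9A-Fa-f]{8} (\S+)", re.M)   # "1 04F7CBB3 WPFT532.CNV"
PROC_RE = re.compile(r"^\d+ (.+?) \[(\d+)\]$", re.M)         # "2 C:\Windows\explorer.exe [6308]"
# Process-starting APIs weigh more than module/symbol lookups (assumed grouping, not HMPA's).
EXEC_APIS = {"WinExec", "CreateProcessA", "CreateProcessW", "ShellExecuteA", "ShellExecuteW"}

def _section(text, start, end):  # body between header `start` and header `end` (or end of text)
    i = text.index(start) + len(start)
    j = text.find(end, i)
    return text[i:j if j != -1 else len(text)]

def parse_iaf_alert(text):
    addr, owner, api = VIOLATION_RE.search(text).groups()
    frames = FRAME_RE.findall(_section(text, "Stack Trace", "Process Trace"))
    procs = PROC_RE.findall(_section(text, "Process Trace", "Thumbprint"))
    return {
        "application": re.search(r"^Application (.+)$", text, re.M).group(1),
        "pid": int(re.search(r"^PID (\d+)$", text, re.M).group(1)),
        "caller_module": frames[0],   # module owning stack frame 1: the code that made the call
        "iat_owner": owner,           # module whose IAT slot the call went through
        "api": api,                   # e.g. kernel32.dll!GetProcAddress
        "ancestors": [img.rsplit("\\", 1)[-1].lower() for img, _ in procs[1:]],  # nearest first
        "thumbprint": re.search(r"^Thumbprint\s+([0-9a-f]{64})", text, re.M).group(1),
    }

def triage(alert):  # heuristic first-look labels; a false-positive verdict still comes from the vendor
    notes = []
    if alert["caller_module"].lower() != alert["iat_owner"].lower():
        notes.append(f'{alert["caller_module"]} reached {alert["api"]} via {alert["iat_owner"]} IAT')
    notes.append("exec API" if alert["api"].split("!")[-1] in EXEC_APIS else "lookup API")
    if alert["ancestors"][:3] == ["explorer.exe", "userinit.exe", "winlogon.exe"]:
        notes.append("interactive logon chain")
    elif alert["ancestors"][:1] == ["svchost.exe"]:
        notes.append("service/COM-hosted launch")
    return notes
```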
  18. LW19

    LW19 Registered Member

    Joined:
    Sep 19, 2016
    Posts:
    8
    Location:
    Germany
How does it work: "false positives will be solved from the cloud"? o_O
    Automatic in the Background or by clicking "Scan with HitmanPro" in HMPA?

    Thanks!
     
  19. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
Automatic... but in this specific scenario we have to wait for a patch (maybe the IAF mitigation in 586 is too sensitive and this behaviour cannot be merely solved from the cloud)...

    Scan with HitmanPro in Alert = just a kind of AV ex-post
     
    Last edited: Mar 16, 2017
  20. LW19

    LW19 Registered Member

    Joined:
    Sep 19, 2016
    Posts:
    8
    Location:
    Germany
Thank you for your reply.
How often will the "Automatic-Process" take place? Once a day? Or? o_O

    Thanks!
     
  21. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    @erikloman : Check your pm. Almost 2 weeks of awaiting your reply.
     
  22. guest

    guest Guest

    I think that too. They have to fix the root of the problem, which is causing these IAF-alerts.
    But they are already working on a fix, which will be soon available.
     
  23. rspostrspost

    rspostrspost Registered Member

    Joined:
    Mar 16, 2017
    Posts:
    0
    Location:
Massachusetts
    I work with FITS files used for astronomical images. If I try to insert a file with Windows Media Player, it is blocked with the following message. Since your program is incorrectly recognizing FITScodec.dll and the associated action as an attack, I'd like to be able to add an exception, but there seems to be no way to do so. Could you correct HitmanPro.Alert to add exceptions or correct it so it will not recognize this as malicious code?
    Thanks, Dick
     
  24. Lonesome Bob

    Lonesome Bob Registered Member

    Joined:
    Aug 24, 2016
    Posts:
    17
    Location:
    unknown
    Which app are you using, FITS4Win? Have you tried DS9?
     
  25. SATA24

    SATA24 Registered Member

    Joined:
    Mar 16, 2017
    Posts:
    2
    Location:
    USA
    Hello. I currently own a 3-PC 3-Year license to hitman pro I purchased in June 2016. I installed it on my PC running Windows 10, and used it up until and including the present. I also downloaded and activated HitmanPro.Alert with my HitmanPro license key. Yesterday I obtained a new hard drive and reinstalled windows 10 onto it, and then downloaded and activated HitmanPro (not .Alert) without issue. However, when I tried to install HitmanPro.Alert and activate it with my license key, it just says "A generic error occurred" and will not activate. Remember, I already had it working on my previous install, and when I put in my old hard drive, it says I have it activated, and does not expire until 2019. I believe this may be because the HitmanPro servers have already registered three total activations with my key, (HitmanPro on my old and new hard drives, and HitmanPro.Alert on my old hard drive). I was hoping you would be able to help me out. I tried searching the forums for a PM function; however, I could not find one, so I am posting here. I am still using HitmanPro and HitmanPro.Alert on only one computer, so I think I should still be able to use it if I reinstall Windows. I tried the quoted step 1.) of yours quoted above, but HitmanPro.Alert still throws a "generic error".

    Thank you in advance for your assistance!
     