HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    I bet that in this week SurfRight will release a beta that fixes the IAF issue and that ensures full compatibility with the upcoming Creator Update so still a little patience :)...
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Yeah, the Creators Update. Get ready for another wave of havoc :) Job security for those of us who do I.T. support.
     
  3. guest

    guest Guest

    lol yes, lucky I left... I still remember nights of clean installations for dozens and dozens of machines, each having different hardware and software...
     
  4. Wellies

    Wellies Registered Member

    Joined:
    Jun 10, 2011
    Posts:
    49
    I am using Serif Affinity Photo on Windows 10. When I open one of my own photographs in this, I get an 'Attack intercepted' message. This being due to Affinity's exif tool or so it seems. Here are the details:

    Mitigation Lockdown

    Platform 10.0.14393/x64 v586 06_3c
    PID 4528
    Application C:\Users\myname\AppData\Local\Temp\par-myname\cache-exiftool-10.16\exiftool.exe
    Description 0.0

    Filename C:\Users\myname\AppData\Local\Temp\par-myname\cache-exiftool-10.16\exiftool.exe
    Created By C:\Program Files\Affinity\Affinity Photo\Resources\exiftool.exe

    Process Trace
    1 C:\Users\myname\AppData\Local\Temp\par-myname\cache-exiftool-10.16\exiftool.exe [4528]
    C:\Program Files\Affinity\Affinity Photo\Resources\exiftool C:\Users\myname\Pictures\Butterfly\butterfly-large.jpg -o -.XMP
    2 C:\Program Files\Affinity\Affinity Photo\Resources\exiftool.exe [3472]
    "C:\Program Files\Affinity\Affinity Photo\Resources\exiftool" "C:\Users\myname\Pictures\Butterfly\butterfly-large.jpg" -o -.XMP
    3 C:\Program Files\Affinity\Affinity Photo\Photo.exe [6520]
    4 C:\Windows\explorer.exe [6716]
    explorer.exe
    5 C:\Windows\System32\winlogon.exe [728]
    winlogon.exe

    Thumbprint
    0574788d33db43c222b7b24919788e21dfce9675c42379298278efe4ebc3b2e2

    No malware detected on a system scan with HitmanPro and Malwarebytes. A false positive that needs sorting, or should I turn off protection for such a program? (HitmanPro.Alert protected it by default) Change a setting perhaps?
     
  5. guest

    guest Guest

    Your protected application is dropping an executable to a temporary directory and wants to execute it.
    The execution is prevented by HMP.A (and it has a lock on this file now).
    Try to disable Application Lockdown for the protected process, and it is better to reboot or restart the HMP.A service to "release the lock".
     
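    The Application Lockdown report above has a fixed layout (keyed header lines, a numbered Process Trace with optional command lines, and a Thumbprint), and the explanation of why it fires boils down to two facts in that report: the blocked file sits under a temp directory, and its "Created By" process is one of the parents in the trace. The following Python is an added example, not code from the thread or from HitmanPro.Alert, that parses the report text into fields and checks exactly those two conditions. The sample report is constructed from the one posted above (user name already placeholdered as "myname"); the temp-path markers and the parser are my own assumptions about the format, not a documented HMP.A schema. It also tolerates the Violation and Stack Trace sections seen in IAF reports elsewhere in this thread.

    ```python
    import re
    from dataclasses import dataclass, field

    # Constructed sample: the Application Lockdown report posted above, with the
    # Windows user name kept as the placeholder "myname" used in the post.
    SAMPLE_REPORT = r"""Mitigation Lockdown

    Platform 10.0.14393/x64 v586 06_3c
    PID 4528
    Application C:\Users\myname\AppData\Local\Temp\par-myname\cache-exiftool-10.16\exiftool.exe
    Description 0.0

    Filename C:\Users\myname\AppData\Local\Temp\par-myname\cache-exiftool-10.16\exiftool.exe
    Created By C:\Program Files\Affinity\Affinity Photo\Resources\exiftool.exe

    Process Trace
    1 C:\Users\myname\AppData\Local\Temp\par-myname\cache-exiftool-10.16\exiftool.exe [4528]
    C:\Program Files\Affinity\Affinity Photo\Resources\exiftool C:\Users\myname\Pictures\Butterfly\butterfly-large.jpg -o -.XMP
    2 C:\Program Files\Affinity\Affinity Photo\Resources\exiftool.exe [3472]
    "C:\Program Files\Affinity\Affinity Photo\Resources\exiftool" "C:\Users\myname\Pictures\Butterfly\butterfly-large.jpg" -o -.XMP
    3 C:\Program Files\Affinity\Affinity Photo\Photo.exe [6520]
    4 C:\Windows\explorer.exe [6716]
    explorer.exe
    5 C:\Windows\System32\winlogon.exe [728]
    winlogon.exe

    Thumbprint
    0574788d33db43c222b7b24919788e21dfce9675c42379298278efe4ebc3b2e2
    """

    # Header keys seen in the reports in this thread (Lockdown, CryptoGuard, IAF).
    KEYED = ("Mitigation", "Platform", "PID", "Application", "Description",
             "Filename", "Created By", "Violation")

    # Assumed temp locations; extend for your environment.
    TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

    @dataclass
    class Report:
        fields: dict = field(default_factory=dict)
        process_trace: list = field(default_factory=list)  # [{depth, path, pid, cmdline}]
        thumbprint: str = ""

    def parse_report(text: str) -> Report:
        """Parse the plain-text mitigation report into a Report."""
        rep = Report()
        section = None
        for raw in text.splitlines():
            s = raw.strip()
            if not s:
                continue
            if s == "Process Trace":
                section = "trace"
                continue
            if s == "Stack Trace":
                section = "stack"  # disassembly lines; skipped here
                continue
            if s == "Thumbprint":
                section = "thumb"
                continue
            if section == "thumb":
                if re.fullmatch(r"[0-9a-f]{64}", s):
                    rep.thumbprint = s
                section = None
                continue
            if section == "stack":
                continue
            if section == "trace":
                m = re.match(r"(\d+)\s+(.+?)\s+\[(\d+)\]$", s)
                if m:
                    rep.process_trace.append({"depth": int(m.group(1)),
                                              "path": m.group(2),
                                              "pid": int(m.group(3)),
                                              "cmdline": None})
                    continue
                if rep.process_trace:
                    # A line without "[pid]" right after an entry is its command line.
                    rep.process_trace[-1]["cmdline"] = s
                    continue
            for key in KEYED:
                if s.startswith(key + " "):
                    rep.fields[key] = s[len(key) + 1:].strip()
                    break
        return rep

    def is_temp_path(path: str) -> bool:
        p = path.lower()
        return any(marker in p for marker in TEMP_MARKERS)

    def lockdown_summary(rep: Report) -> dict:
        """What a defender wants from a Lockdown report: was the blocked file
        dropped into a temp directory by a process in its own launch chain?"""
        blocked = rep.fields.get("Filename", "")
        creator = rep.fields.get("Created By", "")
        parents = [e["path"] for e in rep.process_trace[1:]]
        return {
            "mitigation": rep.fields.get("Mitigation"),
            "blocked_in_temp": is_temp_path(blocked),
            "created_by_parent": any(creator.lower() == p.lower() for p in parents),
            "root_process": parents[-1] if parents else None,
        }

    if __name__ == "__main__":
        report = parse_report(SAMPLE_REPORT)
        for k, v in lockdown_summary(report).items():
            print(f"{k}: {v}")
    ```

    When both flags come back true the alert is the self-drop pattern described above: the protected application wrote a helper executable into %TEMP% and launched it. That is the behaviour Application Lockdown exists to stop, so the decision is a policy one (exclude the process, or accept the block), not a detection bug; the thumbprint and root process are what you would attach to a support ticket.
    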
  6. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Yup, you are probably right about that part. If you bring a Trojan aboard and run it, that one's on you, LOL! And then you are going to have to rely on your main AV and malware defenses to deal with the problem.
     
  7. Wellies

    Wellies Registered Member

    Joined:
    Jun 10, 2011
    Posts:
    49
    Thank you mood for your reply and advice. I have done as suggested and HMPA no longer gives the alert. On thinking, I can see why it perhaps does. I suppose HMPA can't always know that a legitimate program is carrying out an action that is safe. It only knows something that could be a danger has been stopped from happening?
     
  8. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    This is something that has started happening in the latest version of HMP.A, I get plenty of IAF issues now with browsers and Microsoft Office etc. It's a bug not a feature!
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We are working on an update. The fix is already made but we are working towards a release. You can blame the Sophos PMs for stuffing us with so much overhead that we almost grind to a halt.
     
  10. guest

    guest Guest

    Regarding Application Lockdown, you might see those alerts for protected applications which are auto-updating: it is dropping an executable, which is then executed.
    Legitimate or not, it is blocked :)
     
  11. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Is there a plan to include Microsoft Mail (an MS app), and other MS apps other than Edge, to the default list of protected processes?

    I currently have it protected under "Other" category. :)
     
  12. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    The good thing about HMP.A is that I already knew you would be without asking, just patiently waiting for the fix. :thumb:
     
  13. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    124
    Location:
    N/A
    I also have the IAF message while using Word this morning.
     
  14. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    shall we talk with them?? :D
     
  15. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    I wouldn't raise a stink about their efforts to support the user base here. It might get political and impede their ability to provide an unofficial line of support here.
     
    Last edited: Mar 27, 2017
  16. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    HMP.A crashed twice (Event 1000) in the last hour...

    Code:
    Faulting application name: hmpalert.exe, version: 3.6.3.586, time stamp: 0x589db2fd
    Faulting module name: KERNELBASE.dll, version: 6.1.7601.23677, time stamp: 0x589c9620
    Exception code: 0xe06d7363
    Fault offset: 0x0000c54f
    Faulting process id: 0xbdc
    Faulting application start time: 0x01d2a2075c9bd21c
    Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
    Report Id: 098aace4-1335-11e7-bfe6-4c72b91da94f
    ...and disappeared from the Notification Area.

    Any ideas as to the possible cause?
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.6.4 Build 587 RC

    We are working on a major new build. We have backported a few fixes so that we can release an update to the current 3.6 branch (the major build is taking too long because of all the overhead on our plate). I will write a post shortly on the new features coming in the next major release.

    Changelog
    • Fixed IAT Filtering (IAF) false positive when starting an application (occurred randomly)
    • Fixed Intruder false positive caused when DLLs are frequently loaded/unloaded
    • Fixed ROP while handling an exception in 64-bit applications
    • Fixed: 32-bit binaries no longer require an SSE-capable CPU
    • Improved CryptoGuard by adding support for additional file types
    Notes
    This build does not have Microsoft co-signed drivers yet.

    Download
    http://test.hitmanpro.com/hmpalert3b587rc.exe

    Please let us know how this version runs on your computer :thumb:
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    So far so good, but...
    ... I can only test on one machine for now.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    False Positive here.

    Code:
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          28/03/2017 10:39:00 PM
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Dave-PC
    Description:
    Mitigation   CryptoGuard
    
    Platform     10.0.14393/x64 v587 06_25
    PID          2708
    Application  C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe
    Description  Norton Identity Safe 2014.7.11
    
    Filename     C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe
    
    C:\Program Files (x86)\Norton Identity Safe\NortonData\2014.7.11.42\Definitions\WebProtectionDefs\20170328.006\PopularSites.xml
    C:\Program Files (x86)\Norton Identity Safe\NortonData\2014.7.11.42\Definitions\WebProtectionDefs\20170328.006\Indicators.xml
    C:\Program Files (x86)\Norton Identity Safe\NortonData\2014.7.11.42\Definitions\WebProtectionDefs\20170328.006\Identifiers.xml
    
    
    Process Trace
    1  C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe [2708]
    "C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe" /s "NCO" /m "C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\diMaster.dll" /prefetch:1
    2  C:\Windows\System32\services.exe [804]
    
    Thumbprint
    85b3c35ecc918d8c87921e24f671a0833a26b84c2252e96a2ecfa65cda23f42d
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-03-28T11:39:00.115932400Z" />
        <EventRecordID>37293</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Dave-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe</Data>
        <Data>CryptoGuard</Data>
        <Data>Mitigation   CryptoGuard
    
    Platform     10.0.14393/x64 v587 06_25
    PID          2708
    Application  C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe
    Description  Norton Identity Safe 2014.7.11
    
    Filename     C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe
    
    C:\Program Files (x86)\Norton Identity Safe\NortonData\2014.7.11.42\Definitions\WebProtectionDefs\20170328.006\PopularSites.xml
    C:\Program Files (x86)\Norton Identity Safe\NortonData\2014.7.11.42\Definitions\WebProtectionDefs\20170328.006\Indicators.xml
    C:\Program Files (x86)\Norton Identity Safe\NortonData\2014.7.11.42\Definitions\WebProtectionDefs\20170328.006\Identifiers.xml
    
    
    Process Trace
    1  C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe [2708]
    "C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe" /s "NCO" /m "C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\diMaster.dll" /prefetch:1
    2  C:\Windows\System32\services.exe [804]
    
    Thumbprint
    85b3c35ecc918d8c87921e24f671a0833a26b84c2252e96a2ecfa65cda23f42d</Data>
      </EventData>
    </Event>
     

  20. guest

    guest Guest

    If it hasn't happened with previous versions, then i guess it is caused now by the "improved" CryptoGuard which is perhaps protecting .xml-files :cautious:
     
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you send me the contents of the C:\Windows\CryptoGuard\reverted_xxx\ folder in a ZIP?

    Correct.
     
  22. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    After installing build 587 RC and restarting the laptop, Norton Security did not start. After the second restart, no problems.

    New features? Promising :)

    Win10 1607 build 14393.969 x64/Norton Security v22.9.1.12
     
  23. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    464
    False positive today - running build 586

    Mitigation IAF

    Platform 6.3.9600/x64 v586 06_3d
    PID 11912
    Application C:\Program Files (x86)\Skype\Phone\Skype.exe
    Description Skype 7.29

    Violation 5C4CA760 is calling DefaultDeviceManager.dll IAT funcptr kernel32.dll!GetProcAddress


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 5C4CA760 devenum.dll
    ff1554004d5c CALL DWORD [0x5c4d0054]
    a30cf74c5c MOV [0x5c4cf70c], EAX
    85c0 TEST EAX, EAX
    0f84c2000000 JZ 0x5c4ca835
    683ca84c5c PUSH DWORD 0x5c4ca83c
    ff7604 PUSH DWORD [ESI+0x4]
    ff1554004d5c CALL DWORD [0x5c4d0054]
    a310f74c5c MOV [0x5c4cf710], EAX
    85c0 TEST EAX, EAX
    0f84a7000000 JZ 0x5c4ca835
    685ca84c5c PUSH DWORD 0x5c4ca85c
    ff7604 PUSH DWORD [ESI+0x4]
    ff1554004d5c CALL DWORD [0x5c4d0054]

    2 5C4C46FB devenum.dll
    3 5C4C43C6 devenum.dll DllUnregisterServer +0x106
    4 5C4C2D70 devenum.dll
    5 74D837F0 combase.dll
    6 74D822C4 combase.dll
    7 74D83A4E combase.dll
    8 74D8396D combase.dll
    9 74D83340 combase.dll
    10 74D8362A combase.dll

    Process Trace
    1 C:\Program Files (x86)\Skype\Phone\Skype.exe [11912]
    2 C:\Windows\explorer.exe [3352]
    3 C:\Windows\System32\userinit.exe [3692]

    Thumbprint
    3c2a7e0123ab1e36b2c8fd679d6bde58a510602bed8743c7005b20d708f533c1
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    I have 587 RC on one desktop. Will spread it out later.

    Looks good so far.

    Pete
     