HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    I don't use Edge regularly, but I tried firing it up a few times today to see what would happen. HMP.A generated the same alert twice.
     
  2. mrhex1

    mrhex1 Registered Member

    Joined:
    Jul 2, 2016
    Posts:
    19
    Location:
    Timbuktu
    On a separate aside I have seen noscript + a combo of adblock plus prevent me from logging into paypal. I have two factor auth enabled with the Symantec/Verisign VIP style that gives me a 6 digit code that rotates every 30 seconds. It took me a while to figure that I just had to disable ABP + noscript on paypal.com.

    (Not to get off topic here) :)
     
  3. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    I received another alert, this time unrelated to MS Edge:

    Mitigation CryptoGuard

    Platform 10.0.14393/x64 v587 06_2a
    PID 6468
    Application C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1051_none_7f2bf7ea21d201b2\TiWorker.exe
    Description Windows Modules Installer Worker 10

    Filename C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1051_none_7f2bf7ea21d201b2\TiWorker.exe

    C:\Windows\WinSxS\amd64_microsoft-windows-c..iser-inboxdatafiles_31bf3856ad364e35_10.0.14393.0_none_9eeac2cef7a25999\Appraiser_TelemetryRunList.xml
    C:\Windows\WinSxS\amd64_microsoft-windows-c..iser-inboxdatafiles_31bf3856ad364e35_10.0.14393.953_none_ab4191367ee3fb3e\Appraiser_Data.ini
    C:\Windows\WinSxS\amd64_microsoft-windows-c..iser-inboxdatafiles_31bf3856ad364e35_10.0.14393.953_none_ab4191367ee3fb3e\Appraiser_TelemetryRunList.xml


    Process Trace
    1 C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1051_none_7f2bf7ea21d201b2\TiWorker.exe [6468]
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1051_none_7f2bf7ea21d201b2\TiWorker.exe -Embedding
    2 C:\Windows\System32\svchost.exe [100]
    C:\Windows\system32\svchost.exe -k DcomLaunch

    Thumbprint
    13ce3522e7fa700aec518c42ddd4710b3104c268450306c21e6b36a17da83fff
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Oops. Now also a cryptoguard build 587 RC/Norton Security 22.9.1.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 31-3-2017 7:33:04
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation CryptoGuard

    Platform 10.0.14393/x64 v587 06_17*
    PID 2368
    Application C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\nsbu.exe
    Description Norton Security with Backup 22.9.1

    Filename C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\nsbu.exe

    C:\Program Files (x86)\Norton Security with Backup\NortonData\22.5.4.24\Definitions\WebProtectionDefs\20170331.002\PopularSites.xml
    C:\Program Files (x86)\Norton Security with Backup\NortonData\22.5.4.24\Definitions\WebProtectionDefs\20170331.002\Indicators.xml
    C:\Program Files (x86)\Norton Security with Backup\NortonData\22.5.4.24\Definitions\WebProtectionDefs\20170331.002\Identifiers.xml


    Process Trace
    1 C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\nsbu.exe [2368]
    "C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\NSBU.exe" /s "NSBU" /m "C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\diMaster.dll" /prefetch:1
    2 C:\Windows\System32\services.exe [716]

    Thumbprint
    11b0f0b9d0445351a23d30406bd985222316a55b6a1e89823f4066fbb829e79c

    Gebeurtenis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-03-31T05:33:04.161057100Z" />
    <EventRecordID>20713</EventRecordID>
    <Channel>Application</Channel>
    <Computer>****</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\nsbu.exe</Data>
    <Data>CryptoGuard</Data>
    <Data>Mitigation CryptoGuard

    Platform 10.0.14393/x64 v587 06_17*
    PID 2368
    Application C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\nsbu.exe
    Description Norton Security with Backup 22.9.1

    Filename C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\nsbu.exe

    C:\Program Files (x86)\Norton Security with Backup\NortonData\22.5.4.24\Definitions\WebProtectionDefs\20170331.002\PopularSites.xml
    C:\Program Files (x86)\Norton Security with Backup\NortonData\22.5.4.24\Definitions\WebProtectionDefs\20170331.002\Indicators.xml
    C:\Program Files (x86)\Norton Security with Backup\NortonData\22.5.4.24\Definitions\WebProtectionDefs\20170331.002\Identifiers.xml


    Process Trace
    1 C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\nsbu.exe [2368]
    "C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\NSBU.exe" /s "NSBU" /m "C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\diMaster.dll" /prefetch:1
    2 C:\Windows\System32\services.exe [716]

    Thumbprint
    11b0f0b9d0445351a23d30406bd985222316a55b6a1e89823f4066fbb829e79c</Data>
    </EventData>
    </Event>
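    The CryptoGuard alerts posted above share one text layout; this added example (not from the thread or from HitmanPro.Alert) parses that layout and checks whether every flagged file sits inside the application's own directory tree. The sample alert, the `ExampleAV` paths, both function names and the directory-depth heuristic are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample in the layout of the alerts posted above (not a real alert).
SAMPLE = r"""Mitigation CryptoGuard

Platform 10.0.14393/x64 v587 06_17*
PID 4242
Application C:\Program Files\ExampleAV\Engine\1.0\scan.exe
Description ExampleAV 1.0
Filename C:\Program Files\ExampleAV\Engine\1.0\scan.exe

C:\Program Files\ExampleAV\Data\Defs\20170331\Sites.xml
C:\Program Files\ExampleAV\Data\Defs\20170331\Rules.xml

Process Trace
1 C:\Program Files\ExampleAV\Engine\1.0\scan.exe [4242]
2 C:\Windows\System32\services.exe [716]
Thumbprint
0000000000000000000000000000000000000000000000000000000000000000
"""

FIELDS = ("Mitigation", "Platform", "PID", "Application", "Description", "Filename")

def parse_alert(text):
    """Split one CryptoGuard alert into fields, touched files, trace, thumbprint."""
    alert = {"files": [], "trace": []}
    section = "header"
    for line in filter(None, map(str.strip, text.splitlines())):
        if line in ("Process Trace", "Thumbprint"):
            section = line
        elif section == "Thumbprint":
            alert["thumbprint"] = line
        elif section == "Process Trace":
            m = re.match(r"\d+ (.+) \[(\d+)\]$", line)
            if m:  # command-line lines between numbered entries are skipped
                alert["trace"].append((m.group(1), int(m.group(2))))
        elif line.split(" ", 1)[0] in FIELDS:
            key, _, value = line.partition(" ")
            alert[key.lower()] = value
        else:
            alert["files"].append(line)  # bare path listed after Filename
    return alert

def files_inside_product_dir(alert, depth=3):
    """Triage hint (assumed heuristic): every file shares the app's first `depth` path parts."""
    root = "\\".join(alert["application"].split("\\")[:depth]).lower()
    return all(ntpath.normpath(f).lower().startswith(root + "\\") for f in alert["files"])
```

    With `depth=3` the check returns True for an alert whose files all sit under the same product or WinSxS directory as the flagged executable, and False as soon as one path falls outside it.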
     
  5. guest

    guest Guest

    This is the fourth reported CryptoGuard mitigation.
    The first one is here: #13260, second one: #13295, third one: #13287

    IAF-issues seem to be gone now, but now CryptoGuard-issues arise ("Improved CryptoGuard by adding support for additional file types" #13258) :doubt:
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.6.4 Build 588 RC

    Changelog
    • Fixed CryptoGuard issue introduced in build 587
    Notes
    This build has Microsoft co-signed drivers!

    Download
    http://test.hitmanpro.com/hmpalert3b588rc.exe

    Please let us know how this build runs on your computer :thumb:
     
  7. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    It seems to run smoothly also on Win10 CU! (build 15063.0) :isay: (+ Secure Boot, etc)

    Nice work, guys :)
     
    Last edited: Mar 31, 2017
  8. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    At the time of this post everything is fine on my w7 test box.
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    So far so good on Win 10 Pro x64 v1607 14393.970
     
  10. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    No issues so far on my Windows 7 x64 system (see signature).

    N.B.
    I haven't tested for the CryptoGuard and LibreOffice x86 on Win x64 issue that I reported January 24 and February 3, as February 27 Erik replied "We are working on a new major version of CryptoGuard which should solve the LibreOffice issue", and March 28 Erik wrote "We are working on a major new build." So that is for later, I suppose.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The change has been pushed around. It is very hard for us to say when something will end up in the product. We do our best to squeeze in as much as possible.
     
  12. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems upgrading build 588 RC.

    Win10 1607 build 14393.969 x64/Norton Security v22.9.1.12
     
  13. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Hi Erik,
    What exactly do you mean, it has been "pushed around"?
    I suppose you mean it will be later, and you cannot tell when.

    I understand that, Erik.
    When, at a given moment, the fix for the CryptoGuard and LibreOffice x86 on Win x64 issue makes it to a HMPA build, please clearly specify, so I can test it.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    588 looks good here on one machine. Later today I will put it on the other machines.
     
  15. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    588 working good for me on Windows 10 Pro x64 (Build 15063 (Creators Update), Release Preview version of Windows)
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA

    Smooth update from 587 to 588. No issues to report :thumb:
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Now have it on 1 desktop, 1 Lenovo ThinkPad and 1 VM. Smooth and no issues on all 3.
     
  18. Santiago Sanz

    Santiago Sanz Registered Member

    Joined:
    Mar 31, 2017
    Posts:
    1
    Location:
    Buenos Aires, Argentina
    Hello, my father has been receiving this alert constantly since a month ago when he tries to save a Word document as another file. He loses all the work done.


    C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

    IAF

    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_3c
    PID 12512
    Application C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
    Description Microsoft Word 16

    Violation 0A184C1F is calling msconv97.dll IAT funcptr KernelBase.dll!GetProcAddress

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 0A184C1F dui70.dll ?_MarkElementForLayout@Element@DirectUI@@SGHPAV12@I@Z +0x1bf
    ff157c63270a CALL DWORD [0xa27637c]
    8bf0 MOV ESI, EAX
    85f6 TEST ESI, ESI
    741e JZ 0xa184c49
    8935984b270a MOV [0xa274b98], ESI
    ebbe JMP 0xa184bf1
    2 0A184DD7 dui70.dll
    3 0A184C79 dui70.dll ?_MarkElementForLayout@Element@DirectUI@@SGHPAV12@I@Z +0x219
    4 0A17EF29 dui70.dll ??0ElementProvider@DirectUI@@QAE@XZ +0x2c9
    5 0A18A5EC dui70.dll InitProcessPriv +0x5c
    6 0A18A5A9 dui70.dll InitProcessPriv +0x19
    7 6C43CB75 ExplorerFrame.dll
    8 6C4010ED ExplorerFrame.dll
    9 75C0D722 comdlg32.dll
    10 75C13322 comdlg32.dll

    Process Trace
    1 C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE [12512]
    2 C:\Windows\explorer.exe [10800]
    3 C:\Windows\System32\userinit.exe [1196]
    4 C:\Windows\System32\winlogon.exe [9452]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    5 C:\Windows\System32\smss.exe [15428]
    \SystemRoot\System32\smss.exe 000000d8 0000002c C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    6 C:\Windows\System32\smss.exe [476]
    \SystemRoot\System32\smss.exe

    Thumbprint cc8d66b9e6b4dba80a74d0749d0df541bbc94243b873cf83cfc2c0a814bc2f58

    I really appreciate any prompt assistance, as this is hampering his work.

    Thank you in advance,

    Santiago.
     
  19. guest

    guest Guest

    Try to install the build 588. This version should fix your issue.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Three machines all seem happy with Build 588. :thumb:
     
  21. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    No problems here.
     
  22. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    50
    Location:
    Italien
    HitmanPro.Alert 3.6.4 Build 588 RC
    Really very good. Thank you! :thumb:
     
  23. Abdallah

    Abdallah Registered Member

    Joined:
    Oct 28, 2013
    Posts:
    124
    Location:
    N/A
    Build 588 works with no problem
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes correct, HMPA might be able to interfere with certain malicious operations. But it should always alert about browsers that are hijacked by banking trojans. And of course it's also capable of blocking ransomware. But it won't block code injections, either standard or advanced.
     
  25. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Within a few minutes both build 587 and 588 lock up my system so badly that even the Windows key and Ctrl-Alt-Del don't do a thing.

    Reinstalled the last official release and everything is fine again.
     