HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
  2. guest

    guest Guest

    Thanks for the detailed explanation.
But what would happen if the PowerShell command comes from a normal executable? Probably there is nothing in the wild like this and that executable can be classified as malware, but still it could happen, and I guess this mitigation of HPA works only with the browsers, Office and a few other apps.
    But indeed HPA is in a very good shape.
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No worries Pete.
     
  4. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    This is nice to know, as I didn't know how mature their powershell based protection was. Nice :thumb:
     
  5. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    464
Running Win 8.1 x64 and HPA 3.6.4.588 - today as I was patching the system with AutoPatcher 6.2.22 I got the following:

    Type : Error
    Date : 08/05/2017
    Time : 12:19:01
    Event : 300
    Source : HitmanPro.Alert
    Category : CryptoGuard
    User : N/A
    Computer : DESKTOPDaniele
    Description:
    The following process is trying to attack your personal files:
    PID: 324
    Application: C:\Windows\System32\svchost.exe

    List of files:
    C:\Windows\SoftwareDistribution\ScanFile\a71a65d1-9634-4957-bdca-382619e015b0\Source.cab
    C:\Windows\SoftwareDistribution\ScanFile\dcdc2a77-3f5f-4417-a5e4-21e76c6d2adf\Source.cab
    C:\Windows\SoftwareDistribution\ScanFile\67fc073b-4d02-4acb-be01-07f9607c4c5c\Source.cab


    HitmanPro.Alert has intercepted and blocked this attack.
    You are strongly advised to immediately scan this computer with HitmanPro and remove the detected threats.


    Type : Error
    Date : 08/05/2017
    Time : 12:19:01
    Event : 911
    Source : HitmanPro.Alert
    Category : Mitigation
    User : N/A
    Computer : DESKTOPDaniele
    Description:
    Mitigation CryptoGuard

    Platform 6.3.9600/x64 v588 6f_10
    PID 324
    Application C:\Windows\System32\svchost.exe
    Description Host Process for Windows Services 6.3

    Filename C:\Windows\System32\svchost.exe

    C:\Windows\SoftwareDistribution\ScanFile\a71a65d1-9634-4957-bdca-382619e015b0\Source.cab
    C:\Windows\SoftwareDistribution\ScanFile\dcdc2a77-3f5f-4417-a5e4-21e76c6d2adf\Source.cab
    C:\Windows\SoftwareDistribution\ScanFile\67fc073b-4d02-4acb-be01-07f9607c4c5c\Source.cab


    Process Trace
    1 C:\Windows\System32\svchost.exe [324]
    C:\Windows\system32\svchost.exe -k netsvcs
    2 C:\Windows\System32\services.exe [640]

    Thumbprint
    3871354fffd2dec0a24da928baaec2ef9a2a1804c35dbfe214619aae14c4d9e5
     
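A small triage helper for CryptoGuard alerts in the format posted above, added here as an example (it is not HitmanPro.Alert's own code). It parses the event 300 description from the post and applies an allow-list of process/path pairs that is my own assumption: Windows Update's service host rewriting its own SoftwareDistribution cache is treated as a likely false positive, anything else is left for investigation.

```python
import re
from dataclasses import dataclass
# Event 300 description as posted above (only the fields the parser uses).
SAMPLE_ALERT = r"""The following process is trying to attack your personal files:
PID: 324
Application: C:\Windows\System32\svchost.exe

List of files:
C:\Windows\SoftwareDistribution\ScanFile\a71a65d1-9634-4957-bdca-382619e015b0\Source.cab
C:\Windows\SoftwareDistribution\ScanFile\dcdc2a77-3f5f-4417-a5e4-21e76c6d2adf\Source.cab
C:\Windows\SoftwareDistribution\ScanFile\67fc073b-4d02-4acb-be01-07f9607c4c5c\Source.cab

HitmanPro.Alert has intercepted and blocked this attack.
"""

@dataclass
class CryptoGuardAlert:
    pid: int
    application: str
    files: list

def parse_cryptoguard_alert(text: str) -> CryptoGuardAlert:
    """Pull PID, application and the touched-file list out of an event-300 description."""
    pid = re.search(r"^\s*PID:\s*(\d+)\s*$", text, re.M)
    app = re.search(r"^\s*Application:\s*(.+?)\s*$", text, re.M)
    if not (pid and app):
        raise ValueError("not a CryptoGuard event 300 description")
    lines = [ln.strip() for ln in text.splitlines()]
    start = lines.index("List of files:") + 1
    files = []
    for ln in lines[start:]:
        if not ln:            # the list ends at the first blank line
            break
        files.append(ln)
    return CryptoGuardAlert(int(pid.group(1)), app.group(1), files)

# Triage allow-list (my own assumption, not a HitmanPro.Alert rule): the Windows Update
# service host rewriting its own download cache is expected behaviour, not encryption.
KNOWN_BENIGN = [
    (r"^c:\\windows\\system32\\svchost\.exe$", r"^c:\\windows\\softwaredistribution\\"),
]
def triage(alert: CryptoGuardAlert) -> str:
    """'likely-false-positive' only when the app AND every file match one allow-list entry."""
    app = alert.application.lower()
    for app_re, path_re in KNOWN_BENIGN:
        if re.match(app_re, app) and alert.files and \
                all(re.match(path_re, f.lower()) for f in alert.files):
            return "likely-false-positive"
    return "investigate"
```

A single file outside the allow-listed path is enough to drop the alert back to "investigate", so the check is deliberately all-or-nothing.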
  6. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Anyone know if there's any leaked pricing for the new Sophos Home Premium that has HMPA functionality combined with it? My 3-PC HMPA license is expiring in about 2 weeks.
     
  7. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Ah, didn't know it was so new. I'll re-subscribe to HMPA for another year.
     
  8. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Looks like opting into the Sophos Home Premium beta removes the ability of HMPA + Sophos Home to coexist since they're merged. I'll have to bid adieu to contributing to this thread for a while then.
     
  9. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Yeah, that's a given seeing you would not want to run two instances of the same software on your PC ;)
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    One would think a decent programmer would check for this and not allow it, no?
     
  11. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Agreed. :thumb:
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Code:
    Mitigation   ROP
    
    Platform     10.0.15063/x64 v588 06_45
    PID          146976
    Application  C:\Program Files\Mozilla Firefox\firefox.exe
    Description  Firefox 53.0.2
    
    Callee Type  ProtectVirtualMemory
                 0x00000280B8C01000 (4096 bytes)
    
    Branch Trace                              Opcode  To                                    
    ---------------------------------------- -------- ----------------------------------------
    _aligned_free +0xd4                          RET  0x00007FFE27073357 xul.dll            
    0x00007FFE5FEC5294 mozglue.dll                                                          
    
    RtlLeaveCriticalSection +0x39                RET  _aligned_free +0xb6                    
    0x00007FFE72A5FF99 ntdll.dll                      0x00007FFE5FEC5276 mozglue.dll        
    
    _aligned_free +0x201                         RET  _aligned_free +0x8c                    
    0x00007FFE5FEC53C1 mozglue.dll                    0x00007FFE5FEC524C mozglue.dll        
    
    memset +0x19f                                RET  _aligned_free +0x7b                    
    0x00007FFE5E5BC91F vcruntime140.dll               0x00007FFE5FEC523B mozglue.dll        
    
    RtlEnterCriticalSection +0x2a                RET  _aligned_free +0x59                    
    0x00007FFE72A4447A ntdll.dll                      0x00007FFE5FEC5219 mozglue.dll        
    
    0x00007FFE2721BEA6 xul.dll                   RET  0x00007FFE2707332E xul.dll            
    
    0x00007FFE292FF57C xul.dll                   RET  0x00007FFE27073322 xul.dll            
    
    0x00007FFE27129A10 xul.dll                   RET  0x00007FFE27073312 xul.dll            
    
    0x00007FFE27129C8D xul.dll                   RET  0x00007FFE270732E2 xul.dll            
    
    0x00007FFE27739F86 xul.dll                   RET* 0x00000000005B160C EventMon.dll        
                        cc                       INT 3      
    
    
    SleepEx +0x10e                             ~ RET* 0x00000000005B1604 EventMon.dll        
    0x00007FFE6EFA72EE KernelBase.dll                                                        
                        cc                       INT 3      
    
    
    NtDelayExecution +0x14                     ~ RET  SleepEx +0xa7                          
    0x00007FFE72AD5A34 ntdll.dll                      0x00007FFE6EFA7287 KernelBase.dll      
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFE6EFB1735 KernelBase.dll           VirtualProtect +0x35
    
    2  00007FFE2720E769 xul.dll                
                        85c0                     TEST         EAX, EAX
                        743d                     JZ           0x7ffe2720e7aa
                        488b0d4c3db002           MOV          RCX, [RIP+0x2b03d4c]
                        483bd9                   CMP          RBX, RCX
                        0f82b8776600             JB           0x7ffe27875f35
                        4881c100000040           ADD          RCX, 0x40000000
                        483bf9                   CMP          RDI, RCX
                        0f87a8776600             JA           0x7ffe27875f35
                        b001                     MOV          AL, 0x1
                        488b5c2438               MOV          RBX, [RSP+0x38]
                        4883c420                 ADD          RSP, 0x20
                        5f                       POP          RDI
                        c3                       RET        
    
    3  00007FFE26EFE1B2 xul.dll                
    4  00007FFE27073376 xul.dll                
    5  00007FFE26F03595 xul.dll                
    6  00007FFE2702930E xul.dll                
    7  00007FFE277B3AC6 xul.dll                
    8  00007FFE26F31A5C xul.dll                
    9  00007FFE26F3B61D xul.dll                
    10 00000280B71CBEBD (anonymous; xul.dll)  
    
    Code Injection
    0000000000530000-0000000000536000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [3604]
    0000000000540000-0000000000541000    4KB
    00007FFE72AA9000-00007FFE72AAA000    4KB
    
    Process Trace
    1  C:\Program Files\Mozilla Firefox\firefox.exe [146976]
    2  C:\Program Files\Mozilla Firefox\firefox.exe [142328]
    3  C:\Windows\explorer.exe [9964]
    4  C:\Windows\System32\userinit.exe [9444]
    5  C:\Windows\System32\winlogon.exe [1284]
    winlogon.exe
    
    Thumbprint
    4dc38dac7a603ec076cdde33f91b79d263efd90ae3c2310257db23ca11a9362e
    
     
  13. mrhex1

    mrhex1 Registered Member

    Joined:
    Jul 2, 2016
    Posts:
    19
    Location:
    Timbuktu
The problem is that I believe the CNAME/wildcard DNS record is pointing to the provider where the brothers live in the Netherlands. The www.hitmanpro.com already has the Sophos edgekey CDN along with the Akamai CDN in it. Depends on how the DNS is configured on their end. I am using Google DNS on my end. https://www.hitmanpro.com is definitely reachable. Here is a dump from nslookup:

    Code:
    > hitmanpro.com
    Server:  DD-WRT
    Address:  192.168.11.1
    
    Non-authoritative answer:
    Name:    hitmanpro.com
    Address:  87.249.108.118
    
    > www.hitmanpro.com
    Server:  DD-WRT
    Address:  192.168.11.1
    
    Non-authoritative answer:
    Name:    e6203.b.akamaiedge.net
    Address:  23.214.15.163
    Aliases:  www.hitmanpro.com
              www.sophos.com.edgekey.net
    
    >
     
  14. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    I'm fine with this but an up-front dialog about it would have helped. I'll submit feedback to Sophos.

    Goodness knows this forum has enough overly-paranoid tinfoil-hat-wearing people running 2-10+ different programs all at once against imaginary threats. This thread is full of them demanding Surfright/Sophos "fix" their products to account for all the other bizarre nonsense they're running simultaneously.
     
  15. P_TT

    P_TT Registered Member

    Joined:
    May 9, 2017
    Posts:
    4
    Location:
    Italy
I have some issues with HMP.A: some apps just don't work if it's enabled. Processes are running, they are listed in the Task Manager but the GUI is missing. I guess HMP.A blocks them while they are loading.
Adding such apps as exceptions doesn't fix the issue; I also tried to disable every feature in HMP.A with no luck. The only thing which fixes the issue is disabling the HMP.A service and rebooting the PC; after that all is working fine.
Below are the apps that aren't working with HMP.A:

    NAPS2(Not another pdf scanner 2)
    ADOBE DIGITAL EDITION
AMAZON CLOUD DRIVE APP (This is somehow different from the other 2: the app works only the first time after the setup; obviously disabling HMP.A makes it work correctly every time I launch it)
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The above do work with HMPA. It is likely that you have a 3rd party component that conflicts with HMPA.
    What security products are you using?
     
  17. P_TT

    P_TT Registered Member

    Joined:
    May 9, 2017
    Posts:
    4
    Location:
    Italy
Thank you for your prompt reply. You are absolutely right about the conflict, I use Bitdefender Internet Security. After your reply I investigated and found that disabling the Active Threat Control in Bitdefender also fixes the issues. Moreover I can leave that feature enabled because adding those apps as exceptions in Bitdefender works too! Again, thank you for your help: great product, fast support, very happy to have renewed my license for another year! Have a nice day
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.6.5 build 592

    A small update to the stable release.

    Changelog
    • Fixed CryptoGuard false positive
    Notes
    This build contains drivers that are co-signed by Microsoft.

    Download

    http://test.hitmanpro.com/hmpalert3b592.exe

    Please let me know how this build runs :thumb:
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Hi Erik,

    After installing and restarting I was informed there was an update available that would be installed next restart. That reinstalled 588! o_O

Reinstalled 592 and same thing.

    HMP.A Update.PNG
     
    Last edited: May 11, 2017
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Installed OK over the top of 588 on Win 10 Pro x64 v1703 15063.296.

    But after reboot, a flyout and message appeared that an update was available and had to reboot again.

    Edit: Yes, same as @Krusty, back to 588!
     
  21. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Same here.
    HMP.A reverted to build 588, after reboot.
     
  22. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Same here. 588 > 592 > 588.
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I have fixed this issue in our cloud. It should now stick to 592.
     
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    No issues so far on my Windows 7 x64 system (see signature).

    And as the changelog mentions "Fixed CryptoGuard false positive", I decided to check for the CryptoGuard and LibreOffice x86 on Windows x64 issue that I reported January 24 and February 3, even though February 27 Erik replied "We are working on a new major version of CryptoGuard which should solve the LibreOffice issue", so I wasn't expecting a fix for the LibreOffice issue in this minor update, but only in the major release 3.7.

    But guess what - according to my tests, the CryptoGuard and LibreOffice x86 on Windows x64 issue looks to be fixed in 3.6.5.592.
    Nice! :thumb:

    Tested with LibreOffice x86 version 5.2.7.2
     
    Last edited: May 11, 2017
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes, fixed now.
     