HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Dongkyu Yoo

    Dongkyu Yoo Registered Member

    Joined:
    May 22, 2017
    Posts:
    1
    Location:
    El Segundo, CA
    Hi markloman,

    I was wondering if this update has a fix for the issue that HMPA blocks the Unity mono dll with the CallerCheck function.
    As you might know, the current public version of HMPA blocks Unity games when the core engine mono.dll allocates its code on heap memory and calls LoadLibraryW. (tested on 3.6.5 build 592)
    So all Unity-based games will be affected by this false positive.
    However, I've installed 3.6.7 build 600 BETA and it looks like this issue is not happening again.
    If this issue is obviously fixed, when are you going to push this fix to public?

    Thanks,
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I make sure to always have backups even when using stable releases. There are too many different environmental variables that can trigger bugs that are not discovered during test periods. Beta testers should certainly always keep regular image backups, and expect to have to use them. It has to be really easy to include critical bugs in your code when coding on something as high tech as HMPA, so it's no surprise to me that testers run into bugs like these with HMPA.
     
    Last edited: May 22, 2017
  3. YedaRust

    YedaRust Registered Member

    Joined:
    May 19, 2017
    Posts:
    2
    Location:
    USA
    I've been checking back here regularly in the hope of obtaining assistance to get HMPA working on my system and was disappointed to see that the developer had checked in without offering any suggestions.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi YedaRust

    2 things. First, I would try uninstalling Norton and see what effect that has. Disabling it doesn't really help. Secondly, it's going to be hard for anyone to really help, as all the tweaks and things you've disabled mean you really don't have a standard Windows install. Do you have a record of what you've changed so you can try putting stuff back to see if you can find the problem?
     
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    You're absolutely right.
    I create system images monthly. But even so, in cases that issues may seem more likely, like in this specific case, I create a fresh image before testing, so that I'm sure I don't need to redo any recent adjustments and updates.
     
  6. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Confirmed:
    W7-x64 after upgrade to hmp.alert 3.6.7 build 600 BETA
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Folks, to be fair, at this point I am not sure exactly what happened and if HMPA was an actor or innocent bystander. I updated the HMPA about 5 minutes after my hourly image was taken. And on testing I found the last 3 images when restored were broken. I ended up restoring the last image which was the most current, and then repairing the MBR and all was well. I can't reconcile that with HMPA being the problem.
     
  8. guest

    guest Guest

    I had to uninstall it because it was blocking the public digital signature software used in Spain
     
  9. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Any details? Did it trigger an alert?
     
  10. guest

    guest Guest

    http://firmaelectronica.gob.es/Home/Ciudadanos/Aplicaciones-Firma.html#autofirma

    This is the software. It triggered an alert during installation, so I reinstalled it just in case.
    During use, the software was supposed to be called from the browser; this wasn't happening and it didn't produce any alert.
    I tried Edge and Chrome.

    After uninstall and restart it worked.

    If you need more details let me know.
    I doubt you can reproduce it because you need a valid ID.
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Which HMPA version did you use?
    HMPA 3.6.5.592 stable, or 3.6.6.593 beta, or 3.6.7.600 beta?

    Providing the alert details may be useful to Mark or Erik, perhaps.
    You can copy alert details from Event Viewer.
    To get Alert details from Event Viewer:
    Open the HMPA user interface, and click "Number of alerts", or "Last alert"; that will open Windows Event Viewer.
    This takes a moment as an HMPA module is added to Event Viewer.
    In Event Viewer, in the HitmanPro.Alert Events section, information can be seen regarding HMPA events.
    Take the entry regarding the specific alert.
    Select all text, use Ctrl+C to copy the selected text, and paste it in your next reply in this thread.

    And have you tried whether adding the application's exe as exclusion(s) in HMPA helps?
    To exclude an executable from HMPA exploit mitigation:
    open the HMPA user interface,
    in settings, choose Advanced interface,
    click the blue Exploit mitigation tile, and then Applications,
    scroll to the right, and under Exclude, choose Add exclusion, navigate to the application's exe, and add it as an exclusion.
     
  12. guest

    guest Guest

    I was using the latest stable version.
    I will try to recover the logs once I get in front of the PC.
    I didn't try to exclude it but I think the application is based on Java.
     
  13. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    The website ghacks.net has a table comparing a variety of ransomware-fighting tools, including HMP.A.

    The comparison chart contains what sound to me like several inaccuracies with respect to HMP.A:

    • Under "Beta", it says "no" (I'm running beta build 704 on this PC right now);
    • The table says that HMP.A supports Windows XP to Windows 7 -- no mention of 8.x or 10;
    • The last column claims that the program "requires HitmanPro."

    Mark or Erik may want to contact ghacks.net to get the chart corrected. The "Beta" column could be clearer, for example to state that both stable and beta versions are available.
     
  14. guest

    guest Guest

    I guess "Beta: Yes" = product is only available as a beta.
    A stable version of HMP.A is available, so "Beta = No" is correct.
     
  15. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I see how it could be read that way, thanks.
     
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    It's an old article, but it was updated today, so I suppose Martin Brinkmann may be interested in your suggestions.
    I doubt that Erik or Mark have time to spare to contact gHacks, but you could contact Martin Brinkmann. Contact information is on the website.
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Does HMPA protect from UIWIX?
    And what if another computer on the network was already infected -- will HMPA prevent spread of worm?
     
  18. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Yes... starting from build 600, thanks to the new APC mitigation (a generic protection, 1-2) :)
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    The post you linked to was about WannaCry. I am asking about UIWIX, which uses a variety of exploits, not just DoublePulsar.
    In a way, UIWIX is easier to block, because it is sandbox-sensitive, so I am guessing that the "vaccination" mitigation would cause it to stay inert.
    But I am asking more about the actual exploits involved -- can HMPA detect them and stop them?
     
  20. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Kernel mode exploits must be fixed through patches even if the new Alert mitigations could somehow hinder some mechanisms as in the case of DP ...
     
  21. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I have just contacted ghacks to point out HitmanPro.Alert is available for Windows 8.1 and 10 as well, and included a link to substantiate my statement.
     
  22. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Is ghacks also a serious* source? :D

    SUPER-LOL!

    *respected
     
    Last edited: May 25, 2017
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm giving the latest stable build (HMPA 3.6.5.592) a try with Eset Internet Security 10, and AppGuard. So far, so good.

    I think it would be amazing if a behavior blocker similar to Emsisoft's was integrated into HMPA that focused on all types of threats rather than primarily focusing on Crypto-malware. HMPA would be a permanent addition to my setup then.
     
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Crypto-ransomware protection is one feature of HMPA, and it's a nice feature, but HMPA is much more than that.
    Have you seen HMPA's feature overview on the HMPA product page?
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, I have seen it. It offers a lot, but I'm looking for a BB that monitors for all malicious behavior.
     