HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, I remember. HMPA blocks most attacks at their earliest stage so that they never make it onto the system, but HMPA monitors specific behaviors to catch other attacks in the event they do make it onto the system.
     
  2. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    *sigh* never mind....
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I have had a number of these lately, general FF browsing in Sandboxie. Build 593.

    I think it is an FP, but is it fixable in HmP.A, or does it have to be from Sandboxie side?

    Code:
    Mitigation   ROP
    
    Platform     10.0.15063/x64 v593 06_45
    PID          17728
    Application  C:\Program Files\Mozilla Firefox\firefox.exe
    Description  Firefox 53.0.3
    
    Callee Type  ProtectVirtualMemory
                0x000002A28BB91000 (12288 bytes)
    
    Branch Trace                              Opcode  To                                     
    ---------------------------------------- -------- ----------------------------------------
    _aligned_free +0xd4                          RET  0x00007FFBD2C22467 xul.dll             
    0x00007FFC0EE15314 mozglue.dll                                                           
    
    RtlLeaveCriticalSection +0x39                RET  _aligned_free +0xb6                     
    0x00007FFC15A9FF99 ntdll.dll                      0x00007FFC0EE152F6 mozglue.dll         
    
    _aligned_free +0x201                         RET  _aligned_free +0x8c                     
    0x00007FFC0EE15441 mozglue.dll                    0x00007FFC0EE152CC mozglue.dll         
    
    memset +0xdb                                 RET  _aligned_free +0x7b                     
    0x00007FFC0ED9C85B vcruntime140.dll               0x00007FFC0EE152BB mozglue.dll         
    
    RtlEnterCriticalSection +0x2a                RET  _aligned_free +0x59                     
    0x00007FFC15A8447A ntdll.dll                      0x00007FFC0EE15299 mozglue.dll         
    
    0x00007FFBD2C206B6 xul.dll                   RET  0x00007FFBD2C2243E xul.dll             
    
    _aligned_free +0xd4                          RET  0x00007FFBD2C206B2 xul.dll             
    0x00007FFC0EE15314 mozglue.dll                                                           
    
    RtlLeaveCriticalSection +0x39                RET  _aligned_free +0xb6                     
    0x00007FFC15A9FF99 ntdll.dll                      0x00007FFC0EE152F6 mozglue.dll         
    
    _aligned_free +0x201                         RET  _aligned_free +0x8c                     
    0x00007FFC0EE15441 mozglue.dll                    0x00007FFC0EE152CC mozglue.dll         
    
    memset +0x51                                 RET  _aligned_free +0x7b                     
    0x00007FFC0ED9C7D1 vcruntime140.dll               0x00007FFC0EE152BB mozglue.dll         
    
    OpenProcessToken +0x17                     ~ RET* 0x000000000047C200 EventMon.dll         
    0x00007FFC12967007 KernelBase.dll                                                         
    
    NtOpenProcessToken +0x14                   ~ RET  OpenProcessToken +0xa                   
    0x00007FFC15B17744 ntdll.dll                      0x00007FFC12966FFA KernelBase.dll       
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFC129B1735 KernelBase.dll           VirtualProtect +0x35
    
    2  00007FFBD3102981 xul.dll                 
                       85c0                     TEST         EAX, EAX
                       743d                     JZ           0x7ffbd31029c2
                       488b0d64fb8c02           MOV          RCX, [RIP+0x28cfb64]
                       483bd9                   CMP          RBX, RCX
                       0f822a984d00             JB           0x7ffbd35dc1bf
                       4881c100000040           ADD          RCX, 0x40000000
                       483bf9                   CMP          RDI, RCX
                       0f871a984d00             JA           0x7ffbd35dc1bf
                       b001                     MOV          AL, 0x1
                       488b5c2438               MOV          RBX, [RSP+0x38]
                       4883c420                 ADD          RSP, 0x20
                       5f                       POP          RDI
                       c3                       RET         
    
    3  00007FFBD2C206DA xul.dll                 
    4  00007FFBD2C22486 xul.dll                 
    5  00007FFBD2D3AE29 xul.dll                 
    6  00007FFBD2CDDE9B xul.dll                 
    7  00007FFBD2CDDDA2 xul.dll                 
    8  00007FFBD2DD1D48 xul.dll                 
    9  00007FFBD347BCCF xul.dll                 
    10 00007FFBD2C6601B xul.dll                 
    
    Code Injection
    00000000003F0000-00000000003F6000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [2996]
    0000000000400000-0000000000401000    4KB
    00007FFC15AE9000-00007FFC15AEA000    4KB
    
    Process Trace
    1  C:\Program Files\Mozilla Firefox\firefox.exe [17728]
    2  C:\Program Files\Mozilla Firefox\firefox.exe [5028]
    3  C:\Windows\explorer.exe [9304]
    4  C:\Windows\System32\userinit.exe [10060]
    5  C:\Windows\System32\winlogon.exe [1248]
    winlogon.exe
    
    Thumbprint
    c5f166778e8b91080be7c392e74ba96d0be39b00e37feae785f0d0a2f417ae08
    
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I was updated to this build yesterday by stable channel. No problems so far.
     
  5. newone

    newone Registered Member

    Joined:
    Oct 14, 2006
    Posts:
    71
    Location:
    UK
Hi, HitmanPro.Alert is a great product, thank you. May I ask, any idea when the new build 706 will be available for public beta testing? Thank you.
     
  6. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
I registered for the new Sophos product, which I will probably play around with in a virtual machine; I prefer to use HMPA on my live systems though.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I got this false positive when using Eraser 6.2.0.2979 to empty the recycle bin by way of the recycle bin context menu. I think it's a false positive anyway since the mitigation module triggered was CryptoGuard. I've never had anything encrypted by Eraser before lol

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 5/28/2017 2:48:14 AM
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: XXXXXXXXXXXXXX
    Description:
    Mitigation CryptoGuard

    Platform 10.0.14393/x64 v593 06_1a
    PID 5924
    Application C:\Program Files\Eraser\Eraser.exe
    Description Eraser 6.2

    Filename C:\Program Files\Eraser\Eraser.exe

    C:\$Recycle.Bin\S-1-5-21-4076120051-554345056-2228693993-1001\$II0H9YA.jpg
    C:\$Recycle.Bin\S-1-5-21-4076120051-554345056-2228693993-1001\$IHIAUXZ.jpg
    C:\$Recycle.Bin\S-1-5-21-4076120051-554345056-2228693993-1001\$I6TRTWA.JPG


    Process Trace
    1 C:\Program Files\Eraser\Eraser.exe [5924]
    "C:\Program Files\Eraser\Eraser.exe" /quiet
    2 C:\Program Files\Eraser\Eraser.exe [5200]
    "C:\Program Files\Eraser\Eraser.exe" shell /quiet /parent=65852 recyclebin
    3 C:\Windows\explorer.exe [4492]
    4 C:\Windows\System32\userinit.exe [564]
    5 C:\Windows\System32\winlogon.exe [4548]
    C:\Windows\System32\WinLogon.exe -SpecialSession
    6 C:\Windows\System32\smss.exe [5560]
    \SystemRoot\System32\smss.exe 00000104 0000007c C:\Windows\System32\WinLogon.exe -SpecialSession
    7 C:\Windows\System32\smss.exe [496]
    \SystemRoot\System32\smss.exe
    8 [4]

    Thumbprint
    8768378b772a4fca664a810c9c7943c347bc999b004e551b2adda99a6d2ac18c
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-05-28T06:48:14.715325200Z" />
    <EventRecordID>12621</EventRecordID>
    <Channel>Application</Channel>
    <Computer>DESKTOP-JKKV020</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files\Eraser\Eraser.exe</Data>
    <Data>CryptoGuard</Data>
    <Data>Mitigation CryptoGuard

    Platform 10.0.14393/x64 v593 06_1a
    PID 5924
    Application C:\Program Files\Eraser\Eraser.exe
    Description Eraser 6.2

    Filename C:\Program Files\Eraser\Eraser.exe

    C:\$Recycle.Bin\S-1-5-21-4076120051-554345056-2228693993-1001\$II0H9YA.jpg
    C:\$Recycle.Bin\S-1-5-21-4076120051-554345056-2228693993-1001\$IHIAUXZ.jpg
    C:\$Recycle.Bin\S-1-5-21-4076120051-554345056-2228693993-1001\$I6TRTWA.JPG


    Process Trace
    1 C:\Program Files\Eraser\Eraser.exe [5924]
    "C:\Program Files\Eraser\Eraser.exe" /quiet
    2 C:\Program Files\Eraser\Eraser.exe [5200]
    "C:\Program Files\Eraser\Eraser.exe" shell /quiet /parent=65852 recyclebin
    3 C:\Windows\explorer.exe [4492]
    4 C:\Windows\System32\userinit.exe [564]
    5 C:\Windows\System32\winlogon.exe [4548]
    C:\Windows\System32\WinLogon.exe -SpecialSession
    6 C:\Windows\System32\smss.exe [5560]
    \SystemRoot\System32\smss.exe 00000104 0000007c C:\Windows\System32\WinLogon.exe -SpecialSession
    7 C:\Windows\System32\smss.exe [496]
    \SystemRoot\System32\smss.exe
    8 [4]

    Thumbprint
    8768378b772a4fca664a810c9c7943c347bc999b004e551b2adda99a6d2ac18c</Data>
    </EventData>
    </Event>
     
    Last edited: May 28, 2017
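As an added example (not from the thread and not HitmanPro.Alert's own code), a small parser for the mitigation records quoted in the posts above: it takes the Event ID 911 XML export, pulls out the free-text description, and returns the mitigation name, platform, PID, process trace and thumbprint. It also tolerates the column-aligned ROP layout earlier in the thread by skipping its Branch Trace, Stack Trace and Code Injection sections; the sample record is constructed from the values in the post and trimmed.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
PROC_RE = re.compile(r"^\d+\s+(?P<path>.+?)\s+\[(?P<pid>\d+)\]$")
SECTIONS = ("Process Trace", "Thumbprint", "Branch Trace", "Stack Trace", "Code Injection")
FIELDS = ("Mitigation", "Platform", "PID", "Application", "Description", "Filename")
# Constructed sample modelled on the Event ID 911 record quoted above (trimmed).
SAMPLE_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="HitmanPro.Alert" /><EventID Qualifiers="0">911</EventID></System>
<EventData><Data>C:\Program Files\Eraser\Eraser.exe</Data><Data>CryptoGuard</Data>
<Data>Mitigation CryptoGuard
Platform 10.0.14393/x64 v593 06_1a
PID 5924
Application C:\Program Files\Eraser\Eraser.exe
Process Trace
1 C:\Program Files\Eraser\Eraser.exe [5924]
"C:\Program Files\Eraser\Eraser.exe" /quiet
2 C:\Program Files\Eraser\Eraser.exe [5200]
3 C:\Windows\explorer.exe [4492]
Thumbprint
8768378b772a4fca664a810c9c7943c347bc999b004e551b2adda99a6d2ac18c</Data></EventData></Event>"""

def parse_description(text):
    """Parse the free-text mitigation block; trace/injection sections are skipped."""
    info, section = {"process_trace": []}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line in SECTIONS:
            section = line
            continue
        if section == "Process Trace":
            m = PROC_RE.match(line)
            if m:  # command-line rows carry no trailing [pid] and are ignored
                info["process_trace"].append((m["path"], int(m["pid"])))
        elif section == "Thumbprint":
            info["thumbprint"] = line
        elif section is None:  # header fields, one "Key value" per line
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in FIELDS:
                info[parts[0].lower()] = int(parts[1]) if parts[0] == "PID" else parts[1]
    return info

def parse_event(xml_text):
    """Pull the mitigation description out of an exported Event ID 911 record."""
    root = ET.fromstring(xml_text)
    desc = next(d.text for d in root.iter(NS + "Data") if (d.text or "").startswith("Mitigation"))
    info = parse_description(desc)
    info["event_id"] = int(root.findtext(f"{NS}System/{NS}EventID"))
    return info
```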
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Firefox Browser has been randomly freezing, and becoming unrecoverable. The last time it happened I tried disabling Safe Browsing, and Firefox immediately recovered. I think it is likely the Safe Browsing causing the problem.
     
  9. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    That is not a false positive, but a consequence of what Eraser does and what CryptoGuard is meant to prevent.
If you like to use Eraser or similar to shred files or folders, first disable CryptoGuard, then shred what you like, and after that re-enable CryptoGuard.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Did Erik, or Mark already address this issue before in the past? Are you sure?
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Yes, absolutely. It's here in the thread somewhere.
     
  12. guest

    guest Guest

    #13904 is correct, and this is expected:
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
Ok, thank you guys! I don't use Eraser very often so it's not that big of a burden. I'm actually looking for a replacement for Eraser for Windows 10 x64. I've had issues with it on Windows 10. The Eraser installer starts out trying to install a version of Microsoft .NET Framework that is already installed on Windows 10, so it fails. I worry this could cause data corruption. Eraser has also failed on several occasions to finish erasing the recycle bin, giving back errors.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Ok, thank you guys.
     
  15. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    It sounds like you may already have some OS corruption going on.
    I employ Eraser Pro on my Win10 x64 setup and often with HMP.A and have no issues at all shredding or cleaning.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
It could be. I recently had a botched Eset upgrade, and have not rolled my machine back yet. My machine has been acting funny since the failed upgrade. I wish Eset would get their act together. Upgrading issues have been an ongoing problem with Eset for years now.

Btw.. the problem with Eraser started long before the failed Eset upgrade though. They're probably not related.

    Edited 5/18/17 @ 3:54
     
  17. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    CCleaner Free has a secure delete function. https://www.piriform.com/ccleaner

    You can also add the option "Open CCleaner" to the Recycle Bin context menu. I just generally steer clear of the registry cleaner, but the rest of it is very useful!
     
  18. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
Ever since I auto updated to 366. build 593, the "scan" feature does not work. I hit the button and get "failed".

How can I fix this?

    Thanks
     
  19. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    You can download and install HitmanPro (Trial button).
    After the first time running HitmanPro there is the option to install it. It will probably automatically apply your HitmanPro.Alert license.
    After that, if you start a scan with HitmanPro.Alert, it will start the HitmanPro scan, as intended.
     
  20. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
That's what I did, because I wanted a separate HMP app for scanning apart from HMPA. I really like the separate HMP app.
     
  21. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Any word on a new 7xx beta? I'm still on 704 but I seem to recall Erik/Mark had announced a new one for last week. Maybe I missed the memo.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Nothing yet.
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
I have been using CCleaner for a long time. Do you think its secure delete function is as good as Eraser's?
     
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
Same with the 600 beta, of which last week Erik said two issues he found would be addressed the next day.
I suppose Sophos is keeping Erik and Mark and the team busy with the additional products and all the overhead.
For us, there is nothing to do but be patient.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If you stop and think what we have gained from having Surfright here, patience is a cheap price.
     