HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    It would be helpful to know exactly what build of HitmanPro.Alert you installed.
     
  2. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I am running HMPA 3.6.7 build 604, and it has never interfered with any software installer.
     
  3. akhsj

    akhsj Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    19
    It was downloaded directly from their website last night and is HitmanPro.Alert 3.6.7.604. From the next comment that version appears to be ok. So this may be an interaction between the different software.

    I am just working through setting up a test VM to see if I can narrow this down (although the test VM is Windows 10). Any other suggestions welcomed.
     
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,866
    Location:
    the Netherlands
    Do you recall what the alert was, that you got?
    Was it "Mitigation Lockdown", or something else?

    You can get alert details from Event Viewer:
    Open the HMPA user interface, and click "Number of alerts", or "Last alert", that will open Windows Event Viewer.
    This takes a moment as a HMPA module is added to Event Viewer.
    In Event Viewer, in the HitmanPro.Alert Events section, information can be seen regarding HMPA events.
    Take the entry regarding the specific alert.
    Select all text, use Ctrl+C to copy the selected text, and then you can paste the copied details in a reply in the thread.

    If the alert was "Mitigation Lockdown", this happens when an updater tries to execute dropped executable file(s).
    This happens with some software updaters.
    I don't know if this is the case for the mentioned Skype, WinSCP and/or Malwarebytes.
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    There was a conflict a while back between Bitdefender Threat Control and HMPA

    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-547#post-2673865

    I don't know if this is still the case but you could try turning it off.
     
  6. akhsj

    akhsj Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    19
    Thanks everyone. Of course NOW it is working, although I don't know why. My intent is to buy a HMPA license if I have no further issues.

    I did various actions including uninstalling/reinstalling HMPA, rebooting, updating all definitions etc. Not sure exactly what was broken before or what changed. Now I can successfully update multiple applications including one that failed last night. I also tested all three applications in a new clean Win 10 VM without any issue either (my laptop is Win 7).

    Just for reference from last night I could not find any HMPA events, but did find the Skype install error. Multiple events like this. Other applications that failed were similar. Again, now working this afternoon.

    Log Name: Application
    Source: MsiInstaller
    Date: 9/10/2017 10:20:21 AM
    Event ID: 11406
    Task Category: None
    Level: Error
    Keywords: Classic
    User: Laptop\User
    Computer: Laptop
    Description:
    Product: Skype™ 7.40 -- Error 1406. Could not write value to key \Skype.Content\shell\open\command. System error . Verify that you have sufficient access to that key, or contact your support personnel.
     
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,866
    Location:
    the Netherlands
    If there are any HMPA alerts, the HMPA user interface shows the number of alerts under "Number of alerts".
    In case the HMPA user interface shows zero alerts, no HMPA events show in Windows Event Viewer.
    If the HMPA user interface shows 1 or more alerts, clicking "Number of alerts" or "Last alert" in the HMPA user interface will open Windows Event Viewer and a "HitmanPro.Alert Events" module will be added to Windows Event Viewer. Be patient, as this takes a moment. As soon as the "HitmanPro.Alert Events" module is added to Event Viewer, opening that entry should show any HMPA alerts.
    But again, if the HMPA user interface shows no alerts, no HMPA events show in Windows Event Viewer.
     
  8. szepeviktor

    szepeviktor Registered Member

    Joined:
    Jan 10, 2017
    Posts:
    10
    Location:
    Budapest, HUNGARY
    What is the *practical* benefit of using Intercept X as opposed to HitmanPro.Alert?
    Thanks.
     
  9. szepeviktor

    szepeviktor Registered Member

    Joined:
    Jan 10, 2017
    Posts:
    10
    Location:
    Budapest, HUNGARY
  10. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Intercept X is an enterprise product, while HitmanPro.Alert is a home product. Thus, they cannot be directly compared. :)
     
  11. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Intruder alert build 604. Btw licence expired recently. Win10 1703 build 15063.540 x64/Norton Security v22.10.1.10.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 12-9-2017 08:42:41
    Gebeurtenis-id:911
    Taakcategorie: Intruder
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Intruder

    PID 9596
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 55.0.3

    Detour Report
    # Address Owner Disassembly
    -- ------------------ ------------------------ ------------------------
     
  12. szepeviktor

    szepeviktor Registered Member

    Joined:
    Jan 10, 2017
    Posts:
    10
    Location:
    Budapest, HUNGARY
    My custom malware has 30+ detection rate on VirusTotal.
     
  13. akhsj

    akhsj Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    19
    So I just noticed I am getting event 7026 hmpalert boot-start driver failed to load error on Windows boot. There are no indications in the HMPA GUI of any issues. Does this mean that HMPA protection is not enabled or is degraded? Any suggestions on how I can verify correct operation?

    And atc is Bitdefender Advanced Threat Defense, which may be having similar issues.

    Log Name: System
    Source: Service Control Manager
    Date: 9/10/2017 11:06:29 AM
    Event ID: 7026
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Laptop
    Description:
    The following boot-start or system-start driver(s) failed to load:
    atc
    cdrom
    hmpalert
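
Added example, not part of any post in this thread and not vendor code: a PowerShell check that takes the Event ID 7026 records quoted above, extracts the driver names they list, and reports whether each driver is loaded now. It also lists events written by the `HitmanPro.Alert` source in the Application log, the source name shown in the Intruder alert earlier in the thread. It assumes the event description has the layout shown in the post (one header line, then one driver name per line).

```powershell
# Added example: correlate "failed to load" boot events with current driver state.
# Log name, source and event ID come from the 7026 event quoted in the thread.
$bootFailures = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7026
} -MaxEvents 5 -ErrorAction SilentlyContinue   # no match is not an error here

$report = foreach ($evt in $bootFailures) {
    # Assumed layout: first line is the sentence, remaining lines are driver names.
    $names = $evt.Message -split '\r?\n' |
        Select-Object -Skip 1 |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[\w.-]+$' }   # keep plain service names only

    foreach ($name in $names) {
        $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'"
        [pscustomobject]@{
            LoggedAt  = $evt.TimeCreated
            Driver    = $name
            StartMode = if ($drv) { $drv.StartMode } else { $null }
            StateNow  = if ($drv) { $drv.State } else { 'not installed' }
        }
    }
}
$report | Sort-Object LoggedAt -Descending | Format-Table -AutoSize

# Alerts recorded by the HitmanPro.Alert event source (Application log).
# An empty result matches a GUI that shows zero alerts.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'HitmanPro.Alert'
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'FirstLine'; Expression = { ($_.Message -split '\r?\n')[0] } } |
    Format-Table -AutoSize
```

A `StateNow` of `Running` for `hmpalert` means the driver is loaded in the current session even though an earlier boot logged a failure; `Stopped` after a fresh boot means the 7026 condition still applies.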
     
  14. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Intercept X has centralised distribution and reporting. The biggest advantage of X is that it is supported on servers.
     
  15. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Well I just did, so clearly they can! :D
     
  16. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    :argh::argh::argh:
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Hello all,

    I would like to introduce @RonnyT. Over the past years (well before our acquisition) he has helped us improve HitmanPro and Alert by finding and reporting issues. I am proud to announce that he is now part of SurfRight (a Sophos company).

    He will be working directly with SurfRight developers working on HitmanPro and Alert. More importantly he will improve our presence here at the Wilders Security Forum!

    So give him a warm welcome :thumb:

    Cheers,
    Erik

    PS. A new build is inbound. We have fixed a few last minute show stoppers which set us back a few days for the build to release.
     
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Hi, Ronny. I am sure you will be keeping us "alert". Looking forward to it.
     
  19. Runken

    Runken Registered Member

    Joined:
    May 5, 2017
    Posts:
    7
    Location:
    Europe
    Great News, Erik. Welcome to Wilders RonnyT. Hope you enjoy your stay at SurfRight and this forum.

    Looking forward to the upcoming builds! :thumb::cool:
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Welcome Ronny :thumb:
     
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,866
    Location:
    the Netherlands
    Welcome, @RonnyT.
    @erikloman,
    Thanks very much, Erik.
    September 6, you said the new build of Alert contains fixes from the FastTrack team at Sophos.
    I asked, were all the issues and suggestions that were posted here in both Wilders HMPA threads since HMPA 3.6.7.604 stable and 3.7.0.712 beta (so since end June, early July), also inventoried and used for fixing HMPA? If not by you or Mark, then by other SurfRight/Sophos team members? I really hope all reports here in both Wilders HMPA threads (and also the HMP thread) were not wasted.
     
  22. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Welcome!
     
  23. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
  24. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I second that!
     
  25. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    welcome! :)
    finally! :geek:
     