HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi All,

    Thanks for the warm welcome, and very glad to be part of the SurfRight family now!
    I hope I can bring back the interaction to it's previous levels, and as already stated there where quite a number of things reported of which the status is unknown.

    My primary focus for now is first to get a grip on the Firefox introduced Intruder alert since build 55.0.3 and parallel to that get a view on what's been reported and probably/possibly missed.
    So if someone has a shortlist for me to prevent going over a huge number of posts that would be very welcome!

    For the FF Intruder issue, who can help out and share some details either here or via DM please contact me, so we can see if we can get that reproduced.

    Cheers,
    Ronny
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    Hi Ronny,
    You are right, there was a huge number of posts since HMPA 3.6.7.604 stable and 3.7.0.712 beta, in both this HMPA thread and in the HMPA beta thread.
    I'm sorry, I don't have a shortlist for you.
    If not Erik, nor Mark, nor any other SurfRight/Sophos team member kept track of these threads and inventoried reported issues since end June, early July, then I'm afraid no one did. That would really be a pity, and quite a waste.
     
  3. alawyer

    alawyer Registered Member

    Joined:
    May 17, 2017
    Posts:
    35
    Location:
    the final frontier
    Is there an Android version of this.
     
  4. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    Welcome aboard, Ronny!
     
  5. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Welcome Ronny :)
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    What up and welcome to Wilders :thumb:

    Looking forward to the new HMPA build.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Hi Ronny,

    Welcome!

    You mean this, right? I emailed support about this the other day. Has anyone else reported the intruder alert?

    Thanks,
    Dave
     
  8. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    @RonnyT

    I posted (see #14232) about the FF 55.0.3 intruder-alert. This alert happened around the 9-11th of August. Maybe its related to a Norton Security v22.10.1.10 and Sandboxie 5.20-problem. Found the culprit: Norton Exploit Prevention-setting. No solution yet from Invincea. See https://forums.sandboxie.com/phpBB3/viewtopic.php?f=11&t=24879 I'm the same 'deugniet' btw. Or it could be related to a Firefox-message asking to enable the addon Norton Security Toolbar. At the same time I got the Intruder alert.

    Win10 1703 build 15063.608 x64/Norton Security v22.10.1.10/Sandboxie 5.20/HmP.Alert build 604
     
    Last edited: Sep 20, 2017
  9. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    HMPA v3.6.7 build 604 and Dr Web Katana

    Hi

    Before I install Dr Web Katana I could launch browsers like Google and FF. Now with Dr Web Katana installed whenever I launch Chrome and FF HMPA will prompt with Interception Alert. If I disable the Exploit Mitigation in HMPA I could launch Chrome and FF without problem

    How to solve this?

    Where can I find the log file to post? Thanks
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Hi Ronny

    Also no inventory for you here, so I think you will need to go through posts on both threads mentioned since end June, early July as mentioned by @Stupendous Man above.

    The strangest issue for me (as well as @shmu26, and @mood) seems to be some sort of silent interference with Windows Update for Cumulative Updates, where these are not detected in 712b, but also 604.
    In my case also that DISM and SFC would not run, unless HMPA service was stopped. I had previously PM'd Mark abouth the latter and this was resolved by renaming excalibur.db. I still have the conversation ...

    I had to uninstall HMPA last time to get past this.

    Also, as far as I know Credential Theft Protection still needs to be disabled for Macrium imaging to work. I also have to disable Local Privilege Mitigation, but can't remember why right now :doubt:.
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    You can get alert details from Event Viewer:
    Open the HMPA user interface.
    If the HMPA user interface shows 1 or more alerts, clicking "Number of alerts" or "Last alert" in the HMPA user interface will open Windows Event Viewer and a "HitmanPro.Alert Events" module will be added to Windows Event Viewer. Be patient, as this takes a moment.
    As soon as the "HitmanPro.Alert Events" module is added to Event Viewer, opening that entry should show HMPA events.
    Take the entry regarding the specific alert.
    Select all text, use Ctrl+C to copy the selected text, and then you can past the copied details in a reply in the thread.
     
  12. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Thank you
     
  13. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Hi problems of HMPA v3.6.7 build 604 with Dr Web Katana when running latest versions of Chrome and FF browsers. If I disable Exploit Mitigation in HMPA I can launch the browsers without problem

    Mitigation CallerCheck

    Platform 10.0.15063/x64 v604 06_45
    PID 7820
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 61

    Callee Type CreateProcess
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFA8A237C46 KernelBase.dll
    2 00007FFA8CB4BA83 kernel32.dll

    3 0000027DDE6D109E (anonymous)
    4881c400010000 ADD RSP, 0x100
    5b POP RBX
    5e POP RSI
    5f POP RDI
    c3 RET

    4 0000027DDE6C7030 (anonymous)
    5 0000027DDE6C70BB (anonymous)
    6 0000027DDE6BFD31 (anonymous)
    7 000000000068249D (anonymous)
    8 00007FFA5786DD65 chrome_elf.dll
    9 00007FFA5786E301 chrome_elf.dll
    10 00007FFA5786C46E chrome_elf.dll

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7820]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -incognito -no-referrers -disable-reading-from-canvas
    2 C:\Windows\explorer.exe [6368]
    3 C:\Windows\System32\userinit.exe [6248]

    Thumbprint
    0ebd27f7542b92b5865f753de8ea7377ffe6a91609d2efaaaa831715822eef08


    and with FF

    Mitigation CallerCheck

    Platform 10.0.15063/x64 v604 06_45
    PID 12680
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 55.0.3

    Callee Type CreateProcess
    C:\Program Files (x86)\EagleGet\EGMonitor.exe

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFA8A237C46 KernelBase.dll
    2 00007FFA8CB4BA83 kernel32.dll

    3 000002BDC2D9109E (anonymous)
    4881c400010000 ADD RSP, 0x100
    5b POP RBX
    5e POP RSI
    5f POP RDI
    c3 RET

    4 000002BDC2D87030 (anonymous)
    5 000002BDC2D870BB (anonymous)
    6 000002BDC2D7FBE6 (anonymous)
    7 0000000000D4249D (anonymous)
    8 00007FFA23C6CE03 xul.dll
    9 00007FFA23AB89B0 xul.dll
    10 00007FFA23C4D9D7 xul.dll

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [12680]
    2 C:\Windows\explorer.exe [6368]
    3 C:\Windows\System32\userinit.exe [6248]

    Thumbprint
    7a09c859e866cc3846dd81123cca6267e56c1e564d60784d3ec3900dbc5baed5
     
    Last edited: Sep 20, 2017
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Is there a setting in Katana you can tweak? It looks like Katana is doing exploit mitigations as well where Katana's code is running on the heap!
     
    Last edited: Sep 20, 2017
  15. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Hi

    Yes, Katana comes with exploit protection.

    No way to tweak Katana. There's not even an exclusion feature for programs.

    You can watch its video here

    https://www.youtube.com/watch?v=5n4jAOepk1E
     
  16. Joel Clendineng

    Joel Clendineng Registered Member

    Joined:
    Nov 2, 2016
    Posts:
    10
    Location:
    USA
    Ive emailed about this but I would love a feature where I can add and delete computers from my key. Apparently the keys are tied to the pc you activate on and when I reinstall windows (as an it guy I do almost monthly ;) ) I dont want to have to keep buying year keys that I know are useless to me after a reinstall. Anyone else run into issues with licensing?
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    Such feature would be nice, but even without it, there is definitely no need to buy a new key for each Windows reinstallation.
    You can contact support, and your issue will be fixed. Although that would be very inconvenient if you need to do that every month, so an ad/delete option as you proposed would be a lot better.
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Software that doesn't provide settings for exploit protection should be banned ;)

    I recommend to turn off exploit protection in Alert on the programs that exhibit the problem (Disable Mitigations per app).

    Or uninstall Katana as that is the app that does not allow configuration.

    Hope this helps.
     
  19. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Thanks and it works. I'll need Katana to provide the exploit protection
     
  20. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    :argh:
     
  21. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Hi RonnyT,

    The following three posts could be a start: here, here and here. Beyond that, you can page back to around the beginning of July in both HMP.A threads and make your way back to the present. It really isn't that much material to go through, and some of it we figured out among ourselves, so there's less to deal with than it might seem at first glance.
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
  23. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    I was hoping 3.7.0 Build 717 BETA would solve this issue, but no.

    The Issue: since the previous beta, everytime I upgrade from Firefox 55.02 to Firefox 55.03 and run firefox 55.03, I get an alert from hitmanpro.alert beta saying "intruder detected! Do not enter personal data or bank online."

    Has anyone else seen this? and
    anyone know how to fix this?

    thanks.
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Yes, I had the exact same thing. Edit: Except with the released version of HMP.A (build 604), not the beta.

    #14202

    Do you have Norton / Symantec installed?
     
  25. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    Yes, I do have Norton Security installed.
    Did you find a solution?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.