HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    @erikloman ?

    @RonnyT ?

    Also: #14254

    Thanks.
     
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    What OS & Version are you running, and which other security software is installed and what add-ons are loaded in Firefox?
    (If you don't wish to post public please DM me the details).
     
  3. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    OS version win 10 latest version and updates
    Firefox add-ons:
    Norton Security Toolbar
    Session Manager
    Tabmix Plus
    Zoom page
    Dashlane
    Other Security Software:
    Norton Security w/backup latest version
    VoodooShield latest Beta
    HitmanPro.Alert latest beta

    This does not happen if I am running Firefox 64 bit 55.02 or earlier versions

    It started with Firefox 55.03. If I go back to Firefox 55.02, the problem is gone.
     
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Log Name: Application
    Source: HitmanPro.Alert
    Date: 9/24/2017 12:23:25 AM
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: User-PC
    Description:
    Mitigation HeapSpray

    Platform 6.1.7601/x64 v604 06_3a
    PID 7072
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 61

    #04 000000002081D000 L00040000; CycleLen=15376; NumDetections=17
    61 72 6E 69 6E 67 22 2C 22 66 69 72 65 62 69 74 2E 6E 65 74 23 23 23 61 64 76 2D 33 30 30 20 2B 20 64 69 76 5C 5C 5B 63 6C 61 73 73 5D 5C 5C 5B 61 6C 69 67 6E 3D 5C 22 63 65 6E 74 65 72 5C 22 5D 5C 5C
    #05 00000000207DD000 L00040000; CycleLen=15376; NumDetections=17
    61 72 6E 69 6E 67 22 2C 22 66 69 72 65 62 69 74 2E 6E 65 74 23 23 23 61 64 76 2D 33 30 30 20 2B 20 64 69 76 5C 5C 5B 63 6C 61 73 73 5D 5C 5C 5B 61 6C 69 67 6E 3D 5C 22 63 65 6E 74 65 72 5C 22 5D 5C 5C

    Code Injection
    00010000-00011000 4KB n/a [7180]
    00CE0000-00CE1000 4KB

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7072]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disk-cache-dir="/tmp/ram/"
    2 C:\Windows\explorer.exe [1156]
    3 C:\Windows\System32\userinit.exe [2692]
    4 C:\Windows\System32\winlogon.exe [888]
    winlogon.exe

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-09-24T04:23:25.000000000Z" />
    <EventRecordID>14477</EventRecordID>
    <Channel>Application</Channel>
    <Computer>User-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
    <Data>HeapSpray</Data>
    <Data>Mitigation HeapSpray

    Platform 6.1.7601/x64 v604 06_3a
    PID 7072
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 61

    #04 000000002081D000 L00040000; CycleLen=15376; NumDetections=17
    61 72 6E 69 6E 67 22 2C 22 66 69 72 65 62 69 74 2E 6E 65 74 23 23 23 61 64 76 2D 33 30 30 20 2B 20 64 69 76 5C 5C 5B 63 6C 61 73 73 5D 5C 5C 5B 61 6C 69 67 6E 3D 5C 22 63 65 6E 74 65 72 5C 22 5D 5C 5C
    #05 00000000207DD000 L00040000; CycleLen=15376; NumDetections=17
    61 72 6E 69 6E 67 22 2C 22 66 69 72 65 62 69 74 2E 6E 65 74 23 23 23 61 64 76 2D 33 30 30 20 2B 20 64 69 76 5C 5C 5B 63 6C 61 73 73 5D 5C 5C 5B 61 6C 69 67 6E 3D 5C 22 63 65 6E 74 65 72 5C 22 5D 5C 5C

    Code Injection
    00010000-00011000 4KB n/a [7180]
    00CE0000-00CE1000 4KB

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7072]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disk-cache-dir="/tmp/ram/"
    2 C:\Windows\explorer.exe [1156]
    3 C:\Windows\System32\userinit.exe [2692]
    4 C:\Windows\System32\winlogon.exe [888]
    winlogon.exe
    </Data>
    </EventData>
    </Event>
     
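The Event ID 911 record above is worth parsing rather than eyeballing: the Description is a free-text report with a fixed shape (Mitigation line, Platform/PID/Application header, numbered memory regions with a hex sample for HeapSpray hits, then Code Injection and Process Trace sections), and the report lives in the third `<Data>` item of the event's XML. The following is an added example, my own PowerShell and not HitmanPro.Alert's code; the function and property names are mine, the layout it parses is taken from the event quoted above, and `$sample` is that event's Description verbatim.

```powershell
# Added example (my code, not HitmanPro.Alert's): parse the report that HitmanPro.Alert
# writes into Application-log Event ID 911 and decode the bytes it quotes for a HeapSpray
# hit. Function and property names are mine; the report layout follows the event posted
# above, and $sample is that event's Description.

function ConvertFrom-HmpaReport {
    param([Parameter(Mandatory)][string]$Report)

    $r = [ordered]@{ Mitigation = $null; Platform = $null; Pid = $null; Application = $null
                     Regions = @(); ProcessTrace = @() }
    $section = ''
    foreach ($raw in $Report -split "`r?`n") {
        $line = $raw.Trim()
        if (-not $line) { continue }
        switch -Regex ($line) {
            '^Mitigation\s+(\S+)$'   { $r.Mitigation  = $Matches[1];      break }
            '^Platform\s+(.+)$'      { $r.Platform    = $Matches[1];      break }
            '^PID\s+(\d+)$'          { $r.Pid         = [int]$Matches[1]; break }
            '^Application\s+(.+)$'   { $r.Application = $Matches[1];      break }
            '^(Code Injection|Process Trace|Stack Trace)$' { $section = $Matches[1]; break }
            # "#04 000000002081D000 L00040000; CycleLen=15376; NumDetections=17"
            '^#(\d+)\s+([0-9A-F]+)\s+L([0-9A-F]+);\s*CycleLen=(\d+);\s*NumDetections=(\d+)$' {
                $r.Regions += [pscustomobject]@{
                    Index = [int]$Matches[1]; Address = $Matches[2]
                    Length = [Convert]::ToInt64($Matches[3], 16)
                    CycleLen = [int]$Matches[4]; NumDetections = [int]$Matches[5]; Sample = '' }
                $section = 'Region'; break }
            # a run of hex bytes directly under a region header: decode it as ASCII
            '^[0-9A-F]{2}( [0-9A-F]{2})*$' {
                if ($section -eq 'Region' -and $r.Regions.Count -gt 0) {
                    $bytes = $line -split ' ' | ForEach-Object { [Convert]::ToByte($_, 16) }
                    $r.Regions[-1].Sample = [System.Text.Encoding]::ASCII.GetString([byte[]]$bytes) }
                break }
            # "1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7072]"
            '^(\d+)\s+(.+?)\s+\[(\d+)\]$' {
                if ($section -eq 'Process Trace') {
                    $r.ProcessTrace += [pscustomobject]@{
                        Depth = [int]$Matches[1]; Image = $Matches[2]; Pid = [int]$Matches[3] } }
                break }
        }
    }
    [pscustomobject]$r
}

# The Description of the Event ID 911 record posted above (the third <Data> item in its XML)
$sample = @'
Mitigation HeapSpray

Platform 6.1.7601/x64 v604 06_3a
PID 7072
Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Description Google Chrome 61

#04 000000002081D000 L00040000; CycleLen=15376; NumDetections=17
61 72 6E 69 6E 67 22 2C 22 66 69 72 65 62 69 74 2E 6E 65 74 23 23 23 61 64 76 2D 33 30 30 20 2B 20 64 69 76 5C 5C 5B 63 6C 61 73 73 5D 5C 5C 5B 61 6C 69 67 6E 3D 5C 22 63 65 6E 74 65 72 5C 22 5D 5C 5C
#05 00000000207DD000 L00040000; CycleLen=15376; NumDetections=17
61 72 6E 69 6E 67 22 2C 22 66 69 72 65 62 69 74 2E 6E 65 74 23 23 23 61 64 76 2D 33 30 30 20 2B 20 64 69 76 5C 5C 5B 63 6C 61 73 73 5D 5C 5C 5B 61 6C 69 67 6E 3D 5C 22 63 65 6E 74 65 72 5C 22 5D 5C 5C

Code Injection
00010000-00011000 4KB n/a [7180]
00CE0000-00CE1000 4KB

Process Trace
1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [7072]
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disk-cache-dir="/tmp/ram/"
2 C:\Windows\explorer.exe [1156]
3 C:\Windows\System32\userinit.exe [2692]
4 C:\Windows\System32\winlogon.exe [888]
winlogon.exe
'@

$report = ConvertFrom-HmpaReport $sample
"{0} in {1} (PID {2}) on {3}" -f $report.Mitigation, $report.Application, $report.Pid, $report.Platform
$report.Regions      | Format-Table Index, Address, CycleLen, NumDetections, Sample -AutoSize
$report.ProcessTrace | Format-Table Depth, Pid, Image -AutoSize

# Same parser against the live log; the report is the third EventData item, as in the XML above
function Get-HmpaMitigationEvent {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'HitmanPro.Alert'; Id = 911 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-HmpaReport ([string]$_.Properties[2].Value)
            $parsed | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
        }
}
```

Decoding the quoted bytes gives `arning","firebit.net###adv-300 + div\\[class]\\[align=\"center\"]\\`, a JSON-escaped string that reads like an element-hiding rule from an ad-block filter list (`firebit.net###adv-300 + div[class][align="center"]`). A large list of such rules held in memory is exactly the kind of repeating, fixed-period data (note the identical `CycleLen=15376` in both regions) that a spray heuristic can flag, and the process trace shows a normal logon chain (winlogon, userinit, explorer) launching Chrome, so this looks like a benign-data detection rather than an exploit; only the vendor can confirm that from the full report. Checking the decoded sample this way before escalating a 911 event is the practical point.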
  5. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    According to your sig, you are running Chrome 64-bit, and an old build (593) of HMPA. But this mitigation log refers to Chrome x86. Maybe you could add some comments about what you are running?
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Any Norton + Chrome users checked Windows Reliability History?

    Whenever Norton + HMP.A is installed on any of my machines and I check Windows Reliability History I see Chrome has crashed... often! To be clear, I don't actually see a crash, it's only when I check Windows Reliability History I see these errors.

    The faulty module is always ntdll.dll.

    I've been seeing this for as long as I can remember and I finally decided I'd investigate. Without HMP.A this never happens. With Windows Defender or Avast free + HMP.A installed this never happens. With Malwarebytes 3.2 installed with Exploit Protection enabled this never happens.

    It appears Norton + HMPA = some incompatibility with Chrome, at least on my three machines.

    Anyone see this?

    Thanks.

    • Windows 10 x 64
    • Norton Security 22.10.1.10
    • HitmanPro.Alert 3.6.7 build 604
    • Chrome Version 61.0.3163.100 (Official Build) (64-bit)
     
    Last edited: Sep 29, 2017
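Reliability History is a view over the same records that Windows Error Reporting writes to the Application log as "Application Error" Event ID 1000, so the observation in the post above can be counted instead of eyeballed. The following is an added example of my own, not from the post or from any vendor; the three messages in `$sample` are constructed to the Event ID 1000 message shape (application name, module name, exception code) and are not real records, and the ntdll.dll version numbers in them are placeholders.

```powershell
# Added example (my code, not from the post): count application crashes from the
# Application log by faulting module, the same data Reliability History displays.
# Event ID 1000 from provider "Application Error" begins with
#   Faulting application name: X, version: ..., time stamp: ...
#   Faulting module name: Y, version: ..., time stamp: ...
#   Exception code: 0x...
# The $sample messages below are constructed; version numbers are placeholders.

function ConvertFrom-AppCrash {
    param([Parameter(Mandatory)][string]$Message)
    $app = if ($Message -match 'Faulting application name:\s*([^,]+),') { $Matches[1].Trim() }
    $mod = if ($Message -match 'Faulting module name:\s*([^,]+),')      { $Matches[1].Trim() }
    $exc = if ($Message -match 'Exception code:\s*(0x[0-9a-f]+)')       { $Matches[1] }
    [pscustomobject]@{ Application = $app; Module = $mod; ExceptionCode = $exc }
}

# Crashes of one executable, grouped by faulting module and exception code
function Get-CrashSummary {
    param([Parameter(Mandatory)][object[]]$Crashes, [string]$Application = 'chrome.exe')
    $Crashes | Where-Object { $_.Application -eq $Application } |
        Group-Object Module, ExceptionCode | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Live query: Event ID 1000 records from the last N days
function Get-RecentAppCrash {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'
                                     Id = 1000; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AppCrash $_.Message }
}

# Offline run on constructed sample messages (not real log records)
$sample = @(
    "Faulting application name: chrome.exe, version: 61.0.3163.100, time stamp: 0x00000000`nFaulting module name: ntdll.dll, version: 10.0.0.0, time stamp: 0x00000000`nException code: 0xc0000005"
    "Faulting application name: chrome.exe, version: 61.0.3163.100, time stamp: 0x00000000`nFaulting module name: ntdll.dll, version: 10.0.0.0, time stamp: 0x00000000`nException code: 0xc0000005"
    "Faulting application name: notepad.exe, version: 10.0.0.0, time stamp: 0x00000000`nFaulting module name: notepad.exe, version: 10.0.0.0, time stamp: 0x00000000`nException code: 0xc0000409"
)
$crashes = $sample | ForEach-Object { ConvertFrom-AppCrash $_ }
Get-CrashSummary -Crashes $crashes -Application 'chrome.exe'

# On a real machine: Get-CrashSummary -Crashes (Get-RecentAppCrash -Days 30)
```

Run the live form before and after removing one of the products (Norton, HMP.A) for a few days each; a count that drops to zero with one product uninstalled, while the other stays, is the evidence a vendor will ask for. A faulting module of ntdll.dll on its own does not say which hook caused the fault, only that the process died inside the loader or heap code that every injected DLL shares.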
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Is there a way to determine which license is used on a computer? I don't see anything in the GUI, but perhaps it is visible in the registry or something. I have several licenses but I don't know which computers use which license.
     
  8. plat1098

    plat1098 Guest

    Anyone using Internet Explorer, gmail and release HMP Alert 6.04 at the same time? If so, is anyone experiencing IE crashes :rolleyes: using the latest gmail sign-in interface? Disabling "Safe Browsing" eliminates that, it's just that simple, but then the purpose is defeated. This happened with accelerated frequency after latest Windows update kb4040724.

    Note: this is second machine, which does not have Sandboxie.
     
  9. plat1098

    plat1098 Guest

    Seems this was "purely" an IE bug-lette that was fixed with kb 4041676.
     
  10. Erastus Seymour Pott

    Erastus Seymour Pott Registered Member

    Joined:
    Jan 17, 2017
    Posts:
    15
    Location:
    UK
    So... I launched my GOG client today and decided I was going to play a quick game of Gwent. HMP.A had other ideas:

    Mitigation CallerCheck

    Platform 10.0.15063/x64 v604 06_3f
    PID 10160
    Application C:\Games\Gwent\Gwent.exe
    Description 2017.1

    Callee Type LoadLibrary

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 000000001AE619E8 (anonymous; mono.dll)
    4883c420 ADD RSP, 0x20
    488b4d98 MOV RCX, [RBP-0x68]
    4c8b5da0 MOV R11, [RBP-0x60]
    49890b MOV [R11], RCX
    488b75f8 MOV RSI, [RBP-0x8]
    c9 LEAVE
    c3 RET

    2 000000001AE61886 (anonymous; mono.dll)
    3 000000001AE61673 (anonymous; mono.dll)
    4 000000001AE608A7 (anonymous; mono.dll)
    5 000000001AE60253 (anonymous; mono.dll)
    6 000000001AE3E2B6 (anonymous; mono.dll)
    7 000000001AE3DBB6 (anonymous; mono.dll)
    8 000000001AE3D2A8 (anonymous; mono.dll)
    9 000000001AE17C84 (anonymous; mono.dll)
    10 000000001AE16C41 (anonymous; mono.dll)

    Process Trace
    1 C:\Games\Gwent\Gwent.exe [10160]
    2 D:\Program Files (x86)\GalaxyClient\GalaxyClient.exe [17260]
    "D:\Program Files (x86)\GalaxyClient\GalaxyClient.exe" /runWithoutUpdating
    3 C:\ProgramData\GOG.com\Galaxy\temp\desktop-galaxy-updater\GalaxyUpdater.exe [932]
    "C:\ProgramData\GOG.com\Galaxy\temp\desktop-galaxy-updater\GalaxyUpdater.exe" /clientUpdatePath="D:\Program Files (x86)\GalaxyClient" /globalRedistUpdatePath="C:\ProgramData/GOG.com/Galaxy/redists" /previousClientVersion="1.2.23.4" /redistUpdatePath="C:\Pr
    4 C:\ProgramData\GOG.com\Galaxy\redists\GalaxyUpdater.exe [13244]
    "C:\ProgramData\GOG.com\Galaxy\redists\GalaxyUpdater.exe" /clientUpdatePath="D:\Program Files (x86)\GalaxyClient" /globalRedistUpdatePath="C:\ProgramData/GOG.com/Galaxy/redists" /previousClientVersion="1.2.23.4" /redistUpdatePath="C:\ProgramData/GOG.com/Ga
    5 D:\Program Files (x86)\GalaxyClient\GalaxyClient.exe [12252]
    6 C:\Windows\explorer.exe [8524]
    7 C:\Windows\System32\userinit.exe [13076]
    8 C:\Windows\System32\winlogon.exe [11048]
    C:\WINDOWS\System32\WinLogon.exe -SpecialSession
    9 C:\Windows\System32\smss.exe [5300]
    \SystemRoot\System32\smss.exe 000000d4 00000084 C:\WINDOWS\System32\WinLogon.exe -SpecialSession

    Anyone else seen this before ?
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Folks might like to know that Exploit Guard is live in the new Windows 10 Fall Creators Update ( 1709 build 16299.15 ). By default:

    Control flow guard = On
    DEP = On
    ASLR = Off
    Bottom-up ASLR = On
    SEHOP = On
    validate heap integrity = On

    I don't know if there is any interaction with HMPA yet.
     
  12. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    Do they still give out a free license for HMPA? It looks like for HMPA and HMP I need to get 2 licenses now instead of one.
     
  13. plat1098

    plat1098 Guest

    Thank you VERY much for this information. I'm going to de-activate Alert prior to tomorrow's upgrade to be prudent.
     
  14. guest

    guest Guest

    Yes, i think so.
     
  15. guest

    guest Guest

    Overlapping? obviously.
    Conflict ? maybe.
    No need of a dedicated anti-exploit? let tests tell it...

    :D
     
  16. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    So should Exploit Guard in Windows be turned off when using HMPA?

    Can Exploit Guard be turned off in the first place?
     
  17. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @RonnyT ?
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Yes, all of the items I listed, e.g. DEP, ASLR, etc., can be toggled Off individually.
     
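The defaults listed a few posts up, and the question of whether they can be switched off, are both answerable from PowerShell. The following is an added example of my own, not from the posts or from Microsoft's documentation verbatim; it uses the built-in ProcessMitigations module that ships with Windows 10 1709 and later, must be run from an elevated prompt, and the mitigation names it passes (`DEP`, `CFG`, `SEHOP`, `BottomUp`, `ForceRelocateImages`, `TerminateOnError`) are the ones `Set-ProcessMitigation` accepts; `chrome.exe` is used only because it is the process the thread keeps coming back to.

```powershell
# Added example (my code, not from the thread): read and change the system-wide Exploit
# protection (Exploit Guard) settings listed above. Run elevated on Windows 10 1709+.
# Assumptions: the ProcessMitigations module is present (it ships with 1709), and the
# mitigation names below are those accepted by Set-ProcessMitigation's -Enable/-Disable.

# 1. What is enforced system-wide right now. NOTSET means "Windows default", which for the
#    build in the post is: CFG on, DEP on, mandatory ASLR off, bottom-up ASLR on, SEHOP on,
#    heap integrity (TerminateOnError) on.
$sys = Get-ProcessMitigation -System
$sys.DEP, $sys.ASLR, $sys.CFG, $sys.SEHOP, $sys.Heap | Format-List

# 2. Effective settings for one executable (system default plus any per-app override)
Get-ProcessMitigation -Name chrome.exe

# 3. Yes, they can be turned off: a single system-wide mitigation, then restored
Set-ProcessMitigation -System -Disable CFG
Set-ProcessMitigation -System -Enable  CFG

# 4. Prefer a per-executable override to a system-wide change when two products overlap
#    on the same process; this leaves the rest of the machine at the default.
Set-ProcessMitigation -Name chrome.exe -Disable SEHOP
Set-ProcessMitigation -Name chrome.exe -Enable  SEHOP

# 5. Snapshot the whole policy to XML before experimenting, so it can be diffed and re-applied
Get-ProcessMitigation -RegistryConfigFilePath .\exploit-protection-before.xml
# Set-ProcessMitigation -PolicyFilePath .\exploit-protection-before.xml   # re-apply later
```

The six items in the post are the system-wide defaults; the per-process payload checks that Exploit protection also offers (export/import address filtering, the ROP stack-pivot, caller and SimExec checks) are off unless enabled per executable, and those are the ones that overlap most directly with what HMP.A reports under names like CallerCheck above. Whether the overlap becomes a conflict is, as the posts say, something only testing on the specific machine shows; take the XML snapshot first so the change can be reversed exactly.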
  19. CaptainLeonidasHMPA

    CaptainLeonidasHMPA Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    42
    Location:
    The Netherlands
    Opening "Device manager" in Windows 10 Pro Fall Update (1709):
    (Added for reference HMP.A version 3.6.7 build 604)

    Known issue?

    Mitigation APCViolation

    Platform 10.0.16299/x64 v604 06_3f
    PID 10868
    Application C:\Windows\SysWOW64\dllhost.exe
    Description COM Surrogate 10

    APC intercepted:
    05480080 55 PUSH EBP
    05480081 8bec MOV EBP, ESP
    05480083 8b4d08 MOV ECX, [EBP+0x8]
    05480086 83ec08 SUB ESP, 0x8
    05480089 85c9 TEST ECX, ECX
    0548008B 7439 JZ 0x54800c6
    0548008D 0fb711 MOVZX EDX, WORD [ECX]
    05480090 6685d2 TEST DX, DX
    05480093 7431 JZ 0x54800c6
    05480095 56 PUSH ESI
    05480096 8b7104 MOV ESI, [ECX+0x4]
    05480099 83fe18 CMP ESI, 0x18
    0548009C 7227 JB 0x54800c5
    0548009E 8b4108 MOV EAX, [ECX+0x8]
    054800A1 0b410c OR EAX, [ECX+0xc]
    054800A4 741f JZ 0x54800c5

    Thumbprint
    efc68f679465dc215fe731acb0a43efff0760166631a49fee7cdf039f07ae0d0
     
    Last edited: Oct 18, 2017
  20. plat1098

    plat1098 Guest

    Windows 10 16299.15 (Fall CU): release 6.04: Block Untrusted Fonts does not remain enabled. Anyone else?
     
  21. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    I uninstalled HMP.A before upgrading to Windows 10 Fall Creators Update.

    Forgot to do the same for MBAM... And even EAM seems not fully supported...

    (currently uninstalled both HMP.A and MBAM; still running EAM)
     
  22. CaptainLeonidasHMPA

    CaptainLeonidasHMPA Registered Member

    Joined:
    Aug 14, 2016
    Posts:
    42
    Location:
    The Netherlands
    Also since the Fall update:
    (Added for reference HMP.A version 3.6.7 build 604)

    Mitigation APCViolation

    Platform 10.0.16299/x64 v604 06_3f
    PID 14432
    Application C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    Description Microsoft .NET Framework optimization service 4.7

    APC intercepted:
    005E0080 55 PUSH EBP
    005E0081 8bec MOV EBP, ESP
    005E0083 8b4d08 MOV ECX, [EBP+0x8]
    005E0086 83ec08 SUB ESP, 0x8
    005E0089 85c9 TEST ECX, ECX
    005E008B 7439 JZ 0x5e00c6
    005E008D 0fb711 MOVZX EDX, WORD [ECX]
    005E0090 6685d2 TEST DX, DX
    005E0093 7431 JZ 0x5e00c6
    005E0095 56 PUSH ESI
    005E0096 8b7104 MOV ESI, [ECX+0x4]
    005E0099 83fe18 CMP ESI, 0x18
    005E009C 7227 JB 0x5e00c5
    005E009E 8b4108 MOV EAX, [ECX+0x8]
    005E00A1 0b410c OR EAX, [ECX+0xc]
    005E00A4 741f JZ 0x5e00c5

    Process Trace
    1 C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe [14432]
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe" /RuntimeWide /Critical /StopEvent:860
    2 C:\Windows\System32\taskhostw.exe [16228]
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    3 C:\Windows\System32\svchost.exe [2320]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
    4 C:\Windows\System32\services.exe [592]
    5 C:\Windows\System32\wininit.exe [1016]
    wininit.exe

    Thumbprint
    b68e94775e3a2b290eccf10af35454a41f6eb4a812c86cbc35bb7a88e67265b5
     
    Last edited: Oct 18, 2017
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Anyone seen something like this since updating Windows 10 to v1709 build 16299.19?

    #3419

    It would be great if one of the dev's could comment on whether there is a possible conflict with HMP.A on the latest Win10.

    Thanks.
     
  24. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Uninstalled 717 beta while updating W10 Fall update.
     
  25. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Thanks. I saw them now after upgrading to RS3

    So I'll disable them and use HMPA instead
     