HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.7.3 build 729 Released

    Changelog (compared to build 723)
    • Added
      • PrivGuard: mitigate MS16-032 (CVE-2016-0099)
      • Application lockdown for Microsoft Office Equation Editor (CVE-2017-11882)
    • Improved
      • CodeCave, HeapSpray, CryptoGuard, HollowProcess Mitigations
    • Fixed
      • BadUSB Alert during boot while BadUSB was disabled
      • IAF FP in Nero Media player
      • Windows System Image Backup failing with locked EFI/ESP
      • Antimalware won't (stay) enable(d)
    • Download
    This build is the same as build 728 BETA. We simply removed the BETA tag and therefore had to bump the version number to 729 ;)
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,841
    Location:
    the Netherlands
    Thanks.
    But if this is the stable release, shouldn't it be posted in the HMPA stable thread?
     
  3. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,760
    Mark, were you able to fix anything in this version from the dumps I sent you a while back concerning Shadow Defender and HMPA v723?
     
  4. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    I'm unable to install 3.7.3 build 729 over (beta) 3.7.3 build 728:

    Code:
    Failed to install program.
    Error 0.
    
     
  5. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    I am running hitmanpro.alert 7.29 beta. I just looked in the Win 10 Task Manager and noticed that hitmanpro.alert is running as the 32-bit version.
    I have Win 10 Pro 64-bit installed.
    Anyone have any idea why the 64-bit version of hitmanpro.alert is not running?
     
    Last edited: Jan 10, 2018
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Build 729 isn't a beta. :)

    Same here. I'm sure that is by design and nothing to worry about.
     
  7. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    HitmanPro has a 32-bit and 64-bit version. HMP.A runs the same version on both.
     
  9. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    Not sure what you mean. On both what?
    I think if you have a 64-bit operating system, then you should have the 64-bit version of hitmanpro.alert running. Yes?

    Do you mean it runs as a 32-bit application on both 64-bit PCs and 32-bit PCs?
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    No.
    I mean the same version runs on 32-bit and 64-bit machines.
    Yes, but you don't have to believe me. I'm sure someone will correct me if I'm wrong, but I see the exact same thing on three Win10 x64 machines.
     
  11. guest

    guest Guest

    On a 64-bit system:
    The application itself (hmpalert.exe) is 32-bit, but the driver and the dll which is injected into processes is a 64-bit version (and 32-bit, see below).
    To be more precise: Two versions of hmpalert.dll are installed.
    C:\Windows\SysWOW64\hmpalert.dll (=32-bit, it is injected into 32-bit processes)
    and
    C:\Windows\System32\hmpalert.dll (=64-bit, it is injected into 64-bit processes)
     
  12. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    Thanks for the explanation folks.

    I thought I understood enough about processes in Windows. Obviously I was wrong.
    When I see SysWOW64, I just assume that must be for 64bit "things". I am grateful for your help.
     
  13. guest

    guest Guest

    You're welcome :)
     
  14. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    It is totally counter-intuitive, but SysWOW64 is for 32-bit things and System32 is for 64-bit things. :eek:

    I have noticed that most of my security programs run as 32-bit executables.
     
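Posts 11 and 14 above describe the split that confuses people: hmpalert.exe is a 32-bit process, while hmpalert.dll is installed twice, a 64-bit build under System32 and a 32-bit build under SysWOW64. The following is an added example, not the product's own code: it reads the COFF Machine field from a PE header to report whether an image is 32-bit or 64-bit, and ships with constructed headers so it also runs where the files are absent. The hmpalert.dll paths are the ones quoted in the thread, and the on-disk check assumes a 64-bit Python so that WOW64 does not silently redirect System32 to SysWOW64.

```python
import os
import struct

# COFF Machine values for the two image types discussed in the thread
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x64

def pe_machine(data):
    """Return the COFF Machine field of a PE image from its leading bytes.
    Layout: 'MZ' DOS header, e_lfanew (DWORD at 0x3C) pointing at the PE
    signature, then the COFF header whose first WORD is Machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found in the bytes supplied")
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]

def bitness(data):
    """Map the Machine field to the wording used in the thread."""
    machine = pe_machine(data)
    names = {IMAGE_FILE_MACHINE_I386: "32-bit", IMAGE_FILE_MACHINE_AMD64: "64-bit"}
    return names.get(machine, "other (0x%04x)" % machine)

def make_fake_pe(machine):
    """Constructed minimal PE header (not a real binary), enough for pe_machine()."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + bytearray(e_lfanew - 2)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)

def check_file(path):
    """Bitness of an on-disk PE; only the first 4 KiB (the headers) are read."""
    with open(path, "rb") as f:
        return bitness(f.read(0x1000))

if __name__ == "__main__":
    # Paths quoted in the thread. Assumption: 64-bit Python, so WOW64 does not
    # redirect System32 to SysWOW64 (a 32-bit process would need \Sysnative).
    root = os.environ.get("SystemRoot", r"C:\Windows")
    for rel in (("System32", "hmpalert.dll"), ("SysWOW64", "hmpalert.dll")):
        path = os.path.join(root, *rel)
        if os.path.exists(path):
            print(path, check_file(path))
    for m in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        print("constructed header:", bitness(make_fake_pe(m)))
```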
  15. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    I've been running HMP.A 3.7.3 b728 and several of the previous betas since they were released without any problems, and can confirm that 3.7.3 b729 seems to be running perfectly on W10 Pro x64.

    Thanks for a great product. I'm impressed.
     
  16. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Gotta love M$
     
  17. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    Testing https-everywhere.exe (ie extension) I got an intruder message from HitmanProAlert v3.7.3.729.
    I think this is a false positive:
    IE11 Intruder HTTPSEverywere v0.0.0.3 false.jpg
     
  18. guest

    guest Guest

    It would help, if you could post all details of the alert (which can be found in the Windows Event Viewer).
    Instructions: #14351
     
  19. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    This looks exactly like intended behavior ;) HTTPS Everywhere is messing with the browser's encryption.
    Where did you download this version? EFF doesn't seem to provide this one; I assume the ZScaler team?

    On a small note, 729 is a stable release and this is the BETA board...
     
  20. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    Do you mean this?
    Code:
    Logboeknaam:   Application
    Bron:          HitmanPro.Alert
    Datum:         12-01-2018 10:05:54
    Gebeurtenis-id:911
    Taakcategorie: Intruder
    Niveau:        Fout
    Trefwoorden:   Klassiek
    Gebruiker:     n.v.t.
    Computer:      DH-PC-w10n
    Beschrijving:
    Intruder
    
    PID          6528
    Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description  Internet Explorer 11
    
    Detour Report
    #  Address     Owner                    Disassembly
    -- ----------  ------------------------ ------------------------
    FtpOpenFileA
     1 0x73B407B0  WININET.dll              JMP 0x50923560
     2 0x50923560  HTTPSEverywhere.dll    
    
    FtpOpenFileW
     1 0x73B439C0  WININET.dll              JMP 0x509234c0
     2 0x509234C0  HTTPSEverywhere.dll    
    
    HttpAddRequestHeadersA
     1 0x73A5EAA0  WININET.dll              JMP 0x50923880
     2 0x50923880  HTTPSEverywhere.dll    
    
    HttpAddRequestHeadersW
     1 0x73A5CE80  WININET.dll              JMP 0x509237e0
     2 0x509237E0  HTTPSEverywhere.dll    
    
    HttpOpenRequestA *
     1 0x73AD5B80  WININET.dll              JMP 0x509232d0
     2 0x509232D0  HTTPSEverywhere.dll    
    
    HttpOpenRequestW *
     1 0x73A5D120  WININET.dll              JMP 0x50923220
     2 0x50923220  HTTPSEverywhere.dll    
    
    HttpSendRequestA
     1 0x73A99710  WININET.dll              JMP 0x50923420
     2 0x50923420  HTTPSEverywhere.dll    
    
    InternetCloseHandle
     1 0x73AC8010  WININET.dll              JMP 0x50922f90
     2 0x50922F90  HTTPSEverywhere.dll    
    
    InternetConnectA
     1 0x73AD5470  WININET.dll              JMP 0x50923160
     2 0x50923160  HTTPSEverywhere.dll    
    
    InternetConnectW
     1 0x73AC6F00  WININET.dll              JMP 0x509230b0
     2 0x509230B0  HTTPSEverywhere.dll    
    
    InternetOpenA
     1 0x73A974E0  WININET.dll              JMP 0x50922ef0
     2 0x50922EF0  HTTPSEverywhere.dll    
    
    InternetOpenW
     1 0x73A97370  WININET.dll              JMP 0x50922e50
     2 0x50922E50  HTTPSEverywhere.dll    
    
    InternetReadFile *
     1 0x73A70F70  WININET.dll              JMP 0x50923600
     2 0x50923600  HTTPSEverywhere.dll    
    
    InternetReadFileExA *
     1 0x73A868D0  WININET.dll              JMP 0x50923740
     2 0x50923740  HTTPSEverywhere.dll    
    
    InternetReadFileExW *
     1 0x73ACA750  WININET.dll              JMP 0x509236a0
     2 0x509236A0  HTTPSEverywhere.dll    
    
    InternetSetStatusCallback
     1 0x73AD3750  WININET.dll              JMP 0x50923020
     2 0x50923020  HTTPSEverywhere.dll    
    
    NtCreateEvent
     1 0x77B5EBE0  ntdll.dll                JMP 0x68db2ca0
     2 0x68DB2CA0  aswhookx.dll            
    
    NtCreateMutant
     1 0x77B5F230  ntdll.dll                JMP 0x68db2f30
     2 0x68DB2F30  aswhookx.dll            
    
    NtCreateSemaphore
     1 0x77B5F2E0  ntdll.dll                JMP 0x68db31c0
     2 0x68DB31C0  aswhookx.dll            
    
    NtCreateUserProcess
     1 0x77B5F370  ntdll.dll                JMP 0x68db3450
     2 0x68DB3450  aswhookx.dll            
    
    NtOpenEvent
     1 0x77B5EB60  ntdll.dll                JMP 0x68db2df0
     2 0x68DB2DF0  aswhookx.dll            
    
    NtOpenMutant
     1 0x77B5F910  ntdll.dll                JMP 0x68db3080
     2 0x68DB3080  aswhookx.dll            
    
    NtOpenSemaphore
     1 0x77B5F980  ntdll.dll                JMP 0x68db3310
     2 0x68DB3310  aswhookx.dll            
    
    NtQueryInformationProcess
     1 0x77B5E8D0  ntdll.dll                JMP 0x68db3670
     2 0x68DB3670  aswhookx.dll            
    
    NtResumeThread
     1 0x77B5EC80  ntdll.dll                JMP 0x68db2b90
     2 0x68DB2B90  aswhookx.dll            
    
    NtWriteVirtualMemory
     1 0x77B5EB00  ntdll.dll                JMP 0x68db2880
     2 0x68DB2880  aswhookx.dll            
    
    RtlDecompressBuffer
     1 0x77BC0EB0  ntdll.dll                JMP 0x68db3500
     2 0x68DB3500  aswhookx.dll            
    
    RtlQueryEnvironmentVariable
     1 0x77B3B6B0  ntdll.dll                JMP 0x68db35e0
     2 0x68DB35E0  aswhookx.dll            
    
    
    Thumbprint
    66a1c525e5e188e9a1abf46b246805ae8e09d36b2cb633fcbc17779aeea514fb
     
    Last edited by a moderator: Jan 13, 2018
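The Detour Report in the post above lists, for each intercepted export, the chain of JMPs from the original DLL into whichever module installed the hook; as RonnyT notes in post 19, that module here is HTTPSEverywhere.dll, with a second set of ntdll hooks owned by aswhookx.dll. The parser below is an added example, not HitmanPro.Alert's own code: it reads a report in this format, attributes each hooked API to the module the detour lands in, and lists the modules missing from a caller-supplied allowlist. The shortened sample report (entries copied from the posted event) and the allowlist are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the "Detour Report" quoted in the
# thread (entries copied from the posted event; the real report is longer).
SAMPLE_REPORT = """\
Detour Report
#  Address     Owner                    Disassembly
-- ----------  ------------------------ ------------------------
FtpOpenFileA
 1 0x73B407B0  WININET.dll              JMP 0x50923560
 2 0x50923560  HTTPSEverywhere.dll

HttpOpenRequestA *
 1 0x73AD5B80  WININET.dll              JMP 0x509232d0
 2 0x509232D0  HTTPSEverywhere.dll

NtWriteVirtualMemory
 1 0x77B5EB00  ntdll.dll                JMP 0x68db2880
 2 0x68DB2880  aswhookx.dll
"""
# One hop line: index, address, owning module, optional disassembly
HOP_RE = re.compile(r"^\d+\s+0x([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*))?$")

def parse_detour_report(text):
    """Return {api: [(address, owner, disassembly), ...]} per hooked export.
    A non-hop line opens a new entry; a trailing '*' is stripped, not interpreted."""
    hooks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Detour Report", "#", "--")):
            continue
        m = HOP_RE.match(line)
        if m and current is not None:
            addr, owner, disasm = m.groups()
            hooks[current].append((int(addr, 16), owner, (disasm or "").strip()))
        else:
            current = line.rstrip("*").strip()
            hooks[current] = []
    return hooks

def hooking_modules(hooks):
    """Map each module a detour lands in to the APIs it intercepts.
    Hop 1 is the original export; the owner of each later hop installed the hook."""
    by_module = defaultdict(list)
    for api, hops in hooks.items():
        for _, owner, _ in hops[1:]:
            by_module[owner].append(api)
    return dict(by_module)

def triage(hooks, known_modules):
    """Hooking modules not on the caller's (constructed) list of expected hook DLLs."""
    return sorted(m for m in hooking_modules(hooks) if m.lower() not in known_modules)
```

Feeding the full report from the post through the same functions gives one entry per WININET export for HTTPSEverywhere.dll and one per ntdll export for aswhookx.dll, which is the quickest way to see which of the two hook sets an alert is actually about.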
  21. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    Yes, from the ZScaler team.
    Sorry for this.
    Virustotal about this file:
    * virus total results removed as per Wilders policy
    Thanks for the tip.
     
  22. lofac

    lofac Registered Member

    Joined:
    Jan 18, 2018
    Posts:
    125
    Location:
    .
    Hi,
    Installed the Yandex beta browser for the first time, but HMPA is blocking it with the following message. I wonder why Yandex is trying to call(?) the RTSS hook (RivaTuner Statistics Server, software related to MSI Afterburner). Is this something one should be careful of, or just a false positive?

    Code:
    Mitigation   ROP
    
    Platform     6.1.7601/x64 v729 06_3a
    PID          2080
    Application  C:\Users\user\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
    Description  Yandex 18.1.1
    
    Callee Type  LoadLibrary
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  75302E0F KernelBase.dll           LoadLibraryExW +0x233
    2  755148DC kernel32.dll             LoadLibraryW +0x11
    
    3  0507F7A2 RTSSHooks.dll            UninstallRTSSHook +0x1b2
                9c                       PUSHF       
                60                       PUSHA       
                a3ac272905               MOV          [0x52927ac], EAX
                f705d827290500000000     TEST         DWORD [0x52927d8], 0x0
                7518                     JNZ          0x507f7cd
                ff1580272905             CALL         DWORD [0x5292780]
                bec2272905               MOV          ESI, 0x52927c2
                8b3d78272905             MOV          EDI, [0x5292778]
                b905000000               MOV          ECX, 0x5
                f3a4                     REP MOVSB   
                61                       POPA       
                9d                       POPF       
                c705e027290500000000     MOV          DWORD [0x52927e0], 0x0
                ff2588272905             JMP          DWORD [0x5292788]
    
    4  686221FF browser.dll             
    5  67AE0DAF browser.dll             
    6  67ADC276 browser.dll             
    7  67F8230D browser.dll             
    8  67F8B5D1 browser.dll             
    9  67F81D32 browser.dll             
    10 6789543C browser.dll              ChromeMain +0x169
    
    Process Trace
    1  C:\Users\user\AppData\Local\Yandex\YandexBrowser\Application\browser.exe [2080]
    2  C:\Windows\explorer.exe [3320]
    3  C:\Windows\System32\userinit.exe [1532]
    
    Thumbprint
    94f89113efb6ed532feeb287d988f388f746c8a4f515c18b49a7f313f55c1dd6
     
  23. guest

    guest Guest

    See: #10668
    Try adding the browser to the "RTSS application list" and setting "Application detection level" to "None".
     
  24. lofac

    lofac Registered Member

    Joined:
    Jan 18, 2018
    Posts:
    125
    Location:
    .
    Thanks! That fixed it for me.
     
  25. guest

    guest Guest
