HitmanPro.Alert 3.7.3 build 729 Released

Changelog (compared to build 723)

Added
- PrivGuard: mitigate MS16-032 (CVE-2016-0099)
- Application lockdown for Microsoft Office Equation Editor (CVE-2017-11882)

Improved
- CodeCave, HeapSpray, CryptoGuard, HollowProcess mitigations

Fixed
- BadUSB alert during boot while BadUSB was disabled
- IAF FP in Nero Media Player
- Windows System Image Backup failing with locked EFI/ESP
- Antimalware won't (stay) enable(d)

Download: http://dl.surfright.nl/hmpalert3.exe

This build is the same as build 728 BETA. We simply removed the BETA tag and therefore had to bump the version number to 729.
Mark, were you able to fix anything in this version from the dumps I sent you a while back concerning Shadow Defender and HMPA v723?
I'm unable to install 3.7.3 build 729 over (beta) 3.7.3 build 728:
Code:
Failed to install program. Error 0.
I am running HitmanPro.Alert 7.29 beta. I just looked in the Win 10 Task Manager and noticed that HitmanPro.Alert is running as the 32-bit version. I have Win 10 Pro 64-bit installed. Anyone have any idea why the 64-bit version of HitmanPro.Alert is not running?
It is listed as a 32/64 bit application on this web page. https://www.hitmanpro.com/en-us/downloads.aspx
Not sure what you mean. On both what? I think if you have a 64-bit operating system, then you should have the 64-bit version of HitmanPro.Alert running, yes? Do you mean it runs as a 32-bit application on both 64-bit PCs and 32-bit PCs?
No. I mean the same version runs on 32-bit and 64-bit machines. Yes, but you don't have to believe me. I'm sure someone will correct me if I'm wrong, but I see the exact same thing on three Win10 x64 machines.
On a 64-bit system: The application itself (hmpalert.exe) is 32-bit, but the driver and the dll which is injected into processes is a 64-bit version (and 32-bit, see below). To be more precise: Two versions of hmpalert.dll are installed. C:\Windows\SysWOW64\hmpalert.dll (=32-bit, it is injected into 32-bit processes) and C:\Windows\System32\hmpalert.dll (=64-bit, it is injected into 64-bit processes)
Thanks for the explanation folks. I thought I understood enough about processes in Windows. Obviously I was wrong. When I see SysWOW64, I just assume that must be for 64bit "things". I am grateful for your help.
It is totally counter-intuitive, but SysWOW64 is for 32-bit things and System32 is for 64-bit things. I have noticed that most of my security programs run as 32-bit executables.
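A quick way to confirm the split described in the two posts above on your own machine, as an added example that is not from the thread and not SurfRight's or Sophos's code: it walks every process, reports the ones that have hmpalert.dll mapped, and shows the process bitness next to the path of the copy actually loaded (SysWOW64 for 32-bit, System32 for 64-bit). It assumes 64-bit Windows with HMP.A installed and must run from an elevated 64-bit PowerShell, because a 32-bit PowerShell cannot enumerate the modules of 64-bit processes; protected processes are skipped.

```powershell
# Added example (not from the thread): which copy of hmpalert.dll is mapped into which process.
# Run from an elevated, 64-bit PowerShell session.

# IsWow64Process tells us whether a process is a 32-bit process running under WoW64.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64Process);
'@
$k32 = Add-Type -MemberDefinition $sig -Name Kernel32 -Namespace HmpaCheck -PassThru

function Get-HmpaInjection {
    foreach ($p in Get-Process) {
        try {
            # Module enumeration and handle access fail on protected/system processes even when
            # elevated; those are simply left out of the listing.
            $hmpa = @($p.Modules | Where-Object { $_.ModuleName -ieq 'hmpalert.dll' })
            if ($hmpa.Count -eq 0) { continue }
            $wow64 = $false
            $null = $k32::IsWow64Process($p.Handle, [ref]$wow64)
        } catch { continue }
        foreach ($m in $hmpa) {
            [pscustomobject]@{
                PID     = $p.Id
                Process = $p.ProcessName
                Arch    = if ($wow64) { 'x86 (WoW64)' } else { 'x64' }
                DllPath = $m.FileName   # expected: ...\SysWOW64\hmpalert.dll for x86, ...\System32\hmpalert.dll for x64
            }
        }
    }
}

Get-HmpaInjection | Sort-Object Arch, Process | Format-Table -AutoSize
```

The DllPath column is read from the loaded module, not guessed from the architecture, so if the output ever shows a 32-bit process with the System32 copy (or the other way round) that is a real observation worth reporting, not a quirk of the script.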
I've been running HMP.A 3.7.3 b728 and several of the previous betas since they were released without any problems, and can confirm that 3.7.3 b729 seems to be running perfectly on W10 Pro x64. Thanks for a great product. I'm impressed.
Testing https-everywhere.exe (IE extension) I got an Intruder message from HitmanPro.Alert v3.7.3.729. I think this is a false positive:
It would help if you could post all details of the alert (which can be found in the Windows Event Viewer). Instructions: #14351
This looks exactly like intended behavior: HTTPS Everywhere is messing with the browser's encryption. Where did you download this version? EFF doesn't seem to provide this one; I assume the ZScaler team? On a small note, 729 is a stable release and this is the BETA board...
Do you mean this?
Code:
Log Name:      Application
Source:        HitmanPro.Alert
Date:          12-01-2018 10:05:54
Event ID:      911
Task Category: Intruder
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DH-PC-w10n
Description:
Intruder

PID          6528
Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
Description  Internet Explorer 11

Detour Report
                             #  Address     Owner                     Disassembly
                             -- ----------  ------------------------  ------------------------
FtpOpenFileA                 1  0x73B407B0  WININET.dll               JMP 0x50923560
                             2  0x50923560  HTTPSEverywhere.dll
FtpOpenFileW                 1  0x73B439C0  WININET.dll               JMP 0x509234c0
                             2  0x509234C0  HTTPSEverywhere.dll
HttpAddRequestHeadersA       1  0x73A5EAA0  WININET.dll               JMP 0x50923880
                             2  0x50923880  HTTPSEverywhere.dll
HttpAddRequestHeadersW       1  0x73A5CE80  WININET.dll               JMP 0x509237e0
                             2  0x509237E0  HTTPSEverywhere.dll
HttpOpenRequestA *           1  0x73AD5B80  WININET.dll               JMP 0x509232d0
                             2  0x509232D0  HTTPSEverywhere.dll
HttpOpenRequestW *           1  0x73A5D120  WININET.dll               JMP 0x50923220
                             2  0x50923220  HTTPSEverywhere.dll
HttpSendRequestA             1  0x73A99710  WININET.dll               JMP 0x50923420
                             2  0x50923420  HTTPSEverywhere.dll
InternetCloseHandle          1  0x73AC8010  WININET.dll               JMP 0x50922f90
                             2  0x50922F90  HTTPSEverywhere.dll
InternetConnectA             1  0x73AD5470  WININET.dll               JMP 0x50923160
                             2  0x50923160  HTTPSEverywhere.dll
InternetConnectW             1  0x73AC6F00  WININET.dll               JMP 0x509230b0
                             2  0x509230B0  HTTPSEverywhere.dll
InternetOpenA                1  0x73A974E0  WININET.dll               JMP 0x50922ef0
                             2  0x50922EF0  HTTPSEverywhere.dll
InternetOpenW                1  0x73A97370  WININET.dll               JMP 0x50922e50
                             2  0x50922E50  HTTPSEverywhere.dll
InternetReadFile *           1  0x73A70F70  WININET.dll               JMP 0x50923600
                             2  0x50923600  HTTPSEverywhere.dll
InternetReadFileExA *        1  0x73A868D0  WININET.dll               JMP 0x50923740
                             2  0x50923740  HTTPSEverywhere.dll
InternetReadFileExW *        1  0x73ACA750  WININET.dll               JMP 0x509236a0
                             2  0x509236A0  HTTPSEverywhere.dll
InternetSetStatusCallback    1  0x73AD3750  WININET.dll               JMP 0x50923020
                             2  0x50923020  HTTPSEverywhere.dll
NtCreateEvent                1  0x77B5EBE0  ntdll.dll                 JMP 0x68db2ca0
                             2  0x68DB2CA0  aswhookx.dll
NtCreateMutant               1  0x77B5F230  ntdll.dll                 JMP 0x68db2f30
                             2  0x68DB2F30  aswhookx.dll
NtCreateSemaphore            1  0x77B5F2E0  ntdll.dll                 JMP 0x68db31c0
                             2  0x68DB31C0  aswhookx.dll
NtCreateUserProcess          1  0x77B5F370  ntdll.dll                 JMP 0x68db3450
                             2  0x68DB3450  aswhookx.dll
NtOpenEvent                  1  0x77B5EB60  ntdll.dll                 JMP 0x68db2df0
                             2  0x68DB2DF0  aswhookx.dll
NtOpenMutant                 1  0x77B5F910  ntdll.dll                 JMP 0x68db3080
                             2  0x68DB3080  aswhookx.dll
NtOpenSemaphore              1  0x77B5F980  ntdll.dll                 JMP 0x68db3310
                             2  0x68DB3310  aswhookx.dll
NtQueryInformationProcess    1  0x77B5E8D0  ntdll.dll                 JMP 0x68db3670
                             2  0x68DB3670  aswhookx.dll
NtResumeThread               1  0x77B5EC80  ntdll.dll                 JMP 0x68db2b90
                             2  0x68DB2B90  aswhookx.dll
NtWriteVirtualMemory         1  0x77B5EB00  ntdll.dll                 JMP 0x68db2880
                             2  0x68DB2880  aswhookx.dll
RtlDecompressBuffer          1  0x77BC0EB0  ntdll.dll                 JMP 0x68db3500
                             2  0x68DB3500  aswhookx.dll
RtlQueryEnvironmentVariable  1  0x77B3B6B0  ntdll.dll                 JMP 0x68db35e0
                             2  0x68DB35E0  aswhookx.dll

Thumbprint
66a1c525e5e188e9a1abf46b246805ae8e09d36b2cb633fcbc17779aeea514fb

Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-01-12T09:05:54.402212200Z" />
    <EventRecordID>63285</EventRecordID>
    <Channel>Application</Channel>
    <Computer>DH-PC-w10n</Computer>
    <Security />
  </System>
  <EventData>
    <Data>C:\Program Files (x86)\Internet Explorer\iexplore.exe</Data>
    <Data>Intruder</Data>
    <Data>Intruder PID 6528 Application C:\Program Files (x86)\Internet Explorer\iexplore.exe Description Internet Explorer 11 Detour Report # Address Owner Disassembly -- ---------- ------------------------ ------------------------ FtpOpenFileA 1 0x73B407B0 WININET.dll JMP 0x50923560 2 0x50923560 HTTPSEverywhere.dll FtpOpenFileW 1 0x73B439C0 WININET.dll JMP 0x509234c0 2 0x509234C0 HTTPSEverywhere.dll HttpAddRequestHeadersA 1 0x73A5EAA0 WININET.dll JMP 0x50923880 2 0x50923880 HTTPSEverywhere.dll HttpAddRequestHeadersW 1 0x73A5CE80 WININET.dll JMP 0x509237e0 2 0x509237E0 HTTPSEverywhere.dll HttpOpenRequestA * 1 0x73AD5B80 WININET.dll JMP 0x509232d0 2 0x509232D0 HTTPSEverywhere.dll HttpOpenRequestW * 1 0x73A5D120 WININET.dll JMP 0x50923220 2 0x50923220 HTTPSEverywhere.dll HttpSendRequestA 1 0x73A99710 WININET.dll JMP 0x50923420 2 0x50923420 HTTPSEverywhere.dll InternetCloseHandle 1 0x73AC8010 WININET.dll JMP 0x50922f90 2 0x50922F90 HTTPSEverywhere.dll InternetConnectA 1 0x73AD5470 WININET.dll JMP 0x50923160 2 0x50923160 HTTPSEverywhere.dll InternetConnectW 1 0x73AC6F00 WININET.dll JMP 0x509230b0 2 0x509230B0 HTTPSEverywhere.dll InternetOpenA 1 0x73A974E0 WININET.dll JMP 0x50922ef0 2 0x50922EF0 HTTPSEverywhere.dll InternetOpenW 1 0x73A97370 WININET.dll JMP 0x50922e50 2 0x50922E50 HTTPSEverywhere.dll InternetReadFile * 1 0x73A70F70 WININET.dll JMP 0x50923600 2 0x50923600 HTTPSEverywhere.dll InternetReadFileExA * 1 0x73A868D0 WININET.dll JMP 0x50923740 2 0x50923740 HTTPSEverywhere.dll InternetReadFileExW * 1 0x73ACA750 WININET.dll JMP 0x509236a0 2 0x509236A0 HTTPSEverywhere.dll InternetSetStatusCallback 1 0x73AD3750 WININET.dll JMP 0x50923020 2 0x50923020 HTTPSEverywhere.dll NtCreateEvent 1 0x77B5EBE0 ntdll.dll JMP 0x68db2ca0 2 0x68DB2CA0 aswhookx.dll NtCreateMutant 1 0x77B5F230 ntdll.dll JMP 0x68db2f30 2 0x68DB2F30 aswhookx.dll NtCreateSemaphore 1 0x77B5F2E0 ntdll.dll JMP 0x68db31c0 2 0x68DB31C0 aswhookx.dll NtCreateUserProcess 1 0x77B5F370 ntdll.dll JMP 0x68db3450 2 0x68DB3450 aswhookx.dll NtOpenEvent 1 0x77B5EB60 ntdll.dll JMP 0x68db2df0 2 0x68DB2DF0 aswhookx.dll NtOpenMutant 1 0x77B5F910 ntdll.dll JMP 0x68db3080 2 0x68DB3080 aswhookx.dll NtOpenSemaphore 1 0x77B5F980 ntdll.dll JMP 0x68db3310 2 0x68DB3310 aswhookx.dll NtQueryInformationProcess 1 0x77B5E8D0 ntdll.dll JMP 0x68db3670 2 0x68DB3670 aswhookx.dll NtResumeThread 1 0x77B5EC80 ntdll.dll JMP 0x68db2b90 2 0x68DB2B90 aswhookx.dll NtWriteVirtualMemory 1 0x77B5EB00 ntdll.dll JMP 0x68db2880 2 0x68DB2880 aswhookx.dll RtlDecompressBuffer 1 0x77BC0EB0 ntdll.dll JMP 0x68db3500 2 0x68DB3500 aswhookx.dll RtlQueryEnvironmentVariable 1 0x77B3B6B0 ntdll.dll JMP 0x68db35e0 2 0x68DB35E0 aswhookx.dll Thumbprint 66a1c525e5e188e9a1abf46b246805ae8e09d36b2cb633fcbc17779aeea514fb</Data>
  </EventData>
</Event>
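For anyone asked, as in the reply above, to pull the details of an Intruder alert out of the Event Viewer, here is an added example (not from the thread and not HitmanPro's own tooling) that does it from PowerShell and reduces a Detour Report like the one just posted to one row per hooked function: the original export, the module it lives in, and the DLL that now owns the jump. The provider name, event ID and log come from the event XML above; the regex follows the report layout shown there. The meaning of the "*" marker next to some functions is not stated in the thread, so the parser only carries it through. The embedded sample is constructed from three entries of the report above so the parser can be exercised without the log.

```powershell
# Added example, not part of the thread: list which DLLs own the hooks reported in
# HitmanPro.Alert Intruder events (provider HitmanPro.Alert, Event ID 911, Application log).

function ConvertFrom-DetourReport {
    param([Parameter(Mandatory)][string]$Text)
    # Each entry, whether on one line or wrapped by Event Viewer, reads like
    #   HttpOpenRequestA * 1 0x73AD5B80 WININET.dll JMP 0x509232d0 2 0x509232D0 HTTPSEverywhere.dll
    # row 1 = the original export and where its JMP goes, row 2 = the module that address belongs to.
    # The optional "*" is kept as a flag; the thread does not say what it denotes.
    $rx = '(?<Func>[A-Za-z0-9_]+)\s+(?<Star>\*)?\s*1\s+0x(?<Orig>[0-9A-Fa-f]+)\s+(?<Hooked>[\w.]+\.dll)\s+JMP\s+0x[0-9A-Fa-f]+\s+2\s+0x(?<Target>[0-9A-Fa-f]+)\s+(?<Owner>[\w.]+\.dll)'
    foreach ($m in [regex]::Matches($Text, $rx, 'IgnoreCase')) {
        [pscustomobject]@{
            Function     = $m.Groups['Func'].Value
            Starred      = $m.Groups['Star'].Success
            HookedModule = $m.Groups['Hooked'].Value
            HookOwner    = $m.Groups['Owner'].Value
            HookTarget   = '0x' + $m.Groups['Target'].Value.ToUpper()
        }
    }
}

function Get-HmpaIntruderHooks {
    param([int]$MaxEvents = 50)
    $filter = @{ LogName = 'Application'; ProviderName = 'HitmanPro.Alert'; Id = 911 }
    # -ErrorAction Stop makes "no events found" a visible error instead of silent empty output.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        $evt = $_
        # The report travels in the EventData <Data> elements (three in the XML above). Joining
        # the raw properties avoids depending on a rendered Message, which needs the provider's
        # message resources to be registered on the machine doing the reading.
        $text = ($evt.Properties | ForEach-Object { $_.Value }) -join "`n"
        ConvertFrom-DetourReport -Text $text | ForEach-Object {
            $_ | Add-Member -NotePropertyName Time -NotePropertyValue $evt.TimeCreated -PassThru
        }
    }
}

# Constructed sample: three entries copied from the report in the post above, so the parser runs offline.
$sample = @'
HttpOpenRequestA * 1 0x73AD5B80 WININET.dll JMP 0x509232d0 2 0x509232D0 HTTPSEverywhere.dll
InternetOpenA 1 0x73A974E0 WININET.dll JMP 0x50922ef0 2 0x50922EF0 HTTPSEverywhere.dll
NtWriteVirtualMemory 1 0x77B5EB00 ntdll.dll JMP 0x68db2880 2 0x68DB2880 aswhookx.dll
'@
ConvertFrom-DetourReport -Text $sample | Format-Table -AutoSize

# Against the live Application log, one line per (hook owner, hooked module) pair:
# Get-HmpaIntruderHooks | Group-Object HookOwner, HookedModule | Select-Object Count, Name
```

Run against the event posted above, the grouped query collapses twenty-eight rows to two lines, HTTPSEverywhere.dll over WININET.dll and aswhookx.dll over ntdll.dll, which is the information needed to decide whether an Intruder alert is a known extension or AV hook, or something that warrants a closer look.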
Yes, from the ZScaler team. Sorry for this. Virustotal about this file: * virus total results removed as per Wilders policy Thanks for the tip.
Hi, I installed the Yandex beta browser for the first time, but HMPA is blocking it with the following message. I wonder why Yandex is trying to call(?) the RTSS hook (RivaTunerStaticServer, which is software related to MSI Afterburner). Is this something one should be careful of, or just a false positive?
Code:
Mitigation   ROP
Platform     6.1.7601/x64 v729 06_3a
PID          2080
Application  C:\Users\user\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
Description  Yandex 18.1.1
Callee Type  LoadLibrary

Stack Trace
#   Address   Module                    Location
--  --------  ------------------------  ----------------------------------------
1   75302E0F  KernelBase.dll            LoadLibraryExW +0x233
2   755148DC  kernel32.dll              LoadLibraryW +0x11
3   0507F7A2  RTSSHooks.dll             UninstallRTSSHook +0x1b2
                 9c                    PUSHF
                 60                    PUSHA
                 a3ac272905            MOV [0x52927ac], EAX
                 f705d827290500000000  TEST DWORD [0x52927d8], 0x0
                 7518                  JNZ 0x507f7cd
                 ff1580272905          CALL DWORD [0x5292780]
                 bec2272905            MOV ESI, 0x52927c2
                 8b3d78272905          MOV EDI, [0x5292778]
                 b905000000            MOV ECX, 0x5
                 f3a4                  REP MOVSB
                 61                    POPA
                 9d                    POPF
                 c705e027290500000000  MOV DWORD [0x52927e0], 0x0
                 ff2588272905          JMP DWORD [0x5292788]
4   686221FF  browser.dll
5   67AE0DAF  browser.dll
6   67ADC276  browser.dll
7   67F8230D  browser.dll
8   67F8B5D1  browser.dll
9   67F81D32  browser.dll
10  6789543C  browser.dll               ChromeMain +0x169

Process Trace
1  C:\Users\user\AppData\Local\Yandex\YandexBrowser\Application\browser.exe [2080]
2  C:\Windows\explorer.exe [3320]
3  C:\Windows\System32\userinit.exe [1532]

Thumbprint
94f89113efb6ed532feeb287d988f388f746c8a4f515c18b49a7f313f55c1dd6
See: #10668 Try to add the browser to the "RSS application list" and set "Application detection level" to "None"