HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    How can I whitelist individual files (false positives) that get blocked as malware?
    If I run a scan and select ignore for those files, they are still blocked, i.e. nircmd.exe
    and others. I had to set Anti-Malware to disabled in order to use these files. Excluding
    them under Exploit mitigation doesn't help.
    (attached screenshot: Block.png)
     
    Last edited: Jul 13, 2018
  2. guest

    guest Guest

    Excluding of files is not possible.
    Turn the "Realtime malware protection off" or else you will get an alert each time.
     
  3. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    Ouch. Sophos would rather you turn off the protection completely rather than allowing you to do whitelisting. :thumbd: Also, scanning with hitmanpro.exe allows the option /excludelist=, but this is not possible when scanning from HMPA. The whole Anti-Malware implementation leaves something to be desired. Sufficient options would be a first step.
     
    Last edited: Jul 14, 2018
  4. Eebillo

    Eebillo Registered Member

    Joined:
    Jul 13, 2018
    Posts:
    3
    Location:
    rock
    The games in question which crash with the same module (ntdll.dll) are THE FOREST, REIGNS: HER MAJESTY, and GETTING OVER IT WITH BENNETT FODDY. The games with connectivity issues are 7 DAYS TO DIE, UNTURNED, and ROGUELANDS. All installed and run via Steam.

    I do have alerts on, and have included the .exe in the mitigation exclusions which, as I've mentioned, probably wouldn't help because having disabled all modules nothing changes... The only way to run the aforementioned games without hitches is by uninstalling HMPA completely. Now this would be alright except I don't foresee uninstalling and reinstalling as a valid fix to this problem (although it does work).

    EDITED: The OS is Windows 7 (newly reformatted literally just yesterday because I got tired of the issue and thought Windows core files/ntdll.dll had issues; retail Windows box bought about a year ago), with most if not all updates (with only outdated ones/ones included in the cumulative update not installed). All other Steam games run fine and connect online with no issues. The machine has HMPA and Malwarebytes, the connectivity/port forwarding issues only occur with HMPA installed, and all drivers are updated (no yellows in Device Manager). I hope this information helps?

    I've also noticed a trend that certain games using the Unity engine have needed exclusions in the exploit mitigation module, and that a couple of the above mentioned games are made in Unity, but worked fine after including them. These are the only outliers.
     
    Last edited: Jul 14, 2018
  5. davisd

    davisd Registered Member

    Joined:
    Feb 2, 2016
    Posts:
    19
    Location:
    Latvia
    Hello, I am using Sophos Home Premium. What are the current latest changelogs for the integrated HMP.A 3.6.16.617 Build (?) (2018-5-21)?

    I cannot seem to find any information/changes regarding HMP.A 3.6.16.617 Build (?) (2018-5-21) in the HitmanPro.Alert changelogs/news. Their support is telling me they have no such information and instead to ask HitmanPro. Thanks in advance.
     
  6. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    This is an old (beta?) build, the changelog is always here:

    https://www.hitmanpro.com/en-us/whatsnewalert.aspx

     
  7. davisd

    davisd Registered Member

    Joined:
    Feb 2, 2016
    Posts:
    19
    Location:
    Latvia
    Old beta build? Then it wouldn't be in the latest stable 1.3.1 SHP version, doesn't make sense. That version isn't listed in the changelog however, as I said. Anyway, I have sent an email to support@hitmanpro.com about this. Thanks.
     
    Last edited: Jul 15, 2018
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    HMPA never had a version 3.6.16 and/or a build 617, not as release version, and not as beta.
    I suppose for the component in Sophos Home Premium a different version and build numbering is used.

    I think that is the best idea, I hope HMPA support can offer the changelogs for the component in Sophos Home Premium. However, I think it is odd that Sophos support told you they have no such information, and you have to ask HMPA support.
     
  9. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Hey thanks, @RonnyT for the info. Downloaded and upgraded today. All seems to be running well here since the update. Stable, reboots are clean, and all protected apps launch without errors. :thumb:
     
  10. 142395

    142395 Guest

    Pardon me if it's a known issue.
    I installed HMPA 3.7.8 build 750 on a Vista 32 bit laptop (with all patches for Windows Server 2008 applied) whose only security software is Avast Free (I disabled Hardened mode just in case).

    But the security scan didn't start and it said there's an error. The HMP executable, which IIRC is usually downloaded under AppData\Local\Temp, was not found, and as HMPA didn't show a "downloading" message I assume it couldn't download the exe. Whatever I did (reboot etc.), it just repeated the error message. No firewall blockage was recorded.

    Also, while applications are correctly listed under the exploit protection tab, when I ran them it said they are NOT protected, and of course no colored boundary. I inspected with Process Hacker and confirmed hmpalert.dll (or anything with a similar name) was not loaded in them.

    I thought at least older versions of HMPA have used AppInit_DLLs, so I checked the registry and found no value in it.

    Note the HMPA service is properly working, and though it is logging under Event Viewer too, there's no helpful info in it, nor in other events.

    BTW, I entered my lifetime licence code but it seems it is outdated?? (So now using it with the free-trial licence)
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Since when has there been lifetime licenses??
     
  12. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    On my Windows 7 x64 systems, HMPA 3.7.6.739 was automatically updated to 3.7.8.750, on July 11.

    @erikloman, @markloman, @RonnyT,
    I notice that LibreOffice 6.0.5 x64 running applications do not show as protected in HMPA "Running applications".
    In HMPA "Running applications", only LibreOffice 6.0.5 soffice.bin is shown, and not the running LibreOffice applications LibreOffice 6.0.5 swriter.exe, scalc.exe, simpress.exe, sdraw.exe and smath.exe.
    I remember from previous HMPA builds (I don't know which builds, or how long ago) that swriter.exe, scalc.exe, simpress.exe and sdraw.exe did show as protected in HMPA "Running applications".
    However, I don't know if that was with LibreOffice x64, or earlier, LibreOffice x86.

    Also, I notice that LibreOffice 6.0.5 smath.exe is not shown in HMPA "Applications", nor in "Running applications".
    I don't remember whether smath.exe was shown in earlier HMPA builds.
     
  13. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    On my Windows 10 x64 system, running HMPA 3.7.8.750, I see LibreOffice 6.0.3.2 x64 as follows under "Exploit Mitigations"...

    Applications, Office: soffice.exe; scalc.exe; sdraw.exe; simpress.exe

    With all LibreOffice applications running open windows, all I see in HMPA under "Running Applications" is "soffice.bin".

    But when I hover my cursor over the top of ANY open LibreOffice window, I will see the colored border with "Exploit Mitigations" tag. So I know the app is being protected by HMPA. It appears that the whole app bundle is protected.
     
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Thanks very much, Tinstaafl.
    I guess what is displayed under "Running applications" was changed.
    Where previously it showed all separate running LibreOffice applications, now only soffice.bin is shown.
    Perhaps it is meant like this.
    However, it is confusing, as earlier what was displayed under "Running applications" was different.
    I hope @erikloman, @markloman, or @RonnyT can confirm that the current display is correct. I hope they can also tell why what is displayed was changed.
     
  15. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    There is an issue with recent builds of HMP.A that has been known since December, see here.

    I have it on good authority that the cause of the problem has been identified. Hopefully a fix is coming out soon.

    The most recent publicly available HMP.A version that's verified to work well in Vista is 3.6.7, build 604. I recommend that you use that one.
     
  16. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    https://support.microsoft.com/en-us/help/22882/windows-vista-end-of-support
     
  17. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
  18. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Blah, blah, blah. I can spot a dead operating system when I see one ...

    But just to be clear, I have nothing against them! I still run a couple instances of Windows XP, LOL!!!

    Expecting commercial developers to continue supporting them is unrealistic, however. We are in "you are on your own" territory now ... ;)
     
    Last edited: Jul 19, 2018
  19. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    It's up to each vendor to decide if and when to stop supporting an OS. Norton recently announced they'll stop providing "new product capabilities" for XP and Vista systems, but will continue issuing malware definitions, "vulnerability updates," and "compatibility fixes" with no end date. And fortunately, the developers of HMP.A continue to choose to support XP and Vista.

    I noticed that you list Linux Mint in your signature. :thumb: That's more or less where I'm headed when Windows 7 (which I also run) stops getting security fixes.
     
  20. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    OT, but yep! Linux Mint is a rock solid and secure OS! :thumb:

    Linux is the #1 web server OS in the world today. But the desktop is still lagging, unfortunately...

    I would have migrated totally, except for the Windows-only applications that I still depend on. Unfortunately, most commercial developers still do not have much interest in Linux desktop applications yet. Maybe one reason is that the small market share of installed Linux desktops, combined with the average Linux user's expectation of "free software", has dampened developer enthusiasm.
     
  21. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    60
    Hello,
    I don't know if it is a false positive :confused:
    Can you help me?

    (attached screenshot: HMPA1.PNG)

    That's the log:

     
    Last edited by a moderator: Jul 20, 2018
  22. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    smath was never protected as far as I know.

    The applications should show up with their executable names on the "Applications" menu, however on the running applications you will only see the soffice.bin.

    You can check with process explorer for example that that is the process doing the business under the hood.

    I have tested this against 604 and it all looks the same, so from here it looks to behave the same in both 604 / 750.
    Maybe an older version of LibreOffice spawned the processes differently?
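    The two checks discussed in this thread, whether hmpalert.dll is actually loaded into a running process (142395's Process Hacker check) and which process is doing the work under the hood for LibreOffice (RonnyT's Process Explorer suggestion), plus the AppInit_DLLs registry lookup, as one added PowerShell script. This is not code from the thread or from HitmanPro/Sophos; the DLL name hmpalert.dll, the AppInit_DLLs key paths and the requirement of Windows PowerShell 3.0 or later are assumptions, and the script only reads state, it changes nothing.

```powershell
# Added diagnostic (not from the thread): list running processes, whether the
# assumed HMPA module (hmpalert.dll) is loaded in each, and each process's parent,
# then print the AppInit_DLLs values. Run from an elevated PowerShell 3.0+ prompt
# of the same bitness as the processes you want to inspect (module lists of
# processes of another bitness or higher integrity may not be readable).
param(
    [string]$DllName = 'hmpalert.dll',   # assumption: module name as named in the thread
    [string[]]$ProcessFilter = @()        # e.g. 'soffice','swriter'; empty = every process
)

# Map process id -> WMI record so the parent process can be resolved by id.
# Get-WmiObject is used rather than Get-CimInstance for Windows 7 compatibility.
$byId = @{}
foreach ($p in Get-WmiObject Win32_Process) { $byId[[int]$p.ProcessId] = $p }

$results = foreach ($proc in Get-Process) {
    if ($ProcessFilter.Count -gt 0 -and ($ProcessFilter -notcontains $proc.ProcessName)) { continue }

    # $true = DLL present, $false = absent, $null = module list not accessible
    $loaded = $null
    try {
        $loaded = [bool]($proc.Modules | Where-Object { $_.ModuleName -ieq $DllName })
    } catch { $loaded = $null }

    $parentId = $null; $parentName = '?'
    if ($byId.ContainsKey([int]$proc.Id)) {
        $parentId = [int]$byId[[int]$proc.Id].ParentProcessId
        if ($byId.ContainsKey($parentId)) { $parentName = $byId[$parentId].Name }
    }

    [pscustomobject]@{
        Pid       = $proc.Id
        Name      = $proc.ProcessName
        Parent    = "$parentName ($parentId)"
        DllLoaded = $loaded
    }
}
$results | Sort-Object Name | Format-Table -AutoSize

# AppInit_DLLs check from the thread: show the native and the WOW64 view of the key.
# Assumption: these are the standard locations; a value here is worth noting either way.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($k in $keys) {
    if (Test-Path $k) {
        $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        "{0}`n  AppInit_DLLs = '{1}'  LoadAppInit_DLLs = {2}" -f $k, $v.AppInit_DLLs, $v.LoadAppInit_DLLs
    }
}
```

    Invoked as `.\hmpa-check.ps1 -ProcessFilter soffice,swriter,scalc`, the table shows the LibreOffice front-end executables with soffice.bin as their parent (or, where they have already exited, only soffice.bin itself), and the DllLoaded column tells you per process whether the HMPA module is present rather than relying on the "Running applications" list alone. A DllLoaded value of $null means the script could not read that process's module list and says nothing about protection.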
     
  23. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Please disable the SAM feature under the orange Credential Theft Protection, it's blocking access to SAM and needs a bit more attention from the devs.
     
  24. Influenza

    Influenza Registered Member

    Joined:
    May 7, 2016
    Posts:
    60
    Thanks @RonnyT, I just disabled the "SAM" feature on my work PC and will do the same later on my home PC.
     
  25. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Thanks very much, Ronny.
    Perhaps.
    Or could it be that the difference is with LibreOffice x86 and x64?
    The last time that I viewed HMPA "Running applications" and LibreOffice swriter.exe, scalc.exe, simpress.exe and sdraw.exe all showed in it was quite a while ago. It was with an older LibreOffice version, and it probably may have been LibreOffice x86, not x64.
    Could it be that the difference was because of LibreOffice x86 instead of x64?
    Does anyone know? Does anyone still use LibreOffice x86 on Windows x64?
     