HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    The Attack Intercepted message noted \REGISTRY\MACHINE\SAM. The CredGuard message referenced a MITRE ATT&CK.
    As asked, how do I know if HitmanPro has been compromised or in-memory altered? What do you recommend I do?
     
  2. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
  3. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
I have build 793, so do I get auto-updated to 861?
     
  5. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    I was wondering the same, as I never got round to installing build .859, and I checked a few times and it says 'no update available', so I assume one has to either download and run the installer, or do a clean install at this stage.
     
  6. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,760
    New dumps created. Check your PM. They are only good for three days before they get deleted. Let me know if they got downloaded.
     
    Last edited: Jan 16, 2020
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,842
    Location:
    the Netherlands
    I think it is as simple as Mark said:
    [only] users on build 8xx are/were automatically updated to build 861 [implying: not users on build 793].
    I can only guess Mark and Erik/ Sophos didn't think 861 was ready to update build 793 systems, yet. Perhaps later, or a next build, I am guessing.
     
  8. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    580
I have 3 machines that were on 857 (desktop/laptop & Surface Pro 4). Only one of these auto-updated; the other 2, even up to yesterday, did nothing when checking for updates, even after various reboots. I had to manually download the 861 installer, run it & reboot.
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi Kc,
What other security software is on that machine? And can you check the Windows event log to see if the HitmanPro.Alert service recorded a "check for updates" result, and if so post it.
     
  10. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    580
Hi, Windows 10 1909, Windows Defender, GlassWire.
Can't see anything in Event Viewer if I press "check for updates" and then refresh either the Windows Application log, Security log or HitmanPro.Alert event logs (where exactly should I be looking?)

    thanks!
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
If you filter the Application log via "Filter current log" on the right and then select HitmanPro.Alert in the Event Sources, select HitmanPro.Alert and press the ENTER key on the keyboard.
(The filter GUI is a bit user-hostile.)
That should bring all our events together.
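For anyone who would rather skip the filter dialog, here is an added PowerShell snippet (not from the post or from the product) that pulls the same events from the Application log and flags when the last scheduled update check ran; it assumes the provider name is the same "HitmanPro.Alert" source that Event Viewer shows.

```powershell
# Added example: list HitmanPro.Alert update-check events from the Application
# log and report when the last scheduled check ran. Assumes the event provider
# name equals the "HitmanPro.Alert" source shown in Event Viewer (assumption).
$filter = @{ LogName = 'Application'; ProviderName = 'HitmanPro.Alert' }

try {
    # Get-WinEvent throws when nothing matches, so treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch {
    Write-Warning "No HitmanPro.Alert events found in the Application log: $_"
    return
}

# Keep only the messages the thread is looking for: the periodic update check
# ("Application is up-to-date. Next check in 8 hours.") and the
# "update downloaded, pending reboot" result. The regex tolerates the
# "succesfully" spelling seen in the quoted log line.
$updateEvents = $events | Where-Object {
    $_.Message -match 'up-to-date|Next check in|update was succes?sfully downloaded'
}

$updateEvents |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap

# If the newest matching event is older than the stated 8-hour cadence, the
# scheduled check has stopped firing; running the installer manually is the
# workaround the thread describes.
$last = $updateEvents | Sort-Object TimeCreated -Descending | Select-Object -First 1
if ($last -and $last.TimeCreated -lt (Get-Date).AddHours(-8)) {
    Write-Warning ("Last update check logged at {0}; expected one every 8 hours." -f $last.TimeCreated)
}
```

Run it from an elevated PowerShell prompt so the Application log is readable in full.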
     
  12. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    580

Thanks, no, there doesn't seem to be any events for the check (I manually pressed "check for update" a few times and nothing on the 14th and 15th of Jan).

The last event I can see where the update did check was on the 3rd Jan:
"Application is up-to-date. Next check in 8 hours."

But it is logged in Event Viewer when I manually downloaded the installer and updated:
"An update was succesfully downloaded and is pending to be installed at next reboot. New version 3.8.0.861."

It's no problem.
     
  13. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
It looks like CryptoGuard V5 is recommended in 861 over V4. In CG V4 the only block mode I have is Isolate.
     
    Last edited: Jan 16, 2020
  14. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
I installed the new version of Chrome and HMPA about the same day. Now I have problems highlighting text in order to do a Google search. Don't know if the problem is the new Chrome or HMPA version. No problem on this site, but on other sites I have text highlighting problems.
     
  15. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
Installed Chrome today and the above is still happening after all the releases since 574, with HMPA 3.8.0 build 861.
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
Is there any reason the old Edge browser is still showing alongside the new Chromium Edge in Alert?
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I believe it's because the old Edge executable is still present on the system. I'm seeing the same thing on mine and I confirmed that the file is still there. If you click on the entry for the old Edge in HMPA you will see the path to the file.
     
  18. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
Took off Chrome, only used it to log into a work schedule. They (IT Dept) told me Chrome is the only browser that would work; had luck with Waterfox Current. So using that now.
Be nice to hear from RonnyT in case I and other people are forced to use Chrome.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Thanks. Yeah, I can see the path now you mention it. I wonder if MS will remove that at some point?
     
  20. Dark Lord

    Dark Lord Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    120
    Hi @markloman @erikloman @RonnyT

Even I would like to know any comment on this question: any chance that hardware-assisted exploit mitigations will support AMD CPUs in the future?

Furthermore, it seems a new Israeli firm (Intezer) uses a sophisticated technology known as a "DNA-style genetic approach" to identify and track malware. Any comments on how this technology is related to or different from HitmanPro.ALERT and Sophos Intercept X?
     
  21. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I just updated from 793 to 861. HMP.A kept saying no update was available, so I had to update manually.

    Now I get a CredGuard alert every time I run my third-party registry editor (Registry Workshop). The alert says that Registry Workshop has been terminated, but that is untrue--it stays running. I'm unable to suppress these alerts for some reason.

    I had a similar thing happen with Total Uninstall, but I was able to suppress those particular CredGuard alerts.
     
  22. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
OK, so it happened again. In addition, hmpalert.exe (not the process using lots of RAM) has been holding a folder, preventing me from deleting it.

    Now the DMP file is 1.2gig.

    So I will upload it somewhere, and send you the PM with the download link.

This is for HMPA build 791.

For now I am going to uninstall HMPA on this machine (it will still be installed on others), but will reinstall if you can get back to me with proposed workarounds/solutions. Am happy to test any test builds also, if deemed required to debug this problem.
     
  23. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
Can you send me a PM please.
     
  24. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.8.1 Build 863 Released

    Changelog (compared to build 861):
    • Improved CryptoGuard 5 detection.
    • Improved minifilter performance.
    • Improved compatibility with VMware ThinApp applications.
    • Improved compatibility with BoxedApp applications.
    • Improved compatibility with Checkpoint.
    • Various minor improvements to alert reports.
    • Fixed CTF Guard false alarms on some computers.
    • Fixed RDP Guard showing a flyout on non-RDP sessions on Windows 7.
    • Fixed HeapHeapProtect false alarms on Visual FoxPro applications.
    • Fixed APC mitigation false alarms on some .NET 1.1 applications.
    • Fixed Generic.Ransom.E false alarms on LSASS.exe on 64-bit computers.
    • All binaries built with Visual C++ 16.4.3 with Spectre mitigations.
Download
https://dl.surfright.nl/hmpalert3.exe

We're currently automatically updating users on 8xx to this build. We're still not automatically updating our 7xx users to 8xx, but feel free to do so manually.
Let us know what you think of this new build, thanks!
     
  25. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
No problems upgrading to build 863.

    Win10 1909 build 18363.628 x64/Norton Security v22.20.1.69
     