HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Does this still trigger?
     
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Those are 923 alerts
    Do you have WinRar on protection? This is collateral of Application Lockdown in this case: the extracted AND executed application dropped by WinRar is attempting to abuse a LolBIN.
    If you start HD Sentinel via the Start menu (and it's not on protection) this should not happen.
     
  3. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Strange. I've reproduced the crash, and we've fixed the reproduction. Can you send me the SHA256 hashes of the files you excluded and your setup + VBox version in a DM?
     
  4. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Does that trigger every time you start Tor Browser?
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    This was suppressed centrally, hence the first machine should no longer trigger regardless of the suppress alert state.
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.20 Build 937 Release Candidate 2

    Changelog (compared to build 935)
    • Fixed crash in Spyware blaster caused by RemoteThreadGuard
    • Fixed crash in VirtualBox caused by Syscall64
    • Some small changes under the hood
    Download
    https://dl.surfright.nl/hmpalert3b937.exe

    Please let us know how this build runs on your machine :thumb:
    *Beware: some sites are leeching this build and posting it on their download pages as a Stable release, so no, 923 is still the Stable.
     
    Last edited: Mar 19, 2022
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I just opened TOR on my other machine and got the same Alert. I suspect it is 0Patch injecting its .DLL. I have suppressed for now.
     
  8. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    HitmanPro.Alert 8.20 Build 937

    Yes.

    Mitigation SysCall
    Timestamp 2022-03-19T16:05:25

    Platform 10.0.22000/x64 v937 06_9e
    PID 10820
    Feature 007D0A30000001A2
    Application C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe
    Created 2022-03-17T17:41:58
    Description C++ Application Development Framework 5.15.2

    SecLvl: 1
    Direct Syscall originating from: 0000025279751734
    *** RemoteAllocator ***
    remoteOwnerProcessName: C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe
    remoteOwnerModuleName: C:\Program Files\AMD\CNext\CNext\Qt5WebEngineCore.dll
    remoteOwnerPID: 8476
    remoteOwnerProcess is signed
    remoteOwnerModule is not signed

    0x0000025279751734 c3 RET

    ----- SNIP HERE -----
    AAICAQAQdXlSAgAANBd1eVICAAAAEHV5UgIAAAAQAAACAAACAAACAAACAADgAwIGAKADAgYAiOvv6mkCAwAOAgMAAgT/TIvRuFUCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuDMCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuD0CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuEwBAgIA9gQlCAP+fwF1Aw8Fw80uww8fhAIlAEyL0bgnAgMA9gQlCAP+fwF1Aw8Fw80uww8fhAIlAEyL0bg0AQICAPYEJQgD/n8BdQMPBcPNLsMPH4QCJQBMi9G4JgIDAPYEJQgD/n8BdQMPBcPNLsMPH4QCJQBMi9G4LgECAgD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuA0CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuCQCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuDACAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuC8CAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuCgCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAiUATIvRuCoCAwD2BCUIA/5/AXUDDwXDzS7DDx+EAgAAAgAAAgAAAgAAAgAAAgAAAgAAAgAAAoUA
    ----- END SNIP -----

    Loaded Modules (72)
    -----------------------------------------------------------------------------
    00007FF7C4850000-00007FF7C48EB000 QtWebEngineProcess.exe (The Qt Company Ltd.),
    version: 5.15.2.0
    00007FFB26CA0000-00007FFB26DBA000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.20.937
    00007FFAFEBC0000-00007FFAFF1C6000 Qt5Core.dll (The Qt Company Ltd.),
    version: 5.15.2.0
    00007FFADFB00000-00007FFAE5F24000 Qt5WebEngineCore.dll (The Qt Company Ltd.),
    version: 5.15.2.0
    00007FFAEFC10000-00007FFAF002A000 Qt5Quick.dll (The Qt Company Ltd.),
    version: 5.15.2.0
    00007FFAEEF30000-00007FFAEF5E2000 Qt5Gui.dll (The Qt Company Ltd.),
    version: 5.15.2.0
    00007FFB05900000-00007FFB05925000 Qt5WebChannel.dll (The Qt Company Ltd.),
    version: 5.15.2.0
    00007FFAEEB70000-00007FFAEEF29000 Qt5Qml.dll (The Qt Company Ltd.),
    version: 5.15.2.0
    00007FFAEE0A0000-00007FFAEE1B5000 Qt5Network.dll (The Qt Company Ltd.),
    version: 5.15.2.0
    00007FFAF4860000-00007FFAF48B4000 Qt5Positioning.dll (The Qt Company Ltd.),
    version: 5.15.2.0
    00007FFAF4770000-00007FFAF47E1000 Qt5QmlModels.dll (The Qt Company Ltd.),
    version: 5.15.2.0
    - MS skipped (61) -

    Code Injection
    0000025279751000-0000025279752000 4KB C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]
    00007FFB29CA4000-00007FFB29CA5000 4KB
    00007FFB29CA3000-00007FFB29CA4000 4KB
    00007FFB29CA6000-00007FFB29CA7000 4KB
    00007FFB29CA5000-00007FFB29CA6000 4KB

    Process Trace
    1 C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe [10820]
    "C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMo
    2 C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]
    "C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe" atlogon

    Dropped Files
    1 C:\Users\Asrock\AppData\Local\AMD\CN\restreamserverlist.json
    Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]
    2 C:\Users\Asrock\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Platform Notifications\LOG.old~RF625ab.TMP
    Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]
    3 C:\Users\Asrock\AppData\Local\AMD\Radeonsoftware\QtWebEngine\Default\Platform Notifications\LOG
    Dropped by \Device\HarddiskVolume8\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]

    Thumbprints
    810af5e5b485b6aece639827e26999389ee9125ea60cc65e554a0da29cf75939 (pfn)
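    As an added example (not HitmanPro.Alert's own code, and not posted by anyone in this thread), the following Python parser reads the report format shown above and pulls out what an analyst checks before deciding whether an alert like this is collateral from a vendor's own components or something to escalate: whether the direct syscall address falls inside a region listed under Code Injection, which process owns that region and whether it is signed, and the parent/child process chain. The section and field names are taken from the report itself; the sample input is the report above trimmed to the parts used, and the triage rules are this example's own assumptions, not HitmanPro.Alert's logic.

```python
"""Structured triage of a HitmanPro.Alert mitigation report, using the text
format of the SysCall alert posted above. Added example, not HitmanPro.Alert
code; section and field names come from the report, the triage rules below are
this example's own assumptions."""
from __future__ import annotations
import ntpath
import re
from dataclasses import dataclass, field

HEADER_KEYS = {"Mitigation", "Timestamp", "Platform", "PID", "Feature",
               "Application", "Created", "Description"}
SECTIONS = {"Code Injection", "Process Trace", "Dropped Files", "Thumbprints"}

# Constructed input: the report from the post above, trimmed to the parts used here.
SAMPLE = r"""Mitigation SysCall
Timestamp 2022-03-19T16:05:25

PID 10820
Application C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe

SecLvl: 1
Direct Syscall originating from: 0000025279751734
*** RemoteAllocator ***
remoteOwnerProcessName: C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe
remoteOwnerModuleName: C:\Program Files\AMD\CNext\CNext\Qt5WebEngineCore.dll
remoteOwnerPID: 8476
remoteOwnerProcess is signed
remoteOwnerModule is not signed

Code Injection
0000025279751000-0000025279752000 4KB C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]
00007FFB29CA4000-00007FFB29CA5000 4KB

Process Trace
1 C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe [10820]
"C:\Program Files\AMD\CNext\CNext\QtWebEngineProcess.exe" --type=renderer
2 C:\Program Files\AMD\CNext\CNext\RadeonSoftware.exe [8476]
"C:\Program Files\AMD\CNext\CNext\Radeonsoftware.exe" atlogon

Thumbprints
810af5e5b485b6aece639827e26999389ee9125ea60cc65e554a0da29cf75939 (pfn)
"""


@dataclass
class Alert:
    header: dict = field(default_factory=dict)    # Mitigation, PID, Application, ...
    remote: dict = field(default_factory=dict)    # remoteOwner* facts
    syscall_addr: int | None = None
    injected: list = field(default_factory=list)  # (start, end, owner-or-None)
    sections: dict = field(default_factory=dict)  # raw lines per named section


def parse_alert(text: str) -> Alert:
    a, current = Alert(), None
    for line in (l.strip() for l in text.splitlines()):
        if not line:                               # a blank line closes a section
            current = None
        elif line in SECTIONS:
            current = line
            a.sections[current] = []
        elif current:
            a.sections[current].append(line)
        elif (m := re.match(r"^(\w+) (.+)$", line)) and m.group(1) in HEADER_KEYS:
            a.header[m.group(1)] = m.group(2)
        elif m := re.match(r"^Direct Syscall originating from: ([0-9A-Fa-f]+)$", line):
            a.syscall_addr = int(m.group(1), 16)
        elif m := re.match(r"^(remoteOwner\w+): (.+)$", line):
            a.remote[m.group(1)] = m.group(2)
        elif m := re.match(r"^(remoteOwner\w+) is (not )?signed$", line):
            a.remote[m.group(1) + "Signed"] = m.group(2) is None
    for line in a.sections.get("Code Injection", []):
        if m := re.match(r"^([0-9A-Fa-f]+)-([0-9A-Fa-f]+) \S+(?: (.+))?$", line):
            a.injected.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return a


def process_chain(a: Alert) -> list[tuple[int, str]]:
    """Process Trace entries as (pid, image path), alerted process first, parents after."""
    return [(int(m.group(2)), m.group(1))
            for m in (re.match(r"^\d+ (.+) \[(\d+)\]$", l)
                      for l in a.sections.get("Process Trace", [])) if m]


def thumbprints(a: Alert) -> list[str]:
    """SHA256 thumbprints listed in the report (used for exclusions and lookups)."""
    return [l.split()[0] for l in a.sections.get("Thumbprints", [])
            if re.match(r"^[0-9a-f]{64}\b", l)]


def triage(a: Alert) -> list[str]:
    """Facts an analyst checks before choosing between an exclusion and escalation."""
    notes = []
    app = a.header.get("Application", "")
    owner = a.remote.get("remoteOwnerProcessName", "")
    for start, end, who in a.injected:
        if a.syscall_addr is not None and start <= a.syscall_addr < end:
            notes.append(f"syscall stub at {a.syscall_addr:#x} sits in memory "
                         f"injected by {who or 'an unnamed owner'}")
    if owner and ntpath.dirname(owner).lower() == ntpath.dirname(app).lower():
        notes.append("injecting process lives in the alerted app's own directory")
    if a.remote.get("remoteOwnerProcessSigned") and not a.remote.get("remoteOwnerModuleSigned"):
        notes.append("injecting process is signed but the injecting module is not")
    return notes
```

    Running `triage(parse_alert(SAMPLE))` on the report above yields three notes: the syscall stub lies in the 4KB page injected by RadeonSoftware.exe [8476], that process sits in the same CNext directory as the alerted QtWebEngineProcess.exe, and the process is signed while the injecting Qt5WebEngineCore.dll is not. Together those point at a vendor's own component injecting into its own child, which is what makes an alert like this a candidate for suppression rather than an incident; the same parser would flag a region owned by a process from an unrelated directory, which is the case that deserves a closer look.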
     
  9. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    "Do you have Winrar on protection?" Yes. HD Sentinel starts via Task Scheduler (and it is not on protection).

    It's really the older (923) alert; it was just today and I thought it was the 935. I installed 935 today. Sorry.
     
  10. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Browser protection does not work with ESET Banking & Payment protection in 937. It worked on the older 923, if I turned off ESET's keyboard protection within Banking & Payment protection. Now it doesn't work even if it's turned off.

    see at 923:
    Firefox 98.0.1 (64 bit)

    2022-03-19_194104.jpg 2022-03-19_194246.jpg 2022-03-19_194343.jpg
     
    Last edited: Mar 19, 2022
  11. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    https://dl.surfright.nl/hmpalert3b937.exe only displays the Hitmanpro.alert UI on the screen. It does not appear to install anything.
     
    Last edited by a moderator: Mar 19, 2022
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Then it's already updated; please check the version in the GUI.
     
  13. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    You are correct. It did not fix my issue with VirtualBox.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I just got this False Positive:

    Mitigation MalwareBlocked
    Timestamp 2022-03-20T00:56:42

    Platform 10.0.19044/x64 v937 06_5e
    PID 968
    Application C:\Program Files (x86)\NoVirusThanks\NVT License Manager\NVTLicenseManager.exe
    Created 2022-03-20T00:56:38
    Description Generic ML PUA


    Process Trace
    1 C:\Windows\System32\services.exe [968]
    2 C:\Windows\System32\wininit.exe [824]
    wininit.exe

    Dropped Files

    Thumbprints
    3dde7f92c3b3acb1e591e978c04fd34216b713825d2647246acdbf6168ea2d18
     
  15. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    I really need more details, see previous post. I have a Win7x86 machine running inside VBox without crashes or exclusions. On the old build the VBox service would terminate the moment you started a "machine", which didn't even have a Guest OS installed; this works fine now, and I have a default next, next, finish Guest OS running without crashes.
     
  16. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Tx, fixed, should no longer trigger.
     
  17. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    This is a known issue on our end, and in general a thing because you can't have two products protecting your browser in that banking/secure mode; they'll fight and lessen security.
    I'd advise activating one or the other for now.
     
  18. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Doesn't really matter; this works as designed and would also have triggered on 937.
    WinRar introduces new executable code and tries to execute it; because Application Lockdown is active on WinRar and inherit is forced, this is not allowed.
     
  19. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    This one should be gone now.
     
  20. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Thanks, it's not 0Patch, but we're looking into it; I have a repro.
     
  21. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    What extra Details do you need?
    I am running Windows 11 with the latest update available via the regular update service. I have not signed up for the Windows Insider program.
     
  22. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
  23. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Looks like ESET blacklisted us for their Banking & Payment protection settings, so there is not a lot we can do; on the other hand, you don't want to have two products fighting over this anyway.
    If I only protect the default browser with ESET, the others seem to work fine with Safebrowsing.
     
  24. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.20 Build 939 Release Candidate 3

    Changelog (compared to build 937)
    • Fixed crash in VirtualBox caused by Syscall on Win11
    • Improved Syscall on certain applications e.g. WhatsApp / Mullvad VPN / Torbrowser
    • Improved RemoteThreadGuard
    Download
    https://dl.surfright.nl/hmpalert3b939.exe
    *Auto-update enabled for 935 and higher.

    Please let us know how this build runs on your machine :thumb:
    *Beware: some sites are leeching this build and posting it on their download pages as a Stable release, so no, 923 is still the Stable.
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Looks good so far but early days.

    Thanks for your hard work.
     