HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    @feerf56

    You can also suppress the HMP.Alert alerts using Sandboxie Plus 1.2.0. To suppress an alert, click Actions and click Suppress Alert.

     
    Last edited: Jun 29, 2022
  2. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    I tried, but it doesn't work. The option was visible, but not clickable.
     
  3. Kaedehara Kazuha

    Kaedehara Kazuha Registered Member

    Joined:
    Apr 25, 2022
    Posts:
    5
    Location:
    Cyberspace
    Version 3.8.21 Build 945
    Numerous WipeGuard alerts have been triggered

    Even includes System process
    Mitigation WipeGuard
    Timestamp 2022-08-12T13:45:11

    Platform 10.0.19044/x64 v945 06_8e%
    Feature 007D0A30000001A2

    Reason Volume Boot Record (VBR)
    Volume \Device\HarddiskVolume10
    BusType Nvme
    LBA 4100
    Length 1
    PartitionType 0xEE

    Dropped Files
    1 C:\WINDOWS\system32\Logfiles\WMI\RtBackup\EtwRTMuroc System Trace.etl
    Dropped by [4]

    Thumbprints
    N/A

    SearchApp is the most frequent
    Mitigation WipeGuard
    Timestamp 2022-08-12T13:43:27

    Platform 10.0.19044/x64 v945 06_8e%
    PID 18012
    Feature 007D0A30000001A6
    Application C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    Created 2022-08-10T03:02:21
    Description Search application 10

    Reason Volume Boot Record (VBR)
    Volume \Device\HarddiskVolume10
    BusType Nvme
    LBA 4100
    Length 1
    PartitionType 0xEE

    Process Trace
    1 C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe [18012]
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    2 C:\Windows\System32\svchost.exe [668]
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
    3 C:\Windows\System32\services.exe [856]
    4 C:\Windows\System32\wininit.exe [764]
    wininit.exe

    Services
    668 BrokerInfrastructure
    668 DcomLaunch
    668 PlugPlay
    668 Power
    668 SystemEventsBroker

    Dropped Files

    Thumbprints
    367a194d8184aca89fde9b7b77a66dd0b1e25696ba4518e8dd8090aa03a0c0a8
    e83a499cd2d186654cfa7fe2fbdf0d36618c2c58866012da9fffdd5b488ac50c (crth-process)

    Sometimes it even causes a blue screen


    Is this a HitmanPro.Alert bug?

    Or did I install the system the wrong way or get a rootkit infection?

    @RonnyT
     
    Last edited: Aug 12, 2022
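As an added triage aid, not part of this thread or of the HitmanPro.Alert product, the following Python parser reads the WipeGuard report layout quoted in the post above and summarises what a batch of such alerts has in common (same volume and LBA, alerts without a PID, protective-MBR partition type). The report text is constructed for the example and the field names and the `<System>` label are assumptions modelled on the post.

```python
import re
from collections import Counter

# Constructed sample laid out like the WipeGuard reports quoted above; volume,
# LBA and partition type are the thread's values, the rest is illustrative.
SAMPLE_REPORT = """\
Mitigation WipeGuard
Timestamp 2022-08-12T13:45:11
Reason Volume Boot Record (VBR)
Volume \\Device\\HarddiskVolume10
LBA 4100
PartitionType 0xEE

Mitigation WipeGuard
Timestamp 2022-08-12T13:43:27
PID 18012
Application C:\\Windows\\SystemApps\\Search\\SearchApp.exe
Reason Volume Boot Record (VBR)
Volume \\Device\\HarddiskVolume10
LBA 4100
PartitionType 0xEE
"""

def parse_alerts(text):
    """One dict per alert; every report line is 'Key value', blank lines separate alerts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(" ")
            if key:
                fields[key] = value
        if "Mitigation" in fields:
            alerts.append(fields)
    return alerts

def triage(alerts):
    """Summarise what a batch of alerts has in common before judging it a false positive."""
    targets = Counter((a.get("Volume"), a.get("LBA")) for a in alerts)
    return {
        "alerts": len(alerts),
        # an alert without a PID came from the System process (kernel-originated write)
        "from_system_process": any("PID" not in a for a in alerts),
        # 0xEE is the partition type of a GPT protective MBR
        "gpt_protective_mbr": all(a.get("PartitionType", "").lower() == "0xee" for a in alerts),
        # one (Volume, LBA) pair hit by every alert, regardless of application
        "single_target": len(targets) == 1,
        "applications": sorted(a.get("Application", "<System>") for a in alerts),
    }
```

Run it on the full set of reports from a machine: one sector hit by many unrelated applications, including the System process, is the pattern to compare against the QA engineer's reply below.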
  4. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Can you share the memory.dmp with support@hitmanpro.com please so we can investigate?

    Do you use some sort of disk virtualization software? e.g. Shadow defender?
    For now I'd advise disabling the MBR protection (WipeGuard) under Risk reduction/CryptoGuard; we've done some changes recently and I expect them to be coming from that.
     
  5. Kaedehara Kazuha

    Kaedehara Kazuha Registered Member

    Joined:
    Apr 25, 2022
    Posts:
    5
    Location:
    Cyberspace
    After making some attempts I broke the system and after reinstalling the system the problem no longer occurs.
    Thanks for your reply.
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    Dunno if this is related but FWIW:

    Since last week's Win Update, SearchApp has been causing problems on my Win 10 PC.

    SearchApp will suddenly start using 11+ Gigs of my 16 Gigs of RAM, causing my PC to slow to a crawl, e.g., taking 40+ seconds, if at all, to open Task Manager or do anything else. After a forced restart it's OK for a while.

    I have never experienced this before last week's Win update.

    However, I have HMPA installed [not Beta] and have not experienced the issues bugging @Kaedehara Kazuha

    WIN10 21H1
     
  7. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    If it appears that stable I'd say uninstall Alert and see if the issue is still present or not.

    Maybe search indexing is corrupt or something.
    Can't hurt to have a look or reset the DB
    https://winbuzzer.com/2020/09/25/how-to-reset-and-rebuild-the-search-index-in-windows-10-xcxwbt/
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    Thanks @RonnyT

    FWIW:

    This rabid SearchApp problem was reported by several posters on the Microsoft support forums in February and March, 2022. Supposedly it was fixed in the Spring. Perhaps the last Win Update reactivated the issue.
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.22 Build 947 (RC)

    Changelog (compared to 945)
    • Improved HollowProcess
    • Improved Syscall
    • Improved StackPivot
    • Improved RemoteThreadGuard
    • Improved CryptoGuard 5
    • Fixed rare BSODs in CryptoGuard 5
    • Fixed HollowProcess incompatibility with PC-Matic/Pitstop
    • Several other changes under the hood
    Download
    https://dl.surfright.nl/hmpalert3b947.exe

    Please let us know how this version runs on your machine :thumb:
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    No problems so far, besides the already mentioned issue of no, or unreliable Windows start up tone x 2 machines.
     
  11. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    No problems so far with Hitman.Pro.Alert on my configuration (see signature).
     
  12. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Same here.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Build 947 all good here.
     
  14. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    947 running fine here too (upgraded yesterday)
     
  15. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    This one updated without the need to uninstall the previous version first. Nice!
     
  16. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    I've never had to uninstall the previous version.
     
  17. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.23 Build 951 (BETA)

    Changelog (compared to 947)
    • Improved SendKeyGuard
    • Improved CryptoGuard5
    • Improved HeapHeapProtect
    • Improved StackPivot
    • Improved CookieGuard
    • Improved HollowProcess
    • Several other changes under the hood
    SendKeyGuard - mitigation (part of Lockdown) to block macro-borne keystroke injection.
    The feature needs to be enabled manually on Office applications (e.g. Word/Excel).


    Download

    https://dl.surfright.nl/hmpalert3b951.exe

    Beware this is a BETA release which hasn't been fully tested (warning: backups, not on production etc).
    Please let us know how this version runs on your machine :thumb:

    On behalf of Team HitmanPro(Alert) we wish you Happy Holidays! and a healthy 2023.
     
  18. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  19. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    50
    Location:
    Italien
    Thanks RonnyT, happy holidays from Italy. :thumb::thumb::thumb:
     
  20. lawdude

    lawdude Registered Member

    Joined:
    Sep 20, 2015
    Posts:
    41
    I run 3 security programs on two computers. MalwareBytes, Norton Security, and HitmanPro.Alert.

    MalwareBytes Premium I bought several years ago as a lifetime license. The other two, which I've had for several years, are subscription. I get interventions from Norton and MalwareBytes, but can't remember the last time I received any kind of intervention from HitmanPro.Alert.

    With or without any kind of sale on Hitman, I'm trying to figure out if it's worth renewing.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm guessing it's because Norton and Malwarebytes are AVs who try to stop malware from running. If they successfully do this, then there is no reason for HMPA to alert about suspicious stuff. Normally, HMPA will come into action once AVs are bypassed.
     
  22. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi Lawdude,

    Well, the answer is 'it depends': it's entirely possible that they find/detect things that we are not protecting against, e.g. URL screening for malicious webpages, or a spam filter in email.
    If you like, send me some example alerts over DM and we can see if that was because the other products were earlier in the process of catching something, or that we perhaps missed something.
    It's not as simple as in the AV bad-signature days anymore.

    You might also want to have a look here at "Description of different modules and features" to get a good view as to what our product is supposed to protect so you can compare apples with apples.
    https://hitmanpro.zendesk.com/hc/en-us/categories/4405871255953-HitmanPro-Alert-Product-Info
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  24. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    ;) Same sample as in the report (Risk reduction, Process protection, unexpected system calls).

     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Cool, so you tested this with Magniber? This is a good example of how HMPA is one of the most advanced behavior blockers on the market. But it would be nice if HMPA added protection against more code injection methods, as mentioned in this article, see link. If I'm correct, HMPA currently protects against process hollowing and APC injection.

    https://www.elastic.co/blog/ten-pro...-technical-survey-common-and-trending-process
     