Hitman Pro Support and Discussion Thread

Discussion in 'other anti-malware software' started by yashau, Mar 20, 2009.

  1. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    @erikloman

    Hi Erik,

    Just out of interest, are there plans to make HMP active scanning rather than passive?

    Ed.
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Just prior acquisition we had anti-malware in HMPA. We were at the point to release it in beta. Sophos sadly scrubbed the feature but it would not take much effort to reintroduce it. The code is still present.

    HMP is passive.
    HMPA is realtime.
     
  3. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    361
    My Razer Naga mouse and my Corsair K95 keyboard keep getting alert notifications during boot up as a new USB device any way to make them exceptions so they don't trigger alerts?
     
  4. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Ah ok, I can understand Sophos ditching it from HMPA as they'll have other products to do resident anti-malware I guess.

    It is a pity that HMP (or HMPA) isn't resident for anti-malware, it's another tick in the feature list box when comparing HMP with other products.

    Cheers,

    Ed.
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I know :(
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Disable BadUSB feature on the orange tile.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,791
    Location:
    Among the gum trees
    Hello,

    The latest AdBlock Plus for Internet Explorer is detected as a threat.
    Code:
    HitmanPro 3.7.15.281
    www.hitmanpro.com
    
       Computer name . . . . : DAVID-HP
       Windows . . . . . . . : 10.0.0.14393.X64/4
       User name . . . . . . : DAVID-HP\David
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Paid (1088 days left)
    
       Scan date . . . . . . : 2017-01-05 12:00:15
       Scan mode . . . . . . : Quick
       Scan duration . . . . : 1m 25s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 1
       Traces  . . . . . . . : 5
    
       Objects scanned . . . : 5,204
       Files scanned . . . . : 5,204
       Remnants scanned  . . : 0 files / 0 keys
    
    Miniport ____________________________________________________________________
    
       Primary
          DriverObject . . . : FFFFBB8C8851B060
          DriverName . . . . : \Driver\iaStorA
          DriverPath . . . . : \SystemRoot\System32\drivers\iaStorA.sys
          StartIo  . . . . . : 0000000000000000 +0
          IRP_MJ_SCSI  . . . : FFFFF80C44EF3F80 \??\C:\WINDOWS\system32\drivers\hmpalert.sys+147328
       Solution
          DriverObject . . . : FFFFBB8C8851B060
          DriverName . . . . : \Driver\iaStorA
          DriverPath . . . . : \SystemRoot\System32\drivers\iaStorA.sys
          StartIo  . . . . . : 0000000000000000 +0
          IRP_MJ_SCSI  . . . : FFFFF80C410C3840 \SystemRoot\System32\drivers\storport.sys+14400
    
    Malware _____________________________________________________________________
    
       C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll
          Size . . . . . . . : 758,360 bytes
          Age  . . . . . . . : 1.2 days (2017-01-04 07:48:02)
          Entropy  . . . . . : 6.2
          SHA-256  . . . . . : B9B495A6CE341778E8AF3D0512A22D5611B31EC88C83A80ECBEFC8471110A144
          Product  . . . . . : Adblock Plus
          Publisher  . . . . : Eyeo GmbH
          Description  . . . : Adblock Plus BHO for Internet Explorer
          Version  . . . . . : 1.6.0
          Copyright  . . . . : Copyright (C) 2006-2016 Eyeo GmbH
          RSA Key Size . . . : 4096
          LanguageID . . . . : 1033
          Authenticode . . . : Valid
        > Kaspersky  . . . . : not-a-virus:WebToolbar.Win32.Codiby.kbe
          Fuzzy  . . . . . . : 87.0
          Startup
             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFCB3198-32F3-4E8B-9539-4324694ED664}\
             HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFCB3198-32F3-4E8B-9539-4324694ED664}\
          References
             HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FFCB3198-32F3-4E8B-9539-4324694ED664}\
             HKU\S-1-5-21-3188001579-2604318531-2913584140-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFCB3198-32F3-4E8B-9539-4324694ED664}\
    
    
    
    
    Thanks.
     
  8. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
    Hi

    I don't have traditional BIOS in my laptop but instead it is using UEFI for boot up.

    Can tell me whether HMPA's MBR protection feature will protect my GPT drive since I don't have MBR and the BIOS?

    Thanks
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,791
    Location:
    Among the gum trees
  10. NiteRanger

    NiteRanger Registered Member

    Joined:
    Nov 15, 2016
    Posts:
    651
    Location:
    Far East
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,505
    Location:
    the Netherlands
    False positive confirmed for Adblock Plus for Internet Explorer on Windows 7 x64:
    Code:
    HitmanPro 3.7.15.281
    www.hitmanpro.com
    
       Computer name . . . . : XXXXX
       Windows . . . . . . . : 6.1.1.7601.X64/2
       User name . . . . . . : XXXXX
       UAC . . . . . . . . . : Enabled
       License . . . . . . . : Paid (491 days left)
    
       Scan date . . . . . . : 2017-01-05 12:41:41
       Scan mode . . . . . . : Normal
       Scan duration . . . . : 2m 30s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 1
       Traces  . . . . . . . : 7
    
       Objects scanned . . . : 1.224.130
       Files scanned . . . . : 12.494
       Remnants scanned  . . : 162.797 files / 1.048.839 keys
    
    Miniport ____________________________________________________________________
    
       Primary
          DriverObject . . . : FFFFFA8004731730
          DriverName . . . . : \Driver\atapi
          DriverPath . . . . : \SystemRoot\system32\drivers\atapi.sys
          StartIo  . . . . . : 0000000000000000 +0
          IRP_MJ_SCSI  . . . : FFFFF8800630BF80 \??\C:\Windows\system32\drivers\hmpalert.sys+147328
       Solution
          DriverObject . . . : FFFFFA8004731730
          DriverName . . . . : \Driver\atapi
          DriverPath . . . . : \SystemRoot\system32\drivers\atapi.sys
          StartIo  . . . . . : 0000000000000000 +0
          IRP_MJ_SCSI  . . . : FFFFF88000D9F4D8 \SystemRoot\system32\drivers\ataport.SYS+29912
    
    Malware _____________________________________________________________________
    
       C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll
          Size . . . . . . . : 758.360 bytes
          Age  . . . . . . . : 1.9 days (2017-01-03 16:16:24)
          Entropy  . . . . . : 6.2
          SHA-256  . . . . . : B9B495A6CE341778E8AF3D0512A22D5611B31EC88C83A80ECBEFC8471110A144
          Product  . . . . . : Adblock Plus
          Publisher  . . . . : Eyeo GmbH
          Description  . . . : Adblock Plus BHO for Internet Explorer
          Version  . . . . . : 1.6.0
          Copyright  . . . . : Copyright (C) 2006-2016 Eyeo GmbH
          RSA Key Size . . . : 4096
          LanguageID . . . . : 1033
          Authenticode . . . : Valid
        > Kaspersky  . . . . : not-a-virus:WebToolbar.Win32.Codiby.kbe
          Fuzzy  . . . . . . : 89.0
          Startup
             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFCB3198-32F3-4E8B-9539-4324694ED664}\
             HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFCB3198-32F3-4E8B-9539-4324694ED664}\
          References
             HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FFCB3198-32F3-4E8B-9539-4324694ED664}\
             HKU\S-1-5-21-2113389046-1677087814-4007212474-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFCB3198-32F3-4E8B-9539-4324694ED664}\
             HKU\S-1-5-21-2113389046-1677087814-4007212474-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFCB3198-32F3-4E8B-9539-4324694ED664}\
    
    
    
    
     
  12. max2

    max2 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    370
    Is there anyway to exclude files ?
     
  13. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,505
    Location:
    the Netherlands
    If you choose to report a false positive detection as safe, it will be ignored next scans.
    I don't know of any other way to exclude files through the HMP UI.
     
  14. max2

    max2 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    370
    How do you do that please? Thanks.
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,505
    Location:
    the Netherlands
    If a HMP scan detects a certain item as malware, but you are sure this is a false positive detection, do not click the offered Quarantine option, but click the little arrow/triangle to the right, and choose the option to report as safe.
     
  16. max2

    max2 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    370
    I don't see that. It just wants to delete it.

    I can choose ignore but it comes up again in a scan.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,505
    Location:
    the Netherlands
    It is getting rather annoying that you post in both the HMP and the HMPA thread.
    Regarding HMP scans, better stick to the HMP thread (that is this thread), thanks.

    A screenshot may be helpful, and also the HMP log that mentions coupon bar (that you mentioned in the HMPA thread).
    You can access the HMP log through HitmanPro\Settings\History\Logs.
     
    Last edited: Jan 5, 2017
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,505
    Location:
    the Netherlands
    @erikloman,
    @markloman,
    Those reports were from last Thursday.
    Last Saturday, HMP came up with the same false positive on another Windows 7 x64 system. As reporting it as safe 'fixes' the issue for that system, I cannot tell whether or not it is fixed in the HMP database, by now.

    The cause of the issue, Kaspersky detecting C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll as malware, that is still the same, according to the latest VirusTotal check, a few minutes ago.
    Rather stupid false positive by Kaspersky, and it takes Kaspersky too long to fix it.

    I hope the issue will be fixed in the HMP database.
     
  19. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,505
    Location:
    the Netherlands
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I have whitelisted it. Should no longer appear.
     
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,505
    Location:
    the Netherlands
    Thanks very much, Erik. :thumb:
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,356
    Location:
    .
    Q: does HitmanPro ever return Threat: Unknown

    Just scanned new (one hour old) beta setup installer saved to my desktop.
    I watched item scanned, 14s, in the cloud with Threats: 0
    So, I'm curious whether 0 means Hitman uploaded & launched file in protected test environment.
    Or, whether samples were uploaded, comparatives run and with nothing to compare. Hitman returned 0.
    Or, maybe hash was uploaded and not finding, to make determination. Hitman returned 0.

    Does 0 (Default scan) really always mean no threats or may mean no threats found (Unknown).
    What is uploaded and what happens in the cloud 14s.
    Generally, not asking proprietary info.

    Thanks
    Edit: added (Default scan)
     
    Last edited: Jan 18, 2017
  23. plat1098

    plat1098 Guest

    I would also like to know the answer(s).
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,356
    Location:
    .
    Yeah, me too.
    I've seen xyz scan return Threats detected 0. And 0 translates to Unclassified.
    I've seen abc scan return Detected Objects 0. And wonder what 0 means.
    So, 0's for various samples thru other scanners got me wondering.

    What does 0 (Default scan) mean: sample is known and has no threats or sample is unknown and has ? threats.
    What does HitmanPro, Threats detected: 0 mean.
    Thanks
    Edit: added (Default scan)
     
    Last edited: Jan 18, 2017
  25. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    I have licensed hmp & hmp.a, rec'd email from sophos to renew early, so I did on 17 jan, but it seems like I "lost" some paid license time. the 1 yr 2016 license expired 26 jan, and I renewed today and activated the 2017 license, and it says it expires 17 jan 2018 so I "lost" 9 days by renewing early? Such a deal, not! other than that ripoff snafu, hmp.a has been running aok on my win7x64. IIRC, when I activated the 2016 license in hmp, it was automatically read by hmp.a, so I activated the 2017 license in hmp, but when I open hmp.a it say my license is going to expire soon, ie, hmp.a did not pickup the 2017 license activated in hmp. So do I need to manually activate the 2017 license in hmp.a? Is my recollection wrong, or has sophos mucked up the renewal process?? (or botho_O)
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.