HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Cactus5

    Cactus5 Registered Member

    Joined:
    Jan 17, 2015
    Posts:
    25
    Location:
    Southwest USA
    @paulderdash, I have a VM that has been running Windows 10 since September, 2014. This VM is currently running 64-bit 1703, Build 540. I am using HMP.A in this VM with beta build 712. When build 502 came along the update didn't install the first time. I disabled Credential Theft Protection and then that build installed. On Patch Tuesday when build 540 came out, it installed with no problem. Credential Theft Protection was still disabled.

    It may be some other software on your system? This VM of mine has virtually no other software, just some apps from the store, a couple of browsers and a couple of outside apps. It also runs Windows Defender and HMP.A beta build 712.
     
  2. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    79
    Note that I was talking about Intercept X which is an enterprise solution solely aimed for businesses. The only home-user product of Sophos that I am aware of is "Sophos Home" which has none of the mentioned features.
    Also I am not aware of any comparative tests including the "Endpoint Protection" product of Sophos together with Intercept X.
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,374
    Location:
    Under a bushel ...
    Thanks @Cactus5. I guess that blows my theory about it being peculiar to Win 10 x64 and v1703.

    It could be some interaction with HMPA and something else.I did try disabling other stuff, but didn't go as far as uninstalling.

    All I know is that with HMPA installed (with CTP disabled) I have cumulative update (@shmu26 encountered similar) and DISM / sfc issues, but when uninstalled I don't. I can reproduce the DISM / sfc issues on demand. IIRC, even stopping the service was not enough..

    I have also PM'd the Lomans, hoping they could find something, but they have net been around for the last six weeks. I would like to test a new build when it comes. I would be reluctant to give up on HMPA on this machine.
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,374
    Location:
    Under a bushel ...
    Mark has reached out re my issue. They should be back soon (his permission given):

    And sure, just mention we are busy with Sophos Intercept X 2.0. One of the things we've been working is a completely new malware scanner, which will debut in Sophos Intercept X 2.0, and maybe sooner on Wilders Security!
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,082
    I was also curious about win 10 so I upgraded my VM from win 7 to win 10. Everything I run including HMPA Build 712 was perfect.
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,238
    We were not forgotten :)
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,082
    Not at all surprised.
     
  8. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    739
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,374
    Location:
    Under a bushel ...
    While browsing to link on sandboxed FF 55.0.2 ((Sandboxie 5.21.2 beta), this intercept from HMPA 712 beta (Win 10 Pro x64 v1703 15063.540):
    Credential Theft Protection, Process Protection - Local Privilege, Code Cave, DLL Hijacking Mitigations disabled.
    Code:
    Mitigation   ROP
    
    Platform     10.0.15063/x64 v712 06_45
    PID          29660
    Application  C:\Program Files\Mozilla Firefox\firefox.exe
    Description  Firefox 55.0.2
    
    Callee Type  ProtectVirtualMemory
                 0x00000342CC4A2000 (8192 bytes)
    
    Branch Trace                              Opcode  To                                   
    ---------------------------------------- -------- ----------------------------------------
    ReadProcessMemory +0x2b                    ~ RET* +0x22551                             
    0x00007FFA614086CB KernelBase.dll                 0x00007FFA60D72551 hmpalert.dll       
                        33ff                     XOR          EDI, EDI
                        448d6701                 LEA          R12D, [RDI+0x1]
                        48397da8                 CMP          [RBP-0x58], RDI
                        f20f84da000000           JZ           0x7ffa60d7263c
                        488b45a0                 MOV          RAX, [RBP-0x60]
                        4885c0                   TEST         RAX, RAX
                        f20f84cc000000           JZ           0x7ffa60d7263c
                        488b08                   MOV          RCX, [RAX]
                        4883f908                 CMP          RCX, 0x8
                        f20f86b4010000           JBE          0x7ffa60d72732
                        4881f900200000           CMP          RCX, 0x2000
                        f20f87b0000000           JA           0x7ffa60d7263c
                        488b45a8                 MOV          RAX, [RBP-0x58]
                                             ( 9FD0E660F044409)
    
    
    _aligned_free +0xc6                          RET  0x00007FFA14403471 xul.dll           
    0x00007FFA537F5056 mozglue.dll                                                         
    
    RtlLeaveCriticalSection +0x39                RET  _aligned_free +0xb6                   
    0x00007FFA64BFFF89 ntdll.dll                      0x00007FFA537F5046 mozglue.dll       
    
    _aligned_free +0x221                         RET  _aligned_free +0x84                   
    0x00007FFA537F51B1 mozglue.dll                    0x00007FFA537F5014 mozglue.dll       
    
    memset +0x19f                                RET  _aligned_free +0x73                   
    0x00007FFA5147C91F vcruntime140.dll               0x00007FFA537F5003 mozglue.dll       
    
    RtlEnterCriticalSection +0x2a                RET  _aligned_free +0x35                   
    0x00007FFA64BE447A ntdll.dll                      0x00007FFA537F4FC5 mozglue.dll       
    
    0x00007FFA148449C2 xul.dll                   RET  0x00007FFA1440345F xul.dll           
    
    0x00007FFA167F6D79 xul.dll                   RET  0x00007FFA14403453 xul.dll           
    
    0x00007FFA1430AEEC xul.dll                 ~ RET  0x00007FFA14403449 xul.dll           
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFA61411735 KernelBase.dll           VirtualProtect +0x35
    
    2  00007FFA143042C7 xul.dll               
                        85c0                     TEST         EAX, EAX
                        7447                     JZ           0x7ffa14304312
                        488b0d0eddf802           MOV          RCX, [RIP+0x2f8dd0e]
                        483bd9                   CMP          RBX, RCX
                        0f8274bf7f00             JB           0x7ffa14b0024f
                        4881c100000040           ADD          RCX, 0x40000000
                        483bf9                   CMP          RDI, RCX
                        0f8764bf7f00             JA           0x7ffa14b0024f
                        b001                     MOV          AL, 0x1
                        488b5c2438               MOV          RBX, [RSP+0x38]
                        4883c420                 ADD          RSP, 0x20
                        5f                       POP          RDI
                        c3                       RET       
    
    3  00007FFA1440111A xul.dll               
    4  00007FFA14403488 xul.dll               
    5  00007FFA1424D5FA xul.dll               
    6  00007FFA14276753 xul.dll               
    7  00007FFA14AA3829 xul.dll               
    8  00007FFA14217921 xul.dll               
    9  00007FFA14407356 xul.dll               
    10 00000342CC066A2E (anonymous; xul.dll) 
    
    Process Trace
    1  C:\Program Files\Mozilla Firefox\firefox.exe [29660]
    2  C:\Program Files\Mozilla Firefox\firefox.exe [31808]
    3  C:\Windows\explorer.exe [20944]
    explorer.exe
    
    Thumbprint
    24fc80ff0410b56eff613c91e2ca09b7497dfc45d2d96fbfcd9584d801b047ee
    
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,374
    Location:
    Under a bushel ...
    @shmu26 Just FYI Mark asked me to try this: Stop HMPA service, rename excalibur.db, then reboot. This solved my DISM and SFC problems. It is too early to say if this will resolve the identification and install of Windows Cumulative updates also, but I suspect it might (if say, DISM is involved in the WU process).

    He asked for my excalibur.db file, and responded that he suspects the issue is likely caused by the DLL Hijack Mitigation (which corresponds to what I also saw in the dism.log). I have unticked this for now.

    Edit: From the horse's mouth ...
    You shouldn't have to uncheck DLL Hijack Mitigation. Actually, the error is not really in the DLL Hijack Mitigation but an incorrect category for one of your browsers (likely Opera or so). You likely downloaded and installed a Windows update manually. Unsure yet though. What is certain is:

    1. Stop the HitmanPro.Alert Service
    2. Rename or delete the excalibur.db in C:\ProgramData\HitmanPro.Alert
    3. Reboot the machine or start the HitmanPro.Alert service again.

    You can post this as a possible solution. People shouldn't en masse delete their excalibur.db though. Only if you ran into the issue with SFC.
     
    Last edited: Aug 25, 2017
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,374
    Location:
    Under a bushel ...
    Had mentioned this before, but now that HMPA build 712 is back on my machine, I have noticed memory usage creep up more than normal on my machine, leading me to reboot eventually.

    Don't know if it's possible that HMPA could have some sort of memory leak ... ?
     
  12. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Noticed this too, I have enough memory that it didn't really bother me, but I have Sophos Home
    on one Firecuda HD, same windows os and setup, and I don't get the problem. So it's something
    for sure exclusive to HMPA, which is on my other Firecuda.
    Maybe something in the HMPA elements in Sophos are slightly different ?
    Or the leak was cut out in the Sophos version ?
     
  13. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    512
    Location:
    Hengelo
    HMPA elements in Sophos builds are a bit ahead of the beta build here on Wilders Security.
    We plan to post a new build on this forum soon - expect next week!
     
  14. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,781
    Location:
    Canada
    Thanks Mark, and nice to see you back here.:)
     
  15. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    I love the Sophos beta, that's why I felt that was the case, you can feel the difference between the HMPA beta and it's Sophos cousin. Thanks Mark.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,082
    I for one am just thrilled we have access to HMPA here. Thanks to the Loman Bros for this.
     
  17. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,076
    +1
     
  18. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    133
    Location:
    Canada
    +2
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,138
    Location:
    Outer space
    Build 712 gives a LoadLib alert on Firefox when browsing 24kitchen.nl as soon as it loads a video.(Win7x64 with Eset Smart Security 10.1.219.0)
    Interestingly the alert log shows "This program cannot be run in DOS mode". Haven't seen that before.
     

    Attached Files:

    • hmp.txt
      File size:
      2.3 KB
      Views:
      5
  20. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    389
    I've experienced the same thing on a variety of other sites. For me it happened while using Firefox 43 after installing the Foxit PhantomPDF plug-in, but your report suggests that the age of the FF version may not be related to the problem with HMP.A.

    BTW I tried disabling mitigations for the FF plug-in container, and that didn't help. I also tried adding the Foxit plug-in to the exclusions, and that didn't help either. I even tried starting the browser in FF safe mode (that is, with all extensions disabled), and still it got intercepted by HMP.A (b712) when trying to go to a site where these crashes were occurring.
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    11,238
    Because "HMPA elements in Sophos builds are a bit ahead", i assume that LoadLib False Positives will be fixed with a new version of HMP.A ("We plan to post a new build on this forum soon" #463)
    A similar "LoadLib"-issue was mentioned in the Sophos forum:
     
  22. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    389
    Sounds like HMP.A elements in Sophos builds are even ahead of HMP.A beta builds!
     
  23. plat1098

    plat1098 Guest

    Re: LoadLib "mitigations": a reason why I uninstalled Firefox (among others). HMP products will remain HMP for the foreseeable future, right?--but not at the expense of being overlooked in favor of Sophos!
     
  24. Rudolf1982

    Rudolf1982 Registered Member

    Joined:
    Jan 30, 2017
    Posts:
    4
    Location:
    Samobor
    Does HPMA have these problems as IX 2.0 beta:

    Problem: Any operation on any office 2016 app [Licenced through Office 365 pro plus] fails
    Fix: Only solution is to completely remove Intercept X [including older version], restart, disable the HitmanPro.alert service, uninstall Sophos Endpoint. Then remove computer from the EAP for Intercept X, and reinstall current version.

    Regards
     
  25. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    389
    I uninstalled b712 and installed b604, and the problem with Firefox went away even after re-enabling all of 604's mitigations for the Foxit Plug-in Container. Tried it on three web pages where FF had consistently crashed in b712 after installing the Foxit plug-in.

    Will try the beta builds again when there is some assurance that the LoadLib issue has been resolved.

    ADDENDUM: There was an unexpected side benefit of removing 712 and going back to 604. I had been getting frequent, repetitive notices in IE11 for the Foxit PhantomPDF Creator plug-in, to the effect that "A website wants to open web content using this program on your computer." Every single time I opened a new tab or clicked on a link, the notice would pop up and interrupt the workflow. These notices, too, have now stopped appearing with the replacement of 712 with 604.

    Hope this info helps Eric and Mark with future builds.
     
    Last edited: Aug 30, 2017
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.