HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Completely clear. Thanks very much. :thumb:
     
  2. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    174
    HitmanPro 3.7.0 build 721 Release Candidate working fine here.
     
  3. plat1098

    plat1098 Guest

    Removed Alert 720 plus the ProgramData folder and installed 721. The Block Untrusted Fonts tile isn't even there any more but had to manually enable BadUSB, and set Vaccination to active for now. Left Credential Theft Protection disabled (at default) for now. Works fine so far w/Sandboxie 5.22 release and IE11. The only thing is being unable to get the HMP scanner to show separately by clicking on the scanner tile, it just shows that little menu. The only feedback you get then is a "scan complete" and green or red on the Alert tile. It would be nice to see the scanner separately in real time. :)
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Did a complete uninstall and installed 721. Looks good so far. Scan was fine and fast.
     
    Last edited: Nov 3, 2017
  5. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    Followed instructions for installing 721. Left settings on standard as left factory. All is fine. PC boots to Macrium Reflect USB unlike 718 and 720.
    Thank you.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No problems installing (after also deleting the ProgramData folder). Win 10 Pro x64 v1709 16299.19.

    Surprised to see No. of alerts is not zeroised though, must be getting that data from elsewhere (Event Viewer?). Can one manually zeroise it?
     
    Last edited: Nov 4, 2017
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    The alerts are read from the Application log, part of the Windows Event Log. If you want to set the counters to zero, you can clean the Windows Event Log.
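    An added example (not HitmanPro.Alert's own code, nor anything posted in this thread) of how to review those Application-log entries before clearing the log to zero the counters. It assumes the alert events carry a provider name containing "HitmanPro" (adjust the pattern if yours differs); the backup path is a placeholder, and clearing the log requires an elevated PowerShell session.

    ```powershell
    # Added example: tally HitmanPro.Alert events in the Windows Application log,
    # then (only with -Clear) back the log up and clear it to reset the counters.
    # Assumption: events are written under a provider name matching "*HitmanPro*".
    param(
        [string]$Provider = '*HitmanPro*',
        [string]$Backup   = "$env:TEMP\Application-backup.evtx",   # placeholder path
        [switch]$Clear
    )

    # 1. Pull every Application-log event from the assumed provider.
    #    -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches.
    $alerts = Get-WinEvent -FilterHashtable @{ LogName = 'Application' } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like $Provider }

    # 2. Summarise per event ID and level so repeated hits (e.g. the same installer
    #    tripping CodeCave again and again) stand out before anything is deleted.
    $alerts |
        Group-Object ProviderName, Id, LevelDisplayName |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize

    # 3. Show the newest entries in full so the mitigation text is readable.
    $alerts | Select-Object -First 5 TimeCreated, Id, Message | Format-List

    # 4. Clearing the Application log resets the tile counter, but it also discards
    #    every other application's events, so export the whole log first and only
    #    clear when explicitly asked to.
    if ($Clear) {
        wevtutil epl Application $Backup
        if (Test-Path $Backup) {
            Clear-EventLog -LogName Application
            Write-Host "Application log exported to $Backup and cleared."
        }
    }
    ```

    Run it without -Clear first to see what the counters are built from; the .evtx backup keeps the original alert entries available for later review.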
     
  8. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    It still triggers an alert:
    Mitigation CodeCave

    Platform 10.0.16299/x64 v721 8f_01
    PID 8292
    Application C:\Users\sanya\AppData\Local\Temp\is-2VQ9O.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp
    Description Setup/Uninstall

    Intersectional control flow detected!

    Process Trace
    1 C:\Users\sanya\AppData\Local\Temp\is-2VQ9O.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp [8292]
    "C:\Users\sanya\AppData\Local\Temp\is-2VQ9O.tmp\astah-professional-7_2_0-1ff236-jre-64bit-setup.tmp" /SL5="$608D2,92158849,569856,C:\Users\sanya\Downloads\astah-professional-7_2_0-1ff236-jre-64bit-setup.exe"
    2 C:\Users\sanya\Downloads\astah-professional-7_2_0-1ff236-jre-64bit-setup.exe [14332]
    3 C:\Windows\explorer.exe [7504]

    Thumbprint
    37a1c59855a4c83de118d54424ab6cf74b1bf93f6de08b0a37bff1e7659618d2

    However, if I disable CodeCave I can install the program, and once installed I can enable CodeCave and launch the application without issue.

    Another CodeCave situation: Visual Studio Community 2017 -> Create a new Windows Console Application (C++) and just make a simple Hello World application. Now do CTRL + F5 to run it, causes:
    Mitigation CodeCave

    Platform 10.0.16299/x64 v721 8f_01
    PID 15328
    Application C:\Users\sanya\source\repos\TestCodeCave\Debug\TestCodeCave.exe
    Description TestCodeCave.exe

    Process Protection / Code Cave Mitigation: Active code cave detected!

    Process Trace
    1 C:\Users\sanya\source\repos\TestCodeCave\Debug\TestCodeCave.exe [15328]
    "C:\Users\sanya\source\repos\TestCodeCave\Debug\TestCodeCave.exe"
    2 C:\Windows\SysWOW64\cmd.exe [2880]
    "C:\WINDOWS\system32\cmd.exe" /c ""C:\Users\sanya\source\repos\TestCodeCave\Debug\TestCodeCave.exe" & pause"
    3 C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\devenv.exe [9408]
    4 C:\Windows\explorer.exe [7504]

    Thumbprint
    e6d903dc8fe081f7dc79ecf91e6fe6cb164431777269e2db654e99e00d5757c4
     
  9. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Completely uninstalled 720, installed 721, and enabled badUSB. No problems so far.
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Win 10 Pro x64 v1709 16299.19, HMP.A build 721 beta.

    Mitigation ROP

    Platform 10.0.16299/x64 v721 06_45
    PID 8120
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 56.0.2

    Callee Type LoadLibrary

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FF841D9966D KernelBase.dll
    2 00007FF844AF8508 ntdll.dll
    3 00007FF844AE0F56 ntdll.dll __C_specific_handler +0x96
    4 00007FF844AF4C3D ntdll.dll __chkstk +0x11d
    5 00007FF844A6D1B8 ntdll.dll
    6 00007FF844AF3B6E ntdll.dll KiUserExceptionDispatcher +0x2e

    7 00007FF8027AAA01 xul.dll
    cc INT 3

    8 00007FF802EFCAAA xul.dll
    9 00007FF802EE5F62 xul.dll
    10 00007FF802C37D1E xul.dll

    Code Injection
    000002723EE4D000-000002723EE4E000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [14032]
    00007FF844AF0000-00007FF844AF1000 4KB
    00007FF844AF2000-00007FF844AF3000 4KB
    00007FF844AEF000-00007FF844AF0000 4KB
    1 C:\Program Files\Mozilla Firefox\firefox.exe [14032]
    2 C:\Program Files\Mozilla Firefox\firefox.exe [16456]
    3 C:\Windows\explorer.exe [4104]
    4 C:\Windows\System32\userinit.exe [4676]

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [8120]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14032.3.511104922\1068371946" -childID 1 -isForBrowser -intPrefs 5:50|6:-1|28:1000|33:20|34:10|43:128|44:10000|49:0|51:400|52:1|53:0|54:0|59:0|60:120|61:120|92:2|93:1|107:5000|118:0|120
    2 C:\Program Files\Mozilla Firefox\firefox.exe [14032]
    3 C:\Program Files\Mozilla Firefox\firefox.exe [16456]
    4 C:\Windows\explorer.exe [4104]
    5 C:\Windows\System32\userinit.exe [4676]

    Thumbprint
    65b08153b6f661f989e3612ad52cf5c1192ecd4df327f9082c26b98b91b224b3
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    When you run the scan the HitmanPro icon is in the "tray" though it may be hidden. If you double click the icon the usual HitmanPro window with the list of detections will open.
     
  12. plat1098

    plat1098 Guest

    Yes, got it. Actually, this was brought up before, I guess it's just the way it is. You can double-click the scanner tile on the release and get the HMP interface while it's running. Just not in the beta, it seems. No biggie.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I get a Scanning icon in the tray in 721. But all my tray icons are visible. Win 7 x64
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    From a technical point of view HMPA is superior, but I also feel it causes too many problems, that's why I decided not to install. But for some it won't cause any problems, it also depends on apps and other security tools that are used. But I'm not willing to risk anything.
     
  15. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    Installed RC 721, upgraded over the previous one "720", and did a clean install.

    I see both zam and cyberghost working fine now.

    I instead obtain an Error Starting Application for C:\Windows\System32\PrintDisp.exe

    that is installed with https://www.iceni.com/infix.htm, a PDF editor.

    Looking at the properties of that PE, it looks like it is missing any Exploit Mitigation feature, and I added it to the exclusions; so far I am not getting the error at start any more, which means that HitmanPro tries to protect it but fails because it has no way to protect it.

    Am I wrong?
     
  16. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thus far no problems here (Windows 7 Pro SP1 x64).
     
  17. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    W7-x64 Professional: De-installed build 720 completely, installed build 721 RC, no issues whatsoever!
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I also noticed that BadUSB was off when I installed 721; I wonder if that's by default?
     
  19. guest

    guest Guest

    It has been the default since 3.1.1 Build 350:
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Where have I been? LOL Thanks for clarifying :thumb:
     
  21. guest

    guest Guest

    No problem :)
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Installed 721 RC, on Win 10 x64 pro fall creators update.
    Chrome starts up slowly and fitfully, and some of the extensions crash.
     
    Last edited: Nov 5, 2017
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    That is strange, because I uninstalled 720 and deleted ProgramData, rebooted, installed 721, rebooted - and BadUSB is Enabled.
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    If you uninstall HMP.A and delete the folder in ProgramData, will that also delete preferences?
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Disabled here. Indeed strange
     