HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    197
    Location:
    Canada
    I just manually updated from 3.8.9 Build 891 Release Candidate. No issues!
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,587
    Location:
    North Carolina, USA
    Hello @RonnyT ,

    I am getting a ROP alert on LibreOffice due to a false positive with ESET Internet Security.
    Mitigation ROP
    Timestamp 2021-04-13T20:53:27

    Platform 10.0.19042/x64 v893 06_9e
    PID 11328
    Feature 003D0A361FBF01B6
    Application C:\Program Files\LibreOffice\program\soffice.exe
    Created 2021-04-01T16:01:43
    Description LibreOffice 7.1.2

    Callee Type MapViewOfSection

    Branch Trace Opcode To
    ---------------------------------------- -------- ----------------------------------------
    0x00007FF8BCA7DE6E ebehmoni.dll ~ RET* +0x20330 ^0037
    0x00007FF8E3980330 hmpalert.dll
    4055 PUSH RBP
    53 PUSH RBX
    56 PUSH RSI
    57 PUSH RDI
    4156 PUSH R14
    488dac24b0fdffff LEA RBP, [RSP-0x250]
    4881ec50030000 SUB RSP, 0x350
    488b05f36c0b00 MOV RAX, [RIP+0xb6cf3]
    4833c4 XOR RAX, RSP
    48898530020000 MOV [RBP+0x230], RAX
    488b85a8020000 MOV RAX, [RBP+0x2a8]
    4889442478 MOV [RSP+0x78], RAX
    488b85b0020000 MOV RAX, [RBP+0x2b0]
    48894d80 MOV [RBP-0x80], RCX
    (E10A15ED3EF31E83)


    0x00007FF8BCA6095D ebehmoni.dll RET 0x00007FF8BCA7E09F ebehmoni.dll ^0276

    0x00007FF8BCA4832B ebehmoni.dll RET 0x00007FF8BCA4D0BF ebehmoni.dll ^0B0B

    0x00007FF8BCA440A9 ebehmoni.dll RET 0x00007FF8BCA43A74 ebehmoni.dll ^0006

    memset +0xe8 RET 0x00007FF8BCA4409C ebehmoni.dll ^0044
    0x00007FF8E6513EA8 ntdll.dll

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FF8BCA7E0BA ebehmoni.dll
    488da42458000000 LEA RSP, [RSP+0x58]
    c3 RET

    2 00007FF8BCA4D0DA ebehmoni.dll
    3 00007FF8BCA4411C ebehmoni.dll
    4 00007FF8BCA43AA8 ebehmoni.dll
    5 00007FF8BCA42B93 ebehmoni.dll
    6 00007FF8BCA7DDE8 ebehmoni.dll
    7 00007FF8E6484D42 ntdll.dll
    8 00007FF8E6484AAA ntdll.dll RtlIsCriticalSectionLockedByThread +0x21a
    9 00007FF8E6484479 ntdll.dll
    10 00007FF8E64DB1DD ntdll.dll

    Loaded Modules (17)
    -----------------------------------------------------------------------------
    00007FF609C10000-00007FF609C44000 soffice.exe (The Document Foundation),
    version: 7.1.2.2
    00007FF8E6470000-00007FF8E6665000 ntdll.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    00007FF8E58A0000-00007FF8E595D000 KERNEL32.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    00007FF8E3960000-00007FF8E3A6D000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.10.893
    00007FF8E3CB0000-00007FF8E3F78000 KERNELBASE.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    00007FF8E4880000-00007FF8E4FC2000 SHELL32.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    00007FF8E4400000-00007FF8E449D000 msvcp_win.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FF8E4300000-00007FF8E4400000 ucrtbase.dll (Microsoft Corporation),
    version: 10.0.19041.789 (WinBuild.160101.0800)
    00007FF8E46D0000-00007FF8E4870000 USER32.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    00007FF8E44A0000-00007FF8E44C2000 win32u.dll (Microsoft Corporation),
    version: 10.0.19041.906 (WinBuild.160101.0800)
    00007FF8E5740000-00007FF8E576A000 GDI32.dll (Microsoft Corporation),
    version: 10.0.19041.746 (WinBuild.160101.0800)
    00007FF8E40E0000-00007FF8E41EB000 gdi32full.dll (Microsoft Corporation),
    version: 10.0.19041.928 (WinBuild.160101.0800)
    00007FF8DC620000-00007FF8DC6B2000 MSVCP140.dll (Microsoft Corporation),
    version: 14.28.29334.0 built by: vcwrkspc
    00007FF8DE7B0000-00007FF8DE7C9000 VCRUNTIME140.dll (Microsoft Corporation),
    version: 14.28.29334.0 built by: vcwrkspc
    00007FF8DE7D0000-00007FF8DE7DC000 VCRUNTIME140_1.dll (Microsoft Corporation),
    version: 14.28.29334.0 built by: vcwrkspc
    00007FF8E56B0000-00007FF8E56E0000 IMM32.DLL (Microsoft Corporation),
    version: 10.0.19041.546 (WinBuild.160101.0800)
    00007FF8BCA40000-00007FF8BCACD000 ebehmoni.dll (ESET),
    version: 1.0.42.0

    Process Trace
    1 C:\Program Files\LibreOffice\program\soffice.exe [11328] 2021-04-13T20:53:17
    "C:\Program Files\LibreOffice\program\soffice.exe" -o "D:\WinRAR Files\Extractions\Documents\Images.ods"
    2 C:\Program Files\Biniware Run\brun.exe [7616] 2021-04-13T20:11:30
    3 C:\Windows\explorer.exe [5592] 2021-04-13T20:11:11
    4 C:\Windows\System32\userinit.exe [5488] 2021-04-13T20:11:11 23.2s
    5 C:\Windows\System32\winlogon.exe [916] 2021-04-13T20:10:56
    winlogon.exe
    6 C:\Windows\System32\smss.exe [808] 2021-04-13T20:10:56 174ms
    \SystemRoot\System32\smss.exe 00000144 00000084
    7 C:\Windows\System32\smss.exe [452] 2021-04-13T20:10:51
    \SystemRoot\System32\smss.exe

    Dropped Files

    Thumbprints
    c31d5663d13c3c8876b5d671654fedf1fced9bb764f1f8861a58eeb857f62f91
     
  3. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    343
    Location:
    Planet Earth
    Is that structural or incidental?
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
    OK cool, I figured that since most browsers are based on Chromium it shouldn't be this hard?
     
  5. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,587
    Location:
    North Carolina, USA
    Hello @RonnyT ,
    I am not quite sure what you mean by this question, so maybe this will help.
    I have a LibreOffice Calc file that I use often. Every time that it is launched, I get the same ROP alert along with the opening of the file being blocked. (Note that I use a program called Biniware Run to launch the file.)
    If that does not answer your question, please explain it in a simpler way for this feeble mind to understand ;) ...
    Thanks in advance :) .
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,538
    Location:
    Outer space
    Build 983 running fine now for a few days on Windows 1909 x64. (Apart from the Brave keystroke encryption issue reported in the other thread, but that is not specific to this new version.)
     
  7. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    343
    Location:
    Planet Earth
    Sorry what I meant was does it trigger the ROP everytime you open 'a' document, or just sometimes e.g. once a couple of days?
    Does it also ROP why you open Calc and then open the sheet? (so not using Biniware).
    Does it also ROP on any other Calc file?

    In general, you could allow this alert if it's a FP:
    To be able to allow this please open HitmanPro.Alert -> Click on "Last event" find the offending alert(s) -> Action -> Suppress Alert
    Make sure all offending alerts for the detected application now have the "Suppressed" message behind them and you should be good to go!
    (In case of CryptoGuard alerts also make sure to Unblock the application before trying again, on the main windows click Blocked Items and unblock).
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,587
    Location:
    North Carolina, USA
    Hello @RonnyT ,
    Yes, the ROP is triggered every time.
    Yes, it does. It happens whether using Biniware Run or not. It happens any way that I try to open the sheet.
    I can not open Calc as this triggers the ROP every time. No chance to try to open the sheet.
    I can not open LibreOffice as this triggers the ROP every time. No chance to open the sheet.
    If I try to open the sheet directly, this triggers the ROP every time.
    In fact, the ROP is triggered with anything that I try to do with LibreOffice.
    The ROP is triggered on every Calc file that I try to open.
    The ROP is triggered with any of the apps in the LibreOffice Suite that I try to open.
    The ROP is triggered with any type file that I try to open in LibreOffice.
    Basically, any thing that I try to do with LibreOffice triggers the ROP.
    The problem with this is I have to create an allow (suppressed) rule for every app in LibreOffice Suite and also for every different file that I try to open. The only easy way to get by this issue is to disable ROP for LibreOffice entirely.
    I hope that this helps...
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    343
    Location:
    Planet Earth
    That was just as a workaround, we'll be looking in to this combo and see why it triggers, probably ESET changed some magic.
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,587
    Location:
    North Carolina, USA
    Hello @RonnyT ,
    I pretty much thought this was the case. It has been a while but I have had this issue before with ESET and HMP.A, and your team did something on your end to fix the issue with ESET.
    Thank you for your help and for looking into this...
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    343
    Location:
    Planet Earth
    Did you tweak any settings on ESET, by default the deep behavior inspection dll is not loaded on my setups (ebehmoni.dll) in LibreOffice processes
     
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,587
    Location:
    North Carolina, USA
    Hello @RonnyT ,

    Sorry for the delayed response. Since your results were different then mine, I decided to do a complete uninstall of ESET and start new with a fresh install to verify all settings would be at default.
    Unfortunately, I still have the same ROP alerts being triggered in LibreOffice and am at a loss as to why we are seeing two different scenarios/situations...

    Note: In the ESET GUI, if you go to "Help and Support > About ESET Internet Security > Installed components", I have:
    Deep behavioral inspection support module: 1111 (20210407)
    as the current installed module.
     
  13. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    246
    At the new version (driverbooster v. 8.4.0.432) the false alarm will reappear. Please correct. Thanks! HitmanPro.Alert v. 3.8.10 build 893.

    2021-04-23_064207.jpg

    2021-04-23_064935.jpg
     
  14. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    343
    Location:
    Planet Earth
    I've fixed this, you can also allow this locally (As the sophos engine will flag it again with the next update);

    To be able to allow this please open HitmanPro.Alert -> Click on "Last event" find the offending alert(s) -> Action -> Suppress Alert
    Make sure all offending alerts for the detected application now have the "Suppressed" message behind them and you should be good to go!
    (In case of CryptoGuard alerts also make sure to Unblock the application before trying again, on the main windows click Blocked Items and unblock).
     
  15. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    246
    Thanks! I'm going to do this.
     
  16. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    HitmanPro.Alert 3.8.11 Build 897 Release Candidate

    Changelog (compared to build 893):
    • Fixed a rare crash in BackgroundTaskHost.exe caused by our new CookieGuard mitigation (part of Credential Theft Protection)
    • Added support for more Chromium based web browsers to CookieGuard, including Brave, Opera, Vivaldi, Comodo Dragon, Edge Canary, Beta and Dev channel.
    • Improved compatibility with games that perform tricks that trigger our main thread hijacking protection (part of Hollow Process Mitigation).
    Download:
    https://dl.surfright.nl/hmpalert3b897.exe

    Please let us know how this version runs on your machine. Thanks :thumb:
     
  17. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    980
    Besides a Microsoft SmartScreen-alert no further problems upgrading build 897.

    Win10 21H1 build 19043.985
     
    Last edited: May 20, 2021
  18. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    343
    Location:
    Planet Earth
    a note on 897, should your browser throw a CookieGuard alert at startup it's probably on the wrong protection profile.
    • Check Exploit Mitigations to see if it's under something else then Browsers, and if so click and 'Remove mitigations'
    • Disable Credential Theft Protection
    • Start browser
    • Click Exploit Mitigations -> Running applications -> click browser and add to Template "Browsers"
    • Enable Credential Theft Protection
    • Done
     
  19. abbs

    abbs Registered Member

    Joined:
    Sep 14, 2018
    Posts:
    33
    Location:
    Nederlands


    Manually uninstalled and waited for a few days and no problems.

    Windows 10 Pro Versie 21H1 Build 190453.985
     
  20. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    197
    Location:
    Canada
    Yesterday, I manually upgraded from 3.8.10 Build 893 Release Candidate to 3.8.11 Build 897 Release Candidate. No issues to report and no CookieGuard alerts.
     
  21. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    HitmanPro.Alert 3.8.12 Build 899 Release Candidate

    Changelog (compared to build 897)
    • Fixed another crash that could occur in BackgroundTaskHost caused by CookieGuard
    • Improved compatibility of Hollow Process mitigation with Rockstar games
    Download
    https://dl.surfright.nl/hmpalert3b899.exe

    Let us know if how this version runs on your machine. Thanks :thumb:

    Update: As mentioned by colleague @RonnyT, we're now auto-updating users on build 897 to build 899.
     
    Last edited: May 22, 2021
  22. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    246
    Manual install, no problem.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,373
    Location:
    Under a bushel ...
    All good here, Mark (still on Win 19042.985).
     
  24. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    980
    Yet another Microsoft SmartScreen-alert. No further problems upgrading.
     
    Last edited: May 22, 2021
  25. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    343
    Location:
    Planet Earth
    For those still on 897 I have just turned on the automatic update to 899 so if you could sit this one out and wait for the update, we have changed the fly-out -> notification to update so any feedback on that would be nice.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.