HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,304
    Location:
    Kent. UK by the sea
    Hi erikloman

    Many thanks once again to all the Devs of HitmanPro.[Alert].
    Build 129 RC working without problems here. :thumb:

    Take Care
    TheQuest :cool:
     
    Last edited: Dec 21, 2014
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,285
    Location:
    Among the gum trees
    For the brief time I had the unactivated copy of HMP.A 3 RC Build 129 on my machine I could not open Internet Explorer 11. The free version of MBAE kept blocking an Exploit attempt.

    HMP.A unactivated IS NOT yet compatible with the free version of MBAE, at least on my machine.

    Norton Security with Backup v22.1 + MBAE free + HMP.A RC Build 129. Windows 7 x64 SP1.

    Restoring a backup image pre HMP.A RC Build 129.
     
  3. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,028
    No problems installing build 129 (W7 64 bits).
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,028
    Error adding Spywareblaster 5 to template OTHER (build 129/W7 64 bits).

    Edit: Erik you need the Spywareblaster-dmpfile?
     

    Attached Files:

  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I can reproduce the issue.

    Though as a rule of thumb: do not add security software to Alert

    UPDATE:
    SpywareBlaster has an issue with the DEP mitigation. Uncheck DEP and it should start. Security software that cannot run with DEP enabled ... :isay:

    UPDATE 2: SpywareBlaster also does not have ASLR enabled on the binary o_O
     
    Last edited: Dec 19, 2014
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
    I switched back into snapshot this morning, and the problem with the missing HMP scan was no longer evident. Also, I can update AVZ, too. However, I do run EIS in this snapshot, and I read
    that there have been problems.

    ScreenShot_Hmp.A_3.0.20 build 120_install_38.gif
     
  7. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Why do 125 users get the update later? Can we still download an install 129 over 125? Thanks :)

    Pete is running an internet security suite.. whooooo ! ;)

    Btw I am using ESET for ~2 weeks now and I like it a lot so far. There is room for improvement but it feels like it is the best security suite I have used so far.
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes you can install 129 over 125. As a matter of fact I recommend updating to 129.
     
  9. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,028
    Confirmed.
     
  10. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I tried to install a pdf-x viewer update today with the liveupdateool.exe. HMPA blocked it but didn't alert me until I killed the update process via task manager (was waiting for the setup to finish at 99% for like 10 minutes :p).
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What was the mitigation that triggered the alert? (look in the Windows Event Log).
    Can you point me to the update tool?
     
  12. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    The update tool is build in with pdf-x change viewer (free to download): http://www.tracker-software.com/product/pdf-xchange-viewer

    Is that the Info you need?
     
  13. faircot

    faircot Registered Member

    Joined:
    May 17, 2012
    Posts:
    224
    Location:
    UK
    V 129 seems to have resolved the slow start up and browsing speed in Opera 26 and HPMA works fine..

    However, addresses typed into address bar in IE11 are scrambled (search terms typed into Google are fine).

    Using EIS, Appguard and HMPA.
     
  14. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
  15. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    It happend on 125, I am now running 129 and the following happend:

    Setup stopped at 99% again, HMPA had no warning and no event log. Still I had to end the setup.exe via task manager :/
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    If you remove the Lockdown mitigation from the application and retry the update ...
     
  17. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    Today during a scan, Emsisoft AM is detecting hmpnet.sys as Adware.BrowseFox.AO (B), two instances.
     
  18. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
    Further to my earlier post, I have completed an over the top install of the latest RC. A selection of screenshots, as you can see.

    ScreenShot_Hmp.A_3.0.22 build 129_install_05.gif ScreenShot_Hmp.A_3.0.22 build 129_install_09.gif ScreenShot_Hmp.A_3.0.22 build 129_install_10.gif ScreenShot_Hmp.A_3.0.22 build 129_install_13.gif ScreenShot_Hmp.A_3.0.22 build 129_install_14.gif
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you report these as false positives?
     
  20. Baedric

    Baedric Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    163
    It is done.
     
  21. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    Sorry for the delay in getting back.
    I have Windows 7 SP1 x64 AMD operating system.
    I have HMP running with HMP.Alert - Emsisoft IS - AppGuard - Sandboxie (but not for IE11 or Chrome) and Shadow Defender (only used for testing)
    This is much the same setup as Peter2150 has but I have never seen any start up issues. The IE11 problem only stared with Build 125, I had no problems with bld 124 at all. All problems disappear if I uninstall EIS.
    Anything else you want me to try or any logs I can provide to help solve this?
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    When a mitigation is triggered it can be sent to the backend. This way users can be protected _before_ a mitigation is triggered. Source code is not sent to the backend.
     
  23. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Cant test it as the update finished eventhough I killed the setup process.. so no new update avilable to test :S
     
  24. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    HitmanPro.Alert 3 version 3.0.22.129 Release Candidate

    HitmanPro.Alert version 3 introduces Exploit Mitigations, of which its hardware-assisted Control-Flow Integrity (CFI) technology is perhaps its most striking feature. CFI is a technique to prevent flow of control not intended by the original application, without requiring the source code or debug symbols of the protected application. With CFI, HitmanPro.Alert 3 effectively stops attackers that hijack control-flow to combine short pieces of benign code, already present in a system, for a malicious purpose; a so-called return-oriented programming (ROP) attack. This capability is achieved by programming and leveraging a hardware feature in modern Intel® Core™ processors to track code execution and assist in the detection of attacks in real-time – an industry-first method not found in any other security product.

    Besides a performance advantage, employing hardware traced records has a security benefit over software stack-based approaches. Stack-based solutions, like Microsoft EMET, rely on stack data, which is (especially in case of a ROP attack) in control of the attacker.

    Cybercriminals and hackers are becoming increasingly more proficient in finding and attacking previously unknown vulnerabilities to bypass antivirus software as well as memory protections (DEP+ASLR) to silently infiltrate computers. Well known cases that led to the discovery of zero-day attacks, like Operation SnowMan[1], GreedyWonk[2] and Clandestine Fox[3] (all uncovered by security firm FireEye), show that attackers are adept in creating malware (shellcode) by borrowing instructions from legitimate applications running on the victim computer – a ROP attack. Antivirus software is not designed to block this as there are no malicious processes or files involved. HitmanPro.Alert version 3 is built to stop existing and future attacks whether they are conducted by exploit kits or (foreign) nation-state hackers, without requiring prior knowledge of attacks or abused vulnerabilities.

    Besides Exploit Mitigations, HitmanPro.Alert 3 also offers Application Lockdown, which prevents abuse of logic-flaw vulnerabilities and stops macros in Office documents from hoisting in malware. It also protects business environments that are bound to run outdated software, including Java-based company applications.
    HitmanPro.Alert 3 also offers Man-in-the-Browser Intruder Detection (Safe Browsing), Cryptolocker Protection (CryptoGuard), System Vaccination, Webcam Notifier, Keystroke Encryption, BadUSB Protection and our acclaimed HitmanPro on-demand forensics-based Anti-Malware. Together they aim to disrupt the Cyber Attack Life-Cycle:

    Cyber-Attack-Life-Cycle.png

    DOWNLOAD
    The file hmpalert.exe inside the ZIP archive installs the software and requires just 5 MB of free disk space. It runs on 32-bit and 64-bit versions of Windows XP SP3, Windows Vista, Windows 7, Windows 8 and Windows 8.1.

    The ZIP archive also contains version 1.4 of our Exploit Test Tool which contains 27 tests to check a pc’s security posture or verify the correct working of HitmanPro.Alert. The exploit techniques performed by the Exploit Test Tool are not malicious and safe to use.


    HITMANPRO.ALERT 3 FEATURE OVERVIEW
    • Install-and-Forget Signature-less protection suitable for Home Users, Power Users and IT Professionals
    • Exploit Mitigations (Anti-Exploit) Aims to stop attackers from exploiting software vulnerabilities
    • Fine-grained Exploit Mitigation Settings Allows experienced computer users to change individual mitigations, per application
    • On-demand Malware Detection and Remediation Integrated Anti-Malware scanner
    • BadUSB Protection Blocks malicious USB devices that pose as a keyboard
    • Safe Browsing (Man-in-the-Browser Detection) Warns when malware manipulates the browser; behavior-based
    • Active Vaccination Makes sandbox-aware malware self-terminate
    • CryptoGuard Protects your data against CryptoLocker, CryptoWall, TorrentLocker, OphionLocker, CoinVault and variants; behavior-based
    • Webcam Notifier Blocks the webcam when it is (secretly) accessed
    • Keystroke Encryption Protects credentials against keyloggers in the browser
    • Hollow Process Protection Protects the main executable of a process against unmapping
    • Network Lockdown Helps to stop attacks that connect back to command-and-control
    • Full 64-bit Support Offers 64-bit applications same protection as 32-bit applications
    • Software Radar Automatically protects new browsers, plug-ins, media and office applications
    • Easy-to-Use High DPI User Interface Suitable for Home Users, Power Users and IT Pros
    • Advanced Exploit Reporting Logs advanced technical data for forensic threat analysis
    • Multilingual User Interface English, Chinese (Simplified), Chinese (Traditional), Dutch, French, German, Italian, Brazilian Portuguese, Russian, Spanish
    • Antivirus Compatible Runs alongside third-party antivirus or internet security software
    ANTI-EXPLOIT // CODE MITIGATIONS
    • SEHOP Stops abuse of the structured exception handler
    • Stack Pivot Stops abuse of the stack pointer
    • Stack Exec Stops attacker's code on the stack
    • Software Stack-based Anti-ROP Stops return-oriented programming (ROP) attacks (part of Control-Flow Integrity)
    • Hardware-assisted Branch-based Anti-ROP Programs microprocessor to stop ROP attacks (part of Control-Flow Integrity)
    • Import Address Table Filtering (IAF) Prevents attackers from snooping function addresses (part of Control-Flow Integrity)
    • Caller Check Stops processes called from attacker-controlled memory (part of Control-Flow Integrity)
    • Load Library Stops modules that load from insecure network paths
    • Application Lockdown Prevents abuse of logic flaws and stops attacks that bypass mitigations (incl. Office macros)
    ANTI-EXPLOIT // MEMORY MITIGATIONS
    • Enforce DEP Prevents abuse of buffer overflows
    • Mandatory ASLR Prevents predictable code locations
    • Pseudo ASLR for Windows XP and Windows Server 2003 Prevents predictable code locations of modules on legacy Windows (part of Mandatory ASLR)
    • Bottom Up ASLR Improves code location randomization (ASLR)
    • Null Page Stops exploits that jump via page 0
    • Heap Spray Pre-Allocation Stops attacks that start via common memory addresses on the heap (part of Dynamic Heap Spray)
    • Dynamic Heap Spray Stops exploits that start via the heap; behavior-based

    SCREENSHOTS


    Install.png UI Advanced.png Exploit Mitigations.png CryptoGuard.png

    [1] http://www.fireeye.com/blog/technic...ises-us-veterans-of-foreign-wars-website.html
    [2] http://www.fireeye.com/blog/technic...omised-serving-up-flash-zero-day-exploit.html
    [3] http://www.fireeye.com/blog/uncateg...hrough-11-identified-in-targeted-attacks.html
     
    Last edited: Dec 23, 2014
  25. JM42

    JM42 Registered Member

    Joined:
    Dec 19, 2014
    Posts:
    1
    HitmanProAlert keeps on blocking Dropbox.exe and therefore stopping dropbox syncing. Please can you fix this, otherwise it will be uninstalled so dropbox works OK!
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.