HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,517
    Location:
    Outer space
    Getting ROP alerts with MS Word 2010:

     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Latest RC is running great in a Win 10 TR X64 VM
     
  3. guest

    guest Guest

    Nice to see that's already compatible.

    I wonder whether or not Mark and Erik are still trying to make HMPA compatible with EMET and MBAE.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Personally I hope not. The reason is they will forever be chasing the target of the other software changing. It just adds an expense that really won't bring them any payback. And I just don't see the need to run all of them. If the only reason for doing this is so someone can combine the free versions, that makes even less economic sense.
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    With a specific file or just opening Word 2010?

    The OSPPC.DLL is related to the licensing mechanism of Word.
     
    Last edited: Jan 9, 2015
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    To my knowledge Alert + MBAE and Alert + EMET are compatible. We frequently test these combinations. Could be that adding a third factor could cause conflicts, like Sandboxie?
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,517
    Location:
    Outer space
    Now it's gone again. It wasn't limited to a specific file, but every time it happened, Word was in 'recovery mode'. (When it shows different auto-saved versions of the same file after crashing, though that may also be because it was terminated by Alert. When the ROP alert happened the first time, I wasn't there, so I can't be sure.)
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,081
    Location:
    USA
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    From what I read, I'd say you're protected. The vaccination alone would protect you as it makes the process think it's running in a VM. Also, when you get strange emails that have zip attachments, do you download the zips and run what's in them? Most of the ones I've seen take someone pretty .... ah, dumb... to open them.
     
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    575
    Location:
    Hengelo
    I'm glad you asked. These defenses are indeed pretty effective against most security solutions. On the other hand, they make CryptoWall 2.0, 'the ransomware on steroids', weaker and easier to spot for HMPA :D

    Indeed, even if the crypto-ransomware is not fooled by Alert's virtual machine simulation, CryptoWall 2.0, for example, tries to unmap the process code, which will trigger Alert's Hollow Process protection:

    From http://blogs.cisco.com/security/talos/cryptowall-2: "If no VM is detected, another “dropper“ process is spawned in a suspended state. The “ZwUnmapViewOfSection” API is used to unmap the original PE buffer."

    Also, when malware doesn't have those tricks, the CryptoGuard technology in HitmanPro.Alert will immediately block any process that tries to take your data hostage and roll back its changes. CryptoGuard in HitmanPro.Alert 3 is fully aware of CryptoWall 2.0.
     
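As an added illustration (not HitmanPro.Alert's code; the trace format and field names are assumptions made for this example), a Python rule that correlates the two signals quoted above from the Cisco write-up, a child spawned in a suspended state and ZwUnmapViewOfSection called on that child's own image base, over a constructed API-call trace:

```python
from dataclasses import dataclass

# Win32 CreateProcess creation flag for a suspended primary thread (documented value).
CREATE_SUSPENDED = 0x00000004


@dataclass
class TrackedProcess:
    pid: int
    parent_pid: int
    image_base: int
    suspended: bool


def detect_hollowing(trace):
    """Walk an ordered API-call trace (list of dicts; a constructed format for this
    example) and return (parent_pid, child_pid) pairs where a parent spawned a
    suspended child and then unmapped that child's own executable image."""
    procs = {}
    hits = []
    for ev in trace:
        if ev["api"] == "CreateProcess":
            procs[ev["child_pid"]] = TrackedProcess(
                pid=ev["child_pid"],
                parent_pid=ev["pid"],
                image_base=ev["image_base"],
                suspended=bool(ev["flags"] & CREATE_SUSPENDED),
            )
        elif ev["api"] in ("ZwUnmapViewOfSection", "NtUnmapViewOfSection"):
            child = procs.get(ev["target_pid"])
            # All three must hold: the child was created suspended, the caller is its
            # parent, and the region being unmapped is the child's image base.
            if (child and child.suspended and ev["pid"] == child.parent_pid
                    and ev["base"] == child.image_base):
                hits.append((child.parent_pid, child.pid))
    return hits


# Constructed sample trace: pid 100 hollows its suspended child 200; pid 300 is a
# normally created child that unmaps an unrelated mapping in itself (benign noise).
SAMPLE_TRACE = [
    {"api": "CreateProcess", "pid": 100, "child_pid": 200,
     "image_base": 0x400000, "flags": CREATE_SUSPENDED},
    {"api": "ZwUnmapViewOfSection", "pid": 100, "target_pid": 200, "base": 0x400000},
    {"api": "CreateProcess", "pid": 100, "child_pid": 300,
     "image_base": 0x400000, "flags": 0},
    {"api": "ZwUnmapViewOfSection", "pid": 300, "target_pid": 300, "base": 0x7FF00000},
]

if __name__ == "__main__":
    for parent, child in detect_hollowing(SAMPLE_TRACE):
        print(f"hollow-process pattern: pid {parent} unmapped image of suspended child {child}")
```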
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,085
    Location:
    The Netherlands
    I was just about to post this; this is another example of how this "process hollowing" technique is being used by malware. But I don't completely understand it. What is the advantage of this technique? Is it to fool HIPS that monitor only dll/code injection?

    I'm sorry, but it's still unclear to me. To me it seems to be related to exploit blocking, yet it's a free feature. So what type of behavior is it looking for, and what does it block exactly?
     
  12. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    I've been carefully watching this whole thread for months, but this is my first post.

    I've got HMPA 2.6.5 on all my machines pending the final release of HMPA 3. I decided to wait, although I didn't expect it to take so long for the final release!

    What is the performance impact on any machine with HMPA 3 compared to HMPA 2?

    If I just opted for the "free" alert program, would I still be covered, for example, against Cryptowall 2.0?
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Alert 3 turned out to contain way more features than initially anticipated. We are a really small company and the Alert project took all our resources while still churning out new builds of HitmanPro as well.

    This hugely depends on what other security applications you are using. But Alert works faster than EMET. Also keep in mind that Alert is not yet final, so performance numbers may improve for the final.

    Yes.
     
  14. Lazarus Long

    Lazarus Long Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    5
    Location:
    Macedonia
    HMPA 2.6.5 prevents DCS World from starting

    Faulting application name: Launcher.exe_DCS, version: 1.2.14.35734, time stamp: 0x548c8748
    Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
    Exception code: 0xc0000005
    Fault offset: 0x00000000000508c5
    Faulting process id: 0x1c2c
    Faulting application start time: 0x01d02d31c3248a1a
    Faulting application path: C:\Program Files\Eagle Dynamics\DCS World\bin\Launcher.exe
    Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report Id: 01f83f9c-9925-11e4-b8e7-74d02bc838fd

    On the Eagle Dynamics forums some users suggest renaming hmpalert.dll to resolve the problem, but I'm not sure about that "dirty" workaround.

    I have exactly the same problem. Currently I've uninstalled HMPA to resolve this issue, but I don't like compromises like this.
    http://forums.eagle.ru/showthread.php?t=129952


    [edit]
    So, what is the purpose of hmpalert.dll? If I rename this library, will it cripple HMPA?
     
  15. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    With HitmanPro.Alert 3.0.22 Build 131 RC installed on Windows 8.1 Pro x64, I notice the following:

    In IE11 running with Enhanced Protected Mode enabled, 64-bit processes for Enhanced Protected Mode enabled, and running as InPrivate, the scroll wheel on the mouse is not working.
    I see at least one more user has reported the same earlier in this thread.

    Also, trying to use the up and down arrows in IE11 instead of the scroll wheel on the mouse, I see that these also do not work with .Alert installed. Clicking them does nothing.

    Uninstalling .Alert, and both the scroll wheel on the mouse and the up and down buttons in IE11 function normally again.

    --

    With .Alert installed, plugging in a PS/2 connected keyboard while the PC is turned off results in the keyboard not being found and hence not working afterwards.
    Tried unplugging and replugging while the PC was on - no change.
    Did several reboots while trying to pinpoint what went wrong - no change.

    Uninstalled .Alert, and the keyboard, which was plugged in at the time, was immediately found and works upon reboot.

    --

    With .Alert installed, I receive daily errors in Windows Event Viewer about CAPI2 errors.
    I will send the content of those in a PM.

    Uninstalling .Alert, and these entries in Windows Event Viewer no longer appear.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,081
    Location:
    USA
    CryptoGuard (which protects against CryptoWall and the like) is available in the free v3.
     
  17. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    @erikloman Thanks for your replies to my questions....I'm currently using HMPA 2.6.5.77 + CryptoPrevent 7.4.11 + NOD32 8.0.304 so not sure if HMPA 3 will have any impact on general performance?

    Also, where is the link to download the very latest build of HMPA3 & is there an expiry date on this build?
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,081
    Location:
    USA
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    First, thank you for your elaborate post!

    This has been addressed in a new build (will be out somewhere this week).

    We are unable to reproduce this issue. The BadUSB feature only filters USB keyboards, not PS/2. Though maybe the issue is related to keystroke encryption. Not sure.

    A few questions:
    1. Do you perhaps use a PS/2-USB dongle to connect the PS/2 keyboard?

    2. Can you try disabling keystroke encryption on the orange tile (switch to the Advanced Interface via the gear icon next to the minimize window button)?
    We have this in investigation. We are trying to reproduce.

    Are there other viewers of this thread that experience the same issue?
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Note that I can see here Erik
     
  21. 142395

    142395 Guest

    For anyone who has the CAPI2 error, enabling logging for CAPI2 via Event Viewer might help Erik analyse the issue.
    I think I haven't seen the error, but will check after I get home.
     
  22. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    441
    Location:
    England
    Yes, a few CAPI2 Errors which appear to be HMPA related (info of one sent by PM for reference)
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Strangely the CAPI2 errors of Martin_C are different from the CAPI2 errors reported by Fad.
     
  24. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    441
    Location:
    England
    I have attached a few more event error reports that appeared this morning to the original message.

    They appear to differ from each other, but all seem to be HMPA related, with one being HMP related (I am not sure though, not being able to decipher the errors).
     
  25. 142395

    142395 Guest

    Okay, it seems I don't have that CAPI2 error.
    For those who don't know how to enable logging:
    open Event Viewer > extract "Application and Service Log" > Microsoft\Windows\CAPI2 > select "Operational", right click and choose "enable logging".
    After a new error is reported, go to that place again and "Open saved logs" to see the logs.
    Not sure if it really helps though.
     