Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.
Getting ROP alerts with MS Word 2010:
Latest RC is running great in a Win 10 TR X64 VM
Nice to see that's already compatible.
I wonder whether or not Mark and Erik are still trying to make HMPA compatible with EMET and MBAE.
Personally I hope not. The reason, is they will forever be chasing the target of the other software changing. It just adds an expense, that really won't bring them any pay back. And I just don't see the need to run all of them. If the only reason for doing this is so someone can combine the free versions, that makes it even less economic sense.
With a specific file or just opening Word 2010?
The OSPPC.DLL is related to the licensing mechanism op Word.
To my knowledge Alert + MBAE and Alert + EMET are compatible. We frequently test these combinations. Could be that adding a third factor could cause conflicts, like Sandboxie?
Now it's gone again, it wasn't limited to a specific file, but everytime when it happened, Word was in 'recovery mode'.(When it shows different auto-saved versions of the same file, after crashing, though that may also be because it was terminated by Alert. When the ROP alert happened the first time, I wasn't there so I can't be sure.)
Just read about the latest variant of CryptoWall here:
Do these new "features" have any effect on HMPA's ability to detect and block it?
From what I read, I'd say your protected. The vaccination alone would protect you as it makes the process think it's running in a VM. Also when you get strange emails, that have zip attachments do you download the zips and run what's in them. Most the ones I've seen take someone pretty .... ah dumb... to open them.
I'm glad you asked. These defenses are indeed pretty effective against most security solutions. On the other hand, they make CryptoWall 2.0, 'the ransomware on steroids', weaker and easier to spot for HMPA
Indeed, even if the crypto-ransomware is not fooled by Alert's virtual machine simulation, CryptoWall 2.0 e.g. tries to unmap the process code which will trigger Alert's Hollow Process protection:
From http://blogs.cisco.com/security/talos/cryptowall-2: "If no VM is detected, another “dropper“ process is spawned in a suspended state. The “ZwUnmapViewOfSection” API is used to unmap the original PE buffer."
Also, when malware doesn't have those tricks, the CryptoGuard technology in HitmanPro.Alert will immediately block any process that tries to take your data hostage and rollback its changes. CryptoGuard in HitmanPro.Alert 3 is full aware of CryptoWall 2.0.
I was just about to post this, this is another example how this "process hollowing" technique is being used by malware. But I don't completely understand it, what is the advantage of this technique, is it to fool HIPS who monitor only dll/code injection?
I'm sorry, but it's still unclear to me, to me it seems to be related to exploit blocking, yet it's a free feature. So what type of behavior is it looking for, and what does it block exactly?
I've been carefully watching this whole thread for months, but this is my first post.
I've got HMPA 2.6.5 on all my machines pending the final release of HMPA 3. I decided to wait, although I didn't expect it to take so long for the final release!
What is the performance impact on any machine with HMPA 3 compared to HMPA 2 ?
If I just opted for the "free" alert program, would I still be covered for example against Cryptowall 2.0 ??
Alert 3 turned out to contain way more features that initially anticipated. We are a really small company and the Alert project took all our resources while still churning out new builds of HitmanPro as well.
This hugely depends on what other security applications you using. But Alert works faster than EMET. Also keep in mind that Alert is not yet final so performance numbers may improved for the final.
HMPA 2.6.5 prevents DCS World from starting
Faulting application name: Launcher.exe_DCS, version: 188.8.131.52734, time stamp: 0x548c8748
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
Exception code: 0xc0000005
Fault offset: 0x00000000000508c5
Faulting process id: 0x1c2c
Faulting application start time: 0x01d02d31c3248a1a
Faulting application path: C:\Program Files\Eagle Dynamics\DCS World\bin\Launcher.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 01f83f9c-9925-11e4-b8e7-74d02bc838fd
On Eagle Dynamics forums some user suggest to rename hmplaert.dll to resolve the problem but I'm not sure about that "dirty" workaround
I have exactly the same problem. Currently I've uninstalled HMPA to resolve this issue but I don't like compromise like this.
So, what is purpose of hmpalert.dll? If I rename this library will cripple HMPA?
With HitmanPro.Alert 3.0.22 Build 131 RC installed on Windows 8.1 Pro x64, I notice the following :
In IE11 running with Enhanched Protection Mode enabled, 64bit processes for Enhanched Protection Mode enabled and running as InPrivate - then scroll wheel on mouse are not working.
I see at least one more user has reported the same ealier in this thread.
Also trying to use the up and down arrows in IE11 instead of scroll wheel on mouse, I see that these do also not work with .Alert installed. Clicking them does nothing.
Uninstalling .Alert and both scroll wheel on mouse and up and down buttons in IE11 will function normal again.
With .Alert installed and plugging in an PS2 connected keyboard while PC is turned off, results in keyboard not found and hence not working afterwards.
Tried unplugging and replugging while pc was on - no change.
Did several reboots while trying to pinpoint what went wrong - no change.
Uninstalled .Alert and keyboard, which was plugged in at the time, immediately was found and works upon reboot.
With .Alert installed, I recieve daily errors in Windows Event Viewer about CAPI2 errors.
I will send content of those in a PM.
Uninstalling .Alert and these entries in Windows Event Viewer no longer appears.
CryptoGuard (which protects against CryptoWall and the like) is available in the free v3.
@erikloman Thanks for your replies to my questions....I'm currently using HMPA 184.108.40.206 + CryptoPrevent 7.4.11 + NOD32 8.0.304 so not sure if HMPA 3 will have any impact on general performance?
Also, where is the link to download the very latest build of HMPA3 & is there an expiry date on this build?
First, thank you for your elaborate post!
This has been addressed in a new build (will be out somewhere this week).
We are unable to reproduce this issue. The BadUSB feature only filters USB keyboards, not PS/2. Though maybe issue is related to keystroke encryption. Not sure.
A few questions:
Do you perhaps use a PS/2-USB dongle to connect the PS/2 keyboard?
Can you try disabling keystroke encryption on the orange tile (switch to Advanced Interface via the gear icon next to minimize window button).
We have this in investigation. We are trying to reproduce.
Are there other viewers of this thread that experience the same issue?
Note that I can see here Erik
For anyone who have CAPI2 error, enabling logging for CAPI2 via Event Viewer might help Erik to analyse the issue.
I think I haven't seen the error, but will check it after I got home.
Yes, a few CAPI2 Errors which appear to be HMPA related (info of one sent by PM for reference)
Strangely the CAPI2 errors of Martin_C are different from the CAPI2 errors reported by Fad.
I have attached a few more event error reports that have appeared this morning to the original message.
They appear to differ from each other but all seem to be HMPA related, with one being HMP related (I am not sure though, not being able to decipher the errors)
Okay it seems I don't have that CAPI2 error.
For those who don't know how to enable logging,
open Event Viewer>extract "Application and Service Log">Microsoft\Windows\CAPI2>select "Operational", right click and choose "enable logging".
After new error is reported, go to that place again and "Open saved logs" to see logs.
Not sure if it really helps though.