Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.
Latest build working fine here.
Build 153 working fine on my system.
RC 153 works great!
That said, I recently installed CyberLink PowerDVD 13 and RC 153 (as well as earlier RCs over the past couple of weeks) are catching vulnerabilities in the CyberLink PowerDVD 13 application. I switched off the mitigations (ROP, IAT) and then PowerDVD 13 works fine (with these mitigations turned off). Just reporting this now, since I noticed a similar post with another person using another multimedia program. Please advise.
All looked good, but I'm having problems with HMPA RC-153 in combination with Sandboxie. Firefox and Opera have problems starting up inside the sandbox, I'm getting error messages. But this does not always happen. The bad news is that even when "safe browsing" and "exploit mitigations" are turned off, these errors keep coming.
So I will probably have to uninstall HMPA until this problem is solved. I do wonder if in the future it's possible to load "hmpalert.dll" only if anti-exploit and browser protection is enabled. Because now I cannot even use the free HMPA features.
About "keystroke encryption", I've noticed that it's working correctly now, it passed the Zemana, SpyShelter and AKTL test. However, why not give an option to make it system-wide. I know that right now you have to add apps to anti-exploit, but that doesn't make a lot of sense.
What version of Sandboxie are you using?
Did the new beta just license CryptoGuard and Process Protection? Or did that happen earlier?
CG is the only thing I use in 143. Not sure if I really need it but I wanted to try it out.
I installed build 153 last night, and so far I have not experienced any problems except for the problem I reported above with the blue border not going away with Media Player Classic.
It's the same on build 152... I guess this change of heart will stay permanent?
*Build 143 it is. Blocked auto-updates with Windows Firewall. Guess I'll wait and see how this develops.
*Although I'm usually up for the latest and greatest, it's surprising how many old versions of software I'm keeping (4 currently).
I am running Cyberlink PowerDVD 13 with no issues at all. All protection on. Also using 153 and SBIE 4.15.12, no issues.
Geez, it would be a shame if those features were removed from the free version, especially CryptoGuard.
I'm using v4.15.9, but like I said before, I still think it would be better if HMPA only injected code into protected processes. Because I was getting these errors even when protection was disabled, this means that the HMPA dll file is interfering with SBIE's hooks. I also got a crash of Opera 12, it would freeze when watching a Flash video, and SBIE could not even kill the process.
After reboot I noticed that Windows Error Reporting had made a logfile of 500MB, is this normal? Firefox bookmarks had also become corrupted. I'm not sure if this was a result of a conflict between HMPA and SBIE. Perhaps it's better to choose either HMPA or SBIE for exploit protection.
1. Which error message do you get from Sandboxie? Here (with Alert entries in Sandboxie.ini) all is running fine.
2. 4.15.9 is an old beta of Sandboxie which had some bugs (NtCreateProcessEx; WerFault ...). So please also try actual beta 4.15.12.
Yes, I will upgrade but the problem is still caused by HMPA, I have now uninstalled it and the problems are gone. And you can see the errors over here (using Windows 8.1 64 bit): https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-162#post-2459121
No problem at all with build 153
Win 7 x86 SP1
Emsisoft Internet Security
You are running a beta version of Sandboxie that is known to cause issues. Most people here running Sandboxie have no issues with Alert. I suggest you upgrade.
About the injection, start Process Explorer and click a child process of explorer.exe. Then view DLLs. You will see DLLs of Sandboxie, AV (e.g. a2hooks of Emsisoft) and possibly mouse drivers and graphics drivers.
Security cannot come from the brake handle in your car. Other cars on the road need brakes too in order to avoid accidents.
I'm starting to see Firefox not opening at times again. I haven't seen this with newer builds until build 153.
As before, clicking the FF task bar icon sometimes does not start FF yet Task manager shows it is running. Also as before, I see it more when my machines have been idle for an extended time. I don't allow my machines to sleep.
Edit: I have had this with IE 11 once so far as well.
If that happens, can you right click on the Firefox process in Task Manager and generate a dump (Create dump file)?
OK, I'll give it a go.
I'll PM you if I can generate the dump.
I've sent you a PM.
In the meantime, I have retested and HitmanPro.Alert 3 RC 153 is very consistent and persists in flagging vulnerabilities (ROP, IAT) each time I start PowerDVD 13. I am thinking, why not upgrade to PowerDVD 14 and retest to see if the vulnerabilities persist. This is not a complaint about HMPA, on the contrary I am very impressed with the capabilities of HMPA to catch application vulnerabilities. That said, please let me know if you have advice regarding reporting these vulnerabilities to Cyberlink?
This is really strange. I have PowerDVD 13, and HMPA 153, and don't have any problems at all.
Thanks, yes I agree, it is strange especially knowing that you are not getting the same results. It is possible, I suppose, that I may have a slightly later update of PowerDVD 13 (new download installed, 1 February, downloaded directly from CyberLink). Also, I am running this directly (no sandboxie), on Windows 7 x64 SP1 (with all Windows patches/updates installed) on an Intel Core i7 CPU 920 @ 2.67 GHz. I will report later, whether this persists, after I later upgrade to PowerDVD 14. Cheers.
I will upgrade for sure and report back. But the reason why I brought this up is because in these cases you will have to uninstall HMPA, but if it didn't inject code into every process, I would have been able to switch off "anti-exploit", and continue to use the other "risk reduction" features.
Also, other "anti-exploit" and "browser protection" tools like MBAE and G Data BankGuard inject code only into protected apps, so is there really a need for HMPA to do it differently? But after this bad experience I'm thinking about using HMPA without the Sandboxie combo, I have a feeling that because they both hook apps in an advanced or "low level" way, it might cause issues again in the future.
As was explained to me way back, the reason for injecting the dll into so many processes, is to see what is normal on your system, so HMPA can judge if something naughty might be injected into your browsers. I have been using it with Sandboxie and Appguard with no issues, but one huge difference. You are on Win 8.1 and I am on Win 7.