HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
No, I do not have Radar Pro.
     
  2. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I installed 155 again and keyboard is working good again.
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you try the following:

    1. Uninstall Alert, reboot
    2. Install Alert 155 (do not reboot)
    3. Upgrade to 179, reboot
    4. Is keyboard working?
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Updated to build 179, no problems (W7 64 bits).
     
  5. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
Win 8.1 x64
    HMP.Alert build 179

    Word 2013 is crashing at startup (with default mitigations) as long as E-Porto AddIn is active.
    This never happened with previous versions of Alert.

    http://abload.de/img/wcrashp6uqd.jpg

    Code:
    Version=1
    EventType=APPCRASH
    EventTime=130728659616032657
    ReportType=2
    Consent=1
    ReportIdentifier=33f77bf0-dcf9-11e4-81a4-3c970e228989
    IntegratorReportIdentifier=33f77bef-dcf9-11e4-81a4-3c970e228989
    WOW64=1
    NsAppName=WINWORD.EXE
    Response.type=4
    Sig[0].Name=Anwendungsname
    Sig[0].Value=WINWORD.EXE
    Sig[1].Name=Anwendungsversion
    Sig[1].Value=15.0.4701.1000
    Sig[2].Name=Anwendungszeitstempel
    Sig[2].Value=54d9bb8f
    Sig[3].Name=Fehlermodulname
    Sig[3].Value=StackHash_f3a9
    Sig[4].Name=Fehlermodulversion
    Sig[4].Value=6.3.9600.17668
    Sig[5].Name=Fehlermodulzeitstempel
    Sig[5].Value=54c846bb
    Sig[6].Name=Ausnahmecode
    Sig[6].Value=c0000374
    Sig[7].Name=Ausnahmeoffset
    Sig[7].Value=PCH_E6_FROM_ntdll+0x0003CBEC
    DynamicSig[1].Name=Betriebsystemversion
    DynamicSig[1].Value=6.3.9600.2.0.0.256.103
    DynamicSig[2].Name=Gebietsschema-ID
    DynamicSig[2].Value=1031
    DynamicSig[22].Name=Zusatzinformation 1
    DynamicSig[22].Value=f3a9
    DynamicSig[23].Name=Zusatzinformation 2
    DynamicSig[23].Value=f3a9b20aaf6f64b2f3171edae4eff37a
    DynamicSig[24].Name=Zusatzinformation 3
    DynamicSig[24].Value=6ec0
    DynamicSig[25].Name=Zusatzinformation 4
    DynamicSig[25].Value=6ec00e5422661c47b457851ac2fca747
    UI[2]=C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
    UI[3]=Microsoft Word funktioniert nicht mehr
    UI[4]=Windows kann online nach einer Lösung für das Problem suchen und versuchen, die Informationen wiederherzustellen.
    UI[5]=Online nach einer Lösung suchen und das Programm schließen
    UI[6]=Später online nach einer Lösung suchen und das Programm schließen
    UI[7]=Programm schließen
    LoadedModule[0]=C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
    LoadedModule[1]=C:\WINDOWS\SYSTEM32\ntdll.dll
    LoadedModule[2]=C:\WINDOWS\SYSTEM32\KERNEL32.dll
    LoadedModule[3]=C:\Windows\SYSTEM32\hmpalert.dll
    LoadedModule[4]=C:\WINDOWS\SYSTEM32\KERNELBASE.dll
    LoadedModule[5]=C:\WINDOWS\system32\apphelp.dll
    LoadedModule[6]=C:\Program Files\Microsoft Office 15\root\office15\AppVIsvSubsystems32.dll
    LoadedModule[7]=C:\Program Files\Microsoft Office 15\root\office15\MSVCR100.dll
    LoadedModule[8]=C:\Program Files\Microsoft Office 15\root\office15\AppVIsvStream32.dll
    LoadedModule[9]=C:\WINDOWS\SYSTEM32\ADVAPI32.dll
    LoadedModule[10]=C:\WINDOWS\SYSTEM32\RPCRT4.dll
    LoadedModule[11]=C:\WINDOWS\SYSTEM32\USERENV.dll
    LoadedModule[12]=C:\WINDOWS\SYSTEM32\SHELL32.dll
    LoadedModule[13]=C:\WINDOWS\SYSTEM32\USER32.dll
    LoadedModule[14]=C:\WINDOWS\SYSTEM32\ole32.dll
    LoadedModule[15]=C:\Program Files\Microsoft Office 15\root\office15\c2r32.dll
    LoadedModule[16]=C:\WINDOWS\SYSTEM32\msvcrt.dll
    LoadedModule[17]=C:\WINDOWS\SYSTEM32\sechost.dll
    LoadedModule[18]=C:\WINDOWS\SYSTEM32\SspiCli.dll
    LoadedModule[19]=C:\WINDOWS\SYSTEM32\profapi.dll
    LoadedModule[20]=C:\WINDOWS\SYSTEM32\combase.dll
    LoadedModule[21]=C:\WINDOWS\SYSTEM32\SHLWAPI.dll
    LoadedModule[22]=C:\WINDOWS\SYSTEM32\GDI32.dll
    LoadedModule[23]=C:\WINDOWS\SYSTEM32\CRYPTBASE.dll
    LoadedModule[24]=C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll
    LoadedModule[25]=C:\WINDOWS\system32\IMM32.DLL
    LoadedModule[26]=C:\WINDOWS\SYSTEM32\MSCTF.dll
    LoadedModule[27]=C:\WINDOWS\SYSTEM32\SHCORE.dll
    LoadedModule[28]=C:\WINDOWS\SYSTEM32\oleaut32.dll
    LoadedModule[29]=C:\Program Files\Microsoft Office 15\root\office15\wwlib.dll
    LoadedModule[30]=C:\WINDOWS\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17415_none_dad8722c5bcc2d8f\gdiplus.dll
    LoadedModule[31]=C:\Program Files\Microsoft Office 15\root\office15\oart.dll
    LoadedModule[32]=C:\Program Files\Microsoft Office 15\root\office15\MSVCP100.dll
    LoadedModule[33]=C:\WINDOWS\SYSTEM32\d2d1.dll
    LoadedModule[34]=C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll
    LoadedModule[35]=C:\WINDOWS\SYSTEM32\MSIMG32.dll
    LoadedModule[36]=C:\WINDOWS\SYSTEM32\msi.dll
    LoadedModule[37]=C:\WINDOWS\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_a9ed7f470139b3c1\Comctl32.dll
    LoadedModule[38]=C:\WINDOWS\SYSTEM32\VERSION.dll
    LoadedModule[39]=C:\WINDOWS\system32\uxtheme.dll
    LoadedModule[40]=C:\WINDOWS\SYSTEM32\mscms.dll
    LoadedModule[41]=C:\WINDOWS\SYSTEM32\icm32.dll
    LoadedModule[42]=C:\WINDOWS\system32\dwmapi.dll
    LoadedModule[43]=C:\WINDOWS\SYSTEM32\kernel.appcore.dll
    LoadedModule[44]=C:\Program Files (x86)\MediaMonkey\MMHelper.dll
    LoadedModule[45]=C:\WINDOWS\SYSTEM32\WTSAPI32.dll
    LoadedModule[46]=C:\WINDOWS\SYSTEM32\WINSTA.dll
    LoadedModule[47]=C:\WINDOWS\SYSTEM32\dxgi.dll
    LoadedModule[48]=C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\MSPTLS.DLL
    LoadedModule[49]=C:\WINDOWS\SYSTEM32\d3d10_1.dll
    LoadedModule[50]=C:\WINDOWS\SYSTEM32\d3d10_1core.dll
    LoadedModule[51]=C:\WINDOWS\SYSTEM32\d3d11.dll
    LoadedModule[52]=C:\WINDOWS\SYSTEM32\D3D10Warp.dll
    LoadedModule[53]=C:\WINDOWS\SYSTEM32\igd10iumd32.dll
    LoadedModule[54]=C:\WINDOWS\SYSTEM32\bcrypt.dll
    LoadedModule[55]=C:\WINDOWS\SYSTEM32\ncrypt.dll
    LoadedModule[56]=C:\WINDOWS\SYSTEM32\NTASN1.dll
    LoadedModule[57]=C:\WINDOWS\SYSTEM32\igdusc32.dll
    LoadedModule[58]=C:\WINDOWS\SYSTEM32\WindowsCodecs.dll
    LoadedModule[59]=C:\WINDOWS\SYSTEM32\DWrite.dll
    LoadedModule[60]=C:\WINDOWS\SYSTEM32\mscoree.dll
    LoadedModule[61]=C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
    LoadedModule[62]=C:\WINDOWS\SYSTEM32\Secur32.dll
    LoadedModule[63]=C:\WINDOWS\SYSTEM32\clbcatq.dll
    LoadedModule[64]=C:\WINDOWS\System32\netprofm.dll
    LoadedModule[65]=C:\WINDOWS\SYSTEM32\WS2_32.dll
    LoadedModule[66]=C:\WINDOWS\SYSTEM32\NSI.dll
    LoadedModule[67]=C:\WINDOWS\SYSTEM32\CRYPTSP.dll
    LoadedModule[68]=C:\WINDOWS\system32\rsaenh.dll
    LoadedModule[69]=C:\WINDOWS\System32\npmproxy.dll
    LoadedModule[70]=C:\WINDOWS\SYSTEM32\DNSAPI.dll
    LoadedModule[71]=C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
    LoadedModule[72]=C:\WINDOWS\SYSTEM32\WINNSI.DLL
    LoadedModule[73]=C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\riched20.dll
    LoadedModule[74]=C:\WINDOWS\SYSTEM32\webservices.dll
    LoadedModule[75]=C:\WINDOWS\SYSTEM32\sppc.dll
    LoadedModule[76]=C:\WINDOWS\SYSTEM32\WINSPOOL.DRV
    LoadedModule[77]=C:\WINDOWS\SYSTEM32\SETUPAPI.dll
    LoadedModule[78]=C:\WINDOWS\SYSTEM32\CFGMGR32.dll
    LoadedModule[79]=C:\WINDOWS\system32\propsys.dll
    LoadedModule[80]=C:\Windows\SYSTEM32\msxml6.dll
    LoadedModule[81]=C:\WINDOWS\SYSTEM32\POWRPROF.dll
    LoadedModule[82]=C:\WINDOWS\SYSTEM32\sxs.dll
    LoadedModule[83]=C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
    LoadedModule[84]=C:\WINDOWS\SYSTEM32\MSVCR120_CLR0400.dll
    LoadedModule[85]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\d03a3ddcd6a395878751c5e90fa16915\mscorlib.ni.dll
    LoadedModule[86]=C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
    LoadedModule[87]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\1a6b5095c4416a37f9ca4cf4436d1311\System.ni.dll
    LoadedModule[88]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\d91798a9a9fcb450351fe8e49026a69f\System.Drawing.ni.dll
    LoadedModule[89]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\a4d2243df4af8ab65ff74d436d449789\System.Windows.Forms.ni.dll
    LoadedModule[90]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\WindowsBase\bb26d987467eca70ebc4beec29158d67\WindowsBase.ni.dll
    LoadedModule[91]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\PresentationCore\24f6c80242420a1cea5cc254bf420027\PresentationCore.ni.dll
    LoadedModule[92]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\4136b9a7a05c8f0e2c7e15600bc20b1b\PresentationFramework.ni.dll
    LoadedModule[93]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Core\794a3d83e77a53d6fc029c389f9cc408\System.Core.ni.dll
    LoadedModule[94]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Data\ec0506570d793fcae40cc19bd8a43e5b\System.Data.ni.dll
    LoadedModule[95]=C:\WINDOWS\Microsoft.Net\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
    LoadedModule[96]=C:\WINDOWS\SYSTEM32\CRYPT32.dll
    LoadedModule[97]=C:\WINDOWS\SYSTEM32\MSASN1.dll
    LoadedModule[98]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Transactions\e0385d2ccd8766063e53bf96510a9350\System.Transactions.ni.dll
    LoadedModule[99]=C:\WINDOWS\Microsoft.Net\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
    LoadedModule[100]=C:\WINDOWS\SYSTEM32\psapi.dll
    LoadedModule[101]=C:\Program Files (x86)\Deutsche Post E-Porto\sqlceme35.dll
    LoadedModule[102]=C:\WINDOWS\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.8428_none_d08a11e2442dc25d\MSVCR80.dll
    LoadedModule[103]=C:\Program Files (x86)\Deutsche Post E-Porto\sqlceer35DE.DLL
    LoadedModule[104]=C:\Program Files (x86)\Deutsche Post E-Porto\sqlcese35.dll
    LoadedModule[105]=C:\Program Files (x86)\Deutsche Post E-Porto\sqlceqp35.dll
    LoadedModule[106]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Configuration\b5b80f1284dfa1b883da48ed58ecbc47\System.Configuration.ni.dll
    LoadedModule[107]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Xml\9a349fb029581f4752d2c6cfcfeab816\System.Xml.ni.dll
    LoadedModule[108]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\c9ab71df4c1c005a0c93a84bc49a75c8\System.EnterpriseServices.ni.dll
    LoadedModule[109]=C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\c9ab71df4c1c005a0c93a84bc49a75c8\System.EnterpriseServices.Wrapper.dll
    LoadedModule[110]=C:\WINDOWS\Microsoft.Net\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
    FriendlyEventName=Nicht mehr funktionsfähig
    ConsentKey=APPCRASH
    AppName=Microsoft Word
    AppPath=C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
    NsPartner=windows
    NsGroup=windows8
    ApplicationIdentity=0042CD85F7BEC87B14666BCE8F0347BE
    
    
     
  6. 142395

    142395 Guest

I don't take archiver programs as random applications. Sure, exploits against archivers are much less common than against browsers, plugins, PDF readers, and office programs, but still there have been many vulns in archivers and some of them are exploited. Adding archivers to anti-exploit is reasonable. Just note, as I asked in the MBAE thread, some known vulns in archivers were logic-flaw vulns, thus your anti-exploit may not be able to protect you even with behavior-based protection (see the past MBAE thread).
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I wonder if there is a recommended way to add explorer.exe... Last thing I need is another .LNK exploit.
     
  8. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Actually, you do not need to add Explorer.exe. HitmanPro.Alert comes with built-in protection against Windows Shell LNK exploits like CVE-2010-2568 and the recent CVE-2015-0096; Explorer.exe is out-of-the-box protected (yes, it's a bit of a secret as Explorer.exe is deliberately not mentioned in the UI of HMPA as we do not want users to make any mitigation changes to this particular application).
     
  9. LagerX

    LagerX Registered Member

    Joined:
    Apr 16, 2008
    Posts:
    565
Still getting this with BS Player. Should I remove the mitigation, or can you fix it with a new build in the future?
     
  10. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
That's very easy to do! Thank you Erik :thumb:

     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Which file types are protected by CryptoGuard?

    I thought CryptoGuard protected all kinds of files,
    but coincidentally I stumbled upon the CryptoGuard thread at BleepingComputer.com and the post in which Erik states "Do not test Alert with .txt files as these are not protected by CryptoGuard."

    And now I wonder,
    - Why are .txt files not protected by CryptoGuard?
    - Which file types are protected by CryptoGuard?

    I hope it's OK that I ask over here at Wilders, as I don't have a BleepingComputer account and I wasn't planning on opening one.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Thanks for the explanation as always. What about the Corel WinDVD Pro 11 Blu-ray decoding anti-vm bug though?
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    CryptoGuard protects files with structure. A .txt has no structure and is therefore not protected. BUT ... if CryptoGuard kicks in, then the process performing the encryption no longer has write-access to volumes or network shares. So if the ransomware then wants to overwrite a .txt file, it is prevented.

    So if you want to test CryptoGuard, please do not use .txt files. Just use content like documents and images (.doc, .rtf, .pdf, .jpg, .eps, .dwg, .cer, etc.). CryptoGuard currently protects over 70 file formats.
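The two points in Erik's answer (only files with structure can be checked, and once CryptoGuard triggers the offending process loses write access, so an unstructured .txt is protected from then on) can be illustrated with a small simulation. This is an added example, not HitmanPro.Alert's own code: the magic numbers are real, but the "structure" rule, the entropy threshold, the strike count and the sample write events are all constructed for the illustration.

```python
"""Constructed simulation of structure-based ransomware detection followed by
revoking a process's write access. Not HitmanPro.Alert's implementation."""

import math
import os
from collections import Counter, defaultdict

# Leading bytes a well-formed file of each type must start with (real values;
# the choice of formats is this example's own, ".txt" deliberately absent).
MAGIC = {
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_tampered(ext: str, new_content: bytes) -> bool:
    """A structured file rewritten with content that no longer carries its
    signature and is high-entropy is treated as being encrypted in place.
    Files without a known structure cannot be judged and return False."""
    magic = MAGIC.get(ext.lower())
    if magic is None:
        return False
    if new_content.startswith(magic):
        return False
    return shannon_entropy(new_content) > 7.0  # constructed threshold


class CryptoGuardSim:
    THRESHOLD = 3  # constructed: tampered writes before the process is blocked

    def __init__(self):
        self.strikes = defaultdict(int)
        self.blocked = set()

    def write(self, pid: int, path: str, content: bytes) -> str:
        """Mediates one write; returns 'allowed', 'flagged' or 'denied'."""
        if pid in self.blocked:
            return "denied"  # applies to every file, .txt included
        ext = os.path.splitext(path)[1]
        if looks_tampered(ext, content):
            self.strikes[pid] += 1
            if self.strikes[pid] >= self.THRESHOLD:
                self.blocked.add(pid)
                return "denied"
            return "flagged"
        return "allowed"


def run_demo() -> list:
    """Constructed event stream: pid 1 behaves like ransomware, pid 2 is benign."""
    sim = CryptoGuardSim()
    enc = bytes(range(256)) * 16  # stand-in for ciphertext: entropy exactly 8.0
    events = [
        (1, "C:/Users/demo/notes.txt", enc),    # no structure to check: allowed
        (1, "C:/Users/demo/a.pdf", enc),        # strike 1: flagged
        (1, "C:/Users/demo/b.jpg", enc),        # strike 2: flagged
        (1, "C:/Users/demo/c.docx", enc),       # strike 3: process blocked, denied
        (1, "C:/Users/demo/notes2.txt", enc),   # denied even though it is .txt
        (2, "C:/Users/demo/d.pdf", b"%PDF-1.7 constructed"),  # benign: allowed
    ]
    return [sim.write(*e) for e in events]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The first write shows why a .txt test file proves nothing on its own: there is no signature to compare against. The fifth write shows the second half of the answer: after the process has been caught on structured files, its later writes are refused regardless of type.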
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Had to disable Load Library on Outlook. Gave me a shellcode detection. Build 179

    Pete
     
  15. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
I installed 178 over 155 and have the same problem I had with 179 with the keyboard not working, so I went back to 155.
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you uninstall 155, reboot, install 179.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Thank you very much, Erik.
    That part - if CryptoGuard kicks in, then the process performing the encryption no longer has write-access to volumes or network shares - is very good to know. Perhaps it was explained earlier on in this thread, or it was in the Alert documentation, and I missed it or I had forgotten about it.
    Thanks very much once again for explaining.
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you send me the details of the alert via PM?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sure let me try and reproduce it.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Arg. Tried opening Outlook twice. No alert. Next time I get one, I'll gather the details immediately
     
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Look in the event log.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It won't be there. I had restored the system back prior to that problem.
     
  23. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3 build 180 General Availability

    Since the four Community Technical Previews of HitmanPro.Alert 3 last year, our customers and the security community showed strong interest. Enhanced with the valuable feedback that we received, we are excited to announce the general availability (GA) of HitmanPro.Alert 3 – build 180.

HitmanPro.Alert version 3 introduces Exploit Mitigations, of which the hardware-assisted Control-Flow Integrity (CFI) technology is perhaps the most striking feature. CFI is a technique to prevent flow of control not intended by the original application, without requiring the source code or debug symbols of the protected application. With CFI, HitmanPro.Alert 3 effectively stops attackers that hijack control-flow to combine short pieces of benign code, already present in a system, for a malicious purpose; a so-called return-oriented programming (ROP) attack. This capability is achieved by programming and leveraging a hardware feature in modern Intel® processors to track code execution and assist in the detection of attacks in real-time – an industry-first method not found in any other security product.

    Besides a performance advantage, employing hardware traced records has a security benefit over software stack-based approaches. Stack-based solutions, like Microsoft EMET, rely on stack data, which is (especially in case of a ROP attack) in control of the attacker, who in turn can affect or control the defender as well.

    Cybercriminals and hackers are becoming increasingly more proficient in finding and attacking previously unknown vulnerabilities to bypass antivirus software as well as memory protections (DEP+ASLR) to silently infiltrate computers. Well known cases that led to the discovery of zero-day attacks, like Operation SnowMan, GreedyWonk and Clandestine Fox (uncovered by security firm FireEye) as well as the recent Adobe Flash Player exploits, show that attackers are adept in creating malware (shellcode) by borrowing instructions from legitimate applications running on the victim computer – a ROP attack. Antivirus software is not designed to block this as a ROP attack does not require malicious files or processes. HitmanPro.Alert version 3 is built to stop existing and future attacks whether they are conducted by exploit kits or (foreign) nation-state hackers, without requiring prior knowledge of attacks or abused vulnerabilities.

    Besides Exploit Mitigations, HitmanPro.Alert 3 also offers Man-in-the-Browser Intruder Detection (Safe Browsing), Cryptolocker Protection (CryptoGuard), System Vaccination, Webcam Notifier, Keystroke Encryption, BadUSB Protection and our Forensics-based Anti-Malware.

    Download
    http://dl.surfright.nl/hmpalert3.exe

    Screenshot
    Alert3.png

    Review
    We asked Malware Research Group (MRG Effitas) to test and write an independent review on HitmanPro.Alert 3. In addition we sponsored their Real World Exploit Prevention Test comparison wherein they threw a very diverse set of in-the-wild exploits (12 different exploit kits) and attacks on 16 different vulnerabilities, against 13 different products.

The second part of the comparison revolved around an artificial zero-day exploit attack. The purpose of this attack is to provide a more realistic picture of the capabilities of security software against real zero-day attacks. Just like real-world exploit attacks, this attack has not yet been discovered by security researchers and is unknown to blacklist-based technologies that rely on prior discovery, like URL filtering and virus signatures (which is a good indication why all security solutions, other than Microsoft EMET and Malwarebytes Anti-Exploit, failed to detect this attack).
    We also provided MRG with an advanced ROP chain and shellcode for their artificial zero-day attack, which is able to bypass every popular anti-exploit solution.

The techniques that we used to defeat these solutions are not new and have been available in the public domain for a long time. The purpose of our attack is to show readers that any motivated attacker is able to (re-)weaponize exploits to bypass security solutions. In effect it also shows the power of our unique hardware-assisted exploit protection technology. We provided all the details surrounding our attack as well. They are made available by MRG Effitas for verification by interested researchers.

    You can download the report (which includes the review, comparison and the artificial zero-day attack) from this link: https://www.mrg-effitas.com/mrg-effitas-real-world-exploit-prevention-test-march-2015/

    Release notes build 180 GA (changelog compared to build 155 RC)
    • Improved Lockdown mitigation to enforce safe execution of VBScript. This mitigates the exploitation technique known as "VBScript God Mode".
    • Improved Load Library mitigation to detect shellcode.
    • Improved Load Library mitigation to detect reflective loaded libraries.
    • Improved branch-based hardware-assisted ROP mitigation (part of Control-Flow Integrity).
    • Improved software-based ROP mitigation (part of Control-Flow Integrity).
    • Improved IAT Filtering.
    • Improved Dynamic Heap Spray mitigation.
    • Improved CryptoGuard mitigation, specifically protection of connected network drives.
    • Improved BadUSB mitigation.
    • Improved Enforce DEP mitigation.
    • Improved Safe Browsing intruder alert, which now also shows the correct technical details.
    • Improved Software Radar.
    • Improved compatibility with EMET 5.1.
    • Improved compatibility with Sandboxie 4.16.
    • Fixed upgrade from HitmanPro.Alert version 2 to version 3. In previous builds, the upgrade could affect the functionality of the existing connected keyboard.
    Changelog compared to build 179 RC
    • Improved HeapSpray mitigation.
    • Improved network driver compatibility.
    Remarks
    • HitmanPro.Alert 3 allows experienced computer users to apply exploit mitigations to applications of their own choosing. But the following software types should not be protected by HitmanPro.Alert:
      • Anti-malware and intrusion prevention or detection software
      • Debuggers
      • Software that handles digital rights management (DRM) technologies (i.e. videogames)
  • Software that uses anti-debugging, obfuscation, or hooking technologies
• HitmanPro.Alert 3 is not compatible with the Microsoft Enhanced Mitigation Experience Toolkit (EMET) version 5.2. As a workaround you can disable EAF and EAF+ in EMET 5.2. HitmanPro.Alert is fully compatible with EMET 4.1 and EMET 5.1.
     
    Last edited: Apr 7, 2015
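The announcement contrasts inspecting hardware-recorded branches with stack-based ROP checks, where the stack the defender reads is the very data the attacker controls. The following added example (not HitmanPro.Alert's code, and not a description of its actual heuristics) shows the general idea in miniature: given a list of recorded return transfers, of the kind a processor's last-branch-record facility can supply, flag returns that land at an address not preceded by a call, and flag runs of consecutive short instruction sequences, which is the shape a chain of gadgets leaves behind. The tiny program image, the branch records and both thresholds are constructed for the illustration; the third scenario goes beyond the post by showing why a call-preceded check alone is not sufficient.

```python
"""Constructed illustration of ROP detection over recorded branches rather
than stack contents. Not HitmanPro.Alert's implementation."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Branch:
    src: int  # address of the ret instruction that was executed
    dst: int  # address control actually transferred to (from the hardware record)


# Constructed program image: address -> (mnemonic, instruction length in bytes).
# 0x1000.. is a normal function; 0x2000.. holds short ret-terminated sequences.
CODE = {
    0x1000: ("push", 1), 0x1001: ("call", 5), 0x1006: ("mov", 3), 0x1009: ("mov", 3),
    0x100C: ("add", 3), 0x100F: ("cmp", 3), 0x1012: ("jne", 2), 0x1014: ("xor", 2),
    0x1016: ("ret", 1),
    0x2000: ("pop", 1), 0x2001: ("ret", 1),
    0x2010: ("xor", 2), 0x2012: ("ret", 1),
    0x2020: ("call", 5), 0x2025: ("add", 3), 0x2028: ("ret", 1),
}


def call_preceded(addr: int) -> bool:
    """A legitimate return site is the instruction right after a call."""
    return any(mnem == "call" and a + size == addr for a, (mnem, size) in CODE.items())


def gadget_length(addr: int):
    """Instructions executed from addr up to and including the next ret,
    or None if execution runs off the known image."""
    count, a = 0, addr
    while a in CODE:
        mnem, size = CODE[a]
        count += 1
        if mnem == "ret":
            return count
        a += size
    return None


def analyse(records, max_gadget: int = 5, min_chain: int = 3) -> dict:
    """Two checks over the branch records (both thresholds constructed):
    1. every return must land on a call-preceded address;
    2. several consecutive returns into short ret-terminated sequences
       look like a gadget chain even when each site is call-preceded."""
    bad_sites = [b.dst for b in records if not call_preceded(b.dst)]
    run = longest = 0
    for b in records:
        glen = gadget_length(b.dst)
        run = run + 1 if (glen is not None and glen <= max_gadget) else 0
        longest = max(longest, run)
    return {
        "bad_return_sites": bad_sites,
        "longest_short_chain": longest,
        "rop_suspected": bool(bad_sites) or longest >= min_chain,
    }


# Constructed scenarios. The records say where control went; nothing here
# reads the stack, so attacker-controlled stack data cannot steer the verdict.
LEGIT = [Branch(0x1016, 0x1006)]                       # return into caller body
CHAIN = [Branch(0x1016, 0x2000), Branch(0x2001, 0x2010), Branch(0x2012, 0x2025)]
CALL_PRECEDED_CHAIN = [Branch(0x2028, 0x2025)] * 3     # every site call-preceded

if __name__ == "__main__":
    for name, recs in (("legit", LEGIT), ("chain", CHAIN), ("cp-chain", CALL_PRECEDED_CHAIN)):
        print(name, analyse(recs))
```

The first scenario is a normal return and produces no finding. The second fails the call-preceded check twice and also forms a run of three short sequences. The third passes the call-preceded check everywhere, yet the run-length check still fires, which is why a detector should combine more than one signal from the branch history rather than trust any single rule.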
  24. guest

    guest Guest

    @markloman @erikloman
    Congrats for the final release! :thumb:

    Is there any plan to sell HPA as lifetime licenses?
     
  25. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    BRAVI!!! :thumb:
     