HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,301
    Location:
    the Netherlands
    @ erikloman
    @ markloman
    and also @ everyone else

    In addition to my post earlier today,
    stopping and restarting the hmpalertsvc service to fix the flyout issue seemed to work, for a while,
    but after some time the issue was back, unrelated to sleep mode or anything else that I can think of.
    Looks like stopping and restarting the hmpalertsvc service to fix the flyout issue was not enough, or the issue came back for some other reason.
    Pity.
    So I'll reboot.

    Good luck fixing this darndest issue.


    Best regards
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,301
    Location:
    the Netherlands
    @ erikloman
    @ markloman

    Here's another addition to the information regarding the HitmanPro.Alert flyout issue.

    July 7th, I wrote, regarding the flyout issue:
    I can add to that:
    - Also, as the flyout issue occurs, opening multiple new browser tabs by clicking multiple URLs is notably sluggish. Opening multiple new browser tabs by clicking multiple URLs is slowed down considerably, and I need to wait to open some more tabs until the first bunch have completed opening. This happens only in connection with the flyout issue.
    I think this symptom wasn't mentioned yet.

    And as the flyout issue was back for the second or third time today (this time there could've been a connection with sleep mode),
    and as especially the slowing down of opening new browser tabs was annoying me highly,
    and as I was getting quite fed up with rebooting,
    for now, I uninstalled HitmanPro.Alert.
    I will try again later, when the version fixing the flyout issues is ready.


    System information:
    Windows Vista SP2 x86
    IE9
    G Data IS 2014
    SpywareBlaster 5.0
    EMET 4.0 with all EMET mitigations for iexplore.exe and also "Deep Hooks" enabled in EMET\ Apps\ Application Configuration.


    Best regards
     
  3. imperium

    imperium Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    73
    Location:
    England
    Noob question. This sounds like a good program to have but is Hitman Pro Alert compatible with Kaspersky Internet Security 2013/2014? I use Safe Pay but don't want a program that might interfere with Safe Pay's ability to protect me. Thankyou.
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes, this is also caused by the same issue. Will make priority of this issue.
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes it is fully compatible as of version 2.0.9.
     
  6. shogun_r

    shogun_r Registered Member

    Joined:
    Aug 17, 2013
    Posts:
    22
    Location:
    Sweden
    Have some small questians.

    Is the signatures/database of potential threats in the cloud? Is the signatures/database updated to new threats?

    Is there any tests or something on the program? It claims that : "HitmanPro.Alert will instantly detect over 99% of all known and new banking Trojans." Is it something that has been investigated or is it just a taken number?

    Has installed on a Win7 64bit with Qihoo360, Hitmanpro and Malwarebytes Anti-maleware Pro and no problem so far.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,385
    Location:
    The Netherlands
    It doesn´t use any signatures, it just checks for certain changes in critical functions of the browser.

    Most banking Trojans use the same technique to hijack browsers, that´s why these claims are made I suppose.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,385
    Location:
    The Netherlands
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Just intalled this. Nice light app with zip performance hit using IE9.

    Since I use Emsisoft Antimalware that gives equal to better protection and using EMET 4.0 certificate pinning is this software redundant?
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The app in the image filters WriteProcessMemory API. Thats not sufficient by a long shot. TDL3/4, ZeroAccess, Cridex (bootkits, rootkits) have free play on systems with those kind of protections.

    When you have one of the above infections on a Trusteer system, the computer becomes unresponsive while Trusteer is battling the attack. Trusteer in most cases doesn't prevent the attack but tries to abort the attack. Trusteer is also incompatible with a lot of security software. And some AVs don't like other AVs on the same system either.

    Some AVs like Kaspersky are indeed able to block, but they work on the standard browsers, not the derived browsers like Pale Moon, Comodo Dragon, Maxthon, etc.

    And x64 systems have less capabilities to counter attacks due to PatchGuard; 32-bit systems can modify kernel code and structures while 64-bit cannot. This means that software X wont work as good on 64-bit systems. I guess that is why MRG choose to do tests on 32-bit systems?

    So in order to work on all browsers and all systems, with all AVs (no conflicts) we choose to just Alert the user when browser is compromised. Compatibility is key.

    But hang around this thread for future announcements ;)

    Hope this helps.
     
    Last edited: Aug 18, 2013
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Maybe I spoke to soon about this software. Anyone want to explain what these invalid hashes are about? I just downloaded and installed from HMP web site this morning.
     

    Attached Files:

  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The DLL uses Page Hashes for integrity.
    http://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx

    Can you right-click the DLL and go to Properties, then Digital Signature tab?
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Sorry. Cannot do. Already uninstalled from my PC.
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,539
    Location:
    Outer space
    I just checked mine out of curiosity and saw I have the same entries in Event Viewer. Digital Signature is OK though, here's the SHA-256 of the file:
    9B8FDA2AAD871D3AFFD03463CA7A1756CB1395ABF507701F1053913B642EBCDF
    v2.0.10.45 (x64)
    EDIT: Almost all Audit Failures in Event Viewer are about hmpalert.dll and always the one in \System32, never the one in \SysWOW64
     
  15. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Where can I find which version of HMP.Alert I have installed?
     
  16. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,853
    I've started using this since it is out of beta. I appears to work, but I was wondering if it is necessary since I use AppGuard. Can my browser even be compromised since I use AppGuard?
     
  17. SpeedyPC

    SpeedyPC Registered Member

    Joined:
    Dec 27, 2010
    Posts:
    105
    Location:
    The Land of OZ (Australia)
    @ erikloman welcome back from you're enjoyable holiday and I hope it was long enough for you to relax, just asking if you remember the bug you found during remote access from my laptop just making sure you haven't forgotten. Take you're time doing the complete bug investigation before releasing the new version.

    Cheers.
     
    Last edited: Aug 19, 2013
  18. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,853
    I've been using this a few days, and I think there is some sort of conflict with Malwarebytes Ant-Exploit Beta. The day I installed it, I would occasionally get a popup from MBAE saying it had blocked an exploit, right after opening Chrome. However, checking MBAE shows no information on any exploit blocked. I think it has to be something to do with HMPA since it didn't happen until I installed it.
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  20. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    How can I tell which version/build of HMP.Alert I'm using?

    Apparently, HMP.Alert auto updates just like HMP. However, because I use NVT ERP in lockdown mode, all of the updates are blocked. What do you suggest as a workaround for this?

    If there were a way to track the versions, I could probably manually update as necessary.
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Open "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe", and look at title bar. Or right-click > properties > details on "hmpalert.exe".

    You have to whitelist the path "C:\Users\TomAZ\AppData\Local\Temp\hmpalert_update.exe". Unfortunately, it's a temporary file (disappears right after update), so hash rules are extremely hard.

    SUMo (download lite or portable version) supports this software, like any other with detectable version in file properties and active users.
     
  22. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Thanks for the info. Because it's a temporary file, does this mean that each subsequent update will be blocked?
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Not if NVT ERP allows file path rules (like the format I used) where the file doesn't have to exist or be a specific hash. You can try a dummy file if it just doesn't need the same hash.

    Otherwise, you could try Recuva or training mode, but both require luck or at least a day's effort, and the file may change in future updates. This update only occurs on some browser startups, so I don't know when to expect it.
     
  24. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,121
    I also noticed the multiple popup issue when the service is running properly. It is after I enabled "Enhanced Protected Mode" in Internet Explorer 10. I'm using Internet Explorer 10 in Windows 8 x64.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,385
    Location:
    The Netherlands
    Wait a minute, so basically you´re saying that just about all HIPS on WinXP 32 bit can´t stop these banking trojans?
    And what about HIPS on Win7/8 64 bit? :blink:

    Just to clarify, I´m not talking about systems who are already infected, I can imagine it´s quite hard for HIPS to protect a heavily infected machine. But HIPS should be able to stop banking trojans from infecting the system in the first place.

    It´s clear to me that all these banking trojans make use of code injection, trying to hijack (or "hook") the browser, but sadly enough, in all these technical papers it´s never explained how (and if) HIPS can stop this kinda stuff. :cautious:

    Which areas should HIPS be monitoring? That´s what I wonder about.

    http://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf
    http://www.autosectools.com/IAT-Hooking-Revisited.pdf
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.