HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    No, I said filtering WriteProcessMemory calls is not sufficient to block TDL3/4, ZeroAccess, Cridex, etc. There are tons of ways to inject code to steal stuff. This also applies to 64-bit.

    First, a good security product (like, for example, a HIPS) should not ask the user _anything_ related to security. It can't ask my mother-in-law whether a registry key should be allowed to be changed. A HIPS like that is fine when you are a security expert/enthusiast, but it's fairly pointless for elderly or non-tech-savvy people (the 98% of this world).

    Some ways to inject code into browser (from the back of my head):

    • Browser addon/extension (signed or unsigned)
    • Replace existing DLL with malicious DLL
    • Patch/modify a file
    • Via registry keys (like AppInitDLL)
    • SetWindowsHookEx (various tools, mouse/keyboard drivers, etc)
    • WriteProcessMemory/CreateRemoteThread (various tools, mouse/keyboard drivers, etc)
    • DLL injection via APC injection (various tools, rootkits, bootkits, etc)
    • Use Shim Engine / AppCompat SDB (EMET, MS)
    • DLL proxying - overwriting section via KnownDlls (ZeroAccess)
    • Webpage exploiting vulnerability in browser/plugin (like Java/PDF etc) via ROP/shellcode; allows your code to be executed by browser, just by letting user visit a webpage.
    • ... and tons of others I forgot to mention.
    Any of the above are used by both legit and malicious programs (well, perhaps not the exploit :)). The fact that it's also used by legit tools makes it hard to distinguish whether the code injection is done with legit or malicious intent.

    To illustrate how common injection is: standard Windows behavior is that when starting a new process, the parent process injects data into its child process (via csrss.exe). If you block it, the child process runs with improper credentials/privileges.

    HitmanPro.Alert doesn't try to prevent the injections, it just tells you the browser is compromised to prevent you from entering sensitive information. This approach gives maximum compatibility with other (security) applications and it's extremely lightweight.

    Hope this helps.
     
  2. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    I keep seeing multiple hmpalert silent crashes every time I boot/shutdown (not sure which). This happens on XP and HmpAlert seems to work, but I'm wondering about why these crashes occur.

    Al
     


    Last edited: Sep 1, 2013
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Interesting. Do you have a mdmp file (minidump)?
     
  4. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I haven't seen a definitive answer regarding how well HMP.Alert works alongside Sandboxie. Anyone care to chime in on this? (XP Pro SP3 system)

    Thanks in advance.
     
  5. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Working fine here with same system setup.
     
  6. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Thanks, Tom, that's helpful.

    I know I had read that it had issues with one of the Malwarebytes apps (I only use MBAM Pro) and was concerned about potential conflicts.

    My only real-time apps are OA, Sandboxie and MBAM Pro. So hopefully no conflicts will arise which might reduce the efficacy of any of those trusted security apps.
     
  7. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Update:

    Installed and ran...started Firefox via Sandboxie and got the "clean" alert.

    However, I found that I could no longer open my MBAM Pro GUI. Tried multiple times with multiple fails, even after a reboot.

    Uninstalled HMP.alert and all went back to working as before.

    So, guess I'll have to do without.
     
  8. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    I haven't been able to find any. All I have is one dmp file from today for hmpsched which, by the way, silently crashes here and there at random times. I have more crash text files from hmpAlert if you want them.

    Al
     
  9. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I had comodo firewall, sandboxie and qihoo 360 IS. I was running HMP alert and firefox was working well. When I started running Chrome, it kept crashing. So did comodo dragon as well. As soon as I uninstalled HMP alert I was able to run Chrome and Dragon again. Not sure if it was sandboxie or maybe CIS/qihoo.
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I have it on 3 machines with 3 different setups and it works like a charm. I love HitMan Pro products. Innovation is the key.:thumb:
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Has the signature hash issue been resolved with this product?
     
  12. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    I may have missed what you are referring to, but is this what you are talking about?
    Code:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/3/2013 09:49:18
    Event ID:      5038
    Task Category: System Integrity
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      2082-52G
    Description:
    Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
    
    I'm seeing this on Win7 on every boot with the last version. I still see the fly-out though and assume hmpalert is functioning.

    Al
     
    Last edited: Sep 3, 2013
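    As an added example (not from the thread or from the HitmanPro developers): a small Python parser that reads Security-log events exported in the text layout quoted above, pulls out the 5038 Code Integrity audit failures, and counts how often the same file fails per computer, so a failure that recurs on every boot can be told apart from a one-off disk error. The sample records, the "File Name:" line and its path are constructed placeholders, not values from the thread.

```python
import re
from collections import Counter
# Constructed sample in the quoted event's layout (record 1 copies it, 2 and 3 are abbreviated); "File Name:" and its path are placeholders.
SAMPLE_LOG = """\
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/3/2013 09:49:18
Event ID:      5038
Task Category: System Integrity
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      2082-52G
Description:
Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name:     \\Device\\HarddiskVolume1\\EXAMPLE\\unsigned.sys

Event ID:      4624
Keywords:      Audit Success
Computer:      2082-52G

Date:          9/4/2013 08:12:05
Event ID:      5038
Keywords:      Audit Failure
Computer:      2082-52G
File Name:     \\Device\\HarddiskVolume1\\EXAMPLE\\unsigned.sys
"""
FIELD = re.compile(r"^([A-Z][A-Za-z ]+?):\s*(.*)$")  # "Key:   value" lines
def parse_events(text):
    """Blank-line-separated records; 'Key: value' lines become fields, colon-free text under 'Description:' is joined."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev, desc = {}, []
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                ev[m.group(1)] = m.group(2).strip()
            else:
                desc.append(line.strip())
        ev["Description"] = " ".join(desc)
        events.append(ev)
    return events
def code_integrity_failures(events):
    """Event 5038 flagged 'Audit Failure': the kernel rejected an image's hash."""
    return [e for e in events if e.get("Event ID") == "5038" and e.get("Keywords") == "Audit Failure"]
def recurring_files(events):
    """Failures per (computer, file): one file failing on every boot points at a bad signature, not a disk error."""
    return Counter((e.get("Computer"), e.get("File Name", "<unknown>"))
                   for e in code_integrity_failures(events))
```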
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yes, this is what I was referring to.
     
  14. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    MPC-BE and MPC-HC's latest alpha/nightly builds seem to have some problems with HMP.Alert. Let me clarify.

    1. After installing, just open the MPC-HC/MPC-BE program and HMP.Alert's RAM usage starts to build up gradually, 1-2 MBs per second. Same when I am using any video files that use the internal LAV filter for video decoding. However this does not happen every time and I am not sure exactly what is triggering this. I tried with disabled LAV and added FFDShow, same result. However most of the time, I have used MPEG2/H264 with DXVA/QuickSync as the decoder and that definitely triggers it. Also it happens if I use MPC-BE's internal DXVA decoder. There are no alerts from HMP.Alert.

    2. However, when I tried with some VCD (.Dat) files or FLV or WEBM files, there was no spike in HMP.Alert's usage. So it could be possible that QuickSync/DXVA is causing this. Also the spike does not happen when I open a DVD's Video_TS folder via context menu, drag and drop or using IFO files.

    3. Interestingly, I have never found any problems with any audio files/CD when I played in either MPC-BE or MPC-HC.

    Here are the links for MPC-HC and MPC-BE's latest releases. I am using x64 version. Also, just so you know, MPC-BE is a fork of MPC-HC so they share a lot of code.

    http://nightly.mpc-hc.org/
    http://sourceforge.net/projects/mpcbe/files/
     
    Last edited: Sep 4, 2013
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We are working on Alert version 3. This hash issue should be solved in that version.
     
  16. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    418
    I am not a Citrix pro, and I see that the browser is used to connect to your client.
    Can HMPA detect/protect in this situation?
    Is there any benefit to use HMPA in this environment?

    PS! I will post the same in the WSA forum regarding their Identity Shield as I use both products.

    /E

    BTW, please ask Mark to take a look in the UTM thread ;)

    /E
     
  17. You forgot to add sound (violin strings) todo . . . . . . to do . . . . . to do . . . to do . . . to do . to do todo todo :D

    Once the first executable runs, there are certainly many attack vectors to guard. So a pre-run browser check for post infection (like HMP alert) is a smart precaution.

    The best thing is to prevent the first PE from being executed (anti-exec/execution restriction policies) plus memory protection (like EMET) to prevent the exploits triggered through web-based scripting code (HTML, XML, javascript, java, etc). You also need something (group policy) to prevent installation of browser plug-ins/extensions/add-ons/etc.
     
  18. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    I haven't bothered to look at Hitman Pro before now. Fill me in. Is it an MBAM type thing or AV or what? What other product can it be likened to?
     
  19. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    @AaLF
    I hope you're talking about HitmanPro Alert. It's a tool designed to alert when MITB attacks take place. Like Webroot SecureAnywhere protects against MITB and MITM.;) And HitmanPro Alert works with WSA.:)
     
  20. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    Amit, old chap, you've lost me. MITB & MITM?

    And there are two Hitman Pros? So what does the other one do?

    I told you I haven't paid attention to the product.
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Man-in-the-browser and Man-in-the-middle are forms of malicious attacks. HitmanPro.Alert is a new program made to alert you of MITB by monitoring your browser and applying a "vaccine" against VM-aware malware (it fools them into thinking they're in a virtual machine to be analyzed, so they automatically quit).

    HitmanPro is the original product that quickly scans your system and uploads suspicious files to 3 cloud AVs (Bitdefender, Emsisoft, and Kaspersky). It's very effective at detecting malware; most people use it with MBAM. Although removal is only offered with a 30-day trial, you choose when to activate that, and scanning is always free.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,874
    Location:
    Outer space
    HitmanPro is an on-demand scanner to scan for and remove threats.
    HitmanPro.Alert is a realtime tool that warns if your browser has been modified by a banking trojan.
    EDIT: J_L beat me to it :D
     
  23. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    6,039
    Location:
    Parallel Universe
    Sorry to get you lost there buddy.:D J_L as always explained it excellently. :thumb:

    In short, HitmanPro = scanner that detects and removes malware. Free version removes malware for 30 days. Similar to MBAM, only multi-AV-engine enabled and awesome at detecting and removing rootkits.

    HitmanPro Alert = tool that detects and as the name suggests alerts about a particular type of attack called MITB or Man-in-the-browser.
     
  24. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    How do I uninstall HP Alert? Cannot see it in the Control Panel Uninstall list. Have I missed it, or do I open up the C drive Programs folder & delete it from there?
     
    Last edited: Sep 30, 2013
  25. Antiviruser

    Antiviruser Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    5
    Run:
    "C:\Program Files\HitmanPro.Alert\hmpalert.exe" /uninstall
     