HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Please see: https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-289#post-2537919
    Is this applicable to your i7 processor?
    "Added support for 6th generation Intel® Core™ processors (codename Skylake) to Control-Flow Integrity (CFI) (hardware-assisted ROP mitigation)."
     
  2. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
  3. MD5

    MD5 Registered Member

    Joined:
    Nov 6, 2015
    Posts:
    10
    Updated to 3.1.0 build 328. Hardware Control Flow Integrity is now correctly handled. Thanks for assistance!
     
  4. MD5

    MD5 Registered Member

    Joined:
    Nov 6, 2015
    Posts:
    10
    I'm currently running 3.1.0 build 328 beta.

    I'm experiencing a false alarm after clicking on any link embedded in any email message using Thunderbird email client.
    After clicking on a link, Google Chrome (latest 64 stable release) startup is stopped by HitmanPro.Alert with the following details:

    Mitigation ROP

    Platform 6.1.7601/x64 06_5e
    PID 5072
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 46

    Callee Type LoadLibrary

    Branch Trace Opcode To
    ---------------------------------------- -------- ----------------------------------------
    BaseGetProcessDllPath +0x5c RET TlsGetValue
    0x000007FEFDCDE77C KernelBase.dll 0x000007FEFDCF3788 KernelBase.dll

    GetWindowsDirectoryW +0x1af RET BaseGetProcessDllPath +0x4d
    0x000007FEFDCDAEAF KernelBase.dll 0x000007FEFDCDE76D KernelBase.dll

    wcsncmp +0x32 RET GetWindowsDirectoryW +0x181
    0x0000000077C363EA ntdll.dll 0x000007FEFDCDAE81 KernelBase.dll

    InitializeCriticalSectionEx +0xa1 RET BaseGetProcessDllPath +0x22
    0x000007FEFDCDDFD1 KernelBase.dll 0x000007FEFDCDE742 KernelBase.dll

    CreatePipe RET DeleteProcThreadAttributeList +0x67
    0x000007FEFDCE2450 KernelBase.dll 0x000007FEFDCE2CD7 KernelBase.dll

    wcsrchr +0x2b RET CreatePipe
    0x0000000077C36433 ntdll.dll 0x000007FEFDCE243E KernelBase.dll

    wcschr +0x1c RET CreatePipe
    0x0000000077C36458 ntdll.dll 0x000007FEFDCE241F KernelBase.dll

    RtlInitUnicodeStringEx +0x55 RET LoadLibraryExW +0x45
    0x0000000077C614F5 ntdll.dll 0x000007FEFDCDAF05 KernelBase.dll

    RtlAnsiStringToUnicodeString +0xcb RET LoadLibraryExA +0x39
    0x0000000077C60E2B ntdll.dll 0x000007FEFDCDCA69 KernelBase.dll

    RtlMultiByteToUnicodeN +0x74 RET RtlAnsiStringToUnicodeString +0x8d
    0x0000000077C60CC4 ntdll.dll 0x0000000077C60DED ntdll.dll

    RtlAllocateHeap +0x149 RET RtlFreeAnsiString +0x1a3
    0x0000000077C5FA19 ntdll.dll 0x0000000077C618F3 ntdll.dll

    RtlAnsiStringToUnicodeString RET RtlAllocateHeap +0xe8
    0x0000000077C6120E ntdll.dll 0x0000000077C5F9B8 ntdll.dll

    RtlInitAnsiStringEx +0x4f RET LoadLibraryExA +0x1e
    0x0000000077C6195F ntdll.dll 0x000007FEFDCDCA4E KernelBase.dll

    0x000007FEFD9B1078 profapi.dll RET 0x000007FEFD9B2F22 profapi.dll

    RtlAllocateHeap +0x149 RET 0x000007FEFD9B1059 profapi.dll
    0x0000000077C5FA19 ntdll.dll

    memset +0x69 RET RtlUnicodeToMultiByteN +0x15e
    0x0000000077C5F5E9 ntdll.dll 0x0000000077C61ACE ntdll.dll

    RtlAnsiStringToUnicodeString RET RtlAllocateHeap +0xe8
    0x0000000077C6120E ntdll.dll 0x0000000077C5F9B8 ntdll.dll

    GetProcessHeap +0x11 RET 0x000007FEFD9B104A profapi.dll
    0x000007FEFDCD18A1 KernelBase.dll

    ImpersonateLoggedOnUser +0x109 RET 0x000007FEFD9B21F0 profapi.dll
    0x000007FEFDCE42C9 KernelBase.dll

    IsSandboxedProcess RET ImpersonateLoggedOnUser +0xdb
    0x000000013FF9203A chrome.exe 0x000007FEFDCE429B KernelBase.dll

    IsSandboxedProcess RET IsSandboxedProcess
    0x000000013FF9483B chrome.exe 0x000000013FF92036 chrome.exe

    IsSandboxedProcess RET IsSandboxedProcess
    0x000000013FF7F6AA chrome.exe 0x000000013FF9480B chrome.exe

    0x000000013FF442E4 chrome.exe RET IsSandboxedProcess
    0x000000013FF94803 chrome.exe

    IsSandboxedProcess RET IsSandboxedProcess
    0x000000013FF7F596 chrome.exe 0x000000013FF947F9 chrome.exe

    NtSetInformationThread +0xf * RET IsSandboxedProcess
    0x0000000077C5DA8F ntdll.dll 0x000000013FF92018 chrome.exe
    4883ec38 SUB RSP, 0x38
    44894c2420 MOV [RSP+0x20], R9D
    4d8bc8 MOV R9, R8
    448bc2 MOV R8D, EDX
    488bd1 MOV RDX, RCX
    488b0dff670400 MOV RCX, [RIP+0x467ff]
    e89e270000 CALL 0x13ff947d4
    4883c438 ADD RSP, 0x38
    c3 RET
    ( 96F1760EB14B97)


    NtQueryInformationToken +0xa RET ImpersonateLoggedOnUser +0x27
    0x0000000077C5DBCA ntdll.dll 0x000007FEFDCE41E7 KernelBase.dll

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 000007FEFDCDB026 KernelBase.dll LoadLibraryExW +0x166
    2 000007FEFDCDCA81 KernelBase.dll LoadLibraryExA +0x51

    3 000007FEFD9B3795 profapi.dll
    488bd8 MOV RBX, RAX
    4885c0 TEST RAX, RAX
    0f84ad1b0000 JZ 0x7fefd9b534e
    33c0 XOR EAX, EAX
    f0480fb15d00 LOCK CMPXCHG [RBP+0x0], RBX
    488be8 MOV RBP, RAX
    0f858c1b0000 JNZ 0x7fefd9b533e
    458d4641 LEA R8D, [R14+0x41]
    488d4c2428 LEA RCX, [RSP+0x28]
    33d2 XOR EDX, EDX
    e836ffffff CALL 0x7fefd9b36f8
    488b054f520000 MOV RAX, [RIP+0x524f]
    c744242048000000 MOV DWORD [RSP+0x20], 0x48

    4 000007FEFD9B3927 profapi.dll
    5 000007FEFD9B2F3E profapi.dll
    6 000007FEFD9B2221 profapi.dll
    7 000007FEFD9B1F1F profapi.dll
    8 000007FEFD9B2D39 profapi.dll
    9 000007FEFD9D10E9 userenv.dll ExpandEnvironmentStringsForUserW +0x9
    10 000007FEFF842A00 shlwapi.dll SHDeleteKeyW +0xf8

    Code Injection
    0000000000060000-0000000000061000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [6912]
    0000000000074000-0000000000075000 4KB
    0000000077C5D000-0000000077C5E000 4KB
    0000000077C5E000-0000000077C5F000 4KB
    000000013FFD8000-000000013FFD9000 4KB
    000000013FFD6000-000000013FFD7000 4KB
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [6912]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-289#post-2537919"
    2 C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe [6080]
    3 C:\Windows\explorer.exe [4352]
    4 C:\Windows\System32\userinit.exe [4320]

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [5072]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --channel="6912.0.1229659181\721884518" --supports-dual-gpus=false --gpu-driver-bug-workarounds=2,12,20,45,55 --gpu-vendor-id=0x10de --gpu-device-id=0x13c2 --gpu-driver-vendor
    2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [6912]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-289#post-2537919"
    3 C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe [6080]
    4 C:\Windows\explorer.exe [4352]
    5 C:\Windows\System32\userinit.exe [4320]
     
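    The Branch Trace in the alert above is a list of RET instructions and the addresses they returned to, which is what LBR-based CFI (the hardware-assisted ROP mitigation mentioned earlier in the thread) inspects. As an added illustration, not HitmanPro.Alert's code, here is a simplified model of the usual check: a legitimate return lands immediately after a CALL, whereas a return that lands on a bare RET or in the middle of a function, as a ROP chain does, is not call-preceded. The code bytes are constructed from the instruction listing in the alert; the offsets and record labels are assumptions.

```python
# Simplified "call-preceded return" check, the kind of test an LBR-based
# ROP mitigation applies to each RET record in a branch trace. Illustration
# only (not HitmanPro.Alert's code): handles CALL rel32 (E8) and the common
# FF /2 indirect forms, with an optional REX prefix.
from typing import List, Optional, Tuple

def _modrm_tail(modrm: int) -> int:
    """Bytes following ModRM (SIB + displacement) in 64-bit mode.
    Simplification: the SIB base==5 disp32 special case is not handled."""
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:                               # register operand, e.g. CALL RAX
        return 0
    sib = 1 if rm == 4 else 0
    if mod == 0:                               # rm == 5 means [RIP+disp32]
        return sib + (4 if rm == 5 else 0)
    return sib + (1 if mod == 1 else 4)        # disp8 or disp32

def call_length_before(code: bytes, ret_target: int) -> Optional[int]:
    """Length of a CALL encoding that ends exactly at ret_target, else None."""
    if ret_target >= 5 and code[ret_target - 5] == 0xE8:   # CALL rel32
        return 5
    for length in range(2, 9):                 # [REX] FF ModRM [SIB] [disp]
        start = ret_target - length
        if start < 0:
            break
        w = code[start:ret_target]
        i = 1 if 0x40 <= w[0] <= 0x4F else 0   # optional REX prefix
        if len(w) < i + 2 or w[i] != 0xFF or (w[i + 1] >> 3) & 7 != 2:
            continue                           # not FF /2 (CALL r/m64)
        if len(w) == i + 2 + _modrm_tail(w[i + 1]):
            return length
    return None

def flag_branch_trace(code: bytes, trace: List[Tuple[str, int]]) -> List[str]:
    """Labels of RET records whose target is not call-preceded (the ROP signal)."""
    return [lbl for lbl, tgt in trace if call_length_before(code, tgt) is None]

# Constructed code bytes, assembled from the instruction listing in the alert.
CODE = bytes.fromhex(
    "4883ec38" "44894c2420" "4d8bc8" "448bc2" "488bd1"   # SUB RSP,0x38 ... MOV RDX,RCX
    "488b0dff670400"                                       # MOV RCX, [RIP+0x467ff]
    "e89e270000"                                           # CALL rel32   (offset 25)
    "4883c438"                                             # ADD RSP,0x38 (offset 30)
    "c3"                                                   # RET          (offset 34)
)
# Constructed RET records: (label, return-target offset into CODE).
TRACE = [("after-call", 30), ("mid-function", 18), ("onto-ret", 34)]
FLAGGED = flag_branch_trace(CODE, TRACE)   # ['mid-function', 'onto-ret']
```

    The check is a heuristic: it only tells you that a return did not come back to a call site, which is why a mitigation of this kind still needs tuning against legitimate code that behaves unusually, as the false positives discussed in this thread show.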
  5. malware1

    malware1 Registered Member

    Joined:
    May 26, 2014
    Posts:
    133
    Reinstalled Windows 8.1 and the issue persists. :(
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
    Well, this is interesting, since I haven't experienced it before... However, I lost network connections, and my Opera browser wouldn't connect until I rebooted... so I am able to post here now. I experienced a series of alerts, and it appears to be related to IE trying to open; see the last screenshot of the following four:

    ScreenShot_HMP,A_ Intruder Alert_01.gif

    ScreenShot_HMP,A_ Intruder Alert_02.gif ScreenShot_HMP,A_ Intruder Alert_03.gif

    ScreenShot_HMP,A_ Intruder Alert_04.gif
     
  7. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Which 3rd party security solutions are you running? It looks like at least certain functions are being hooked...

    BTW, why are you still running IE6?
     
  8. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
    @ropchain

    Actually, I had updated IE 8 to fix the memory error I posted about in post #7348 here, but that didn't get rid of the problem, so I uninstalled it, and that is how I came to be back on IE 6.

    P.S. I don't like to use IE, period.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Tarnak

    Are you using Malware Defender?

    Pete
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
    Hi Pete,

    No, I never have....Is it by Microsoft?
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
    Further to my post above, I notice that it says I have no alerts... That can't be correct, since obviously I have had some alerts.

    ScreenShot_HMP,A_ Intruder Alert_05.gif
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,069
    Location:
    .
    Installed Firefox x64
     
    Last edited: Nov 7, 2015
  13. colorado13

    colorado13 Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    117
    Location:
    Orihuela, Spain
    I'm currently running 3.1.0 build 329 beta, ESS 9 and Sandboxie 5.06 in Win 7 x32.
    I have a problem with my games:
    Pillars of Eternity slow loading/saving times and crashing.
    War Thunder crashing.
    After uninstalling HitmanPro.ALERT the problem is gone.
     

    Attached file: q.png (74.7 KB)
  14. alex5723

    alex5723 Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    8
    HitmanPro.Alert 3.0.59.209 blocks/crashes iTunes 12.3.1.
    Removed Mitigations for iTunes to function.
     
  15. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,112
    No such problem with HitmanPro.Alert 3.1.0.329. Maybe you can use that?
     
  16. malware1

    malware1 Registered Member

    Joined:
    May 26, 2014
    Posts:
    133
    It has been fixed:
     
  17. Cch123

    Cch123 Registered Member

    Joined:
    Oct 27, 2013
    Posts:
    15
  18. CCV

    CCV Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    44
    Location:
    Tasmania
    Hi, everybody.
    I've had an alert like this twice now, and both times it crashed Facebook.
    Can anyone tell me what it means, please?

    The screenshot you can view on my OneDrive - http://1drv.ms/1HA2wAs

    Curious as well if Hitmanpro.Alert saves logs of such events anywhere.

    Version 3.0.59 build 209, running on Win 10 Pro x64.
    (Actually ran the beta version previously, for some good time.)

    Any help much appreciated.
    Thank you.
     
  19. alex5723

    alex5723 Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    8
    Thanks.
    Do you have a link for download?
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,286
    Location:
    Among the gum trees
  21. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Win10 users are advised by the developer to run hmp.alert 3.1 beta build 328 or the newer 329.

    http://test.hitmanpro.com/hmpalert3b328.exe
    http://test.hitmanpro.com/hmpalert3b329.exe

    https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-292#post-2539059
     
    Last edited: Nov 8, 2015
  22. alex5723

    alex5723 Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    8
  23. shogun_r

    shogun_r Registered Member

    Joined:
    Aug 17, 2013
    Posts:
    22
    Location:
    Sweden
    Are there any known issues with Bitdefender 2016?

    I first had Bitdefender 2015 with HMPA and it worked without issues (at least as far as I could see). When I formatted and installed everything again I got Bitdefender 2016. Now when I'm using it with HMPA, Bitdefender deactivates "Active Threat Control" and "Intrusion Detection" all the time. It feels like my AV is quite pointless in this situation. It also feels bad when both HMPA and Bitdefender are paid versions.

    Has anyone experienced the same? What is the advice? Install again and get a new AV with HMPA? In this case I would get a free AV, as my current one has expired; I don't want to pay for two at the same time.

    Which good combo of AV are you using with HMPA? Free or paid?

    I suppose that HMPA takes care of a good part of the security of the computer, but anyway it's important to have a good AV with "threat control"/"behavioural analyser".
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    For antivirus I use Webroot SecureAnywhere and it works together with HMPA.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    I really wonder why HMPA is causing so many false positives. Is it perhaps because of conflicts with other tools, or is it perhaps too strict?
     