HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. CCV

    CCV Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    44
    Location:
    Tasmania
    Ah, ok.. Thanks.
    Though I might mention, the only reason I uninstalled the beta was a couple of very bothersome recent updates to 10. It turned out that disabling security software wasn't enough in every case. And it was MBAM that needed to be uninstalled in one case I know of. For me it was HMP.Alert, I found, having uninstalled MBAM first.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    @Victek - are you using HMPA 3.0.59 build 209 or 3.1 build 329 beta? Keystroke encryption in HMPA is no longer working with the latter, only with the stable build. @bjm_ experiences same.
     
  3. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    418
    Using Webroot SecureAnywhere as well, and I'd like to know if there are any issues with WSA's Identity Shield.
    I do not want Alert and Identity Shield to argue over the same thing, I just want the added protection (if any?) from Alert on some sensitive installations.

    Does Mark or Erik have any insight regarding this?

    Cheers

    /E
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    See my earlier post, and the one above. Hopefully Mark or Erik will respond.
     
  5. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    418
    Thanks paulderdash!
    They usually respond when they are done investigating :)

    /E
     
  6. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    What do you mean (based on what) that HMP.Alert is causing so many false positives?
    In our environment there are 3 desktops and 2 laptops all running the same basic AV/Security SW (see my signature) and in total we had 2 false positives in the last 6 months!
    Personally I think that being 'over armored' in the used AV/Security tools can/will cause conflicts.
     
    Last edited: Nov 9, 2015
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Perhaps you could try testing it with Zemana and Spyshelter keystroke encryption test.

    From what I saw when testing both, while HitmanPro.Alert doesn't show its encryption border while typing, the encryption is still happening.
    I did test it while adding HitmanPro.Alert to "allow" on identity protection though.
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I'm using 3.1 build 329. With WSA Identity Shield turned ON the live keystroke encryption is not displayed in the colored border, but I don't know if that means it isn't working. Even if it's not working in HMPA, WSA is designed to protect against keyloggers, so I don't see that it's necessary for both programs to be doing the same thing.
     
    Last edited: Nov 9, 2015
  9. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    I believe the developer stated several times that HMPA will disable 'Keystroke Encryption' if it encounters another program that is doing 'Keystroke Encryption' too.
     
  10. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Only WSA is not doing 'Keystroke Encryption'.
    I'm now back on Alert 3.0 and I have 'Keystroke Encryption' with WSA.
    So, doubtful WSA is doing 'Keystroke Encryption'.
     
  11. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    @erikloman any insight into what triggers this ROP?

    Today I had a virtual Windows Server course through Adobe Connect. I couldn't even load Internet Explorer.
    Don't know what's going on with the latest beta, but I haven't seen this many warnings in such a short time.
    Code:
    Mitigation   ROP
    
    Platform     10.0.10240/x64 06_5e
    PID          4336
    Application  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Description  Internet Explorer 11
    
    Branch Trace                      Opcode  To                             
    -------------------------------- -------- --------------------------------
    InterlockedIncrement +0x11            RET GetHotPatchInfo                
    0x76667531 kernel32.dll                   0x648FC1D9 SS2DevProps.dll     
    
    InterlockedIncrement +0x11            RET GetHotPatchInfo                
    0x76667531 kernel32.dll                   0x648FC1D0 SS2DevProps.dll     
    
    GetHotPatchInfo                       RET GetHotPatchInfo                
    0x648FCDD0 SS2DevProps.dll                0x648FC0FB SS2DevProps.dll     
    
    IEShims_SetRedirectRegistryForThread    * RET GetHotPatchInfo                
    0x632BDCF5 IEShims.dll                    0x648FB6A0 SS2DevProps.dll     
                55                       PUSH         EBP
                8bec                     MOV          EBP, ESP
                83e4f8                   AND          ESP, -0x8
                6aff                     PUSH         -0x1
                68feb99064               PUSH         DWORD 0x6490b9fe
                64a100000000             MOV          EAX, [FS:0x0]
                50                       PUSH         EAX
                64892500000000           MOV          [FS:0x0], ESP
                51                       PUSH         ECX
                a19ced9164               MOV          EAX, [0x6491ed9c]
                a801                     TEST         AL, 0x1
                752c                     JNZ          0x648fb6f1
                83c801                   OR           EAX, 0x1
                a39ced9164               MOV          [0x6491ed9c], EAX
                6a00                     PUSH         0x0
                c744241000000000         MOV          DWORD [ESP+0x10], 0x0
                                     (4FD8E23657BE51C8)
    
    
    memset +0x5a                          RET InitDManipHook +0x198          
    0x7749EEAA ntdll.dll                      0x771AD238 user32.dll          
    
    wcstok_s                              RET KiUserCallbackDispatcher +0x34 
    0x774AC99D ntdll.dll                      0x7749AE44 ntdll.dll           
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  648FAD57 SS2DevProps.dll          GetHotPatchInfo
                85c0                     TEST         EAX, EAX
                7461                     JZ           0x648fadbc
                0fb64608                 MOVZX        EAX, BYTE [ESI+0x8]
                8b4e04                   MOV          ECX, [ESI+0x4]
                8801                     MOV          [ECX], AL
                0fb64609                 MOVZX        EAX, BYTE [ESI+0x9]
                8b4e04                   MOV          ECX, [ESI+0x4]
                884101                   MOV          [ECX+0x1], AL
                0fb6460a                 MOVZX        EAX, BYTE [ESI+0xa]
                8b4e04                   MOV          ECX, [ESI+0x4]
                884102                   MOV          [ECX+0x2], AL
                0fb6460b                 MOVZX        EAX, BYTE [ESI+0xb]
                8b4e04                   MOV          ECX, [ESI+0x4]
                884103                   MOV          [ECX+0x3], AL
                0fb6460c                 MOVZX        EAX, BYTE [ESI+0xc]
                8b4e04                   MOV          ECX, [ESI+0x4]
    
    2  648FB704 SS2DevProps.dll          GetHotPatchInfo
    3  771AD26D user32.dll               InitDManipHook +0x1cd
    4  7749AE46 ntdll.dll                KiUserCallbackDispatcher +0x36
    5  632C2080 IEShims.dll              IEShims_Initialize
    6  648FB07F SS2DevProps.dll          GetHotPatchInfo
    7  771BE7A7 user32.dll               GetIconInfo +0xc7
    8  7749AE46 ntdll.dll                KiUserCallbackDispatcher +0x36
    9  771A9380 user32.dll               CreateWindowExW +0x1c0
    10 771A91F8 user32.dll               CreateWindowExW +0x38
    
    Process Trace
    1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [4336]
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:9868 CREDAT:75009 /prefetch:2
    2  C:\Program Files\Internet Explorer\iexplore.exe [9868]
    3  C:\Windows\explorer.exe [10116]
    4  C:\Windows\System32\userinit.exe [7476]
    5  C:\Windows\System32\winlogon.exe [4652]
    C:\Windows\System32\WinLogon.exe -SpecialSession
    6  C:\Windows\System32\smss.exe [2040]
    \SystemRoot\System32\smss.exe 000000e0 00000074 C:\Windows\System32\WinLogon.exe -SpecialSession
    
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Looks like a conflict with an ASUS component (C:\Program Files\asustekcomputer.inc\ss2\userinterface\x64\ss2devprops.dll).
    To what ASUS application does the component belong?
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Alert is designed to detect ROP, either suspicious or malicious. A ROP is a ROP.

    Some poorly/deliberately written software is performing ROP operations (e.g. Spotify, DRM software, etc.). Also, security products generally use PUSH+RET instructions to jump to/from trampolines. In some ways this may cause Alert to trigger an alert.

    HitmanPro.Alert uses Intel hardware-assistance to detect ROP operations. This means that Alert has information to detect ROP operations in the past, before reaching a point to perform ROP checks (eg. VirtualProtect). Other anti-exploit solutions are only able to analyze the stack (the future), which is under control of the attacker (!).

    We had many false positives during CTP and Beta builds. We used the Wilders Security Forum to help us develop and fine-tune the product. This also means you get to see the issues during development.

    When you say Alert has "so many false positives", please quantify your assumption. Which false positives are you referring to?
     
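Editor's note: the post above describes the idea behind hardware-assisted ROP detection without showing it, so here is an added example to make it concrete. It is not HitmanPro.Alert's code, and the exact heuristic Alert applies to the branch records is not stated on this page; the example assumes the classic "call-preceded RET" check that Intel's Last Branch Record (LBR) buffer makes possible: every recorded RET is checked against the code image, and a RET whose target is not immediately preceded by a CALL instruction is treated as a ROP indicator. The x86-32 code image and the branch trace are constructed for the example; they also show why a PUSH imm32 ; RET trampoline of the kind the post attributes to security products and DRM trips the same check as a real gadget chain.

```c
/* Added example (not HitmanPro.Alert's code): call-preceded RET check over
 * LBR-style branch records. A legitimate RET lands right after a CALL;
 * a ROP gadget or a PUSH+RET trampoline lands anywhere, so its target is
 * not call-preceded and the RET is flagged. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed x86-32 code image; offsets stand in for virtual addresses. */
static const uint8_t code[] = {
    /* 0x00 */ 0x55,                                /* push ebp                  */
    /* 0x01 */ 0x8b, 0xec,                          /* mov  ebp, esp             */
    /* 0x03 */ 0xe8, 0x08, 0x00, 0x00, 0x00,        /* call 0x10 (returns to 0x08) */
    /* 0x08 */ 0x85, 0xc0,                          /* test eax, eax             */
    /* 0x0a */ 0xff, 0x15, 0x00, 0x10, 0x00, 0x00,  /* call [0x1000] (returns to 0x10) */
    /* 0x10 */ 0x5d,                                /* pop  ebp   ; callee       */
    /* 0x11 */ 0xc3,                                /* ret                       */
    /* 0x12 */ 0x68, 0x44, 0x33, 0x22, 0x11,        /* push 0x11223344 ; trampoline */
    /* 0x17 */ 0xc3,                                /* ret  ; "jumps" to pushed value */
    /* 0x18 */ 0x58,                                /* pop  eax   ; gadget       */
    /* 0x19 */ 0xc3,                                /* ret                       */
};

/* Does an x86 CALL instruction end exactly at 'target'? Covers the common
 * encodings only (E8 rel32, FF /2 with reg, [disp32], [reg+disp8],
 * [reg+disp32]); a real decoder would handle prefixes and SIB bytes too. */
static bool is_call_preceded(const uint8_t *img, size_t len, size_t target)
{
    if (target > len) return false;
    if (target >= 5 && img[target - 5] == 0xe8) return true;          /* call rel32      */
    if (target >= 2 && img[target - 2] == 0xff &&
        (img[target - 1] & 0xf8) == 0xd0) return true;                /* call reg        */
    if (target >= 3 && img[target - 3] == 0xff &&
        (img[target - 2] & 0xf8) == 0x50 &&
        (img[target - 2] & 0x07) != 4) return true;                   /* call [reg+disp8] */
    if (target >= 6 && img[target - 6] == 0xff) {
        uint8_t modrm = img[target - 5];
        if (modrm == 0x15) return true;                               /* call [disp32]   */
        if ((modrm & 0xf8) == 0x90 && (modrm & 0x07) != 4) return true; /* call [reg+disp32] */
    }
    return false;
}

typedef enum { BR_CALL, BR_RET, BR_JMP } branch_kind;
typedef struct { branch_kind kind; size_t from, to; } branch_rec;

/* Constructed branch trace, oldest first, as an LBR-style buffer would hold it. */
static const branch_rec trace[] = {
    { BR_CALL, 0x03, 0x10 },  /* ordinary call into the callee at 0x10           */
    { BR_RET,  0x11, 0x08 },  /* ordinary return to call site + 5: call-preceded */
    { BR_RET,  0x17, 0x18 },  /* PUSH+RET trampoline lands on the gadget: flagged */
    { BR_RET,  0x19, 0x12 },  /* gadget returns into plain code: flagged          */
};
#define TRACE_LEN (sizeof trace / sizeof trace[0])

/* Count RET records whose target is not call-preceded: the ROP indicator. */
static int count_suspicious_rets(const branch_rec *t, size_t n,
                                 const uint8_t *img, size_t len)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].kind != BR_RET) continue;
        if (!is_call_preceded(img, len, t[i].to)) {
            printf("suspicious RET 0x%02zx -> 0x%02zx (target not call-preceded)\n",
                   t[i].from, t[i].to);
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    int n = count_suspicious_rets(trace, TRACE_LEN, code, sizeof code);
    printf("%d suspicious RET(s) in trace\n", n);
    return 0;
}
```

Two caveats a practitioner will recognise from the post: the trampoline RET at 0x17 is flagged even though it is benign, which is exactly the false-positive class erikloman describes for hooking products and DRM; and the check is only as good as its view of the past, so an attacker who chains gadgets that happen to sit after CALL instructions (call-preceded gadgets) evades this particular heuristic, which is why real products layer further checks on top of it.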
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.1 Build 332 BETA

    A new build to mitigate the newly disclosed WoW64 bypass by Duo Security.

    This build also supports Windows 10 "Threshold 2" build 10586 which was pushed to "Fast Ring" subscribers last week.

    Changelog
    • Added support for Windows 10 "Threshold 2" build 10586
    • Improved SysCall Mitigation to protect against various WoW64 bypasses.
    • Improved Installer to handle partly uninstalled installations.
    Download
    http://test.hitmanpro.com/hmpalert3b332.exe

    Please let me know how this version runs on your computer :thumb:
     
    Last edited: Nov 9, 2015
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    File properties say it's version 3.1.0.332 (which I think is correct),
    not 3.0.59.332
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Fixed. Thanks.
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
  18. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    What happens if the Fall Update (Threshold 2) is installed tomorrow (as is predicted), but one still runs build 329 instead of 332?

    (some family members currently run build 329, but they won't know how to update it - I normally do that for them)
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    http://www.neowin.net/news/windows-...s-slow-ring-isos-will-take-a-couple-more-days

    If build 332 is deemed stable it will be pushed out via automatic update.

    Note that 10586 was released last week, we did not have much time to test it.

    If you do not update, exploit mitigations will be disabled on some apps. That's all.
     
  20. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    So the system will still work. Good to know! Thanks!
     
  21. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    flawless as usual :-*
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks Erik. Will install shortly
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I was just going to ask if HMPA might be able to protect against the WoW64 bypass; you guys are good :thumb:

    Edit: 3.1.0 build 332 Beta running fine on Windows 10 x64.

    By the way, which mitigation category does the WoW64 protection come under?
     
    Last edited: Nov 9, 2015
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    All good here so far.
     
  25. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    No problems updating/upgrading build 332 Beta.

    Like the previous version, I do not see the encrypted URLs in the orange box (both IE11 and FF 42.0).

    Windows 10 build 10240 x64/Norton Security with Backup v22.5.4.24
     