HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Only CPUs based on Intel Nehalem (or newer) architecture support hardware-assisted exploit protection. Nehalem was released in 2008.
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.1.0 Build 344 PreRelease

    Changelog
    • Improved ROP mitigations
    • Fixed compatibility with Telegram Desktop
    • Fixed compatibility with Sophos Web Interceptor
    • Added Swedish language
    • Updated Polish language
    • Updated Indonesian language
    Download
    http://test.hitmanpro.com/hmpalert3b344.exe

    Please let me know how this version runs on your computer :thumb:
     
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,273
    Location:
    the Netherlands
    Am I correct when I say that build 343 is still not offered by automatic update, yet?
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    That is correct.
     
  5. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    W7-x64:
    Downloaded 3.1.0 build 344 with FF42.0, Installed build 344 over build 343, rebooted, NO issues so far, runs fine!
     
    Last edited: Dec 11, 2015
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    972
    No problems upgrading to build 344 PreRelease.

    Win10 1511 build 10586.29 x64/Norton Security with Backup v22.5.5.15
     
  7. HansF

    HansF Registered Member

    Joined:
    Dec 10, 2015
    Posts:
    24
    Hi,
    I'm running Firefox (64-bit) sandboxed (Sandboxie) and, since yesterday, HMPA for testing this combination. The sandboxed Firefox shows that it is protected by HMPA (green frame, secure browsing and exploit protection), but when I open SurfRight's exploit test tool and start a test for Firefox, the browser starts without any reaction from HMPA. HMPA only reacts when I run Firefox outside Sandboxie. Is it right that I've got to run the exploit test tool in Firefox's sandbox for testing, or should HMPA react?
     
    Last edited: Dec 11, 2015
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Still can't download in FF42 on Desktop. Going to try VM
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,796
    Location:
    Among the gum trees
    No problem downloading Build 344 using FF42 here.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Got it. Problem was Heimdal Pro SecureDNS was blocking that site for some reason. Turned it off and am fine. Have it purring on two desktops.

    Pete
     
  11. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118
    I've found another false positive:

    Skype 7.16 + Mumble 1.3.0

    Mitigation ROP

    Platform 10.0.10586/x64 06_3c
    PID 9376
    Application C:\Program Files (x86)\Skype\Phone\Skype.exe
    Description Skype 7.16

    Callee Type LoadLibrary

    Branch Trace Opcode To
    -------------------------------- -------- --------------------------------
    RtlInitUnicodeStringEx +0x46 RET LoadLibraryExW +0x4c
    0x77D75A76 ntdll.dll 0x753BE78C KernelBase.dll

    LoadLibraryW +0x5 ~ RET* RemoveHooks +0x80
    0x77A1A845 kernel32.dll 0x63E555E0 mumble_ol.dll
    55 PUSH EBP
    8bec MOV EBP, ESP
    a190d2e663 MOV EAX, [0x63e6d290]
    83ec08 SUB ESP, 0x8
    56 PUSH ESI
    57 PUSH EDI
    8b3da4d2e663 MOV EDI, [0x63e6d2a4]
    85c0 TEST EAX, EAX
    0f84ab000000 JZ 0x63e556a6
    803da0d2e66300 CMP BYTE [0x63e6d2a0], 0x0
    0f859e000000 JNZ 0x63e556a6
    8b35d800e663 MOV ESI, [0x63e600d8]
    8d4dfc LEA ECX, [EBP-0x4]
    51 PUSH ECX
    6a40 PUSH 0x40
    6a06 PUSH 0x6
    (6674015877BF1A06)


    0x00408458 Skype.exe RET 0x00420704 Skype.exe

    SetErrorMode +0x54 ~ RET 0x004206DB Skype.exe
    0x753BF1A4 KernelBase.dll

    NtSetInformationProcess +0xc ~ RET SetErrorMode +0x4e
    0x77DA6CBC ntdll.dll 0x753BF19E KernelBase.dll

    Wow64SystemServiceEx +0x257 RET TurboDispatchJumpAddressEnd +0xb
    0x66CD6347 wow64.dll 0x66CC1C87 wow64cpu.dll

    0x66CE8404 wow64.dll RET Wow64SystemServiceEx +0x244
    0x66CD6334 wow64.dll

    0x66CDA093 wow64.dll RET Wow64SystemServiceEx +0x155
    0x66CD6245 wow64.dll

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 753BE878 KernelBase.dll LoadLibraryExW +0x138
    2 753C0CF1 KernelBase.dll LoadLibraryW +0x11

    3 63E556AC mumble_ol.dll RemoveHooks +0x14c
    6a00 PUSH 0x0
    b990d2e663 MOV ECX, 0x63e6d290
    8bf8 MOV EDI, EAX
    e8f6890000 CALL 0x63e5e0b0
    57 PUSH EDI
    56 PUSH ESI
    68e85ae663 PUSH DWORD 0x63e65ae8
    e8ea0a0000 CALL 0x63e561b0
    83c40c ADD ESP, 0xc
    833df0d1e66300 CMP DWORD [0x63e6d1f0], 0x0
    754c JNZ 0x63e5571e
    8b356000e663 MOV ESI, [0x63e60060]
    68a858e663 PUSH DWORD 0x63e658a8
    ffd6 CALL ESI
    85c0 TEST EAX, EAX
    7524 JNZ 0x63e55707

    4 0042070A Skype.exe
    5 01DF8448 Skype.exe
    6 00406DB4 Skype.exe
    7 77A138F4 kernel32.dll BaseThreadInitThunk +0x24
    8 77D956C3 ntdll.dll RtlUnicodeStringToInteger +0x253
    9 77D9568E ntdll.dll RtlUnicodeStringToInteger +0x21e

    Process Trace
    1 C:\Program Files (x86)\Skype\Phone\Skype.exe [9376]
    2 C:\Windows\explorer.exe [4612]
    3 C:\Windows\System32\userinit.exe [4520]
     
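Added worked example (this is not HitmanPro.Alert or SurfRight code, and the page does not describe the exact rules the product applies): the kind of check a branch-trace based ROP mitigation runs over the "RET ... To" rows of a trace like the one above. Each row names a return target; if the bytes immediately before that target do not decode as a CALL, no legitimate call could have pushed that return address, so the RET is treated as suspect (the "call-preceded" or caller check). The hardware only supplies the from/to pairs (on Intel that is the Last Branch Record facility, which is where the Nehalem-or-newer requirement in the first post comes from); what follows is purely the software side, run over a constructed x86-32 byte buffer. The recognised CALL encodings, the sample bytes, the trace entries and the function names are all assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Call-preceded check (an assumption of this example, not HitmanPro.Alert's
 * rules): a RET may only land on an address whose preceding bytes decode as
 * one of the common x86-32 CALL encodings. Backward decoding on x86 is
 * inherently ambiguous (an E8 byte may sit inside another instruction's
 * immediate), so this is a heuristic, not a proof.
 */
bool is_call_preceded(const uint8_t *code, size_t len, size_t ret_off)
{
    if (ret_off > len)
        return false;

    /* E8 rel32                      call rel32        (5 bytes) */
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8)
        return true;

    /* FF D0..D7                     call r32          (2 bytes) */
    /* FF 10..17 (not 14/15)         call [r32]        (2 bytes) */
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF) {
        uint8_t modrm = code[ret_off - 1];
        if ((modrm & 0xF8) == 0xD0)
            return true;
        if ((modrm & 0xF8) == 0x10 && modrm != 0x14 && modrm != 0x15)
            return true;
    }

    /* FF 50..57 disp8 (not 54)      call [r32+disp8]  (3 bytes) */
    if (ret_off >= 3 && code[ret_off - 3] == 0xFF) {
        uint8_t modrm = code[ret_off - 2];
        if ((modrm & 0xF8) == 0x50 && modrm != 0x54)
            return true;
    }

    /* FF 15 disp32                  call [disp32]     (6 bytes) */
    /* FF 90..97 disp32 (not 94)     call [r32+disp32] (6 bytes) */
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF) {
        uint8_t modrm = code[ret_off - 5];
        if (modrm == 0x15)
            return true;
        if ((modrm & 0xF8) == 0x90 && modrm != 0x94)
            return true;
    }
    return false;
}

/* One "RET ... To" row of a branch trace, reduced to its target offset. */
typedef struct {
    const char *label;   /* descriptive only, e.g. "LoadLibraryExW +0x4c" */
    size_t      to_off;  /* offset of the return target inside `code`     */
} ret_branch;

/* Count the RETs in a trace whose target is not call-preceded (the ROP verdict). */
size_t count_suspicious_rets(const uint8_t *code, size_t len,
                             const ret_branch *trace, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_call_preceded(code, len, trace[i].to_off))
            bad++;
    return bad;
}

/* Constructed sample image (not taken from Skype, Mumble or any real binary). */
static const uint8_t sample_code[] = {
    /* 0x00 */ 0x55,                               /* push ebp            */
    /* 0x01 */ 0x8B, 0xEC,                         /* mov  ebp, esp       */
    /* 0x03 */ 0xE8, 0x10, 0x00, 0x00, 0x00,       /* call +0x10          */
    /* 0x08 */ 0x85, 0xC0,                         /* test eax, eax       */
    /* 0x0A */ 0xFF, 0x15, 0x00, 0x10, 0x40, 0x00, /* call [0x401000]     */
    /* 0x10 */ 0x5D,                               /* pop  ebp            */
    /* 0x11 */ 0xC3,                               /* ret                 */
    /* 0x12 */ 0x58,                               /* pop  eax  <- gadget */
    /* 0x13 */ 0xC3,                               /* ret                 */
    /* 0x14 */ 0xFF, 0xD6,                         /* call esi            */
    /* 0x16 */ 0x85, 0xC0,                         /* test eax, eax       */
};

/* Constructed trace: three legitimate returns and one RET into the gadget. */
static const ret_branch sample_trace[] = {
    { "after call rel32",    0x08 },
    { "after call [disp32]", 0x10 },
    { "after call esi",      0x16 },
    { "pop eax; ret gadget", 0x12 },
};

int main(void)
{
    for (size_t i = 0; i < 4; i++)
        printf("%-22s to +0x%02zx : %s\n", sample_trace[i].label,
               sample_trace[i].to_off,
               is_call_preceded(sample_code, sizeof sample_code,
                                sample_trace[i].to_off) ? "ok" : "SUSPICIOUS");
    printf("%zu suspicious RET(s)\n",
           count_suspicious_rets(sample_code, sizeof sample_code, sample_trace, 4));
    return 0;
}
```

Two practical caveats follow directly from the trace above. First, an inline hook library that overwrites the first bytes of an API and later returns into its own handler produces exactly this shape (the trace shows a RET from LoadLibraryW +0x5 landing in mumble_ol.dll's RemoveHooks), which is why such mitigations need per-module exclusions and why erikloman asks what mumble_ol.dll is. Second, because x86 instructions are variable-length, an attacker can pick gadgets whose preceding bytes happen to look like a CALL, so a caller check is one layer and is usually combined with stack-pivot and other checks rather than relied on alone.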
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What is mumble_ol.dll? Looks like the source of the problem.
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I have no answer, I hope someone here can answer this.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik and HansF

    Yes, you have to run the test in the Firefox sandbox. Just running the test outside it starts Firefox and that's it. But if I allow the test exe to run in the Firefox sandbox, and then right-click on the test tool and have it run sandboxed in the Firefox sandbox, HMPA shuts down Firefox just fine.

    Pete
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,909
    Location:
    .
    3.1.0 build 344 :)
     
    Last edited: Dec 11, 2015
  16. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118

    It's a .dll file from the Mumble 1.3.0 installation. Please download the latest snapshot version http://wiki.mumble.info/wiki/Main_Page and extract the .MSI file with e.g. 7-Zip. You will have the file right in the folder.

    VT report: ~ Removed VirusTotal Results as per Policy - PM Developer ~

    I have also noticed that HitmanPro.alert blocks my keyboard randomly during Windows' startup. I'm using this keyboard atm: http://gaming.coolermaster.com/en/products/keyboards/quickfire-xti/ (latest firmware)

    Platform 10.0.10586/x64 06_3c

    Keyboard name Quickfire XTi
    Hardware ID HID\VID_2516&PID_002E&REV_0114&MI_00
     
    Last edited by a moderator: Dec 11, 2015
  17. HansF

    HansF Registered Member

    Joined:
    Dec 10, 2015
    Posts:
    24
    Yes, Peter, launching the exploit test tool inside the Firefox sandbox makes HMPA react as expected, and I think it's logical because, if I were to visit a compromised website containing malicious code that led to an exploit, for example, the code would be executed inside the sandbox. When I couldn't see that the question had previously been asked, I became unsure and asked. Thanks.
     
    Last edited: Dec 11, 2015
  18. cavehomme

    cavehomme Registered Member

    Joined:
    May 19, 2010
    Posts:
    128
    Location:
    Alps
    Does anyone have specific recommendations for getting Bitdefender AVP 16 working smoothly with HMPA latest stable please? For example, I assume that the BD settings for ransomware should be turned completely off since HMPA deals with that? Anything else to consider?

    I've been trying to get the two working together with constant problems particularly getting big slowdowns and even BSOD....but that happened with BD Ransomware switched on. Switched off, still getting performance issues.

    If reinstalling, which of these 2 should be installed first, any difference or importance in this respect?

    Thanks!
     
    Last edited: Dec 12, 2015
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you send the minidump from C:\Windows\Minidump\ to erik@surfright.com via www.wetransfer.com?
     
  20. PoodleDoodle

    PoodleDoodle Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    6
    Sorry to report again. 344 still fails Unpivot Stack for me....
     
    Last edited: Dec 13, 2015
  21. superssjdan

    superssjdan Registered Member

    Joined:
    Dec 11, 2011
    Posts:
    148
    Location:
    USA
    One of the best investments I've made in a long time. I could kick myself for not purchasing sooner. Don't even notice it's there. Plays nice with everything on the PC I have it installed on. Superb job by the dev team.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    I agree, and I think it's going to get even better.
     
  23. CCV

    CCV Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    44
    Location:
    Tasmania
    [attached screenshot: IE_error.jpg]
    Selective startup with only hmpa service disabled, where IE works fine, reveals that it is Hitmanpro.alert causing the problem.
    Applied to build 340 too, but I don't use IE often. Hence my failure to notice sooner.

    I don't remember having any issue like this before the latest upgrade to Win 10.
    Version 1511 (OS Build 10586.29) Pro x64
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,678
    Location:
    USA
    Not being offered yet?
     
  25. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118

    Still getting this after 344 update.
     