HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    thanks Krusty - i think i need a license to do that & don't have one on this PC
     
  2. CCV

    CCV Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    44
    Location:
    Tasmania
    Couldn't say, but... You would need to go Settings > Advanced Interface to do it anyway.
     
  3. plat1098

    plat1098 Guest

    Hello--hopefully this is posted in the right forum. The two items are:

    1. StackPivot
    2. Anti-VM

    The former occurred during system refresh of W8.1 and almost certainly contained some kind of ransomware as there were a slew of errors in Event Viewer involving VSS, Media Player, etc. As there was resultant damage to the freshly installed OS, I just loaded W10. Because I have a Lenovo machine, it's extremely useful and convenient to use the Solutions Center software to get the proper drivers for this specific model. Well, this item didn't work and come to find that it had very recently been replaced with three other programs due to remote code execution vulnerabilities. OK, I install these and while installing a driver, an Anti-VM was mitigated and the process blocked.

    Please explain how a stack/pivot exploit operates. With the Anti-VM, I'd like to know what kind of malware was looking to install itself and what was it using to ride in on. Was it an installation file? Could one say the new Lenovo System Update software is still vulnerable? Any replies are very important and are gratefully accepted. If you need the full Anti-VM report, it's still in Event Viewer, please instruct how to obtain it. The screenshot of the stack/pivot is all I have remaining of that incident.

    Regards, plat1098

    VM attack lenovo.PNG shield report.PNG
     
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,310
    Location:
    Hollow Earth - Telos
    What is the latest HMPA stable build. I have built 343 now. I thought i would be auto updated to the new stable build.
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Build 351 will go out tomorrow morning via auto update.
    http://test.hitmanpro.com/hmpalert3b351.exe
     
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,332
    Location:
    the Netherlands
    HMPA 3.1.0.343 is the latest non-prerelease build, all later builds had the status prerelease.
    And there was no auto update since the update to 3.1.0.340, see my January 11 post.
     
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,332
    Location:
    the Netherlands
  8. hitman_user

    hitman_user Registered Member

    Joined:
    Nov 25, 2015
    Posts:
    18
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    HI plat1098

    Did you scan your system. How are you sure these aren't false positives?

    Pete
     
  10. plat1098

    plat1098 Guest

    Absolutely, yes! Insofar as these being false-positives, how could you determine that? It would be great if these were, both of them. I have the report of the incident if that would help establish whether the Anti-VM mitigation specifically is a false-positive or not. I just don't know how to get it out of Event Viewer. I am very, very doubtful the stack/pivot exploit was falsely reported. Believe me, it happened!

    plat1098
     
  11. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    Has anyone observed behavior similar to the alt key sticking when alt+tabbing w/keystroke encryption enabled on build *.351?

    I turned keystroke encryption on, rebooted, and noticed that sometimes task switching would stick like I was holding the alt key. After toggling keystroke encryption off in HMPA, it stopped doing it. I'm on Windows 10.

    *EDIT* Looks like it's only affecting Chrome 47.x

    1. Enable keystroke encryption.
    2. Click on a Chrome window to ensure it's the foreground app.
    3. Alt+tab. Alt key acts stuck.

    Disable keystroke encryption, issue doesn't happen.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Plat

    Being in the event view doesn't add any more then the pop ups you got. If you've scanned with Hitman Pro, and a couple of other good scanners and they got not hits its probable it's a false positive. Also what other symptoms did you see?
     
  13. plat1098

    plat1098 Guest

    I'm interpreting this as a mitigation notice is only legit if malware is discovered in a subsequent scan. Is that the correct interpretation? I thought the primary objective of a shield is to keep the garbage OFF the machine, no? You're supposed to dismiss all notifications like this unless you have malware? I don't get it.

    My machine is missing several key drivers and use of the very new software that replaces the one apparently exploited and hacked to death yields me a mitigation notice in the form of a clear screen overlay with the HitmanPro insignia stating my computer is attacked and to scan for malware now. Knowing the circumstances of this software, I take this at face value. It never, ever occurred to me to dismiss this as a false-positive.

    As just one example, after the stack/pivot occurred, I had no flash player-- at all, anywhere. Not in Control Panel, Programs, nowhere. After loading numerous Windows updates, no flash. Shutdown/startup, no flash. The next day, flash player was mysteriously there.

    I'd requested some descriptions of stack/pivot and Anti-VM exploits as there were notices my machine was attacked by these. I'm understandably reluctant to install anything via Lenovo right now. That was it: my request for further information so I can figure out what to do.

    plat1098
     
  14. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India

    I also started seeing this behaviour on W10. How ever not only with 151 build, but also with the stable build.

    I will check and see if toggling keystroke encryption does fixes the issue later in the evening.

    Also, unlike yours, I have this problem system wide.
    B/w I am on freeware mode (i. E., Mitigations are disabled)
     
  15. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
  16. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Erik,
    Also, I would like to know if there will be any promotional offers or like in a month or two. Because I would like to buy an license, however the price is little uncomfortable for me.
    If there are not going to be any offers in the near future, I will then go ahead and purchase.
    Please do let me know.
    Thanks, Harsha
     
  17. OMF PhD

    OMF PhD Registered Member

    Joined:
    Jan 19, 2016
    Posts:
    6
    @erikloman
    Hello, I remember having spoken to you before at Bleeping. I have been very pleased with your products since then and for that I would like to thank you. Now, this all new javascript, NW.js, ransomware that the gentleman from Emisoft first wrote an article about has me a little worried. I was really wondering, has your ProAlert come up against the new Ransom32? If so has it successfully blocked it?
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Of course, HitmanPro.Alert 2.5 from November 2013 already catches Ransom32. Nothing new.

    Ransom32.png
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I cannot comment om promotional offers in the future. I see you are a Wilders member for quite some time. Please check your PM in a few minutes.
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.1.1 Build 351 RELEASED

    A of this minute, this build is being pushed via automatic update.
     
  21. OMF PhD

    OMF PhD Registered Member

    Joined:
    Jan 19, 2016
    Posts:
    6
    November 2013? It's not that I'm doubting you, and I do actually recognize your image from a while back, like summer of last year, when I first bought your products, but that seems odd when this just hit the news, early this month, and was supposedly just first discovered quite recently
    "January 4th 2016-
    Researchers this week turned up a new ransomware-as-a-service operation that pushes the first ransomware coded entirely in JavaScript."

    That's also supported by:
    http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/
    http://www.computerworld.com/articl...ipt-based-ransomware-spotted-in-the-wild.html
    http://www.bleepingcomputer.com/for...om-32-article-picked-up-by-bbc-computerworld/

    What am I missing or misinterpreting here? Is it just that it's being sold as a service now? If it's just that, I feel amazingly silly and I'm sorry to have wasted your time.
     
  22. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    What @erikloman meant was that if you were running HitmanPro.Alert version 2.5 today (which we released in November 2013), you'd be perfectly safe against Ransom32, a new cryptoware that is making the rounds today.
     
  23. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    496
    Location:
    italy
    No problem to report so far (Autoupdate, 10 x64 build 10586.63)

    :)
     
  24. OMF PhD

    OMF PhD Registered Member

    Joined:
    Jan 19, 2016
    Posts:
    6
    Oh, I'm sorry I misunderstood. Now that makes perfect sense and that is amazing, so I must reiterate how happy I am with your product. One last last question, I bought a 1 year license for 1 PC last summer and that's going to be passing soon. I plan on buying a 3 year 3 PC license, but I only need it for 2 PCs. Is it ok if I gift the 3rd to a friend of mine overseas in England?
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,419
    Location:
    Under a bushel ...
    PDF-XChange Editor self-update generates this intercept. How do I get around this?

    2016-01-19_123342.jpg

    Edit: Tried disabling Exploit Mitigations, but still intercepted.
     
    Last edited: Jan 19, 2016
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.