HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,331
    Location:
    the Netherlands
    I had the same issue with PDF-XChange Viewer, last week.
    PDF-XChange Viewer and Editor both use Tracker Update (TrackerUpdate.exe).
    See last week's series of posts regarding Tracker Update lockdown: A, B, C, D and E.
    Despite the lockdown, by simply ignoring that alert, PDF-XChange Viewer could be updated successfully, or so it looked to me.
    Just to be sure, I downloaded and ran PDF-XChange Viewer's current installer, thus bypassing Tracker Update.
    As I mentioned last week, I think that it might be wise if SurfRight could have a look at HMPA's reaction to TrackerUpdate.exe.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,419
    Location:
    Under a bushel ...
    Thanks @Stupendous Man. Tracker Update didn't do its job, because of the Lockdown. And I am not sure how to bypass that.
    I have also subsequently downloaded the PDF-XChange Editor installer and updated fine that way.
    I have used Tracker Update successfully before with HMPA, so I guess some code related to this has changed.
     
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,331
    Location:
    the Netherlands
    Thanks, paulderdash.

    @erikloman
    As I mentioned, I think that it would be wise if SurfRight could have a look at HMPA's reaction to TrackerUpdate.exe.
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,029
    No problems with Flash 20.0.0.286, Firefox 43.0.4 and build 351.

    Win10 1511 build 10586.63 x64/Norton Security with Backup v22.5.5.15
     
  5. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    496
    Location:
    italy
    I'm frankly pleased with the latest build... even if this issue has not been fixed again :rolleyes:

    IMO it's too easy to accidentally change a setting...

    For example, on double-clicking (accidentally/distractedly) the Deluge icon in the main GUI, Null page mitigation switches to OFF since it is in the same position...
     

    Last edited: Jan 19, 2016
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    HitmanPro.Alert (HMPA) works in tandem with HitmanPro, meaning when HMPA blocks and notifies, you then click on "scan", which loads HitmanPro to find/remove malware. An alert doesn't necessarily mean there is malware on the machine; it means that some software is acting like malware. For instance, it has been noted that some legit software uses ROP and looks like an attack to HMPA. If HitmanPro doesn't find anything, then it may be the case that legit software is causing the problem and it's time to ask SurfRight support for help. As for keeping malware off of the machine to begin with, that's the job of real-time AV/AM.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The problem is TrackerUpdate is being created by PDF-XChange, most likely. Solution: go to the PDF-XChange mitigations and temporarily turn off application lockdown. I have the same issue with PowerArc. I have it protected, but that means I have to turn off app lockdown to extract any executable.

    Pete
     
  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    If the mitigation is triggered, it _prevented_ malware from getting on the machine. So most likely a scan will not reveal an infection.

    If an intruder alert is triggered, the scan should reveal an infection.

    Regarding the Anti-VM mitigation, if you use software which probes whether it is running in a virtual machine, you might want to nudge the Vaccination setting down to Passive (from Active).
     
  9. stvs

    stvs Registered Member

    Joined:
    Mar 17, 2013
    Posts:
    34
    Location:
    greece
    Hi Erik, I have the free HMP.A. I use it only for the browser, so the free HMP.A lacks the exploit mitigations and it uses only safe browsing. So do I also need the exploit mitigations, or is it enough?
    Is the free version enough for browsing?
    2nd question: the free HMP.A doesn't protect from ransom; however, in the past, earlier free versions had that protection. Thanks.
     
  10. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,029
    Again a keystroke encryption-problem (build 351).

    Win10 1511 build 10586.63 x64/Norton Security with Backup v22.5.5.15
     
  11. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    The Safe Browsing only protects against malware trying to hook into functionality provided by the browser and does not protect against exploits.

    CryptoGuard v2, present in Alert v2, does not protect against all of the most recent crypto ransomware; for that you need CryptoGuard v3, present in Alert v3.
     
  12. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    Erik,

    Can you please comment: has this issue in post #8128/8140 with IE11 ever been addressed? I've uninstalled HMPA because I'm having the same issue; it prevents IE11 from starting on my system AND also prevents some desktop icons from opening. Would like to continue using it but it's useless on my system.

    Please advise!
     
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    Have you done any troubleshooting? For instance it could be a compatibility issue with Zemana AM and/or Bitdefender AV Plus.
     
  14. plat1098

    plat1098 Guest

    Ah, so that's it. There can be two notices generated, one for an actual intrusion, and one for detection. Yes? With all due respect to the developer, I'm afraid to "nudge" anything because I don't know what a lot of this means. The reason I'm being so persistent is that the Lenovo software contains a hardware scan, people use that, I use that or did. If it's vulnerable, theoretically, your BIOS can get infected, your motherboard corrupted, etc, esp. if you're not protected. So, how do I go about seeing if this was a ROP issue, as this occurred during installation of a driver? That would indeed make this a false-positive and I can proceed with getting my machine straightened out.

    I'm still really curious about the stack/pivot. I'll admit I was asking for it as I brainlessly opened Internet Explorer without loading some 200 Windows updates first. Cha! The clear notice with the green bar and Attack! appeared the instant I opened IE to the MSN homepage (the date was 12/15/2015 to verify the appearance of the mitigation notice). No malware at all but there was a line of red Xs all the way down System in Event Viewer. Bad! How does the stack/pivot exploit operate?
     
  15. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    In the beginning it wasn't an issue with my other software, then it devolved in later builds. I haven't messed with it because I don't have the time or desire to mess with it. Just wondering if it was ever addressed so I could re-DL it.
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,104
    Location:
    USA
    I understand. The problem is all of the software is changing, not just HMPA, and the more layers we use the more potential for conflicts. At least if you isolate the conflict you can decide what to use and what to lose :)
     
  17. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    Correct, everything else coexists perfectly fine; hate to break up my armor for one security suit. Thanks :thumb:

    Anyone else having issues with IE11?

    Erik?
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Plat

    Something just clicked. Turn off all of Lenovo's silly stuff. I don't use any of their stuff. I selectively update Windows and I have my own security setup. PM me if you want to know what I use.

    Pete
     
  19. Bugbatter

    Bugbatter Security Expert

    Joined:
    Jun 2, 2004
    Posts:
    14
    Location:
    USA
    Last edited: Jan 19, 2016
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Bugbatter

    Minor technicality, but it's not HitmanPro, it's HitmanPro Alert. They are two different programs.

    Pete
     
  21. Bugbatter

    Bugbatter Security Expert

    Joined:
    Jun 2, 2004
    Posts:
    14
    Location:
    USA
    Thanks. OP was not able to post a screenshot at Lenovo so we couldn't confirm the exact product. I'll edit my post above. :thumb:
     
  22. malware1

    malware1 Registered Member

    Joined:
    May 26, 2014
    Posts:
    133
    That's just a false positive. I had similar issues while installing a driver too, I think it's due to the used setup program. I reported it in this thread but I haven't received a reply.
     
  23. malware1

    malware1 Registered Member

    Joined:
    May 26, 2014
    Posts:
    133
    @erikloman @markloman
    I understand that you guys might be busy, but it's really hard to get any response from you. I just sometimes feel that I'm constantly ignored.
    You released a new build with some new strings, I updated my translation and asked to update it in this thread. No reaction. Could you take a moment to confirm that the message has been noticed and that you have replaced it?
    I know that you might be fed up with my frequent translation updates, but I can assure you that this time it was done purely to add the new strings introduced in one of the recent builds. You should be happy that a user tries to keep it up-to-date on a regular basis.
    Also, the translation of HitmanPro (the on-demand scanner) still hasn't been replaced in the new builds although you received it many weeks ago, could you please take care of this as well?
    Thank you!
     
  24. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    ^^^ This is why I've uninstalled HMPA and will not be renewing my license; it's not worth my time.
     
  25. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    Thanks a lot! I have been seeing this on my system for like 2-3 weeks too but never thought of HPA being the culprit.

    I can confirm this for HMPA 3.1.0 build 340 on up2date Win 8.1 Pro x64 (also using EAM 11.0.0.6054).
    EDIT: Still happens with HMPA 3.1.1 build 351.

    It only happens for the applications in the browsers list:

    To reproduce it:
    • Make sure the web browser is the active window.
    • Press and hold [LEFT ALT] then press [TAB] to change to another application. What happens now is that the task switcher window remains on screen after all the keys have been released which is not the intended behaviour on Windows.
    • Disabling the "Keystroke Encryption" in HPA immediately removes this effect/bug. You do not even need to restart the browser.
    • It does not happen when you switch from another window to the web browser. It only happens when you want to switch away from the browser.
    What happens is actually not so uncommon: You can create the same behaviour when you press and hold [RIGHT ALT] and then press [TAB]. When you now release both keys, the task switcher window does not disappear. You can, btw, do the same if you press and hold [LEFT ALT]+[CTRL] and then press [TAB]. (Since the Ctrl-key modifies the left Alt-key to the right Alt-key.) That's also intended behaviour on Windows so you are able to choose the window you want to switch to without the need to hold down the Alt-key all the time.

    Also: If you add the browser to the exclusion list but leave the "Keystroke Encryption" feature enabled, this bug does not happen for it. So it really only occurs for protected web browsers with activated "Keystroke Encryption".

    Would be awesome if you could come up with a fix. :)

    EDIT: Also another minor GUI bug I've just noticed in the "Your web browsers" window.
    • Click on one of the web browsers on the left and then immediately (less than 1s after clicking) move your mouse cursor to the right area (beyond the dark shadowy line).
    • The settings on the right will appear for a split second and then disappear.
    • You need to click on one of the web browsers on the left (and wait for ~1s) to make it appear again.
     
    Last edited: Jan 19, 2016