HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
The vendor has defined the scope of the software for general use; however, you were also given a way to expand the coverage, so why do you continue to be unhappy? Why don't you go ahead and add mitigations to the additional processes and let us know how it goes?
     
  2. hjlbx

    hjlbx Guest

    I can tell you with absolute certainty that both

    @erikloman
    @markloman

    are not lazy.

In all the chaos that is development, they must prioritize fixes - while at the same time continuing on with further feature introduction and refinement.

    They have a robust beta program - I don't see them rushing to release version after version.

    This is how it works.

    It is normal for softs to be released with minor bugs (counted in terms of X per 1000 lines of code) that still need to be fixed.

    OS updates, soft updates, user changes to system - all conspire to introduce new bugs and issues.

The more innovative and technically complex a soft - like HMP.A - the more likely there are to be bugs and issues.

    Finally, there are a whole host of factors, circumstances and considerations that legitimately influence development choices and timelines.

    Everyone wants everything fixed yesterday... I can't speak for them directly, but I know they are quite familiar with this unreasonable expectation on the part of users.

    Sometimes it takes a very long time to fix things - for a whole lot of different reasons, it could be years in some cases.

    This is the reality of soft development generally - and has nothing to do with willingness or laziness.

    You should give them more credit.

    I know for a fact that they share our frustration when something is not working quite right.
     
    Last edited by a moderator: Jan 24, 2016
  3. hjlbx

    hjlbx Guest

    @erikloman

    Does HMP.A protect Apps that run from within the App container ?

    Since Apps cannot be added manually to HMP.A through the Exploit Mitigation > Running Applications wizard, I assume the answer is "No."

    I know there are some technical differences between Apps and portable executables, but - honestly - my understanding on this one is quite limited.

    There is no need to protect Apps from exploits ?
     
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    @erikloman
    @markloman

I tried to play a DVD from GOM Player, but accidentally started it in Windows Media Player.
    This resulted in a HMPA alert mentioning a combination of Windows Media Player, G Data Internet Security and GOM Player elements.

    About the same thing happens when I try to play a DVD with Windows Media Player (except there is no role for GOM Player).

    Windows Vista SP2 x86
    HMPA 3.1.1.351
    G Data IS 25.1.0.10

    N.B. No issue with WMP, HMPA and G Data IS on Windows 7 SP1 x64

    Is this the first serious HMPA - G Data IS conflict?
    I hope you can fix this issue.

    Event log:
    Code:
    Provider     HitmanPro.Alert
    EventID      911
    Qualifiers   0
    Level        2
    Task         9
    Keywords     0x80000000000000
    Channel      Application
     
     
    Mitigation   Shellcode
     
    Platform     6.0.6002/x86 06_17*
    PID          7268
    Application  C:\Program Files\Windows Media Player\wmplayer.exe
    Description  Windows Media Player 11
     
    052B0B1F    8bff                     MOV          EDI, EDI
                55                       PUSH         EBP
                8bec                     MOV          EBP, ESP
                81ece4020000             SUB          ESP, 0x2e4
                a1c8b5f163               MOV          EAX, [0x63f1b5c8]
                33c5                     XOR          EAX, EBP
                8945fc                   MOV          [EBP-0x4], EAX
                8b4508                   MOV          EAX, [EBP+0x8]
                8b4d0c                   MOV          ECX, [EBP+0xc]
                53                       PUSH         EBX
                56                       PUSH         ESI
                57                       PUSH         EDI
                898520ffffff             MOV          [EBP-0xe0], EAX
                898d1cffffff             MOV          [EBP-0xe4], ECX
                64a118000000             MOV          EAX, [FS:0x18]
                8b4030                   MOV          EAX, [EAX+0x30]
     
    Code Injection
    01460000-01461000    4KB C:\Program Files\G Data\InternetSecurity\AVKTray\AVKTray.exe [7832]
    1  C:\Program Files\G Data\InternetSecurity\AVKTray\AVKTray.exe [7832]
    2  C:\Program Files\G Data\InternetSecurity\AVK\AVKWCtl.exe [1984]
     
    Process Trace
    1  C:\Program Files\Windows Media Player\wmplayer.exe [7268]
    "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "W:\"
    2  C:\Program Files\GRETECH\GomPlayer\GOM.EXE [6620]
    3  C:\Windows\explorer.exe [7576]
    4  C:\Windows\System32\userinit.exe [4052]
    5  C:\Windows\System32\winlogon.exe [7572]
    winlogon.exe
    6  C:\Windows\System32\smss.exe [6336]
    \SystemRoot\System32\smss.exe 00000000 00000034
     
    

    Windows Media Player only, with no role for GOM Player:

    Event log:
    Code:
    Provider     HitmanPro.Alert
    EventID      911
    Qualifiers   0
    Level        2
    Task         9
    Keywords     0x80000000000000
    Channel      Application
     
     
    Mitigation   Shellcode
     
    Platform     6.0.6002/x86 06_17*
    PID          7440
    Application  C:\Program Files\Windows Media Player\wmplayer.exe
    Description  Windows Media Player 11
     
    061E0AA1    8bff                     MOV          EDI, EDI
                55                       PUSH         EBP
                8bec                     MOV          EBP, ESP
                81ece4020000             SUB          ESP, 0x2e4
                a1c8b55c66               MOV          EAX, [0x665cb5c8]
                33c5                     XOR          EAX, EBP
                8945fc                   MOV          [EBP-0x4], EAX
                8b4508                   MOV          EAX, [EBP+0x8]
                8b4d0c                   MOV          ECX, [EBP+0xc]
                53                       PUSH         EBX
                56                       PUSH         ESI
                57                       PUSH         EDI
                898520ffffff             MOV          [EBP-0xe0], EAX
                898d1cffffff             MOV          [EBP-0xe4], ECX
                64a118000000             MOV          EAX, [FS:0x18]
                8b4030                   MOV          EAX, [EAX+0x30]
     
    Code Injection
    00060000-00061000    4KB C:\Program Files\G Data\InternetSecurity\AVKTray\AVKTray.exe [7832]
    1  C:\Program Files\G Data\InternetSecurity\AVKTray\AVKTray.exe [7832]
    2  C:\Program Files\G Data\InternetSecurity\AVK\AVKWCtl.exe [1984]
     
    Process Trace
    1  C:\Program Files\Windows Media Player\wmplayer.exe [7440]
    "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "W:\"
    2  C:\Windows\explorer.exe [7576]
    3  C:\Windows\System32\userinit.exe [4052]
    4  C:\Windows\System32\winlogon.exe [7572]
    winlogon.exe
    5  C:\Windows\System32\smss.exe [6336]
    \SystemRoot\System32\smss.exe 00000000 00000034
     
    
     
    Last edited: Jan 24, 2016
  5. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    Bug\Quirk

    HMP.A 3.1.1 build 351

    • Enabled - Colored border
    • Enabled - Show live keystroke encryption
    • Disabled - Auto-hide colored border

    W8.1 x86-64 - Clean Install

1. WPS (Kingsoft) 9.1.0.5234 (32-bit) WPS is an office suite very similar to Microsoft Office.
    2. NitroPDF Reader 3.5.6.5 (32-bit)

    With WPS, colored border will sometimes appear, sometimes it will not. Fly-out always appears (auto-added to Exploit Mitigations).

    With NitroPDF, neither colored border nor fly-out will appear (but is auto-added to Exploit Mitigations).
     
  6. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    Bug\Quirk

    HMP.A 3.1.1 build 351
    • Enabled - Colored border
    • Enabled - Show live keystroke encryption
    • Disabled - Auto-hide colored border
    W8.1 x86-64 - Clean Install
    1. Use any browser
    2. Download file
    3. Save as\to
    4. When Windows Explorer opens - there are double green HMP.A borders with one offset (this does not always happen - most of time, but not all of the time)
     
  7. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    I wonder if there are any publicly available statistics on the comparative infection rates of various Windows operating systems -- including Windows 10.

    It would be interesting for professional testers (say, an AV company or a testing lab) to install the same security software on machines running all OSes from XP to Win10, then expose them to the same malware, and see how each OS performs.
     
  8. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Also on Windows 10 users will keep infecting themselves. With regard to outdated software: As long as software contains a sandbox (MS Edge, Chrome, Adobe Reader) you should still be relatively safe.
     
  9. CCV

    CCV Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    44
    Location:
    Tasmania
    A question about Excluded Applications in hmpa;
    Should there appear a list of any exclusions and, if so, where can it be found?

    The reason I ask is that I apparently successfully excluded iexplore.exe - IE works now - yet interface looks like this

    hmpa_exclude.jpg

    Fwiw:
    I also excluded IE in avast! (Web shield - Processes), removed the avast! plug in from IE, but still it wouldn't work.
    Using Procmon I found it seems avast! Self Protection Module is involved when running IE, but even with that disabled IE still couldn't be launched.

    Scanning through posts in this thread gave me the idea of using the Exclude option.
    Generally speaking, from experience, I'd expect a list of exclusions where you can select and remove any items.
    At a guess tho, I suppose I can use Safe browsing and Exploit mitigation panes to restore protection for IE. I have previously disabled those for IE.

    Any thoughts appreciated.
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    That's a good question; I don't know if there's a list of excluded processes somewhere. You should be able to add IE back though by running it, then clicking on the Mitigations tile and selecting "Running applications".
     
  11. CCV

    CCV Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    44
    Location:
    Tasmania
Thanks Victek. I guess that would work.
    I don't need IE really, but figured there must be some way to get it to work. Excluding it from hmpa seems to be the only way - with avast! running alongside.
    It used to be the case that IE was needed to use the Windows Update site. Would be handy still to check for "Optional" updates, but since Win 10 (or earlier, idk) it doesn't work that way any more. I can find the optional updates listed, using a Show/Hide Updates utility, but looks like there's no way to download them from MS any more.
    Certainly their Intel driver updates aren't welcome on a Dell machine anyway, but others might be useful.

    Cheers.
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.1.2 Build 352 PreRelease

    Changelog
    • Improved CryptoGuard mitigation
    • Improved BadUSB mitigation
    Download
    http://test.hitmanpro.com/hmpalert3b352.exe

    Please let me know how this version runs on your computer :thumb:

    @malware1 the strings are not yet in this build (they are in Alert 3.5 which will appear in the coming weeks).
     
  13. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
After a problem in Opera 12.15... sluggish response, so I closed it and restarted it.

However, when it started I got an alert when the browser loaded, immediately. This has occurred twice now... and also my computer is virtually unresponsive until I close out the browser.

    I have managed to get the following screenshots, and I am posting via Vivaldi browser.

    ScreenShot_HMP.A _intruder alert_unknown_01.gif ScreenShot_HMP.A _intruder alert_unknown_02.gif

    P.S. I could only get the screenshots, separately per each of two tries to load Opera browser.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Erik,
    I'm getting fly-outs but no border around protected applications, for example Windows Live Mail (Other template) and Cyberfox (Browser template). Also, no keyboard encryption indicator.

    Thanks,
    Dave
     
  15. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    @Krusty13 :
I had to disable and re-enable the corresponding options to get these functions back.
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Thanks. Did you have to restart for the setting change?
     
  17. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    @Krusty13 :
While figuring it out, I restarted two times...
I don't remember if it was mandatory for it to take effect.

    You may think about resetting all, if nothing else works...
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I've tried without restarting without success. I'll have to restart after each change to see if that works.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Well that's odd! The border and keyboard encryption indicator on my other machine wasn't working either but I left it while I was dealing with the first machine. When I came back to the second machine they were working without me doing anything. o_O

    Edit: Well, it isn't working with Windows Live Mail every time I open it. @erikloman ?
     
    Last edited: Jan 26, 2016
  20. guest

    guest Guest

I found out that you have to select the "media" mitigation when you want to protect the Windows Apps.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    However I'm not talking about the Mail application. I meant what I wrote, Windows Live Mail, and it has been protected in the Other template since I started using the first betas of HMP.A 3.

    Thanks.
     
  22. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
Got a big issue on my laptop with HitmanPro.Alert, and it's very big.

    For troubleshooting purposes, there is no EMET or MBAE installed.
    Only other security software is windows firewall and avast.

    Windows version is 8.1 pro fully up to date.

I initially thought everything was ok. Then I tried to access the event viewer and got an error "file system error" with a long negative numerical code.
Rebooted laptop, it gets to the login screen very slowly, after entering password nothing happens, just blue screen, I/O light flickers on and off at static intervals.
    Safe mode boots normally.

If I uninstall HitmanPro.Alert in safe mode, it can then boot up normally again and no event viewer errors.
    Reinstall hitman pro alert and it breaks again as before, broken event viewer and non functional boot.

I tried disabling all the risk reduction stuff but to no effect.

It's fine on my win10 rig and that also has avast with same config as the laptop.

    The one thing different on the laptop is it has no hardware assisted protection icon (probably as it has a rubbish cpu)

    So that might be relevant.

    Also on all 3 systems the scan button always says a scan has never been run when it has.
     
    Last edited: Jan 27, 2016
  23. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    No problems upgrading build 352 PreRelease. Also no problems with Firefox 44.0.

    Win10 1511 build 10586.63 x64/Norton Security with Backup v22.5.5.15
     
  24. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    Bug\Quirk (o_O)

    HMP.A 3.1.1 builds 352 and earlier

    W8.1 x86-64 - Clean Install

    Launch any Windows or Windows Store Apps (e.g. Mail, OneDrive, Calculator, Help, etc, etc)

    Exploit Mitigations > Running Applications > Does NOT detect any Windows (formerly Metro) Apps or Windows Store Apps

    W10 users can add certain Windows & other Apps to HMP.A protections.

    App Container different between W8.1 and W10 ?
     
    Last edited by a moderator: Jan 27, 2016
  25. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Yes, because of the difference between Windows 8.1 and Windows 10, adding Windows Apps or Windows Store Apps is currently supported on Windows 10 only.
     