Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.
Ah, OK -- thanks!
I'm not sure whether this is correct, but maybe @erikloman can confirm - I was able to add steamwebhelper.exe by doing the following:
1. Navigate to HKLM > SOFTWARE > HitmanPro.Alert.
(You'll see all your mitigated apps here as a list of keys.)
2. Right-click the HitmanPro.Alert key, click New > Key, and name it steamwebhelper.exe.
3. Click once on your new key, and in the right-hand panel right-click > New > String Value.
4. Right-click your new string value and rename it to the path to steamwebhelper.exe (e.g. C:\Program Files (x86)\Steam\bin\steamwebhelper.exe).
In my case, after rebooting, it showed up in the HMP.A GUI and I was able to select mitigations. I'm not sure there's any way to verify whether it's working, because Steam wraps the web helper in another process, so you won't actually see the blue border (assuming my steps here are correct, of course).
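The same steps as a script, added here as an example; this is not code from the thread or from the HitmanPro.Alert vendor. It follows the key layout the post above describes (a key per executable under HKLM\SOFTWARE\HitmanPro.Alert, holding a string value whose name is the full path). The poster was not certain of that layout, and a later reply notes that the existing values carry a short hash, which this script does not know how to produce, so the empty value data is an assumption. It lists the existing entries first so you can compare before adding anything, and it has to be run from an elevated PowerShell session because it writes to HKLM.

```powershell
# Added example (not from the thread or the vendor): the manual Registry Editor
# steps above, done from an elevated PowerShell session.
# Assumed layout, taken from the post above: HKLM\SOFTWARE\HitmanPro.Alert\<exe name>
# holding a string value whose NAME is the full path. A later reply says the
# existing values carry a short hash; this script does not know that format and
# writes empty value data, which is an assumption.

$base = 'HKLM:\SOFTWARE\HitmanPro.Alert'
$exe  = 'steamwebhelper.exe'
$path = 'C:\Program Files (x86)\Steam\bin\steamwebhelper.exe'   # default Steam install location

# 1. Show how the already-mitigated apps are stored, so the new entry can be
#    compared against them before anything is written.
Get-ChildItem -Path $base | ForEach-Object {
    Write-Host "[$($_.PSChildName)]"
    foreach ($name in $_.GetValueNames()) {
        Write-Host ("  {0} = {1}" -f $name, $_.GetValue($name))
    }
}

# 2. Refuse to register a path that does not exist on this machine (the posted
#    .reg file has the same limitation: it only fits the default Steam location).
if (-not (Test-Path -LiteralPath $path)) {
    throw "Executable not found: $path (is Steam installed in the default location?)"
}

# 3. Create the per-executable key and the string value named after the path.
$key = Join-Path -Path $base -ChildPath $exe
if (-not (Test-Path -LiteralPath $key)) {
    New-Item -Path $key | Out-Null
}
New-ItemProperty -Path $key -Name $path -Value '' -PropertyType String -Force | Out-Null

# 4. Read the key back. The post says the entry shows up in the HMP.A GUI
#    after a reboot; nothing here verifies that the mitigation is active.
Get-ItemProperty -Path $key | Format-List
```

If the listing in step 1 shows the existing values holding hash-like data rather than empty strings, match that format instead of relying on the empty value written here.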
Yeah, I found that part of the registry, but each string value has a short hash code assigned to the path.
From what I see, I chose my own hash that's the right length, and then set a matching hash in the profile area.
Imported it now; will attach the .reg file I used.
Does that process show in the task manager? If so why not just add that one to HMPA while it's running?
Working perfectly after I rebooted.
So anyone who wants to can just import that reg key.
I can see it's working in two ways:
1. When starting Steam I get the notification that it's protected in the top right corner.
2. In the HMPA GUI, it's listed as a protected app and browser.
The registry file will only work if Steam is installed in the default location.
If you add the Steam process that shows up via the HMP.Alert UI, it mitigates stuff launched from it (games), which is bad.
Application Lockdown propagates to child processes. But you should NOT set Application Lockdown on Steam as Steam writes executables to disk that need to start.
Application Lockdown is only for tools that read/write documents, images, audio, etc. (like Word, Photoshop, etc.). If the application can write binaries to disk (like Steam or an unpacker) then do not enable Application Lockdown on those processes.
Hope this helps.
Can you please explain the Application Lockdown mitigation? It would help!
It's actually very easy. If you apply Application Lockdown to app X, and it creates app Y, app Y will be blocked. For example, I use PowerArchiver for zipping stuff. If I apply the Application Lockdown mitigation to it, and then try to extract an exe file from an archive, that exe file will be blocked.
Thanks for clarifying. I only intended to mitigate the web helper component itself because I didn't want to chance causing flakiness with Steam, so I applied the browser template just to that process, as it's just based on CEF.
Yeah, Application Lockdown is perfect for things like Firefox, which has the plugin container as a child process, but on the other hand bad for Steam, as that launches games; that's why steamwebhelper has to be added independently.
So this hasn't happened to anyone else? Very weird!
I'll keep testing....
HMPA detects any executable downloaded with Internet Download Manager as a threat. This is surely a false positive.
Also having problems with virtualbox.
Turn off application lockdown on IDM.
What template are you using for IDM? Thanks.
Some guidance on when to select and use the Other and Test mitigation templates would help.
I am having issues activating Hitmanpro.Alert. When I install it on a computer via command line, it gives me an activation error 9.
We had this issue last month, but after exchanging e-mails with Surfright support, a new executable corrected the problem. This week I am trying to deploy it on a customer's network with a new license key (we buy a new key for each client), but am seeing activation error 9 again.
I contacted Surfright support two days ago, and am now being told that Hitmanpro.Alert is not supported in business environments. That doesn't make much sense as we've already deployed their product to over 20 customers in quantities of 5-100. The activation problems only started in the last month or so.
I ended up reinstalling the stable build until the VB issue gets fixed.
Just found a weird issue.
So I had Command Prompt as a protected binary, Application Lockdown unticked, everything else ticked.
Then by accident I made a typo and hit the "\" key before hitting Tab to complete the path, and Command Prompt crashed with a memory error.
Found it was repeatable: "cd <random junk>\" then Tab to crash.
It doesn't crash if I remove mitigations, but it does crash if mitigation is enabled, even with all boxes unticked.
What's odd about a string such as sdhfsdjkfh\ causing a false detection?
Why would you protect the command prompt? You mean "cmd.exe" or even "conhost.exe"?
The last "cmd.exe" vulnerability on Windows systems I know of is over five years old.
Why not protect it?
Everything on the machine is an attack vector. Batch files and the like will open a cmd.exe process.
Yes I mean cmd.exe not conhost.
Adding cmd.exe to mitigations does not protect from batch files executing malware.
Adding a process to mitigations does protect against exploiting this process.
As there are no known exploits targeting cmd.exe, and I rate it unlikely that cmd.exe is a target, I see no sense in adding it to mitigations.
What you found isn't a weird issue and don't be surprised if Erik and Mark ignore you. You are stubbornly insisting on using the product in a way you have been advised not to. Good luck.
I am just curious how a \ symbol can cause a crash.