HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    502
    Ah, OK -- thanks!
     
  2. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    I'm not sure whether this is correct, but maybe @erikloman can confirm - I was able to add steamwebhelper.exe by doing the following:
    run regedit
    navigate hklm > software > hitmanpro.alert
    (you'll see all your mitigated apps here in a list of keys)
    right click on the hitmanpro.alert key, click new key, name it steamwebhelper.exe
    click once on your key, and in the right hand panel right click > new string value
    right click your new string, rename it to the path to steamwebhelper.exe (e.g. C:\program files (x86)\steam\bin\steamwebhelper.exe)
    reboot

    in my case, after rebooting, it showed up in the hmpalert gui and i was able to select mitigations. i'm not sure there's anyway to verify whether it's working because steam wraps the web helper in another process so you won't actually see the blue border (assuming my steps here are correct, of course)
     
  3. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    yeah I found the part of the registry but each string value has a short hash code assigned to the path

    From what I see I choose my own hash thats the right length, and then set a matching hash in the profile area.

    imported it now, will attach the reg file I used.
     

    Attached Files:

    Last edited: Feb 11, 2016
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,131
    Location:
    USA
    Does that process show in the task manager? If so why not just add that one to HMPA while it's running?
     
  5. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    working perfect after I rebooted :)

    so anyone who wants can just import that reg key.

    I can see its working in 2 ways.

    1 - when starting steam I get the notification its protected at top right corner.
    2 - in the HMPA gui, its listed as a protected app and browser.

    The registry file will only work if steam is installed in default location.
     
  6. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    if you add the steam process that shows up via the hmp.alert ui, it mitigates stuff launched from it (games) which is bad.
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Application Lockdown propagates to child processes. But you should NOT set Application Lockdown on Steam as Steam writes executables to disk that need to start.

    Application Lockdown is only for tools that read/write documents, images, audio, etc. (like Word, Photoshop, etc.). If the application can write binaries to disk (like Steam or an unpacker) then do not enable Application Lockdown on those processes.

    Hope this helps.
     
  8. hjlbx

    hjlbx Guest

    @erikloman

    Can you please explain the Application Lockdown mitigation ... it would help !
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi hjlbox

    It's actually very easy. If you apply application lock down to appx, and it creates appy appy will be blocked. For example I use PowerArchiver for zipping stuff. If I apply application lock down mitigation to it, and then try to extract an exe file from an archive, that exe file will be blocked.
     
  10. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    thanks for clarifying. I only intended to mitigate the web helper component itself because i didn't want to chance causing flakiness w/steam - so i applied the browser template just to that process as it's just based on CEF
     
  11. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    yeah application lockdown is perfect for things like firefox which has plugin container as a child process, but on the other hand bad for steam as that launches games, thats why steamwebhelper has to be added independently.
     
  12. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    So this hasn't happened to anyone else? Very weird!

    I'll keep testing....
     
  13. guest

    guest Guest

    HMPA detect any executable downloaded with Internet Download Manager as a threat. this is surely a false positive.
     
  14. technonerd

    technonerd Registered Member

    Joined:
    Feb 3, 2016
    Posts:
    2
    Also having problems with virtualbox.

    Running
    • MBAM
    • Cryptoprevent
    • Privatefirewall
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Turn off application lockdown on IDM.
     
  16. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    What template are you using for IDM?Thanks.
     
  17. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    Some guidance on when to select and use the Other and Test mitigation templates would help.
     
  18. vlen

    vlen Registered Member

    Joined:
    Feb 12, 2016
    Posts:
    1
    I am having issues activating Hitmanpro.Alert. When I install it on a computer via command line, it gives me an activation error 9.

    We had this issue last month, but after exchanging e-mails with Surfright support, a new executable corrected the problem. This week I am trying to deploy it on a customer's network with a new license key (we buy a new key for each client), but am seeing activation error 9 again.

    I contacted Surfright support two days ago, and am now being told that Hitmanpro.Alert is not supported in business environments. That doesn't make much sense as we've already deployed their product to over 20 customers in quantities of 5-100. The activation problems only started in the last month or so.
     
  19. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    I ended up reinstalling the stable build til the VB issue gets fixed.
     
  20. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    just found a weird issue.

    So I had command prompt as a protected binary, applockdown unticked everything else ticked.
    Then by accident I typod and hit the "\" key before hitting tab to complete the path, and command prompt crashed with a memory error.
    Found it was repeatable cd <random junk>\ then tab to crash.
    It doesnt crash if I remove mitigations but does crash if mitigation is enabled even with all boxes unticked.

    Whats odd about a string such as sdhfsdjkfh\ causing a false detection?
     
  21. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    Why would you protect the command prompt? You mean "cmd.exe" or even "conhost.exe"?
    The last "cmd.exe" vulnerability on Windows systems I know of is over five years old.
     
  22. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    why not to protect it?

    everything on the machine is an attack vector. Batch files and the like will open a cmd.exe process.

    Yes I mean cmd.exe not conhost.
     
  23. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,055
    Location:
    Baden Germany
    Adding cmd.exe to mitigations does not protect from batch files executing malware.

    Adding a process to mitigations does protect against exploiting this process.

    As there are no know exploits targeting cmd.exe, and I rate it unlikely that cmd.exe is a target,
    I see no sense to add it to mitigations.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Chrchol

    What you found isn't a weird issue and don't be surprised if Erik and Mark ignore you. You are stubbornly insisting on using the product in a way you have been advised not to. Good luck.
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    I am just curious how a \ symbol can cause a crash.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.