HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Lazarus Long

    Lazarus Long Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    5
    Location:
    Macedonia
    Yes, I know about that. I've reported that issue, but I didn't like the fact that I'm unprotected from CryptoLocker, even Norton crashes :)
    btw
    Prior to 2.5.0, Norton coexists with Hitman but only the main window was an issue. Now NIS crashes but hey... it's a beta program.

    Thank you
     
    Last edited: Nov 13, 2013
  2. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,113
    Location:
    South Texas, USA
    Can anyone please confirm that the CryptoGuard folder inside C:\Windows belongs to HitmanPro.Alert? Thanks

    dja2k
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes it does.
     
  4. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    False message GONE in 2.5.1
     
  5. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,113
    Location:
    South Texas, USA
    I installed AppGuard yesterday and saw a block this afternoon pointing towards that folder, so thanks for verifying.

    dja2k
     
  6. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    With the default settings of HitmanProAlert 2.5.1, I get more than one green flyout at the start of Avant Browser.
    It happens very fast, but I think as many as the tabs (20!) I use within my Avast.
    I think this is wrong.
    But during shutdown of Avant I also get 2(?) Green flyouts.
    I am sure this should not happen.
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Avant Browser is a bit peculiar as it hosts other browsers. I'm not sure I can fix the flyout. You could set the setting to "Once per session" at the moment.
     
  8. Lazarus Long

    Lazarus Long Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    5
    Location:
    Macedonia
    Please add "Installation Success" or similar after installation. Maybe a balloon tip in the tray or a window.
    Also, add a shortcut to the Desktop and/or Start Menu.
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    A flyout should appear when Installation is complete.
     
  10. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,113
    Location:
    South Texas, USA
    Why would Microsoft Word be wanting to write to the CryptoGuard folder?

    dja2k
     
  11. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I really have no idea, but I have the same thing here (as seen in my AppGuard log).
     
  12. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,113
    Location:
    South Texas, USA
    That's exactly where I saw it too :D

    dja2k
     
  13. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    I also see that AppGuard prevents this action, but only on Win7, not on Win 8.1.

    Maybe Erik can give some details here; to me it seems that every time you open/create an Office document, an encrypted copy is saved in the Windows/CryptoGuard folder. So if you are a massive Office worker this folder will grow.

    @Erik: Will those files get deleted automatically, and when?

    Edit: typo. A k for erik (instead of c) ;-)
     
    Last edited: Nov 15, 2013
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    CryptoGuard copies a file to the mentioned CryptoGuard folder right _before_ the file is being modified (either by Office or CryptoLocker malware). CryptoGuard makes no distinction between which processes modify files, as legitimate software can be invaded via malware code injection.

    If a file handle is closed, the file is automatically deleted from the CryptoGuard folder. There should not be any files in the CryptoGuard folder as they are only there temporarily.

    Hope this helps.
     
  15. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,113
    Location:
    South Texas, USA
    So then something is not working right because I still have files inside the CryptoGuard folder. o_O

    dja2k
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    How many? Maybe AppGuard interferes with the files.
     
  17. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
    I also have files and they are old files.
     

    Attached Files:

  18. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,920
    Hi Erik,

    Sorry, I am afraid that I don't understand it.

    Situation:
    Malware M modifies file F.
    CryptoGuard copies file F right-before-it to the CryptoGuard folder.
    File F has now been modified (malware M has done its job).
    CryptoGuard doesn't know whether it was a legitimate change or not.
    The original file F is removed by CryptoGuard from the CryptoGuard folder.
    And now you have only the modified file F.

    So, what is the purpose of this all?
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Simple answer: after crypto ransomware is done with it, the document is no longer a document.
     
  20. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,920
    Yes, I understand. And then CryptoGuard does what?
     
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Revert the changes made by the crypto ransomware as the original is kept in the CryptoGuard folder. And the process that performed the malicious changes can no longer write to the file system.
     
  22. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,920
    But that is what I don't understand. As you said, the original file F has already been removed by CryptoGuard from the CryptoGuard folder (CryptoGuard doesn't know whether it was a legitimate change or not).
     
  23. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    I currently have 47 files (17.5MB) in my CryptoGuard folder dating back to November 7. Not sure what that means, but that's the count.
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    CryptoGuard automatically removes the file from the CryptoGuard folder when a document is still a document (not a malicious change). The file _is kept_ when the file was severely changed (no longer a document) and we might need to roll back that particular change at a later point in time. THAT kept file should also be deleted after a while. Clearly this doesn't happen in all cases (the point of the discussion).

    I will have a look why they are lingering. I have 2 files myself in that folder.
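
The copy-before-modify and rollback behaviour erikloman describes in this thread, as an added Python sketch that is not part of the thread and not HitmanPro.Alert code. The magic-header test for "still a document", the class and writer names, and the moment the writer gets blocked are assumptions; the delayed cleanup of kept files is not modelled.

```python
import itertools, shutil, tempfile
from pathlib import Path

# Assumption: "still a document" is modelled as "still starts with a known magic header".
MAGIC = (b"PK\x03\x04", b"\xd0\xcf\x11\xe0", b"%PDF")

def is_document(path):
    return path.read_bytes()[:8].startswith(MAGIC)

class ToyGuard:
    """Hypothetical copy-before-modify guard, written for this example only."""
    def __init__(self, store):
        self.store, self.seq = store, itertools.count()
        self.pending, self.kept, self.blocked = {}, {}, set()

    def before_write(self, writer, path):
        if writer in self.blocked:
            raise PermissionError(writer)       # blocked writers get no further writes
        backup = self.store / f"{next(self.seq)}_{path.name}"
        shutil.copy2(path, backup)              # original saved before any change
        self.pending[path] = backup

    def on_close(self, writer, path):
        backup = self.pending.pop(path)
        if is_document(path):                   # same test for every process
            backup.unlink()                     # benign edit: temporary copy removed
            return "backup-deleted"
        self.kept[path] = backup                # kept so the change can be rolled back
        self.blocked.add(writer)
        return "backup-kept"

    def rollback(self, path):
        self.kept.pop(path).replace(path)       # restore original, emptying the store

def demo():
    with tempfile.TemporaryDirectory() as root:
        store, doc = Path(root, "guard"), Path(root, "report.docx")
        store.mkdir()
        body = b"PK\x03\x04 constructed sample document"   # constructed input
        doc.write_bytes(body)
        guard = ToyGuard(store)
        def write(writer, data):
            guard.before_write(writer, doc)
            doc.write_bytes(data)
            return guard.on_close(writer, doc), len(list(store.iterdir()))
        benign = write("office", body + b" edited")
        hostile = write("injected", bytes(b ^ 0x5A for b in body))  # stand-in for encryption
        guard.rollback(doc)
        return benign, hostile, "injected" in guard.blocked, doc.read_bytes(), len(list(store.iterdir()))
```

In this model a backup that survives in the store means either a pending rollback or a cleanup that never ran, which is the lingering-files symptom reported above.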
     
  25. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Thx. Tested some things and found out that

    - AppGuard on my Win 8.1 system prevents the deletion of those files, so the folder grows. (Office programs are guarded)
    - AppGuard on my Win 7 system even prevents those file copies from being created. So CryptoGuard won't work when Office programs are guarded in AppGuard.

    Solution: AppGuard users must create a folder exception rule for C:\Windows\cryptoguard folder. (read/write in folder settings under guarded tab)
     