HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    or revert to v3 and keep on CFI :p...
     
  2. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.1.9 build 362 Released

    Changelog
    • Improved CryptoGuard mitigation (Anti-Ransomware) to fix a bug introduced with build 357.
    • Improved ROP mitigations.
    • Improved keystroke scrambling of Keystroke Encryption.
    • Fixed compatibility with VirtualBox hardening.
    • Fixed compatibility with Microsoft Edge 31.14279 (Redstone).
    • Fixed compatibility with Microsoft OneNote's e-mail function.
    • Updated embedded libpng library.
    Download
    hmpalert31.exe

    Please let us know how this version runs on your computer.
    We expect to enable the automatic updater to install this build (362) later this week.
     
  3. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    no problem to report so far (specs in my signatures)

    Txs a lot!
     
  4. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Same here.
     
  5. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    I'm now enjoying VirtualBox again :D
     
    Last edited: Apr 4, 2016
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Smooth upgrade from build 361 to 362 on Windows 10 x64; no issues to report :thumb:
     
  7. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Working good here.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The download file doesn't say 362, is that correct?
     
  9. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Correct. "hmpalert31"
     
  10. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    HMP.alert build 362 is running fine, no issues so far!
     
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Yes. You can confirm version 3.1.9.362 by right clicking and going to Properties/Details/Product Version.
     
  12. Theblackstar

    Theblackstar Registered Member

    Joined:
    Mar 27, 2016
    Posts:
    36
    Location:
    Italia
    thanks for the information.
     
  13. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    So far no issues with 362, DL over top,

    running nicely along side BD, ZAM, and MBAM all in real time protection.
     
  14. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    exactly

    @Theblackstar
    You and I can also speak Italian! :D
     
  15. Armadax

    Armadax Registered Member

    Joined:
    Sep 13, 2015
    Posts:
    19
    Location:
    Zuid-Holland
    No issues.
     
  16. hjlbx

    hjlbx Guest

    @erikloman
    @markloman

    HMP.A 3.1.9 build 362
    Chrome 49
    Firefox 45
    Cyberfox 45
    Internet Explorer 11

    Protection Border with Keystroke Encryption display enabled

    Keystroke Encryption display either does not show keystrokes or it will show a few and then freeze
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks guys
     
  18. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    362 working as designed. Thank you.
     
  19. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Build 362 seems to work fine here. :)
     
  20. jynx

    jynx Registered Member

    Joined:
    Mar 3, 2012
    Posts:
    37
    Location:
    Right here
    Build 362 works fine; VirtualBox can run without error.
     
  21. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    A little while ago, I had my Opera browser open, which I had to close because it was starting to get slow when loading pages.

    When I restarted the browser, I got an immediate intruder alert from HMPA... I tried to take a screenshot but I couldn't get it to show in the GUI... I did manage to copy and paste [and save] the details of the alert to Notepad.

    I then had to reboot, as my system became unresponsive as a result of the alert.

    P.S. I am actually using Opera 12.15, even though in the details, it indicates another version of Opera.

    Code:
    Intruder
    
    ID 12468
    Application C:\Program Files\Opera Next\opera.exe
    Description Opera Internet Browser 12.15
    
    Detour Report
    # Address Owner Disassembly
    -- ---------- ------------------------ ------------------------
    closesocket
    1 0x71AB3E2B WS2_32.dll JMP 0x654b00c
    2 0x0654B00C (anonymous) JMP 0x19033d1f
    3 0x19033D1F fs_ccf_ni_umh32.dll
    
    connect
    1 0x71AB4A07 WS2_32.dll JMP 0x71ab4a02
    2 0x71AB4A02 WS2_32.dll JMP 0x215002d
    3 0x0215002D (anonymous; kswebshield.dll)
    
    getpeername
    1 0x71AC0B68 WS2_32.dll JMP 0x71ac0b63
    2 0x71AC0B63 WS2_32.dll JMP 0x21500c9
    3 0x021500C9 (anonymous; kswebshield.dll)
    
    getsockname
    1 0x71AB3D10 WS2_32.dll JMP 0x71ab3d0b
    2 0x71AB3D0B WS2_32.dll JMP 0x2150095
    3 0x02150095 (anonymous; kswebshield.dll)
    
    recv
    1 0x71AB676F WS2_32.dll JMP 0x654400c
    2 0x0654400C (anonymous) JMP 0x1903437f
    3 0x1903437F fs_ccf_ni_umh32.dll
    
    recvfrom
    1 0x71AB2FF7 WS2_32.dll JMP 0x654500c
    2 0x0654500C (anonymous) JMP 0x190342fd
    3 0x190342FD fs_ccf_ni_umh32.dll
    
    select
    1 0x71AB30A8 WS2_32.dll JMP 0x654e00c
    2 0x0654E00C (anonymous) JMP 0x1903451d
    3 0x1903451D fs_ccf_ni_umh32.dll
    
    send
    1 0x71AB4C27 WS2_32.dll JMP 0x1895bd2
    2 0x01895BD2 kswebshield.dll JMP 0x654200c
    3 0x0654200C (anonymous) JMP 0x1903428d
    4 0x1903428D fs_ccf_ni_umh32.dll
    
    sendto
    1 0x71AB2F51 WS2_32.dll JMP 0x654300c
    2 0x0654300C (anonymous) JMP 0x19034211
    3 0x19034211 fs_ccf_ni_umh32.dll
    
    WSAAsyncSelect
    1 0x71AC0991 WS2_32.dll JMP 0x654d00c
    2 0x0654D00C (anonymous) JMP 0x19033c35
    3 0x19033C35 fs_ccf_ni_umh32.dll
    
    WSAConnect
    1 0x71AC0C81 WS2_32.dll JMP 0x71ac0c7c
    2 0x71AC0C7C WS2_32.dll JMP 0x2150061
    3 0x02150061 (anonymous; kswebshield.dll)
    
    WSAEnumNetworkEvents
    1 0x71AB657D WS2_32.dll JMP 0x655000c
    2 0x0655000C (anonymous) JMP 0x19033b97
    3 0x19033B97 fs_ccf_ni_umh32.dll
    
    WSAEventSelect
    1 0x71AB64D9 WS2_32.dll JMP 0x654c00c
    2 0x0654C00C (anonymous) JMP 0x190345b7
    3 0x190345B7 fs_ccf_ni_umh32.dll
    
    WSAGetOverlappedResult
    1 0x71AC0D1B WS2_32.dll JMP 0x654f00c
    2 0x0654F00C (anonymous) JMP 0x19033c8b
    3 0x19033C8B fs_ccf_ni_umh32.dll
    
    WSARecv
    1 0x71AB4CB5 WS2_32.dll JMP 0x654800c
    2 0x0654800C (anonymous) JMP 0x19033e52
    3 0x19033E52 fs_ccf_ni_umh32.dll
    
    WSARecvFrom
    1 0x71ABF66A WS2_32.dll JMP 0x654900c
    2 0x0654900C (anonymous) JMP 0x19033dbc
    3 0x19033DBC fs_ccf_ni_umh32.dll
    
    WSASend
    1 0x71AB68FA WS2_32.dll JMP 0x1895e03
    2 0x01895E03 kswebshield.dll JMP 0x654600c
    3 0x0654600C (anonymous) JMP 0x1903416c
    4 0x1903416C fs_ccf_ni_umh32.dll
    
    WSASendTo
    1 0x71AC0AAD WS2_32.dll JMP 0x654700c
    2 0x0654700C (anonymous) JMP 0x19033ef7
    3 0x19033EF7 fs_ccf_ni_umh32.dll
    
    WSASocketW
    1 0x71AB404E WS2_32.dll JMP 0x654a00c
    2 0x0654A00C (anonymous) JMP 0x19033d41
    3 0x19033D41 fs_ccf_ni_umh32.dll
    
    SysAllocStringByteLen
    1 0x77124C35 OLEAUT32.dll JMP 0x18977b4
    2 0x018977B4 kswebshield.dll
    
    SysAllocStringLen
    1 0x77124B39 OLEAUT32.dll JMP 0x1897779
    2 0x01897779 kswebshield.dll
    
    HttpOpenRequestA
    1 0x771C2B41 WININET.dll JMP 0x1896f2c
    2 0x01896F2C kswebshield.dll
    
    HttpOpenRequestW
    1 0x771CF507 WININET.dll JMP 0x1896fe5
    2 0x01896FE5 kswebshield.dll
    
    InternetConnectW
    1 0x771CEE30 WININET.dll JMP 0x1897060
    2 0x01897060 kswebshield.dll
    
    InternetOpenUrlA
    1 0x771C5AA2 WININET.dll JMP 0x18970de
    2 0x018970DE kswebshield.dll
    
    InternetOpenUrlW
    1 0x771D5C07 WININET.dll JMP 0x1897191
    2 0x01897191 kswebshield.dll
    
    CoGetClassObject
    1 0x77515205 ole32.dll JMP 0x18b1cdf
    2 0x018B1CDF kswebshield.dll
    
    CopyFileA
    1 0x7C8286EE kernel32.dll JMP 0x1897392
    2 0x01897392 kswebshield.dll
    
    CopyFileExA
    1 0x7C85F39C kernel32.dll JMP 0x1897206
    2 0x01897206 kswebshield.dll
    
    CopyFileExW
    1 0x7C827B32 kernel32.dll JMP 0x18972f4
    2 0x018972F4 kswebshield.dll
    
    CopyFileW
    1 0x7C82F87B kernel32.dll JMP 0x1897477
    2 0x01897477 kswebshield.dll
    
    CreateProcessA
    1 0x7C80236B kernel32.dll JMP 0x58550000
    2 0x58550000 (anonymous; ksfmon.dll)
    
    CreateProcessInternalA
    1 0x7C81D54E kernel32.dll JMP 0x58980000
    2 0x58980000 (anonymous; ksfmon.dll)
    
    CreateProcessInternalW
    1 0x7C8197B0 kernel32.dll JMP 0x58990000
    2 0x58990000 (anonymous; ksfmon.dll)
    
    CreateProcessW
    1 0x7C802336 kernel32.dll JMP 0x70dd0000
    2 0x70DD0000 (anonymous; ksfmon.dll)
    
    LoadLibraryA
    1 0x7C801D7B kernel32.dll JMP 0x71c90000
    2 0x71C90000 (anonymous; kwsui.dll)
    
    LoadLibraryExA
    1 0x7C801D53 kernel32.dll JMP 0x46570000
    2 0x46570000 (anonymous; kwsui.dll)
    
    LoadLibraryExW
    1 0x7C801AF5 kernel32.dll JMP 0x55c02ec
    2 0x055C02EC (anonymous; ksfmon.dll) PUSH DWORD 0x55c0000
    JMP 0x1524b20
    3 0x01524B20 ksfmon.dll
    
    LoadLibraryW
    1 0x7C80AEEB kernel32.dll JMP 0x45470000
    2 0x45470000 (anonymous; kwsui.dll)
    
    ReadFile
    1 0x7C801812 kernel32.dll JMP 0x655200c
    2 0x0655200C (anonymous) JMP 0x19034068
    3 0x19034068 fs_ccf_ni_umh32.dll
    
    WinExec
    1 0x7C86250D kernel32.dll MOV EDI, EDI
    PUSH EBP
    MOV EBP, ESP
    JMP 0x41cb0000
    2 0x41CB0000 (anonymous; kwsui.dll)
    
    WriteFile
    1 0x7C810E27 kernel32.dll JMP 0x655100c
    2 0x0655100C (anonymous) JMP 0x19033fa7
    3 0x19033FA7 fs_ccf_ni_umh32.dll
    
    KiFastSystemCall
    1 0x7C90E510 ntdll.dll CLD
    JMP 0x7c90e521
    2 0x7C90E521 ntdll.dll JMP 0x100577dd
    3 0x100577DD hmpalert.dll
    
    NtCreateProcess
    1 0x7C90D14E ntdll.dll JMP 0x1896ec5
    2 0x01896EC5 kswebshield.dll
    
    NtCreateProcessEx
    1 0x7C90D15E ntdll.dll JMP 0x1896e5b
    2 0x01896E5B kswebshield.dll
    
    ShellExecuteEx
    1 0x7CA40ED5 SHELL32.dll JMP 0x1897e90
    2 0x01897E90 kswebshield.dll
    
    CoGetClassObjectFromURL
    1 0x7E21EA2F UrlMon.dll JMP 0x1897fc9
    2 0x01897FC9 kswebshield.dll
    
    URLDownloadToCacheFileW
    1 0x7E23BB54 UrlMon.dll JMP 0x189847f
    2 0x0189847F kswebshield.dll
    
    URLDownloadToFileA
    1 0x7E23BE5D UrlMon.dll JMP 0x18984fa
    2 0x018984FA kswebshield.dll
    
    URLDownloadToFileW
    1 0x7E23BAEE UrlMon.dll JMP 0x18985e2
    2 0x018985E2 kswebshield.dll
    
    
    Code Injection
    7FFA0000-7FFA1000 4KB C:\Program Files\F-Secure\SAFE\fshoster32.exe [668]
    00400000-00401000 4KB
    
    
    
    
    
    
     
    Last edited: Apr 4, 2016
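For triaging a Detour Report like the one in the post above, it helps to reduce each chain to the modules that own its hops and to list the APIs detoured by more than one module. The parser below is an added example, not part of the original post or of HitmanPro.Alert; the function names are hypothetical, and the sample is an excerpt of the report as posted.

```python
import re

# Excerpt copied from the Detour Report in the post above.
SAMPLE = """Detour Report
# Address Owner Disassembly
connect
1 0x71AB4A07 WS2_32.dll JMP 0x71ab4a02
2 0x71AB4A02 WS2_32.dll JMP 0x215002d
3 0x0215002D (anonymous; kswebshield.dll)

send
1 0x71AB4C27 WS2_32.dll JMP 0x1895bd2
2 0x01895BD2 kswebshield.dll JMP 0x654200c
3 0x0654200C (anonymous) JMP 0x1903428d
4 0x1903428D fs_ccf_ni_umh32.dll

KiFastSystemCall
1 0x7C90E510 ntdll.dll CLD
JMP 0x7c90e521
2 0x7C90E521 ntdll.dll JMP 0x100577dd
3 0x100577DD hmpalert.dll
"""

# Hop line: "<n> <address> <owner> [disassembly]"; owner may be "(anonymous; x.dll)".
HOP = re.compile(r"^\d+\s+0x[0-9A-Fa-f]+\s+(?:\(anonymous(?:;\s*([^)]+))?\)|(\S+))")
API = re.compile(r"^[A-Za-z_]\w*$")

def parse_detours(text):
    """Return {api: [owner of each hop]}; '(anonymous)' is unattributed memory."""
    chains, api, active, gap = {}, None, False, False
    for line in text.splitlines():
        s = line.strip()
        if active and api and (m := HOP.match(s)):
            chains[api].append((m.group(1) or m.group(2) or "(anonymous)").lower())
        elif active and gap and API.match(s):
            api = s          # API names only follow a blank or table-header line
            chains[api] = []
        active = active or s == "Detour Report"
        gap = not s or s.startswith(("#", "--"))
    return chains

def third_party(chains):
    """Modules in each chain other than the DLL that exports the API."""
    return {api: [o for o in dict.fromkeys(hops) if o not in (hops[0], "(anonymous)")]
            for api, hops in chains.items()}

def stacked(chains):
    """APIs whose chain passes through more than one hooking module."""
    return sorted(a for a, mods in third_party(chains).items() if len(mods) > 1)
```

Run over the full report, `stacked()` picks out the chains where two modules have layered detours on the same function, such as `send` and `WSASend`.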
  22. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    464
    Upgraded to Build 362 - so far ok on Win 7 x64
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I upgraded to 362 on win 7 x64. One improvement. I was getting ROP failures on Rhapsody's Music Service, and that is fixed. But with PowerDVD15 subscription version I still get FP's on IAF, and have to turn it off.

    Pete
     
  24. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    Question...

    I DL'ed 362 manually over top and now noticed that when I go to open the program using the desktop icon, UAC prompts me twice before it brings up the UI. Also, I don't see HMPA listed in my programs.

    Did it not install right? Is that why I'm seeing these changes in behavior?
     
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    It sounds like something went wrong. When I pull up the UI for build 362 from either the taskbar notification icon or a desktop shortcut I don't get a UAC prompt. You might want to try an uninstall/re-install.
     