HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. jd97

    jd97 Registered Member

    Joined:
    Apr 27, 2015
    Posts:
    28
    No, I don't use Webroot, and it's a brand new laptop. It is particularly present in Firefox for some reason. HitmanPro.Alert's 3 files (the .dll and 2 .sys files) are added as exclusions manually in ESS v9 to prevent compatibility issues.

    Could it be Sticky Password Password Manager (currently at v8.0.7.78)? I am starting to think that may be a common denominator (although it happens when not using passwords: google search box, forum posts, etc.).

    Also, the memory in Firefox 46 hits over 4GB, and I don't have a ton of tabs open (this may be a Mozilla issue).
     
  2. jd97

    jd97 Registered Member

    Joined:
    Apr 27, 2015
    Posts:
    28
    I bought a license(s) before Sophos and it was worth it. It's saved me from a few sudden redirects (likely malvertising). Does anyone have any experience on Windows 10 Enterprise? (Windows 10 Education 64-bit is nearly identical.) Nitro Pro is great software. I could never figure out if it was ESET or what was slowing it down, especially at the splash screen and upon saving a file.


    I let people I know with PC concerns or questions know about HMP.Alert b/c it has proven valuable, despite some minor flaws. If I could get my WP site working right, I'd put a link on there too.

    I can post/upload a GetSystemInfo file if needed for @erik or @mark
     
  3. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    This question has been asked before. The method used by HitmanPro.Alert is indeed different compared to Kaspersky's.

    Like you said, Kaspersky (and a few other security products) briefly run files in an emulation environment (a little sandbox) to discover malicious behavior, without letting the malware know that it is being analyzed. In contrast, HitmanPro.Alert deliberately tells the malware that it runs in an emulation environment (which isn't true), just so that sandbox-aware malware triggers its own termination, preventing the malicious behavior.

    More info: https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-285#post-2536042
     
    Last edited: May 3, 2016
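An added illustration of the idea Mark describes above. This is a constructed model written for this page, not HitmanPro.Alert's code and not a description of how the product implements it: a sandbox-aware payload scores its surroundings against the artifacts that analysis tools leave behind and silently exits once the score crosses a threshold, so a defender who plants just one such artifact in an otherwise normal process can make that payload abort by itself. The artifact names, the weights and the threshold are assumptions chosen for the example, and the last function shows the caveat that follows from the technique: a sample that never checks its environment is not affected at all.

```python
from dataclasses import dataclass, replace

# Artifacts that sandbox-aware samples are known to look for. The names are
# illustrative (assumed for this example), not a list taken from any product.
ANALYSIS_MODULES = {"sbiedll.dll", "dbghelp.dll", "api_log.dll", "dir_watch.dll", "vmcheck.dll"}
VM_MAC_PREFIXES = ("08:00:27", "00:0c:29", "00:50:56", "00:05:69")
ANALYSIS_USERNAMES = {"sandbox", "malware", "virus", "test"}


@dataclass(frozen=True)
class Environment:
    """What a payload can observe about the process it is running in."""
    loaded_modules: frozenset
    mac_address: str
    cpu_count: int
    ram_mb: int
    uptime_minutes: int
    username: str


def sandbox_score(env):
    """Score the environment the way an evasive payload might (assumed weights).

    Returns (score, reasons). A loaded analysis DLL counts double because it is
    the most direct evidence of instrumentation; the rest are weak signals.
    """
    score, reasons = 0, []
    for mod in sorted(m.lower() for m in env.loaded_modules):
        if mod in ANALYSIS_MODULES:
            score += 2
            reasons.append(f"analysis module loaded: {mod}")
    if env.mac_address.lower().startswith(VM_MAC_PREFIXES):
        score += 1
        reasons.append(f"virtual-NIC MAC prefix: {env.mac_address}")
    if env.cpu_count < 2:
        score += 1
        reasons.append("single CPU")
    if env.ram_mb < 2048:
        score += 1
        reasons.append("less than 2 GB RAM")
    if env.uptime_minutes < 10:
        score += 1
        reasons.append("very recent boot")
    if env.username.lower() in ANALYSIS_USERNAMES:
        score += 1
        reasons.append(f"analysis-style username: {env.username}")
    return score, reasons


def evasive_payload_would_run(env, threshold=2):
    """Sandbox-aware sample: abort silently once the evidence reaches the threshold."""
    score, _ = sandbox_score(env)
    return score < threshold


def naive_payload_would_run(env):
    """Sample with no environment checks: the decoy has no effect on it."""
    return True


def plant_decoy(env, module="SbieDll.dll"):
    """The defender's move: expose one analysis-tool module name inside the
    process so an evasive sample believes it is being watched. Nothing about
    the real machine changes."""
    return replace(env, loaded_modules=env.loaded_modules | {module})


# Constructed sample environments (not measurements from any real machine).
REAL_HOST = Environment(frozenset({"kernel32.dll", "ntdll.dll"}),
                        "3c:97:0e:12:34:56", 4, 8192, 300, "jd97")
REAL_SANDBOX = Environment(frozenset({"kernel32.dll", "api_log.dll"}),
                           "08:00:27:aa:bb:cc", 1, 1024, 2, "sandbox")

if __name__ == "__main__":
    for name, env in [("real host", REAL_HOST),
                      ("real host + decoy", plant_decoy(REAL_HOST)),
                      ("real sandbox", REAL_SANDBOX)]:
        score, reasons = sandbox_score(env)
        print(f"{name}: score={score}, evasive sample runs={evasive_payload_would_run(env)}, "
              f"naive sample runs={naive_payload_would_run(env)}")
        for reason in reasons:
            print("   ", reason)
```

Running it shows the real host scoring 0 (the evasive sample runs), the same host with one decoy module scoring 2 (the evasive sample aborts), and a genuine sandbox scoring well above the threshold. The naive sample returns True in every case, which is why this trick only ever removes the sandbox-aware part of the problem.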
  4. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Thanks! I'm now relieved. \o/
     
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    @erikloman
    @markloman
    Are you/is SurfRight working on a new HMP.A build that fixes the injection issue on Windows 7 x64 with KB3146706 installed, as build 369 did, while also fixing the build 369 issue that Peter2150 reported?
    If so, when can we expect that new bugfix build?
    In the meantime, the latest build that was pushed by auto update is build 368, which still leaves Windows x64 users that have KB3146706 installed with the mentioned issue of HMP.A being partially crippled.
     
  6. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    No, they are playing video games (some time ago, in fact, they bought 'The Division', and they usually join multiplayer matches -- Erik, in particular, is the sniper while Mark defends the flag) :rolleyes: ...
     
    Last edited: May 3, 2016
  7. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    BD Free and HMPA ... HMPABUG.jpg
     
  8. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    We are not automatically updating our users to build 369. The reasons for this are that it only affects Windows 7 64-bit and that KB3146706 has been pulled by Microsoft for automatic install. Also, e.g. @Peter2150 experiences a problem with 32-bit applications due to the changed injection method, which tells us the change needs more testing and work. In addition, we expect that Microsoft is going to issue a new KB3146706, as that update is also breaking other applications, including Microsoft's own EMET.

    Background: we changed our injection method in build 369 to solve KB3146706 on Windows 7 x64 because Microsoft had cut up code and functions into multiple pieces and shuffled them around in NTDLL.DLL. What Microsoft did is something that cannot be done by a normal compiler, so they did this on purpose and only for Windows 7 x64. They may have done this to deliberately break pirated copies of Windows 7 x64 on millions of machines in Asia: http://www.infoworld.com/article/30...6706-to-break-pirate-copies-of-windows-7.html
     
    Last edited: May 3, 2016
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Mark,

    Which are those 32-bit applications that I'm having problems with? Both Firefox and Cyberfox are the 64-bit versions.

    Thanks.
     
  10. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Oh sorry @Krusty13, I meant @Peter2150. Haha. My bad :)
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    I understand, considering the issue that Peter2150 reported.
    But I was expecting SurfRight was working on a new bugfix build to fix that issue.

    That's true, but any Windows 7 user that ran Windows Update soon after the April 12 Patch Tuesday updates were offered had KB3146706 ticked for install by default. Many users have Windows Update on the default setting to install updates automatically, so they probably had KB3146706 installed automatically. This may concern many users.
    Furthermore, to my knowledge, KB3146706 was still ticked for install up to 16 hours after the initial Patch Tuesday release time. So, many users can have KB3146706 installed. It's quite unpleasant to think all of those have HMP.A partially crippled.

    I understand, but in the meantime, HMP.A is still partially crippled for users that have KB3146706 installed on Windows 7 x64, which may concern many HMP.A users, and that is a dreadful thought.
    That's why I thought, and hoped, that SurfRight was working on a new bugfix build, that still fixes the injection issue on Windows 7 x64 with KB3146706 installed, like build 369 fixed, but with also fixing the build 369 issue that Peter2150 reported.
    I now understand that will take more time, as more testing and work needs to be done.
    Thanks very much for the clarity.


    First edit: rephrased last two sentences.
    Later edit: fixed typo.
     
    Last edited: May 3, 2016
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    To clarify more from me also. My temp solution was easy: Build 368. About a week after the initial update with KB...706, I did an update and that KB was unticked. So I ticked it and did the update. Didn't have to worry about HMPA. On reboot, once the machine got to the driver loading stage it crashed. Good thing I had some system images. So I tried the update again without 706 and all was well. Also when I do updates, I automatically hide the optional ones, and also the non-security ones among the important ones.
     
  13. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
  14. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    Hello
    They have to solve the issue between BD Free and HMPA, which does not allow downloading anything.
    Best regards.
     
  15. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I think that you are making a good choice! I have used Comodo in the past for Windows XP (which lacked a 2-way firewall). I liked the Firewall, but always had issues with the HIPS stuff enabled.

    My HMPA story: I realize that signature based defenses have about reached their limits, with cloud protection being almost mandatory these days. I also wanted protection from unknown, zero-day threats, but not at the expense of performance and weird system behavior.

    When I first heard about exploit protection, it was Microsoft EMET. It's do-able, but you just about need to be a freakin MS Windows system admin to wrangle that. Plus read the manual!

    Then I heard about Malwarebytes Anti-Exploit Free. I tried that and it's truly set and forget. So light you forget that it's running. I considered upgrading to the full version of MBAE, but that's when I stumbled upon HMPA!

    In the comparison, http://www.surfright.nl/en/alert HMPA does more to protect you. It's so light that I cannot tell it's running, and have had very few false positives. The devs on this forum respond quickly to most issues, and release updates for them. So it's a good investment!

    As far as Windows firewall control, I use the free version of this http://www.sphinx-soft.com/Vista/order.html Windows Firewall Control. It is light because it uses the Windows Filtering Platform (WFP) already built into Windows, so no new drivers are added. It makes it much easier to allow/block inbound/outbound per application. The free version automatically allows system processes by default, but you have control over your apps.
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    I have HMP and HMP.A installed. My license covers both. Granted, HMP.Alert > Scan runs HMP.
    HMP settings panel is where you may schedule scan. Cheers
     
  17. guest

    guest Guest

    @n8chavez
    #8159
    Your license should cover both products, HMP.A & HitmanPro.
    Download HitmanPro, execute it and there's an option to install it to Program Files.
     
  18. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Thanks for this info, but I have no such .exe files in that folder.

    Also what is interesting is that %temp% no longer points to appdata\local\temp on my system; it now points to my ramdisk, but HMPA still loads the binaries to the old location.

    I ran HMP from temp but there is nothing in the settings to make it permanent.

    --edit--

    Works perfectly; it's not in the settings, you have to click Next, then it shows the option. No more HMPA downloading the binary to my temp folder.
     
    Last edited: May 3, 2016
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    Hello erikloman :)

    The latest build eliminated all issues with blocking the latest Firefox 32-bit from opening. Thank You.

    So now, OK, I admit it. I have had Iolo System Mechanic installed on my PC forever. No boos, frowns, or hisses please. Once you buy a disc at Target for $19 it's cheap to maintain since you always get special cheap deals from Iolo to extend your license and there are a few functions that are handy.

    The latest HMPA (non-beta) blocks SM from starting. Something about a malware attack and having to shut down a Microsoft reg. server. This happened even when I turned off all protection modules and even after I uninstalled HMPA with IObit Uninstaller. What's up with that?

    NB: It would be convenient if one could copy the details from the blocking notice.
     
  20. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Event viewer?
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    Thanks test but:

    Didn't see it there :-(

    Anything that says "shutting down microsoft reg. server" kinda makes me nervous :)
     
    Last edited: May 3, 2016
  22. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Control Panel>Administrative Tools>Event Viewer>Windows Logs>Application. Then under Actions in right pane>Filter Current Log. Under Event Sources, select HitmanPro.Alert. For only mitigation errors, choose Event ID 911, otherwise leave it blank to see all HMPA logs.
     
  23. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    An easy way to view the details of an event is to just click on either "Number of alerts" or "Last alert" from the main HitmanPro.Alert GUI...
     
  24. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Maybe this reply got lost in the shuffle... :) There HAS been a lot of activity on this thread in the last couple of days.
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    My bad. You can copy the details. Only the first part cannot be copied:

    Microsoft(c) Register Server has been terminated to prevent execution of malicious code.

    Mitigation Lockdown

    Platform 6.3.9600/x64 06_3c
    PID 4412
    Application C:\Windows\SysWOW64\regsvr32.exe
    Description Microsoft(C) Register Server 6.3

    Filename C:\WINDOWS\SYSTEM32\jscript.dll


    Process Trace
    1 C:\Windows\SysWOW64\regsvr32.exe [4412]
    /s "C:\WINDOWS\SysWOW64\jscript.dll"
    2 C:\Windows\System32\regsvr32.exe [5404]
    "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\SysWOW64\jscript.dll"
    3 C:\Program Files (x86)\iolo\System Mechanic\SysMech.exe [3400]
    "C:\Program Files (x86)\iolo\System Mechanic\SysMech.exe" /Launch
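An added example, not from the post or from SurfRight: a small parser for the notice text copied above, so the fields and the process trace can be pulled out and read as a chain instead of by eye. The sample input is constructed here from the post (same fields, same three trace entries); the key names, the regular expression for trace lines and the triage notes are my assumptions about the copied format, and the triage only restates what the notice shows (who started the chain, where the target file lives, that regsvr32 was run silently, that the terminated copy is the 32-bit one). It deliberately does not decide whether the block was a false positive, which the notice alone cannot settle.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Mitigation Lockdown notice quoted in the post above,
# reproduced with the same fields and process trace so the parser has input.
SAMPLE_ALERT = r"""
Microsoft(c) Register Server has been terminated to prevent execution of malicious code.

Mitigation Lockdown

Platform 6.3.9600/x64 06_3c
PID 4412
Application C:\Windows\SysWOW64\regsvr32.exe
Description Microsoft(C) Register Server 6.3

Filename C:\WINDOWS\SYSTEM32\jscript.dll

Process Trace
1 C:\Windows\SysWOW64\regsvr32.exe [4412]
/s "C:\WINDOWS\SysWOW64\jscript.dll"
2 C:\Windows\System32\regsvr32.exe [5404]
"C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\SysWOW64\jscript.dll"
3 C:\Program Files (x86)\iolo\System Mechanic\SysMech.exe [3400]
"C:\Program Files (x86)\iolo\System Mechanic\SysMech.exe" /Launch
"""

# Assumed layout of the copied notice: "Key value" lines, then "Process Trace"
# followed by "N <image path> [pid]" lines, each followed by its command line.
KEYS = ("Mitigation", "Platform", "PID", "Application", "Description", "Filename")
ENTRY_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]$")


@dataclass(frozen=True)
class TraceEntry:
    depth: int          # 1 = the terminated process, higher = its ancestors
    image: str
    pid: int
    command_line: str


@dataclass
class MitigationAlert:
    headline: str
    fields: dict        # the "Key value" lines, keyed by the words in KEYS
    trace: list         # TraceEntry objects in the order the notice lists them


def parse_alert(text):
    """Turn the copied notice text into a MitigationAlert."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    headline = lines[0]
    try:
        trace_start = lines.index("Process Trace") + 1
    except ValueError:
        trace_start = len(lines)
    fields = {}
    for ln in lines[1:trace_start]:
        for key in KEYS:
            if ln.startswith(key + " "):
                fields[key] = ln[len(key):].strip()
                break
    trace, i = [], trace_start
    while i < len(lines):
        m = ENTRY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        # The command line follows its entry unless the next line is already
        # another entry, blank, or the end of the notice.
        cmd = ""
        if i + 1 < len(lines) and lines[i + 1] and not ENTRY_RE.match(lines[i + 1]):
            cmd = lines[i + 1]
            i += 1
        trace.append(TraceEntry(int(m.group(1)), m.group(2), int(m.group(3)), cmd))
        i += 1
    return MitigationAlert(headline, fields, trace)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def process_chain(alert):
    """Ancestry from the launching application down to the terminated process."""
    ordered = sorted(alert.trace, key=lambda e: e.depth, reverse=True)
    return " -> ".join(f"{basename(e.image)} [{e.pid}]" for e in ordered)


def triage(alert):
    """Facts a responder can read straight off the notice; intent is not judged."""
    if not alert.trace:
        return ["no process trace in notice"]
    notes = [f"chain: {process_chain(alert)}"]
    root = max(alert.trace, key=lambda e: e.depth)
    if not root.image.lower().startswith("c:\\windows\\"):
        notes.append(f"chain root is a third-party program: {root.image}")
    target = alert.fields.get("Filename", "")
    if target.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        notes.append(f"target file is in a Windows system directory: {target}")
    if any("regsvr32" in basename(e.image).lower() and "/s" in e.command_line.lower().split()
           for e in alert.trace):
        notes.append("silent registration (regsvr32 /s) appears in the chain")
    if "syswow64" in alert.fields.get("Application", "").lower():
        notes.append("the terminated regsvr32 is the 32-bit (WoW64) copy")
    return notes


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(alert.headline)
    for key in KEYS:
        print(f"  {key}: {alert.fields.get(key, '')}")
    for note in triage(alert):
        print("  *", note)
```

For the notice above this prints the chain as SysMech.exe [3400] -> regsvr32.exe [5404] -> regsvr32.exe [4412], which is the part worth pasting into a support post: it says which program started the sequence and what it asked regsvr32 to do, without anyone retyping paths by hand.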
     