HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. @adamgibbo
    Please ignore really positive and helpful reactions like the one below.
    These are fine examples of what one could qualify as a False Post.
     
    Last edited by a moderator: May 5, 2016
  2. __simon__

    __simon__ Registered Member

    Joined:
    Apr 28, 2013
    Posts:
    14
    Location:
    UK
    There is a false positive uninstalling Opera from the Windows "Programs and Features" dialog.
    Code:
    Mitigation   Lockdown
    
    Platform     10.0.10586/x64 06_2a
    PID          27396
    Application  C:\Program Files (x86)\Opera\37.0.2178.32\installer.exe
    Description  Opera Installer 37
    
    Filename     C:\Program Files (x86)\Opera\37.0.2178.32\installer.exe
    Created By   C:\Windows\Temp\opera autoupdate\CProgram Files (x86)Opera\installing\installer.exe
    
    
    Process Trace
    1  C:\Program Files (x86)\Opera\37.0.2178.32\installer.exe [27396]
    "C:\Program Files (x86)\Opera\37.0.2178.32\installer.exe" /uninstall
    2  C:\Program Files (x86)\Opera\launcher.exe [26388]
    "C:\Program Files (x86)\Opera\Launcher.exe" /uninstall
    3  C:\Windows\SysWOW64\dllhost.exe [21164]
    C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
     
  3. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    My laptop with HMPA installed looks like it has been owned today :/

    https://www.wilderssecurity.com/threads/weird-behaviour-from-cmd-exe-on-startup.385643/

    Also remember the debate about how everyone was telling me intrusions are done via browsers? windows was only clean installed on the laptop about 5 days ago and I have done zero browsing on it yet.

    My guess is it has happened via skype since that fetches data over http.

    Also observed the HMPA icon is missing from the system tray, but it is still installed as I can load it from the start menu.
     
    Last edited: May 5, 2016
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,303
    Location:
    the Netherlands
    You write, "windows was only clean installed on the laptop about 5 days ago and I have done zero browsing on it yet."
    But you also mention it has HMPA and Skype installed, and in your other post you mention Comodo.
    And perhaps you have more software installed and did some configuration?
    I guess you know what you've installed and what configurations you made after the clean install, but we do not.
    I guess one of the things you installed or one of your configurations is the reason for what you described.
    Hard for us to tell what you have done and what can be the cause for what you're seeing.

    Regarding the HMPA icon that is missing from the system tray -
    What is your OS?
    In Windows 7 certain system tray icons are hidden by default, I don't know about HMPA.
    You can change the system tray behavior and show the system tray icons you want to have in the system tray.
    See: Change how icons appear in the notification area
    This may be different for Windows 8.1 and Windows 10, I don't know about that.
     
    Last edited: May 5, 2016
  5. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    There is some other software installed, but nothing that I haven't been using for a while.

    What information do you want?

    Interestingly if I protect cmd.exe in HMPA the network attempts stop on boot.
     
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,303
    Location:
    the Netherlands
    I do not know. I can only say that for me it is hard to say anything based on the information you provided.
    By the way, I edited my previous post, as you edited your previous post.
     
  7. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    I already have it set to have no icons hidden; that's a very basic setting I have on all my machines.

    I will disable cmd.exe protection again in HMPA to see if network access attempts reappear.

    All scans are coming up clean as well; I will just reinstall Windows later today. Further investigation seems to point to adware. This time around I won't install the Lenovo utilities (that is the one new thing on this laptop).
     
  8. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,089
    Location:
    USA
    As far as I can tell the CCleaner "uninstaller" only shows the list of installed applications; it's just a front end and has no additional functionality. If you click an entry it just calls the application's own uninstall routine.
     
  9. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Lenovo utilities call home before booting. Well known issue.
     
  10. adamgibbo

    adamgibbo Registered Member

    Joined:
    Nov 27, 2009
    Posts:
    20
    @Hiltihome ok thanks :thumb:

    @Victek Yes, you're right. The problem is with the k.bat which is part of the uninstall process for Opera. Even if it is run manually the false positive occurs.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You have to reboot to lift the lockdown on a file, or restart the Alert Service.
     
  12. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    991
    Reverted back to Firefox 45.0.2 (32-bit); HMPA CPU usage is 0-0.5%. With Firefox 46.0.1 (32-bit) the HMPA CPU usage is sometimes up to 15%.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    That has bothered me a bit. Is there any way you can set it so the lockdown is permanent if so desired?

    Pete
     
  14. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    Is there any benefit to using CryptoPrevent in addition to HMP.A ?

    I've been running both for years, but if it's redundant when using HMP.A I'd rather know and then I'll remove it from my system.
     
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,089
    Location:
    USA
    Personally I don't feel they're redundant; CryptoPrevent 7.X blocks access to folders where ransomware typically executes while HMP.A provides real-time behavior monitoring. Since CryptoPrevent creates zero overhead I don't see any benefit in removing it. There is supposedly going to be a version 8 of CryptoPrevent though (someday RSN), which may have new features, so we'll see.
     
  16. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    The fact that everything has to go through a very long list of blocking rules that CryptoPrevent creates is surely going to be even a slight slowdown?

    Why doesn't everyone on here use this in addition to HMP.A then as it's free & portable & there isn't any negative & adds to your protection?
     
  17. obi

    obi Registered Member

    Joined:
    May 6, 2016
    Posts:
    2
    Is this real or a false positive? I had Chrome open with three tabs: one empty, one Facebook, one YouTube. The Facebook tab was killed after this message, so did some junk try to come through Facebook? HitmanPro found only a few tracking cookies.

    Mitigation DEP

    Platform 10.0.10586/x64 06_3d
    PID 13240
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 50

    EIP = 11D1E2E0, State = 0x1000, Type = 0x20000, Protect = 0x4

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 77DDB652 ntdll.dll RtlConvertUlongToLargeInteger +0xc2
    2 77DDB624 ntdll.dll RtlConvertUlongToLargeInteger +0x94
    3 77DC8E7F ntdll.dll KiUserExceptionDispatcher +0xf

    4 6DA52EFC chrome_child.dll
    83c418 ADD ESP, 0x18
    8bc3 MOV EAX, EBX
    5f POP EDI
    5e POP ESI
    5b POP EBX
    8be5 MOV ESP, EBP
    5d POP EBP
    c3 RET

    5 6DA2E81B chrome_child.dll
    6 6DA2E1C8 chrome_child.dll
    7 6DA2DF12 chrome_child.dll
    8 6DA195D1 chrome_child.dll
    9 6DA1925D chrome_child.dll
    10 6DA191B4 chrome_child.dll

    Code Injection
    0109E000-0109F000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [3312]
    77DC7000-77DC8000 4KB
    77DC6000-77DC7000 4KB
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [3312]
    2 C:\Windows\explorer.exe [4508]
    3 C:\Windows\System32\userinit.exe [4440]

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [13240]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-features=AutomaticTabDiscarding<AutomaticTabDiscarding,IncidentReportingModuleLoadAnalysis<SafeBrowsingIncidentReportingServiceFeatures,UpdateRendererPriorityOnStartup<U
    2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [3312]
    3 C:\Windows\explorer.exe [4508]
    4 C:\Windows\System32\userinit.exe [4440]
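As an added example, not code from this thread or from the HitmanPro.Alert product, here is a small Python parser for the alert report text that appears in the Opera Lockdown post and the Chrome DEP post above. It turns the header, the Code Injection regions and the Process Trace into a record, and decodes the State/Type/Protect values on the EIP line with the winnt.h constants (MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE, PAGE_EXECUTE*). The function and class names (parse_alert, Alert, parent_chain, decode_dep) are my own; the two sample reports are trimmed copies of the ones posted, with the long Chrome command line shortened.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
# Windows memory constants from winnt.h, used to decode the "EIP = ..." line of a DEP alert.
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
HEADER_KEYS = ("Mitigation", "Platform", "PID", "Application", "Description", "Filename", "Created By")
HEADER_RE = re.compile(r"^(%s)\s+(.+)$" % "|".join(re.escape(k) for k in HEADER_KEYS))
PROC_RE = re.compile(r"^(\d+)\s+(.+?) \[(\d+)\]$")  # "1  C:\...\installer.exe [27396]"
REGION_RE = re.compile(r"^([0-9A-Fa-f]{8})-([0-9A-Fa-f]{8})\s+(\d+)KB(?:\s+(.+?) \[\d+\])?$")
DEP_RE = re.compile(r"EIP = ([0-9A-Fa-f]+), State = 0x([0-9A-Fa-f]+), Type = 0x([0-9A-Fa-f]+), Protect = 0x([0-9A-Fa-f]+)")

@dataclass
class Process:
    path: str
    pid: int
    cmdline: Optional[str] = None  # the command line printed under the entry, when present

@dataclass
class Region:
    start: int
    end: int
    size_kb: int
    owner: Optional[str] = None  # process that owns the flagged region, when listed

@dataclass
class Alert:
    fields: dict = field(default_factory=dict)  # Mitigation, PID, Application, ...
    eip: Optional[int] = None
    state: Optional[int] = None
    mem_type: Optional[int] = None
    protect: Optional[int] = None
    process_trace: list = field(default_factory=list)
    regions: list = field(default_factory=list)

def parse_alert(text: str) -> Alert:
    """Parse the text of one HitmanPro.Alert report into an Alert record."""
    alert, section, last_proc = Alert(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if section is None and (m := HEADER_RE.match(line)):
            alert.fields[m.group(1)] = m.group(2).strip()
        elif m := DEP_RE.search(line):
            alert.eip, alert.state, alert.mem_type, alert.protect = (int(g, 16) for g in m.groups())
        elif line in ("Process Trace", "Stack Trace", "Code Injection"):
            section, last_proc = line, None
        elif section == "Process Trace":
            if m := PROC_RE.match(line):
                last_proc = Process(m.group(2), int(m.group(3)))
                alert.process_trace.append(last_proc)
            elif last_proc is not None and last_proc.cmdline is None:
                last_proc.cmdline = line
        elif section == "Code Injection" and (m := REGION_RE.match(line)):
            alert.regions.append(Region(int(m.group(1), 16), int(m.group(2), 16), int(m.group(3)), m.group(4)))
        # Stack Trace lines and the region owner's own trace under Code Injection are skipped.
    return alert

def parent_chain(alert: Alert) -> list:
    """Executable names from the alerting process up to its root ancestor."""
    return [p.path.rsplit("\\", 1)[-1] for p in alert.process_trace]

def decode_dep(alert: Alert) -> Optional[dict]:
    """Describe the page EIP pointed into when DEP fired; None for non-DEP alerts."""
    if alert.eip is None:
        return None
    return {"committed": bool(alert.state & MEM_COMMIT),
            "private": bool(alert.mem_type & MEM_PRIVATE),  # heap/stack-style memory, not a module
            "image": bool(alert.mem_type & MEM_IMAGE),  # backed by a loaded EXE/DLL
            "executable": bool(alert.protect & PAGE_EXECUTE_ANY),
            "eip_in_flagged_region": any(r.start <= alert.eip < r.end for r in alert.regions)}

# Sample reports taken from the two posts above (trimmed; the Chrome command line is shortened).
LOCKDOWN_ALERT = r"""
Mitigation   Lockdown
PID          27396
Application  C:\Program Files (x86)\Opera\37.0.2178.32\installer.exe
Process Trace
1  C:\Program Files (x86)\Opera\37.0.2178.32\installer.exe [27396]
"C:\Program Files (x86)\Opera\37.0.2178.32\installer.exe" /uninstall
2  C:\Program Files (x86)\Opera\launcher.exe [26388]
3  C:\Windows\SysWOW64\dllhost.exe [21164]
"""
DEP_ALERT = r"""
Mitigation DEP
PID 13240
Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
EIP = 11D1E2E0, State = 0x1000, Type = 0x20000, Protect = 0x4
Code Injection
0109E000-0109F000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [3312]
77DC7000-77DC8000 4KB
Process Trace
1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [13240]
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer
2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [3312]
3 C:\Windows\explorer.exe [4508]
4 C:\Windows\System32\userinit.exe [4440]
"""
```

Run `decode_dep(parse_alert(DEP_ALERT))` and the Chrome report decodes to committed, private, read-write memory: a page not backed by any module and not marked executable, which is exactly the condition DEP fires on, and the EIP does not fall inside any of the listed injection regions. `parent_chain` gives chrome.exe renderer, chrome.exe browser, explorer.exe, userinit.exe, the ordinary desktop session; the Opera report's chain ends in dllhost.exe, as expected for an uninstall launched from Programs and Features. Those two facts are what you would check first when deciding whether a report is a false positive or warrants a closer look; the report alone does not settle whether the Chrome event was a plain crash, which is how the developer read it.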
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Looks like a crash of Chrome.
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,089
    Location:
    USA
    I should have been more specific; when I said zero overhead I meant that CryptoPrevent does not have a real-time component which uses CPU cycles and would be easy to monitor. I guess it's possible that the changes it implements require some additional processing, but it is not apparent. Perhaps someone can figure out a way to benchmark it?

    I have no idea who is or isn't using CryptoPrevent along with HMPA. If others are intentionally not using it perhaps they will chime in and say why...
     
  20. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I'm using CryptoPrevent along with HMP.A.
    I believe what @Victek said.
    It should be noted, however, that CryptoPrevent has other protections other than the classic blacklisting of system locations.
     
  21. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,973
    Location:
    Location Unknown
    Both Firefox (x86) and Cyberfox (x86) 46.02 keep randomly crashing every time HMPA is active on my Win10 x64 system. This was never an issue with version 45. Anyone have any ideas at all how to fix this? I know I can add it to the exclusions, but honestly what would be the point of running HMPA at all if that needs to be done? Windows crash log below:

     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,392
    Location:
    Under a bushel ...
    I use both also for the same reasons. No issues.
     
  23. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    494
    Location:
    italy
    Simply because I'm not used to running every piece of code I find on my way (I bought in fact an Alert3 key basically to take advantage of its anti-exploit talent)*...


    *CryptoGuard, then, is just another layer I can leverage using Alert as my primary line of defence (in SUA with UAC maxed and full awareness about every consent prompt I receive)...but again, I'm not used to opening e-mail messily/haphazardly/scrappily (in Italy we say ''ALLA CAZZO DI CANE''...or dick of dog :D)...
     
    Last edited: May 7, 2016
  24. Doraemon

    Doraemon Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    202
    I also have the same Firefox 46.0.1 + HPA 368 problem, at home and at work. I hope you guys can figure it out.

    Thanks BTW for HPA, it's such a great product! ;)
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,007
    Location:
    .
    by first part > do you mean General Tab...? Hi-lite, CtrlC/P works on General Tab.
     