HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    703
    Location:
    EU
    Don't know if it's just me or not :

I always get a "failed check for update" in the Windows 7 x64 application event viewer every two hours. I got nothing bad in my firewall logs; HMP build 369 and previous are allowed for full actions.

    Rules.
     

    Attached Files:

  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    That is normal behavior.
    See Erik's February 8 reply.
     
  3. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    703
    Location:
    EU
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    You're welcome, of course.
    With the number of posts in this thread, it's easy to overlook one or more posts, and miss some information.
    I'm always a bit worried that Erik or Mark might overlook some relevant posted report or question, when there's a lot of posting going on in the thread. Much respect for Erik and Mark if they don't overlook anything.
     
  5. jd97

    jd97 Registered Member

    Joined:
    Apr 27, 2015
    Posts:
    28
Did anyone notice the number of times xul.dll was included in the crash reports (Firefox > Troubleshooting Information > Crash Reports > click on it to view)?

PM'd you with a few of them @erikloman

    More available if needed.....
     
  6. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I am running HMPA 368 with Firefox 46.0.1 just fine, no issues. You did not mention your OS or bit level (32 or 64), or other security software ...

    For Firefox, any time you have issues:
    1. First try safe mode to see if it improves. Might be an add-on causing the issue. Firefox menu>Help>Troubleshooting Information>Try Safe Mode
    2. Then you can try creating a new clean profile without add-ons, to see if it runs better. Run "firefox.exe -p" to access profile manager. You can leave your default profile in place to revert to.
    3. If #2 corrects your problem, revert to your original profile, then try giving Firefox a refresh. Firefox menu>Help>Troubleshooting Info "Give Firefox a tune up">Refresh Firefox.

    Note on refreshing: backup any extension data first, such as whitelists or blacklists. These will not be preserved. All extensions are removed, but your personal data is kept.

    These Firefox troubleshooting steps have solved a few big head scratchers for me, where uninstalling and reinstalling did nothing (where your profile is preserved, if your problem lies therein, it is persistent). https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings
     
    Last edited: May 8, 2016
  7. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Is HitmanPro.Alert supported on Windows 2008 R2 Terminal Servers?
     
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    368 still no issues here.

When cmd.exe is protected it seems to be managing to block Lenovo spyware (or malware) on my new laptop from running properly on bootup.
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
Then you'll also lose custom settings and tweaks (a potentially large number). If #2 corrects your problem it may also be a compatibility problem with an add-on or a badly coded add-on. I would advise to first try disabling add-ons to see if that causes the problem. (To identify the trouble-causing add-on more quickly, you could disable 50% of your add-ons, see if that fixes anything, and if not, disable the other 50%. When you have found the correct 50%, do this again with half of those, etc. That way you don't have to check them one by one and can save a lot of time if you have a large number of add-ons.)
     
  10. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
Guys, I am considering putting EMET back on just for Attack Surface Reduction on Office. Is there a point for that, or does HMPA cover that? Also, what about EMET's new Control Flow Guard? Is that also covered by HMPA? Thanks.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
HMPA has attack surface reduction where it blocks certain DLLs from loading in certain processes. For example, the recent regsvr32.exe mitigation forbids SCT scripts to run; this mitigation falls under Application Lockdown.

    Main behavior of HMPA's Application Lockdown is that it forbids Office apps to create and run binary executables. This stops macro (VBA) malware.
    EMET does not block most macro malware.

CFG is also covered by HMPA, as all binaries of HMPA are compiled with CFG enabled, just as EMET.

    Hope this helps.
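Erik's description of Application Lockdown (Office applications must not create and run binary executables; regsvr32 must not run SCT scripts) can be expressed as detection logic over process-creation events. The Python below is an added example, not HMPA's implementation: the event record shape, the paths and the sample events are constructed, and a real deployment would feed it Sysmon or similar process-creation logs.

```python
import re
from dataclasses import dataclass

# Office hosts whose child processes are suspicious (macro/VBA payload pattern)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

@dataclass
class ProcessEvent:
    """One process-creation record (constructed shape, not a real log format)."""
    parent_image: str
    image: str
    command_line: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: ProcessEvent):
    """Return a verdict string when the event matches a lockdown rule, else None."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    # Rule 1: an Office application launching a binary executable
    if parent in OFFICE_APPS and child.endswith(".exe"):
        return "office-spawned-executable: %s -> %s" % (parent, child)
    # Rule 2: regsvr32 asked to run a .sct scriptlet
    if child == "regsvr32.exe" and re.search(r"\.sct\b", ev.command_line, re.I):
        return "regsvr32-scriptlet: %s" % ev.command_line
    return None

def scan(events):
    """Return (index, verdict) pairs for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        verdict = check_event(ev)
        if verdict:
            hits.append((i, verdict))
    return hits

# Constructed sample events: one macro-style launch, one scriptlet, one benign
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "invoice.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s /i:C:\Users\alice\AppData\Local\Temp\update.sct"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
]
```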
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Send me an email.
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Thanks!
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Does this also provide protection on CFG-Unaware Windows versions?
    I only found this:
    It's not so clear if they mean that it's backwards compatible as in it doesn't cause issues or that the CFG is actually providing the same protection.
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    CFG is both a platform and compiler thing. If your platform does not support it, the CFG info enclosed by the compiler in the binary is not used.

    This also means that if the binary has no CFG info, the platform will not protect the binary.

    Hence, CFG is not a mitigation offered by a security vendor. A security vendor must just ensure that when all images in a process have CFG, it must have CFG as well. Otherwise the security vendor becomes the weakest link.
     
    Last edited: May 9, 2016
  16. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
True, but if you already tried safe mode (with add-ons disabled) and saw no improvement, then possibly your problems are related to your custom settings and tweaks, or to corruption due to a version upgrade over the top. Mozilla does make various changes to the about:config settings defaults, etc., from version to version.

    You can determine this by running with a clean test profile, without your tweaks. Keep your existing profile to revert to after the test. That way you can troubleshoot in a non-destructive way.

    If this fixes the problem, then your issue is in your profile. Sorry, but now it's time to refresh/rebuild. If it's broke, it's broke. Uninstalling/reinstalling Firefox will not remove your corrupted profile. The profile is persistent, until you either refresh or delete it.
     
  17. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
OK thanks, what about ASR?
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    ASR is a mitigation offered by a
    As stated above, this is offered by both EMET and HMPA. Though with EMET you can configure this, HMPA has an internal list. This will change in the near future.
     
  19. loekverhees

    loekverhees Registered Member

    Joined:
    Jan 14, 2008
    Posts:
    25
    Location:
    The Netherlands
    Also here I have (what I think is) a false positive. When trying to watch NPO1 using the Ziggo horizon.tv website (https://www.horizon.tv/nl_nl/tv-gids.html), HMPA shows the following log:

    Code:
    Mitigation   ROP
    
    Platform     10.0.10586/x64 06_3a
    PID          912
    Application  C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description  Internet Explorer 11
    
    Branch Trace                      Opcode  To                           
    -------------------------------- -------- --------------------------------
    0x0774A04C (anonymous; coreclr.dll)     RET  0x3056C490 System.Windows.Browser.ni.dll
    
    TlsGetValue +0x43                    RET  0x0774A028 (anonymous; coreclr.dll)
    0x761C7153 KernelBase.dll                                               
    
    0x78443460 coreclr.dll             ~ RET* 0x53AEC240 System.Windows.RuntimeHost.ni.dll
                83790400                 CMP          DWORD [ECX+0x4], 0x0
                740c                     JZ           0x53aec252
                8b4904                   MOV          ECX, [ECX+0x4]
                8b410c                   MOV          EAX, [ECX+0xc]
                8b4904                   MOV          ECX, [ECX+0x4]
                ffd0                     CALL         EAX
                c3                       RET       
    
    
    0x78443411 coreclr.dll               RET  0x78443449 coreclr.dll       
    
    0x78682650 coreclr.dll               RET  0x78443411 coreclr.dll       
    
    0x78445D5F coreclr.dll               RET  0x784433FF coreclr.dll       
    
    0x78682650 coreclr.dll               RET  0x78445D5F coreclr.dll       
    
    0x78454E75 coreclr.dll               RET  0x78445D4C coreclr.dll       
    
    0x784460F9 coreclr.dll               RET  0x78445D40 coreclr.dll       
    
    0x78443518 coreclr.dll               RET  0x784460D7 coreclr.dll       
    
    0x78567DDE coreclr.dll               RET  0x78443510 coreclr.dll       
    
    0x78443591 coreclr.dll               RET  0x784434F9 coreclr.dll       
    
    0x78429968 coreclr.dll               RET  0x7844352B coreclr.dll       
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  7B5D1ABB npctrl.dll           
                85c0                     TEST         EAX, EAX
                741b                     JZ           0x7b5d1ada
                68e41a5d7b               PUSH         DWORD 0x7b5d1ae4
                68fc1a5d7b               PUSH         DWORD 0x7b5d1afc
                ffd6                     CALL         ESI
                50                       PUSH         EAX
                ff1588125c7b             CALL         DWORD [0x7b5c1288]
                85c0                     TEST         EAX, EAX
                7404                     JZ           0x7b5d1ada
                ffd0                     CALL         EAX
                8907                     MOV          [EDI], EAX
                5f                       POP          EDI
                33c0                     XOR          EAX, EAX
                5e                       POP          ESI
                5d                       POP          EBP
                c20800                   RET          0x8
    
    2  169F3FBF agcore.dll               DOM_InPrivateMode +0x27
    3  3056C4BC System.Windows.Browser.ni.dll
    4  30567589 System.Windows.Browser.ni.dll
    5  53AEC251 System.Windows.RuntimeHost.ni.dll
    6  53AEA953 System.Windows.RuntimeHost.ni.dll
    7  7977DB90 mscorlib.ni.dll       
    8  79822939 mscorlib.ni.dll       
    9  7981F371 mscorlib.ni.dll       
    10 7AF2B790 System.Windows.ni.dll 
    
    Process Trace
    1  C:\Program Files (x86)\Internet Explorer\iexplore.exe [912]
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10588 CREDAT:140548 /prefetch:2
    2  C:\Program Files\Internet Explorer\iexplore.exe [10588]
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"  https://www.horizon.tv/nl_nl/tv-kijken.html
    3  C:\Windows\System32\browser_broker.exe [11104]
    C:\WINDOWS\system32\browser_broker.exe -Embedding
    
     
    Last edited: May 9, 2016
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    For the benefit of the thread:

    ASR = Attack Surface Reduction

    "The mitigation allows Windows administrators to determine when—or if—plug-ins such as Java or Adobe Flash run at all on a Windows computer. Java and Flash, for example, have been favorite targets of hackers. Many advanced attacks exploit vulnerabilities in either platform, giving them an initial foothold on a system that can be then leveraged for further system and network access."

    https://threatpost.com/microsoft-releases-new-version-of-emet-exploit-mitigation-tool/107549/
     
  21. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Horizon.tv should only work with Firefox and Silverlight according to Ziggo.

Horizon Go on a Windows computer
Do you have a laptop or PC with Windows 7, 8 or 10? Here is how to use Horizon Go:
1. Download and install the Firefox browser.
2. Download and install Microsoft Silverlight.
3. Open Firefox and go to horizon.tv.
4. Click Log in at the top and log in with your Mijn Ziggo details.
Unfortunately, Horizon Go does not work in other popular browsers such as Google Chrome, Internet Explorer or Microsoft Edge. These browsers do not support Microsoft Silverlight. Horizon Go needs this to play video in your browser. Therefore, always use Firefox.

    Source: https://www.ziggo.nl/klantenservice/horizon/go/op-je-laptop-of-pc/?index
     
    Last edited: May 9, 2016
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Ziggo says Internet Explorer doesn't support Microsoft Silverlight?

    I don't know whether Ziggo's Horizon.tv does or does not work with Internet Explorer, but what Ziggo says about Internet Explorer not supporting Silverlight seems nonsense.

    From Silverlight System Requirements:
    "Silverlight is not available in the Microsoft Edge browser, but is supported in Internet Explorer."

    As for loekverhees' report, I cannot try it myself (with Windows 7 x64), as I don't have a Ziggo account to login at Horizon.tv.
     
  23. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
I do have a German Horizon.tv account that I do not use anymore, because Silverlight is required.
As Silverlight is abandonware and not supported by Microsoft anymore, I don't want to use it,
but my provider says:

    Edge and Chrome do not support Silverlight anymore, we are working on a solution.
    In the meanwhile use IE11, or Firefox...
    http://abload.de/img/horizonche52.jpg

I can't test, because I have IE disabled, and Silverlight and Firefox not installed...
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Ah thanks for explaining :)
     
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
OK, that's good to know, so no need for EMET then.
     