HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118
    Hello again!

    Erik & Mark could you reveal what kind of differences Sophos Clean has compared to HitmanPro.ALERT? And I don't mean the logo or name. :)


    ps. Question for the rest of the readers... what kind of driver latencies are you getting with HitmanPro.ALERT? Here is my result:

    http://i.imgur.com/3w4rE44.png
     
  2. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136

    Clean looks to be HitmanPro not HitmanPro.Alert.
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Sophos Clean = HitmanPro

    It has nothing to do with Alert.

    Hope this helps.
     
  4. escalibur

    escalibur Registered Member

    Joined:
    Jun 29, 2013
    Posts:
    118
    Oh ok. Thanks for the clarification. I wish Alert for business would be out soon too.

    I need to do some Sophos Clean tests in our lab.
     
    Last edited: May 17, 2016
  5. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    When I asked Sophos about adding CryptoGuard (used in HitmanPro.Alert) they stated that it would be an additional paid-for add-on to Endpoint later in the year.

    I imagine there is a lot of testing to be done before Sophos release the CryptoGuard add-on to their business customers to avoid generating a lot of false positives/support calls. It'll be more than slapping a Sophos logo onto HitmanPro.Alert.

    I'd really like a central console for HitmanPro and HitmanPro.Alert so that I have a remote installation and dashboard view of my PCs. Having to install and maintain both products on only 120 PCs was already a pain.

    HitmanPro not running resident is unfortunate as I would like that. I think it was mentioned for v3.5?

    HitmanPro.Alert not running on servers is an issue for businesses, my Terminal Server users aren't protected as a result.
     
  6. Roxl

    Roxl Registered Member

    Joined:
    Feb 24, 2016
    Posts:
    12
    Windows 10 Pro 64bit Version: 1511 Build:10586.318
    HMPA Build 370

    Firefox 46.0.1 : not responding
    Google Chrome 50 on start:

    Intruder

    PID 12628
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 50

    Code Injection
    00CE4000-00CE5000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [9172]
    770F7000-770F8000 4KB
    770F6000-770F7000 4KB
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [9172]
    2 C:\Windows\explorer.exe [8432]
    3 C:\Windows\System32\userinit.exe [7852]
     
  7. mirage22

    mirage22 Registered Member

    Joined:
    Apr 20, 2016
    Posts:
    51
    I am on 3.1.9 - 368 again after the 370 test release blew up google chrome on windows boot.

    I just encountered an error with Skype for Business. here are the details

    Code:
    Mitigation   ROP
    
    Platform     10.0.10586/x64 06_3a
    PID          16372
    Application  C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
    Description  Skype for Business 16
    
    Branch Trace                      Opcode  To                             
    -------------------------------- -------- --------------------------------
    +0x55fbf                           ~ RET  0x5CDC3998 Mso20win32client.dll
    0x73FA5FBF hmpalert.dll                                                   
    
    +0x11b53                           ~ RET* 0x010B9625 lync.exe             
    0x73F61B53 hmpalert.dll                                                   
                45                       INC          EBP
                fc                       CLD         
                0185f674078b             ADD          [EBP-0x74f88b0a], EAX
                ce                       INTO       
    
    
    SetManipulationInputTarget +0xd6     RET  MsgWaitForMultipleObjectsEx +0x1a8
    0x759D8576 user32.dll                     0x759BC4A8 user32.dll           
    
    InvalidateRect +0x1c               ~ RET  MsgWaitForMultipleObjectsEx +0x184
    0x759D895C user32.dll                     0x759BC484 user32.dll           
    
    Wow64SystemServiceEx +0x257        ~ RET  TurboDispatchJumpAddressEnd +0xb
    0x63636347 wow64.dll                      0x63621C87 wow64cpu.dll         
    
    0x63648404 wow64.dll                 RET  Wow64SystemServiceEx +0x244     
                                              0x63636334 wow64.dll           
    
    0x63688610 wow64win.dll            ~ RET  Wow64SystemServiceEx +0x155     
                                              0x63636245 wow64.dll           
    
    0x63693804 wow64win.dll            ~ RET  0x6368860B wow64win.dll         
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  5CDC39A8 Mso20win32client.dll   
                6894b8e95c               PUSH         DWORD 0x5ce9b894
                ffb7b4000000             PUSH         DWORD [EDI+0xb4]
                89476c                   MOV          [EDI+0x6c], EAX
                ffd6                     CALL         ESI
                68b4b8e95c               PUSH         DWORD 0x5ce9b8b4
                ffb7b4000000             PUSH         DWORD [EDI+0xb4]
                894770                   MOV          [EDI+0x70], EAX
                ffd6                     CALL         ESI
                68d0b8e95c               PUSH         DWORD 0x5ce9b8d0
                ffb7b4000000             PUSH         DWORD [EDI+0xb4]
                894774                   MOV          [EDI+0x74], EAX
                ffd6                     CALL         ESI
                68e8b8e95c               PUSH         DWORD 0x5ce9b8e8
                ffb7b4000000             PUSH         DWORD [EDI+0xb4]
                894778                   MOV          [EDI+0x78], EAX
                ffd6                     CALL         ESI
    
    2  5AE7E2DD Mso99Lwin32client.dll   
    3  5AE7E786 Mso99Lwin32client.dll   
    4  5AE7E8C9 Mso99Lwin32client.dll   
    5  5AD39FFF Mso99Lwin32client.dll   
    6  5AC4FEDB Mso99Lwin32client.dll   
    7  5AC4FBE2 Mso99Lwin32client.dll   
    8  5AC56218 Mso99Lwin32client.dll   
    9  5AC5610C Mso99Lwin32client.dll   
    10 5AC560CD Mso99Lwin32client.dll   
    
    Process Trace
    1  C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe [16372]
    2  C:\Windows\explorer.exe [6504]
    3  C:\Windows\System32\userinit.exe [6276]
    
     
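    As an added example (not code from this thread or from the HitmanPro.Alert product), here is a small Python triage helper that parses alert reports in the layout posted above and groups them by alert type, application and parent-process chain, so that repeated reports of the same kind stand out at a glance. The two sample reports are constructed, abbreviated copies of the reports posted in this thread; the field layout and section names are assumed from those posts only and may not cover every report type the product emits.

```python
"""Triage helper for HitmanPro.Alert reports pasted into a support thread.

Assumed layout (taken only from the reports posted in this thread):
  - header lines such as "Mitigation   ROP", "PID 16372", "Application C:\\...";
  - an "Intruder" report names its type on the first line instead;
  - "Stack Trace" rows look like "1  5CDC39A8 Module.dll" (disassembly indented);
  - "Process Trace" / "Code Injection" rows look like "1  C:\\path\\app.exe [pid]".
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

HEADER_RE = re.compile(r"^(Mitigation|Platform|PID|Application|Description)\s+(.+?)\s*$")
# Process rows: index, full path, [pid]. Memory-region rows such as
# "00CE4000-00CE5000 4KB ..." do not match because a hex range is not all digits.
PROC_RE = re.compile(r"^(\d+)\s+(.+?)\s+\[(\d+)\]\s*$")
# Stack rows: index, 8-hex-digit address, module. Disassembly lines never match.
STACK_RE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s*$")


@dataclass
class AlertReport:
    mitigation: str = ""
    platform: str = ""
    pid: int = 0
    application: str = ""
    description: str = ""
    process_trace: list = field(default_factory=list)  # [(path, pid)], child first
    stack_modules: list = field(default_factory=list)  # module per stack frame


def parse_report(text: str) -> AlertReport:
    rep = AlertReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Branch Trace") or line == "Stack Trace":
            section = line.split()[0]  # "Branch" or "Stack"
            continue
        if line in ("Process Trace", "Code Injection"):
            section = "Process"
            continue
        if line == "Intruder" and section is None:
            rep.mitigation = "Intruder"  # Intruder reports carry no "Mitigation" header
            continue
        m = HEADER_RE.match(line)
        if m and section is None:
            key, val = m.group(1).lower(), m.group(2)
            if key == "pid":
                rep.pid = int(val)
            else:
                setattr(rep, key, val)
            continue
        if section == "Process":
            m = PROC_RE.match(line)
            if m:
                rep.process_trace.append((m.group(2), int(m.group(3))))
        elif section == "Stack":
            m = STACK_RE.match(line)
            if m:
                rep.stack_modules.append(m.group(3))
    return rep


def signature(rep: AlertReport) -> str:
    """Key that ignores PIDs and addresses: type | app | parent-first process chain."""
    names = [PureWindowsPath(p).name.lower() for p, _ in rep.process_trace]
    chain = " -> ".join(reversed(names))
    return f"{rep.mitigation}|{PureWindowsPath(rep.application).name.lower()}|{chain}"


def group_reports(texts) -> Counter:
    """Count how many pasted reports share the same signature."""
    return Counter(signature(parse_report(t)) for t in texts)


# Constructed sample: abbreviated copy of the ROP report posted above.
ROP_REPORT = r"""
Mitigation   ROP

Platform     10.0.10586/x64 06_3a
PID          16372
Application  C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
Description  Skype for Business 16

Branch Trace                      Opcode  To
-------------------------------- -------- --------------------------------
+0x55fbf                           ~ RET  0x5CDC3998 Mso20win32client.dll
0x73FA5FBF hmpalert.dll

Stack Trace
#  Address  Module                   Location
-- -------- ------------------------ ----------------------------------------
1  5CDC39A8 Mso20win32client.dll
            6894b8e95c               PUSH         DWORD 0x5ce9b894
            ffd6                     CALL         ESI
2  5AE7E2DD Mso99Lwin32client.dll

Process Trace
1  C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe [16372]
2  C:\Windows\explorer.exe [6504]
3  C:\Windows\System32\userinit.exe [6276]
"""

# Constructed sample: abbreviated copy of the Intruder report posted above.
INTRUDER_REPORT = r"""
Intruder

PID 12628
Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Description Google Chrome 50

Code Injection
00CE4000-00CE5000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [9172]
770F7000-770F8000 4KB
1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [9172]
2 C:\Windows\explorer.exe [8432]
3 C:\Windows\System32\userinit.exe [7852]
"""

# A second, constructed Intruder report from another machine: same chain, new PIDs.
INTRUDER_REPORT_2 = INTRUDER_REPORT.replace("12628", "4410").replace("9172", "4410")

if __name__ == "__main__":
    for sig, n in group_reports([ROP_REPORT, INTRUDER_REPORT, INTRUDER_REPORT_2]).items():
        print(f"{n} x {sig}")
```

    Running the block prints one line per distinct signature with its count, so the two Chrome Intruder reports collapse into a single entry while the Skype for Business ROP report stays separate; the stack-module list kept on each parsed report is what you would look at next when deciding whether a report is a real attack or a compatibility problem between two products hooking the same process.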
  8. guest

    guest Guest

    To summarize it, there are now 2 reports of the same type (Intruder) on build 370
    userinit.exe -> explorer.exe -> chrome.exe (v50) (Code Injection)
    (Windows 10)
    => #9884
    => #9933
     
    Last edited by a moderator: May 17, 2016
  9. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    I think that the third one actually referred to the first report.
     
  10. guest

    guest Guest

    You're right. I corrected my post :oops:
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What AV?
     
  12. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Hi guys, I am able to reproduce the Intruder alert with Build 370 PreRelease! We're investigating the issue and we'll let you know soon!
     
  13. Roxl

    Roxl Registered Member

    Joined:
    Feb 24, 2016
    Posts:
    12
    Bitdefender Total Security 2016
     
  14. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    erik, you got PM.

    Txs
     
  15. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    AppGuard + Sandboxie + HMPA = Firefox 30-60% CPU usage
     
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Which HMP.A build?
    3.1.9.368, 3.1.9.369, or 3.1.10.370?
     
  17. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    3.1.10.370
    Regards.
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Strip HMPA. Still CPU load?
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.1.10 Build 371 PreRelease

    Changelog (compared to 370)
    • Improved compatibility with Bitdefender 2016.
    • Improved Attack Surface Reduction compatibility with System Mechanic
    • Improved compatibility with Firefox 46
    • Improved ROP mitigation
    Download
    http://test.hitmanpro.com/hmpalert3b371.exe

    Please let me know how this version runs on your computer :thumb:
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Running fine - so far :) Win 8.1 x64, FF 46.0.1 x64.
     
  21. solitarios

    solitarios Registered Member

    Joined:
    Mar 28, 2016
    Posts:
    230
    Without Sandboxie working fine FF win10 x64
    With Sandboxie working bad FF
     
  22. mirage22

    mirage22 Registered Member

    Joined:
    Apr 20, 2016
    Posts:
    51
    seems fine so far on firefox and chrome

    thanks!
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    So far so good here. :thumb:
     
  24. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Does this do anything to fix Rapport compatibility?
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Trusteer Rapport recently introduced return-oriented-programming in its hooks o_O
    A compatibility fix will be in build 372. For now disable Control-Flow Integrity on the affected browser when you run both Alert and Trusteer Rapport.
     