HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,049
    Location:
    Baden Germany
    I would try to temporarily disable Crypto-Guard.
    I case this works, it will not be a good solution on the long run, because you will get tired of doing,
    and possibly forget to turn Crypto-Guard back on.

    I guess @erikloman will kick in and suggest a solution soon.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I see something similiar and disabling cryptp guard didn't work. I've had to go back to 536
     
  3. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Figured as much. Your problem is because of RollBack Rx. It was only recently that I reported that kind of issue to Erik, and he said that it's because of that recovery/backup software.

    What you should do is set HitmanPro (the scanning software) to "Compatible Disk Access". Scanning will be fine afterwards. :)
     
  4. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    163
    Thanks, XhenEd. That was exactly the problem. Also, RollbackRX If you choose to allow RollbackRX disable system restore, you should uncheck "create a restore point before deleting files" in Hitmanpro settings or HTMP will hang when it tries to delete files.
     
    Last edited: Jul 27, 2016
  5. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    I already unchecked it because I don't want it to create a restore point. But it's good to know that enabling it while RollBack Rx disabled System Restore will have an adverse effect to the OS. Thanks for that info! @erikloman should check that. :)
     
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The fact that the item has an icon tells me that all those Firefoxes are on the computer. If you enable exploit mitigation you can see where these are located and there is also an option to open an explorer to that location.
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I am able to reproduce this! :eek: Please expect a fix very soon.
     
  8. 142395

    142395 Guest

    Forgive me for my laziness about searching, but to use this w/ SBIE, still do I need to add exception rule?
    Thx in advance.
    And happy to see old friends here being fine.;)
     
  9. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,511
    Okay, except for 47.0.0, the rest are portable apps that I've used for building my Win7 Boot PE. I normally don't use these apps on my active system and did not think about them also being protected by HMPA. I guess it's time to do some house cleaning.:)
     
    Last edited: Jul 28, 2016
  10. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    163
    anyone know why I occasionally get this HMPA alert:

    Is it anything to worry about?

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 7/28/2016 3:37:52 PM
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: me15
    Description:
    Mitigation CryptoGuard

    Platform 10.0.10586/x64 06_3f
    PID 6816
    Application C:\Windows\System32\dasHost.exe
    Description Device Association Framework Provider Host 10

    Filename C:\Windows\System32\dasHost.exe

    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_5.jpg
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_4.jpg
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_0.png


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-07-28T22:37:52.337978500Z" />
    <EventRecordID>35016</EventRecordID>
    <Channel>Application</Channel>
    <Computer>me15</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Windows\System32\dasHost.exe</Data>
    <Data>CryptoGuard</Data>
    <Data>Mitigation CryptoGuard

    Platform 10.0.10586/x64 06_3f
    PID 6816
    Application C:\Windows\System32\dasHost.exe
    Description Device Association Framework Provider Host 10

    Filename C:\Windows\System32\dasHost.exe

    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_5.jpg
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_4.jpg
    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Dlna\DeviceIcons\23456789-1234-1010-8000-104fa8067b65_0.png

    </Data>
    </EventData>
    </Event>
     
  11. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    I tried searching and browsing thru this thread but did not find an answer for a few newbie questions. My apologies if these are already discussed somewhere...
    1. What is the difference between the various mitigation templates in practice (e.g. "Media" vs. "Office" vs. "Other"). At first glance it seems to me that whatever mitigation template I choose for a new application, it always gets all the 7 code mitigations and 5 memory mitigations enabled...
    2. What does the "Safe Browsing" do in addition to "Exploit mitigation" (and on the other hand - why should I NOT introduce all new applications as "Browsers" to HMPA when configuring new applications for protection)?
    3. Active vaccination is the recommended setting but IIRC Passive vaccination was on by default when I first started the software after installation. Why so (or do I just memorize it erroneously)? As a matter of fact I think that there was also at least one other recommended setting which was not enabled by default...
    4. HitmanPro has some settings that can be changed via its user interface. Is HMPA aware of these settings so that it uses them, or does HMPA download another copy of HitmanPro and use it with the default settings when I click "Scan computer" in HMPA?
    5. When playing around with the HMPA test tools (32-bit and 64-bit) I made some observations:
      1. In a Windows 7 (64-bit) workstation HMPA seems to prevent the exploits targeted to the 64-bit test application itself by default (i.e. without it being listed in the protected applications list), but the 32-bit test tool is vulnerable to the exploits when running it the same way - unless I explicitly introduce the 32-bit test tool to HMPA for protection. Is this the expected behavior and if so, why?
      2. In another workstation running Windows 10 LTSB without installing HMPA but running some other security software I was able to exploit the 64-bit test tool but was unable to exploit e.g. Firefox or VLC media player. Is there a straightforward explanation for this difference ("I was able to shoot myself but unable to shoot another process")?
    Generally speaking this looks like a very promising piece of software; I'm seriously considering to purchase a whole bunch of licenses... :thumb:
     
  12. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    Some very good questions there mike83 and as a newbie to HMPA, I would also be very interested in the answers.
    I can confirm that passive vaccination is on by default and I believe that BadUSB is disabled by default although Enabled is recommended. EDIT: Just realised that BadUSB is disabled on my laptop because I use a USB keyboard. Clever..

    I have just added Thunderbird manually as a "Browser" but am not sure if "Browser" is the correct category. Also I cannot see why this was not added automatically like most of my other applications . Perhaps it was not running when I set up HMPA?
     
    Last edited: Jul 30, 2016
  13. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    442
    Location:
    England
    Email clients should be added under the "Office" template.

    I don`t know why this is the case but it was mentioned somewhere in this megathread, so that`s what I did. Edit: HERE

    Portable Thunderbird here, I had to add it manually.
     
  14. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    Thanks Fad - I've now corrected to Office.
     
  15. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    442
    Location:
    England
    I used the browser template at first as well, it seemed the obvious choice to me at the time.

    (I thought "office" was for office suites and similar programs that had internet access)
     
  16. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    432
    Location:
    Mercia
    It's definitely not clear where email clients should go and it looks as though they are not added automatically for some reason. Also, as mike83 mentions above in his Q1, "whatever mitigation template I choose for a new application, it always gets all the 7 code mitigations and 5 memory mitigations enabled...", so it would be interesting to hear the expert view as to why we need to differentiate.
     
  17. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    978
    Location:
    UK
    I only recently discovered that if you click the big green safe browsing button, then click web browsers, then click on any of the browsers, you will see two boxes on the right wehich should be ticked. These may give an idea what that protection does.

    One box says intruder monitor and says it detects browser malware. My guess is it scans plugins and extensions loaded by the browser.
    The second box says keyboard encryption, this one is odd because HMPA does encrypt my typing when safe browsing is disabled, so I guess its a duplicated function thats also available in the exploit mitigation (not redundant when someone only has the free version of HMPA).

    I have the bad usb devices option disabled, but interestingly enough when I swapped my keyboard HMPA detected this and asked me to approve the change, so there is still some USB type protection in existance with that option unticked.

    I am also interested in the 64bit vs 32bit question.
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,116
    Location:
    USA
    Keystroke Encryption can also be toggled under "Risk Reduction". Whether or not it's implemented on a specific program may depend on which template is used though (not sure about this).

    Can you say more about this? I couldn't find an earlier reference in the thread.
     
    Last edited: Jul 30, 2016
  19. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    And on the other hand HMPA seems to automatically recognize e.g. KeePass which it puts into category "Other" but without displaying its icon below the big blue "Exploit Mitigation" button. However, when you click the blue icon and then "Applications", you will find KeePass under the title "OTHER". If you then go further and click KeePAss's icon you will find the standard 12 mitigations.

    BUT when you start and open KeePass, you will find also the "Keyboard Encryption" notification visible at the lower right corner of KeePass window...

    So I wonder why Firefox Keyboard encryption can be switched on and off under the big green button, but this is not so for KeePass (is it only a matter of implementing some of the missing features in the HMPA user interface or is there something else behind this difference...)

    I hope that Erik will have the time to shed some light into this and the other questions I presented a few messages ago...
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Yes I know, but the reason I asked is because in the past HMPA has sometimes failed to block ransomware. If I understood it correctly, the CryptoDrop developers managed to block them all. The only difference is that they can't stop encryption of all files, but I rather lose a couple of files, than to lose them all. So I wonder if HMPA works about the same or is CryptoDrop using a different method.
     
  21. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Not sure if this has been reported before (it is new for me and a long thread to comb through) but Cryptoguard on 3.5.0 546 terminates Privazer when using Empty recycle bin without a trace option. Understandable I suppose as the deletion routine is overwriting data but.........

    Thanks
     
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,116
    Location:
    USA
    It's been mentioned before that secure deleting, ie writing ones and zeros over deleted files, looks like active file encryption and so CryptoGuard jumps in to stop it. IIRC the advice has been to temporarily disable CryptoGuard, do the secure deleting and then re-enable CryptoGuard.
     
  23. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Thanks! Its what I've been doing. Will keep that going.

    Cheers
     
  24. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    Yet one more observation that I do not fully understand: TeamViewer (a remote desktop session application) is not protected in HMPA by default. If I add TeamViewer into the web browsers, it will get a green border - and respectively a blue one should I add it in another mitigation category.

    However, there will be no "Keystroke Encryption" label or "Safe Browsing" label or "Exploit Mitigation" label at the TeamViewer application windows lower right corner regardless of how I configure it. On the other hand KeePass displays a "Keystroke encryption" label without any user configuration... why the difference?

    I also do not understand the meaning of "Add exclusion" in the Exploit mitigation settings... or is is meant only for the applications that are "built-in" in the HMPA like Firefox, VLC media player etc? (If not, what is the difference between not configuring TeamViewer at all in HMPA and configuring it in the exclusion list)?

    Sorry for asking so many basic questions... somehow I feel that I'd like to see a similar kind of a user manual for HMPA that exists for the HMPA test applications.

    I actually wonder if that document already exists somewhere but I just have not found it yet - if so, please tell me where to search for it ...
     
  25. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    @mike83
    "Browsers" and the template "Other" have an additional keystroke encryption.
    If you look in the registry you'll see that "KbdGuard" is enabled for only these profiles:
    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_templates_\Other]
    "KbdGuard"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_templates_\Browsers]
    "KbdGuard"=dword:00000001
    As you already mentioned, for "Browsers" it can be changed in the GUI, but not for "Other".
    There can be problems with specific programs, even if you do not have added them to HMPA.
    Good example: MPC-HC (Media Player Classic Home Cinema) (It was mentioned earlier in this thread)
    If you have one of these "problematic" applications you have to add it to the Exclusion list.
    Better don't add all new applications to the category "Browsers".
    Put Media Players to "Media", Office Applications to "Office", Browsers to "Browsers", and so on ...
    Even if the templates "look the same" ;)
    if you don't know where to put a specific applications, just use "Other" first.
    I think because of more false positives with active vaccination. But i'm not sure.
    Changelog 3.1.3 Build 353 PreRelease: Changed Vaccination default from Active to Passive on fresh installs
    If you have HitmanPro installed and configured, Alert is launching it and therefore is using "your" already configured settings.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.