HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. eddiewood

    eddiewood Registered Member

    @erikloman

    Hi Erik, I am running HMP.A with 130 users and we have an issue with a Java Web application taking a few attempts to start.

    - HMP.A does not alert that it has blocked the Java application from launching.
    - There is no event logged in the event log.
    - The application eventually launches after several attempts.
    - I have tried HMP.A stable and beta versions.

    However the Java Web application always launches if I turn off the Exploit Mitigation under Java Web Launcher 8 called Dynamic Heap Spray.

    Since HMP.A silently blocks the application from launching and there is no log I can't really give you anything more than that! Any ideas?

    Ed.
     
  2. erikloman

    erikloman Developer

    I think that the Java app asks for too big a memory chunk. Alert randomizes memory and then Java cannot get one large contiguous piece due to randomization. Disabling Heap Spray will help indeed.
     
  3. eddiewood

    eddiewood Registered Member

    Is that the only solution? Disable the Heap Spray mitigation for ALL Java Web applications not just that single one?

    Shouldn't HMP.A log it and alert me rather than just silently block it?

    I can't add that one Java Web app to the HMP.A exclusions list as it resides on a Web server so there is no file path to exclude, I could do with an option to exclude trusted IP addresses if you see what I mean?
     
  4. guest

    guest Guest

    I learned it the hard way after I deinstalled it and all my settings were gone :D (this was not the case with earlier versions)
    Btw.: the whole registry key is deleted after a deinstall - [HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert]
     
  5. paulderdash

    paulderdash Registered Member

    +1
     
  6. paulderdash

    paulderdash Registered Member

    I recently uninstalled the beta for upgrade to Win 10 AU (1607). License was preserved, but indeed settings were not. But I had exported my settings and was able to reimport them.
     
  7. Victek

    Victek Registered Member

    Thanks for clarifying this :thumb: I remembered the license being preserved, but wasn't sure about settings.
     
  8. Victek

    Victek Registered Member

    Upgraded build 448 to 550 and rebooted; everything running fine :thumb:
     
  9. L10090

    L10090 Registered Member

    W7-x64 with HMP.alert 3.5.1 build 550 beta (upgraded from build 548) is running without issues.
     
  10. markloman

    markloman Developer

    That will probably not solve the problem. Some Java applications, like this one, are incompatible with modern security practices and on top of that allocate one big chunk of memory that is incompatible with address space relocation. If you need to use this specific Java application, you cannot avoid sacrificing some security. This is the reason why HitmanPro.Alert allows meticulous configuration of individual mitigations. You need to disable ASLR and Dynamic Heap Spray on the individual Java executables in HitmanPro.Alert to use this Java application.
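
A simplified model of the failure described in the developers' replies above, added here as an illustration (it is not HitmanPro.Alert code and not from the thread): when small reservations are scattered at random addresses, a single large contiguous request only fits on some launches, which matches the "takes a few attempts" symptom. Assumptions: a 32-bit process with 2 GiB of user address space, a hypothetical 1 GiB heap request, and uniformly random 1 MiB reservations; the thread does not say how HitmanPro.Alert actually places memory.

```python
import random

GRANULE = 64 * 1024          # Windows allocation granularity (64 KiB)
USER_SPACE = 2 * 1024 ** 3   # assumption: 32-bit process, 2 GiB of user address space
SLOTS = USER_SPACE // GRANULE


def largest_free_run(reserved):
    """Largest contiguous free span in bytes; `reserved` holds (start_slot, slot_count)."""
    best = cursor = 0
    for start, count in sorted(reserved):
        best = max(best, start - cursor)
        cursor = max(cursor, start + count)
    return max(best, SLOTS - cursor) * GRANULE


def random_layout(rng, regions, region_slots):
    """Constructed layout: `regions` reservations dropped at random aligned addresses."""
    return [(rng.randrange(SLOTS - region_slots + 1), region_slots)
            for _ in range(regions)]


def launch_success_rate(request_bytes, regions, region_slots=16, trials=2000, seed=1):
    """Fraction of simulated launches where one contiguous block of the given size fits."""
    rng = random.Random(seed)
    fits = sum(
        largest_free_run(random_layout(rng, regions, region_slots)) >= request_bytes
        for _ in range(trials)
    )
    return fits / trials


if __name__ == "__main__":
    heap = 1024 ** 3  # hypothetical 1 GiB contiguous heap request
    for n in (0, 1, 3, 8):
        print(f"{n} scattered reservations -> {launch_success_rate(heap, n):.0%} of launches succeed")
```

In this model three scattered reservations already leave room for the 1 GiB block on only about half of the launches, and a smaller request fits almost every time.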
     
  11. eddiewood

    eddiewood Registered Member


    Fair enough, but why is there no alert to tell me what is going on?
     
  12. mirage22

    mirage22 Registered Member

    Is this how it ends? Will we see HMPA eventually becoming Sophos Intercept and then gradually shutting down HMPA. Or perhaps, Sophos intercept becomes a bigger project that includes HMPA as part of a wider solution?
     
  13. Peter2150

    Peter2150 Global Moderator

    Or you might just see it as it is now. I can see advantages to doing both.
     
  14. Peter2150

    Peter2150 Global Moderator

    Hi Erik and Mark

    550 is purring here so far on Win 7
     
  15. Victek

    Victek Registered Member

    Mark already said "Sophos Intercept includes HitmanPro.Alert 3.5". If HMPA is included in Sophos Intercept how does it "end" even if it was to cease to be called HMPA (which there's no reason to believe will happen at this point)? What is your concern?
     
  16. bjm_

    bjm_ Registered Member

    build 550 + KeePass master password = no orange keystroke encryption bar.
    build 550 + Enpass master password = orange keystroke encryption bar.
     
    Last edited: Aug 8, 2016
  17. chrcol

    chrcol Registered Member

    No fix for keyboard encryption in this build?
     
  18. chrcol

    chrcol Registered Member

    Is it not the obvious one? People who have HMPA licenses may have to spend again to get Sophos licenses? Why else change the product name?

    There is also that the devs' minds seem elsewhere, and issues are piling up on this product.

    For me the increase of false positives is increasing over time, including killing installers. Also the unresolved keyboard encryption which the devs are trying to avoid commenting on so it gets swept under the carpet.
     
    Last edited: Aug 8, 2016
  19. Victek

    Victek Registered Member

    I don't see any reason to fear that HMPA licenses will not be honored for their full duration; do you? One reason for why the product name might be changed is to reflect the name of the parent company's products. Since the devs just released a new beta build I don't see how their minds are elsewhere. FPs have always been addressed over time (and yes I understand that when they're happening to us it's bad and we want it fixed right away).
     
  20. JEAM

    JEAM Registered Member

    Thanks to all who replied to my question about what happens to settings and license key if/when you uninstall HMP.A. :thumb:
     
  21. Peter2150

    Peter2150 Global Moderator

    chrcol

    You are spreading pure FUD. No one has ever said anything but that our licenses are valid. They have also explained what their time is being spent on. We have never seen any evidence of anything but complete candor. Also from my contact with Sophos, they are equally upstanding.

    If you have facts that's fine, but what you are spreading is without basis.
     
  22. chrcol

    chrcol Registered Member

    So the ignoring of my posts and PMs is without basis? Except one post.

    These are facts.

    Increasing false positives.
    Keyboard encryption broken on mine and others' machines since the 3.5 release.

    It is offensive to claim someone is spreading FUD when it is facts.
     
  23. chrcol

    chrcol Registered Member

    I am a patient guy providing the person/entity I am dealing with listens to me and accepts problems I report properly.

    So e.g. if one of the devs said the problem is acknowledged and they are working on fixing it, then time would be given for them to work on the problem. However, this is not the case; instead I am being blanked out with no comments on the matter, and that I take issue with.

    The false positives are something they can work on and fix, and I know they have fixed some false positives before. The problem is a false positive can cause nasty damage, e.g. crashing an installer when it is halfway through its task, or an app with unsaved information. I suppose what I would suggest is that they don't hook onto every process in the system, only the apps added in the configuration (like EMET does); however, I think they need to hook onto everything for the hollow process protection. So an alternative option would perhaps be to have processes that are not specifically added in the app section be in audit-only mode, whilst the apps added to protection are in the terminate mode (or whatever is configured).

    Remember we are told to not add every binary on the system to hmpalert protection, for the reason that it will break stuff and not every binary needs exploit protection, yet it seems binaries that are not added are still being checked, e.g. in my case the Avast uninstaller, which I did not add to hmpa; hmpa itself decided to apply its checks on the binary.
     
  24. numen

    numen Registered Member

    Thanks for the new build. I have downloaded and tested it and it seems Avira Web Protection download issue has not yet made it. Out of curiosity, were you able to replicate the issue or is it just me? It seems Avira is not willing to test the interaction with HMPA, they advise that no other security product should be installed with Avira.
     
  25. Peter2150

    Peter2150 Global Moderator

    I never said there weren't problems, but that has nothing to do with implying that their work with Sophos will mean buying new licenses.

    Also the binaries that are added and checked are mainly checked to be sure nothing has been injected into the browsers.
     