HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. guest

    guest Guest

    In your case Opera has dropped installer.exe to a temporary directory and wanted to execute it, but the execution was prevented by HMP.A.
    You can try to temporarily disable "Application Lockdown" for Opera before you update it.
    If this doesn't work, reboot (or restart the service of HMP.A) and try it again.
     
  2. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Thanks for identifying which aspect triggers this and how to temporarily whitelist it.
     
  3. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I just installed the beta trial. Before doing so I deleted the older version 578 and cleared my recycle bin. I then went into shadow mode and installed 580.
    Then ran a scan and it found three items. One was a Process Hacker install file I never installed. But the one oddball was it shows it found 578 in my downloads folder and the only one I still have there is 580.
     


  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    See Erik's recent reply to bjm_'s post, in the HMP thread:
    Also, there is no need to uninstall before upgrading. You can simply run the installer to upgrade, no need to uninstall first.
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I think you are right because I use Shadow Defender, but I thought I deleted the file from my real disk before entering shadow mode. I could understand if I had deleted it while in shadow mode because then it would really still be on my physical drive. Anyway, no biggie.
     
  6. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    Did you mean this response here?


    https://www.wilderssecurity.com/thr...e-emsisoft-internet-security-12.388577/page-8

    http://pastebin.com/jsNyPHr8
     
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    @clubhouse1,
    I do not understand your reply.

    Firstly, the quoted post was dated April 7, 2015, and was answered by Erik Loman on that same day.

    Secondly, you refer to page 8 in the Emsisoft Anti-Malware & Emsisoft Internet Security 12 thread, without any note to what you are referring to. However, as you also refer to fwosar's Pastebin, I suppose you meant to refer to Fabian Wosar's January 8, 2017 post in that Emsisoft thread.
    Still, you don't explain anything.

    Try to be clear. What is it that you are trying to say?
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I thought it was clear as in I was clearly asking a question, a question of its type usually has two answers: "Yes" or "No"....By my powers of deduction I think you are trying to say no...Case solved :)
     
  9. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    To me, Erik's April 7, 2015 reply was clear enough.
    And I don't see what Fabian Wosar's January 8, 2017 post regarding Emsisoft has to say about HMPA's CryptoGuard.
    So, it's still not clear to me what you are trying to say.
     
  10. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    @erikloman @markloman
    Greetings Erik/Mark. I PM'd Erik and I realize I should have done this here instead.
    So here goes.
    I won a key over at Malwaretips for Hitman Pro on 1/18/2017. I was already a subscriber with a key that was good till 09/2017.
    The key I received (that I won) registered, but did not add any time to my current subscription.
    I emailed support and received a simple reply from "Lisa" that stated the key was active. I replied with a SS of the error I received
    and requested that maybe the time could be added to my currently active key that I had purchased and supplied that key to her.
    I received a reply today from Lisa that states:
    "I deactivated your paid key and added the time to the key you won". I apply the key that I had won (keep in mind it's the key that failed the first time). Still a no go, same error, and I supply a SS of that one as well, and now my paid key which was trashed is still showing active till 9/2017.
    Why deactivate the working key the customer paid for? Why not eliminate the troublesome key and add the time to the key I paid for? That to me would have been an easy and straightforward solution.
    Now I am left with a giveaway key that does not work, and a paid key Lisa is doing her best to deactivate.
    I am to the point now that I have uninstalled all SurfRight solutions and discontinued the support with Lisa given the direction that was going in. If I can't receive help here from you, then just keep both keys, and I will look for another solution. But as a last ditch effort I am hoping you can help with this?
    Edit: If you need access to the Keys in question I will be glad to PM them to you.
    Neither one should show up as (in use) at this time.
     
    Last edited: Jan 23, 2017
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Erik and / or Mark,

    How do I add a program to HMP.A's Protected Applications that isn't detected by the software radar? The program in question used to be detected by the software radar with (much) earlier versions but no more.

    Thanks.
     
  12. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Launching the program, then find it in the Running Applications?
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Thanks, but as I said it isn't detected by the software radar now. I used to add it that way but I can't now.
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What application is failing to add?
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I've sent you a PM.

    Thanks.
     
  16. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Okay. I wasn't sure about "software radar". That's why my response was with a question mark, and offered you what I presumed you already know. :D
    At least I now know that software radar means the detection of HMP.A to possible programs to be added. :D
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    No worries. I'm always learning here at Wilders'. ;)
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    @_CyberGhosT_,
    I'm not sure whether you mean you PM'd Erik already, or not,
    but with a PM to Erik, including your keys, there's a good chance Erik can fix your keys situation.
     
  19. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Thank You Stupendous, Erik did remedy the situation, and quickly.
    I suspect that it was due to the changes made internally. I purchased my license
    that was active back when the licenses would activate both HMP & HMPA.
    The Giveaway license was a newer key and I imagine good for only "Either / Or".
    So I lost the use of HMPA and that was a paid key.
    Anyway it is solved and my gratitude to Erik.
     


    Last edited: Jan 24, 2017
  20. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    I wish,
    He won't know it by looking at my ticket, lol but I love both HMP & HMPA as I run nothing but Sig-less security on my
    DigitalStorm system, and for a long time I have used both HMP & HMPA. If he were to look under my wife's CC we have years of purchases. I still may get HMPA again but when they deactivated my paid key, they took HMPA away from me and it is no longer active.
    That was wrong, but after what I went through I am just glad one of them is active. ;)
    Thanks SHvFI
     
    Last edited: Jan 24, 2017
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    That's odd. I thought you said Erik remedied the situation?
    Could it be that the way you described your situation was not clear to Erik, and Erik misunderstood?
     
  22. guest

    guest Guest

    If the application isn't shown in the taskbar, it isn't shown in "Running Applications".
    This can be the reason why you can't see it.
     
  23. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    No, see, the key I purchased was for HMPA (or at least it activated both) Cleverbridge #97156752 and Lisa deactivated that key for some reason rather than deactivating the free key I had won, which was causing the problem. I promise I am so glad to have this resolved that I don't care. If I have to repurchase HMPA I may. I am using the trial version for now, just to have that whole ordeal over with. I can just chalk it up to experience ;)
     
    Last edited: Jan 24, 2017
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    @erikloman,
    @markloman,

    On Windows 7 x64,
    with HMPA 3.6.3.580 beta
    (N.B. for other system details, see second line of my signature!)
    Edit: when editing and subsequently saving three .odt files in LibreOffice 5.2.4
    when opening 3 .odt files (A,B,C), editing 2 (A,B), and not editing the third (C), and subsequently saving all 3 (A,B,C) .odt files in LibreOffice 5.2.4,
    with saving the third, unedited, .odt file (C),
    CryptoGuard blocked C:\Program Files (x86)\LibreOffice 5\program\soffice.bin
    See:
    Code:
    Mitigation   CryptoGuard
    
    Platform     6.1.7601/x64 v580 06_17*
    PID          5428
    Application  C:\Program Files (x86)\LibreOffice 5\program\soffice.bin
    Description  LibreOffice 5.2.4
    
    Filename     C:\Program Files (x86)\LibreOffice 5\program\soffice.bin
    
    D:\Users\XXXXX\Documents\XXXXX\XXXXX\XXXXX\CCCCC.odt
    D:\Users\XXXXX\Documents\XXXXX\XXXXX\XXXXX\BBBBB.odt
    D:\Users\XXXXX\Documents\XXXXX\XXXXX\XXXXX\AAAAA.odt
    
    
    Process Trace
    1  C:\Program Files (x86)\LibreOffice 5\program\soffice.bin [5428]
    "C:\Program Files (x86)\LibreOffice 5\program\swriter.exe" "-o" "D:\Users\XXXXX\Documents\XXXXX\XXXXX\XXXXX\AAAAA.odt" "--writer" "-env:OOO_CWD=2D:\\Users\\XXXXX\\Documents\\XXXXX
    2  C:\Program Files (x86)\LibreOffice 5\program\soffice.exe [6804]
    "C:\Program Files (x86)\LibreOffice 5\program\swriter.exe" -o "D:\Users\XXXXX\Documents\XXXXX\XXXXX\XXXXX\AAAAA.odt" --writer
    3  C:\Program Files (x86)\LibreOffice 5\program\swriter.exe [5196]
    "C:\Program Files (x86)\LibreOffice 5\program\swriter.exe" -o "D:\Users\XXXXX\Documents\XXXXX\XXXXX\XXXXX\AAAAA.odt"
    4  C:\Windows\explorer.exe [6252]
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    5  C:\Windows\System32\svchost.exe [616]
    C:\Windows\system32\svchost.exe -k DcomLaunch
    
    Thumbprint
    5f0c22a7037b6761aeca37a3ab1f7c71022dac687ee414bec2bea39c138a7b58
    
    Edit:
    N.B. So that was with LibreOffice version 5.2.4 x86 on Windows x64, in case those details are relevant.

    Edit:
    I changed the previous X,Y,Z notation to A,B,C, to differentiate from the XXXXX.
    And I corrected the notation in Process Trace, where file A is the file mentioned in Process Trace (not C, nor Z, as I erroneously noted, before).

    To be able to use LibreOffice again, I had to disable CryptoGuard, which unlocked LibreOffice soffice.bin
    See:
    Code:
    Auto-unblock C:\Program Files (x86)\LibreOffice 5\program\soffice.bin
    
    After re-enabling CryptoGuard, and trying again, the same happened:
    when opening 3 .odt files (A,B,C), editing 2 (A,B), and not editing the third (C), and subsequently saving all 3 (A,B,C) .odt files in LibreOffice 5.2.4,
    with saving the third, unedited, .odt file (C),
    CryptoGuard blocked C:\Program Files (x86)\LibreOffice 5\program\soffice.bin

    Edit:
    I tested once more,
    this time first disabling G Data's anti-ransomware module (with which there was no conflict before),
    and then again opening 3 .odt files (A,B,C), editing 2 (A,B), and not editing the third (C), and subsequently saving all 3 (A,B,C) .odt files in LibreOffice 5.2.4.
    There was no difference with G Data's anti-ransomware module disabled.
    Just as with G Data's anti-ransomware module enabled, with saving the third, unedited, .odt file (C),
    CryptoGuard blocked C:\Program Files (x86)\LibreOffice 5\program\soffice.bin

    Edit:
    I updated LibreOffice to version 5.2.5 x86 and tested again,
    also I tested in another user account (in case the first account might have a corrupted LibreOffice user profile),
    and also I tested with three other .odt files (in case the first files were corrupted somehow),
    but the outcome was the same, every time,
    CryptoGuard blocked C:\Program Files (x86)\LibreOffice 5\program\soffice.bin


    Additionally:

    Some other issues that I noticed a few times, but that I cannot reproduce each time, are the following issues:

    1.
    When moving shortcut icons on Windows 7 desktop by dragging, sometimes when dragging the item, it stops halfway, and I need to resume dragging.
    2.
    When moving shortcut icons on Windows 7 desktop by dragging, sometimes when dragging the item, it stops halfway, and the shortcut opens, even though I do not double-click.

    3.
    When in Windows Explorer, showing a series of files (in Details view), when I swipe to mark a selection of the files to move or copy to another folder, marking stops halfway through the intended selection, and I need to reselect the intended selection.
    4.
    When in Windows Explorer, showing a series of files (in Details view), when I swipe to mark a selection of the files to move or copy to another folder, marking stops halfway through the intended selection, and one of the files opens, even though I do not double-click.

    5.
    When editing a text or document file, marking a selection to copy or move, when I swipe to mark the selection, marking stops halfway through the intended selection, and I need to reselect the intended selection.
    6.
    When editing a text or document file, marking a selection to copy or move, when I swipe to mark the selection, marking stops halfway through the intended selection, and the selection is moved unintentionally.
    N.B.
    Regarding 5 and 6, this happened when editing a .txt file in Windows WordPad,
    but if I remember correctly, the same happened when editing an .odt file in LibreOffice Writer.

    7.
    With HMPA 3.6.3.579 and 3.6.3.580 beta (I didn't test 3.6.3.578), many times LibreOffice Writer crashes when closing, however, I cannot reproduce each time.

    @erikloman,
    @markloman,
    If you have any suggestions for me for things to test, I will do so.
    Otherwise, I will revert to HMPA 3.6.1.574 stable.
     
    Last edited: Jan 26, 2017
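
A small parser for alert text in the layout quoted in the post above, added here as an example (it is not HitmanPro.ALERT's code, nor any poster's). It assumes only the field names and ordering visible in that one alert; `parse_alert`, `summary` and the sample text are constructed for illustration. It lets repeated blocks, such as the reproductions described in the post, be compared by application, process chain and file type.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the layout of the alert quoted above (paths shortened, placeholder thumbprint).
SAMPLE = r'''Mitigation   CryptoGuard
PID          5428
Application  C:\Program Files (x86)\LibreOffice 5\program\soffice.bin
Filename     C:\Program Files (x86)\LibreOffice 5\program\soffice.bin
D:\Users\XXXXX\Documents\CCCCC.odt
D:\Users\XXXXX\Documents\BBBBB.odt
D:\Users\XXXXX\Documents\AAAAA.odt
Process Trace
1  C:\Program Files (x86)\LibreOffice 5\program\soffice.bin [5428]
"C:\Program Files (x86)\LibreOffice 5\program\swriter.exe" "-o" "D:\Users\XXXXX\Documents\AAAAA.odt"
2  C:\Program Files (x86)\LibreOffice 5\program\soffice.exe [6804]
3  C:\Windows\explorer.exe [6252]
Thumbprint
0000000000000000000000000000000000000000000000000000000000000000
'''

KV = re.compile(r'^(Mitigation|Platform|PID|Application|Description|Filename)\s{2,}(.+)$')
HOP = re.compile(r'^(\d+)\s+(.+?)\s+\[(\d+)\]$')  # trace entry: index, image path, [pid]

def parse_alert(text):
    alert, section = {"files": [], "trace": []}, "header"
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line in ("Process Trace", "Thumbprint"):
            section = line
        elif section == "Thumbprint":
            alert["thumbprint"] = line
        elif section == "Process Trace":
            hop = HOP.match(line)
            if hop:
                alert["trace"].append({"image": hop[2], "pid": int(hop[3]), "cmdline": ""})
            elif alert["trace"]:
                alert["trace"][-1]["cmdline"] = line  # line after an entry is its command line
        elif kv := KV.match(line):
            alert[kv[1].lower()] = kv[2]
        else:
            alert["files"].append(line)  # bare paths listed after the Filename field
    return alert

def summary(alert):
    """Key for comparing repeated alerts: mitigation, blocked app, chain, file types."""
    chain = " <- ".join(PureWindowsPath(h["image"]).name for h in alert["trace"])
    exts = Counter(PureWindowsPath(f).suffix.lower() for f in alert["files"])
    return alert["mitigation"], PureWindowsPath(alert["application"]).name, chain, dict(exts)
```
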
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, about the rollback feature, what I don't understand is how HMPA knows which files are going to be modified. I mean, most tools are often too late to stop ALL files from being encrypted. I can't fully visualize it. And what do you think about the honey-pot approach? Would HMPA's CryptoGuard benefit from it?
     