HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,291
    Location:
    Among the gum trees
    It does have a tray icon if that is what you mean.
     
  2. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    There was a RCE vulnerability in the "Cisco WebEx" Chrome extension, also in Firefox (the version for IE apparently was not exploitable since it's implemented via ActiveX).
    https://bugs.chromium.org/p/project-zero/issues/detail?id=1096

    @erikloman & @markloman:
    Would HMPA have helped against this? By for example blocking the spawned processes with Application Lockdown? Or would it allow all spawned processes of "ciscowebexstart.exe" since it's considered "trusted"/signed?
    ...maybe also through Safe Browsing?

    (If you want to test it: You can download a copy of the still vulnerable v1.0.1: https://crx.dam.io/ext/jlhmfgmfgeifomenelglieieghnjghma.html. Manually install it in Chrome like it says here https://dede.help.webex.com/docs/DOC-8177, a PoC is on the bug-report page.)
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,863
    If you see the application as a tray-icon but not in the taskbar then it isn't shown in HMP.A and can't be added.
    If it's possible, unmimize the application from the tray - Rightclick: "Show Window" or "Show", and if you can see it now in the taskbar, it can be added in HMP.A
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,291
    Location:
    Among the gum trees
    Thanks, I understand now. No it does not have an icon on the Task Bar. Anyway, Erik has a copy of the installer so if it can be added I'm sure he'll get it to work, but it is an uncommon program that not many people would be using so it may not be worth his time. We'll see.

    Thanks.
     
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,335
    Location:
    the Netherlands
    @erikloman,
    @markloman,

    Have you noticed my yesterday report regarding CryptoGuard blocking LibreOffice soffice.bin?
    (Plus seven more observations regarding HMPA 3.6.3.580 beta.)

    Today, I made two edits in that report.
    First, I described more clearly what I did that led to CryptoGuard blocking LibreOffice soffice.bin.
    Secondly, I tested again, this time first disabling G Data's anti-ransomware module (with which there was no conflict before), but there was no difference with G Data's anti-ransomware module disabled.

    See my yesterday report for full details.

    If you have any suggestions for me for things to test, I will do so.
    Otherwise, I will revert to HMPA 3.6.1.574 stable.


    P.S.
    @other forum members,
    Are you able to reproduce what I described in my yesterday report?
    (See details to see what I did that led to CryptoGuard blocking LibreOffice soffice.bin)
     
    Last edited: Jan 25, 2017
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,863
    The last time i have used LibreOffice was some weeks ago, so i decided to give it a try.
    I don't have Win7, but maybe i was affected too...
    But i couldn't reproduce it, so the CryptoGuard-problem with LibreOffice seems to be OS-specific. :cautious:

    We surely know it, after more people see the same problem with LibreOffice+CryptoGuard on Windows 7.
    Edit: LibreOffice 5.4.2 x64
     
    Last edited: Jan 25, 2017
  7. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    496
    Location:
    italy
    no (specs in my signature)
     
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,335
    Location:
    the Netherlands
    Thanks, mood,
    thanks, test.

    To be certain, did you use the same LibreOffice version that I use?
    LibreOffice 5.2.4 x86 (on Windows x64),
    or did you use another LibreOffice version, or the LibreOffice x64 version?

    I don't know if those details are relevant, but I could imagine they can be.
     
    Last edited: Jan 25, 2017
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,863
    LibreOffice 5.2.4 x64 on Windows x64.
    Edit: Typo
     
    Last edited: Jan 25, 2017
  10. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    496
    Location:
    italy
    Idem (5.2.4 64bit)
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,335
    Location:
    the Netherlands
    Thanks, mood,
    thanks, test.

    So that's different from my LibreOffice 5.2.4 x86 on Windows x64.
    As I said, I don't know if that is relevant, but I can imagine it could be.
    I'm looking forward to Erik's or Mark's analysis.

    (By the way, mood, where you wrote "5.4.2", I suppose you mean 5.2.4, as there is no LibreOffice version 5.4.2)
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,863
    Typo :oops:
    When i have some time later, i can try it again with the 32bit-version. If i can reproduce it, i'll report it here.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,420
    Location:
    Under a bushel ...
    FWIW I don't have any LibreOffice issues using the latest PortableApps.com version: 5.2.4.2 Build ID: 3d5603e1122f0f102b62521720ab13a38a4e0eb0 on Win 10 Pro x64 v1607 14393.693.
    I do not know if the PortableApps.com version is x86 or x64.
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We have currently _one_ detection record of LibreOffice triggering CryptoGuard.

    Is anyone else seeing this issue with LibreOffice?
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,977
    I haven't installed HMPA on my Surface Book, yet. I still have HMPA on my XP desktop, but that hasn't had a version update for quite awhile.
     
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,335
    Location:
    the Netherlands
    Thanks, Erik.
    That one detection record of LibreOffice triggering CryptoGuard, is that my Tuesday January 24 report, or was there another detection reported? I guess you refer to my report only.

    Have you or your colleagues tried to reproduce the issue, using HMPA 3.6.3.580 beta, LibreOffice 5.2.4 x86 on Windows 7 x64, in the way that I described in my Tuesday January 24 report?
    Perhaps even in combination with G Data 25.3.0.1?

    If no one else should have tested with LibreOffice 5.2.4 x86 on Windows 7 x64, but only LibreOffice x64 on Windows x64, and no one was able to reproduce the issue, one might say, "why not upgrade to LibreOffice x64?"
    I could do that, but there should be no issue with LibreOffice x86, of course.
    Many users use LibreOffice x86 on Windows x64, as LibreOffice x86 is the default download.
    And even more, not long ago, LibreOffice x86 was still more stable than x64, so x86 on Win x64 was the preferred choice because of that.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,335
    Location:
    the Netherlands
    @erikloman,
    @markloman,

    I edited my Tuesday January 24 report some more:

    I changed the previous X,Y,Z notation to A,B,C, to differentiate from the XXXXX.
    And I corrected the notation in Process Trace, where file A is the file mentioned in Process Trace (not C, nor Z, as I erroneously noted, before).

    I updated LibreOffice to version 5.2.5 x86 and tested again,
    also I tested in another user account (in case the first account might have a corrupted LibreOffice user profile),
    and also I tested with three other .odt files (in case the first files were corrupted somehow),
    but the outcome was the same, every time,
    CryptoGuard blocked C:\Program Files (x86)\LibreOffice 5\program\soffice.bin
     
  18. Alkajak

    Alkajak Registered Member

    Joined:
    Mar 6, 2016
    Posts:
    125
    I was experiencing a lot of CryptoGuard triggers late 2016 on in-app software updaters, but haven't had any issues at all this past month. So far, so good.
     
  19. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,033
  20. Alkajak

    Alkajak Registered Member

    Joined:
    Mar 6, 2016
    Posts:
    125
    Code:
    Intruder
    
    PID          2464
    Application  C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
    Description  Microsoft Edge Content Process 11
    
    Detour Report
    #  Address             Owner                    Disassembly
    -- ------------------  ------------------------ ------------------------
    EncryptMessage *
     1 0x00007FFBE18A5880  SspiCli.dll              JMP 0x7ffbe2120688
     2 0x00007FFBE2120688  (anonymous)              
    
    FilterConnectCommunicationPort
     1 0x00007FFBE1B420A0  fltlib.dll               JMP 0x7ffbe2120180
     2 0x00007FFBE2120180  (anonymous)              
    
    FilterSendMessage
     1 0x00007FFBE1B422D0  fltlib.dll               JMP 0x7ffbe21201b8
     2 0x00007FFBE21201B8  (anonymous)              
    
    CreateDCA
     1 0x00007FFBE2F038A0  GDI32.dll                JMP 0x7ffbe2120228
     2 0x00007FFBE2120228  (anonymous)              
    
    CreateDCW
     1 0x00007FFBE2F04190  GDI32.dll                JMP 0x7ffbe2120260
     2 0x00007FFBE2120260  (anonymous)              
    
    DeleteDC
     1 0x00007FFBE2F02080  GDI32.dll                JMP 0x7ffbe2120340
     2 0x00007FFBE2120340  (anonymous)              
    
    GdiAlphaBlend
     1 0x00007FFBE2F05450  GDI32.dll                JMP 0x7ffbe2120308
     2 0x00007FFBE2120308  (anonymous)              
    
    GdiTransparentBlt
     1 0x00007FFBE2F054E0  GDI32.dll                JMP 0x7ffbe21202d0
     2 0x00007FFBE21202D0  (anonymous)              
    
    GetPixel
     1 0x00007FFBE2F04660  GDI32.dll                JMP 0x7ffbe2120298
     2 0x00007FFBE2120298  (anonymous)              
    
    EndTask
     1 0x00007FFBE2FA3370  USER32.dll               JMP 0x7ffbe21201f0
     2 0x00007FFBE21201F0  (anonymous)              
    
    GetMessageA
     1 0x00007FFBE2F5E8B0  USER32.dll               JMP 0x7ffbcd020d0e
     2 0x00007FFBCD020D0E  (unknown)                
    
    GetMessageW
     1 0x00007FFBE2F64840  USER32.dll               JMP 0x7ffbcd020cce
     2 0x00007FFBCD020CCE  (unknown)                
    
    IsDialogMessage
     1 0x00007FFBE2FA61F0  USER32.dll               JMP 0x7ffbe2120538
     2 0x00007FFBE2120538  (anonymous)              
    
    IsDialogMessageW
     1 0x00007FFBE2F541F0  USER32.dll               JMP 0x7ffbe2120570
     2 0x00007FFBE2120570  (anonymous)              
    
    PeekMessageA
     1 0x00007FFBE2F5E300  USER32.dll               JMP 0x7ffbcd020c8e
     2 0x00007FFBCD020C8E  (unknown)                
    
    PeekMessageW
     1 0x00007FFBE2F5E430  USER32.dll               JMP 0x7ffbcd020c4e
     2 0x00007FFBCD020C4E  (unknown)                
    
    SetWindowsHookExA
     1 0x00007FFBE2F42730  USER32.dll               JMP 0x7ffbe21205a8
     2 0x00007FFBE21205A8  (anonymous)              
    
    SetWindowsHookExW
     1 0x00007FFBE2F67490  USER32.dll               JMP 0x7ffbe21205e0
     2 0x00007FFBE21205E0  (anonymous)              
    
    SetWinEventHook
     1 0x00007FFBE2F67D70  USER32.dll               JMP 0x7ffbe2120618
     2 0x00007FFBE2120618  (anonymous)              
    
    TranslateMessage
     1 0x00007FFBE2F55330  USER32.dll               JMP 0x7ffbe2120500
     2 0x00007FFBE2120500  (anonymous)              
    
    
    Thumbprint
    8a8bebeaa4abb76d5f77f0be47af2da9fcf42ba701c5344f46a964e401514f12
    Just had an "Intruder Alert" by opening up Microsoft Edge.
     
  21. Rudolf1982

    Rudolf1982 Registered Member

    Joined:
    Jan 30, 2017
    Posts:
    4
    Location:
    Samobor
    Hello, I am new to this forum and I want to ask how is HMPA dealing with Wallet ransomware?

    Regards
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I can confirm that this ransomware family is blocked by HitmanPro.Alert.
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You have a hook on the cryptography API in Edge. Specifically EncryptMessage().
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We are investigating. Stay tuned.
     
  25. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,335
    Location:
    the Netherlands
    Great, thanks. :thumb:
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.