HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. szepeviktor

    szepeviktor Registered Member

    Joined:
    Jan 10, 2017
    Posts:
    10
    Location:
    Budapest, HUNGARY
    Last edited: Mar 8, 2017
  2. guest

    guest Guest

    The thumbprint can't be seen on the screenshot.
    If you can provide them the thumbprint, they can whitelist the IAF alert:
     
  3. mrhex1

    mrhex1 Registered Member

    Joined:
    Jul 2, 2016
    Posts:
    19
    Location:
    Timbuktu
The IAF seemed to trigger whenever a file parser of some type was activated. I know that the above IAF triggers that I posted seemed to happen on Firefox whenever I spawned a file dialog or a Save As.

    I was also debugging some programs in Visual studio for my CS programming, then had them running when HMPA triggered on IE.

    Could this be happening here too? I suspect that Skype cannot open an excel spreadsheet natively.

     
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    @szepeviktor,
    You can copy alert details, including thumbprint, from Event Viewer.
    To get Alert details from Event Viewer:
    Open the HMPA user interface, and click "Number of alerts", or "Last alert", that will open Windows Event Viewer.
    This takes a moment as a HMPA module is added to Event Viewer.
    In Event Viewer, in the HitmanPro.Alert Events section, information can be seen regarding HMPA events.
    Take the entry regarding the specific alert.
Select all text, use Ctrl+C to copy the selected text, and paste it in a next reply in this thread.
     
  5. cavehomme

    cavehomme Registered Member

    Joined:
    May 19, 2010
    Posts:
    137
    Location:
    Alps
    Anyone able to comment upon whether this is a genuine alert, false positive or incompatibility please? Any recommendations for next steps that I should take would also be appreciated, thanks.

    For context, I was concluding a Skype voice call with a business colleague when it was terminated with this alert. No files were being transferred.

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 08/03/2017 18:55:48
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Dell3550
    Description:
    Mitigation IAF

    Platform 10.0.14393/x64 v586 06_3d
    PID 5552
    Application C:\Program Files (x86)\Skype\Phone\Skype.exe
    Description Skype 7.33

    Violation 5E20BE75 is calling sensorsnativeapi.dll IAT funcptr KernelBase.dll!GetProcAddress


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 5E20BE75 WinSATAPI.dll
    ff159c61215e CALL DWORD [0x5e21619c]
    894604 MOV [ESI+0x4], EAX
    85c0 TEST EAX, EAX
    7507 JNZ 0x5e20be89
    5e POP ESI
    ff254061215e JMP DWORD [0x5e216140]

    2 5E208069 WinSATAPI.dll
    3 5E207EF9 WinSATAPI.dll
    4 5E207617 WinSATAPI.dll
    5 5E1FC348 WinSATAPI.dll
    6 5E1FD88A WinSATAPI.dll
    7 5FFE31E9 RtmPal.dll RtcPalGetTempFolderW +0x60
    8 5FFE33D5 RtmPal.dll RtcPalGetWinSATProcessorScore +0x20
    9 0919AFF4 RtmPltfm.dll
    10 0919C043 RtmPltfm.dll

    Process Trace
    1 C:\Program Files (x86)\Skype\Phone\Skype.exe [5552]
    "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
    2 C:\Windows\explorer.exe [4348]
    3 C:\Windows\System32\userinit.exe [4228]
    4 C:\Windows\System32\winlogon.exe [692]
    winlogon.exe

    Thumbprint
    96719702e94390802b7615aa9e626dafe722075dad06cb6ab7d5e689211784cc
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-03-08T17:55:48.291068200Z" />
    <EventRecordID>18740</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Dell3550</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files (x86)\Skype\Phone\Skype.exe</Data>
    <Data>IAF</Data>
    <Data>Mitigation IAF

    Platform 10.0.14393/x64 v586 06_3d
    PID 5552
    Application C:\Program Files (x86)\Skype\Phone\Skype.exe
    Description Skype 7.33

    Violation 5E20BE75 is calling sensorsnativeapi.dll IAT funcptr KernelBase.dll!GetProcAddress


    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 5E20BE75 WinSATAPI.dll
    ff159c61215e CALL DWORD [0x5e21619c]
    894604 MOV [ESI+0x4], EAX
    85c0 TEST EAX, EAX
    7507 JNZ 0x5e20be89
    5e POP ESI
    ff254061215e JMP DWORD [0x5e216140]

    2 5E208069 WinSATAPI.dll
    3 5E207EF9 WinSATAPI.dll
    4 5E207617 WinSATAPI.dll
    5 5E1FC348 WinSATAPI.dll
    6 5E1FD88A WinSATAPI.dll
    7 5FFE31E9 RtmPal.dll RtcPalGetTempFolderW +0x60
    8 5FFE33D5 RtmPal.dll RtcPalGetWinSATProcessorScore +0x20
    9 0919AFF4 RtmPltfm.dll
    10 0919C043 RtmPltfm.dll

    Process Trace
    1 C:\Program Files (x86)\Skype\Phone\Skype.exe [5552]
    "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
    2 C:\Windows\explorer.exe [4348]
    3 C:\Windows\System32\userinit.exe [4228]
    4 C:\Windows\System32\winlogon.exe [692]
    winlogon.exe

    Thumbprint
    96719702e94390802b7615aa9e626dafe722075dad06cb6ab7d5e689211784cc</Data>
    </EventData>
    </Event>
     
    Last edited: Mar 8, 2017
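Taking the copy-from-Event-Viewer procedure above one step further, here is an added example (my own code, not from the thread, HitmanPro or its developers) that parses the Event XML that Event Viewer produces for a "Mitigation IAF" event (Event ID 911) into the fields a triage or a false-positive report needs: the application and PID, the address and module that made the call, the DLL whose import table entry was used, the target function, the stack and process traces, and the thumbprint the developers whitelist by. The sample event is an abridged copy of the XML pasted above (stack frames trimmed); names such as `IafAlert`, `parse_events_xml` and `summarize` are my own, and the text layout the regexes assume is the one shown in this thread's posts.

```python
"""Parse HitmanPro.Alert IAF mitigation events (Event ID 911) copied from
Event Viewer and summarise them for triage. Added example for this thread;
the sample XML is an abridged copy of the event pasted in the post above."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass, field

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# "Violation 5E20BE75 is calling sensorsnativeapi.dll IAT funcptr KernelBase.dll!GetProcAddress"
VIOLATION_RE = re.compile(
    r"Violation\s+(?P<addr>[0-9A-Fa-f]+)\s+is calling\s+(?P<iat_owner>\S+)"
    r"\s+IAT funcptr\s+(?P<target>\S+)")
# Stack frame line: "<n> <8 hex digits> <module> [symbol +offset]"; the
# disassembly lines under frame 1 never match this shape.
FRAME_RE = re.compile(r"^(?P<n>\d+)\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<module>\S+)\s*(?P<loc>.*)$")
# Process trace line: "<n> <path> [<pid>]"; command-line lines carry no [pid].
PROC_RE = re.compile(r"^(?P<n>\d+)\s+(?P<path>.+?)\s+\[(?P<pid>\d+)\]$")


@dataclass
class IafAlert:
    record_id: int
    application: str
    pid: int
    caller_addr: str        # address that made the call (frame 1)
    iat_owner: str          # DLL whose import table entry was used
    target: str             # e.g. KernelBase.dll!GetProcAddress
    frames: list = field(default_factory=list)         # (module, location)
    process_chain: list = field(default_factory=list)  # (path, pid), child first
    thumbprint: str = ""

    @property
    def caller_module(self):
        return self.frames[0][0] if self.frames else "?"


def parse_description(text, record_id=0):
    """Parse the free-text body of a 'Mitigation IAF' event into an IafAlert."""
    m = VIOLATION_RE.search(text)
    if m is None:
        raise ValueError("not an IAF violation description")
    alert = IafAlert(record_id=record_id, application="", pid=0, caller_addr=m["addr"].upper(),
                     iat_owner=m["iat_owner"], target=m["target"])
    section = None
    for ln in (raw.strip() for raw in text.splitlines()):
        if not ln:
            continue
        if ln.startswith("Application "):
            alert.application = ln.split(None, 1)[1]
        elif ln.startswith("PID "):
            alert.pid = int(ln.split()[1])
        elif ln in ("Stack Trace", "Process Trace", "Thumbprint"):
            section = ln
        elif section == "Stack Trace":
            f = FRAME_RE.match(ln)
            if f:
                alert.frames.append((f["module"], f["loc"].strip()))
        elif section == "Process Trace":
            p = PROC_RE.match(ln)
            if p:
                alert.process_chain.append((p["path"], int(p["pid"])))
        elif section == "Thumbprint" and re.fullmatch(r"[0-9a-fA-F]{64}", ln):
            alert.thumbprint = ln.lower()
    return alert


def parse_events_xml(xml_text):
    """Parse one <Event> (or a wrapper holding several) into IafAlert objects."""
    root = ET.fromstring(xml_text)
    events = [root] if root.tag == EVENT_NS + "Event" else root.iter(EVENT_NS + "Event")
    alerts = []
    for ev in events:
        system = ev.find(EVENT_NS + "System")
        if int(system.findtext(EVENT_NS + "EventID") or 0) != 911:  # 911 = HMPA mitigation
            continue
        record_id = int(system.findtext(EVENT_NS + "EventRecordID") or 0)
        data = [d.text or "" for d in ev.find(EVENT_NS + "EventData").findall(EVENT_NS + "Data")]
        if len(data) >= 3 and data[1] == "IAF":   # Data[1] names the mitigation
            alerts.append(parse_description(data[2], record_id))
    return alerts


def summarize(alerts):
    """Count (caller module, IAT owner, target) triples; a triple that recurs
    across users with the same benign caller is what gets whitelisted."""
    return Counter((a.caller_module, a.iat_owner, a.target) for a in alerts)


def report_line(a):
    """One line per alert, thumbprint included, ready to paste into a report."""
    exe = a.application.rsplit("\\", 1)[-1]
    return (f"record {a.record_id}: {exe}[{a.pid}] frame#1 {a.caller_module}@{a.caller_addr}"
            f" -> {a.iat_owner} IAT -> {a.target}; thumbprint {a.thumbprint or 'MISSING'}")


# Constructed sample: abridged from the Skype event pasted in this thread.
SAMPLE_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="HitmanPro.Alert" /><EventID Qualifiers="0">911</EventID>
<EventRecordID>18740</EventRecordID><Channel>Application</Channel></System>
<EventData><Data>C:\Program Files (x86)\Skype\Phone\Skype.exe</Data><Data>IAF</Data>
<Data>Mitigation IAF
PID 5552
Application C:\Program Files (x86)\Skype\Phone\Skype.exe
Violation 5E20BE75 is calling sensorsnativeapi.dll IAT funcptr KernelBase.dll!GetProcAddress
Stack Trace
# Address Module Location
1 5E20BE75 WinSATAPI.dll
ff159c61215e CALL DWORD [0x5e21619c]
85c0 TEST EAX, EAX
2 5E208069 WinSATAPI.dll
3 5FFE31E9 RtmPal.dll RtcPalGetTempFolderW +0x60
Process Trace
1 C:\Program Files (x86)\Skype\Phone\Skype.exe [5552]
"C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
2 C:\Windows\explorer.exe [4348]
Thumbprint
96719702e94390802b7615aa9e626dafe722075dad06cb6ab7d5e689211784cc</Data></EventData></Event>"""

if __name__ == "__main__":
    for alert in parse_events_xml(SAMPLE_XML):
        print(report_line(alert))
```

The frame regex deliberately requires "number, 8-digit address, module" so the disassembly lines printed under frame 1 are skipped, and the process regex requires a trailing `[pid]` so command-line lines are skipped; both are layout assumptions taken from the posts here.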
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    I hope Erik or Mark will respond to your report.
    If it is a false positive alert, Erik or Mark can whitelist the IAF alert.
     
  7. szepeviktor

    szepeviktor Registered Member

    Joined:
    Jan 10, 2017
    Posts:
    10
    Location:
    Budapest, HUNGARY
    Thank you.

    Code:
    Mitigation   IAF
    
    Platform     10.0.14393/x64 v586 06_2a
    PID          7100
    Application  C:\usr\skype\Skype.exe
    Description  Skype 7.30
    
    Violation    6FE11818 is calling Windows.Media.Devices.dll IAT funcptr KernelBase.dll!GetProcAddress
    
    
    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  6FE11818 duser.dll               
                ff1568a2e56f             CALL         DWORD [0x6fe5a268]
                85c0                     TEST         EAX, EAX
                7412                     JZ           0x6fe11834
                50                       PUSH         EAX
                ff1534a3e56f             CALL         DWORD [0x6fe5a334]
                8b4d08                   MOV          ECX, [EBP+0x8]
                8901                     MOV          [ECX], EAX
                b001                     MOV          AL, 0x1
                5d                       POP          EBP
                c20400                   RET          0x4
    
    2  6FE117A4 duser.dll               
    3  6FE11719 duser.dll               
    4  6FE0CEAF duser.dll               
    5  6FE11A35 duser.dll                AttachWndProcW +0x15
    6  6F562E37 dui70.dll                ?OnHosted@HWNDHost@DirectUI@@MAEXPAVElement@2@@Z +0xc7
    7  6F54C469 dui70.dll               
    8  6F54C469 dui70.dll               
    9  6276E81E ExplorerFrame.dll       
    10 6F5493D2 dui70.dll               
    
    Process Trace
    1  C:\usr\skype\Skype.exe [7100]
    2  C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe [5992]
    "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe" /LaunchType=Auto /LaunchApps=Common
    3  C:\Windows\explorer.exe [4812]
    4  C:\Windows\System32\userinit.exe [4744]
    5  C:\Windows\System32\winlogon.exe [908]
    winlogon.exe
    
    Thumbprint
    f6d4e299066013a4d7a860f77bb3760b91b23a8f51b12aa6358543937341c619
    
     
  8. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Been saying this for years, but the paranoid will be what they shall be I guess.
     
  9. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    +1

    If the security fans can make all that stuff work together, more power to 'em! But please don't go bashing some developer because his product conflicts with another. There are just too many possible combinations to test for, and the majority of users don't layer several products with the same objectives ... especially when it comes to real-time detection :)
     
  10. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Is this a false positive?

    HMPA-IAF.png
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
We are investigating the IAF triggers above. Stay tuned.
     
  12. VancouverBC

    VancouverBC Guest

    Hi all,

    I have a problem with HMP.A: I sometimes need to run a file shredder (usually it's Fileshredder but I also tried with Eraser) but HMP.A keeps blocking the .exe process although I have set it on exclude under "Exploit mitigations" - "Applications" - "Exclude"...?

    Can someone help me here? Thanks! :thumb:
     
  13. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    you have to suspend cryptoguard since exclude works only for exploit mitigations...
     
  14. VancouverBC

    VancouverBC Guest

That's done the trick, thanks a lot!

    Good taste in music btw ;)
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    @JEAM,
    The thumbprint isn't shown.
    Please also provide the thumbprint, so that if it is a false positive, Erik can whitelist it.
    You can copy alert details, including thumbprint, from Event Viewer.

    To get Alert details from Event Viewer:
    Open the HMPA user interface, and click "Number of alerts", or "Last alert", that will open Windows Event Viewer.
    This takes a moment as a HMPA module is added to Event Viewer.
    In Event Viewer, in the HitmanPro.Alert Events section, information can be seen regarding HMPA events.
    Take the entry regarding the specific alert.
Select all text, use Ctrl+C to copy the selected text, and paste it in a next reply in this thread.
     
  16. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    :thumb:
     
  17. HAWK7

    HAWK7 Registered Member

    Joined:
    Mar 9, 2017
    Posts:
    3
    Location:
    Norway
    Hi All,

I have some software that helps you to permanently delete/erase your data, pics and documents. But HitmanPro.Alert is not allowing me to do that. How can I solve this problem? Thanks
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Open the HitmanPro.Alert user interface,
    go to settings (gear wheel, in upper right hand corner),
    choose Advanced interface,
    click the orange Risk reduction tile,
    click CryptoGuard,
    click Disabled.
    Now you can use your eraser software.
    After erasing, make sure that you re-enable CryptoGuard.
     
  19. HAWK7

    HAWK7 Registered Member

    Joined:
    Mar 9, 2017
    Posts:
    3
    Location:
    Norway
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Today HMP scan flagged excalibur.db-shm belonging to HMP.A as suspicious.

    Suspicious files ____________________________________________________________

    C:\ProgramData\HitmanPro.Alert\excalibur.db-shm
    Size . . . . . . . : 32,768 bytes
    Age . . . . . . . : 0.1 days (2017-03-09 05:47:24)
    Entropy . . . . . : 7.6
    SHA-256 . . . . . : DED53D3528457D15A2BD7E236F6EA98549F9CFD84F0DC3C0EA9A6ED06BBFCB32
    Product . . . . . : PyWin32
    Publisher
    Description
    Version . . . . . : 2.5.213.0
    Copyright
    LanguageID . . . . : 1033
    Fuzzy . . . . . . : 23.0
    Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
    The file name extension of this program is not common.
    Program is running but currently exposes no human-computer interface (GUI).
    Authors name is missing in version info. This is not common to most programs.
    Time indicates that the file appeared recently on this computer.
    The file is in use by one or more active processes.
    Forensic Cluster
    0.0s C:\ProgramData\HitmanPro.Alert\excalibur.db-wal
    0.0s C:\ProgramData\HitmanPro.Alert\excalibur.db-shm
    2.9s C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    2.9s C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    3.5s C:\Windows\setupact.log
    3.5s C:\Windows\setuperr.log
     
    Last edited: Mar 9, 2017
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    With HMP 3.7.15.281 and HMPA 3.6.3.586 on Windows 7 x64, I cannot reproduce your result.
    Which HMP version did you use, the 3.7.15.281 stable release, or a beta version?
    And which HMPA version?
    And which Windows version? (and in case of Windows 10, which build?)
     
    Last edited: Mar 9, 2017
  22. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I'm running same as you. And I could not reproduce it either, either via full scan or via right-click context menu scan. Guess it was a weird glitch. Thanks for checking.
     
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Ah, thanks very much, and yes, I suppose so, it must have been a weird glitch.
    I think I would rather have seen a reproducible false positive. That could be fixed by Erik or Mark.
A non-reproducible weird glitch may happen again, perhaps with a user who is not computer-savvy and might act wrongly on excalibur.db-shm being flagged as suspicious.
Let's hope it was a one-off glitch.
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I'll certainly report back if there is a recurrence.
    HMP.A has been flagging Outlook.exe and MailwasherPro.exe recently... perhaps each program two or three times. I close them, then immediately reopen them without another peep from HMP.A. This started happening with the most recent upgrade within the last week. Today was the first flag I've gotten from HMP in a very long time.
     
  25. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Mitigation IAF

    Platform 6.1.7601/x64 v586 06_2a
    PID 4564
    Application C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    Description Microsoft Outlook 14

    Violation 5790D47D is calling PSTOREC.DLL IAT funcptr kernel32.dll!GetProcAddress

    ****************************************************************************************
    ****************************************************************************************
    Mitigation IAF

    Platform 6.1.7601/x64 v586 06_2a
    PID 4772
    Application C:\Program Files (x86)\Firetrust\MailWasher\MailWasherPro.exe
    Description MailWasher 2015.7.8

    Violation 5D1AEB78 is calling rasctrs.dll IAT funcptr kernel32.dll!GetProcAddress
     