HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    770
  2. guest

    guest Guest

    Thanks for the detailed explanation.
    But what would happened if the power shell command comes from a normal executable ? Probably there is nothing in the wild like this and that executable can be classified as malware but still it could happend, and I guess this mitigation of HPA works only with the browsers, office and a few other apps.
    But indeed HPA is in a very good shape.
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,504
    Location:
    Under a bushel ...
    No worries Pete.
     
  4. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    This is nice to know, as I didn't know how mature their powershell based protection was. Nice :thumb:
     
  5. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    412
    Running Win 8.1 x64 and HPA 3.6.4.588 - to day as I was patching the system with AutoPatcher 6.2.22 I got the following:

    Type : Error
    Date : 08/05/2017
    Time : 12:19:01
    Event : 300
    Source : HitmanPro.Alert
    Category : CryptoGuard
    User : N/A
    Computer : DESKTOPDaniele
    Description:
    The following process is trying to attack your personal files:
    PID: 324
    Application: C:\Windows\System32\svchost.exe

    List of files:
    C:\Windows\SoftwareDistribution\ScanFile\a71a65d1-9634-4957-bdca-382619e015b0\Source.cab
    C:\Windows\SoftwareDistribution\ScanFile\dcdc2a77-3f5f-4417-a5e4-21e76c6d2adf\Source.cab
    C:\Windows\SoftwareDistribution\ScanFile\67fc073b-4d02-4acb-be01-07f9607c4c5c\Source.cab


    HitmanPro.Alert has intercepted and blocked this attack.
    You are strongly advised to immediately scan this computer with HitmanPro and remove the detected threats.


    Type : Error
    Date : 08/05/2017
    Time : 12:19:01
    Event : 911
    Source : HitmanPro.Alert
    Category : Mitigation
    User : N/A
    Computer : DESKTOPDaniele
    Description:
    Mitigation CryptoGuard

    Platform 6.3.9600/x64 v588 6f_10
    PID 324
    Application C:\Windows\System32\svchost.exe
    Description Host Process for Windows Services 6.3

    Filename C:\Windows\System32\svchost.exe

    C:\Windows\SoftwareDistribution\ScanFile\a71a65d1-9634-4957-bdca-382619e015b0\Source.cab
    C:\Windows\SoftwareDistribution\ScanFile\dcdc2a77-3f5f-4417-a5e4-21e76c6d2adf\Source.cab
    C:\Windows\SoftwareDistribution\ScanFile\67fc073b-4d02-4acb-be01-07f9607c4c5c\Source.cab


    Process Trace
    1 C:\Windows\System32\svchost.exe [324]
    C:\Windows\system32\svchost.exe -k netsvcs
    2 C:\Windows\System32\services.exe [640]

    Thumbprint
    3871354fffd2dec0a24da928baaec2ef9a2a1804c35dbfe214619aae14c4d9e5
     
  6. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Anyone know if there's any leaked pricing for the new Sophos Home Premium that has HMPA functionality combined with it? My 3-PC HMPA license is expiring in about 2 weeks.
     
  7. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Ah, didn't know it was so new. I'll re-subscribe to HMPA for another year.
     
  8. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    Looks like opting into the Sophos Home Premium beta removes the ability of HMPA + Sophos Home to coexist since they're merged. I'll have to bid adieu to contributing to this thread for a while then.
     
  9. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Yeah, that's a given seeing you would not want to run two instances of the same software on your PC ;)
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,790
    Location:
    Among the gum trees
    One would think a decent programmer would check for this and not allow it, no?
     
  11. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Agreed. :thumb:
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,504
    Location:
    Under a bushel ...
    Code:
    Mitigation   ROP
    
    Platform     10.0.15063/x64 v588 06_45
    PID          146976
    Application  C:\Program Files\Mozilla Firefox\firefox.exe
    Description  Firefox 53.0.2
    
    Callee Type  ProtectVirtualMemory
                 0x00000280B8C01000 (4096 bytes)
    
    Branch Trace                              Opcode  To                                    
    ---------------------------------------- -------- ----------------------------------------
    _aligned_free +0xd4                          RET  0x00007FFE27073357 xul.dll            
    0x00007FFE5FEC5294 mozglue.dll                                                          
    
    RtlLeaveCriticalSection +0x39                RET  _aligned_free +0xb6                    
    0x00007FFE72A5FF99 ntdll.dll                      0x00007FFE5FEC5276 mozglue.dll        
    
    _aligned_free +0x201                         RET  _aligned_free +0x8c                    
    0x00007FFE5FEC53C1 mozglue.dll                    0x00007FFE5FEC524C mozglue.dll        
    
    memset +0x19f                                RET  _aligned_free +0x7b                    
    0x00007FFE5E5BC91F vcruntime140.dll               0x00007FFE5FEC523B mozglue.dll        
    
    RtlEnterCriticalSection +0x2a                RET  _aligned_free +0x59                    
    0x00007FFE72A4447A ntdll.dll                      0x00007FFE5FEC5219 mozglue.dll        
    
    0x00007FFE2721BEA6 xul.dll                   RET  0x00007FFE2707332E xul.dll            
    
    0x00007FFE292FF57C xul.dll                   RET  0x00007FFE27073322 xul.dll            
    
    0x00007FFE27129A10 xul.dll                   RET  0x00007FFE27073312 xul.dll            
    
    0x00007FFE27129C8D xul.dll                   RET  0x00007FFE270732E2 xul.dll            
    
    0x00007FFE27739F86 xul.dll                   RET* 0x00000000005B160C EventMon.dll        
                        cc                       INT 3      
    
    
    SleepEx +0x10e                             ~ RET* 0x00000000005B1604 EventMon.dll        
    0x00007FFE6EFA72EE KernelBase.dll                                                        
                        cc                       INT 3      
    
    
    NtDelayExecution +0x14                     ~ RET  SleepEx +0xa7                          
    0x00007FFE72AD5A34 ntdll.dll                      0x00007FFE6EFA7287 KernelBase.dll      
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFE6EFB1735 KernelBase.dll           VirtualProtect +0x35
    
    2  00007FFE2720E769 xul.dll                
                        85c0                     TEST         EAX, EAX
                        743d                     JZ           0x7ffe2720e7aa
                        488b0d4c3db002           MOV          RCX, [RIP+0x2b03d4c]
                        483bd9                   CMP          RBX, RCX
                        0f82b8776600             JB           0x7ffe27875f35
                        4881c100000040           ADD          RCX, 0x40000000
                        483bf9                   CMP          RDI, RCX
                        0f87a8776600             JA           0x7ffe27875f35
                        b001                     MOV          AL, 0x1
                        488b5c2438               MOV          RBX, [RSP+0x38]
                        4883c420                 ADD          RSP, 0x20
                        5f                       POP          RDI
                        c3                       RET        
    
    3  00007FFE26EFE1B2 xul.dll                
    4  00007FFE27073376 xul.dll                
    5  00007FFE26F03595 xul.dll                
    6  00007FFE2702930E xul.dll                
    7  00007FFE277B3AC6 xul.dll                
    8  00007FFE26F31A5C xul.dll                
    9  00007FFE26F3B61D xul.dll                
    10 00000280B71CBEBD (anonymous; xul.dll)  
    
    Code Injection
    0000000000530000-0000000000536000   24KB C:\Program Files\Sandboxie\SbieSvc.exe [3604]
    0000000000540000-0000000000541000    4KB
    00007FFE72AA9000-00007FFE72AAA000    4KB
    
    Process Trace
    1  C:\Program Files\Mozilla Firefox\firefox.exe [146976]
    2  C:\Program Files\Mozilla Firefox\firefox.exe [142328]
    3  C:\Windows\explorer.exe [9964]
    4  C:\Windows\System32\userinit.exe [9444]
    5  C:\Windows\System32\winlogon.exe [1284]
    winlogon.exe
    
    Thumbprint
    4dc38dac7a603ec076cdde33f91b79d263efd90ae3c2310257db23ca11a9362e
    
     
  13. mrhex1

    mrhex1 Registered Member

    Joined:
    Jul 2, 2016
    Posts:
    19
    Location:
    Timbuktu
    The problem is that I believe the cname/wildcard DNS record is pointing to the provider where the brother's live in the Netherlands. The www.hitmanpro.com already has the Sophos edgekey CDN along with the akamai CDN in it. Depends on how the DNS is configured on their end. I am using Google DNS on my end. https://www.hitmanpro.com is definitely reachable. Here is a dump from nslookup:

    Code:
    > hitmanpro.com
    Server:  DD-WRT
    Address:  192.168.11.1
    
    Non-authoritative answer:
    Name:    hitmanpro.com
    Address:  87.249.108.118
    
    > www.hitmanpro.com
    Server:  DD-WRT
    Address:  192.168.11.1
    
    Non-authoritative answer:
    Name:    e6203.b.akamaiedge.net
    Address:  23.214.15.163
    Aliases:  www.hitmanpro.com
              www.sophos.com.edgekey.net
    
    >
     
  14. rei

    rei Registered Member

    Joined:
    May 25, 2006
    Posts:
    51
    I'm fine with this but an up-front dialog about it would have helped. I'll submit feedback to Sophos.

    Goodness knows this forum has enough overly-paranoid tinfoil-hat-wearing people running 2-10+ different programs all at once against imaginary threats. This thread is full of them demanding Surfright/Sophos "fix" their products to account for all the other bizarre nonsense they're running simultaneously.
     
  15. P_TT

    P_TT Registered Member

    Joined:
    May 9, 2017
    Posts:
    4
    Location:
    Italy
    I have some issues with HMP.A: Some apps just don't work if it's enabled. Processes are running, they are listed in the task manager but the GUI is missing. I guess HMP.A blocks them while they are loading.
    Adding such apps as exceptions doesn't fix the issue, i also tried to disable every feature in HMP.A with no luck. They only thing which fixes the issue is disabling the HMP.A service and reboot the pc, after that all is working fine.
    Below the apps that aren't working with HMP.A

    NAPS2(Not another pdf scanner 2)
    ADOBE DIGITAL EDITION
    AMAZON CLOUD DRIVE APP(This is somehow different from the other 2, the app works only the first time after the setup, obviously disabling HMP.A makes it working correctly every time i launch it)
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The above do work with HMPA. It is likely that you have a 3rd party component that conflicts with HMPA.
    What security products are you using?
     
  17. P_TT

    P_TT Registered Member

    Joined:
    May 9, 2017
    Posts:
    4
    Location:
    Italy
    Thank you for your promptly reply. You are absolutely right about the conflit, i use bitdefender internet security. After your reply i investigated and found that disabling the active thread control in bitdefender also fixes the issues. Moreover i can leave that feature enabled because adding those apps as exceptions in bitdefender works too! Again, thank you for your help: great product, fast support, very happy to have renewed my license for another year! Have a nice day
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.6.5 build 592

    A small update to the stable release.

    Changelog
    • Fixed CryptoGuard false positive
    Notes
    This build contains drivers that are co-signed by Microsoft.

    Download

    http://test.hitmanpro.com/hmpalert3b592.exe

    Please let me know how this build runs :thumb:
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,790
    Location:
    Among the gum trees
    Hi Erik,

    After installing and restarting I was informed there was an update available that would be installed next restart. That reinstalled 588! o_O

    Rienstalled 592 and same thing.

    HMP.A Update.PNG
     
    Last edited: May 11, 2017
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,504
    Location:
    Under a bushel ...
    Installed OK over the top of 588 on Win 10 Pro x64 v1703 15063.296.

    But after reboot, a flyout and message appeared that an update was available and had to reboot again.

    Edit: Yes, same as @Krusty, back to 588!
     
  21. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    807
    Location:
    Baden Germany
    Same here.
    HMP.A reverted to build 588, after reboot.
     
  22. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    770
    Same here. 588 > 592 > 588.
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I have fixed this issue in our cloud. It should now stick to 592.
     
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,057
    Location:
    the Netherlands
    No issues so far on my Windows 7 x64 system (see signature).

    And as the changelog mentions "Fixed CryptoGuard false positive", I decided to check for the CryptoGuard and LibreOffice x86 on Windows x64 issue that I reported January 24 and February 3, even though February 27 Erik replied "We are working on a new major version of CryptoGuard which should solve the LibreOffice issue", so I wasn't expecting a fix for the LibreOffice issue in this minor update, but only in the major release 3.7.

    But guess what - according to my tests, the CryptoGuard and LibreOffice x86 on Windows x64 issue looks to be fixed in 3.6.5.592.
    Nice! :thumb:

    Tested with LibreOffice x86 version 5.2.7.2
     
    Last edited: May 11, 2017
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,504
    Location:
    Under a bushel ...
    Yes, fixed now.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.