HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,775
    Location:
    the Netherlands
    If you could add the full alert details, then Erik, Mark, or RonnyT can have a look at it.
    You can get alert details from Event Viewer:
    Open the HMPA user interface.
    If the HMPA user interface shows 1 or more alerts, clicking "Number of alerts" or "Last alert" in the HMPA user interface will open Windows Event Viewer and a "HitmanPro.Alert Events" module will be added to Windows Event Viewer. Be patient, as this takes a moment.
    As soon as the "HitmanPro.Alert Events" module is added to Event Viewer, opening that entry should show HMPA events.
    Take the entry regarding the specific alert.
    Select all text, use Ctrl+C to copy the selected text, and then you can paste the copied details in a reply in the thread.
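For readers who would rather not copy the alert out of the Event Viewer GUI, here is an added PowerShell snippet (not from the thread or from the HitmanPro.Alert product) that discovers the HMPA event log by wildcard and dumps the newest entries, message text included, to a text file you can paste into a reply. The exact log name and the Desktop path are assumptions; the wildcard lookup avoids hard-coding either.

```powershell
# Added example (not from the thread): pull recent HitmanPro.Alert events with
# PowerShell instead of copying them by hand from Event Viewer.

# 1. Find the event log(s) HMPA registered. The thread calls the Event Viewer
#    node "HitmanPro.Alert Events"; the underlying log name may differ, so search.
$hmpaLogs = Get-WinEvent -ListLog '*HitmanPro*' -ErrorAction SilentlyContinue
if (-not $hmpaLogs) {
    Write-Warning 'No HitmanPro event log found. Open the HMPA UI and click "Last alert" once so the log gets registered, then re-run.'
    return
}

# 2. Take the newest entries from each matching log and keep the fields a
#    support reply needs: time, event ID, provider and the full message text.
$alerts = foreach ($log in $hmpaLogs) {
    Get-WinEvent -LogName $log.LogName -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LogName, Message
}

# 3. Show the full message (Format-List keeps multi-line messages intact) and
#    write a text file for attaching or pasting. Output path is an assumption.
$alerts | Format-List TimeCreated, Id, ProviderName, Message
$outFile = Join-Path $env:USERPROFILE 'Desktop\hmpa-alerts.txt'
$alerts | Format-List TimeCreated, Id, ProviderName, LogName, Message |
    Out-String -Width 4096 | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Saved $(@($alerts).Count) event(s) to $outFile"
```

Run it from an elevated PowerShell prompt so the log can be read regardless of its ACL; the resulting text file contains the same details the Event Viewer copy/paste would.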
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,446
    If you are using a browser with Sandboxie, it is better to disable Local Privilege Mitigation. Or run it unsandboxed.
     
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    1,775
    Location:
    the Netherlands
    @mood,
    Thanks very much for that information regarding Sandboxie and Local Privilege Mitigation.
    I should have remembered, but I was too much focused on how to get and add alert details. ;)
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,446
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,863
    Go to the orange box and click on Risk Reduction. Then select Process Protection. Then untick Local Privilege Mitigation. That should solve the problem. It's because of the Chrome Sandbox.
     
  6. Armadax

    Armadax Registered Member

    Joined:
    Sep 13, 2015
    Posts:
    19
    Location:
    Zuid-Holland
    Not happy with the new update...
    I have Nicehash miner running on my win 10 computer (standard Win Defender and Hitman Pro Alert 3.7.1 723) and it blocks the application. It did not with the previous version and it does now with the update. I've excluded both the NiceHash Miner 2.exe in the program files folder and the actual miner exe in the appdata/roaming folder (excavator.exe), but the excavator keeps being blocked with a pop-up that the malware is blocked. I've also tried to change/remove the rules for the applications, but the strange thing is that with the 'mini icons' beneath the exploit protection it only shows the nicehash miner icon, not one for excavator. And if you click on the excluded Excavator, it only gives you the option to remove the exclusion...
    Also, is it correct that there is no mention of the blocking event? Not in the HMPA screen, nor in the event viewer....
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,446
    The Real-time Antimalware protection is blocking it. To be able to run the executable you have to disable the Real-time Antimalware protection, because there is no option yet to exclude the executable.
     
  8. plat1098

    plat1098 Guest

    For the heck of it, I put Chrome (first time EVER) and Firefox 57 on here with Sbie and Alert, both release versions. I'm aware Chrome has its sandbox but I'm able to use Chrome just fine without disabling any mitigations in Alert for over one hour now. I do have to launch Chrome from "Run any program" in Sbie's context menu to avoid Sbie launch errors but otherwise, no problems. Dumb beginner's luck maybe? By the way, in terms of speed running both Alert and Sbie, Chrome is the fastest and most efficient on here, hands down. No contest re:Firefox Quantum.

    Chrome version on here is 62.0.3202.94.

    Screenshot (17).png

    Edit: Here, but with launching Internet Explorer, never happened before:

    hmpalert privguard.PNG

    Even with exclusions in HMP Alert, looks like I left out an exclusion.

    hmp exclude.PNG
     
    Last edited by a moderator: Nov 22, 2017
  9. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,407
    Location:
    Europe then Asia
    @plat1098 you have to add every Sbie process, especially SandboxieDcomLaunch.exe and SandboxieRpcSs.exe
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,994
    Location:
    Last Breath Farm
    Okay, I've followed the advice given here to disable LPM. TY, mood and Peter, for that. Please advise, what might be the downside of disabling that mitigation?

    Also, would adding full SBIE exclusions accomplish the same end?

    And thanks, StupendousMan, for your suggestion. I did include that info with my email to tech support, which so far has gone unanswered. :thumb:
     
  11. plat1098

    plat1098 Guest

    OK @Umbra, Sandboxie COM Services RpcSs was added to Alert exclusions. No mitigations disabled yet, might be a little premature but Chrome is running well so far. Thank you. :)

    Edit: Despite exclusions, still getting PrivGuard mitigations, this time clicking on a bookmark. Sbie Start exe was named and it's supposed to be excluded in Alert--? Bummer! Adding all the services to exclusions, as instructed.

    alert prviguard.PNG
     
    Last edited by a moderator: Nov 23, 2017
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,863
    You'd be better off taking out all the exclusions, using Sandboxie, and just unchecking the Local Privilege Mitigation in HMPA.
     
  13. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,720
    Location:
    UK
    Or leave LPM enabled and run Chrome unsandboxed with Sandboxie.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,863
    You may get the alerts with Sandboxie.
     
  15. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,720
    Location:
    UK
    But if Sandboxie isn't being used to sandbox any browser such as Chrome, it isn't doing anything so no HMP alerts, right?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,863
    You can't always make that assumption. Drivers installed, services running etc.
     
  17. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,720
    Location:
    UK
    Okay, fair enough. I was going by the comment from @markloman that @mood quoted in post #14352. Mark had said (bold part my emphasis): "Sandboxie is actually stealing tokens and elevating privileges with them so our mitigation is not wrong. Disable Local Privilege Mitigation if you insist on using Sandboxie around your browsers." I just thought if you didn't use Sandboxie with said browser, you shouldn't get the LPM alerts.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,863
    Hi Tony

    May be true, but I am not sure what LPM does for me exactly. I do know from long time usage what SBIE does for me so that is the basis of my comment.
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,041
    Location:
    Outer space
    Changelog is published:
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    804
    In Fall CU you don't need the font protection, because Windows handles fonts in a much more secure way. So it is overkill and a possible issue to block untrusted fonts.
     
    Last edited: Nov 23, 2017
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,446
    Excluding a process will only circumvent the exploit mitigations. Secure deleting a file will still be prevented by CryptoGuard, writing to the MBR isn't possible for the excluded application, and excluding also doesn't affect the new mitigations ("CredGuard", "PrivGuard", etc.)
    These mitigations are still active, system-wide.
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,446
    Yes, it is now done by a user-mode process (fontdrvhost.exe), which runs in an AppContainer with no Capabilities and also runs under a virtual account.
    The AppContainer mitigation has been there since the first release of Windows 10:
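To see for yourself how the font driver host is running on a given machine, here is an added PowerShell check (not from the thread, and not part of HitmanPro.Alert or Windows tooling beyond the built-in CIM cmdlets). It lists each fontdrvhost.exe instance with its session and the account its token runs as, and flags any instance that is not owned by a virtual font-driver account. The expected owner name "Font Driver Host\UMFD-<session>" is an assumption drawn from the post above; confirm it on your own system.

```powershell
# Added example (not from the thread): report how fontdrvhost.exe runs.
# Expected owner "Font Driver Host\UMFD-<n>" is an assumption, not a fact from the post.

$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'fontdrvhost.exe'"
if (-not $procs) {
    Write-Warning 'fontdrvhost.exe is not running on this system; the user-mode font host is not in use here.'
    return
}

$report = foreach ($p in $procs) {
    # GetOwner is a WMI/CIM method that returns the account the process token runs as.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    [pscustomobject]@{
        PID     = $p.ProcessId
        Session = $p.SessionId
        Owner   = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<access denied>' }
        Path    = $p.ExecutablePath
    }
}
$report | Format-Table -AutoSize

# Sanity check: every instance should run as a virtual "Font Driver Host" account,
# never as SYSTEM or as the logged-on user. Anything else deserves a closer look.
$unexpected = $report | Where-Object { $_.Owner -notlike 'Font Driver Host\*' }
if ($unexpected) {
    Write-Warning 'fontdrvhost.exe instance(s) with an unexpected owner:'
    $unexpected | Format-Table -AutoSize
}
```

Run it elevated so GetOwner succeeds for session-0 processes; one instance per session (session 0 plus each interactive session) is normal. This shows the virtual-account part of the post; the AppContainer token itself is not exposed by Win32_Process and would need a token-inspection tool.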
     
  23. plat1098

    plat1098 Guest

    Yes, OK then, this summarizes the issue very neatly. Perhaps it is best for me to keep the "ie" in Sandboxie and leave Chrome out of it--for now at least. Otherwise, it gets very complicated and messy. :)

    Hey @shmu26: this untrusted fonts thing is a relic from the past and was resolved when I attempted to activate this mitigation thru group policy, only to get a warning id 1085 in event viewer! @BoerenkoolMetWorst and @markloman had illuminated the untrusted fonts mitigation issue re: Alert in below post over a month ago. :) Very interesting--glad this mitigation is reworked in Fall CU.

    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-573#post-2713455
     
  24. Armadax

    Armadax Registered Member

    Joined:
    Sep 13, 2015
    Posts:
    19
    Location:
    Zuid-Holland
    Okay, thanks for this. But, errmmm, we’re staying tuned since June??
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,863
    This was brought up yesterday. What's the June?
     