HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    300
    Location:
    Netherlands
    +1
     
  2. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    179
    Location:
    Canada
    Things are working fine for me as well.

    This was actually the first time the client automatically updated before I had a chance to manually apply the update.
     
  3. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,130
    Location:
    USA
    Anyone using this latest version with XP?
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,010
    Location:
    USA
    Installed automatically over 737 on reboot. Everything looks fine :thumb:
     
  5. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    Mark, does build 738 resolve the issues reported for Vista in this post?

    I asked the same thing after 737 was released, but there was no reply.
     
  6. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    I'm in the same boat as you, with Vista 64-bit in my case (see the post just above this one).
     
  7. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
    What other products do you have on your machine? We are unable to reproduce the issue on our Windows Vista test machines.
     
  8. pilipali

    pilipali Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    18
    Location:
    Finland
    When I am doing a virus scan with F-Secure Internet Security, I get this "attack intercepted" from HitmanPro.Alert. Why is this, and why does it trigger during a virus scan? Is there a way to avoid this?
     

  9. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    434
    In terms of memory-resident security products, other than HMP.A it's Norton 360 version 22.12.1.15; Windows Defender (AM, not AV) version 1.1.1600.0; and Spybot Search & Destroy version 1.6.42.

    Similarly serious issues happen with post-604 HMP.A builds on my father's Vista x64 machine; he has the same versions of Norton and Windows Defender but Spybot isn't installed. With more recent builds, he can't boot into his PC.
     
  10. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,148
    Location:
    the Netherlands
    Eep! That looks like Credential Theft Protection interfering with F-Secure when reading LSASS process memory.
    That issue of Credential Theft Protection interfering with anti-virus products when reading LSASS process memory was introduced in beta 734, and should have been solved in build 737.

    @markloman,
    It looks like the issue of Credential Theft Protection interfering with anti-virus products when reading LSASS process memory is still not fully solved.

    I haven't tried the beta, nor release versions 737 or 738 because of that issue.
    Therefore I cannot tell whether Credential Theft Protection will interfere with my anti-virus product, G Data, but as in 738 it interferes with F-Secure, I'm rather worried.


    Also,
    @pilipali,
    Your screen capture is rather hard to read.
    Next time, you can copy and paste alert details from Event Viewer.
     
  11. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
    Actually, F-Secure is really attempting to read data from LSASS’s memory, so the mitigation is working correctly. It’s designed to prevent access. We’ll solve it from remote, give it a few hours.
     
  12. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,148
    Location:
    the Netherlands
    I didn't doubt HMPA was working correctly, but nevertheless, Credential Theft Protection interfering with anti-virus products reading LSASS process memory is rather troublesome, in my opinion.

    Great, thanks very much! :thumb:
    @markloman,
    Will the same mitigation occur with G Data (and other anti-virus products) reading LSASS process memory?
    Can you fix (or have you fixed) that in advance, or can you only fix that as soon as a user offers a report of Credential Theft Protection interfering with G Data (or other anti-virus product) reading LSASS process memory?
     
  13. pilipali

    pilipali Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    18
    Location:
    Finland
    Does this help?

    Code:
    Lokinimi:      Application
    Lähde:         HitmanPro.Alert
    Päivä:         14.3.2018 18.38.31
    Tapahtumatunnus:911
    Tehtäväluokka: Mitigation
    Taso:          Virhe
    Avainsanat:    Perinteinen
    Käyttäjä:       -
    Tietokone:     Hannu-PC
    Kuvaus:
    Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v738 6f_13
    PID          4088
    Application  C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fshoster64.exe
    Description  F-Secure Host Process 1.22
    
    Reading LSASS (732) process memory: 00007FFFBF200000 L32
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFFC7D365A4 KernelBase.dll           ReadProcessMemory +0x14
    
    2  00007FFFADBB5A74 gkhsm64.dll            
                        85c0                     TEST         EAX, EAX
                        7543                     JNZ          0x7fffadbb5abb
                        ff15e20a0500             CALL         QWORD [RIP+0x50ae2]
                        3d2b010000               CMP          EAX, 0x12b
                        7424                     JZ           0x7fffadbb5aa9
                        89442428                 MOV          [RSP+0x28], EAX
                        48896c2420               MOV          [RSP+0x20], RBP
                        4c8bcf                   MOV          R9, RDI
                        4c8d05d8b60700           LEA          R8, [RIP+0x7b6d8]
                        488d1521b70700           LEA          RDX, [RIP+0x7b721]
                        b905000000               MOV          ECX, 0x5
                        e8e724ffff               CALL         0x7fffadba7f90
                        488bce                   MOV          RCX, RSI
                        e88f75feff               CALL         0x7fffadb9d040
    
    3  00007FFFADBB3F02 gkhsm64.dll            
    4  00007FFFADB10361 gkhsm64.dll            
    5  00007FFFA7C0BF5D fsecr64.dll            
    6  00007FFFA7E00B1B fsecr64.dll            
    7  00007FFFA7E080B0 fsecr64.dll            
    8  00007FFFA7DFFB6B fsecr64.dll            
    9  00007FFFA7DF1643 fsecr64.dll            
    10 00007FFFA7E0179D fsecr64.dll            
    
    Process Trace
    1  C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fshoster64.exe [4088]
    "C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fshoster64.exe" -PointAppFamily:1400
    2  C:\Windows\System32\services.exe [676]
    3  C:\Windows\System32\wininit.exe [604]
    wininit.exe
    
    Thumbprint
    9cf86567bfcd5a8735a7cd7c95ab443917e60ed98c95b93bad44adf24f3bcbd0
    Tapahtuman Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2018-03-14T16:38:31.696693700Z" />
        <EventRecordID>42313</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Hannu-PC</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fshoster64.exe</Data>
        <Data>CredGuard</Data>
        <Data>Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v738 6f_13
    PID          4088
    Application  C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fshoster64.exe
    Description  F-Secure Host Process 1.22
    
    Reading LSASS (732) process memory: 00007FFFBF200000 L32
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFFC7D365A4 KernelBase.dll           ReadProcessMemory +0x14
    
    2  00007FFFADBB5A74 gkhsm64.dll            
                        85c0                     TEST         EAX, EAX
                        7543                     JNZ          0x7fffadbb5abb
                        ff15e20a0500             CALL         QWORD [RIP+0x50ae2]
                        3d2b010000               CMP          EAX, 0x12b
                        7424                     JZ           0x7fffadbb5aa9
                        89442428                 MOV          [RSP+0x28], EAX
                        48896c2420               MOV          [RSP+0x20], RBP
                        4c8bcf                   MOV          R9, RDI
                        4c8d05d8b60700           LEA          R8, [RIP+0x7b6d8]
                        488d1521b70700           LEA          RDX, [RIP+0x7b721]
                        b905000000               MOV          ECX, 0x5
                        e8e724ffff               CALL         0x7fffadba7f90
                        488bce                   MOV          RCX, RSI
                        e88f75feff               CALL         0x7fffadb9d040
    
    3  00007FFFADBB3F02 gkhsm64.dll            
    4  00007FFFADB10361 gkhsm64.dll            
    5  00007FFFA7C0BF5D fsecr64.dll            
    6  00007FFFA7E00B1B fsecr64.dll            
    7  00007FFFA7E080B0 fsecr64.dll            
    8  00007FFFA7DFFB6B fsecr64.dll            
    9  00007FFFA7DF1643 fsecr64.dll            
    10 00007FFFA7E0179D fsecr64.dll            
    
    Process Trace
    1  C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fshoster64.exe [4088]
    "C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fshoster64.exe" -PointAppFamily:1400
    2  C:\Windows\System32\services.exe [676]
    3  C:\Windows\System32\wininit.exe [604]
    wininit.exe
    
    Thumbprint
    9cf86567bfcd5a8735a7cd7c95ab443917e60ed98c95b93bad44adf24f3bcbd0</Data>
      </EventData>
    </Event>
     
    Last edited by a moderator: Mar 14, 2018
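    The CredGuard event above records which process read LSASS memory, at what address and length, and through which call chain. As an added triage helper (not HitmanPro.Alert's own code or its exclusion mechanism), this Python script parses that event body into fields and checks the reading binary against an assumed, operator-maintained list of trusted security-product directories; the sample text is a constructed, trimmed copy of the event quoted in the thread.

```python
import re

# Constructed sample: the Description body of the HitmanPro.Alert event 911 quoted in the
# thread, trimmed to the lines the parser relies on (disassembly lines are ignored).
SAMPLE_EVENT = r"""Mitigation   CredGuard

Platform     10.0.16299/x64 v738 6f_13
PID          4088
Application  C:\Program Files (x86)\F-Secure\Internet Security\apps\Ultralight\ulcore\1519387538\fshoster64.exe
Description  F-Secure Host Process 1.22

Reading LSASS (732) process memory: 00007FFFBF200000 L32

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  00007FFFC7D365A4 KernelBase.dll           ReadProcessMemory +0x14

2  00007FFFADBB5A74 gkhsm64.dll
                    85c0                     TEST         EAX, EAX
3  00007FFFADBB3F02 gkhsm64.dll
5  00007FFFA7C0BF5D fsecr64.dll
"""

# Hypothetical operator-maintained list of directories whose binaries are known security
# products; this is a triage aid, not HitmanPro.Alert's own exclusion mechanism.
TRUSTED_DIRS = ["C:\\Program Files (x86)\\F-Secure\\"]

def parse_credguard_event(text):
    """Pull the reader, the LSASS target and the call chain out of a CredGuard event body."""
    ev = {}
    for key in ("Mitigation", "Platform", "PID", "Application", "Description"):
        m = re.search(rf"^{key}\s+(.+?)\s*$", text, re.M)
        ev[key.lower()] = m.group(1) if m else None
    m = re.search(r"Reading LSASS \((\d+)\) process memory: ([0-9A-Fa-f]+) L(\d+)", text)
    if m:  # target PID, start address and byte count of the intercepted read
        ev["lsass_pid"], ev["address"], ev["length"] = int(m.group(1)), int(m.group(2), 16), int(m.group(3))
    # Stack frames are "<n> <16 hex digits> <module>"; disassembly lines are indented and skipped.
    frames = re.findall(r"^\d+\s+[0-9A-Fa-f]{16}\s+(\S+)", text, re.M)
    ev["modules"] = list(dict.fromkeys(frames))  # unique modules, innermost frame first
    return ev

def triage(ev, trusted_dirs):
    """Known security product reading LSASS, or something that needs a closer look."""
    app = (ev.get("application") or "").lower()
    if any(app.startswith(d.lower()) for d in trusted_dirs):
        return "known-security-product"
    return "investigate"
```

    Anything classified as "investigate" is a process reading LSASS memory that is not on the trusted list, which is exactly the case the mitigation exists to surface.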
  14. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    552
    Location:
    Hengelo
    No that's not how the mitigation works. It's more fine-grained than that. Typically, the mitigation should not trigger on antivirus products.
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,148
    Location:
    the Netherlands
    @markloman,
    On my 'semi test-system' (one of my two Windows 7 x64 systems, as mentioned in my signature), I upgraded HMPA build 729 to 738.

    Next, I did a G Data "Check computer (all local drives)" scan, which includes checking memory for all running processes. However, the memory scan may be limited, I don't know if LSASS process memory is read with that G Data "Check computer" scan.
    HMPA did not interfere with this scan.

    Then, I did a G Data "Check memory and Startup" scan, which includes checking memory for all running processes, but may include more extensive memory processes checking than the "Check computer (all local drives)" scan.
    There was no HMPA alert, but G Data's "Check memory and Startup" hung for about 15 minutes before there was any progress. Next, it ran, and it completed in a couple of minutes, with a total of 17 minutes 40 seconds.
    There is no corresponding HMPA report in Event Viewer.

    I tried the same on my other system, that has HMPA build 729.
    On this system the same G Data "Check memory and Startup" scan ran and completed in 3 minutes 30 seconds, with no hang.

    I cannot tell whether or not the 15 minute hang on the system with build 738 was related to that new HMPA build 738, but it seems rather iffy to me.
     
    Last edited: Mar 15, 2018
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,148
    Location:
    the Netherlands
    @markloman,
    @erikloman,
    @RonnyT,

    This morning, I noticed that on the system with HMPA build 738 it took G Data IS 11 minutes to load the hourly virus definitions, instead of usually about 2 minutes 30 seconds.

    Here also, I cannot tell whether or not this is related to the new HMPA build 738, but it sure is striking.
    I'll keep an eye on it.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,148
    Location:
    the Netherlands
    @markloman,
    @erikloman,
    @RonnyT,

    I tested again, this morning.

    This time, it took G Data IS less than 2 minutes to load the hourly virus definitions.

    Next, I ran the G Data "Check memory and Startup" scan.
    It ran and completed successfully in a couple of minutes.
    First run was 5 minutes, second run was 3 minutes.

    So, all looks well, now.
    My previous findings may have been only one-time glitches.
     
  18. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,130
    Location:
    USA
    @markloman
    Just curious. . . with HMPA 3.7.6.138 active and protecting my local email client, does it also monitor all incoming email attachments?
     
  19. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    Further to pilipali's post 14785 I followed the advice given by Victek in post 14661 and excluded F-Secure's running processes from HMPA. Problem solved for me.
     
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,148
    Location:
    the Netherlands
    @pilipali,
    Was the issue that you reported solved?
    Did you try another F-Secure virus scan, later, after Mark had a few hours to solve the issue from remote?
     
    Last edited: Mar 17, 2018
  21. pilipali

    pilipali Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    18
    Location:
    Finland
    Yes, I have made scans with F-Secure and have not seen issues yet. I don't know what has been changed, but I have not changed any settings.
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,148
    Location:
    the Netherlands
    Great! Thanks for reporting.
    I suppose Mark and colleagues, the Sophos HMPA team, solved the F-Secure issue from remote, as Mark said they would.
    Neat that such things can be solved from remote and don't need a program update.
     
  23. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    773
    Location:
    USA
    I would expect monitoring of incoming mail attachments to be a function of your resident AV's signature-based file scanner. Now if one of the attachments tried to run an exploit that got past your AV, then HMPA should kick in and prevent any damage.
     
  24. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    76
    Location:
    Long Beach, WA
    Intruder errors opening Chrome with HMPA license expired. This happened on two more computers today after update to version 738. As soon as I activate a new HMPA license, Chrome works normally again. I am a HMPA reseller/ computer store owner so I see a lot of computers every day. All the computers also are Win 10 x64 with windows defender and Malwarebytes Premium.

     
    Last edited: Mar 21, 2018
  25. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    I can confirm the chrome problem after the latest update.

    p.s. where's the quote button??
     