HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    773
    Location:
    USA
    +1 thanks!
     
  2. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    773
    Location:
    USA
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,154
    I installed this version which was working fine.

    Got a prompt to reboot to install the latest version. And the keyboard stopped working.

    Thank God that someone posted online some instructions as to how fix code 19 error on the keyboard.
     
  4. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    773
    Location:
    USA
    I installed (automatic update thru reboot) 3.7.11 Build 791 without issues on my Windows 10 Pro 1809 PC.

    Thanks to all who posted their results! :thumb:
     
  5. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
  6. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    773
    Location:
    USA
    Interesting...

    This related article is linked in the original post: https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html

    Yikes! :eek:

    Edit: After re-reading these articles again, I am left wondering if this exploit is only possible if the target computer has already been compromised by a backdoor?
     
    Last edited: Oct 20, 2019
  7. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    259
    Location:
    VPN city
    It said in the article on bleeping computer mentioned "loaders" and "second stage malware"

    At the start of the article it talked about how malware has been disguised as JPEG's and PNG's for a long time now.
    I've seen some of that malware when I was doing my own testing. The malware only works after you change the file to an EXE. Which leads me to believe that part of the attack would have to involve the audio files being changed to EXE's at some point during the attack.

    If not that, then the WAV's would just be another kind of file-less malware. Any security product that monitors Parent and child processes would be able to stop this kind of malware. Voodooshield would have you covered 100%, because it monitors the execution of ALL windows system EXE's as well as any EXE name that you've added to the vulnerable apps list.

    SecureAPlus would probably also have you covered so long as all of your media-playing apps have their EXE-names listed in the restricted applications menu...Don't quote me on that claim about S.A.P., I don't know that for a fact.
    (edit): this kind of malware makes use of the media player to unpack a more conventional kind of payload into a folder on the system. So yes, S.A.P. CAN protect against it. (edit end)

    As for HMP.Alert! being able to protect from this kind of attack. I don't think so. HMP.Alert! protects against the kinds of exploits that things like Voodooshield and SecureAPlus can't protect from deeper in the system.
     
    Last edited: Oct 20, 2019
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If the player of the wav file was protected by HMPA then it probably would be protected by it's Application Lockdown protection. I've tested it and it works. Only caveat is the player has to be protected by HMPA
     
  9. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    71
    +10
     
  10. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    Getting a lot of CodeCave alerts regarding OpenVPN.exe suddenly. Anybody else seeing similar with any VPN activity?
     
  11. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    896
    Location:
    Baden Germany
    So sad, that WMP-HomeCineama can't be protected by HMP.A
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,885
    Location:
    Under a bushel ...
    Does Event List>Actions>Suppress Alert just suppress the alert message, or is it equivalent to whitelisting that event (Anti-Malware block in this case).

    HmP.A is blocking BlackFog Privacy updater (on v3.8.0 build 853 CTP3 but I presume it would on stable as version well).
     
  13. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    447
    Location:
    USA
    I've got 122 alerts on openvpn. Check it on Virustotal and no problems.
     
  14. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    773
    Location:
    USA
    I am using a VPN provider that runs openvpn.exe file version 2.4.6.0 as part of their client software. No alerts here.
     
  15. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    I am using the Mullvad app. Also Simple DNScrypt. If by chance either of those are relevant or related to your setup.
     
  16. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    447
    Location:
    USA
    Yes, Mullvad.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    @erikloman, @markloman, @RonnyT,

    HMPA 3.7.11.791 detects and blocks NirSoft USBDeview version 2.81 x64 as malware.
    According to VirusTotal, that was the same for several other antivirus/antimalware engines/programs, last week, with that difference that the detection was corrected for those other antivirus/antimalware engines/programs, some days ago, and HitmanPro.Alert still detects and blocks USBDeview version 2.81 x64 as malware.
    Code:
    Malware found:
    Trojan.GenericKD.32650363
    D:\Users\XXXXX\Downloads\USBDeview\USBDeview.exe
    Mitigation   MalwareBlocked
    Timestamp    2019-11-03T20:38:53
    
    Platform     6.1.7601/x64 v791 06_17*
    PID          1584
    Application  D:\Users\XXXXX\Downloads\USBDeview\USBDeview.exe
    Created      2019-10-24T11:27:04
    Modified     2019-10-31T11:28:41
    Description  Trojan.GenericKD.32650363
    
    
    SHA256:	
    889ced9bd8a6a43731fc9a1d8d228e26d31dc7f5118cba3f1cfdbf0096dbd3ab
    
     
  18. davido

    davido Registered Member

    Joined:
    Mar 18, 2015
    Posts:
    12
    Hi,
    I had to unistall HMPA in order to play Red Dead Redempion 2, the game stopped at launch without any messages from HMPA, now it works.
    Now i think i know why i was not able to play Battlefield 1
    Anyway only 19 days left to the license expire date
    Ciao
    edit: reinstalling the program solved, i can play red dead redemption 2 now, and battlefield v is the one i had problem with, not bf1. Maybe i will reinstall that too, bye
     
    Last edited: Nov 9, 2019
  19. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    @erikloman, @markloman, @RonnyT,

    Is there anything to say regarding my last Sunday's report regarding HMPA 3.7.11.791 detecting and blocking NirSoft USBDeview version 2.81 x64 as malware?

    If, according to VirusTotal, all other vendors corrected the detection for their antivirus/antimalware engines/programs, last week, why can't Sophos/SurfRight, why is HMPA still detecting and blocking USBDeview version 2.81 x64 as malware?
     
  20. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    30
    Location:
    ITALIA
    HitmanPro.Alert 3.7.11 Build 791
     

    Attached Files:

  21. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    896
    Location:
    Baden Germany
    This is expected behavior, as USB-DV accesses on hardware level.
    HMP.A is not definition based.
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    HMPA never detected and blocked NirSoft USBDeview before last week, when several other antivirus/antimalware engines/programs did the same.

    That is true for HMPA safe browsing, exploit mitigation and risk reduction, but I'm not so sure about the anti-malware component.
     
  23. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    896
    Location:
    Baden Germany
    ct
    So actually HMP blocked USB-DV.
    HMP, as part of HMP.A, is cloud based.
     
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,139
    Location:
    the Netherlands
    @erikloman, @markloman, @RonnyT,
    As I reported, November 3, HMPA's Anti-Malware component detects and blocks USBDeview version 2.81 x64 as malware, "Trojan.GenericKD.32650363". That is when HMPA's Anti-Malware component is trigered, for instance by a SUMo (Software Update Monitor) scan or check that includes USBDeview.

    On my system, a usual HMP scan does not detect NirSoft USBDeview, as USBDeview is not on C:, but stored as portable application on D:
    If I choose to scan USBDeview using HMP's context menu option, HMP detects USBDeview as Bitdefender "Trojan.GenericKD.32650363":
    Code:
    Malware _____________________________________________________________________
    
       D:\Users\XXXXX\Downloads\USBDeview\USBDeview.exe
          Size . . . . . . . : 182.120 bytes
          Age  . . . . . . . : 17.4 days (2019-10-24 12:27:04)
          Entropy  . . . . . : 6.1
          SHA-256  . . . . . : 889CED9BD8A6A43731FC9A1D8D228E26D31DC7F5118CBA3F1CFDBF0096DBD3AB
          Product  . . . . . : USBDeview
          Publisher  . . . . : NirSoft
          Description  . . . : Lists USB Devices
          Version  . . . . . : 2.81
          Copyright  . . . . : Copyright © 2006 - 2019 Nir Sofer
          RSA Key Size . . . : 2048
          LanguageID . . . . : 1033
          Authenticode . . . : Valid
        > Bitdefender  . . . : Trojan.GenericKD.32650363
    
    So HMP's and HMPA's Anti-Malware cloud based component detects USBDeview as Bitdefender "Trojan.GenericKD.32650363".
    However, Bitdefender corrected that detection end of October, same as it was corrected for other antivirus/antimalware programs using the Bitdefender engine, according to VirusTotal.

    What I do not understand is why HMP's and HMPA's Anti-Malware cloud based component still uses the Bitdefender "Trojan.GenericKD.32650363" detection for USBDeview, when Bitdefender corrected that detection 10 days ago!
     
    Last edited: Nov 10, 2019
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    923
    Location:
    UK
    Thanks for posting this as it seems now on your website one has to fill in a form on sophos to download builds.

    I am still on a old build, which with keyboard encryption misbehaved with chrome, I will retest on this build and report it as a big if still exists.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.