HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    +1 thanks!
     
  2. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,559
    I installed this version which was working fine.

    Got a prompt to reboot to install the latest version. And the keyboard stopped working.

    Thank God that someone posted online some instructions as to how to fix the code 19 error on the keyboard.
     
  4. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I installed (automatic update thru reboot) 3.7.11 Build 791 without issues on my Windows 10 Pro 1809 PC.

    Thanks to all who posted their results! :thumb:
     
  5. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
  6. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Interesting...

    This related article is linked in the original post: https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html

    Yikes! :eek:

    Edit: After re-reading these articles again, I am left wondering if this exploit is only possible if the target computer has already been compromised by a backdoor?
     
    Last edited: Oct 20, 2019
  7. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    491
    Location:
    VPN city
    The article on Bleeping Computer mentioned "loaders" and "second stage malware".

    At the start of the article it talked about how malware has been disguised as JPEGs and PNGs for a long time now.
    I've seen some of that malware when I was doing my own testing. The malware only works after you change the file to an EXE, which leads me to believe that part of the attack would have to involve the audio files being changed to EXEs at some point during the attack.

    If not that, then the WAVs would just be another kind of file-less malware. Any security product that monitors parent and child processes would be able to stop this kind of malware. Voodooshield would have you covered 100%, because it monitors the execution of ALL Windows system EXEs as well as any EXE name that you've added to the vulnerable apps list.

    SecureAPlus would probably also have you covered so long as all of your media-playing apps have their EXE-names listed in the restricted applications menu...Don't quote me on that claim about S.A.P., I don't know that for a fact.
    (edit): this kind of malware makes use of the media player to unpack a more conventional kind of payload into a folder on the system. So yes, S.A.P. CAN protect against it. (edit end)

    As for HMP.Alert! being able to protect from this kind of attack, I don't think so. HMP.Alert! protects against the kinds of exploits that things like Voodooshield and SecureAPlus can't protect from, deeper in the system.
     
    Last edited: Oct 20, 2019
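    The parent/child process monitoring that the post above describes can be sketched in a few lines. The following is an added example written for this thread, not code from Voodooshield, SecureAPlus or HitmanPro.Alert: it reads constructed process-creation events (the `time|parent|child|cmdline` line format, the player names and the allowlist are all assumptions) and flags any media player that spawns a child executable outside a small allowlist, then walks the lineage down from that event.

    ```python
    """Toy parent/child process-creation monitor (added example, not vendor code).
    It models the check discussed above: a media player opening a WAV should not
    be launching new executables, so any such child is flagged."""
    from dataclasses import dataclass

    # Media players treated as pure "viewers" that should not spawn children (assumption).
    MEDIA_PLAYERS = {"wmplayer.exe", "vlc.exe", "winamp.exe", "mpc-hc64.exe"}

    # Children a player may legitimately launch (site-specific allowlist; assumption).
    ALLOWED_CHILDREN = {"werfault.exe"}

    # Constructed process-creation events, one per line: time|parent|child|cmdline
    SAMPLE_EVENTS = """\
    2019-10-20T10:00:01|explorer.exe|vlc.exe|"C:\\Program Files\\VLC\\vlc.exe" track.wav
    2019-10-20T10:00:09|vlc.exe|cmd.exe|cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe
    2019-10-20T10:00:10|cmd.exe|stage2.exe|C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe
    2019-10-20T10:01:00|wmplayer.exe|werfault.exe|werfault.exe -u -p 4242
    2019-10-20T10:02:00|explorer.exe|notepad.exe|notepad.exe readme.txt
    """


    @dataclass(frozen=True)
    class Event:
        time: str
        parent: str
        child: str
        cmdline: str


    def parse_events(text):
        """Split the constructed log into Event records; image names are lower-cased."""
        events = []
        for line in text.splitlines():
            if not line.strip():
                continue
            time, parent, child, cmdline = line.split("|", 3)
            events.append(Event(time, parent.lower(), child.lower(), cmdline))
        return events


    def suspicious_children(events):
        """Events where a media player spawned a child that is not on the allowlist."""
        return [e for e in events
                if e.parent in MEDIA_PLAYERS and e.child not in ALLOWED_CHILDREN]


    def chain_from(events, root):
        """Follow parent -> child links downward from a flagged event (simple lineage)."""
        chain = [root]
        current = root.child
        for e in events:
            if e.parent == current and e.time >= chain[-1].time:
                chain.append(e)
                current = e.child
        return chain


    if __name__ == "__main__":
        evs = parse_events(SAMPLE_EVENTS)
        for hit in suspicious_children(evs):
            print("ALERT:", " -> ".join(f"{e.parent}>{e.child}" for e in chain_from(evs, hit)))
    ```

    Real products key on more than the image name (signer, path, integrity level, command line), but the shape of the rule is the same: the alert comes from the relationship between parent and child, not from a signature on the WAV file itself.
    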
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If the player of the WAV file was protected by HMPA, then it probably would be protected by its Application Lockdown protection. I've tested it and it works. The only caveat is that the player has to be protected by HMPA.
     
  9. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    201
    +10
     
  10. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    Getting a lot of CodeCave alerts regarding OpenVPN.exe suddenly. Anybody else seeing similar with any VPN activity?
     
  11. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    So sad that WMP-HomeCinema can't be protected by HMP.A
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Does Event List>Actions>Suppress Alert just suppress the alert message, or is it equivalent to whitelisting that event (an Anti-Malware block in this case)?

    HMP.A is blocking the BlackFog Privacy updater (on v3.8.0 build 853 CTP3, but I presume it would on the stable version as well).
     
  13. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    I've got 122 alerts on openvpn. Checked it on VirusTotal and no problems.
     
  14. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I am using a VPN provider that runs openvpn.exe file version 2.4.6.0 as part of their client software. No alerts here.
     
  15. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    I am using the Mullvad app. Also Simple DNScrypt. If by chance either of those are relevant or related to your setup.
     
  16. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Yes, Mullvad.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,863
    Location:
    the Netherlands
    @erikloman, @markloman, @RonnyT,

    HMPA 3.7.11.791 detects and blocks NirSoft USBDeview version 2.81 x64 as malware.
    According to VirusTotal, that was the same for several other antivirus/antimalware engines/programs last week, with the difference that the detection was corrected for those other antivirus/antimalware engines/programs some days ago, while HitmanPro.Alert still detects and blocks USBDeview version 2.81 x64 as malware.
    Code:
    Malware found:
    Trojan.GenericKD.32650363
    D:\Users\XXXXX\Downloads\USBDeview\USBDeview.exe
    Mitigation   MalwareBlocked
    Timestamp    2019-11-03T20:38:53
    
    Platform     6.1.7601/x64 v791 06_17*
    PID          1584
    Application  D:\Users\XXXXX\Downloads\USBDeview\USBDeview.exe
    Created      2019-10-24T11:27:04
    Modified     2019-10-31T11:28:41
    Description  Trojan.GenericKD.32650363
    
    
    SHA256:	
    889ced9bd8a6a43731fc9a1d8d228e26d31dc7f5118cba3f1cfdbf0096dbd3ab
    
     
  18. davido

    davido Registered Member

    Joined:
    Mar 18, 2015
    Posts:
    15
    Hi,
    I had to uninstall HMPA in order to play Red Dead Redemption 2; the game stopped at launch without any messages from HMPA, now it works.
    Now I think I know why I was not able to play Battlefield 1.
    Anyway, only 19 days left until the license expiry date.
    Ciao
    edit: reinstalling the program solved it, I can play Red Dead Redemption 2 now, and Battlefield V is the one I had problems with, not BF1. Maybe I will reinstall that too, bye
     
    Last edited: Nov 9, 2019
  19. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,863
    Location:
    the Netherlands
    @erikloman, @markloman, @RonnyT,

    Is there anything to say regarding my last Sunday's report regarding HMPA 3.7.11.791 detecting and blocking NirSoft USBDeview version 2.81 x64 as malware?

    If, according to VirusTotal, all other vendors corrected the detection for their antivirus/antimalware engines/programs, last week, why can't Sophos/SurfRight, why is HMPA still detecting and blocking USBDeview version 2.81 x64 as malware?
     
  20. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    50
    Location:
    Italien
    HitmanPro.Alert 3.7.11 Build 791
     


  21. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    This is expected behavior, as USB-DV operates at the hardware level.
    HMP.A is not definition based.
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,863
    Location:
    the Netherlands
    HMPA never detected and blocked NirSoft USBDeview before last week, when several other antivirus/antimalware engines/programs did the same.

    That is true for HMPA safe browsing, exploit mitigation and risk reduction, but I'm not so sure about the anti-malware component.
     
  23. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    So actually HMP blocked USB-DV.
    HMP, as part of HMP.A, is cloud based.
     
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,863
    Location:
    the Netherlands
    @erikloman, @markloman, @RonnyT,
    As I reported on November 3, HMPA's Anti-Malware component detects and blocks USBDeview version 2.81 x64 as malware, "Trojan.GenericKD.32650363". That is when HMPA's Anti-Malware component is triggered, for instance by a SUMo (Software Update Monitor) scan or check that includes USBDeview.

    On my system, a usual HMP scan does not detect NirSoft USBDeview, as USBDeview is not on C:, but stored as a portable application on D:
    If I choose to scan USBDeview using HMP's context menu option, HMP detects USBDeview as Bitdefender "Trojan.GenericKD.32650363":
    Code:
    Malware _____________________________________________________________________
    
       D:\Users\XXXXX\Downloads\USBDeview\USBDeview.exe
          Size . . . . . . . : 182.120 bytes
          Age  . . . . . . . : 17.4 days (2019-10-24 12:27:04)
          Entropy  . . . . . : 6.1
          SHA-256  . . . . . : 889CED9BD8A6A43731FC9A1D8D228E26D31DC7F5118CBA3F1CFDBF0096DBD3AB
          Product  . . . . . : USBDeview
          Publisher  . . . . : NirSoft
          Description  . . . : Lists USB Devices
          Version  . . . . . : 2.81
          Copyright  . . . . : Copyright © 2006 - 2019 Nir Sofer
          RSA Key Size . . . : 2048
          LanguageID . . . . : 1033
          Authenticode . . . : Valid
        > Bitdefender  . . . : Trojan.GenericKD.32650363
    
    So HMP's and HMPA's cloud-based Anti-Malware component detects USBDeview as Bitdefender "Trojan.GenericKD.32650363".
    However, Bitdefender corrected that detection at the end of October, the same as it was corrected for other antivirus/antimalware programs using the Bitdefender engine, according to VirusTotal.

    What I do not understand is why HMP's and HMPA's cloud-based Anti-Malware component still uses the Bitdefender "Trojan.GenericKD.32650363" detection for USBDeview, when Bitdefender corrected that detection 10 days ago!
     
    Last edited: Nov 10, 2019
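    When comparing a report like the one above against an earlier alert (post 17 gives the hash in lowercase, the scan output gives it in uppercase), it helps to pull the fields out mechanically rather than by eye. The block below is an added example for this thread, not HitmanPro's own code: it parses the pasted `Key . . . : value` layout (the regexes are my assumption about that layout, derived only from the text shown), extracts the path, the properties and the `>`-marked engine verdict, and checks the reported SHA-256 against the hash from the earlier MalwareBlocked alert case-insensitively. `sha256_of_file` is there so the same comparison can be run against a local copy of the file.

    ```python
    """Parser for the HitmanPro scan report pasted above (added example; not
    HitmanPro's code). Layout assumption: 'Key . . . : value' lines, one path
    line, and a leading '>' on the engine that produced the detection."""
    import hashlib
    import re

    # The report from the post, embedded as constructed sample input.
    SAMPLE_REPORT = """\
    Malware _____________________________________________________________________

       D:\\Users\\XXXXX\\Downloads\\USBDeview\\USBDeview.exe
          Size . . . . . . . : 182.120 bytes
          Age  . . . . . . . : 17.4 days (2019-10-24 12:27:04)
          Entropy  . . . . . : 6.1
          SHA-256  . . . . . : 889CED9BD8A6A43731FC9A1D8D228E26D31DC7F5118CBA3F1CFDBF0096DBD3AB
          Product  . . . . . : USBDeview
          Publisher  . . . . : NirSoft
          Description  . . . : Lists USB Devices
          Version  . . . . . : 2.81
          RSA Key Size . . . : 2048
          LanguageID . . . . : 1033
          Authenticode . . . : Valid
        > Bitdefender  . . . : Trojan.GenericKD.32650363
    """

    # SHA-256 from the earlier MalwareBlocked alert in this thread (lowercase there).
    ALERT_SHA256 = "889ced9bd8a6a43731fc9a1d8d228e26d31dc7f5118cba3f1cfdbf0096dbd3ab"

    # 'Key . . . : value', optionally prefixed by '>' for the detecting engine.
    FIELD_RE = re.compile(
        r"^\s*(?P<flag>>)?\s*(?P<key>[A-Za-z][\w -]*?)\s*(?:\. ?)+:\s*(?P<val>.*?)\s*$")
    # A Windows path line such as 'D:\Users\...\USBDeview.exe'.
    PATH_RE = re.compile(r"^\s*(?P<path>[A-Za-z]:\\.*?)\s*$")


    def parse_report(text):
        """Return {'path': ..., 'fields': {...}, 'detections': [(engine, name), ...]}."""
        record = {"fields": {}, "detections": []}
        for line in text.splitlines():
            m = FIELD_RE.match(line)
            if m:
                if m.group("flag"):
                    record["detections"].append((m.group("key"), m.group("val")))
                else:
                    record["fields"][m.group("key")] = m.group("val")
                continue
            m = PATH_RE.match(line)
            if m and "path" not in record:
                record["path"] = m.group("path")
        return record


    def sha256_hex(data: bytes) -> str:
        """Hex SHA-256 of an in-memory byte string."""
        return hashlib.sha256(data).hexdigest()


    def sha256_of_file(path, chunk=1 << 20):
        """Hex SHA-256 of a file on disk, read in chunks so large files are fine."""
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
        return h.hexdigest()


    def same_sample(record, reported_sha256):
        """True when the report's SHA-256 equals the alert's hash, ignoring case."""
        return record["fields"].get("SHA-256", "").lower() == reported_sha256.lower()


    if __name__ == "__main__":
        rec = parse_report(SAMPLE_REPORT)
        print(rec["path"], rec["detections"], "same file:", same_sample(rec, ALERT_SHA256))
    ```

    Matching the hash confirms that the blocked file in the alert and the file scanned from the context menu are the same binary, so the open question really is about how the cloud lookup ages a third-party verdict, not about two different copies of USBDeview.
    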
  25. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Thanks for posting this, as it seems one now has to fill in a form on the Sophos website to download builds.

    I am still on an old build, which with keyboard encryption misbehaved with Chrome; I will retest on this build and report it as a bug if it still exists.
     