HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    883
    Location:
    USA
    Yes, by design. You have the choice to add (or remove) any internet facing application to Exploit Mitigations that you wish.

    By default they do not add every application. Would it make sense to do that? The user has a responsibility to decide what to protect.
     
  2. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    483
    A couple of days ago I tested installing the MyPal browser to see how my security layers handled it. HMP.A had no evident response to the installer, but by chance last night I looked at HMP.A's "Last Event" list and found that it had blocked the MyPal installer twice, for example:

    HMPA vs MyPal.png

    I'm not looking for a forensic analysis necessarily, but I'm curious if this is known to be a false positive or if it's known to be a real attack, which HMP.A then blocked.

    Also, why does the event call it a "MITRE ATT&CK," with '&' instead of 'A' in the name?

    Thanks!
     
  3. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    883
    Location:
    USA
I looked in my "Last event" list and saw dozens of the same type of CodeCave alert logged in the past week or so. Most of them were related to running uninstallers, as I was cleaning out applications that were not being used.

    Example:
    CodeCave alert.PNG
     
  4. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    479
    Location:
    USA
    Trademark name
     
  5. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    990
    Same here (build 889).

    1.JPG
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,027
    Location:
    Among the gum trees
    I had to manually add Windows Live Mail as well.
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,392
    Location:
    Under a bushel ...
    I had same with VT Hash Check, but that was Nov 28, still build 887 ...
    Code:
    Mitigation   CodeCave
    Timestamp    2020-11-28T10:29:13
    
    Platform     10.0.19042/x64 v887 06_8e
    PID          27368
    WoW          x86
    Feature      003D0A30000001A2
    Application  C:\Program Files (x86)\Boredom Software\VT Hash Check\VTHash.exe
    Created      2020-09-18T11:51:48
    Description  VT Hash Check 1.6
    
    Extra data appended to file!
    
    Data at offset: 002e2e00
    
    002E2E00  31 31 32 33 35 38 98 62 38 00 55 8B EC 81 EC 04  112358.b8.U.....
    002E2E10  00 00 00 89 A5 FC FF FF FF E8 00 00 00 00 8B 65  ...............e
    002E2E20  FC E8 B7 5C 38 00 8B 65 FC E8 40 03 00 00 8B 65  ...\8..e..@....e
    002E2E30  FC E8 02 62 38 00 8B 65 FC E8 00 00 00 00 8B 65  ...b8..e.......e
    002E2E40  FC B9 2A 8D 04 00 89 41 00 81 C4 04 00 00 00 5D  ..*....A.......]
    002E2E50  C3 55 8B EC 81 EC 0C 00 00 00 89 A5 F4 FF FF FF  .U..............
    002E2E60  E8 CA 00 00 00 8B 65 F4 E8 DE 84 21 00 8B 65 F4  ......e....!..e.
    002E2E70  33 C0 89 45 F8 E9 0E 00 00 00 11 04 00 00 00 00  3..E............
    002E2E80  F8 FF 8B A5 F4 FF FF FF 8B 45 F8 33 C9 3B C1 0F  .........E.3.;..
    002E2E90  84 19 00 00 00 50 E8 77 01 00 00 8B 65 F4 FF 75  .....P.w....e..u
    002E2EA0  F8 E8 D5 00 00 00 8B 65 F4 33 C0 89 45 F8 81 C4  .......e.3..E...
    002E2EB0  0C 00 00 00 5D C3 55 8B EC 81 EC 2C 00 00 00 89  ....].U....,....
    002E2EC0  A5 D4 FF FF FF 33 C0 89 45 F8 89 45 F0 89 45 E8  .....3..E..E..E.
    002E2ED0  89 45 E0 E8 B4 01 00 00 8B 65 D4 FF 75 E8 E8 E5  .E.......e..u...
    002E2EE0  00 00 00 8B 65 D4 33 C0 89 45 E8 FF 75 F0 E8 4E  ....e.3..E..u..N
    002E2EF0  01 00 00 8B 65 D4 33 C0 89 45 F0 E8 1E 8C 18 00  ....e.3..E......
    002E2F00  8B 65 D4 89 45 F0 E8 EC 31 21 00 8B 65 D4 89 45  .e..E...1!..e..E
    002E2F10  E0 50 FF 75 F0 E8 D4 2D 01 00 8B 65 D4 89 45 E8  .P.u...-...e..E.
    002E2F20  FF 75 F8 50 E8 F3 01 00 00 8B 65 D4 33 C0 89 45  .u.P......e.3..E
    002E2F30  F8 8B 4D E8 89 4D F8 E9 00 00 00 00 33 C0 89 45  ..M..M......3..E
    002E2F40  D8 E9 0E 00 00 00 11 04 00 00 00 00 D8 FF 8B A5  ................
    002E2F50  D4 FF FF FF FF 75 F0 E8 5E 01 00 00 8B 65 D4 33  .....u..^....e.3
    002E2F60  C0 89 45 F0 FF 75 E8 E8 82 01 00 00 8B 65 D4 33  ..E..u.......e.3
    002E2F70  C0 89 45 E8 8B 4D D8 3B C8 0F 84 19 00 00 00 51  ..E..M.;.......Q
    
    Loaded Modules (29)
    -----------------------------------------------------------------------------
    00400000-00713000 VTHash.exe (Boredom Software),
                      version: 1.6.0.0
    77790000-77933000 ntdll.dll (Microsoft Corporation),
                      version: 10.0.19041.610 (WinBuild.160101.0800)
    749D0000-74AD0000 hmpalert.dll (SurfRight B.V.),
                      version: 3.8.8.887
    77630000-77720000 KERNEL32.dll (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    76B50000-76D64000 KERNELBASE.dll (Microsoft Corporation),
                      version: 10.0.19041.572 (WinBuild.160101.0800)
    76550000-765FF000 COMDLG32.DLL (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    763B0000-7646F000 msvcrt.dll (Microsoft Corporation),
                      version: 7.0.19041.546 (WinBuild.160101.0800)
    759E0000-75C61000 combase.dll (Microsoft Corporation),
                      version: 10.0.19041.572 (WinBuild.160101.0800)
    756D0000-757F0000 ucrtbase.dll (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    76D70000-76E2A000 RPCRT4.dll (Microsoft Corporation),
                      version: 10.0.19041.630 (WinBuild.160101.0800)
    760E0000-76167000 shcore.dll (Microsoft Corporation),
                      version: 10.0.19041.610 (WinBuild.160101.0800)
    757F0000-75986000 USER32.dll (Microsoft Corporation),
                      version: 10.0.19041.610 (WinBuild.160101.0800)
    76960000-76978000 win32u.dll (Microsoft Corporation),
                      version: 10.0.19041.630 (WinBuild.160101.0800)
    769F0000-76A13000 GDI32.dll (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    76710000-767EA000 gdi32full.dll (Microsoft Corporation),
                      version: 10.0.19041.572 (WinBuild.160101.0800)
    76170000-761EB000 msvcp_win.dll (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    76A20000-76A65000 SHLWAPI.dll (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    76FD0000-77583000 SHELL32.dll (Microsoft Corporation),
                      version: 10.0.19041.610 (WinBuild.160101.0800)
    764D0000-7654A000 ADVAPI32.DLL (Microsoft Corporation),
                      version: 10.0.19041.610 (WinBuild.160101.0800)
    75650000-756C5000 sechost.dll (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    76E50000-76F33000 OLE32.dll (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    76670000-76706000 OLEAUT32.DLL (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    76980000-769E3000 WS2_32.dll (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    74F30000-74F38000 VERSION.dll (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    747B0000-749C2000 COMCTL32.dll (Microsoft Corporation),
                      version: 6.10 (WinBuild.160101.0800)
    74E60000-74E92000 IPHLPAPI.DLL (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    654F0000-65657000 GDIPLUS.DLL (Microsoft Corporation),
                      version: 10.0.19041.630 (WinBuild.160101.0800)
    742A0000-742C8000 WINMM.DLL (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    760B0000-760D5000 IMM32.DLL (Microsoft Corporation),
                      version: 10.0.19041.546 (WinBuild.160101.0800)
    
    SHA256:   
    c230410124f47a43c75f32c5e9452ce766a8a12ada582f805c3fc8bd1883f89e
    
    Process Trace
    1  C:\Program Files (x86)\Boredom Software\VT Hash Check\VTHash.exe [27368] 2020-11-28T10:29:13
       "C:\Program Files (x86)\Boredom Software\VT Hash Check\VTHash.exe" "D:\Applications\SyncBackSE\SyncBackSE_Setup.exe"
    2  C:\Windows\explorer.exe [7504] 2020-11-27T06:13:26
    3  C:\Windows\System32\userinit.exe [7216] 2020-11-27T06:13:26 29.9s
    4  C:\Windows\System32\winlogon.exe [996] 2020-11-27T06:13:13
       winlogon.exe
    5  C:\Windows\System32\smss.exe [872] 2020-11-27T06:13:13 90ms
       \SystemRoot\System32\smss.exe 000000dc 00000084
    
    Dropped Files
    1  C:\Users\pauld\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
         Dropped by \Device\HarddiskVolume5\Windows\explorer.exe [7504]
    2  C:\Users\pauld\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS1.jpg
         Dropped by \Device\HarddiskVolume5\Windows\explorer.exe [7504]
            Read by \Device\HarddiskVolume5\Windows\explorer.exe [7504]
    
    Thumbprints
    0c63ffc329fb5877d9b1369e9ab630d06419ba9679d98e3d2539ce2f31e84a02
    
     
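    For readers who want to check what a CodeCave alert like the one above is reacting to, here is an added example (my own script, not part of this thread and not HitmanPro.Alert's code). "Extra data appended to file" means the file on disk is longer than its PE section table accounts for; that trailing region is the overlay. The script parses the PE headers, reports the overlay's offset and size, renders its first bytes in the same offset / hex / ASCII layout the alert uses, and flags the common benign case where the overlay is only an Authenticode signature. The sample PE is constructed inside the script; the 16 overlay bytes are the first line of the hex dump quoted above. It only answers the static question (is there an overlay, where, how big); HMPA's runtime judgement of an "active" code cave is something the script does not reproduce.

```python
import struct

# Constructed sample: the first 16 bytes shown at offset 002E2E00 in the
# CodeCave alert quoted in the thread, reused here as overlay content.
SAMPLE_OVERLAY = bytes.fromhex("31 31 32 33 35 38 98 62 38 00 55 8B EC 81 EC 04")


def build_sample_pe(overlay: bytes) -> bytes:
    """Build a minimal PE32 image with one section and append `overlay`
    after the section's raw data. Constructed for this example only; it is
    not a loadable executable, just enough headers for the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> PE sig
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    # One section: 0x200 bytes of raw data starting at file offset 0x400.
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000,
                          0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + optional + section
    image += b"\0" * (0x400 - len(image))                 # pad up to raw data
    image += b"\xC3" * 0x200                              # section body
    return bytes(image) + overlay


def find_overlay(data: bytes):
    """Return (offset, length, signature_only) for data appended after the
    last section, or None when the file ends where the section table says."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    size_of_optional, = struct.unpack_from("<H", data, e_lfanew + 20)
    section_table = e_lfanew + 24 + size_of_optional
    end_of_image = section_table + num_sections * 40
    for i in range(num_sections):
        hdr = section_table + i * 40
        # SizeOfRawData and PointerToRawData sit at +16 in the section header.
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end_of_image = max(end_of_image, ptr_raw + size_raw)
    if len(data) <= end_of_image:
        return None
    overlay_len = len(data) - end_of_image
    # Authenticode signatures live in the overlay: data directory entry 4
    # (the security directory) holds a raw file offset and a size.
    magic, = struct.unpack_from("<H", data, e_lfanew + 24)
    dirs_at = 96 if magic == 0x10B else 112               # PE32 vs PE32+
    num_dirs, = struct.unpack_from("<I", data, e_lfanew + 24 + dirs_at - 4)
    cert_off = cert_len = 0
    if num_dirs > 4:
        cert_off, cert_len = struct.unpack_from(
            "<II", data, e_lfanew + 24 + dirs_at + 4 * 8)
    signature_only = (cert_len > 0 and cert_off == end_of_image
                      and cert_len == overlay_len)
    return end_of_image, overlay_len, signature_only


def hex_dump(data: bytes, base: int, length: int = 16) -> list:
    """Render up to `length` bytes in the offset / hex / ASCII layout that
    the HMPA alert text uses (non-printable bytes shown as '.')."""
    lines = []
    for start in range(0, min(length, len(data)), 16):
        chunk = data[start:start + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asciipart = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base + start:08X}  {hexpart:<47}  {asciipart}")
    return lines


def triage(data: bytes) -> dict:
    """Summarise the overlay of a PE file as a dict a reviewer can act on."""
    found = find_overlay(data)
    if found is None:
        return {"overlay": False}
    offset, length, signature_only = found
    return {"overlay": True, "offset": offset, "length": length,
            "signature_only": signature_only,
            "dump": hex_dump(data[offset:], offset)}


if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_OVERLAY)
    result = triage(sample)
    print(f"overlay at {result['offset']:08x}, {result['length']} bytes, "
          f"signature only: {result['signature_only']}")
    for line in result["dump"]:
        print(line)
```

    To run it on a real file, replace the constructed sample with `open(path, "rb").read()`. An overlay by itself is not evidence of anything: self-extracting installers and uninstallers routinely keep their payload there, which fits the observation in this thread that installers and uninstallers are what trigger these alerts, and signed binaries carry their signature there. What the script gives you is the offset and the first bytes, so you can compare them with what the alert printed and decide whether the file is the one you expected.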
  8. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    883
    Location:
    USA
    "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community."

    https://attack.mitre.org/
     
  9. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    483
    Thanks to all those who explained the meaning of this name. When I saw it in that HMP.A event listing, my first thought was that HMP.A itself had been compromised! :cautious:
     
  10. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    483
    And thanks, too, to those who showed their own experience with this result.

    Would it be safe to say that these are FP's?
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,392
    Location:
    Under a bushel ...
    Presumably @RonnyT and devs are looking into it!

    For my MITRE ATT&CK entries, VT Hash Check (CodeCave mitigation) and MiTeC System Information X (HeapHeapProtect mitigation), I think so, and I suppressed the alerts.
    Hope I'm right though! :eek::D
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,553
    Location:
    Outer space
    @paulderdash
    Note that the last release of VT Hash Check was 3 years ago. The developer used to update the included OpenSSL files, but now they're 3 years old, so there are quite a few vulnerabilities.
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,392
    Location:
    Under a bushel ...
    Hmm ... I see now. Thanks for the heads up!

    Pity, I do (did?) like the program.
     
    Last edited: Dec 21, 2020
  14. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    578
    Location:
    Hengelo
    HitmanPro.Alert 3.8.8 Build 889 Released

    Changelog (compared to build 887)
    Fixed:
    • False alarm on Chrome 88 and higher by the Stack Pivot exploit mitigation
    Improved:
    • Heap Heap Protect shellcode detection
    Download
    https://dl.surfright.nl/hmpalert3.exe

    Users will be automatically updated in the coming hours and these release notes will also appear on the website later today.
    We hope you all have a great holiday! Stay safe!
     
  15. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    883
    Location:
    USA
    Thanks! Just received an alert that HMPA will be updated next reboot!
     
  16. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Is there any way to clear the Event List? I don't think there is, but there should be.
     
  17. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    883
    Location:
    USA
    I believe that these events are all actually stored in the Windows Event Viewer as "HitmanPro.Alert Events". You should be able to manage them from there. The HMPA UI is apparently just providing a shortcut to the details.
     
  18. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I'm aware of those event log entries, but the alerts must also be stored elsewhere, because very old alerts remain, even after I clear the Windows event logs.
     
  19. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    883
    Location:
    USA
    Sorry I can't elaborate further. Never went looking beyond the Event Log itself. The historical list actually doesn't bother me.

    Maybe @RonnyT will contribute here, or you can contact support?
     
  20. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Answering my own question: The alerts are stored in excalibur.db, and can be cleaned up with a DB editor, so long as the file can be written to (i.e. using Safe Mode, etc.). I guess I'm requesting a way to do this in the HMP.A UI.
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,553
    Location:
    Outer space
    Yeah I really liked it as well :(
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,392
    Location:
    Under a bushel ...
    Hmm ... I had previously excluded BFP executables in HMPA:
    Code:
    Mitigation   CodeCave
    Timestamp    2020-12-22T15:18:40
    
    Platform     10.0.19042/x64 v889 06_8e
    PID          38540
    WoW          x86
    Feature      003D0A30000005A2
    Application  C:\ProgramData\BlackFog\BlackFog Privacy\updates\Update\BlackFogPrivacySetup.exe
    Description  BlackFogPrivacySetup.exe
    
    Process Protection / Code Cave Mitigation: Active code cave detected!
    
     Loaded Modules (5)
    -----------------------------------------------------------------------------
    00F50000-0115E000 BlackFogPrivacySetup.exe (BlackFog),
                      version: 4.7.3
    77C60000-77E03000 ntdll.dll (Microsoft Corporation),
                      version: 10.0.19041.662 (WinBuild.160101.0800)
    74D90000-74E90000 hmpalert.dll (SurfRight B.V.),
                      version: 3.8.8.889
    76B70000-76C60000 KERNEL32.dll (Microsoft Corporation),
                      version: 10.0.19041.662 (WinBuild.160101.0800)
    75B20000-75D34000 KERNELBASE.dll (Microsoft Corporation),
                      version: 10.0.19041.662 (WinBuild.160101.0800)
    
    SHA256: 
    0000000000000000000000000000000000000000000000000000000000000000
    
    Process Trace
    1  C:\$Extend\$Deleted\0034000000001B567514090D [38540] 2020-12-22T15:18:37
       BlackFogPrivacySetup.exe /qn
    2  C:\Program Files\BlackFog\BlackFog Privacy\PrivacySvc.exe [5332] 2020-12-19T09:17:02
    3  C:\Windows\System32\services.exe [544] 2020-12-19T09:16:58
    4  C:\Windows\System32\wininit.exe [840] 2020-12-19T09:16:52
       wininit.exe
    
    Services
    5332  PrivacyService64
    
    Dropped Files
    
    Thumbprints
    ea75da12223f2e6e21ba7c74cda906e06d1842e444c6347e756474589f3f2956
    
     
    Last edited: Dec 22, 2020
  23. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Lately HMP.A has been interfering with games. Buttons mapped in games behave haphazardly if keystroke encryption is enabled.

    I have been manually disabling/enabling keystroke encryption, but this is tedious and prone to error. In fact, I just forgot to re-enable it, so I guess I just have to hope I don't have any keyloggers on my system.

    This is a relatively new problem. I'm using HMP.A 3.8.8 build 889 on Win10 Pro 20H2.
     
  24. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,972
    Location:
    Location Unknown
    Not really. I've been having this issue with HMP.A for a long time. Sometimes buttons work fine in games as intended, other times they do not. Disabling keystroke encryption works, but I don't want to do that. I'm thinking of switching from HMP.A for this very reason.
     
  25. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    308
    Location:
    Bulgaria
    Btw Sophos Home Premium Anti-Ransomware protection failed badly here:

    https://www.youtube.com/watch?v=5RWcfccExQA

    Is this version of Sophos using Intercept X (HitmanPro.Alert) as well? If so, then maybe the developers could take a look and improve it in the next release.
     