HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,656
    Location:
    USA
    3.8.12 Build 899 CookieGuard doesn't like Program Files\Sandboxie\SbieSvc.exe.
     
  2. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    874
    Location:
    USA
    I got the notice pop-up today that the update was available. Rebooted and running 899 now.
     
  3. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    314
    Location:
    Planet Earth
    Hi all,

    Should you find your browser terminated by Alert -> Technical details -> CookieGuard please follow the steps below to solve this (browser is on the wrong protection profile).

    1) Open HitmanPro.Alert
    2) Set interface to advanced via gear icon top right
    3) Check Exploit Mitigations to see if the browser is under another protection profile than Browsers, and if so click on it and then select 'Remove mitigations'
    4) Now navigate to the orange button -> Credential Theft Protection and set to disable
    5) Start affected browser
    6) Click Exploit Mitigations -> Running applications -> click browser and add to Template "Browsers" next close this window with (x)
    7) Go back to the orange button -> Credential Theft Protection and set to enable
    :cool: Done
     
  4. Hollowred

    Hollowred Registered Member

    Joined:
    May 26, 2021
    Posts:
    3
    Location:
    Europe
    Build 899 does not let me start the game Cyberpunk 2077 from Steam. Steam tries to open the RED launcher, then HollowProcess mitigation kills it:

    Code:
    Mitigation   HollowProcess
    Timestamp    2021-05-26T13:25:14
    
    Platform     10.0.19042/x64 v899 af_21
    PID          24704
    WoW          x86
    Feature      003D0A30000000A6
    Application  C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe
    Created      2021-05-16T19:33:41
    Description  REDlauncher Application 2.1.1
    
    Filename     C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDupdater.exe
    
    Target PID   11484
    Target       C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDupdater.exe
    Image Base   0x00D20000
    Reason-MTH   : 0C62D554
    
    Loaded Modules (163)
    -----------------------------------------------------------------------------
    00FC0000-013AF000 REDlauncher.exe (GOG.com),
                      version: 2.1.1.118
    742F0000-743FF000 hmpalert.dll (SurfRight B.V.),
                      version: 3.8.12.899
    59A80000-59B9B000 PocoNet.dll (Applied Informatics Soft),
                      version: 1.9.4
    0F7D0000-13E8E000 Qt5WebEngineCore.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    59E20000-59E3D000 Qt5WebChannel.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    59630000-59A7B000 Qt5Widgets.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    59E00000-59E16000 Qt5Gamepad.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    594E0000-59627000 LIBEAY32.dll (The OpenSSL Project, htt),
                      version: 1.0.2t
    59DB0000-59DFC000 PocoNetSSL.dll (Applied Informatics Soft),
                      version: 1.9.4
    59350000-594DF000 PocoData.dll (Applied Informatics Soft),
                      version: 1.9.4
    592F0000-5934A000 PocoDataSQLite.dll (Applied Informatics Soft),
                      version: 1.9.4
    59230000-592EC000 sqlite.dll ((),
                      version: 3.26.0.0
    58C70000-59221000 Qt5Gui.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    58BF0000-58C6D000 PocoUtil.dll (Applied Informatics Soft),
                      version: 1.9.4
    59D60000-59DAC000 PocoJSON.dll (Applied Informatics Soft),
                      version: 1.9.4
    58BD0000-58BED000 zlib1.dll (),
                      version: 1.2.11
    586A0000-58BC8000 Qt5Core.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    58500000-58697000 PocoFoundation.dll (Applied Informatics Soft),
                      version: 1.9.4
    584C0000-584F7000 Qt5WebEngineWidgets.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    58150000-584B7000 Qt5Quick.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    57E30000-58145000 Qt5Qml.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    57D20000-57E26000 Qt5Network.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    57CD0000-57D13000 Qt5Positioning.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    57C80000-57CBE000 PocoCrypto.dll (Applied Informatics Soft),
                      version: 1.9.4
    57C30000-57C7A000 SSLEAY32.dll (The OpenSSL Project, htt),
                      version: 1.0.2t
    57BA0000-57C29000 PocoXML.dll (Applied Informatics Soft),
                      version: 1.9.4
    57B30000-57BA0000 pcre.dll ((),
                      version: 8.42.0.0
    57AE0000-57B23000 Qt5PrintSupport.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    57AC0000-57AD2000 Qt5QuickWidgets.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    57A60000-57ABA000 Qt5QmlModels.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    57A30000-57A58000 expat.dll ((),
                      version: 2.1.1.0
    57890000-57A23000 gameoverlayrenderer.dll (Valve Corporation),
                      version: 06.54.98.72
    57750000-57887000 qwindows.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    6FC00000-6FC0D000 UMPDC.dll (),
                      version:
    04780000-066EA000 nvoglv32.dll (NVIDIA Corporation),
                      version: 27.21.14.6647
    60510000-6072C000 nvspcap.dll (NVIDIA Corporation),
                      version: 3.22.0.32
    57720000-57743000 qwindowsvistastyle.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    57710000-5771B000 qico.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    576B0000-5770E000 qjpeg.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    57640000-576A9000 qwebp.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    57630000-5763B000 xinputgamepad.dll (The Qt Company Ltd.),
                      version: 5.15.1.0
    7B8A0000-7B913000 WindowManagementAPI.dll (),
                      version:
    - MS skipped (121) -
    
    Process Trace
    1  C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe [24704] 2021-05-26T13:25:12
       "C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe"  "--launcher-game-directory=Q:/Games/Steam/steamapps/common/Cyberpunk 2077"
    2  Q:\Games\Steam\steamapps\common\Cyberpunk 2077\REDprelauncher.exe [26104] 2021-05-26T13:25:11 937ms
    3  C:\Program Files (x86)\Steam\steam.exe [14352] 2021-05-25T18:36:55
       "C:\Program Files (x86)\Steam\steam.exe" -silent
    4  C:\Windows\explorer.exe [4588] 2021-05-25T18:36:44
    5  C:\Windows\System32\userinit.exe [1644] 2021-05-25T18:36:43 23.2s
    6  C:\Windows\System32\winlogon.exe [1572] 2021-05-25T18:35:20
       winlogon.exe
    7  C:\Windows\System32\smss.exe [1144] 2021-05-25T18:35:20 138ms
       \SystemRoot\System32\smss.exe 00000138 00000088
    8  C:\Windows\System32\smss.exe [1096] 2021-05-25T18:35:15
       \SystemRoot\System32\smss.exe
    
    Dropped Files
    1  C:\Program Files (x86)\Steam\GameOverlayRenderer.log
         Dropped by \Device\HarddiskVolume4\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe [24704]
    2  C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\locks\REDlauncher.exe.lock
         Dropped by \Device\HarddiskVolume4\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe [24704]
    3  C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\web-engine-storage\persistent\Platform Notifications\LOG.old~RF40aa236.TMP
         Dropped by \Device\HarddiskVolume4\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe [24704]
    4  C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\web-engine-storage\persistent\Platform Notifications\LOG
         Dropped by \Device\HarddiskVolume4\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe [24704]
    5  Q:\Games\Steam\steamapps\shadercache\1091500\nvidiav1\GLCache\4c01fb27d0a2f82c0baeeb6adb0ebcc6\7a61e5b771b49442\steamapp_shader_cache0.bin
         Dropped by \Device\HarddiskVolume4\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe [24704]
    6  Q:\Games\Steam\steamapps\shadercache\1091500\nvidiav1\GLCache\4c01fb27d0a2f82c0baeeb6adb0ebcc6\7a61e5b771b49442\steamapp_shader_cache0.toc
         Dropped by \Device\HarddiskVolume4\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe [24704]
    1  C:\Program Files (x86)\Steam\GameOverlayRenderer.log
         Dropped by \Device\HarddiskVolume7\Games\Steam\steamapps\common\Cyberpunk 2077\REDprelauncher.exe [26104]
            Read by \Device\HarddiskVolume4\ProgramData\Microsoft\Windows Defender\Platform\4.18.2104.14-0\MsMpEng.exe [5040]
    1  Q:\Games\Steam\steamapps\workshop\appworkshop_4000.acf.async14352.tmp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    2  Q:\Games\Steam\steamapps\workshop\appworkshop_107410.acf.async14352.tmp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    3  Q:\Games\Steam\steamapps\workshop\appworkshop_244850.acf.async14352.tmp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    4  Q:\Games\Steam\steamapps\workshop\appworkshop_268500.acf.async14352.tmp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    5  Q:\Games\Steam\steamapps\workshop\appworkshop_327030.acf.async14352.tmp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    6  Q:\Games\Steam\steamapps\workshop\appworkshop_431240.acf.async14352.tmp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    7  Q:\Games\Steam\steamapps\workshop\appworkshop_440900.acf.async14352.tmp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    8  Q:\Games\Steam\steamapps\workshop\appworkshop_464920.acf.async14352.tmp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    9  Q:\Games\Steam\steamapps\workshop\appworkshop_477160.acf.async14352.tmp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    10 Q:\Games\Steam\steamapps\workshop\appworkshop_594570.acf.async14352.tmp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    11 C:\Users\User\Saved Games\CD Projekt Red\Cyberpunk 2077\steam_autocloud.vdf
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    12 C:\Program Files (x86)\Steam\userdata\40877246\1091500\remotecache.vdf
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    13 C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RNKEL3A14N4UUYDPJQBQ.temp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    14 C:\Users\User\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms~RF40a9843.TMP
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    15 C:\Program Files (x86)\Steam\userdata\40877246\config\localconfig.vdf.async14352.tmp
         Dropped by \Device\HarddiskVolume4\Program Files (x86)\Steam\steam.exe [14352]
    
    Thumbprints
    67d25e607b188479aa840aa5a448696f3eeb3b4f0c44a570baa1440345782a69
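    As an added example, not code from the post above or from HitmanPro.Alert itself, here is a small parser for the alert record layout shown above (key/value header plus a "Process Trace" section), with a triage summary a defender can read before deciding to suppress such an alert. The same-directory check is a heuristic assumed by this example, not a product rule; the sample record is an abbreviated copy of the alert in the post.

```python
import re
import ntpath
from typing import Dict, List, Tuple

# Constructed sample, abbreviated from the HollowProcess alert posted above
# (module list, dropped files and thumbprint omitted); same layout otherwise.
SAMPLE = r"""Mitigation   HollowProcess
Timestamp    2021-05-26T13:25:14

PID          24704
Application  C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe

Target PID   11484
Target       C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDupdater.exe
Image Base   0x00D20000

Process Trace
1  C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe [24704] 2021-05-26T13:25:12
   "C:\Users\User\AppData\Local\Programs\CD Projekt Red\REDlauncher\REDlauncher.exe"  "--launcher-game-directory=Q:/Games/Steam/steamapps/common/Cyberpunk 2077"
2  Q:\Games\Steam\steamapps\common\Cyberpunk 2077\REDprelauncher.exe [26104] 2021-05-26T13:25:11 937ms
3  C:\Program Files (x86)\Steam\steam.exe [14352] 2021-05-25T18:36:55
   "C:\Program Files (x86)\Steam\steam.exe" -silent
4  C:\Windows\explorer.exe [4588] 2021-05-25T18:36:44
"""

# Header keys are separated from their values by two or more spaces.
HEADER_RE = re.compile(r"^(Mitigation|Timestamp|PID|Application|Target PID|Target|Image Base)\s{2,}(.+)$")
# Trace rows: "<n>  <image path> [<pid>] <timestamp> ..."; indented rows are command lines.
TRACE_RE = re.compile(r"^\d+\s+(.+?) \[(\d+)\] (\S+)")


def parse_alert(text: str) -> Tuple[Dict[str, str], List[Tuple[str, int]]]:
    """Return (header fields, process trace as [(image path, pid), ...], alerting process first)."""
    fields: Dict[str, str] = {}
    trace: List[Tuple[str, int]] = []
    in_trace = False
    for line in text.splitlines():
        if line.strip() == "Process Trace":
            in_trace = True
            continue
        if in_trace:
            if not line.strip():          # a blank line ends the section
                in_trace = False
            elif line[0].isdigit():       # skip indented command-line rows
                m = TRACE_RE.match(line)
                if m:
                    trace.append((m.group(1), int(m.group(2))))
            continue
        m = HEADER_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields, trace


def triage(text: str) -> Dict[str, object]:
    """Summarise what was hollowed by whom, and whether the target is a sibling of the source.
    Same-directory is an assumed heuristic: a launcher hollowing its own updater (as in the
    post) reads differently from a process hollowing an unrelated system binary."""
    fields, trace = parse_alert(text)
    src, dst = fields.get("Application", ""), fields.get("Target", "")
    return {
        "mitigation": fields.get("Mitigation"),
        "source": ntpath.basename(src),
        "target": ntpath.basename(dst),
        "same_directory": ntpath.dirname(src).lower() == ntpath.dirname(dst).lower(),
        "chain": " <- ".join(ntpath.basename(p) for p, _ in trace),
        "source_pid_matches_trace": bool(trace) and trace[0][1] == int(fields.get("PID", "-1")),
    }
```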
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    314
    Location:
    Planet Earth
    Hi Hollowred,

    You can also contact support@hitmanpro.com with issues like this.

    To be able to allow this please open HitmanPro.Alert -> Click on "Last event" find the offending alert(s) -> Action -> Suppress Alert
    Make sure all offending alerts for the detected application now have the "Suppressed" message behind them and you should be good to go!
    (In case of CryptoGuard alerts also make sure to Unblock the application before trying again, on the main windows click Blocked Items and unblock).

    We are looking into tweaking this, but a lot of games 'abuse' the Main Thread Hijack trick to start games.
     
  6. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    874
    Location:
    USA
    I have been experiencing issues with Hollow Process Mitigation in 3.8.12-b899 interfering with some programs, and had to disable it. No crash logs or mitigations alerts, just applications that stop responding. Requires ending the unresponsive application task (not HMPA) via Windows Task Manager. After disabling that mitigation, followed by a reboot, all is running normally again.

    I have tried using exclusions without success.

    These are professional audio production applications that load 3rd party .dll files as plugins. The Hollow Process Mitigation seems to lock up the host plugin scan at startup. I have sent details to support@hitmanpro.com (this is just a heads-up in case you start to notice some unusual application hangs, but no crashes).
     
    Last edited: May 27, 2021
  7. tempb

    tempb Registered Member

    Joined:
    Mar 31, 2021
    Posts:
    3
    Location:
    Wondering
    @RonnyT @markloman
    Thanks for fixing the BasedNamedObjects Security in this build!
     
  8. Hollowred

    Hollowred Registered Member

    Joined:
    May 26, 2021
    Posts:
    3
    Location:
    Europe
    It required suppressing two HollowProcess alerts. Then the launcher starts, but it hogs up nearly a third of my beasty CPU (AMD 5950X 16 core) and the Windows mouse cursor's blue loading circle is extremely active, even flickering constantly as if HitmanPro is interfering a lot with what it is trying to do. I had to add the .exe to the exclusion list.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,004
    Location:
    The Netherlands
    It's this kind of stuff that is a bit concerning to me. I wonder if HMPA can't become a bit smarter when it comes to this, I suppose that malware might make use of process hollowing in a more specific way, or isn't this the case?
     
  10. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    874
    Location:
    USA
    That is quite a concern. I am running with that mitigation fully disabled. The exclusions that HitmanPro support suggested did not work for me. As this issue never actually triggers a mitigation alert, there is technically nothing to be excluded. So I'm stuck in the middle. I have no idea what they are up to, as support never responded to my reply.

    But whatever tweak the dev just did to Hollow Process Mitigation in the new version is definitely the culprit. I have been running HMPA with all mitigations since 2016 without any serious issues in any of my applications, until now. :(
     
  11. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    474
    Thank you, that did the trick.

    We were using 2 out of 3 activations on the license. Then my own PC developed a problem and had to be replaced. So for good measure, I contacted tech support and told them we needed to activate HMP.A on 2 new computers. I didn't want to end up in a situation where we were trying to use 4 activations on a 3-PC license.

    Everything seems to have worked out. :thumb:
     
  12. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,415
    @RonnyT What is the trigger or criteria at Sophos when HMPa gets updated on a user's system? Since the release of v899, only one of my systems (Win8.1) got the update. W7 and W10 still at v891.
     
    Last edited: Jun 1, 2021
  13. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    314
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.13 Build 901 Released

    Changelog (compared to build 899):
    • Fixed more compatibility issues between process hollowing and certain games.
    • Fixed an issue with three CryptoGuard 5 Thumbprints that were not working in the previous build.
    • Fixed a potential security issue where specifically crafted malware on the machine could craft and manipulate a file structure to elevate privileges.
    • Improved compatibility of CookieGuard with browsers that are attached to the Office mitigation profile.
    • Temporarily disabled the fix that detects Cobalt Strike delivery over SMB. The fix appears to be incompatible with many game launchers that actually perform main thread hijacking.
    • Temporarily disabled system-wide Syscall mitigation as certain third-party security products, like Cylance, actually attempt to bypass API calls by directly jumping to kernel functions via a syscall.
    • Temporarily set CookieGuard's Remote Debugger Port detection to silent as it causes issues with some web developer machines.
    We'll first upgrade 899 users, as they were affected by the above issues; if that is looking good we'll enable the automatic update for all users of HitmanPro.Alert.

    Beware though, we no longer support or update HitmanPro.Alert builds running on Windows 7 RTM (no service pack), Windows Vista and Windows XP.
    This is because Microsoft mandates the use of SHA-2 to sign our code. These older versions of Windows only support SHA-1 and would not allow our new driver to load.
    If you want to update now, manually, use this link: https://dl.surfright.nl/hmpalert3b901.exe
     
  14. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    314
    Location:
    Planet Earth
    We had paused the update from 891 to 899 because of some issues that needed to be fixed before further roll out.
     
  15. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    314
    Location:
    Planet Earth
    Please enable it again and let us know if and if so what still causes issues, we're working on improving compatibility with these mitigations in combination with games.
     
  16. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    314
    Location:
    Planet Earth
    You're welcome, and thanks for raising it!
     
  17. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    314
    Location:
    Planet Earth
    Can you unsuppress alerts and enable Hollow Process again to see if all is solved?
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,739
    Location:
    Canada
    Thank you Ronny
     
  19. Hollowred

    Hollowred Registered Member

    Joined:
    May 26, 2021
    Posts:
    3
    Location:
    Europe
    Works fine now, appreciated!
     
  20. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    235
    Update was automatic, no problem, everything OK.
     
  21. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    966
    No problems after automatic upgrading build 901.
     
  22. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,017
    Had to uninstall and reboot before I could install it (upgrade did not work).
     
  23. abbs

    abbs Registered Member

    Joined:
    Sep 14, 2018
    Posts:
    32
    Location:
    Nederlands
    Hey,

    I got a notification for an update and had to restart my PC to do this.
    Done that and HitmanPro.Alert is automatically updated to build 901.
    No further problems encountered.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,004
    Location:
    The Netherlands
    Yes, that's the risk with these kinds of advanced mitigations, it might break legit software also, that's why I decided not to install HMPA. From a technical point of view it's one of the best, but on certain systems it causes too many issues. Back in the day you also had this with Trusteer Rapport. Perhaps certain mitigations should be less aggressive, but perhaps this simply isn't possible.
     
  25. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    235
    Should software from cloud services (Mega, Dropbox) be included in the protected (exploit mitigation) files? If so, in which category? Perhaps Far Manager https://www.farmanager.com? I start many programs with it.
     