HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. john7

    john7 Registered Member

    Joined:
    Aug 19, 2016
    Posts:
    14
    Location:
    UK
    Forwarded it on to them, thanks.
     
  2. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.25 Build 975

    We're slowly releasing this new build to our current 947 stable fleet. As there have been a significant number of changes, this update won't be available via auto-update to everyone all at once.
    Monitoring telemetry & support will give us an indication of possible issues, and if all looks good we'll migrate more users. Of course, you are free to download the latest version via the provided link if you don't want to wait for the update to show up via the auto-updating mechanism.

    Changelog (compared to 947)
    • Added HWBGuard (Silent). A technique heavily used by red teams to bypass syscall protections is to set a hardware breakpoint; we now detect these breakpoints
    • Added New Process Protection panel for Risk Reduction
    • Added RDPGuard Icon under Risk Reduction button
    • Added SendKeyGuard
    • Fixed BSOD in StickyKeys
    • Fixed Driver BSOD under specific circumstances
    • Fixed KernelTrap compatibility issues with Kaspersky and GenshinImpact
    • Fixed Lockdown Bypass when loading files over UNC paths
    • Improved AMSIGuard
    • Improved APC Game detection
    • Improved Bitdefender Compatibility
    • Improved CiGuard
    • Improved CookieGuard
    • Improved CryptoGuard5
    • Improved DrWeb Compatibility CallerCheck/SysCall
    • Improved HeapHeapProtect Cobalt Strike detection
    • Improved HeapHeapProtect prevents Powershell scripts from patching AMSI for bypass
    • Improved HollowProcess
    • Improved KeyboardGuard, including compatibility with ESET protected browsers and Windows Search
    • Improved Lockdown Now allows WMIC GET 'only' commands without interference
    • Improved PrivGuard
    • Improved StackPivot
    • Removed ReflectiveDLL, as it has become obsolete in its current implementation
    • Several other changes under the hood
    Beware: this build is signed with a new code-signing certificate by Sophos LTD; this might cause some 3rd-party vendors to have "trust" issues, as it's a rather fresh certificate.

    Download

    https://dl.surfright.nl/hmpalert3b975.exe

    Please let us know how this version runs on your machine :thumb:
     
  3. scip

    scip Registered Member

    Joined:
    Feb 13, 2020
    Posts:
    41
    Location:
    internet
    @RonnyT
    I have had this version via auto-update for a week or so.
    Is this build with the exact same number different?
     
  4. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    100% the RC4 release
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.25 Build 977

    We're slowly releasing this new build to our current 947 stable fleet. As there have been a significant number of changes, this update won't be available via auto-update to everyone all at once.
    Monitoring telemetry & support will give us an indication of possible issues, and if all looks good we'll migrate more users. Of course, you are free to download the latest version via the provided link if you don't want to wait for the update to show up via the auto-updating mechanism.

    Changelog (compared to 975)
    • Fixed HWBGuard (Silent) excessive alert reporting, now limited to max 2 alerts per process.
    Download
    https://dl.surfright.nl/hmpalert3b977.exe

    Please let us know how this version runs on your machine :thumb:
     
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    No problems upgrading to build 977.
     
  7. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324

    +1
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Ronny, can you perhaps comment on this topic? I wonder why Sophos Intercept X failed to detect 8 samples in the latest AV Comparatives test. Do you guys actively investigate these issues?

    https://www.wilderssecurity.com/threads/av-c-business-security-test-august-november-2023.453123/
     
  9. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    There is a problem with the latest HitmanPro.Alert (3.8.25 build 977). It does not work with ESET Browser Protection. If the browser protection of the case is enabled, HitmanPro.Alert does not work. It worked before, but now ESET has been updated too (17.0.16.0).
     
  10. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    What module are we talking about? Is this KeyboardGuard? Because that has been disabled on our end if ESET is detected on browser profiles, because of too many compatibility issues.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,245
    Location:
    Among the gum trees
    Auto updated here and no problems so far.
     
  12. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    +1
     
  13. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    +2 (and on two machines, as per sig).
     
  14. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Yes, I know that, but nothing works. See the pictures. Only for the latest HitmanPro.Alert and the latest ESET. Before that everything was fine. See my previous post for version numbers.

    [attachments: 2023-12-19_103655.jpg, 2023-12-19_103731.jpg]

    [attachments: 2023-12-19_103938.jpg, 2023-12-19_103952.jpg]

    I do not see this.

    [attachment: 2023-12-19_104123.jpg]
     
    Last edited: Dec 19, 2023
  15. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    It seems ESET no longer allows our DLL to protect the browser; it's their "Secure all browsers" setting that causes this. I also see no config option to make an exception, unless I'm missing something in their UI.
    Now, it doesn't make sense to have 2 products doing heavy security on the browser, so I don't think you will lose any protection from our end: (Intruder) keystroke was already handled by ESET, so the rest is also on their plate.

    If you click on the "unprotected" browser and you end up directly on the mitigations page instead of having to pick a profile template (as if it was not in the config), then there would be a serious issue.
    I'm afraid we'll have to label this one a compatibility issue.

    [attachment: upload_2023-12-19_12-9-46.png]
     
  16. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Can't you make HitmanPro.Alert compatible with ESET Browser Protection? Or should I contact ESET with this request instead?
     
  17. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Looks like the ball is in their park atm.
     
  18. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    81
    Location:
    Kissimmee, FL
    HitmanPro.Alert 3.8.25 Build 977

    Attack Intercepted HeapHeapProtect ScreenConnect Client is happening whenever I remotely connect to screenconnect clients running build 977, then I get a black screen and cannot see or control the remote computers. It is affecting my ability to provide computer support to my customers, they all have HMPA. The ones still on 947 are okay. I can call each customer and ask them to suppress the alert, I am hoping this can be fixed. Thank you

    MITRE ATT&CK
    Supply Chain Compromise - ID: T1195, Tactic: Initial Access

    Code:
    Mitigation   HeapHeapProtect
    Timestamp    2023-12-28T16:25:15
    
    Platform     10.0.22631/x64 v977 06_8e
    PID          1764
    Feature      00FD2E70000001A6
    Application  C:\Program Files (x86)\ScreenConnect Client (d285fbbafdb4d833)\ScreenConnect.WindowsClient.exe
    Created      2023-11-08T14:25:33
    Description  ScreenConnect Client 23.8.5
    
    Callee Type  ProtectVirtualMemory
                 0x0000000180001000 (269312 bytes)
    
    Shellcode (HHP) (0x00041C00 bytes : start at 0000000180001000)
    Target address info: (anonymous)
    Owner of CALLER: (anonymous; allocated by 00007FFACE2BC0AA, clr.dll)
    
    OwnerModule
    Name         clr.dll
    Path         C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
    Thumbprint   11e3e707cf3877d15911a2bbc728858d0f18e53d18566ae5b42ad94d8cab8c56
    SHA-256      157ac3f5978f8561b9d3d0951e13501baeb8b0a7400d85b92878758ab2137b94
    SHA-1        dbd9928c7e19ec7842015482b56094602c4f5cff
    MD5          b53e50ccbb014395c303f0cda37ce44d
    
    Current process is signed
    OwnerModule is signed
    
    00007FFA6EE6B45F  ffd0                     CALL         RAX
    00007FFA6EE6B461  41c6470c01               MOV          BYTE [R15+0xc], 0x1
    00007FFA6EE6B466  833da720c35f00           CMP          DWORD [RIP+0x5fc320a7], 0x0
    00007FFA6EE6B46D  7406                     JZ           0x7ffa6ee6b475
    00007FFA6EE6B46F  ff15b33dc25f             CALL         QWORD [RIP+0x5fc23db3]
    00007FFA6EE6B475  85c0                     TEST         EAX, EAX
    00007FFA6EE6B477  0f95c0                   SETNZ        AL
    00007FFA6EE6B47A  0fb6c0                   MOVZX        EAX, AL
    00007FFA6EE6B47D  0fb6c0                   MOVZX        EAX, AL
    00007FFA6EE6B480  41c6470c01               MOV          BYTE [R15+0xc], 0x1
    00007FFA6EE6B485  488b5590                 MOV          RDX, [RBP-0x70]
    00007FFA6EE6B489  49895710                 MOV          [R15+0x10], RDX
    00007FFA6EE6B48D  488d65c8                 LEA          RSP, [RBP-0x38]
    00007FFA6EE6B491  5b                       POP          RBX
    00007FFA6EE6B492  5e                       POP          RSI
    00007FFA6EE6B493  5f                       POP          RDI
    
    ----- SNIP HERE -----
    ----- END SNIP -----
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFAF42BC7B6 KernelBase.dll           VirtualProtect +0x36
    
    2  00007FFA6EE6B461 (anonymous; clr.dll) 
                        41c6470c01               MOV          BYTE [R15+0xc], 0x1
                        833da720c35f00           CMP          DWORD [RIP+0x5fc320a7], 0x0
                        7406                     JZ           0x7ffa6ee6b475
                        ff15b33dc25f             CALL         QWORD [RIP+0x5fc23db3]
                        85c0                     TEST         EAX, EAX
                        0f95c0                   SETNZ        AL
                        0fb6c0                   MOVZX        EAX, AL
                        0fb6c0                   MOVZX        EAX, AL
                        41c6470c01               MOV          BYTE [R15+0xc], 0x1
                        488b5590                 MOV          RDX, [RBP-0x70]
                        49895710                 MOV          [R15+0x10], RDX
                        488d65c8                 LEA          RSP, [RBP-0x38]
                        5b                       POP          RBX
                        5e                       POP          RSI
                        5f                       POP          RDI
                        415c                     POP          R12
    
    3  00007FFA6EE6B31A (anonymous; clr.dll) 
    4  00007FFA6EE6A560 (anonymous; clr.dll) 
    5  00007FFA6EE6A00E (anonymous; clr.dll) 
    6  00007FFA6EE69E63 (anonymous; clr.dll) 
    7  00007FFA6EE69D5E (anonymous; clr.dll) 
    8  00007FFA6EE69C9D (anonymous; clr.dll) 
    9  00007FFA6EE69BC3 (anonymous; clr.dll) 
    10 00007FFA6EE69A77 (anonymous; clr.dll) 
    
    Loaded Modules (82)
    -----------------------------------------------------------------------------
    0000000000780000-0000000000814000 ScreenConnect.WindowsClient.exe (ScreenConnect Software),
                                      version: 23.8.5.8707
    00007FFAF6DD0000-00007FFAF6FE7000 ntdll.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF6150000-00007FFAF6214000 KERNEL32.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAD0E60000-00007FFAD0ECB000 MSCOREE.DLL (Microsoft Corporation),
                                      version: 10.0.22621.1 (WinBuild.160101.0800)
    00007FFAF4250000-00007FFAF45F6000 KERNELBASE.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAF2940000-00007FFAF2A87000 hmpalert.dll (Sophos B.V.),
                                      version: 3.8.25.977
    00007FFAF5E30000-00007FFAF5EE1000 ADVAPI32.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAF5780000-00007FFAF5827000 msvcrt.dll (Microsoft Corporation),
                                      version: 7.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF63D0000-00007FFAF6475000 sechost.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAF5660000-00007FFAF5777000 RPCRT4.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFACF3F0000-00007FFACF48B000 mscoreei.dll (Microsoft Corporation),
                                      version: 4.8.9065.0 built by: NET481REL1LAST_C
    00007FFAF64D0000-00007FFAF652E000 SHLWAPI.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF3200000-00007FFAF3218000 kernel.appcore.dll (Microsoft Corporation),
                                      version: 10.0.22621.2715 (WinBuild.160101.0800)
    00007FFAE7A30000-00007FFAE7A3A000 VERSION.dll (Microsoft Corporation),
                                      version: 10.0.22621.1 (WinBuild.160101.0800)
    00007FFACE180000-00007FFACEB24000 clr.dll (Microsoft Corporation),
                                      version: 4.8.9181.0 built by: NET481REL1LAST_C
    00007FFAF52C0000-00007FFAF546E000 USER32.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF4AF0000-00007FFAF4B16000 win32u.dll (Microsoft Corporation),
                                      version: 10.0.22621.2861 (WinBuild.160101.0800)
    00007FFAF5D10000-00007FFAF5D39000 GDI32.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAF49D0000-00007FFAF4AE8000 gdi32full.dll (Microsoft Corporation),
                                      version: 10.0.22621.2861 (WinBuild.160101.0800)
    00007FFAF41B0000-00007FFAF424A000 msvcp_win.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF4600000-00007FFAF4711000 ucrtbase.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAD0F30000-00007FFAD0F3C000 VCRUNTIME140_1_CLR0400.dll (Microsoft Corporation),
                                      version: 14.32.31326.0
    00007FFACF270000-00007FFACF28B000 VCRUNTIME140_CLR0400.dll (Microsoft Corporation),
                                      version: 14.32.31326.0
    00007FFACDF70000-00007FFACE03D000 ucrtbase_clr0400.dll (Microsoft Corporation),
                                      version: 14.32.31326.0
    00007FFAF5EF0000-00007FFAF5F21000 IMM32.DLL (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAF63C0000-00007FFAF63C8000 psapi.dll (Microsoft Corporation),
                                      version: 10.0.22621.1 (WinBuild.160101.0800)
    00007FFACC120000-00007FFACD72F000 mscorlib.ni.dll (Microsoft Corporation),
                                      version: 4.8.9181.0 built by: NET481REL1LAST_C
    00007FFAF5F30000-00007FFAF60D0000 ole32.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF58E0000-00007FFAF5C69000 combase.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAF4950000-00007FFAF49CA000 bcryptPrimitives.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF0B10000-00007FFAF0BBB000 uxtheme.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF3900000-00007FFAF391B000 CRYPTSP.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF3160000-00007FFAF3195000 rsaenh.dll (Microsoft Corporation),
                                      version: 10.0.22621.1 (WinBuild.160101.0800)
    00007FFAF3920000-00007FFAF392C000 CRYPTBASE.dll (Microsoft Corporation),
                                      version: 10.0.22621.1 (WinBuild.160101.0800)
    00007FFAF3AF0000-00007FFAF3B18000 bcrypt.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFACBC20000-00007FFACBD4F000 clrjit.dll (Microsoft Corporation),
                                      version: 4.8.9181.0 built by: NET481REL1LAST_C
    00007FFACACB0000-00007FFACB8CC000 System.ni.dll (Microsoft Corporation),
                                      version: 4.8.9206.0 built by: NET481REL1LAST_B
    00007FFABE3F0000-00007FFABE5E3000 System.Drawing.ni.dll (Microsoft Corporation),
                                      version: 4.8.9032.0 built by: NET481REL1
    00007FFAB8CD0000-00007FFAB9DB5000 System.Windows.Forms.ni.dll (Microsoft Corporation),
                                      version: 4.8.9181.0 built by: NET481REL1LAST_C
    00007FFAC99D0000-00007FFACA456000 System.Core.ni.dll (Microsoft Corporation),
                                      version: 4.8.9200.0 built by: NET481REL1LAST_C
    00007FFAC9870000-00007FFAC99A3000 System.Configuration.ni.dll (Microsoft Corporation),
                                      version: 4.8.9032.0 built by: NET481REL1
    00007FFAC8F80000-00007FFAC9830000 System.Xml.ni.dll (Microsoft Corporation),
                                      version: 4.8.9032.0 built by: NET481REL1
    00007FFAF6530000-00007FFAF6D8A000 shell32.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAF1ED0000-00007FFAF27C6000 windows.storage.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAF1D90000-00007FFAF1ECE000 wintypes.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAF4FA0000-00007FFAF5093000 SHCORE.dll (Microsoft Corporation),
                                      version: 10.0.22621.2715 (WinBuild.160101.0800)
    00007FFAF4070000-00007FFAF4096000 profapi.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF39D0000-00007FFAF3A1B000 wldp.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAD83C0000-00007FFAD83DD000 amsi.dll (Microsoft Corporation),
                                      version: 10.0.22621.1 (WinBuild.160101.0800)
    00007FFAF37A0000-00007FFAF37CC000 USERENV.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAD8340000-00007FFAD83BC000 MpOav.dll (Microsoft Corporation),
                                      version: 4.18.23110.3 (9ebb3643d539a6fc4659898b1d
    00007FFAF5D40000-00007FFAF5E17000 OLEAUT32.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAD08B0000-00007FFAD09E9000 MPCLIENT.DLL (Microsoft Corporation),
                                      version: 4.18.23110.3 (9ebb3643d539a6fc4659898b1d
    00007FFAF4720000-00007FFAF4886000 CRYPT32.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF4140000-00007FFAF41AB000 WINTRUST.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAF3960000-00007FFAF3972000 MSASN1.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF3740000-00007FFAF3766000 gpapi.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFADE7C0000-00007FFADE9B0000 urlmon.dll (Microsoft Corporation),
                                      version: 11.00.22621.2792 (WinBuild.160101.0800)
    00007FFADE500000-00007FFADE7BC000 iertutil.dll (Microsoft Corporation),
                                      version: 11.00.22621.2861 (WinBuild.160101.0800)
    00007FFADE4D0000-00007FFADE4F8000 srvcli.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF2BE0000-00007FFAF2BEC000 netutils.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF3470000-00007FFAF34B2000 SspiCli.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAF1720000-00007FFAF1821000 PROPSYS.dll (Microsoft Corporation),
                                      version: 7.0.22621.2506 (WinBuild.160101.0800)
    00007FFAE09D0000-00007FFAE09E5000 virtdisk.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFADB860000-00007FFADBAF3000 comctl32.dll (Microsoft Corporation),
                                      version: 6.10 (WinBuild.160101.0800)
    00007FFAF5470000-00007FFAF55C0000 MSCTF.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFACEB30000-00007FFACECE9000 gdiplus.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAEEFF0000-00007FFAEF1A0000 WindowsCodecs.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAC62D0000-00007FFAC6436000 System.Management.ni.dll (Microsoft Corporation),
                                      version: 4.8.9032.0 built by: NET481REL1
    00007FFADFF60000-00007FFADFF8F000 wminet_utils.dll (Microsoft Corporation),
                                      version: 4.8.9032.0 built by: NET481REL1
    00007FFAF5830000-00007FFAF58E0000 clbcatq.dll (Microsoft Corporation),
                                      version: 2001.12.10941.16384 (WinBuild.160101.080
    00007FFAD88D0000-00007FFAD88F4000 wmiutils.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFADDF50000-00007FFADDFD0000 wbemcomn.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFADDFD0000-00007FFADDFE0000 wbemprox.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAD8A30000-00007FFAD8A44000 wbemsvc.dll (Microsoft Corporation),
                                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    00007FFAD8C70000-00007FFAD8D68000 fastprox.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF0C80000-00007FFAF0D78000 dxgi.DLL (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF0C20000-00007FFAF0C56000 dxcore.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAEB810000-00007FFAEB85A000 directxdatabasehelper.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAEF570000-00007FFAEF7C7000 d3d11.DLL (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAF0970000-00007FFAF0A07000 apphelp.dll (Microsoft Corporation),
                                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    00007FFAEAB60000-00007FFAEAB72000 Accessibility.ni.dll (Microsoft Corporation),
                                      version: 4.8.9032.0 built by: NET481REL1
    
    Process Trace
    1  C:\Program Files (x86)\ScreenConnect Client (d285fbbafdb4d833)\ScreenConnect.WindowsClient.exe [1764]
       "C:\Program Files (x86)\ScreenConnect Client (d285fbbafdb4d833)\ScreenConnect.WindowsClient.exe" "RunRole" "e80122f5-56b2-4f5e-adb7-6ef8b92f4294" "System"
    2  C:\Program Files (x86)\ScreenConnect Client (d285fbbafdb4d833)\ScreenConnect.ClientService.exe [3556]
       "C:\Program Files (x86)\ScreenConnect Client (d285fbbafdb4d833)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-vaxh2v-relay.screenconnect.com
    3  C:\Windows\System32\services.exe [1028]
    4  C:\Windows\System32\wininit.exe [660]
       wininit.exe
    
    Services
    3556  ScreenConnect Client (d285fbbafdb4d833)
    
    Dropped Files
    
    Thumbprints
    8d4a45a15ff956f533dd74fb53f4f09bc89d297204630bdd6d11a0643ea944f3 (code)
    11e3e707cf3877d15911a2bbc728858d0f18e53d18566ae5b42ad94d8cab8c56 (hhp-ownermodule)
    47eda548bb173b4a61d8e830851e0805266d272daa77eb53f4a572d0e776c528 (hhp-fhsh-ownmod)
    
     
    Last edited: Dec 28, 2023
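A small parser for the mitigation report format pasted above, as an added example for this thread (it is not Sophos/HitmanPro code). It splits the text into the key/value header, the OwnerModule block, the stack frames and the thumbprints so that reports from several machines can be compared or attached to a ticket, and it prints a couple of triage notes. The layout rules (two or more spaces between key and value, bare section titles, frame columns of index/address/module/location) are inferred from this one report and may not hold for other report variants; the sample input is an abbreviated copy of the report in the post, and the "signed .NET JIT region" note is this example's own heuristic, not the product's logic.

```python
"""Parse a HitmanPro.Alert mitigation report into fields for triage.
Added example; layout rules inferred from the report in this thread."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: an abbreviated copy of the report in the post above.
SAMPLE_REPORT = """\
Mitigation   HeapHeapProtect
Timestamp    2023-12-28T16:25:15
PID          1764
Application  C:\\Program Files (x86)\\ScreenConnect Client (d285fbbafdb4d833)\\ScreenConnect.WindowsClient.exe

Callee Type  ProtectVirtualMemory
             0x0000000180001000 (269312 bytes)

OwnerModule
Name         clr.dll
SHA-256      157ac3f5978f8561b9d3d0951e13501baeb8b0a7400d85b92878758ab2137b94

Current process is signed
OwnerModule is signed

Stack Trace
#  Address          Module                   Location
-- ---------------- ------------------------ ----------------------------------------
1  00007FFAF42BC7B6 KernelBase.dll           VirtualProtect +0x36

2  00007FFA6EE6B461 (anonymous; clr.dll)
                    41c6470c01               MOV          BYTE [R15+0xc], 0x1
3  00007FFA6EE6B31A (anonymous; clr.dll)

Thumbprints
8d4a45a15ff956f533dd74fb53f4f09bc89d297204630bdd6d11a0643ea944f3 (code)
11e3e707cf3877d15911a2bbc728858d0f18e53d18566ae5b42ad94d8cab8c56 (hhp-ownermodule)
"""

SECTIONS = {"OwnerModule", "Stack Trace", "Thumbprints", "Loaded Modules",
            "Process Trace", "Services", "Dropped Files"}
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9 -]*?)\s{2,}(\S.*)$")   # "Key   value"
REGION = re.compile(r"^0x([0-9A-Fa-f]+)\s+\((\d+) bytes\)$")          # callee target line
FRAME = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{16})\s+(.+?)(?:\s{2,}(.+))?$")
THUMB = re.compile(r"^([0-9a-f]{64})\s+\((.+)\)$")


@dataclass
class StackFrame:
    index: int
    address: int
    module: str
    location: Optional[str]


@dataclass
class AlertReport:
    fields: dict = field(default_factory=dict)        # header key/value pairs
    owner_module: dict = field(default_factory=dict)  # the OwnerModule block
    flags: list = field(default_factory=list)         # bare lines such as "OwnerModule is signed"
    region: Optional[tuple] = None                    # (address, size) the callee touched
    frames: list = field(default_factory=list)
    thumbprints: dict = field(default_factory=dict)   # label -> sha256 hex


def parse_report(text: str) -> AlertReport:
    rep = AlertReport()
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        title = line.split(" (")[0]          # "Loaded Modules (82)" -> "Loaded Modules"
        if title in SECTIONS:
            section = title
            continue
        if section == "Stack Trace":
            m = FRAME.match(line)            # header rows and inline disassembly do not match
            if m:
                rep.frames.append(StackFrame(int(m[1]), int(m[2], 16), m[3], m[4]))
            continue
        if section == "Thumbprints":
            m = THUMB.match(line)
            if m:
                rep.thumbprints[m[2]] = m[1]
            continue
        if section in ("Loaded Modules", "Process Trace", "Services", "Dropped Files"):
            continue                         # not needed for this triage pass
        m = REGION.match(line)
        if m:
            rep.region = (int(m[1], 16), int(m[2]))
            continue
        m = KEY_VALUE.match(line)
        if m:
            target = rep.owner_module if section == "OwnerModule" else rep.fields
            target[m[1]] = m[2]
        else:
            rep.flags.append(line)
    return rep


def triage(rep: AlertReport) -> list:
    """Triage notes; the signed-.NET-JIT rule is this example's own assumption."""
    notes = []
    if rep.region:
        addr, size = rep.region
        notes.append(f"{rep.fields.get('Callee Type', '?')} on 0x{addr:016X} ({size} bytes)")
    if rep.frames:
        top = rep.frames[0]
        notes.append(f"top frame: {top.module} {top.location or ''}".rstrip())
    if (rep.owner_module.get("Name", "").lower() == "clr.dll"
            and "Current process is signed" in rep.flags
            and "OwnerModule is signed" in rep.flags):
        notes.append("caller memory allocated by the signed .NET runtime in a signed "
                     "process: review as a possible compatibility false positive")
    return notes


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(report.fields["Mitigation"], report.fields["Application"])
    for note in triage(report):
        print(" -", note)
```

Feed the script the full text between "Mitigation" and the last thumbprint; the Loaded Modules and Process Trace blocks are skipped here but are easy to add as further sections if you want the module list or parent chain in the ticket as well.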
  19. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Hi Mike,

    Thanks for reporting, we're looking in to this, but it looks like we need a code update to solve this.
     
  20. Ragdd

    Ragdd Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    5
    With HitmanPro.Alert 3.8.25 Build 977, Windows Live Mail is working extremely slowly.
    Mainly on HTML emails.
    Viewing, deleting and moving emails is extremely slow then.
    This issue does not occur with HitmanPro.Alert 3.8.22 build 947.
    I know Windows Live Mail is end of life, but I have 1,000s of emails on several email accounts, and changing to the Outlook program is not so simple without losing data.
     
  21. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Can you switch Alert to the advanced interface via the gear icon, click on Risk Reduction -> Process Protection, and untick all?
    Now close and start WLM, and see if it's gone.
    If that is the case, enable the mitigations one by one until the issue returns.
    But you will have to close WLM between every step and start a fresh process.
    Please let me know if you can pinpoint this to one single mitigation.
     
  22. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    HMPA 3.8.25 build 977 intercepted the ESET Online Scanner 3.3.3.0 on a Windows 7 x64 system:

    [attachment: HMPA vs ESET.png]

    Excluding this program under Exploit mitigation resolved the issue, but I'm reporting it for the benefit of both HMPA staff and other users of HMPA and/or the ESET Online Scanner.

    Happy New Year to all! :thumb:
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Yes, but here's the thing: you shouldn't be protecting all kinds of apps with exploit mitigations. ESET Online Scanner should normally not be attacked via some exploit, thus there is no need to protect it, since, as you can see, it might also trigger unexpected behavior and cause it to malfunction. Happy New Year to you too. :thumb:
     
  24. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Thanks. So if I understand what you're saying, somebody either at Sophos or at ESET needs to fix it so that HMPA doesn't attack ESET's Online Scanner, as otherwise we need to exclude it (which we'd rather not do) so that it can do its work without getting intercepted, is that right?
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Perhaps I misunderstood, but is it correct that you added ESET's Online Scanner to the exploit mitigations yourself? Or did HMPA automatically protect it and give this alert?
     