HitmanPro.ALERT Support and Discussion Thread

Windows 7 and antivirus plus latest.Chrome Version 35.0.1916.114 m

 

@ erikloman

I know you´re busy, but if you have the time, perhaps you can respond to post #1665 and #1672.

https://www.wilderssecurity.com/thre...discussion-thread.324841/page-67#post-2378840
https://www.wilderssecurity.com/thre...discussion-thread.324841/page-67#post-2379741

 

That´s a bummer, so it did alert you but couldn´t block it? I already said it before, but when it comes to ransomware, I wouldn´t rely only on behavior blocking. Some HIPS offer data protection (protection of folders), so that only certain apps can touch your files. And virtualization (like Sandboxie) is also a powerful protection method.

 

Fact is that Alert did block the attack and it tries to revert the changed files. In this case it failed to do so on 3 files. The reverting operation depends on actual process that is encrypting the file (which APIs it is using). In case of CryptoLocker, CryptoDefense and CryptoWall it should be able to revert all changes (as can be seen in our video). We are making improvements to Alert's cryptoguard feature to the reverting process. We will have a look at AxCrypt for inspiration.

 

We've contacted Zemana for their tool. More info later.

 

May 25, I reported an issue of which I wondered if it could be related to HitmanPro.Alert, or not. That was the "Windows could not connect to the System Event Notification Service" issue.
I asked Erik and Mark Loman for their opinions. Unfortunately, Erik and Mark did not reply to my request.
Though, May 28, pimjoosten reported that he had not experienced the issue that I reported, while also using Windows Vista. That certainly made it less likely that HMP.A was the cause of the issue that I had been experiencing.

By now, I can report that the issue that I reported earlier has no longer occurred, not either after yesterday's Windows updates.
I suppose the actions that I described in my May 25 post solved the problem,
or the problem was solved by a recent update of applications such as my anti-virus program, Realtek HD Audio driver, NVIDIA graphics driver, or Windows Update components.
However, I am not aware that in recent updates of my anti-virus program, Realtek HD Audio driver, NVIDIA graphics driver, or Windows Update any specific adjustment was made that related to the mentioned problem.

Anyway - all's well that ends well, I hope.

 

To be honest, I still don´t really understand how this works. If a file has already been modified, how can you revert that?

I already mentioned this before, but for example Online Armor has a feature that alerts about apps who are trying to enumerate files. If you block this, ransomware can´t modify files. Does HitmanPro.Alert work the same, will it automatically block this?

EDIT: I´m not sure if OA can protect against all ransomware variants.

Cool! Perhaps you can also take a look at G Data BankGuard. And just to clarify, I think that HitmanPro.Alert is already a useful tool, but I´m asking these questions because I´m trying to learn stuff.

 

I have used AxCrypt numerous times to encrypt folders and only once has it triggered an alert.

IIRC the three files that were encrypted still remained in their unencrypted form. I didn't realize this was because of the reverting operation. At the time I considered this just a small nuisance.

 

I wrote a small script in autoit and compiled it, it encrypts all content from a "Files" folder and removes the unencrypted files. HitmanPro Alert doesn't seem to care about this, i guess it only blocks when all personal files from different folders on your computer get encrypted?

 

HitmanPro.Alert doesn't care where the files are located. It does watch for certain file formats. Would like like to share your tool?

 

Oops! ....Thanks, I will try and delete my post.

 

Its too bad this doesn't work with MBAE I assume they both use at least one of the same techniques so there is a conflict.

 

Latest MBAE version introduced new functionality that contains a race condition (bug) that causes a compatibility issue with Alert on various apps like Chrome.

The incompatibility is introduced by MBAE latest release as previous builds were compatible.

See also this post I made in the MBAE thread:
https://www.wilderssecurity.com/threads/malwarebytes-anti-exploit.354641/page-30#post-2382017

I am sure Pedro is able to fix this quite easily.

 

Beta 218 stopped working (twice). W7 64 bits.

Logboeknaam: Application
Bron: Application Error
Datum: 15-6-2014 10:45:38
Gebeurtenis-id:1000
Taakcategorie: (100)
Niveau: Fout
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: *****
Beschrijving:
Naam van toepassing met fout: HitmanProBeta_x64.exe, versie: 3.7.9.218, tijdstempel: 0x539af82d
Naam van module met fout: HitmanProBeta_x64.exe, versie: 3.7.9.218, tijdstempel: 0x539af82d
Uitzonderingscode: 0xc0000005
Foutoffset: 0x0000000000192efe
Id van proces met fout: 0x1304
Starttijd van toepassing met fout: 0x01cf887566c63e37
Pad naar toepassing met fout: C:\Users\****\Desktop\HitmanProBeta_x64.exe
Pad naar module met fout: C:\Users\****\Desktop\HitmanProBeta_x64.exe
Rapport-id: 6bf711a7-f469-11e3-8832-001f16aa0c13
Gebeurtenis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-06-15T08:45:38.000000000Z" />
<EventRecordID>138398</EventRecordID>
<Channel>Application</Channel>
<Computer>****-PC</Computer>
<Security />
</System>
<EventData>
<Data>HitmanProBeta_x64.exe</Data>
<Data>3.7.9.218</Data>
<Data>539af82d</Data>
<Data>HitmanProBeta_x64.exe</Data>
<Data>3.7.9.218</Data>
<Data>539af82d</Data>
<Data>c0000005</Data>
<Data>0000000000192efe</Data>
<Data>1304</Data>
<Data>01cf887566c63e37</Data>
<Data>C:\Users\****\Desktop\HitmanProBeta_x64.exe</Data>
<Data>C:\Users\****\Desktop\HitmanProBeta_x64.exe</Data>
<Data>6bf711a7-f469-11e3-8832-001f16aa0c13</Data>
</EventData>
</Event>

 

This is the Alert thread

Can you run:

HitmanPro.exe /debug:full

... and send me the minidump?

 

Hi there

I had Hitmanpro.alert installed for a while and then decided to update it to a more recent version, so I effectively installed that over the top of the existing installation. What I am now finding that I get TWO notifications (Green boxes) notifying me that Hitmanpro.alert is protecting the browser when I start IE. So I though that I would start again and uninstall Hitmanpro.alert completely and then just install the latest version. So ran the uninstaller and...I still get BOTH examples of the protection notification appearing when I start IE.

Would really like to start a fresh and so was hoping that someone could advise as to how I best uninstall Hitmanpro.alert...as it appears to still be installed.

Many thanks in advance.

Regards, Baldrick

 

Hi Baldrick, the HitmanPro.Alert installation on your computer sounds broken. Please download and run the appropriate uninstaller using the links below. Then reboot and install HitmanPro.Alert again.

• 32-bit version: http://dl.surfright.nl/hmpalert-uninstall.exe
• 64-bit version: http://dl.surfright.nl/hmpalert-uninstall_x64.exe

 

For the HitmanPro 3.7.9 Build 218 BETA. Do you have a removal tool for un-installing HitmanPro 3.7.9 Build 218 BETA after testing?
Also, do you have a Removal for the HitmanPro 3.7.9 Build 216 with Kickstart 2.3? So, that I can do a clean install of HitmanPro? Can you include the links.

Thanks!

 

Here you go, i included the script written in autoit. I created different file types in the "Files" folder to test. I get no alert when running the script, all files like .doc, .jpg etc. get encrypted and the orginal files are removed.

http://www38.zippyshare.com/v/55880913/file.html

 

Thank you! I will let the team have a look at it

 

Hi markloman

Many thanks for the prompt response. Yes, that is what I was thinking so thanks for the links. Will do that as soon as possible.

Regards, Baldrick

 

Do i need to run this uninstaller after i already uninstalled with CCleaner and did a CCleaner Registry Scan.

 

For the HitmanPro 3.7.9 Build 218 BETA. Do you have a removal tool for un-installing HitmanPro 3.7.9 Build 218 BETA after testing?
Also, do you have a Removal for the HitmanPro 3.7.9 Build 216 with Kickstart 2.3? So, that I can do a clean install of HitmanPro? Can you include the links.

Thanks!

 

I also get 2 green notifications when I start IE (which is not my main browser). I get 1 for Firefox. In fact, I configured HitmanPro.Alert to show none.

A clean install after uninstalling via the uninstaller provided here did not help.

I think this started when I installed Sandboxie and created sandboxes for Firefox and IE. Is there some setting in Sandboxie that I need to apply?

 

Hi markloman, just to confirm that this did the trick and I now have just ONE notification. Cheers, Baldrick