HitmanPro.ALERT Support and Discussion Thread

In case anyone is/was running in to the McAfee WebAdvisor v.s. CookieGuard fight, more details here.
https://support.hitmanpro.com/hc/en...date-4-1-1-CookieGuard-alerts-blocks-PC-usage

 

HitmanPro.Alert 3.20.2 Build 2019

Changelog (compared to 983)

• Fixed Autoruns BSOD
• Fixed Driver BSOD
• Fixed CryptoGuard5 Memory leaks
• Fixed CobaltStrike Double messages in report when in audit mode
• Fixed SyscallX64 Added caching to prevent hickups during play when using Chromium browser streams (e.g. Netflix / Prime).
• Improved APCProtection Windows 11 support
• Improved CobaltStrike Add support for WinHttp based beacons
• Improved SyscallX86 Detection and alerting/reporting/suppression options
• Improved SyscallX64 Added protection against Ekko/Foliage/KrakenMask
• Improved C2Interceptor Added generic stager detection
• Improved PipeWorker Security restrictions
• Improved AmsiGuard Added protection for remote processes
• Improved LBR Added newer CPU's: Tiger Lake, Rocket Lake
• Improved CookieGuard Support for Chrome's new "Device Bound Session Credentials"
• Improved Excalibur Code handling of rapid alerts/reports
• Improved AlertProducer Added a rate limiter for repeating alerts - WARNING: Last Alert due to flood! added to eventlog
• Improved Selfprotection and alerting logic
• Improved KernelTrap32 added multiple API's
• Improved HollowProcess logic for PEB protection
• Improved CallerCheck thumbprinting for local allow-listing

https://dl.surfright.nl/hmpalert3b2019.exe

Auto-update is on for existing 2017 users, if all goes well we'll be updating 983 users soon after that in staged roll-out (first batch has been released).
Please let us know how this version runs on your machine

 

Installed on top of build 983, everything working fine.

 

Hello,

im getting many errors "nvlddmkm" since the new version.
system freezes for minutes and i cant do anything.


\Device\Video3
Restarting TDR occurred on GPUID:100
00000000020030000000000099000000000000000000000000000000000000000000000000000000

and when i open a cmd or powershell i get a pop up with the message

C:\Windows\system32\hmpalert.dll is either not intended to run on Windows or contains an error. Reinstall the program using the original installation media or contact the system administrator or software supplier for assistance. Error status 0xc0000428.

im on win 11

 

Have you tried to uninstall HPA, reboot and reinstall fresh 3.20.2.2019 like the error basically recommends?

 

i did right now a clean uninstall with revo and now installed again will see and hope for it^^

edit: same problem but without "nvlddmkm" error till now..

@RonnyT
still get this pop up message when i open cmd as admin and after typing sfc/scannow :

C:\Windows\system32\hmpalert.dll is either not designed to run on Windows or contains an error. Reinstall the program using the original installation media or contact the system administrator or software supplier for assistance. Error status 0xc0000428.

- Provider
[ Name] Application Popup
[ Guid] {47bfa2b7-bd54-4fac-b70b-29021084ca8f}
EventID 26
Version 0
Level 4
Task 0
Opcode 0
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2025-03-02T13:44:58.8310443Z
EventRecordID 41039
Correlation
- Execution
[ ProcessID] 1392
[ ThreadID] 1888
Channel System
Computer
- Security
[ UserID]

 

Auto update today. No problems so far.

 

Can you please open a support ticket support@hitmanpro.com
Please provide OS version and build + other security software installed.

 

Updated this morning to build 2019. Shortly after rebooting, the following overlay appeared on my screen:



The same thing happened on my wife's PC; we both have HMP.A and Norton 360 on Windows 10 machines. The N360 icon in the notification area disappeared soon after this interception.

A new reboot seems to have taken care of the problem, but I wanted to report it anyway because of the potential for this event to panic users.

P.S. The issue where text typed into the Norton Private Browser shows up scrambled, was not solved with build 2019.

 

OK cool, I was worried because you're not that active anymore.

But this test wasn't specifically about ransomware. I would like to see a CryptoGuard test, it would be great marketing for HMPA/Intercept X.

OK cool!

OK nice, like I said, you could simply make a list of apps that are often targeted by infostealers, and protect the data on disk and memory. Is it perhaps an idea to make a version for macOS too? Apparently, the $1.5 billion hack on Bybit was caused by some infostealer on macOS.

 

To be honest, I still don't understand why HMPA hasn't implemented a whitelist of trusted software.

 

OK I see, but I thought that Ronny was a support guy, not a developer.

OK cool, didn't know about this. This company also seems to be focused on blocking ransomware, but they haven't done a lot of marketing, strangely enough.

 

We do, but some stuff we leave up to the user to decide if they trust it or not, it's a simple as going to the event log -> action -> suppress and Norton can access your authentication cookies and passwords stored in that browser.

 

Is there a reason why you guys would not simply include Norton 360 among the programs that HMP.A trusts automatically without requiring user action? Users who are less technically sophisticated, like my wife, freak out when seeing this sort of thing filling their screen.

 

That's a good question. From a user's perspective, it would be helpful to make such a list both visible and explicitly customizable.

 

Thanks for the feedback, we've whitelisted this one, so should no longer show up.

 

Fantastic, thank you!

 

@RonnyT
the new windows update KB5053598 WIN 11 24H2 resolved my problem

 

OK cool, so you guys fixed it? I remember in the past this wasn't possible, I always had problems with Sandboxie, will soon test it.

BTW, I was reading this article about a ransomware attack that was initially stopped by EDR, but then hackers somehow managed to infect the network via some unprotected webcam. Do you think Intercept X would be able to stop this stuff? I mean, is it comparable to remote ransomware, what we discussed earlier?

https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam

 

The Sandboxie thing is a different alert not CookieGuard triggered by NortonUI.exe there is some code condition that sometimes something breaks. So there is not change there.

Yes pretty sure our CryptoGuard would have caught this as we monitor encryption on incoming/outgoing shares.

 

Yeah, Microsoft removed that code that broke and/or caused almost all security vendors chasing what they silently changed...

 

OK weird, so Sandboxie can not be whitelisted?

Wow, that would be cool. I wonder why this EDR totally missed this, most likely because they didn't monitor for remote ransomware attacks.

 

Could I get a trial key? I have tested it a long time ago and a lot has changed since then (but not my Windows install lol) and would like to check this out again. Thanks in advance

 

+1. I wouldn't mind another trial, if they're available.

 

It already is for certain cases, but there is a nasty bug there somewhere.

We come from Prevention that's a totally different angle then "Detection and/or Response" from more detection based EDR's, on top of that there are not to much vendors supporting prevention of remote encryption.
https://infosec.exchange/@SophosXOps/114154689772002479