Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.
CTP3: no standard protection. Exploit mitigations of HitmanPro 3.7 build 225 (64-bit version).
Could HitmanPro.Alert be causing a Silverlight process's (agcp.exe) failure to terminate? agcp.exe is a child process of chrome.exe when playing Netflix videos. After I close Chrome agcp.exe lingers. If I do this repeatedly I have several remnant instances of agcp.exe running.
It possibly could. I found ROP protection being disabled eliminated a lot of problems, so start there. Then I hit a brick wall as Quickbooks wouldn't run. None of its processes were protected, but it does use IE. Only fix was to completely uninstall.
We are working on a fix for CTP4.
Will be fixed for CTP4.
I will be waiting to test.
I see the Plugin container for Firefox listed under "Your web browsers".
Yep. We are still deciding whether we should show it there.
I am sorry to bring this up again but since I've just run into this issue, there is something I'd like to ask. I have disabled CryptoGuard in my HMP.Alert CTP3 and it still creates those files in c:\windows\cryptoguard. Is this supposed to happen? I am very hesitant to make a Windows folder an exception folder in AppGuard because I cannot extend launch protection to this folder.
This is not supposed to happen. I will have a look to see if we can fix this in CTP4.
Is it intentional that the 64-bit hmpalert.dll is located in C:\Windows\System32\ and the 32-bit in C:\Windows\SysWOW64\ ?
Yes. This is how Windows works.
System32 is for 64-bit files.
SysWOW64 is for 32-bit files.
WoW64 (Windows 32-bit on Windows 64-bit).
ROFL Erik of course what you posted is correct, but looking at it I can't help laughing.
Wow, I didn't know that. Counter intuitive for sure. Thanks for the education.
Just discovered something a bit disturbing. I had HMPA back on and was looking for a work around for the Quickbooks failures. As I told you the problem was caused by the hmpalert.dll I was trying all kinds of stuff, and what finally worked was simply renaming the DLL, loading Quickbooks and then immediately renaming it back. Clumsy but worked. But then I got to wondering why the Hmpalert.dll was even loaded in a Quickbooks process, since I would consider protecting this program. I did a bit of snooping and discovered the DLL has been loaded into 47 processes. Only protecting 20 with HMPA. Some of the processes it was loaded in scared me a bit considering the effect on Quickbooks.
I checked and neither EMET nor MBAE behave this way. Can this behavior be changed, as it is a show stopper for me?
Can you post a screenshot of your process viewer that show this?
I am afraid not, as it would mean going through the uninstall of EMET and reinstall of HMPA. Also it's going to be different for every system. I use a program called What's Running (http://www.whatsrunning.net/main.aspx).
Don't know if it runs on Win 8 though. You can also use Process Explorer
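An added example, not posted in this thread and not code from SurfRight: a PowerShell script that does the two checks discussed above without a third-party process viewer. It reads the PE header of each on-disk copy of the DLL to confirm that the System32 copy is 64-bit and the SysWOW64 copy is 32-bit (Erik's explanation above), and then enumerates every running process whose module list contains the DLL, which is what the "loaded into 47 processes" observation was based on. The module name `hmpalert.dll` and the two directories come from the thread; everything else (the parameter name, the function names, the output layout) is this example's own choice.

```powershell
# Added example (not from the thread or from SurfRight).
# Reports (1) the architecture of each on-disk copy of a DLL and
# (2) every running process that currently has that DLL loaded.
# Assumptions: the module name defaults to hmpalert.dll as discussed in the
# thread; run from an elevated 64-bit PowerShell so protected processes can be read.
param(
    [string]$ModuleName = 'hmpalert.dll'
)

function Get-PeMachine {
    param([string]$Path)
    # IMAGE_FILE_HEADER.Machine sits 4 bytes past the "PE\0\0" signature,
    # whose offset is stored in the DOS header field e_lfanew at 0x3C.
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014c  { '32-bit (x86)' }
        0x8664  { '64-bit (x64)' }
        default { 'unknown (0x{0:X4})' -f $machine }
    }
}

function Get-OnDiskCopies {
    param([string]$Name)
    # System32 holds the 64-bit build, SysWOW64 the 32-bit build, as Erik explains.
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        $p = Join-Path $dir $Name
        if (Test-Path $p) {
            [pscustomobject]@{ Path = $p; Architecture = (Get-PeMachine $p) }
        }
    }
}

function Get-ProcessesWithModule {
    param([string]$Name)
    # Processes we cannot open (protected/system) are reported, not silently dropped,
    # so the count at the end is honest about what was actually inspected.
    foreach ($proc in Get-Process) {
        try {
            $m = $proc.Modules | Where-Object { $_.ModuleName -ieq $Name }
            if ($m) {
                [pscustomobject]@{ PID = $proc.Id; Process = $proc.ProcessName; Path = $m.FileName }
            }
        } catch {
            [pscustomobject]@{ PID = $proc.Id; Process = $proc.ProcessName; Path = "access denied: $($_.Exception.Message)" }
        }
    }
}

Get-OnDiskCopies $ModuleName | Format-Table -AutoSize

$hits   = @(Get-ProcessesWithModule $ModuleName)
$loaded = @($hits | Where-Object { $_.Path -notlike 'access denied*' })
$hits | Sort-Object Process | Format-Table -AutoSize
'{0} process(es) have {1} loaded ({2} process(es) could not be inspected)' -f `
    $loaded.Count, $ModuleName, ($hits.Count - $loaded.Count)
```

One caveat when comparing the count with a process viewer: in Windows PowerShell 5.1, `Process.Modules` only lists modules of the caller's own bitness when the target is a 32-bit (WoW64) process, so the 32-bit copy of the DLL in 32-bit processes is missed from a 64-bit host. Run the script under PowerShell 7 (which uses `EnumProcessModulesEx` with all modules), or run it once from the 64-bit and once from the 32-bit PowerShell host and merge the results.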
We have the Quickbooks fix tucked into our source control system and it will be available with CTP4. Most likely CTP4 will be released next week.
HitmanPro.Alert version 2 (out since July 2013) is a free security application that provides safe browsing, vaccination and CryptoGuard (anti-crypto-ransomware). The safe browsing feature ensures that no malicious code is listening in your web browser that is stealing traffic and/or credentials on websites of banks, e-commerce, web mail or social media. Alert detects this by scanning the web browser for malicious code hooks. Since legitimate software (like AVs) also inject code into web browsers, Alert monitors code-injection system-wide so that it knows which software is injecting what and where. In order to do this the hmpalert.dll must be in every process.
HitmanPro.Alert version 3 adds many more features, including Exploit Mitigations (with hardware-assistance), Keystroke Encryption, Webcam Notifier, Active Vaccination and more.
Hope this helps.
Thanks for the explanation. Is it possible to have an option to exclude certain processes from this. Given what happened with injecting the DLL into Quickbooks, it scares me having it injected into stuff like Raxco's Instant Recovery, and any other back up software. I count on them for the ultimate protection and don't want any risk to them. So being able to exclude certain processes would be desirable.
The other option would be the ability to turn off that safe browsing feature when desired. (Yes, I know that would probably require a reboot.)
The Quickbooks case was a corner case situation (typical off-by-one issue).
We don't have an exclude option scheduled since there are very few issues with non-mitigated processes like Quickbooks.
The CTPs are here to iron out issues before we release to the masses. You found an issue and we've fixed it.
The Safe Browsing feature can be turned off (no reboot needed) but that won't cause the DLL to be excluded from loading. This is because the DLL is also used for exploit mitigation and vaccination.
It basically boils down to if you find an issue, we will solve it. As is done with most security software.
Fair enough. Okay two more issues.
1. Both IE 11 and SMPlayer get false positive exploit detection unless ROP Protection is turned off. Details show both related to a2hooks64.dll, which is from Emsisoft's EIS. Can you take a look at that?
2. Sandboxie. When I fire up either IE or Firefox, under Sandboxie I see the HMPAlert.dll injected, yet the GUI shows the browser unprotected. Will this be possible to fix?
PS. Keep up the good work, I do very much like this program.
If you use Sandboxie you have to add \Device\NamedPipe\hmpalert to Full Access in each sandbox and then reload Sandboxie's configuration.
Hitman Pro CTP3 broke several games on Steam! Nearly 50% of the games ended up with error code 84 when I tried to start them. I had first the Steam Bootstrapper added to mitigations. Worked fine before, but for some reason I uninstalled HMP.Alert CTP3... then re-installed it. That's when hell broke loose. I removed the Steam Bootstrapper from HMP CTP3 but problems still occurred. Finally, uninstalling HMP CTP3 solved the issues.
Here are print screens of the error messages Steam gave me. What more help info might you need?
Win 8 x64
We will have a look. Thanks for the report!
After a bunch of testing yesterday, a couple of things.
1. As Erik said I found no issues with most of the programs I was concerned about.
2. The conflict of running several programs with false ROP detection that showed a2hook64.dll was indeed a conflict with Emsisoft's EIS. Uninstalling it and they went away.
3. On the bad side I ran into a horrific delay when downloading videos like YouTube. Once the download started it was fine, but normally when I get the Save As window and click it the download would start. What I was getting was a 5-10 second delay, and then the Firefox window would actually close, the download would start and then the window would return.
I am beginning to suspect it may end up being the one too many security programs.
I took it off and will retest with CTP4.