HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    989
CTP3: no standard protection Exploit mitigations of HitmanPro 3.7 build 225 (64-bit version).
     
  2. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    CTP3:

Could HitmanPro.Alert be causing a Silverlight process's (agcp.exe) failure to terminate? agcp.exe is a child process of chrome.exe when playing Netflix videos. After I close Chrome, agcp.exe lingers. If I do this repeatedly, I have several remnant instances of agcp.exe running.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
It possibly could. I found that disabling ROP protection eliminated a lot of problems, so start there. Then I hit a brick wall as Quickbooks wouldn't run. None of its processes were protected, but it does use IE. The only fix was to completely uninstall.
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We are working on a fix for CTP4.
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Will be fixed for CTP4.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I will be waiting to test.

    Pete
     
  7. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    989
    I see the Plugin container for Firefox listed under Your web browsers.
     

  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yep. We are still deciding whether we should show it there.
     
  9. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I am sorry to bring this up again but since I've just run into this issue, there is something I'd like to ask. I have disabled CryptoGuard in my HMP.Alert CTP3 and it still creates those files in c:\windows\cryptoguard. Is this supposed to happen? I am very hesitant to make a Windows folder an exception folder in AppGuard because I cannot extend launch protection to this folder.
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
This is not supposed to happen. I will have a look to see if we can fix this in CTP4.
     
  11. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Is it intentional that the 64-bit hmpalert.dll is located in C:\Windows\System32\ and the 32-bit in C:\Windows\SysWOW64\ ?
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes. This is how Windows works.
    System32 is for 64-bit files.
    SysWOW64 is for 32-bit files.

    WoW64 (Windows 32-bit on Windows 64-bit).
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    ROFL Erik of course what you posted is correct, but looking at it I can't help laughing.
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,088
    Location:
    USA
Wow, I didn't know that. Counterintuitive for sure. Thanks for the education.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

Just discovered something a bit disturbing. I had HMPA back on and was looking for a workaround for the Quickbooks failures. As I told you, the problem was caused by the hmpalert.dll. I was trying all kinds of stuff, and what finally worked was simply renaming the DLL, loading Quickbooks and then immediately renaming it back. Clumsy, but it worked. But then I got to wondering why the hmpalert.dll was even loaded in a Quickbooks process, since I would consider protecting this program. I did a bit of snooping and discovered the DLL has been loaded into 47 processes. Only protecting 20 with HMPA. Some of the processes it was loaded in scared me a bit, considering the effect on Quickbooks.

    I checked and neither EMET nor MBAE behave this way. Can this behavior be changed, as it is a show stopper for me?


    Pete
     
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,088
    Location:
    USA
Can you post a screenshot of your process viewer that shows this?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Victek

I am afraid not, as it would mean going through the uninstall of EMET and reinstall of HMPA. Also it's going to be different for every system. I use a program called What's Running - http://www.whatsrunning.net/main.aspx

    Don't know if it runs on Win 8 though. You can also use Process Explorer.

    Pete
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
We have the Quickbooks fix tucked into our source control system, and it will be available with CTP4. Most likely CTP4 will be released next week.

    HitmanPro.Alert version 2 (out since July 2013) is a free security application that provides safe browsing, vaccination and CryptoGuard (anti-crypto-ransomware). The safe browsing feature ensures that no malicious code is listening in your web browser that is stealing traffic and/or credentials on websites of banks, e-commerce, web mail or social media. Alert detects this by scanning the web browser for malicious code hooks. Since legitimate software (like AVs) also injects code into web browsers, Alert monitors code injection system-wide so that it knows which software is injecting what and where. In order to do this, the hmpalert.dll must be in every process.

    HitmanPro.Alert version 3 adds many more features, including Exploit Mitigations (with hardware-assistance), Keystroke Encryption, Webcam Notifier, Active Vaccination and more.

    Hope this helps.
     
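Pete (post 15) counted the processes carrying hmpalert.dll by hand in a process viewer, and post 12 explains why the DLL exists in both System32 and SysWOW64. The script below is an added example, not code from this thread or from the HitmanPro.Alert product: it produces the same inventory on a 64-bit Windows host and reports which copy of the DLL each process has mapped. Only the DLL name comes from the thread; everything else is constructed here.

```powershell
# Added example (not from the thread or from HitmanPro.Alert): list every
# process with hmpalert.dll mapped and whether it is the 64-bit copy from
# System32 or the 32-bit copy from SysWOW64. Run from an elevated 64-bit
# PowerShell; a 32-bit host cannot read the module list of 64-bit processes,
# and protected processes (and Idle/System) refuse the handle either way.
$ModuleName = 'hmpalert.dll'   # DLL name as given in the thread

$rows = foreach ($p in Get-Process) {
    try {
        # -Module with -ErrorAction Stop turns "cannot enumerate" into a
        # catchable error instead of a silent gap in the inventory.
        $mod = Get-Process -Id $p.Id -Module -ErrorAction Stop |
            Where-Object { $_.ModuleName -ieq $ModuleName } |
            Select-Object -First 1
    } catch {
        # Record the failure so the final count is an honest lower bound.
        [pscustomobject]@{
            ProcessId = $p.Id; Process = $p.ProcessName; Loaded = 'unknown'
            Bitness = ''; Path = $_.Exception.Message
        }
        continue
    }
    if (-not $mod) { continue }
    # The loader picks the copy by the process's own bitness (WoW64 redirection),
    # so the mapped path tells us whether the process is 32- or 64-bit.
    $bitness = if ($mod.FileName -like "$env:SystemRoot\SysWOW64\*") { '32-bit' } else { '64-bit' }
    [pscustomobject]@{
        ProcessId = $p.Id; Process = $p.ProcessName; Loaded = 'yes'
        Bitness = $bitness; Path = $mod.FileName
    }
}

$rows | Sort-Object Loaded, Bitness, Process | Format-Table -AutoSize
$loaded = @($rows | Where-Object Loaded -eq 'yes')
"Processes with $ModuleName loaded: $($loaded.Count) (of $((Get-Process).Count) running)"
```

Comparing the 'yes' rows against the application list HitmanPro.Alert shows as protected reproduces the 47-versus-20 gap Pete describes, which is expected given post 18's explanation that the DLL is present in every process for injection monitoring.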
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

Thanks for the explanation. Is it possible to have an option to exclude certain processes from this? Given what happened with injecting the DLL into Quickbooks, it scares me having it injected into stuff like Raxco's Instant Recovery, and any other backup software. I count on them for the ultimate protection and don't want any risk to them. So being able to exclude certain processes would be desirable.

    The other option would be the ability to turn off that safe browsing feature when desired. (Yes, I know that would probably require a reboot.)

    Pete
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
The Quickbooks case was a corner case situation (typical off-by-one issue).

    We don't have an exclude option scheduled since there are very few issues with non-mitigated processes like Quickbooks.

    The CTPs are here to iron out issues before we release to the masses. You found an issue and we've fixed it.

    The Safe Browsing feature can be turned off (no reboot needed), but that won't cause the DLL to be excluded from loading. This is because the DLL is also used for exploit mitigation and vaccination as well.

    It basically boils down to if you find an issue, we will solve it. As is done with most security software.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    Fair enough. Okay two more issues.

1. Both IE 11 and SMPlayer get false positive exploit detection unless ROP Protection is turned off. Details show both related to a2hooks64.dll, which is from Emsisoft's EIS. Can you take a look at that?

    2. Sandboxie. When I fire up either IE or Firefox, under Sandboxie I see the HMPAlert.dll injected, yet the GUI shows the browser unprotected. Will this be possible to fix?

Thanks, Pete

    PS. Keep up the good work, I do very much like this program.
     
  22. WSFfan

    WSFfan Registered Member

    Joined:
    May 10, 2012
    Posts:
    374
    Location:
    The Earth
    If you use Sandboxie you have to add \Device\NamedPipe\hmpalert to Full Access in each sandbox and then reload Sandboxie's configuration.
     
  23. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
Hitman Pro CTP3 broke several games on Steam! Nearly 50% of the games ended up with error code 84 when I tried to start them. I had first added the Steam Bootstrapper to mitigations. Worked fine before, but for some reason I uninstalled HMP.Alert CTP3... then re-installed it. That's when hell broke loose. I removed the Steam Bootstrapper from HMP CTP3 but problems still occurred. Finally, uninstalling HMP CTP3 solved the issues.

    Here are printscreens from the error messages Steam gave me. What more help info might you need?

    Win 8 x64
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We will have a look. Thanks for the report!
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    After a bunch of testing yesterday, a couple of things.

    1. As Erik said I found no issues with most of the programs I was concerned about.
2. The conflict of running several programs with false ROP detection that showed a2hook64.dll was indeed a conflict with Emsisoft's EIS. Uninstalling it and they went away.
    3. On the bad side I ran into a horrific delay when downloading videos like YouTube. Once the download started it was fine, but normally when I get the Save As window and click it, the download would start. What I was getting was a 5-10 second delay, and then the Firefox window would actually close, the download would start and then the window would return.

    I am beginning to suspect it may end up being one too many security programs.

    I took it off and will retest with CTP4.

    Pete
     