Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.
How exactly are you downloading YouTube videos? Using a plugin?
Yes. After the video starts, the plugin allows downloading. I have two different plug-ins. Same result.
Netvideohunter 1.16 and/or
VideoDownloader professional 1.97.34
Another site is vimeo.com videos.
Another PS. I was running with Sandboxie as WSFfan described above.
On the videos, I confirmed it is only a problem when using HMPA through Sandboxie. Without Sandboxie it's fine. But I've got to have Sandboxie.
Worse yet, another major conflict. I had a problem with Perfect Disk 13 Pro's offline defrag, and began to suspect it might be HMPA. I got PD working and installed HMPA. No problem. Tested a few things and again no problem. Then I did a scan. It found one file it couldn't delete. So it deleted it on reboot. That was it. Killed PD's offline defrag. Even uninstalling HMPA didn't help. It took uninstalling and reinstalling PD to fix it. Let me know about this when you can. I will hold off reporting the conflict to Raxco until I hear from you.
You did a scan in Alert and HitmanPro reported a file to be deleted? Which file was going to get deleted? There is a log in C:\ProgramData\HitmanPro\Logs\ . You can also request the logs by starting HitmanPro (it is a separate program from Alert).
Arg. I don't remember the file. I'll retest and see what happens.
HitmanPro writes a log in the above-mentioned folder.
Okay, did some more testing and found the logs. Did a scan and 3 things were found: 1) An entry for Crashplan.exe tray top. This software has been uninstalled, and the error said it could cause problems. Status was repair. 2) A long file name thingy that HP couldn't identify. It was a Jungledisk (cloud backup) cache file. Its status was ignore. 3) It was an update checker for a Microsoft codec setup. I already have it blocked from running. Its status was ignore. Clicking next, it said one piece of malware couldn't be removed and would be removed on reboot.
On reboot, I saw the SurfRight notifier. It did delete the entry, but that is also where PerfectDisk broke. I retrieved the log, but all it listed was the two files.
Restored an image and then did a cleanup, the final step of which was to find every Crashplan entry in the registry and remove it. Rebooted, and tried the boot-time defrag, which worked perfectly. Then I reinstalled HMPA, rescanned, and the Crashplan entry was there. This time I set it to ignore and all was fine.
Erik, is there any plan to break Alert out separately? I really, really don't want the scanner part on my system.
Perhaps a bit of a dumb question, but is this really the only way to monitor system-wide code injection done by legitimate apps? I do understand that hmpalert.dll must be injected into the browser in order to check for malicious hooks. Also, does legitimate software alter the browser memory in the same way that banking trojans do? What about this tool (see link): can the same thing be done with the help of a driver?
Is SBIE already compatible with HMPA?
The HitmanPro scanner is separate from Alert.
Though, if you click on the Scan button in Alert, it will download the HitmanPro scanner separately and Alert will show progress in its interface.
Hope this helps.
See the post above by WSFfan. He posted the line to put into Sandboxie.
Keep me posted as I know Raxco is very interested.
Where does HMPA quarantine files? And how do I retrieve them when it's an FP?
No problems with Sandboxie beta 4.13.5 and CTP3 (W7 64-bit). With the yet-to-be-released CTP4: are the problem(s) with Sandboxie/Vista solved?
We are still tinkering with CTP4. New protection features, an alternate UI and many fixes and improvements. Keep an eye on this thread.
A few niggles here.
Every time I open Chrome I get an alert. I have run scans with HMP and even taken a look through DDS and GMER logs (nothing that jumps out at me).
Another issue (don't know if it's been flagged up), but when typing in a browser (I'm quite a quick typist) I'll sometimes get a double of the first letter; for example:
When typing wilderssecurity.com, I could get something like wwlderssecurity.com <-- I'm thinking it's something to do with key encryption?
I've had another BSoD too (0x7E NETIO.SYS). I have not run a WinDbg analysis as I haven't had time, but I've got a feeling it's HMPA.
Sorry if any of this has been mentioned before!
Perhaps just showing it only under exploit protected applications is less confusing.
Btw does Alert exploit-protect Firefox's Flash plugin process?
Yes, it mitigates exploits in the plugin-container process.
To clarify: since Flash 11.3, it has another process separate from plugin-container, FlashPlayerPlugin_*Version number*.exe, I mean this one.
Take your time with CTP4.
I can't find it, is my Firefox outdated or corrupt?
No, if you don't have it your Flash is outdated, not Firefox. But you're probably looking in the wrong folder; it's in Windows\SysWOW64 (or System32 for 32-bit systems)\Macromed\Flash.
OK cool, didn't even know that HMPA could protect sandboxed processes.
BTW, Erik Loman has already explained to me via PM that it's not that simple. HMPA has to check which app is injecting code into the browser so that it can know if the browser is hooked by a legitimate app. If it is done by some AV it will not alert, but if it's done by some unsigned app it will alert. Apparently the only way to do this is by monitoring every process with the hmpalert.dll file. But now that I think of it, shouldn't only the browser be monitored for modification? Sorry, I'm getting confused again.