HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
How exactly are you downloading YouTube videos? Using a plugin?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

Yes. After the video starts the plugin allows downloading. I have two different plug-ins. Same result.

    Pete
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Which plugin?
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Netvideohunter 1.16 and/or
    VideoDownloader professional 1.97.34

    Another site is vimeo.com videos
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

    Another PS. I was running with Sandboxie as WSFfan described above.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Erik

On the videos I confirmed it is only a problem when using HMPA through Sandboxie. Without Sandboxie it's fine. But I've got to have Sandboxie.

Worse yet, another major conflict. I had a problem with PerfectDisk 13 Pro's offline defrag, and began to suspect it might be HMPA. I got PD working and installed HMPA. No problem. Tested a few things and again no problem. Then I did a scan. It found one file it couldn't delete. So it deleted it on reboot. That was it. Killed PD's offline defrag. Even uninstalling HMPA didn't help. It took uninstalling and reinstalling PD to fix it. Let me know about this when you can. I will hold off reporting the conflict to Raxco until I hear from you.


    Pete
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
You did a scan in Alert and HitmanPro reported a file to be deleted? Which file was going to get deleted? There is a log in C:\ProgramData\HitmanPro\Logs\ . You can also request the logs by starting HitmanPro (it is a separate program from Alert).
     
    Last edited: Sep 24, 2014
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Arg. I don't remember the file. I'll retest and see what happens.
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro writes a log in the above mentioned folder.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Okay, did some more testing and found the logs. Did a scan and 3 things were found: 1) An entry for Crashplan.exe tray top. This software has been uninstalled, and the error said it could cause problems. Status was repair. 2) A long file name thingy that HP couldn't identify. It was a Jungledisk (cloud backup) cache file. Its status was ignore. 3) An update checker for a Microsoft codec setup. I already have it blocked from running. Its status was ignore. Clicking next, it said one piece of malware couldn't be removed and would be removed on reboot.

On reboot, I saw the SurfRight notifier. It did delete the entry, but that is also where PerfectDisk broke. I retrieved the log but all it listed was the two files.

Restored an image and then did a cleanup, the final step of which was to find every Crashplan entry in the registry and remove it. Rebooted, and tried the boot-time defrag, which worked perfectly. Then I reinstalled HMPA and rescanned, and the Crashplan entry was there. This time I set it to ignore and all was fine.

Erik, is there any plan to break Alert out separately? I really, really don't want the scanner part on my system.

    Pete
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    Perhaps a bit of a dumb question, but is this really the only way to monitor system wide code-injection done by legitimate apps? I do understand that hmpalert.dll must be injected into the browser in order to check for malicious hooks. Also, does legitimate software alter the browser memory in the same way that banking trojans do? What about this tool (see link), can the same thing be done with the help of a driver? :)

    http://www.nirsoft.net/utils/injected_dll.html

    Is SBIE already compatible with HMPA?
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
The HitmanPro scanner is separate from Alert.

    Though, if you click on the Scan button in Alert, it will download the HitmanPro scanner separately and Alert will show progress in its interface.

    Hope this helps.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    See the post above by WSFfan. He posted the line to put into Sandboxie.

    Pete
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks Erik.

    Keep me posted as I know Raxco is very interested.
     
  15. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Where does HMPA quarantine files? and how do I retrieve them when it's an fp?
     
  16. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    990
No problems with Sandboxie beta 4.13.5 and CTP3 (W7 64-bit). With the yet to be released CTP4: problem(s) solved with Sandboxie/Vista?
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
We are still tinkering with CTP4. New protection features, alternate UI and many fixes and improvements. Keep an eye on this thread.
     
  18. JasonAntClark

    JasonAntClark Registered Member

    Joined:
    Sep 3, 2014
    Posts:
    3
    A few niggles here.
Every time I open Chrome I get an alert. I have run scans with HMP and even taken a look through DDS and GMER logs (nothing that jumps out at me).

    Another issue (don't know if it's been flagged up) but when typing in a browser (I'm quite a quick typist) I'll sometimes get a double of the first letter; for example:
    When typing wilderssecurity.com - I could get something like wwlderssecurity.com <-- Thinking something to do with key encryption?

    I've had another BSoD too (0x7E NETIO.SYS) - not run a windbg analysis as I haven't had time but I've got a feeling it's HMPA.

    Sorry if any of this has been mentioned before!

    Jason
     
    Last edited: Sep 27, 2014
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,551
    Location:
    Outer space
    Perhaps just showing it only under exploit protected applications is less confusing.
    Btw does Alert exploit-protect Firefox's Flash plugin process?
     
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
Yes, it mitigates exploits in the plugin-container process.
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,551
    Location:
    Outer space
    To clarify: since Flash 11.3, it has another process separate from plugin-container, FlashPlayerPlugin_*Version number*.exe, I mean this one.
     
  22. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    990
    Take your time with CTP4.
     
  23. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,359
    I can't find it, is my Firefox outdated or corrupt?
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,551
    Location:
    Outer space
No, if you don't have it your Flash is outdated, not Firefox. But you're probably looking in the wrong folder; it's in Windows\SysWOW64 (or System32 on 32-bit systems)\Macromed\Flash.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    OK cool, didn't even know that HMPA could protect sandboxed processes.

    BTW, Erik Loman has already explained to me via PM that it's not that simple. HMPA has to check which app is injecting code into the browser so that it can know if the browser is hooked by a legitimate app. If it is done by some AV it will not alert, but if it's done by some unsigned app it will alert. Apparently the only way to do this is by monitoring every process with the hmpalert.dll file. But now that I think of it, only the browser should be monitored for modification? Sorry I'm getting confused again. :D
     
    Last edited: Sep 29, 2014
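The point Rasheed187 is circling in posts 11 and 25 is that a hooked browser API is not by itself a verdict: security products, sandboxes and banking trojans all patch the same prologues, so a scanner has to follow the detour and ask where it lands. The example below is added here to illustrate that decision and is not HitmanPro.Alert's code or any description of its internals. It compares the first bytes of an exported function as seen in process memory with the on-disk copy, decodes the two common x86-32 detour shapes (jmp rel32 and push/ret), resolves the target against a table of loaded modules, and then grades the hook: a signed module (a legitimate AV, say) is tolerated, an unsigned module is flagged, and a target backed by no module at all (injected shellcode in private memory) is the classic banking-trojan signature. The module names, base addresses, the hooked address and the Authenticode results in the table are all constructed; a real scanner would read the module list from the target process, verify each module's signature, and relocate the on-disk image before comparing bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: grade an inline hook found at an API prologue by where its
 * detour lands. The module table and byte patterns are constructed stand-ins
 * for what a scanner reads from the live process and the on-disk DLL. */

typedef struct {
    const char *name;
    uint64_t    base, size;
    int         signed_ok;   /* assumed Authenticode result: 1 = verified */
} module_t;

typedef enum {
    HOOK_NONE,             /* prologue matches the on-disk image */
    HOOK_LEGIT_MODULE,     /* detour lands in a signed, loaded module */
    HOOK_UNSIGNED_MODULE,  /* detour lands in an unsigned module */
    HOOK_UNBACKED,         /* detour lands in memory backed by no module */
    HOOK_UNKNOWN_PATCH     /* bytes differ but no recognised detour shape */
} hook_verdict_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Recognise the two detour shapes most inline hooks use on x86-32:
 * E9 rel32 (jmp) and 68 imm32 / C3 (push addr; ret). */
static int decode_detour(const uint8_t *code, uint64_t va, uint64_t *target) {
    if (code[0] == 0xE9) {
        *target = va + 5 + (int64_t)(int32_t)rd32(code + 1);
        return 1;
    }
    if (code[0] == 0x68 && code[5] == 0xC3) {
        *target = rd32(code + 1);
        return 1;
    }
    return 0;
}

static const module_t *module_for(const module_t *m, size_t n, uint64_t va) {
    for (size_t i = 0; i < n; i++)
        if (va >= m[i].base && va < m[i].base + m[i].size) return &m[i];
    return NULL;
}

/* Compare the first `len` bytes of the in-memory prologue with the on-disk
 * copy; on a mismatch, follow the detour and attribute it to a module. */
hook_verdict_t classify_prologue(const uint8_t *mem, const uint8_t *disk, size_t len,
                                 uint64_t va, const module_t *mods, size_t nmods) {
    uint64_t target;
    if (memcmp(mem, disk, len) == 0) return HOOK_NONE;
    if (!decode_detour(mem, va, &target)) return HOOK_UNKNOWN_PATCH;
    const module_t *m = module_for(mods, nmods, target);
    if (!m) return HOOK_UNBACKED;
    return m->signed_ok ? HOOK_LEGIT_MODULE : HOOK_UNSIGNED_MODULE;
}

/* ---- constructed scenarios (names and addresses are hypothetical) ---- */
static const module_t MODS[] = {
    { "wininet.dll", 0x76000000, 0x200000, 1 },   /* the hooked API lives here */
    { "avshim.dll",  0x6B000000, 0x040000, 1 },   /* stand-in for a signed security product */
    { "dropper.dll", 0x10000000, 0x010000, 0 },   /* stand-in for an unsigned injected module */
};
#define PROLOGUE_LEN 6
/* mov edi,edi; push ebp; mov ebp,esp; (start of next insn): the usual hot-patchable prologue */
static const uint8_t ON_DISK[PROLOGUE_LEN] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83 };
static const uint64_t API_VA = 0x76012340;   /* constructed address of the exported function */

static void make_jmp(uint8_t *buf, uint64_t va, uint64_t target) {
    buf[0] = 0xE9; wr32(buf + 1, (uint32_t)(target - (va + 5))); buf[5] = ON_DISK[5];
}
static void make_push_ret(uint8_t *buf, uint64_t target) {
    buf[0] = 0x68; wr32(buf + 1, (uint32_t)target); buf[5] = 0xC3;
}

/* which: 0 clean, 1 detour into signed module, 2 into unsigned module, 3 into unbacked memory */
hook_verdict_t demo_case(int which) {
    uint8_t mem[PROLOGUE_LEN];
    memcpy(mem, ON_DISK, PROLOGUE_LEN);
    switch (which) {
    case 1: make_jmp(mem, API_VA, 0x6B001000); break;
    case 2: make_jmp(mem, API_VA, 0x10002000); break;
    case 3: make_push_ret(mem, 0x00430000); break;   /* private region, no module behind it */
    default: break;
    }
    return classify_prologue(mem, ON_DISK, PROLOGUE_LEN, API_VA, MODS, sizeof MODS / sizeof MODS[0]);
}

int main(void) {
    static const char *names[] = { "none", "legit-module", "unsigned-module", "unbacked", "unknown-patch" };
    for (int i = 0; i < 4; i++) printf("case %d: %s\n", i, names[demo_case(i)]);
    return 0;
}
```

Two caveats a practitioner will hit immediately. First, the comparison only works after the on-disk image has been mapped and relocated the same way the loader did it, or every relocated absolute address will look like a patch. Second, a verdict based on the first hop is easy to evade: a hook can land in a signed module's code cave or chain through a legitimate trampoline, so a stricter policy also checks that the target lies inside an executable section of that module rather than just inside its address range.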