HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Rasheed187

    Rasheed187 Registered Member

    OK, so you're saying that all files downloaded via some protected application (like browser) will be scanned, but not if you copy files from USB stick? This sounds a bit weird to me.

    Wow, I would have never known that YTD Downloader tries to access browser passwords and cookies? But can't you just block YTD only from this activity or does it mean that it can't run at all?
     
  2. RonnyT

    RonnyT QA Engineer

    That's the trouble with trying to keep it simple, we don't scan downloads, we only scan 'On execute'.

    That's the fun of our very granular whitelisting mechanism, you can use Suppress Alert for that so it only allows exactly that, should it start to fire a Hollow Process or try any other trick it will be smashed like any other binary attempting that.
     
  3. RonnyT

    RonnyT QA Engineer

    FF uses different mechanisms so is more difficult to implement.

    BUT the average stealer does a blanket sweep over all credentials it can find, they might be able to "copy" your important files to a folder, but before they zip-up and submit they will be caught by Cookie guard hitting one of your chromium browsers, the process gets terminated and your creds should be saved.
     
  4. RonnyT

    RonnyT QA Engineer

    That depends on how they test (or who pays their review) but yes we are familiar with certain test(ers) having no clue what our product does and start about lack of VPN or Spam filter.
    The signature db is SophosLabs Cloud, no VT involved. Both HMP and HMPA get their hash lookup verdicts from that, so I would not classify that as "not that advanced"
     
  5. JEAM

    JEAM Registered Member

    Thanks @RonnyT, that was informative. :thumb:
     
  6. Rasheed187

    Rasheed187 Registered Member

    OK cool, the cloud signatures are from Sophos Labs, I assume it's SophosLabs Intelix? But then I still don't understand why reviewers say that HMPA couldn't pick up many malware samples during testing. Is it perhaps because they didn't actually run the malware samples or because these malware samples weren't downloaded by the browser? Perhaps you guys should ask MRG Effitas to test HMPA's cloud scanner.

    https://www.sophos.com/en-us/intelix
     
  7. Rasheed187

    Rasheed187 Registered Member

    OK I see, so once files are actually executed, then the cloud scanner will give a verdict. I assume this shouldn't interfere with another AV like Win Defender which is also mostly cloud based? About my other question, what I meant is that can you block YTD Video Downloader from accessing browser cookies and passwords and still allow it to run? Because I know that during my last test of HMPA a year ago, it kept alerting about Sandboxie, and I believe there was no way to allow the triggered behavior or to make it trusted.
     
  8. The_PrivaZer_Team

    The_PrivaZer_Team Developer

  9. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    issue has just been fixed by the HitmanPro Team. :thumb:
     
  10. JEAM

    JEAM Registered Member

    I had an episode of Steve Gibson's "Security Now!" podcast on pause in Windows (10) Media Player, when HMP.A (build 947) intercepted something:

    HMPA vs WMP.png HMPA vs WMP b.png


    Bug?
     
  11. RonnyT

    RonnyT QA Engineer

    Can you reproduce that? The command suggests that the media player kicked off diagnostics because it thought it was offline, so this would normally be collateral damage.
     
  12. JEAM

    JEAM Registered Member

    Thanks for the reply, @RonnyT . Sadly, I have not managed to reproduce the above message. All I remember is that the MP3 file was on pause, but I can't remember which MP3 file it was or at what time point in the file this may have been. It may have happened when I hit the Play button to resume playing from Pause, but am no longer sure of that.
     
  13. paulderdash

    paulderdash Registered Member

    No @RonnyT here or beta thread in three months ... no development, or just summer holidays? :)
     
  14. RonnyT

    RonnyT QA Engineer

    Hi @paulderdash

    Yeah I know it looks quiet, and yes summer holidays don't help, but we're working on a new release.
    Just the current testing build is nowhere near stable enough to release, so I expect something new in a couple of weeks.

     
  15. paulderdash

    paulderdash Registered Member

    Great news Ronny!
     
  16. deugniet

    deugniet Registered Member

    +1.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Cool to know that HMPA is still alive. Would be nice if you guys could also showcase HMPA against malware, similar to AppCheck who has its own YouTube channel. And don't forget to give a whitelist option, so that it will stop blocking legitimate software.
     
  18. JEAM

    JEAM Registered Member

    Tonight I was running a manual HMP.A scan, when the computer BSOD'd with a KERNEL_DATA_INPAGE_ERROR, stop code 0x0000007A.

    Is this a coincidence, or might it have something to do with HMP.A? Reporting it just in case.

    The PC is on version 3.8.22, build 947.
     
  19. RonnyT

    RonnyT QA Engineer

    Do you happen to have the memory.dmp file?
     
  20. RonnyT

    RonnyT QA Engineer

    For now we have suppress alert (Anti-Malware) and exclude (Anti Exploit). So are you looking for something to prevent updated software from being flagged again?
     
  21. Rasheed187

    Rasheed187 Registered Member

    Last time I checked, HMPA's CookieGuard kept alerting about Sandboxie, and there was no way to mark Sandboxie as trusted. In the other HMPA thread (second quote), even Edge was apparently triggering this, which is of course also a problem because a browser needs access to cookies.
     
  22. RonnyT

    RonnyT QA Engineer

    Yes there are cases that cannot be suppressed but that's the reason the protection got its own tick box, you can now switch it off.
    Can you provide me a new alert of that type so I can have a look if we can tweak something there.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Yes, but you obviously don't want to switch off protection for all apps. That's what I meant, why not give an option to fully trust Sandboxie (or other app), this means that HMPA will simply ignore it. Of course Edge triggering such a warning is an even bigger problem, because you can't set it to be ignored, since it has to be protected against info-stealers. And I have sent you a PM.
     
  24. john7

    john7 Registered Member

    I am at a loss as to the marketing approach with HitmanPro.Alert. I have a license for 3 PCs which was for 3 years running out 5th January next year. But I started getting emails saying I could save 15% from the end of November as my license was meant to expire in December, no. Now I am getting them anew for the correct date in January, but no surprise there is NO discount at all. I get exactly the same price direct through the program as through the discount offer email. These sort of tactics really annoy me a lot and verge, I think, on dishonest.
     
  25. RonnyT

    RonnyT QA Engineer

    Hi John,
    That should not be the case, can you open a support ticket via support@hitmanpro.com so we can get this investigated and resolved?
     