HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. osmandemi

    osmandemi Registered Member

    Joined:
    May 5, 2010
    Posts:
    117
    Hello, CookieGuard is preventing me from updating the Internet Download Manager program. It closes the program.
    Code:
    Mitigation   CookieGuard
    Timestamp    2024-02-24T07:41:27
    
    Platform     10.0.22621/x64 v979 af_61
    PID          8724
    WoW          x86
    Feature      00FD2E70000000A6
    Application  C:\Program Files (x86)\Internet Download Manager\IDMan.exe
    Created      2023-12-06T19:59:48
    Description  Internet Download Manager (IDM) 6.42.3
    
    Attempt to read protected Edge data
    SHA-256      8eeddaa5d3b04ce46ee4dbe6b5b875ddb186af00260d63a148e8b366e28b40e4
    SHA-1        e2d6983d646ceb5a5d85ce2626dc7b99cb270f61
    MD5          18dec5a7201493e8ad02259edcc92cf6
    
    Process is marked as signed
    Certhash could be obtained
    CertHash: 74a673ff
    
    Loaded Modules (97)
    -----------------------------------------------------------------------------
    00090000-00658000 IDMan.exe (Tonec Inc.),
                      version: 6, 42, 3, 3
    77160000-77311000 ntdll.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    75B50000-75C40000 KERNEL32.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    739F0000-73B34000 hmpalert.dll (Sophos B.V.),
                      version: 3.8.26.979
    756E0000-75954000 KERNELBASE.dll (Microsoft Corporation),
                      version: 10.0.22621.3155 (WinBuild.160101.0800)
    76B40000-76CE8000 USER32.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    75FD0000-75FEA000 win32u.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    75B20000-75B43000 GDI32.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    75090000-75172000 gdi32full.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    76510000-76589000 msvcp_win.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    76CF0000-76E02000 ucrtbase.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    74FD0000-75081000 COMDLG32.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    75D40000-75FBD000 combase.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    75350000-7540A000 RPCRT4.dll (Microsoft Corporation),
                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    767D0000-76891000 shcore.dll (Microsoft Corporation),
                      version: 10.0.22621.2715 (WinBuild.160101.0800)
    75AD0000-75B1B000 SHLWAPI.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    75C70000-75D34000 msvcrt.dll (Microsoft Corporation),
                      version: 7.0.22621.2506 (WinBuild.160101.0800)
    74930000-74FC8000 SHELL32.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    766A0000-7671F000 ADVAPI32.dll (Microsoft Corporation),
                      version: 10.0.22621.3007 (WinBuild.160101.0800)
    755B0000-75635000 sechost.dll (Microsoft Corporation),
                      version: 10.0.22621.3007 (WinBuild.160101.0800)
    75FF0000-7600A000 bcrypt.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    72430000-72658000 COMCTL32.dll (Microsoft Corporation),
                      version: 6.10 (WinBuild.160101.0800)
    75C40000-75C65000 IMM32.DLL (Microsoft Corporation),
                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    03180000-0386C000 windows.storage.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    740D0000-74197000 wintypes.dll (Microsoft Corporation),
                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    76730000-767CC000 OLEAUT32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    75440000-75590000 ole32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    731E0000-7321D000 CFGMGR32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    74040000-74053000 kernel.appcore.dll (Microsoft Corporation),
                      version: 10.0.22621.2715 (WinBuild.160101.0800)
    748C0000-74922000 bcryptPrimitives.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    76AC0000-76B3F000 uxtheme.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    76640000-76698000 wintrust.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    769B0000-76AB3000 CRYPT32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    74060000-7406E000 MSASN1.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73F90000-73FA5000 CRYPTSP.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73F60000-73F90000 rsaenh.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    740A0000-740AB000 CRYPTBASE.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    75180000-7519B000 imagehlp.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73F30000-73F51000 gpapi.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    769A0000-769A8000 version.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73560000-7357C000 olepro32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73530000-7355F000 oledlg.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    764B0000-7650F000 ws2_32.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    72860000-72CE8000 wininet.dll (Microsoft Corporation),
                      version: 11.00.22621.2506 (WinBuild.160101.0800)
    734B0000-7352C000 netshell.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73DF0000-73E14000 IPHLPAPI.DLL (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73490000-734AE000 NetSetupApi.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73470000-7347A000 nlaapi.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    723E0000-72423000 Connect.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    76070000-764AD000 SETUPAPI.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    72270000-723DE000 gdiplus.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    74070000-74094000 USERENV.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    71790000-71889000 RASAPI32.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    72250000-72262000 rtutils.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    740B0000-740CD000 profapi.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    71FE0000-7200E000 RASMAN.DLL (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    733C0000-733E9000 ntmarta.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    768B0000-76912000 coml2.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    72080000-72096000 asycfilt.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    76590000-76612000 clbcatq.dll (Microsoft Corporation),
                      version: 2001.12.10941.16384 (WinBuild.160101.080
    77050000-7714E000 MSCTF.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    73250000-73317000 PROPSYS.dll (Microsoft Corporation),
                      version: 7.0.22621.2506 (WinBuild.160101.0800)
    755A0000-755A7000 NSI.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73DD0000-73DE6000 dhcpcsvc6.DLL (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73DB0000-73DC7000 dhcpcsvc.DLL (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    716A0000-71783000 Windows.System.Launcher.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    71630000-71697000 msvcp110_win.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    71F90000-71FA3000 windows.staterepositorycore.dll (Microsoft Corporation),
                      version: 10.0.22621.2792 (WinBuild.160101.0800)
    71590000-71625000 TextShaping.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    72240000-7224A000 idmnmcl.dll (Internet Download Manage),
                      version: 6, 41, 18, 1
    71540000-7158C000 dataexchange.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    71350000-7153C000 twinapi.appcore.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    711F0000-71350000 WindowsCodecs.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    710E0000-711BA000 MrmCoreR.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    76E10000-77048000 iertutil.dll (Microsoft Corporation),
                      version: 11.00.22621.3085 (WinBuild.160101.0800)
    710C0000-710D2000 napinsp.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    710A0000-710B6000 pnrpnsp.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73CC0000-73D11000 mswsock.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73B60000-73C1D000 DNSAPI.dll (Microsoft Corporation),
                      version: 10.0.22621.3155 (WinBuild.160101.0800)
    720E0000-720EE000 winrnr.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    71080000-71091000 wshbth.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    73FB0000-73FC8000 nlansp_c.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    711C0000-711E1000 mdnsNSP.dll (Apple Inc.),
                      version: 3,0,0,10
    70F80000-71079000 textinputframework.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    733F0000-7344D000 fwpuclnt.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    70EB0000-70F7E000 CoreMessaging.dll (Microsoft Corporation),
                      version: 10.0.22621.3007 (WinBuild.160101.0800)
    73B50000-73B58000 rasadhlp.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    70350000-705E1000 CoreUIComponents.dll (Microsoft Corporation),
                      version: 10.0.22621.2506
    70E50000-70EA3000 thumbcache.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    73220000-73244000 dwmapi.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    73C80000-73CA6000 SspiCli.dll (Microsoft Corporation),
                      version: 10.0.22621.3007 (WinBuild.160101.0800)
    73730000-7373A000 secur32.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73330000-733B4000 schannel.dll (Microsoft Corporation),
                      version: 10.0.22621.3085 (WinBuild.160101.0800)
    73130000-73155000 ncrypt.dll (Microsoft Corporation),
                      version: 10.0.22621.3007 (WinBuild.160101.0800)
    73100000-73128000 NTASN1.dll (Microsoft Corporation),
                      version: 10.0.22621.1 (WinBuild.160101.0800)
    73090000-730B0000 ncryptsslp.dll (Microsoft Corporation),
                      version: 10.0.22621.2506 (WinBuild.160101.0800)
    70DE0000-70E4C000 idmindex.dll (Tonec Inc.),
                      version: 6, 23, 21, 1
    
    Process Trace
    1  C:\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
    2  C:\Windows\explorer.exe [16116]
    
    Dropped Files
    1  C:\Users\Osman\AppData\Local\Temp\~DF025118B0797D576B.TMP
         Dropped by \Device\HarddiskVolume3\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
    2  C:\Users\Osman\AppData\Roaming\IDM\defextmap.dat
         Dropped by \Device\HarddiskVolume3\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
            Read by \Device\HarddiskVolume3\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
    3  C:\Users\Osman\AppData\Roaming\IDM\urlexclist.dat
         Dropped by \Device\HarddiskVolume3\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
            Read by \Device\HarddiskVolume3\Windows\explorer.exe [16116]
    4  C:\Users\Osman\AppData\Roaming\IDM\DwnlData\Osman\www_internetdownload_392\log_392.log
         Dropped by \Device\HarddiskVolume3\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
    1  C:\Users\Osman\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x00000000000002b9.db
         Dropped by \Device\HarddiskVolume3\Windows\explorer.exe [16116]
    
    Thumbprints
    1ee47f92107742ed1c2f5f43298e16b52adb0ea58b2b376574d09bb6cb0bd307 (crt)
    fd4f33f55ae9a47e2eb35d9b0a42ef8f4ce0cbaff4ad1fa94bd7ad171ca9b97a (pfn)
    55e414b49792c9a0c6fe9cba1029193e24f1b1fe6428ac1c8d1c785db0a050b0 (fhsh)
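    The report above is the plain-text block HitmanPro.Alert emits for a blocked action. As an added example (not code from the original post, nor from Sophos), here is a small parser for that format that pulls out the header fields, the loaded-module list and the process trace, checks that the report says the process was signed, and lists modules whose publisher is neither Microsoft, Sophos (hmpalert.dll is HMPA's own in-process hook) nor the blocked application's own vendor. The heuristic of looking at third-party modules first is the example's own; the sample input is a constructed excerpt of the report above, trimmed to five of the 97 modules.

```python
"""Parse a HitmanPro.Alert mitigation report (the plain-text block HMPA shows
for a blocked action) and pull out the fields a responder wants first."""
import re

# Constructed excerpt of the CookieGuard report quoted above, trimmed to five
# of the 97 modules so the example stays short. Raw string: the paths contain
# backslashes.
REPORT = r"""
Mitigation   CookieGuard
Timestamp    2024-02-24T07:41:27

Platform     10.0.22621/x64 v979 af_61
PID          8724
WoW          x86
Application  C:\Program Files (x86)\Internet Download Manager\IDMan.exe
Description  Internet Download Manager (IDM) 6.42.3

Attempt to read protected Edge data
SHA-256      8eeddaa5d3b04ce46ee4dbe6b5b875ddb186af00260d63a148e8b366e28b40e4

Process is marked as signed
Certhash could be obtained
CertHash: 74a673ff

Loaded Modules (5)
-----------------------------------------------------------------------------
00090000-00658000 IDMan.exe (Tonec Inc.),
                  version: 6, 42, 3, 3
77160000-77311000 ntdll.dll (Microsoft Corporation),
                  version: 10.0.22621.3085 (WinBuild.160101.0800)
739F0000-73B34000 hmpalert.dll (Sophos B.V.),
                  version: 3.8.26.979
711C0000-711E1000 mdnsNSP.dll (Apple Inc.),
                  version: 3,0,0,10
70DE0000-70E4C000 idmindex.dll (Tonec Inc.),
                  version: 6, 23, 21, 1

Process Trace
1  C:\Program Files (x86)\Internet Download Manager\IDMan.exe [8724]
2  C:\Windows\explorer.exe [16116]
"""

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s{2,}(.+)$")
MODULE_RE = re.compile(r"^([0-9A-Fa-f]{8})-([0-9A-Fa-f]{8}) (\S+) \((.*)\),$")
VERSION_RE = re.compile(r"^\s+version: (.+)$")
TRACE_RE = re.compile(r"^\d+\s+(.+) \[(\d+)\]$")

# hmpalert.dll is HMPA's own in-process hook, so it is expected in every
# protected process; Microsoft system DLLs are expected in any Windows process.
EXPECTED_PUBLISHERS = {"Microsoft Corporation", "Sophos B.V."}


def parse_report(text):
    """Return (fields, modules, trace); header lines without a key go to fields['Notes']."""
    fields, modules, trace = {"Notes": []}, [], []
    section = "header"
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Loaded Modules"):
            section = "modules"
            continue
        if line.startswith("Process Trace"):
            section = "trace"
            continue
        if line.startswith(("Dropped Files", "Thumbprints")):
            section = "other"
            continue
        if section == "header":
            m = HEADER_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
            elif line.startswith("CertHash:"):
                fields["CertHash"] = line.split(":", 1)[1].strip()
            else:
                fields["Notes"].append(line.strip())
        elif section == "modules":
            m = MODULE_RE.match(line)
            if m:
                base, end, name, publisher = m.groups()
                modules.append({"base": int(base, 16), "end": int(end, 16),
                                "name": name, "publisher": publisher, "version": None})
            else:
                v = VERSION_RE.match(line)
                if v and modules:
                    modules[-1]["version"] = v.group(1).strip()
        elif section == "trace":
            m = TRACE_RE.match(line)
            if m:
                trace.append((m.group(1), int(m.group(2))))
    return fields, modules, trace


def is_signed(fields):
    """HMPA prints these lines only when it verified a signature and hashed the cert."""
    return "Process is marked as signed" in fields["Notes"] and "CertHash" in fields


def third_party_modules(fields, modules):
    """Modules from publishers other than Microsoft, Sophos and the blocked
    application's own vendor (taken from the main image's publisher). These are
    the first candidates when deciding whether the application itself or a
    loaded third-party DLL performed the access that tripped the mitigation."""
    exe = fields["Application"].rsplit("\\", 1)[-1].lower()
    own = {m["publisher"] for m in modules if m["name"].lower() == exe}
    expected = EXPECTED_PUBLISHERS | own
    return [m for m in modules if m["publisher"] not in expected]


if __name__ == "__main__":
    f, mods, tr = parse_report(REPORT)
    print(f["Mitigation"], f["Application"], "signed" if is_signed(f) else "unsigned")
    for m in third_party_modules(f, mods):
        print(f"third-party module {m['name']} ({m['publisher']}) v{m['version']} "
              f"at {m['base']:08X}-{m['end']:08X}")
    print("parent:", tr[-1])
```

    On the excerpt this reports the process as signed and flags only mdnsNSP.dll (Apple Inc.), a Winsock namespace provider that gets loaded into any process using sockets; the parser says nothing about whether that module did anything, it only tells you where to look first.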
     
  2. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    589
    Last night suddenly we started having trouble streaming a show on our TV PC. I closed Firefox and reopened it, but FF could not load the home page or any other Web page. However, the network icon in the system tray appeared normal (no yellow triangle), and the network troubleshooter didn't report any problems.

    Looking around, I noticed that the HMP.A icon in the notification area had a small "x" in the corner, like this:

    HMPA-x.png

    Clicking on that icon didn't bring up the GUI for the program, nor could I kill its process in Task Manager (of course) in order to relaunch, so I ended up rebooting the PC, and then everything was fine again and we resumed the streamed show.

    I've seen this "x" on the icon once before, a couple of months ago. That time, I remember being able to open the GUI and noticing that there was no information displayed for any of the categories in the advanced interface.

    *** HMP.A version 3.8.26, build 979 on a Windows 7 Home Premium PC. More than two years to go on our current subscription. ***

    Any idea what might cause this "x" to appear, and what can be done to fix it other than rebooting? The wife would be a lot happier if we didn't need to reboot the system to take care of this.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,047
    Location:
    The Netherlands
    BTW Ronny, did you see Erik Loman boasting about the FudModule rootkit trying to disable HMPA? :D

    And I have another question about CryptoGuard, does it make use of a back up folder in order to restore encrypted files? I noticed that AppCheck is using such a technique.

    https://twitter.com/erikloman/status/1762847300542497181
     
    Last edited: Mar 3, 2024
  4. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    589
    "Bumping" the above post. To prevent the issue from recurring, we have since uninstalled HMP.A, but if possible I'd rather track down the problem and solve it so that we can keep using HMP.A.
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    676
    Location:
    Planet Earth
    Yes, the red cross means the communication with the service has gone, seems like the service process crashed in the background.
    You might want to set the postmortem debugger to catch a memory dump next time that happens.

    Can you download this sysinternals tool http://live.sysinternals.com/procdump.exe
    Create a folder c:\dumps, place the procdump.exe in there, open an administrative command-box and execute the command below:
    c:\dumps\procdump -ma -i c:\dumps\

    then reproduce the issue, this should record a memory dump of the crashing process.
    Once you have that dump please send it to us via https://www.wetransfer.com and give us a hint in this ticket

    If you want you can reset your Just in time debugger
    procdump -u
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    676
    Location:
    Planet Earth
    :)

    And yes, it does make a backup of attacked files/streams hence we can rollback (most of) the files after the attack is triggered.
     
  7. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    589
    Thank you, @RonnyT.

    I've reinstalled HMP.A on that PC and have put procdump.exe on it. I will wait until it happens on its own and then send you the requested report.

    EDIT: I figured out the following. [[Question: the part about resetting the Just in Time debugger -- I would be doing that after reporting a crash, correct?]]
     
    Last edited: Mar 17, 2024
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,047
    Location:
    The Netherlands
    But how does this work exactly? I never really understood it, because if HMPA only makes a backup when it believes the system is attacked, then you risk not being able to rollback all files, like you said yourself.

    I also don't have a clue how it works in AppCheck Anti-Ransomware, in the newest versions it even warns about that if you disable the back up function, it might not be able to fully protect against ransomware. Then why give an option to disable it, know what I mean?
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    676
    Location:
    Planet Earth
    That's correct
     
  10. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    589
    Thanks @RonnyT. :thumb:

    BTW, I'm relieved to report that the issue hasn't recurred yet...
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    676
    Location:
    Planet Earth
    HitmanPro.Alert 3.8.26 Build 983

    Changelog (compared to 979)
    • Added UI - EventLog - Clear event data dialog, use right mouse click on "Last events"
    • Added UI - EventLog - Show only Suppressed events
    • Added UI - EventLog - Copy details to clipboard button
    • Added Several code preparations for upcoming changes/additions
    • Fixed Exclusions - UWP exclusions browser for Windows 11
    • Fixed BSOD - CryptoGuard5
    • Improved HeapHeapProtect
    • Improved SoftwareRadar - No longer removes UWP Exclusions at startup
    • Improved PrivGuard - Now also prints the current and expected userSID's
    • Improved Kernel32Trap
    • Improved SyscallX64
    https://dl.surfright.nl/hmpalert3b983.exe
    Auto-update will also be enabled from 979 -> 983
    Note for testers this is the exact same version as 983 RC1 on the beta board.
    HMPA983CleanEvents.jpg HMPA983Filtered.jpg HMPA983CopyToClipboard.jpg
     
    Last edited: Apr 5, 2024
  12. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    589
    OK, the issue has recurred. Launched Firefox, and can't open any new Web pages. The "x" is back in the corner of the HMP.A shield.

    I followed the instructions given above, but nothing happened: no dump file was created!

    What is known in the Home Theater online forums as "WAF" ("Wife Approval Factor") has dropped to near zero, as she was looking forward to watching one of her favorite series. Rebooting was out of the question, as Windows Media Center was recording my favorite baseball team at the same time.
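    The procdump procedure RonnyT gave earlier in the thread, with the checks a practitioner adds when, as in the post above, the crash recurs and no dump file appears. This is an added example, not part of either post and not a Sophos procedure: C:\dumps and the procdump.exe URL are taken from RonnyT's post; the service image name is a placeholder to replace with the real one, and the registry and trigger details are from procdump's documented behaviour, not from anything HMPA-specific on this page.

```powershell
# Added example, not part of RonnyT's instructions: automate the procdump
# post-mortem setup from the post and verify what it actually configured, for
# the case where the service crashes again and no .dmp appears.
# Assumptions: the folder C:\dumps from the post; $ServiceProcess is a
# placeholder for the real image name of the HMPA service process.
$DumpDir        = 'C:\dumps'
$ProcDump       = Join-Path $DumpDir 'procdump.exe'
$ServiceProcess = 'REPLACE_WITH_SERVICE_IMAGE.exe'

New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null
if (-not (Test-Path $ProcDump)) {
    Invoke-WebRequest -Uri 'https://live.sysinternals.com/procdump.exe' -OutFile $ProcDump
}

# Supply-chain check before running a tool you just downloaded: the file must
# carry a valid Authenticode signature chaining to Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $ProcDump
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "procdump.exe signature check failed: $($sig.Status)"
}

# Step from the post: register procdump as the AeDebug post-mortem debugger,
# writing full dumps (-ma) into C:\dumps.
& $ProcDump -accepteula -ma -i $DumpDir

# Verify the registry state Windows consults on an unhandled exception. On
# 64-bit Windows there are two views: the native key and WOW6432Node for
# 32-bit processes. Auto must be 1, otherwise a dialog waits for a click that
# nobody sees when the crashing process is a service.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
foreach ($key in $keys) {
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $v) { "$key : not present"; continue }
    "{0}`n  Auto={1}`n  Debugger={2}" -f $key, $v.Auto, $v.Debugger
}

# Caveat: AeDebug only fires on an unhandled exception. A service that exits
# on its own, is terminated, or just hangs produces no dump this way, which is
# one explanation for an empty C:\dumps. For those cases attach procdump to
# the running process instead: -e dumps on an unhandled exception, -t on
# termination, so whichever happens first is captured.
$baseName = [IO.Path]::GetFileNameWithoutExtension($ServiceProcess)
if (Get-Process -Name $baseName -ErrorAction SilentlyContinue) {
    Start-Process -FilePath $ProcDump `
        -ArgumentList "-accepteula -ma -e -t $ServiceProcess $DumpDir" -NoNewWindow
}

# After reproducing the issue, this is what to send (then `procdump -u` to
# unregister the post-mortem debugger again, as the post says).
Get-ChildItem -Path $DumpDir -Filter '*.dmp' | Select-Object Name, Length, LastWriteTime
```

    Run it from an elevated PowerShell, since both the AeDebug keys and attaching to a service process require administrator rights. The attached procdump instance keeps running until the target exits, so leave that window alone until the problem recurs.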
     
  13. Higgsie

    Higgsie Registered Member

    Joined:
    Jun 22, 2008
    Posts:
    5
    Not sure if anyone else has this problem - when a HitmanPro scan is initiated by HitmanPro.Alert, in the resultant scan I cannot click on any of the links to open up the VirusTotal report.

    ----------------------------------------------------------------
    Issue Sent to Support:
    When HitmanPro scan has finished when I click on VirusTotal link no webpage opens, on previous builds a VirusTotal page would open, and I could see the scan results.
    I’ve looked at the setting and cannot see any configuration I can make; the only option is to include my personal VirusTotal API key.

    Please can you advise on how this issue can be resolved?
    ----------------------------------------------------------------
    The engineer came back with the following:
    Looks like something's broken there, I'll pass that on to the devs so they can fix this in an upcoming release.

    Hopefully a fix is deployed soon as, like most people on this forum, I like to validate results.
     
  14. cavehomme

    cavehomme Registered Member

    Joined:
    May 19, 2010
    Posts:
    140
    Location:
    Alps
    I've been hoping to use Sophos Home Premium as a one-stop solution, but even on a new and very powerful Thinkbook it makes the whole experience of working on this laptop "sticky".

    So I've returned to Defender + HitmanPro.Alert despite some of the issues I wrote about here a while ago. I want to try and live with this combo, preferring Defender to be the primary AV with HMPA watching and pouncing whenever needed.

    I've already got a HMP license bought a week or so ago, but for the life of me cannot find any upgrade path to HMPA within the product nor on the Sophos site. There isn't even any contact form that I can find, just a whole series of FAQs that don't lead me to where I need to be.

    Is there anyone from Hitman / Sophos here that can help me with an upgrade please?
    Even a little discount would be appreciated, if possible, given the amount of time I've already invested in this product and the time wasted on Sophos Home Premium, still have a license for that - perhaps it's a cheeky ask, but you never know ;)
     
  15. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    676
    Location:
    Planet Earth
    Are we talking about upgrading the license from HMP to HMP(A) or about the product?

    Support is either:
    support@hitmanpro.com
    https://support.hitmanpro.com/hc/en-us
    Or here.
     
  16. cavehomme

    cavehomme Registered Member

    Joined:
    May 19, 2010
    Posts:
    140
    Location:
    Alps
    Sorry for not being clear, upgrading the license from HMP to HMPA, just paying for the difference in the two prices, hopefully, rather than a separate new license.
    I've just emailed the support. Thanks
     
    Last edited: May 2, 2024
  17. cavehomme

    cavehomme Registered Member

    Joined:
    May 19, 2010
    Posts:
    140
    Location:
    Alps
    FYI just bought 3 alert licences for 3 years and support will refund the HMP single licence for 1 year.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,047
    Location:
    The Netherlands
    Ronny, what do you think about Morphisec's Moving Target Defense? I think it sounds very interesting but I wonder how it works in practice. They also claim that EDRs from MS and Sophos aren't good enough to stop certain attacks like with fileless malware, see second and third link. And I wonder if HMPA could prevent DLL sideloading as described in the fourth link?

    https://www.morphisec.com/moving-target-defense
    https://blog.morphisec.com/fileless-malware-attacks
    https://blog.morphisec.com/business-ransomware-protection-edr
    https://blog.morphisec.com/sys01stealer-facebook-info-stealer
     
  19. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    676
    Location:
    Planet Earth
    Nicely worded blog posts, their "moving target" sounds like they placed some traps here and there on highly abused spots and re-route some memory regions.
    I don't see anything spectacularly new compared to what we do, though I guess their implementation is different, we're aiming at the same issues in the OS/Application landscape and place guardrails to keep things on track.

    the undetectable attacks such as zero-days, malware variants or supply chain attacks that lead to ransomware.
    I'm pretty sure CryptoGuard (as the last layer of defense) already protects against this from 2015 on.

    With regards to the "fileless" the initial vector might not be a PE/DLL but in whichever scenario the cat has to come out of the bag and the stager/backdoor/c2 thingy has to show up, that's where HeapHeap and C2Interceptor should kick in, if none of the previous layers already triggered on suspicious behavior.

    And yes, Managed Detection and Response (from certain suppliers/vendors, as everywhere there are cowboys out there) is likely better trained and equipped than the average IT team; to be able to cover so much ground with your own team you have to have a large team and a huge bunch of knowledge in house.

    Not the sideloading itself, that's really hard and the main reason why it's so popular atm. But as soon as it tries to steal the cookies it's game over.
    And on top of that the Business product has a bunch of other layers and behavior rules to mitigate this.
     
  20. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,301
    Location:
    USA
    How do I transfer HMPA to a new computer?
     
  21. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    676
    Location:
    Planet Earth
    Just install it on the new one, and activate with the existing license; should it complain about "too many activations" please send email + key to support@hitmanpro.com
     
  22. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,301
    Location:
    USA
    Thanks Ronny.
     
  23. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    589
    @RonnyT, somebody sent me a HEIC (Apple image) file and I installed the program CopyTransViewer to see the image. But when I clicked on the image file, HMP.A intercepted the program with the following output:

    Is this a false positive or a real threat? The program had checked out OK in Norton File Insight, Norton 360 scan, and Malwarebytes scan.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,047
    Location:
    The Netherlands
    Thanks for the info. So according to you, it's probably a bit the same but not exactly the same, because the re-route of memory regions does sound like something new, no?

    Yes, CryptoGuard should protect against this stuff, and even when it's performed by malware that operates completely in-memory right?

    That's a bit weird, isn't HMPA supposed to protect against sideloading? And now you're saying it doesn't protect against the sideloading itself? Why is it so hard to detect? Or is this something that can only be fixed in Windows itself? And yes correct, HMPA is supposed to block the cookie stealing.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,047
    Location:
    The Netherlands
    BTW, I have been thinking about Morphisec's tech, and it almost sounds like some kind of memory virtualization? I suppose this is of course different compared to Sandboxie which virtualizes file system, registry and interprocess communications. I still think it's a pity that Sophos decided to stop developing Sandboxie's tech, I think virtualization can still be helpful in certain cases.

    Also, perhaps you can comment on this thread:

    https://www.wilderssecurity.com/thr...new-malware-to-kill-security-software.454839/
     