HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. wasgij6

    wasgij6 Registered Member

    Joined:
    Mar 29, 2011
    Posts:
    321
    Thanks for the quick reply. I'll try out the new version once it's released.
     
  2. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Thx, but I am talking about the Windows 8 app Skype, which is not under any template.
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Exploit mitigations on Metro apps are currently not yet supported.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The prompt that notifies the user that HMPA is protecting Adobe Flash continuously prompts the user when navigating Wilders Security Forum. It prompts the user so often that it can be annoying.
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
    No problems with (un)sandboxed Firefox 36.0.1 (W7 64 bits/build 155).
     
  7. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    I got a BSOD in my Dutch Vista 32bit with build 155.
    I am using Avast Free 10.2.2214.845 nl Final

    On Wed 04-03-2015 11:25:18 GMT your computer crashed
    crash dump file: C:\Windows\Minidump\Mini030415-01.dmp
    This was probably caused by the following module: hmpalert.sys (hmpalert+0xB7D9)
    Bugcheck code: 0x1000008E (0xFFFFFFFFC0000005, 0xFFFFFFFFAB40B7D9, 0xFFFFFFFFDE12962C, 0x0)
    Error: KERNEL_MODE_EXCEPTION_NOT_HANDLED_M
    file path: C:\Windows\system32\drivers\hmpalert.sys
    product: HitmanPro.Alert
    company: SurfRight B.V.
    description: HitmanPro.Alert Support Driver
    Bug check description: This indicates that a kernel-mode program generated an exception which the error handler did not catch.
    This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
    A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hmpalert.sys (HitmanPro.Alert Support Driver, SurfRight B.V.).
    Google query: SurfRight B.V. KERNEL_MODE_EXCEPTION_NOT_HANDLED_M

    On Wed 04-03-2015 11:25:18 GMT your computer crashed
    crash dump file: C:\Windows\memory.dmp
    This was probably caused by the following module: hmpalert.sys (hmpalert+0xB779)
    Bugcheck code: 0x8E (0xFFFFFFFFC0000005, 0xFFFFFFFFAB40B7D9, 0xFFFFFFFFDE12962C, 0x0)
    Error: KERNEL_MODE_EXCEPTION_NOT_HANDLED
    file path: C:\Windows\system32\drivers\hmpalert.sys
    product: HitmanPro.Alert
    company: SurfRight B.V.
    description: HitmanPro.Alert Support Driver
    Bug check description: This bug check indicates that a kernel-mode application generated an exception that the error handler did not catch.
    A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hmpalert.sys (HitmanPro.Alert Support Driver, SurfRight B.V.).
    Google query: SurfRight B.V. KERNEL_MODE_EXCEPTION_NOT_HANDLED
     

    Attached Files:
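
    A triage sketch for the crash report in the post above, added here as an example; it is not part of any forum post and is not SurfRight code. It decodes the two `Bugcheck code` lines and checks whether the reported `hmpalert+offset` agrees with the faulting address in parameter 2. The names `triage` and `low32` are hypothetical, and `REPORT` is a constructed sample built from the lines quoted in the post.

```python
import re

# Constructed sample: the two report entries from the post, reduced to the
# lines the parser needs.
REPORT = """\
This was probably caused by the following module: hmpalert.sys (hmpalert+0xB7D9)
Bugcheck code: 0x1000008E (0xFFFFFFFFC0000005, 0xFFFFFFFFAB40B7D9, 0xFFFFFFFFDE12962C, 0x0)
This was probably caused by the following module: hmpalert.sys (hmpalert+0xB779)
Bugcheck code: 0x8E (0xFFFFFFFFC0000005, 0xFFFFFFFFAB40B7D9, 0xFFFFFFFFDE12962C, 0x0)
"""

NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}  # only the code seen here
MODULE_RE = re.compile(r"module: (\S+) \((\w+)\+0x([0-9A-Fa-f]+)\)")
BUGCHECK_RE = re.compile(r"Bugcheck code: 0x([0-9A-Fa-f]+) \(([^)]*)\)")


def low32(value):
    """Values from a 32-bit system are shown sign-extended; keep the low half."""
    return value & 0xFFFFFFFF


def triage(report):
    """Pair each 'module' line with the 'Bugcheck code' line that follows it."""
    results, module = [], None
    for line in report.splitlines():
        m = MODULE_RE.search(line)
        if m:
            module = (m.group(1), int(m.group(3), 16))
            continue
        b = BUGCHECK_RE.search(line)
        if b and module:
            params = [low32(int(p, 16)) for p in b.group(2).split(",")]
            # Bug check 0x8E: parameter 1 is the exception code, parameter 2
            # the address where the exception occurred.
            implied_base = params[1] - module[1]
            results.append({
                "driver": module[0],
                # 0x1000008E (the "_M" name) has the same meaning as 0x8E.
                "bugcheck": int(b.group(1), 16) & 0x0FFFFFFF,
                "exception": NTSTATUS.get(params[0], hex(params[0])),
                "fault_address": params[1],
                "implied_base": implied_base,
                # Driver images load page-aligned; a misaligned result means
                # the offset and parameter 2 name different locations.
                "offset_matches_fault": implied_base % 0x1000 == 0,
            })
            module = None
    return results
```

    Run on the two entries, the minidump entry's offset agrees with parameter 2, while the memory.dmp entry's offset (0xB779) does not, even though both entries carry the same faulting address.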

  8. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you send me the C:\Windows\memory.dmp file? Send it via www.wetransfer.com to erik(at]surfright.com.
     
  9. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    Both transferred.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
  11. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    I got this at startup of the download application GetRight in my Dutch Vista 32-bit with build 155.
    But this does not always happen and I do not see why.
    Same problem with Avant browser, also not always.
    When this happens and after starting both in passive vaccination, these programs run without problems in active vaccination.
    Getright False Positive.jpg
     
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    When I try to 'scan' with HMPA, it comes up with 'Failed' now.

    Any idea?
     

  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    :eek:
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    AppGuard activity reports numerous > Prevented process <Firefox> from writing to <c:\windows\cryptoguard\bcd6a129>

    Why does FF writing to cryptoguard require preventing? Is AppGuard blocking required communication between Firefox and HMPA?
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    If you get attacked by crypto-ransomware, CryptoGuard won't be able to help you as AppGuard is interfering with the rollback mechanism. Can you make an exclude to C:\Windows\CryptoGuard\ folder in AppGuard?
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    EDIT ~ #4315

    OK ~ just that AG Thread advises not to make exception.
    <<Unless something has stopped working as a result of AppGuard preventing Firefox from writing to the Cryptoguard folder (unlikely), it's probably best to ignore this and wait for it to be fixed in HMPA. Speaking personally, I wouldn't make folder exceptions for something that shouldn't be happening in the first place.>> #2920
    Hope Wilders does not see this as A v B
    So, C:\Windows\CryptoGuard\ will be added as an Exception folder in AppGuard
    *** Nice to find out no rollback because of AG.
     
    Last edited: Mar 7, 2015
  17. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Have you considered holding the CryptoGuard rollback data in an AppData folder instead of a Windows folder?

    AppGuard launch protection will be weakened if a Windows folder is listed as an exception folder within AppGuard.
     
  18. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    AppGuard assumes that application data will be held in AppData, not Windows system folders. Whilst a Windows folder can be listed as an exception folder within AppGuard, it can't also be included in the user-space definition, which would apply AppGuard launch protection. This creates a potential for a drive-by download. That said, any attempt to launch an executable would inherit the same permissions as Firefox and run guarded. Using AppData to hold application data avoids the issue altogether.

    You can create an exception folder via the Settings section of the Guarded Apps tab within the AppGuard GUI.

    EDIT: I've just checked this myself and somewhere down the line AppGuard has been changed to allow Windows folders to be included in the user-space definition, albeit with a recommendation not to do it. AppGuard used to prevent this with no option to override.

    What I would suggest you do then is to also include the CryptoGuard folder in the user-space definition within AppGuard. This is done via the User Space tab within the AppGuard GUI by listing the folder with the Include flag set to Yes. Making the CryptoGuard folder an exception folder and including it in the user-space definition effectively moves it from system-space to user-space. That way, you don't weaken AppGuard drive-by download protection.

    If you would like to discuss this further, let's continue in the AppGuard thread.
     
    Last edited: Mar 7, 2015
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Interesting ... Hi pegr....yeah I edited when I recalled route for Exception. Now, though .... seems I lose no matter what. HMPA no rollback or weaken AG to drive by. :thumbd:
    EDIT ~~ OK see you over at AG
     
    Last edited: Mar 7, 2015
  20. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Long known issue, but a specific exclusion in AppGuard is all you need and both are running fine together.
    SOLUTION
     
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    CryptoGuard is a kernel mode feature. So rollback is done from kernel mode. The AppData folder is somewhat tricky to resolve on different systems (languages) from kernel mode.
     
  22. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    No help with this issue?
     
  23. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    See my edited reply in post #4318 above. AppGuard 4.2 beta allows Windows folders to be included in the user-space definition. I don't know when the change to allow this was made so not sure about AppGuard 4.1.
     
  24. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Thanks for the clarification. It looks like the latest beta version of AppGuard is now allowing Windows folders to effectively be moved from system-space to user-space. It didn't use to allow this. Adding the CryptoGuard folder to the user-space definition in addition to listing it as an exception folder within AppGuard will resolve this issue without weakening any AppGuard protection, so it looks like we have a solution.
     
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    OK ... Please see AG #2921
     