HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    A few days ago I reported having a problem with HMP.A interfering with an update to Pale Moon (a Firefox derivative). Firefox just updated to 36.0.4 without a hitch on my Vista Home Premium x64 (HMP.A build 167), so I don't expect any issues with the next PM update.

    Nice work!
     
  2. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    +1 :thumb:
     
  3. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    Running fine on Win7 Ult., both 32 and 64 bits. Also on Win 8.1 (64).
    Way to go, Mark and Erik.
     
  4. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks for the explanation, Erik. Loving HMPA 3 so far (build 172 now).

    In your opinion, is there any advantage to be gained by also installing MBAE or EMET, one or the other, as these two are not really compatible without considerable tweaking? Or would you say using EMET, or MBAE, would just be duplication and slow down the system?
     
  5. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    It looks like my W7 is messed up. Just ignore my cpu/memory usage-data.

    No problems updating build 172 (W7 64 bits/Sandboxie 4.16)
     
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Also no problems with Firefox 36.0.4 (W7 64 bits/build 172).
     
  7. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
  8. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Appcrash build 171 earlier today (now build 172 installed/W7 64 bits).

    Logboeknaam: Application
    Bron: Windows Error Reporting
    Datum: 22-3-2015 9:11:07
    Gebeurtenis-id:1001
    Taakcategorie: Geen
    Niveau: Informatie
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: *****
    Beschrijving:
    Foutbucket 939352706, type 17
    Naam van gebeurtenis: APPCRASH
    Antwoord: Niet beschikbaar
    Id van CAB-bestand: 0

    Handtekening van probleem:
    P1: hmpalert.exe
    P2: 3.0.33.171
    P3: 550c43a1
    P4: ntdll.dll
    P5: 6.1.7601.18247
    P6: 521ea8e7
    P7: c0000005
    P8: 00038e19
    P9:
    P10:

    Edit: added WER-report.

    Version=1
    EventType=APPCRASH
    EventTime=130714286422209779
    ReportType=2
    Consent=1
    UploadTime=130714854572948207
    ReportIdentifier=aead994c-cfe6-11e4-9989-001f16aa0c13
    IntegratorReportIdentifier=aead994b-cfe6-11e4-9989-001f16aa0c13
    WOW64=1
    Response.BucketId=939352706
    Response.BucketTable=17
    Response.type=4
    Sig[0].Name=Naam van de toepassing
    Sig[0].Value=hmpalert.exe
    Sig[1].Name=Versie van toepassing
    Sig[1].Value=3.0.33.171
    Sig[2].Name=Tijdstempel van toepassing
    Sig[2].Value=550c43a1
    Sig[3].Name=Naam van foutmodule
    Sig[3].Value=ntdll.dll
    Sig[4].Name=Versie van foutmodule
    Sig[4].Value=6.1.7601.18247
    Sig[5].Name=Tijdstempel van foutmodule
    Sig[5].Value=521ea8e7
    Sig[6].Name=Uitzonderingscode
    Sig[6].Value=c0000005
    Sig[7].Name=Uitzonderingsmarge
    Sig[7].Value=00038e19
    DynamicSig[1].Name=Versie van besturingssysteem
    DynamicSig[1].Value=6.1.7601.2.1.0.768.3
    DynamicSig[2].Name=Landinstelling-id
    DynamicSig[2].Value=1043
    DynamicSig[22].Name=Aanvullende informatie 1
    DynamicSig[22].Value=0a9e
    DynamicSig[23].Name=Aanvullende informatie 2
    DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
    DynamicSig[24].Name=Aanvullende informatie 3
    DynamicSig[24].Value=0a9e
    DynamicSig[25].Name=Aanvullende informatie 4
    DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
    UI[2]=C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    UI[5]=Online naar een oplossing zoeken (aanbevolen)
    UI[6]=Later naar een oplossing zoeken (aanbevolen)
    UI[7]=Sluiten
    UI[8]=HitmanPro.Alert werkt niet meer en is gesloten
    UI[9]=Er is een probleem opgetreden waardoor de toepassing niet goed meer werkt. Er wordt een melding weergegeven als een oplossing beschikbaar is.
    UI[10]=&Sluiten
    LoadedModule[0]=C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
    LoadedModule[2]=C:\Windows\syswow64\KERNEL32.dll
    LoadedModule[3]=C:\Windows\SysWOW64\hmpalert.dll
    LoadedModule[4]=C:\Windows\syswow64\KERNELBASE.dll
    LoadedModule[5]=C:\Program Files (x86)\Norton Security with Backup\NortonData\22.0.0.110\Definitions\BASHDefs\20150309.001\UMEngx86.dll
    LoadedModule[6]=C:\Windows\syswow64\USER32.dll
    LoadedModule[7]=C:\Windows\syswow64\GDI32.dll
    LoadedModule[8]=C:\Windows\syswow64\LPK.dll
    LoadedModule[9]=C:\Windows\syswow64\USP10.dll
    LoadedModule[10]=C:\Windows\syswow64\msvcrt.dll
    LoadedModule[11]=C:\Windows\syswow64\ADVAPI32.dll
    LoadedModule[12]=C:\Windows\SysWOW64\sechost.dll
    LoadedModule[13]=C:\Windows\syswow64\RPCRT4.dll
    LoadedModule[14]=C:\Windows\syswow64\SspiCli.dll
    LoadedModule[15]=C:\Windows\syswow64\CRYPTBASE.dll
    LoadedModule[16]=C:\Windows\syswow64\SHELL32.dll
    LoadedModule[17]=C:\Windows\syswow64\SHLWAPI.dll
    LoadedModule[18]=C:\Windows\syswow64\ole32.dll
    LoadedModule[19]=C:\Windows\syswow64\PSAPI.DLL
    LoadedModule[20]=C:\Windows\syswow64\CRYPT32.dll
    LoadedModule[21]=C:\Windows\syswow64\MSASN1.dll
    LoadedModule[22]=C:\Windows\system32\WTSAPI32.dll
    LoadedModule[23]=C:\Windows\syswow64\USERENV.dll
    LoadedModule[24]=C:\Windows\syswow64\profapi.dll
    LoadedModule[25]=C:\Windows\system32\VERSION.dll
    LoadedModule[26]=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
    LoadedModule[27]=C:\Windows\system32\FLTLIB.DLL
    LoadedModule[28]=C:\Windows\system32\IPHLPAPI.DLL
    LoadedModule[29]=C:\Windows\syswow64\NSI.dll
    LoadedModule[30]=C:\Windows\system32\WINNSI.DLL
    LoadedModule[31]=C:\Windows\system32\WINHTTP.dll
    LoadedModule[32]=C:\Windows\system32\webio.dll
    LoadedModule[33]=C:\Windows\system32\MSIMG32.dll
    LoadedModule[34]=C:\Windows\syswow64\WS2_32.dll
    LoadedModule[35]=C:\Windows\system32\IMM32.DLL
    LoadedModule[36]=C:\Windows\syswow64\MSCTF.dll
    LoadedModule[37]=C:\Windows\system32\CRYPTSP.dll
    LoadedModule[38]=C:\Windows\system32\rsaenh.dll
    LoadedModule[39]=C:\Windows\syswow64\wintrust.dll
    LoadedModule[40]=C:\Windows\system32\WINSTA.dll
    LoadedModule[41]=C:\Windows\syswow64\imagehlp.dll
    LoadedModule[42]=C:\Windows\system32\ncrypt.dll
    LoadedModule[43]=C:\Windows\system32\bcrypt.dll
    LoadedModule[44]=C:\Windows\SysWOW64\bcryptprimitives.dll
    LoadedModule[45]=C:\Windows\system32\GPAPI.dll
    LoadedModule[46]=C:\Windows\system32\cryptnet.dll
    LoadedModule[47]=C:\Windows\syswow64\WLDAP32.dll
    LoadedModule[48]=C:\Windows\system32\SensApi.dll
    LoadedModule[49]=C:\Windows\system32\apphelp.dll
    LoadedModule[50]=C:\Windows\system32\mswsock.dll
    State[0].Key=Transport.DoneStage1
    State[0].Value=1
    State[1].Key=DataRequest
    State[1].Value=Bucket=939352706/nBucketTable=17/nResponse=1/n
    FriendlyEventName=Werkt niet meer
    ConsentKey=APPCRASH
    AppName=HitmanPro.Alert
    AppPath=C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
     
    Last edited: Mar 22, 2015
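Added example, not part of the post above or of HitmanPro.Alert: a small triage script for a Report.wer like the one posted. It pulls out the fault signature and lists modules loaded from outside the Windows and application directories. The function names, the `C:\Windows` default and the two-entry NTSTATUS table are assumptions made for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the report posted above (same keys and values, shortened).
SAMPLE_WER = r"""EventType=APPCRASH
Sig[0].Value=hmpalert.exe
Sig[3].Name=Naam van foutmodule
Sig[3].Value=ntdll.dll
Sig[6].Value=c0000005
Sig[7].Value=00038e19
LoadedModule[0]=C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[3]=C:\Windows\SysWOW64\hmpalert.dll
LoadedModule[5]=C:\Program Files (x86)\Norton Security with Backup\NortonData\22.0.0.110\Definitions\BASHDefs\20150309.001\UMEngx86.dll
AppPath=C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
"""

LINE = re.compile(r"^(\w+)(?:\[(\d+)\])?(?:\.(\w+))?=(.*)$")
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC00000FD: "STATUS_STACK_OVERFLOW"}

def parse_wer(text):
    # Sig names are localized (Dutch here), so values are keyed by index, not name.
    sig, modules, plain = {}, [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, idx, field, val = m.groups()
        if key == "Sig" and field == "Value":
            sig[int(idx)] = val
        elif key == "LoadedModule":
            modules.append(PureWindowsPath(val))
        elif idx is None and field is None:
            plain[key] = val
    return sig, modules, plain

def triage(text, windows_dir=r"C:\Windows"):  # windows_dir is an assumption
    # APPCRASH layout as in the post: 0=app, 3=fault module, 6=exception code, 7=offset
    sig, modules, plain = parse_wer(text)
    app_dir = PureWindowsPath(plain.get("AppPath", "")).parent
    win = windows_dir.lower() + "\\"
    code = int(sig[6], 16)
    return {
        "app": sig[0], "fault_module": sig[3],
        "exception": NTSTATUS.get(code, hex(code)), "offset": int(sig[7], 16),
        # Path test only: a vendor DLL placed under the Windows directory is not listed.
        "third_party": [p.name for p in modules
                        if p.parent != app_dir and not str(p).lower().startswith(win)],
    }
```

On the excerpt, `triage(SAMPLE_WER)` reports an access violation in ntdll.dll and lists UMEngx86.dll as the only module from outside both directories; hmpalert.dll in SysWOW64 is not listed because the check is by path alone.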
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Do you have a dump?
     
  11. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    No. I do have a dmp from March 21st. Check mail.
     
  12. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    More re ROP w/dragon_sbie on MY XP running _155, 171, 172. When I saw the same ROP w/dragon_sbie on 172 that I had seen on 171, I went back from 172 to 155 and got no alerts yesterday; I had not had an ROP alert with 155 during the short time I've used hmpa3. But this morning, I tried opening Dragon w/sbie and I did get the ROP. :gack: Wow, first time for me here now seeing this with 155. Dragon closed (never opened), I opened Firefox with sbie OK, then closed FF, and again tried Dragon w/sbie and this time no ROP alert. Keystrokes appear to be working OK after I had removed Trend 2015. Here is the ROP alert I just got with 155 (from Event Viewer). If it would help, I could go back to 172 and copy that alert, but I think they're the same. Is this helpful for you, OR does it indicate something irregular or intermittent with this XP, as I see kernel involved??

    Event Type: Error
    Event Source: HitmanPro.Alert
    Event Category: (9)
    Event ID: 911
    Date: 3/22/2015
    Time: 05:28:54
    User: N/A
    Computer: [snip]
    Description:
    Mitigation ROP

    Platform 5.1.2600/x86 0f_04
    PID 1128
    Application C:\Program Files\Comodo\Dragon\dragon.exe
    Description Comodo Dragon 36.1.1

    Stack Trace
    #  Address  Module                   Location
    -- -------- ------------------------ ----------------------------------------
    1  7C81045B kernel32.dll             SetEnvironmentVariableW +0x1cd
    2  7C810560 kernel32.dll             CreateRemoteThread +0x64
    3  7C812F3C kernel32.dll             GetDiskFreeSpaceExW +0x1c1
    4  7C9293F2 ntdll.dll                RtlFormatMessage +0x314
    5  7C929457 ntdll.dll                RtlFormatMessage +0x379
    6  7C92949A ntdll.dll                RtlFormatMessage +0x3bc
    7  7C927FA5 ntdll.dll                RtlQueueWorkItem +0x4a5
    8  7C928171 ntdll.dll                RtlQueueWorkItem +0x671
    9  7C90E457 ntdll.dll                KiUserApcDispatcher +0x7
    10 0800003B (anonymous)
     
  13. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    702
    Location:
    Europe
    It will be great to add, on the context menu from the system tray, a feature to completely disable HMP Pro Alert. This will be useful to detect HMP Pro Alert conflicts with other security programs.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Updating HMP.A is like the only reason I'm rebooting more than once a week these days. :argh:
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Updated two machines to 172. A total non event. Erik and Mark. Well done!
     
  16. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,760
    Still getting DEP alerts for IE8 with v172 when launching Microsoft Update and Microsoft Update Catalog from XP Start Menu. The event log looks a little different though.
     

    Last edited: Mar 22, 2015
  17. wasgij6

    wasgij6 Registered Member

    Joined:
    Mar 29, 2011
    Posts:
    321
    Installed the newest RC last night without any problems. I shut down my computer for the night, and when I booted up this morning I continuously got a BSOD right after the BIOS screen. The BSOD was caused by partmgr.sys, which is a Windows process, but I have never had the BSOD until now. I was trying to get the dump file, but on every boot my system BSOD'd, so I had to do a system restore.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  19. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    I see something similar now and then in my Windows XP virtual machine, though not super easy to reproduce. We'll take a look at it tomorrow. Thanks!
     
  20. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    http://malwaretips.com/threads/hitm...29-release-candidate.39282/page-7#post-361358
    "Alert 3 does run together with MBAE. Both it does not make sense to run both. Either use EMET, MBAE or Alert 3 for exploit mitigations. Running a combination of these is not recommended as protection would be redundant and harming performance."

    I know that the latest MBAE Release Candidate build 1.06.1.1012 adds
    -advanced configuration of mitigations per family.

    So, I wonder if disabling redundant mitigations would improve compatibility between the two.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    You might like this thread:

    https://www.wilderssecurity.com/threads/emet-mbae-and-hmp-a.370363/
     
  22. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,760
    Mark, I can reproduce this alert consistently. If you or Erik want to do a remote session to debug it, let me know.
     
  23. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    I have MBAE 1.05 installed on XP, i.e., did not uninstall MBAE before I installed hmpa3, but neither MBAE nor its service are running. Any chance even disabled MBAE is causing any conflicts on XP? I'm seeing some issues with 171 & 172 and "degraded" to 155, where hmpa3 seems mostly A-OK.
     
  24. heikwith

    heikwith Registered Member

    Joined:
    Jul 29, 2002
    Posts:
    91
    Erik,
    2 days ago I installed 172 in my Dutch Vista and W8.1 without problems.
    Until now no problems anymore.
    So my problems with Getright and Avant browser are also gone here (I hope).
    Thanks.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Hi Victek

    I seem to have two problems with WSA and HMPA 3, both with Chrome browser:
    1. Unless I set every instance of chrome.exe from 'Protect' to 'Allow' in Identity Protection/Application Protection, Chrome will not load. Is the 'Allow' status potentially dangerous?
    2. I saw in another post https://www.wilderssecurity.com/threads/wsa-and-hitman-pro-alert.361633/, you also had issues with the 'flyout' message. I also do not get the 'flyout' message for Chrome (FF and IE work fine), even when set to 'Allow', though I do get the green border.
    I think these issues must be some sort of incompatibility with WSA - do you think it is worth pursuing on the WSA Forum, or could it be fixable from the HMPA side? It would be good to 'fix' it ...

    Edit: Please ignore my point 2. The flyout indeed does occur on boot; my Chrome seems to load on boot.
     
    Last edited: Mar 23, 2015