HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Would this have any effect on CryptoGuard protection which I have enabled in HMP.A, Appguard (another security application I use) blocks its protected apps such as MS Word from writing to C/windows/cryptoguard folder. Here is an example from AppGuard activity log:
    "02/04/16 11:10:26 Prevented process <Microsoft Word> from writing to <c:\windows\cryptoguard\3e57db46>."
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You need to set that folder as an exception folder, same as Sandboxie.
     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    That is the rollback folder; if you get hit by ransomware then you lost max. 3 files.
    As @Peter2150 said, exclude the folder.
     
    Last edited: Feb 4, 2016
  4. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Okay, thanks.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Assumption is the mother of ***** ;)
    The incompatibility had absolutely NOTHING to do with our injection but with Emsisoft's new tamper protection. The problem was only with Emsisoft's binaries. Also, Alert wasn't the only tool with a conflict, but since we sell Emsisoft and HitmanPro as a bundle people noticed it first. So we were the first ones to get a workaround. Emsisoft is fixing the issue in their code, as stated on their forum.
    The conflict with Avast was also not the injection but with hooking in general. Avast is overwriting an existing hook with more opcodes, breaking the existing hook's call to the original code (hook-on-hook). Avast is doing it wrong! Avast assumes (there it is again) they are first in the process; they are not, as we load before kernel32.dll.
     
  7. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Emsi has released new stable version with hotfix today.
     
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    @erikloman
    I think Hiltihome's question was a good question.
    I would like to know, as well.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK I see, so it wasn't HMPA's fault. So basically EIS was probably blocking HMPA from hooking the EIS process, and Avast interfered with HMPA's user-mode hook inside the browser or perhaps in the Avast process? So in short, other tools can cause problems but HMPA can still offer a workaround.
     
    Last edited: Feb 4, 2016
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    When you write "probably" you assume. EIS was not blocking HMPA. It was related to one line in kernel mode, nothing to do with user mode or hooking. If you want details, ask Emsisoft. It was their bug. We provided a workaround for our users.
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    If you have activated the license with HitmanPro.Alert 3.1 or newer, it is tied to the hardware. If you activate with HitmanPro or Alert 3.0 it is tied to the installation. If you run into activation issues, just contact me or support.
     
  12. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,843
    Location:
    the Netherlands
    Thank you very much.
    Perfectly clear. :thumb:
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, it was in the form of a question, so obviously I'm trying to figure things out. I did assume that PatchGuard (released in 2006), which prevents OS kernel hooking, would prevent a lot of conflicts, but apparently that's not always the case. So it's quite tricky stuff: one day HMPA might cause some conflict, the other day some other security tool might interfere with HMPA.
     
  14. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Perfectly clear now, how licences are treated,
    but:
    "As I stand now I poor gate and so am no wiser than before",
    because I activated 12 licences in waves and do not recall which version of HMP.A was used at the time....

    Is there a way to find out which licence model is active on a particular machine?

    The situation is that I bought 15 licences for my company, but got only 12 activated.
    I guess the rest were burned during several attempts to get HMP.A running alongside Trend Micro Worry-Free Business,
    and one replaced machine.
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I would not call an honest bug in software a HMPA specific conflict as it affected more software besides HMPA.

    Also if you are trying to figure things out related to an EIS update, you are assuming in the wrong thread. You are trying to get details that aren't mine to tell (I already told too much).

    You keep focussing on HMPA causing conflicts or other tools interfering with HMPA. Read the MBAE forum or EMET thread at Microsoft.
    Also might I remind you that the big AVs uninstall your existing AV before you can install theirs? Why do you think that is? Spoiler: they do not want to put in the effort. At least we try/have no other option but to get along with others.

    But I'm not continuing the argument.
    If you have a genuine HMPA conflict with a product/combination of products we are more than willing to sort it out.
     
    Last edited: Feb 4, 2016
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Send me the keys via PM. I'll sort it out for you.
     
  17. Ooze

    Ooze Registered Member

    Joined:
    Apr 12, 2015
    Posts:
    6
    Hi!

    Out of the blue I got this BSOD today. The computer restarted about 3 times before I could get in again.

    "netio.sys" and "classpnp.sys" were named in the bsods.

    This is from WhoCrashed:

    "On Fri 2016-02-05 07:49:01 GMT your computer crashed
    crash dump file: C:\WINDOWS\Minidump\020516-12359-01.dmp
    This was probably caused by the following module: hmpnet.sys (hmpnet+0x1B82)
    Bugcheck code: 0xD1 (0x8, 0x2, 0x0, 0xFFFFF8003005173C)
    Error: DRIVER_IRQL_NOT_LESS_OR_EQUAL
    file path: C:\WINDOWS\system32\drivers\hmpnet.sys
    product: HitmanPro.Alert
    company: SurfRight B.V.
    description: HitmanPro.Alert WFP Driver
    Bug check description: This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.
    This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
    A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hmpnet.sys (HitmanPro.Alert WFP Driver, SurfRight B.V.).
    Google query: SurfRight B.V. DRIVER_IRQL_NOT_LESS_OR_EQUAL"

    Running Windows 10 x64 with all the latest updates and the latest HitmanPro.Alert 3.1.7.357

    Computer name: -
    Windows version: Windows 10 , 10.0, build: 10586
    Windows dir: C:\WINDOWS
    Hardware: ASRock, Z77 Extreme4
    CPU: GenuineIntel Intel(R) Core(TM) i7-3770K CPU @ 3.50GHz Intel586, level: 6
    8 logical processors, active mask: 255
    RAM: 34314354688 bytes total
     
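As an added example (not code from the post, from SurfRight or from WhoCrashed), a small Python triage helper that parses the WhoCrashed report quoted above and decodes the four 0xD1 parameters using the meanings Microsoft documents for DRIVER_IRQL_NOT_LESS_OR_EQUAL (referenced address, IRQL, access type, faulting instruction). The sample text is the report from the post; the "likely null dereference" heuristic is this example's own.

```python
import re

# Sample WhoCrashed output, copied from the report quoted in the post above.
SAMPLE_REPORT = r"""On Fri 2016-02-05 07:49:01 GMT your computer crashed
crash dump file: C:\WINDOWS\Minidump\020516-12359-01.dmp
This was probably caused by the following module: hmpnet.sys (hmpnet+0x1B82)
Bugcheck code: 0xD1 (0x8, 0x2, 0x0, 0xFFFFF8003005173C)
Error: DRIVER_IRQL_NOT_LESS_OR_EQUAL
file path: C:\WINDOWS\system32\drivers\hmpnet.sys
"""

# Windows IRQL values that matter for a 0xD1 bug check on x86/x64.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}


def parse_whocrashed(text):
    """Extract the blamed module, bug check code and its parameters from a WhoCrashed report."""
    mod = re.search(r"caused by the following module: (\S+) \(([^)]+)\)", text)
    code = re.search(r"Bugcheck code: (0x[0-9A-Fa-f]+) \(([^)]*)\)", text)
    if not mod or not code:
        raise ValueError("text does not look like a WhoCrashed report")
    params = [int(p.strip(), 16) for p in code.group(2).split(",")]
    return {"module": mod.group(1), "offset": mod.group(2),
            "code": int(code.group(1), 16), "params": params}


def decode_d1(params):
    """Decode DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1) parameters per Microsoft's bug check reference."""
    addr, irql, access, pc = params
    access_name = {0: "read", 1: "write"}.get(access, "other (see bug check reference)")
    return {
        "referenced_address": addr,
        "irql": IRQL_NAMES.get(irql, str(irql)),
        "access": access_name,
        "faulting_instruction": pc,
        # Heuristic: a tiny referenced address (here 0x8) is a field of a NULL
        # pointer, not pageable memory, despite the generic bug check text.
        "likely_null_deref": addr < 0x10000,
    }


def triage(text):
    """Parse a report and, for 0xD1, attach the decoded parameters."""
    info = parse_whocrashed(text)
    if info["code"] == 0xD1:
        info["decoded"] = decode_d1(info["params"])
    return info


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```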
  18. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    send dumps to erik via wetransfer!
    (zipped)
     
  19. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I have items showing in event viewer going back to November, so I don't understand the problem. I usually access via Start >RUN > eventvwr
     
  20. BeltandSuspenders

    BeltandSuspenders Registered Member

    Joined:
    Feb 4, 2016
    Posts:
    3
    Yesterday I posted about a new anti-ransomware product from Malwarebytes.

    https://www.wilderssecurity.com/threads/hitmanpro-alert-support-and-discussion-thread.324841/page-345#post-2561791

    I had included links to a blog which describes the product and also to the Malwarebytes MBARW beta download page. For whatever reason, Wilders moderators chose to remove those links. So, if you have an interest in testing this free product I suggest a Google search of "Malwarebytes Anti-Ransomware".

    So far MBARW appears to play well with Windows 7 Pro installs of the paid version of HMP.A 3.1.1 build 351. I also have Malwarebytes Anti-Exploit running on the same systems, again without issue. I do have HMP.A keystroke encryption disabled due to earlier issues and have so far not valued re-enabling this feature.

    The beta version of MBARW does leave the application open but minimized to the taskbar. This can be closed leaving MBARW running with a blue icon visible within the notification area. I understand the finalized release will not open the application GUI upon installation and system startup.

    MBARW can be installed silently and I’ve found these switches in the following batch script to work well.

    @Echo OFF
    START "" /WAIT MBARW_Setup.exe /VERYSILENT /SUPPRESSMSGBOXES /CLOSEAPPLICATIONS /NORESTART
    DEL /F /Q "%Public%\Desktop\Malwarebytes Anti-Ransomware.lnk" >NUL

    Other installation switches are available:

    /HELP, /?

    Shows this information.


    /SP-

    Disables the This will install... Do you wish to continue? prompt at the beginning of Setup.


    /SILENT, /VERYSILENT

    Instructs Setup to be silent or very silent.


    /SUPPRESSMSGBOXES

    Instructs Setup to suppress message boxes.


    /LOG

    Causes Setup to create a log file in the user's TEMP directory.


    /LOG="filename"

    Same as /LOG, except it allows you to specify a fixed path/filename to use for the log file.


    /NOCANCEL

    Prevents the user from cancelling during the installation process.


    /NORESTART

    Prevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.


    /RESTARTEXITCODE=exit code

    Specifies a custom exit code that Setup is to return when the system needs to be restarted.


    /CLOSEAPPLICATIONS

    Instructs Setup to close applications using files that need to be updated.


    /NOCLOSEAPPLICATIONS

    Prevents Setup from closing applications using files that need to be updated.


    /RESTARTAPPLICATIONS

    Instructs Setup to restart applications.


    /NORESTARTAPPLICATIONS

    Prevents Setup from restarting applications.


    /LOADINF="filename"

    Instructs Setup to load the settings from the specified file after having checked the command line.


    /SAVEINF="filename"

    Instructs Setup to save installation settings to the specified file.


    /LANG=language

    Specifies the internal name of the language to use.


    /DIR="x:\dirname"

    Overrides the default directory name.


    /GROUP="folder name"

    Overrides the default folder name.


    /NOICONS

    Instructs Setup to initially check the Don't create a Start Menu folder check box.


    /TYPE=type name

    Overrides the default setup type.


    /COMPONENTS="comma separated list of component names"

    Overrides the default component settings.


    /TASKS="comma separated list of task names"

    Specifies a list of tasks that should be initially selected.


    /MERGETASKS="comma separated list of task names"

    Like the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.


    /PASSWORD=password

    Specifies the password to use.
     
  21. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,436
    Location:
    U.S.A.
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    With Alert 3 you do not need Malwarebytes Anti-Ransomware because Alert has had an anti-ransomware feature called CryptoGuard for more than 2 years.
    The CryptoGuard technology is currently in its 3rd generation and prevents mass encryption.

    1st generation was launched in November 2013 to protect against CryptoLocker
    http://www.ghacks.net/2013/11/06/hitmanpro-alert-2-5-update-brings-protection-crypto-ransomware/
    https://www.youtube.com/watch?v=5M8YYnXIAlw

    2nd generation was launched shortly thereafter with file shares protection against rogue endpoints trying to encrypt files on the server:
    https://www.wilderssecurity.com/thre...discussion-thread.324841/page-38#post-2309084

    3rd generation was launched mid 2014 to counter TorrentLocker, CTB-Locker, CryptoWall 3.0 etc.:
    https://www.youtube.com/watch?v=XrSP-CMjuFk

    Alert 3 also prevents the creation of the ransom letters in each and every folder.

    HitmanPro.Alert 3 = Anti-Ransomware + Anti-Exploit (with Intel hardware-assistance) + Safe Browsing + Risk Reduction in 5MB footprint.

    Hope this helps.
     
    Last edited: Feb 5, 2016
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Regarding having MBARW, MBAE and HMPA installed at the same time, I would want to do some thorough testing before assuming that this is a workable configuration. It's not enough that they don't overtly conflict or crash. It needs to be demonstrated that all of the overlapping functions of the apps continue working and overall protection is not compromised. In fact, if protection is not stronger then there wouldn't be a point.
     
  24. malware1

    malware1 Registered Member

    Joined:
    May 26, 2014
    Posts:
    133
    Could you please send me the new strings to translate before the new version is released? Thanks :)
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Actually, this isn't an argument, so no need to be so defensive. It was a simple technical question, and you gave me the answer. I have learned that there is no way to prevent these types of conflicts, and both parties can cause these conflicts.

    But no wonder I assumed that HMPA was the problem, since it was EIS that could not load correctly anymore (strangely enough because of anti-tamper), and after removing HMPA the problem was gone. And you even managed to post a workaround for it by changing code in HMPA. So I've learned that this doesn't tell the whole story and sometimes both parties can come up with a fix.
     