HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. guest

    guest Guest

    Yes, I noticed it too after upgrading to HMPA 3.5. The previous version (3.1) was fine with that.

    But MPC-HC is not a good candidate for mitigation, mentioned some time ago:
    #4593
     
  2. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    MPC is not listed under mitigations. Process hollow protection is to blame.
     
  3. Armadax

    Armadax Registered Member

    Joined:
    Sep 13, 2015
    Posts:
    19
    Location:
    Zuid-Holland
    Updated from beta to build 546: no problems. (Win 10, x64, Kaspersky Internet Security)
     
  4. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    MPC-HC is fine on my laptop with latest HMP.A (3.5). I could view movies with it.
     
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    Confirmed with HMP.A 3.5.0.546 and MPC-HC 1.7.10, mpc-hc64.exe, portable, on Windows 7 x64 (more details, see signature).
    With HMP.A 3.5.0.546, MPC-HC 1.7.10 crashes on opening video or audio files.
    MPC-HC is not listed under mitigations.
    Adding MPC-HC 1.7.10, mpc-hc64.exe, as an exclusion in HMP.A 3.5.0.546 prevents MPC-HC from crashing when opening a video or audio file.
     
  6. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    Happens here too with HMPA 3.5.0 build 546 on Win 8.1 (x64).

    MPC-HC 1.7.10.252 crashes during startup:
    Code:
    Name der fehlerhaften Anwendung: mpc-hc64.exe, Version: 1.7.10.252, Zeitstempel: 0x57800c12
    Name des fehlerhaften Moduls: mpc-hc64.exe, Version: 1.7.10.252, Zeitstempel: 0x57800c12
    Ausnahmecode: 0xc000041d
    Fehleroffset: 0x00000000006351d8
    ID des fehlerhaften Prozesses: 0x1b50
    Startzeit der fehlerhaften Anwendung: 0x01d1e4d721c64890
    Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\K-Lite Codec Pack\MPC-HC64\mpc-hc64.exe
    Pfad des fehlerhaften Moduls: C:\Program Files (x86)\K-Lite Codec Pack\MPC-HC64\mpc-hc64.exe
    The only workaround is excluding it from HMPA or disabling Process Protection. I tried disabling single mitigations via the import/export feature but eventually it's just the following:

    MPC-HC only works if
    Code:
    <HollowProcessGuard>off</HollowProcessGuard>
    is set or if the profile for MPC-HC is set to
    Code:
    <Template>Exclude</Template>
     
  7. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,286
    Location:
    USA, MICHIGAN
    Getting an FP? when trying to enter a page on my Weather Underground site; 373 did not do this:

    Log Name: Application
    Source: HitmanPro.Alert
    Date: 7/23/2016 8:58:15 AM
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Owner-PC
    Description:
    Mitigation HeapSpray

    Platform 6.1.7601/x64 06_2a
    PID 4288
    Application C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description Internet Explorer 11

    #00 186F0000 L00020000; Javascript array
    24 F9 8F 6A E0 FD 8D 10 ..00(*9).. A0 0A 5B 7D 61 75 42 ..00(*80).. D0 8E AC 10 00 00 00
    #01 186D0000 L00020000; Javascript array
    24 F9 8F 6A E0 FD 8D 10 ..00(*9).. A0 0A 5B 7D 61 75 42 ..00(*80).. D0 8E AC 10 00 00 00
    #02 186B0000 L00020000; Javascript array
    24 F9 8F 6A E0 FD 8D 10 ..00(*9).. 90 0A 5B 7D 61 75 42 ..00(*80).. D0 8E AC 10 00 00 00
    #03 18690000 L00020000; Javascript array
    24 F9 8F 6A E0 FD 8D 10 ..00(*9).. 90 0A 5B 7D 61 75 42 ..00(*80).. D0 8E AC 10 00 00 00
    #05 18670000 L00020000; Javascript array
    24 F9 8F 6A E0 FD 8D 10 ..00(*9).. 80 0A 5B 7D 61 75 42 ..00(*80).. D0 8E AC 10 00 00 00
    #06 18650000 L00020000; Javascript array
    24 F9 8F 6A E0 FD 8D 10 ..00(*9).. 70 0A 5B 7D 61 75 42 ..00(*80).. D0 8E AC 10 00 00 00
    #07 18630000 L00020000; Javascript array
    24 F9 8F 6A E0 FD 8D 10 ..00(*9).. 70 0A 5B 7D 61 75 42 ..00(*80).. D0 8E AC 10 00 00 00

    Process Trace
    1 C:\Program Files (x86)\Internet Explorer\iexplore.exe [4288]
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4292 CREDAT:1054200 /prefetch:2
    2 C:\Program Files\Internet Explorer\iexplore.exe [4292]
    3 C:\Program Files (x86)\Internet Explorer\iexplore.exe [2004]
    4 C:\Windows\explorer.exe [2284]
    5 C:\Windows\System32\userinit.exe [2204]



    Log Name: Application
    Source: HitmanPro.Alert
    Date: 7/23/2016 8:56:52 AM
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: Owner-PC
    Description:
    Mitigation HeapSpray

    Platform 6.1.7601/x64 06_2a
    PID 5288
    Application C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Description Internet Explorer 11

    #00 188E0000 L00020000; Javascript array
    24 F9 84 6A 80 4B 08 05 ..00(*9).. 70 A1 46 7D 61 75 42 ..00(*80).. F0 56 77 03 00 00 00
    #01 188C0000 L00020000; Javascript array
    24 F9 84 6A 80 4B 08 05 ..00(*9).. 60 A1 46 7D 61 75 42 ..00(*80).. F0 56 77 03 00 00 00
    #02 188A0000 L00020000; Javascript array
    24 F9 84 6A 80 4B 08 05 ..00(*9).. 60 A1 46 7D 61 75 42 ..00(*80).. F0 56 77 03 00 00 00
    #04 18880000 L00020000; Javascript array
    24 F9 84 6A 80 4B 08 05 ..00(*9).. 50 A1 46 7D 61 75 42 ..00(*80).. F0 56 77 03 00 00 00
    #05 18860000 L00020000; Javascript array
    24 F9 84 6A 80 4B 08 05 ..00(*9).. 40 A1 46 7D 61 75 42 ..00(*80).. F0 56 77 03 00 00 00
    #06 18840000 L00020000; Javascript array
    24 F9 84 6A 80 4B 08 05 ..00(*9).. 30 A1 46 7D 61 75 42 ..00(*80).. F0 56 77 03 00 00 00
    #07 18820000 L00020000; Javascript array
    24 F9 84 6A 80 4B 08 05 ..00(*9).. 20 A1 46 7D 61 75 42 ..00(*80).. F0 56 77 03 00 00 00

    Process Trace
    1 C:\Program Files (x86)\Internet Explorer\iexplore.exe [5288]
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4292 CREDAT:3937624 /prefetch:2
    2 C:\Program Files\Internet Explorer\iexplore.exe [4292]
    3 C:\Program Files (x86)\Internet Explorer\iexplore.exe [2004]
    4 C:\Windows\explorer.exe [2284]
    5 C:\Windows\System32\userinit.exe [2204]

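
    A small triage parser for the alert text quoted in the post above, as an added example that is not part of the original thread or of HitmanPro.Alert: it extracts the mitigation, application, flagged regions and process chain so that repeat alerts like the two quoted events can be grouped and compared. The field layout is inferred from the quoted log; the function names and the sample values are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Event ID 911 text quoted above;
# the PID, paths and addresses are made up for this example.
SAMPLE = """\
Mitigation HeapSpray
PID 1234
Application C:\\Example\\browser.exe

#00 10060000 L00020000; Javascript array
#01 10040000 L00020000; Javascript array
#02 10020000 L00020000; Javascript array

Process Trace
1 C:\\Example\\browser.exe [1234]
2 C:\\Windows\\explorer.exe [2284]
"""

FIELD = re.compile(r"^[ \t]*(Mitigation|Platform|PID|Application|Description)[ \t]+(.+?)[ \t]*$", re.M)
REGION = re.compile(r"^[ \t]*#(\d+)[ \t]+([0-9A-Fa-f]{8,16})[ \t]+L([0-9A-Fa-f]{8,16});[ \t]*(.+?)[ \t]*$", re.M)
TRACE = re.compile(r"^[ \t]*\d+[ \t]+(.+?)[ \t]+\[(\d+)\][ \t]*$", re.M)

def parse_alert(text):
    """Return header fields, flagged memory regions and the process chain."""
    alert = {key.lower(): value for key, value in FIELD.findall(text)}
    alert["regions"] = [
        {"index": int(i), "base": int(b, 16), "size": int(s, 16), "kind": k}
        for i, b, s, k in REGION.findall(text)
    ]
    tail = text.partition("Process Trace")[2]  # empty when the section is absent
    alert["trace"] = [(path, int(pid)) for path, pid in TRACE.findall(tail)]
    return alert

def triage_key(alert):
    """Grouping key for repeat alerts: mitigation, binary, dominant region type."""
    kinds = Counter(r["kind"] for r in alert["regions"])
    return (alert.get("mitigation"), alert.get("application", "").lower(),
            kinds.most_common(1)[0][0] if kinds else None)

def region_stride(alert):
    """Distinct gaps between consecutive region bases (one value = evenly spaced)."""
    bases = sorted(r["base"] for r in alert["regions"])
    return sorted({b - a for a, b in zip(bases, bases[1:])})
```

    Alerts that share a triage key across many hosts or page loads are the ones worth reporting to the vendor together, with the key and the region stride in the report.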
     
  8. plat1098

    plat1098 Guest

    Firefox still crashes with latest HMP-A :rolleyes:. I don't want to disable DEP mitigations, so is there an alternative adjustment for the meantime? Not really a big problem, just irritating.

    Firefox 47.01/HitmanPro Alert 3.5.0 build 546

    edited to add: Could one go back to the beta or is support for that being discontinued?
     

    Last edited by a moderator: Jul 23, 2016
  9. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Confirmed for W7-x64 with HMP.alert 3.5 build 546!
    Using HMP.alert 3.1 build 474, only unchecking "Null Page" mitigation is enough to run MPC-HC 1.7.10 as a protected application.
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Try adding it to the Exclude category via the blue tile.

    The fact that Process Protection triggers should say something about how MPC was built. Why is it using so many weird techniques to play videos?
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  12. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Adding MPC to the Exclude category (via the blue tile) allows MPC to run videos etc.
    I personally have no issue/problem with running MPC 'Excluded' in 3.5 build 546 and following releases.
     
  13. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    456
    Location:
    England
    I have always needed to exclude MPC-HC (& MPC-BE) from Alert's protection. I don't use any online features so I'm not overly concerned.

    3.5. 546 - all appears OK here.
     
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    I don't know. One reason may be to be able to play 'difficult' media.
    For instance, I use VLC media player as my primary media player, but for a 'difficult' dvd, like the Wall-E dvd, I need to use MPC-HC to play that dvd correctly. I tried several other media players, but MPC-HC was the only one that would play the Wall-E dvd without issues. Perhaps this is because of some helpful but 'weird' techniques that MPC-HC uses? I'm just guessing.

    Me neither. But it might be an issue for less tech savvy users. MPC-HC is rather popular. If many HMP.A users would complain about HMP.A crashing MPC-HC, that might put a burden on SurfRight support.
     
  15. Houley456

    Houley456 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    199
    What is MPC-HC?
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  17. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Had two occurrences where Firefox could not keep up with my typing speed.

    After I stopped typing (in the search field) several characters appeared, but random gibberish.

    HMP.Alert keylogger protection?
     
  18. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,286
    Location:
    USA, MICHIGAN
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    @anyone > Is 2) this just me? Is Block Untrusted Fonts in any way looking at Yahoo buttons?
    @erikloman > Does 3.5 Build 546 return Safe browsing (green) for Norton users...?
     
    Last edited: Jul 24, 2016
  20. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Hi, bjm:
    how long before you trash that AV??

    Norton = garbage, rubbish,...


    If I were you, I'd replace it ASAP with any free AV, e.g. Avira :isay:...
     
    Last edited: Jul 24, 2016
  21. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Alert = truly a jewel (especially as an AntiExploit solution on Intel CPUs thanks to its Hardware-assisted CFI) so, if something else interferes with it (in particular, NorTrash), I'll have no doubt about which one to remove...

    IMO :)
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Is Block Untrusted Fonts in any way looking at Yahoo buttons?
     
  23. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    #10453
     
  25. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Last edited: Jul 24, 2016