HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    What does it mean if I run the hmpalert-test tool (a variety of tests) on a 32-bit program which should be protected by hmp.a and absolutely nothing at all happens?
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I would just try updating through the normal channel. I have one Acrobat update no problem, the 2nd HMPA nailed the first time, but the 2nd time it worked. Reader updated fine both times.

    Pete
     
  3. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    Which test are you performing and what is the target application?
     
  4. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    We've found the culprit. I will send you a PM with a link to a test version so you can test it as well.
     
  5. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    File managers are like browsers and designed to browse the computer and potentially start other programs. This means you should put it in the Browser mitigation category - especially not in Test, Office or Other.
    Anyway, what is the exact name of your file manager and who's the publisher?

    Update: After brief research I now see what you mean. Explanation: Any document that you create with applications in the Office category receives low-level protection by HMPA. This means that HMPA will not allow this document to execute in the way an application is started, because in an attack scenario an Office application could be exploited to download malware for execution. In effect, if you try to execute a document in a very uncommon way, like from the command line, HMPA will step in and prevent this. This is exactly how we designed it. We'll consider a change.
     
    Last edited: Dec 10, 2014
  6. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Does HMPA work in a VM (VirtualBox) or virtual system software? (Shadow Defender, Time Freeze, etc.)
     
  7. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes. Both.
     
  8. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Having same issue again with keylogger protection. It starts out working fine and then stops working. No VM. Using latest version of Pale Moon browser along with Sandboxie. I tried without Sandboxing browser to see if that would make a difference since I have changed many settings in Sandboxie. No difference. I can see the flyout at each start of browser session. Checked Event logs and the HMPA service and everything looks OK.
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I can confirm as I use it in both VMware and ShadowDefender
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We have found an issue regarding keystroke encryption dropping out. Expect a fix soon.
     
  11. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Thanks. Will HMPA 3RC automatically update the fix? Event logs indicate time frame on updates.
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes it will auto update :thumb:
     
  13. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    Just installed Dropbox 3.0.3 and it triggers an alert at startup.
    Dropbox is now stuck on synching some files. Is this already a known issue? Couldn't find such report on the last couple of pages of this topic.
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What Alert is being triggered? Click on Technical Details and copy/paste the output. The Alert is also logged into the Windows Event Log.
    A reboot should resolve the issue.
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    At the end of installing the latest versions of Flash, the Flash update process crashes with hmpalert.dll

    Code:
    Problem signature:
      Problem Event Name:    APPCRASH
      Application Name:    FlashPlayerUpdateService.exe
      Application Version:    16.0.0.235
      Application Timestamp:    546fc103
      Fault Module Name:    hmpalert.dll
      Fault Module Version:    3.0.20.120
      Fault Module Timestamp:    548064c7
      Exception Code:    c0000005
      Exception Offset:    0000b5de
      OS Version:    6.1.7601.2.1.0.256.1
      Locale ID:    1043
      Additional Information 1:    dae0
      Additional Information 2:    dae0841d28bb3a301a419e5efe5b0022
      Additional Information 3:    450e
      Additional Information 4:    450e2985f0fe05fed9023f7909977c00
    Also when I tried to install the new PPAPI Flash version, the installer process crashes. No mention of hmpalert.dll, but I thought these may be related and both problems don't appear on another machine with Alert v2 instead of v3 RC.

    Code:
    Problem Event Name:   APPCRASH
      Application Name:   install_flashplayer16x32pp_mssd_aaa_aih.exe
      Application Version:   3.5.4.26
      Application Timestamp:   53d3d183
      Fault Module Name:   install_flashplayer16x32pp_mssd_aaa_aih.exe
      Fault Module Version:   3.5.4.26
      Fault Module Timestamp:   53d3d183
      Exception Code:   c0000005
      Exception Offset:   00065ed3
      OS Version:   6.1.7601.2.1.0.256.1
      Locale ID:   1043
      Additional Information 1:   0a9e
      Additional Information 2:   0a9e372d3b4ad19135b953a78882e789
      Additional Information 3:   0a9e
      Additional Information 4:   0a9e372d3b4ad19135b953a78882e789
    
     
  16. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    http://i57.tinypic.com/23gy9o7.jpg

    I can't find any logging from HMP Alert in my EventLog :(
    Scanned with HMP and MBAM, no hits. AV = Bitdefender Total Security 2015
     
  17. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
  18. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    Indeed. I was using v2.6.5
    Now with the new, boy it looks good, version the alert is gone.

    I see it's also encrypting my keystrokes now? Neat!
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Keep in mind that the latest stable is still v2, the latest v3 is already a Release Candidate, but it is probably still not advisable to install on production machines:
    https://www.wilderssecurity.com/thr...iscussion-thread.324841/page-114#post-2433635
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I've been running V3 since the 2nd CTD, on all my machines including a "production" machine. Absolutely no bad issues. Early bugs that showed up are already fixed.

    As always my usual caveat. BACKUP
     
  21. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert version 3.0.21 build 124 Release Candidate

    Changes
    • Added compression of the resource section to optimize the binary, reducing the file size by over 30%.
    • Improved process startup performance.
    • Improved Import Address Table Filtering (IAF) mitigation.
    • Fixed issue with Application Lockdown that prevented some applications from installing updates.
    • Fixed sudden loss of keyboard encryption that could occur when the computer wakes from sleep.
    • Fixed drawing of the notification and keystroke encryption indicator in Internet Explorer 11.
    • Fixed a problem when opening Office documents from the Windows Command Prompt.
    • Fixed a problem that manifested when opening the multiplayer version of Call of Duty: Advanced Warfare.
    Download

    <link removed>

    Let us know how this version runs on your machine.
    Users running build 120 will be automatically updated at a later moment.
     
    Last edited: Dec 14, 2014
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Interesting, is the Intruder registry key the MitB protection?
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes. A full blown manual is in the works.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Downloaded and prepared to install
     
  25. JohnMiller

    JohnMiller Registered Member

    Joined:
    Nov 6, 2014
    Posts:
    49
    @erikloman Hey erik, would it be possible to add the functionality to disable all exploit mitigations with one button, like until a restart, or a way to disable all the risk reduction at once? I ask this specifically because I need to disable all my layers of security for online/school exams.
     
    Last edited: Dec 12, 2014