HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. XIII

    XIII Registered Member

    Pete, thanks for confirming my hunches!
     
  2. Rasheed187

    Rasheed187 Registered Member

What J_L means is that HMPA Free doesn't do exploit protection, so in theory it should be able to work well with MBAE and/or EMET. Earlier in this thread I did post my concerns that HMPA Free might still cause compatibility problems with MBAE (or vice versa) because of the underlying tech: they both operate in the same memory areas.
     
  3. Rasheed187

    Rasheed187 Registered Member

    I agree, unless you prefer Zemana's HIPS to EIS, but EIS also offers AV, so I doubt you want to ditch it.
     
  4. Rasheed187

    Rasheed187 Registered Member

    What about the "Network Lockdown" feature (which is related to exploit blocking), is that also free?
     
  5. Peter2150

    Peter2150 Global Moderator

EIS offers Behavior Blocker, AV and Firewall.
     
  6. Rasheed187

    Rasheed187 Registered Member

I forgot about the firewall, good point. I believe the first version of Zemana back in 2008 also offered a firewall, but they decided to ditch it; I'm not sure why.
     
  7. Tarnak

    Tarnak Registered Member

    I am trying to run this, but when it opens, it just barely stays open, then closes. I had to take a screenshot of the desktop firstly to catch it, and then I took an amended screenshot of that.

    Screenshot_ProcDump_02.gif
     
  8. Hiltihome

    Hiltihome Registered Member

    @Tarnak:
    There are several ways to run a command line tool...

The easiest way would be to put procdump.exe in your C:\windows\system32 folder.
    You can leave it there, it's tiny.

Open a command prompt with elevated rights.
To do so, just press your Windows button, type cmd, right click on it and select "Run as administrator".
    A command prompt will open.

    Type "procdump /?" to see all options.
Choose the desired option, then type procdump /(option)
     
  9. newbino

    newbino Registered Member

Last night I got a BSOD, and it was mentioning HMP.A at the bottom of the screen. Unfortunately it was late and I don't remember the exact wording.

    Having said this, @eric I have sent you by pm the link to the crash dump, hope it helps
     
  10. erikloman

    erikloman Developer

    Perform the following steps:
    1. Determine the Process ID of the hmpalert.exe service process running as SYSTEM (use Task Manager or Process Explorer)

    2. Start a command prompt with administrative privileges

    3. Type the following command at the command prompt:
      procdump.exe -e -ma <process_id_of_hmpalert>

    4. Wait for the service to crash (keep the command prompt open)

    5. A dump file is written; the path to the dump is mentioned in the command prompt window
     
    Last edited: Jan 3, 2015
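The steps above (and Hiltihome's earlier note on running a command line tool from an elevated prompt) can be collected into one script. This is an added example, not code posted in the thread or shipped by SurfRight; it assumes procdump.exe is on the PATH and that it runs from an elevated PowerShell prompt. The thread does not name the HitmanPro.Alert service, so the service is located by the path of its executable instead.

```powershell
# Added example: capture a crash dump of the hmpalert.exe service with
# Sysinternals ProcDump, following the numbered steps in the post above.
# Assumptions (not from the thread): procdump.exe is on the PATH or in the
# current folder, and this runs in an elevated PowerShell prompt.

# Step 1: find the running service whose binary is hmpalert.exe and read its PID.
# (The service name is not given in the thread, so match on PathName.)
$svc = Get-CimInstance Win32_Service -Filter "PathName LIKE '%hmpalert.exe%'" |
       Where-Object { $_.ProcessId -gt 0 } |
       Select-Object -First 1
if (-not $svc) { throw "No running service with hmpalert.exe in its path was found." }

# Confirm the process is the one running as SYSTEM, as step 1 asks.
$proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $($svc.ProcessId)"
$owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
"Service {0} (PID {1}) runs as {2}\{3}" -f $svc.Name, $svc.ProcessId, $owner.Domain, $owner.User

# Step 3: attach ProcDump. -e waits for an unhandled exception (the crash),
# -ma writes a full memory dump. -accepteula suppresses the first-run EULA prompt.
# Keep this window open (step 4); ProcDump prints the dump path when it fires (step 5).
& procdump.exe -accepteula -e -ma $svc.ProcessId
```

Run it once per snapshot before the crash is expected, since ProcDump must already be attached when the exception occurs; the dump it writes is what the developers ask for in the post above.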
  11. Tarnak

    Tarnak Registered Member

    I am not in the relevant snapshot, but yesterday I was and it ran for over 18 hours, before I booted into another snapshot, and the service did not crash.

However, I hope to be able to supply the dump file. To follow the instructions, don't I need the file from Sysinternals, otherwise I will not be able to run the command prompt? Actually, when I was trying to run the command, I did try it with admin privileges, too. It still opened and closed, as I described above in my post. Anyway, I will try again if and when the service crashes.
     
  12. erikloman

    erikloman Developer

    You need to perform the tasks _before_ the crash happens.
     
  13. Tarnak

    Tarnak Registered Member

  14. Tarnak

    Tarnak Registered Member

    I am back in the snapshot, and am monitoring the HMPA service...

    ScreenShot_Hmp.A_ProcDump_04.gif
     
  15. Tarnak

    Tarnak Registered Member

    The service just crashed a short time ago, and I have the 49 MB dump file...

    ScreenShot_Hmp.A_ProcDump_05.gif
     
  16. guest

    guest Guest

    @erikloman

    Nice to see that HMPA is also able to stop your typical MS Office exploits used in targeted attacks (CVE-2012-0158 related exploits with Chinese language settings dropping a backdoor + Vietnamese decoy doc for example).

    It's also great that Mandatory ASLR adds pseudo-ASLR to modules like mscomctl.ocx, but on Windows XP certain modules like msvcrt.dll still seem to be loaded at the same address. I suppose that this is a known limitation of the Mandatory ASLR feature?
     
  17. erikloman

    erikloman Developer

    Alert currently only relocates DLLs that are dynamically loaded. So if msvcrt is loaded statically by the EXE, Alert cannot yet relocate that msvcrt. EMET also has this limitation (besides EMET cannot relocate on XP at all).
     
  18. justenough

    justenough Registered Member

    I can't download games on Steam. HMP.A flags "Steam Client Bootstrapper 1.0". I tried adding Steam to HMP.A as a browser, but that didn't help. Should the mitigations all be checked? Any suggestions?
     
  19. markloman

    markloman Developer

    What game were you trying to download? Could you send us the details of the alert in a PM? (click on Technical details when the alert happens, or look in the Windows Event Log for a registration of the event)
     
  20. justenough

    justenough Registered Member

    Details sent.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Can I get an answer on this one please? Also, the technical aspects of this feature are still a bit unclear to me, will it only monitor attacks on MS Office?
     
  22. erikloman

    erikloman Developer

    It is a free feature and monitors system wide.
     
  23. erikloman

    erikloman Developer

  24. Tarnak

    Tarnak Registered Member

    Just sent by e-mail. You should have it. :)
     
  25. Martin_C

    Martin_C Registered Member

    Undesirable intervention from CryptoGuard in HitmanPro.Alert 3.0.22 Build 131 RC, when trying to install .NET Framework 3.5 on Windows 8.1 Pro x64

    The attempt to install .NET Framework 3.5 will not succeed and ends in an error.
    At no point did HitmanPro.Alert prompt or alert that it had picked up and blocked, what it thought was an attempt to encrypt user files.
    It was handled silently by HitmanPro.Alert.

    Trying to figure out why the installation had failed, I looked in HitmanPro.Alert GUI and noticed that the alert counter had increased.
Looking in Windows Event Viewer, I see two entries that relate to the block from CryptoGuard.

    I will send the content of those in a PM.

Disabling CryptoGuard and rerunning the .NET Framework 3.5 installation allowed the installation to finish successfully.
     