HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Pete, thanks for confirming my hunches!
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
What J_L means is that HMPA Free doesn't do exploit protection, so in theory it should be able to work well with MBAE and/or EMET. Earlier in this thread I did post my concerns that HMPA Free might still cause compatibility problems with MBAE (or vice versa) because of the underlying tech: they both operate in the same memory areas.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I agree, unless you prefer Zemana's HIPS to EIS, but EIS also offers AV, so I doubt you want to ditch it.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    What about the "Network Lockdown" feature (which is related to exploit blocking), is that also free?
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
EIS offers Behavior Blocker, AV and Firewall
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I forgot about the firewall, good point. I believe the first version of Zemana back in 2008 also offered a firewall but they decided to ditch it, I'm not sure why.
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I am trying to run this, but when it opens, it just barely stays open, then closes. I had to take a screenshot of the desktop firstly to catch it, and then I took an amended screenshot of that.

    Screenshot_ProcDump_02.gif
     
  8. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    @Tarnak:
    There are several ways to run a command line tool...

The easiest way would be to put procdump.exe in your C:\windows\system32 folder.
    You can leave it there, it's tiny.

Open a command prompt with elevated rights.
To do so, just press your Windows button, type cmd, right click on it and select "Run as administrator".
    A command prompt will open.

Type "procdump /?" to see all options.
Choose the desired option, then type procdump /(option)
     
  9. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    464
Last night I got a BSOD, and it was mentioning HMP.A at the bottom of the screen. Unfortunately it was late and I don't remember the exact wording.

    Having said this, @eric I have sent you by pm the link to the crash dump, hope it helps
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Perform the following steps:
    1. Determine the Process ID of the hmpalert.exe service process running as SYSTEM (use Task Manager or Process Explorer)

    2. Start a command prompt with administrative privileges

    3. Type the following command at the command prompt:
      procdump.exe -e -ma <process_id_of_hmpalert>

    4. Wait for the service to crash (keep the command prompt open)

    5. A dump file is written; the path to the dump is mentioned in the command prompt window
     
    Last edited: Jan 3, 2015
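The steps in the two posts above (drop procdump.exe somewhere on the PATH, open an elevated prompt, find the PID of the hmpalert.exe service running as SYSTEM, attach ProcDump with -e -ma) as one PowerShell script. This is an added example, not code from the thread or from the HitmanPro.Alert developers; it assumes procdump.exe is on the PATH and that the script is run from an elevated PowerShell window.

```powershell
# Added example (not from the thread): attach ProcDump to the hmpalert.exe
# service process running as SYSTEM so that a full memory dump (-ma) is
# written on the next unhandled exception (-e), as described in the post above.
# Assumes: elevated PowerShell session, procdump.exe reachable via PATH.

# Refuse to continue if not elevated; procdump cannot attach to a SYSTEM
# process from a standard user token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Run as administrator) PowerShell window."
}

# There can be more than one hmpalert.exe (service plus per-session UI).
# Pick the one whose owner is NT AUTHORITY\SYSTEM, i.e. the service process.
$candidates = Get-CimInstance Win32_Process -Filter "Name = 'hmpalert.exe'"
$service = $null
foreach ($p in $candidates) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($owner.Domain -eq 'NT AUTHORITY' -and $owner.User -eq 'SYSTEM') {
        $service = $p
        break
    }
}
if (-not $service) {
    throw "No hmpalert.exe process running as SYSTEM was found; is the service running?"
}

# Work from a folder of our own so the dump file is easy to find afterwards
# (assumed location; ProcDump prints the final path in the console anyway).
$dumpDir = Join-Path $env:SystemDrive 'dumps'
New-Item -ItemType Directory -Path $dumpDir -Force | Out-Null
Set-Location $dumpDir

Write-Host "Attaching ProcDump to hmpalert.exe PID $($service.ProcessId)."
Write-Host "Leave this window open; the dump is written when the service crashes."

# -accepteula suppresses the first-run EULA dialog, -e waits for an unhandled
# exception, -ma writes a full dump. The call blocks until the crash happens.
& procdump.exe -accepteula -e -ma $service.ProcessId
```

Dump files of this kind contain the full memory of a security service, so hand them only to the vendor through the private channel they asked for, as the developer requests in this thread.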
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I am not in the relevant snapshot, but yesterday I was and it ran for over 18 hours, before I booted into another snapshot, and the service did not crash.

However, I hope to be able to supply the dump file. To follow the instructions, don't I need the file from Sysinternals, otherwise I will not be able to run the command prompt? Actually, when I was trying to run the command, I did try it with admin privileges, too. It still opened and closed, as I described above in my post. Anyway, I will try again if and when the service crashes.
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    You need to perform the tasks _before_ the crash happens.
     
  13. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    I am back in the snapshot, and am monitoring the HMPA service...

    ScreenShot_Hmp.A_ProcDump_04.gif
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    The service just crashed a short time ago, and I have the 49 MB dump file...

    ScreenShot_Hmp.A_ProcDump_05.gif
     
  16. guest

    guest Guest

    @erikloman

    Nice to see that HMPA is also able to stop your typical MS Office exploits used in targeted attacks (CVE-2012-0158 related exploits with Chinese language settings dropping a backdoor + Vietnamese decoy doc for example).

    It's also great that Mandatory ASLR adds pseudo-ASLR to modules like mscomctl.ocx, but on Windows XP certain modules like msvcrt.dll still seem to be loaded at the same address. I suppose that this is a known limitation of the Mandatory ASLR feature?
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Alert currently only relocates DLLs that are dynamically loaded. So if msvcrt is loaded statically by the EXE, Alert cannot yet relocate that msvcrt. EMET also has this limitation (besides EMET cannot relocate on XP at all).
     
  18. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    I can't download games on Steam. HMP.A flags "Steam Client Bootstrapper 1.0". I tried adding Steam to HMP.A as a browser, but that didn't help. Should the mitigations all be checked? Any suggestions?
     
  19. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    What game were you trying to download? Could you send us the details of the alert in a PM? (click on Technical details when the alert happens, or look in the Windows Event Log for a registration of the event)
     
  20. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Details sent.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Can I get an answer on this one please? Also, the technical aspects of this feature are still a bit unclear to me, will it only monitor attacks on MS Office?
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    It is a free feature and monitors system wide.
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
  24. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    Just sent by e-mail. You should have it. :)
     
  25. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Undesirable intervention from CryptoGuard in HitmanPro.Alert 3.0.22 Build 131 RC, when trying to install .NET Framework 3.5 on Windows 8.1 Pro x64

    The attempt to install .NET Framework 3.5 will not succeed and ends in an error.
At no point did HitmanPro.Alert prompt or alert that it had picked up and blocked what it thought was an attempt to encrypt user files.
    It was handled silently by HitmanPro.Alert.

    Trying to figure out why the installation had failed, I looked in HitmanPro.Alert GUI and noticed that the alert counter had increased.
Looking in Windows Event Viewer, I see two entries that relate to the block from CryptoGuard.

    I will send the content of those in a PM.

Disabling CryptoGuard while rerunning the .NET Framework 3.5 installation allowed the installation to finish successfully.
     