HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Why is this? I opened a file (Zemana Antimalware Installer this time). But HMP.A intercepted the opening through a "Lockdown".


    Edit: Zemana Antimalware Installer itself has been detected. :D
     
  2. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Do NOT add the IDMan.exe to Application Lockdown. You should not add download managers to Application Lockdown. Application Lockdown means that anything it downloads shall not execute.

    What you are seeing is intended behavior.
     
  3. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Okay. My bad. :)
    I'll try downloading the ZAM installer without IDM in the Exploit Protection. Thanks!
     
  4. Nyte

    Nyte Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    48
    Location:
    Hamburg, Germany
  5. Krond

    Krond Registered Member

    Joined:
    Aug 28, 2005
    Posts:
    56
    Same behaviour here. When running Newsbin Pro, Alert consumes a lot of CPU time and the maximum download speed breaks down. WLAN: 150 Mbit down; with Alert the rate is between 75 and 110 Mbit, and after uninstalling Alert the speed is at ~150 Mbit again. Also reproducible on speedtest.net and other such tests.
     
  6. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    I have now tried uninstalling Malwarebytes Anti-Exploit Free and also re-installed HMPA 336 Beta but I continue to have the same issue.

    After some time the service will crash silently with the following event description: "The HitmanPro.Alert service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service." and then previously protected applications will show as unprotected (and the border will be gone).

    Also, hmpalert.exe is currently using anywhere between 3% and 10% (sometimes more) CPU. It may or may not be because Tixati is downloading some things now, which means network usage and disk usage; perhaps that has something to do with it?

    Oh, also, I currently have 2 hmpalert.exe processes running, one in its own tree and one under svchost.exe. It's the one under svchost.exe that has the CPU usage reported above.

    Also still getting "Check for update has failed. Trying again in 120 minutes."

    This beta is not working nicely for me.

    Edit: The hmpalert.exe process spiked to ~15% CPU usage just by posting this very comment...

    Edit 2: Just got a "Driver_Corrupted_Expool" blue screen.. Not sure if related to hmpa.. I'm starting to wonder if HMPA is bust on my system, or if my system is bust..

    Edit 3: Finally enabled the paging file and kernel memory dump so I can get some dumps next time it happens. I realize reporting blue screens isn't very helpful without that info.

    Also, unrelated to the above, is there any reason to use 32bit application on 64bit systems? I was under the impression that it was beneficial to use 64bit applications on 64bit systems when it comes to security programs? ...but I don't know where I got that from and I may be wrong.
     
    Last edited: Nov 18, 2015
  7. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    W7-x64 with hmp.alert 3.1 build 336
    Over the last few days quite a few hmp.alert warnings (Event ID 214) have shown up in the Windows Event Log.
     


    Last edited: Nov 17, 2015
  8. CCV

    CCV Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    44
    Location:
    Tasmania
    BSOD hmpnet.sys. Driver IRQL not less or equal, iirc.

    This is following a major upgrade to Win 10. Currently Version 10.0.10586 Build 10586. Previously build 10240, I think, and everything was fine.
    Uninstalled HMP.A (3.1 build 336), because twice it crashed while I was looking at Event Viewer for info. The first time was during my normal browser stuff.

    Hmm.. Now I can actually see Events, looks like maybe the upgrade screwed something up. Big surprise.
    Thought I saw something different earlier, referring to minidump. Doesn't seem possible to upload them directly. Let me see... Nope. Supposed to be able to open them in VS, but I still don't have "permission" tho I thought I set permissions so I could.
    EDIT: Apparently got permissions right on one of them, then VS tells me it doesn't support "older" format crashdumps. o_O

    Maybe I'll just reinstall hmp.a and let you know how it goes.
     
    Last edited: Nov 17, 2015
  9. CCV

    CCV Registered Member

    Joined:
    Nov 7, 2015
    Posts:
    44
    Location:
    Tasmania
    It didn't crash on Event Viewer, yet, and;
    lol. Just noticed my clock is wrong - 12 hours ahead. How did that happen, I wonder..
     
  10. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I just did an experiment. Installed Alert, booted into safe mode, removed hmpnet.sys (HitmanPro.Alert WFP Driver) and restarted again. Downloads no longer cause high CPU load by Alert. Maybe Surfright can clarify which kind of protection we lose when removing that driver?
     
  11. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Wait for a fix for TH2; it's obvious that without a core component you lose at least important features (CryptoGuard, process protection, ...).
     
  12. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    In the meantime, you could provide a dump file to SurfRight (Task Manager, Details tab, create dump for the process that is consuming high CPU cycles)...
     
  13. smurphy09

    smurphy09 Registered Member

    Joined:
    Nov 16, 2015
    Posts:
    2
    Excellent, this is exactly what I was looking for. Thank you!
     
  14. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    It has nothing to do with TH2 in particular, it's been like this before as well. I only have one computer here, so I cannot try to reproduce it on other Windows versions.

    Which kind of protection is lost without hmpnet.sys is yet to be answered by Surfright. Though I doubt it would be exploit protection, cryptoguard, vaccination or process protection. Maybe it's just network lockdown. Regarding the importance of the latter there is next to no information available. To me, exploit protection is the most important feature, because exploits are the very first entry into my system and if I can secure myself against that, all other features become less important.

    Surfright hasn't replied to my e-mail to support on November 10th regarding this issue. If they asked me for something, of course I would try to provide it.
     
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This is normal with the Beta.
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert 3.1 Build 337 RC

    Changelog
    • Improved ROP mitigation on Skylake processors
    • Improved Application Lockdown
    • Fixed BSOD in hmpnet.sys
    • Fixed Application Lockdown on Foxit Reader updater
    • Updated network component hmpnet.sys
    Download
    http://test.hitmanpro.com/hmpalert3b337.exe
     
    Last edited: Nov 18, 2015
  17. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Hi Erik,

    Every so often (not predictable) when I open a PDF file on my W7 64-bit rig with Adobe Reader, HMPA (3.1.0 b334 beta) raises the following alert (pulled from the Windows Event Viewer). Please let me know if you have any ideas as to the source of the issue.

    Mitigation StackExec

    Platform 6.1.7601/x64 06_2a
    PID 6368
    Application C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    Description Adobe Acrobat Reader DC 15.9

    Callee Type ProtectVirtualMemory
    0x003AD95C (4096 bytes)

    Base 0x002B0000
    Stack top 0x0039D000
    ESP 0x003AD650
    Stack bottom 0x003B0000

    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 74C9F7C6 hmpalert.dll +0x4f7c6

    2 0E415FEA AcroRd32.dll WinMain
    8b4dbc MOV ECX, [EBP-0x44]
    8b45b4 MOV EAX, [EBP-0x4c]
    8901 MOV [ECX], EAX
    eb20 JMP 0xe416014

    3 0E29162F AcroRd32.dll ??0CTJPEGWriter@@QAE@XZ
    4 759862FA user32.dll gapfnScSendMessage
    5 75986D3A user32.dll GetThreadDesktop +0xd7
    6 7598965E user32.dll GetWindow
    7 7599617A user32.dll SendMessageA +0x4c
    8 0E4CA81C AcroRd32.dll AX_PDXlateToHostEx
    9 0E4CA765 AcroRd32.dll AX_PDXlateToHostEx
    10 0E4CA9C4 AcroRd32.dll AX_PDXlateToHostEx

    Code Injection
    01200000-01201000 4KB C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe [2916]
    01201000-01202000 4KB
    005A0000-005A2000 8KB
    005B6000-005B7000 4KB
    77490000-77491000 4KB
    7748F000-77490000 4KB
    77491000-77492000 4KB
    011FC000-011FD000 4KB
    1 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe [2916]
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "D:\Users\HempOil\Desktop\Shared Space\flu_uiip_TIV_factsheet_2015-16_en.pdf"
    2 C:\Windows\explorer.exe [3184]
    C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding

    Process Trace
    1 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe [6368]
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --channel=2916.0.1586117100 --type=renderer "D:\Users\HempOil\Desktop\Shared Space\flu_uiip_TIV_factsheet_2015-16_en.pdf"
    2 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe [2916]
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "D:\Users\HempOil\Desktop\Shared Space\flu_uiip_TIV_factsheet_2015-16_en.pdf"
    3 C:\Windows\explorer.exe [3184]
    C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Thank you for this report. Adobe is marking the stack executable, which is not allowed. We are investigating why Adobe is doing this.
     
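    The StackExec alert HempOil quoted and Erik's explanation of it can be checked mechanically. As an added example (not code from the thread, from HempOil, or from SurfRight), here is a small Python parser for the fields of that alert that performs the same test the mitigation performs: does the region being passed to ProtectVirtualMemory overlap the thread's own stack range? The sample text is a constructed copy of the alert fields above; function names and the field regexes are my own assumptions about the log layout, not an official format description.

```python
import re

# Constructed sample: the essential fields of the StackExec alert quoted in the thread.
SAMPLE_ALERT = r"""Mitigation StackExec

Platform 6.1.7601/x64 06_2a
PID 6368
Application C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Description Adobe Acrobat Reader DC 15.9

Callee Type ProtectVirtualMemory
0x003AD95C (4096 bytes)

Base 0x002B0000
Stack top 0x0039D000
ESP 0x003AD650
Stack bottom 0x003B0000
"""

# Regexes assumed from the layout of the quoted alert (one "Key Value" pair per line).
FIELD_RE = {
    "mitigation": re.compile(r"^Mitigation\s+(\S+)", re.M),
    "pid": re.compile(r"^PID\s+(\d+)", re.M),
    "application": re.compile(r"^Application\s+(.+)$", re.M),
    # "Callee Type <api>" followed on the next line by "0x<addr> (<n> bytes)"
    "callee": re.compile(r"^Callee Type\s+(\S+)\s+0x([0-9A-Fa-f]+)\s+\((\d+) bytes\)", re.M),
    "stack_top": re.compile(r"^Stack top\s+0x([0-9A-Fa-f]+)", re.M),
    "esp": re.compile(r"^ESP\s+0x([0-9A-Fa-f]+)", re.M),
    "stack_bottom": re.compile(r"^Stack bottom\s+0x([0-9A-Fa-f]+)", re.M),
}


def parse_stackexec_alert(text):
    """Extract the fields needed to reason about a StackExec alert into a dict."""
    def grab(key):
        m = FIELD_RE[key].search(text)
        if not m:
            raise ValueError(f"field {key!r} missing from alert text")
        return m
    callee = grab("callee")
    return {
        "mitigation": grab("mitigation").group(1),
        "pid": int(grab("pid").group(1)),
        "application": grab("application").group(1).strip(),
        "callee_type": callee.group(1),
        "region_start": int(callee.group(2), 16),   # address handed to the protect call
        "region_size": int(callee.group(3)),        # size in bytes of that region
        "stack_top": int(grab("stack_top").group(1), 16),
        "esp": int(grab("esp").group(1), 16),
        "stack_bottom": int(grab("stack_bottom").group(1), 16),
    }


def region_on_stack(alert):
    """True if the region being made executable overlaps the thread's stack.

    On Windows the stack grows downward, so in this alert "Stack top" is the
    low limit and "Stack bottom" is the high base; a region making any part of
    [stack_top, stack_bottom) executable is what the StackExec mitigation blocks.
    """
    lo, hi = alert["stack_top"], alert["stack_bottom"]
    start = alert["region_start"]
    end = start + alert["region_size"]
    return start < hi and end > lo


def summarize(alert):
    """One-line triage string for the alert."""
    verdict = ("region overlaps thread stack" if region_on_stack(alert)
               else "region outside thread stack")
    return (f"{alert['mitigation']} pid={alert['pid']} {alert['callee_type']} "
            f"0x{alert['region_start']:08X}+{alert['region_size']} -> {verdict}")


if __name__ == "__main__":
    print(summarize(parse_stackexec_alert(SAMPLE_ALERT)))
```

For the quoted alert the flagged 4 KB at 0x003AD95C lies between Stack top (0x0039D000) and Stack bottom (0x003B0000), and ESP (0x003AD650) sits a few hundred bytes below it, so the parser reports the same thing Erik states: the stack itself was being marked executable. A legitimate JIT or unpacker marks heap or image memory executable, never the live stack, which is why this is treated as a mitigation event rather than noise.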
  19. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Glad to hear it's Adobe's fault. I forgot to mention that I had experienced it in previous builds of HMPA, but in light of your analysis, it's irrelevant. I look forward to the results of your investigation, and now I'll upgrade to build 337.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    :thumb: All good here so far, thanks!
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Before this makes it to stable will you still try and fix #7444?
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Last edited: Nov 18, 2015
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    :thumb: All good here so far, thanks!
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    3.1.0 build 337RC 338RC :)
    How can I do a "cleaner" un-install so that stats and applications are not pre-loaded on re-install?
    When do files populate to C:\Windows\CryptoGuard?
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Just choose Reset Settings from the gear icon at the top right of the GUI.
     