HitmanPro.ALERT Support and Discussion Thread

Ah! Thanks guys. I know for next time now.

Cheers!

 

Thanks for that tip. I am about to do the same, so will no doubt have encountered this issue.

 

I installed HMPA beta, will it automatically update to next beta?
If not, how can I be informed about new betas?

 

The best way to become aware of new beta releases (and new stable releases as well) is to check this thread regularly. IIRC HMPA will only auto-update when Surfright pushes out a new stable build, and sometimes that lags the release date a fair bit too.

 

how do you add something to exclusions?

 

See Peter's instructions:

 

"CryptoGuard works at the file system level and does not conflict with full disk encryption software like Microsoft BitLocker, Sophos SafeGuard or TrueCrypt."

This statement from HMP.A's home page is not 100% true at least concerning BitLocker...

I have been running Windows 10 Enterprise LTSB on a workstation hard disks encrypted with BitLocker and HMP.A active for some time without problems. Then it was time to replace the system disk, so I swapped in the new disk and restored the full backup.

At this point the new system disk was naturally unencrypted, so I had to enable BitLocker on the new disk and let it do the initial encryption. When I let Windows to prepare the disk for BitLocker (e.g. shrink the system disk volume to create the extra parition BitLocker needs), HMP.A WipeGuard intercepted the operation:


Unfortunately the interception was not successful. Windows was able to shrink the system volume and create a new 350 MB large volume for BitLocker at the end of the disk, but the system did not boot up any longer:


After fixing the BCD store and reinstalling BOOTMGR I configured HMP.A's Action mode to "Silent audit" and started the encryption again - to my surprise with exactly the same results: Yet another 350 MB partition at the end of the system disk (which BitLocker was unable to use due to the HMP.A interception) and broken boot files.

After uninstalling HMP.A completely and repairing the boot files again, I managed creating a third 350 MB partition that BitLocker agreed to use and I was able to start the disk encryption.

After that I reinstalled HMP.A again and everything has been running smoothly ever since.

I think that HMP.A should be checked / fixed where necessary :

1. Not to intercept with BitLocker disk preparation process
2. When intercepting an operation it considers harmful, preferably do it before the harm is done (a new partition was created now, and the system disk also went to a non-bootable state)
3. When running in "Silent audit" mode, not intercept operations is may consider harmful.

 

I think there was no need to uninstall HMP.A completely.
Temporarily disabling HMP.A CryptoGuard should probably have been sufficient.
(For disk management without encryption, temporarily disabling HMP.A CryptoGuard MBR protection (= WipeGuard) should be sufficient.)

I think you're right.

 

I have beta tested HMPA in the past, and tried stable releases several times. I have always had issues and never kept HMPA installed for long. The total amount of time I have actually had HMPA installed would be measured in hours, not days.

I would like to give HMPA another try. But the license I was kindly given quite awhile ago will not work due to too many activations (apparently, from me installing/activating new versions several times). HMPA will also not let me activate a trial license, saying the trial has expired. Am I going to have to buy a license and hope I don't have issues?

 

I think it would be a good idea for HMPA to give the user an option when something is blocked. At least at times when the user is installing something they trust. Perhaps they could allow the user to toggle a choice in settings. Don't allow me to install, or allow me to install. something like that. The only issue I have had with it is having to tweak it (on or off or add an exclusion) when all I want to do is install a program. Any thoughts?

 

i requested it long time ago, they say they will implement it somedays , no ETA.

 

Send an email to support@hitmanpro.com. If your license is still unexpired they will reactivate it. I had the same problem last week.

 

I am having trouble with false positive with SNS-HDR Home v2.0.1.1.
I put the software in exclusions and now all is well.
Hello!

Nome registro: Application
Origine: HitmanPro.Alert
Data: 27/08/2016 18:07:50
ID evento: 911
Categoria attività [9]
Livello: Errore
Parole chiave: Classico
Utente: N/D
Computer: *****
Descrizione:
Mitigation Lockdown

Platform 6.1.7601/x64 06_2a
PID 6848
Application C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe
Description 0.0

Filename C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe
Created By C:\Program Files\SNS-HDR Home 2\ExifTool.exe


Process Trace
1 C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe [6848]
C:\Program Files\SNS-HDR Home 2\ExifTool.exe -overwrite_original -icc_profile<=C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/colorprofile.icc -software=SNS-HDR Home 2.0 C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/image.tmp
2 C:\Program Files\SNS-HDR Home 2\ExifTool.exe [6468]
"C:\Program Files\SNS-HDR Home 2\ExifTool.exe" -overwrite_original "-icc_profile<=C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/colorprofile.icc" "-software=SNS-HDR Home 2.0" "C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/image.tmp"
3 C:\Program Files\SNS-HDR Home 2\SNS-HDR Home.exe [4188]
"C:\Program Files\SNS-HDR Home 2\SNS-HDR Home.exe" "D:\DATI\Fotografia\Raw\Nef\Cima.Vezzena_00001.nef"
4 C:\Program Files\ACD Systems\ACDSee Pro\9.0\ACDSeePro9.exe [6612]
5 C:\Windows\explorer.exe [4352]
6 C:\Windows\System32\userinit.exe [4280]

XML evento:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="HitmanPro.Alert" />
<EventID Qualifiers="0">911</EventID>
<Level>2</Level>
<Task>9</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-08-27T16:07:50.000000000Z" />
<EventRecordID>66470</EventRecordID>
<Channel>Application</Channel>
<Computer>zagor</Computer>
<Security />
</System>
<EventData>
<Data>C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe</Data>
<Data>Lockdown</Data>
<Data>Mitigation Lockdown

Platform 6.1.7601/x64 06_2a
PID 6848
Application C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe
Description 0.0

Filename C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe
Created By C:\Program Files\SNS-HDR Home 2\ExifTool.exe


Process Trace
1 C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe [6848]
C:\Program Files\SNS-HDR Home 2\ExifTool.exe -overwrite_original -icc_profile&lt;=C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/colorprofile.icc -software=SNS-HDR Home 2.0 C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/image.tmp
2 C:\Program Files\SNS-HDR Home 2\ExifTool.exe [6468]
"C:\Program Files\SNS-HDR Home 2\ExifTool.exe" -overwrite_original "-icc_profile&lt;=C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/colorprofile.icc" "-software=SNS-HDR Home 2.0" "C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/image.tmp"
3 C:\Program Files\SNS-HDR Home 2\SNS-HDR Home.exe [4188]
"C:\Program Files\SNS-HDR Home 2\SNS-HDR Home.exe" "D:\DATI\Fotografia\Raw\Nef\SpitzVerle_00001.nef"
4 C:\Program Files\ACD Systems\ACDSee Pro\9.0\ACDSeePro9.exe [6612]
5 C:\Windows\explorer.exe [4352]
6 C:\Windows\System32\userinit.exe [4280]
</Data>
</EventData>
</Event>

 

I added winrar to exploit mitigation (under the "other" category)
In the past, I needed to disable some of the mitigations, in order for winrar to be able to extract.
But no more. with all mitigations enabled, it is capable of extracting.
Has something changed in HMPA, or maybe my protection is not working right?
HMPA latest beta
winrar 5.40 x64

 

I have never tried the portable version of MPC-HC; I have always used the standard .exe extracted using 7-Zip. MPC-HC seems to function as a portable application would, without the need to follow a specific installation process or maintain a specific installation location. I simply run the mpc-hc.exe executable from within the MPC-HC folder wherever that happens to be located.

I use an old Windows 2008 R2 server has a HTPC with a drive mapped to a folder containing multiple MPC-HC configurations. MPC-HC has a neat feature where all settings can be stored in an mpc-hc.ini file located in the same folder as mpc-hc.exe.

M:\Players\English\MPC-HC\mpc-hc.exe
M:\Players\Russian\MPC-HC\mpc-hc.exe
M:\Players\French\MPC-HC\mpc-hc.exe
M:\Players\5.1\mpc-hc.exe
M:\Players\6.1\MPC-HC\mpc-hc.exe
M:\Players\7.1\MPC-HC\mpc-hc.exe
M:\Players\NoSubs\MPC-HC\mpc-hc.exe
M:\Players\16-9\MPC-HC\mpc-hc.exe

HMPA seems to now block MPC-HC when opening a media file. Dealing with similar issues in the past I’ve normally chosen to add the app to the exclusions list by path. That technique does not appear to work for non-local drives.

Thinking this may be an artificial limit I examined the HitmanPro.Alert registry settings to see how exclusions are applied. It seems various “protection profiles” exist within the registry each with its own unique set of exclusions and often based on a specific exclusion template.

HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_

Where I had previously excluded the local mpc-hc.exe there was a registry entry that included a string value containing the path to the executable along with a specific protection profile, C:\Program Files\MPC-HC\mpc-hc.exe and 123A-4BC5.

HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\mpc-hc.exe

I guessed I could create a profile which included all the same entries associated with the Exclude template. From within the registry editor I added a random profile “1111-1111” then included a second mpc-hc.exe exclusion string having the path M:\Players\MPC-HC\mpc-hc.exe using the data value 1111-1111, the profile I wished to associate with this exclusion entry.

After a restart I found from the HMPA interface (Advanced interface\Exploit Mitigations\Applications\Exclude) an entry was now included for the networked version of MPC-HC and opening a media file no longer triggers the false detection.

 

Been using HMPA for a while (cryptguard & vaccination are disabled), and it works near perfectly. Only 2 problems I have are:
1. key stroke glich (a wrong 1-char output) when I typed too fast or when I just swiched imput mode for Asian language (I experienced it too in Keyscrambler). It's a bit annoying but not a serious matter.
2. In event viewer, HMPA constantly fail in its update. I remember in past there're some such report, but did I make sth wrong? Ofc hmpalert.exe as well as hitmanpro_x64.exe is allowed in firewall.

I thougt it was requested by someone in the past, but there's still no option to perform EWS scan in HMP? Is their any registry entry to make HMP to perform EWS scan when evoked via HMPA?

BTW, HMPA seems to have least priviledge (almost same as EMET except for SeBackupPrivilege & SeRestorePrivilege which are probably for cryptguard), and all components of it have CFG enabled is fantastic! Even EMET doesn't have CFG enabled, as long as any other competitor and big AVs I tested.

Only concern I have is, all of HMPA communications including license check seems to be through plain http, tho HMP uses https for 1 address. I hope at least product update uses https, as there have been actual ITW attacks that hijack product's update. I though MBAM/MBAE also had this type of vuln tho not attacked.

 

IIRC the error in the event viewer does not mean HMPA failed to update, it means HMPA failed to find an update (in other words no update was available). They should fix that as it causes unnecessary concern.

 

That "bug" was solved in the recent betas for me (beginning w/552b, IIRC). Are you using the non-beta?

 

Erik, sent you a mail.

 

I just purchased an HMPA license. When I had HMP alone installed, I used to enable the option to scan at startup. I can't find this option in HMPA to save my life. Am I overlooking it?

Also, I maintain a custom hosts file. I wish there was a way to make HMPA permanently ignore (i.e. not even show) a non-standard hosts file.

 

Open HMP -> Settings -> Scan -> When -> At Startup

 

Thanks, but I'm still not seeing it. I normally have just the HMPA window, and those settings do not have anything related to "Scan". When I invoke a scan (from the HMPA window), the HMP process runs from a temp directory (C:\Users\[user name]\AppData\Local\Temp\HitmanPro_x64.exe), and there are no settings accessible at all in that window.

I'm guessing I would have to install HMP separately to obtain that feature...

 

I'm not sure why deugniet mentioned the mail to Erik here.
I suppose Erik will find the mail in his inbox, I don't see why to mention it here.
But anyhow, I see deugniet's intention.

However, I don't understand what you mean, Telos, saying "Didn't make it here".
Did you expect deugniet to post his mail here at the forum?
Or did you mean Erik didn't reply to an e-mail that you sent?
In that case, Erik is or was on holiday, so I suppose you'll need to give him some time.

 

Well, that didn't take long. Already found a problem. I have colored border enabled (auto-hide disabled), and now, none of my applications are showing with the colored border anymore. So, what's the fix? Let me guess:

* I/we cannot reproduce, so it's not an issue.
* Uninstall/reinstall.
* Don't worry about it; it's not a big deal.

Aaaaand... Found another problem. Sometimes when I hit Alt-Tab, the displayed apps just hang there after the keys are released. Never happened before.