HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    This would be on a Windows 7 system. The older, "anti-malware" version of Windows Defender would be running. The system would also have HMP.A, Heimdal Pro, and Spybot Search & Destroy, with uBlock Origin on Firefox.

    Not saying I would actually do this BTW, just curious at this point.
     
  2. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Definitely! :)

    I'll take a look at VoodooShield, that sounds interesting. Thanks! :thumb:
     
  3. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
  4. Headcool

    Headcool Registered Member

    Joined:
    Dec 8, 2015
    Posts:
    8
    Don't use the Gutmann method. On modern hard disks this is not necessary and will only do harm.
    The probability to restore a bit on a new drive is about 92%, on a used one it is 56%.
    The probability to restore a byte (=one character) on a new drive is about 51%, on a used one it is 0.97%.
    The probability to restore a 500-character long text (500 bytes, 1 byte per character) on a new drive is 1.42%*10^-143.

    Overwrite your data once. If you are paranoid overwrite it twice.

    Source: https://www.vidarholen.net/~vidar/overwriting_hard_drive_data.pdf
     
  5. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    On my Vista HP SP2 x64 system, yesterday the computer started acting very sluggish. A visit to Task Manager showed that it was at 100% CPU and almost 90% RAM utilization, and that the bulk of this was due to high usage of both by HMP.A (build 603).

    It was so slow that I had to kill the HMPA processes in Task Manager, whereupon the system became responsive as normal.

    Memory leak?

    Event Viewer showed two 7031 events and one 7034 event for about the time that I killed the HMP.A processes. Here they are:
    Code:
    - System
    
      - Provider
    
       [ Name]  Service Control Manager
       [ Guid]  {555908D1-A6D7-4695-8E1E-26931D2012F4}
       [ EventSourceName]  Service Control Manager
     
      - EventID 7031
    
       [ Qualifiers]  49152
     
       Version 0
     
       Level 2
     
       Task 0
     
       Opcode 0
     
       Keywords 0x80000000000000
     
      - TimeCreated
    
       [ SystemTime]  2017-06-15T22:20:36.000Z
     
       EventRecordID 4265292
     
       Correlation
     
      - Execution
    
       [ ProcessID]  0
       [ ThreadID]  0
     
       Channel System
     
       Computer XXXXXXXX-PC
     
       Security
     
    
    - EventData
    
      param1 HitmanPro.Alert service
      param2 2
      param3 10000
      param4 1
      param5 Restart the service
    
    and
    Code:
    - System
    
      - Provider
    
       [ Name]  Service Control Manager
       [ Guid]  {555908D1-A6D7-4695-8E1E-26931D2012F4}
       [ EventSourceName]  Service Control Manager
     
      - EventID 7034
    
       [ Qualifiers]  49152
     
       Version 0
     
       Level 2
     
       Task 0
     
       Opcode 0
     
       Keywords 0x80000000000000
     
      - TimeCreated
    
       [ SystemTime]  2017-06-15T22:21:08.000Z
     
       EventRecordID 4265294
     
       Correlation
     
      - Execution
    
       [ ProcessID]  0
       [ ThreadID]  0
     
       Channel System
     
       Computer XXXXXXXX-PC
     
       Security
     
    
    - EventData
    
      param1 HitmanPro.Alert service
      param2 3
    
    The same thing happened last month with a previous stable build, where the computer became very slow and I ended up having to kill HMP.A and eventually reboot to bring back its protections.
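As an added example (not code from the thread or from HitmanPro), the two Service Control Manager records above can be reduced to a per-service crash summary; this parser assumes the flattened Event Viewer dump layout shown in the post and the standard 7031/7034 parameter meanings (param1 service name, param2 "has done this N time(s)" counter, param5 recovery action).

```python
from collections import defaultdict

# Constructed sample: the two Service Control Manager events from the post,
# flattened the way the forum "Code:" blocks show them (only the fields used here).
SAMPLE_DUMP = """
- EventID 7031
 [ SystemTime]  2017-06-15T22:20:36.000Z
 EventRecordID 4265292
 param1 HitmanPro.Alert service
 param2 2
 param3 10000
 param4 1
 param5 Restart the service
- EventID 7034
 [ SystemTime]  2017-06-15T22:21:08.000Z
 EventRecordID 4265294
 param1 HitmanPro.Alert service
 param2 3
"""

# SCM event IDs for "service terminated unexpectedly":
# 7031 = a recovery action is scheduled, 7034 = no further recovery action.
CRASH_EVENT_IDS = {7031, 7034}

def parse_scm_dump(text):
    """Split an Event Viewer details dump into one dict per '- EventID' record."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- EventID"):
            cur = {"EventID": int(line.split()[-1])}
            events.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("["):            # "[ Key]  value" form
            key, _, value = line[1:].partition("]")
            cur[key.strip()] = value.strip()
        else:                                  # "Key value" form
            key, _, value = line.partition(" ")
            cur[key] = value.strip()
    return events

def summarize_crashes(events):
    """Per service: crash events in order, highest crash counter seen, and whether
    SCM stopped restarting it (a 7034 following a 7031 for the same service)."""
    by_service = defaultdict(lambda: {"events": [], "max_count": 0, "recovery_exhausted": False})
    for ev in events:
        if ev["EventID"] not in CRASH_EVENT_IDS:
            continue
        s = by_service[ev["param1"]]
        s["events"].append((ev["SystemTime"], ev["EventID"]))
        s["max_count"] = max(s["max_count"], int(ev.get("param2", 0)))
        if ev["EventID"] == 7034 and any(e == 7031 for _, e in s["events"]):
            s["recovery_exhausted"] = True
    return dict(by_service)
```

A rising param2 counter across a short window, ending in a 7034, is the pattern to alert on: the service is crash-looping and the recovery policy has run out.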
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  7. guest

    guest Guest

    HitmanPro.Alert v3.6.7 Build 604 is now available
    https://www.hitmanpro.com/en-us/downloads.aspx
    Build 604 (2017-06-22)
    • Added Asynchronous Procedure Call (APC) mitigation which protects against the DoublePulsar code injection. This mitigation is part of Risk Reductions > Process Protection.
    • Improved CryptoGuard
    • Improved compatibility with Steam
    • Improved path translation for thumbprints
    • Improved DLL injection to respect Protected Process and Trustlets
    • Fixed compatibility when installing inside QEMU/KVM hypervisor
    • Fixed compatibility with Symantec Endpoint Protection on Windows XP
    • Fixed compatibility with Firefox 52 (or newer) on Windows XP
     
    Last edited by a moderator: Jun 26, 2017
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
  9. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    Are the Loman bros still around here?
    Anybody know what to do to stop HMPA from blocking portable apps from running?
     
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Are you getting a message from HMPA or are the portable apps just refusing to run?
     
  11. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I recently noticed that with one portable program, and I was mystified. I wonder if it could indeed be HMPA, because it runs fine on another machine without HMPA.

    But it doesn't seem to be all portable programs here. Tried some others and they run OK.

    @imdb What version of HMPA are you running?

    Edit: Tracked it down now to Process Protection>Code Cave Mitigation (CTP4). Thanks for the heads up. Btw the portable app was Process Piglet from DonationCoder.
     
  13. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Interesting. I don't believe that has the Process Protection mitigation (above) that I have now disabled. So your issue is different ...
     
    Last edited: Jun 26, 2017
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Windows Error Message upon updating HMPA

    This AM I received a HMPA Notification of an Upgrade to be installed after restart.

    After clicking "Restart" I got a light blue Windows Error Screen (the one that has what looks like a vertical smile in the upper left-hand corner): "Windows has detected an error on your system and is collecting information" (or something very close to that). It finished that collection from 0% to 100% in approx. 10 seconds.

    My PC started normally, and after the restart HMPA 3.6.7 Build 604 is the version of HMPA I have on my PC. Is that what it should be??

    NVM - Event log shows it was OEM App Update Checker that had the error, BUT is my version of HMPA what it should be?

    OS WIN 1067 64X
     
    Last edited: Jun 26, 2017
  16. guest

    guest Guest

    A changelog has been published:

    https://www.hitmanpro.com/en-us/whatsnewalert.aspx
    Build 604 (2017-06-22)
    • Added Asynchronous Procedure Call (APC) mitigation which protects against the DoublePulsar code injection. This mitigation is part of Risk Reductions > Process Protection.
    • Improved CryptoGuard
    • Improved compatibility with Steam
    • Improved path translation for thumbprints
    • Improved DLL injection to respect Protected Process and Trustlets
    • Fixed compatibility when installing inside QEMU/KVM hypervisor
    • Fixed compatibility with Symantec Endpoint Protection on Windows XP
    • Fixed compatibility with Firefox 52 (or newer) on Windows XP
     
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
  18. guest

    guest Guest

    Yes. The changelog was not available last week.
    HMP.A has auto-updated to build 604 and this is the latest stable version.
     
  19. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    APC mitigation is missing on my PC o_O (AutoUpdate)


    10 x64 build 15063.413 (Creator Update)
     
  20. Houley456

    Houley456 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    195
    Mine too.....
     
  21. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    txs for the quick reply :): OS?
     
    Last edited: Jun 26, 2017
  22. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I don't believe the APC mitigation can be toggled; it isn't displayed in the UI as a separate option.
     
  23. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    mmmm, I'd like a reply from the Loman brothers since I'm not fully convinced by your answer (anyway, txs for the input Vic. :))
    If so, in fact, it is the first time that a mitigation is darkened from the UI (see e.g. also CTP and how it "manages" the new mitigation)...
     
    Last edited: Jun 26, 2017
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I just checked my test system where I have CTP installed, and you're correct that in CTP4 ( 3.7.0.710 ) Asynchronous Procedure Calls, along with a number of other mitigations, is displayed as a separate item which can be enabled/disabled, but the only item listed under process protection in the stable 3.6.7.604 is DLL Hijacking.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Was APC a separate item in v603 beta? Maybe this mitigation is still too problematic for the stable release.

    In CTP4 I have had to disable Local Privilege Mitigation and Code Cave Mitigation for now.
     