HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    To make the HMP scanner resident, just run the .exe that HMPA downloads to the user temp path during the online scan. Then when you click "Next" to run the scan again, you will be presented with this window to select the options to store a local copy. You can find it here: C:\Users\'username'\AppData\Local\Temp.

     
  2. plat1098

    plat1098 Guest

    OK, got it. Thank you, it's really appreciated. :)
     
  3. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    I've had to do this a couple of times and it can be a pain if they are on holiday or something. I just installed AdGuard and they have this brilliant button called "Reset License" that unbinds it from the present computer to allow for transfer to another computer. This type of functionality would be a very useful addition to HMPA. Just saying :)
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Malwarebytes has a similar feature.
     
  5. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,243
    Moved this post from BETA

    ROP Hmp.Alert build 723, Sandboxie 5.22 and Firefox 57.0.1.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 30-11-2017 08:09:56
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation ROP

    Platform 10.0.16299/x64 v723 06_5e
    PID 8264
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 57

    Callee Type LoadLibrary

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFE81D6966D KernelBase.dll
    2 00007FFE85848508 ntdll.dll
    3 00007FFE85830F56 ntdll.dll __C_specific_handler +0x96
    4 00007FFE85844C3D ntdll.dll __chkstk +0x11d
    5 00007FFE857BD1B8 ntdll.dll
    6 00007FFE85843B6E ntdll.dll KiUserExceptionDispatcher +0x2e

    7 00007FFE3CD64B9E xul.dll
    cc INT 3

    8 00007FFE3D10F90A xul.dll
    9 00007FFE3D0F8E66 xul.dll
    10 00007FFE3CE09EF6 xul.dll

    Code Injection
    0000000000BC0000-0000000000BC6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2336]
    0000000000BD0000-0000000000BD1000 4KB
    00007FFE85819000-00007FFE8581A000 4KB
    000001DE89C3B000-000001DE89C3C000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [17656]
    00007FFE85840000-00007FFE85841000 4KB
    00007FFE85842000-00007FFE85843000 4KB
    00007FFE8583F000-00007FFE85840000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
    2 C:\Windows\System32\services.exe [900]
    3 C:\Windows\System32\wininit.exe [788]
    wininit.exe
    1 C:\Program Files\Mozilla Firefox\firefox.exe [17656]
    2 C:\Program Files\Sandboxie\Start.exe [9476]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\****\Desktop\Firefox 57.0.lnk"
    3 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
    4 C:\Windows\System32\services.exe [900]
    5 C:\Windows\System32\wininit.exe [788]
    wininit.exe

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [8264]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17656.12.1897105222\717771794" -childID 2 -isForBrowser -intPrefs 5:50|6:-1|28:1000|34:20|35:5|36:10|45:128|46:10000|51:0|53:400|54:1|55:0|56:0|61:0|62:120|63:120|98:2|99:1|114:5000|124
    2 C:\Program Files\Mozilla Firefox\firefox.exe [17656]
    3 C:\Program Files\Sandboxie\Start.exe [9476]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\****\Desktop\Firefox 57.0.lnk"
    4 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
    5 C:\Windows\System32\services.exe [900]
    6 C:\Windows\System32\wininit.exe [788]
    wininit.exe

    Thumbprint
    7e016af425dd8125a9190f43f3da3d150b3c68d6cd73d7ad8ebefe5a0f4d5f4b
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Tx Deugniet,
    Sandboxie is on our list of things to do.
     
  7. plat1098

    plat1098 Guest

    It occurs when launching Internet Explorer also. Thank you for acknowledging this.
     
  8. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,347
    Location:
    Location Unknown
    Is there a way to exclude 1password from keyboard encryption so that I can still use it in conjunction with HMPA?
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
  10. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Sounds like Google is telling developers to stop injecting code into their browser, and offering ways to shift to extensions or native messaging. I'm OK with that.
     
  11. guest

    guest Guest

    Will impact mostly sandboxes, Anti-exploits and AV with active web filters; I'm sure a workaround will be found.
     
  12. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    One of my HMP.A systems is running Vista Home Premium SP2 x64. It has build 604 and has not received the notice about the update to build 723. Also, I rebooted it a few days ago for unrelated reasons, and the build did not change then.

    Is it that the new build is being sent out in waves and my PC just hasn't gotten it yet? Or is this the end of the road for HMP.A on Vista?
     
  13. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    Is there any way to add exclusions to the real-time anti-malware component? Kaspersky's engine is using the "enhanced" detection set that flags stuff like Windows IRC clients.

    Also, I haven't used HMP.alert in a long time due to the issue w/windows update not working. Happy to see keystroke encryption still causes trouble with alt+tab $years in. Any chance of this being fixed? It's super annoying.
     
    Last edited: Dec 2, 2017
  14. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    We even support Windows XP, so Windows Vista is certainly supported. Do you have a third-party firewall on your machine perhaps which is blocking the download of the update?
     
  15. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    The PC has the Norton Firewall (from Norton 360), but it hasn't prevented earlier versions of HMP.A from updating. :doubt:

    BTW, I'm thankful that you still support XP (and Vista). :thumb:
     
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Wha iz dis ebowt?

    "Mitigation CredGuard

    Platform 10.0.16299/x64 v723 06_3c
    PID 9380
    Application C:\Windows\System32\SrTasks.exe
    Description Microsoft® Windows System Protection background tasks. 10

    SAM access denied.

    Range = LBA 6454272 :128
    Read = LBA 6454272 :80"
     
  17. guest

    guest Guest

    The same here (CredGuard - SrTasks.exe): #825
    I would disable the SAM protection:
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    @mood

    Thanks for the info and recommendation :)
     
  19. Rebecca_valentine

    Rebecca_valentine Registered Member

    Joined:
    Dec 2, 2017
    Posts:
    5
    Location:
    India
    I had bought HitManPro.alert just a few days back. Everything is fine, except that the "anti malware" feature is disabled. Even if I enable it, it goes back to being disabled. I can run scans, but the real time feature is disabled. I use Avira free anti virus as my primary AV on my Windows 10 system. Can anyone help me out, please?
    Thanks a lot. https://imgur.com/BkkJOae https://imgur.com/6NoZ3YW
     
  20. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    I encountered a reproducible crash of build 723 on Win10 running fall creators update. I was reinstalling Overwatch using the battle.net downloader, passing ~22MB/sec of traffic and hmpalert.exe crashed and borked my network connectivity until I rebooted. I don't have realtime antimalware enabled (due to FPs w/the enhanced Kaspersky detection set which I mentioned earlier in the thread) and I don't have keystroke encryption enabled because of the "latching" effect on alt+tab.

    Info from event viewer if it's helpful:

    Faulting application name: hmpalert.exe, version: 3.7.1.723, time stamp: 0x5a0c5489
    Faulting module name: hmpalert.exe, version: 3.7.1.723, time stamp: 0x5a0c5489
    Exception code: 0xc0000409
    Fault offset: 0x00232b82
    Faulting process id: 0x305c
    Faulting application start time: 0x01d36b2521cbff88
    Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Faulting module path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Report Id: 5a1832e4-9c94-4936-9cf5-0ed7fa6493ea
    Faulting package full name:
    Faulting package-relative application ID:
     
    Last edited: Dec 2, 2017
  21. guest

    guest Guest

    Try to disable Network Lockdown, maybe it helps.
     
  22. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    I removed hmpalert for now, but I'll give that a shot if I reinstall it on this machine later.
     
  23. NZDragon

    NZDragon Registered Member

    Joined:
    Dec 3, 2017
    Posts:
    1
    Location:
    UK
    Using latest version (and only happened since that installed a couple of weeks ago). Running a file lock app can only see 2 locks on EFI by MS system. Set HMP service to disabled and rebooted. Rechecked locks and same MS locks in place. However, with HMP service disabled the image backup completes OK. Restart HMP service and retry image backup and it fails again with locks on EFI disk.
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Try adding hmpalert.exe to Avira's file exclusion list. See here:

    https://blog.avira.com/exceptions-avira-antivirus-3-steps/
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Dunno why your scans are failing but @Victek's possible solution looks promising.

    Respecting HMPA Anti-Malware Real Time self-disabling, you have to click the GUI twice to lock Anti-Malware RT Protection "Enabled."

    I usually first click on "Disabled" (dunno, maybe clicking anywhere in the Anti-Malware black block would also work) and then click on "Enabled."

    Hope this helps,

    hawki
     