HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    Shortly after upgrading to build 723, I upgraded Windows 10 to the Fall Creators Update, plus there was an update to Comodo Internet Security. I then started to get a bunch of random BSOD's. I used the utility WhoCrashed to give me some visibility into the mini dumps and it kept saying it was related to ntoskrnl.exe, which can point to RAM issues. I ran the Windows Memory Diagnostic and it did not find any issues with my RAM. So, I assumed that one of these three updates was not playing well together. I had been planning to do a clean install of Windows 10 FCU anyways (the upgrade was a test run to look for issues), so I proceeded to do so. However, I wanted to slowly ease back into HMP.A and Comodo to see if any BSOD's crop up. I installed Windows on November 29th. I installed HMP.A on December 1st. I have not seen any BSOD's up to today. However, I did find some interesting information in the Comodo Forums found here (see below in green), but I haven't reinstalled Comodo yet so I can't confirm. I'm wondering if any other members of this forum have tested this combination?

    Re: Comodo Internet Security v10.0.2.6420 (Hotfix) Released
    « Reply #126 on: November 30, 2017, 11:41:02 PM »

    My problem seems to have been solved by removing HitmanPro Alert. After uninstalling it I installed Comodo Antivirus 10 again and rebooted as part of the installation process. No BSOD this time! I was triggered by a message from umesh that development found hmpalert.sys to be a possible trigger for the issue (I sent in dumps and logs), which I recognized as being part of HitmanPro Alert.

    I'm now running Comodo Antivirus 10.0.2.6420 with the latest database. If you're running HitmanPro Alert also, you might want to try to disable/remove it to see if your issues are solved also.

    Thanks umesh and others at Comodo!
     
  2. Rebecca_valentine

    Rebecca_valentine Registered Member

    Joined:
    Dec 2, 2017
    Posts:
    5
    Location:
    India
    Thank you so much for the reply :)

    I did this & I could enable the anti malware option. I minimized the application & checked it after a few minutes. It went back to being disabled automatically. No matter how many times I repeat this, it always goes back to being disabled again & again :( What am I supposed to do? :(
     
  3. Rebecca_valentine

    Rebecca_valentine Registered Member

    Joined:
    Dec 2, 2017
    Posts:
    5
    Location:
    India
    Thanks a ton for the reply :)

    No, my scans are not failing. In the particular screenshot, I had an internet connection problem so the scan didn't run. Otherwise, I can run scans.

    Self disabling? :O :(
    I added the exception to Avira as @Victek suggested & I clicked it twice to lock the option & it got enabled. But it went back to being "disabled" after a few minutes :(
     
  4. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi m0unds,

    Can you download this Sysinternals tool http://live.sysinternals.com/procdump.exe
    procdump -ma -i c:\some.folder.here\memory.dmps\

    then reproduce the issue, this should record a memory dump of the crashing process.
    Once you have that dump please send me a DM.

    If you want you can reset your Just in time debugger
    procdump -u
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi Rebecca_valentine,

    Can you please try the following:
    - switch GUI to advanced interface (Gear icon)
    -- click on the blue button EM and set to disabled.
    -- click on the orange button
    --- CryptoGuard - untick SMB and MBR
    --- Set cryptoguard to disabled

    Now on the Anti-Malware set to enabled and see if it stays enabled over time.
    If that doesn't work please reboot to see if that makes any difference.

    Don't forget to switch these settings back after testing.
     
    Last edited: Dec 8, 2017
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello @RonnyT,

    The Anti-Malware feature on HMP.A 3.7.1.723 had been working with no issues on my system until this morning. I use Process Hacker 3.0.xxxx (nightly builds) on my system and an update was available this morning. It would not update as HMP.A Anti-Malware was reporting it as a threat and blocking it. I had to temporarily disable the Anti-Malware feature in order to install the update. When I went to re-enable Anti-Malware, I ended up having the same issue as @Rebecca_valentine. I tried your workaround posted above (post # 14477) but it took several attempts over several reboots for it to finally stick. At first, I thought the workaround was not going to work but persistence finally got the setting to stick. However, after about twenty to thirty minutes, the Anti-Malware feature had again turned itself off. It seems that I can occasionally get it to work for a brief period of time but it always ends up turning itself off again. Where @Rebecca_valentine's issue seemed to be present from the start with a fresh install, my issue began when I had to disable the Anti-Malware feature temporarily and then I can not re-enable it.
     
  7. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    Hey, sending a DM with a pair of *.dmp files here in a few.

    *EDIT* Sent. Let me know if you need any other memory dumps or additional diagnostic info from the system.
     
    Last edited: Dec 5, 2017
  8. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Thanks m0unds,

    From the looks of it this should be enough.
     
  9. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    219
    great, thanks for letting me know
     
  10. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Something odd is going on between Waterfox 56, HMPA, and Sandboxie. Everything worked fine in Waterfox 55, but ever since I upgraded to 56 I get the error message below whenever I launch the browser. Nothing else has changed, including the Sandboxie configuration.

    Any ideas on what could be wrong?
     
  11. guest

    guest Guest

    Compare it with the Mitigation ROP in #14452 and both look very similar.
    Seems to be HMP.A + Sandboxie issue and they are working on it:
     
  12. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    Interesting. It has not affected Waterfox 55, only 56. Thanks mood.
     
  13. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    HitmanPro.Alert (Trial) "Anti-Malware: Disabled"

    V 3.7.1 Build 723

    Enabled will not "stick". Double clicked, right clicked, single clicked. Somewhere in this tome it was suggested to double click and that does nothing for me. Is this shut off in the Trial version?

    Searching for this turns up nothing here, there, everywhere. I have shut down and restarted the Service since there is no On/Off switch.

    Note that I had installed HMP before Alert. Both in Trials.

    Shouldn't have anything to do with it but I am also running Avast Internet Security and Comodo Firewall.

    TIA
     
  14. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    HMP.A b723 crashed and burned (the icon disappeared from the Notification Area) this afternoon:

    Code:
    Fault bucket 3420534675, type 436414885
    Event Name: APPCRASH
    Response: Not available
    Cab Id: 0
    
    Problem signature:
    P1: hmpalert.exe
    P2: 3.7.1.723
    P3: 5a0c5489
    P4: hmpalert.exe
    P5: 3.7.1.723
    P6: 5a0c5489
    P7: 40000015
    P8: 00232b92
    P9:
    P10:
    
    Attached files:
    C:\Users\xxxxxxx\AppData\Local\Temp\WER175D.tmp.WERInternalMetadata.xml
    
    These files may be available here:
    C:\Users\xxxxxxx\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_hmpalert.exe_3ad81afbb3779ba8881966ec743affe3b77aa62_2ceb38d1
    
    Analysis symbol:
    Rechecking for solution: 0
    Report Id: 2d8c40a4-db91-11e7-afdf-4c72b91da94f
    Report Status: 0

    Don't know if this is related, but Event Viewer shows the following happening about one hour before:

    Code:
    Faulting application name: hmpalert.exe, version: 3.7.1.723, time stamp: 0x5a0c5489
    Faulting module name: hmpalert.exe, version: 3.7.1.723, time stamp: 0x5a0c5489
    Exception code: 0x40000015
    Fault offset: 0x00232b92
    Faulting process id: 0x668
    Faulting application start time: 0x01d36f73ae0d1cc3
    Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Faulting module path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Report Id: 2d8c40a4-db91-11e7-afdf-4c72b91da94f

    Further symptoms: Task Manager lists only the hmpalert.exe *32 "SYSTEM" process as active, and is no longer listing the user process. There are no flyouts when opening an application, or any indication that what I'm typing here is getting encrypted.
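
As an added example (not part of the thread and not HitmanPro.Alert tooling), the Event Viewer record quoted in the post above can be decoded into readable triage fields before a dump is sent to the developers. The field layout is assumed to match the quoted record, and the NTSTATUS table is a small subset of ntstatus.h.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Application Error record quoted in the post above.
EVENT = """\
Faulting application name: hmpalert.exe, version: 3.7.1.723, time stamp: 0x5a0c5489
Faulting module name: hmpalert.exe, version: 3.7.1.723, time stamp: 0x5a0c5489
Exception code: 0x40000015
Fault offset: 0x00232b92
Faulting process id: 0x668
Faulting application start time: 0x01d36f73ae0d1cc3
Report Id: 2d8c40a4-db91-11e7-afdf-4c72b91da94f
"""

# Small subset of NTSTATUS values from ntstatus.h; extend as needed.
NTSTATUS = {
    0x40000015: "STATUS_FATAL_APP_EXIT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

def parse_event(text):
    """Decode the fields of a Windows Application Error message."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    app = re.search(r"Faulting application name: (\S+), version: (\S+), "
                    r"time stamp: 0x([0-9a-fA-F]+)", text)
    mod = re.search(r"Faulting module name: (\S+),", text)
    code = int(grab(r"Exception code: 0x([0-9a-fA-F]+)"), 16)
    start = int(grab(r"Faulting application start time: 0x([0-9a-fA-F]+)"), 16)
    return {
        "application": app.group(1),
        "version": app.group(2),
        # PE link time stamp: seconds since 1970-01-01 UTC
        "build_time": datetime.fromtimestamp(int(app.group(3), 16), timezone.utc),
        "module": mod.group(1),
        "exception": NTSTATUS.get(code, hex(code)),
        "offset": int(grab(r"Fault offset: 0x([0-9a-fA-F]+)"), 16),
        "pid": int(grab(r"Faulting process id: 0x([0-9a-fA-F]+)"), 16),
        # FILETIME: 100 ns ticks since 1601-01-01 UTC
        "started": datetime(1601, 1, 1, tzinfo=timezone.utc)
                   + timedelta(microseconds=start // 10),
        "report_id": grab(r"Report Id: (\S+)"),
        # True when the faulting module is the application's own image
        "self_fault": app.group(1).lower() == mod.group(1).lower(),
    }

if __name__ == "__main__":
    for key, value in parse_event(EVENT).items():
        print(f"{key:12} {value}")
```

The Report Id field is the value to match against the WER report folder and any dump file collected for the same crash.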
     
  15. guest

    guest Guest

    To have the tray icon back you can try to restart the service of HMP.A.
    While restarting the service, the first instance of hmpalert.exe (SYSTEM process) is launching the second instance (User Process, tray-icon), and the indications and flyouts should be back.
    If you can find a dump file related to the crash you can send it to the developers, so they can perhaps find out why it has crashed.
     
  16. zagtastic

    zagtastic Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    16
    Location:
    san diego
  17. JoWazzoo

    JoWazzoo Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    241
    Location:
    Ether
    Yeah - the Tray icon keeps disappearing on me too. Only way I can get it back is to kill the process and restart it in Task Manager. That sucks. Proggy though is still running behind the scenes just no way to access it.

    And still have not figured out how to access Anti-Malware. Wish they had forums so this could be organized.
     
  18. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Thanks. Two questions:

    1. Where should I look for the dump file?

    2. How to restart the service? There's only one HMP.A service listed in Services, and that one's already running. And, trying to stop that service in the hope that restarting it would also restart the user service, failed to stop the system service. Now it's listed simply as "Stopping" without actually concluding, and there's no longer a clickable option to stop or restart it.
     
    Last edited: Dec 8, 2017
  19. Rebecca_valentine

    Rebecca_valentine Registered Member

    Joined:
    Dec 2, 2017
    Posts:
    5
    Location:
    India
    Thanks a ton for this. I did as you said, & now it works perfectly. The anti malware option stays enabled & seems to be fine.
    Again, thanks a lot :)
     
  20. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi Rebecca,

    Thanks for confirming, please make sure you have switched all these other settings back to on!
     
  21. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Interesting question! The attack details make it sound similar to process hollowing, but with a twist to hide it from security tools.

     
  22. guest

    guest Guest

    Dump files for crashes of User Processes can be found there:
    C:\Users\<user>\AppData\Local\CrashDumps\
    for System Processes:
    C:\Windows\system32\config\systemprofile\AppData\Local\CrashDumps\

    Or you can use Everything and you'll find all dmp-files ("*.dmp") with ease.

    If it cannot be found:
    a) for some reason a dump file was not created
    b) CCleaner or a similar application has already deleted it
    c) the Windows Error Reporting (WER) was configured to not collect dump-files.
    etc, ...

    The last time I had to restart the service, I right-clicked the entry in Services and selected "Restart".
    Normally the currently running instance is terminated and two instances of hmpalert.exe are created.
    If it is stuck like in your case I would reboot.

    If the tray-icon is missing the next time, remember what you have done (if possible) before it has crashed. This information can also help to find or narrow down the source of the problem. For example:
    The developers must be able to reproduce it on their systems (or they must have at least a starting point) else it can't be fixed.
     
  23. Rebecca_valentine

    Rebecca_valentine Registered Member

    Joined:
    Dec 2, 2017
    Posts:
    5
    Location:
    India
    Thank you so much RonnyT . The solution works perfectly for me.
    & Yes, I have switched the other settings back to enabled :)
     
  24. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Thanks for all the info, @mood. :thumb:

    The next morning, the HMP.A icon was back in the Notification Area, although the Processes tab in the Task Manager showed only the user process running (and not the system process any longer). I ended up restarting the computer. Everything is working normally for now.

    If this happens again, I'll take note of what I was doing at the time and then send the dump file to Erik/Mark.
     
  25. pilipali

    pilipali Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    23
    Location:
    Finland
    What does this mean? Scan found nothing.
     
