HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    +1.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Not sure if this was a FP or not, so I'll post it here in case.
    Mitigation APCViolation
    Timestamp 2020-08-20T00:48:28

    Platform 10.0.19041/x64 v875 06_25
    PID 6792
    Feature 003D0A30000001A2
    Application C:\Program Files\Windows Sidebar\sidebar.exe
    Created 2019-11-11T04:33:41
    Description Windows Desktop Gadgets 1.0

    APC intercepted:
    Owner of APC-func: <-UNKNOWN->
    000001BD95A90000 4883ec38 SUB RSP, 0x38
    000001BD95A90004 4889c8 MOV RAX, RCX
    000001BD95A90007 664489442420 MOV [RSP+0x20], R8W
    000001BD95A9000D 664489442422 MOV [RSP+0x22], R8W
    000001BD95A90013 4c8d4c2440 LEA R9, [RSP+0x40]
    000001BD95A90018 4889542428 MOV [RSP+0x28], RDX
    000001BD95A9001D 4c8d442420 LEA R8, [RSP+0x20]
    000001BD95A90022 31d2 XOR EDX, EDX
    000001BD95A90024 31c9 XOR ECX, ECX
    000001BD95A90026 ffd0 CALL RAX
    000001BD95A90028 4883c438 ADD RSP, 0x38
    000001BD95A9002C c20000 RET 0x0
    000001BD95A9002F 43003a ADD [R10], DIL
    000001BD95A90032 005c0050 ADD [RAX+RAX+0x50], BL
    000001BD95A90036 007200 ADD [RDX+0x0], DH
    000001BD95A90039 6f OUTS DX, DWORD [RSI]
    Loaded Modules (39)
    -----------------------------------------------------------------------------
    00007FF717C90000-00007FF717DE4000 sidebar.exe (Microsoft Corporation),
    version: 6.2.8400.0 (winmain_win8rc.120518-1423)
    00007FFE36E30000-00007FFE37025000 ntdll.dll (Microsoft Corporation),
    version: 10.0.19041.423 (WinBuild.160101.0800)
    00007FFE34320000-00007FFE34431000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.6.875
    00007FFE35C50000-00007FFE35D0D000 KERNEL32.dll (Microsoft Corporation),
    version: 10.0.19041.292 (WinBuild.160101.0800)
    00007FFE34AD0000-00007FFE34D97000 KERNELBASE.dll (Microsoft Corporation),
    version: 10.0.19041.423 (WinBuild.160101.0800)
    00007FFE35280000-00007FFE3532A000 ADVAPI32.dll (Microsoft Corporation),
    version: 10.0.19041.1 (WinBuild.160101.0800)
    00007FFE35A10000-00007FFE35AAE000 msvcrt.dll (Microsoft Corporation),
    version: 7.0.19041.1 (WinBuild.160101.0800)
    00007FFE368C0000-00007FFE3695B000 sechost.dll (Microsoft Corporation),
    version: 10.0.19041.388 (WinBuild.160101.0800)
    00007FFE35B10000-00007FFE35C33000 RPCRT4.dll (Microsoft Corporation),
    version: 10.0.19041.1 (WinBuild.160101.0800)
    00007FFE36AF0000-00007FFE36B1A000 GDI32.dll (Microsoft Corporation),
    version: 10.0.19041.1 (WinBuild.160101.0800)
    00007FFE34620000-00007FFE34642000 win32u.dll (Microsoft Corporation),
    version: 10.0.19041.450 (WinBuild.160101.0800)
    00007FFE34880000-00007FFE3498A000 gdi32full.dll (Microsoft Corporation),
    version: 10.0.19041.388 (WinBuild.160101.0800)
    00007FFE34580000-00007FFE3461D000 msvcp_win.dll (Microsoft Corporation),
    version: 10.0.19041.423 (WinBuild.160101.0800)
    00007FFE34DA0000-00007FFE34EA0000 ucrtbase.dll (Microsoft Corporation),
    version: 10.0.19041.423 (WinBuild.160101.0800)
    00007FFE357A0000-00007FFE35940000 USER32.dll (Microsoft Corporation),
    version: 10.0.19041.388 (WinBuild.160101.0800)
    00007FFE36960000-00007FFE36A89000 ole32.dll (Microsoft Corporation),
    version: 10.0.19041.153 (WinBuild.160101.0800)
    00007FFE34EA0000-00007FFE351F3000 combase.dll (Microsoft Corporation),
    version: 10.0.19041.329 (WinBuild.160101.0800)
    00007FFE35560000-00007FFE3562D000 OLEAUT32.dll (Microsoft Corporation),
    version: 10.0.19041.388 (WinBuild.160101.0800)
    00007FFE36A90000-00007FFE36AE5000 SHLWAPI.dll (Microsoft Corporation),
    version: 10.0.19041.1 (WinBuild.160101.0800)
    00007FFE35D10000-00007FFE36450000 SHELL32.dll (Microsoft Corporation),
    version: 10.0.19041.423 (WinBuild.160101.0800)
    00007FFE346A0000-00007FFE347FD000 CRYPT32.dll (Microsoft Corporation),
    version: 10.0.19041.21 (WinBuild.160101.0800)
    00007FFE1B530000-00007FFE1B54D000 ATL.DLL (Microsoft Corporation),
    version: 3.05.2284
    00007FFE26CC0000-00007FFE26F5A000 COMCTL32.dll (Microsoft Corporation),
    version: 6.10 (WinBuild.160101.0800)
    00007FFE22D60000-00007FFE22F05000 gdiplus.dll (Microsoft Corporation),
    version: 10.0.19041.450 (WinBuild.160101.0800)
    00007FFE2ABC0000-00007FFE2ABE9000 Cabinet.dll (Microsoft Corporation),
    version: 5.00 (WinBuild.160101.0800)
    00007FFE28A30000-00007FFE28C1D000 urlmon.dll (Microsoft Corporation),
    version: 11.00.19041.117 (WinBuild.160101.0800)
    00007FFE16D50000-00007FFE16D62000 sfc_os.dll (Microsoft Corporation),
    version: 10.0.19041.1 (WinBuild.160101.0800)
    00007FFDFD8D0000-00007FFDFD972000 dwmapi.dll (Helmut Buhler),
    version: 1.0.0.0
    00007FFE26920000-00007FFE26971000 CRYPTUI.dll (Microsoft Corporation),
    version: 10.0.19041.264 (WinBuild.160101.0800)
    00007FFE34AA0000-00007FFE34AC7000 bcrypt.dll (Microsoft Corporation),
    version: 10.0.19041.1 (WinBuild.160101.0800)
    00007FFE31F00000-00007FFE31F9F000 UxTheme.dll (Microsoft Corporation),
    version: 10.0.19041.1 (WinBuild.160101.0800)
    00007FFE28DD0000-00007FFE2907F000 iertutil.dll (Microsoft Corporation),
    version: 11.00.19041.423 (WinBuild.160101.0800)
    00007FFE35330000-00007FFE353DE000 shcore.dll (Microsoft Corporation),
    version: 10.0.19041.388 (WinBuild.160101.0800)
    00007FFE236F0000-00007FFE236F7000 MSIMG32.dll (Microsoft Corporation),
    version: 10.0.19041.450 (WinBuild.160101.0800)
    00007FFE22F10000-00007FFE22F76000 OLEACC.dll (Microsoft Corporation),
    version: 7.2.19041.1 (WinBuild.160101.0800)
    00007FFE35AD0000-00007FFE35B00000 IMM32.DLL (Microsoft Corporation),
    version: 10.0.19041.1 (WinBuild.160101.0800)
    00007FFE325E0000-00007FFE32D71000 windows.storage.dll (Microsoft Corporation),
    version: 10.0.19041.423 (WinBuild.160101.0800)
    00007FFE33E70000-00007FFE33E9C000 Wldp.dll (Microsoft Corporation),
    version: 10.0.19041.423 (WinBuild.160101.0800)
    00007FFE344C0000-00007FFE344DF000 profapi.dll (Microsoft Corporation),
    version: 10.0.19041.1 (WinBuild.160101.0800)

    Process Trace
    1 C:\Program Files\Windows Sidebar\sidebar.exe [6792] 2020-08-20T00:48:23
    2 C:\Windows\explorer.exe [6348] 2020-08-20T00:47:23
    3 C:\Windows\System32\userinit.exe [6264] 2020-08-20T00:47:22 37.8s
    4 C:\Windows\System32\winlogon.exe [728] 2020-08-20T00:46:56
    winlogon.exe
    5 C:\Windows\System32\smss.exe [608] 2020-08-20T00:46:56 189ms
    \SystemRoot\System32\smss.exe 000000c8 00000084
    6 C:\Windows\System32\smss.exe [372] 2020-08-20T00:46:51
    \SystemRoot\System32\smss.exe

    Dropped Files
    1 C:\Users\Dave\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000152.db
    Dropped by \Device\HarddiskVolume2\Windows\explorer.exe [6348]

    Thumbprints
    d4f3b7c0dee2f9f7c4198490fb70ec652f75d1f8109b7868cb5ae3ede296fce2
    e500dc76f8f79f4d9161eb1153e1d4abf36025175be0541e537b701580dd190e (code)
    337b91bc2020642b3b16bbc95cd0293dd6414c1fed518510e1055ae0359b03e8 (pfn)
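    The report above lists the APC routine's address, a short disassembly, and every loaded module's image range; "Owner of APC-func: <-UNKNOWN->" is consistent with that address falling outside all of those ranges. The script below is an added triage example, not HitmanPro.Alert code: it parses a constructed excerpt of the report (values copied from the post), resolves the owning module the same way, and decodes the bytes after RET as UTF-16LE, which shows why the "instructions" following the RET look like nonsense. It assumes the first disassembled address is the intercepted APC routine.

```python
import re

# Constructed excerpt of the HitmanPro.Alert APC report quoted above (values from the post).
REPORT = """\
APC intercepted:
Owner of APC-func: <-UNKNOWN->
000001BD95A90000 4883ec38 SUB RSP, 0x38
000001BD95A90026 ffd0 CALL RAX
000001BD95A9002C c20000 RET 0x0
000001BD95A9002F 43003a ADD [R10], DIL
000001BD95A90032 005c0050 ADD [RAX+RAX+0x50], BL
000001BD95A90036 007200 ADD [RDX+0x0], DH
000001BD95A90039 6f OUTS DX, DWORD [RSI]

Loaded Modules (2)
00007FF717C90000-00007FF717DE4000 sidebar.exe (Microsoft Corporation),
version: 6.2.8400.0 (winmain_win8rc.120518-1423)
00007FFE36E30000-00007FFE37025000 ntdll.dll (Microsoft Corporation),
version: 10.0.19041.423 (WinBuild.160101.0800)
"""

MODULE_RE = re.compile(r"^([0-9A-F]{16})-([0-9A-F]{16}) (\S+)", re.M)
DISASM_RE = re.compile(r"^([0-9A-F]{16}) ([0-9a-f]+) (.+)$", re.M)

def parse_modules(report):
    """Image ranges from the 'Loaded Modules' block as (start, end, name)."""
    return [(int(s, 16), int(e, 16), n) for s, e, n in MODULE_RE.findall(report)]

def owner_of(addr, modules):
    """Module whose image range contains addr, or None (what HMPA prints as <-UNKNOWN->)."""
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None

def apc_func_address(report):
    # Assumption: the first disassembled address is the intercepted APC routine.
    return int(DISASM_RE.search(report).group(1), 16)

def trailing_utf16(report):
    """Bytes after the first RET decoded as UTF-16LE: string data the disassembler
    misread as code. Only whole code units are decoded; a dangling odd byte is dropped."""
    raw, seen_ret = b"", False
    for _, hexbytes, mnemonic in DISASM_RE.findall(report):
        if seen_ret:
            raw += bytes.fromhex(hexbytes)
        elif mnemonic.startswith("RET"):
            seen_ret = True
    return raw[: len(raw) // 2 * 2].decode("utf-16-le")
```

    Calling `owner_of(apc_func_address(REPORT), parse_modules(REPORT))` returns None, matching the report, and `trailing_utf16(REPORT)` yields "C:\Pr", the beginning of a file path stored right after the stub.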
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    +2
     
  4. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Let me stress I'm just looking for the reasons why someone would want to disable their guards; just curious to see if we can improve, if you would run into issues for example.
    Well I have a very clear idea about software that advises to disable your security software, I'm just not sure if I should ventilate that here ;)
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Okay, makes sense, but in this case you would need to reboot the machine to get all our defenses off anyway, so Export config, uninstall + install + import would be the quickest route for 100% results.
    Tampering with the service etc. is more work than the steps above and needs a reboot also.

    That's a good thing to do; have seen too many weird issues with a plethora of security software breaking things here.
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    You running WiseVector? Seems they have a curious way of loading their DLL into a process.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    On that machine, yeah.
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Not now. WV doesn't play nicely on my machines.
     
  9. Richard981

    Richard981 Suspended Member

    Joined:
    Aug 21, 2020
    Posts:
    14
    Location:
    Canada
    Hi, I would appreciate any guidance here. I am wondering if anyone is using Kaspersky alongside HMP Alert, or has in the past. I hear on the one hand that they should be compatible, but some have said that in practice they silently conflict and break function. Can anyone say whether they run this with KAV or KIS, or if they believe the two work together with no problem?

    HMP Alert is on Kaspersky's list of incompatible software. On the other hand, HMP Alert support said they 'should' work together (did not say they 'will').
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I have used KIS in the past and noticed they add almost everything to their list of incompatible software, also on-demand scanners. I have used KIS with other realtime security software without problems. However I started using HMP Alert only after I stopped using KIS so I have no experience with HMP.A and KIS.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    You should indeed have an option to simply disable the protection from the GUI, and it can be secured via CAPTCHA, I believe some security tools do this.

    Good to see that HMPA spots this, and also very cool that you guys discovered this new ransomware technique! :thumb:

    https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/
     
  12. JohnMiller

    JohnMiller Registered Member

    Joined:
    Nov 6, 2014
    Posts:
    49
    Hi, I seem to be having a weird behavior on my Windows Surface Pro 7. I randomly will get an issue where, when typing in an application, my text will start to scramble. This is resolved by disabling keystroke encryption. Is this a known issue or?

    Thanks!
     
  13. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    198
    Hi @Richard981
    I have used KIS and HMPro.Alert together for years. I have no problems with them.
    But I recommend excluding each program. I explain:
    In Kaspersky, HMpro.Alert in exclusions (Conf → Additional → Threats & Excl. → Manage Excl. → Add → Browse..)
    In HMP.A, the same.
     
  14. Richard981

    Richard981 Suspended Member

    Joined:
    Aug 21, 2020
    Posts:
    14
    Location:
    Canada
    Thanks for taking the time to answer! @Libraman, gives me confidence to try it out! I have already added HMPro Alert to Kaspersky's exclusion - now I will add Kaspersky to HMPro Alert as well.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Not to harp on ESET NOD32, but it's what I use, so it's what I know. ESET does it without CAPTCHA. And it's a menu selection that provides five different pause increments. There is, of course, the requisite warning put forth that disabling protection will leave your computer vulnerable. Is that the reason HMP.A does not have a pause feature, because they are protecting us from ourselves?
     
  16. Richard981

    Richard981 Suspended Member

    Joined:
    Aug 21, 2020
    Posts:
    14
    Location:
    Canada
    I have successfully added an application to exclusions, but now it is being blocked by the 'malware' component of Hitman Pro Alert. The only workaround is to disable the malware component completely if I want to run the program. Any workarounds for this?
     
  17. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    198
    I have 'AntiMalware' disabled in HMPro.A. If I need to run HitmanPro for a second opinion, I execute it directly.
    And I suppressed the 'Cred Guard' alert of KIS in HMPro.A (January 2020).
    Everything works excellently here.
     
  18. Richard981

    Richard981 Suspended Member

    Joined:
    Aug 21, 2020
    Posts:
    14
    Location:
    Canada
    So let me ask what may sound like a dumb question, or a question with an obvious answer. With the malware component disabled, there is still a whole lot to be gained from the rest of HMPAlert (from the other security components)?

    Also why the need to run Hitman Pro for second opinion? Within HMPA and malware part disabled, you can just run a scan from within HMPAlert nevertheless? Why go to hitman pro for that?
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    The license for HMPA lapsed on one of my PCs and now it reminds me every day with a little flyout that I have to clear. Is that the normal behavior when running HMPA in limited/free mode? TIA
     
  20. Richard981

    Richard981 Suspended Member

    Joined:
    Aug 21, 2020
    Posts:
    14
    Location:
    Canada
    Sorry, I answered my question. I thought suppression of events would only get rid of the notification, but it works as a form of 'exclusion', as far as I understand. And I did not know that running a scan downloads HitmanPro... thanks again. So now I can keep my scanning enabled, and have exclusions.
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    I think I read that HMP.A uses a compatibility mode when MBAM realtime is used, because of conflicting anti-exploit features. How does that detection work: realtime or for example checking on every boot? For example I have MBAM free installed, after updating to a new version it automatically enabled realtime trial. I disabled the trial. Will HMP.A detect that immediately and go back to full protection or is a reboot needed?
     
  22. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Today I went to run a manual scan, and found HMP.A was "locked" with no icons below the "Safe Browsing" or "Exploit mitigation" categories. Also, the usual orange flyout that appears when typing into a browser form, isn't showing up.

    There are no HMP.A processes to be seen in Task Manager, unless I launch it from the Start Menu and then there is a single process associated with my PC user name, which of course disappears if I close the program. In the Services tab, there are a HitmanProScheduler service and an hmpalertsvc listed as running.

    Version 3.7.9, build 779 on a Vista HP x64 system. IIRC, this machine will not accept any versions newer than that.

    UPDATE: Oh, weird. I stopped hmpalertsvc in Services, then restarted it and then launched HMP.A again. This time all the icons showed up under their respective categories. However, the orange flyout is still not working when I type something into the browser.

    Any thoughts on what could be causing the lockup?
     
  23. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,336
    Location:
    Location Unknown
    How do I go about excluding apps from keystroke encryption? Keystroke encryption is messing with my games, yet I do not want to globally disable it.
     
  24. Libraman

    Libraman Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    198
    Hi again.
    I have HMP.A 'ON' for everything except 'Antimalware'. I have KIS for that but, sometimes, I scan with HitmanPro. I 'play' with low reputation files.
     
  25. Richard981

    Richard981 Suspended Member

    Joined:
    Aug 21, 2020
    Posts:
    14
    Location:
    Canada