HitmanPro.ALERT Support and Discussion Thread

A few questions to get this ironed out:

• What version of Windows are you running?
• What AV are you using?
• What other security products are you using?

Make sure you are running build 167 (or newer).

 

Appcrash hmpalert.exe (W7 64 bits/build 167).

Logboeknaam: Application
Bron: Windows Error Reporting
Datum: 16-3-2015 7:53:53
Gebeurtenis-id:1001
Taakcategorie: Geen
Niveau: Informatie
Trefwoorden: Klassiek
Gebruiker: n.v.t.
Computer: ****
Beschrijving:
Foutbucket 919660272, type 17
Naam van gebeurtenis: APPCRASH
Antwoord: Niet beschikbaar
Id van CAB-bestand: 0

Handtekening van probleem:
P1: hmpalert.exe
P2: 3.0.32.167
P3: 55005fb5
P4: unknown
P5: 0.0.0.0
P6: 00000000
P7: 00000000
P8: 00000000
P9:
P10:

Bijgevoegde bestanden:
C:\Windows\Temp\WER55BD.tmp.appcompat.txt
C:\Windows\Temp\WER566A.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WER5764.tmp.WERDataCollectionFailure.txt

Deze bestanden zijn mogelijk hier beschikbaar:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hmpalert.exe_eb9184e45586dcac87d5a569a318b15ae54ed_0288c5dd

Analysesymbool:
Opnieuw zoeken naar oplossing: 0nRapport-id: 01226324-cae4-11e4-87b4-001f16aa0c13
Rapportstatus: 0
Gebeurtenis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Windows Error Reporting" />
<EventID Qualifiers="0">1001</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-03-16T06:53:53.000000000Z" />
<EventRecordID>163826</EventRecordID>
<Channel>Application</Channel>
<Computer>****2-PC</Computer>
<Security />
</System>
<EventData>
<Data>919660272</Data>
<Data>17</Data>
<Data>APPCRASH</Data>
<Data>Niet beschikbaar</Data>
<Data>0</Data>
<Data>hmpalert.exe</Data>
<Data>3.0.32.167</Data>
<Data>55005fb5</Data>
<Data>unknown</Data>
<Data>0.0.0.0</Data>
<Data>00000000</Data>
<Data>00000000</Data>
<Data>00000000</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
C:\Windows\Temp\WER55BD.tmp.appcompat.txt
C:\Windows\Temp\WER566A.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WER5764.tmp.WERDataCollectionFailure.txt</Data>
<Data>C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_hmpalert.exe_eb9184e45586dcac87d5a569a318b15ae54ed_0288c5dd</Data>
<Data>
</Data>
<Data>0</Data>
<Data>01226324-cae4-11e4-87b4-001f16aa0c13</Data>
<Data>0</Data>
</EventData>
</Event>

 

Licensed HitmanPro/HitmanPro.Alert 3.0.30.167 running fine on Windows 7 x64 Premium
-
I started with HitmanPro.Alert 3.0.30.155 then updated to HitmanPro.Alert 3.0.30.167, with either version no problem... except one small issue regarding an application which had been included with the very first post-install first scan. The application is XMPlay.exe and it initiates an alert when run until I disable one and one only mitigation : its Control-Flow integrity.

This exception for XMPlay.exe's Control-Flow Integrity is the only exception I've had to perform and all other settings are default ones.
I've added Thunderbird.exe with the Office template as recommended by erikloman plus two other applications under the Media mitigation template (mpc-be64.exe and winyl.exe).

No problems to put it mildly when Hitman.pro.Alert 3 is, as far as I'm concerned, a piece of art

 

I personally prefer separate products or option for uninstalling unneeded component rather than disable, so I can save my limited disk space and avoid possible conflicts. But it seems it's hard in HMPA as hmpalart.dll is responsible many tasks not limited to exploit mitigation.

 

• Windows 7 SP1 Home Premium x64 UK, all Windows updates applied
• Emsisoft Internet Security 9
• Malwarebytes Anti-Malware 2

I was running build 167 (as I have seen no newer builds).

 

Question re CryptoGuard folder...
How may I see that cyrptoguard files are being maintained / updated. The cryptoguard files Date Modified never changes. I have no way to associate a crypoguard rollback file with my files / documents. I'll update a document file expecting to see a corresponding date modified in cryptoguard files....alas no date modified change. To my understanding cryptoguard files are snapshots for rollback. How can I confirm snapshots are current ? Thanks !

 

See here:

http://www.surfright.nl/en/cryptoguard

If I understand correctly CryptoGuard is protecting in real time to prevent encryption, not taking snapshots for rolling back after an attack.

 

I just did a new install of build 167 on Windows 7X64 Ultimate. I'm still having the same problem that started with build 166. I can't activate my license. It says a server error occurred. NOD 32 prompted me 3 times during the installation that a potentially unsafe application was being installed just as it did with build 166. I wonder if maybe NOD 32 is causing the installation to become corrupted. I never got any response back about this problem, or the other problems I reported last time.

Edited: 3/16 @ 1:41 pm: I'm going to disable NOD 32 the next time I install HMPA to see if makes any difference with the license issue, and the other issues I reported.

 

I don't use NOD32, but perhaps you can add an exclusion for HMPA?

 

Does the license for HitmanPro also works for HitmanPro Alert?

 

I don't think so. It only happens during the installation. It only detects it as a potentially unsafe application. There's no conflict after that that I am aware of. Its easy to just disable NOD 32 during the installation. I could make an exception for HMPA in NOD 32 after the installation if needed.

 

Yes.
Only a single license is necessary for running HMP and HMPA.

 

so i have come on your boot XIII here the same discribed on #4437

 

Sorry, I don't understand this post. Can you please explain?

 

I am using RC build 155 - where can I find the build 167? Is that for beta testers only?

 

Please see Wednesday March 11th post:

 

Do I need to uninstall the previous beta version for this new version ?

 

No.

 

Is HMPA CryptoGuard ready for this one?

http://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/

 

Yes! https://twitter.com/markloman/status/573174353992544257

 

@Cutting_Edgetech

I was just using Autoruns for something else and the Virus Total scan shows this from ESET/NOD32: "a variant of Win64/NetFilter.A potentially unsafe"

This is for the file C:\Windows\system32\drivers\hmpnet.sys

This must be a False Positive since only 5/57 say this is something of concern. Perhaps ESET can whitelist this file after an investigation?

 

We are in contact with ESET about their classification. The classification only occurs when you have enabled the PUP detection in ESET.

 

Then what are the files in the CryptoGuard folder....and how did they acquire their Date modified. My understanding is the files are snapshots for rollback. If they're are not snapshots....then what are they ?

 

These files are temporary and are used during rollback in case of an attack.

PS. Congrats on your 500th post here are Wilders