HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

That was a pretty silly video, and there are several ways to get around a password. But if you have access to the computer you are already 95% there anyway.
     
  2. guest

    guest Guest

    While you download a file to E:, HMP.A is creating a temporary file in C:\Windows\Temp (which has the same size)
    As soon as the download is finished, the temporary file is deleted.
     
  3. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    That's what I was afraid of. In the long run that would be many many many terabytes written to my SSD that was meant for my HDD, not something I particularly want, might just be paranoid but... Yeah. Would there be any way to work around this? Making HMPA use the HDD instead or just ignore the writes by that one application or ignore writes to that one disk or do temporary storage on the disk which is being written to or.. .. .. any other way besides not using HMPA? Also, which feature specifically is the cause of this, Cryptoguard?
     
  4. guest

    guest Guest

The hmpnet.sys driver of HMP.A is monitoring the downloads. "Its purpose is to block C&C traffic" - as mentioned below, so the feature related to that should be "Network Lockdown" (Stops backdoor traffic)
    There is a registry key to disable the monitoring for specific ports, IPs or process names.
    If you add for example the process name of your download manager, it is not monitoring it and no temporary file is created for this process.
    Code:
    Its purpose is to (a) block C&C traffic and (b) obtain URLs from an attack
    It is system-wide because malware can contact C&C from every process.
    
There is a registry key to disable monitoring per-port, per-IP or per-processname:
    Note: Place every item on a separate line.
    
    HKLM\Software\HitmanPro.Alert\
    
    NetFilterExclude  REG_MULTI_SZ  1224          // do not filter port 1224
                                    10.2.121.3    // do not filter IP 10.2.121.3
                                    sfttray.exe   // do not filter ProcessName sfttray.exe
    
    If you make changes you have to restart the HitmanPro.Alert service so that it reads the new excludes.
     
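As an added example (not code from the thread, SurfRight or Sophos), this PowerShell script appends entries to the NetFilterExclude REG_MULTI_SZ value with one item per line, as the developer note above requires, and then restarts the service so the new excludes are read. Locating the service by display name is an assumption, since the thread names only the registry key and value; run it from an elevated PowerShell.

```powershell
# Added example, not from the thread or the vendor. Adds process names, ports or IPs
# to HKLM\Software\HitmanPro.Alert\NetFilterExclude (REG_MULTI_SZ, one item per line)
# and restarts the HitmanPro.Alert service. Requires an elevated PowerShell.
$KeyPath   = 'HKLM:\SOFTWARE\HitmanPro.Alert'
$ValueName = 'NetFilterExclude'

function Add-HmpaNetFilterExclude {
    param(
        # e.g. 'tixati.exe', '1224', '10.2.121.3' (values from the thread / constructed)
        [Parameter(Mandatory)][string[]] $Entries
    )

    if (-not (Test-Path $KeyPath)) {
        throw "Key $KeyPath not found; is HitmanPro.Alert installed?"
    }

    # Existing REG_MULTI_SZ comes back as a string array; treat a missing value as empty.
    $existing = @()
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.$ValueName) }

    # Merge case-insensitively so re-running the script never creates duplicate lines.
    $seen   = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($e in ($existing + $Entries)) {
        $e = "$e".Trim()
        if ($e -and $seen.Add($e)) { $merged.Add($e) }
    }

    # MultiString stores each array element on its own line in the registry value.
    if ($prop) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value ([string[]]$merged) -Type MultiString
    } else {
        New-ItemProperty -Path $KeyPath -Name $ValueName -Value ([string[]]$merged) -PropertyType MultiString | Out-Null
    }

    # The service must be restarted before it reads the new exclude list.
    # Assumption: the service's display name starts with "HitmanPro.Alert".
    $svc = Get-Service | Where-Object { $_.DisplayName -like 'HitmanPro.Alert*' } | Select-Object -First 1
    if ($svc) { Restart-Service -Name $svc.Name -Force }
    else      { Write-Warning 'HitmanPro.Alert service not found; restart it manually.' }

    return $merged.ToArray()
}

# Exclude the torrent client discussed in this thread from the network filter.
Add-HmpaNetFilterExclude -Entries 'tixati.exe'
```

To confirm the exclusion took effect, start a download in the excluded program and check whether a new mfs????.tmp file appears in C:\Windows\Temp, as a later post in this thread describes.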
  5. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    I'm very confused right now. I added the appropriate Registry entry for tixati.exe and then I opened services and clicked "Restart" on HMPA's service. After that I started a new torrent and looked in Process Explorer, hmpalert.exe started writing to the disk at around 2MB/s (byte not bit) so I paused the download and it went down to a few B/s occasionally going up to a few kB/s... Then I started the torrent again but HMPA didn't go back up to 2MB/s even though the torrent was downloading that fast... Weird... So I started yet another torrent and now HMPA started writing to the disk again at around 5GB/s, I paused the torrent again, HMPA stopped writing, started torrent again, HMPA started writing... ... ... ... So basically some downloads occasionally still cause HMPA to start writing while other downloads will always cause HMPA to start writing and... I.. I don't understand. The exclude seems to work partially but also dependently on what information is shared... Unless I don't understand the format of the registry entry? I made a "REG_MULTI_SZ" with the only value "tixati.exe", do I also need to add ports and ip? If so, how do I specify all?

    Which file specifically in temp folder is HMPA writing to? I can't find any obvious file. Also, how large would such a file ever be? I mean, would it not be possible to carry out the things directly in memory? Why is the file on a disk necessary?

    Edit: I'm not actually so sure it's the network lockdown module. I tried disabling it completely in the HMPA settings and then restarted the service and then started tixati.exe again, I/O for hmpalert.exe shot up to almost 6MB/s a few seconds later, closed tixati.exe and I/O for hmpalert.exe went away.
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    What if you changed the default environment variable for both TEMP and TMP files from %userprofile%\AppData\local\temp to (for instance) E:\temp ? That would direct all temp file writes off the SSD.
     
  7. guest

    guest Guest

The temporary file in C:\Windows\Temp\ begins with 'mfs' and has 4 random characters: mfs????.tmp
    Seeing I/O for hmpalert.exe is normal. But you have to look in your temporary directory to see if a file is created right after you started a download.
    If you don't see it you're fine.
    But if it's created you'll notice it, because you'll have less free space on C: while you download to E:. (20 GB download = 20 GB less free space on C:)

    Btw.: You have to monitor "Disk write bytes" of hmpalert.exe not I/O, to have a correct summary of all written bytes to harddisk.
    (I have an I/O of 40GB but only 1 MB "Disk write bytes" for hmpalert.exe)
     
  8. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    278
    Ah my bad, I assumed "I/O write bytes" meant disk (due to "write" as I haven't encountered that word with any other kind of I/O before.) I added the disk write column manually and now I see it's around 412KB so not bad at all. Thanks for pointing it out.
     
  9. dinosaurman

    dinosaurman Registered Member

    Joined:
    Nov 10, 2016
    Posts:
    1
    Location:
    australia
Hi everyone, I've just purchased HitmanPro.Alert and am having some activation issues. I've also been unable to find any email address for support from HitmanPro/SurfRight. We are behind a proxy, which I think is our issue, but when we attempt to activate a licence it proceeds as if activating, but after 30-40 seconds the progress bar vanishes and I'm still on the activate licence tab with no licence activated. I was able to activate a licence on a machine not behind a proxy, so I am wondering if there is somewhere in the setup that allows me to choose our proxy settings or to make HitmanPro run through IE's proxy settings like most other applications? The majority of desktops we need to use these licences on are behind a proxy with no way to run on another connection.


    Further to this, the regular HitmanPro activates fine, but that has a section for proxy settings and I can't seem to find anything similar in the Alert application.
     
    Last edited: Nov 10, 2016
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Hi dinosaurman and welcome to Wilders Security forums.

    You could try this email address - support@hitmanpro.com
     
  11. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    @dinosaurman :
    Seems like you are running HMP.A in an enterprise environment.
    HMP.A was never designed, or recommended, for such environments, but for home use.

There is Sophos Intercept-X, based on HMP.A, which has a central console to administer,
    and can be set granularly as to what users are allowed, or not.
    https://www.sophos.com/products/intercept-x.aspx

    Maybe you can use the bought licences on other machines...

For the time being, we are running a trial on twelve machines, and have encountered no serious issues.
     
  12. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    I have HMP and HMP.A working just fine on my LAN.

    If HMP.A is being blocked by a Proxy then that is a misconfigured Proxy.
     
  13. Lonesome Bob

    Lonesome Bob Registered Member

    Joined:
    Aug 24, 2016
    Posts:
    17
    Location:
    unknown
    HitmanPro has a command line reference for network managers, http://dl.surfright.nl/hmp-command-line_reference-1_9.pdf
    Is it possible Alert would respect the proxy registry values mentioned in pages 19 and 20, particularly ProxyAuthentication?

    Another possibility would be to request the proxy administrator include these address exclusions:
    *.hitmanpro.nl
    activate.hitmanpro.nl 87.249.108.116
     
  14. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    If you would like to run HitmanPro.Alert in a networked environment I'd like to suggest that you upgrade to Sophos Intercept X. The Sophos product has support for environments with a proxy.
     
  15. jason dorsey

    jason dorsey Registered Member

    Joined:
    Nov 8, 2016
    Posts:
    2
    Location:
    united states
I've had to uninstall HitmanPro.Alert because it's been stopping safe programs from launching, causing issues with sites I know to be safe, and the scan function doesn't work. Any time I try to scan my PC it gets to around 87k files and crashes every single time. Any idea why this might be happening?
     
  16. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    171
    Location:
    Frezhnacz
    I'm still quite vexed trying to figure out why chrome browser downloads fail with "network error".

    I turned off all browser exploits; disabled crypto, vaccination, process protection, network lockdown, and disabled my browser's download extension, and disabled my security suite without any effect. Only when I stop the service does the download work as expected.

    There must be a way to isolate the cause but I'm running out of ideas. Help?

    Win 8.1-64
     
  17. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Make sure you look at Disk I/O and not regular I/O as named pipes are also I/O but are not actual disk access.
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    What other security tools are you using? Or perhaps network traffic monitoring tools?
     
  19. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,859
    Location:
    the Netherlands
    It would be helpful to the developers if you could indicate
    which HitmanPro.Alert build you use, the latest stable, 3.5.3.562, or the latest pre-release, 3.5.5.570,
    what your Windows version is, exactly,
    what browser you use,
    what antivirus program you use,
    if you use any other realtime security applications, and if so, which,
    which safe programs are stopped,
    and what alerts you get - you can copy alert details from Event Viewer.

    To get Alert details from Event Viewer:
    Open the HMP.A user interface, and click "Number of alerts", or "Last alert", that will open Windows Event Viewer.
    This takes a moment as a HMP.A module is added to Event Viewer.
    In the HitmanPro.Alert Events section, information can be seen regarding HMP.A events.
    Are there entries to be found regarding the mentioned issues?
If so, please select the text, use Ctrl+C to copy the selected text, and paste it in your next reply. That information can be helpful to the developers to find out what the issue is.


Secondly, you could try whether updating to pre-release 3.5.5.570 helps.

Furthermore, if needed, you can exclude applications from HitmanPro.Alert's protection.
    To do so, you need to know (or look for) the exe of the application in question.
    Then open the HMP.A user interface,
    in settings, choose Advanced interface,
    click the blue Exploit mitigation tile, and then Applications,
    scroll to the right, and under Exclude, choose Add exclusion, navigate to that application's exe, and add it as an exclusion.
    Please let us know if that helps.

    And also, you can download and install HitmanPro, and see if scanning works if you use the HitmanPro standalone application.
    You can use both HitmanPro.Alert and HitmanPro with your HitmanPro.Alert license.
     
    Last edited: Nov 11, 2016
  20. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    171
    Location:
    Frezhnacz
    Occasionally Malwarebytes Anti-Malware, but that wasn't in use.

    Is there a debug that will tell what the service is doing?

    EDIT: This is bizarre. I went back into Chrome to try out a few things and the file downloaded straight away. The only things I recall doing since my earlier issues is

    a) stopping and restarting HMP.A service
    b) clearing all browser history (maybe an hour ago)

    So those are 2 things I can play with the next time this problem surfaces.
     
    Last edited: Nov 11, 2016
  21. jason dorsey

    jason dorsey Registered Member

    Joined:
    Nov 8, 2016
    Posts:
    2
    Location:
    united states
Firstly, I un-downloaded HMP.A for the time being because it was making my life harder than it seemed to be helping atm. But I can provide all the requested information other than the Event Viewer info, since I don't currently have it installed.

    I was using the Latest stable version of HMP.A

    I'm using Windows 10 Pro Version 1607 Build 14393.447

I use Bitdefender Total Security

    Currently the only program that seems to be stopped from loading is Discord

The browser I seem to be having issues with is Google Chrome.

    I'm going to install the pre-release version you linked and see if maybe that solves part of my problems. If not I can post the information from the event viewer from there.
     
  22. guest

    guest Guest

    It may help to disable Bitdefender "Active Threat Control" for Google Chrome.
     
  23. PeZzy

    PeZzy Registered Member

    Joined:
    Apr 2, 2011
    Posts:
    56
    FYI...564 seems to have problems with the latest Flash player within Firefox. I am not having problems with 570 so far.
     
  24. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    interesting, I wish all this stuff was documented, how did you find this out?

I agree with the other poster regarding the disk writes: if HMPA is to write its own copy of data, then the folder it uses needs to be customisable.

    I am going to exclude battlenet and steam of which both make HMPA cpu usage go pretty high.

Ok, did some quick testing, it looks like it doesn't bypass the filtering, it probably just sets it to always never block C&C, the actual network filter is still processing the traffic.
     
    Last edited: Nov 12, 2016
  25. guest

    guest Guest

I collected this information with the help of this thread - the registry key for disabling the monitoring, then there is another one for disabling auto-updates, etc.

Regarding the temporary file which HMP.A is creating, setting the registry key for a specific app prevents the creation of the temporary file. And I have much less CPU-% (a few % instead of 20-40%) while downloading a file.
    The registry key to exclude applications is definitely working.
     