HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Will there be a native HitmanPro.Alert 64-bit app? I can see that HitmanPro is already 64-bit while the GUI is still a 32-bit application.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Curious why you see that as an issue??
     
  3. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    Build 588 crashed again on my Windows 7 system, to the point where the Notification Area icon disappeared and there is no HMP.A presence in Task Manager.

    Meanwhile, build 588 on my Vista PC had two processes running, each of which Task Manager was showing to be using more than 1,200,000Kb of "private" memory, whatever that means. Together, they seemed to be taking up close to one-third of the 8GB of RAM on that machine.

    From my perspective, 588 is the most problem-riddled build in a long time.

    I can provide crash reports to Erik or Mark on request.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    After reinstalling Norton Security I've found HMP.A still flogs my CPU after Norton SONAR updates. I was hoping Alert's self-protection might stop this but no. I used to exclude HMP.A from Norton but I'd rather not do this because I suspect this could be the cause of Norton detecting its own files. That's my theory anyway.
     
  5. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    This week in Holland there is an important anniversary so I suppose your silence will continue a bit longer :'(...

    C'mon Erik :D
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
    Yes, as I posted yesterday in the HMP thread, just for information: it is vacation time in The Netherlands. Many folks are on vacation, but I don't know whether Mark and Erik are on vacation. Tomorrow it is King's Day; the King is turning 50. On 4 May it is Remembrance Day; on 5 May Liberation Day. And schoolchildren have vacation.
    Sorry for getting off-topic.
     
  7. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    HMP.A build 588 has done its double-crash dance yet again on my Win7 system:

    Code:
    Problem signature:
      Problem Event Name:    APPCRASH
      Application Name:    hmpalert.exe
      Application Version:    3.6.4.588
      Application Timestamp:    58dd0e9d
      Fault Module Name:    hmpalert.exe
      Fault Module Version:    3.6.4.588
      Fault Module Timestamp:    58dd0e9d
      Exception Code:    40000015
      Exception Offset:    00237c51
      OS Version:    6.1.7601.2.1.0.768.3
      Locale ID:    1033
      Additional Information 1:    1ef7
      Additional Information 2:    1ef784b371cca7cac9004a82a554dc62
      Additional Information 3:    9c20
      Additional Information 4:    9c20abd3e2e7c0ff2837cee1fbfab854
    
    Read our privacy statement online:
      http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409
    
    If the online privacy statement is not available, please read our privacy statement offline:
      C:\Windows\system32\en-US\erofflps.txt
    
    
    Problem signature:
      Problem Event Name:    APPCRASH
      Application Name:    hmpalert.exe
      Application Version:    3.6.4.588
      Application Timestamp:    58dd0e9d
      Fault Module Name:    KERNELBASE.dll
      Fault Module Version:    6.1.7601.23714
      Fault Module Timestamp:    58bf87bb
      Exception Code:    e06d7363
      Exception Offset:    0000c54f
      OS Version:    6.1.7601.2.1.0.768.3
      Locale ID:    1033
      Additional Information 1:    438b
      Additional Information 2:    438b231a429efb770f3143aa83ac55d3
      Additional Information 3:    5bfc
      Additional Information 4:    5bfc27d0b34b49f2ff4ecca368723b61
    
    
    The HMP.A icon in the Notification Area disappeared as soon as I hovered the mouse pointer over it.

    :thumbd:
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I had HMP.A crash this morning here too.

    Code:
    Log Name:      Application
    Source:        Application Error
    Date:          28/04/2017 10:21:23 AM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      David-HP
    Description:
    Faulting application name: hmpalert.exe, version: 3.6.4.588, time stamp: 0x58dd0e9d
    Faulting module name: hmpalert.dll, version: 3.6.4.588, time stamp: 0x58dd0e91
    Exception code: 0xc0000005
    Fault offset: 0x0004496b
    Faulting process ID: 0x1624
    Faulting application start time: 0x01d2bfb41566379f
    Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Faulting module path: C:\Windows\System32\hmpalert.dll
    Report ID: 2bdb7b09-3fa3-4a8c-b736-4404b05a8f88
    Faulting package full name:
    Faulting package-relative application ID:
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2017-04-28T00:21:23.557459000Z" />
        <EventRecordID>5908</EventRecordID>
        <Channel>Application</Channel>
        <Computer>David-HP</Computer>
        <Security />
      </System>
      <EventData>
        <Data>hmpalert.exe</Data>
        <Data>3.6.4.588</Data>
        <Data>58dd0e9d</Data>
        <Data>hmpalert.dll</Data>
        <Data>3.6.4.588</Data>
        <Data>58dd0e91</Data>
        <Data>c0000005</Data>
        <Data>0004496b</Data>
        <Data>1624</Data>
        <Data>01d2bfb41566379f</Data>
        <Data>C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe</Data>
        <Data>C:\Windows\System32\hmpalert.dll</Data>
        <Data>2bdb7b09-3fa3-4a8c-b736-4404b05a8f88</Data>
        <Data>
        </Data>
        <Data>
        </Data>
      </EventData>
    </Event>
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    ROP mitigation. Opening Firefox.
    Code:
    Mitigation   ROP
    
    Platform     10.0.15063/x64 v588 06_45
    PID          22156
    Application  C:\Program Files\Mozilla Firefox\firefox.exe
    Description  Firefox 53
    
    Callee Type  ProtectVirtualMemory
                 0x000000FEA0190000 (4096 bytes)
    
    Branch Trace                              Opcode  To                                    
    ---------------------------------------- -------- ----------------------------------------
    0x00007FFC36ECBB80 xul.dll                   RET  0x00007FFC36F3FD1F xul.dll            
    
    0x00007FFC3714A0FC xul.dll                 ~ RET* GetMailslotInfo()                      
                                                      0x00007FFC88F7AF60 kernel32.dll        
                        4053                     PUSH         RBX
                        56                       PUSH         RSI
                        57                       PUSH         RDI
                        4156                     PUSH         R14
                        4883ec68                 SUB          RSP, 0x68
                        488b0527920400           MOV          RAX, [RIP+0x49227]
                        4833c4                   XOR          RAX, RSP
                        4889442458               MOV          [RSP+0x58], RAX
                        488b9c24b0000000         MOV          RBX, [RSP+0xb0]
                        498bf9                   MOV          RDI, R9
                        498bf0                   MOV          RSI, R8
                        c74424201a000000         MOV          DWORD [RSP+0x20], 0x1a
                        4c8bf2                   MOV          R14, RDX
                        4c8d442440               LEA          R8, [RSP+0x40]
                        41b918000000             MOV          R9D, 0x18
                                             (89D103EB922F16C0)
    
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFC87B91735 KernelBase.dll           VirtualProtect +0x35
    
    2  00007FFC373B5D5D xul.dll                
                        85c0                     TEST         EAX, EAX
                        743d                     JZ           0x7ffc373b5d9e
                        488b0d98c78f02           MOV          RCX, [RIP+0x28fc798]
                        483bd9                   CMP          RBX, RCX
                        0f824cfc4f00             JB           0x7ffc378b59bd
                        4881c100000040           ADD          RCX, 0x40000000
                        483bf9                   CMP          RDI, RCX
                        0f873cfc4f00             JA           0x7ffc378b59bd
                        b001                     MOV          AL, 0x1
                        488b5c2438               MOV          RBX, [RSP+0x38]
                        4883c420                 ADD          RSP, 0x20
                        5f                       POP          RDI
                        c3                       RET        
    
    3  00007FFC3712BE16 xul.dll                
    4  00007FFC36F3FD3B xul.dll                
    5  00007FFC374CF83A xul.dll                
    6  00007FFC37133CEE xul.dll                
    7  00007FFC37082408 xul.dll                
    8  000000FE9B1AB1E4 (anonymous; xul.dll)  
    
    Process Trace
    1  C:\Program Files\Mozilla Firefox\firefox.exe [22156]
    2  C:\Program Files\Mozilla Firefox\firefox.exe [136924]
    3  C:\Windows\explorer.exe [10916]
    4  C:\Windows\System32\userinit.exe [10272]
    5  C:\Windows\System32\winlogon.exe [1256]
    winlogon.exe
    
    Thumbprint
    ced315641da3bdace5609a391e54ece1a62e40da6038b8749d7caf25eda35717
    
     
    Last edited: Apr 28, 2017
  10. guest

    guest Guest

    Some crashes can be seen with Build 588.
    I have created a collection of build 588-related crashes/freezes, but maybe I missed some posts:
    Edit: additions
     
    Last edited by a moderator: May 3, 2017
  11. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    You included 3 posts by me; however, they are all about the same (single) problem.

    I think it's more fair if you only list one.
     
  12. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Had a strange CryptoGuard Mitigation for LibreOffice. Had three .docx documents opened for edit that I had created earlier. Nothing special, just text in a business letter format. But when I tried to save them again as Microsoft Word XML (.docx), HMPA 3.6.4 build 588 shut down the LibreOffice application. This was unexpected, as no passwords or encryption that I know of was involved.

    Mitigation CryptoGuard

    Platform 10.0.14393/x64 v588 06_3a
    PID 6872
    Application C:\Program Files\LibreOffice 5\program\soffice.bin
    Description LibreOffice 5.2.6

    Filename C:\Program Files\LibreOffice 5\program\soffice.bin
     
  13. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Thanks very much for reporting, Tinstaafl.

    The reported issue seems somewhat related to the CryptoGuard and LibreOffice x86 on Windows x64 issue that I reported January 24 and February 3, and that no one was able to reproduce for LibreOffice x64.
    Although, in your case the issue concerns LibreOffice x64 on Windows x64!

    As Erik mentioned on February 27, the CryptoGuard and LibreOffice x86 on Windows x64 issue should be resolved with the new major version of CryptoGuard. But as Erik mentioned later, the major new build is taking long because of all the overhead, so that is still taking some time.

    I do not know if the CryptoGuard and LibreOffice x64 on Windows x64 issue that you reported is caused by the same underlying cause as the CryptoGuard and LibreOffice x86 on Windows x64 issue that I reported, and whether or not it too will be resolved with the new major version of CryptoGuard.

    @erikloman,
    @markloman,
    I hope you can have a look at Tinstaafl's report.
     
  14. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    To be clear, that was the first time that has happened to me, and I cannot reproduce it when working with a single document. But if I open a generic .docx and save it as THREE different test copies and then try to save them one at a time, the "Attack Intercepted" event happens when saving the THIRD .docx.

    This leaves me with a LibreOffice pop-up alert "Error saving the document xxxxx.docx Access to xxxxx.docx was denied".

    Now when trying to open any file after the crash, LibreOffice comes up with a "Fatal Error the application cannot be started. User installation could not be completed".

    Seems the only way to restart LibreOffice after this intercept is to reboot. I cannot locate any hung processes or disk files using Windows Task Manager or Resource Monitor.

    EDIT: just noticed that your previous reports also indicated this HMPA intercept also occurred when working with 3 files. And it happened with .odt format files as well. Good to know!
     
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Have you tried temporarily disabling CryptoGuard, to fix the LibreOffice "Access denied" and "Fatal Error"?
    As I described on January 24, for me, temporarily disabling CryptoGuard unlocked LibreOffice soffice.bin, after which I was able to use it again.
     
  16. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    778
    Location:
    Oklahoma City
    Not having any problems with HMPA. Guess I'm lucky.
     
  17. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Big thanks! That suggestion works great!!! :thumb:

    Once soffice.bin unlocked, re-enabled CryptoGuard and back to normal now!
     
  18. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    +1
     
  19. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I'm not having problems anymore, now that I know how to avoid them! :D :argh:
     
  20. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Still running smoothly for me almost a month later.
     
  21. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    W7-x64 Professional with HMP.alert build 588:
    Running build 588 from day one, no issues whatsoever!
     
  22. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    The same for a lot of other users (even if we don't clearly use iTunes that seems to be involved in the latest issues)...
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    @erikloman

    RE: HMPA

    "There will be a slight delay in the delivery of your license key. We are in the process of correcting this technical issue which may include waiting for information from the software publisher. This should be resolved within 1-2 workdays... We will contact you via email as soon as further information is available." o_O?
     
    Last edited: Apr 30, 2017
  24. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    Mitigation Lockdown

    Platform 10.0.14393/x64 v588 06_2a
    PID 7716
    Application C:\Windows\System32\config\systemprofile\Downloads\opera autoupdate\installer.exe
    Description Opera Installer 44

    Filename C:\Windows\System32\config\systemprofile\Downloads\opera autoupdate\installer.exe
    Created By C:\Users\xxx\AppData\Local\Programs\Opera x64\launcher.exe


    Process Trace
    1 C:\Windows\System32\config\systemprofile\Downloads\opera autoupdate\installer.exe [7716]
    "C:\Windows\system32\config\systemprofile\Downloads\opera autoupdate\installer.exe" --version
    2 C:\Users\xxx\AppData\Local\Programs\Opera x64\launcher.exe [11068]
    "C:\Users\xxx\AppData\Local\Programs\Opera x64\launcher.exe" --scheduledautoupdate $(Arg0)
    3 C:\Windows\System32\svchost.exe [1452]
    C:\Windows\system32\svchost.exe -k netsvcs

    Thumbprint
    9073f3da213bc1ff5109e312542db243c064d5059c8e078049834a49a28e74a3
     
  25. guest

    guest Guest

    You experienced this ("Mitigation Lockdown") with the previous version of Opera too:
     