HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    Build 737 working great on Win 10 x64 (F-Secure, AppGuard).
     
  2. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    3.7.6 Build 737 installed a couple days ago. I did not run into issues.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I don't know if I've reported, but Build 737 is running fine here on Win 7.
     
  4. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    81
    Location:
    Kissimmee, FL
    Build 737 did this on two computers

    Code:
    Intruder
    
    PID          14756
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 64
    
    Detour Report
    #  Address             Owner                    Disassembly
    -- ------------------  ------------------------ ------------------------
    HttpOpenRequestA *
     1 0x00007FFE21FA9500  WININET.dll              JMP QWORD [RIP+0x237afa]
     2 0x00007FFE221D000E  (anonymous)            
    
    HttpOpenRequestW *
     1 0x00007FFE21E81580  WININET.dll              JMP QWORD [RIP+0x33fa7a]
     2 0x00007FFE221B000E  (anonymous)            
    
    HttpSendRequestA
     1 0x00007FFE21EFD3D0  WININET.dll              JMP QWORD [RIP+0x3a3c2a]
     2 0x00007FFE2229000E  (anonymous)            
    
    HttpSendRequestExA *
     1 0x00007FFE21E67AF0  WININET.dll              JMP QWORD [RIP+0x47950a]
     2 0x00007FFE222D000E  (anonymous)            
    
    HttpSendRequestExW *
     1 0x00007FFE21F00620  WININET.dll              JMP QWORD [RIP+0x3c09da]
     2 0x00007FFE222B000E  (anonymous)            
    
    HttpSendRequestW
     1 0x00007FFE21E91D10  WININET.dll              JMP QWORD [RIP+0x3ef2ea]
     2 0x00007FFE2227000E  (anonymous)            
    
    InternetOpenUrlA *
     1 0x00007FFE21F84570  WININET.dll              JMP QWORD [RIP+0x29ca8a]
     2 0x00007FFE2221000E  (anonymous)            
    
    InternetOpenUrlW *
     1 0x00007FFE21F85090  WININET.dll              JMP QWORD [RIP+0x27bf6a]
     2 0x00007FFE221F000E  (anonymous)            
    
    InternetReadFile *
     1 0x00007FFE21E90390  WININET.dll              JMP QWORD [RIP+0x3b0c6a]
     2 0x00007FFE2223000E  (anonymous)            
    
    InternetReadFileExW *
     1 0x00007FFE21EF16A0  WININET.dll              JMP QWORD [RIP+0x36f95a]
     2 0x00007FFE2225000E  (anonymous)            
    
    URLDownloadToCacheFileA
     1 0x00007FFE2AEE5DB0  urlmon.dll               JMP QWORD [RIP+0x15b24a]
     2 0x00007FFE2B03000E  (anonymous)            
    
    URLDownloadToCacheFileW
     1 0x00007FFE2AE5CBC0  urlmon.dll               JMP QWORD [RIP+0x1c443a]
     2 0x00007FFE2B01000E  (anonymous)            
    
    URLDownloadToFileA
     1 0x00007FFE2AEE5F30  urlmon.dll               JMP QWORD [RIP+0x11b0ca]
     2 0x00007FFE2AFF000E  (anonymous)            
    
    URLDownloadToFileW
     1 0x00007FFE2AE5CD20  urlmon.dll               JMP QWORD [RIP+0x1842da]
     2 0x00007FFE2AFD000E  (anonymous)            
    
    URLOpenBlockingStreamA
     1 0x00007FFE2AEE6080  urlmon.dll               JMP QWORD [RIP+0x1daf7a]
     2 0x00007FFE2B0B000E  (anonymous)            
    
    URLOpenBlockingStreamW
     1 0x00007FFE2AEE6160  urlmon.dll               JMP QWORD [RIP+0x1bae9a]
     2 0x00007FFE2B09000E  (anonymous)            
    
    URLOpenStreamA
     1 0x00007FFE2AEE6420  urlmon.dll               JMP QWORD [RIP+0x19abda]
     2 0x00007FFE2B07000E  (anonymous)            
    
    URLOpenStreamW
     1 0x00007FFE2AEE64F0  urlmon.dll               JMP QWORD [RIP+0x17ab0a]
     2 0x00007FFE2B05000E  (anonymous)            
    
    CreateProcessA
     1 0x00007FFE39E5D810  KernelBase.dll           JMP QWORD [RIP+0x3837ea]
     2 0x00007FFE3A1D000E  (anonymous)            
    
    CreateProcessInternalA
     1 0x00007FFE39E5DC20  KernelBase.dll           JMP QWORD [RIP+0x3433da]
     2 0x00007FFE3A19000E  (anonymous)            
    
    CreateProcessInternalW
     1 0x00007FFE39E5EBF0  KernelBase.dll           JMP 0x7ffe3a14000e
     2 0x00007FFE3A14000E  (anonymous)            
    
    CreateProcessW
     1 0x00007FFE39E5D790  KernelBase.dll           JMP QWORD [RIP+0x36386a]
     2 0x00007FFE3A1B000E  (anonymous)            
    
    HeapCreate
     1 0x00007FFE39EBDFB0  KernelBase.dll           JMP QWORD [RIP+0x3e304a]
     2 0x00007FFE3A29000E  (anonymous)            
    
    VirtualAlloc
     1 0x00007FFE39EAE040  KernelBase.dll           JMP QWORD [RIP+0x352fba]
     2 0x00007FFE3A1F000E  (anonymous)            
    
    VirtualAllocEx
     1 0x00007FFE39EBE1D0  KernelBase.dll           JMP QWORD [RIP+0x382e2a]
     2 0x00007FFE3A23000E  (anonymous)            
    
    VirtualProtect
     1 0x00007FFE39EB4090  KernelBase.dll           JMP QWORD [RIP+0x36cf6a]
     2 0x00007FFE3A21000E  (anonymous)            
    
    VirtualProtectEx
     1 0x00007FFE39EC18E0  KernelBase.dll           JMP QWORD [RIP+0x39f71a]
     2 0x00007FFE3A25000E  (anonymous)            
    
    WriteProcessMemory
     1 0x00007FFE39ECA0B0  KernelBase.dll           JMP QWORD [RIP+0x3b6f4a]
     2 0x00007FFE3A27000E  (anonymous)            
    
    GetMessageA
     1 0x00007FFE3B2906E0  USER32.dll               JMP 0x7ffe26fd0d18
     2 0x00007FFE26FD0D18  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CCC8C0  hmpalert.dll            
    
    GetMessageW
     1 0x00007FFE3B293F50  USER32.dll               JMP 0x7ffe26fd0cd4
     2 0x00007FFE26FD0CD4  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CCC980  hmpalert.dll            
    
    PeekMessageA
     1 0x00007FFE3B290040  USER32.dll               JMP 0x7ffe26fd0c98
     2 0x00007FFE26FD0C98  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CCC720  hmpalert.dll            
    
    PeekMessageW
     1 0x00007FFE3B290170  USER32.dll               JMP 0x7ffe26fd0c58
     2 0x00007FFE26FD0C58  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CCC7F0  hmpalert.dll            
    
    WSAStartup
     1 0x00007FFE3B552220  WS2_32.dll               JMP QWORD [RIP+0x171edda]
     2 0x00007FFE3CC6000E  (anonymous)            
    
    CopyFileA
     1 0x00007FFE3B61A140  kernel32.dll             JMP QWORD [RIP+0x1536eba]
     2 0x00007FFE3CB4000E  (anonymous)            
    
    CopyFileW
     1 0x00007FFE3B5E2BF0  kernel32.dll             JMP QWORD [RIP+0x154e40a]
     2 0x00007FFE3CB2000E  (anonymous)            
    
    MoveFileA
     1 0x00007FFE3B61B590  kernel32.dll             JMP QWORD [RIP+0x14f5a6a]
     2 0x00007FFE3CB0000E  (anonymous)            
    
    MoveFileW
     1 0x00007FFE3B5CFB00  kernel32.dll             JMP QWORD [RIP+0x15114fa]
     2 0x00007FFE3CAD000E  (anonymous)            
    
    SetProcessDEPPolicy
     1 0x00007FFE3B5DFFC0  kernel32.dll             JMP QWORD [RIP+0x16b103a]
     2 0x00007FFE3CC8000E  (anonymous)            
    
    WinExec
     1 0x00007FFE3B61E660  kernel32.dll             JMP QWORD [RIP+0x155299a]
     2 0x00007FFE3CB6000E  (anonymous)            
    
    ShellExecuteExW
     1 0x00007FFE3B6D1800  SHELL32.dll              JMP QWORD [RIP+0x157f7fa]
     2 0x00007FFE3CC4000E  (anonymous)            
    
    ShellExecuteW
     1 0x00007FFE3B77D930  SHELL32.dll              JMP QWORD [RIP+0x14b36ca]
     2 0x00007FFE3CB8000E  (anonymous)            
    
    KiUserApcDispatcher
     1 0x00007FFE3CD63A20  ntdll.dll                JMP 0x7ffe26fd0d56
     2 0x00007FFE26FD0D56  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38D3F890  hmpalert.dll            
    
    LdrLoadDll
     1 0x00007FFE3CCD5AF0  ntdll.dll                JMP 0x7ffe26fd0e15
     2 0x00007FFE26FD0E15  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA7A10  hmpalert.dll            
    
    LdrResolveDelayLoadedAPI
     1 0x00007FFE3CCE1CC0  ntdll.dll                JMP QWORD [RIP+0x1ef33a]
     2 0x00007FFE3CEC000E  (anonymous)            
    
    NtAllocateVirtualMemory
     1 0x00007FFE3CD60170  ntdll.dll                JMP 0x7ffe3cee000e
     2 0x00007FFE3CEE000E  (anonymous)            
    
    NtFreeVirtualMemory
     1 0x00007FFE3CD60230  ntdll.dll                JMP 0x7ffe26fd0f16
     2 0x00007FFE26FD0F16  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA5830  hmpalert.dll            
    
    NtMapViewOfSection
     1 0x00007FFE3CD60370  ntdll.dll                JMP 0x7ffe26fd0e96
     2 0x00007FFE26FD0E96  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA6CD0  hmpalert.dll            
    
    NtProtectVirtualMemory
     1 0x00007FFE3CD60870  ntdll.dll                JMP 0x7ffe3cf0000e
     2 0x00007FFE3CF0000E  (anonymous)            
    
    NtQueueApcThread
     1 0x00007FFE3CD60710  ntdll.dll                JMP 0x7ffe26fd0d96
     2 0x00007FFE26FD0D96  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA77D0  hmpalert.dll            
    
    NtUnmapViewOfSection
     1 0x00007FFE3CD603B0  ntdll.dll                JMP 0x7ffe26fd0e56
     2 0x00007FFE26FD0E56  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA7480  hmpalert.dll            
    
    NtWaitForDebugEvent
     1 0x00007FFE3CD63740  ntdll.dll                JMP 0x7ffe26fd0fd6
     2 0x00007FFE26FD0FD6  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CCF990  hmpalert.dll            
    
    RtlInstallFunctionTableCallback
     1 0x00007FFE3CD34250  ntdll.dll                JMP 0x7ffe26fd0f98
     2 0x00007FFE26FD0F98  (unknown)                JMP QWORD [RIP+0x0]
     3 0x00007FFE38CA9E50  hmpalert.dll            
    
    
    Backwards compatible thumbprint:
    668ef8bf2e78f88ea90c1b4e87d501bfbd26e1893d3e8b06926ef2abef51fb0f
    
    Thumbprint
    b579a32c03a09580153481505a8e476aec4658b4809cc549f336715d570ca4e7
     
    Last edited by a moderator: Mar 10, 2018
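As an added example (not part of the thread and not HitmanPro.Alert's own code): a small Python parser for the Detour Report layout shown in the post above. It turns each hooked function's hop chain into a structure and separates chains that end in HMPA's own hmpalert.dll from chains whose last hop lands in memory that belongs to no module, the "(anonymous)" rows, which is what the Intruder alert is flagging. The sample text is a constructed, trimmed copy of the report's layout using rows from the post; the function and helper names, and the idea of triaging by the terminal owner of each chain, are my own assumptions, not HMPA's documented behaviour.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt in the same layout as the report posted
# above (a function-name line, optionally marked '*', followed by numbered hops:
# index, address, owning module, disassembly). Only the 'Detour Report' part is parsed.
SAMPLE_REPORT = """\
Intruder

PID          14756
Application  C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe

Detour Report
#  Address             Owner                    Disassembly
-- ------------------  ------------------------ ------------------------
HttpOpenRequestA *
 1 0x00007FFE21FA9500  WININET.dll              JMP QWORD [RIP+0x237afa]
 2 0x00007FFE221D000E  (anonymous)

CreateProcessInternalW
 1 0x00007FFE39E5EBF0  KernelBase.dll           JMP 0x7ffe3a14000e
 2 0x00007FFE3A14000E  (anonymous)

GetMessageA
 1 0x00007FFE3B2906E0  USER32.dll               JMP 0x7ffe26fd0d18
 2 0x00007FFE26FD0D18  (unknown)                JMP QWORD [RIP+0x0]
 3 0x00007FFE38CCC8C0  hmpalert.dll

NtFreeVirtualMemory
 1 0x00007FFE3CD60230  ntdll.dll                JMP 0x7ffe26fd0f16
 2 0x00007FFE26FD0F16  (unknown)                JMP QWORD [RIP+0x0]
 3 0x00007FFE38CA5830  hmpalert.dll
"""

# A hop row: index, hex address, owner token, optional disassembly.
HOP_RE = re.compile(r"^\s*(\d+)\s+(0x[0-9A-Fa-f]+)\s+(\S+)\s*(.*?)\s*$")
# A function row: API name, optionally followed by ' *'.
FUNC_RE = re.compile(r"^(\w+)\s*(\*)?\s*$")

ANONYMOUS = "(anonymous)"


@dataclass
class Hop:
    index: int
    address: int
    owner: str          # module name, '(unknown)' trampoline, or '(anonymous)'
    disassembly: str    # empty on the final hop


@dataclass
class Detour:
    function: str
    starred: bool
    hops: list[Hop] = field(default_factory=list)

    @property
    def terminal_owner(self) -> str:
        return self.hops[-1].owner

    @property
    def ends_anonymous(self) -> bool:
        return self.terminal_owner == ANONYMOUS


def parse_detour_report(text: str) -> list[Detour]:
    """Parse everything after the 'Detour Report' header into Detour records."""
    detours: list[Detour] = []
    current: Detour | None = None
    in_report = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not in_report:                      # skip the PID/Application preamble
            in_report = line.strip() == "Detour Report"
            continue
        if not line.strip():
            continue
        hop = HOP_RE.match(line)
        if hop and current is not None:
            current.hops.append(Hop(int(hop.group(1)), int(hop.group(2), 16),
                                    hop.group(3), hop.group(4)))
            continue
        func = FUNC_RE.match(line)             # column headers never match this
        if func:
            current = Detour(function=func.group(1), starred=func.group(2) == "*")
            detours.append(current)
    return detours


def chains_ending_outside_modules(detours: list[Detour]) -> list[str]:
    """Hooked functions whose final hop lands in memory owned by no module."""
    return [d.function for d in detours if d.hops and d.ends_anonymous]


def group_by_terminal_owner(detours: list[Detour]) -> dict[str, list[str]]:
    """Bucket hooked functions by where their detour chain finally lands."""
    groups: dict[str, list[str]] = {}
    for d in detours:
        if d.hops:
            groups.setdefault(d.terminal_owner, []).append(d.function)
    return groups


def format_chain(d: Detour) -> str:
    return f"{d.function}: " + " -> ".join(h.owner for h in d.hops)


if __name__ == "__main__":
    report = parse_detour_report(SAMPLE_REPORT)
    for d in report:
        print(format_chain(d))
    print("ends outside any module:", chains_ending_outside_modules(report))
```

Run over the full report from the post, the grouping separates the chains that terminate in hmpalert.dll (HMPA's own hooks, reached through a small "(unknown)" trampoline) from the WININET, urlmon, KernelBase, kernel32, SHELL32 and ntdll entries whose chain ends in "(anonymous)" memory; the latter list is what an analyst would compare against the other software loaded in the process.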
  5. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    81
    Location:
    Kissimmee, FL
    Build 737

    Code:
    Intruder
    
    PID          15132
    Application  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description  Google Chrome 64
    
    Code Injection
    0000025C026AC000-0000025C026AD000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [14756]
    00007FFE3CD60000-00007FFE3CD61000 4KB
    00007FFE3CD62000-00007FFE3CD63000 4KB
    
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [14756]
    2 C:\Windows\explorer.exe [7436]
    3 C:\Windows\System32\userinit.exe [6460]
    4 C:\Windows\System32\winlogon.exe [832]
    
    winlogon.exe
    
    Thumbprint
    b579a32c03a09580153481505a8e476aec4658b4809cc549f336715d570ca4e7
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Been doing some testing against malware, and this latest version of HMPA is definitely much better on catching stuff. Well done.
     
  7. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,760
    I'm still getting BSODs shutting down when in shadow mode (Shadow Defender) on Win7 32-bit. Not going to bother testing on XP which has the same problem. Do BSODs count as being fixable? :thumbd:

    For me on Win7/XP 32-bit, HMPA has been broken on all versions released after v604, which I am rolling back to now. :rolleyes: The problem has been acknowledged, but no ETA in sight based on so many broken releases. :( Dump attached if anyone at Surfright is interested.
     

    Last edited: Mar 11, 2018
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    New build, so far so good on 2 machines: Win7x64 and Win10x64 FCU.

    Do older versions of Windows also take advantage of this or is it limited to w10?
     
  9. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,760
    What is this all about? I don't want an update for HMPA. I need to stay at v604
    Is the AutoUpdate=0 registry setting no longer valid?

    Edit: I may have forgotten to shutdown/restart after installing 604 offline and applying the registry update. Seems HMPA only looks at those settings on boot. I will retry and see.
     

    Attached Files: HMPA.png (537.9 KB)
    Last edited: Mar 12, 2018
  10. Damnatus

    Damnatus Registered Member

    Joined:
    Dec 29, 2015
    Posts:
    16
    bump
     
  11. MikeRepairs

    MikeRepairs Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    81
    Location:
    Kissimmee, FL
    Update... this error could be related to HMPA licensing somehow. I had this same error on three computers where the license had just expired. As soon as I updated the program to build 737, this error happened every time Chrome was opened. After I activated a new license, the error is gone. By the way, HMPA does nothing to indicate an expired license; my customers rarely notice the expiration. There should be a notification and the tray icon should change to indicate an expired license, don't you think?

     
    Last edited: Mar 11, 2018
  12. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Just curious because I am running Glasswire too. What would be the reason for protecting a firewall application? In general is this advisable, and in a more general context the question might be what should we not protect with HMPA?
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I'm sure I read somewhere in this thread @erikloman posted not to add security programs, but in 590+ pages please don't ask me to find it.
     
  14. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I believe you are correct. My assumption is that the priority would be for browsers, email, office programs, and media players. Things that are internet facing and open files that may contain payloads received externally. I would also assume that most every other exploit should be covered by the risk reduction and anti-malware modules.
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    +1. I have Glasswire, but didn't add it.
    Indeed, I have excluded all my security programs ...
     
  16. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    I use Glasswire for the Usage and Alerts features. I use Comodo for my firewall. I chose to protect Glasswire because it is Internet facing and assumed that was a good practice for any program that is Internet facing (other than my Comodo security suite).

    Perhaps, I am wrong. I think your second question is a valid one.
     
  17. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I guess that I am thinking that since Glasswire doesn't actually open files, and uses the Windows Filtering Platform for accessing network traffic, there wouldn't be any risks involved in that activity.

    But I could be wrong about that.
     
  18. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    581
    Location:
    Hengelo
    HitmanPro.Alert 3.7.6 Build 738 Released

    Changelog (compared to build 737)
    • Improved Credential Theft Protection mitigation (LSASS shielding) so it no longer alerts on non-committed memory that caused false positive alerts
    • Added /qspectre compile flag on main hmpalert.exe binary
    Download
    https://dl.surfright.nl/hmpalert3.exe

    Users running build 737 are automatically updated to build 738. Other users will start receiving build 738 in a few days.
    Let us know how this version runs on your machine, thanks! :thumb:
     
    Last edited: Mar 13, 2018
  19. newyorkjet

    newyorkjet Registered Member

    Joined:
    Jan 17, 2013
    Posts:
    63
    Location:
    UK
    Rebooted after on-screen notification of upgrade awaiting reboot. Flawless upgrade from 737 to 738. Everything working well so far.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    +1
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ditto on 738 here also.
     
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    738 showing "Anti-Malware Offline"

    AM is "Enabled" but GUI indicates AM is not functioning.
     
  23. guest

    guest Guest

    It can take some time until it recognizes a connection to the cloud:
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,065
    Location:
    DC Metro Area
    Thanks @mood :)

    That was it -- took over an hour to connect but all is OK now.
     
  25. guest

    guest Guest

    Ok, good to hear :thumb:
     