HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Can you try the following, uninstall HMPA, reboot and install a fresh copy but make sure to check if the HMPA custom view xml was deleted in between?
    From reading the post it seems to happen on existing files, so I'm wondering if "creating" the file after the patch was installed makes any difference.

    Probably redundant but you can filter the application log on EventID 800 & 911 to get the same results, probably save that as a custom view and see if that works.
    Maybe it's specific to alerts generated on your machines.
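
The filter suggested in the post above (Application log, Event ID 800 or 911), as an added example that is not part of the original post and is not HitmanPro.ALERT's own code. It runs the query with `Get-WinEvent`, so the events can be read without opening the Event Viewer snap-in. The provider name is not given in the thread, so the query matches on log and ID only and then breaks the results down by provider.

```powershell
# Added example: same filter as suggested in the thread
# (Application log, Event ID 800 or 911). The QueryList can also be pasted
# into the XML tab of Event Viewer's "Create Custom View" dialog.
$query = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(EventID=800 or EventID=911)]]</Select>
  </Query>
</QueryList>
'@

try {
    $events = @(Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 200 -ErrorAction Stop)
}
catch {
    # Get-WinEvent reports an error when nothing matches; treat that as an empty result
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

if ($events.Count -eq 0) {
    Write-Output 'No events with ID 800 or 911 in the Application log.'
    return
}

# Event IDs are only unique per provider, so show which source logged each ID
$events | Group-Object ProviderName, Id | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } } |
    Format-Table -AutoSize

# Most recent matches, first line of each message only
$events | Select-Object -First 20 TimeCreated, Id, ProviderName,
    @{ n = 'Summary'; e = { ("$($_.Message)" -split "`r?`n")[0] } } |
    Format-Table -Wrap
```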
     
  2. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    Hi Ronny,

    I gave it a shot, but it didn't help. Same result. But, as you mention, there is a workaround. Plus, MS is working on a fix scheduled for the end of the month, so it's not a priority.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    @RonnyT ,

    Have you had any other reports of compatibility issues with Win10 1903, like booting to either a blank black screen, or a black screen with spinning dots, but machine not booting to Windows?
     
  4. Headcool

    Headcool Registered Member

    Joined:
    Dec 8, 2015
    Posts:
    8
    Since 779 I get a MULTIPLE_IRP_COMPLETE_REQUESTS BSOD when I hit a key on the keyboard. Happens with Windows 10 1809 and 1903 and HMPA 779 and 839.
    I tried to deactivate Bad USB and Keystroke Encryption, but it had no effect.
    Minidumps are available, I just need to know where to send them.
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi Headcool,
    Please open a ticket via support@hitmanpro.com and upload the dumps to e.g. https://www.wetransfer.com or similar.

    Thanks
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi Krusty,

    No, not (yet). Can you switch all features OFF and see if it still happens?
     
  7. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    Since I don't have the time to read the 617 pages of this thread, here's my question please.
    On the very first post, I read:
    Is HMP.A still designed as an AV companion, or can it be used standalone?
    For example, to use with WD on Win 10, is it enough?

    Thanks in advance!
    François
     
  8. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    It still is an AV companion, but best run alongside WD.
    In addition, I recommend using ConfigureDefender to activate all WD power.
    https://github.com/AndyFul/ConfigureDefender
     
  9. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    Thanks!
    Much appreciated!
     
  10. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    After updating to Win 10 1903 feature update I experience similar behaviour, running 3.7.9 build 779.

    Code:
    FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}
    The process cannot access the file 'C:\ProgramData\Microsoft\Event Viewer\Views\hmpalert.xml' because it is being used by another process.
    
    Exception type: System.IO.IOException
    Exception Stack trace:
    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
       at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
       at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
       at Microsoft.Windows.ManagementUI.CombinedControls.EventsNode.get_IsReadOnlyView()
       at Microsoft.Windows.ManagementUI.CombinedControls.EventsNode.UpdateReadOnly()
       at Microsoft.Windows.ManagementUI.CombinedControls.EventsNode.InitializeQueryNode(FileInfo fileInfo)
       at Microsoft.Windows.ManagementUI.CombinedControls.EventsNode.AddSubNodes(DirectoryInfo dir, EventNodeType nodeType, Boolean userQuery, String standardViewConfig)
       at Microsoft.Windows.ManagementUI.CombinedControls.EventsNode.AddSavedQueryNodes()
       at Microsoft.Windows.ManagementUI.CombinedControls.EventsNode.CreateChildNodes()
       at Microsoft.EventViewer.SnapIn.MMCEventsNode.ExpandNode()
       at Microsoft.EventViewer.SnapIn.MMCEventsNode.OnExpand(AsyncStatus status)
       at Microsoft.ManagementConsole.NodeSyncManager.ProcessRequest(NodeRequestInfo info, IRequestStatus requestStatus)
       at Microsoft.ManagementConsole.SnapIn.ProcessRequest(Request request)
       at Microsoft.ManagementConsole.Internal.SnapInClient.Microsoft.ManagementConsole.Internal.IMessageClient.ProcessRequest(Request request)
       at Microsoft.ManagementConsole.Internal.IMessageClient.ProcessRequest(Request request)
       at Microsoft.ManagementConsole.Executive.RequestStatus.BeginRequest(IMessageClient messageClient, RequestInfo requestInfo)
       at Microsoft.ManagementConsole.Executive.SnapInRequestOperation.ProcessRequest()
       at Microsoft.ManagementConsole.Executive.Operation.OnThreadTransfer(SimpleOperationCallback callback)
     
  11. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    A Microsoft bug, also on Win7:
    https://www.ghacks.net/2019/06/12/w...ror-after-installing-kb4503293-and-kb4503327/
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    The first version in the first post only checks browser integrity; now it is a way more extensive application with exploit protection, ransomware protection, all kinds of hardening and also realtime scanning. It is still designed to run alongside AVs, but can also be used standalone. The realtime scanning is only on execution, so compared to a full-fledged AV that is rather basic; however, all the additional protections are more extensive than most AVs.
     
  14. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    Thanks!
     
  15. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
  17. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    224
    Location:
    Canada
    I recently upgraded from 1809 to 1903 and <knock on wood> I am not experiencing this problem.
     
  18. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    Lockdown:

    Mitigation Lockdown
    Timestamp 2019-06-22T14:48:38

    Platform 10.0.17763/x64 v779 06_9e
    PID 12564
    Feature 00170A32000001B2
    Application C:\Program Files\Mozilla Thunderbird\updater.exe
    Created 2018-11-17T19:19:27
    Modified 2019-06-22T14:48:36
    Description Thunderbird Software Updater 60.7.2

    Filename C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
    Created By C:\Program Files\Mozilla Thunderbird\updater.exe

    Command line:
    argv0ignored /PostUpdate

    Process Trace
    1 C:\Program Files\Mozilla Thunderbird\updater.exe [12564] 2019-06-22T14:48:34
    "C:\Program Files\Mozilla Thunderbird\updater.exe" C:\Users\x\AppData\Local\Thunderbird\updates\D78BF5DD33499EC2\updates\0 "C:\Program Files\Mozilla Thunderbird" "C:\Program Files\Mozilla Thunderbird" 17868 "C:\Program Files\Mozilla Thunderbird" "C:\P
    2 C:\Program Files\Mozilla Thunderbird\updater.exe [9948] 2019-06-22T14:48:27
    "C:\Program Files\Mozilla Thunderbird\updater.exe" C:\Users\x\AppData\Local\Thunderbird\updates\D78BF5DD33499EC2\updates\0 "C:\Program Files\Mozilla Thunderbird" "C:\Program Files\Mozilla Thunderbird" 17868 "C:\Program Files\Mozilla Thunderbird" "C:\P
    3 C:\Program Files\Mozilla Thunderbird\thunderbird.exe [17868] 2019-06-22T14:48:27 121ms
    4 C:\Windows\explorer.exe [17188] 2019-06-22T10:26:25
    5 C:\Windows\System32\userinit.exe [17260] 2019-06-22T10:26:25 23.1s
    6 C:\Windows\System32\winlogon.exe [17416] 2019-06-21T19:16:47
    C:\Windows\System32\WinLogon.exe -SpecialSession
    7 C:\Windows\System32\smss.exe [14480] 2019-06-21T19:16:47 15ms
    \SystemRoot\System32\smss.exe 000000b4 00000084 C:\Windows\System32\WinLogon.exe -SpecialSession

    Thumbprint
    aa8410feb5981a6cd700f3438dd9516723c22096ae033ee02069085abe47be16
     
  19. maniac2003

    maniac2003 Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    120
    Location:
    Netherlands
    I also experience issues with the keyboard encryption after updating to Win 10 1903. Still running 3.7.9 build 779. ;)

    The keyboard encryption becomes the output. So I type complete nonsense o_O
    I've seen the behavior within Windows and Chrome (latest version). Known problem? How can I troubleshoot?
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    To be fair, I would like to have a basic freeware version of HMPA that checks only browser integrity, just like the first version. And it should be fully compatible with Sandboxie.

    BTW, what do you think about the "mirror shielding" technology that NeuShield uses? It sounds a bit like virtualization. Would something like this be useful to HMPA?

    https://www.neushield.com/learn/mirror-shielding/
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Good luck.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    HMPA without a license comes very close. You have browser integrity protection, keystroke encryption and a few other small features, which you could of course turn off. Don't expect them to release a version with only browser integrity checking, it's too much work for the handful of users that would want it.
    And I don't know how SBIE compatibility is currently, but afaik HMPA was frequently updated to be compatible with newer SBIE versions.

    They use it to protect against file lockers and file encryptors; HMPA Cryptoguard already protects against those. HMPA also keeps the original files intact, so I don't see much difference there.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I didn't know you had a freeware version of HMPA? A simple and nag-free version of HMPA would make sense to generate more popularity. Not a whole lot of tools offer this feature, except for G Data BankGuard, but it's not available anymore as a standalone tool.

    https://www.gdata-software.com/news/2720-g-data-bankguard-makes-online

    But seems like the NeuShield protection method is a bit different, I would like to know the difference between the two on a technical level.
     
  24. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    If you let the trial expire it will fall back to the "Free" version, which has:
    • Safe Browsing (Intruder + Keystroke).
    • Webcam notifier
    • Keystroke encryption
    • BadUSB protection
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks, totally forgot about this. :thumb:
     