HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Upgraded from 1909 to 2004, while HMP.A was running.
    No issues, so far.
     
  2. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Upgraded from 1909 to 2004, while HitmanPro.ALERT 3.8.4 build 871 was running.

    No issues, so far.
     
  3. cantoris

    cantoris Registered Member

    Joined:
    Apr 3, 2005
    Posts:
    9
    The bugcheck was 0x3B (SYSTEM_SERVICE_EXCEPTION) with exception code 0xC0000005 (STATUS_ACCESS_VIOLATION) in vmwp.exe (Microsoft's VM Worker Process). Here's the stack:

    hmpalert+0x23108
    hmpalert+0x23822
    FLTMGR!FltpPerformPreCallbacksWorker+0x36b
    FLTMGR!FltpPassThroughInternal+0xc7
    FLTMGR!FltpCreate+0x310
    nt!IofCallDriver+0x55
    fsh+0x5b13
    nt!IofCallDriver+0x55
    nt!IoCallDriverWithTracing+0x34
    nt!IopParseDevice+0x6ac
    nt!IopParseFile+0xc7
    nt!ObpLookupObjectName+0x3fe
    nt!ObOpenObjectByNameEx+0x1fa
    nt!IopCreateFile+0x40f
    nt!IoCreateFileEx+0x11d
    storvsp!VspVsmbCommonRelativeCreate+0x369
    storvsp!VspVsmbHandleRelativeCreateFileRequest+0x321
    storvsp!VspVsmbDispatchIoControlForProcess+0x11e
    storvsp!VspFastIoDeviceControl+0x175
    nt!IopXxxControlFile+0x382
    nt!NtDeviceIoControlFile+0x56
    nt!KiSystemServiceCopyEnd+0x28
    0x00007ffe`e79eae74
     
  4. Mr Humphries

    Mr Humphries Registered Member

    Joined:
    Dec 3, 2016
    Posts:
    15
    Location:
    Australia
    Eddie, the OpenVPN client, version 2.19.2 gets terminated by HP.A build 871 on Windows 19635.1. Disabled mitigations for eddie-ui.exe as workaround.

    Mitigation CallerCheck
    Timestamp 2020-05-29T09:41:58

    Platform 10.0.19635/x64 v871 06_3a
    PID 4848
    Feature 003D1A361FBF01B6
    Application C:\Program Files\AirVPN\Eddie-UI.exe
    Created 2020-04-11T23:58:08
    Description Eddie - Windows UI 2.19

    Callee Type CreateProcess
    C:\WINDOWS\system32\route.exe

    0000000a:039ee4f3961eb461ae06380c069d64570f5e497b31e732197d321994dd6975ed

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFE4E56E5D6 KernelBase.dll CreateProcessW +0x66
    2 00007FFE4EB6CFE4 kernel32.dll CreateProcessW +0x54

    3 00007FFDC8587337 (anonymous; clr.dll)
    488b5560 MOV RDX, [RBP+0x60]
    c6420c01 MOV BYTE [RDX+0xc], 0x1
    833d02ada75f00 CMP DWORD [RIP+0x5fa7ad02], 0x0
    7406 JZ 0x7ffdc858734e
    ff15aab7a75f CALL QWORD [RIP+0x5fa7b7aa]
    8bf0 MOV ESI, EAX
    e83bf6065f CALL 0x7ffe275f6990
    85f6 TEST ESI, ESI
    0f95c1 SETNZ CL
    0fb6c9 MOVZX ECX, CL
    898d94000000 MOV [RBP+0x94], ECX
    4883bdd800000000 CMP QWORD [RBP+0xd8], 0x0
    7420 JZ 0x7ffdc858738d
    488b8dd8000000 MOV RCX, [RBP+0xd8]

    4 00007FFDC8585AD0 (anonymous; clr.dll)
    5 00007FFDC8585519 (anonymous; clr.dll)
    6 00007FFDC858494F (anonymous; clr.dll)
    7 00007FFDC8584556 (anonymous; clr.dll)
    8 00007FFDC85841CA (anonymous; clr.dll)
    9 00007FFDC857F4A8 (anonymous; clr.dll)
    10 00007FFDC857F1A1 (anonymous; clr.dll)

    Loaded Modules (70)
    -----------------------------------------------------------------------------
    0000025B8A990000-0000025B8A9A2000 Eddie-UI.exe (https://eddie.website),
    version: 2.19.0.0
    00007FFE50AF0000-00007FFE50CEA000 ntdll.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4EB50000-00007FFE4EC0C000 KERNEL32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE45DC0000-00007FFE45E25000 MSCOREE.DLL (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4E520000-00007FFE4E800000 KERNELBASE.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4DEC0000-00007FFE4DFD8000 hmpalert.dll (SurfRight B.V.),
    version: 3.8.4.871
    00007FFE4FA80000-00007FFE4FB2B000 ADVAPI32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4F9D0000-00007FFE4FA72000 msvcrt.dll (Microsoft Corporation),
    version: 7.0.19635.1 (WinBuild.160101.0800)
    00007FFE50210000-00007FFE502AB000 sechost.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE50450000-00007FFE5056D000 RPCRT4.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE3E5F0000-00007FFE3E69A000 mscoreei.dll (Microsoft Corporation),
    version: 4.8.4180.0 built by: NET48REL1LAST_B
    00007FFE50390000-00007FFE503E5000 SHLWAPI.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4CAB0000-00007FFE4CAC3000 kernel.appcore.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4BA30000-00007FFE4BA3A000 VERSION.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE275F0000-00007FFE280B1000 clr.dll (Microsoft Corporation),
    version: 4.8.4180.0 built by: NET48REL1LAST_B
    00007FFE4F5E0000-00007FFE4F781000 USER32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4E800000-00007FFE4E826000 win32u.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4F5B0000-00007FFE4F5DB000 GDI32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4E3C0000-00007FFE4E4CB000 gdi32full.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4E240000-00007FFE4E2DC000 msvcp_win.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4E990000-00007FFE4EA95000 ucrtbase.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE46E00000-00007FFE46E16000 VCRUNTIME140_CLR0400.dll (Microsoft Corporation),
    version: 14.10.25028.0 built by: VCTOOLSD15RTM
    00007FFE26FB0000-00007FFE2706D000 ucrtbase_clr0400.dll (Microsoft Corporation),
    version: 14.10.25028.0 built by: VCTOOLSD15RTM
    00007FFE4FE80000-00007FFE4FEB0000 IMM32.DLL (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE258A0000-00007FFE26EA0000 mscorlib.ni.dll (Microsoft Corporation),
    version: 4.8.4180.0 built by: NET48REL1LAST_B
    00007FFE4FEB0000-00007FFE4FFD6000 ole32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4FB30000-00007FFE4FE80000 combase.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4E2E0000-00007FFE4E35E000 bcryptPrimitives.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4B6F0000-00007FFE4B78E000 uxtheme.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE25750000-00007FFE2589E000 clrjit.dll (Microsoft Corporation),
    version: 4.8.4180.0 built by: NET48REL1LAST_B
    00007FFE406A0000-00007FFE40844000 gdiplus.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4F490000-00007FFE4F5A4000 MSCTF.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4DAB0000-00007FFE4DAC8000 CRYPTSP.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4D1E0000-00007FFE4D214000 rsaenh.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4DAD0000-00007FFE4DADC000 CRYPTBASE.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4E210000-00007FFE4E237000 bcrypt.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4EC10000-00007FFE4F347000 shell32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4C2D0000-00007FFE4CAA3000 windows.storage.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4F860000-00007FFE4F912000 SHCORE.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4E150000-00007FFE4E16F000 profapi.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE405C0000-00007FFE40670000 comctl32.dll (Microsoft Corporation),
    version: 5.82 (WinBuild.160101.0800)
    00007FFE460B0000-00007FFE4625F000 WindowsCodecs.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4F790000-00007FFE4F85A000 OLEAUT32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE35E80000-00007FFE360D7000 DWrite.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4AE90000-00007FFE4AF87000 textinputframework.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4B360000-00007FFE4B47D000 CoreMessaging.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE355C0000-00007FFE358F2000 CoreUIComponents.dll (Microsoft Corporation),
    version: 10.0.19635.1
    00007FFE23A70000-00007FFE23AF1000 Lib.Platform.Windows.Native.dll (),
    version:
    00007FFE501A0000-00007FFE5020F000 WS2_32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4E830000-00007FFE4E987000 CRYPT32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE503F0000-00007FFE50446000 WLDAP32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE50190000-00007FFE50198000 Normaliz.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE239D0000-00007FFE23A61000 MSVCP140.dll (Microsoft Corporation),
    version: 14.25.28508.3 built by: vcwrkspc
    00007FFE4D570000-00007FFE4D59D000 IPHLPAPI.DLL (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE239B0000-00007FFE239C9000 VCRUNTIME140.dll (Microsoft Corporation),
    version: 14.25.28508.3 built by: vcwrkspc
    00007FFE48B50000-00007FFE48B5C000 VCRUNTIME140_1.dll (Microsoft Corporation),
    version: 14.25.28508.3 built by: vcwrkspc
    00007FFE49200000-00007FFE492AB000 mscms.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE48F80000-00007FFE48F92000 ColorAdapterClient.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE23920000-00007FFE23965000 icm32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE405B0000-00007FFE405B7000 msimg32.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE37FE0000-00007FFE3807D000 TextShaping.dll (),
    version:
    00007FFE4D8B0000-00007FFE4D917000 mswsock.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4F920000-00007FFE4F929000 NSI.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4F930000-00007FFE4F938000 psapi.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4E0E0000-00007FFE4E10F000 SspiCli.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4D5B0000-00007FFE4D67B000 DNSAPI.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE46260000-00007FFE46277000 dhcpcsvc6.DLL (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE463E0000-00007FFE463FD000 dhcpcsvc.DLL (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE46DF0000-00007FFE46DFC000 WINNSI.DLL (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)
    00007FFE4E110000-00007FFE4E13D000 USERENV.dll (Microsoft Corporation),
    version: 10.0.19635.1 (WinBuild.160101.0800)

    Process Trace
    1 C:\Program Files\AirVPN\Eddie-UI.exe [4848] 2020-05-29T09:41:46
    2 C:\Windows\explorer.exe [3260] 2020-05-29T09:41:42
    3 C:\Windows\System32\userinit.exe [780] 2020-05-29T09:41:42
    4 C:\Windows\System32\winlogon.exe [668] 2020-05-29T09:40:36
    winlogon.exe
    5 C:\Windows\System32\smss.exe [740] 2020-05-29T09:40:20 16.1s
    \SystemRoot\System32\smss.exe 000000dc 00000088
    6 C:\Windows\System32\smss.exe [408] 2020-05-29T09:40:11
    \SystemRoot\System32\smss.exe

    Dropped Files
    1 C:\Users\jonat\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_2560_1440_POS0.jpg
    Dropped by \Device\HarddiskVolume13\Windows\explorer.exe [3260]

    Thumbprints
    848697d328ff95a686c742189d6127d25e408f594b906f622e5eedf3be738376
     
  5. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Can you confirm you where running version 795 when you upgraded to 2004?

    Please download 871 to fix this issue:
    https://dl.surfright.nl/hmpalert3.exe
     
  6. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    I don't agree on this one, I do wonder why this ended up on protected applications? if you add stuff like this you might run in to these things, you'll need to disable "Application lockdown" for this one in this case.

    And Really HP dev's? you got your own code running and you need to spawn to shell a batch file to get things done?!?!?!?!
     
  7. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Geeze, using a non legal way of creating a new process route.exe well done Eddie dev's.
    I would advise to enable the protections again, then open the new eventlog via "number of alerts" find the alert -> action -> suppress alert.
    That should allow this "trick" to add a route during the setup of the VPN tunnel.
     
  8. cantoris

    cantoris Registered Member

    Joined:
    Apr 3, 2005
    Posts:
    9
    Thanks Ronny. I don't know what the version was - automatic updating was on. I can see this in WinDbg of the crashdump for hmpalert.sys:
    Timestamp: Wed Feb 5 08:34:59 2020 (5E3A7E33)
    CheckSum: 0004C740
    ImageSize: 00049000
    Can you identify the version from that? If not, is there a WinDbg command that will show more info on the driver that will let you confirm it was a version with a known issue?
     
  9. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Yeah that is 795 which as a bug on 2004, for now upgrade to 871, we're working on 797 to fix that.
     
  10. cantoris

    cantoris Registered Member

    Joined:
    Apr 3, 2005
    Posts:
    9
    Thanks Ronny!
     
  11. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Got ABBY Finereader15/Screenshot Reader blocked. (screenshotreader.exe)
    This happend with WIN10-1909, and 2004.
    Added screenshotreader.exe (32bit) to exclutions, and solved the issue.
     
  12. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    HitmanPro.Alert 3.7.14 Build 797 Released

    Changelog (compared to build 795):
    • Fixed a BSOD in Windows 10 version 2004 (20H1).
    • Fixed a handle leak in the service.
    • Fixed a reference count in the driver.
    Download
    https://dl.surfright.nl/hmpalert3b797.exe

    We're currently automatically updating users on 7xx to this build.
     
    Last edited: May 30, 2020
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    OK, I've removed HP Support Assistant from Protected Applications.
    Can't answer that one.

    Thanks Ronny.
     
  14. Mr Humphries

    Mr Humphries Registered Member

    Joined:
    Dec 3, 2016
    Posts:
    15
    Location:
    Australia
    Thanks -- it worked, eventually. Had to suppress alerts related to creation of 5 processes:
    route.exe
    openvpn.exe
    plink.exe
    stunnel.exe
    ipconfig.exe
     
  15. HansF

    HansF Registered Member

    Joined:
    Dec 10, 2015
    Posts:
    24
    Hi,

    in my new Setup with an Intel i9 10900K the assited by hardware logo is missing. Is there any solution or doesn't this cpu support it?
     
  16. davido

    davido Registered Member

    Joined:
    Mar 18, 2015
    Posts:
    15
    HitmanProAlert blocked my attempt to install newest AMD chipset driver released today.
    Since then if i try to install them i get a windows registry error.
    Don't know what to do
    Bye
    https://imgur.com/X3eKuWu
    Ok with version 3.8.4
    Cheers
     
    Last edited: Jun 4, 2020
  17. HansF

    HansF Registered Member

    Joined:
    Dec 10, 2015
    Posts:
    24
  18. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    Why are some people on 7xx and other people on 8xx. I have build 871 but don't know if i should be on 7xx instead.
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    7xx was still the official release, and 8xx a Release Candidate - but now I am not sure (build 871 doesn't indicate that) ... :doubt:

    I have v3.7.14 build 797 on my 'prod' machine, and v3.8.4 build 871 on my 'test' machine.
     
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Both 7xx and 8xx are official releases, but because of the large number of changes in 8xx, they are waiting for it to iron out the bugs, before rolling it out to the whole user base.


    Alert probably needs an update with support for this new generation of CPU's.
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Thanks for that clarification from Outer space, @BoerenkoolMetWorst.
     
  22. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    HitmanPro.Alert 3.8.4 Build 871 keystroke encryption function is not compatible with ESET 13.1.21.0 Banking & Payment Protection. It is confuses the keyboard. The wrong letter is displayed. When I press the same key multiple times, a different letter always appears. If I disable keystroke encryption protection, then there is no problem. It was similar before: https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-66#post-2872639
     
  23. guest

    guest Guest

    You need to disable keystroke encryption within HMP.A:
     
  24. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    I am aware of this, only it is inconvenient. It would be better to improve compatibility. Older versions did not have this problem.
     
  25. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    632
    Location:
    Planet Earth
    Hi Hans,
    Can you trigger an alert in HMPA e.g. by downloading EICAR test file and trying to start that so Anti-Malware triggers an alert, and then send the Alert details to support@hitmanpro.com please.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.