HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    36,257
    Excluding applications should prevent HMP.A from injecting its .dll, but it seems that newer versions of HMP.A are injecting it nevertheless, which might cause trouble on some systems.
    ("hmpalert!A3 / hmpalert!CVCCP", these are exports from the injected hmpalert.dll which can be seen in the crash report)
     
  2. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,200
    Location:
    the Netherlands
    I rather doubt that. MPC-HC is no longer actively developed. There are unofficial builds by clsid at Doom9's forum, but I really doubt we can expect a fix for HMPA crashing MPC-HC.
    And on the HMPA side, earlier, Erik Loman mentioned that MPC-HC uses many weird techniques to play videos and that it cannot be supported.
    But, as also mentioned by Erik, and also by Mark (as pointed out by mood), adding MPC-HC to HMPA exceptions should be sufficient to prevent MPC-HC crashing. However, if adding MPC-HC to HMPA exceptions is not sufficient, then there is an issue. I hope Erik, Mark, or Ronny can offer a solution to that.
     
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,253
    For users having issues with MPC-HC, does using MPC-HC (64-bit) instead make any difference?
     
  4. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,200
    Location:
    the Netherlands
    Good question.
    Where I said that on my Windows 7 x64 system with HMPA 723 stable, MPC-HC does not crash if it is added to HMPA's exclusion list, I am talking about MPC-HC.1.7.13.x64 portable.
    I don't know about the MPC-HC 32-bit and installer versions, or the unofficial builds by clsid.
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,390
    Location:
    Among the gum trees
    Yeah, I know, I know... No comment.
    Code:
    Log Name:      Application
    Source:        HitmanPro.Alert
    Date:          26/02/2018 7:38:33 PM
    Event ID:      911
    Task Category: Mitigation
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      David-HP
    Description:
    Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v734 06_5e
    PID          940
    Application  C:\Program Files\Norton Security\Engine\22.12.0.104\symerr.exe
    Description  Symantec Error Reporting 7.10
    
    Reading LSASS (812) process memory: 0000000000000000 L1128
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFF407365A4 KernelBase.dll           ReadProcessMemory +0x14
    2  00007FFF407BBD86 KernelBase.dll           GetModuleFileNameExA +0x2a6
    3  00007FFF407BBBD0 KernelBase.dll           GetModuleFileNameExA +0xf0
    4  00007FFF407BB954 KernelBase.dll           EnumProcessModulesEx +0x84
    
    5  00007FFF2DABECB6 ccLib.dll              
                        85c0                     TEST         EAX, EAX
                        7564                     JNZ          0x7fff2dabed1e
                        488d353f830500           LEA          RSI, [RIP+0x5833f]
                        488b0538830500           MOV          RAX, [RIP+0x58338]
                        483bc6                   CMP          RAX, RSI
                        7437                     JZ           0x7fff2dabed04
                        f6401c01                 TEST         BYTE [RAX+0x1c], 0x1
                        7431                     JZ           0x7fff2dabed04
                        80781902                 CMP          BYTE [RAX+0x19], 0x2
                        722b                     JB           0x7fff2dabed04
                        ff15f1690200             CALL         QWORD [RIP+0x269f1]
                        ba2d000000               MOV          EDX, 0x2d
                        89442420                 MOV          [RSP+0x20], EAX
                        458b4d28                 MOV          R9D, [R13+0x28]
                        4c8d05dd3f0300           LEA          R8, [RIP+0x33fdd]
    
    6  00007FFF2DABE7C3 ccLib.dll              
    7  00007FFF2DABEA60 ccLib.dll              
    8  00007FFF2DABE4C1 ccLib.dll              
    9  00000000522F4F83 sqsvc.dll              
    10 00000000522F3633 sqsvc.dll              
    
    Process Trace
    1  C:\Program Files\Norton Security\Engine\22.12.0.104\symerr.exe [940]
    "C:\Program Files\Norton Security\Engine\22.12.0.104\SymErr.exe" /submit
    2  C:\Windows\System32\svchost.exe [1212]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
    3  C:\Windows\System32\services.exe [788]
    4  C:\Windows\System32\wininit.exe [668]
    wininit.exe
    
    Thumbprint
    42e1b2d530f9d74fa2be1ab40cf597106ec096654b94ee2622b4aa68007c7a5f
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="HitmanPro.Alert" />
        <EventID Qualifiers="0">911</EventID>
        <Level>2</Level>
        <Task>9</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2018-02-26T08:38:33.301262100Z" />
        <EventRecordID>55858</EventRecordID>
        <Channel>Application</Channel>
        <Computer>David-HP</Computer>
        <Security />
      </System>
      <EventData>
        <Data>C:\Program Files\Norton Security\Engine\22.12.0.104\symerr.exe</Data>
        <Data>CredGuard</Data>
        <Data>Mitigation   CredGuard
    
    Platform     10.0.16299/x64 v734 06_5e
    PID          940
    Application  C:\Program Files\Norton Security\Engine\22.12.0.104\symerr.exe
    Description  Symantec Error Reporting 7.10
    
    Reading LSASS (812) process memory: 0000000000000000 L1128
    
    Stack Trace
    #  Address          Module                   Location
    -- ---------------- ------------------------ ----------------------------------------
    1  00007FFF407365A4 KernelBase.dll           ReadProcessMemory +0x14
    2  00007FFF407BBD86 KernelBase.dll           GetModuleFileNameExA +0x2a6
    3  00007FFF407BBBD0 KernelBase.dll           GetModuleFileNameExA +0xf0
    4  00007FFF407BB954 KernelBase.dll           EnumProcessModulesEx +0x84
    
    5  00007FFF2DABECB6 ccLib.dll              
                        85c0                     TEST         EAX, EAX
                        7564                     JNZ          0x7fff2dabed1e
                        488d353f830500           LEA          RSI, [RIP+0x5833f]
                        488b0538830500           MOV          RAX, [RIP+0x58338]
                        483bc6                   CMP          RAX, RSI
                        7437                     JZ           0x7fff2dabed04
                        f6401c01                 TEST         BYTE [RAX+0x1c], 0x1
                        7431                     JZ           0x7fff2dabed04
                        80781902                 CMP          BYTE [RAX+0x19], 0x2
                        722b                     JB           0x7fff2dabed04
                        ff15f1690200             CALL         QWORD [RIP+0x269f1]
                        ba2d000000               MOV          EDX, 0x2d
                        89442420                 MOV          [RSP+0x20], EAX
                        458b4d28                 MOV          R9D, [R13+0x28]
                        4c8d05dd3f0300           LEA          R8, [RIP+0x33fdd]
    
    6  00007FFF2DABE7C3 ccLib.dll              
    7  00007FFF2DABEA60 ccLib.dll              
    8  00007FFF2DABE4C1 ccLib.dll              
    9  00000000522F4F83 sqsvc.dll              
    10 00000000522F3633 sqsvc.dll              
    
    Process Trace
    1  C:\Program Files\Norton Security\Engine\22.12.0.104\symerr.exe [940]
    "C:\Program Files\Norton Security\Engine\22.12.0.104\SymErr.exe" /submit
    2  C:\Windows\System32\svchost.exe [1212]
    c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
    3  C:\Windows\System32\services.exe [788]
    4  C:\Windows\System32\wininit.exe [668]
    wininit.exe
    
    Thumbprint
    42e1b2d530f9d74fa2be1ab40cf597106ec096654b94ee2622b4aa68007c7a5f</Data>
      </EventData>
    </Event>
    Followed closely by - https://www.wilderssecurity.com/thr...-layer-of-defense.398859/page-45#post-2740681
     
  6. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    922
    Uninstalled 734 BETA. No wifi and Windows responds VERY slowly once started to desktop. I can see both Norton and HitmanPro.Alert in Task Manager but no Norton and HitmanPro.Alert tray icons. Same after several Windows restarts. After uninstalling 734 BETA no problems, wifi is OK now and Norton tray icon is back.

    Win10 1709 build 16299.214 x64/Norton Security v22.11.0.104
     
  7. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,200
    Location:
    the Netherlands
    Is that with HMPA stable build 729, or with no HMPA at all?
    If that is with no HMPA at all, what happens when you install stable build 729?
     
  8. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    922
    With build 734 beta.
     
  9. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    922
    Found this:

    Logboeknaam: System
    Bron: Service Control Manager
    Datum: 26-2-2018 9:58:15
    Gebeurtenis-id:7011
    Taakcategorie: Geen
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Time-out (30000 seconden) tijdens het wachten op een reactie op een transactie van deze service: hmpalertsvc.
    Gebeurtenis-XML:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7011</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2018-02-26T08:58:15.808148600Z" />
    <EventRecordID>7369</EventRecordID>
    <Correlation />
    <Execution ProcessID="720" ThreadID="6908" />
    <Channel>System</Channel>
    <Computer>****PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">30000</Data>
    <Data Name="param2">hmpalertsvc</Data>
    </EventData>
    </Event>
     
  10. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,200
    Location:
    the Netherlands
    No, I mean, where you said "After uninstalling 734 BETA no problems", is that with no HMPA at all, or with HMPA stable build 729 reinstalled?
    And if that is with no HMPA at all, what happens when you install stable build 729?
     
  11. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    922
    No HMPA at all. I'll try build 729.
     
  12. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,200
    Location:
    the Netherlands
    Ah, OK, thanks for clarifying.
    I wonder what build 729 will do, on your system.
     
  13. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    922
    No problems with build 729.
     
  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,200
    Location:
    the Netherlands
    Great, thanks for testing.
    Beta 734, however, seems not so great. Quite a few issues reported by now, some tinkering needed by the developers, so it seems.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That's why they call it a beta.
     
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,200
    Location:
    the Netherlands
    But of course. :)
    However, with some betas we see no issues at all and those are later released as stable, while other betas still need some more work, like this one. But of course that's fine, as it's a beta.
     
  17. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,534
    Location:
    North Carolina, USA
    Hello,
    I am also having a similar issue when trying to do a scan with ESET. HMP.A does not generate any alert. ESET just sits there endlessly scanning memory. Completely disabling CredGuard (Credential Theft Protection) solves the issue.
    For the time being, I have completely disabled CredGuard (Credential Theft Protection) in order for the anti-virus/malware scanners that I have to work properly. I will enable and test again later if a new version of HMP.A is released with changes that will solve this issue.
     
  18. volt99

    volt99 Registered Member

    Joined:
    Feb 22, 2015
    Posts:
    4
    HitmanPro.Alert Beta 737 is interfering with the BattlEye anti-cheat system for Player Battlegrounds Unknown.
     
  19. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    With 734 BETA, no wifi, BSOD with Kaspersky Small Office latest version.
     
    Last edited: Feb 26, 2018
  20. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,200
    Location:
    the Netherlands
    Just to get that clear - Are you sure you are talking about the latest stable build 729? Or beta build 734?
    (By the way, this is the dedicated beta thread, there's a different thread for the HMPA stable versions.)
     
  21. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137

    Modified, sorry, the prob with 734 BETA.
     
  22. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    465
  23. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,311
    Yeah, I'm stuck on 604 too because of BSODs on W7/XP 32-bit with all later HMPA versions. Not sure when this issue will be resolved due to SOPHOS priorities even though they were able to reproduce the crashes. We are no longer dealing with the Loman brothers like we did before SOPHOS took over. :'(
     
    Last edited: Feb 28, 2018
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,587
    Location:
    Canada
    How is hitmanpro alert these days?
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,390
    Location:
    Among the gum trees
    The 'Stable' build is stable on my machines but the 'Beta' build is, well, a beta.
     