HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    761
    Location:
    U.S. Citizen
    Kind regards, Many thanks! And truly appreicate!

    Kind regards,

    Moose World
     
  2. Cactus5

    Cactus5 Registered Member

    Joined:
    Jan 17, 2015
    Posts:
    27
    Location:
    Southwest USA
    @erikloman
    Regarding encryption of characters in the address bars of IE11 and Chrome 40, I recalled that it had worked properly in an earlier build. I confirmed this by starting with build 120 where it did work correctly. The next build I had was 125 which is where the encrypted characters in the address bar first showed in IE11 and Chrome when Keystroke Encryption is enabled. I tried disabling Enhanced Protected Mode in IE11 but it made no difference so restored EPM.

    For Chrome I get some limited success by disabling Bottom Up ASLR. But it works sometimes and sometimes not. I could not find any setting for IE11 but if I disable all mitigations, the keystokes show up properly with keystroke encryption enabled, not how I wish to run. I usually use the built-in keyboard on the laptops. I have tested with a wireless keyboard using itype.exe from Microsoft which still showed the encrypted characters in the address bars. Then I used the Windows 7 on-screen keyboard and it always works with Keystroke Encryption enabled. Looking at itype.exe and osk.exe with Process Explorer, it appears that HMP Alert is present in both processes (itype.exe and osk.exe) in identical ways, a device and a named pipe.

    This issue of encrypted keystrokes in the address bar of IE11 and Chrome v40 are present on all 3 laptops in my house. 2 of those laptops had Windows 7 reinstalled within the last 9 months. One of them had Windows 7 reinstalled just 2.5 weeks ago. All 3 laptops use EIS, AppGuard and HMP Alert.

    It's simple enough to just disable keystroke encryption but hoping you will be able to find a fix for this.
     
  3. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,044
    Location:
    Baden Germany
    @Cactus5:
    You are over armored.
    It's just that easy: Go for a straight setup, like I use.
    See my signature.
     
  4. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    417
    @ Eric
    Possible false positive?

    Mitigation CryptoGuard

    Platform 6.3.9600/x64 06_3c
    PID 5056
    Application C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe
    Description Uninstall Programs 4

    Filename C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe

    C:\Program Files (x86)\OpenOffice 4\share\gallery\arrows\A17-CircleArrow.png
    C:\Program Files (x86)\OpenOffice 4\share\gallery\arrows\A16-CircleArrow.png
    C:\Program Files (x86)\OpenOffice 4\program\python-core-2.7.6\lib\pdb.doc

    /E
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The File Shredder function in IObit Uninstaller is performing a secure erase.
    A secure erase first overwrites the files with random data before it deletes the file (random and encrypted data look pretty much the same).
    This triggers CryptoGuard as it protected your files against malicious overwrite.

    Best is to disable CryptoGuard before performing a secure erase of your images and documents files.
     
    Last edited: Jan 28, 2015
  6. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    I found the problem. Since I have a fast system, the problem is not that apparent. Switching to a computer with a much weaker CPU the problem becomes more visible (slow loading of flash videos). Problem is caused by FlashPlayer changing the protection flags of the SAME memory region well over HUNDRED times before it starts playing a video :confused:

    I tucked a fix into source control so it will be in the next published build.
     
    Last edited: Jan 28, 2015
  7. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,024
    Having similar problem with an old cpu, Firefox 35.0.1, flash and www.twitch.tv. Almost 10 seconds black screen before the flashstream starts. Could you check if its the same problem? Random twitch-stream: http://www.twitch.tv/aimostfamous (W7 64 bits/build 141).
     
  8. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    417
    Great, thx Erik! :thumbd:

    /E
     
  9. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    417
    I forgot to mention that this was a Win 8.1 x64 installation.
    I did the exact same uninstall of OpenOffice with Iobit and Alert enabled on a Win 7 32bit without any problems.

    /E
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,600
    Location:
    Outer space
    How is he/she over armored? Alert and AppGuard and 1 realtime scanning program. You use Alert, Sandboxie and 2 realtime scanning programs.
     
  11. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    895
    Location:
    The Netherlands
    What category is best to use for Microsoft Outlook and Foxit Reader?
    I have chosen Office for Outlook and Plugins for Foxit.
    Are that the recommended categories?
     
  12. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,044
    Location:
    Baden Germany
    EIS uses two engines and behavior based protection. It is known for not going well together with other security solutions.
    AppGuard covers unknown malware and exploits.
    Adding another soft for the same purpose, like HMP.alert, is what I call over armored.

    My setup does not cause any conflict, caused by being not compatible, or double addressing the same risk.
    The few issues I had, where general with HMP.alert and sorted out, with the latest build 141.
    Sandboxie is used very seldom. I do accept if not fully compatible, without some manual configuration.

    Don't get me wrong, this thread is for testing and finding issues, so it's ok to combine in any way.

    I'm looking for a setup, that can be installed on my customers computers, without any trouble, caused by overlapping security solutions.
     
  13. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,044
    Location:
    Baden Germany
    Based of my long term experience, I do not recommend using uninstallers, without serious reasons.
    A few leftovers in the registry and some files are not an issue, compared to the trouble uninstaller can cause.
    Using uninstallers, cleaning all files of a previous installed software, disables the chance of the build in uninstaller to cleanup during next reboot.

    Especially I would not support IOBit, the chinese company that steals Malwarebytes signatures.
    If the build in uninstaller of a software fails, I recommend using Revo Uninstaller.
     
    Last edited: Jan 28, 2015
  14. hotlips69

    hotlips69 Registered Member

    Joined:
    Nov 3, 2005
    Posts:
    55
    Location:
    Sussex. UK
    Since I installed the latest build, using IE11 (& Firefox 35.0.1) I keep getting massive slowdowns with "Encrypting........." appearing in the bottom right of the screen.
    What is this actually doing?
     
  15. tuvalu_tt

    tuvalu_tt Registered Member

    Joined:
    Apr 28, 2013
    Posts:
    49
    Location:
    Finland
    My keyboard also stopped working, i think i did restart after update, but it was 3 hours later.
    Anyway, i turn on PC next day (Tuesday) and keyboard stopped working.
    i did disable Keystroke Encryption and BadUSB protection and rebooted few times, no luck.
    uninstalled HMP.Alert and keyboard started working again.

    Then rebooted ones more, installed .alert 141, i did see that Keystroke Encryption and BadUSB protection still disabled, enabled them and rebooted.
    Keyboard still works. after that several reboots and still all ok.

    i have no other anti-keylogger program.
    My os is: Windows 7 64bit.
    Emsisoft Anti-malware and Malwarebytes Anti-malware 1.75
    Windows Firewall

    ps: has nothing to do with bug report, but i now updated MBAM to 2.x, it's nice.
     
    Last edited: Jan 29, 2015
  16. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    761
    Location:
    U.S. Citizen
    @erikloman

    Appreicated your help yesterday and you answering all of my questions.
    Looking forward to you answer on my PM post at Malwaretips.

    Many thanks

    Moose's World
     
  17. tuvalu_tt

    tuvalu_tt Registered Member

    Joined:
    Apr 28, 2013
    Posts:
    49
    Location:
    Finland
    I do not use Google Chrome that much.
    My Chrome is istalled at: C:\Users\my username\AppData\Local\Google\Chrome\Application\chrome.exe
    and it seems that HitManPro.Alert 3 does not protect it.
    There is no FlyOut and Keystroke Encryption do not show up with it.

    I think i did see FlyOut with .Alert 2.5 beta.

    edit: i did go to HMP.A Running Applications tab and added Browsers Mitigation template to chrome.exe.
    It seems to work now, but why it was not protected before?
     
    Last edited: Jan 29, 2015
  18. FOXP2

    FOXP2 Guest

    FWIW, I can report there were no CryptoGuard triggers with YL Computing WinUtilities File Shredder v2.9 using any of the Passes methods - Single, DOD 5223-22M, NSA, Gutmann. Or with Heidi Computers Eraser v5.8.8 using Gutmann, US DoD 5220.22-M (7 and 3 passes) and Schneier 7 pass.

    Files used: a 16MB txt (of lorem ipsum text) in My Documents and a 21MB exe in Downloads.

    Cheers.
     
  19. brihy1

    brihy1 Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    198
    Location:
    usa
    Installed webroot secureanywhere and with hmpa 131 google chrome does not connect to internet?Even if I disable safe browsing and exploit mitigation it makes no difference.Also hmpa is allowed in webroot.

    Uninstalled hmpa 313 and everything is fine with chrome.
     
    Last edited: Jan 29, 2015
  20. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HitmanPro.Alert build 141 is the lastest:
    http://test.hitmanpro.com/hmpalert3b141.exe
     
  21. brihy1

    brihy1 Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    198
    Location:
    usa
    sorry thats what i ment,141
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    Just installed ver. 2.6.5 on WIN 7 x64 SP.

    Anyone know what these event log audit failures are about? Getting one posted to the event log every 7 mins.

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 1/29/2015 3:10:28 PM
    Event ID: 6281
    Task Category: System Integrity
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: xxxxx
    Description:
    Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
    File Name: \Device\HarddiskVolume3\Windows\System32\hmpalert.dll
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6281</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-01-29T20:10:28.318919600Z" />
    <EventRecordID>193029</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="44" />
    <Channel>Security</Channel>
    <Computer>Don-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">\Device\HarddiskVolume3\Windows\System32\hmpalert.dll</Data>
    </EventData>
    </Event>
     
  23. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Perhaps after a reboot the issue is resolved.
     
  24. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This issue is solved in Alert 3.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    Where can I download a non-beta version of Alert 3?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.