HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,237
    Location:
    the Netherlands
    Good question.
    Yes, I checked, but I forgot to mention.
    According to HMPA3's UI, keystroke encryption is enabled, while G Data Internet Security with keylogger protection is used.
    However, I don't know if HMPA3 showing keystroke encryption enabled means "switched on and active", or that perhaps it can mean "switched on, but not active because of another product's keystroke encryption".
    I hope Erik (or Mark) can clarify.
    In case HMPA3 showing keystroke encryption enabled means "switched on and active", then the question is - why is it enabled while G Data Internet Security with keylogger protection is used, where Erik said, "If you use another security product with keystroke encryption then Alert will not enable its own."
     
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,809
    Location:
    .
    Keystroke encryption vs Keylogger protection are not the same animal.

    Keylogger protection aka AntiLogger will prompt you when someone or something is trying to obtain access to your keyboard. Z AntiLogger for example proactively detects keyloggers at work and shuts them down.

    HMP.A offers simple local keystroke encryption.
     
    Last edited: Apr 18, 2015
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,237
    Location:
    the Netherlands
    Ah! I should have thought about that!
    Thank you very much!
    Although I don't know exactly what technique is used with G Data's keylogger protection, I may assume it is not keystroke encryption, so HMPA3's keystroke encryption is rightly enabled.
    Again - I should have thought about that. Thank you very much once more.
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    I am using the latest version (183)

    LastPass works fine, but did you test by creating a new entry and filling it in? E.g. from the toolbar you select "secure note", "add a secure note"; now if you write anything in the empty form the text will be jammed. I am running it on WIN 8.1. X64.

    I have also tested by fully removing (complete uninstall) all security tools on the system. Same result. If I disable keystroke encryption in HMPRO then everything works fine.
     
    Last edited: Apr 18, 2015
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,068
    Location:
    USA
    I've not had any problem with LastPass working with HMPA. Problem is, the keystroke encryption does not work on 40% of the machines I have installed it on to test. On one of the machines I went as far as to remove all security software, reinstalled HMPA, and as before it only works until a reboot. I am unable to identify the reason, so I consider it a bug or an unidentified conflict with some other non-security software. I like the idea of this software but it doesn't go beyond my testing machines until it is fixed or the reason for the non-functioning keyboard encryption is identified.
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,064
    Location:
    USA
    Ah, very interesting! I can confirm that when typing in a new LastPass "secure note" from Internet Explorer 11 all of the characters are scrambled. Secure note creation does work properly in Firefox (works fine in Maxthon as well).
     
  7. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    355
    Location:
    Canada
    i received the update notification, but when i rebooted...no HMP.A

    so i had a look in 'program files' and the HMP.A folder is empty - service is still listed, program/features entry and shortcuts are still there. had to delete program/features entry before a manual install of build 183 would work.

    also wondering if anyone has had issues with HMP.A blocking updates/installs? a Skype update was failing & i eventually stopped hmp.a service (build 181) after disabling Tinywall didn't work - updated fine with hmp.a disabled
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Thanks a lot for your confirmation :thumb:
     
  9. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Are you using SpyBlaster or AppGuard?
     
  10. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    355
    Location:
    Canada
    No - Windows 8.1, Avast free (hardened - aggressive mode), WFW + Tinywall, Zemana AL, HMP.A (keystroke encryption disabled)
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    In order for you to solve the updater issue, I will explain how it works:
    1. The tray icon downloads a new version from updates.hitmanpro.com.
    2. The tray icon writes the update to %TEMP%\hmpalert_update.exe.
    3. The service validates the executable and runs hmpalert_update.exe /upgrade
    4. The hmpalert_update.exe process creates a new folder C:\Program Files (x86)\HitmanPro.Alert\Update Files\
    5. The hmpalert_update.exe drops 4 or 5 files in that folder (1 exe, 2 dlls, 2 sys files)
    6. The hmpalert_update.exe writes entries to PendingFileRenameOperations key so that the files under the above folder overwrite the existing files before boot by Windows.
      https://technet.microsoft.com/en-us/library/cc960241.aspx
    If you have a tool that blocks the URL, or prevents starting executables from %TEMP%, the updater will not work (steps 1, 2 and 3).

    If you see the Update Files folder BEFORE boot, and gone AFTER boot it means that the PendingFileRenameOperations has worked. If you end up with an empty folder, it means that a boot-time component blocked the overwrite of the hmpalert.exe! Look into your other security products to see which one has blocked the overwrite with a new binary (the newer hmpalert.exe).
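
    The check described in the post above, as an added example (not part of the original post and not HitmanPro.Alert's own code): this Python code decodes a PendingFileRenameOperations value and lists the staged files queued to overwrite installed ones, which is the state to confirm before the reboot. The sample entries, the destination path and the use of the `!` replace flag are constructed assumptions.

```python
import ntpath

KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE = "PendingFileRenameOperations"

def read_pending():
    """Read the REG_MULTI_SZ value on Windows; returns [] when it is absent."""
    import winreg  # imported lazily so the parser also runs off-Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as key:
            return winreg.QueryValueEx(key, VALUE)[0]
    except FileNotFoundError:
        return []

def _clean(path):
    # A destination may start with '!' (replace existing file);
    # both sides carry the NT object prefix \??\ in front of the DOS path.
    path = path.lstrip("!")
    return path[4:] if path.startswith("\\??\\") else path

def parse_pending(strings):
    """Pair the strings as (source, destination); empty destination = delete."""
    ops = []
    for i in range(0, len(strings) - 1, 2):
        src, dst = strings[i], strings[i + 1]
        ops.append({"src": _clean(src), "dst": _clean(dst) or None,
                    "replace": dst.startswith("!")})
    return ops

def staged_replacements(ops, staging_dir):
    """Operations that move a file out of staging_dir onto another path."""
    staging = ntpath.normcase(staging_dir.rstrip("\\"))
    return [op for op in ops if op["dst"]
            and ntpath.normcase(ntpath.dirname(op["src"])) == staging]

# Folder name taken from the post; everything in SAMPLE is constructed.
STAGING = r"C:\Program Files (x86)\HitmanPro.Alert\Update Files"
SAMPLE = [
    r"\??\C:\Program Files (x86)\HitmanPro.Alert\Update Files\hmpalert.exe",
    r"!\??\C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe",  # assumed target
    r"\??\C:\Windows\Temp\old.tmp", "",  # unrelated delete operation
]

if __name__ == "__main__":
    for op in staged_replacements(parse_pending(SAMPLE), STAGING):
        print(op["src"], "->", op["dst"], "(replace)" if op["replace"] else "")
```

    On a live system, pass `read_pending()` instead of `SAMPLE`; an empty result while the Update Files folder still holds files means the overwrite was never queued or has been cleared.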
     
  12. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    999
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    @erikloman
    Any feedback on whether this is fixable? I know other security tools implementing your same approach that have given up on (or didn't manage) fixing these types of problems, while others (WSA) do it differently, allowing plug-ins to work correctly.
     
  14. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    W7-x64, IE11, FF Nightly 40.0a1, hp240, hpa181,....

    Just for test purposes I installed SpywareBlaster v5.0 (latest free version), database update 30-3-2015.

    The hmpalert3 'auto update' process, from b181 to b183, went without problems, SpywareBlaster 5.0 did not interfere with the update at boot time.

    1. Flyout in hmpalert3 181 announcing a new version to be installed at next boot
    2. Next boot installed b183!:)
     
    Last edited: Apr 19, 2015
  15. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,237
    Location:
    the Netherlands
    Which SpyBlaster are you referring to?
    Lavasoft mentions a "Spy Blaster" as a rogue.

    Or did you mean SpywareBlaster?
    Regarding SpywareBlaster,
     
  16. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,365
    I just had another HMPA crashdump coming out of suspend on win7 32-bit. I haven't had one of these in quite some time. Looks like this one will be hard to find. Dump sent your way Erik.
    Version=1
    EventType=BEX
    EventTime=130739182478328817
    ReportType=2
    Consent=1
    ReportIdentifier=3f746530-e68b-11e4-aa5a-028037ec0200
    IntegratorReportIdentifier=3f74652f-e68b-11e4-aa5a-028037ec0200
    Response.type=4
    Sig[0].Name=Application Name
    Sig[0].Value=hmpalert.exe
    Sig[1].Name=Application Version
    Sig[1].Value=3.0.38.183
    Sig[2].Name=Application Timestamp
    Sig[2].Value=552fb8de
    Sig[3].Name=Fault Module Name
    Sig[3].Value=netprofm.dll_unloaded
    Sig[4].Name=Fault Module Version
    Sig[4].Value=0.0.0.0
    Sig[5].Name=Fault Module Timestamp
    Sig[5].Value=4a5bda75
    Sig[6].Name=Exception Offset
    Sig[6].Value=71592505
    Sig[7].Name=Exception Code
    Sig[7].Value=c0000005
    Sig[8].Name=Exception Data
    Sig[8].Value=00000008
    DynamicSig[1].Name=OS Version
    DynamicSig[1].Value=6.1.7601.2.1.0.256.1
    DynamicSig[2].Name=Locale ID
    DynamicSig[2].Value=1033
    DynamicSig[22].Name=Additional Information 1
    DynamicSig[22].Value=a7aa
    DynamicSig[23].Name=Additional Information 2
    DynamicSig[23].Value=a7aa91f17ea749d42a4de3b390fa5b3d
    DynamicSig[24].Name=Additional Information 3
    DynamicSig[24].Value=a7aa
    DynamicSig[25].Name=Additional Information 4
    DynamicSig[25].Value=a7aa91f17ea749d42a4de3b390fa5b3d
    UI[2]=C:\Program Files\HitmanPro.Alert\hmpalert.exe
    UI[3]=HitmanPro.Alert has stopped working
    UI[4]=Windows can check online for a solution to the problem.
    UI[5]=Check online for a solution and close the program
    UI[6]=Check online for a solution later and close the program
    UI[7]=Close the program
    FriendlyEventName=Stopped working
    ConsentKey=BEX
    AppName=HitmanPro.Alert
    AppPath=C:\Program Files\HitmanPro.Alert\hmpalert.exe
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,064
    Location:
    USA
    I use CryptoPrevent at the default setting without updating issues, however the "Maximum Protection" setting warns that it may prevent legitimate software from installing and recommends disabling protection beforehand.
     
  18. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    999
    I also use the default settings.
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,064
    Location:
    USA
  20. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,174
    Location:
    Hollow Earth - Telos
    I used to use CP but now use HMPA V3 instead for Crypto.
     
  21. PallMall

    PallMall Guest

    Good to know, thanks for the details. One question: I guess the delay between (2) and (4) is negligible, that this transfer is immediate, is this correct? Because here I empty the temp folder regularly so I wouldn't want to delete the update when it is still in the temp folder...
     
  22. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,237
    Location:
    the Netherlands
    Another issue:

    When I choose to print an image from Windows Vista x86 IE9 (for instance take this image, or any other image),
    and next in Windows' Print menu I choose Preferences,
    it takes an unusually long time before my printer's (Canon iP4300) preferences menu shows
    (first, Windows says printer is not responding),
    and then when the printer's preferences menu shows and I choose OK, and then Print,
    it takes a very(!) long time before printing starts.

    This was not the case before installing HMPA3.

    I see this behavior with Windows Vista x86 IE9, but there is no issue with Windows 7 x64 IE11.
    Nor is there any issue when I print from Windows Explorer.
    I haven't tested with other browsers than IE9 and IE11, nor have I tested with other printers than Canon iP4300.


    Edit:
    Added x86 and x64 details.
     
    Last edited: Apr 19, 2015
  23. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,237
    Location:
    the Netherlands
    Hmm ... good point there!
     
  24. PallMall

    PallMall Guest

    Not as good if emptying the Temp folder includes deleting HMP's Update... nothing is perfect :)
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    There is no delay between download-finished and executing the updater. The files for the update are extracted in HitmanPro's update folder under ProgramFiles.
     