HitmanPro.ALERT Support and Discussion Thread

Good question.
Yes, I checked, but I forgot to mention.
According to HMPA3's UI, keystroke encryption is enabled, while G Data Internet Security with keylogger protection is used.
However, I don't know if HMPA3 showing keystroke encryption enabled means "switched on and active", or that perhaps it can mean "switched on, but not active because of another product's keystroke encryption".
I hope Erik (or Mark) can clarify.
In case HMPA3 showing keystroke encryption enabled means "switched on and active", then the question is - why is it enabled while G Data Internet Security with keylogger protection is used, where Erik said, "If you use another security product with keystroke encryption then Alert will not enable its own."

 

Keystroke encryption vs Keylogger protection are not the same animal.

Keylogger protection aka AntiLogger will prompt you when someone or something is trying to obtain access to your keyboard. Z AntiLogger for example proactively detects keyloggers at work and shuts them down.

HMP.A offers simple local keystroke encryption.

 

Ah! I should have thought about that!
Thank you very much!
Although I don't know exactly what technique is used with G Data's keylogger protection, I may assume it is not keystroke encryption, so HMPA3's keystroke encryption is rightly enabled.
Again - I should have thought about that. Thank you very much once more.

 

I am using the latest version (183)

Lastpass works fine but did you test by creating a new entry and fill-it in? E.g. from the toolbar you select "secure note", "add a secure note", now if you write anything in the empty form the text will be jammed. I am running it on WIN 8.1. X64.

I have also tested by fully removing (complete uninstall) all security tools on the system. Same result. If I disable keystroke encryption in HMPRO then everything works fine.

 

I've not had any problem with LastPass working with HMPA. Problem is, the keystroke encryption does not work on 40% of the machines I have installed it on to test. On one of the machines I went as far as to remove all security software, reinstalled HMPA, and as before it only works until a reboot. I am unable to identify the reason, so I consider it a bug or an unidentified conflict with some other non-security software. I like the idea of this software but it doesn't go beyond my testing machines until it is fixed or the reason for the non-functioning keyboard encryption is identified.

 

Ah, very interesting! I can confirm that when typing in a new LastPass "secure note" from Internet Explorer 11 all of the characters are scrambled. Secure note creation does work properly in Firefox (works fine in Maxthon as well).

 

i received the update notification, but when i rebooted...no HMP.A

so i had a look in 'program files' and the HMP.A folder is empty - service is still listed, program/features entry and shortcuts are still there. had to delete program/features entry before a manual install of build 183 would work.

also wondering if anyone has had issues with HMP.A blocking updates/installs? a Skype update was failing & i eventually stopped hmp.a service (build 181) after disabling Tinywall didn't work - updated fine with hmp.a disabled

 

Thanks a lot for your confirmation

 

Are you using SpyBlaster or AppGuard?

 

No - windows 8.1, Avast free (hardened - aggressive mode), WFW + Tinywall, Zemana AL, HMP.A(keystroke encryption disabled)

 

In order for you to solve the updater issue, I will explain how it works:

1. The tray icon downloads a new version from updates.hitmanpro.com.
2. The tray icon writes the update to %TEMP%\hmpalert_update.exe.
3. The service validates the executable and runs hmpalert_update.exe /upgrade
4. The hmpalert_update.exe process creates a new folder C:\Program Files (x86)\HitmanPro.Alert\Update Files\
5. The hmpalert_update.exe drops 4 or 5 files in that folder (1 exe, 2 dlls, 2 sys files)
6. The hmpalert_update.exe writes entries to PendingFileRenameOperations key so that the files under the above folder overwrite the existing files before boot by Windows.
   https://technet.microsoft.com/en-us/library/cc960241.aspx

If you have a tool that blocks the URL, or prevents starting executables from the %TEMP% the updater will not work (step 1, 2 and 3).

If you see the Update Files folder BEFORE boot, and gone AFTER boot it means that the PendingFileRenameOperations has worked. If you end up with an empty folder, it means that a boot-time component blocked the overwrite of the hmpalert.exe! Look into your other security products to see which one has blocked the overwrite with a new binary (the newer hmpalert.exe).

 

Thanks for the explanation. I might need to check whether Foolish-IT CryptoPrevent is blocking my HMPA updates.

http://www.foolishit.com/vb6-projects/cryptoprevent/technical-information/

 

@erikloman
Any feedback if this is fixable? I know other security tools implementing your same approach that given up (or didn't manage) on fixing these type of problems while others (WSA) that does it differently allowing plug-ins to work correctly.

 

W7-x64, IE11, FF Nightly 40.0a1, hp240, hpa181,....

Just for test purposes I installed SpywareBlaster v5.0 (latest free version), database update 30-3-2015.

The hmpalert3 'auto update' process, from b181 to b183, went without problems, SpywareBlaster 5.0 did not interfere with the update at boot time.

1. Flyout in hmpalert3 181 announcing a new version to be installed at next boot
2. Next boot installed b183!

 

Which SpyBlaster are you referring to?
Lavasoft mentions a "Spy Blaster" as a rogue.

Or did you mean SpywareBlaster?
Regarding SpywareBlaster,

 

I just had another HMPA crashdump coming out of suspend on win7 32-bit. I haven't had one of these in quite some time. Looks like this one will be hard to find. Dump sent your way Erik.

Spoiler

Version=1
EventType=BEX
EventTime=130739182478328817
ReportType=2
Consent=1
ReportIdentifier=3f746530-e68b-11e4-aa5a-028037ec0200
IntegratorReportIdentifier=3f74652f-e68b-11e4-aa5a-028037ec0200
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=hmpalert.exe
Sig[1].Name=Application Version
Sig[1].Value=3.0.38.183
Sig[2].Name=Application Timestamp
Sig[2].Value=552fb8de
Sig[3].Name=Fault Module Name
Sig[3].Value=netprofm.dll_unloaded
Sig[4].Name=Fault Module Version
Sig[4].Value=0.0.0.0
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=4a5bda75
Sig[6].Name=Exception Offset
Sig[6].Value=71592505
Sig[7].Name=Exception Code
Sig[7].Value=c0000005
Sig[8].Name=Exception Data
Sig[8].Value=00000008
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7601.2.1.0.256.1
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=a7aa
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=a7aa91f17ea749d42a4de3b390fa5b3d
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=a7aa
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=a7aa91f17ea749d42a4de3b390fa5b3d
UI[2]=C:\Program Files\HitmanPro.Alert\hmpalert.exe
UI[3]=HitmanPro.Alert has stopped working
UI[4]=Windows can check online for a solution to the problem.
UI[5]=Check online for a solution and close the program
UI[6]=Check online for a solution later and close the program
UI[7]=Close the program
LoadedModule[0]=C:\Program Files\HitmanPro.Alert\hmpalert.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\system32\KERNEL32.dll
LoadedModule[3]=C:\Windows\system32\hmpalert.dll
LoadedModule[4]=C:\Windows\system32\KERNELBASE.dll
LoadedModule[5]=C:\Windows\system32\USER32.dll
LoadedModule[6]=C:\Windows\system32\GDI32.dll
LoadedModule[7]=C:\Windows\system32\LPK.dll
LoadedModule[8]=C:\Windows\system32\USP10.dll
LoadedModule[9]=C:\Windows\system32\msvcrt.dll
LoadedModule[10]=C:\Windows\system32\ADVAPI32.dll
LoadedModule[11]=C:\Windows\SYSTEM32\sechost.dll
LoadedModule[12]=C:\Windows\system32\RPCRT4.dll
LoadedModule[13]=C:\Windows\system32\SHELL32.dll
LoadedModule[14]=C:\Windows\system32\SHLWAPI.dll
LoadedModule[15]=C:\Windows\system32\ole32.dll
LoadedModule[16]=C:\Windows\system32\PSAPI.DLL
LoadedModule[17]=C:\Windows\system32\CRYPT32.dll
LoadedModule[18]=C:\Windows\system32\MSASN1.dll
LoadedModule[19]=C:\Windows\system32\WTSAPI32.dll
LoadedModule[20]=C:\Windows\system32\USERENV.dll
LoadedModule[21]=C:\Windows\system32\profapi.dll
LoadedModule[22]=C:\Windows\system32\VERSION.dll
LoadedModule[23]=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
LoadedModule[24]=C:\Windows\system32\FLTLIB.DLL
LoadedModule[25]=C:\Windows\system32\IPHLPAPI.DLL
LoadedModule[26]=C:\Windows\system32\NSI.dll
LoadedModule[27]=C:\Windows\system32\WINNSI.DLL
LoadedModule[28]=C:\Windows\system32\WINHTTP.dll
LoadedModule[29]=C:\Windows\system32\webio.dll
LoadedModule[30]=C:\Windows\system32\MSIMG32.dll
LoadedModule[31]=C:\Windows\system32\WS2_32.dll
LoadedModule[32]=C:\Windows\system32\IMM32.DLL
LoadedModule[33]=C:\Windows\system32\MSCTF.dll
LoadedModule[34]=C:\Windows\system32\uxtheme.dll
LoadedModule[35]=C:\Windows\system32\dwmapi.dll
LoadedModule[36]=C:\Windows\system32\urlmon.dll
LoadedModule[37]=C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
LoadedModule[38]=C:\Windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
LoadedModule[39]=C:\Windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
LoadedModule[40]=C:\Windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
LoadedModule[41]=C:\Windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
LoadedModule[42]=C:\Windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
LoadedModule[43]=C:\Windows\system32\normaliz.DLL
LoadedModule[44]=C:\Windows\system32\iertutil.dll
LoadedModule[45]=C:\Windows\system32\WININET.dll
LoadedModule[46]=C:\Toolbx\WinPatrol\PATROLPRO.DLL
LoadedModule[47]=C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
LoadedModule[48]=C:\Windows\system32\Secur32.dll
LoadedModule[49]=C:\Windows\system32\SSPICLI.DLL
LoadedModule[50]=C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
LoadedModule[51]=C:\Windows\system32\mswsock.dll
LoadedModule[52]=C:\Windows\System32\wship6.dll
LoadedModule[53]=C:\Windows\system32\OLEAUT32.dll
LoadedModule[54]=C:\Windows\system32\DNSAPI.dll
LoadedModule[55]=C:\Windows\system32\CRYPTBASE.dll
LoadedModule[56]=C:\Windows\system32\CLBCatQ.DLL
LoadedModule[57]=C:\Windows\system32\dhcpcsvc6.DLL
LoadedModule[58]=C:\Windows\system32\dhcpcsvc.DLL
LoadedModule[59]=C:\Windows\System32\wshtcpip.dll
LoadedModule[60]=C:\Windows\system32\CRYPTSP.dll
LoadedModule[61]=C:\Windows\system32\rasadhlp.dll
LoadedModule[62]=C:\Windows\system32\rsaenh.dll
LoadedModule[63]=C:\Windows\system32\RpcRtRemote.dll
LoadedModule[64]=C:\Windows\System32\fwpuclnt.dll
FriendlyEventName=Stopped working
ConsentKey=BEX
AppName=HitmanPro.Alert
AppPath=C:\Program Files\HitmanPro.Alert\hmpalert.exe

 

I use CryptoPrevent at the default setting without updating issues, however the "Maximum Protection" setting warns that it may prevent legitimate software from installing and recommends disabling protection beforehand.

 

I also use the default settings.

 

OK. I'll be interested to hear what you find out from the CryptoPrevent people. Do you use their forum?

http://www.foolishtech.com/viewforum.php?f=34&sid=780fc5789b67d16cb38d0732ec9fd0e2

 

I used to use CP but now use HMPA V3 instead for Crypto.

 

Good to know, thanks for the details. One question : I guess the delay between (2) and (4) is negligible, that this transfer is immediate, is this correct? Because here I empty the temp folder regularly so I wouldn't want to delete the update when it is still in the temp folder...

 

Another issue:

When I choose to print an image from Windows Vista x86 IE9 (for instance take this image, or any other image),
and next in Windows' Print menu I choose Preferences,
it takes an unusually long time before my printer's (Canon iP4300) preferences menu shows
(first, Windows says printer is not responding),
and then when the printer's preferences menu shows and I choose OK, and then Print,
it takes a very(!) long time before printing starts.

This was not the case before installing HMPA3.

I see this behavior with Windows Vista x86 IE9, but there is no issue with Windows 7 x64 IE11.
Nor is there any issue when I print from Windows Explorer.
I haven't tested with other browsers than IE9 and IE11, nor have I tested with other printers than Canon iP4300.


Edit:
Added x86 and x64 details.

 

Hmm ... good point there!

 

Not as good if emptying the Temp folder includes deleting HMP's Update... nothing is perfect

 

There is no delay between download-finished and executing the updater. The files for the update are extracted in HitmanPro's update folder under ProgramFiles.