HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    50
    Location:
    Italy
    After uninstalling the patch, everything works again.
    I tried.
     
  2. hjlbx

    hjlbx Guest

    @markloman
    @erikloman

    HitmanPro.Alert 3.1.9 Build 368

    False Positive ROP

    Windows 10 \ 1511
    Cyberfox 46.0
    ReHIPS 2.2.0

    * * * * *

    Mitigation ROP

    Platform 10.0.10586/x64 06_3c
    PID 3428
    Application C:\Program Files\Cyberfox\Cyberfox.exe
    Description Cyberfox 46

    Callee Type LoadLibrary

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFA3CA8B9A0 HookDll64.dll
    50 PUSH RAX
    488bc8 MOV RCX, RAX
    488bd4 MOV RDX, RSP
    4883ec28 SUB RSP, 0x28
    e810b6ffff CALL 0x7ffa3ca86fc0
    4883c428 ADD RSP, 0x28
    48870424 XCHG [RSP], RAX
    c3 RET


    Process Trace
    1 C:\Program Files\Cyberfox\Cyberfox.exe [3428]
    2 C:\Program Files\ReCrypt\ReHIPS\HIPSAgent64.exe [2548]
    3 C:\Program Files\ReCrypt\ReHIPS\HIPSService64.exe [2296]
     
  3. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks Erik.
    I can confirm that Build 368 has solved the Firefox 46 slowness issue, at least on my Win 8.1 x64 system. :thumb:
     
  4. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    ReCrypt\ReHIPS is causing the FP.
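
An added example (not part of the thread and not HitmanPro.Alert code): a small Python parser for the alert report posted above. It pulls out the details worth passing to a vendor when a false positive is suspected: the module in the flagged stack frame and the other install directories in the process trace. The field names follow the posted alert; the function names `parse_alert` and `triage` are illustrative.

```python
import re
from pathlib import PureWindowsPath

# Alert text as posted in the thread above (disassembly shortened to two lines).
ALERT = r"""Mitigation ROP
Platform 10.0.10586/x64 06_3c
PID 3428
Application C:\Program Files\Cyberfox\Cyberfox.exe
Description Cyberfox 46
Callee Type LoadLibrary
Stack Trace
# Address Module Location
1 00007FFA3CA8B9A0 HookDll64.dll
50 PUSH RAX
c3 RET
Process Trace
1 C:\Program Files\Cyberfox\Cyberfox.exe [3428]
2 C:\Program Files\ReCrypt\ReHIPS\HIPSAgent64.exe [2548]
3 C:\Program Files\ReCrypt\ReHIPS\HIPSService64.exe [2296]
"""

FIELDS = ("Mitigation", "Platform", "PID", "Application", "Description", "Callee Type")
FRAME = re.compile(r"^\d+ ([0-9A-Fa-f]{16}) (\S+)")   # "1 <16-hex address> <module>"
PROC = re.compile(r"^\d+ (.+) \[(\d+)\]$")             # "2 <image path> [<pid>]"

def parse_alert(text):
    """Split an alert into header fields, stack frames and the process trace."""
    alert, section = {"fields": {}, "frames": [], "processes": []}, "header"
    for line in map(str.strip, text.splitlines()):
        if line in ("Stack Trace", "Process Trace"):
            section = line
        elif section == "header":
            for name in FIELDS:
                if line.startswith(name + " "):
                    alert["fields"][name] = line[len(name) + 1:]
        elif section == "Stack Trace" and (m := FRAME.match(line)):
            alert["frames"].append({"address": m[1], "module": m[2]})  # disassembly lines do not match
        elif section == "Process Trace" and (m := PROC.match(line)):
            alert["processes"].append({"path": m[1], "pid": int(m[2])})
    return alert

def triage(alert):
    """Report stack modules other than the app's main image, and other install dirs in the trace."""
    app = PureWindowsPath(alert["fields"]["Application"])
    modules = [f["module"] for f in alert["frames"] if f["module"].lower() != app.name.lower()]
    dirs = {PureWindowsPath(p["path"]).parent for p in alert["processes"]} - {app.parent}
    return {"foreign_modules": modules, "other_install_dirs": sorted(str(d) for d in dirs)}

if __name__ == "__main__":
    print(triage(parse_alert(ALERT)))
```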
     
  5. hjlbx

    hjlbx Guest

    @erikloman

    Anything specific I can report to ReCrypt to get this behavior to stop?
     
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,870
    Location:
    the Netherlands
    @erikloman
    I checked.
    hmpalert.dll is in both C:\Windows\System32 and C:\Windows\SysWOW64.
    And I checked whether hmpalert.dll is injected in the mentioned processes, using Process Explorer to see if the DLL is listed (as explained by FleischmannTV, thanks very much for that).
    I see several hmpalert.dll for iexplore.exe processes, but not for PDF-XChange Viewer, WordPad and Windows Media Center,
    and I cannot tell if hmpalert.dll may be missing in any iexplore.exe process(es) that are related to C:\Program Files\Internet Explorer\iexplore.exe that HMP.A reports as "not protected" in "Running applications".

    HMPA Process Explorer.png

    I hope this is the information you need.
    If not, please tell me what to look for, and how.


    Edit:
    I noticed your update here:
    Thanks very much.
    I'll wait for the update later today.
    And thanks very much @Valdez for reporting the KB3146706 issue!
     
    Last edited: Apr 27, 2016
  7. guest

    guest Guest

    If I look at your screenshot, hmpalert.dll is only injected in 32-bit programs (SysWOW64), but not 64-bit.
    Do you have KB3146706 installed? That can be the culprit.
     
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,870
    Location:
    the Netherlands
    Thanks very much for clarifying.

    Thanks very much.
    Yes, I have.
    And I noticed Erik's update. I updated my previous post a few minutes ago.
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    KB3146706 is that strange important but unticked KB that persists on Win 7.
     
  10. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    Thank you, Fleischmann, I did not know that.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    +1
     
  12. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,870
    Location:
    the Netherlands
    I installed KB3146706 a few hours after it was released, on Patch Tuesday.
    At that time it was still ticked for installation.
    It sure is an intriguing KB.
     
  13. L10090

    L10090 Registered Member

    Joined:
    Feb 13, 2015
    Posts:
    302
    Location:
    Netherlands
    hmpalert.dll only shows in SysWOW64.
     

  14. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,870
    Location:
    the Netherlands
    I expressed my thanks in a previous post, but in case you didn't notice, thank you very much @FleischmannTV
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    You could try uninstalling it to see if your issues disappear?
     
  16. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,870
    Location:
    the Netherlands
    Ah, in Process Explorer search results.
    Yes, I saw the same.

    I had interpreted Erik's question in another way.
    I thought he meant C:\Windows\System32 and C:\Windows\SysWOW64.
    hmpalert.dll is in both locations.

    But indeed, in Process Explorer search results hmpalert.dll only shows in SysWOW64.
     
  17. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,870
    Location:
    the Netherlands
    I would rather not.
    As Erik confirmed the issue and said to expect an update later today, I would rather wait for that than uninstall KB3146706.
     
  18. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
    Because 32-bit processes are unaffected, so it's OK.

    32-bit processes → SysWOW64
    64-bit processes → System32



    Wait for the patch (later today)
     
  19. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    I think I'd use the word "irritating" :)

    I've been rejecting it on all W7 machines that I'm responsible for.

    It will stay that way until I read a credible, intelligent and full description of what it does.
    I don't care if it is ticked or not, or if it's labelled as "important", "recommended" or anything else!
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    +1
     
  21. AdamP

    AdamP Registered Member

    Joined:
    Apr 12, 2016
    Posts:
    2
    ^^ This. Same problem. Any ideas?
     
  22. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Can you send your key via PM?
     
  23. miguelgrado

    miguelgrado Registered Member

    Joined:
    May 25, 2014
    Posts:
    35
    Location:
    Asturias-España
    HitmanPro.Alert 3.1.9 Build 368 Released


    Firefox 46 32-bit... too slow :(
     
  24. guest

    guest Guest

    I have mentioned this since at least 3 previous versions. Hence my suggestion for HMPA to implement an "on-the-fly" allow/whitelist feature.
     
  25. miguelgrado

    miguelgrado Registered Member

    Joined:
    May 25, 2014
    Posts:
    35
    Location:
    Asturias-España
    Even after disabling all Hitman protections, Firefox is slow.
     