HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,360
    Location:
    Among the gum trees
    Ah! Thanks guys. I know for next time now.

    Cheers!
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,436
    Location:
    Under a bushel ...
    Thanks for that tip. I am about to do the same, so will no doubt have encountered this issue.
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,525
    I installed HMPA beta, will it automatically update to next beta?
    If not, how can I be informed about new betas?
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,115
    Location:
    USA
    The best way to become aware of new beta releases (and new stable releases as well) is to check this thread regularly. IIRC HMPA will only auto-update when Surfright pushes out a new stable build, and sometimes that lags the release date a fair bit too.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,525
    how do you add something to exclusions?
     
  6. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,345
    Location:
    the Netherlands
    See Peter's instructions:
     
  7. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    "CryptoGuard works at the file system level and does not conflict with full disk encryption software like Microsoft BitLocker, Sophos SafeGuard or TrueCrypt."

    This statement from HMP.A's home page is not 100% true at least concerning BitLocker...

    I have been running Windows 10 Enterprise LTSB on a workstation hard disks encrypted with BitLocker and HMP.A active for some time without problems. Then it was time to replace the system disk, so I swapped in the new disk and restored the full backup.

    At this point the new system disk was naturally unencrypted, so I had to enable BitLocker on the new disk and let it do the initial encryption. When I let Windows to prepare the disk for BitLocker (e.g. shrink the system disk volume to create the extra parition BitLocker needs), HMP.A WipeGuard intercepted the operation:
    WP_20160827_002.jpg

    Unfortunately the interception was not successful. Windows was able to shrink the system volume and create a new 350 MB large volume for BitLocker at the end of the disk, but the system did not boot up any longer:
    WP_20160827_003.jpg

    After fixing the BCD store and reinstalling BOOTMGR I configured HMP.A's Action mode to "Silent audit" and started the encryption again - to my surprise with exactly the same results: Yet another 350 MB partition at the end of the system disk (which BitLocker was unable to use due to the HMP.A interception) and broken boot files.

    After uninstalling HMP.A completely and repairing the boot files again, I managed creating a third 350 MB partition that BitLocker agreed to use and I was able to start the disk encryption.

    After that I reinstalled HMP.A again and everything has been running smoothly ever since.

    I think that HMP.A should be checked / fixed where necessary :
    1. Not to intercept with BitLocker disk preparation process
    2. When intercepting an operation it considers harmful, preferably do it before the harm is done (a new partition was created now, and the system disk also went to a non-bootable state)
    3. When running in "Silent audit" mode, not intercept operations is may consider harmful.
     
  8. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,345
    Location:
    the Netherlands
    I think there was no need to uninstall HMP.A completely.
    Temporarily disabling HMP.A CryptoGuard should probably have been sufficient.
    (For disk management without encryption, temporarily disabling HMP.A CryptoGuard MBR protection (= WipeGuard) should be sufficient.)

    I think you're right.
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I have beta tested HMPA in the past, and tried stable releases several times. I have always had issues and never kept HMPA installed for long. The total amount of time I have actually had HMPA installed would be measured in hours, not days.

    I would like to give HMPA another try. But the license I was kindly given quite awhile ago will not work due to too many activations (apparently, from me installing/activating new versions several times). HMPA will also not let me activate a trial license, saying the trial has expired. Am I going to have to buy a license and hope I don't have issues?
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Probably not, but assuming they do give you another license, I might suggest you not be so quick to uninstall it but work thru issue. There is a way to temporarily disable it without uninstalling. At that point, ask and we can help you.

    Pete
     
  11. TheBear

    TheBear Registered Member

    Joined:
    May 7, 2006
    Posts:
    163
    I think it would be a good idea for HMPA to give the user an option when something is blocked. At least at times when the user is installing something they trust. Perhaps they could allow the user to toggle a choice in settings. Don't allow me to install, or allow me to install. something like that. The only issue I have had with it is having to tweak it (on or off or add an exclusion) when all I want to do is install a program. Any thoughts?
     
  12. guest

    guest Guest

    i requested it long time ago, they say they will implement it somedays , no ETA.
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,653
    Location:
    DC Metro Area
    Send an email to support@hitmanpro.com. If your license is still unexpired they will reactivate it. I had the same problem last week.
     
  14. Valdez

    Valdez Registered Member

    Joined:
    Apr 21, 2016
    Posts:
    36
    Location:
    ITALIA
    I am having trouble with false positive with SNS-HDR Home v2.0.1.1.
    I put the software in exclusions and now all is well.
    Hello!

    Nome registro: Application
    Origine: HitmanPro.Alert
    Data: 27/08/2016 18:07:50
    ID evento: 911
    Categoria attività [9]
    Livello: Errore
    Parole chiave: Classico
    Utente: N/D
    Computer: *****
    Descrizione:
    Mitigation Lockdown

    Platform 6.1.7601/x64 06_2a
    PID 6848
    Application C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe
    Description 0.0

    Filename C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe
    Created By C:\Program Files\SNS-HDR Home 2\ExifTool.exe


    Process Trace
    1 C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe [6848]
    C:\Program Files\SNS-HDR Home 2\ExifTool.exe -overwrite_original -icc_profile<=C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/colorprofile.icc -software=SNS-HDR Home 2.0 C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/image.tmp
    2 C:\Program Files\SNS-HDR Home 2\ExifTool.exe [6468]
    "C:\Program Files\SNS-HDR Home 2\ExifTool.exe" -overwrite_original "-icc_profile<=C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/colorprofile.icc" "-software=SNS-HDR Home 2.0" "C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/image.tmp"
    3 C:\Program Files\SNS-HDR Home 2\SNS-HDR Home.exe [4188]
    "C:\Program Files\SNS-HDR Home 2\SNS-HDR Home.exe" "D:\DATI\Fotografia\Raw\Nef\Cima.Vezzena_00001.nef"
    4 C:\Program Files\ACD Systems\ACDSee Pro\9.0\ACDSeePro9.exe [6612]
    5 C:\Windows\explorer.exe [4352]
    6 C:\Windows\System32\userinit.exe [4280]

    XML evento:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-27T16:07:50.000000000Z" />
    <EventRecordID>66470</EventRecordID>
    <Channel>Application</Channel>
    <Computer>zagor</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe</Data>
    <Data>Lockdown</Data>
    <Data>Mitigation Lockdown

    Platform 6.1.7601/x64 06_2a
    PID 6848
    Application C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe
    Description 0.0

    Filename C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe
    Created By C:\Program Files\SNS-HDR Home 2\ExifTool.exe


    Process Trace
    1 C:\Users\User Name\AppData\Local\Temp\par-5465782057696c6c6572\cache-exiftool-10.25\ExifTool.exe [6848]
    C:\Program Files\SNS-HDR Home 2\ExifTool.exe -overwrite_original -icc_profile&lt;=C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/colorprofile.icc -software=SNS-HDR Home 2.0 C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/image.tmp
    2 C:\Program Files\SNS-HDR Home 2\ExifTool.exe [6468]
    "C:\Program Files\SNS-HDR Home 2\ExifTool.exe" -overwrite_original "-icc_profile&lt;=C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/colorprofile.icc" "-software=SNS-HDR Home 2.0" "C:/Users/User Name/AppData/Local/Temp/snshdrh2-l9Mfi9/image.tmp"
    3 C:\Program Files\SNS-HDR Home 2\SNS-HDR Home.exe [4188]
    "C:\Program Files\SNS-HDR Home 2\SNS-HDR Home.exe" "D:\DATI\Fotografia\Raw\Nef\SpitzVerle_00001.nef"
    4 C:\Program Files\ACD Systems\ACDSee Pro\9.0\ACDSeePro9.exe [6612]
    5 C:\Windows\explorer.exe [4352]
    6 C:\Windows\System32\userinit.exe [4280]
    </Data>
    </EventData>
    </Event>

    SNS-HDR Home v2.0.1.1.png
     
    Last edited: Aug 29, 2016
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,525
    I added winrar to exploit mitigation (under the "other" category)
    In the past, I needed to disable some of the mitigations, in order for winrar to be able to extract.
    But no more. with all mitigations enabled, it is capable of extracting.
    Has something changed in HMPA, or maybe my protection is not working right?
    HMPA latest beta
    winrar 5.40 x64
     
  16. Lonesome Bob

    Lonesome Bob Registered Member

    Joined:
    Aug 24, 2016
    Posts:
    17
    Location:
    unknown

    I have never tried the portable version of MPC-HC; I have always used the standard .exe extracted using 7-Zip. MPC-HC seems to function as a portable application would, without the need to follow a specific installation process or maintain a specific installation location. I simply run the mpc-hc.exe executable from within the MPC-HC folder wherever that happens to be located.

    I use an old Windows 2008 R2 server has a HTPC with a drive mapped to a folder containing multiple MPC-HC configurations. MPC-HC has a neat feature where all settings can be stored in an mpc-hc.ini file located in the same folder as mpc-hc.exe.

    M:\Players\English\MPC-HC\mpc-hc.exe
    M:\Players\Russian\MPC-HC\mpc-hc.exe
    M:\Players\French\MPC-HC\mpc-hc.exe
    M:\Players\5.1\mpc-hc.exe
    M:\Players\6.1\MPC-HC\mpc-hc.exe
    M:\Players\7.1\MPC-HC\mpc-hc.exe
    M:\Players\NoSubs\MPC-HC\mpc-hc.exe
    M:\Players\16-9\MPC-HC\mpc-hc.exe

    HMPA seems to now block MPC-HC when opening a media file. Dealing with similar issues in the past I’ve normally chosen to add the app to the exclusions list by path. That technique does not appear to work for non-local drives.

    Thinking this may be an artificial limit I examined the HitmanPro.Alert registry settings to see how exclusions are applied. It seems various “protection profiles” exist within the registry each with its own unique set of exclusions and often based on a specific exclusion template.

    HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_

    Where I had previously excluded the local mpc-hc.exe there was a registry entry that included a string value containing the path to the executable along with a specific protection profile, C:\Program Files\MPC-HC\mpc-hc.exe and 123A-4BC5.

    HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\mpc-hc.exe

    I guessed I could create a profile which included all the same entries associated with the Exclude template. From within the registry editor I added a random profile “1111-1111” then included a second mpc-hc.exe exclusion string having the path M:\Players\MPC-HC\mpc-hc.exe using the data value 1111-1111, the profile I wished to associate with this exclusion entry.

    After a restart I found from the HMPA interface (Advanced interface\Exploit Mitigations\Applications\Exclude) an entry was now included for the networked version of MPC-HC and opening a media file no longer triggers the false detection.
     
  17. 142395

    142395 Guest

    Been using HMPA for a while (cryptguard & vaccination are disabled), and it works near perfectly. Only 2 problems I have are:
    1. key stroke glich (a wrong 1-char output) when I typed too fast or when I just swiched imput mode for Asian language (I experienced it too in Keyscrambler). It's a bit annoying but not a serious matter.
    2. In event viewer, HMPA constantly fail in its update. I remember in past there're some such report, but did I make sth wrong? Ofc hmpalert.exe as well as hitmanpro_x64.exe is allowed in firewall.

    I thougt it was requested by someone in the past, but there's still no option to perform EWS scan in HMP? Is their any registry entry to make HMP to perform EWS scan when evoked via HMPA?

    BTW, HMPA seems to have least priviledge (almost same as EMET except for SeBackupPrivilege & SeRestorePrivilege which are probably for cryptguard), and all components of it have CFG enabled is fantastic! Even EMET doesn't have CFG enabled, as long as any other competitor and big AVs I tested.

    Only concern I have is, all of HMPA communications including license check seems to be through plain http, tho HMP uses https for 1 address. I hope at least product update uses https, as there have been actual ITW attacks that hijack product's update. I though MBAM/MBAE also had this type of vuln tho not attacked.
     
  18. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,115
    Location:
    USA
    IIRC the error in the event viewer does not mean HMPA failed to update, it means HMPA failed to find an update (in other words no update was available). They should fix that as it causes unnecessary concern.
     
  19. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    171
    Location:
    Baana
    That "bug" was solved in the recent betas for me (beginning w/552b, IIRC). Are you using the non-beta?
     
  20. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,052
    Erik, sent you a mail.
     
  21. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    I just purchased an HMPA license. When I had HMP alone installed, I used to enable the option to scan at startup. I can't find this option in HMPA to save my life. Am I overlooking it?

    Also, I maintain a custom hosts file. I wish there was a way to make HMPA permanently ignore (i.e. not even show) a non-standard hosts file.
     
  22. lawdude

    lawdude Registered Member

    Joined:
    Sep 20, 2015
    Posts:
    39
    Open HMP -> Settings -> Scan -> When -> At Startup
     
  23. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Thanks, but I'm still not seeing it. I normally have just the HMPA window, and those settings do not have anything related to "Scan". When I invoke a scan (from the HMPA window), the HMP process runs from a temp directory (C:\Users\[user name]\AppData\Local\Temp\HitmanPro_x64.exe), and there are no settings accessible at all in that window.

    I'm guessing I would have to install HMP separately to obtain that feature...
     
  24. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,345
    Location:
    the Netherlands
    I'm not sure why deugniet mentioned the mail to Erik here.
    I suppose Erik will find the mail in his inbox, I don't see why to mention it here.
    But anyhow, I see deugniet's intention.

    However, I don't understand what you mean, Telos, saying "Didn't make it here".
    Did you expect deugniet to post his mail here at the forum?
    Or did you mean Erik didn't reply to an e-mail that you sent?
    In that case, Erik is or was on holiday, so I suppose you'll need to give him some time.
     
  25. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Well, that didn't take long. Already found a problem. I have colored border enabled (auto-hide disabled), and now, none of my applications are showing with the colored border anymore. So, what's the fix? Let me guess:

    * I/we cannot reproduce, so it's not an issue.
    * Uninstall/reinstall.
    * Don't worry about it; it's not a big deal.

    Aaaaand... Found another problem. Sometimes when I hit Alt-Tab, the displayed apps just hang there after the keys are released. Never happened before.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.