HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. ajp2k16

    ajp2k16 Registered Member

    Joined:
    Sep 12, 2016
    Posts:
    6
    Location:
    Sweden
    Update: Apparently HMPA uses around 30% CPU (process is "Hitman Pro Alert (32-bit)" - Hitmanpro.Alert service) when doing an online speed test even without being connected to a VPN, it's just that it doesn't affect the top speed much when not connected to the VPN. I guess I notice it more when connected to a VPN because it can be CPU heavy in itself being connected to a VPN doing the encryption.

    When connected to the VPN, HMPA uses around 15-20% of the CPU but the VPN speed is cut in half because of it.
     
  2. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    So a conflict with the VPN isn't the problem. Have you tried the suggestions from @eddiewood ?
     
  3. ajp2k16

    ajp2k16 Registered Member

    Joined:
    Sep 12, 2016
    Posts:
    6
    Location:
    Sweden
    @askmark Doesn't look like it! Just never noticed it before since it doesn't affect top speed much when not connected to the VPN. I haven't had time to try @eddiewood's suggestions yet but I will next, at least network lockdown.

    Nope, disabling network lockdown didn't help... same 20-30% CPU now even without VPN.
     
  4. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
  5. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    417
    I had slowdown on the LAN transfer speeds when using Alert some weeks ago, lost about 20% in speed while moving large files.
    Used the free Alert at that time if that makes any difference?

    /E
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,303
    I noticed it too.
    If i download a file (1-2MB/s) the CPU load of hmpalert.exe goes up from ~0% to ~13-15% (hmpalert.exe). If the speed is higher, the CPU Load goes up too.
    The system is still usable, but 15%-30% CPU load for downloading a file in the background is a little bit high.
     
  7. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,049
    Location:
    Baden Germany
    @all, complaining about high cpu usage while downloading, or doing speed-tests:
    Don't do speed-tests. Use your machine, as intended.
    All web filtering will need some cpu time, depending on your cpu power.
    On my office machine I see 2-4% cpu time, for HMP.A

    Other web filters, like the Avira one, take ~15%

    As long as there is enough cpu time left, I don't care....
     
  8. guest

    guest Guest

    expected behavior; if you are using webfilters + adblocker + RT AVs + VPNs ; don't expect your cpu usage will stay low while downloading...

    If you want to measure HMPA CPU usage, do a clean install, install HMPA, that's it.
     
  9. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Yes, all true, but the poster is experiencing a slowdown of his transfer speed using VPN when HMPA is enabled but doesn't experience the same slowdown when it isn't.

     
  10. ajp2k16

    ajp2k16 Registered Member

    Joined:
    Sep 12, 2016
    Posts:
    6
    Location:
    Sweden
    Perhaps because OpenVPN is single-threaded and HMPA uses the same CPU core and that core becomes overloaded? I have a quad-core CPU, not the latest model but still. Also, I don't understand why HMPA or any other webscanner would try to scan the VPN traffic because it won't find anything anyway since it's encrypted? Same thing with HTTPS too right?

    Thanks for all your comments and suggestions!
     
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    HMPA is multi-threaded, so is the inspection of the traffic. I think the load comes from the mere fact that the traffic is encrypted and the analysis tries to detect something but there isn't anything to see (it is encrypted). It should then ignore the whole stream which should reduce the load during high-speed traffic.

    We have been looking at the problem and we are looking at it again.
     
  12. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    442
    Location:
    England
    I have Internet Download Manager set to intercept (most) downloads.

    I see the CPU usage of HMP.A increase while downloading a file - I also see the I/O of HMP.A match that of the downloading file...

    ...so HMP.A appears to be monitoring the downloading stream.

    For my test, I have added IDM to the "exclude" list and have also turned off all Risk Reduction features while testing - yet I still see HMP.A monitoring the stream

    I am not concerned with the CPU usage but why is it doing this when I have manually excluded IDM ?

    (I have noticed a partial reduction in internet download speeds and also when transferring files via FTP to a local NAS box)
     
  13. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Exclude is only for exploit mitigations (via blue tile).
    The network filtering is system-wide (via orange tile).
    Stuff on the blue tile has no effect on stuff on the orange tile.
     
  14. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    442
    Location:
    England
    I understand.

    I did disable all of the options on the Orange tile and HMPA still monitored my download stream ...

    so the new question would be: how to disable that behaviour for certain programs that transfer data ?

    (whether it is across the internet or even just locally - to my nas box for example)
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,303
    there is a temporary file in C:\Windows\Temp that has the same size as the file you're downloading.
    If the download is finished, this temporary file is deleted.
    That can maybe explain the I/O of HMP.A
     
  16. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    442
    Location:
    England
    Yes, it's almost certainly the temp files being created that are being "tracked" by HMP.A

    The downloaded data stream appears to be passing through, via the hmpnet.sys driver.

    As noted earlier in this thread, by disabling the hmpnet.sys driver - no monitoring occurs, I/O remains unchanged and CPU usage also does not increase.

    I am not implying that HMP.A is monitoring the data content of course, just the stream - but why is it doing that after disabling all Risk Reduction options ?

    What is the purpose of the hmpnet.sys driver ?
    What exactly is it doing and why is it needed ?
    What specific HMP.A feature is it supporting ?
    Why can data stream monitoring not be disabled on a per application basis ?

    Curious :)
     
  17. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Just for information:

    I had an unrelated issue with a Java application not starting.

    Even after disabling every option and excluding the programs, HMP.A silently blocked the application from starting with no warning and no event logged. The Java application works fine without HMP.A installed.

    "Something" in HMP.A blocks stuff and there is no option in the GUI to turn it off, it doesn't surprise me that you have disabled everything and still get your issue. The lack of documentation for these features doesn't help either.
     
  18. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Its purpose is to (a) block C&C traffic and (b) obtain URLs from an attack.
    It is system-wide because malware can contact C&C from every process.

    There is a registry key to disable monitoring per-port, per-IP or per-processname:

    Code:
    Note: Place every item on a separate line.
    
    HKLM\Software\HitmanPro.Alert\
    
    NetFilterExclude  REG_MULTI_SZ  1224          // do not filter port 1224
                                    10.2.121.3    // do not filter IP 10.2.121.3
                                    sfttray.exe   // do not filter ProcessName sfttray.exe
    
    If you make changes you have to restart the HitmanPro.Alert service so that it reads the new excludes.
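The registry exclusion described in the post above, turned into a deployable script. This is an added example for this thread, not code from HitmanPro or from the poster. It assumes only what the post states: the key `HKLM\Software\HitmanPro.Alert`, the value name `NetFilterExclude`, type `REG_MULTI_SZ`, one item per string, each item being a port, an IPv4 address, or a process image name. The script validates a list of items, encodes them in the `.reg` file `hex(7)` form, and decodes the result back so the list can be checked before importing; whether the product honours a given item is outside what the script can verify, and the service still has to be restarted afterwards as the post says.

```python
"""Build a .reg file for HitmanPro.Alert's NetFilterExclude value.

Added example, not HitmanPro code. Assumed from the forum post: key path,
value name, REG_MULTI_SZ type and the three item kinds (port, IPv4, process).
"""
import ipaddress
import re

KEY_PATH = r"HKEY_LOCAL_MACHINE\Software\HitmanPro.Alert"   # from the post
VALUE_NAME = "NetFilterExclude"                              # from the post

# A bare image name such as sfttray.exe: no path separators, no whitespace.
_PROCESS_RE = re.compile(r'^[^\\/:*?"<>|\s]+\.exe$', re.IGNORECASE)


def classify(item):
    """Return 'port', 'ip' or 'process' for a valid item; raise ValueError otherwise."""
    item = item.strip()
    if item.isdigit():
        port = int(item)
        if 1 <= port <= 65535:
            return "port"
        raise ValueError("port out of range: %s" % item)
    try:
        ipaddress.IPv4Address(item)
        return "ip"
    except ipaddress.AddressValueError:
        pass
    if _PROCESS_RE.match(item):
        return "process"
    raise ValueError("not a port, IPv4 address or process image name: %r" % item)


def is_valid(item):
    """Boolean wrapper around classify() for callers that just want a check."""
    try:
        classify(item)
        return True
    except ValueError:
        return False


def encode_multi_sz(items):
    """REG_MULTI_SZ on disk: each string as UTF-16LE plus a NUL, then one extra NUL."""
    if not items:
        raise ValueError("NetFilterExclude must contain at least one item")
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in items)
    return body + b"\x00\x00"


def decode_multi_sz(data):
    """Inverse of encode_multi_sz(); used to double-check what will be imported."""
    if not data.endswith(b"\x00\x00\x00\x00"):
        raise ValueError("missing REG_MULTI_SZ list terminator")
    text = data.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def to_reg_file(items):
    """Validate every item and return the text of a .reg file (CRLF line endings)."""
    cleaned = [i.strip() for i in items]
    for i in cleaned:
        classify(i)  # raises on anything that is not one of the three kinds
    hexbytes = ",".join("%02x" % b for b in encode_multi_sz(cleaned))
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[%s]\r\n" % KEY_PATH
        + '"%s"=hex(7):%s\r\n' % (VALUE_NAME, hexbytes)
    )


def summarize(items):
    """Map each item to its kind, e.g. {'1224': 'port'}; handy for a change ticket."""
    return {i.strip(): classify(i) for i in items}


if __name__ == "__main__":
    # The three example items from the post; replace with your own list.
    sample = ["1224", "10.2.121.3", "sfttray.exe"]
    print(summarize(sample))
    with open("NetFilterExclude.reg", "w", newline="") as fh:
        fh.write(to_reg_file(sample))
    # Import with regedit, then restart the HitmanPro.Alert service so it
    # re-reads the excludes (as the post says).
```

Run it on a Windows admin workstation, inspect `NetFilterExclude.reg`, import it, then restart the service. Keeping the exclusion list in a script rather than editing the value by hand makes the change reviewable and lets you reject a typo such as a process name with a path in it before it silently fails to match.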
     
  19. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This is not a completely correct statement.
    In that particular instance it was not HMPA actively blocking the Java application. It was the fact that the Java application needed one large chunk of memory (almost 2GB in one chunk; obviously 32-bit apps cannot allocate more than ~2GB in a single allocation). Since HMPA randomizes memory, that one large chunk is no longer available and the Java application fails to start.

    If it was an actual block, you would have gotten an alert and an event log entry along with it.
     
  20. eddiewood

    eddiewood Registered Member

    Joined:
    Apr 23, 2006
    Posts:
    136
    Exactly my point about documentation,
    With respect Erik, you are talking semantics. :)

    The Java application works on hundreds of x86 computers without HMP.A installed; as far as the user is concerned HMP.A is the problem, and because there is no way to turn off this randomisation of memory you speak of, we cannot run our warehouse system with HMP.A on any x86 Windows computer.

    If you have a feature that does "something" at least give the user the option to disable it.
     
  21. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Basically you have a Java application you want to protect but that Java application does not allow it to consume memory (it is greedy :isay:). It needs so much memory there is no space for security.

    The solution is to not protect that particular application.

    So basically add the Java binaries to the Exclude category (you first need to remove it from the Java category as it cannot be listed under two categories).

    For reference, what is that Java application called? Maybe we can add some automatic rule for it.
     
  22. Great answer to all problems, just as deep and meaningful as 42
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    o_Oo_O?
     
  24. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    442
    Location:
    England
    "the answer to the ultimate question of life, the universe and everything" ;)

    Thanks Erik, that was an intriguing development re: the exclusion reg entry.

    (although it didn't appear to have any effect when I tested it - both with process name and port)

    We now know that it is a critical function if that type of protection is desired.

     
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,116
    Location:
    USA