HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,841
    Location:
    Among the gum trees
    Malwarebytes has a similar feature.
     
  2. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    663
    Moved this post from BETA

    ROP Hmp.Alert build 723, Sandboxie 5.22 and Firefox 57.0.1.

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 30-11-2017 08:09:56
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation ROP

    Platform 10.0.16299/x64 v723 06_5e
    PID 8264
    Application C:\Program Files\Mozilla Firefox\firefox.exe
    Description Firefox 57

    Callee Type LoadLibrary

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 00007FFE81D6966D KernelBase.dll
    2 00007FFE85848508 ntdll.dll
    3 00007FFE85830F56 ntdll.dll __C_specific_handler +0x96
    4 00007FFE85844C3D ntdll.dll __chkstk +0x11d
    5 00007FFE857BD1B8 ntdll.dll
    6 00007FFE85843B6E ntdll.dll KiUserExceptionDispatcher +0x2e

    7 00007FFE3CD64B9E xul.dll
    cc INT 3

    8 00007FFE3D10F90A xul.dll
    9 00007FFE3D0F8E66 xul.dll
    10 00007FFE3CE09EF6 xul.dll

    Code Injection
    0000000000BC0000-0000000000BC6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2336]
    0000000000BD0000-0000000000BD1000 4KB
    00007FFE85819000-00007FFE8581A000 4KB
    000001DE89C3B000-000001DE89C3C000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [17656]
    00007FFE85840000-00007FFE85841000 4KB
    00007FFE85842000-00007FFE85843000 4KB
    00007FFE8583F000-00007FFE85840000 4KB
    1 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
    2 C:\Windows\System32\services.exe [900]
    3 C:\Windows\System32\wininit.exe [788]
    wininit.exe
    1 C:\Program Files\Mozilla Firefox\firefox.exe [17656]
    2 C:\Program Files\Sandboxie\Start.exe [9476]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\****\Desktop\Firefox 57.0.lnk"
    3 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
    4 C:\Windows\System32\services.exe [900]
    5 C:\Windows\System32\wininit.exe [788]
    wininit.exe

    Process Trace
    1 C:\Program Files\Mozilla Firefox\firefox.exe [8264]
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17656.12.1897105222\717771794" -childID 2 -isForBrowser -intPrefs 5:50|6:-1|28:1000|34:20|35:5|36:10|45:128|46:10000|51:0|53:400|54:1|55:0|56:0|61:0|62:120|63:120|98:2|99:1|114:5000|124
    2 C:\Program Files\Mozilla Firefox\firefox.exe [17656]
    3 C:\Program Files\Sandboxie\Start.exe [9476]
    "C:\Program Files\Sandboxie\Start.exe" /env:00000000_SBIE_CURRENT_DIRECTORY="C:\Program Files\Mozilla Firefox" /env:=Refresh "C:\Users\****\Desktop\Firefox 57.0.lnk"
    4 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
    5 C:\Windows\System32\services.exe [900]
    6 C:\Windows\System32\wininit.exe [788]
    wininit.exe

    Thumbprint
    7e016af425dd8125a9190f43f3da3d150b3c68d6cd73d7ad8ebefe5a0f4d5f4b
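
For triage, an alert like the one in this post can be reduced to which mitigation fired, the modules on the stack, and which processes own the injected regions. The sketch below is an added example, not HitmanPro.Alert's or the poster's code; the section layout is inferred from this one alert, and the launch-chain check in `triage` is an assumed heuristic, not vendor guidance.

```python
import re

# Constructed sample: abridged from the alert text in the post above.
ALERT = r"""Mitigation ROP
PID 8264
Application C:\Program Files\Mozilla Firefox\firefox.exe
Callee Type LoadLibrary
Stack Trace
1 00007FFE81D6966D KernelBase.dll
6 00007FFE85843B6E ntdll.dll KiUserExceptionDispatcher +0x2e
7 00007FFE3CD64B9E xul.dll
Code Injection
0000000000BC0000-0000000000BC6000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2336]
0000000000BD0000-0000000000BD1000 4KB
000001DE89C3B000-000001DE89C3C000 4KB C:\Program Files\Mozilla Firefox\firefox.exe [17656]
Process Trace
1 C:\Program Files\Mozilla Firefox\firefox.exe [8264]
2 C:\Program Files\Mozilla Firefox\firefox.exe [17656]
3 C:\Program Files\Sandboxie\Start.exe [9476]
4 C:\Program Files\Sandboxie\SbieSvc.exe [2336]
"""

SECTIONS = ("Stack Trace", "Code Injection", "Process Trace")
FIELD = re.compile(r"^(Mitigation|PID|Application|Callee Type)\s+(.+)$")
FRAME = re.compile(r"^\d+\s+[0-9A-F]{16}\s+(\S+)")
REGION = re.compile(r"^[0-9A-F]{16}-[0-9A-F]{16}\s+\d+KB\s+(.+?) \[(\d+)\]$")
PROC = re.compile(r"^\d+\s+(.+?) \[(\d+)\]$")

def parse_alert(text):
    """Extract header fields, stack modules, injecting processes and the process trace."""
    out = {"fields": {}, "frames": [], "injectors": set(), "trace": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in SECTIONS:
            section = line
        elif section is None and (m := FIELD.match(line)):
            out["fields"][m.group(1)] = m.group(2)
        elif section == "Stack Trace" and (m := FRAME.match(line)):
            out["frames"].append(m.group(1))
        elif section == "Code Injection" and (m := REGION.match(line)):
            out["injectors"].add((m.group(1), int(m.group(2))))
        elif section == "Process Trace" and (m := PROC.match(line)):
            out["trace"].append((m.group(1), int(m.group(2))))
    return out

def triage(alert):
    """Assumed heuristic: injectors absent from the process trace deserve a closer look."""
    inj, chain = alert["injectors"], set(alert["trace"])
    return {"in_launch_chain": sorted(inj & chain), "foreign": sorted(inj - chain)}
```

On the sample, both injecting processes (SbieSvc.exe [2336] and the parent firefox.exe [17656]) appear in the process trace, so nothing is reported as foreign.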
     
  3. RonnyT

    RonnyT Registered Member

    Joined:
    Aug 9, 2016
    Posts:
    27
    Location:
    Planet Earth
    Tx Deugniet,
    Sandboxie is on our list of things to do.
     
  4. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    1,097
    Location:
    Da mean streets of Brooklyn
    It occurs when launching Internet Explorer also. Thank you for acknowledging this.
     
  5. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,464
    Location:
    Location Unknown
    Is there a way to exclude 1password from keyboard encryption so that I can still use it in conjunction with HMPA?
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,841
    Location:
    Among the gum trees
  7. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    524
    Location:
    USA
    Sounds like Google is telling developers to stop injecting code into their browser, and offering ways to shift to extensions or native messaging. I'm OK with that.
     
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,046
    Location:
    Europe then Asia
    Will impact mostly sandboxes, anti-exploits and AV with active web filters; I'm sure a workaround will be found.
     
  9. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    320
    One of my HMP.A systems is running Vista Home Premium SP2 x64. It has build 604 and has not received the notice about the update to build 723. Also, I rebooted it a few days ago for unrelated reasons, and the build did not change then.

    Is it that the new build is being sent out in waves and my PC just hasn't gotten it yet? Or is this the end of the road for HMP.A on Vista?
     
  10. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    119
    Is there any way to add exclusions to the real-time anti-malware component? Kaspersky's engine is using the "enhanced" detection set that flags stuff like Windows IRC clients.

    Also, I haven't used HMP.alert in a long time due to the issue w/windows update not working. Happy to see keystroke encryption still causes trouble with alt+tab $years in. Any chance of this being fixed? It's super annoying.
     
    Last edited: Dec 2, 2017
  11. markloman

    markloman Developer

    Joined:
    Jan 25, 2005
    Posts:
    479
    Location:
    Hengelo
    We even support Windows XP, so Windows Vista is certainly supported. Do you have a third-party firewall on your machine perhaps which is blocking the download of the update?
     
  12. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    320
    The PC has the Norton Firewall (from Norton 360), but it hasn't prevented earlier versions of HMP.A from updating. :doubt:

    BTW, I'm thankful that you still support XP (and Vista). :thumb:
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,201
    Location:
    DC Metro Area
    Wha iz dis ebowt?

    "Mitigation CredGuard

    Platform 10.0.16299/x64 v723 06_3c
    PID 9380
    Application C:\Windows\System32\SrTasks.exe
    Description Microsoft® Windows System Protection background tasks. 10

    SAM access denied.

    Range = LBA 6454272 :128
    Read = LBA 6454272 :80"
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,039
    The same here (CredGuard - SrTasks.exe): #825
    I would disable the SAM protection:
     
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,201
    Location:
    DC Metro Area
    @mood

    Thanks for the info and recommendation :)
     
  16. Rebecca_valentine

    Rebecca_valentine Registered Member

    Joined:
    Dec 2, 2017
    Posts:
    5
    Location:
    India
    I had bought HitManPro.alert just a few days back. Everything is fine, except that the "anti malware" feature is disabled. Even if I enable it, it goes back to being disabled. I can run scans, but the real time feature is disabled. I use Avira free anti virus as my primary AV on my Windows 10 system. Can anyone help me out, please?
    Thanks a lot. https://imgur.com/BkkJOae https://imgur.com/6NoZ3YW
     
  17. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    119
    I encountered a reproducible crash of build 723 on Win10 running fall creators update. I was reinstalling Overwatch using the battle.net downloader, passing ~22MB/sec of traffic and hmpalert.exe crashed and borked my network connectivity until I rebooted. I don't have realtime antimalware enabled (due to FPs w/the enhanced Kaspersky detection set which I mentioned earlier in the thread) and I don't have keystroke encryption enabled because of the "latching" effect on alt+tab.

    Info from event viewer if it's helpful:

    Faulting application name: hmpalert.exe, version: 3.7.1.723, time stamp: 0x5a0c5489
    Faulting module name: hmpalert.exe, version: 3.7.1.723, time stamp: 0x5a0c5489
    Exception code: 0xc0000409
    Fault offset: 0x00232b82
    Faulting process id: 0x305c
    Faulting application start time: 0x01d36b2521cbff88
    Faulting application path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Faulting module path: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    Report Id: 5a1832e4-9c94-4936-9cf5-0ed7fa6493ea
    Faulting package full name:
    Faulting package-relative application ID:
     
    Last edited: Dec 2, 2017
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,039
    Try to disable Network Lockdown, maybe it helps.
     
  19. m0unds

    m0unds Registered Member

    Joined:
    Nov 12, 2015
    Posts:
    119
    I removed hmpalert for now, but I'll give that a shot if I reinstall it on this machine later.
     
  20. NZDragon

    NZDragon Registered Member

    Joined:
    Dec 3, 2017
    Posts:
    1
    Location:
    UK
    Using latest version (and only happened since that installed a couple of weeks ago). Running a file lock app can only see 2 locks on EFI by MS system. Set HMP service to disabled and rebooted. Rechecked locks and same MS locks in place. However, with HMP service disabled the image backup completes OK. Restart HMP service and retry image backup and it fails again with locks on EFI disk.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,582
    Location:
    USA
    Try adding hmpalert.exe to Avira's file exclusion list. See here:

    https://blog.avira.com/exceptions-avira-antivirus-3-steps/
     
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    3,201
    Location:
    DC Metro Area
    Dunno why your scans are failing but @Victek 's possible solution looks promising.

    Respecting HMPA Anti-Malware Real Time self-disabling, you have to click the GUI twice to lock Anti-Malware RT Protection "Enabled."

    I usually first click on "Disabled" (dunno, maybe clicking anywhere in the Anti-Malware black block would also work) and then click on "Enabled."

    Hope this helps,

    hawki
     
  23. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    52
    Shortly after upgrading to build 723, I upgraded Windows 10 to the Fall Creators Update, plus there was an update to Comodo Internet Security. I then started to get a bunch of random BSODs. I used the utility WhoCrashed to give me some visibility into the mini dumps and it kept saying it was related to ntoskrnl.exe, which can point to RAM issues. I ran the Windows Memory Diagnostic and it did not find any issues with my RAM. So, I assumed that one of these three updates was not playing well together. I had been planning to do a clean install of Windows 10 FCU anyways (the upgrade was a test run to look for issues), so I proceeded to do so. However, I wanted to slowly ease back into HMP.A and Comodo to see if any BSODs crop up. I installed Windows on November 29th. I installed HMP.A on December 1st. I have not seen any BSODs up to today. However, I did find some interesting information in the Comodo Forums found here (see below in green), but I haven't reinstalled Comodo yet so I can't confirm. I'm wondering if any other members of this forum have tested this combination?

    Re: Comodo Internet Security v10.0.2.6420 (Hotfix) Released
    « Reply #126 on: November 30, 2017, 11:41:02 PM »

    My problem seems to have been solved by removing HitmanPro Alert. After uninstalling it I installed Comodo Antivirus 10 again and rebooted as part of the installation process. No BSOD this time! I was triggered by a message from umesh that development found hmpalert.sys to be a possible trigger for the issue (I sent in dumps and logs), which I recognized as being part of HitmanPro Alert.

    I'm now running Comodo Antivirus 10.0.2.6420 with the latest database. If you're running HitmanPro Alert also, you might want to try to disable/remove it to see if your issues are solved also.

    Thanks umesh and others at Comodo!
     
  24. Rebecca_valentine

    Rebecca_valentine Registered Member

    Joined:
    Dec 2, 2017
    Posts:
    5
    Location:
    India
    Thank you so much for the reply :)

    I did this & I could enable the anti malware option. I minimized the application & checked it after a few minutes. It went back to being disabled automatically. No matter how many times I repeat this, it always goes back to being disabled again & again :( What am I supposed to do? :(
     
  25. Rebecca_valentine

    Rebecca_valentine Registered Member

    Joined:
    Dec 2, 2017
    Posts:
    5
    Location:
    India
    Thanks a ton for the reply :)

    No, my scans are not failing. In the particular screenshot, I had an internet connection problem so the scan didn't run. Otherwise, I can run scans.

    Self disabling? :O :(
    I added the exception to avira as @Victek suggested & I clicked it twice to lock the option & it got enabled. But it went back to being "disabled" after a few minutes :(
     